Endpoint Protection

  • 1.  Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?

    Posted Nov 02, 2009 02:11 PM
    Hi.

    Last post :-)

    When one creates a new firewall rule, at the service specification in the service list, if one were to set the Protocol to IP and then leave Protocol Type blank, can I assume that this is how we set the rule to mean all IP protocol types?

    I noted this because as a default during install, this is how the "Allow all other IP traffic" rule was set.

    Does this same scenario play out for the other service settings?

    Basically I want to create a rule for laptops that are out of the office to block all incoming traffic except for wireless EAPOL traffic and DHCP.  I'm assuming that a block on all incoming IP-type traffic would block everything as needed using this blank setting, but I just wanted to confirm that with y'all.

    Thanks.


  • 2.  RE: Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?

    Posted Nov 02, 2009 02:30 PM

    You can check this discussion to learn about blocking services.

    https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-firewall-rule-set

    You should not leave this entry blank. From the help file:

    A network service trigger identifies one or more network protocols that are significant in relation to the described network traffic.

    You can define the following types of protocols:

    TCP
      Port or port ranges

    UDP
      Port or port ranges

    ICMP
      Type and code

    IP
      Protocol number (IP type)
      Examples: Type 1 = ICMP, Type 6 = TCP, Type 17 = UDP

    Ethernet
      Ethernet frame type
      Examples: Type 0x0800 = IPv4, Type 0x8BDD = IPv6, Type 0x8137 = IPX

    When you define TCP-based or UDP-based service triggers, you identify the ports on both sides of the described network connection. Traditionally, ports are referred to as being either the source or the destination of a network connection.

    You can define the network service relationship in either of the following ways:

    Source and destination
     The source port and destination port are dependent on the direction of traffic. In one case the local client computer might own the source port, whereas in another case the remote computer might own the source port.
     
    Local and remote
     The local host computer always owns the local port, and the remote computer always owns the remote port. This expression of the port relationship is independent of the direction of traffic.
     

    You specify the direction of traffic when you define the protocol.

    You can define multiple protocols. For example, a rule might include the ICMP, IP, and TCP protocols. The rule describes multiple types of connections that may occur between the identified client computers, or are used by an application.
     



  • 3.  RE: Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?

    Posted Nov 03, 2009 11:13 AM
    Hi Rafeeq.

    I don't understand.

    The default installation of the product creates a rule (one of the 15 or so created during install) called "Allow all other IP traffic".  This rule is as follows:

    App=any
    host=any
    time=any
    service=IP
    adapter=all
    screen=any
    action=allow
    logging=none

    If you double click on the IP in the service box area, it opens up the service list.  In the service list, the top service is enabled, service name is blank and content=IP.  If you edit this, you will see that protocol is IP, type is blank and direction is both.  Apply to fragmented packets only is unchecked.

    This makes sense to me also.  Otherwise, you would have to create hundreds of rules to allow (or deny as I want to do) all traffic.  So, it makes sense in this case that this is how Symantec deals with creating a rule that addresses all traffic types.

    To summarize, I want to create a set of rules for a location that denies all incoming traffic except for EAPOL wireless and DHCP.  This location would kick in when the client was not able to see the mgmt server.  I should only have to create three rules in this case, I would think:

    In order:

    1) Allow EAPOL.
    2) Allow DHCP.
    3) Block all incoming IP, all hosts, all adapters, any app.

    Comments appreciated.




  • 4.  RE: Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?

    Posted Nov 03, 2009 01:51 PM
    I got your point.
    When you select IP,
    Protocol number (IP type)
    should be followed by an IP type (the numbered ones);
    otherwise it does not know what to allow or block.


  • 5.  RE: Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?

    Posted Nov 04, 2009 12:09 PM
    Why does Symantec create a rule like this then during install?


  • 6.  RE: Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?

    Posted Nov 04, 2009 12:38 PM
    Olstall,

    You are correct, it allows all IP traffic; however, the same can be achieved by adding two rules, one for incoming and one for outgoing.

    The first one would be IP [Incoming].

    The second one would be IP [Outgoing].

    Or, as you said, IP with a blank type should allow all IP traffic.

    Here firewall rules are applied based on priority: the first rule is applied first, and so on.

    This rule is listed 14th; I don't think it would ever come into play for this policy.

    However, disabling this would be a good security decision... Let me know your thoughts.


  • 7.  RE: Blank Entry In Protocol Type - Does This Mean All Types & Does This Apply In General To All Rules?
    Best Answer

    Posted Nov 09, 2009 01:44 AM
    The default firewall rules have been made taking all the users into consideration, basically so that it doesn't block any expected traffic.
    However, there are many options with the help of which you can create very strict firewall policies; it's just that you will have to play with it for some time.

    I would suggest creating a blank rule and changing allow to block, so that it becomes BLOCK ALL;
    then create one more policy above it and set it to allow EAPOL (Wireless) traffic.
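The three-rule set proposed in post 3 (allow EAPOL, allow DHCP, block all incoming IP) and the block-all-with-an-allow-above-it layout in post 7 both depend on two things the thread settles on: rules are evaluated top to bottom with the first match winning, and an IP trigger with a blank protocol type matches every IP protocol. The following is an added example, not Symantec's code or anything from this thread: a small Python model of that evaluation order, run against constructed sample frames. It assumes the EAPOL EtherType 0x888E and DHCP UDP ports 67/68, models IPv4 frames only, and treats the allow-all default the thread describes as the fall-through action.

```python
# Added example (not from the thread or from Symantec): first-match evaluation
# of the "out of office" rule set discussed above, under the assumptions that
# rules are applied top to bottom and that a blank IP type matches any IP protocol.
from dataclasses import dataclass
from typing import Optional, Tuple

EAPOL_ETHERTYPE = 0x888E   # IEEE 802.1X EAPOL frame type (assumed, not on the page)
IPV4_ETHERTYPE = 0x0800    # IPv4 frame type, as in the quoted help text

@dataclass
class Packet:
    direction: str                   # "in" or "out" relative to the local host
    ethertype: int
    ip_proto: Optional[int] = None   # 6=TCP, 17=UDP, 1=ICMP; None for non-IP frames
    dport: Optional[int] = None      # destination port for TCP/UDP, else None

@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "block"
    direction: str = "both"              # "in", "out" or "both"
    ethertype: Optional[int] = None      # Ethernet trigger (frame type)
    ip_proto: Optional[int] = None       # IP trigger; None = blank type = any IP protocol
    dports: Optional[Tuple[int, ...]] = None  # port list for TCP/UDP triggers

    def matches(self, p: Packet) -> bool:
        if self.direction != "both" and self.direction != p.direction:
            return False
        if self.ethertype is not None:              # Ethernet service trigger
            return p.ethertype == self.ethertype
        if p.ethertype != IPV4_ETHERTYPE:           # IP triggers need an IP frame
            return False
        if self.ip_proto is not None and p.ip_proto != self.ip_proto:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True                                 # blank type matched any IP protocol

# The ordered rule set from post 3; order is what makes the allows effective.
OUT_OF_OFFICE = [
    Rule("Allow EAPOL", "allow", ethertype=EAPOL_ETHERTYPE),
    Rule("Allow DHCP", "allow", ip_proto=17, dports=(67, 68)),   # constructed ports
    Rule("Block all incoming IP", "block", direction="in"),       # IP, type left blank
]

def evaluate(rules, p: Packet, default="allow"):
    """Return (action, rule name) from the first matching rule, else the default."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return default, "default"
```

Reversing the list puts the block-all rule first, and the DHCP offer is then dropped before its allow rule is ever reached, which is the priority point made in post 6.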