Endpoint Protection

  • 1.  Firewall file fingerprinting

    Posted Oct 25, 2010 05:38 PM

    I have a general question about firewall rule management and would like to know the experience of others who have been managing their SEP workstation firewalls from the perspective of least privilege.

    I notice when tying a rule down to a particular .EXE file, there is an option for specifying the file fingerprint.  Where do I find the file fingerprint of a particular .EXE file, or is it just the SHA1 hash of that file?


    I would like to tie each rule down to allowing specific .EXE files instead of just "any" to the ports and remote IPs in question.  I see things like ntoskrnl.exe, CcmExec.exe, lsass.exe, etc. as common files requesting packets.  I figure that even using file fingerprints I would only have 3 versions of each to manage, one each for XP, Vista, and Win7.  Is this a reasonable approach to locking it down and maintaining the concept of least privilege, or is this approach too much management overhead to be effective?  If too much, how do you recommend locking it down while keeping the rest of the machines protected from things like malware sending traffic to the domain controllers out commonly known open ports?


    Thanks. 



  • 2.  RE: Firewall file fingerprinting

    Posted Oct 25, 2010 06:12 PM

    I think you are looking to block or allow files by the MD5?

    https://www-secure.symantec.com/connect/pt-br/forums/how-block-applications-sep-using-md5



  • 3.  RE: Firewall file fingerprinting

    Posted Oct 25, 2010 06:20 PM

    The file fingerprint refers to the MD5. There is a "checksum.exe" utility in the SEP client installation folder you can use to get MD5s for any executable on the machine.

    Reasonable is all perspective... to one it may be unreasonable while to another it's legit. If you are okay with creating these rules and managing them, then I would say it's not unreasonable. I can tell you it's not something I have seen someone do before, though.



  • 4.  RE: Firewall file fingerprinting

    Posted Oct 26, 2010 03:55 PM

    When you say it's not something you have seen done before, do you mean you have not seen someone use the MD5 to limit the applications, and instead they just use the application names by themselves?

    Or are you saying that you have not seen someone limit the rules to application/EXE at all, either by name or MD5 fingerprint, and instead they only create source/destination-based port and IP rules with no application awareness?

    Just curious what is typical out in the field of the management of client firewalls among other SEP administrators. 



  • 5.  RE: Firewall file fingerprinting

    Posted Oct 26, 2010 04:08 PM

    Hi clamu,

    I meant that I have not seen someone use the MD5 to limit the applications in the firewall.

    I typically see clients use just the source/destination type or protocols, etc. to administrate their networks. I assume the overhead in managing your type of setup may be too much for some. You'd have to take into account Windows patches changing the fingerprints, and suddenly your network is down because we are blocking critical Windows applications, and/or other issues like this that could arise.

    Obviously it would be a good idea to thoroughly test your setup before rolling it out to production.
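The script below is an added example, not code from this thread or from Symantec. It ties together the two practical points raised above: post #3 says the SEP "file fingerprint" is simply the MD5 of the executable, and post #5 warns that Windows patches change those MD5s and silently break fingerprint-bound rules. Run with -Record on one reference machine per OS (XP, Vista, Win7) to capture a baseline of the executables the original poster named, then re-run after each patch cycle to list which fingerprints changed and therefore which firewall rules need a new MD5. Assumptions, labelled in the code: the baseline CSV location, the default SCCM client path for CcmExec.exe, and the lowercase-hex formatting of the digest (checksum.exe's exact output format is not stated in the thread). It uses the .NET MD5 class rather than Get-FileHash so it runs on the PowerShell 2.0 that shipped with the OS versions in question.

```powershell
# Added example (not from the thread): compute the MD5 "file fingerprint" of the
# executables named in the thread and flag any that have changed since a baseline
# was recorded, e.g. after a Windows patch. Assumes the SEP fingerprint is the
# plain MD5 of the file bytes, as post #3 states; the hex case used here is an
# assumption, adjust it if checksum.exe shows a different format.

param(
    [string]$BaselinePath = "$env:ProgramData\sep-fingerprints.csv",  # assumed location
    [switch]$Record  # write a new baseline instead of comparing against one
)

# Executables the original poster sees generating traffic. ntoskrnl.exe and
# lsass.exe are at their standard locations; the CcmExec.exe path is the default
# SCCM client install path and is an assumption.
$Targets = @(
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\lsass.exe",
    "$env:SystemRoot\System32\CCM\CcmExec.exe"
)

function Get-Md5Fingerprint {
    param([string]$Path)
    # System.Security.Cryptography.MD5 is available on PowerShell 2.0, where
    # Get-FileHash does not exist.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # Lowercase hex, no separators (assumed format).
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLower()
}

# The OS caption distinguishes the XP / Vista / Win7 rows in a shared baseline.
$os = (Get-WmiObject Win32_OperatingSystem).Caption

$current = @(foreach ($p in $Targets) {
    if (Test-Path $p) {
        New-Object PSObject -Property @{
            OS   = $os
            Path = $p
            MD5  = (Get-Md5Fingerprint $p)
        }
    }
})

if ($Record -or -not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Recorded $($current.Count) fingerprints to $BaselinePath"
    return
}

# Compare against the baseline. A CHANGED line means a fingerprint-bound firewall
# rule will no longer match that executable, which is exactly the post-patch
# failure mode post #5 describes, so these are the rules to update before the
# patch reaches production.
$baseline = @{}
Import-Csv $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.MD5 }

foreach ($entry in $current) {
    $old = $baseline[$entry.Path]
    if (-not $old) {
        Write-Output "NEW      $($entry.Path) $($entry.MD5)"
    } elseif ($old -ne $entry.MD5) {
        Write-Output "CHANGED  $($entry.Path) was $old now $($entry.MD5)"
    } else {
        Write-Output "OK       $($entry.Path)"
    }
}
```

Running this in the patch test ring before approving an update turns the "suddenly your network is down" scenario into a known list of rules to edit, which is the main cost of the fingerprint approach the thread is weighing. Keep one baseline per OS version, since the same executable has a different MD5 on XP, Vista and Win7 even before patching.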