Endpoint Protection

  • 1.  How best to reliably detect you are on a specific corporate network?

    Posted May 29, 2009 09:14 AM
    We use locations to change our firewall policy depending on whether you are on our corporate network, off it, off it but connected via vpn, etc.

    We started by configuring it like this: if you can detect the Management Server, you're on the corporate network. If you can't, you're off it. That worked great - except - people seemed to change locations a lot when they shouldn't have. Even though our management server was up, for some reason a user would briefly be unable to reach it and then they are in the "off the network" location for a little while. Plus, Symantec support tells us that a computer will only know if it can reach the management server once for every heartbeat - so if you have an infrequent heartbeat, the computer could remain in the wrong location for quite a while. Symantec support suggested we not rely on the management server, but to check for our DNS servers instead. The problem is that doesn't really confirm that you are on OUR network. Another network could very well use the same IP for a DNS server. (And it would be super-easy to spoof if one wanted to.)

    So, we are now looking for a better way to tell that you are on a specific network.  Any recommendations? How are you addressing this?

    TIA - Paul


  • 2.  RE: How best to reliably detect you are on a specific corporate network?

    Posted May 29, 2009 10:27 AM
    We currently use a combination of DNS Suffix and Management Server connection.  If you happen to have the same DNS suffix throughout your network, then this would probably work fine.  We use a combination of both.

    The DNS suffix you should use is the one that you see listed when you do an IPCONFIG /ALL

    Connection-Specific DNS Suffix:  yourDNSsuffix.com



  • 3.  RE: How best to reliably detect you are on a specific corporate network?

    Posted May 29, 2009 11:39 AM
    You can also ping something that's only accessible from your internal network, like the private leg of the firewall or an internal switch.
    Just a guess...


  • 4.  RE: How best to reliably detect you are on a specific corporate network?

    Posted May 29, 2009 12:41 PM
    That seems like a good approach.

    Do you do an AND or an OR?

    Seems like saying "you're on our network if you have our DNS Suffix AND you see the Management Server" would help avoid spoofing, but would also expose a machine to thinking it is off the network if you had a problem with the management server.

    On the other hand, if you say "you're on our network if you have our DNS Suffix OR you see the Management Server", is looking for the management server offering any value?


  • 5.  RE: How best to reliably detect you are on a specific corporate network?

    Posted May 29, 2009 02:35 PM
    Well, the only reason why we also use an AND is because some of our regions within the company may not use the same DNS Suffix; by having the Manager Connection, we cover those systems as well...
    If your entire network uses the same DNS suffix, it should work pretty well with only the DNS Suffix.

    I don't like the idea of having to ping a device to determine whether it's in the network because you then start to create network traffic every time the system checks for a location change (by default I think it's like 4 seconds).


  • 6.  RE: How best to reliably detect you are on a specific corporate network?

    Posted May 29, 2009 11:36 PM
    If you use specific PUBLIC IPs on your network, you can use the check to see if the system has this IP or is part of the subnet. It's going to require some testing, but totally doable.
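As an added example (not code from any poster in this thread), the snippet below pulls the signals discussed above out of `ipconfig /all` output (the Connection-specific DNS Suffix from post 2 and the adapter address for the subnet check from post 6) and combines them with the management-server check, so the AND versus OR trade-off raised in post 4 can be seen directly. The sample output, the corporate suffix, the 10.20.0.0/16 range and the `mgmt_reachable` flag are all assumptions.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt (not from the thread); suffixes and addresses are placeholders.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . : corp.example.com
   IPv4 Address. . . . . . . . . . . : 10.20.30.40(Preferred)

Wireless LAN adapter Wi-Fi:
   Connection-specific DNS Suffix  . : coffeeshop.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
"""

CORP_SUFFIX = "corp.example.com"                       # assumed corporate suffix
CORP_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate address ranges


def parse_adapters(text):
    """Return one (dns_suffix, ipv4) pair per adapter section of `ipconfig /all`."""
    adapters, suffix, ip = [], None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            if suffix or ip:                        # flush the previous adapter
                adapters.append((suffix, ip))
            suffix, ip = None, None
        m = re.search(r"DNS Suffix[ .]*:\s*(\S*)", line)
        if m:
            suffix = m.group(1).lower() or None     # empty field means no suffix
        m = re.search(r"IPv4 Address[ .]*:\s*(\d+(?:\.\d+){3})", line)
        if m:
            ip = m.group(1)
    if suffix or ip:
        adapters.append((suffix, ip))
    return adapters


def classify(adapters, mgmt_reachable, require_all):
    """Choose the firewall location from three signals.
    AND (require_all=True): one spoofed signal is not enough, but a management
    server outage drops the host to "off_network".  OR (require_all=False):
    survives the outage, but any single signal, spoofable suffix included, wins.
    """
    suffix_ok = any(s == CORP_SUFFIX for s, _ in adapters)
    subnet_ok = any(ip and any(ipaddress.ip_address(ip) in n for n in CORP_SUBNETS)
                    for _, ip in adapters)
    signals = (suffix_ok, subnet_ok, mgmt_reachable)
    return "corporate" if (all if require_all else any)(signals) else "off_network"
```

Running `classify` over the parsed sample with `mgmt_reachable=False` shows the difference: AND mode reports "off_network" during a management-server outage, while OR mode still reports "corporate", and OR mode also reports "corporate" for an adapter that carries only the suffix.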