Endpoint Protection

  • 1.  Limiting SEP without deploying features?

    Posted Apr 06, 2010 09:16 AM
    Hi all,

    We are about to rollout SEP 11 to about 35,000 clients - and need input.  We've currently got SAV 10.1 deployed with the antivirus and antispyware portions active.

    We HAD planned on NOT implementing the intrusion protection, firewall, or the network threat protection parts.  The only parts we would implement would be the antivirus/antispyware and the proactive threat protection pieces.

    I guess my question is this... if we do this - how much are we limiting the product.  I know quite a bit - I've heard as much as 60% of SEP's functionality.  But, some admins here are afraid of what installed applications would be affected by false heuristics detections, conflicts with firewalls (some workstations have 3rd party firewalls), etc.

    Has anyone implemented only parts of SEP for specific reasons to their organizations?  Just would like some caveats before we torque up the whole show.  :)

    Thanks,
    THUNTER


  • 2.  RE: Limiting SEP without deploying features?

    Posted Apr 06, 2010 09:23 AM

    If you have a "good firewall" in place in your network, then you can go without NTP.

    Yes, I have seen organizations (I can't name them) that have gone with only AV, AS and PTP, but they had Cisco or Juniper firewalls.



  • 3.  RE: Limiting SEP without deploying features?

    Posted Apr 06, 2010 09:36 AM
    With respect to NTP, yes, there are chances of false positives; we did test it in QA and decided not to go with it, as it will put load on systems, and not many customers have it installed because they already have a firewall.
    PTP will not work on server OSes. In our environment we are running with AV and AS; we decided to go with NTP after MU6 with complete testing.


  • 4.  RE: Limiting SEP without deploying features?

    Posted Apr 06, 2010 09:45 AM

    I will say this: Symantec releases IPS (NTP) signatures that offer protection from unpatched exploits often enough that I found using NTP useful. Currently, there are 1862 signatures that are included by Symantec. For example, the MS VBScript exploit, which is still not patched by Microsoft, had a signature in Symantec's NTP feature.

    Have a look at this site:
    http://www.symantec.com/en/sg/business/security_response/attacksignatures/


    Mike



  • 5.  RE: Limiting SEP without deploying features?
    Best Answer

    Posted Apr 06, 2010 09:51 AM
    On Windows server operating systems and Windows XP 64-bit operating systems, Proactive Threat Protection only supports Commercial Application List scanning or "CAL". This is why the status shows as "OFF" in the client interface.

    This does not mean that PTP does not work on a server OS, only that some components don't work.


    http://service1.symantec.com/support/ent-security.nsf/docid/2008052215014748?Open&seg=ent


  • 6.  RE: Limiting SEP without deploying features?

    Posted Apr 06, 2010 10:25 AM
    By just installing Antivirus and Antispyware, you are only upgrading SAV 10.1 to 11.x with better management and reporting.

    You can have a test group where you can test all (production) applications. The firewall is rule based, so whatever rule you apply, it works on that.
    IPS is really a remarkable feature of SEP. As you said, you are leaving behind 60%; 40% of that 60 is IPS as a security feature.

    Then the rest, Application and Device Control, is just as per your requirement; however, it can help you a lot if you plan to use it.

    The only most important question here would be where you are inclined more: performance or security?


  • 7.  RE: Limiting SEP without deploying features?

    Posted Apr 06, 2010 11:11 AM

    If you have a firewall solution you're already happy with, you can deploy NTP for use for IPS only (essentially putting the firewall portion in pass-through mode):

    Title: 'Best practices regarding Intrusion Prevention System technology'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009080314433948

    You may want to deploy AV/AS to all, then test on a small group for the additional functionality.  You can always add features post-deployment.  The clients will already have the components in place, so will not require pushing out additional MB over the network; you just 'flip a switch' to turn those features on.

    Title: 'How to add or remove features to existing Symantec Endpoint Protection client installations'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008111808135348

    sandra


  • 8.  RE: Limiting SEP without deploying features?

    Posted Apr 06, 2010 03:05 PM
    Thanks so much for all the replies.  Several good responses there - and I really appreciate everyone's input, links, and help.

    You've all helped us in how we should test and how we should proceed.

    Thanks again,
    THunter


  • 9.  RE: Limiting SEP without deploying features?

    Posted Apr 06, 2010 07:40 PM

    You are missing out on a HUGE feature in SEP if you deploy to those machines without the IPS enabled.

    For example, the IPS signature protects against MS08-067, which is a very common remote exploit used by virus authors to compromise machines across the network.
    If a new virus comes out that uses the exploit in MS08-067, a machine with the IPS enabled will identify the network traffic and block the attack.
    Once the IPS signature has been written, it protects against all future viruses that use that attack, regardless of whether they are old/new/variants/etc.

    In comparison, the regular AV signature will completely miss a new variant that uses the same old exploit.
    You are left in a position where you are waiting for Symantec to release new definitions.
    This can become an issue as there are so many new variants of some viruses today. I believe there are over 900 viruses in the wild that utilise MS08-067 at this time. 900+ different AV signatures vs 1 IPS signature??

    The IPS component requires the firewall so that it can perform at a low level within the network stack, monitoring packets and performing blocks. Initially you can easily deploy the firewall component with an ALLOW ANY ANY rule.
    Once it is in place you can then test a strict firewall policy that suits your corporate environment.

    I have it rolling out to 300,000+ endpoints at the moment with an allow any any rulebase so if you need any further advice just let me know.

    cheers

    Z
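The trade-off argued in the post above (one network signature keyed on the exploit's invariant delivery pattern versus a separate hash for every payload variant) and the false-positive concern raised in post 3, as an added example. This is constructed demonstration code, not from the thread and not Symantec's NTP/IPS code: the trigger bytes, the payload variants, the hash blacklist and the benign traffic are all made up inline, and the "exploit trigger" is a placeholder, not the real MS08-067 request.

```python
"""
Constructed example: per-sample AV hashes vs one content rule on the exploit trigger.

Nothing here is real exploit data. EXPLOIT_TRIGGER stands in for whatever invariant
bytes an attacker must send to reach a bug; payloads and benign traffic are synthetic.
"""
import hashlib
import random
from typing import Callable, Dict, List, Optional, Set

# Placeholder for the invariant part of an exploit request (constructed, not MS08-067).
EXPLOIT_TRIGGER = b"\x05\x00\x0b\x03\x10\x00\x00\x00" + b"\\\\..\\" * 4


def make_variants(n: int, seed: int = 1) -> List[bytes]:
    """Build n 'malware samples': the same trigger followed by a different random payload."""
    rng = random.Random(seed)
    return [EXPLOIT_TRIGGER + bytes(rng.getrandbits(8) for _ in range(64)) for _ in range(n)]


def av_hash_detector(known_hashes: Set[str]) -> Callable[[bytes], bool]:
    """Sample-based detection: flags only samples whose SHA-256 is already on the list."""
    def detect(sample: bytes) -> bool:
        return hashlib.sha256(sample).hexdigest() in known_hashes
    return detect


class ContentRule:
    """Minimal Snort-style content rule: `content` must occur within `depth` bytes of `offset`."""

    def __init__(self, content: bytes, offset: int = 0, depth: Optional[int] = None):
        self.content, self.offset, self.depth = content, offset, depth

    def matches(self, packet: bytes) -> bool:
        end = None if self.depth is None else self.offset + self.depth
        return self.content in packet[self.offset:end]


def count_hits(detector: Callable[[bytes], bool], samples: List[bytes]) -> int:
    return sum(1 for s in samples if detector(s))


def run_demo(n_variants: int = 900, n_known: int = 300) -> Dict[str, int]:
    """Compare hash coverage, rule coverage and rule false positives on constructed data."""
    variants = make_variants(n_variants)
    # The AV vendor has seen only the first n_known samples and shipped hashes for them.
    av = av_hash_detector({hashlib.sha256(v).hexdigest() for v in variants[:n_known]})
    # One tight rule anchored at the packet start: the whole trigger, nothing else.
    tight_rule = ContentRule(EXPLOIT_TRIGGER, offset=0, depth=len(EXPLOIT_TRIGGER))
    # A sloppy rule that fires on any '\..\' anywhere: the sort of signature that
    # generates the false positives post 3 complains about.
    loose_rule = ContentRule(b"\\..\\")
    benign = [  # constructed legitimate traffic
        b"GET /docs\\..\\index.html HTTP/1.1\r\n",
        b"\x05\x00\x0b\x03" + b"A" * 40,
    ]
    return {
        "av_hits": count_hits(av, variants),                     # only the known 300
        "ips_tight_hits": count_hits(tight_rule.matches, variants),  # all 900
        "ips_tight_fp": count_hits(tight_rule.matches, benign),  # 0
        "ips_loose_fp": count_hits(loose_rule.matches, benign),  # 1
    }


if __name__ == "__main__":
    print(run_demo())
```

The tight rule catches every variant because the trigger is what the attack cannot change, while the hash list covers only what the vendor has already seen; the loose rule shows the other side of the trade-off, which is why a pilot group against production traffic, as suggested earlier in the thread, is worth doing before enabling IPS fleet-wide.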