Endpoint Protection

  • 1.  What ruleset do you use when a laptop is off the corporate network?

    Posted Mar 05, 2009 09:08 AM

    Here is a question for all of you who are deploying the Network Threat Protection component of SEP 11 with Location Based Policies.

    We have the corporate desktops that are pretty static, but then there is the laptop community.

    So what kind of firewall ruleset or policy do you use for your hundreds or thousands of laptops when they are not on the managed network?

    I'm looking for ideas.

    The optimal one will provide the greatest amount of protection with the fewest support calls to the helpdesk. (Yes, I know this could be quite a compromise.)

    Do you show the mobile user anything?

    Do you give them any sort of control? (Manual override when they are on the dark side of the moon.)

    Regulations require that the firewall is installed, active, and end users can't change the settings. (Sound familiar?)

    But once they leave the managed network, if there are issues, who knows where they will be and what kind of connection they will have (if they have one)?

    Do you allow all traffic initiated from the laptop out, but nothing initiated from the outside in (rely on state)? And then hope IPS, AV and AS do the rest?

    Maybe some combination that blocks the Microsoft ports going out and allows VPN?

    Do you "ASK", and then face the support calls when the less savvy users don't know what the pop-up is or means?

    How do you deal with the user at a home office with split tunneling?

    There are all kinds of usage scenarios. What about wireless?

    OK, so I'm getting a little ahead of myself.

    Let's start with a good base policy for a laptop that is now out on an unmanaged network (home, hotel, airport...).

    And certainly if you have a pointer or reference that can help fast-track this process, please post it.

    Thank you!!!!

    toko
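As an added illustration (not code from this thread or from SEP itself), here is a small Python model of the base policy the question sketches: everything the laptop initiates goes out, unsolicited inbound traffic is dropped by relying on connection state, and the Microsoft ports are blocked outbound only while off the managed network, with the VPN port left open. The port sets, location names and sample traffic are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# Constructed port sets (assumptions, not SEP defaults): the "Microsoft ports"
# the question mentions, and the VPN port that must stay reachable off-network.
MICROSOFT_PORTS = {135, 137, 138, 139, 445}
VPN_PORTS = {4500}  # IPsec NAT-T; adjust to the tunnel actually in use
# direction is "out" (laptop -> remote) or "in" (remote -> laptop)
Packet = namedtuple("Packet", "direction proto local_port remote_ip remote_port")


@dataclass
class LocationFirewall:
    """Stateful, default-deny-inbound model with one location-specific rule."""
    location: str                       # "managed" or "unmanaged"
    state: set = field(default_factory=set)

    def _flow_key(self, pkt):
        # Same 4-tuple for a flow and its reply, so replies match the state entry.
        return (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)

    def _outbound_rules(self):
        # Ordered rule table, first match wins: VPN always out, Microsoft ports
        # out only while on the managed network, everything else out.
        rules = [(lambda p: p.remote_port in VPN_PORTS, "allow")]
        if self.location == "unmanaged":
            rules.append((lambda p: p.remote_port in MICROSOFT_PORTS, "block"))
        rules.append((lambda p: True, "allow"))
        return rules

    def evaluate(self, pkt):
        if pkt.direction == "out":
            verdict = next(v for match, v in self._outbound_rules() if match(pkt))
            if verdict == "allow":
                self.state.add(self._flow_key(pkt))   # remember laptop-initiated flow
            return verdict
        # Inbound: only replies to flows the laptop started get through.
        return "allow" if self._flow_key(pkt) in self.state else "block"


def run_scenario(location):
    """Constructed traffic mix; returns the verdicts in order."""
    fw = LocationFirewall(location)
    traffic = [
        Packet("out", "tcp", 51000, "203.0.113.10", 443),    # web browsing
        Packet("in",  "tcp", 51000, "203.0.113.10", 443),    # its reply
        Packet("in",  "tcp", 445,   "198.51.100.7", 40000),  # unsolicited SMB probe
        Packet("out", "tcp", 51001, "192.0.2.20",   445),    # SMB to a file share
        Packet("out", "udp", 51002, "192.0.2.1",    4500),   # VPN tunnel
        Packet("in",  "udp", 51002, "192.0.2.1",    4500),   # VPN reply
    ]
    return [fw.evaluate(p) for p in traffic]
```

Running the same traffic through both locations shows the only difference is the SMB-to-share packet: allowed on the managed network, blocked off it, while the unsolicited probe is dropped in both cases.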


  • 2.  RE: What ruleset do you use when a laptop is off the corporate network?

    Posted Jul 09, 2009 07:58 AM
    Let the firewall rules remain the same, but change the LiveUpdate settings (Allow user to manually launch LiveUpdate).


  • 3.  RE: What ruleset do you use when a laptop is off the corporate network?

    Posted Jul 09, 2009 08:10 AM
    Like Ajit says, let the users launch LU on their own.

    As a security measure, I block access to USB drives, CD / DVD Writers, RF and Bluetooth points on the laptops via location specific policies once they detect that they are off premise.

    Also, the user interface is completely locked down and the SEP interface is password protected, along with Tamper Protection set to BLOCK to prevent users from tampering / uninstalling the Software. A pretty hardened system is what we try to make with SEP, and go as far as the product allows us to, shying just short of a system lockdown.

    This way, we ideally prevent any threats from users' home PCs / personal USB drives from infecting the systems when they are off premise.


  • 4.  RE: What ruleset do you use when a laptop is off the corporate network?

    Posted Jul 09, 2009 08:53 AM
    Same here - allow LU, but the firewall is the firewall, I see no reason to loosen or tighten depending on location.
    IMO, risks are risks. We block the same and allow the same regardless and it's worked just fine.
    We're pretty strict on "things" (devices), but pretty open on web sites, blocking only the social networking sites and eBay, where folks seem to have forgotten they were using GOVERNMENT OWNED computers when selling their eBay items! So we blocked 'em. No reason for eBay at work anyway. Since they need to do research during their normal work, it's hard to block much as far as sites, but we allow only friendly traffic in any case, even with our routers (ASA 5505s).
    If it wasn't asked for, it won't come in.
    USB - BLOCKED unless it's an APPROVED state-owned ENCRYPTED device. ALL other storage devices are blocked, except the dictation recorders. They can use their approved Blackberries, but the SD is blocked so files can't come and go.
    NO IPODS!! Those are blocked - connect an iPod and it installs crap software and jabbers like crazy on the network. They can listen, but we found they were using gov't computers to download songs, rip CDs and so on. That's the same in or out of office. Really, the only thing is to allow LU; otherwise, blocked is blocked, allowed is allowed, and we've seen no reason at all for different configurations.