
Full IPv6 support in Symantec Endpoint Protection

Created: 10 Feb 2014 • Updated: 10 Feb 2014 | 1 comment
matt will fix it's picture

My idea is to have full IPv6 support in Symantec Endpoint Protection.

There is a KB article which details what is and is not supported; however, IPv6 is actively in use on some of our customers' networks, and the items that are not supported constitute huge gaps in IPv6 support that leave our systems open to attack.

For example:

  • The inability to specify network locations on native IPv6 networks is a huge issue. This means we can't specify different firewall rulesets for clients "inside" the corporate network and clients "outside" the corporate network.
  • The inability to specify source or destination IPv6 addresses in firewall rules is also a huge issue. For services like web browsing (TCP 80, 443) etc. it's acceptable to create a rule with any source/destination; however, with services such as "Remote Desktop TCP 3389" for example, it's a security requirement that only selected hosts are permitted to Remote Desktop to workstations. It's not acceptable to open a firewall rule to allow all IPv6 hosts the ability to RDP to a machine.
  • The firewall issue coupled with the inability to specify location profiles means we need to open system sensitive services like RPC or Remote Desktop for all IPv6 hosts when they are on the Internet or corporate network. 

Please implement full IPv6 support in firewall rules and location profiles!

Comments

matt will fix it's picture

Also the inability to specify IPv6 subnets in the Group Update Provider (GUP) configuration adds further complexity to our location profiles.

If we could specify IPv6 subnets in the GUP settings then we could have one LiveUpdate policy for all computers.

However we can't, so we need a different LiveUpdate policy when clients are on the IPv6 network, which means another location profile. Whilst not a big issue, it adds to administration, especially when a setting needs to be changed in a location profile for groups that aren't inherited.
