Symantec Endpoint Protection Network Threat Protection (Firewall) Overview and Best Practices White Paper
When computers in a private network connect to the Internet, they physically connect their network to countless unknown networks. While most connections pose no threat to your computer or your network, others may be an attempt to infiltrate your network through unprotected computers. A successful attack can compromise classified information, halt productivity, and consequently destroy reputations and brand value.
Firewalls that are installed on endpoint computers protect against such attacks by creating a barrier between the computers and the external networks, including the Internet. This paper focuses on the network threat protection (or client firewall) component of Symantec™ Endpoint Protection; specifically the client firewall’s purpose, elements of a firewall policy, how firewall rules are processed, and a best practice approach for implementing a firewall policy in your network.
The Challenge of Configuring the Client Firewall
Firewalls are only as good as the policies they enforce. A poorly constructed policy can effectively let attackers in, while preventing trusted sources from accessing necessary resources. Before you configure the client firewall, you should understand how the firewall processes rules, how to create rules effectively (protect while maximizing performance), and how the firewall interacts with the other components of Symantec Endpoint Protection.
What is Symantec Endpoint Protection and Network Threat Protection?
Symantec Endpoint Protection protects endpoint computing devices from viruses, threats, and risks, and provides three layers of protection to your endpoint computing devices. The layers are Network and Host Exploit Mitigation , Proactive Threat Protection, and Virus and Spyware Protection. Network and Host Exploit Mitigation protection blocks threats from accessing your computer by using rules and signatures. Proactive Threat Protection identifies and mitigates the threats based on the threats’ behavior. Virus and Spyware threat protection identifies and mitigates the threats that attempt to or have gained access to your computers by using the Symantec signatures. The Symantec Endpoint Protection client firewall provides a barrier between the computer and the outside network. The client firewall prevents unauthorized users from accessing the computers and the networks that connect to the Internet, detects possible hacker attacks, protects personal information, and eliminates unwanted sources of network traffic. The firewall also protects against network threats and malware that attempt to proliferate in your network, such as bots. All the information that enters or leaves the client computer must pass through the client firewall, which examines the information packets. The client firewall blocks packets that do not meet the specified security criteria.
Firewall policies consist of one or more rules that work together to allow or block users from accessing the network. Firewall policies include the following elements:
Firewall rules control how the client protects the client computer from malicious inbound traffic and applications, in addition to malicious outbound traffic. Firewall rules can make the computer invisible to others on the Internet, protect remote users from hacker attacks, and prevent hackers from gaining backdoor access to the corporate network through these computers.
Smart traffic filters allow the specific types of traffic that are required on most networks such as DHCP, DNS, and WINS. Examples of traffic and stealth settings that enable additional traffic features are driver-level protection, NetBIOS protection, token ring traffic, DNS reverse lookup, and stealth mode settings. In general, a firewall rule describes the conditions in which a network connection may be allowed or denied.
Use the following firewall components to define the criteria for a firewall rule:
Use the following firewall components to define the criteria for a firewall rule:
The firewall uses stateful inspection. Stateful inspection is a process that tracks currently allowed connections. A unique combination of destination IP addresses, ports, and applications identifies a connection.
The client makes traffic flow decisions by using the connection information. When a newly received packet matches an existing allowed connection, the packet does not go through the rule inspection process. The packet is allowed automatically. More importantly, stateful inspection enables the simplification of the rule base. For traffic that is initiated in one direction only, you do not have to create rules that permit traffic in both directions. Client traffic that is typically initiated in one direction includes Telnet (port 23), HTTP (port 80), and HTTPS (port 443). For these protocols, create the outbound rule only, the response is allowed automatically by the SEP client.
How firewall rules are prioritized
A priority number is assigned automatically to each rule in the firewall table. The rule number determines the processing order for rules. The Symantec Endpoint Protection client firewall processes the firewall rule set in sequential order, starting at rule number one.
The rule severity (zero through fifteen) determines how critical the rule is when triggered:
Rules are not logically combined in any way and the firewall does not implement a best-fit algorithm. This scenario makes rule set design and troubleshooting simpler because you do not need to consider rule selection logic beyond simple traffic matching.
The firewall rule set contains a blue dividing line:
Rules are categorized as server rules or client rules: Server rules are created on the management server and downloaded to the client. Client rules are the rules that a user creates on a client.
The following shows the relationship between the client user’s control level and the user’s interaction regarding firewall rules:
For clients in mixed control, the firewall processes server rules and client rules in a particular order. Server rules with high priority levels are processed first. Client rules are processed second, and server rules with a lower priority are processed last.
Use caution when setting a client to mixed control, because the user can create a client rule that allows all traffic, and this rule overrides all server rules below the blue line.
Default Firewall Rules
The firewall is installed with default rules that are classified as Allow, Deny, Block and Log, or Log only. Default rules can be enabled or disabled as needed.
The Allow rules include fragmented packets and Wireless Extensible Authentication Protocol Over LANS (Wireless EAPOL). Wireless EAPOL is defined currently for Ethernet-like LANs including 802.1x wireless, as well as token ring LANs (including FDDI).
Also allowed are MS Remote Access and Routing ARP Driver, all outbound business applications, all outbound ping, pong, tracert, and VPN are allowed.
The Deny rules include blocking IPv6, IPv6 over IPv4, local file sharing, and Remote Administration
Logging rules include: Do not log broadcast and multicast traffic, block and log IP traffic, and block all other traffic.
Smart Traffic Filtering
Smart traffic filtering enables the use of essential network services without rules being defined to explicitly allow those services.
Smart filters are enabled by default and are defined for the following services:
Smart filters are evaluated before rule set examination, which means that any packet that matches an active occurrence of a Smart Filter is allowed. All others are denied. The DHCP, DNS, or WINS request must originate from the client computer and the response must occur within a predefined five-second period. The server sends the response and the response type is verified as valid in relation to the original client request.
Smart DHCP enables normal DHCP broadcast messaging to occur without a rule also being defined. The client DHCP messages must be configured to obtain an IP address automatically.
How the smart filter mechanism handles DHCP exchange messages:
The interface through which DNS requests are transmitted must be configured in the TCP/IP settings with a primary, and optionally, a secondary DNS server. The primary and secondary server assignments can be manually configured, or received using DHCP addressing. Only requests that are initiated by the client, and addressed to the specified primary or secondary DNS servers are allowed. Any other DNS request is denied automatically.
Smart WINS enables the use of the WINS service. WINS requests must be configured to use WINS resolution in the TCP/IP advanced settings. Unlike DNS, which is limited to a primary and a secondary server specification, any number of WINS servers may be defined. Only requests that are initiated by the client and addressed to a predefined WINS server are allowed. Any other WINS request is denied automatically. The client's resolution request causes a new smart filter to be added to the list, which defines a five-second response window in relation to the particular request made. The solicited server must respond, and the response must be received within the specified time period. The content of the response is validated against the original request as well. Invalid responses are ignored.
NetBIOS and Token Rings
Traffic settings can be enabled on the client to detect and block the traffic that communicates through drivers, NetBIOS, and token rings. You can also configure settings to detect the traffic that uses a more invisible attack.
Traffic Settings include the following:
Protection and Stealth Settings
When configuring stealth settings, understand that some settings can make Web sites render incorrectly. Other settings can cause all traffic to be blocked when an incompatible NIC card is installed. Unlike Traffic Settings, all Stealth Settings are disabled.
You can configure the following stealth settings:
Order of Rule Processing
The following shows the order in which all Network Threat Protection elements are processed. These elements include traffic and stealth settings:
The intrusion prevention system (IPS) is the client's second layer of defense after the firewall. The intrusion prevention system is a network-based system that operates on every computer on which the client is installed and the IPS system is enabled. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.
The client contains smart attack signatures that are less likely to allow an intrusion attack. The client also contains a stateful engine that tracks all the incoming and the outgoing traffic. The client includes the intrusion prevention engine and a corresponding set of attack signatures by default.
You can block certain types of intrusion prevention attacks on the client, which depend on the intrusion prevention settings that you select. For example, you must enable the Enable Intrusion Prevention setting to enable the Symantec IPS signature engine and the Custom IPS signature engine.
You can configure the following Intrusion Prevention Settings:
Note that if you set the client to mixed control, you must also enable these settings in the Client/Server Control Settings dialog box.
Best Practice – Applying Firewall Policies in Your Network
Before you apply a firewall policy to your entire network, you should apply the policy to a small subset of clients that is representative of your network. If possible, you should initially apply the policy in a test environment. Symantec Endpoint Protection provides the default firewall policy as a foundation for you to build upon. In most cases, you must make modifications to the default firewall policy to accommodate your network’s architecture and your company’s security policy.
The firewall’s use of stateful inspection simplifies rule creation and maintenance, and allows your client computers to make necessary connections while being protected. Components of the firewall policy that are not based on firewall rules also protect your client computers. These components include intrusion prevention and smart traffic filters.
When you are ready to apply a firewall policy to your network, you should follow the following steps:
Enable and Configure Intrusion Prevention
Regardless of how you configure other Network Threat Protection features, you can protect your clients and servers from many network attacks by enabling Intrusion Prevention. Intrusion Prevention is an effective method to block known attacks. As signatures are created for new attacks, you can protect your computers by updating your IPS signatures through LiveUpdate. Additionally, you can create custom intrusion prevention signatures, which are processed first by the firewall.
Apply the firewall policy
The default firewall policy can potentially block the traffic that is necessary for your company to perform its business activities. To avoid this possibility, you should modify the default policy by making it more permissive.
You can make the default policy more permissive by performing either of the following modifications:
Monitor network traffic
After you apply the modified firewall policy, you can monitor and analyze the traffic that passes through your client computers from the Symantec Endpoint Protection Manager Console. From the traffic logs, you can determine which traffic should be allowed or blocked based on application, time of day, or service.
Fine-Tune firewall policy
After you have examined the information in the traffic logs, you can use the information to modify your firewall policy. You can also tighten or loosen your firewall policy by configuring Traffic and Stealth Settings, which allows or prevents some types of network traffic.
In general, you can tighten your firewall policy by restricting applications from accessing the network or launching. You can do so by creating custom firewall rules for specific applications. But there are limitations, as firewall rules that block certain applications from accessing the network still allow the application to launch. This result may not be what you intended.
Another method that you may want to explore, which can be more efficient, uses using an Application Control policy. Through an Application Control policy, you can block applications from executing.
You should gradually tighten your firewall policy in iterations. For example, you can block one or two applications at a time, then test the policy again. If there are no problems, you can continue to make your policy more restrictive as necessary.
Roll out modified firewall policy to your entire network
After you complete the modification of your firewall policy based on the network information from the traffic logs and environment tests, you can roll out the firewall policy to your entire network with great confidence that the firewall protects your client computers and allows the necessary traffic through.
For more information on the Symantec Endpoint Protection client firewall and application control, refer to the Symantec Endpoint Protection Administration Guide.