Location awareness best practices for Endpoint Protection

Article ID: 178049

Products

Endpoint Protection

Issue/Introduction

Learn more about location awareness in Symantec Endpoint Protection (SEP), and best practices for configuring and managing client locations and policies.

Resolution

Locations and location awareness

Users frequently need to connect to the network from various locations: from home, from the office, or from remote locations while traveling. You can assign a separate security policy to each location or type of network connection (wireless, Ethernet, or VPN). Location awareness automates the switch between those policies, so a client on a less protected network does not keep running a policy intended for the office.

To protect the network, you set up the conditions that trigger this automatic switching (location awareness), so that the most appropriate security policy is applied to a client or server. The best security policy typically depends on the location from which a user connects.

You can assign a set of conditions to each group's location that automatically selects the correct security policy for a user's environment. Conditions include information such as the network settings of the computer that initiated the network access request. An IP address, MAC address, or the address of a directory server can also function as a condition.

If you change the security policy in the console, either the management server updates the policy on the client, or the client downloads the policy. If the current location is not valid after the update, then the client switches to another valid location, or the client uses the default location.

Note: Symantec does not recommend more than seven (7) locations per group when using location awareness. Exceeding this number increases the time the Endpoint Protection client needs to process the locations and settle on a valid one whose conditions are all met. The client evaluates every configured location and scores it by the parameters that match its defined conditions; each matched parameter adds weight, and the client selects the location with the highest weight.

Location planning

Before adding locations to a group, consider the types of security policies that you need in your environment. Also consider the following, which define each location:

  • From which locations are users connecting?
    • Consider which locations you need to create, and how to label each one. For example, users may connect at the office, from home, from a customer site, or from another remote site such as a hotel during travel. Additional qualified locations may be required at a large site.
  • Should location awareness be set up for each location?
  • How do you want to identify the location if using location awareness?
    • Identify the location based on IP addresses, WINS, DHCP, or DNS server addresses, network connections, and other criteria.
    • If you identify the location by network connection, what type of connection is it? For example, the network connection may be a connection to the Endpoint Protection Manager, dial-up networking, or a particular brand of VPN server.
  • Should clients connecting in this location use a specific type of control, such as server control, mixed control, or client control?
  • Should Host Integrity checks be made at each location? Alternatively, should the policy skip the checks at any time, such as when not connected to the Endpoint Protection Manager?
  • What applications and services should you allow at each location?
  • Should the location use the same communication settings as other locations in the group, or use different settings? Note: You can use a unique set of communication settings for each location.

Default locations

Endpoint Protection Manager uses the default location for a group if one of the following occurs:

  • Multiple locations meet the location criteria, and the last location does not meet location criteria.
  • You use location awareness and no locations meet the criteria.
  • You rename the location, or make changes to the location in the policy. The client reverts to the default location when it receives the new policy.

When you initially install Symantec Endpoint Protection Manager (SEPM), only the default location, named "Default," is set up. At that time, every group's default location is "Default." You can later change this to the correct location after you add other locations. In addition, every group must have a default location. You may prefer to designate a location like "Home" or "Travel" as the default location.

Location-specific conditions

You can specify a number of conditions to determine when to allow a client computer to switch to another location, before you allow the client to connect to your network. Switching locations allows a different set of security policies to apply when a client computer is connecting to the network from a more vulnerable location.

If the conditions match, the client computer automatically switches to the designated group's location with its associated policy, and the computer can connect to your network.

The conditions may be positive or negative. For example:

  • Positive: A client computer matches because it uses an IP address that falls within a particular IP address range, or because it has a registry key that you specify.
  • Negative: A client computer matches if it does not use a specific wireless SSID that you have specified. You can add, edit, or delete these condition settings.

Table: Available location criteria as of Endpoint Protection 14

Option: Description
Computer IP Address

This criterion has the following options:

  • If the client computer has one of the IP addresses listed.
  • If all of the IP addresses of the client computer are listed.
  • If the client computer does not have any of the addresses listed.
You can specify the following criterion types and their values: IP Address, IP Range, or Subnet Address and Subnet Mask.

Gateway Address

This criterion has the following options:

  • If the Gateway address of the client computer is one of the addresses listed. This condition includes all computers that match the listed IP addresses.
  • If the Gateway address of the client computer does not match any address listed.

You can specify the following criterion types and their values: IP Address, IP Range, Subnet Address and Subnet Mask, or MAC Address.

WINS Server Address

This criterion has the following options:

  • If the client uses one of the WINS Server addresses listed.
  • If all of the WINS Servers on the client computer are listed.
  • If the client computer does not have any of the WINS Server addresses listed.

You can specify the following criterion types and their values: IP Address, IP Range, or Subnet Address and Subnet Mask.

DNS Server Address

This criterion has the following options:

  • If the client computer uses one of the DNS Server addresses listed.
  • If all of the DNS Servers on the client computer are listed.
  • If the client computer does not use any of the DNS Server addresses listed.

You can specify the following criterion types and their values: IP Address, IP Range, or Subnet Address and Subnet Mask.

DHCP Server Address

This criterion has the following options:

  • If the DHCP Server address of the client computer is one of the addresses listed.
  • If the DHCP Server address of the client computer does not match any address listed.
You can specify the following criterion types and their values: IP Address, IP Range, Subnet Address and Subnet Mask, or MAC Address.

Network Connection Type

This criterion has the following options:

  • If the client computer uses the network connection type specified.
  • If the client computer does not use the network connection type specified.

You can specify the following network connection types as of Endpoint Protection 14:

  • Any networking
  • Dial-up networking
  • Ethernet
  • Wireless
  • Check Point VPN-1
  • Cisco 3000 VPN
  • Microsoft PPTP VPN
  • Juniper NetScreen or SafeNet VPN
  • Nortel Contivity VPN
  • Aventail SSL VPN
  • Juniper SSL VPN

Management Server Connection

This criterion has the following options:

  • If the client computer can connect to the management server.
  • If the client computer cannot connect to the management server.

Note: Symantec does not recommend usage of Management Server Connection unless a distinct set of management servers is being used for the location. A server outage or connection issue will result in clients switching locations.

Trusted Platform Module

This criterion has the following options:

  • If the client computer uses the Trusted Platform Module specified.
  • If the client computer does not use the Trusted Platform Module specified.

You can specify the following Trusted Platform Module types:

  • Any TPM Token
  • IBM TPM Token
  • HP TPM Token

DNS Lookup

This criterion has the following options:

  • If the client computer can resolve the host name specified.
  • If the client computer cannot resolve the host name specified.
You can specify the host name and the DNS resolved address.

Registry Key

This criterion allows for checking against the following conditions:

  • Whether the specified registry key name or a registry key value name exists or does not exist on the client computer.
  • Whether the specified registry key value data is equal to or not equal to a particular key name, value type (String, DWORD, or Binary), or value name.

Wireless SSID

This criterion has the following options:

  • If the client computer uses one of the Wireless SSIDs listed.
  • If the client computer does not use one of the Wireless SSIDs listed.

Note: SEP refers to the wireless SSID reported by the OS. For a wireless connection that is part of a network bridge, SEP uses the SSID that the OS reports for the network bridge, not the SSID of the wireless connection inside the bridge (which the bridge masks).
PowerShell command that displays the Wi-Fi SSID as the OS reports it: netsh wlan show interfaces | Select-String SSID

NIC Description

This criterion has the following options:

  • If the client computer uses one of the NIC descriptions listed.
  • If the client computer does not use one of the NIC descriptions listed.

DHCP Connection DNS Suffix

This criterion has the following options:

  • If the client computer uses one of the DNS suffixes listed.
  • If the client computer does not use one of the DNS suffixes listed.

ICMP Request (Ping)

This criterion has the following options:

  • Match this criterion if any one of the listed hosts can be pinged.
  • Match this criterion only if all of the listed hosts can be pinged.
  • Match this criterion if any one of the listed hosts cannot be pinged.
  • Match this criterion only if all of the listed hosts cannot be pinged.
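The selection behaviour described in the note under "Locations and location awareness" (every matched condition adds weight, the highest-weight location wins, and the group's default location is used when nothing matches) and the positive/negative conditions from the table above can be modelled in a few lines. The following Python is an added illustration written for this article; it is not Symantec code and does not claim to reproduce how the SEP client is implemented. The one-point-per-condition weighting, first-defined-wins tie breaking, the subset of criterion kinds supported, and every location definition and client observation in it are constructed assumptions.

```python
"""Illustrative model of location-awareness selection (not Symantec code).

Assumptions: each matched condition adds one point of weight, the location with
the highest weight wins, the first-defined location wins ties, and a client whose
facts match no condition of any location falls back to the group's default
location. Location names, addresses, SSIDs and client facts are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

RECOMMENDED_MAX_LOCATIONS = 7  # the article's guidance: no more than seven per group


def ip_matches(ip: str, spec: str) -> bool:
    """True if ip falls within spec: a single address, a 'start-end' range,
    or a network written as 'net/prefix' or 'net/netmask'."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


@dataclass
class ClientFacts:
    """What the client observes about its current network (constructed data)."""
    ip_addresses: list[str]
    gateway: str | None = None
    dns_servers: list[str] = field(default_factory=list)
    dns_suffix: str | None = None
    ssid: str | None = None
    connection_type: str = "Ethernet"


@dataclass
class Condition:
    """One location criterion. kind is one of: ip, gateway, dns_server, dns_suffix,
    ssid, connection_type. negate=True makes it a negative condition: it matches
    when the client does NOT use any of the listed values."""
    kind: str
    values: list[str]
    negate: bool = False

    def matches(self, facts: ClientFacts) -> bool:
        if self.kind == "ip":
            hit = any(ip_matches(ip, s) for ip in facts.ip_addresses for s in self.values)
        elif self.kind == "gateway":
            hit = facts.gateway is not None and any(ip_matches(facts.gateway, s) for s in self.values)
        elif self.kind == "dns_server":
            hit = any(ip_matches(d, s) for d in facts.dns_servers for s in self.values)
        elif self.kind == "dns_suffix":
            hit = facts.dns_suffix is not None and facts.dns_suffix.lower() in {v.lower() for v in self.values}
        elif self.kind == "ssid":
            hit = facts.ssid is not None and facts.ssid in self.values
        elif self.kind == "connection_type":
            hit = facts.connection_type in self.values
        else:
            raise ValueError(f"unsupported condition kind: {self.kind!r}")
        return not hit if self.negate else hit


@dataclass
class Location:
    name: str
    conditions: list[Condition]


def score_locations(locations: list[Location], facts: ClientFacts) -> dict[str, int]:
    """Weight of each location = number of its conditions that match the client."""
    return {loc.name: sum(1 for c in loc.conditions if c.matches(facts)) for loc in locations}


def select_location(locations: list[Location], default_name: str, facts: ClientFacts):
    """Return (chosen location name, per-location weights)."""
    weights = score_locations(locations, facts)
    best = max(locations, key=lambda loc: weights[loc.name])  # max() keeps the first on ties
    if weights[best.name] == 0:
        return default_name, weights  # nothing matched anywhere: use the group's default
    return best.name, weights


def exceeds_recommended_count(locations: list[Location]) -> bool:
    return len(locations) > RECOMMENDED_MAX_LOCATIONS


# Constructed sample group: three locations plus the default.
LOCATIONS = [
    Location("Office", [
        Condition("ip", ["10.0.0.0/255.255.255.0"]),     # wired office subnet (constructed)
        Condition("dns_server", ["10.0.0.53"]),
        Condition("dns_suffix", ["corp.example"]),
    ]),
    Location("VPN", [
        Condition("ip", ["10.200.0.1-10.200.255.254"]),   # VPN address pool (constructed)
        Condition("gateway", ["10.200.0.1"]),
        Condition("connection_type", ["Microsoft PPTP VPN"]),
    ]),
    Location("Home", [
        # Negative conditions match broadly (a wired office client also "does not use"
        # CORP-WIFI), so the weighting is what keeps Office ahead of Home in the office.
        Condition("ssid", ["CORP-WIFI"], negate=True),
        Condition("ip", ["10.0.0.0/255.255.0.0"], negate=True),
    ]),
]
DEFAULT_LOCATION = "Default"

# Constructed client observations for four situations.
OFFICE_WIRED = ClientFacts(["10.0.0.42"], "10.0.0.1", ["10.0.0.53"], "corp.example")
ON_VPN = ClientFacts(["10.200.1.5"], "10.200.0.1", ["10.0.0.53"], "corp.example",
                     connection_type="Microsoft PPTP VPN")
AT_HOME = ClientFacts(["192.168.1.23"], "192.168.1.1", ["192.168.1.1"], "lan",
                      ssid="HomeNet", connection_type="Wireless")
# Corporate guest Wi-Fi: on CORP-WIFI and inside 10.0.0.0/16, but not on the wired
# subnet and not using corporate DNS, so no condition of any location matches.
GUEST_WIFI = ClientFacts(["10.0.77.5"], "10.0.77.1", ["1.1.1.1"], None,
                         ssid="CORP-WIFI", connection_type="Wireless")

if __name__ == "__main__":
    for label, facts in [("office", OFFICE_WIRED), ("vpn", ON_VPN),
                         ("home", AT_HOME), ("guest wifi", GUEST_WIFI)]:
        chosen, weights = select_location(LOCATIONS, DEFAULT_LOCATION, facts)
        print(f"{label:10s} -> {chosen:8s} weights={weights}")
```

Running it shows why the article advises weighing conditions rather than relying on a single one: the VPN client also satisfies two of the Office conditions (corporate DNS server and suffix), and a wired office client satisfies one of the Home conditions, yet each ends up in the intended location because the intended location has more matches; the guest Wi-Fi client matches nothing and lands in the default location, which is the case the "Default locations" section describes.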

General client settings

Use this dialog to configure the general location awareness and client restart settings. These settings are applied to each client within the selected group.

Table: General settings for client

Option: Description
Location Settings: Remember the last location

At initial logon, Endpoint Protection uses the last-used location.

  • If you have enabled location awareness, the client switches to the appropriate location after a few seconds.
  • If you have disabled location awareness, the user can manually switch between any of the locations, even when the client is in server control.
  • If you have enabled a quarantine location, the client may change to the quarantine after a short time.
Enable Location Awareness

Automatically selects the correct location in which to place the clients. The location determines which policy takes effect. Restarts the client in the last-used location before the user turned off the client computer.

  • Note: You can use location awareness only for clients in the subgroups that do not inherit their policy contents from a parent group.
  • This option is enabled by default.

Table: Restart options

The restart options specify the method by which the client computer restarts after client installation, or when the client computer shuts down.

You can configure the following restart options:

Option: Description
Prompt the user to restart the computer

Displays a notification on the client to prompt the user to restart the client computer. The user can click No to postpone when to restart the client.

Message

The additional text that you can add to the notification.

Maximum number of snooze opportunities

The number of times that the user can postpone the computer restart before the computer automatically restarts.

Maximum time between snoozes (seconds)

The time period between when the user postpones the computer restart and when the notification appears again.

The notification window will automatically close after (seconds)

The number of seconds that the notification remains open before the client restarts.

Force the computer to restart

The computer automatically restarts. The user does not have an opportunity to postpone the restart.

Automatic assignment of policies

Control of the policies that are assigned to clients is contingent on the location from which a client connects. Therefore, you should enable location awareness.

To enable a client's automatic assignment of policies

  1. In the console, click Clients.
  2. On the Clients page, under View Clients, select the group to implement automatic switching of locations.
  3. On the Policies tab, uncheck Inherit policies and settings from parent group "group name".
    Modify only the location-independent settings for groups that do not inherit those policies and settings from a parent group.
  4. Under Location-independent Policies and Settings, click General Settings.
  5. In the General Settings dialog box, on the General Settings tab, under Location Settings, check Remember the last location.
    By default, this option is enabled. The client is initially assigned to the policy that is associated with the location from which the client last connected to the network.
    • If Remember the last location is checked when a client computer connects to the network, then the client is initially assigned a policy. This policy is associated with the last-used location. If location awareness is enabled, then the client automatically switches to the appropriate policy after a few seconds. The policy that is associated with a specific location determines a client's network connection. If location awareness is disabled, the client can manually switch between any of the locations even when it is in server control. If a quarantine location is enabled, the client may switch to the quarantine policy after a few seconds.
    • If Remember the last location is not checked when a client connects to the network, then the client is initially assigned the policy that is associated with the default location. The client cannot connect to the last-used location. If location awareness is enabled, then the client automatically switches to the appropriate policy after a few seconds. The policy that is associated with a specific location determines a client's network connection. If location awareness is disabled, the user can manually switch between any of the locations even when the client is in server control. If a quarantine location is enabled, the client may switch to the Quarantine Policy after a few seconds.
  6. Check Enable Location Awareness.
    By default, location awareness is enabled. The client is automatically assigned to the policy that is associated with the location from which the user tries to connect to the network.
  7. Click OK.

Add locations to groups with a wizard

You can add locations to a group by using a wizard, and each location can have its own set of policies and settings. When the criteria (conditions) are met, the policy can trigger the clients to switch to a new location with different security settings.

The best security policies typically depend on where the client is located when it connects to the network. When you enable location awareness, it ensures that the strictest security policy is assigned to a client when you need it.

To add a location with a wizard

  1. In the console, click Clients.
  2. On the Clients page, under View Clients, select the group to add one or more locations to.
  3. On the Policies tab, uncheck Inherit policies and settings from parent group "group name".
    Add locations only to groups that do not inherit policies from the parent group.
  4. Under Tasks, click Add Location.
  5. In the Welcome to the Add Location Wizard panel, click Next.
  6. In the Specify Location Name panel, type a name and description for the new location, and click Next.
  7. In the Specify a Condition panel, select any of the following conditions under which a client switches from one location to another:
    • No specific condition: Select this option so that the client can choose this location if multiple locations are available.
    • IP address range: Select this option so that the client can choose this location if its IP address is included in the specified range. Specify both the start IP address and end IP address.
    • Subnet address and subnet mask: Select this option so that the client can choose this location if its subnet mask and subnet address are specified.
    • DNS server: Select this option so that the client can choose this location if it connects to the specified DNS server.
    • Client can resolve host name: Select this option so that the client can choose this location if it connects to the specified domain name and DNS resolve address.
    • Client can connect to management server: Select this option so that the client can choose this location if it connects to the specified management server.
    • Network connection type: Select this option so that the client can choose this location if it connects to the specified type of networking connection.
  8. Click Next.
  9. In the Add Location Wizard Complete panel, click Finish.

Locations and firewall policies

The Endpoint Protection Manager includes a default Firewall Policy with firewall rules and firewall settings for the office environment. The office environment is normally under the protection of corporate firewalls, boundary packet filters, or antivirus servers. Therefore, it is normally more secure than most home environments where limited boundary protection is available.

When the console is installed for the first time, it automatically adds a default Firewall Policy to each group. Every time you add a new location, the console automatically copies a Firewall Policy to the default location.

If the default protection is not appropriate, you can customize it using the Firewall Policy for each location, such as for a home site or customer site. If the default Firewall Policy is not what you need, you can edit or replace the policy with another shared policy.

Firewall policy elements

Firewall rules: Firewall rules are policy components that control how the firewall protects computers from malicious incoming traffic and applications. The firewall automatically checks all incoming and outgoing packets against these rules, and allows or blocks the packets based on information specified in rules.

Smart traffic filters: Allows the specific types of traffic that are required on most networks, such as DHCP, DNS, and WINS traffic.
See Firewall Policy Built-in Rules - Smart traffic filtering

Traffic and stealth settings: Detects and blocks traffic that comes from certain drivers, protocols, and other sources.
See Firewall Policy - Protection and Stealth Settings

Peer-to-peer authentication settings: Blocks a remote computer from connecting to a client computer until the client computer has authenticated that remote computer.
See Firewall Policy - Blocking a remote computer by configuring peer-to-peer authentication

A location can be set to client control or mixed control so that the user can customize the Firewall Policy.

You can edit or create firewall policies similar to other types of policies. In addition, you can assign, withdraw, replace, copy, export, import, or delete firewall policies.

Typically, you can assign a policy to multiple groups in the security network. Create a non-shared, location-specific policy if there are specific requirements for a particular location.

Symantec recommends that you become familiar with the basics of policy configuration when working with policies.