Infected hosts are not always identified by endpoint AV alone. MSS uses logs and alert correlation from many sources to identify and alert on malicious activity, and more streams of log data mean more capability to recognize malicious activity on a customer's network. Symantec MSS correlates logs from network security devices against multiple threat feeds and MSS intelligence to alert on malicious activity. Most firewall devices are placed at the network perimeter and do not always have visibility into the specific endpoint systems that engaged in malicious activity, nor do they see communication between peers on the same network segment when that traffic never crosses the perimeter. Identifying the true source of malicious activity is also harder when the traffic traverses unmonitored network security devices before it triggers an alert; this too makes identifying the infected host more difficult.
When firewall logs from either endpoint machines or internal firewall devices are not available, identifying the host involved in an incident is difficult because no host information is available. Insufficient endpoint visibility can also leave malicious activity undetected altogether.
This document outlines the steps to enable firewall in Symantec Endpoint Protection software and the benefits and best practices.
Symantec Endpoint Protection (SEP) has several built-in modules, such as Antivirus, IPS, Application/Device Control, Client Operations, and Firewall. The antivirus and IPS modules are almost always enabled on monitored endpoints, but the firewall module is infrequently enabled. Although endpoint machines are monitored by perimeter network devices such as firewalls and IDS, MSS may not have complete visibility into the internal network because of address translation, network infrastructure design, or specific traffic that does not traverse a monitored network perimeter. As a result, identifying the right endpoint node during an infection or targeted attack consumes a considerable amount of time for the customer's system and network engineers. This delays mitigation steps and may lead to further damage to the host, data and systems.
By enabling firewall logging in SEP, the MSS SOC can identify attacks or malicious traffic directly from the host machine, rather than from the NAT-translated traffic seen at perimeter devices, which must be traced back to the original host by correlating perimeter logs and timestamps.
In a scenario where no address translation is applied and the logs from the monitored firewall devices already contain the true source host IP, this solution does not apply.
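The tracing problem described above, as an added example that is not part of the original document: a perimeter firewall alert carries only the NAT public address, and the endpoint firewall log carries the hostname and private address. The script correlates the two by destination address, destination port and a time window. The key=value log format, the hostnames and all addresses are constructed for this example and are not SEP's export format; the 30-second window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class FlowEvent:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    host: Optional[str] = None  # only endpoint logs carry a hostname


def parse_kv_line(line: str) -> FlowEvent:
    """Parse a constructed 'key=value' log line (not a real SEP or firewall format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return FlowEvent(
        ts=datetime.fromisoformat(fields["ts"].replace("Z", "+00:00")),
        src_ip=fields["src"],
        dst_ip=fields["dst"],
        dst_port=int(fields["dport"]),
        host=fields.get("host"),
    )


def correlate(perimeter: FlowEvent, endpoint_events: List[FlowEvent],
              window_s: int = 30) -> List[FlowEvent]:
    """Endpoint events that share destination IP and port with the perimeter
    alert and fall within +/- window_s seconds of it."""
    window = timedelta(seconds=window_s)
    return [
        e for e in endpoint_events
        if e.dst_ip == perimeter.dst_ip
        and e.dst_port == perimeter.dst_port
        and abs(e.ts - perimeter.ts) <= window
    ]


def identify_true_source(perimeter_line: str, endpoint_lines: List[str],
                         window_s: int = 30) -> List[Tuple[str, str]]:
    """Return (hostname, private IP) candidates for the NAT'd perimeter alert.
    An empty list means the endpoint logs give no host information for it."""
    alert = parse_kv_line(perimeter_line)
    endpoints = [parse_kv_line(line) for line in endpoint_lines]
    return [(e.host, e.src_ip) for e in correlate(alert, endpoints, window_s)]


# Constructed sample data: the perimeter device only sees the NAT address 203.0.113.10.
PERIMETER_ALERT = (
    "ts=2024-05-01T10:15:32Z src=203.0.113.10 dst=198.51.100.77 dport=4444 action=allow"
)
ENDPOINT_LOG = [
    "ts=2024-05-01T10:15:31Z host=WS-0421 src=10.1.5.23 dst=198.51.100.77 dport=4444 action=allow",
    "ts=2024-05-01T10:15:33Z host=WS-0118 src=10.1.5.40 dst=198.51.100.20 dport=443 action=allow",
    # Same destination, but 35 minutes earlier: outside the window, so not the source.
    "ts=2024-05-01T09:40:02Z host=WS-0207 src=10.1.5.61 dst=198.51.100.77 dport=4444 action=allow",
]

if __name__ == "__main__":
    print(identify_true_source(PERIMETER_ALERT, ENDPOINT_LOG))
    # Without endpoint firewall logs there is nothing to correlate against.
    print(identify_true_source(PERIMETER_ALERT, []))
```

If more than one host matches within the window, the function returns all of them; narrowing further needs either a tighter window or additional fields (source port, byte counts) that the constructed sample does not include.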
Enabling Firewall Protection in SEP
The firewall protection policy in SEP allows all inbound and outbound IP-based network traffic, with the following exceptions:
Note: IPv6 is a network layer protocol that is used across the Internet. For systems that run Microsoft Vista, several default rules block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6.
The default firewall protection restricts inbound connections for a few protocols that are often used in attacks (for example, Windows file sharing). Connections from internal networks are allowed and connections from external networks are blocked.
Enabling the endpoint firewall module consumes additional endpoint resources. The overhead can be minimized by authorizing internal-to-internal traffic in a separate rule that ignores the RFC 1918 IP ranges, so that such traffic is not logged.
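A minimal first-match rule evaluator that shows the effect of the separate RFC 1918 rule, added here as an example and not SEP's own policy engine or rule syntax. It allows internal-to-internal traffic without logging, blocks and logs inbound file-sharing attempts from non-internal addresses, and allows and logs everything else, which is the traffic that gives the SOC the true source IP. The file-sharing ports (139 and 445) are the well-known SMB ports and are an assumption of the example; the page names none. All sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# RFC 1918 private ranges; traffic that stays inside them is "internal to internal".
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for an IPv4 address in an RFC 1918 range; IPv6 is never treated as internal here."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "inbound" or "outbound", relative to the endpoint


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str  # "allow" or "block"
    log: bool


# Assumed well-known Windows file-sharing ports (NetBIOS session and direct-hosted SMB).
FILE_SHARING_PORTS = {139, 445}

RULES: List[Rule] = [
    # 1. Internal-to-internal: allow without logging to save endpoint resources.
    Rule("internal-to-internal",
         lambda p: is_rfc1918(p.src) and is_rfc1918(p.dst), "allow", log=False),
    # 2. Inbound file sharing that did not match rule 1 is external: block and log.
    Rule("block-external-file-sharing",
         lambda p: p.direction == "inbound" and p.dport in FILE_SHARING_PORTS, "block", log=True),
    # 3. Everything else: allow and log, so the SOC sees the real host address.
    Rule("default-allow-logged", lambda p: True, "allow", log=True),
]


def evaluate(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str, bool]:
    """First matching rule wins; returns (rule name, action, whether it is logged)."""
    for r in rules:
        if r.match(p):
            return (r.name, r.action, r.log)
    raise RuntimeError("no rule matched")  # unreachable while a catch-all rule is last


def process(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    """Log lines the endpoint would emit; internal-to-internal traffic produces none."""
    lines = []
    for p in packets:
        name, action, logged = evaluate(p, rules)
        if logged:
            lines.append(f"{action} {p.direction} src={p.src} dst={p.dst} dport={p.dport} rule={name}")
    return lines


# Constructed sample traffic.
SAMPLE = [
    Packet("10.1.5.23", "10.1.5.40", 445, "outbound"),        # internal file share: allow, no log
    Packet("203.0.113.10", "10.1.5.23", 445, "inbound"),      # external SMB attempt: block, log
    Packet("10.1.5.23", "198.51.100.77", 4444, "outbound"),   # outbound to the internet: allow, log
    Packet("192.168.1.9", "10.1.5.23", 22, "inbound"),        # internal: allow, no log
]

if __name__ == "__main__":
    for line in process(SAMPLE):
        print(line)
```

Rule order matters: if the RFC 1918 rule were placed after the file-sharing rule, internal SMB traffic would be blocked, contradicting the policy that internal connections are allowed.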
Other Benefits from MSS
In addition to identifying true source IPs, the logs from the endpoint firewall also provide a larger set of benefits from MSS, outlined below: