Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper
An illustrated version of this white paper is available in .pdf format.
When computers in a private network connect to the Internet, they physically connect their network to countless unknown networks. While most connections pose no threat to your computer or your network, there are, rogue individuals, such as hackers and script kiddies, who attempt to infiltrate your network through unprotected computers. A successful attack can compromise classified information, halt productivity, and consequently destroy reputations and brand value.
Firewalls that are installed on endpoint computers protect against such attacks by creating a barrier between the computers and the external networks, including the Internet. This paper focuses on the network threat protection (or client firewall) component of Symantec™ Endpoint Protection; specifically the client firewall’s purpose, elements of a firewall policy, how firewall rules are processed, and a best practice approach for implementing a firewall policy in your network.
The Challenge of Configuring the Client Firewall
Firewalls are only as good as the policies they enforce. A poorly constructed policy can effectively let attackers in, while preventing trusted sources from accessing necessary resources. Before you configure the client firewall, you should understand how the firewall processes rules, how to create rules effectively (protect while maximizing performance), and how the firewall interacts with the other components of Symantec Endpoint Protection.
What is Symantec Endpoint Protection 11.0 and Network Threat Protection?
Symantec Endpoint Protection 11.0 protects endpoint computing devices from viruses, threats, and risks, and provides three layers of protection to your endpoint computing devices. The layers are network threat protection, proactive threat protection, and antivirus and antispyware protection. Network threat protection blocks threats from accessing your computer by using rules and signatures. Proactive threat protection identifies and mitigates the threats based on the threats’ behavior. Antivirus and antispyware threat protection identifies and mitigates the threats that attempt to or have gained access to your computers by using the Symantec signatures. The Symantec Endpoint Protection client firewall provides a barrier between the computer and the outside network. The client firewall prevents unauthorized users from accessing the computers and the networks that connect to the Internet, detects possible hacker attacks, protects personal information, and eliminates unwanted sources of network traffic. The firewall also protects against network threats and malware that attempt to proliferate in your network, such as bots. All the information that enters or leaves the client computer must pass through the client firewall, which examines the information packets. The client firewall blocks packets that do not meet the specified security criteria.
Firewall policies consist of one or more rules that work together to allow or block users from accessing the network. Firewall policies include the following elements:
- Firewall Rules
- Stateful Inspection
- Rule Priority Number
- Control Type
- Default Firewall Rules
- Smart Traffic Filtering
- NetBIOS and Token Rings
- Stealth Settings
Firewall rules control how the client protects the client computer from malicious inbound traffic and applications, in addition to malicious outbound traffic. Firewall rules can make the computer invisible to others on the Internet, protect remote users from hacker attacks, and prevent hackers from gaining backdoor access to the corporate network through these computers.
Smart traffic filters allow the specific types of traffic that are required on most networks such as DHCP, DNS, and WINS. Examples of traffic and stealth settings that enable additional traffic features are driver-level protection, NetBIOS protection, token ring traffic, DNS reverse lookup, and stealth mode settings. In general, a firewall rule describes the conditions in which a network connection may be allowed or denied.
Use the following firewall components to define the criteria for a firewall rule:
- Triggers – Triggers include applications, hosts, protocol, and network adapters. The trigger definitions can be combined to form more complex rules, such as identifying a particular protocol in relation to a specific destination address. When rules are evaluated, all triggers must be true for a positive match to occur. If any trigger is not true in relation to the current packet, the rule cannot be applied.
Use the following firewall components to define the criteria for a firewall rule:
- Conditional Parameters – Conditional parameters do not describe an aspect of a network connection. Instead, the conditional parameters define the criteria that are used to determine the active state of a rule. The conditional parameters are optional and have no significance if they are not defined. When these parameters are defined, the perceived state of the rule is directly affected. You may define a schedule, or identify a screen saver state that dictates when a rule is considered active or inactive. The firewall does not evaluate inactive rules when packets are received.
- Action Parameters – Action parameters specify what actions are taken on a successful match of the rule. If the rule is selected in response to a received packet, all actions are executed. The packet is allowed or denied, and logging may occur as configured.
The firewall uses stateful inspection. Stateful inspection is a process that tracks currently allowed connections. A unique combination of destination IP addresses, ports, and applications identifies a connection.
The client makes traffic flow decisions by using the connection information. When a newly received packet matches an existing allowed connection, the packet does not go through the rule inspection process. The packet is allowed automatically. More importantly, stateful inspection enables the simplification of the rule base. For traffic that is initiated in one direction only, you do not have to create rules that permit traffic in both directions. Client traffic that is typically initiated in one direction includes Telnet (port 23), HTTP (port 80), and HTTPS (port 443). For these protocols, create the outbound rule only, the response is allowed automatically by the SEP client.
How firewall rules are prioritized
A priority number is assigned automatically to each rule in the firewall table. The rule number determines the processing order for rules. The Symantec Endpoint Protection client firewall processes the firewall rule set in sequential order, starting at rule number one.
The rule severity (zero through fifteen) determines how critical the rule is when triggered:
Rules are not logically combined in any way and the firewall does not implement a best-fit algorithm. This scenario makes rule set design and troubleshooting simpler because you do not need to consider rule selection logic beyond simple traffic matching.
The firewall rule set contains a blue dividing line:
System administrators with full access control can modify the highest priority rules that are placed above the blue line.
Clients who are in mixed control can sometimes modify the lesser priority rules that are placed below the blue line.
Rules are categorized as server rules or client rules: Server rules are created on the management server and downloaded to the client. Client rules are the rules that a user creates on a client.
The following shows the relationship between the client user’s control level and the user’s interaction regarding firewall rules:
- In Server Control the client receives server rules, but the user cannot view them. The user cannot create client rules.
- In Mixed Control, the client receives server rules and the user can view those rules in the Firewall Rules dialog box. The user can also create rules that are merged with existing rules. However, client rules go below the blue line and have a lesser priority.
- In Client Control, the client has full control. A best practice is to use caution when giving your users mixed or client control.
For clients in mixed control, the firewall processes server rules and client rules in a particular order. Server rules with high priority levels are processed first. Client rules are processed second, and server rules with a lower priority are processed last.
Use caution when setting a client to mixed control, because the user can create a client rule that allows all traffic, and this rule overrides all server rules below the blue line.
Default Firewall Rules
The firewall is installed with default rules that are classified as Allow, Deny, Block and Log, or Log only.
The Allow rules include fragmented packets and Wireless Extensible Authentication Protocol Over LANS (Wireless EAPOL). Wireless EAPOL is defined currently for Ethernet-like LANs including 802.1x wireless, as well as token ring LANs (including FDDI). Also allowed are MS Remote Access and Routing ARP Driver, all outbound business applications, all outbound ping, pong, tracert, and VPN are allowed.
The Deny rules include blocking IPv6, IPv6 over IPv4, local file sharing, and Remote Administration
Logging rules include: Do not log broadcast and multicast traffic, block and log IP traffic, and block all other traffic.
Smart Traffic Filtering
Smart traffic filtering enables the use of essential network services without rules being defined to explicitly allow those services.
Smart filters are enabled by default and are defined for the following services:
Smart filters are evaluated before rule set examination, which means that any packet that matches an active occurrence of a Smart Filter is allowed. All others are denied. The DHCP, DNS, or WINS request must originate from the client computer and the response must occur within a predefined five-second period. The server sends the response and the response type is verified as valid in relation to the original client request.
Smart DHCP enables normal DHCP broadcast messaging to occur without a rule also being defined. The client DHCP messages must be configured to obtain an IP address automatically.
How the smart filter mechanism handles DHCP exchange messages:
- The client first issues a broadcast DHCP Discover message. The sending of this message causes the creation of a new smart filter.
- The server must respond with an OFFER, within the relevant five-second window. Remember that each smart filter connection times out in five seconds.
- The client then issues a broadcast DHCP Request message, which creates another smart filter, and the server must respond with an ACKNOWLEDGEMENT, within the relevant five-second window.
The interface through which DNS requests are transmitted must be configured in the TCP/IP settings with a primary, and optionally, a secondary DNS server. The primary and secondary server assignments can be manually configured, or received using DHCP addressing. Only requests that are initiated by the client, and addressed to the specified primary or secondary DNS servers are allowed. Any other DNS request is denied automatically.
Smart WINS enables the use of the WINS service. WINS requests must be configured to use WINS resolution in the TCP/IP advanced settings. Unlike DNS, which is limited to a primary and a secondary server specification, any number of WINS servers may be defined. Only requests that are initiated by the client and addressed to a predefined WINS server are allowed. Any other WINS request is denied automatically. The client's resolution request causes a new smart filter to be added to the list, which defines a five-second response window in relation to the particular request made. The solicited server must respond, and the response must be received within the specified time period. The content of the response is validated against the original request as well. Invalid responses are ignored.
NetBIOS and Token Rings
You can enable traffic settings on the client to detect and block the traffic that communicates through drivers, NetBIOS, and token rings. You can also configure settings to detect the traffic that uses a more invisible attack.
Traffic Settings include the following:
- Enable driver-level protection that is enabled by default. When this option is enabled, any protocol driver that accesses a network is seen as a network application. Protocol drivers can be blocked or allowed dynamically. Note that Enable NetBIOS protection is not enabled by default. When this option is enabled, the firewall policy prevents a client from receiving NetBIOS packets on UDP 88, UDP 137, UDP 138, TCP 135, TCP 139, TCP 445, and TCP 1026 that originate from the computers that are located on a different subnet.
- Allow token ring traffic is enabled by default. When clients communicate through a token ring adapter, this option must be enabled in a firewall policy so the client can access the network.
- Enable reverse DNS lookup is enabled by default. When the client intercepts an IP packet that has an unknown IP address, this option allows a reverse DNS request to be sent that attempts to resolve the domain name.
- Enable anti-MAC spoofing is disabled by default. When this option is enabled, Anti-MAC spoofing protects a computer from allowing another computer to reset a MAC address table.
When configuring stealth settings, compatibility issues depend on which settings are enabled. Some settings can make Web sites render incorrectly. Other settings can cause all traffic to be blocked when an incompatible NIC card is installed. Unlike Traffic Settings, all Stealth Settings are disabled.
You can configure the following stealth settings:
- Enable stealth mode Web browsing: This setting detects all HTTP traffic on port 80 from a Web browser and removes information such as the browser name, version, the operating system, and the reference to the Web page. This setting stops Web sites from knowing which operating system and browser the client uses.
- Enable TCP resequencing: This setting prevents an intruder from taking advantage of the ability to forge (or spoof) a computer’s IP address by randomizing TCP sequence numbers.
- Enable OS fingerprint masquerading: This setting keeps programs from detecting a computer’s operating system that runs the SEP client software. This setting works best when TCP resequencing is enabled. The client changes the Time-To-Live (TTL) and identification value of TCP/IP packets to prevent other programs from identifying an operating system by using packet signatures.
Order of Rule Processing
The following shows the order in which all Network Threat Protection elements are processed. These elements include traffic and stealth settings:
- Custom Intrusion Prevention signatures are processed first.
- Next, Intrusion Prevention settings, traffic settings, and stealth settings are processed.
- Then, Smart traffic filters and Firewall rules are processed.
- Finally, Port scan checking and IPS signatures that are downloaded through LiveUpdate are processed.
The intrusion prevention system (IPS) is the client's second layer of defense after the firewall. The intrusion prevention system is a network-based system that operates on every computer on which the client is installed and the IPS system is enabled. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.
The client contains smart attack signatures that are less likely to allow an intrusion attack. The client also contains a stateful engine that tracks all the incoming and the outgoing traffic. The client includes the intrusion prevention engine and a corresponding set of attack signatures by default.
You can block certain types of intrusion prevention attacks on the client, which depend on the intrusion prevention settings that you select. For example, you must enable the Enable Intrusion Prevention setting to enable the Symantec IPS signature engine and the Custom IPS signature engine.
You can configure the following Intrusion Prevention Settings:
- Enable Intrusion Prevention – Automatically detects and blocks network attacks. If you do not enable this setting, the client ignores possible attack signatures.
- Enable Denial of Service – Detection that identifies known attacks based on multiple packets.
- Enable Port Scan Detection – Monitors all incoming packets that any security rule blocks.
- Automatically block an attacker’s IP address – Blocks network traffic from the attacker for a configurable duration (default 10 minutes)
Note that if you set the client to mixed control, you must also enable these settings in the Client/Server Control Settings dialog box.
Best Practice – Applying Firewall Policies in Your Network
Before you apply a firewall policy to your entire network, you should apply the policy to a small subset of clients that is representative of your network. If possible, you should initially apply the policy in a test environment. Symantec Endpoint Protection provides the default firewall policy as a foundation for you to build upon. In most cases, you must make modifications to the default firewall policy to accommodate your network’s architecture and your company’s security policy.
The firewall’s use of stateful inspection simplifies rule creation and maintenance, and allows your client computers to make necessary connections while being protected. Components of the firewall policy that are not based on firewall rules also protect your client computers. These components include intrusion prevention and smart traffic filters.
When you are ready to apply a firewall policy to your network, you should follow the following steps:
- Leverage Intrusion Prevention protection
- Apply the firewall policy to a small subset of computers
- Monitoring network traffic through logs
- Fine-Tune policies based on network information that was gathered in logs
- Apply the modified firewall policy to your network
Enable and Configure Intrusion Prevention
Regardless of how you configure other Network Threat Protection features, you can protect your clients and servers from many network attacks by enabling Intrusion Prevention. Intrusion Prevention is an effective method to block known attacks. As signatures are created for new attacks, you can protect your computers by updating your IPS signatures through LiveUpdate. Additionally, you can create custom intrusion prevention signatures, which are processed first by the firewall.
Apply the firewall policy
The default firewall policy can potentially block the traffic that is necessary for your company to perform its business activities. To avoid this possibility, you should modify the default policy by making it more permissive.
You can make the default policy more permissive by performing either of the following modifications:
- Change some or all default Block rules to Permit, and ensure that these rules’ Logging option are set to Write to the Traffic log, so that every time traffic matches these rules the information is logged.
- Create a new rule (Permissive Rule), and set it to Permit and to Write to the Traffic log. Move this Permissive Rule to the top of the firewall so that it processes first.
Monitor network traffic
After you apply the modified firewall policy, you can monitor and analyze the traffic that passes through your client computers from the Symantec Endpoint Protection Manager Console. From the traffic logs, you can determine which traffic should be allowed or blocked based on application, time of day, or service.
Fine-Tune firewall policy
After you have examined the information in the traffic logs, you can use the information to modify your firewall policy. You can also tighten or loosen your firewall policy by configuring Traffic and Stealth Settings, which allows or prevents some types of network traffic.
In general, you can tighten your firewall policy by restricting applications from accessing the network or launching. You can do so by creating custom firewall rules for specific applications. But there are limitations, as firewall rules that block certain applications from accessing the network still allow the application to launch. This result may not be what you intended.
Another method that you may want to explore, which can be more efficient, uses using an Application Control policy. Through an Application Control policy, you can block applications from executing.
You should gradually tighten your firewall policy in iterations. For example, you can block one or two applications at a time, then test the policy again. If there are no problems, you can continue to make your policy more restrictive as necessary.
Roll out modified firewall policy to your entire network
After you complete the modification of your firewall policy based on the network information from the traffic logs and environment tests, you can roll out the firewall policy to your entire network with great confidence that the firewall protects your client computers and allows the necessary traffic through.
For more information on the Symantec Endpoint Protection client firewall and application control, refer to the Symantec Endpoint Protection Administration Guide and Symantec Endpoint Protection Client Guide.
Imported Document Id