Best Practices: Symantec Endpoint Protection Manager in a Demilitarized Zone
Article ID: 155708
Products

Endpoint Protection

Issue/Introduction

You need to know the best practices for exposing a Symantec Endpoint Protection Manager (SEPM) to the Internet in a Demilitarized Zone (DMZ) or as a Bastion host.

Environment

Any

Resolution

To prevent possible exploitation of the SEPM, Symantec does not recommend connecting a SEPM directly to the Internet without first taking appropriate measures to secure and harden the SEPM and its underlying operating system.

If you require an Internet-accessible SEPM, you can minimize your exposure to attack by taking the following actions:

  1. If possible, block access to SEPM ports not needed for client-server communications
  2. If you are unable to update to the latest version of SEPM, review any security advisories related to your SEPM version, and apply any mitigation steps
  3. Install Symantec Endpoint Protection (SEP) client and enable all protection technologies
  4. Install the Symantec Data Center Security (DCS) client to harden the operating system against possible attacks (see https://www.symantec.com/products/threat-protection/data-center-security for more information)
  5. Regularly audit the security of your computers in the DMZ

Configure Firewall Rules

To minimize exposure to exploitation attempts, only allow incoming connections over the ports you absolutely need. For example:

  1. Block external access to the SEPM Web services port (default: TCP 8446)
  2. Block external access to the SEPM Reporting server (default: TCP 8445)
  3. Block external access to the SEPM Console port (default: TCP 8443)
  4. If you plan to host clients outside of the DMZ, allow external access to the SEPM client-server communications port(s) (default HTTP: TCP 8014, default HTTPS: TCP 443)
  5. If you only plan to host clients in the DMZ, block external access to the client-server communications port(s)
  6. If your SEPM database is on a Microsoft SQL Server that is not in the DMZ, you must allow communications between the SEPM and the SQL Server (default: TCP 1433)

Replication

SEPM replication takes place over the SEPM communications port (default: TCP 8443). To limit exposure to attacks, do not directly connect your replication partner SEPM to the Internet. If you must replicate with a SEPM in the DMZ, you must allow communications between the replication partner SEPM servers over the SEPM communications port.
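Added here as an example of the host-level layer of the firewall and replication rules above (it is not part of the Symantec article): Windows Defender Firewall rules on the SEPM host, created with the NetSecurity cmdlets, that expose the console, reporting and web services ports only to an assumed management subnet (plus the replication partner for TCP 8443), open the client ports to the outside only when clients live outside the DMZ, and let the SEPM reach an assumed SQL Server. All addresses are placeholders, and the perimeter firewall in front of the DMZ still needs the equivalent rules.

```powershell
# Assumed placeholder values (not from the article); adjust to your network.
$MgmtSubnet         = '10.10.0.0/16'   # where SEPM administrators connect from
$DmzSubnet          = '192.0.2.0/24'   # the DMZ segment the SEPM sits in
$ReplicationPartner = '10.10.5.20'     # partner SEPM, outside the DMZ
$SqlServer          = '10.20.0.5'      # SEPM SQL Server database, outside the DMZ
$ClientsOutsideDmz  = $true            # $false if only DMZ hosts run the SEP client

# Drop unsolicited inbound traffic by default on every profile, so that only
# the explicit allow rules below are reachable.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Management-only ports: console (8443), reporting (8445), web services (8446).
# 8443 is also the replication port, so the replication partner is allowed there.
foreach ($port in 8443, 8445, 8446) {
    $sources = if ($port -eq 8443) { @($MgmtSubnet, $ReplicationPartner) } else { @($MgmtSubnet) }
    New-NetFirewallRule -DisplayName "SEPM mgmt TCP $port (restricted sources)" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $sources -Action Allow -Profile Any
}

# Client-server ports: 8014 (HTTP) and 443 (HTTPS). Reachable from anywhere
# only when clients outside the DMZ must check in; otherwise DMZ hosts only.
$clientSources = if ($ClientsOutsideDmz) { 'Any' } else { $DmzSubnet }
foreach ($port in 8014, 443) {
    New-NetFirewallRule -DisplayName "SEPM client TCP $port" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $clientSources -Action Allow -Profile Any
}

# SEPM -> SQL Server (TCP 1433). Windows allows outbound traffic by default, so
# this rule only takes effect if DefaultOutboundAction is later set to Block.
New-NetFirewallRule -DisplayName 'SEPM to SQL Server TCP 1433' `
    -Direction Outbound -Protocol TCP -RemotePort 1433 `
    -RemoteAddress $SqlServer -Action Allow -Profile Any

# Verify: list every SEPM rule with its port and remote-address filters.
Get-NetFirewallRule -DisplayName 'SEPM*' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    '{0,-45} {1,-8} local={2,-5} remote_port={3,-5} remote={4}' -f $_.DisplayName, $_.Direction,
        $portFilter.LocalPort, $portFilter.RemotePort, ($addrFilter.RemoteAddress -join ',')
}
```

Run from an elevated PowerShell session on the SEPM host; the final listing is the check to repeat during the periodic DMZ audits the article recommends.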