Endpoint Protection


Symantec EndPoint IPS problems, ftp server attacked (test server) - Doesn't prevent UDP Flood Attacks

  • 1.  Symantec EndPoint IPS problems, ftp server attacked (test server) - Doesn't prevent UDP Flood Attacks

    Posted Apr 22, 2009 11:49 AM
    Hello All,

    Sorry if this has been posted before; I have been searching everywhere and cannot locate any help for my problems. Sorry also if this is not the appropriate forum for this topic.

    We are demoing the endpoint protection software against MS Forefront and I am having problems with Symantec's IPS app in the suite: it is not blocking any brute force attempts on the ftp server. I can monitor the traffic and see it going through the Symantec software, but someone could be connected all day trying a multitude of login credentials to authenticate against the ftp server and Symantec never blocks or bans these IPs. Mostly these are coming from China.

    If I turn on the hardware firewall and run our normal setup the problems are resolved, but in testing the endpoint software as a backup solution or 2nd line of defense, it completely ignores these brute force attacks.

    I have made sure the firewall is running and made sure all the applicable options in IPS are selected. I even invoked the Peer to Peer connection timeout requests, and the Symantec software just never does anything about this traffic. Heck, the monitors don't even show it as an attack and it isn't even logged.


    Also,

    If I do packet flooding like UDP floods against the server with the endpoint software, it doesn't block the offending IP; it continues to let the UDP attacks in.

    I have the standard firewall rules set (OOB). Can someone please explain what I am doing wrong, or whether the software is not supposed to prevent these kinds of attack? Any help would be appreciated, thanks!

    Mike A.


  • 2.  RE: Symantec EndPoint IPS problems, ftp server attacked (test server) - Doesn't prevent UDP Flood Attacks

    Posted Apr 22, 2009 09:43 PM
    It is always advised to have a combination of host-based and network-based firewall and IPS/IDS.
    Host-based firewall and IPS work well if there is an internal attack.
    However, for external attacks it is always advised to have NIDS/NIPS.
    You can create custom Intrusion Prevention signatures in order to block these attacks.

    However, I would like you to configure your firewall rules in a more stringent way if you want it to actually block a few things, because by default SEP firewall rules are set so that everything should work and there should be no hardening of the server after installing the firewall.

    Please read the white paper for the SEP firewall and configure it accordingly.

    Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121714495348

    Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032011043948

    I hope this helps.
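To illustrate what a custom brute-force check for the ftp server in this thread would have to detect, here is an added example (not from Symantec or either poster): a small Python detector that parses constructed ftp log lines (the `time ip user status` format is an assumption) and flags any source IP with five or more 530 "login failed" responses inside a one-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "time ip user status" format.
# 530 = FTP "not logged in" (failed login); 230 = "user logged in".
SAMPLE_LOG = """\
2009-04-22 11:40:01 203.0.113.7 administrator 530
2009-04-22 11:40:03 203.0.113.7 admin 530
2009-04-22 11:40:05 203.0.113.7 root 530
2009-04-22 11:40:06 203.0.113.7 ftp 530
2009-04-22 11:40:08 203.0.113.7 test 530
2009-04-22 11:41:00 198.51.100.9 mike 230
2009-04-22 11:45:00 198.51.100.9 mike 530
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, ip, user, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each offending IP to the time it crossed `threshold` failures in `window`."""
    failures = defaultdict(list)  # ip -> timestamps of recent 530 responses
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _user, status = rec
        if status != 530:
            continue
        times = failures[ip]
        times.append(ts)
        # Sliding window: forget failures older than `window` relative to this one.
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"{when}: {ip} exceeded failed-login threshold")
```

The same sliding-window logic is what an IPS signature or firewall rule would need to express; a single failed login from 198.51.100.9 is left alone, while the burst from 203.0.113.7 is flagged on its fifth failure.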


  • 3.  RE: Symantec EndPoint IPS problems, ftp server attacked (test server) - Doesn't prevent UDP Flood Attacks

    Posted Apr 23, 2009 12:13 AM
    My two cents... you might want to start creating custom rulesets for your IPS on SEP if you are seeing something that is not built in. Having said that, multi-layer defense such as network IPS and application-layer security would do a world of good against such attacks. Finally, patching... You gotta do that...