Endpoint Protection

  • 1.  SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 03:16 PM
     I need to present a list of reasons to management why the SEP client firewall is a better option for our domain workstations than the built-in Windows firewall. Here is what I have come up with so far. Are there any other SEP firewall advantages I could list? Am I right in saying some of the below options can't be done with the Windows firewall? We have about 79% of our workstations on XP, the rest are on Win7, all with SEP 11.0.5.

    1. SEP firewall is stateful (unsure if Windows firewall is stateful or not)
    2. SEP has location awareness configurable with several options (I'm trying to compile a list of all options). Windows XP firewall does not; Windows 7 firewall only has three categories: Home, Work and Public.
    3. Both can be centrally managed, SEP through SEPM and Windows via GPO, but SEP can have separate policies based on many location options, whereas we'd have to make multiple AD groups or OUs to set separate firewall GPO policies.
    4. SEP firewall can block split tunneling by disabling wireless adapters when wired, Windows firewall cannot. 
    5. SEP has Smart Traffic Filtering, Windows does not (?)
    6. SEP firewall can block all or some websites, Windows firewall cannot (?)




  • 2.  RE: SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 03:24 PM


    Title: 'About Windows Firewall and Symantec Endpoint Protection's NTP'
    Document ID: 2009120816110248
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009120816110248?Open&seg=ent




    Title: 'Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper'
    Document ID: 2007121714495348
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2007121714495348?Open&seg=ent




  • 3.  RE: SEP firewall vs. Windows firewall
    Best Answer

    Posted Aug 23, 2010 03:30 PM


  • 4.  RE: SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 03:32 PM

    The firewall components in Symantec Endpoint Protection have a long pedigree, both prior to acquisition with Sygate and also post acquisition with Symantec. It is a mature and enterprise-ready product, consistently performing well and meeting our customers’ complex requirements.

    With SEP, the combination of two strong enterprise firewall products has resulted in a very well-rounded firewall offering suitable for SMB and large enterprises and encompassing the following features:

    o Enterprise Class rules based stateful firewall engine
    o Triple Intrusion Prevention Engine
    o Scalable Location Awareness
    o Application and Device Control
    o Detailed Logging and Reporting
    o Advanced Network Security protection technologies

    In contrast, the Windows Vista firewall is a relative newcomer to the client firewall arena. Based on the Windows XP firewall, its security has been slowly increased through different production revisions and service packs. Initially it was a very basic inbound traffic based filter. Windows XP SP2 introduced the concept of applications and ICMP but was still only able to block inbound communications – all outbound connections were allowed.

    Windows Vista enhances this feature set and adds the following new capabilities:
    o IPv6 connection filtering
    o Outbound packet filtering, reflecting increasing concerns about spyware and viruses that attempt to "phone home"
    o With the advanced packet filter, rules can also be specified for source and destination IP addresses and port ranges
    o Rules can be configured for services by their service name, chosen from a list, without needing to specify the full path file name
    o IPsec is fully integrated, allowing connections to be allowed or denied based on security certificates, Kerberos authentication, etc. Encryption can also be required for any kind of connection
    o A new management console snap-in named Windows Firewall with Advanced Security which provides access to many advanced options, and enables remote administration
    o Ability to have separate firewall profiles for when computers are domain-joined or connected to a private or public network. Support for the creation of rules for enforcing server and domain isolation policies


    The major downside to the Windows Vista firewall however is that it still provides no form of reporting or central monitoring, even though they are now able to configure the product with much more granularity than before; administrators are still “blind” when it comes to seeing what’s happening on their client machines.


  • 5.  RE: SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 03:32 PM
    Oops, I think I was late. Prachand answered it before me :)


  • 6.  RE: SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 03:55 PM
    This link is helpful:  https://www-secure.symantec.com/connect/forums/windows-firewall-vs-symantec-endpoint-network-threat-protection-firewall

    Also this is helpful: "The major downside to the Windows Vista firewall however is that it still provides no form of reporting or central monitoring, even though they are now able to configure the product with much more granularity than before; administrators are still “blind” when it comes to seeing what’s happening on their client machines."

    I already have NTP installed and the firewall policy withdrawn on all the workstations. So the "About Windows Firewall" document does not apply to my question.

    The "Best Practices" document also does not apply, because it does not discuss any Windows firewall options or capabilities. In fact, if you Ctrl+F and search for "Windows" there are no results. This document will be helpful *if* and when I can enable the SEP firewall on our network, but I won't get to that point until I can convince management *why* SEP's firewall is better than Windows'.

    So far the only point I am able to add to my list above is the paragraph about the better logging capabilities of SEP since the Windows firewall does not provide logging.  Excellent point, thank you. 

    If you know of additional limitations of the Windows firewall please reply and I will include them into my list.


  • 7.  RE: SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 04:21 PM
    The Vista Firewall is capable of scanning inbound & outbound connections; you will only be notified about inbound connections that get blocked. That means that most outbound connections will silently be blocked.

    In SEP firewall you can schedule a rule:
    https://www-secure.symantec.com/connect/forums/rules-schedule


  • 8.  RE: SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 05:08 PM
    Scheduled/time-based rule, another great benefit of the SEP firewall over the Windows firewall. Thank you. Please keep 'em comin'.


  • 9.  RE: SEP firewall vs. Windows firewall

    Posted Aug 23, 2010 05:21 PM