New England Security User Group

  • 1.  Creating a containment firewall policy

    Posted Apr 12, 2012 07:30 PM

    Something I have been playing with without success for the last few weeks is a new firewall policy to contain a system. We'd like to craft a firewall policy that allows the client to communicate with the manager(s) only, allowing no other outbound communication, but that allows inbound. Something that could isolate a system if we suspected a malware infection but still allow us to remotely examine the system and possibly remediate it. 

    Other ideas we're playing with for this would be to give this group a high security AV policy, possibly a LU policy that directs to a place where we could put rapid-release definitions.

    So far the policy I have blocks outbound as configured, excepting the manager, but is not allowing inbound sessions. Any ideas?



  • 2.  RE: Creating a containment firewall policy

    Posted Apr 13, 2012 08:10 AM


  • 3.  RE: Creating a containment firewall policy

    Posted Apr 13, 2012 10:52 AM

    Not exactly what I was looking for. We are looking to create a policy that would break the system, something you normally avoid. The "block outbound only (except allows above it)" rule is proving to be something of a challenge.



  • 4.  RE: Creating a containment firewall policy

    Posted Apr 13, 2012 11:23 AM

    What you are trying to do can be achieved.

    What I would do, if I wanted to do something like this, is start with a blank canvas.

    * * * * * *

    Assess your needs.

    1 - What ports am I sure I absolutely need.

    2 - What ports am I not sure I need.

    3 - How are we going to contain?

    * * * * * * * *

    If I wanted only communication to the SEPM server, I would start by wiping all the firewall rules in a new rule set.  This will generate a message saying ALL traffic will be blocked.  Perfect, that's what we want.

    Next, I would create my rules.  Open port 8014 for communication to and from the SEPM server. We now have a single rule.  Nothing in, nothing out, except SEPM traffic.

    Screenshots below (Continued in next post)

     



  • 5.  RE: Creating a containment firewall policy

    Posted Apr 13, 2012 11:38 AM

    - Create new firewall policy.

    - Wipe all the rules, thus blocking all traffic (objective 1 met).

    * Next we create our SEPM communications policy.

    - Choose to "allow connections".

    - Choose to "allow all applications" (this can be changed later)

    - Choose the destination "only the computer or sites listed below".  In this case I would suggest specifying only the SEPM server by IP address.

    Why by IP?  Because we will be limiting all traffic.  Thus NetBIOS traffic on ports 137, 138 and 139, as well as DNS on port 53, will be blocked (unless you create rules to allow them, which is going beyond this writing, but will be possible if you follow the steps included).

    -- Select "only the communications selected below".  (Screenshot above)

    -- Click on ADD to create your protocol and port: (Other screenshot above)

    --- TCP, local port 8014, remote port 8014 - Direction BOTH.

    --- Up to you to choose to log or not. 

    - Your first rule is created.

    * * * * * * * *

    You can do the same for all the traffic you deem necessary, always evaluate what you may need.

    The last screen capture above shows Incoming, Outgoing, or Both. 

    For the rest of your rules, you can specify port ranges or multiple single ports, separated by a dash or a comma respectively; notice that there are no spaces between port numbers.

    And you choose the direction of traffic; from what you were saying, "Inbound only", so that is what you choose in the drop-down menu.

    And you will have met your second criteria.  A segregated, isolated machine.

    Hope that helps.
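
    Added example (not from either poster, and not Symantec's code): a small first-match rule evaluator that models the containment policy described in the posts above, so the rule order can be checked before building it in the SEP console. It assumes top-to-bottom, first-match evaluation with an empty rule set blocking everything, as the post describes. All addresses are constructed for illustration: 10.0.0.5 as the SEPM, 10.0.0.53 as a DNS server, 10.0.0.20 as an admin workstation and 203.0.113.10 as an arbitrary Internet host; 8014 is the SEPM client port named in the thread.

```python
"""First-match firewall rule evaluator for checking a containment policy.

Added example; rule semantics (top to bottom, first match wins, no match =
block) mirror what the posts describe, not Symantec's actual engine.
Constructed data: SEPM 10.0.0.5:8014 and the other hosts are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SEPM_IP = "10.0.0.5"   # assumed manager address; use your real SEPM IP
SEPM_PORT = 8014       # SEPM client communication port from the thread


@dataclass(frozen=True)
class Flow:
    """One connection, classified by which side initiated it."""
    direction: str      # "out" = this host initiated, "in" = remote host initiated
    proto: str          # "tcp" or "udp"
    remote: str         # remote IP address
    remote_port: int
    local_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    direction: str                     # "in", "out" or "both"
    proto: Optional[str] = None        # None = any protocol
    remote: Optional[str] = None       # host or CIDR; None = any host
    remote_port: Optional[int] = None  # None = any port
    local_port: Optional[int] = None   # None = any port

    def matches(self, flow: Flow) -> bool:
        if self.direction != "both" and self.direction != flow.direction:
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.remote is not None and ip_address(flow.remote) not in ip_network(self.remote, strict=False):
            return False
        if self.remote_port is not None and self.remote_port != flow.remote_port:
            return False
        if self.local_port is not None and self.local_port != flow.local_port:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Walk the rule table top to bottom; the first matching rule decides.
    No match means block, which is what a wiped rule set does."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


# The containment policy from the thread: only the manager is reachable
# outbound; everything inbound stays open so the box can be examined.
# Only the remote port is pinned to 8014: the client's own source port for
# a connection it initiates is ephemeral, so pinning local_port as well
# would stop the heartbeat.
CONTAINMENT = [
    Rule("SEPM communication", "allow", "both", "tcp", SEPM_IP, remote_port=SEPM_PORT),
    Rule("Allow all inbound (remote examination)", "allow", "in"),
    Rule("Block all other outbound", "block", "out"),
]

# Same rules with the block placed above the allow: the manager is cut off.
MISORDERED = [CONTAINMENT[2], CONTAINMENT[0], CONTAINMENT[1]]

# Constructed sample flows.
SEPM_HEARTBEAT = Flow("out", "tcp", SEPM_IP, SEPM_PORT, 49152)
DNS_LOOKUP = Flow("out", "udp", "10.0.0.53", 53, 49153)      # blocked: why the SEPM is named by IP
OUTBOUND_443 = Flow("out", "tcp", "203.0.113.10", 443, 49154)  # e.g. malware calling home
ADMIN_RDP = Flow("in", "tcp", "10.0.0.20", 50000, 3389)      # admin connecting in

if __name__ == "__main__":
    for name, flow in [("SEPM heartbeat", SEPM_HEARTBEAT), ("DNS lookup", DNS_LOOKUP),
                       ("outbound 443", OUTBOUND_443), ("inbound RDP", ADMIN_RDP)]:
        print(f"{name:15} ordered={evaluate(CONTAINMENT, flow):5} "
              f"misordered={evaluate(MISORDERED, flow)}")
```

    Running it shows the heartbeat allowed, DNS and the outbound 443 connection blocked, and inbound RDP allowed under CONTAINMENT, while MISORDERED blocks the heartbeat: the "except allows above it" wording in the thread is exactly this ordering dependency. Because DNS is blocked, the manager must be specified by IP, as the post says.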

     



  • 6.  RE: Creating a containment firewall policy

    Posted Apr 14, 2012 07:56 PM

    I'm going to check it all out and post back, hopefully with success.