Endpoint Protection

  • 1.  Block Web Sites filtered by proxy with FW Rule

    Posted Jan 11, 2013 07:06 AM

    Referencing back to this forum post - https://www-secure.symantec.com/connect/forums/block-web-sites.

    - Essentially when trying to block a DNS Domain with a FW rule, traffic is blocked if it does not traverse a proxy server. A simple test enabling/disabling the proxy server settings in the web browser proves this problem.

    How do I block traffic to a DNS Domain, e.g. *.yahoo.com, when that in fact is filtered by and probably offered by the proxy server?

    Are there any updates & thoughts on this problem?

    Thanks

     

     



  • 2.  RE: Block Web Sites filtered by proxy with FW Rule

    Trusted Advisor
    Posted Jan 11, 2013 07:11 AM

    Hello,

    Check this Article:

    Configuring the Symantec Endpoint Protection Firewall to filter traffic based on whether its source/destination is from a particular domain

    http://www.symantec.com/docs/TECH131681

    IPS custom signatures are checking single data packets for a defined pattern. Firewall rules allow or block traffic depending on IP addresses, ports, applications etc.

    To block a website, firewall rules are easier and more reliable. IPS custom signatures are very flexible but error-prone. Furthermore, the main purpose of IPS custom signatures is to fight exploits.

    To prevent users from using web proxies you could block all known web proxies by a firewall rule. I think it's not a good idea trying to block facebook with a single IPS signature. For example, if you block all traffic with the pattern "www.facebook.com", there may be strong side effects because every site with this pattern in it will be blocked. You have a ton of "false positives" then.

    Here is an interesting discussion of this issue:

    http://www.symantec.com/connect/forums/how-block-proxy-sites-through-custom-ips

    Blocking a Website using Symantec Endpoint Protection:

    http://www.symantec.com/docs/TECH92405

    Hope that helps!!


  • 3.  RE: Block Web Sites filtered by proxy with FW Rule

    Posted Jan 11, 2013 07:11 AM

    Hi,

    Check this thread and Mithun's comments

    https://www-secure.symantec.com/connect/forums/block-internet-address-sep-manager-firewall-rule



  • 4.  RE: Block Web Sites filtered by proxy with FW Rule

    Posted Jan 11, 2013 07:13 AM

    Install the SEP FW on the proxy server and block it there?

    Have you considered the SWG or Symantec.Cloud for more detailed web filtering capabilities?

    http://www.symantec.com/web-gateway

    http://www.symantec.com/en/uk/web-security-cloud



  • 5.  RE: Block Web Sites filtered by proxy with FW Rule

    Posted Jan 11, 2013 07:32 AM

    Pls keep in mind, no solution offered takes into consideration that your network has a proxy server, webmarshal etc. for browser requests. So when you traverse the domain proxy server & go to a website, the destination is seen as the proxy server and not yahoo.com as an example - hence the issue.

    - Why do I want to do this: to add a large list of malware domain names/IPs that SEP does not block

    ____

    Ashish - thx, I already reviewed those articles and they did not resolve it

    Mithun - IPS rules, an option, but I cannot add many DNS names, as I can do with Host Groups with FW

    SMLatCST - thx, that is an option, the system is not Windows, which makes admin difficult

    Gordon
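
Added example, not part of any post in this thread and not Symantec code: the proxy effect described in post 5, sketched in Python. A destination-address rule sees only the proxy's address, while the real target is named in the request line sent to the proxy; the addresses, request lines and function names are constructed for illustration.

```python
# Added illustration; all addresses and request lines are constructed samples.
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

BLOCKED_DOMAINS = ["*.yahoo.com"]   # wildcard entries, as in a host group
BLOCKED_IPS = {"203.0.113.10"}      # constructed stand-in for resolved addresses
PROXY_IP = "10.0.0.8"               # constructed proxy address


def l3_rule_hits(dst_ip: str) -> bool:
    """What a destination-address rule sees: only the packet's destination."""
    return dst_ip in BLOCKED_IPS


def target_host(request_line: str) -> Optional[str]:
    """Real destination named in the request line a browser sends to a proxy.

    HTTPS uses 'CONNECT host:port HTTP/1.1'; plain HTTP uses an absolute URI,
    'GET http://host/path HTTP/1.1'. Direct requests carry only a path.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0].strip("[]")
        return host.lower() or None
    return urlsplit(target).hostname


def domain_blocked(host: Optional[str]) -> bool:
    """Match a host against the wildcard list; '*.name' also covers the apex."""
    if not host:
        return False
    host = host.rstrip(".")
    for pattern in BLOCKED_DOMAINS:
        apex = pattern[2:] if pattern.startswith("*.") else pattern
        if fnmatchcase(host, pattern) or host == apex:
            return True
    return False


def evaluate(dst_ip: str, request_line: str) -> tuple:
    """Return (address rule hit, hostname rule hit) for one outbound request."""
    return l3_rule_hits(dst_ip), domain_blocked(target_host(request_line))


if __name__ == "__main__":
    for flow in [(PROXY_IP, "CONNECT mail.yahoo.com:443 HTTP/1.1"),
                 (PROXY_IP, "GET http://www.yahoo.com/ HTTP/1.1"),
                 ("203.0.113.10", "GET / HTTP/1.1")]:
        print(flow, evaluate(*flow))
```

Both proxied requests miss the address rule and are caught only by the hostname check, which is the layer where a proxy or web gateway enforces its policy.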



  • 6.  RE: Block Web Sites filtered by proxy with FW Rule

    Posted Jan 11, 2013 07:36 AM

    What proxy software are you using?  I'm quite surprised you can't set any web domain blocking rules there (is it just a squid cache or something?)



  • 7.  RE: Block Web Sites filtered by proxy with FW Rule

    Posted Jan 11, 2013 08:04 AM

    SMLatCST - It can be done there (Proxy Server), but that is not really what I am focusing on here. I have clients that require management in multiple scenarios, and also without a proxy (Home users) etc.

    We are also looking at more advanced analytics / detection / remediation using SEP.

    The majority of companies use proxy servers on their network, in this case SEP FW IP/DNS blocking will never work through the web browser.



  • 8.  RE: Block Web Sites filtered by proxy with FW Rule

    Posted Jan 11, 2013 08:07 AM

    Ahhhh Gotcha, that clarified your use case :)

    In that case, I'd really have to suggest a cloud-based web filtering service like that offered by Symantec.Cloud.  It's going to be difficult to cover all scenarios with SEP (as you've found) as web filtering is not what it's designed for.

    Presumably though (in your current setup), when your users are at home, the SEP FW Rules work fine, and when they are in the office you can block those sites at your proxy.  So it's the duplication of effort, and risk of disparity you're trying to avoid?



  • 9.  RE: Block Web Sites filtered by proxy with FW Rule

    Posted Jan 14, 2013 04:19 AM

    Any suggestions from Symantec Engineers?