Symantec Endpoint Protection 11.0 (Hamlet): product lineage (figure)
Predecessor products shown: Symantec Client Security 3.1, Symantec AntiVirus 10.1, Symantec Sygate Enterprise Protection 5.1 (Firewall, Device Control, Network Access Control), Confidence Online (Symantec WholeSecurity)
Release 11.0 modules shown: Antivirus & Antispyware, Network Threat Protection (Firewall & IPS), Proactive Threat Protection, Network Access Control
The 4 modules of Release 11 (SEP 11), managed by Symantec Endpoint Protection Manager
Antivirus & Antispyware: detect, block, and remove viruses, spyware, rootkits and other malware
Network Threat Protection: detect and block external threats; inbound and outbound filtering; location-aware policies
Proactive Threat Protection: protect against 0-day threats; block device access based on policy
Network Access Control (SNAC 11): enforce policy compliance for endpoints; block unauthorized endpoints from access; prevent compromises from remote employees
Anatomy of Layered Endpoint Protection (endpoint exposure layer: threats / protection technology / Symantec solution)
Always on, always up-to-date: host integrity & remediation / Symantec Network Access Control
Applications: zero-hour attacks, identity theft, application injection / behaviour blocking / Symantec Confidence Online
I/O devices: iPod slurping, IP theft / device controls
Memory and processes: buffer overflow, process injection, key logging / buffer overflow & exploit protection
Operating system: malware, rootkits, day-zero vulnerabilities / O/S protection
(the I/O device, memory/process and operating system layers are covered by Symantec Sygate Enterprise Protection and Symantec Critical System Protection)
Network connection: worms, exploits & attacks / network IPS, client firewall / Symantec Client Security, Symantec Mobile Security
Data & file system: viruses, Trojans, malware & spyware / antivirus, anti-spyware / Symantec AntiVirus
The solution column also lists Hamlet (Symantec Endpoint Protection 11.0).
Components of Endpoint Security (Symantec Endpoint Protection 11.0 and Symantec Network Access Control 11.0): AntiVirus, Antispyware, Firewall, Intrusion Prevention, Device Control, Network Access Control
Components of Endpoint Protection: AntiVirus
World's leading AV solution
Most (31) consecutive VB100 awards
Components of Endpoint Protection: Antispyware
Best rootkit detection and removal
Raw Disk Scan for superior rootkit protection
Source: Thompson Cyber Security Labs, August 2006
Application Firewall
Rule-based firewall engine
Can see encrypted/unencrypted traffic
Firewall rule triggers: application, host, service, time
Full support for TCP/IP: TCP, UDP, ICMP, raw IP
Protocol support for Ethernet protocols (block or allow): Token Ring, IPX/SPX, AppleTalk, NetBEUI
Can block protocol drivers (example: VMware, WinPcap)
Adapter-specific rules
AutoLocation Switching Enhancements
AutoLocation triggers: IP address (range or mask), DNS server, DHCP server, WINS server, gateway address, TPM token exists (hardware token), DNS name resolves to IP, Policy Manager connected, network connection type (wireless, VPN, Ethernet, dial-up)
Supports AND/OR relationships between triggers
Example: Policy "Office" applies on the corporate LAN; Policy "Remote" applies at a remote location (home, coffee shop, hotel, etc.)
Device Control (Peripheral Device Control)
Block devices by type (Windows Class ID)
Supports all common ports: USB, Infrared, Bluetooth, Serial, Parallel, FireWire, SCSI, PCMCIA
Example: block all USB devices except USB mouse and keyboard
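Because Device Control selects devices by Windows Class ID, it helps to see which class each attached USB device actually belongs to before the policy is rolled out. The following PowerShell script is an added example (not course material or Symantec code): it inventories USB-enumerated devices on a client through WMI and marks which ones the slide's example rule ("block all USB devices except USB mouse and keyboard") would allow. The class GUIDs are the well-known Windows setup-class values for Keyboard, Mouse and HIDClass; the allow/block outcome is this script's literal reading of the slide's rule, not a query of the SEP policy engine.

```powershell
# Added example (not from the course): inventory USB-enumerated devices on a client
# by Windows device class GUID, so that a Device Control policy that blocks all USB
# devices except keyboard and mouse (the slide's example) can be checked before rollout.
# The GUIDs are the well-known Windows setup classes; everything else is an assumption.
$allowedClasses = @{
    '{4D36E96B-E325-11CE-BFC1-08002BE10318}' = 'Keyboard'
    '{4D36E96F-E325-11CE-BFC1-08002BE10318}' = 'Mouse'
    '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}' = 'HIDClass'   # keyboards and mice enumerate here first
}

# Win32_PnPEntity is available on the XP/2003-era clients the course targets.
# USB\ covers devices on the USB bus; USBSTOR\ covers mass-storage devices behind them.
$usbDevices = Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.DeviceID -like 'USB\*' -or $_.DeviceID -like 'USBSTOR\*' }

$report = foreach ($dev in $usbDevices) {
    $guid = if ($dev.ClassGuid) { $dev.ClassGuid.ToUpper() } else { '(none)' }
    $isAllowed = $allowedClasses.ContainsKey($guid)
    $className = if ($isAllowed) { $allowedClasses[$guid] } else { '' }
    # Outcome under "block all USB except keyboard and mouse", read literally by class.
    # Hubs, controllers and composite-device parents (generic USB class) show as BLOCKED
    # here; review those entries rather than copying the list blindly into a policy.
    $outcome = if ($isAllowed) { 'allowed' } else { 'BLOCKED' }
    New-Object PSObject -Property @{
        Outcome   = $outcome
        ClassName = $className
        ClassGuid = $guid
        Name      = $dev.Name
        DeviceID  = $dev.DeviceID
    }
}

$report | Sort-Object Outcome, Name | Format-Table Outcome, ClassName, ClassGuid, Name -AutoSize

# Summary for the change record: what the rule would block on this client.
$all     = @($report)
$blocked = @($all | Where-Object { $_.Outcome -eq 'BLOCKED' })
Write-Host ('{0} USB device(s) would be blocked, {1} allowed.' -f $blocked.Count, ($all.Count - $blocked.Count))
```

Run it on a representative client before assigning the policy; the ClassGuid column gives the exact Class ID values to enter as exceptions, and the BLOCKED rows show what users will lose.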
Components of Endpoint Protection: Network Access Control (alongside Device Control, Intrusion Prevention, Firewall, Antispyware, AntiVirus)
Network access control ready
The agent is included, no extra agent deployment
Simply license the SNAC Server
The Need for Endpoint Compliance
Protection: viruses, worms, Trojans, spyware, unknown attacks
Compliance: endpoint security policy status - Anti-Virus on, Anti-Virus signature updated, personal firewall on, service pack updated, patch updated
Start Programs Menu
Login to the Console
Home - Dashboard
Monitors - Summary
Reports Quick Reports
Policies AntiVirus Overview
Clients Clients View
Admin - Administrators
Practical exercises
1. Updating virus definitions and other content on the Manager
2. Checking the SEPM content update
3. Creating a group
4. Find Unmanaged Computers
5. Installing SEP on the client from the Manager
6. Manage Location
7. Creating an Application and Device Control Policy
8. Creating reports
Automatic content updates (when an internet connection is available)
Click Admin, select Servers, right-click the Site, choose Properties, then the LiveUpdate tab
Change Source Server for Manager to Internal LiveUpdate Server
Click Edit Source Servers
Select the "Use a specified internal LiveUpdate server" radio button
Click Add
Internal LiveUpdate Server
Define the internal LiveUpdate server as shown below
HTTP and FTP are supported protocols
Run LiveUpdate on Manager Manually
LiveUpdate Results
Confirming LiveUpdate Content on Manager
Exercise 1: Updating virus definitions and other content on the Manager from a .jdb file
URL: http://www.symantec.com/business/security_response/definitions.jsp
Download Definitions by Product - Symantec Endpoint Protection Manager Installations on Windows Platforms (32-bit)
Download the appropriate (32-bit) .jdb file and rename it from .zip to .jdb.
Copy the .jdb file into the "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming" folder (for a default install).
It takes about 30 s to 1 minute for the .jdb file to be activated (it then disappears from the "incoming" folder).
Exercise 2: Checking the SEPM content update
Look at the "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}" folder.
The subfolder is named "yymmddxxx", e.g. "100217069" (date and definition sequence number).
It contains a folder named "Full" and a "Full.zip". "Full" holds the virus definition set.
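Exercises 1 and 2 are a manual copy followed by a manual look at a folder; the PowerShell script below is an added example (not course material or Symantec code) that does both on the manager. It assumes the default-install paths quoted on the two slides, including the content-type GUID folder from exercise 2 (check that GUID against your own manager, it identifies one content type), and takes the downloaded definition file as a parameter. The waiting loop relies only on the slides' statement that the manager removes the file from "incoming" once it has consumed it.

```powershell
# Added example (not from the course): stage a .jdb definition file into the SEPM inbox
# (exercise 1) and then report which definition revision the manager has published
# (exercise 2). Paths are the default-install paths quoted on the slides.
param(
    [Parameter(Mandatory = $true)][string]$DefinitionFile,   # the downloaded .zip/.jdb
    [int]$TimeoutSeconds = 120
)

$sepmRoot    = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager'
$incomingDir = Join-Path $sepmRoot 'data\inbox\content\incoming'
# Content-type folder quoted in exercise 2 (assumption: verify it on your own manager).
$contentDir  = Join-Path $sepmRoot 'Inetpub\content\{C60DC234-65F9-4674-94AE-62158EFCA433}'

if (-not (Test-Path $incomingDir)) { throw "Inbox folder not found: $incomingDir" }
if (-not (Test-Path $DefinitionFile)) { throw "Definition file not found: $DefinitionFile" }

# Exercise 1: the download arrives as .zip and must carry the .jdb extension when staged.
$jdbName = [System.IO.Path]::GetFileNameWithoutExtension($DefinitionFile) + '.jdb'
$staged  = Join-Path $incomingDir $jdbName
Copy-Item -Path $DefinitionFile -Destination $staged -Force
Write-Host "Staged $jdbName; waiting for the manager to consume it..."

# The manager deletes the file from 'incoming' once it has processed it
# (the slides quote roughly 30 s to 1 min).
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while ((Test-Path $staged) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Seconds 5 }
if (Test-Path $staged) {
    Write-Warning "File still present after $TimeoutSeconds s; check the manager's logs."
} else {
    Write-Host 'File consumed by the manager.'
}

# Exercise 2: revision folders are named yymmddxxx (date + definition sequence number),
# e.g. 100217069. Sorting the names descending puts the newest revision first.
# PSIsContainer is used instead of -Directory so the script also runs on PowerShell 2.0.
$revisions = Get-ChildItem -Path $contentDir |
             Where-Object { $_.PSIsContainer -and $_.Name -match '^\d{9}$' } |
             Sort-Object Name -Descending
if (-not $revisions) { throw "No revision folders under $contentDir" }

$culture = [Globalization.CultureInfo]::InvariantCulture
foreach ($rev in @($revisions) | Select-Object -First 3) {
    $date    = [datetime]::ParseExact($rev.Name.Substring(0, 6), 'yyMMdd', $culture)
    $seq     = [int]$rev.Name.Substring(6, 3)
    # A complete revision has both the unpacked "Full" folder and "Full.zip".
    $hasFull = (Test-Path (Join-Path $rev.FullName 'Full')) -and
               (Test-Path (Join-Path $rev.FullName 'Full.zip'))
    '{0}  date={1:yyyy-MM-dd}  seq={2}  Full+Full.zip present={3}' -f $rev.Name, $date, $seq, $hasFull
}
```

Run it from an elevated PowerShell prompt on the manager, e.g. `.\Update-SepmContent.ps1 -DefinitionFile C:\temp\vd123456.zip` (script name and file name are illustrative). If the first line of the revision listing does not carry today's date and a sequence number higher than the previous run, the .jdb was not taken up and the manager logs are the next place to look.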
Built-in groups
Exercise 3: Creating groups
After a group is created, policies and packages can be assigned to it
Creating the LAN group: Clients / Add group
Exercise 4: Find Unmanaged Computers
Exercise 5: Installing SEP on the client from the Manager (this takes some time; be patient!)
Exercise 6: Add a Location Wizard
Name the Location
Specify a Condition
Define IP Range for the Location
Location Added under Policies Tab
Managing Locations
Locations can be edited
You can use multiple AND and OR conditions
You can include or exclude conditions (e.g. if IP addresses do NOT match those listed below)
Enable notification
Editing Policies: Best Practices
Edit policies in the Policies section of the interface
It is also possible to edit policies in Clients > Policies, but it can be more difficult to keep track of shared policies
Exercise 7: Creating an Application and Device Control Policy
Name the policy for the LAN group
Assign a policy After clicking OK you are asked if you want to Assign the policy You can always assign policies later by right-clicking a policy and selecting Assign
Firewall Policy: Office Location
Firewall Policy Adding a Blank Rule In a New Firewall Policy, under Rules, Click Blank Rule
Firewall Rule, add Action Action = Block Options for Logging shown here
Add Notification On Notification Tab add check to notify users Default is not to Notify when Firewall blocks traffic
Objectives Create a Package for the Laptop Group Deploy the Package to an XP Client
Packages
Symantec refers to the bundle of installation files for the Agent software as a package.
A package is not executable until it is exported. When a package is exported it is saved to a folder on a filesystem.
The following aspects can be defined when a package is exported into a distributable format: deployment method, feature selection, install settings, single/multiple file distribution, whether or not to include the security policy
Exporting a Package Generating a Package based on defined Settings and Features Saved to FileSystem, ready for deployment
Steps to Export a Package
1. Know the group to which the package will be deployed
2. Define settings for the target group
3. Define features to be included for the target
4. Export the package to a directory on the filesystem
5. The resulting files can be deployed via: software deployment software, the Client Remote Wizard, web-based installs, etc.
Creating Packages for Deployment 1 Client Install Packages include binaries to build installable Packages
Creating Packages for Deployment 2
Add new Client Install Settings to define: installation type (silent, interactive, etc.), reboot, install location, installation logging, Start Menu, upgrade settings
Creating Packages for Deployment 3
Add new Client Install Feature Sets to define: AV and email plugins, Firewall and IPS, Proactive Threat Scan
Creating Packages for Deployment 4
Exporting the package to the filesystem: location for installation files, single .exe or multiple files with .msi, install settings, feature set, policy settings, computer or user mode
Client Remote Wizard Start>Programs>Symantec Endpoint Protection Manager
Migration and Deployment Wizard
Migration and Deployment Wizard It is possible to create a Group on the fly through the Deployment wizard Select an existing client installation package to deploy
Migration and Deployment Wizard Select the Installation package created for the Munich Laptop Group and then click Next
Migration and Deployment Wizard If possible select the target system from Network Neighborhood and click Add. Otherwise click Add or Import Computer to enter an IP Address for a target system
Migration and Deployment Wizard Enter the IP address for the target system
Migration and Deployment Wizard When target system is added to the right column, click Finish
Migration and Deployment Wizard
Unattended Installation on Client
Client Appears in Management Console Client is seen in Munich Laptop Group
Exercise 8: Creating reports
Present, in the form of a report, when and by whom a scan was run on each workstation.
Creating reports
Present, in the form of a report, the status of each workstation (the date of the last policy assigned to each group).