Deleted member 178
hi,
I just installed Symantec Endpoint Protection (SEP), so I will briefly explain what it is and what it does:
Endpoint? What is that?
Endpoint security is an approach to network protection that requires each computing device on a corporate network to comply with certain standards before network access is granted. Endpoints include PCs, laptops, smartphones, tablets and specialized corporate equipment such as bar code readers or point of sale (POS) terminals.
Code:
From Symantec
Symantec Endpoint Protection is an endpoint security solution created through a layered approach to defense. With unique, layered technology, it detects and removes more malware than any other product in its class. Derived from Symantec's global intelligence network, our unique Insight and SONAR technologies enable faster scans, more accurate detection, and higher performance while utilizing fewer resources. With a single management console, Symantec Endpoint Protection provides advanced protection across multiple platforms, both physical and virtual.
The main target of endpoint protection is to protect your network from various attack vectors. The keyword here is network protection, as opposed to the local protection of home user solutions.
While some of its components (RT engine, Behavior Blocker known as SONAR, etc.) look similar to the home version (aka Norton IS), the way SEP handles them (the firewall configuration, 0-day (and definitions that go along with specific network exploits) and policy settings) is very different.
The very database itself in SEP and NIS is not the same, and the process for detecting, monitoring and removal of both engines and their 0-day/Proactive Defense protocols is calculated differently. Not to mention that SEP collects data gathered from all endpoints of its network across the world, a behavior which is not used by NIS. One of the best examples is Download Insight:
SEP's power comes from the collective, as multiple endpoints in a network work as one massive firewall, and if for whatever reason they cannot find a solution then the master server can. And if that fails you still have Symantec's own server and its HUGE worldwide network of all clients who use their EP. So it's really a collective effort, and not an individual effort.
You know about cloud detection engines; SEP is like a full cloud suite, using dynamic sets of rules, not the static ones found in home products.
What about my Windows Firewall?
Unlike some firewalls that "discard" Windows Firewall, SEP manages it: it takes the WF's rules and enhances your protection by adding them to SEP itself (on top of its own and your custom rules). Interestingly, that means that SEP knows, thanks to Windows Update and Error Reporting, if a vulnerability is active on your system and will ask Symantec for a temporary fix till Microsoft releases a KB package to fix it once and for all (if they can fix it and are aware of it).
So? What does it do exactly?
Basically, while your home user security software protects you only when data reaches your computer, Endpoint protects you before it reaches your router.
To explain, when you connect to Google, this is the scheme your data (packets) will follow with a home user solution:
Code:
your PC + solution > router > ISP > internet (relays) > google.com
Then Google sends data back the opposite way.
With SEP there are some differences (this scheme assumes you are not managed by a master server):
Code:
your PC > SEP > router > emulated SEP (probing & tagging your packets based on your SEP settings) > ISP > Internet > google.com
As you can see, when your data is leaving your computer, it is tagged by SEP in both directions.
OK! I got it, but what are the Endpoint benefits for me over home user solutions?
Normal programs go for user-friendliness and a minimized option list to stay user-friendly, allowing you to set a "basic" security that is predefined for everyday home use. SEP on the other hand is only user-friendly in its navigation, but the custom rules and the very configuration settings are far tighter... but in return, if configured by skilled hands, you get even on the lowest settings something like 100 times better security than, for example, a traditional home solution. Endpoint protection can't be allowed to run out of the box; it requires specific and precise configuration depending on your network infrastructure.
The keyword here is manual configuration.
You can literally block every single address and domain while allowing just one, like "mycompany.com", and everything else by default is rerouted to a fake address. That means that your PC cannot be infected by a malware, as there is no end destination for a malware... or attack.
N.nvt said: Now Symantec (and some other EP brands) know all legit broadcast DNAs known to man, but the moment a broadcast package mimics a legit package then the wrapper might seem just like a normal packet but its contents are very different, and SEP will respond to that by tagging that package and, depending on the type, it will enforce a rule associated with that behavior; but before it drops the package and isolates it, it will ask Symantec what to do... and during this time, while it makes that call, it keeps tabs on that package.
If you are sending a package then Symantec will tag it to ensure its integrity; the moment the integrity is damaged, for example by sniffing or injection, it will drop it, which will result in a dead package hitting nowhere, without ever having to enforce a rule.
That means a packet can be modified by malware, but SEP will recognize it as modified and tag it depending on the rules. If it is malicious, the packet is redirected elsewhere.
This simple analogy will sum up the idea:
It is like when you enter a big company for an audit of the research department: you are granted a visitor ID badge restricting your access until you are confirmed to access the department; once accredited you get the staff badge (with access allowance), but if you use a fake staff badge, you will be detected right away and kicked out of the building.
That is the big difference with a home user network protection (aka firewall), where the packet isn't checked and is accepted or dismissed by the firewall's local rules:
A normal firewall does not "think" and anticipate / learn on its own, as you need to click yes or no so it remembers, and the rules enforced are just static rules that will block both bad and good packages that use the blocked protocol, while SEP can think, anticipate and learn from you and from its own "detections" of package behavior, and if in doubt it always has Symantec as advisor and the data of similar events from every single SEP client connected to the net, which all report back with their detections, solutions and results to the Symantec cloud. So next time a rule has not been updated locally, usually a FW does not know what to do, as without a rule it's blind... while SEP is going to report back to the server no matter what... so if SEP cannot make the call then Symantec will make it for you based upon what the rest of the world has reported back and done. So SEP will block a protocol if enforced, but it does filter out the legit traffic and let that pass while the bad ones are being sent nowhere.
To make another analogy, your packet is a club customer, and it knocks on the door (ports) of your favorite club (your system); then the security guard (the firewall) looks at him and, based on what you instructed him (the FW's rules), like "don't let people in sport shoes from this area enter" (IP-based rule), he will let him in or not (allow or block) without researching whether you are a good or bad customer from this area!
Not to mention that a packet sent by a hacker (ping/portscan) has the purpose of knowing if he can connect to an IP or not, because a normal FW will block it, which means that a package goes back saying you cannot connect, which makes the hacker aware that his attack failed.
SEP just sends the package somewhere... and the hacker will never receive a reply back... from his point of view "mission accomplished"... while in fact SEP has effectively sent the attack to a valid IP address that does not have a computer connected.
Conclusion:
Obviously endpoint protection software is not really made for the average Joe, since a wrongly done configuration will reduce the security to zero, but in the hands of a skilled user like a network admin, the security granted is far above conventional home user products.
P.S.: I will update the thread if more info is needed.
Thanks to @n.nvt for his complementary information/explanations.
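The post makes two points worth seeing in code: an egress tag that lets a packet modified in transit be recognized and quietly sinkholed, and the difference between a classic firewall's explicit "you cannot connect" rejection and a silent redirect that gives a scanner no reply. The following is an added example written for this thread, not code from the post or from Symantec, and it does not model how SEP really tags traffic; the HMAC tag, the allow-list with only mycompany.com, and the TEST-NET sinkhole address are all assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed policy mirroring the post: allow one domain, reroute everything else.
ALLOWLIST: Set[str] = {"mycompany.com"}
SINKHOLE = "192.0.2.254"        # hypothetical address with no host behind it (TEST-NET-1)
KEY = b"constructed-demo-key"   # assumed per-endpoint tagging secret (not SEP's mechanism)

@dataclass
class Packet:
    src: str          # source IP
    dst_host: str     # destination host name
    payload: bytes

def tag(pkt: Packet, key: bytes = KEY) -> bytes:
    """Egress step: bind an HMAC tag to the packet so later tampering is detectable."""
    msg = f"{pkt.src}|{pkt.dst_host}|".encode() + pkt.payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def classic_firewall(pkt: Packet, blocked_srcs: Set[str]) -> Tuple[str, Optional[str]]:
    """Static IP-based rule: allow, or reject with an explicit reply.
    The rejected sender learns that the connection attempt failed."""
    if pkt.src in blocked_srcs:
        return ("reject", "unreachable reply sent to " + pkt.src)
    return ("allow", pkt.dst_host)

def tagged_gateway(pkt: Packet, presented_tag: bytes, key: bytes = KEY) -> Tuple[str, str]:
    """Verification step: forward only if the tag still verifies AND the destination is
    allow-listed; anything else is sent to the sinkhole and no reply is produced."""
    if not hmac.compare_digest(tag(pkt, key), presented_tag):
        return ("sinkhole", SINKHOLE)      # integrity damaged in transit (injection, rewrite)
    if pkt.dst_host not in ALLOWLIST:
        return ("sinkhole", SINKHOLE)      # destination not permitted by policy
    return ("forward", pkt.dst_host)

if __name__ == "__main__":
    good = Packet("10.0.0.5", "mycompany.com", b"GET /")
    t = tag(good)
    print(tagged_gateway(good, t))                                   # forwarded
    print(tagged_gateway(Packet("10.0.0.5", "mycompany.com", b"GET /evil"), t))  # sinkholed
    print(classic_firewall(Packet("203.0.113.9", "10.0.0.5", b"SYN"), {"203.0.113.9"}))
```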