SEP11 and Wireless Management

Symantec has added device control in Symantec Endpoint Protection 11 (SEP11) MR2. This can be used to disable wireless cards when connected to a wired connection.

Symantec has a KB article that explains “How to block all Wireless traffic when an Ethernet interface is active using Symantec Endpoint Protection 11.x”.

Unfortunately, it is not possible to disable all wireless cards automatically. Each wireless card has a device ID. You need to determine the device IDs to block. For me, I went into SMS to determine how many different wireless adapters are in use in the enterprise. Next, I used SMS to find online computers with each make/model of card. I followed the instructions in the Symantec KB to gather the device IDs from the registry and add them to the block list. You’ll have to ask the helpdesk to let you know when new wireless cards start showing up. (Occasionally check SMS to double-check.)
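The recurring double-check described above, comparing the adapter inventory against the block list to catch wireless cards that are not yet blocked, as an added example that is not from the original post or from Symantec's KB. It assumes the inventory is exported to CSV with hypothetical columns `hostname`, `adapter_name` and `device_id` (holding Windows device instance IDs) and that the block list is available as a plain list of device ID strings; every sample value is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory export: hostnames, adapter names and IDs are made up.
INVENTORY_CSV = r"""hostname,adapter_name,device_id
PC-001,Example Wireless A,PCI\VEN_FFF1&DEV_0001&SUBSYS_00010001&REV_01\4&1a2b3c&0&00E0
PC-002,Example Wireless A,pci\ven_fff1&dev_0001&subsys_00010001&rev_01\4&9f8e7d&0&00E0
PC-003,Example Wireless B,PCI\VEN_FFF2&DEV_0002&SUBSYS_00020002&REV_02\4&55aa55&0&00E1
PC-004,Example Wireless C,USB\VID_FFF3&PID_0003\0123456789
PC-005,Example Wireless C,USB\VID_FFF3&PID_0003\9876543210
PC-006,Example Wireless C,USB\VID_FFF3&PID_0003\5555555555
"""

# Constructed copy of the device IDs already on the block list.
BLOCKED_IDS = [r"PCI\VEN_FFF1&DEV_0001&SUBSYS_00010001&REV_01"]


def normalize_device_id(raw):
    # A device instance ID is the device ID plus a per-machine instance
    # suffix. Keep the first two backslash-separated segments, upper-cased,
    # so the same card model compares equal across hosts.
    parts = raw.strip().upper().split("\\")
    return "\\".join(parts[:2])


def unblocked_adapters(inventory_csv, blocked_ids):
    """Return (device_id, adapter_name, host_count) for IDs not yet blocked."""
    blocked = {normalize_device_id(b) for b in blocked_ids}
    hosts = defaultdict(set)
    names = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        dev = normalize_device_id(row["device_id"])
        hosts[dev].add(row["hostname"].strip().upper())
        names.setdefault(dev, row["adapter_name"].strip())
    missing = [(d, names[d], len(h)) for d, h in hosts.items() if d not in blocked]
    # Most widely deployed card first, then by ID for a stable order.
    return sorted(missing, key=lambda m: (-m[2], m[0]))


if __name__ == "__main__":
    for dev, name, count in unblocked_adapters(INVENTORY_CSV, BLOCKED_IDS):
        print(f"{count:3d} host(s)  {name}  {dev}")
```

Any device ID this reports is a wireless card model that is in use but missing from the block list.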

My biggest problem was that their KB described two locations – wired and wireless. That is the most vanilla configuration possible and it assumes you don’t have any other firewall profiles. Most people, I suspect, are going to already have location profiles set up for their firewall rules. I already had CorporateLAN, VPN and External configured. To integrate this KB into my existing rules, I set up locations CorpLan-Ethernet, CorpLan-Wifi, VPN, External-Ethernet, External-wifi and default.

So far it’s working great in testing, and I plan to roll this out to a larger group of testers after I make a couple of changes. It is really exciting to be on the cusp of solving a security issue that has been lingering for years: the problem of wireless cards looking to make a connection even as the wired card is active on our corporate LAN.