
Lateral Movement Protection conditions

Hi community,

I have been running some tests for lateral movement protection, and tried to reach its limitations. I'd like to share my results, and maybe you may have results of different cases that I did not think of.
In order to test, I turned off the Network Threat Protection service from the Windows services.msc app. This turns the status of the endpoint to Red.
Endpoints 1-3 have a Threat Prevention policy which includes self-isolation.

This is the network diagram:

Endpoint 2 was set to have a red status.
All traffic to/from Endpoint 3 was blocked.
UDP/TCP traffic to/from Server was blocked. ICMP traffic was allowed.
All traffic to/from Endpoint 1 was permitted (firewall did not have any restrictions).
UDP/TCP traffic to the Internet was blocked. ICMP traffic was allowed.

What do you think? Are these the results you would have expected?

Cheers,
Steven.

  • I asked for a clarification in a recent webinar about this, in fact.
    - Endpoints in the same network (or rather, broadcast domain) deny traffic from the Red endpoint by filtering its MAC address (the XG informs the rest of the endpoints of the 'bad' MAC address). This is why Endpoint 3 denied ALL traffic.
    - I imagine that the Server did not deny all traffic (ICMP was allowed) because the Server Client does not have the Isolation feature.
    - I am still not sure why UDP/TCP traffic was blocked to the Server.
    - As you said, traffic to Endpoint 1 and the Internet would be blocked by the Heartbeat feature on the XG. However, this was not enabled during my tests, and UDP/TCP traffic was still blocked for the Internet.
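A script to re-run the ICMP/TCP/UDP checks from the Red endpoint and tabulate them per target, as an added example that is not part of either post and not a Sophos tool. Target names, addresses and ports are assumed lab values; the UDP check separates a filtered path from a merely absent listener, which the results above do not distinguish.

```powershell
# Added example, not from the thread: reproduce the per-protocol reachability
# matrix from the endpoint that was put into Red status. Hosts and ports are
# lab placeholders; replace them with the addresses from your own diagram.
$targets = @(
    @{ Name = 'Endpoint 1'; Host = '192.0.2.11'; TcpPort = 445; UdpPort = 137 }
    @{ Name = 'Endpoint 3'; Host = '192.0.2.13'; TcpPort = 445; UdpPort = 137 }
    @{ Name = 'Server';     Host = '192.0.2.20'; TcpPort = 445; UdpPort = 53  }
    @{ Name = 'Internet';   Host = '9.9.9.9';    TcpPort = 443; UdpPort = 53  }
)
function Test-UdpPath {
    # UDP has no handshake, so "blocked" cannot be read from one bit:
    #   reply            -> UDP passed and a listener answered
    #   port unreachable -> UDP passed, nothing listening (ICMP came back)
    #   timed out        -> dropped by a filter, or the target is silent
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    # Constructed DNS A query for example.com; a resolver on port 53 answers it.
    $query = [byte[]](0x12,0x34,0x01,0x00,0x00,0x01,0,0,0,0,0,0,
              7,0x65,0x78,0x61,0x6d,0x70,0x6c,0x65,3,0x63,0x6f,0x6d,0,0,1,0,1)
    $client = New-Object System.Net.Sockets.UdpClient
    try {
        $client.Client.ReceiveTimeout = $TimeoutMs
        $client.Connect($Target, $Port)
        [void]$client.Send($query, $query.Length)
        $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        [void]$client.Receive([ref]$from)
        return 'reply'
    } catch [System.Net.Sockets.SocketException] {
        # PowerShell may wrap the .NET exception; look at the inner one if present
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex.SocketErrorCode -eq 'ConnectionReset') { return 'port unreachable' }
        return 'timed out (filtered or silent)'
    } finally {
        $client.Close()
    }
}
$results = foreach ($t in $targets) {
    $icmp = Test-Connection -ComputerName $t.Host -Count 1 -Quiet
    $tcp  = Test-NetConnection -ComputerName $t.Host -Port $t.TcpPort `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target = $t.Name
        ICMP   = if ($icmp) { 'allowed' } else { 'blocked' }
        TCP    = if ($tcp)  { 'open' }    else { 'blocked or closed' }
        UDP    = Test-UdpPath -Target $t.Host -Port $t.UdpPort
    }
}
$results | Format-Table -AutoSize
```

Run it once before the endpoint goes Red and once after, and diff the two tables; a row showing ICMP allowed with TCP and UDP blocked reproduces the Server and Internet results reported above.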
