This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Lateral Movement Protection conditions

Hi community,

I have been running some tests for lateral movement protection, and tried to reach its limitations. I'd like to share my results, and maybe you may have results of different cases that I did not think of.
In order to test, I turned off the Network Threat Protection service from the Windows services.msc app. This turns the status of the endpoint to Red.
Endpoints 1-3 have a Threat Prevention policy which includes self-isolation.

This is the network diagram:

Endpoint 2 was set to have a red status.
All traffic to/from Endpoint 3 was blocked.
UDP/TCP traffic to/from Server was blocked. ICMP traffic was allowed.
All traffic to/from Endpoint 1 was permitted (firewall did not have any restrictions).
UDP/TCP traffic to the Internet was blocked. ICMP traffic was allowed.

What do you think? Are these the results you would have expected?

Cheers,
Steven.

This thread was automatically locked due to age.

Badrobot over 5 years ago

It was my understanding that the device in red would be separated from the rest by means of-

The device in question set to isolate Endpoint 2 would essentially isolate all traffic within

End Points 1, 3 & the server isolating themselves from Endpoint 2 or denying all traffic from endpoint 2

The firewall isolating Endpoint 2 from the internet and other segments and devices as well.

Or am I not understanding this correctly?

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
StevenSultana over 5 years ago

I asked for a clarification in a recent webinar about this, in fact.
- Endpoints in the same network (or rather, broadcast domain) deny traffic from the Red endpoint by filtering its MAC address (the XG informs the rest of the endpoints of the 'bad' MAC address). This is why Endpoint 3 denied ALL traffic.
- I imagine that the Server did not deny all traffic (ICMP was allowed) because the Server Client does not have the Isolation feature.
- I am still not sure why UDP/TCP traffic was blocked to the Server.
- As you said, traffic to Endpoint 1 and the Internet would be blocked by the Heartbeat feature on the XG. However this was not enabled during my tests, and UDP/TCP traffic was still blocked for the Internet.
Cancel
Vote Up 0 Vote Down

Cancel
Badrobot over 5 years ago in reply to StevenSultana

So what happens if you change the mac address on that RED endpoint?

https://docs.microsoft.com/en-us/powershell/module/netadapter/set-netadapter?view=win10-ps

Would it then be allowed to talk to End Point 3? I am curious now....

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel
Paul Digby over 5 years ago in reply to StevenSultana

The description from Sophos
https://news.sophos.com/en-us/2019/01/22/xg-firewall-and-lateral-movement-protection/

Although, does not give the 'higher level detail of how. But as you say above, done by MAC address
Cancel
Vote Up 0 Vote Down

Cancel
Badrobot over 5 years ago in reply to Paul Digby

Yes that is what I would be interested in, knowing if this is done on the Mac Address, IP Address or FQDN or a combination of all three or even a Unique Identifier tied directly to Sophos as well.

Respectfully,

Badrobot
Cancel
Vote Up 0 Vote Down

Cancel