I am running SEP 12.1.3001.165, and have the firewall policy enabled with the option for Port Scan Detection also enabled, and the option checked to automatically block an attacker's address for x seconds. This works great, and blocks/logs port scanning activity.
However, I would like to create an exception so that certain internal IPs can scan our network for open ports and perform other types of port scanning activity. Generally, these IPs would belong to our security staff, incident response, patching, anti-virus and networking teams.
I've figured out a few options that allow me to do this, but none seem totally ideal, and I am wondering if there is another "best method" that I am missing.
Option 1.
Create two firewall policies, one in which port scan detection is enabled, and the other disabled. Create two groups, and apply each policy to one of the groups. Create a host group containing all the hosts that are authorized to conduct port scanning on the network, and create a rule in the firewall policies to always allow traffic from those IP addresses. Then, to prevent the return traffic from being detected as a port scan, also add those computers to the second group with the policy that disables the feature.
The problem with this is that if any computer on the authorized list becomes infected with something, all traffic from their PCs will be allowed on the network without being blocked by the firewall.
Option 2.
Enable port scan detection, but do not enable blocking.
The problem with this is that even though the port scan will be allowed, it is not blocked. It is only logged; thus, it doesn't really increase security except to let us know there was a port scan performed.
Perhaps an option to "Allow port scans from this Host Group" could help in a future version of SEP, but in the meantime, how can I take advantage of this awesome security feature, but still allow my administrative staff to conduct port scans on our own network without being blocked by our own security software?
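The following is an added example, not code from the post or from Symantec, and it does not reflect how SEP's detector is implemented or configured. It models the missing "allow port scans from this host group" behaviour the post asks for: a port-scan detector that counts distinct destination ports per source within a short window, auto-blocks ordinary sources for a fixed time, but for sources in an authorized scanner host group only logs the scan instead of blocking. The scanner group still goes through the normal rule set (this code only decides the scan-block action), which is the difference from the blanket "always allow" rule in Option 1. Thresholds, the block duration, the host group and the log lines are all constructed for the example.

```python
"""Illustrative port-scan detector with an authorized-scanner exemption.

Added example only; not SEP code. SEP's detector, thresholds and the
"automatically block the attacker's address" action are not exposed to
scripts like this.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical tuning values and scanner host group (assumptions for the example).
SCAN_PORT_THRESHOLD = 8          # distinct dst ports from one source within the window
SCAN_WINDOW_SECONDS = 5.0
BLOCK_SECONDS = 600.0
AUTHORIZED_SCANNERS = [ip_network("10.0.5.0/28"), ip_network("10.0.9.10/32")]


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form '<ts> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Event(float(ts), src, dst, int(dport))


class PortScanDetector:
    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS,
                 block_seconds=BLOCK_SECONDS, authorized=AUTHORIZED_SCANNERS):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.authorized = list(authorized)
        self._recent = defaultdict(deque)   # src -> deque of (ts, dport) inside the window
        self._blocked_until = {}            # src -> timestamp when the auto-block expires
        self.alerts = []                    # (src, ts, distinct_ports, "log" | "block")

    def is_authorized(self, src: str) -> bool:
        """True if src belongs to the authorized scanner host group."""
        addr = ip_address(src)
        return any(addr in net for net in self.authorized)

    def is_blocked(self, src: str, now: float) -> bool:
        """True while an auto-block on src is still in force; expired blocks are cleared."""
        until = self._blocked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[src]
            return False
        return True

    def process(self, ev: Event) -> str:
        """Return 'drop', 'alert-block', 'alert-log' or 'pass' for one event."""
        if self.is_blocked(ev.src, ev.ts):
            return "drop"
        recent = self._recent[ev.src]
        recent.append((ev.ts, ev.dport))
        while recent and ev.ts - recent[0][0] > self.window:
            recent.popleft()                # slide the window
        distinct = {port for _, port in recent}
        if len(distinct) < self.threshold:
            return "pass"
        recent.clear()                      # one scan produces one alert, not one per packet
        if self.is_authorized(ev.src):
            # Authorized scanner: keep the log entry (visibility if the host is compromised)
            # but do not add it to the auto-block list.
            self.alerts.append((ev.src, ev.ts, len(distinct), "log"))
            return "alert-log"
        self._blocked_until[ev.src] = ev.ts + self.block_seconds
        self.alerts.append((ev.src, ev.ts, len(distinct), "block"))
        return "alert-block"


def run(lines, detector=None):
    """Feed constructed log lines through a detector and return it with the per-line verdicts."""
    det = detector or PortScanDetector()
    return det, [det.process(parse_line(line)) for line in lines]


# Constructed sample log (not real traffic): an authorized scanner and an unauthorized
# host each sweep 10 ports on 10.0.1.20; the unauthorized host then retries twice.
SAMPLE_LOG = [
    *(f"{0.1 * i:.1f} 10.0.5.3 10.0.1.20 {20 + i}" for i in range(10)),        # authorized sweep
    *(f"{1.0 + 0.1 * i:.1f} 192.168.7.77 10.0.1.20 {20 + i}" for i in range(10)),  # unauthorized sweep
    "2.5 192.168.7.77 10.0.1.20 443",     # while auto-blocked
    "3.0 10.0.1.50 10.0.1.20 445",        # ordinary client, single port
    "700.0 192.168.7.77 10.0.1.20 443",   # after the block has expired
]

if __name__ == "__main__":
    detector, verdicts = run(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG, verdicts):
        print(f"{verdict:12} {line}")
    print("alerts:", detector.alerts)
```

Running it shows the authorized scanner's sweep producing a single "alert-log" verdict with no subsequent drops, while the unauthorized host gets "alert-block" on the eighth distinct port and "drop" for everything until the block expires.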