Hello - I've been tasked with replacing our existing Trend IDF product with the McAfee HIPS one.
Obviously, I've been asked to provide a like for like solution, or as close to it as possible.
The requirement is that when connected to our LAN, the F/W doesn't block any traffic (All Ingoing / All Outgoing Allowed), but connections to other networks are prevented, so the user can't be connected to our LAN and, say, a wireless hotspot at the same time.
When not connected to our LAN, All Incoming traffic would be blocked, All Outgoing traffic would be allowed, and the single network at a time continues.
With the Trend product, I accomplished this by creating a "On Domain" context, and an "Off Domain" context, and then assigning rules via the context.
(On Domain was defined as "Locally connected to Domain", Off Domain is defined as "Not connected to Domain").
In McAfee HIPS, I'm having difficulty working out how to achieve this. I've created a location "On Domain", defined as "Require that ePO be reachable", and can assign rules to that, but how can I create an "Off Domain" location, and am I even going about this in the right way?
Location aware groups will help you with this.
See page 55 of: PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide.
You don't need to have an "Off domain" policy. With a Location aware group, you apply a ruleset when the system is on an "approved" network. If it doesn't match that Location aware group, then the rest of the firewall rule policy will apply (e.g., allow no/limited traffic).
Thanks, I will make an "On Domain" location requiring the ePO server to be available, and using the Domain's DNS suffix, and move the "Off Domain" rules out of that group and delete the second location.
But after some time (e.g. 10 minutes) connecting to a router at home, my test notebook gets an IP from my router and all works fine to surf the Internet through my home ISP. Any suggestions on that behavior?