morph
Level 7

Blocking Wifi when on LAN


Hi all,

I'm fairly new to McAfee EPS so hopefully someone might help me out or point me in the right direction.

We have EPS and we need to somehow block Wifi connections when a notebook is also connected to the LAN network.

Is this doable, and if yes, is there some guide I can follow to achieve this?

Thank you in advance and best regards.

1 Solution

Accepted Solutions
SCtbe
Level 12

Re: Blocking Wifi when on LAN


You should use connection aware groups configured in HIPS; there is a description in the product guide for HIPS.

Thread should be moved to HIPS section, as this would be the right product. EPS is a bunch of products - a suite, not a product itself. ePO is the central management product for HIPS functionality.

exbrit
Level 21

Re: Blocking Wifi when on LAN


What McAfee product is this (SIEM, ePO..?) so I can redirect this thread?

morph
Level 7

Re: Blocking Wifi when on LAN


Hi,

The product is McAfee Endpoint Protection Suite. It has ePolicy Orchestrator 5.0.1.

Regards.

exbrit
Level 21

Re: Blocking Wifi when on LAN


OK, thanks.  Moved to ePO.

ulyses31
Level 16

Re: Blocking Wifi when on LAN


Hi morph, I think this could be done with Device Control. You can check an example on how to block a wireless device here (page 20):

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24504/en_US/...

morph
Level 7

Re: Blocking Wifi when on LAN


Hi Laszlo,

from what I understand this would permanently disable the wireless card.

What we need is to be able to use the wireless card but if there is LAN connection to the corporate network to disable the wifi card/traffic.

Basically we need to prevent someone being connected to the LAN network and at the same time connected to some unprotected wifi outside of our network.

Regards.

greatscott
Level 12

Re: Blocking Wifi when on LAN


Correct. Could use some connection aware groups config'd with connection isolation enabled.

ulyses31
Level 16

Re: Blocking Wifi when on LAN


morph wrote:

Hi Laszlo,

from what I understand this would permanently disable the wireless card.

What we need is to be able to use the wireless card but if there is LAN connection to the corporate network to disable the wifi card/traffic.

Basically we need to prevent someone being connected to the LAN network and at the same time connected to some unprotected wifi outside of our network.

Regards.

Well, in fact (if I'm right) there's a different way to handle this. You can set a policy to disable the wireless card when being online (i.e. when being on ePO's network) but enabled when being offline (when outside your corporate LAN).

Message edited by: ulyses31 on 18/07/14 15:00:03 CEST
McAfee Employee

Re: Blocking Wifi when on LAN


HIPS does not have functionality to actually set a network adapter to DISABLED state. In order to block WIFI on LAN networks, you would use Location Aware Groups and Connection Isolation (e.g., when the LAG matches/isolates the LAN adapter only, WIFI and all other adapters will automatically be blocked; basically moves the BLOCK ALL TRAFFIC rule to the LAG for all non-matching adapters). Any rules above the LAG can still apply to WIFI adapters, if applicable.

Also, DHCP (and DNS) traffic is always allowed, so if the WIFI adapter is ENABLED by the OS, it will ALWAYS be allowed to get an IP address, but network traffic to/from that adapter may or may not be allowed depending on your configuration.
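
The evaluation order described in the reply above, as a simplified model added here for illustration; it is not McAfee code and not part of the original thread. Assumptions: the LAG matches a wired adapter by a constructed DNS suffix (`corp.example`), DHCP/DNS are modelled as UDP ports 67/68/53, and rules are plain `(proto, port, action)` tuples.

```python
from dataclasses import dataclass

ALWAYS_ALLOWED_UDP = {53, 67, 68}   # DNS and DHCP: the reply says these always pass

@dataclass(frozen=True)
class Adapter:
    name: str
    kind: str         # "wired" or "wifi"
    dns_suffix: str   # connection-specific suffix (constructed sample values)

@dataclass(frozen=True)
class Packet:
    adapter: Adapter
    proto: str
    port: int

def lag_matches(adapter, corp_suffix="corp.example"):
    # Assumed location criterion: wired adapter carrying the corporate DNS suffix.
    return adapter.kind == "wired" and adapter.dns_suffix == corp_suffix

def evaluate(packet, active_adapters, rules_above=(), lag_rules=(), rules_below=()):
    """Return 'allow' or 'block' for one packet, walking the rule list top-down."""
    if packet.proto == "udp" and packet.port in ALWAYS_ALLOWED_UDP:
        return "allow"                          # Wi-Fi can still obtain an IP address

    def first_match(rules):
        for proto, port, action in rules:
            if (proto, port) == (packet.proto, packet.port):
                return action
        return None

    verdict = first_match(rules_above)          # rules above the LAG see every adapter
    if verdict:
        return verdict
    if any(lag_matches(a) for a in active_adapters):    # host is on the corporate LAN
        if not lag_matches(packet.adapter):
            return "block"                      # connection isolation: non-matching adapter
        verdict = first_match(lag_rules)
        if verdict:
            return verdict
    return first_match(rules_below) or "block"  # default deny at the bottom of the list

# Constructed sample adapters for trying the model out.
LAN = Adapter("eth0", "wired", "corp.example")
WIFI = Adapter("wlan0", "wifi", "cafe.example")
```

The model makes the two caveats from the reply visible: an allow rule placed above the group still opens that port on Wi-Fi while docked, and the Wi-Fi adapter keeps its DHCP lease even though its other traffic is blocked.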