jawuk
Level 7

Connection Aware Groups- Rules above CAGS, and CAGS above CAGS

Hi all.

Apologies for the weird title. It does, though, explain my question.


With regards to Firewall rules for Connection Aware Groups (CAGs) in Host Intrusion Prevention, McAfee states that you should place any fundamental rules you require for connectivity ABOVE the CAG, as once a connection is found that belongs to a CAG, it will only process rules in the CAG and ABOVE ONLY.

For example, if you create a VPN connection for connectivity from a wireless hotspot, you create rules for establishing the initial network connectivity and for the VPN tunnel, and then, below this, create the CAG for the virtual VPN adapter, and the rules you want associated with the CAG.

No problems so far.

My question is this, does this mean that as soon as ANY adapter matches a connection aware group, NO traffic on ANY INTERFACE ever gets the chance to go below that CAG and possibly match another CAG below the CAG in operation?


For example.


I have my basic network rules set up at the top.
I have a CAG for Corporate LAN connectivity, with all IP traffic allowed.
I have a CAG for VPN connectivity, with all IP traffic allowed.
I have a CAG for an ActiveSync device (which creates a virtual adapter) with only certain network traffic allowed.

If I have it in this order, does this mean that when I connect to the corporate LAN and the adapter matches that CAG, my ActiveSync device will NOT work, i.e. traffic will not get a chance to match the CAG below the Corporate LAN CAG as that CAG is currently in operation?

OR

Does it just mean that 'for traffic that does not match any other CAG, and it does not match a rule above the CAG which is in operation, it is disregarded'?

I would just test it, but it will take me a while to configure another ActiveSync/PDA PC. My user's gone walkabout.

cheers

J
0 Kudos
4 Replies
Bestpractice
Level 7

Re: Connection Aware Groups- Rules above CAGS, and CAGS above CAGS

I believe multiple CAG criteria (and rules contained within) can be processed simultaneously.

0 Kudos
JeffGerard
Level 10

Re: Connection Aware Groups- Rules above CAGS, and CAGS above CAGS

The best way to understand CAG processing is to read the documentation and keep in mind there is also the "isolate this connection" option. I forget exactly where, but somewhere in the docs there is a flowchart explaining the processing order that really helps explain CAG processing. Sorry it's not a better answer, and please don't take this as an "RTFM" as that is not my intention here.

0 Kudos
Bestpractice
Level 7

Re: Connection Aware Groups- Rules above CAGS, and CAGS above CAGS

As taken from the CAG doco. (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20747/en_US/...)

"

Can more than one CAG be active at the same time?

Yes. The Host IPS firewall is adapter aware and can apply different CAGs to different interfaces at the same time. As interfaces are connected and present themselves to Windows, the firewall begins tracking traffic through them and applying the appropriate rules.

Can I have more than one isolated CAG in the firewall policy?

Yes. If no active NIC matches the first CAG’s criteria, the firewall skips the CAG and continues analyzing against the rules that follow the CAG. Because the first CAG was skipped, the fact that it was set to isolate is ignored. For examples on configuring isolated CAGs, please refer to t

McAfee Host Intrusion Prevention 7.0 Product Guide."

0 Kudos
JeffGerard
Level 10

Re: Connection Aware Groups- Rules above CAGS, and CAGS above CAGS

Keep in mind that as soon as a CAG matches where "isolated" is checked, no further processing applies. That CAG will be processed as if it is the last ruleset in the policy.

0 Kudos
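The processing order the replies and the quoted doc describe, as an added model written for this thread (not McAfee's code). It assumes a CAG's criteria can be reduced to one adapter name, that a non-isolated CAG with no matching rule falls through to the entries below it (per JeffGerard's reply), and that unmatched traffic is blocked.

```python
# Added illustration of CAG evaluation order (constructed model, not McAfee code).
# Assumptions: CAG criteria = a single adapter name; a non-isolated CAG that matches but
# has no matching rule falls through; an isolated CAG ends processing; default is block.
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "block"
    proto: str = "any"     # constructed matcher: "any" or a protocol name


@dataclass
class CAG:
    name: str
    adapter: str           # adapter that satisfies this group's criteria (assumption)
    rules: list
    isolated: bool = False


def evaluate(policy, adapter, proto):
    """Return (matching entry, action) for `proto` traffic seen on `adapter`.

    Evaluation is per adapter, so two adapters can sit in different CAGs at once,
    which is why a Corporate LAN match on one NIC does not hide a later CAG from
    the ActiveSync adapter.
    """
    for entry in policy:
        if isinstance(entry, Rule):          # plain rule: applies on every adapter
            if entry.proto in ("any", proto):
                return entry.name, entry.action
            continue
        if entry.adapter != adapter:         # criteria not met on this NIC: skip the CAG
            continue
        for rule in entry.rules:             # inside a CAG that matches this adapter
            if rule.proto in ("any", proto):
                return f"{entry.name}/{rule.name}", rule.action
        if entry.isolated:                   # isolated CAG behaves as the last ruleset
            return entry.name, "block"
    return "default", "block"                # nothing matched: assumed default deny


# Constructed policy in the order the original post describes.
POLICY = [
    Rule("dhcp", "allow", "dhcp"),
    Rule("dns", "allow", "dns"),
    CAG("Corporate LAN", "eth0", [Rule("all-ip", "allow")]),
    CAG("VPN", "vpn0", [Rule("all-ip", "allow")]),
    CAG("ActiveSync", "rndis0", [Rule("sync", "allow", "activesync")], isolated=True),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "eth0", "http"))          # ('Corporate LAN/all-ip', 'allow')
    print(evaluate(POLICY, "rndis0", "activesync"))  # ('ActiveSync/sync', 'allow')
    print(evaluate(POLICY, "rndis0", "http"))        # ('ActiveSync', 'block')
```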