schmiewliski
Level 10

Firewall and CAGS

Hello Everyone.

I haven't tested this yet as I've been trawling the forum trying to work out how to implement this.

I wish to be able to allow users of laptops to VPN in to the office when travelling, either from home dsl or hotel.

From what I have seen in the forum, and with what's available document-wise being very limited, I would really like a second opinion on whether the following is correct.

Ok my firewall rule I have set is as follows

Allow McAfee signed apps

Allow loopback

Allow DHCP

Allow DNS

Allow HTTP

VPN (Timed group - set to 10 mins)

       Allow IPsec ESP

       Allow IKE

       Allow GRE

       Allow IKE Outbound

CorpNetwork (CAG based on DNS Suffix)

       Allow all inbound

       Allow all outbound

       Allow local loopback

Block All

Is this correct for allowing a user to access the internet for 10 mins, long enough to establish a VPN connection, and then only use the corporate network?

Many thanks in advance

Steve

3 Replies
greatscott
Level 12

Re: Firewall and CAGS

We investigated the same method you did. However, as a user, you can just keep resetting the 10 minute timer. This essentially gives the user unlimited web access.

I could be wrong on this, but I think this feature really turned us off from the timed group.

McAfee Employee

Re: Firewall and CAGS

you can just keep resetting the 10 minute timer. this essentially gives the user unlimited web access.

This is correct.  There is no additional functionality to limit the use of Timed Groups, however, Patch 4 added the ability to report on its use.

PD25043 -Host Intrusion Prevention 8.0 Patch 4 Release Notes

https://kc.mcafee.com/corporate/index?page=content&id=PD25043

Reporting for timed groups usage

In this release of Host Intrusion Prevention, each time a user triggers a timed group, Host Intrusion Prevention generates a McAfee ePO event on the client and logs that action. The McAfee ePO administrator can then run a report to query the usage of timed groups.

For reporting on the usage of timed groups to work properly, you must run the Patch 4 version on both the clients and Extension.

For information on configuring timed groups and running reports, see New features — Extension.

Allow HTTP

VPN (Timed group - set to 10 mins)

       Allow IPsec ESP

       Allow IKE

       Allow GRE

       Allow IKE Outbound

VPN traffic really should not be in a CAG.  Typically, VPN traffic should ALWAYS be allowed out so the VPN tunnel can be built.  Once the VPN is connected, you can then use a CAG to match against the VPN network.  The CAG should match AFTER the VPN tunnel is established, which means VPN traffic Allow rules first, then the CAG.  The traffic associated with building the VPN tunnel should not be part of the VPN CAG; the VPN network that the client is connected to should be.

For hotels/airports/etc., where the user must authenticate via HTTP/HTTPS to get Internet access, you would use a Timed-group here.

  1. Limited HTTP access to authenticate to hotel/airport/etc. network.
  2. Connect to VPN tunnel.
  3. Apply CAG based on VPN network.

It would look more like this:

Allow HTTP CAG (Timed group - set to 10 mins)

       Allow HTTP/HTTPS traffic out

Allow VPN traffic

       Allow IPsec ESP

       Allow IKE

       Allow GRE

       Allow IKE Outbound

VPN CAG

       <Allow traffic as needed>

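The two rule orderings in this thread (Steve's original list and the layout recommended above), plus greatscott's observation about re-triggering the timer, can be checked against a small first-match model. The following is an added example written for this page, not McAfee or HIPS code; the rule and group names follow the posts, while the ports, the 600-second window, the `corp.example` DNS suffix, the `HostState` fields and the single "Allow corp traffic" rule standing in for "<Allow traffic as needed>" are assumptions for illustration.

```python
"""
Toy first-match model of the HIPS 8.0 firewall ordering discussed in this thread.
Added example, not McAfee code.  Rule names follow the posts; the ports, the
600-second timed-group window, the 'corp.example' DNS suffix and the HostState
fields are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

CORP_SUFFIX = "corp.example"   # assumed DNS suffix the CorpNetwork CAG keys on
TIMED_SECONDS = 600            # the 10-minute timed group from the thread


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "esp" or "gre"
    dport: Optional[int] = None
    direction: str = "out"
    dst_suffix: str = ""        # DNS suffix of the destination, "" if none


@dataclass
class HostState:
    vpn_up: bool = False        # tunnel established: the VPN/Corp CAG becomes active
    timed_left: int = 0         # seconds left on the timed group (0 = not active)
    events: List[str] = field(default_factory=list)  # Patch 4 style usage events

    def trigger_timed_group(self, user: str) -> None:
        """User re-enables the timed group in the client UI; the timer restarts."""
        self.timed_left = TIMED_SECONDS
        self.events.append(f"timed group triggered by {user}")

    def tick(self, seconds: int) -> None:
        self.timed_left = max(0, self.timed_left - seconds)


@dataclass
class Group:
    name: str
    rules: List[Tuple[str, Callable[[Packet], bool]]]
    timed: bool = False         # active only while timed_left > 0
    cag_vpn: bool = False       # connection-aware: active only while vpn_up

    def active(self, st: HostState) -> bool:
        return (not self.timed or st.timed_left > 0) and (not self.cag_vpn or st.vpn_up)


def is_ike(p):  return p.proto == "udp" and p.dport in (500, 4500)
def is_esp(p):  return p.proto == "esp"
def is_gre(p):  return p.proto == "gre"
def is_web(p):  return p.proto == "tcp" and p.direction == "out" and p.dport in (80, 443)
def is_corp(p): return p.dst_suffix == CORP_SUFFIX

VPN_RULES = [("Allow IKE", is_ike), ("Allow IPsec ESP", is_esp), ("Allow GRE", is_gre)]

# Policy as posted by Steve: VPN rules live inside the timed group, then a CAG.
POSTED = [
    Group("Allow HTTP", [("Allow HTTP", is_web)]),
    Group("VPN (timed)", VPN_RULES, timed=True),
    Group("CorpNetwork CAG", [("Allow all", lambda p: True)], cag_vpn=True),
]

# Policy as recommended in the reply: web in the timed group, VPN always on, CAG last.
RECOMMENDED = [
    Group("Allow HTTP CAG (timed)", [("Allow HTTP/HTTPS out", is_web)], timed=True),
    Group("Allow VPN traffic", VPN_RULES),
    Group("VPN CAG", [("Allow corp traffic", is_corp)], cag_vpn=True),  # assumed rule
]


def decide(policy: List[Group], st: HostState, p: Packet) -> Tuple[str, str]:
    """First matching rule in the first active group wins; otherwise Block All."""
    for g in policy:
        if g.active(st):
            for name, pred in g.rules:
                if pred(p):
                    return "allow", f"{g.name}/{name}"
    return "block", "Block All"


def walk(policy: List[Group]) -> dict:
    """Hotel scenario: captive portal, tunnel up, timer expires, tunnel drops."""
    st, out = HostState(), {}
    ike, web = Packet("udp", 500), Packet("tcp", 443)
    corp = Packet("tcp", 445, dst_suffix=CORP_SUFFIX)
    out["cold ike"], out["cold web"] = decide(policy, st, ike), decide(policy, st, web)
    st.trigger_timed_group("steve")                  # portal login window opens
    out["timed ike"], out["timed web"] = decide(policy, st, ike), decide(policy, st, web)
    st.vpn_up = True
    st.tick(TIMED_SECONDS)                           # ten minutes pass on the tunnel
    out["vpn corp"], out["vpn web"] = decide(policy, st, corp), decide(policy, st, web)
    st.vpn_up = False                                # hotel Wi-Fi drops the tunnel
    out["rebuild ike"] = decide(policy, st, ike)     # can IKE go out to rebuild it?
    return out


def retrigger(policy: List[Group], times: int) -> Tuple[str, int]:
    """greatscott's point: re-triggering just before expiry keeps web open; Patch 4
    at least leaves one event per trigger for the ePO report."""
    st, web = HostState(), Packet("tcp", 443)
    for _ in range(times):
        st.trigger_timed_group("steve")
        st.tick(TIMED_SECONDS - 1)
    return decide(policy, st, web)[0], len(st.events)
```

Running `walk(POSTED)` shows the problem described above: once the ten minutes are up and the tunnel drops, `rebuild ike` is blocked, because the only rules that allow IKE sit in a group that is no longer active and the CAG cannot become active until the tunnel it depends on exists. `walk(RECOMMENDED)` allows IKE in every state, opens web only while the timed group is live, and after the tunnel is up lets through corp traffic but not open-internet HTTPS. `retrigger(RECOMMENDED, 24)` covers four hours of web access with 24 clicks, which is the behaviour greatscott describes; the 24 recorded events are what a Patch 4 ePO report would surface.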
schmiewliski
Level 10

Re: Firewall and CAGS

Thanks Kary,

The advice you have given has been most helpful. I will go away and do some testing and look at the timed group report. At least it's a starting point and should be able to pinpoint people who are abusing the function.
