Is it possible to enable/disable rules based on the AD groups that a user is a member of?
In trying to decipher some requirements placed upon me, I've tried to accommodate them by whitelisting IP traffic. For a bog standard user this has worked well, but for developers it isn't going so well. So what I would like to do is use their AD group memberships to facilitate the enabling of rules to allow them extended access to services, rather than having a global developer set of rules.
One feature that is being worked on is User-Based policies (no exact ETAs at this point). It will have some limitations, but basically will apply a Firewall Rule policy based on the logged in Active Directory user.
AD User1 logs into a system and will get Firewall Rule Policy1.
AD User2 logs into a system and will get Firewall Rule Policy2.
If you're interested in more details, contact Sales/Support for details (e.g., discussion with the Host IPS Product Manager).
The currently released HIPS build does not have this feature though... yet.
One really backward way to do this is to have the developers implement some sort of arbitrary registry key on all their systems. Then use that key to authenticate to a connection-aware group in the firewall. Within that connection-aware group you could have a looser ruleset or an allow-all. Assuming your general population of users doesn't have the capability to add/remove/modify registry settings, they could never be authenticated to that connection-aware group via the HIPS firewall.
Again, this doesn't address AD groups, but it could work.
Thanks for the ideas greatscott & Namster - looking at the LAG setup though, that would be fine if I needed a loose "all users of type x get this", but I want true granular control - user X needs SQL and VMware so gets 1433/TCP and 4712/TCP-UDP to host z, user Y needs SQL, etc.
I'll have a prod of sales to see if they can give me some details on user-based policies - that's exactly the sort of functionality that I need.
In the meantime I've got some due diligence to do with Trend, Sophos and Microsoft.
No, if I wanted true granularity like that I'd just need a rule engine that is capable of parsing AD memberships and adding in the requirements based on those.
I was having a chat with a Pen Testing company recently, and they were saying that they hadn't come across any sites that properly whitelisted their traffic, so I showed them my test bed and they were impressed that they couldn't find anything to leverage - because all my workstations and servers have rules which only permit specific traffic.
It starts to get complicated when I have users that need to add in specific requirements, hence the view that if I could interpret their AD memberships then it would be easy to map in rule changes.
I was slightly shocked to realise that Microsoft have got this capability via GPO - makes a pleasant change.
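The "rule engine that parses AD memberships" described in this thread, sketched as an added example (not code from the thread, from McAfee, or from any vendor product). It reads the CSV output of `whoami /groups /fo csv`, unions the per-group rule sets, and reconciles the result against what is currently applied so that rules are withdrawn when a membership is removed. The group names, host names and SIDs are constructed assumptions; the only values taken from the thread are the SQL (1433/TCP) and VMware (4712/TCP+UDP) requirements. The output is an abstract rule list; pushing it into the HIPS firewall or Windows Firewall via GPO is left to whichever enforcement point the site uses.

```python
import csv
import io
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True, order=True)
class Rule:
    """One outbound allow rule: protocol/port to a specific remote host."""
    proto: str   # "TCP" or "UDP"
    port: int
    host: str


# Constructed policy (assumption): which AD security groups grant which
# extra rules. Group and host names are placeholders; the ports come from
# the thread (SQL 1433/TCP, VMware 4712/TCP+UDP). Anything not listed here
# stays under the deny-by-default baseline.
GROUP_RULES = {
    "FW-SQL-Users": {
        Rule("TCP", 1433, "host-z.corp.example"),
    },
    "FW-VMware-Users": {
        Rule("TCP", 4712, "host-z.corp.example"),
        Rule("UDP", 4712, "host-z.corp.example"),
    },
    # Deliberately overlaps the SQL group: the union yields each rule once.
    "FW-Developers": {
        Rule("TCP", 1433, "host-z.corp.example"),
        Rule("TCP", 443, "git.corp.example"),
    },
}


def parse_whoami_groups(text: str) -> set[str]:
    """Parse `whoami /groups /fo csv` output into bare group names.

    The DOMAIN\\ prefix is dropped; well-known groups such as Everyone are
    kept but simply never match a policy key."""
    reader = csv.DictReader(io.StringIO(text))
    names: set[str] = set()
    for row in reader:
        names.add(row["Group Name"].split("\\", 1)[-1])
    return names


def rules_for(groups: Iterable[str]) -> list[Rule]:
    """Union of every rule granted by any matching group, sorted for
    stable comparison. Unknown groups are ignored."""
    wanted: set[Rule] = set()
    for group in groups:
        wanted |= GROUP_RULES.get(group, set())
    return sorted(wanted)


def reconcile(current: Iterable[Rule],
              desired: Iterable[Rule]) -> tuple[list[Rule], list[Rule]]:
    """Return (to_add, to_remove) so re-running is idempotent and a rule
    disappears as soon as the group that granted it is removed."""
    cur, des = set(current), set(desired)
    return sorted(des - cur), sorted(cur - des)


# Constructed sample of `whoami /groups /fo csv` for a user in two policy
# groups. SIDs are placeholders, not real directory values.
SAMPLE_WHOAMI = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"CORP\\FW-SQL-Users","Group","S-1-5-21-0-0-0-1101","Mandatory group, Enabled by default, Enabled group"
"CORP\\FW-VMware-Users","Group","S-1-5-21-0-0-0-1102","Mandatory group, Enabled by default, Enabled group"
'''


if __name__ == "__main__":
    groups = parse_whoami_groups(SAMPLE_WHOAMI)
    desired = rules_for(groups)
    for r in desired:
        print(f"allow out {r.proto}/{r.port} -> {r.host}")
    # Membership change: the user leaves the VMware group but keeps SQL.
    to_add, to_remove = reconcile(desired, rules_for({"FW-SQL-Users"}))
    print("add:", to_add)
    print("remove:", to_remove)
```

The engine is intentionally additive only: a group can grant rules but never override another group's rules, so the effective policy for a user is always the union of small, reviewable sets, and an unlisted group contributes nothing. Run `reconcile` on every logon (or on a group-change event) rather than once at enrolment, so that removing a user from a group actually takes their access away.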