McDuff
Level 10

HIPS 6.1 Firewall Rules for VPN and External Networks

We're implementing the HIPS 6.1 firewall on laptops that connect to the office via VPN, as well as laptops that connect external networks (like cafe hotspots). We will be using connection aware groups. We want our PCs to be secure, but we also want to maintain usability.

I'm curious if, during your initial implementation, you chose to use one of the McAfee provided rules (Client Minimal, Medium, or High) as a basis, then added on to those, or if you wrote your own rules from scratch? Also, did you use learn or adaptive mode? It seems to me that there could be a security risk using learn/adaptive mode, especially when the HIPS administrators and/or users are not network savvy.

What was your experience? If you had to do it over again, what would you recommend?
10 Replies
chuck92103
Level 7

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

We created our own rules. The 6.1 FW is stateful, so we focused on only allowing traffic in for the VPN setup itself.

We did not bother making complex rules that would only cause customer service calls. The main thing is to shut down NetBIOS traffic when mobile.

We never used adaptive for anything. No need to. Focus on what you want to block rather than what you want to allow.
gerryrigney
Level 9

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

"We never used adaptive for anything. No need to. Focus on what you want to block rather than what you want to allow"

Why not use Adaptive and create block rules from there?

I agree, it would be very hard to block all traffic and create rules for what you want to allow as you would surely miss something. But equally is it not very difficult to create block rules for everything you want to block without missing something?
McDuff
Level 10

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

That's the conundrum we face. We want to keep our rule base simple, but sometimes simple rules cannot account for every case. The one problem I see with adaptive mode is that we may inadvertently create permanent rules to allow "bad" traffic in, if proper analysis of the adapted rules generated is not done, and with data from thousands of clients coming in, how does one perform proper analysis on all of it?

I was hoping that a solution would be to use one of McAfee's provided rule sets, based on the assumption that somebody with network expertise at McAfee had put some thought into what a good set of rules should be. Is that wishful thinking?
chuck92103
Level 7

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

It depends on your corporate policy.

Are you trying to prevent employees from doing certain things or just want to block unsolicited inbound traffic, or both?

We realized we only want to block inbound. We handle employees using apps like P2P with A/V unwanted programs, etc. I would keep the rules simple. Remember you have IPS catching most of the bad stuff as once a connection is made, the FW provides little protection.
metalhead
Level 12

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

As mentioned before, I also never use the "Adaptive mode" because it generates many rules which are not necessary and too "broad", which means allowing too much.

Our basic setting looks like this:

1) Internal LAN (Connection aware group based on ip range, dns-suffix, dns servers):
-> Allow ALL

2) VPN -> Allow standard VPN protocols to the VPN gateways

3) Generally allow: bootp, dns

This is the standard if the following prerequisites exist:
1) No other traffic than VPN is allowed from external
2) The VPN client gets an internal IP address and the settings specified for "Internal LAN", which then allows all traffic through VPN
3) If a VPN client gets a special IP subnet assigned via VPN, we normally activate the HIPS quarantine mode for this subnet
McDuff
Level 10

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

I like the simplicity of your implementation. When the PC is not currently connected to your LAN or VPN (say, they are connected to their home's or hotel's network), what do you allow, or is it just bootp and DNS?
metalhead
Level 12

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

In this config it's just bootp and DNS, but in some situations like hotels, HTTPS would be required to gain access to the WLAN hotspot or perhaps to the company's webmailer.
McDuff
Level 10

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

We just want to block unsolicited inbound traffic. We also have our anti-virus software blocking unwanted programs.
McDuff
Level 10

RE: HIPS 6.1 Firewall Rules for VPN and External Networks

Thanks for the information. So your firewall rules consist mainly of blocks to most or all NetBIOS-related traffic? I notice that the Minimal McAfee-provided settings specifically allow some NetBIOS traffic (from trusted sites, but then again, if your trusted sites are 10. sites, that means that other companies' 10. networks would also be trusted), but block incoming NetBIOS TCP traffic from non-trusted sites. Would you consider that insufficient, security-wise, and instead block all NetBIOS traffic?

When a firewall is stateful, does that mean that so long as the traffic is initiated locally, the return traffic will be allowed? Or does it mean that as long as the traffic is initiated locally AND is allowed by the firewall, the return traffic will be allowed? In other words, I'm wondering if we have to specify allowed outgoing traffic in order for the return traffic to be allowed.
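To make the design discussed in this thread concrete, here is a small Python model added as an illustration; it is not McAfee HIPS code and does not use its rule syntax. It picks a connection-aware group from the local IP range, DNS suffix and DNS servers (metalhead's criteria), evaluates that group's rule list first-match, and keeps a state table so that a reply to a permitted outbound flow is let back in without any inbound allow rule, while an unsolicited inbound NetBIOS/SMB connection is blocked. It also shows the hotel case from the thread: under the strict "bootp and DNS only" external policy, outbound HTTPS to a captive portal is blocked. The corporate addresses, DNS suffix, VPN gateway and sample traffic are all constructed values, and using IKE on UDP 500/4500 to stand in for "standard VPN protocols" is an assumption. In this model a state entry is created only when the initiating outbound packet is itself allowed by a rule, which is how common stateful firewalls behave; that HIPS 6.1 behaves the same way is an assumption, not something the thread confirms.

```python
"""Toy model of connection-aware firewall groups with stateful matching.
Constructed for illustration; not McAfee HIPS code or rule syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed environment values (assumptions of the example, not from the thread).
CORP_NET = ip_network("10.20.0.0/16")
CORP_SUFFIX = "corp.example"
CORP_DNS = {"10.20.0.53"}
VPN_GATEWAY = "203.0.113.10"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class NetContext:
    """What the client can observe about the network it is attached to."""
    local_ip: str
    dns_suffix: str
    dns_servers: tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (remote -> this host) or "out" (this host -> remote)
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "block"
    direction: str = "any"
    proto: str = "any"
    remote_net: str = ANY
    ports: tuple = ()          # destination ports; empty means any port

    def matches(self, pkt):
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        if ip_address(remote) not in ip_network(self.remote_net):
            return False
        return not self.ports or pkt.dport in self.ports


def select_group(ctx):
    """Connection-aware group: IP range, DNS suffix and DNS servers must all match."""
    on_corp_net = (ip_address(ctx.local_ip) in CORP_NET
                   and ctx.dns_suffix == CORP_SUFFIX
                   and CORP_DNS & set(ctx.dns_servers))
    return "internal_lan" if on_corp_net else "external"


# First-match rule lists per group. "external" follows the strict layout from the
# thread: DHCP, DNS and the VPN protocol only, with NetBIOS/SMB explicitly blocked.
POLICIES = {
    "internal_lan": [Rule("allow")],
    "external": [
        Rule("allow", "out", "udp", ANY, (67,)),                # bootp/DHCP request
        Rule("allow", "in", "udp", ANY, (68,)),                 # DHCP reply (may be broadcast)
        Rule("allow", "out", "udp", ANY, (53,)),                # DNS query
        Rule("allow", "out", "udp", VPN_GATEWAY + "/32", (500, 4500)),  # IKE / NAT-T (assumed)
        Rule("block", "in", "any", ANY, (137, 138, 139, 445)),  # NetBIOS / SMB
    ],
}


class StatefulFirewall:
    """Allows inbound packets that answer an outbound flow a rule already permitted."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def check(self, pkt):
        if pkt.direction == "in":
            reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reply_key in self.state:
                return "allow (established)"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.direction == "out":
                    # State exists only because the initiating packet passed policy;
                    # an outbound flow no rule allows leaves no entry behind.
                    self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "block (default)"


def evaluate(ctx, packets):
    """Pick the group for this network, then run the packets through its policy in order."""
    group = select_group(ctx)
    fw = StatefulFirewall(POLICIES[group])
    return group, [fw.check(p) for p in packets]


# Constructed samples: a hotel network, then the corporate LAN.
HOTEL = NetContext("192.168.1.23", "hotel.example", ("192.168.1.1",))
HOTEL_TRAFFIC = [
    Packet("out", "udp", "192.168.1.23", 51000, "192.168.1.1", 53),    # DNS query
    Packet("in", "udp", "192.168.1.1", 53, "192.168.1.23", 51000),     # DNS reply
    Packet("in", "tcp", "192.168.1.77", 49321, "192.168.1.23", 445),   # unsolicited SMB
    Packet("out", "tcp", "192.168.1.23", 51001, "198.51.100.7", 443),  # HTTPS to captive portal
    Packet("out", "udp", "192.168.1.23", 500, VPN_GATEWAY, 500),       # IKE to VPN gateway
]
OFFICE = NetContext("10.20.3.44", "corp.example", ("10.20.0.53",))
OFFICE_TRAFFIC = [Packet("in", "tcp", "10.20.7.9", 49000, "10.20.3.44", 445)]

if __name__ == "__main__":
    for ctx, traffic in ((HOTEL, HOTEL_TRAFFIC), (OFFICE, OFFICE_TRAFFIC)):
        print(*evaluate(ctx, traffic))
```

Running it shows the hotel traffic classified as "external" with verdicts allow, allow (established), block, block (default), allow: the DNS reply gets in on state alone, the SMB probe hits the explicit block, and the HTTPS attempt falls through to the default block, which is exactly the usability gap the thread raises for hotel hotspots. The same SMB packet on the corporate LAN is allowed because the "internal_lan" group permits everything.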