Centralized logging isn't just feasible, it's pretty much half the point of ePO. If you can't see what you're managing (the effect, that is), you're effectively driving blind. If the architecture can't handle the traffic volume, then it needs to be fixed. You can't tune a firewall without access to the logs.
Sorry to rant, but AV and other PC security products have been too far behind the curve for too long. I hear among other security professionals that we have a user training problem. No, what we have is a situation where the defending technology isn't working well enough. We need to stop worrying about reports, graphs, charts, and user interface, and get back to the nuts and bolts of security. Or, just consign yourself to the belief that AV/HIPS/desktop firewall are just commodities, and then we, as customers, will just go to the lowest bidder.
I said logging firewalls would be nice, but ePO still has its shortcomings. McAfee should investigate it. I surmise that if you were to take a typical ePO server right now and magically turn on this function, it would break.
Just use the features the product DOES have to achieve what you need. I would bet using Adaptive mode (don't retain existing rules) and using "Treat match as intrusion" for explicit blocks would be enough logging for MOST use cases described here. I've used it just fine for my tuning needs.
I haven't been in an environment yet (I'm a consultant, dozens of HIPS FW/IPS installs/upgrades/tweaks) where logging each and every packet is warranted. Would it be useful for those fringe cases? Sure. But at what cost to the event parser, database, and web console when trying ANY query from the ePOEvents table? Keep in mind that your "Top 10 Virus Detections" query comes from the same table you want to store each and every FW rule match.
To answer the OP's question: Don't have a single Allow rule, just explicit denies with "treat as intrusion", and be in adaptive mode (no default deny at the bottom, though). It's rough, crude, and will be a royal PITA to try and manage for more than a couple of systems, but it will get you at least 90% of what you're looking for.
Take a look at McAfee TAT. McAfee Threat Activity Tracer (TAT) is a host-based software solution that allows you to collect network telemetry for host-based threat activity. With this information you can gain a better understanding of where attacks are originating from, both inside and outside of your environment. I put the PER in for this functionality in 2012; this was the result. It's a good tool. Hopefully this type of functionality will be supported in future HIPS versions.
It uploads the firewall events to ePO based on HIPS/VSE events. Not all blocks, just based on events.

Message was edited by: er587 on 10/24/13 11:59:44 AM CDT
While I haven't used it, the MER tool is supposed to allow you to pull logs.
The other option is to write a PowerShell script to pull all the events.log files; then you can create a script to merge them and remove duplicates.
Hope to expand on the KB while working on port white-listing.
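One way to do what the post above suggests, as an added example that is not code from this thread or from McAfee: it pulls each host's events.log over the admin share into a date-stamped staging copy, merges the copies, and drops duplicate lines. The host names, the remote log path and the staging folder are assumptions/placeholders; replace them with your own.

```powershell
# Added example (not from the thread or from McAfee). Pulls HIPS events.log from
# each host, merges the staged copies and removes duplicate lines.
# Host names, RemoteLogPath and StageDir are assumptions/placeholders.
param(
    [string[]]$Computers     = @('WKS01', 'WKS02'),                        # constructed sample hosts
    [string]$RemoteLogPath   = 'C$\PLACEHOLDER_HIPS_LOG_DIR\events.log',   # placeholder path
    [string]$StageDir        = "$env:TEMP\hips-pull",
    [string]$MergedFile      = "$env:TEMP\hips-events-merged.log"
)

New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd'

# Step 1: pull each host's events.log into the staging folder. The copy is
# date-stamped so repeated pulls accumulate and overlapping content can be deduped.
foreach ($computer in $Computers) {
    $source = "\\$computer\$RemoteLogPath"
    $dest   = Join-Path $StageDir "$computer.$stamp.events.log"
    if (Test-Path -LiteralPath $source) {
        Copy-Item -LiteralPath $source -Destination $dest -Force
    } else {
        Write-Warning "Log not reachable on $computer ($source); skipping"
    }
}

# Step 2: merge every staged copy, tagging each line with its origin host so the
# same text seen on two different hosts stays as two events.
$seen   = New-Object 'System.Collections.Generic.HashSet[string]'
$merged = foreach ($file in Get-ChildItem -Path $StageDir -Filter '*.events.log') {
    $hostName = $file.Name.Split('.')[0]       # "<host>.<date>.events.log"
    foreach ($line in Get-Content -LiteralPath $file.FullName) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # Step 3: dedupe on host + line. Lines repeated across overlapping pulls of
        # the same host collapse to one; identical lines on other hosts are kept.
        $tagged = "$hostName`t$line"
        if ($seen.Add($tagged)) { $tagged }
    }
}

$merged | Set-Content -LiteralPath $MergedFile
Write-Host ("Merged {0} unique line(s) from {1} host(s) into {2}" -f @($merged).Count, $Computers.Count, $MergedFile)
```

Run it from an account that can read the admin share on the target hosts; the merged file is tab-separated with the host name in the first column.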
I haven't tested it out, but I was told that if on each firewall rule in your policy you check the box "Treat match as intrusion (Windows Only)", it will send the event up to the ePO server. If you want to view all the BLOCKED traffic, then you can create a rule at the bottom of your policy with DENY ALL and check that box; then whenever a connection is blocked by the DENY ALL rule, you should see it as an event in the Host IPS module.