pierce
Level 13
Message 1 of 7

HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Hey,

My security team raised an issue: they are concerned that users at home, not on our VPN network, might map a local network drive and export data.

Does anyone know of an easy HIPS 8 rule to block this behaviour or limit it to only my trusted IP range?

Currently I don't have any location-aware rules (CAGs); it's pretty much a block list and then allow all.

thanks,

Pierce

1 Solution

Accepted Solutions

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


You could probably create a home CAG and a CAG for at work, where at home the CAG criteria you define as private networks (172.x.x.x, 192.x.x.x, 10.x.x.x). Then for the CAG for work, list your work IP ranges as the criteria. Then in the home CAG, you could explicitly block SMB 445 and NetBIOS 137, 138 and 139 traffic. Obviously you could allow this traffic for the work CAG. Make sure you are using the "isolate this connection" button to your advantage too.

CAGs are often overcomplicated and shouldn't be thought of as anything more than just normal firewall rule groups. You could change the configuration of your current firewall fairly easily, test, and implement.

There is probably no hard and fast method for doing this; you can play around with it and probably land at a good configuration.

6 Replies


pierce
Level 13
Message 3 of 7

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Thanks Greatscott,

Thanks for pointing me in the right direction!

I have opted to add a block at the end of my firewall rule set and then add a CAG for my internal network with the allow rule inside. I'm all about keeping this as simple as possible!

So...

CAG(internal network)

     Rule to allow 445, 137-139

other rules

Block rule for 445,137-139

Now just to work out how to configure the CAG to apply to my network! Think I need to dig out the guide for that.

thanks,

Pierce
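Added example, not part of the original post and not McAfee code: a small Python model that checks the rule order described above against a few constructed flows. It assumes top-down, first-match evaluation and a group keyed only on the adapter's local IP; the trusted range `10.20.0.0/16` and all names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the thread never states the real trusted range.
TRUSTED_NET = ip_network("10.20.0.0/16")
SMB_PORTS = {445, 137, 138, 139}  # ports named in the thread (TCP/UDP not modelled)

def rule(action, ports=None):
    return {"action": action, "ports": ports}  # ports=None matches any port

def group(local_net, rules):
    # Location-aware group: its rules apply only when the adapter's
    # local address falls inside local_net.
    return {"local_net": local_net, "rules": rules}

# Layout from the post above, followed by the existing "allow all out".
POLICY = [
    group(TRUSTED_NET, [rule("allow", SMB_PORTS)]),
    rule("block", SMB_PORTS),
    rule("allow"),
]
# Same rules with the block placed after the allow-all: the block never fires.
MISORDERED = [POLICY[0], POLICY[2], POLICY[1]]

def evaluate(policy, local_ip, remote_port):
    """Return the action of the first matching rule, top-down."""
    for entry in policy:
        if "local_net" in entry:
            if ip_address(local_ip) not in entry["local_net"]:
                continue  # group is not active for this adapter
            candidates = entry["rules"]
        else:
            candidates = [entry]
        for r in candidates:
            if r["ports"] is None or remote_port in r["ports"]:
                return r["action"]
    return "block"  # nothing matched: falls through to the bottom block

# Constructed test flows: (description, adapter local IP, remote port)
FLOWS = [
    ("office LAN to file server", "10.20.4.15", 445),
    ("VPN adapter to file server", "10.20.200.7", 445),
    ("home LAN to home NAS", "192.168.1.23", 445),
    ("home LAN web browsing", "192.168.1.23", 443),
]

def verdicts(policy):
    return {desc: evaluate(policy, ip, port) for desc, ip, port in FLOWS}

if __name__ == "__main__":
    for desc, action in verdicts(POLICY).items():
        print(f"{action:5}  {desc}")
```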


Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Make sure you test this out as well to be sure that it fits your needs.

pierce
Level 13
Message 5 of 7

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Don't worry about that, I have learnt my lessons with HIPS. It's very much a slow and steady progress on testing and roll out!

McAfee Employee ktankink
Message 6 of 7

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?

pierce wrote:

I have opted to add a block at the end of my firewall rule set

    

As a suggestion, I would not recommend a BLOCK ALL rule at the bottom of a firewall rule policy. HIPS ADAPTIVE mode functionality is helpful when troubleshooting firewall rules, and in order for Adaptive mode to work, the traffic must pass through all the firewall rules (not matching any of them) and hit the inherited BLOCK ALL TRAFFIC rule at the bottom of the firewall policy. Your BLOCK ALL rule will prevent Adaptive mode from ever working since you have a "catch all" block rule.

pierce
Level 13
Message 7 of 7

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Hey Kary,

Thanks for that pointer, I should have clarified I only added a block for the specific ports, not everything.

My policy is the standard allow things out.

Then a few custom blocked ports/applications

then an allow all out.

I don't have time with all my other duties to manage the HIPS firewall in fully locked down mode (I did try!) so am waiting for some other projects to clear.
