pierce
Level 13

HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Hey,

My security team raised an issue: they are concerned that users at home, not on our VPN network, might map a local network drive and export data.

Does anyone know of an easy HIPS 8 rule to block this behaviour or limit it to only my trusted IP range?

Currently I don't have any location-aware rules (CAGs); it's pretty much a block list and then allow all.

thanks,

Pierce

0 Kudos
1 Solution

Accepted Solutions
greatscott
Level 12

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Could probably create a home CAG and a CAG for at work, where for the home CAG you define the criteria as private networks (172.x.x.x, 192.x.x.x, 10.x.x.x). Then for the work CAG, list your work IP ranges as the criteria. Then in the home CAG, you could explicitly block SMB 445 and NetBIOS 137, 138 and 139 traffic. Obviously you could allow this traffic for the work CAG. Make sure you are using the "isolate this connection" button to your advantage too.

CAGs are often overcomplicated and shouldn't be thought of as anything more than normal firewall rule groups. You could change the configuration of your current firewall fairly easily, test, and implement.

There is probably no hard and fast method for doing this; you can play around with it and probably land at a good configuration.

0 Kudos
6 Replies
pierce
Level 13

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Thanks, Greatscott,

Thanks for pointing me in the right direction!

I have opted to add a block at the end of my firewall rule set and then add a CAG for my internal network with the allow rule inside. I'm all about keeping this as simple as possible!

So...

CAG(internal network)

     Rule to allow 445, 137-139

other rules

Block rule for 445,137-139

Now just to work out how to configure the CAG to apply to my network! Think I need to dig out the guide for that.

thanks,

Pierce

0 Kudos
greatscott
Level 12

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Make sure you test this out as well to be sure that it fits your needs.

0 Kudos
pierce
Level 13

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Don't worry about that, I have learnt my lessons with HIPS. It's very much a slow and steady progress on testing and roll out!

0 Kudos
McAfee Employee

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?

pierce wrote:

I have opted to add a block at the end of my firewall rule set
As a suggestion, I would not recommend a BLOCK ALL rule at the bottom of a firewall rule policy. HIPS ADAPTIVE mode functionality is helpful when troubleshooting firewall rules, and in order for Adaptive mode to work, the traffic must pass through all the firewall rules (not matching any of them) and hit the inherited BLOCK ALL TRAFFIC rule at the bottom of the firewall policy. Your BLOCK ALL rule will prevent Adaptive mode from ever working since you have a "catch all" block rule.

0 Kudos
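To check the rule ordering pierce described (CAG allow for the internal range, then a port-specific block, then allow all out) against the Adaptive mode point raised above, here is an added example that models a HIPS 8 firewall policy as an ordered rule list. It is not McAfee code: CAG criteria are simplified to local-address ranges (real CAGs also match on DNS suffix, gateway and other criteria), and 203.0.113.0/24 is a placeholder for the company's own range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ordered HIPS-style policy: first matching rule wins; a rule placed inside a
# Connection-Aware Group only applies when the host's local address matches
# the group's network criteria. Unmatched traffic falls through to the
# inherited BLOCK ALL rule at the bottom, which is where Adaptive mode learns.
@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    ports: Optional[set] = None       # None means any port
    cag_networks: tuple = ()          # non-empty means the rule sits inside a CAG

    def applies(self, local_ip: str, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if self.cag_networks:
            ip = ipaddress.ip_address(local_ip)
            return any(ip in ipaddress.ip_network(n) for n in self.cag_networks)
        return True

SMB_NETBIOS = {445, 137, 138, 139}
WORK_RANGE = ("203.0.113.0/24",)      # placeholder for the internal network

def evaluate(policy, local_ip, port):
    """Return (action, rule name); the inherited BLOCK ALL catches the rest."""
    for rule in policy:
        if rule.applies(local_ip, port):
            return rule.action, rule.name
    return "block", "inherited BLOCK ALL"

def adaptive_mode_can_learn(policy, local_ip, port):
    """Adaptive mode only sees traffic that reaches the inherited rule."""
    return evaluate(policy, local_ip, port)[1] == "inherited BLOCK ALL"

# pierce's layout: CAG(internal) allow, other rules, port-specific block, allow all out.
PIERCE_POLICY = [
    Rule("CAG internal: allow SMB/NetBIOS", "allow", SMB_NETBIOS, WORK_RANGE),
    Rule("block SMB/NetBIOS", "block", SMB_NETBIOS),
    Rule("allow all out", "allow"),
]
# The variant warned about above: an explicit catch-all block as the last rule.
CATCH_ALL_POLICY = PIERCE_POLICY[:2] + [Rule("BLOCK ALL", "block")]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.168.1.20"):         # at work / at home
        for port in (445, 443):
            print(ip, port, evaluate(PIERCE_POLICY, ip, port))
```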
pierce
Level 13

Re: HIPS 8 Rule advice, is there a rule that can restrict mapping network drives to trusted range only?


Hey Kary,

Thanks for that pointer. I should have clarified that I only added a block for the specific ports, not everything.

My policy is the standard allow things out.

Then a few custom blocked ports/applications.

Then an allow all out.

I don't have time with all my other duties to manage the HIPS firewall in fully locked-down mode (I did try!) so am waiting for some other projects to clear.

0 Kudos