bxs
Level 7

HIPS Firewall causes unexplainable slowness with some apps

Environment: HIPS 7, patch 2. CMA 3.6.0, ePO 3.6.1, VSE 8.5 patch 6.1. All HIPS components are currently disabled EXCEPT for the Firewall component.

I have noticed that HIPS causes considerable slowness on some network intensive applications. Obviously some of this is expected just due to the nature of a software firewall, but I am talking fairly large delays. One app (Cisco Desktop Agent for VOIP phone control) specifically takes 5 seconds to launch and connect to the remote server if the firewall is disabled, whereas if the firewall is enabled it can take upwards of 60 seconds to connect.

The activity logs do not show any applicable traffic being blocked, so I am not clear how I can form a rule to help alleviate some of this slowness. This same application ran flawlessly on a DFW 8.5 machine. The current HIPS firewall ruleset was directly migrated from the DFW 8.5 ruleset -- so essentially the only new variable here is HIPS.

Ideas?
0 Kudos
5 Replies
Firewall-Joe
Level 9

RE: HIPS Firewall causes unexplainable slowness with some apps

One quick test would be to put an any-any rule at the top of the rule list.
If you put in an any-any rule and it works fine, then it's a configuration problem.
You're not allowing something that needs to be and it has to time out before it can connect.

Joe
0 Kudos
bxs
Level 7

RE: HIPS Firewall causes unexplainable slowness with some apps

Hi Joe - thanks... I had done that and did confirm that it resolved the problem. The problem I'm specifically confused about is that the blocked traffic is not tied to one specific process, so I can't create a rule to allow the traffic without either leaving it open for any application or restricting it to only a single IP.

Here's an example of what I'm seeing over and over - almost certain this is the cause of the delay (.15 is the server, .228 is the workstation with HIPS):

Time: 10/10/2008 3:41:48 PM
Event: Traffic
IP Address/User: 10.250.64.15
Message: Blocked Incoming TCP - Source 192.168.1.15 : (6293) Destination 192.168.1.228 : (1423)

Time: 10/10/2008 3:41:48 PM
Event: Traffic
IP Address/User: 10.250.64.15
Message: Blocked Incoming TCP - Source 192.168.1.15 : (6293) Destination 192.168.1.228 : (1423)

For whatever it's worth, we're operating on a whitelist principle - i.e. if the traffic doesn't match a rule, it gets dropped.
0 Kudos
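An added example, not from this thread or from McAfee: a small parser for the HIPS activity-log entries in the format quoted above, which groups the blocked inbound flows by remote host and protocol. The sample log is constructed from the two entries in the post plus one extra entry with different ports; the ports vary per connection, so the host is the only stable thing a rule can be scoped to.

```python
import re
from collections import Counter

# Pattern for the "Message:" line of a HIPS 7 firewall activity-log entry,
# as quoted in the post above (source and destination with ports in parentheses).
MSG_RE = re.compile(
    r"Blocked (?P<direction>Incoming|Outgoing) (?P<proto>TCP|UDP) - "
    r"Source (?P<src>[\d.]+) : \((?P<sport>\d+)\) "
    r"Destination (?P<dst>[\d.]+) : \((?P<dport>\d+)\)"
)

# Constructed sample: the two entries from the post plus a third, constructed
# entry from the same server with different source and destination ports.
SAMPLE_LOG = """\
Time: 10/10/2008 3:41:48 PM
Event: Traffic
IP Address/User: 10.250.64.15
Message: Blocked Incoming TCP - Source 192.168.1.15 : (6293) Destination 192.168.1.228 : (1423)

Time: 10/10/2008 3:41:48 PM
Event: Traffic
IP Address/User: 10.250.64.15
Message: Blocked Incoming TCP - Source 192.168.1.15 : (6293) Destination 192.168.1.228 : (1423)

Time: 10/10/2008 3:41:51 PM
Event: Traffic
IP Address/User: 10.250.64.15
Message: Blocked Incoming TCP - Source 192.168.1.15 : (6294) Destination 192.168.1.228 : (1424)
"""

def parse_events(text):
    """Split blank-line-separated records into dicts; keep only blocked-traffic entries."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        m = MSG_RE.search(rec.get("Message", ""))
        if m:  # records without a Source/Destination message are not traffic blocks
            rec.update(m.groupdict())
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            events.append(rec)
    return events

def blocked_by_peer(events):
    """Count blocked inbound flows per (remote host, protocol). The ports change
    with every connection, so they cannot anchor a rule; the remote host can."""
    return Counter((e["src"], e["proto"]) for e in events if e["direction"] == "Incoming")
```

A host that dominates this count is the one to give a host-scoped allow rule, which is narrower than an any-application rule and does not depend on a single port.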
Firewall-Joe
Level 9

RE: HIPS Firewall causes unexplainable slowness with some apps

The "whitelist" principle will be your undoing. Be prepared to create THOUSANDS of firewall rules. I'm not kidding. You will need a rule for every single application or process that wants to talk on the network.

What is that IP address (192.168.1.15)? If it's a server, then create a rule to allow traffic from that IP address alone. You could also use the Connection Aware Groups. When connected to the local LAN it has a more relaxed ruleset and when not in the office it's more strict.

Joe
0 Kudos
bxs
Level 7

RE: HIPS Firewall causes unexplainable slowness with some apps
Thanks - this is what I ended up doing.
0 Kudos
SergeM
Level 9

RE: HIPS Firewall causes unexplainable slowness with some apps
That seems rather standard and sane op to me... We have the same (and have lots of specific rules) here.

Serge
0 Kudos