pierce
Level 13

Java.exe and javaw.exe - what do you do regarding allowing ports?

Hi All,

I'm in the process of rolling out HIPS 7 firewall settings to 1500 users. I have 300 so far and the amount of java.exe and javaw.exe firewall rules is getting excessive and difficult to manage.

I have changed the rules to apply by path rather than by fingerprint to reduce the rules somewhat but they are still generating more and more required ports every few days.

I was wondering how anyone on this forum has set up Java rules in their environment.

I'm tempted to add two rules for java.exe and javaw.exe that allow any IP protocol from any local to any remote server as long as it's in the trusted IP range, but I'm not sure if this is recommended or just the lazy way of doing things.

Or is this just a case of sticking with it for a few weeks to capture everything?

thanks,

Pierce

1 Solution

Accepted Solutions
pierce
Level 13

Re: Java.exe and javaw.exe - what do you do regarding allowing ports?

Hey,

Seems like a lot of people are quiet on HIPS when it comes to firewall rules.

In case anyone needs some inspiration... here are the rules I have settled on for my firewall. This is all I have so far with 300 users; before, it was 150 bundled-up rules for various ports in and out and fast becoming a living nightmare to manage.

[Attachment: HIPSJavaRules.jpg]

Use at your own risk etc.... etc...

thanks,

Pierce

4 Replies
petersimmons
Level 12

Re: Java.exe and javaw.exe - what do you do regarding allowing ports?

If I were writing rules for Java I would probably allow clients to speak out on outbound ports with Java only. The inbound flow is handled as part of the stateful nature. I'm not sure I'd want an inbound packet to initiate connections to a Java session.

All this assumes you are looking at your Java applications in other ways. Because of its nature no one can make any statements about it globally.

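To make the outbound-only posture described in the reply above concrete, here is a small added model (not code from the thread or from HIPS itself) of two path-based Java rules plus a stateful filter: outbound connections from java.exe/javaw.exe to a trusted range are allowed and remembered, replies on those flows come back in, and unsolicited inbound packets are dropped. The executable paths and the trusted range are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: two rules keyed on executable path (the thread's
# "by path rather than by fingerprint" choice) instead of one rule per port.
# Paths and the trusted range are assumptions for this example only.
TRUSTED = ip_network("10.0.0.0/8")
JAVA_PATHS = {
    r"C:\Program Files\Java\jre\bin\java.exe",
    r"C:\Program Files\Java\jre\bin\javaw.exe",
}


def rule_allows_outbound(exe_path, remote_ip):
    """Path-based rule: the Java runtimes may open any protocol/port
    outbound, but only to hosts inside the trusted address range."""
    return exe_path in JAVA_PATHS and ip_address(remote_ip) in TRUSTED


class StatefulHost:
    """Minimal stateful filter. Outbound connections permitted by a rule are
    recorded as flows; an inbound packet is accepted only when it matches a
    recorded flow, so return traffic works without any inbound rule while
    unsolicited inbound connections are denied."""

    def __init__(self):
        self.flows = set()  # (remote_ip, remote_port, local_port)

    def outbound(self, exe_path, local_port, remote_ip, remote_port):
        if rule_allows_outbound(exe_path, remote_ip):
            self.flows.add((remote_ip, remote_port, local_port))
            return "allow"
        return "deny"

    def inbound(self, remote_ip, remote_port, local_port):
        if (remote_ip, remote_port, local_port) in self.flows:
            return "allow (established)"
        return "deny (unsolicited)"


if __name__ == "__main__":
    host = StatefulHost()
    java = r"C:\Program Files\Java\jre\bin\java.exe"
    print(host.outbound(java, 51000, "10.1.2.3", 8080))   # allow
    print(host.inbound("10.1.2.3", 8080, 51000))          # allow (established)
    print(host.inbound("10.9.9.9", 4444, 8080))           # deny (unsolicited)
    print(host.outbound(java, 51001, "203.0.113.5", 443)) # deny: outside range
```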
pierce
Level 13

Re: Java.exe and javaw.exe - what do you do regarding allowing ports?

Hey Peter, I was thinking the same thing, but we have a lot of Java developers hosting lots of random apps, so it was easier to add in and out just to avoid any issues with our developers.

I did start with just out but soon started adding a few in rules (nowhere near as many as the out rules).

petersimmons
Level 12

Re: Java.exe and javaw.exe - what do you do regarding allowing ports?

I can't argue with your logic from an operational standpoint. For a typical organization I'd urge a bit of caution trusting unsolicited inbound connections. However, using the new GTI feature to supplement this certainly reduces the risk a bit.
