I am running ePO 4.6 and have the HIPS 8.0 software installed with the agent. I am trying to do something I think would be very common, but there is almost no information anywhere on how to do it. I want to create a rule set for the Firewall Rules so that when users are remote, they can ONLY connect to the network with either an SSL VPN or an IPSec client. More specifically, the rule should do the following:
Here is what I have for my rules (in order):
Please help. The docs are very weak in this area and I need to hear from someone who actually has this type of behavior working.
I agree with the portion about the timed Connection Aware Group/Connection Isolation Group. My initial reaction was that this was a great addition to HIPS, but upon testing, the user has to manually get into the HIPS console and enable the time countdown. This should be automatic, where if the user meets the criteria for the Group, their countdown begins.
What is the point of having this group if the user is able to interact and click a button to keep allowing for an extra 5 minutes, 10 minutes, or however long the timed group is configured for? What if you need to have an inherently weak ruleset within this group, to ensure they can connect to VPN via random wireless connections, hotel/restaurant splash pages, etc? Timing is needed and necessary to limit exposure.
I would suggest this be addressed at some point by McAfee.
This should be automatic, where if the user meets the criteria for the Group, their countdown begins.
What is the point of having this group if the user is able to interact and click a button to keep allowing for an extra 5 minutes, 10 minutes, or however long the timed group is configured for?
The intended use of a Timed Firewall group is to allow a group of firewall rules to be activated and enabled for a short period of time.
With HIPS 7.0, the only way to get this scenario to work would be to use a static "always on" firewall rule to always allow Internet browsing. With HIPS 8.0, the rule is only temporarily enabled. With the right firewall configuration, it doesn't matter if the user reactivates the Timed Group rule, since they already have the Internet access they need, or the firewall rule configuration is setup so that other rules inside the Location Aware Group can override that Timed Group of rules (e.g., allow Internet browsing to specific internal sites and block all other HTTP access).
If you have other needs for Timed Based Group rules that don't work in the current implementation, please submit a PER for them.
KB60021 - Information about Product Enhancement Requests for McAfee products
I agree that the timed rule is better than having a permanent, static rule in the firewall to allow for VPN access.
Here is my take on the ability for a user to abuse this function:
My take is that when he powered on the system, the 10 minutes should have begun automatically, and there would not be another chance to activate this very loose CAG. I do see that it provides a little bit of flexibility, but from a security perspective, if a user can activate it as many times as they want, it's really like letting a fox guard the hen house.
Are there any switches in HIPS 8 to change any of the functionality surrounding the timed CAG button that the user can click? (Assuming we were to activate a timed CAG)

Message was edited by: greatscott on 8/10/12 8:22:49 AM CDT
He can then still go back and click the timed CAG to allow a new 10 minute session of unlimited iexplore.exe browsing, at will.
Write firewall rules in the VPN CAG to restrict IE traffic. As long as there are firewall rules to control IE traffic, and these rules are above the Timed Group rule (top-down rule processing), then the Timed Group rule cannot be abused to give unlimited Internet access (e.g., when connected to the VPN network, allow all IE traffic to the company network IPs only, then block all other IE traffic. The BLOCK IE rule would take precedence over the Timed Rule for IE allowing all traffic). Different scenarios can be used and tested, depending on user requirements.
Are there any switches in HIPS 8 to change any of the functionality surrounding the timed CAG button that the user can click? (Assuming we were to activate a timed CAG)
There is not. Please submit a Product Enhancement Request, for any ideas you have, as I can see the benefit of having this functionality.
I am not sure how writing firewall rules to restrict IE traffic while the user is in the VPN CAG/LAG solves this problem. The problem that Scott seems to be stating is that if you make a CAG/LAG with an iexplore.exe rule that allows internet access so the person can access a hotel splash page, there's nothing that limits them in any way. They can keep clicking the button to reset the timer, perpetually gaining internet access, although limited through Internet Explorer, with no intention of ever entering the VPN, and therefore, bypassing the company's proxy policy.
What we'd like to see is an actual hard limit to this, where the user can only click this once per Windows session. This at least would force them to have to reboot to regain access. This does not seem possible in HIPS 8. The functionality is really no different than it was in HIPS 7, other than you can allow a user to manually enter a CAG/LAG without having the prerequisite criteria.
What we'd like to see is an actual hard limit to this, where the user can only click this once per Windows session.
Understood. This functionality does not exist currently, but please submit a PER (see above) to the Product Manager with any changes you would like to see added to the product.
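To make the rule-ordering argument in the earlier reply concrete, and to show the re-press concern raised against it, here is a small model of top-down HIPS firewall processing with a Timed Group and a VPN Connection Aware Group. It is an added example, not McAfee code or a real HIPS policy export; the rule names, the 10.0.0.0/8 "company network", the destination addresses and the 10-minute timer are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of HIPS top-down firewall processing (an added example,
# not McAfee code): the first rule that matches decides the verdict.
@dataclass
class Rule:
    name: str
    action: str              # "allow" or "block"
    app: str = ""            # process name; "" = any application
    networks: tuple = ()     # destination CIDRs; () = any destination
    vpn_only: bool = False   # rule lives in the VPN Connection Aware Group
    timed: bool = False      # rule lives in the Timed Group

    def matches(self, app, dst):
        ok_app = not self.app or self.app == app
        return ok_app and (not self.networks or any(ip_address(dst) in ip_network(n) for n in self.networks))

class Firewall:
    def __init__(self, rules, timed_minutes=10):
        self.rules, self.timed_minutes, self.timed_until = rules, timed_minutes, None
    def click_timed_group(self, now):
        # The user presses the Timed Group button: its rules go live for N minutes.
        self.timed_until = now + self.timed_minutes
    def decide(self, app, dst, now, on_vpn):
        timer_live = self.timed_until is not None and now < self.timed_until
        for r in self.rules:
            skipped = (r.vpn_only and not on_vpn) or (r.timed and not timer_live)
            if not skipped and r.matches(app, dst):
                return r.action
        return "block"  # implicit deny at the bottom of the list

# Ordering from the thread: VPN CAG rules sit ABOVE the Timed Group.
# 10.0.0.0/8 stands in for the company network (constructed value).
def hardened_ruleset():
    return Firewall([
        Rule("VPN: IE to company only", "allow", "iexplore.exe", ("10.0.0.0/8",), vpn_only=True),
        Rule("VPN: block other IE", "block", "iexplore.exe", vpn_only=True),
        Rule("Timed: IE for splash pages", "allow", "iexplore.exe", timed=True),
    ])

def run_scenarios():
    # Verdicts for the situations debated in the thread; the button is pressed at t=0.
    fw = hardened_ruleset()
    fw.click_timed_group(now=0)
    out = {
        "off_vpn_internet_t5": fw.decide("iexplore.exe", "203.0.113.5", 5, False),    # allow
        "off_vpn_internet_t10": fw.decide("iexplore.exe", "203.0.113.5", 10, False),  # expired
        "on_vpn_company_t5": fw.decide("iexplore.exe", "10.1.2.3", 5, True),          # allow
        "on_vpn_internet_t5": fw.decide("iexplore.exe", "203.0.113.5", 5, True),      # block
    }
    fw.click_timed_group(now=10)  # the user re-presses the button, as the thread fears
    out["off_vpn_internet_t15"] = fw.decide("iexplore.exe", "203.0.113.5", 15, False)
    return out
```

Once the VPN CAG is active, the block rule above the Timed Group wins no matter how often the timer is restarted; off the VPN, each press buys another window of IE access, which is exactly the gap the thread asks McAfee to close.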