7 Replies Latest reply on Jun 16, 2009 11:19 AM by jskpoulsbo

    HIPS Firewall

Can you tell me the purpose of the HIPS Firewall, since on every server I install it on I have to turn off the firewall feature to begin with so people can do their work?
        • 1. Config?
          pwolfe
Why not configure it? You could allow the ports for your different needs, or even the subnet. How about a range of IPs? Many different choices. Depending on which mode it is in, it can be adaptive or in learn mode.
          • 2. RE: Config?
            woodsjw
            You installed a host based firewall on your servers without reading the documentation or knowing what it would do?
            • 3. RE: Config?
              Thanks pwolfe. But how do I configure it before I deploy it? Won't I mess up the settings for the HIPS on my ePO Server? Let me know how you configure it. That would help out a lot. Thanks.

              --------------------------------------------------------------------------------

Why not configure it? You could allow the ports for your different needs, or even the subnet. How about a range of IPs? Many different choices. Depending on which mode it is in, it can be adaptive or in learn mode.
• 4. RE: Config?
  I know in general what the HIPS module is for and know that we must install it. So, I deployed HIPS onto a couple of my own servers because we are getting ready for an inspection and was told that the HIPS deployment was a requirement. I took the direct route and deployed first and asked questions later. I'm able to disable the firewall after installation, so everything is okay. But now I need to learn how to deploy HIPS to other people's servers without the firewall enabled.
                • 5. RE: Config?
                  woodsjw


                  Do you know if it's the IPS or firewall that's required? Both?

                  For the firewall you might take a look at some of the canned "starter" firewall policies to see which would most closely match your environment. Then create a new policy based on the one you pick so you can edit it and remove any rules that don't fit your environment. Once you have a firewall rule set that you think is close, assign the rule set to your servers and then set the firewall options to "Adaptive". This will automatically create local exception rules on the servers whenever needed. (ICMP is at least one exception to this where a rule was not automatically created)

                  Let that run for a week or so and then review all the local rules that were "learned" to see which can be discarded and which need to be added to policy. Once you've got your policy sorted out you can switch from "Adaptive" to "On" and remove any local exceptions that you don't need. If you want to purely enforce the policy you can create a new policy copying the "On" policy and uncheck "Retain existing client rules when this policy is enforced" which will remove all locally created rules and enforce only what's set in policy.


IPS is very similar, except there are many "High" severity events that are by default configured to not allow exceptions to be created. These are typically events for which there are very few, if any, non-malicious reasons. But it's important to note that "Adaptive" mode does not mean nothing will be blocked. You need to keep an eye on the event logs, or use "Warning" mode to log only, until you're comfortable.

This was obviously a quick and dirty example.
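To make the adaptive-then-enforce workflow above concrete, here is an added example that is not McAfee code and was not posted in this thread: a small Python model of a host firewall whose policy rules come from a management server and whose local rules are "learned" on the host. The mode semantics it implements are the ones described in the post: traffic that matches no rule is allowed in adaptive mode and a host-local allow rule is created for it, ICMP is not learned, an explicit block rule still blocks, and applying a policy with "retain existing client rules" unchecked discards the local rules. The `Rule` and `HostFirewall` names, the rule fields, and the traffic sample are constructed assumptions, not the product's data model.

```python
"""Toy model of a host firewall with server policy rules plus host-learned rules.

Added example, not McAfee code.  Mode behaviour follows the forum post:
adaptive mode learns an allow rule for unmatched non-ICMP traffic, "on" mode
default-denies, and applying policy with retain_client_rules=False clears the
host-local rules.  All names and sample traffic below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "icmp"
    port: Optional[int]     # None = any port (always None for icmp)
    remote: str             # CIDR such as "10.0.0.0/8"; "0.0.0.0/0" = any host
    action: str             # "allow" or "block"

    def matches(self, proto: str, port: Optional[int], remote: str) -> bool:
        if self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        return ipaddress.ip_address(remote) in ipaddress.ip_network(self.remote)


class HostFirewall:
    """Policy rules are pushed from the management server; local rules are learned on the host."""

    def __init__(self, policy: List[Rule], mode: str = "on", retain_client_rules: bool = True):
        self.policy: List[Rule] = []
        self.local_rules: List[Rule] = []
        self.mode = mode
        self.apply_policy(policy, mode, retain_client_rules)

    def apply_policy(self, policy: List[Rule], mode: str, retain_client_rules: bool = True) -> None:
        """Enforce a new policy; unchecking 'retain existing client rules' wipes learned rules."""
        self.policy = list(policy)
        self.mode = mode
        if not retain_client_rules:
            self.local_rules = []

    def check(self, proto: str, port: Optional[int], remote: str) -> str:
        """Return 'allow' or 'block' for a connection, learning a host rule when adaptive."""
        for rule in self.policy + self.local_rules:          # first match wins
            if rule.matches(proto, port, remote):
                return rule.action
        # No rule matched: default deny, unless adaptive mode learns an exception.
        # ICMP is deliberately not learned, matching the behaviour noted in the post.
        if self.mode == "adaptive" and proto != "icmp":
            self.local_rules.append(Rule(proto, port, f"{remote}/32", "allow"))
            return "allow"
        return "block"

    def learned_rules(self) -> List[Rule]:
        """What an admin reviews after the learning period."""
        return list(self.local_rules)

    def promote(self, rule: Rule, remote: Optional[str] = None) -> Rule:
        """Fold a learned host rule into policy, optionally widening the /32 to a subnet."""
        promoted = Rule(rule.proto, rule.port, remote or rule.remote, rule.action)
        self.policy.append(promoted)
        self.local_rules = [r for r in self.local_rules if r != rule]
        return promoted


# Constructed "starter" policy: a couple of management ports, telnet explicitly blocked.
STARTER_POLICY = [
    Rule("tcp", 3389, "10.0.0.0/8", "allow"),   # RDP from the internal range
    Rule("tcp", 445, "10.0.0.0/8", "allow"),    # SMB from the internal range
    Rule("tcp", 23, "0.0.0.0/0", "block"),      # telnet blocked from anywhere
]


def run_rollout() -> dict:
    """Walk through: adaptive learning, review/promote, then switch to 'on' without client rules."""
    results = {}
    fw = HostFirewall(STARTER_POLICY, mode="adaptive")

    # Week of constructed sample traffic while adaptive.
    results["rdp_adaptive"] = fw.check("tcp", 3389, "10.1.2.3")     # policy allow
    results["app_adaptive"] = fw.check("tcp", 8443, "10.1.2.3")     # unmatched -> learned, allowed
    results["syslog_adaptive"] = fw.check("udp", 514, "10.1.2.4")   # unmatched -> learned, allowed
    results["icmp_adaptive"] = fw.check("icmp", None, "10.1.2.3")   # not learned -> blocked
    results["telnet_adaptive"] = fw.check("tcp", 23, "192.0.2.5")   # explicit block still wins
    results["learned_count"] = len(fw.learned_rules())

    # Review: keep the 8443 rule, widened to the app subnet; the syslog one is left local.
    app_rule = next(r for r in fw.learned_rules() if r.port == 8443)
    fw.promote(app_rule, remote="10.1.2.0/24")

    # Go to "On" with "retain existing client rules" unchecked: only policy survives.
    fw.apply_policy(fw.policy, mode="on", retain_client_rules=False)
    results["app_on"] = fw.check("tcp", 8443, "10.1.2.9")       # allowed by promoted policy rule
    results["syslog_on"] = fw.check("udp", 514, "10.1.2.4")     # local rule gone -> blocked
    results["other_on"] = fw.check("tcp", 9000, "10.1.2.9")     # unmatched, nothing learned now
    results["local_after"] = len(fw.learned_rules())
    return results


if __name__ == "__main__":
    for name, value in run_rollout().items():
        print(f"{name}: {value}")
```

The review step is the part the console does not do for you: learned rules are per-host /32 exceptions, so a rule that should outlive the switch to "On" has to be widened to the right subnet and promoted into policy before "retain existing client rules" is unchecked, otherwise the traffic it covered is blocked again the moment the policy is enforced.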
                  • 6. RE: Config?
                    pwolfe
                    Well stated
                    • 7. RE: Config?
                      Thanks woodsjw. This will be a great help to me. I really appreciate your time and this rough explanation. Respectfully, jskpoulsbo