4 Replies Latest reply on Jul 6, 2017 4:03 AM by wouterr

    Traffic matched on wrong rule

    mreco

      Hi,

      We have migrated our HIPS policy to ENS FW.

      In HIPS, these rules have been working just fine for the last couple of years.

      In ENS FW, we see weird behavior.

      In the FW options, these networks have been defined as ‘trusted networks’:

      127.0.0.1/32
      127.0.0.0/8
      ::1

      When I connect to this machine (where ENS FW is on) from another machine via CIFS, traffic is allowed and matched on the ‘Allow Trusted Networks’ rule:

      Time: 07/06/2017 09:07:43 AM
      Event:  Traffic
      IP-address: 10.0.0.10
      Description: SYSTEM
      Path:  SYSTEM
      Message:      Allowed Incoming TCP  -  Source 10.0.0.11 :  (50371)   Destination 10.0.0.10 : msds (445)
      Rule:  Allow Trusted Networks

      We use 'location awareness' to check if a system is in our internal network, based on 'Connection specific DNS suffix' checking for our internal domain names.

      As you can see in the ENS FW activity log, the location detection is successful (unfortunately part of the logging is in Dutch):

      6-7-2017 09:37:13    mfefw(4820.2656) <SYSTEM> blframework.FIREWALL.Activity: Modus Firewall is ingesteld op Ingeschakeld/Beveiligen.
      6-7-2017 09:37:13    mfefw(4820.7340) <SYSTEM> blframework.FIREWALL.Activity: Opstartbeveiliging is Uitgeschakeld.
      6-7-2017 09:37:13    mfefw(4820.1004) <SYSTEM> blframework.FIREWALL.Activity: GTI-overtredingen rapporteren is Uitgeschakeld.
      6-7-2017 09:37:13    mfefw(4820.7340) <SYSTEM> blframework.FIREWALL.Activity: Inkomende tolerantie van GTI-firewall is ingesteld op Niet blokkeren.
      6-7-2017 09:37:13    mfefw(4820.1004) <SYSTEM> blframework.FIREWALL.Activity: Uitgaande tolerantie van GTI-firewall is ingesteld op Niet blokkeren.
      6-7-2017 09:37:13    mfefw(4820.2656) <SYSTEM> blframework.FIREWALL.Activity: Weergavestatus van waarschuwing is Uitgeschakeld.
      6-7-2017 09:37:13    mfefw(4820.1004) <SYSTEM> blframework.FIREWALL.Activity: Verkeer via bruggen is Uitgeschakeld.
      6-7-2017 09:37:13    mfefw(4820.2656) <SYSTEM> blframework.FIREWALL.Activity: Niet-ondersteund protocol is Uitgeschakeld.
      6-7-2017 09:37:13    mfefw(4820.2656) <SYSTEM> blframework.FIREWALL.Activity:
      Number of currently matching locations: 1

      Name: DNS suffix check
        Number of criterias: 3
      Connection specific DNS Suffix: domain1.nl
      Connection specific DNS Suffix: *.forest.nl
      Connection specific DNS Suffix: otherforest.net

      When disabling the ‘Allow Trusted Networks’ rule in ENS FW, traffic is matched on the correct rule:

      Time: 07/06/2017 09:54:00 AM
      Event:  Traffic
      IP-address: 10.0.0.10
      Description: SYSTEM
      Path:  SYSTEM
      Message:      Allowed Incoming TCP  -  Source 10.0.0.11 :  (51095)   Destination 10.0.0.10 : msds (445)
      Rule:  Inside our internal network

      Doing the same with the same policy on a system that has HIPS installed, the action is logged correctly on the ‘Inside our internal network’ rule:

      Why is traffic matched on ‘Trusted Networks’ when that rule is enabled, although our internal networks are not defined as a trusted network?

        • 1. Re: Traffic matched on wrong rule
          mreco

          OK, it is even worse.

          Even when not connected to our internal network, but to a home or unknown network, incoming traffic is allowed on 'Allow Trusted Networks':

          Time: 07/06/2017 10:33:29 AM
          Event:  Traffic
          IP-address:  192.168.34.71
          Description:  SYSTEM
          Path:  SYSTEM
          Message:      Allowed Incoming TCP  -  Source  192.168.34.71 :  (49779)   Destination  192.168.34.91 : msds (445)
          Rule:  Allow Trusted Networks

          • 2. Re: Traffic matched on wrong rule
            mreco

            And in my first post I forgot to mention that the networks in our 'Inside our internal networks' rule are 10.0.0.0/8 and 172.16.0.0/12.

            • 4. Re: Traffic matched on wrong rule
              wouterr

              Hi,

              There is an important piece of text in the help for ENS regarding "defined networks":

              --------------------------------------------------------------------------------

              Defined Networks:

              Address Specifies the address of the network to define.
              • Trusted — Allows all traffic from the network, regardless of rules.
              • Not trusted — Adds the network to the list of defined networks for creating rules.

              Tip Best practice: To control traffic to Defined Networks that aren't trusted, associate them with firewall rules.

              --------------------------------------------------------------------------------

              So, unlike anyone would expect, you have to put your trusted network as "not trusted" in ENS; otherwise all network traffic to these IP ranges will be automatically allowed.
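An added audit script (not from this thread, McAfee, or the ENS product) that reads traffic events in the "Key: value" layout quoted in the thread and flags every hit on the "Allow Trusted Networks" rule whose source address is outside the trusted networks the poster actually configured, which is the symptom discussed above. The sample log is constructed from the three events quoted in the thread, and the function and constant names are my own.

```python
import ipaddress
import re

# Trusted networks exactly as configured in the ENS FW options described in the thread
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "127.0.0.0/8", "::1")]
TRUSTED_RULE = "Allow Trusted Networks"

# One endpoint of a Message line, e.g. "10.0.0.10 : msds (445)" or "10.0.0.11 :  (50371)"
_ENDPOINT = r"(?P<{n}>[0-9A-Fa-f.:]+)\s*:\s*(?:[A-Za-z][\w-]*)?\s*\((?P<{n}port>\d+)\)"
MESSAGE_RE = re.compile(r"Source\s+" + _ENDPOINT.format(n="src") + r"\s*Destination\s+" + _ENDPOINT.format(n="dst"))

def parse_events(text):
    """Split the 'Key: value' lines of an ENS FW traffic log into one dict per event."""
    events, current = [], {}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue
        if key == "Time" and current:  # each event starts with its Time: line
            events.append(current)
            current = {}
        current[key] = value
    if current:
        events.append(current)
    return events

def audit_trusted_rule_hits(events, trusted=TRUSTED_NETWORKS):
    """Return events logged on the trusted-networks rule whose source is outside every trusted network."""
    findings = []
    for ev in events:
        m = MESSAGE_RE.search(ev.get("Message", ""))
        if ev.get("Rule") != TRUSTED_RULE or not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in trusted):  # an IPv4 address is never "in" an IPv6 network
            findings.append({"time": ev.get("Time"), "src": str(src),
                             "dst": m.group("dst"), "dport": int(m.group("dstport"))})
    return findings

# Constructed sample: the three traffic events quoted in the thread
SAMPLE_LOG = """\
Time: 07/06/2017 09:07:43 AM
Message:      Allowed Incoming TCP  -  Source 10.0.0.11 :  (50371)   Destination 10.0.0.10 : msds (445)
Rule:  Allow Trusted Networks
Time: 07/06/2017 09:54:00 AM
Message:      Allowed Incoming TCP  -  Source 10.0.0.11 :  (51095)   Destination 10.0.0.10 : msds (445)
Rule:  Inside our internal network
Time: 07/06/2017 10:33:29 AM
Message:      Allowed Incoming TCP  -  Source  192.168.34.71 :  (49779)   Destination  192.168.34.91 : msds (445)
Rule:  Allow Trusted Networks
"""
```

Run `audit_trusted_rule_hits(parse_events(SAMPLE_LOG))` to list the two hits from 10.0.0.11 and 192.168.34.71; the event matched on "Inside our internal network" is not reported.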