8 Replies Latest reply on Oct 13, 2017 10:08 AM by eduardorinaris

    Domain/Public Profile in ENS Firewall

    wyle008

      Hi

       

      I am looking for best practices for the ENS Firewall configuration, specially how to configure rules for Domain and Non-Domain Networks.

       

      For example Windows Firewall does have the three default profiles Domain, Private and Public. Is there an easy way to "convert" these Windows Fireall profiles to ENS Firewall? If not, what Kind of default profles/rules are you creating and how do you decide about what is allowed/blocked in a public or private network?

       

      kind regards

        • 1. Re: Domain/Public Profile in ENS Firewall
          wouterr

          Hey,

           

          a good article related to Microsoft Network Location awareness and what windows is checking to determine domain connectivity.

          Network Location Awareness (NLA) and how it relates to Windows Firewall Profiles | Networking Blog

           

          This can be somewhat recreated in ENS with location aware groups. Some options like LDAP towards the domain controller is not available. but then again other options are available in ENS which you cannot configure in Windows.

          • 2. Re: Domain/Public Profile in ENS Firewall
            wyle008

            wouterr

            thank you for the link, good site to start and helpful background information.

             

            May I ask you if you have setup the ENS or HIPS Firewall in your company and if yes, if you just make a difference between domain network and other networks or do you also have different rules for public and private networks like in the Windows firewall?

             

            Kind regards

            • 3. Re: Domain/Public Profile in ENS Firewall
              youngs

              Hey, 

               

              I am not familiar with the windows firewall, we do use HIPS / ENS firewall a lot in our environment and do use Connection-Aware groups with Location set to determine if a device is connected to public network or corporate network.

               

              We have rules allowing traffic for all devices regardless of network connection that allows web browsers, connection to wireless networks and VPN.  We then have our Connection-Aware group and Location set to match DNS Suffix and DNS Server IP's.  Whatever is set on the location needs to be matched by the network adapter, you can see this info by doing ipconfig /all.  Within this Connection-Aware group we have rules that allow traffic only when on the corporate network. See below picture below:

              Not sure if this is of help and if you have other question let me know.

               

              If you do try these types of groups the log file the ENS uses to show if the connection-aware / location groups are being matched is called "Firewall_Activity.log" and is located under (C:\ProgramData\McAfee\Endpoint Security\Logs)

               

              Scott

              • 4. Re: Domain/Public Profile in ENS Firewall
                wyle008

                Hey Scott

                 

                Thanks a lot for sharing your experience, sure this will help

                 

                Just let me summarize to see if my understanding ist correct.

                 

                • By default you block all traffic for all networks (corporate and other networks) but you have exception rules which allows specific traffic.
                • You have just one Connection Aware group which is used for the corporate network.
                • There is no Connection Aware group for public / private networks because the matching parameters are unknown. For example you don't know DNS Suffix or Server of a public or private Network.
                • The rules allowing traffic for all devices regardless of network connection are outside of the connection aware group and are or are not collected in a normal group. These rules must probably moved to the top of the ruleset, above the CAG?

                 

                Is this correct so far?

                 

                I hope it is ok if I ask some more questions.

                 

                • Why do you use DNS Suffix AND DNS Server for matching the corporate network. Wouldn't be enough to just use DNS Suffix?
                • If you block all traffic in corporate Network by default and just allowing some specific traffic, is it correct that you then have to create additional exclusions for network applications which are not covered by the existing allowing rules (Whitelisting)? Wouldn't it make sense to allow all traffic within the corporate network and just block specific traffic (Blacklisting)?
                • Are you using the feature  "Connection Isolation" and if yes, in which context are you using it?
                • How did you plan the design of the Firewall rules? Just with internal disscussions about company requirements or have you used any documents like white papers, best practices, check lists etc.?

                 

                thanks in advance for your help

                • 5. Re: Domain/Public Profile in ENS Firewall
                  youngs

                  Hey,

                   

                  I am glad to help, local firewalls can be very useful but it does take some time to get to a policy that will work for your environment.  I started with McAfee's default policy then remove / added what we required for our environment based on talks with our security group and business groups.

                   

                  To your first group of points.

                  - Yes, by default McAfee's local firewall blocks all traffic unless its allow. We have rules that allow traffic basic networking as well for our VPN.
                  - Yes, we have one main CAG group for our environment and within this group are the rules we allow when connected to our corporate and match the location parameters.
                  - Correct, it would be very hard to know what to match for public / private networks.  We do use CAG groups with registry location based matching and then use GPO's to apply the registry key to certain devices if they require more less restrictive rules / traffic.
                  - Correct, the rules that are required for basic networking are all outside and above the CAG groups.  Think of the policy as traffic flows top to bottom, if traffic doesn't match a rule and makes it all the way through then it gets blocked.

                   

                   

                  The reason we added both DNS Suffix and DNS Server IP is to provide the requirement that both have to match before rules within the CAG are allowed.  This provides more security around users being able to spoof both at the same time.

                   

                  We don't use the application exclusions (Whitelisting) if that is what you are talking about.  We use all rule based allows or blocks and usually try restrict the rules by Port, IP and Application.

                   

                  Our CAG groups do have the "Connection Isolation" enabled and this is only to isolate the CAG rules that are set from users having two network connected. (wireless / wired when one matching the location and one doesn't)

                   

                  Like I said above we started with McAfee's default policy then added / changed to work for our environment.  We had may talks with our security group and a lot of trial and error / testing with business groups. Good luck and feel free to reach out to me again if needed.

                   

                  Scott.

                  • 6. Re: Domain/Public Profile in ENS Firewall
                    wyle008

                    Hey Scott

                     

                    Thanks again for taking time to Response

                     

                    I think your explanations will help me to start creating a firewall ruleset in ENS. So I will mark your answer as the correct answer.

                     

                    kind regards

                    • 7. Re: Domain/Public Profile in ENS Firewall
                      youngs

                      Your welcome, reach out again if you have other questions.

                       

                      Glad to be of help.

                       

                      Scott

                      • 8. Re: Domain/Public Profile in ENS Firewall
                        eduardorinaris

                        I use zz host and it´s work perfetly also they have

                        good vip and pro plans with prices from 1.25$

                        unlimited storage email accounts and antivirus...

                         

                        zz.com.ve

                         

                        Free Host

                         

                         

                        <a href="https://www.zz.com.ve" > www.zz.com.ve </a>