A good article related to Microsoft Network Location Awareness and what Windows checks to determine domain connectivity.
This can be somewhat recreated in ENS with location-aware groups. Some options, like LDAP towards the domain controller, are not available, but then again other options are available in ENS which you cannot configure in Windows.
Thank you for the link, a good site to start with and helpful background information.
May I ask whether you have set up the ENS or HIPS firewall in your company and, if yes, whether you just differentiate between the domain network and other networks, or do you also have different rules for public and private networks like in the Windows firewall?
I am not familiar with the Windows firewall; we do use the HIPS / ENS firewall a lot in our environment and use Connection-Aware groups with Location set to determine whether a device is connected to a public network or the corporate network.
We have rules allowing traffic for all devices regardless of network connection that allow web browsers, connection to wireless networks and VPN. We then have our Connection-Aware group and Location set to match the DNS Suffix and DNS Server IPs. Whatever is set on the location needs to be matched by the network adapter; you can see this info by running ipconfig /all. Within this Connection-Aware group we have rules that allow traffic only when on the corporate network. See the picture below:
Not sure if this is of help; if you have other questions let me know.
If you do try these types of groups, the log file ENS uses to show whether the connection-aware / location groups are being matched is called "Firewall_Activity.log" and is located under C:\ProgramData\McAfee\Endpoint Security\Logs.
Thanks a lot for sharing your experience, I am sure this will help.
Just let me summarize to see if my understanding is correct.
- By default you block all traffic for all networks (corporate and other networks), but you have exception rules which allow specific traffic.
- You have just one Connection-Aware group, which is used for the corporate network.
- There is no Connection-Aware group for public / private networks because the matching parameters are unknown. For example, you don't know the DNS Suffix or Server of a public or private network.
- The rules allowing traffic for all devices regardless of network connection are outside of the Connection-Aware group and may or may not be collected in a normal group. These rules must probably be moved to the top of the ruleset, above the CAG?
Is this correct so far?
I hope it is ok if I ask some more questions.
- Why do you use DNS Suffix AND DNS Server for matching the corporate network? Wouldn't it be enough to just use the DNS Suffix?
- If you block all traffic in the corporate network by default and just allow some specific traffic, is it correct that you then have to create additional exclusions for network applications which are not covered by the existing allow rules (whitelisting)? Wouldn't it make sense to allow all traffic within the corporate network and just block specific traffic (blacklisting)?
- Are you using the feature "Connection Isolation" and, if yes, in which context are you using it?
- How did you plan the design of the firewall rules? Just with internal discussions about company requirements, or have you used any documents like white papers, best practices, checklists etc.?
Thanks in advance for your help.
I am glad to help. Local firewalls can be very useful, but it does take some time to get to a policy that will work for your environment. I started with McAfee's default policy, then removed / added what we required for our environment based on talks with our security group and business groups.
To your first group of points:
- Yes, by default McAfee's local firewall blocks all traffic unless it's allowed. We have rules that allow basic networking traffic as well as our VPN.
- Yes, we have one main CAG group for our environment, and within this group are the rules we allow when connected to our corporate network and matching the location parameters.
- Correct, it would be very hard to know what to match for public / private networks. We do use CAG groups with registry-location-based matching and then use GPOs to apply the registry key to certain devices if they require more or less restrictive rules / traffic.
- Correct, the rules that are required for basic networking are all outside and above the CAG groups. Think of the policy as traffic flowing top to bottom: if traffic doesn't match a rule and makes it all the way through, then it gets blocked.
The reason we added both DNS Suffix and DNS Server IP is to impose the requirement that both have to match before rules within the CAG are allowed. This provides more security around users being able to spoof both at the same time.
We don't use the application exclusions (whitelisting), if that is what you are talking about. We use all rule-based allows or blocks and usually try to restrict the rules by port, IP and application.
Our CAG groups do have "Connection Isolation" enabled, and this is only to isolate the CAG rules that are set from users having two networks connected (wireless / wired, when one matches the location and one doesn't).
Like I said above, we started with McAfee's default policy, then added / changed it to work for our environment. We had many talks with our security group and a lot of trial and error / testing with business groups. Good luck, and feel free to reach out to me again if needed.
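As an added illustration (not McAfee's code; the rule names, ports, applications, DNS suffix and DNS server IP are constructed), this Python model shows the evaluation order described in the answer above: basic rules above the CAG, the CAG's rules applied only when both DNS suffix and DNS server match the adapter, and a default block for anything that falls all the way through. It also shows why a spoofed suffix alone does not activate the group.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "block"
    ports: frozenset = frozenset()   # empty = any port
    apps: frozenset = frozenset()    # empty = any application

    def matches(self, port, app):
        return (not self.ports or port in self.ports) and (not self.apps or app in self.apps)

@dataclass
class CAG:
    """Connection-Aware Group: its rules apply only when BOTH location criteria match."""
    name: str
    dns_suffix: str
    dns_servers: frozenset
    rules: list

    def location_matches(self, adapter):
        # Assumption: the adapter must carry the configured suffix AND at least
        # one of the configured DNS server IPs (as seen in ipconfig /all).
        return (adapter["dns_suffix"].lower() == self.dns_suffix.lower()
                and bool(adapter["dns_servers"] & self.dns_servers))

def evaluate(policy, adapter, port, app):
    """Walk the policy top to bottom; the first matching rule wins; default is block."""
    for entry in policy:
        if isinstance(entry, CAG):
            if not entry.location_matches(adapter):
                continue              # off-network: the whole group is skipped
            candidates = entry.rules
        else:
            candidates = [entry]
        for rule in candidates:
            if rule.matches(port, app):
                return rule.action, rule.name
    return "block", "default"

# Constructed sample policy mirroring the layout in the thread: basic rules above the CAG.
POLICY = [
    Rule("web browsing", "allow", frozenset({80, 443}), frozenset({"chrome.exe", "msedge.exe"})),
    Rule("vpn client", "allow", frozenset({443, 4500}), frozenset({"vpnclient.exe"})),
    CAG("corporate", "corp.example", frozenset({"10.0.0.53"}), [
        Rule("file shares", "allow", frozenset({445})),
        Rule("rdp to jump host", "allow", frozenset({3389}), frozenset({"mstsc.exe"})),
    ]),
]
CORP_ADAPTER = {"dns_suffix": "corp.example", "dns_servers": frozenset({"10.0.0.53"})}
# Suffix set to the corporate value on a public network, but the DNS server differs.
SPOOFED_ADAPTER = {"dns_suffix": "corp.example", "dns_servers": frozenset({"192.0.2.1"})}
```

Connection Isolation (blocking traffic on a second adapter while one adapter matches the location) is not modelled here.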
Thanks again for taking the time to respond.
I think your explanations will help me to start creating a firewall ruleset in ENS. So I will mark your answer as the correct answer.
You're welcome, reach out again if you have other questions.
Glad to be of help.