6 Replies Latest reply on Dec 7, 2017 9:19 AM by eobiont

    Trusted Network Policy

    eobiont

      The decision to combine the ENS Firewall options policy and the trusted networks list policy is causing me trouble.


      I have one policy I assign to some folks that allows them to temporarily disable the firewall - mostly developers who need to temporarily send files back to their desktop computers from network devices.

      With HIPS 8.0 firewall it was possible to assign that policy to just unlock the ability to disable HIPS components from the task bar.  I was able to maintain a single list of trusted networks in its own policy.


      Now that Trusted Network list has been combined with other Firewall policies, I have to maintain the trusted network list in multiple policies which is very undesirable.


      If I want one Firewall policy to have the firewall toggleable and one policy where the firewall is not able to be disabled, but want to have the same Trusted Network list for both, then I have to maintain the trusted networks list in two places.


      Would another solution be to create a custom trusted networks Network rule in the catalog and use that instead of the built in [defined networks]/Trusted in the firewall rules?


      Does ENS firewall use the defined "Trusted Networks" in any case apart from the firewall rules?  I would like all clients to be open to the same list of Trusted IP addresses but have other elements of the Firewall (like the ability to toggle on/off) be different on some computers.


      I think it was a design mistake on McAfee's part to combine the Trusted Network Policy and the Options policy into a single firewall policy.  It is easy to imagine a scenario where you would want to have different options but the same trusted IP list - and this design decision requires customers to maintain the Trusted IP list in multiple policies.

        • 1. Re: Trusted Network Policy
          Kary Tankink
          If I want one Firewall policy to have the firewall toggleable and one policy where the firewall is not able to be disabled, but want to have the same Trusted Network list for both, then I have to maintain the trusted networks list in two places.

          Why do you need to maintain a list of trusted networks in two places?  In ENS FW, a Defined Network->Trusted network entry applies an ALLOW ALL IN/OUT for IPs listed in the Defined Networks->Trusted section.  These rules are processed before the FW Rules policy is, so "trusted" networks can be (should be) placed in the ENS FW Options policy, not the ENS FW Rules policy.  In HIPS, "Trusted Networks" entries did not actually allow all traffic in/out like ENS FW does; it works similarly to the ENS FW Defined Networks->Not Trusted networks (list the network entries as Not Trusted, then use those IPs in a FW Rule where Local/Remote Network = Defined Network).


          Would another solution be to create a custom trusted networks Network rule in the catalog and use that instead of the built in [defined networks]/Trusted in the firewall rules?

          Creating a FW Rule policy rule that ALLOW ALL IN/OUT for a list of "trusted" networks will work, but it will be applied/processed lower in the compiled FW rules on the client (e.g., meaning it will be processed below other hard coded rules, such as the GTI rules).  Using 'trusted' networks in the FW Options, instead of FW Rules, will override any GTI ratings that might block routable IPs.  Creating a Local/Remote Network in the ENS Firewall Catalog of your 'trusted' IPs, or just having the same list of IPs as Local/Remote Network entries with an ALLOW ALL type FW rule works the same as the Defined Networks->Trusted network rule, except that it's processed a bit later than other client-side FW rules.


          I think it was a design mistake on McAfee's part to combine the Trusted Network Policy and the Options policy into a single firewall policy.  It is easy to imagine a scenario where you would want to have different options but the same trusted IP list - and this design decision requires customers to maintain the Trusted IP list in multiple policies.

          Submit a Product Idea if you have ideas on how to improve product functionality.
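The ordering point in the reply above (Options-level trusted networks are processed before the hard-coded client rules such as GTI, while a catalog-based "trusted" rule in the FW Rules policy is processed after them) is easy to get wrong when deciding where to keep the list. The following is an added illustration, not McAfee code and not something posted in this thread: a small first-match model that assumes three layers in the order the reply describes (Options trusted list, then a GTI-style reputation block list, then the FW Rules policy, with a default deny at the end as a model simplification), and uses constructed TEST-NET addresses to show how the same trusted list behaves in each location.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One allow/block rule keyed on remote-network membership (model only)."""
    name: str
    action: str                                    # "allow" or "block"
    networks: list = field(default_factory=list)   # CIDR strings; empty = match any

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if not self.networks:
            return True
        return any(addr in ipaddress.ip_network(n, strict=False)
                   for n in self.networks)


def evaluate(ip, options_trusted, gti_blocked, fw_rules):
    """First-match evaluation across the three layers described in the thread.

    Returns (action, layer). The layer order is this model's assumption:
      1. FW Options -> Defined Networks -> Trusted (implicit ALLOW ALL IN/OUT)
      2. hard-coded client rules, modelled here as a GTI reputation block list
      3. FW Rules policy, top to bottom; default deny if nothing matches
    """
    if options_trusted and Rule("trusted", "allow", options_trusted).matches(ip):
        return "allow", "options/trusted"
    if gti_blocked and Rule("gti", "block", gti_blocked).matches(ip):
        return "block", "gti"
    for rule in fw_rules:
        if rule.matches(ip):
            return rule.action, f"rules/{rule.name}"
    return "block", "default-deny"


# Constructed sample data (TEST-NET / private ranges, not real hosts).
TRUSTED = ["10.20.0.0/16", "203.0.113.5"]
GTI_BLOCKED = ["203.0.113.0/24"]   # pretend GTI rates this whole range badly


def compare_designs(ip):
    """Outcome for the same trusted list kept in Options vs. in a FW Rules catalog rule."""
    in_options = evaluate(ip, TRUSTED, GTI_BLOCKED, [])
    catalog_rule = Rule("catalog-trusted-anyany", "allow", TRUSTED)
    in_rules = evaluate(ip, [], GTI_BLOCKED, [catalog_rule])
    return {"options": in_options, "rules": in_rules}


if __name__ == "__main__":
    for sample in ("10.20.1.7", "203.0.113.5", "198.51.100.9"):
        print(sample, compare_designs(sample))
```

Running it shows the difference the reply is pointing at: a trusted host that GTI happens to rate badly is still allowed when the list lives in Options, but blocked by the GTI layer when the same list is only a catalog rule in FW Rules. Hosts outside both the trusted list and the GTI list fall through to the model's default deny either way.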

          • 2. Re: Trusted Network Policy
            eobiont

            The ability to toggle the Firewall on/off is in the same policy -- ENS FW Options -- where the trusted network list is defined.


            Therefore, I need to have two ENS FW Options policies -- one ENS FW Options policy with "FW toggle enabled" and one with "FW toggle disabled".


            When adding an IP address to the trusted network list, I need to add it to the ENS FW Options -- FW Toggle Enabled and the ENS FW Options -- FW Toggle Disabled.


            I don't mean that I have to maintain two Trusted Network lists -- I mean I have to maintain the same list in two different ENS FW Options policies.  When adding an IP it has to be added to ALL ENS FW Options policies - of which I have two so far.  There could be more eventually.  I might have another policy where I don't want to overwrite client-side rules.  That is in the same ENS FW Options Policy.  Now the Trusted list would need to be maintained in three policies, and so on.


            I think to be flexible with the rules I may end up with 4 or 5 ENS Firewall Options policies (maybe one with client side rules allowed for instance) and the Trusted Network has to be maintained individually in each of those policies.

            • 3. Re: Trusted Network Policy
              Kary Tankink

              Ah I see.  I would submit a Product Idea to be able to use ENS Firewall Catalog items in the ENS Options policy (e.g., DNS Blocking entries, Defined Networks, and Trusted Executables).

              • 4. Re: Trusted Network Policy
                eobiont

                That would be a wonderful way to implement this.  Thanks for the suggestion.


                What I am doing right now is to leave the trusted networks blank in the ENS FW Options.  I then maintain a Network in the FW Rules Catalog.  I then have an Any/Any from/to that custom Trusted Networks entry as high up in the FW Rules as allowed.  It's not ideal but better than what is currently in the product with regards to maintaining the list.

                • 5. Re: Trusted Network Policy
                  woody188

                  This was what I was thinking, if it can't be done in the Options to make it a catalog item.

                  • 6. Re: Trusted Network Policy
                    eobiont

                    I have submitted a product improvement suggestion.  Looking through the list of suggestions though, I am not sure it is monitored or maintained by McAfee in a meaningful way.