2 Replies Latest reply on Apr 8, 2010 8:07 AM by bgable

    Correct use of "Trusted networks" in HIPS



      I'm looking to see how people use the 'trusted networks' feature in HIPS.


      Would I be correct in saying that I could have a trusted network consisting of the address range of my servers, and a firewall rule on each server that says to allow all traffic between these servers, as they are on a section of the network considered trusted? It seems that I could simplify my firewall rules, and it would mean I only need exceptions for traffic that falls outside of the trusted network, e.g. to/from my DHCP network range?


      If my servers fall between and, why not trust that portion of the network and allow all traffic rather than creating rules for every single piece of network traffic between every host? Seems a reasonable way to keep things simple? For things like email I can add additional rules to allow comms with other networks.


      There is nothing to stop someone assigning a client an IP address that falls within the trusted address range and plugging it into my network, but then it is the job of IPS to detect scans and other malicious activity?


      Have I understood the correct use of trusted networks i.e. to allow me to simplify my firewall rules?


      Many thanks

        • 1. Re: Correct use of "Trusted networks" in HIPS

          Yes, you are correct.




          Trusted Networks policy lists IP addresses and networks that are safe for communication. Trusted networks can include individual IP addresses or ranges of IP addresses. Marking networks as trusted eliminates or reduces the need for network IPS exceptions and additional firewall rules. For Windows clients only.


          Settings for Trusted Networks and Trusted Applications policies can reduce or eliminate false positives, which aids in tuning a deployment.

          • 2. Re: Correct use of "Trusted networks" in HIPS

            Thanks for clarifying.


            I think I might do it the other way round as follows:


            Keep my trusted networks list to include all internal networks that need to communicate with each other e.g. the subnet with servers and the one with workstations and printers.


            Create a rule on all servers that allows TCP In/Out between all servers that fall within the range of IP addresses that I use for my servers, i.e. not the whole trusted networks list, so excluding workstations and printers.


            That way I can use the default corporate firewall rule set, which includes the rules you would want between workstations and servers such as NetBIOS and AD, and it means I don't need to treat workstations as entirely untrusted and create separate rules for them.


            So, in summary, my servers allow all traffic to and from all other servers and some traffic to/from clients on the trusted networks. Servers running web services or other apps can have custom rules to allow traffic inbound as required.
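As an added example (not code from this thread, and not the HIPS product's own policy engine), here is a small Python model of the server-side design summarised in the last post: a Trusted Networks list covering the server and workstation subnets, a server-to-server "allow all TCP" rule scoped to the server range only, a few assumed default corporate rules for what workstations need, a per-server web exception, and a default deny. The address ranges, rule names, port numbers and first-match evaluation order are all assumptions made for this example; the real product may evaluate rules differently. The last case in `demo()` shows the caveat raised in the original question: a host that takes an address inside the server range matches the server-to-server rule just like a real server, so the firewall alone cannot tell them apart.

```python
"""Model of the host-firewall design discussed in the thread.

Constructed example: the address ranges, rule names and port numbers below
are assumptions for illustration, not values taken from the thread or from
any real HIPS policy.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# --- Assumed address plan (constructed for this example) -------------------
SERVERS = ip_network("10.10.1.0/24")       # server subnet
WORKSTATIONS = ip_network("10.10.2.0/24")  # workstations and printers
DHCP_CLIENTS = ip_network("10.10.3.0/24")  # DHCP range, deliberately not trusted

# The "Trusted Networks" list: internal networks considered safe to talk to.
TRUSTED_NETWORKS = [SERVERS, WORKSTATIONS]

# Sentinel used in a rule to mean "any address in TRUSTED_NETWORKS"
TRUSTED = "trusted"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    proto: str                         # "tcp", "udp" or "any"
    remote: object                     # IPv4Network, TRUSTED, or None for any
    ports: Optional[frozenset] = None  # destination ports, None for any

    def matches(self, remote_ip: IPv4Address, proto: str, port: int) -> bool:
        """True if this rule applies to a connection from remote_ip."""
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        if self.remote is None:
            return True
        if self.remote == TRUSTED:
            return any(remote_ip in net for net in TRUSTED_NETWORKS)
        return remote_ip in self.remote


# Server policy from the final post: allow all TCP between servers, keep the
# default corporate rules for what workstations need, deny everything else.
# The "default corporate" port lists here are assumed, not the product's.
SERVER_POLICY = [
    Rule("server-to-server", "allow", "tcp", SERVERS),
    Rule("netbios-smb-from-trusted", "allow", "tcp", TRUSTED, frozenset({139, 445})),
    Rule("ad-from-trusted", "allow", "tcp", TRUSTED, frozenset({88, 389, 636})),
    Rule("dns-from-trusted", "allow", "udp", TRUSTED, frozenset({53})),
    # Per-server exception, e.g. a web server that must accept HTTPS from anyone
    Rule("https-from-anywhere", "allow", "tcp", None, frozenset({443})),
    Rule("default-deny", "block", "any", None),
]


def decide(policy, remote_ip: str, proto: str, port: int) -> str:
    """First-match evaluation; returns 'action:rule-name' of the deciding rule."""
    ip = ip_address(remote_ip)
    for rule in policy:
        if rule.matches(ip, proto, port):
            return f"{rule.action}:{rule.name}"
    return "block:implicit"


def demo() -> dict:
    """Evaluate a handful of constructed connection attempts against a server."""
    return {
        # another server, arbitrary application port: covered by the blanket rule
        "server_app_port": decide(SERVER_POLICY, "10.10.1.20", "tcp", 8443),
        # workstation talking SMB: allowed by the default corporate rule
        "workstation_smb": decide(SERVER_POLICY, "10.10.2.50", "tcp", 445),
        # workstation on the application port: no rule, so denied
        "workstation_app_port": decide(SERVER_POLICY, "10.10.2.50", "tcp", 8443),
        # DHCP client: not in Trusted Networks, so even SMB is denied
        "dhcp_client_smb": decide(SERVER_POLICY, "10.10.3.7", "tcp", 445),
        # outside address on HTTPS: allowed only by the per-server exception
        "internet_https": decide(SERVER_POLICY, "203.0.113.9", "tcp", 443),
        # rogue host that assigned itself a server-range address: the firewall
        # treats it as a server; detecting it is left to IPS or other controls
        "rogue_in_server_range": decide(SERVER_POLICY, "10.10.1.250", "tcp", 8443),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} -> {verdict}")
```

The order of the rule list is what makes the design work: the blanket server-to-server rule is checked first, the trusted-only rules next, and the default deny last, so adding a host to the server range widens what it may reach far more than adding it to the Trusted Networks list does.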