3 Replies Latest reply on Jun 7, 2010 3:08 PM by Kary Tankink

    HIPS policy to block WiFi when on LAN

    SergeM

      Hi,


      We have a "secure" LAN [1] here but there are loads of WiFi networks being broadcast around, some from public ISPs.  So I am having issues with (some) users accessing an external, undocumented, unpoliced WiFi network from PCs that are on our LAN at the same time... You can imagine the risks and so on.


      I'm trying to make a policy (firewall policy?) in HIPS 7 that blocks WiFi whenever the users are on our internal LAN.

      Does anyone have an idea ?

      (We'll be looking into additional products such as McAfee Device Control later)

      thanks a lot (this is important and urgent as you may imagine)

        Serge

      [1] as secure as we can make it

        • 1. Re: HIPS policy to block WiFi when on LAN
          HupSkiDup

          that is reasonable.  Search the kb for "connection isolation" and CAG (connection aware group) to learn about doing that.  Connection isolation should kill all other network connections except the one that fits that connection aware group.

          • 2. Re: HIPS policy to block WiFi when on LAN
            SergeM

            Thanks for this information, I had a doubt that CAG & isolation might help but wasn't sure.

            I read most of what I could find (today) in the user manual and KB...

            Now, could you tell me what would happen if

            I create a CAG Rule #1  with

               - CAG criteria is PC is on our internal LAN with IP ... 192.168.100.0/24  (our internal net - hypothetic)

               - LAN only

               - connection isolation

               - rule says when PC is in this network "allow everything   IN/OUT   all IP"

            I have another similar CAG Rule #2 for when users use our VPN (e.g. from a hotel but also from within our network)

               - "any connection" (LAN or WiFi)

               - CAG criteria is PC is on a LAN with IP ...  192.168.200.0/24  (our VPN network - hypothetic)

               - NO connection isolation

               - rule says when PC is in VPN    "allow everything    IN/OUT  all IP"


            Would the users be able to open a VPN connection when in our LAN ?

            Wouldn't CAG Rule #1 block the VPN from being used because of connection isolation ?

            Should I then also isolate the VPN connection ?  I have a feeling that this would lock them suddenly out of the (hotel) network !??


            thanks

            Serge

            • 3. Re: HIPS policy to block WiFi when on LAN
              Kary Tankink

              When a system has matched a CAG rule (that has Connection Isolation enabled), then:


              1. All network traffic for the other network adapters that don't match the CAG (with isolation) will be blocked.

              2. All other CAGs below the CAG (with isolation) will be ignored.

              3. All firewall rules below the CAG (with isolation) will only apply to the matching-CAG (with isolation) network adapter.

              So as I understand it:


              Would the users be able to open a VPN connection when in our LAN ?

              The users would be able to open a VPN connection if the connection is being established using the LAN adapter.  The LAN network adapter matches the CAG (with Isolation), therefore all traffic to/from the LAN adapter would be allowed.  All Wireless network adapter traffic should be blocked at this point, when the LAN adapter matches the CAG (with Isolation).


              Wouldn't CAG Rule #1 block the VPN from being used because of connection isolation ?

              See above.  CAG Rule #1 would block the Wireless network adapter from establishing a VPN connection, but will not block the LAN adapter from establishing a VPN connection (if applicable to your VPN configuration).  When the LAN adapter matches the CAG (with Isolation), all network traffic to/from the LAN adapter will be allowed.


              Should I then also isolate the VPN connection ?  I have a feeling that this would lock them suddenly out of the (hotel) network !??

              What network adapter is being used to establish the VPN connection?  By isolating the VPN connection, you might lock out the hotel network (depending on your VPN connection configuration; are you using exclusive gateways (non split-tunneling) in your VPN configuration?  If so, you're "locking" out the hotel network anyways.)
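As an added illustration (not from this thread and not McAfee's own code), here is a small Python model of the Connection Isolation semantics Kary describes, run against Serge's two hypothetical CAG rules. The adapter names, the IP addresses and the treatment of the VPN tunnel as a "virtual" adapter type covered by the "any connection" CAG are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Adapter:
    name: str
    kind: str                        # "lan", "wifi" or "virtual" (VPN tunnel; assumed type)
    ip: ipaddress.IPv4Address

@dataclass
class CAG:
    name: str
    network: ipaddress.IPv4Network   # CAG criterion: adapter address inside this network
    kinds: frozenset                 # adapter types the CAG covers ("LAN only" vs "any")
    isolate: bool                    # Connection Isolation enabled on this CAG

def match_cag(cags, adapters):
    """Top-down walk of the ordered CAG list: first (cag, adapter) pair that matches.
    CAGs below a matched isolating CAG are ignored (Kary's point 2)."""
    for cag in cags:
        for ad in adapters:
            if ad.kind in cag.kinds and ad.ip in cag.network:
                return cag, ad
    return None, None

def adapter_verdicts(cags, adapters):
    """Kary's point 1: once an isolating CAG matches, only the matching adapter keeps
    network access; every other adapter is blocked. No isolation: all fall through."""
    cag, matched = match_cag(cags, adapters)
    if cag is not None and cag.isolate:
        return {ad.name: ("allowed" if ad is matched else "blocked") for ad in adapters}
    return {ad.name: "allowed" for ad in adapters}

# Serge's two hypothetical CAG rules, in policy order (rule #1 evaluated before #2).
POLICY = [
    CAG("CAG #1 internal LAN", ipaddress.ip_network("192.168.100.0/24"),
        frozenset({"lan"}), isolate=True),
    CAG("CAG #2 VPN", ipaddress.ip_network("192.168.200.0/24"),
        frozenset({"lan", "wifi", "virtual"}), isolate=False),
]

def office_scenario():
    """Constructed case: wired to the office LAN while also associated to a public hotspot."""
    return adapter_verdicts(POLICY, [
        Adapter("eth0", "lan", ipaddress.ip_address("192.168.100.37")),
        Adapter("wlan0", "wifi", ipaddress.ip_address("10.20.30.40"))])

def hotel_scenario():
    """Constructed case: hotel WiFi plus the VPN tunnel adapter; CAG #1 cannot match."""
    return adapter_verdicts(POLICY, [
        Adapter("wlan0", "wifi", ipaddress.ip_address("10.0.0.12")),
        Adapter("tun0", "virtual", ipaddress.ip_address("192.168.200.5"))])
```

In the office case the isolating CAG #1 matches the wired adapter, so the hotspot adapter is blocked while the VPN can still be brought up over the LAN; in the hotel case only the non-isolating CAG #2 matches, so the hotel WiFi stays usable.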