1 Reply Latest reply on Jul 31, 2010 2:27 AM by bgable

    Hotel mode: FW configuration.

    jj4sec

      I am trying to replace the Vista FW with the McAfee FW, but I need to find a solution for hotel connectivity.

      For the Vista FW, hotel connectivity is solved by a timed script, giving users only three minutes to fill in the hotel payment page and activate the VPN tunnel to the corporate network. After the three minutes, no internet connectivity is allowed.

      I tried to translate this to the McAfee FW but got stuck.

      * The Vista FW allows checking the domain controllers to be sure that the machine is connected to the corporate network. This doesn't seem to be possible with HIPS. An alternative here is to check the ePO server, but that isn't as redundant as the domain controller setup (lots of countries with lots of WAN connections). The HIPS FW may be connection aware, but it isn't domain aware and/or internet aware.

      * In my proposal below I got stuck at bullet 6. Even after another reading of the HIPS manual and checking the config possibilities in ePO, I can't add checks for whether I can connect to certain IP addresses. In bullet 6 I try to check whether I have internet access by checking some public IP addresses (company public IP addresses, public DNS servers, ...).

       

      Has anyone configured something like this?

      How can I solve my issues (no internet access allowed, or only for a limited period (minutes))?

       

      My goals are:

      No bridging is allowed whenever connected.

      Internet access is allowed only through my company FW, whitelists, content filters, ...

      In a hotel, no internet access or only time-limited internet access is allowed (just a few minutes to complete the hotel payment page).

      In a hotel, only traffic inside the VPN tunnel is allowed, except for the limited time to fill in the payment page. As soon as my company network is reachable (public IP range), internet access must be blocked.

      Proposed solution

      1. Basic rules

      FW rules for DNS, DHCP, BOOTP

      VPN protocols (IPsec, IKE, GRE, ... as in the default configuration in ePO)

      Is this enough?

      2. Public IP range reachable

      Should I do something here to make the rest work?

      Should this be connection aware?

      Connection type: any

      Connection options: ???

      Criteria:

      IP: KBC public IP range (193......)

      3. CAG Inside: Company network is reachable (locally)

      All FW rules for applications that are allowed when directly connected to the company network (not when connected via VPN).

      Connection type: any

      Connection options: isolate this connection

      Criteria:

      DNS suffix:

      INTERNAL 1.KBC.BE (example DNS suffix for the in-company connection, domain 1)

      INTERNAL 2.KBC.BE (example DNS suffix for the in-company connection, domain 2)

      Question

      If there is no match, will the FW rules in "5. CAG Company network is reachable (locally or via VPN)" be processed, or will "isolate this connection" block further processing?

      4. CAG VPN: Company network is reachable (VPN)

      All FW rules for applications that are allowed through the VPN tunnel (not when connected directly to the company network).

      Connection type: any

      Connection options: isolate this connection

      Criteria:

      DNS suffix:

      VPN 1.KBC.BE (example DNS suffix for the VPN connection, domain 1)

      VPN 2.KBC.BE (example DNS suffix for the VPN connection, domain 2)

      Question

      If there is no match, will the FW rules in "5. CAG Company network is reachable (locally or via VPN)" be processed, or will "isolate this connection" block further processing?

       

      5. CAG Company network is reachable (locally or via VPN)

      All FW rules for applications that are allowed when directly connected to the company network or through the VPN tunnel.

      Connection type: any

      Connection options: isolate this connection

      Criteria:

      DNS suffix:

      VPN 1.KBC.BE (example DNS suffix for the VPN connection, domain 1)

      VPN 2.KBC.BE (example DNS suffix for the VPN connection, domain 2)

      INTERNAL 1.KBC.BE (example DNS suffix for the in-company connection, domain 1)

      INTERNAL 2.KBC.BE (example DNS suffix for the in-company connection, domain 2)

      Question

      Is it correct that these rules will only match if the machine is connected to the local LAN and has received an IP matching one of the INTERNAL x domains, or if my VPN tunnel is active and I have received an IP from one of the VPN domains?

      Or will these rules also be active on the VPN before my tunnel is established?

      Do I need a separate CAG VPN?

      Shouldn't the ePO FW rules be placed here, or should they be placed at the top (basic rules)?

      6. CAG Connected to public internet

      This group should have only one rule, and that is: block everything.

      Connection type: any

      Connection options: isolate this connection

      Criteria:

      IP:

      Public IP address of the KBC VPN boxes

      IP addresses of some public DNS servers on the internet

      People with inside information could block these IP checks on their home router and get to bullet 7.

      The more checks in this rule, the harder it will be to block these checks.

      7. Allow connection to hotel payment page.

      These rules should open HTTP and HTTPS to allow the user to fill in the hotel payment page.

      As soon as the public IP range of KBC is reachable (meaning the hotel allows full internet access after successful payment), the rules above should block all internet access and only allow the user to open the VPN connection to KBC and traffic inside the VPN.

      Allow HTTP, HTTPS

      Question

      These rules should only be active as long as I can't reach my local company network or any public company IP addresses.
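As an added illustration (this is not part of jj4sec's post and is not a McAfee HIPS configuration), the timed "hotel mode" described at the top of the post can be written for the built-in Windows Firewall with netsh advfirewall, which exists on Vista and later. It opens HTTP/HTTPS for a short window and closes it again as soon as the corporate public range (or the general internet) answers, and it refuses to open the window at all when the internet is reachable but the corporate probes are not, which is the home-router trick the post warns about under bullet 6. The probe addresses, the rule name and the assumption that the basic rules (DNS, DHCP and the VPN protocols) already exist as separate allow rules are placeholders chosen for the example, not KBC's real addresses or policy:

```powershell
# Added example, not from the original post or McAfee. Timed "hotel mode" for the
# built-in Windows Firewall using netsh advfirewall. Run from an elevated prompt.
param(
    [int]$GraceMinutes = 3,
    # Placeholder corporate public IPs (assumption): if any replies, the hotel gate
    # is open, so only VPN traffic may leave the host.
    [string[]]$CorporateProbes = @('198.51.100.10', '198.51.100.11'),
    # Placeholder public DNS resolvers (assumption): a second, independent signal
    # that the internet is reachable even if someone blocks the corporate probes.
    [string[]]$InternetProbes  = @('203.0.113.53', '203.0.113.54'),
    [string]$RuleName = 'HotelMode-CaptivePortal'
)

function Test-Reachable {
    param([string[]]$Hosts)
    # One ICMP reply from any host counts. Several targets make it harder to
    # defeat the check by blocking a single address on a home router.
    foreach ($h in $Hosts) {
        if (Test-Connection -ComputerName $h -Count 1 -Quiet -ErrorAction SilentlyContinue) {
            return $true
        }
    }
    return $false
}

function Set-HotelBaseline {
    # Default deny outbound on every profile. The basic rules from the post
    # (DNS, DHCP/BOOTP, IKE/IPsec/GRE) are assumed to exist as allow rules.
    netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound" | Out-Null
}

function Open-CaptivePortal {
    # Temporary outbound allow for HTTP/HTTPS so the user can reach the payment page.
    # The comma list is quoted so PowerShell passes it to netsh as one argument.
    netsh advfirewall firewall delete rule "name=$RuleName" | Out-Null
    netsh advfirewall firewall add rule "name=$RuleName" dir=out action=allow protocol=TCP "remoteport=80,443" | Out-Null
}

function Close-CaptivePortal {
    # netsh exits non-zero when the rule does not exist; that is harmless here.
    netsh advfirewall firewall delete rule "name=$RuleName" | Out-Null
}

Set-HotelBaseline

if ((Test-Reachable $CorporateProbes) -or (Test-Reachable $InternetProbes)) {
    # Gate already open (or internet reachable while corporate probes are blocked):
    # no payment page is needed, so the window stays shut and only the VPN may talk.
    Close-CaptivePortal
    Write-Host "Network already reachable; internet access stays blocked (VPN only)."
    exit 0
}

Open-CaptivePortal
$deadline = (Get-Date).AddMinutes($GraceMinutes)
Write-Host "Captive-portal window open for $GraceMinutes minute(s)."

# Close early once the hotel lets traffic through; otherwise close at the deadline.
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 10
    if ((Test-Reachable $CorporateProbes) -or (Test-Reachable $InternetProbes)) { break }
}
Close-CaptivePortal
Write-Host "Captive-portal window closed; only VPN traffic is allowed."
```

Two caveats when adapting this: the probes are ICMP, so a hotel that drops ping while allowing web traffic will look like "no internet" and keep the window open until the deadline, and the baseline relies on the DNS allow rule from the basic rules, since without name resolution the user could never reach the portal by hostname in the first place.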