6 Replies Latest reply on Apr 14, 2011 12:37 PM by allamiro

    How to test trusted Networks

      I am looking for a solution to test my trusted networks in HIPS. Or it could be my understanding of the way it works and I need an explanation. First of all, if I am on a workstation with HIPS and Trusted Networks set up, should I be able to access \\servername, a share on a non-trusted network, i.e. one not in the list? Also, if I do a port scan to a workstation from a non-trusted workstation, should all the packets be dropped straight away?

        • 1. Re: How to test trusted Networks
          Kary Tankink

          Trusted Networks serves two functions:

          1. If a Firewall rule's Remote address is set to "Trusted Networks", then that firewall rule applies to all the IP addresses included in the Trusted Networks policy.
          2. Network IPS exceptions - IP addresses are added to the Trusted Networks policy and the option "Mark as Trusted for Network IPS" is selected.  These addresses can no longer trigger any of the Network IPS signatures.

          Message was edited by: Kary Tankink on 10/21/10 4:12:08 PM CDT
          • 2. Re: How to test trusted Networks

            Thanks for the reply, still a little confused. I have set up Trusted Networks to six individual servers, created a rule called Trusted in firewall policies, and it's set to allow; so with allow I assume that means the client will only trust those machines, but it doesn’t appear to work, as I can still see the shares on a machine with HIPS from a non-trusted machine.

            I appreciate that there is a delay from making a change on the server to seeing the change on the client. Have I set up the trusts correctly?

            Also, does the stateful firewall from a HIPS-hosted client allow you to access a non-trusted machine?

            • 3. Re: How to test trusted Networks
              Kary Tankink

              With that "Trusted Network Rule" firewall rule, yes, you are allowing all traffic in/out to any IP addresses that are listed in the Trusted Networks policy.  You might still have other firewall rules that allow traffic (particularly NetBIOS) for other systems.  As a test, you could put a DENY ALL firewall rule right below this "Trusted Network Rule" firewall rule so you can see that the only traffic allowed is the Trusted Networks traffic.

              As with any test, only configure this on a single system and separate policy, so as to not affect your entire environment.

              Also, does the stateful firewall from a HIPS-hosted client allow you to access a non-trusted machine?

              This depends on how you write your firewall rules.  You are in control of what network traffic is allowed in/out of the system.
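The rule-ordering point in the reply above, as an added illustration (this is not McAfee's code and not from the original thread): a small first-match rule evaluator with a constructed Trusted Networks list of six hosts. It assumes the HIPS firewall evaluates rules top to bottom with first match winning, which is why a DENY ALL placed right below the "Trusted Network Rule" changes the outcome for a non-trusted host that would otherwise hit a later NetBIOS allow.

```python
import ipaddress

# Constructed sample Trusted Networks policy: six individual servers,
# as described in the thread (addresses are made up for this example).
TRUSTED_NETWORKS = {ipaddress.ip_address(f"10.0.0.{n}") for n in range(1, 7)}


def is_trusted(remote_ip):
    """True if the remote address is in the Trusted Networks list."""
    return ipaddress.ip_address(remote_ip) in TRUSTED_NETWORKS


def evaluate(rules, remote_ip, port):
    """Return (rule_name, action) for the first matching rule.

    Each rule is (name, action, remote, port) where remote is
    "trusted" (Trusted Networks as the remote address) or "any",
    and port is an int or None for any port. Assumption: ordered,
    first-match semantics; no match falls through to an implicit deny.
    """
    for name, action, remote, rule_port in rules:
        if remote == "trusted" and not is_trusted(remote_ip):
            continue
        if rule_port is not None and rule_port != port:
            continue
        return name, action
    return "implicit", "deny"


# Rule set the original poster effectively had: the trusted allow plus a
# pre-existing NetBIOS/SMB allow (TCP 445) for any remote address.
WITHOUT_DENY_ALL = [
    ("Trusted Network Rule", "allow", "trusted", None),
    ("NetBIOS/SMB", "allow", "any", 445),
]

# Same list with the suggested DENY ALL placed right below the trusted rule.
WITH_DENY_ALL = [
    ("Trusted Network Rule", "allow", "trusted", None),
    ("DENY ALL", "deny", "any", None),
    ("NetBIOS/SMB", "allow", "any", 445),
]

if __name__ == "__main__":
    for label, rules in (("without DENY ALL", WITHOUT_DENY_ALL),
                         ("with DENY ALL", WITH_DENY_ALL)):
        for host in ("10.0.0.3", "192.168.5.20"):  # trusted, non-trusted
            print(label, host, "-> port 445:", evaluate(rules, host, 445))
```

Run it and the non-trusted host reaches the share on port 445 in the first rule set but is stopped by DENY ALL in the second, while the trusted host is allowed in both.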

              • 4. Re: How to test trusted Networks

                Question :

                If you set your IP in the Trusted Networks policy, do you also have to add a rule to the firewall policy to allow it? For example, a vulnerability scanner?

                • 5. Re: How to test trusted Networks
                  Kary Tankink

                  Yes.  Adding IPs to the Trusted Networks policy does nothing just by itself.  For Firewall, you must create a rule that uses the "Trusted Network" as the remote address.  The firewall rule will then block/allow all traffic according to the list of IPs in the "Trusted Network" policy.

                  For vulnerability scanners, you would need to enable the "Trusted for Network IPS".  This will keep the scanner's IP address from triggering any of the Network IPS signatures (including the TCP/UDP Port Scan signatures).

                  • 6. Re: How to test trusted Networks

                    Can you create exceptions and create a policy for the HIPS firewall rule from the clients that are managed by the ePO server, using learn mode and the McAfee icon on the clients?