Create your VPN rules outside the CAG, to allow the system to make a VPN connection. Make the rules inside the CAG group to control the behavior of the system once a VPN connection has been established. Isolate the connection in the CAG rule.
Name your rules. When you make a connection, check the HIPS console activity log and show all allowed and blocked traffic. When an event occurs, it will show you the rule name. Track the rule name to the section where the rule resides.
Thank you Namster.
Could you also clear this up?
I made as you wrote and everything seems to be fine for now.
In the CAG rule Organisation Network I used Trusted Network and many other criteria... Inside that I made two rules allowing all in and out in TCP and UDP.
Is this a good way, or does that mean other people outside our organisation can do some harm?
I understand it so that anything happening inside that trusted network is allowed.
Thank you very much for the help.
Think of your CAG rule as a special key: the more items you put in there, the more complex the key is. If the computer has all of the criteria listed in the CAG, it is allowed to use those rules inside of the group. You mentioned that you allow in and out all TCP and UDP.
Now, if you marked "Isolate this connection" in your CAG, it will make it so that the traffic meeting this CAG's criteria will be allowed to communicate according to those rules.
So let's say your hotel has an address of 188.8.131.52/24.
And your company VPN gives you an address of 246.135.246.101/24, which is in your trusted network. The CAG should allow you to communicate all TCP and UDP to address 246.135.246.102. If someone at your hotel with address 184.108.40.206 tries to talk to you, assuming that you don't have any rules outside of your CAG, they shouldn't be able to talk to you on any port.
Pilot this: take the laptop home to your home network and VPN into work. Then see if another computer on your home network can ping your work computer. Assuming that you do not have a rule to allow pings outside of your CAG, it should not work. Now, as another test, while connected to VPN at home, try to ping another computer in the house.
OK, I took the laptop home and connected to my home network.
At work we have a public WLAN. There the VPN worked fine and I got access to the work network.
At home I could not use the VPN to get a connection to work. I checked the log and there was a lot of DNS stuff blocked.
The question: on firewall rules the "Sample Connection-Aware Rule List" has a bunch of rules including VPN, isn't that enough?
Do I have to add something more that is missing?
Okay, sounds like you need certain things to work first.
On the top of your rules, outside of the CAG, you need to have enough rules there to help you establish a VPN connection. Troubleshoot and modify your FW rule policy to make this work first. Then you work on your CAG rules.
Those samples are useful but might not cover all the protocols that you need to establish a VPN connection due to your VPN client or other factors. You can always do an adaptive mode and then establish a VPN connection to help you figure out the minimum rules you require to make it work.
For example, I have rules that look similar to this:
Allow VPN ike, etc
Those help me establish the VPN connection
Then I have my CAG rules below it, and within the rules it says something like:
CAG Rules for ABC Company
Allow ALL TCP/IP In/Out
Allow UDP In/Out
Thank you very much for your help. Everything works fine. I did just like you told me to do.
I have to ask one more thing.
In the HIPS predefined rules list there is "NetBIOS Group" including a bunch of rules.
Is this rule OK if I put this as is before the CAG rule?
Does this give too much access to the computer before it's connected to the LAN?
I think that if you want to keep your system secure, perhaps outside the CAG you only put the things that you need to make your CAG qualifying connection.
Now I know that some of your customers might travel and go to a hotel and VPN for work related items. The question you need to answer is: "What type of communications would you like the client to do outside of VPN?"
In my opinion, I've set up policies to just allow DHCP, DNS and web browsing, magicJack, Skype, etc... but nothing NetBIOS, because nothing outside your home network really needs to do NetBIOS calls. I suggest that you search the internet for those protocols that you have questions about to understand what they do. This will help you properly secure your environment.
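The rule ordering discussed in this thread (a few rules above the CAG to bring the VPN up, "allow all TCP/UDP" only inside the CAG, the hotel-peer and home-network tests, and the question of placing the NetBIOS group before the CAG) can be modelled as a small first-match-wins evaluator. The following is an added Python illustration and not McAfee HIPS code; it assumes a simplified semantics in which a CAG's rules are consulted only for traffic on a connection whose local address lies in the trusted network, and ends in an implicit deny. The 188.8.131.52, 246.135.246.101/102 and 184.108.40.206 addresses are the ones used in the thread; the ports, rule names outside the CAG and the hotel DNS server address are constructed.

```python
"""Toy model of an ordered host-firewall policy with a Connection-Aware Group (CAG).

Added illustration, not McAfee HIPS code. Simplified assumptions:
  * rules are evaluated top-down, first match wins, implicit deny at the end;
  * a CAG's rules are only consulted for traffic on a connection that meets
    the group's criteria (here: local address inside the trusted VPN network).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    direction: str = "any"      # "in", "out" or "any"
    port: Optional[int] = None  # service port: remote for "out", local for "in"

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and (self.direction == "any" or self.direction == pkt["direction"])
                and (self.port is None or self.port == pkt.get("port")))


@dataclass
class CAG:
    """Connection-aware group: the 'key' is the trusted network criterion."""
    name: str
    trusted_net: IPv4Network
    rules: list = field(default_factory=list)

    def qualifies(self, pkt: dict) -> bool:
        return ip_address(pkt["local"]) in self.trusted_net


def evaluate(policy: list, pkt: dict) -> tuple:
    """Return (verdict, name of the rule that decided it)."""
    for item in policy:
        if isinstance(item, CAG):
            if not item.qualifies(pkt):
                continue  # this connection does not hold the key; skip the group
            for rule in item.rules:
                if rule.matches(pkt):
                    return rule.action, f"{item.name} / {rule.name}"
        elif item.matches(pkt):
            return item.action, item.name
    return "block", "default deny"


VPN_NET = ip_network("246.135.246.0/24")  # trusted network from the thread


def build_policy(allow_dns: bool = True, netbios_outside: bool = False) -> list:
    """Above the CAG: only what is needed to establish the VPN (constructed ports).
    Inside the CAG: the permissive rules from the thread."""
    outside = [
        Rule("Allow DHCP", "allow", "udp", "out", 67),
        Rule("Allow VPN IKE", "allow", "udp", "out", 500),
        Rule("Allow web browsing", "allow", "tcp", "out", 443),
    ]
    if allow_dns:
        outside.insert(1, Rule("Allow DNS", "allow", "udp", "out", 53))
    if netbios_outside:  # the predefined 'NetBIOS Group' placed before the CAG
        outside.append(Rule("NetBIOS name service In", "allow", "udp", "in", 137))
    cag = CAG("CAG Rules for ABC Company", VPN_NET, [
        Rule("Allow ALL TCP/IP In/Out", "allow", "tcp"),
        Rule("Allow UDP In/Out", "allow", "udp"),
    ])
    return outside + [cag]


# Constructed traffic samples: the laptop has 188.8.131.52 on the hotel LAN and
# 246.135.246.101 on the VPN adapter, as in the thread.
HOTEL_PEER_PING = {"local": "188.8.131.52", "remote": "184.108.40.206",
                   "proto": "icmp", "direction": "in"}
HOTEL_PEER_NETBIOS = {"local": "188.8.131.52", "remote": "184.108.40.206",
                      "proto": "udp", "direction": "in", "port": 137}
VPN_PEER_SMB = {"local": "246.135.246.101", "remote": "246.135.246.102",
                "proto": "tcp", "direction": "in", "port": 445}
DNS_LOOKUP = {"local": "188.8.131.52", "remote": "188.8.131.1",
              "proto": "udp", "direction": "out", "port": 53}


def run_scenarios() -> dict:
    policy = build_policy()
    return {
        "hotel_ping": evaluate(policy, HOTEL_PEER_PING)[0],
        "vpn_peer_smb": evaluate(policy, VPN_PEER_SMB)[0],
        "dns_with_rule": evaluate(policy, DNS_LOOKUP)[0],
        # The home-network failure from the thread: nothing above the CAG lets
        # DNS out, so the VPN gateway name never resolves and the CAG never applies.
        "dns_without_rule": evaluate(build_policy(allow_dns=False), DNS_LOOKUP)[0],
        # A NetBIOS allow placed before the CAG is reachable from hotel neighbours.
        "netbios_outside": evaluate(build_policy(netbios_outside=True), HOTEL_PEER_NETBIOS)[0],
        "netbios_not_outside": evaluate(policy, HOTEL_PEER_NETBIOS)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

Running the script shows the behaviour the thread describes: the hotel neighbour's ping and NetBIOS probe hit the default deny because the hotel adapter never qualifies for the CAG, the VPN peer is allowed through the CAG's TCP rule, and removing the DNS rule above the CAG reproduces the blocked-DNS log entries seen on the home network.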