8 Replies Latest reply on Jan 21, 2011 6:13 AM by Namster

    HIPS CAG rules testing

      Hello everybody.

      I have been trying to configure HIPS to work in our organization.

      Banging my head many times to the "fire"wall now i think i got it work.


      We use epo 4.5 and HIPS 7


      First i took the Sample Connection-Aware Rule List and modified it.

      I wanted to create only a few rules .


      1. LAN and WLAN inside our organization so that everything works in the network. ( I think i got this working by using the prebuild rule inside the CAG:Internal Network (Sample/RFC1918) (Any) added that allow all in the trusted network in and out)

      2. Made a Copy of 1. and put inside VPN and allow netbios-ns 137.


      I'm not sure why it didnt work without the netbios 137 but i could not use the vpn. Now i can after adding the rule allow in out to UDP netbios-ns (137)


      The question is: Is my firewall now secure? Can the user take the laptop and go to a hotel and use the vpn from that connection?

      Where can i see if its using the second CAG the VPN i created.


      I did try to find some manuals where i could see some examples but didnt find any. I also did read the forum in here but just dont understand how the CAG realy works.



        • 1. Re: HIPS CAG rules testing

          Create your VPN rules outside the CAG, to allow the system to makea VPN connection. Make the rules inside the CAG group to control the behavior of the system once a VPN connection has been established. Isolate the connection in the CAG rule.


          Name your rules. When you make a connection, check the HIPS console activity log and show all allowed and blocked traffic. When an event occurs, it will show you the rule name. Track the rule name to the section where the rule resides.

          1 of 1 people found this helpful
          • 2. Re: HIPS CAG rules testing

            Thank you Namster.

            Could you also clear this up?

            I made as you wrote and everything seems to be fine for now.


            In the CAG rule organisation network i used trusted network and many other criteries... Inside that i did made two rules allowing all in and out in TC and UDP.


            Is this a good way or does that mean other pople outside our organisation can make some harm?


            I do understand that so that anything happening is allowed inside that trusted network.


            Thank you very much for the help.

            • 3. Re: HIPS CAG rules testing

              Think of your CAG rule as a special key, the more items you put in there, the complex the key is. If the computer has all of the criteria listed in the CAG they are allowed to use those rules inside of the group, you mentioned that you allow in and out all tcp and udp.


              .. now If you marked in your CAG, "Isolate this connection" it will make it so that the traffic made for this CAG criteria will be allowed to communicate with those rules.


              So lets say your hotel has an address of


              And your company VPN gives you an address of, which is in your trusted network. The CAG should allow you to communicate all tcp and udp to address If someone at your hotel with address tries to talk to you, it assuming that you don't have any rules outside of your CAG, it shouldn't be able to talk to you on any port.


              Pilot this, take the laptop home to your home network and VPN into work. And then see if another computer on your home network can ping your work computer. Assuming that you do not have a rule to allow pings outside of your CAG, it should not work. Now as another test, while connected to VPN at home, try to ping another computer in the house.

              1 of 1 people found this helpful
              • 4. Re: HIPS CAG rules testing

                Ok, I took the laptop at home connected to my home network.

                Strange problem:

                At work we have a public wlan. there the VPN did work fine and got access to work network.

                At home i could not use vpn to get the connection at work. Did check the log and there where alot of dns suff blocked.


                The question: On firewall rules the "Sample Connection-Aware Rule List" has a bunch of rules including VPN, isnt that enough?

                Do i have to add something more that is missing?

                • 5. Re: HIPS CAG rules testing

                  Okay, sounds like you need certain things to work first.


                  On the top of your rules, outside of the CAG, you need to have enough rules there to help you establish a VPN connection. Troubleshoot and modify your FW rule policy to make this work first. Then you work on your CAG rules.


                  Those samples are useful but might not cover all the protocols that you need to establish a VPN connection due to your VPN client or other factors. You can always do an adaptive mode and then establish a VPN connection to help you figure out the minimum rules you require to make it work.


                  For example, I have rules that look similar to this:


                  Allow DHCP

                  Allow DNS

                  Allow VPN ike, etc


                  Those help me establish the VPN connection


                  Then I have my CAG rules below it, and within the rules it says something like:


                  CAG Rules for ABC Company

                       Allow ALL TCP/IP In/Out

                       Allow UDP In/Out


                  • 6. Re: HIPS CAG rules testing

                    Thank you very much for your help. Everything works fine. Did do just like you told to do.

                    • 7. Re: HIPS CAG rules testing

                      I have to ask one more thing.

                      In the hips predefined rules list there is "NetBIOS Group" including bunch of rules.

                      Is this rule ok, if i put this as is before the CAG rule?

                      Does this give too much access tot the computer before its connected to the LAN?

                      • 8. Re: HIPS CAG rules testing

                        I think that if you want to keep your system secure, perhaps outside the cag, you only put the things that you need to make your CAG qualifying connection.


                        Now I know that some of your customers might travel and goto a hotel and VPN for work related items. The quetion you need to answer is: "What type of communications would you like the client to do outside of VPN?"


                        In my opinion, I've setup policies to just allow DHCP, DNS and web browsing, majic-jack, skype, etc...but nothing netbios because nothing outside your home network really needs to do netbios calls. I suggest that you search the internet for those protocols that you have questions about to understand what they do. This will help you properly secure your environment.