6 Replies Latest reply on Aug 13, 2012 3:12 PM by Kary Tankink

    Trying to Create a Firewall Policy for Hotel Connections

      I am running ePO 4.6 and have the HIPS 8.0 software installed with the agent.  I am trying to do something I think would be very common, but there is almost no information anywhere on how to do it.  I want to create a rule set for the Firewall Rules so that when users are remote, they can ONLY connect to the network with either an SSL VPN or an IPSec client.  More specifically, the rule should do the following:


      • Allows a remote user to connect to the internet long enough to establish a connection to the outside world.  This could mean he is either at home, in a coffee shop OR is going through a captive portal to pay for the internet connection or at the very least accept the terms and conditions before getting connected.
      • After a successful connection to the internet (or after a short period of time like 10 minutes), ALL direct internet access should be blocked except through the corp VPN.
      • At this point the user can use either an IPSec VPN client to connect to the corporate LAN or he can connect to an SSL VPN gateway which is specified as the only one allowed.
      • If the user can connect to an IPSec device, and his internet connection contains the corporate domain suffix, he will be subjected to connection isolation and normal corporate internet policy will be allowed.


      Here is what I have for my rules (in order):


      • Allow McAfee signed apps
      • Allow Loopback (this is to overcome a bug in the software that blocks anything with a source IP of 127.x.x.x.  It's in the McAfee KB as a workaround)
      • Allow SSL VPN (a single SSL VPN device is specified in the rule as the allowed IP) (QUESTION #1:  I cannot use HTTPS to reach this SSL VPN IP.  My connection does require a custom port (11434).  Does this make a difference?  I don't see anywhere I have to specify a port.  I just said allow all connection types to the IP of the remote SSL VPN device)
      • Timed Local Web Connection Group with "Allow HTTP/HTTPS Outgoing" inside the group.  The group was scheduled for 10 minutes of activity allowed.  HOWEVER (and here is QUESTION #2),  I want this timed group to AUTOMATICALLY start the countdown from 10 minutes until it disables HTTP/HTTPS.  It would appear that the only function McAfee supports for timed groups is to allow the user to enable the timer from the Tray Icon.  This functionality allows the remote user to restart the timer indefinitely so they can permanently have a functional web link if they keep resetting this timer.  This is ridiculous!!!  I need to restrict internet, not allow the remote user to decide when they can get it!!!
      • Allow IPSec VPN group from catalog which presumably will allow an IPSec client to fire up even if the timed group above (Allow HTTP/HTTPS Outgoing) has timed out.
      • Connection Isolation Group for wired connection if domain suffix is the corporate LAN domain.
      • Connection Isolation Group for wireless connection if domain suffix is the corporate LAN domain.
      • Connection Isolation Group for virtual connection if domain suffix is the corporate LAN domain.
      • Block Everything Else


      Please help.  The docs are very weak in this area and I need to hear from someone who actually has this type of behavior working.


      -Thanks

        • 1. Re: Trying to Create a Firewall Policy for Hotel Connections
          greatscott

          I agree with the portion about the timed Connection Aware Group/Connection Isolation Group. My initial reaction was that this was a great addition to HIPS, but upon testing, the user has to manually get into the HIPS console and enable the time countdown. This should be automatic, where if the user meets the criteria for the Group, their countdown begins.


          What is the point of having this group if the user is able to interact and click a button to keep allowing for an extra 5 minutes, 10 minutes, or however long the timed group is configured for? What if you need to have an inherently weak ruleset within this group, to ensure they can connect to VPN via random wireless connections, hotel/restaurant splash pages, etc? Timing is needed and necessary to limit exposure.


          I would suggest this be addressed at some point by McAfee.

          • 2. Re: Trying to Create a Firewall Policy for Hotel Connections
            Kary Tankink

            greatscott wrote:

            This should be automatic, where if the user meets the criteria for the Group, their countdown begins.


            What is the point of having this group if the user is able to interact and click a button to keep allowing for an extra 5 minutes, 10 minutes, or however long the timed group is configured for?


            The intended use of a Timed Firewall group is to allow a group of firewall rules to be activated and enabled for a short period of time. 


            Example scenario:

            • User's company laptop has no Internet browsing functionality outside of the Corporate network environment.
            • If the user is on the COE network (either in the office or connected by company VPN), then they can browse the Internet.
            • The user needs to temporarily open the firewall to allow Internet traffic to the hotel/airport/etc. splash page.  The Timed group allows Internet access for 5 min to connect/authenticate to this splash page.
            • HIPS Firewall is set up so that when the user connects to the company's COE or VPN network, the Location Aware Group automatically kicks in and allows more traffic out for the user.
            • The VPN is set up so that all Internet browsing must be funnelled through the company gateway, and no Internet browsing is allowed out through the local ISP network.
            • The Timed group is only there to get the VPN connection started, at which point, the Timed Group rule can no longer function (or is needed) since the user now has Internet browsing through the company VPN network.


            With HIPS 7.0, the only way to get this scenario to work would be to use a static "always on" firewall rule to always allow Internet browsing.  With HIPS 8.0, the rule is only temporarily enabled.  With the right firewall configuration, it doesn't matter if the user reactivates the Timed Group rule, since they already have the Internet access they need, or the firewall rule configuration is set up so that other rules inside the Location Aware Group can override that Timed Group of rules (e.g., allow Internet browsing to specific internal sites and block all other HTTP access).


            If you have other needs for Timed Based Group rules that don't work in the current implementation, please submit a PER for them.


            KB60021 - Information about Product Enhancement Requests for McAfee products


            • 3. Re: Trying to Create a Firewall Policy for Hotel Connections
              greatscott

              I agree that the timed rule is better than having a permanent, static rule in the firewall to allow for VPN access.


              Here is my take on the ability for a user to abuse this function:


              • Richard Rootkit is working from home today. Powers on machine and obtains a 192.168.x.x IP address. Needs to get to VPN to get to his corporate network.
              • The Timed CAG on his system gives him 10 minutes of unlimited access for iexplore.exe to make sure he can get connected. He clicks it to allow the 10 minutes to begin.
              • Once connected to his network, he meets a new, separate CAG criteria, falls into his VPN IP range, and obtains a new, more restrictive rule set.
              • He can then still go back and click the timed CAG to allow a new 10 minute session of unlimited iexplore.exe browsing, at will.


              My take is that, when he powered on the system, the 10 minutes should have begun automatically, and there would not be another chance to activate this very loose CAG. I do see that it provides a little bit of flexibility, but from a security perspective, if a user can activate it as many times as they want, it's really like letting a fox guard the hen house.


              Are there any switches in HIPS 8 to change any of the functionality surrounding the timed CAG button that the user can click? (Assuming we were to activate a timed CAG)


              Message was edited by: greatscott on 8/10/12 8:22:49 AM CDT
              • 4. Re: Trying to Create a Firewall Policy for Hotel Connections
                Kary Tankink
                • He can then still go back and click the timed CAG to allow a new 10 minute session of unlimited iexplore.exe browsing, at will.

                Write firewall rules in the VPN CAG to restrict IE traffic.  As long as there are firewall rules to control IE traffic, and these rules are above the Timed Group rule (top-down rule processing), then the Timed Group rule cannot be abused to give unlimited Internet access (e.g., when connected to the VPN network, allow all IE traffic to the company network IPs only, then block all other IE traffic.  The BLOCK IE rule would take precedence over the Timed Rule for IE allowing all traffic).  Different scenarios can be used and tested, depending on user requirements.


                Are there any switches in HIPS 8 to change any of the functionality surrounding the timed CAG button that the user can click? (Assuming we were to activate a timed CAG)

                There is not.  Please submit a Product Enhancement Request, for any ideas you have, as I can see the benefit of having this functionality.
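                The rule-ordering argument above (and the original poster's rule list) can be checked with a small first-match simulator. This is an added illustration, not McAfee code or a HIPS API: the group names, the 203.0.113.10 gateway address and the 198.51.100.5 "public site" are constructed placeholders, and it models only the top-down, first-match behaviour the thread describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block"
    app: Optional[str] = None      # process name; None matches any application
    dest: Optional[str] = None     # destination CIDR; None matches any address
    group: Optional[str] = None    # CAG / Timed group the rule lives in; None = always on

def decide(rules, app, dest_ip, active_groups):
    """Top-down, first-match evaluation as described in the thread.
    Rules inside a group only participate while that group is active."""
    ip = ipaddress.ip_address(dest_ip)
    for r in rules:
        if r.group and r.group not in active_groups:
            continue
        if r.app and r.app != app:
            continue
        if r.dest and ip not in ipaddress.ip_network(r.dest):
            continue
        return r.name, r.action
    return "implicit-deny", "block"

# Constructed policy in the original poster's order: the Timed IE allow sits above the VPN group.
WEAK = [
    Rule("allow-ssl-vpn", "allow", dest="203.0.113.10/32"),          # placeholder VPN gateway
    Rule("timed-allow-ie", "allow", app="iexplore.exe", group="timed"),
    Rule("vpn-allow-corp", "allow", dest="10.0.0.0/8", group="vpn"),
    Rule("block-all", "block"),
]

# Ordering suggested in the reply: the VPN group's IE allow/block pair sits ABOVE the Timed group,
# so once the VPN CAG is active, re-arming the timer cannot widen IE access.
HARD = [
    Rule("allow-ssl-vpn", "allow", dest="203.0.113.10/32"),
    Rule("vpn-allow-corp-ie", "allow", app="iexplore.exe", dest="10.0.0.0/8", group="vpn"),
    Rule("vpn-block-ie", "block", app="iexplore.exe", group="vpn"),
    Rule("timed-allow-ie", "allow", app="iexplore.exe", group="timed"),
    Rule("block-all", "block"),
]

PUBLIC_SITE = "198.51.100.5"   # constructed "hotel splash page / random website" address

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("hard", HARD)):
        splash = decide(pol, "iexplore.exe", PUBLIC_SITE, {"timed"})          # timer armed, no VPN yet
        on_vpn = decide(pol, "iexplore.exe", PUBLIC_SITE, {"vpn", "timed"})   # timer re-armed while on VPN
        expired = decide(pol, "iexplore.exe", PUBLIC_SITE, set())             # timer expired, no VPN
        print(label, splash, on_vpn, expired)
```

Both orderings still allow the splash-page case while only the Timed group is active, which is also the case damageinc raises next: a user who re-arms the timer and never joins the VPN is not constrained by ordering alone.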

                • 5. Re: Trying to Create a Firewall Policy for Hotel Connections
                  damageinc

                  Kary,


                  I am not sure how writing firewall rules to restrict IE traffic while the user is in the VPN CAG/LAG solves this problem.  The problem that Scott seems to be stating is that if you make a CAG/LAG with an iexplore.exe rule that allows internet access so the person can access a hotel splash page, there's nothing that limits them in any way.  They can keep clicking the button to reset the timer, perpetually gaining internet access, although limited through Internet Explorer, with no intention of ever entering the VPN, and therefore, bypassing the company's proxy policy. 


                  What we'd like to see is an actual hard limit to this, where the user can only click this once per Windows session.  This at least would force them to have to reboot to regain access.  This does not seem possible in HIPS 8.  The functionality is really no different than it was in HIPS 7, other than you can allow a user to manually enter a CAG/LAG without having the prerequisite criteria.


                  -DamageInc

                  • 6. Re: Trying to Create a Firewall Policy for Hotel Connections
                    Kary Tankink
                    What we'd like to see is an actual hard limit to this, where the user can only click this once per Windows session.


                    Understood.  This functionality does not exist currently, but please submit a PER (see above) to the Product Manager with any changes you would like to see added to the product.