3 Replies Latest reply on Sep 28, 2012 9:39 AM by mhar

    Network Objects: Domain vs. Host

    Travler

      I'm still quite a novice when it comes to the MFE.  When I create new rules, I rely on the rules created by the McAfee engineer who installed our appliance for guidance.  I've noticed that I have quite a few "domain" Network Objects but have no "host" Network Objects.  After reviewing the sparse information on the Help page of these two types of Network Objects, I've started to wonder if I'm doing things inappropriately.

      For instance, I have a rule set up for our ePO server to communicate with the "domain" Network Object of "epo.mcafee.com".  This raises some questions:

      1) Should this be a "host" object instead of "domain"?

      2) Being a "domain" object, does having "epo." in front of "mcafee.com" actually do anything?  In other words, does everything other than the basic domain (mcafee.com) get ignored in a "domain" Network Object?

      One further question:

      1) Our network currently uses static IPs but we are in the process of converting to DHCP.  All our current rules use "IP Address" Network Objects for designating internal workstations.  Can I use a "host" Network Object for internal workstations as long as I use the FQDN?

      Thanks in advance!

        • 1. Re: Network Objects: Domain vs. Host
          PhilM

          There are a couple of MFE support staff present on these forums, so they may be able to offer you a more authoritative response, but here's what I think:

          1) Should this be a "host" object instead of "domain"?

          I would say yes.

          2) Being a "domain" object, does having "epo." in front of "mcafee.com" actually do anything?  In other words, does everything other than the basic domain (mcafee.com) get ignored in a "domain" Network Object?

          I've always thought of domain objects as being a little bit like wildcard entries (*.domain.com). So in this instance I wouldn't expect a domain object called epo.mcafee.com to automatically ignore the "epo." part, but read it as "*.epo.mcafee.com".

          However, in my 12-odd years working with this product, I have always avoided using host or domain objects as much as possible - simply because they are obviously reliant on DNS in order to work properly, and if your DNS is playing up, all of your host/domain-based Firewall rules are going to act up also.


          One further question:

          1) Our network currently uses static IPs but we are in the process of converting to DHCP.  All our current rules use "IP Address" Network Objects for designating internal workstations.  Can I use a "host" Network Object for internal workstations as long as I use the FQDN?

          If you are running MFE v8 I would strongly recommend that you look at installing the McAfee Logon Collector (MLC). It is available from your McAfee download repository. It is installed to a Windows server on your domain and is then configured to communicate back to the Firewall. It gives you two new features. Firstly, all the audit traffic will include Windows usernames in addition to hostnames and/or IP addresses. Secondly, it also then allows you to create Firewall rules based on the users and groups in your Active Directory domain. In a DHCP environment, where workstation IP addresses could change regularly, you no longer need to worry about where a connection is coming from but instead who is making that connection. The rules then follow users around the network - it doesn't matter where they are, because as soon as they log into a workstation and the MLC sees that authentication action take place, it reports it back to the Firewall.

          I hope that helps.

          -Phil.

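As an added illustration (not McAfee Firewall Enterprise code and not taken from any KB article), the following models the two matching behaviours Phil describes: a "host" object as an exact-FQDN match, and a "domain" object read as "*.<name>" at a label boundary, plus a lookup helper whose injected resolver stands in for the DNS dependence he warns about. The object types, function names and the resolver callback are assumptions for the example.

```python
# Added illustration, not McAfee Firewall Enterprise code. Assumptions: a "host"
# object names one FQDN and matches only that name; a "domain" object is read as
# "*.<name>", so epo.mcafee.com covers epo.mcafee.com and names beneath it, but
# not mcafee.com itself. The resolver callback stands in for the DNS lookup a
# host object depends on.
from typing import Callable, FrozenSet, Iterable


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both."""
    return name.strip().rstrip(".").lower()


def host_matches(obj: str, fqdn: str) -> bool:
    """Host object: exact FQDN match only."""
    return normalize(obj) == normalize(fqdn)


def domain_matches(obj: str, fqdn: str) -> bool:
    """Domain object: the name itself or anything below it, at a label boundary.

    The "." prepended in the suffix test is what keeps "notmcafee.com" from
    matching a domain object of "mcafee.com".
    """
    obj, fqdn = normalize(obj), normalize(fqdn)
    return fqdn == obj or fqdn.endswith("." + obj)


def matches(obj_type: str, obj: str, fqdn: str) -> bool:
    """Dispatch on the object type used in the rule."""
    if obj_type == "host":
        return host_matches(obj, fqdn)
    if obj_type == "domain":
        return domain_matches(obj, fqdn)
    raise ValueError(f"unknown network object type: {obj_type}")


def host_object_addresses(obj: str,
                          resolver: Callable[[str], Iterable[str]]) -> FrozenSet[str]:
    """Addresses a host object currently stands for.

    A failed lookup yields an empty set, so a rule keyed on this object matches
    nothing while DNS is down: the failure mode the thread warns about.
    """
    try:
        return frozenset(resolver(normalize(obj)))
    except OSError:
        return frozenset()
```

With these semantics a domain object of "epo.mcafee.com" does not cover "www.mcafee.com", which is the answer to question 2 under Phil's reading.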
          • 2. Re: Network Objects: Domain vs. Host

            Hello,

            I do agree, Phil, that DNS objects (host or domain) should be used sparingly, as you are letting your firewall policy be decided by DNS (notorious for being unreliable and insecure).

            Now that I am done with my spiel, I found a KB article that explains host and domain objects (we get this question a lot): KB61366

            Hope this helps

            Matt

            • 3. Re: Network Objects: Domain vs. Host

              I can personally vouch for some pretty serious performance issues (as of Sidewinder 7) that were caused by host objects on the firewall.  It's now part of our official policy to never use them.