4268 Views, 13 Replies. Latest reply: Oct 24, 2013 12:11 PM by andrealves

kjhurni, Apprentice, 222 posts since Aug 1, 2005
Oct 2, 2012 2:28 PM

HIPS 8.0 firewall logging to EPO server?

Please tell me that there's a way to have the McAfee HIPS (we have the EPO 4.6.x server, with the McAfee agent, HIPS, and VSE 8.8 on the machines) report back firewall logging activities?

We're in the process of tuning (for lack of a better word) what firewall holes we may need to open (we have thousands of machines with different software, etc.).

Our old security product (Cisco CSA) had the ability to report back everything to the server (blocked/allowed/monitored, etc.).

All I could find was an old post on these forums from 2011 indicating that you could not do this, but instead had to visit each machine (or rdp/remote control each machine) to upload the logs. REALLY?

So I'm hoping that this has been changed.

I think even the crummy MS firewall and integration with Forefront or whatever has this ability, and supposedly HIPS is a higher level product than simple firewall/app whitelisting.

  • Kary Tankink, McAfee Employee, 659 posts since Mar 3, 2010
    1. Oct 2, 2012 2:30 PM (in response to kjhurni)
    Re: HIPS 8.0 firewall logging to EPO server?

    > Please tell me that there's a way to have the McAfee HIPS (we have the EPO 4.6.x server, with the McAfee agent, HIPS, and VSE 8.8 on the machines) report back firewall logging activities?

    This functionality does not exist in the McAfee Host IPS product. HIPS Firewall events/activity are not sent to ePO.

  • er587, Newcomer, 2 posts since Oct 2, 2012
    3. Oct 2, 2012 8:54 PM (in response to kjhurni)
    Re: HIPS 8.0 firewall logging to EPO server?

    K,

    I had the same problem a few months ago. I worked through my sales rep to show product managers the gap in the HIPS product. After some long discussions, they finally came to realize this gap needed to be filled. Of course, it was kind of hard to change the product to include all the firewall events (Sophos doesn't do it either), but we are happy to accept the middle ground. Then McAfee released a community tool called Threat Activity Tracer (TAT).

    The tool basically sends a user-defined set of firewall logs prior to a VSE or HIPS event. This allows you to get all the activity prior to a security event.

    https://community.mcafee.com/docs/DOC-4231 -- Great Job Torry!!

    A good use case that I'm testing... With a HIPS application firewall rule allowing JAVA outbound to any, you then add the FW log option specific to the TAT tool. You get hit with a drive-by download using JAVA. The McAfee agent uploads the 5 prior firewall permits tagged with the JAVA rule. Then you correlate this information with other security information in your environment, cross-check whitelisted hosts, and potentially create an automated response or risk score. This information now aids in your security intelligence. Additionally, using the WebAPI in 4.6, you can cross-check these IPs with known or new potential bad hosts on a periodic basis. Pretty cool...

  • greatscott, Champion, 288 posts since Jul 18, 2011
    5. Oct 3, 2012 10:15 AM (in response to kjhurni)
    Re: HIPS 8.0 firewall logging to EPO server?

    Logging all traffic captured on the firewall would be cool, but not really feasible. There is a lot of traffic and I wouldn't expect ePO to be able to handle it all. ePO has its shortcomings, but remember that it manages a lot more than just the HIPS Firewall.

  • toms, Newcomer, 1 post since Dec 3, 2012
    7. Dec 3, 2012 10:17 AM (in response to greatscott)
    Re: HIPS 8.0 firewall logging to EPO server?

    Centralized logging isn't just feasible, it's pretty much half the point of EPO. If you can't see what you're managing, the effect that is, you're effectively driving blind. If the architecture can't handle the traffic volume, then it needs to be fixed. You can't tune a firewall without access to the logs.

    Sorry to rant, but AV and other PC security products have been too far behind the curve for too long. I hear among other security professionals that we have a user training problem. No, what we have is a situation where the defending technology isn't working well enough. We need to stop worrying about reports, graphs, charts, and user interface, and get back to the nuts and bolts of security. Or, just consign yourself to the belief that AV/HIPS/desktop firewall are just commodities, and then we, as customers, will just go to the lowest bidder.

  • greatscott, Champion, 288 posts since Jul 18, 2011
    8. Dec 4, 2012 2:05 PM (in response to toms)
    Re: HIPS 8.0 firewall logging to EPO server?

    I said logging firewalls would be nice, but ePO still has its shortcomings. McAfee should investigate it. I surmise that if you were to take a typical ePO server right now and magically turn on this function, it would break.

  • the_un, Newcomer, 1 post since Mar 24, 2012
    9. Dec 13, 2012 11:55 AM (in response to toms)
    Re: HIPS 8.0 firewall logging to EPO server?

    Just use the features the product DOES have to achieve what you need. I would bet using Adaptive mode (don't retain existing rules) and using "Treat match as intrusion" for explicit blocks would be enough logging for MOST use cases described here. I've used it just fine for my tuning needs.

    I haven't been in an environment yet (I'm a consultant, dozens of HIPS FW/IPS installs/upgrades/tweaks) where logging each and every packet is warranted. Would it be useful for those fringe cases? Sure. But at what cost to the event parser, database, and web console when trying ANY query from the ePOEvents table? Keep in mind that your "Top 10 Virus Detections" query comes from the same table you want to store each and every FW rule match in.

    To answer the OP's question: Don't have a single Allow rule, just explicit denies with "treat as intrusion", and be in adaptive mode (no default deny at the bottom though). It's rough, crude, and will be a royal PITA to try and manage for more than a couple of systems, but it will get you at least 90% of what you're looking for.
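Two workflows come up in this thread: er587's use of permits uploaded before a detection (cross-checking the remote hosts against known-bad and whitelisted hosts to build a risk score) and the_un's tuning approach (explicit denies treated as intrusions, then reviewing which blocks repeat often enough to deserve an allow rule). The script below is an added example, not code from this thread, from McAfee's Threat Activity Tracer, or from the ePO Web API. It shows both views over a small batch of host-firewall events. The key=value line format, the sample events, the known-bad list, the trusted networks and the scoring weights are all constructed assumptions; a real HIPS export or ePO query looks different and would need its own parser.

```python
"""Offline triage of host-firewall events uploaded from endpoints.

Constructed example: the key=value line format, the sample events, the
known-bad list and the trusted networks are assumptions, not McAfee's
HIPS log format or the ePO Web API.
"""
from collections import Counter
import ipaddress
import re

# Constructed sample export (hypothetical format). One flow per line;
# "Block" lines come from an explicit deny rule treated as an intrusion,
# "Allow" lines from an application rule with logging enabled.
SAMPLE_EVENTS = """\
ts=2012-10-03T09:14:02 action=Allow app=java.exe proto=TCP lport=52311 rip=198.51.100.23 rport=443 rule="Java outbound"
ts=2012-10-03T09:14:05 action=Allow app=java.exe proto=TCP lport=52312 rip=203.0.113.77 rport=80 rule="Java outbound"
ts=2012-10-03T09:14:09 action=Block app=java.exe proto=TCP lport=52313 rip=203.0.113.77 rport=8080 rule="Deny all - intrusion"
ts=2012-10-03T09:15:11 action=Block app=svchost.exe proto=UDP lport=137 rip=10.0.0.255 rport=137 rule="Deny all - intrusion"
ts=2012-10-03T09:15:12 action=Block app=svchost.exe proto=UDP lport=137 rip=10.0.0.255 rport=137 rule="Deny all - intrusion"
ts=2012-10-03T09:16:40 action=Block app=outlook.exe proto=TCP lport=52320 rip=10.0.5.10 rport=443 rule="Deny all - intrusion"
ts=2012-10-03T09:16:41 action=Block app=outlook.exe proto=TCP lport=52321 rip=10.0.5.10 rport=443 rule="Deny all - intrusion"
ts=2012-10-03T09:16:42 action=Block app=outlook.exe proto=TCP lport=52322 rip=10.0.5.10 rport=443 rule="Deny all - intrusion"
ts=2012-10-03T09:17:00 action=Allow app=java.exe proto=TCP lport=52330 rip=192.0.2.5 rport=8443 rule="Java outbound"
ts=2012-10-03T09:17:03 action=Allow app=java.exe proto=TCP lport=52331 rip=192.0.2.5 rport=443 rule="Java outbound"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Parse key=value lines into dicts; port fields become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev["lport"] = int(ev["lport"])
        ev["rport"] = int(ev["rport"])
        events.append(ev)
    return events


def block_summary(events, min_hits=2):
    """Tuning view: count blocked flows by (app, proto, remote port) and
    return the repeat offenders an analyst should review as candidate
    allow rules. One-off blocks are noise when building rules."""
    counts = Counter(
        (e["app"], e["proto"], e["rport"])
        for e in events if e["action"] == "Block"
    )
    return [(key, n) for key, n in counts.most_common() if n >= min_hits]


def permits_before(events, trigger_index, n=5):
    """Context view: the last n permitted flows before the event at
    trigger_index, i.e. what the host talked to just before a detection."""
    prior = [e for e in events[:trigger_index] if e["action"] == "Allow"]
    return prior[-n:]


def score_permits(events, known_bad, trusted_nets, rule=None):
    """Correlation view: score permitted flows against a known-bad host
    list, skipping trusted networks. Returns (event, score) pairs with
    score > 0, highest first. Weights are arbitrary, for illustration."""
    bad = set(known_bad)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for e in events:
        if e["action"] != "Allow" or (rule and e["rule"] != rule):
            continue
        rip = ipaddress.ip_address(e["rip"])
        if any(rip in net for net in nets):
            continue                  # whitelisted destination
        score = 0
        if e["rip"] in bad:
            score += 70               # destination is on the known-bad list
        if e["rport"] not in (80, 443):
            score += 20               # unusual port for a browser-plugin process
        if score:
            flagged.append((e, score))
    flagged.sort(key=lambda pair: pair[1], reverse=True)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("Candidate allow rules (blocked 2+ times):")
    for (app, proto, port), n in block_summary(evs):
        print(f"  {app} {proto}/{port}: {n} blocks")
    print("Permits preceding the first outlook.exe block:")
    for e in permits_before(evs, 5):
        print(f"  {e['ts']} {e['app']} -> {e['rip']}:{e['rport']}")
    print("Permits worth a second look:")
    for e, s in score_permits(evs, {"203.0.113.77"}, ["10.0.0.0/8"]):
        print(f"  score={s} {e['app']} -> {e['rip']}:{e['rport']} ({e['rule']})")
```

The tuning summary deliberately counts by application and remote port rather than by remote address, since that is the shape of the allow rule you would eventually write; the correlation pass works the other way round and keys on the remote address, because that is what a blocklist or a later Web API lookup would match on.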
