Please tell me that there's a way to have the McAfee HIPS (we have the EPO 4.6.x server, with the McAfee agent, HIPS, and VSE 8.8 on the machines) report back firewall logging activities?
This functionality does not exist in the McAfee Host IPS product. HIPS Firewall events/activity are not sent to ePO.
I had the same problem a few months ago. I worked through my sales rep to show product managers the gap in the HIPS product. After some long discussions, they finally came to realize this gap needed to be filled. Of course, it was kind of hard to change the product to include all the firewall events (Sophos doesn’t do it either), but we are happy to accept the middle ground. Then McAfee released a community tool called Threat Activity Tracer (TAT).
The tool basically sends a user-defined set of firewall logs prior to a VSE or HIPS event. This allows you to get all the activity prior to a security event.
https://community.mcafee.com/docs/DOC-4231 -- Great Job Torry!!
A good use case that I'm testing: with a HIPS application firewall rule, allow JAVA outbound to any, and then add the FW log option specific to the TAT tool. You get hit with a drive-by download using JAVA. The McAfee agent uploads the 5 prior firewall permits tagged with the JAVA rule. Then you correlate this information with other security information in your environment, cross-check whitelisted hosts, and potentially create an automated response or risk score. This information now aids in your security intelligence. Additionally, using the WebAPI in 4.6, you can cross-check these IPs with known or new potential bad hosts on a periodic basis. Pretty cool…
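The correlation step described in this post, as an added example that is not from the thread or from McAfee's TAT tool: it takes the permits that preceded a detection, ranks the remote hosts against a whitelist and a threat list, and lists the unknown ones for a later re-check. The record layout (timestamp, host, rule, remote IP), the sample permits and both host lists are constructed, since neither TAT's output format nor the ePO WebAPI calls appear in the thread.

```python
from datetime import datetime

# Constructed sample data. The thread does not show TAT's record layout, so each
# permit is assumed to be (timestamp, host, firewall rule name, remote IP).
FW_PERMITS = [
    ("2013-05-01 10:00:01", "WS-042", "Allow JAVA outbound", "203.0.113.10"),
    ("2013-05-01 10:00:05", "WS-042", "Allow JAVA outbound", "198.51.100.7"),
    ("2013-05-01 10:00:09", "WS-042", "Allow Browser outbound", "198.51.100.8"),
    ("2013-05-01 10:00:12", "WS-042", "Allow JAVA outbound", "203.0.113.10"),
    ("2013-05-01 10:00:20", "WS-042", "Allow JAVA outbound", "192.0.2.55"),
    ("2013-05-01 10:00:25", "WS-042", "Allow JAVA outbound", "192.0.2.56"),
    ("2013-05-01 10:00:31", "WS-042", "Allow JAVA outbound", "203.0.113.10"),
    ("2013-05-01 10:02:00", "WS-042", "Allow JAVA outbound", "192.0.2.99"),  # after the detection
]
# The VSE detection on the same host that would trigger TAT's upload (constructed).
VSE_EVENT = ("2013-05-01 10:00:40", "WS-042", "VSE on-access detection")
ALLOWED_HOSTS = {"203.0.113.10"}   # whitelisted destinations, e.g. an internal update server
KNOWN_BAD_HOSTS = {"192.0.2.56"}   # constructed threat list; refresh it periodically

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def prior_permits(event, permits, rule, count=5):
    """The `count` most recent permits for `rule` on the event's host before the event."""
    event_ts, host = parse_ts(event[0]), event[1]
    hits = [p for p in permits if p[1] == host and p[2] == rule and parse_ts(p[0]) < event_ts]
    hits.sort(key=lambda p: parse_ts(p[0]))
    return hits[-count:]

def score_destinations(permits, allowed, known_bad):
    """Crude per-IP risk score: 0 whitelisted, 1 unknown, 3 on the threat list."""
    scores = {}
    for _, _, _, ip in permits:
        scores[ip] = 0 if ip in allowed else 3 if ip in known_bad else 1
    return scores

def correlate(event, permits, rule, allowed, known_bad, count=5):
    """Tie the detection to the permits that preceded it and rank the remote hosts."""
    prior = prior_permits(event, permits, rule, count)
    scores = score_destinations(prior, allowed, known_bad)
    return {
        "host": event[1],
        "detection": event[2],
        "prior_permits": len(prior),
        "scores": scores,
        "risk": sum(scores.values()),
        # unknown hosts are the ones worth re-checking against a fresh threat list later
        "recheck": sorted(ip for ip, s in scores.items() if s == 1),
    }
```

Calling `correlate(VSE_EVENT, FW_PERMITS, "Allow JAVA outbound", ALLOWED_HOSTS, KNOWN_BAD_HOSTS)` returns the five JAVA permits before the detection with a total risk of 5, and the two unknown IPs queued for re-check.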
Thanks for the information.
Yes, I'm shocked that HIPS (even sold JUST as a firewall) doesn't natively have the ability to report these things back to the EPO server. Unfortunately McAfee is horribly slow about responding to customer requests (I remember 8.5 and 8.7 betas where people were still asking for stuff that they'd asked for 3+ years earlier and McAfee turned a deaf ear to the whole thing).
But I'll pass the info along.
We may still end up looking at other products as this is quite disappointing. It shouldn't be hard to change the product to log these things. If it can log locally, it should be able to send these events back via the McAfee agent to the database, but if McAfee can't figure that out, then we probably don't want to use their products anymore.
Yes, EPO does more than that (well, it CAN); it just depends on the products you use. Plus, if it's able to do it, you can filter the events (for example in VSE 8.8, or was it newer versions of ePO, McAfee changed the default notifications so that it didn't report events like "scan took too long, timed out").
At least then we could, say, report blocked incoming ports (vs. outgoing), etc.
Centralized logging isn't just feasible, it's pretty much half the point of EPO. If you can't see what you're managing (the effect, that is), you're effectively driving blind. If the architecture can't handle the traffic volume, then it needs to be fixed. You can't tune a firewall without access to the logs.
Sorry to rant, but AV and other PC security products have been too far behind the curve for too long. I hear among other security professionals that we have a user training problem. No, what we have is a situation where the defending technology isn't working well enough. We need to stop worrying about reports, graphs, charts, and user interface, and get back to the nuts and bolts of security. Or, just consign yourself to the belief that AV/HIPS/desktop firewalls are just commodities, and then we, as customers, will just go to the lowest bidder.
Just use the features the product DOES have to achieve what you need. I would bet using Adaptive mode (don't retain existing rules) and using "Treat match as intrusion" for explicit blocks would be enough logging for MOST use cases described here. I've used it just fine for my tuning needs.
I haven't been in an environment yet (I'm a consultant, dozens of HIPS FW/IPS installs/upgrades/tweaks) where logging each and every packet is warranted. Would it be useful for those fringe cases? Sure. But at what cost to the event parser, database, and web console when trying ANY query from the ePOEvents table? Keep in mind that your "Top 10 Virus Detections" query comes from the same table you want to store each and every FW rule match.
To answer the OP's question: don't have a single Allow rule, just explicit denies with "treat match as intrusion", and be in adaptive mode (no default deny at the bottom, though). It's rough, crude, and will be a royal PITA to try and manage for more than a couple of systems, but it will get you at least 90% of what you're looking for.