1 2 Previous Next 15 Replies Latest reply: Sep 14, 2014 10:03 PM by fuzziest RSS

    HIPS 8.0 firewall logging to EPO server?

    kjhurni

      Please tell me that there's a way to have the McAfee HIPS (we have the EPO 4.6.x server, with the McAfee agent, HIPS, and VSE 8.8 on the machines) report back firewall logging activities?

       

      We're in the process of tuning (for lack of a better word) what firewall holes we may need to open (we have thousands of machines with different software, etc.)

       

      Our old security product (Cisco CSA) had the ability to report back everything to the server (blocked/allowed/monitored, etc.)

       

      All I could find was an old post on these forums from 2011 indicating that you could not do this, but instead had to visit each machine (or rdp/remote control each machine) to upload the logs.  REALLY?

       

      So I'm hoping that this has been changed.

       

      I think even the crummy MS firewall and integration with Forefront or whatever has this ability and supposedly HIPS is a higher level product than simple firewall/app whitelisting.

        • 1. Re: HIPS 8.0 firewall logging to EPO server?
          Kary Tankink
          Please tell me that there's a way to have the McAfee HIPS (we have the EPO 4.6.x server, with the McAfee agent, HIPS, and VSE 8.8 on the machines) report back firewall logging activities?


          This functionality does not exist in the McAfee Host IPS product.  HIPS Firewall events/activity are not sent to ePO.

          • 2. Re: HIPS 8.0 firewall logging to EPO server?
            kjhurni

            Thanks for the info. Guess it's time to start looking at other vendor's security products then.

            • 3. Re: HIPS 8.0 firewall logging to EPO server?
              er587

              K,

               

I had the same problem a few months ago. I worked through my sales rep to show product managers the gap in the HIPS product. After some long discussions, they finally came to realize this gap needed to be filled. Of course, it was kind of hard to change the product to include all the firewall events (Sophos doesn't do it either), but we are happy to accept the middle ground. Then McAfee released a community tool called Threat Activity Tracer (TAT).

               

The tool basically sends a user-defined set of firewall logs prior to a VSE or HIPS event. This allows you to get all the activity prior to a security event.

               

              https://community.mcafee.com/docs/DOC-4231 -- Great Job Torry!!

               

A good use case that I'm testing: with a HIPS application firewall rule allowing JAVA outbound to any, you add the FW log option specific to the TAT tool. You get hit with a drive-by download using JAVA. The McAfee agent uploads the 5 prior firewall permits tagged with the JAVA rule. Then you correlate this information with other security information in your environment, cross-check whitelisted hosts, and potentially create an automated response or risk score. This information now aids in your security intelligence. Additionally, using the WebAPI in 4.6, you can cross-check these IPs with known or new potential bad hosts on a periodic basis. Pretty cool...
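The correlation step described in the post above, as an added example that is not McAfee code, not the TAT tool, and not from the poster: it takes the last few firewall permits tagged with a rule (the window a tool like TAT would upload ahead of a detection), cross-checks the remote hosts against an allowlist, and turns the result into a simple risk score. The pipe-delimited log format, the rule names, the allowlist networks and every address in it are constructed for this example and are not the real HIPS or TAT log format.

```python
"""
Correlate firewall permits that precede a Host IPS / VSE detection.

Added example: models the workflow of uploading the N most recent firewall
permits tagged with a rule, then cross-checking the remote hosts against an
allowlist to produce a risk score. Log format, field names and all sample
values are constructed for illustration (not the real FireSvc/TAT format).
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Constructed sample log: "<timestamp>|<rule>|<action>|<proto>|<remote_ip>:<port>"
SAMPLE_LOG = """\
2014-09-10T14:02:11|Java outbound|PERMIT|TCP|10.0.0.25:443
2014-09-10T14:02:14|Java outbound|PERMIT|TCP|203.0.113.77:8080
2014-09-10T14:02:15|Java outbound|PERMIT|TCP|203.0.113.77:8080
2014-09-10T14:02:20|Java outbound|PERMIT|TCP|198.51.100.9:80
2014-09-10T14:02:22|Java outbound|PERMIT|TCP|10.0.0.30:443
2014-09-10T14:02:25|Browser outbound|PERMIT|TCP|192.0.2.10:443
"""

# Constructed allowlist: internal ranges and a known-good external network.
ALLOWLIST = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class FwEvent:
    ts: str
    rule: str
    action: str
    proto: str
    remote_ip: str
    port: int


def parse_log(text: str) -> List[FwEvent]:
    """Parse the constructed pipe-delimited lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # malformed line: skip rather than abort the whole window
        ts, rule, action, proto, endpoint = parts
        host, _, port = endpoint.rpartition(":")
        try:
            ip_address(host)  # validate the address before keeping the event
            events.append(FwEvent(ts, rule, action, proto, host, int(port)))
        except ValueError:
            continue
    return events


def prior_permits(events: Iterable[FwEvent], rule: str, n: int = 5) -> List[FwEvent]:
    """Return the last n PERMIT events tagged with `rule` (the pre-detection window)."""
    tagged = [e for e in events if e.rule == rule and e.action == "PERMIT"]
    return tagged[-n:]


def is_allowlisted(ip: str) -> bool:
    """True when the remote address falls inside any allowlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def risk_report(window: Iterable[FwEvent]) -> Dict[str, object]:
    """One point per unique non-allowlisted host, plus one per repeat contact to it."""
    unknown = Counter(e.remote_ip for e in window if not is_allowlisted(e.remote_ip))
    score = len(unknown) + sum(count - 1 for count in unknown.values())
    return {"unknown_hosts": dict(unknown), "score": score}


if __name__ == "__main__":
    window = prior_permits(parse_log(SAMPLE_LOG), "Java outbound")
    print(risk_report(window))
```

Feeding the five "Java outbound" permits through this yields two hosts outside the allowlist, one contacted twice, so the report scores 3; the browser permit is ignored because it carries a different rule tag. A real deployment would replace the constructed allowlist with the organisation's own host inventory and feed the unknown hosts into whatever periodic reputation check is in use.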

              • 4. Re: HIPS 8.0 firewall logging to EPO server?
                kjhurni

                Thanks for the information. 

                 

                Yes, I'm shocked that HIPS (even sold JUST as a firewall) doesn't natively have the ability to report these things back to the EPO server.  Unfortunately McAfee is horribly slow about responding to customer requests (I remember 8.5 and 8.7 betas where people were still asking for stuff that they'd asked for 3+ years earlier and McAfee turned a deaf ear to the whole thing).

                 

                But I'll pass the info along.

                 

                We may still end up looking at other products as this is quite disappointing.  It shouldn't be hard to change the product to log these things.  If it can log locally, it should be able to send these events back via the McAfee agent to the database, but if McAfee can't figure that out, then we probably don't want to use their products anymore.

                • 5. Re: HIPS 8.0 firewall logging to EPO server?
                  greatscott

logging all traffic captured on the firewall would be cool, but not really feasible. there is a lot of traffic and i wouldn't expect ePO to be able to handle it all. ePO has its shortcomings, but remember that it manages a lot more than just the HIPS Firewall.

                  • 6. Re: HIPS 8.0 firewall logging to EPO server?
                    kjhurni

                    Yes, EPO does more than that (well it CAN)--just depends on the products you use.  Plus, if it's able to do it, you can filter the events (like in VSE 8.8 or was it newer versions of ePO, McAfee changed the default notifications so that it didn't report like "scan took too long, timed out" events)

                     

                    At least then we could say, report blocked incoming ports (vs. outgoing), etc.

                    • 7. Re: HIPS 8.0 firewall logging to EPO server?
                      toms

Centralized logging isn't just feasible, it's pretty much half the point of EPO. If you can't see what you're managing, the effect that is, you're effectively driving blind. If the architecture can't handle the traffic volume, then it needs to be fixed. You can't tune a firewall without access to the logs.

                       

                      Sorry to rant, but AV and other PC security products have been too far behind the curve for too long.  I hear among other security professionals that we have a user training problem.  No, what we have is a situation where the defending technology isn't working well enough.  We need to stop worrying about reports, graphs, charts, and user interface, and get back to the nuts and bolts of security.  Or, just consign yourself to the belief that AV/HIPS/desktop firewall are just commodities, and then we, as customers, will just go to the lowest bidder. 

                      • 8. Re: HIPS 8.0 firewall logging to EPO server?
                        greatscott

i said logging firewalls would be nice, but ePO still has its shortcomings. McAfee should investigate it. i surmise that if you were to take a typical ePO server right now, and magically turn on this function, it would break.

                        • 9. Re: HIPS 8.0 firewall logging to EPO server?
                          the_un

                          Just use the features the product DOES have to achieve what you need. I would bet using Adaptive mode (don't retain existing rules) and using "Treat match as intrusion" for explicit blocks would be enough logging for MOST use cases described here. I've used it just fine for my tuning needs.

                           

                          I haven't been in an environment yet (I'm a consultant, dozens of HIPS FW/IPS installs/upgrades/tweaks) where logging each and every packet is warranted. Would it be useful for those fringe cases? Sure. But at what cost to the event parser, database, and web console when trying ANY query from the ePOEvents table? Keep in mind that your "Top 10 Virus Detections" query comes from the same table you want to store each and every FW rule match.

                           

To answer the OP's question: Don't have a single Allow rule, just explicit denies with treat as intrusion, and be in adaptive mode (no default deny at the bottom, though). It's rough, crude, and will be a royal PITA to try and manage for more than a couple of systems, but it will get you at least 90% of what you're looking for.
