We created our own rules. The 6.1 FW is stateful, so we focused on only allowing traffic in for the VPN setup itself.
We did not bother making complex rules that would only cause customer service calls. The main thing is to shut down netbios traffic when mobile.
We never used adaptive for anything. No need to. Focus on what you want to block rather than what you want to allow.
"We never used adaptive for anything. No need to. Focus on what you want to block rather than what you want to allow"
Why not use Adaptive and create block rules from there?
I agree, it would be very hard to block all traffic and create rules for what you want to allow as you would surely miss something. But equally is it not very difficult to create block rules for everything you want to block without missing something?
Thanks for the information. So your firewall rules consist mainly of blocks to most or all Netbios related traffic? I notice in the Minimal McAfee provided settings, it specifically allows some netbios traffic (from trusted sites, but then again, if your trusted sites are 10. sites, that means that other companies' 10. networks would also be trusted), but blocks Incoming Netbios TCP traffic from non-trusted sites. Would you consider that insufficient, security wise, and instead, block all Netbios traffic?
When a firewall is stateful, does that mean that so long as the traffic is initiated locally, the return traffic will be allowed? Or, does it mean that as long as the traffic is initiated locally AND is allowed by the firewall, the return traffic will be allowed? In other words, I'm wondering if we have to specify allowed outgoing traffic in order for the return traffic to be allowed.
That's the conundrum we face. We want to keep our rule base simple, but sometimes simple rules cannot account for every case. The one problem I see with adaptive mode is that we may inadvertently create permanent rules to allow "bad" traffic in, if proper analysis of the adapted rules generated is not done, and with data from thousands of clients coming in, how does one perform proper analysis on all of it?
I was hoping that a solution would be to use one of McAfee's provided rule sets, based on the assumption that somebody with network expertise at McAfee had put some thought into what a good set of rules should be. Is that wishful thinking?
It depends on your corporate policy.
Are you trying to prevent employees from doing certain things or just want to block unsolicited inbound traffic, or both?
We realized we only want to block inbound. We handle employees using apps like P2P with A/V unwanted programs, etc. I would keep the rules simple. Remember you have IPS catching most of the bad stuff as once a connection is made, the FW provides little protection.
As mentioned before I also never use the "Adaptive mode" because it generates many rules which are not necessary and too "broad", which means allowing too much.
Our basic setting looks like this:
1) Internal LAN (Connection aware group based on ip range, dns-suffix, dns servers):
-> Allow ALL
2) VPN -> Allow standard VPN protocols to the VPN gateways
3) Generally allow: bootp, dns
This is the standard if the following prerequisites exist:
1) No other traffic than VPN is allowed from external
2) The VPN client gets an internal IP address and the settings specified for "Internal LAN" which is then allowing all traffic through VPN
3) If a VPN client gets a special IP subnet assigned via VPN we normally activated the HIPS quarantine mode for this subnet
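As an added illustration (not from this thread or from McAfee HIPS, whose rule syntax is not modelled here), the following Python sketch models the ruleset above as a location-aware default-deny policy with stateful return traffic, which also answers the earlier question about whether outbound traffic must be allowed for replies to get back in. The LAN range, DNS suffix, VPN gateway address and VPN ports are constructed placeholder values.

```python
from ipaddress import ip_address, ip_network

# Constructed values for the example; substitute your own environment.
INTERNAL_LAN = ip_network("10.0.0.0/8")          # assumed corporate range
CORP_DNS_SUFFIX = "corp.example"                 # assumed DNS suffix
VPN_GATEWAYS = {"203.0.113.10"}                  # assumed gateway (doc range)
VPN_PORTS = {("udp", 500), ("udp", 4500)}        # IKE / NAT-T, assumed
ALWAYS_ALLOWED = {("udp", 53), ("udp", 67), ("udp", 68)}  # dns, bootp


class HostFirewall:
    def __init__(self, local_ip, dns_suffix):
        self.local_ip = ip_address(local_ip)
        self.dns_suffix = dns_suffix
        # Connection table: only flows that were ALLOWED outbound get an entry.
        self.state = set()   # (proto, remote_ip, remote_port, local_port)

    def on_internal_lan(self):
        # Connection-aware group: both IP range and DNS suffix must match.
        return self.local_ip in INTERNAL_LAN and self.dns_suffix == CORP_DNS_SUFFIX

    def outbound(self, proto, dst_ip, dst_port, src_port):
        if self.on_internal_lan():
            allowed = True                                   # rule 1: LAN -> allow all
        elif dst_ip in VPN_GATEWAYS and (proto, dst_port) in VPN_PORTS:
            allowed = True                                   # rule 2: VPN protocols
        elif (proto, dst_port) in ALWAYS_ALLOWED:
            allowed = True                                   # rule 3: bootp, dns
        else:
            allowed = False                                  # default deny
        if allowed:
            self.state.add((proto, dst_ip, dst_port, src_port))
        return allowed

    def inbound(self, proto, src_ip, src_port, dst_port):
        if self.on_internal_lan():
            return True
        # Stateful: a packet gets in only as the reply to a flow we let out,
        # so unsolicited inbound (e.g. NetBIOS on a hotel WLAN) is dropped.
        return (proto, src_ip, src_port, dst_port) in self.state
```

Running a mobile host through it shows the gap the thread mentions: an HTTPS request to a hotel captive portal is denied outbound, so no state is created and its reply is dropped too.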
I like the simplicity of your implementation. When the PC is not currently connected to your LAN or VPN (say, they are connected to their home's or hotel's network), what do you allow, or is it just bootp and DNS?
We just want to block unsolicited inbound traffic. We also have our anti-virus software blocking unwanted programs.
In this config it's just bootp and dns - but in some situations like hotels HTTPS would be required to gain access to the WLAN hotspot or perhaps to the company's webmailer.