10 Replies Latest reply on Oct 29, 2007 11:31 AM by metalhead

    HIPS 6.1 Firewall Rules for VPN and External Networks

    McDuff
      We're implementing the HIPS 6.1 firewall on laptops that connect to the office via VPN, as well as laptops that connect to external networks (like cafe hotspots). We will be using connection aware groups. We want our PCs to be secure, but we also want to maintain usability.

      I'm curious if, during your initial implementation, you chose to use one of the McAfee provided rules (Client Minimal, Medium, or High) as a basis, then added on to those, or if you wrote your own rules from scratch? Also, did you use learn or adaptive mode? It seems to me that there could be a security risk using learn/adaptive mode, especially when the HIPS administrators and/or users are not network-savvy.

      What was your experience? If you had to do it over again, what would you recommend?
        • 1. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
          We created our own rules. The 6.1 FW is stateful, so we focused on only allowing traffic in for the VPN setup itself.

          We did not bother making complex rules that would only cause customer service calls. The main thing is to shut down NetBIOS traffic when mobile.

          We never used adaptive for anything. No need to. Focus on what you want to block rather than what you want to allow.
          • 2. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
            "We never used adaptive for anything. No need to. Focus on what you want to block rather than what you want to allow"

            Why not use Adaptive and create block rules from there?

            I agree, it would be very hard to block all traffic and create rules for what you want to allow as you would surely miss something. But equally is it not very difficult to create block rules for everything you want to block without missing something?
            • 3. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
              McDuff

              Thanks for the information. So your firewall rules consist mainly of blocks to most or all NetBIOS related traffic? I notice in the Minimal McAfee provided settings, it specifically allows some NetBIOS traffic (from trusted sites, but then again, if your trusted sites are 10. sites, that means that other companies' 10. networks would also be trusted), but blocks incoming NetBIOS TCP traffic from non-trusted sites. Would you consider that insufficient, security-wise, and instead block all NetBIOS traffic?

              When a firewall is stateful, does that mean that so long as the traffic is initiated locally, the return traffic will be allowed? Or, does it mean that as long as the traffic is initiated locally AND is allowed by the firewall, the return traffic will be allowed? In other words, I'm wondering if we have to specify allowed outgoing traffic in order for the return traffic to be allowed.
              • 4. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
                McDuff

                That's the conundrum we face. We want to keep our rule base simple, but sometimes simple rules cannot account for every case. The one problem I see with adaptive mode is that we may inadvertently create permanent rules to allow "bad" traffic in, if proper analysis of the adapted rules generated is not done, and with data from thousands of clients coming in, how does one perform proper analysis on all of it?

                I was hoping that a solution would be to use one of McAfee's provided rule sets, based on the assumption that somebody with network expertise at McAfee had put some thought into what a good set of rules should be. Is that wishful thinking?
                  • 5. RE: HIPS 6.1 Firewall Rules for VPN and External Networks

                  It depends on your corporate policy.

                  Are you trying to prevent employees from doing certain things or just want to block unsolicited inbound traffic, or both?

                  We realized we only want to block inbound. We handle employees using apps like P2P with A/V unwanted programs, etc. I would keep the rules simple. Remember you have IPS catching most of the bad stuff as once a connection is made, the FW provides little protection.
                  • 6. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
                    metalhead
                    As mentioned before, I also never use the "Adaptive mode" because it generates many rules which are not necessary and too "broad", which means allowing too much.

                    Our basic setting looks like this:

                    1) Internal LAN (Connection aware group based on ip range, dns-suffix, dns servers):
                    -> Allow ALL

                    2) VPN -> Allow standard VPN protocols to the VPN gateways

                    3) Generally allow: bootp, dns

                    This is the standard if the following prerequisites exist:
                    1) No other traffic than VPN is allowed from external
                    2) The VPN client gets an internal IP address and the settings specified for "Internal LAN", which then allows all traffic through VPN
                    3) If a VPN client gets a special IP subnet assigned via VPN, we normally activate the HIPS quarantine mode for this subnet
                    • 7. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
                      McDuff

                      I like the simplicity of your implementation. When the PC is not currently connected to your LAN or VPN (say, they are connected to their home's or hotel's network), what do you allow, or is it just bootp and DNS?
                      • 8. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
                        McDuff

                        We just want to block unsolicited inbound traffic. We also have our anti-virus software blocking unwanted programs.
                        • 9. RE: HIPS 6.1 Firewall Rules for VPN and External Networks
                          metalhead

                          In this config it's just bootp and dns - but in some situations like hotels, HTTPS would be required to gain access to the WLAN hotspot or perhaps to the company's webmailer.
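A small Python model of the location-aware, stateful policy described in replies 6 and 9, and of the "locally initiated AND allowed by a rule" reading of stateful filtering asked about in reply 3. It is an added illustration, not McAfee's code and not how HIPS is implemented internally; the 10.x internal range, the VPN gateway address and the state-table semantics are assumptions made for the example.

```python
# Added example (not from the thread or McAfee): a toy model of the
# connection-aware, stateful firewall policy discussed above.
from dataclasses import dataclass

NETBIOS_PORTS = {137, 138, 139, 445}   # NetBIOS/SMB, the inbound traffic to shut down when mobile
VPN_GATEWAYS = {"203.0.113.10"}        # constructed sample VPN gateway address
INTERNAL_NETS = ("10.0.",)             # assumed: connection-aware group keyed on IP prefix

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = locally initiated, "in" = arriving at the host

def location(local_ip: str) -> str:
    """Connection-aware group: 'internal' if the adapter holds an internal address, else 'external'."""
    return "internal" if local_ip.startswith(INTERNAL_NETS) else "external"

def rule_allows(pkt: Packet, loc: str, allow_https: bool = False) -> bool:
    """Static rule evaluation only; knows nothing about existing connections."""
    if loc == "internal":
        return True                                   # 1) Internal LAN -> Allow ALL
    if pkt.direction == "in":
        return False                                  # mobile: no unsolicited inbound (covers NETBIOS_PORTS)
    if pkt.proto == "udp" and pkt.dport in (53, 67, 68):
        return True                                   # 3) generally allow dns, bootp
    if pkt.dst in VPN_GATEWAYS and pkt.proto == "udp" and pkt.dport in (500, 4500):
        return True                                   # 2) VPN protocols (IKE, NAT-T) to the gateways
    if allow_https and pkt.proto == "tcp" and pkt.dport == 443:
        return True                                   # reply 9: hotel hotspot login / webmail
    return False

class StatefulFirewall:
    def __init__(self, local_ip: str, allow_https: bool = False):
        self.loc = location(local_ip)
        self.allow_https = allow_https
        self.state = set()   # flows the host initiated AND a rule allowed (assumed semantics)

    def filter(self, pkt: Packet) -> bool:
        """True if the packet passes. Inbound packets pass only as replies to tracked flows or by rule."""
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "in" and reply_key in self.state:
            return True      # return traffic of an allowed, locally initiated flow
        allowed = rule_allows(pkt, self.loc, self.allow_https)
        if allowed and pkt.direction == "out":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dt if False else pkt.dst, pkt.dport))
        return allowed
```

With this model an outbound flow that no rule allows never enters the state table, so its "reply" is dropped as unsolicited inbound; on the internal LAN everything passes, while on a hotel network only DNS, bootp, the VPN handshake and (optionally) HTTPS are opened by the host.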