2 Replies Latest reply on Oct 22, 2012 7:01 PM by Kary Tankink

    HIPS (8.0.0.1855) Firewall and Trusted Networks

    jcusick

      Hopefully someone has a clue about this.

      Imagine a firewall with Location Aware Grouping by /24 network.

      It looks like this:

      -- allow dns
      -- allow dhcp
      -- etc
           LAG1 - based on gateway 192.168.1.1
                   -- Allow ping from Trusted
           LAG2 - based on gateway 192.168.2.1
                   -- Allow ping from trusted
           LAG3 - based on gateway 192.168.3.1
                   -- Allow ping from trusted
      -- Block ping

      I have a separate Trusted Networks policy for each LAG:
      LAG1 Trusted is 192.168.1.0/24
      LAG2 Trusted is 192.168.2.0/24
      LAG3 Trusted is 192.168.3.0/24

      I have 2 systems in each LAG; they can ping each other within the LAG as well as outside their LAG. In other words, LAG1-Sys1 can ping LAG2-Sys1.

      Each Allow rule above has the Network Name set to Trusted pulled from the catalog, which I assume checks the Trusted Networks Policy.

      If it does not, then what is the point of the Trusted Networks Policy, what is it used for, and how do I set this up so that it will work? When editing the Network Name Trusted Network, I selected Trusted from the dropdown list, expecting that the Trusted Network policy would be referred to.

      Obviously I'm either not setting things up correctly, or I am not understanding anything in the HIPS 8 manual after 4 or 5 complete re-reads of the firewall sections, not to mention a couple of reads of the entire manual. For what it's worth, this seemed to work as expected within HIPS 7.

      JC

      Message was edited by: jcusick on 10/18/12 10:41:48 AM CDT
        • 1. Re: HIPS (8.0.0.1855) Firewall and Trusted Networks
          Hayton

          I've removed the duplicate post from Security Awareness - you should get an answer here in the HIP section.

          • 2. Re: HIPS (8.0.0.1855) Firewall and Trusted Networks
            Kary Tankink

            The Trusted Networks policy is used for a few items:

            1. Used in a Firewall rule where Local/Remote Network object is set to TRUSTED.
            2. Network IPS exclusions if you enable the Trust for IPS (not necessary anymore for HIPS 8.0, since you can create Network IPS exceptions in the IPS Rules policy with the Remote IP Address parameter).
            3. Exclusions for the HIPS Firewall TrustedSource feature.

             Going back to your comments, I'm trying to understand how your firewall rules are set up.  With HIPS 8.0, you do not need to use the TRUSTED entry in the Local/Remote Networks; you can simply use the subnet/range entries as needed.  In HIPS 7.0, the Trusted Networks policy was used to apply firewall rules to multiple IP address entries (single, range, CIDR entries), since a firewall rule could only have 1 entry; HIPS 8 allows multiple entries now.

             You could change the Firewall rules in each LAG to not use the Trusted Networks policy at all, so you don't have to set a different Trusted Networks policy for each group of systems.  Something like this (if I understand the functionality you're trying to implement correctly):

             -- allow dns
             -- allow dhcp
             -- etc
                  LAG1 - based on gateway 192.168.1.1
                          -- Allow ping from 192.168.2.0/24 & 192.168.3.0/24
                  LAG2 - based on gateway 192.168.2.1
                          -- Allow ping from 192.168.1.0/24 & 192.168.3.0/24
                  LAG3 - based on gateway 192.168.3.1
                          -- Allow ping from 192.168.1.0/24 & 192.168.2.0/24
             -- Block ping

            In the above, the Trusted Network policy is not used at all for the Firewall.  You could also create Catalog Network objects for these networks as well, if you wanted (although not necessary).
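The two rule layouts in this thread differ only in how the per-LAG "allow ping" rule resolves its remote network: against the Trusted Networks policy assigned to the host (original post) or against subnets listed directly in the rule (reply). The following added example is a small Python model of first-match evaluation over such a layout; it is illustration written for this page, not McAfee HIPS code, and the class and function names (`Rule`, `LocationGroup`, `evaluate`, `ping_decision`), the `TRUSTED` sentinel and the implicit-deny fall-through are this example's own assumptions about how a location-aware policy behaves. The gateways and subnets are the constructed ones from the thread.

```python
"""Toy first-match model of a location-aware host firewall policy.

Added illustration only: it imitates the rule ordering discussed in the
thread (global allows, per-gateway location groups, trailing block) and
is not McAfee HIPS code. Names below are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

TRUSTED = "TRUSTED"  # stands in for the catalog's "Trusted" network object


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    protocol: str                # "icmp", "udp" or "tcp"
    remote: Union[None, str, List[ipaddress.IPv4Network]] = None  # None = any
    port: Optional[int] = None   # remote port for udp/tcp; None = any


@dataclass
class LocationGroup:
    name: str
    gateway: ipaddress.IPv4Address  # consulted only when the host's gateway matches
    rules: List[Rule]


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def rule_matches(rule, protocol, remote_ip, port, trusted_nets) -> bool:
    if rule.protocol != protocol:
        return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.remote is None:
        return True
    # A rule bound to TRUSTED is resolved against the Trusted Networks policy
    # assigned to this host; anything else is an explicit list of networks.
    nets = trusted_nets if rule.remote == TRUSTED else rule.remote
    return any(remote_ip in n for n in nets)


def evaluate(policy, gateway, protocol, remote_ip, port=None, trusted_nets=()) -> Tuple[str, str]:
    """Walk the policy top-down; the first matching rule decides. Location
    groups whose gateway differs from the host's are skipped entirely, and a
    packet matching nothing falls through to an implicit block (this model's
    convention)."""
    gw = ipaddress.ip_address(gateway)
    rip = ipaddress.ip_address(remote_ip)
    for item in policy:
        if isinstance(item, LocationGroup):
            if item.gateway != gw:
                continue
            candidates = item.rules
        else:
            candidates = [item]
        for rule in candidates:
            if rule_matches(rule, protocol, rip, port, trusted_nets):
                return rule.action, rule.name
    return "block", "implicit-deny"


# Constructed data mirroring the thread: LAG number -> (gateway, local subnet).
LAGS = {i: (f"192.168.{i}.1", net(f"192.168.{i}.0/24")) for i in (1, 2, 3)}
COMMON = [Rule("allow dns", "allow", "udp", port=53),
          Rule("allow dhcp", "allow", "udp", port=67)]
BLOCK_PING = Rule("block ping", "block", "icmp")

# Per-LAG Trusted Networks policies as in the original post, keyed by gateway.
TRUSTED_BY_GATEWAY = {gw: [subnet] for gw, subnet in LAGS.values()}


def trusted_style_policy():
    """Original layout: each LAG allows ping from the TRUSTED object."""
    groups = [LocationGroup(f"LAG{i}", ipaddress.ip_address(gw),
                            [Rule(f"LAG{i} ping from Trusted", "allow", "icmp", TRUSTED)])
              for i, (gw, _) in LAGS.items()]
    return COMMON + groups + [BLOCK_PING]


def explicit_style_policy():
    """Reply's layout: each LAG lists the other two subnets explicitly."""
    groups = [LocationGroup(f"LAG{i}", ipaddress.ip_address(gw),
                            [Rule(f"LAG{i} ping from other LAGs", "allow", "icmp",
                                  [sub for j, (_, sub) in LAGS.items() if j != i])])
              for i, (gw, _) in LAGS.items()]
    return COMMON + groups + [BLOCK_PING]


def ping_decision(policy, gateway, remote_ip):
    """Decide an inbound ICMP echo for a host whose default gateway is `gateway`."""
    return evaluate(policy, gateway, "icmp", remote_ip,
                    trusted_nets=TRUSTED_BY_GATEWAY.get(gateway, []))


if __name__ == "__main__":
    for label, pol in (("trusted", trusted_style_policy()), ("explicit", explicit_style_policy())):
        for src in ("192.168.1.50", "192.168.2.50", "10.9.9.9"):
            print(label, "gw 192.168.1.1 <- ping from", src, "=>", ping_decision(pol, "192.168.1.1", src))
```

Running the two layouts side by side makes the difference visible: with the TRUSTED object a LAG1 host accepts ping only from its own 192.168.1.0/24 (what each per-LAG Trusted Networks policy names), whereas the explicit layout in the reply accepts ping from the other two subnets and sends same-subnet ping to the trailing block rule. A host whose gateway matches no group skips every LAG and lands on the block rule, and traffic that no rule names at all falls through to the model's implicit deny. Whichever layout is used, the check worth doing before deploying is exactly this kind of table: for each gateway and each source subnet, which rule does an ICMP echo land on.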