2 Replies Latest reply: Dec 21, 2012 5:12 AM by jj4sec

    Connection/domain awareness

    jj4sec

      I miss an option in HIPS to check if the machine can connect to the domain or not.

      In Microsoft FW it is possible to configure rules if the machine is domain connected or not and this is a very strong feature.

      Is this possible with McAfee?

      Does someone know if the Microsoft feature is somewhere available in the registry and if I can use that key to create connection aware rules?

        • 1. Re: Connection/domain awareness
          zaloorb

          jj4sec,

           

          I believe the feature you are referring to is called Connection Aware Group (CAG) in HIPS 7 or Connection Isolation Group (CIG) in HIPS 8. It is thoroughly referenced in the product documentation:

           

          HIPS 7: https://kc.mcafee.com/corporate/index?page=content&id=PD20107

          HIPS 8: https://kc.mcafee.com/corporate/index?page=content&id=PD22894

           

          You can use this feature to create rule groups that follow a specific set of connection parameters such as:

           

          - IP Address

          - DNS Search Suffix

          - Default Gateway

          - DNS Server

          - DHCP Server

          - WINS Server

           

          You have a lot of options here but none that would directly reference domain connectivity. It would only be inferred by the above parameters but should work in most instances as, if the machines are connected to a specific domain, they should have a unique parameter from that list above that could designate them as part of the domain.

           

          Hope this helps!

           

           

          Zaloorb

          • 2. Re: Connection/domain awareness
            jj4sec

            Thanks for the answer

             

             

            It is indeed connection aware groups I refer to but the options are not "domain aware" and can be faked.

            Our company policy is that no internet connectivity is allowed except via the company internet infrastructure, security and logging.

            This is very difficult to implement with the McAfee options and even impossible if it must be impossible to bypass by intelligent IT people.
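
Added example, not part of the thread and not McAfee or Microsoft code: a PowerShell check that, for each connected adapter, compares the inferred parameters a connection-aware group matches on (DNS suffix, default gateway, DNS server) with the Windows network category, which is `DomainAuthenticated` on the connections where Windows Firewall applies its domain profile. The expected values are constructed placeholders and the function name `Get-ConnectionAwareness` is hypothetical.

```powershell
# Requires the NetTCPIP / NetConnection / DnsClient cmdlets (Windows 8 / Server 2012 or later).
# Constructed placeholder values standing in for the parameters a connection-aware group would match.
$Expected = @{
    DnsSuffix = 'corp.example.test'
    Gateway   = '10.0.0.1'
    DnsServer = '10.0.0.53'
}

function Get-ConnectionAwareness {
    param([Parameter(Mandatory)][hashtable]$Expected)

    foreach ($cfg in Get-NetIPConfiguration) {
        # Adapters without an active connection have no network profile; skip them.
        $netProfile = Get-NetConnectionProfile -InterfaceIndex $cfg.InterfaceIndex -ErrorAction SilentlyContinue
        if (-not $netProfile) { continue }

        # Locally configured values: these are what the parameter-based match relies on.
        $suffix   = (Get-DnsClient -InterfaceIndex $cfg.InterfaceIndex).ConnectionSpecificSuffix
        $gateways = @($cfg.IPv4DefaultGateway.NextHop)
        $dns      = @($cfg.DNSServer.ServerAddresses)

        $paramsMatch = ($suffix -eq $Expected.DnsSuffix) -and
                       ($gateways -contains $Expected.Gateway) -and
                       ($dns -contains $Expected.DnsServer)

        # Category assigned by Windows Network Location Awareness for this connection.
        $domainAuth = ($netProfile.NetworkCategory -eq 'DomainAuthenticated')

        [pscustomobject]@{
            InterfaceAlias      = $cfg.InterfaceAlias
            ParametersMatch     = $paramsMatch
            NetworkCategory     = $netProfile.NetworkCategory
            DomainAuthenticated = $domainAuth
            # Parameters look like the corporate network, but Windows did not
            # authenticate the connection to the domain: worth logging and review.
            Disagreement        = ($paramsMatch -and -not $domainAuth)
        }
    }
}

Get-ConnectionAwareness -Expected $Expected | Format-Table -AutoSize
```

A row with `Disagreement` set to `True` marks a connection where the inferred parameters match but Windows has not classified the network as domain authenticated.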