4 Replies Latest reply on Jul 24, 2009 12:53 PM by jawuk

    ''by path'' or ''by path then fingerprint'' firewall process rules

      Hi all

      When creating firewall rules and specifying processes to allow traffic from, I can see a few options, two of which I am unsure of how they act: ''by path'' or ''by path and then fingerprint''.

      By path, I assume, means no fingerprints of the app are ever taken; it's purely done on file name.

      By path then fingerprint: am I right in saying that when the client first initiates the app that needs connectivity, an MD5 hash is stored locally on the client and from then on the program has to use that fingerprint? If so, what happens when a software update is released, for example for firefox.exe or iexplore.exe? I am assuming after that the rule is void, and the rule will have to be enabled and disabled again? How does it know to recreate its hash?


        • 2. RE: ''by path'' or ''by path then fingerprint'' firewall process rules

          That is more or less consistent with what I have seen. Except that the rule isn't void, it's still active, but it won't work on any systems where said application has been modified - it may work on 50% of your managed systems and not on others(*).

          And since it(*) doesn't know when/how to take a new hash and the user usually has no access to that interface (that's why we're using ePO), we have to get the new MD5 and update the rule on the ePO server...
          Which means that the rule will only work on those systems with a specific version of the software application (e.g. Firefox).
          Which in turn explains why we aren't using this for common applications (e.g. Firefox), as you'd have to take too many possible MD5 values into consideration. We do use it for specific "special" applications.


          (*) hereby making you crazy trying to figure out why the thing isn't working...
          (*) define "it" : McAfee HIPS
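A small model of the behaviour described in this reply, added here as an illustration and not code from McAfee HIPS or from anyone in the thread: a process rule carries a path and an optional MD5 fingerprint, "by path" checks only the path, and "by path then fingerprint" also requires the hash to match. The two "builds" are constructed byte strings standing in for an executable before and after an update; that path comparison is case-insensitive and that a blank fingerprint field falls back to path-only matching are assumptions of the model, not documented product behaviour.

```python
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed stand-ins for two builds of the same executable. A real
# update changes the file contents and therefore its MD5 fingerprint.
FIREFOX_V1 = b"MZ...firefox build A (constructed sample bytes)"
FIREFOX_V2 = b"MZ...firefox build B (constructed sample bytes)"
EXE_PATH = r"C:\Program Files\Mozilla Firefox\firefox.exe"


@dataclass(frozen=True)
class ProcessRule:
    path: str
    fingerprint: Optional[str] = None  # MD5 hex digest, or None when the field is blank


def md5_hex(data: bytes) -> str:
    """MD5 of the executable's bytes: the 'fingerprint' the thread talks about."""
    return hashlib.md5(data).hexdigest()


def rule_matches(rule: ProcessRule, exe_path: str, exe_bytes: bytes, mode: str) -> bool:
    """Model of the two rule modes.

    Assumptions (not taken from the product documentation): paths compare
    case-insensitively as on Windows, and a rule whose fingerprint field is
    blank degrades to path-only matching even in 'by_path_then_fingerprint' mode.
    """
    if exe_path.lower() != rule.path.lower():
        return False
    if mode == "by_path":
        return True
    if mode == "by_path_then_fingerprint":
        if rule.fingerprint is None:
            return True
        return md5_hex(exe_bytes) == rule.fingerprint
    raise ValueError(f"unknown mode: {mode}")


def refresh_fingerprint(rule: ProcessRule, exe_bytes: bytes) -> ProcessRule:
    """The manual step from the reply: take the new MD5 and update the rule centrally."""
    return replace(rule, fingerprint=md5_hex(exe_bytes))


def fleet_match_count(rule: ProcessRule, fleet: Dict[str, bytes], mode: str) -> int:
    """How many managed systems the rule still works on, given each host's binary."""
    return sum(rule_matches(rule, EXE_PATH, blob, mode) for blob in fleet.values())


if __name__ == "__main__":
    # Rule created when every host ran build A.
    rule = ProcessRule(EXE_PATH, md5_hex(FIREFOX_V1))
    # Half the fleet has since been updated to build B.
    fleet = {"host-a": FIREFOX_V1, "host-b": FIREFOX_V2}
    print(fleet_match_count(rule, fleet, "by_path"))                   # 2
    print(fleet_match_count(rule, fleet, "by_path_then_fingerprint"))  # 1
    # Re-fingerprint against build B: now only the updated host matches.
    rule = refresh_fingerprint(rule, FIREFOX_V2)
    print(fleet_match_count(rule, fleet, "by_path_then_fingerprint"))  # 1
```

The fleet counts show the point of the reply: under the fingerprint mode a single rule can only ever match one build of the binary, so every update means collecting the new hash and pushing a changed rule, which is manageable for a handful of special applications and not for something that updates as often as a browser.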
          • 3. RE: ''by path'' or ''by path then fingerprint'' firewall process rules
            Cheers, that's great info; this is what I was concerned about. I will make the amendments I feel I require.


            • 4. RE: ''by path'' or ''by path then fingerprint'' firewall process rules
              Hi ya

              Sorry to bring this up again, but I just had another thought.

              It clearly says 'By Path then Fingerprint'. This could be interpreted two ways, as grammatically it has caused problems. The first way, as I mentioned above, it would use path on the client, then fingerprint it, storing this value on the client, and using this from that point onwards (which would be lame, and cause problems).

              Do you not think it means that it will first look for a match by path (whatever the path has been set as in the Firewall Rule Policy) and then by fingerprint (whatever the fingerprint has been set to within the ePO policy)?

              So basically, it looks in the path field for an entry (the less secure method), and if blank, will then try the fingerprint field, which may or may not have an MD5 hash value in it (the more secure method).

              So if you wanted to do it less securely, you would put in a path or just a process name, and that would work, but as the fingerprint field is blank it would ignore it.

              But if you wanted to do it more securely you would leave the path field blank and JUST put a fingerprint in instead?

              It's an either/OR thing.

              In which case, I need to change nothing; leaving it on path then fingerprint would be just fine. . . ?

              I'm confused, and the documentation is NOT helpful in any way.