4 Replies Latest reply on Sep 15, 2009 9:09 AM by cliff620

    McAfee HIPS and remote networks

      Evening All,

      We've previously used Sygate as our client side firewall and after Symantec bought them and launched that awful Endpoint Protection rubbish, we are now looking at McAfee HIPS as a replacement

      We've already got EPO running and use McAfee for AV so it fitted in quite nicely

      Got it rolled out to a couple of machines for testing and got pretty much the same rules we had on Sygate / Symantec. However there is one little issue we have noticed

      On Sygate / Symantec there was the option to disable the firewall for a set period of time (in our case 5mins) before it would reactivate. This meant when a user went to a wireless hotspot (i.e. Starbucks, Airports, etc) it gave the user enough time to open a browser, browse to the hotspot providers login page, authenticate or pay and then launch their VPN client before coming back on

      Ideally we would like to do the same with McAfee. I can't see an option to allow the user to deactivate the firewall part of HIPS for a set period of time (although there might be and I just haven't found it yet)

      Don't really want to give the users the option to browse wherever they like when they are on a non-corporate network

      Has anyone else got a setup similar to this? Or has anyone good ideas?

      Cheers
      Rob
        • 1. RE: McAfee HIPS and remote networks
          SergeM


          I'd love to have that option.
          Presently and AFAIK, the only possibility is to let the user "disable" Host IPS and let the McAfee Agent reactivate it.

          The McAfee Agent enforces the policies at a set interval defined in the agent's settings. So if you disable HIPS or VSE or any part of it, the agent will reactivate them after a while.

          It can be somewhat tricky... imagine the Agent is set to enforce the policies every 10 minutes and it last enforced them 1 minute ago, then if you disable HIPS, it will be reenabled in 9 minutes, which should leave you plenty of time to log on to the proxy, authenticate and so on.
          Now if the policies were last enforced 9min and 30 seconds ago, and you disable HIPS, then you have approximately 30 seconds to do the logon thing...

          You can also set a password to the disable menu options so that only selected users can do that.

          "hope it helps"
          Serge
          • 2. RE: McAfee HIPS and remote networks
            cliff620
            I believe it is only reactivated on an Agent policy enforcement with the ePO server or after a system reboot.
            I could not believe this limitation either and called McAfee support about this very issue and the reply was what I described above and this was not anything we wanted to expose our company data to.


            What we ended up doing was this:

            We set up two network aware policies.
            More open policy - for when they are on the corporate LAN (Looks at the DNS servers on the client) and allow inbound and outbound to trusted networks (we are protected behind corporate firewalls)
            The other is more restrictive - when the user takes their assigned laptop and plugs into the wild internet.
            While on the internet, they can join and participate on the network and are allowed to send outbound traffic but we do block unsolicited inbound traffic. (not the most secure - but we are able to turn off the ability for the user to shut down the firewall) This took a little while in adaptive mode to tweak - but so far we have gone a couple years without an incident or a policy modification.
            • 3. RE: McAfee HIPS and remote networks
              SergeM


              I'm curious about connection aware rules/groups...
              How did you define the rules so as to differentiate between your Net and outside?
              Was it a "simple" IP-range in xxx.yyy.aaa.0/24 or something more complete?

              Serge
              • 4. RE: McAfee HIPS and remote networks
                cliff620
                We have 12,000 desktop, 2,000 laptop with HIPS and only 10 DNS servers that serve all these PCs.
                (The DNS servers were the thing that is least likely to change in our environment)

                With the DNS server addresses in hand, I set up a connection aware group named "On Network" and used DNS Server as the Criteria.
                I also set up a second group called "Off Network" just to be consistent.

                Then add ALL your DNS servers (ip address) to the list.
                (if I recall correctly, you can use the command "nslookup yourdomain" to get a list of DNS servers)

                This will create a connection aware group based upon machines with your DNS server listed in the adapter.
                (The DNS servers can be manually added by users to get around this - just don't tell them what you are using to determine on or off network)


                I then went to the Trusted Network policy and added about 30 X.X.X.X/16 subnets and 15 X.X.X.X/24 that represent the server environments to the Trusted Networks policy.

                Then I created a rule for the "On Network" connection aware group to allow IP traffic inbound and outbound to Trusted Networks while they are on the corporate LAN (This is only due to fact we are being protected by perimeter firewalls with a diligent team to manage these firewalls.)
                Once this new rule is created, you must move it up with the up arrows until it gets inside your connection aware group.

                Now the hard part..
                If a user is in adaptive mode and has created a business required rule - does it go in the On network group or Off network group..?
                If you find an easy way - let me know..

                Good luck
                Cliff
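
An added example, not part of the thread and not McAfee code: a defender-side audit that applies the DNS-server criterion described in the last reply to adapter inventory records and flags any adapter that lands in "On Network" while its own address is outside the Trusted Networks list, which is the sign of a hand-set DNS server. The DNS addresses, subnets, record layout and the "any listed DNS server matches" rule are assumptions made for illustration.

```python
import ipaddress

# Constructed values for illustration; substitute your own DNS servers and subnets.
CORP_DNS = {"10.1.0.53", "10.2.0.53"}
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.1.0.0/16", "10.2.0.0/16", "10.50.4.0/24")]


def in_trusted(ip):
    """True if the adapter address falls inside any trusted subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def classify(adapter):
    """Return (group, suspicious) for one adapter record.

    group mirrors the DNS-server criterion: a match on any corporate DNS
    server puts the adapter in "On Network" (assumed matching rule).
    suspicious is set when that criterion matches but the adapter's own
    address is not in a trusted subnet.
    """
    dns_match = any(d in CORP_DNS for d in adapter["dns"])
    group = "On Network" if dns_match else "Off Network"
    suspicious = dns_match and not in_trusted(adapter["ip"])
    return group, suspicious


def audit(inventory):
    """List (host, adapter) pairs whose group assignment looks forced."""
    return [(a["host"], a["name"]) for a in inventory if classify(a)[1]]


# Constructed inventory records (hypothetical hosts and addresses).
SAMPLE = [
    {"host": "LT-001", "name": "Ethernet", "ip": "10.1.23.40",
     "dns": ["10.1.0.53", "10.2.0.53"]},
    {"host": "LT-002", "name": "Wi-Fi", "ip": "192.168.1.77",
     "dns": ["192.168.1.1"]},
    {"host": "LT-003", "name": "Wi-Fi", "ip": "192.168.43.12",
     "dns": ["10.1.0.53"]},
]

if __name__ == "__main__":
    for host, name in audit(SAMPLE):
        print(f"{host} {name}: corporate DNS configured on an untrusted address")
```

If VPN clients receive corporate DNS servers, the VPN address pool has to be in the trusted list or those adapters will be flagged as well.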