Our Firm has a few staff that use a secondary NIC on their machines to access clients networks. They have a need to allow McAfee HIPs (220.127.116.118) to bind and monitor traffic on the notebook built-in NIC, but not bind and monitor traffic on a USB external NIC that is being used by a VMWare Virtual machine. On the Windows 7 system, the external USB NIC properties have all connection uses unchecked, except for the VMWare Bridge Protocol.
Previous t HIPs 8.0, McAfee used it's own NDIS Intermediate Filter Miniport. Now HIPs uses th Microsoft NDIS archetecture. Per McAfee KB Article:
NDIS 6 bindings are not configurable in the Host IPS product. I'd be curious to know why the NDIS binding needs to be removed from this external USB NIC device. Is there an issue caused by this binding? If so, you might want to report the issue to McAfee Support for further investigation.
The reason they would like to remove all bindings on this USB NIC is to perform network testing unfettered through the VMWare VM. They used to be able to uncheck the binding for the McAfee NDIS Intermediate Filter Port and accomplish this until HIPs 8.0.
By unchecking all the connection uses on the USB NIC, they claim to sequestor that network interface to ONLY the VMWare VM, and there are some articles published on the internet that support this idea (http://www.tech-juice.org/2011/06/26/using-a-network-card-only-for-a-vmware-virt ual-machine/). They do not setup any sort of bridging back to the main OS from the VMWare VM.
So, your reply begs the question in my mind, if there is a way to "unbind" the NDIS binding on the USB NIC, and leave it on the internal NIC...
Upon thinking further, that would not work, however, I am curious if there is a way to design a firewall rule in HIPs to allow all traffic on the secondary NIC being used by the VM, and apply all other rules on the main host built-in NIC?
is a way to design a firewall rule in HIPs to allow all traffic on the secondary NIC being used by the VM, and apply all other rules on the main host built-in NIC?
HIPS 8.0 does have the ability to apply a firewall rule based on Media Types (Wired/Wireless/Virtual NIC). I believe VMware NICs will fall under the Virtual NIC category, but it would need to be tested.
Correct. And I have tried various ways to add rules to allow the traffic on the virtual NIC, and still protect wired and wireless.
Could you answer one question for me before I do that though? In order for the network awareness selection to allow or disallow traffic on a virtual NIC in the HIPs Firewall, the HIPs product would need to be installed on the Virtual Machine, correct? In our case the VM is accessed using VMware Workstation and the HIPs software is on the host OS, but not on the virtual machine OS. Therefore, I believe that the Host OS, and HIPs are unaware that the traffic being blocked is generated by the VM. As far as HIPs is concerned it is just traffic on the host OS.
Thanks for the help. I'll check for a reply.
In order for the network awareness selection to allow or disallow traffic on a virtual NIC in the HIPs Firewall, the HIPs product would need to be installed on the Virtual Machine, correct?
HIPS only needs to be installed on the VM Host (it can be installed on virtual Guests, but it's not required). HIPS will filter the VM traffic using firewall rules if you are using VMWare NAT or Host networks. If using the VMWare Bridge network, use the Firewall Option ALLOW BRIDGED TRAFFIC in HIPS 8.0 (VM Bridged networks are not supported in HIPS 7.0).
Why don't you just create a CAG in your firewall ruleset? Structure it like this
Corporate Internal Firewall CAG (criteria is configured to use your IP ranges, DNS servers, WINS server, DHCP server, etc)
Internal corporate firewall ruleset listed here
External Companies Firewall CAG (criteria is configured to use the IP ranges of the USB NIC)
Allow all rule
This way, any traffic matching your company IP ranges is subject to the firewall rules. The traffic matching the the USB NIC traffic, is given an allow all rule.