3 Replies Latest reply on Aug 7, 2013 8:52 AM by andy5340

    Interesting HIP Firewall "block" taking place

    andy5340

      I am implementing the HIP 8.0 Firewall and have placed a few outbound rules to permit and log traffic. To simplify my question, I am using browser traffic as my example.

       

      I have a statement that permits outbound TCP from C:\Program Files*\Internet Explorer\iexplore.exe to any destination port 80, 443, etc.

      A subsequent rule will block any undocumented or disallowed traffic and log it.

When this rule is in place, the browser session works and the user experience is unaffected. However, I am seeing blocked traffic that matches the destination IP/port the browser is using. There is no application listed in the logs or in the user interface. The problem I am facing is that IF the user has any issue and he or an unfamiliar technician looks at the logs, they will see this block and think that HIP is the problem.

       

I am theorizing that this blank application is a TCP re-transmit that's being blocked. I know this will mean the TCP layer will eventually time out and the application stack will re-transmit and traffic will go through. I'm confident that this is only milliseconds and the user experience should not be affected.

      So I have 2 questions:

1. Am I wrong, and is this not a TCP retransmit?

      2. How can I manipulate my firewall ruleset to permit this type of activity, short of permitting all outbound traffic?

       

Please excuse my ignorance if I am posting in the wrong place. This is my first post on the site and I'll be happy if I don't get completely flamed.

       

      Thanks!

        • 1. Re: Interesting HIP Firewall "block" taking place
          Kary Tankink

          1. I'm not entirely sure.  A network trace would have to be analyzed to determine this.  edit: Please open a McAfee Service Request if you need additional assistance with this.

2. You can remove the IE application from the firewall rule, which would apply the rule to all applications (but still limited to the other criteria; port 80/443), including the SYSTEM account (which is typically why you see no application in the firewall rule event; the traffic was run through PID 0, instead of the iexplore.exe PID).

           

          Message was edited by: ktankink on 6/12/13 2:23:46 PM CDT
          • 2. Re: Interesting HIP Firewall "block" taking place
            andy5340

            Thank you for the response. I should've thought about using a sniffer.

I did just that and used my Firefox session to Pandora to test. Sure enough, I see blocked traffic in the activity log that the sniffer shows to be retransmit traffic.

            I'm not sure how to allow retransmit traffic while still limiting outbound traffic to known/authorized apps running from approved locations.

             

[Edit]: Does anyone know how to permit retransmit traffic that shows up as a blank entry under the "application" column? I can't just say permit all 80/443 because Trojans, etc. use these ports too.

            This is not restricted to just browser traffic. Any retransmit by the transport layer will be affected.

             

            Thank you for the help

             

            Message was edited by: andy5340 on 6/20/13 8:12:37 AM CDT
            • 3. Re: Interesting HIP Firewall "block" taking place
              andy5340

              Kary,

If I remove the application criteria and restrict only to authorized ports, how do I then prevent malware from using those ports? Shouldn't McAfee at least account for PID 0 performing retransmit?

               

              Thanks!
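The practical problem the thread leaves open is the one andy5340 raised in the first post: a technician reading the activity log cannot tell a blank-application block that is just a retransmit of an already-allowed flow from a real block. Below is an added triage example, not code from this thread, from McAfee, or from HIPS itself, and the log lines it parses are constructed for the example; they are not McAfee's event format. It assumes each event records a timestamp, the action, the application (blank shown as "-") and the source and destination sockets, and it treats a blank-application block as retransmit noise only when an allowed flow on the same source/destination socket pair was logged within a short window (5 seconds, an assumption) before it. Everything else with a blank application is flagged for investigation, and blocks that do carry an application name are reported as the policy working as intended.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events for this example. This is NOT McAfee's HIPS event
# format; the fields are the ones the thread talks about (time, action,
# application, source socket, destination socket). "-" means the application
# column was blank, as in the events the thread describes.
SAMPLE_EVENTS = """\
2013-06-20T08:10:01Z ALLOW iexplore.exe 10.0.0.15:51044 -> 93.184.216.34:443
2013-06-20T08:10:01Z BLOCK - 10.0.0.15:51044 -> 93.184.216.34:443
2013-06-20T08:10:03Z ALLOW firefox.exe 10.0.0.15:51050 -> 208.85.40.20:80
2013-06-20T08:10:04Z BLOCK - 10.0.0.15:51050 -> 208.85.40.20:80
2013-06-20T08:11:30Z BLOCK - 10.0.0.15:51077 -> 198.51.100.7:443
2013-06-20T08:12:00Z BLOCK updater.exe 10.0.0.15:51090 -> 203.0.113.9:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<app>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# How long after an allowed flow a blank-application block on the same
# socket pair is still treated as a retransmit of that flow (assumption).
RETRANSMIT_WINDOW = timedelta(seconds=5)


def parse_events(text):
    """Parse the constructed log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["app"] = None if ev["app"] == "-" else ev["app"]
        events.append(ev)
    return events


def triage(events, window=RETRANSMIT_WINDOW):
    """Classify every BLOCK event.

    Returns a list of (event, verdict, related_app) where verdict is one of:
      'app-block'        the block names an application: the policy did its job
      'retransmit-noise' blank application, but an ALLOW for the same
                         source/destination socket pair was logged within
                         `window` before it, so it is most likely a retransmit
      'unexplained'      blank application and no matching allowed flow:
                         this is the one a technician should investigate
    """
    last_allow = {}  # most recent ALLOW per (src, dst) socket pair
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable: ALLOW stays before BLOCK at equal ts
        key = (ev["src"], ev["dst"])
        if ev["action"] == "ALLOW":
            last_allow[key] = ev
            continue
        if ev["app"] is not None:
            results.append((ev, "app-block", ev["app"]))
            continue
        prior = last_allow.get(key)
        if prior is not None and timedelta(0) <= ev["ts"] - prior["ts"] <= window:
            results.append((ev, "retransmit-noise", prior["app"]))
        else:
            results.append((ev, "unexplained", None))
    return results


def summarize(text=SAMPLE_EVENTS):
    """Return {verdict: count}; 'unexplained' is the number worth a second look."""
    counts = {}
    for _, verdict, _ in triage(parse_events(text)):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for ev, verdict, app in triage(parse_events(SAMPLE_EVENTS)):
        note = f" (flow allowed for {app})" if app else ""
        print(f"{ev['ts']:%H:%M:%S} {ev['src']} -> {ev['dst']}: {verdict}{note}")
    print(summarize())
```

On the sample, the two blank-application blocks that follow an allowed iexplore.exe and firefox.exe flow on the same socket pair are reported as retransmit noise, the blank block with no matching allowed flow is left as unexplained, and the updater.exe block is reported as an ordinary application block. Matching on the full socket pair rather than only the destination IP/port, as the thread's log view did, is what keeps a blank-application block to the same destination from a different connection from being waved through as noise.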