wes44, Newcomer, 1 post since Nov 21, 2013

Nov 21, 2013 9:48 AM

Firewall rules for network sniffer?

I’m attempting to enable McAfee HIP Firewall 8.0 on a series of machines configured as network sensors, and I am having some difficulty creating a firewall rule to allow the sensor NICs to see all traffic while enabling the firewall on the rest of the NICs. The sensor NICs are located behind network taps and are able to receive data, but cannot transmit.

Wireshark is one of the applications in use, but after adding a firewall rule allowing the Wireshark executable to receive data on any port from any host, the Activity Log shows that no application is associated with that traffic, so the rule is ineffective. I’ve tested some workaround ideas with mixed results.

  • Allowing traffic selectively on network adapters that are connected to a network tap via a connection-aware group. This is tricky because using an IP alone as the group criteria does not seem to be effective, and though it does work when additional information such as the default gateway or DNS is specified, these settings have the potential to disrupt external connectivity.
  • Creating a rule to block traffic addressed to the local network adapter, then creating an "allow all" firewall rule directly below it to allow the reception of traffic directed to other hosts. This works, but there seems to be some additional risk from the "allow all" rule.
  • Adding the sniffing application to the Trusted Applications group. This does not seem to work, because the HIP firewall doesn't associate the traffic with the application.

Is there a best practice for applying separate firewall rules to different NICs in the same machine?

Thank you
