325 Views 1 Reply Latest reply: Dec 11, 2013 1:22 PM by greatscott RSS
BobStasz Newcomer 34 posts since
Apr 1, 2010

Dec 10, 2013 9:11 AM

Assistance with Location Awareness

Our firm has a situation where a business unit does security consultation. Part of that process involves penetration testing. The staff have a Windows 7 laptop with a built-in NIC, and a USB NIC (TRULink ASIX AX88178 USB 2.0) that is bound ONLY to a Back Track VM they use for testing. The McAfee HIPs software is bound to both NICs. The HIPs Firewall interferes with the pen testing tools they use even though the software is NOT installed on the Back Track VM. Likewise, the USB external NIC is the only NIC set up in the BackTrack VM; no traffic is allowed on the Back Track VM from the internal NIC.

 

From what has been seen, it appears there is still some lower-level traffic being monitored (and blocked) by McAfee HIPs on the external USB NIC. I have attempted to build location awareness rules specific to the external USB NIC traffic and have not been successful. Is there a way to create a Network Awareness \ Location Awareness HIPs Firewall rule set to allow all traffic on the USB external NIC, but still monitor the traffic on the internal built-in NIC?

 

Bob Staszewski (bob.staszewski@crowehorwath.com)

  • greatscott Champion 293 posts since
    Jul 18, 2011
    1. Dec 11, 2013 1:22 PM (in response to BobStasz)
    Re: Assistance with Location Awareness

    Bob,

     

    Not sure how your FW is set up presently, but it sounds like it could be your issue. I would create a firewall policy for just these pen test systems, then apply it to them. Here is the setup as if you were looking at the Firewall Rules policy in ePO:

     

    ____________________________

    Firewall Rules policy
    1. External USB NIC Location Aware group (within this group, configure the network criteria to be the single static IP of the External USB NIC, or range of addresses if the IP varies. Make sure you check the "Isolate this connection" box.)

    -> place your firewall rules for this NIC here within this group

    2. Internal NIC Location Aware group (again, configure your network to be the static IP of the internal NIC, or DHCP range. Again, check the "Isolate this connection" box.)

    -> place your firewall rules for this NIC here within this group

    ____________________________

     

    Kinda simplified, but it gives you a general idea.
