Our firm has a situation where a business unit does security consultation. Part of that process involves penetration testing. The staff have a Windows 7 laptop with a built-in NIC, and a USB NIC (TRULink ASIX AX88178 USB 2.0) that is bound ONLY to a BackTrack VM they use for testing. The McAfee HIPS software is bound to both NICs. The HIPS firewall interferes with the pen testing tools they use even though the software is NOT installed on the BackTrack VM. Likewise, the USB external NIC is the only NIC set up in the BackTrack VM; no traffic is allowed on the BackTrack VM from the internal NIC.
From what has been seen, it appears there is still some lower-level traffic being monitored (and blocked) by McAfee HIPS on the external USB NIC. I have attempted to build location awareness rules specific to the external USB NIC traffic and have not been successful. Is there a way to create a Network Awareness \ Location Awareness HIPS firewall rule set to allow all traffic on the USB external NIC, but still monitor the traffic on the internal built-in NIC?
Bob Staszewski (firstname.lastname@example.org)
Not sure how your FW is set up presently, but it sounds like it could be your issue. I would create a firewall policy for just these pen test systems, then apply it to them. Here is the setup as if you were looking at the Firewall Rules policy in ePO:
Firewall Rules policy
1. External USB NIC Location Aware group (within this group, configure the network criteria to be the single static IP of the External USB NIC, or a range of addresses if the IP varies. Make sure you check the "Isolate this connection" box.)
-> place your firewall rules for this NIC here within this group
2. Internal NIC Location Aware group (again, configure your network to be the static IP of the internal NIC, or DHCP range. Again, check the "Isolate this connection" box.)
-> place your firewall rules for this NIC here within this group
Kinda simplified, but it gives you a general idea.
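To make the structure of that answer concrete, here is an added, self-contained model of how location-aware groups with "Isolate this connection" are meant to scope rules per adapter. It is example code written for this thread, not McAfee's firewall engine or anything from ePO: group names, the two adapter addresses (192.168.50.10 for the USB NIC, 10.0.0.0/16 for the internal NIC) and the rule names are all constructed, and the isolation semantics (a matched isolated group is the only group consulted for that adapter, falling back to the policy default if none of its rules match) are an assumption about the product's behaviour, stated here so the model can be checked against a real policy.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "block"
    protocol: str = "any"       # "tcp", "udp", "icmp" or "any"
    port: Optional[int] = None  # None matches any port

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol != "any" and self.protocol != protocol:
            return False
        if self.port is not None and self.port != port:
            return False
        return True


@dataclass
class LocationGroup:
    name: str
    networks: List[str]         # network criteria: the IP(s) or range the adapter may hold
    isolate: bool               # models the "Isolate this connection" checkbox (assumed semantics)
    rules: List[Rule] = field(default_factory=list)

    def adapter_matches(self, local_ip: str) -> bool:
        ip = ipaddress.ip_address(local_ip)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.networks)


@dataclass
class FirewallPolicy:
    groups: List[LocationGroup]
    default_action: str = "block"


# (action, matching rule name or None, group name or None)
Decision = Tuple[str, Optional[str], Optional[str]]


def evaluate(policy: FirewallPolicy, local_ip: str, protocol: str,
             port: Optional[int] = None) -> Decision:
    """Decide what happens to a connection seen on the adapter that owns local_ip.

    Groups are walked in policy order. A group whose network criteria match the
    adapter is consulted; the first matching rule inside it wins. If the group is
    isolated and nothing in it matched, evaluation stops at the policy default
    instead of falling through to later groups (assumed isolation semantics).
    """
    for group in policy.groups:
        if not group.adapter_matches(local_ip):
            continue
        for rule in group.rules:
            if rule.matches(protocol, port):
                return rule.action, rule.name, group.name
        if group.isolate:
            return policy.default_action, None, group.name
    return policy.default_action, None, None


# Constructed pen-test laptop policy mirroring the two groups in the answer above.
PEN_TEST_POLICY = FirewallPolicy(
    groups=[
        LocationGroup("External USB NIC", networks=["192.168.50.10/32"], isolate=True,
                      rules=[Rule("usb-allow-all", "allow")]),
        LocationGroup("Internal NIC", networks=["10.0.0.0/16"], isolate=True,
                      rules=[Rule("internal-allow-https", "allow", "tcp", 443),
                             Rule("internal-allow-http", "allow", "tcp", 80),
                             Rule("internal-block-rest", "block")]),
    ],
    default_action="block",
)


if __name__ == "__main__":
    samples = [("192.168.50.10", "tcp", 445),   # USB NIC: everything allowed
               ("10.0.3.7", "tcp", 443),        # internal NIC: explicitly allowed
               ("10.0.3.7", "tcp", 445),        # internal NIC: caught by block rule
               ("172.16.1.1", "udp", 53)]       # unknown adapter: policy default
    for ip, proto, port in samples:
        print(f"{ip} {proto}/{port} -> {evaluate(PEN_TEST_POLICY, ip, proto, port)}")
```

The point the model makes visible is the one the answer relies on: because each group is keyed to the adapter's own address and isolated, the allow-all rule never leaks onto the internal NIC, and the internal NIC's rules never touch USB NIC traffic. If the USB NIC's address is not static, the `networks` list is where the DHCP range from the answer would go.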