9 Replies Latest reply: Apr 14, 2014 9:07 AM by greatscott

    Firewall rules


      Is it possible to enable/disable rules based on the AD groups that a user is a member of?


      In trying to decipher some requirements placed upon me, I've tried to accommodate them by whitelisting IP traffic. For a bog standard user this has worked well, but for developers it isn't going so well. So what I would like to do is use their AD group memberships to facilitate the enabling of rules to allow them extended access to services, rather than having a global developer set of rules.

        • 1. Re: Firewall rules
          Kary Tankink

          Is it possible to enable/disable rules based on the AD groups that a user is a member of?
          This is not possible in Host IPS.

          • 2. Re: Firewall rules

            Thanks Kary,


            Guess I'll be ditching the HIPS firewall and going back to GPO or another product

            • 3. Re: Firewall rules

              One really backward way to do this is to have the developers implement some sort of arbitrary registry key on all their systems, then use that key to authenticate to a connection-aware group in the firewall. Within that connection-aware group you could have a looser ruleset or an allow all. Assuming your general population of users doesn't have the capability to add/remove/modify registry settings, they could never be authenticated to that connection-aware group via the HIPS firewall.


              Again, this doesn't address AD groups but it could work.

              • 4. Re: Firewall rules
                Kary Tankink

                One feature that is being worked on is User-Based policies (no exact ETAs at this point). It will have some limitations, but basically will apply a Firewall Rule policy based on the logged-in Active Directory user.


                AD User1 logs into a system and will get Firewall Rule Policy1.

                AD User2 logs into a system and will get Firewall Rule Policy2.


                If you're interested in more details, contact Sales/Support for details (e.g., discussion with the Host IPS Product Manager).




                The currently released HIPS build does not have this feature though....yet.

                • 5. Re: Firewall rules

                  HIPS8 has LAG rules, for which a registry key is one of the parameters that can be selected. Try using that with a GPO to set the key/value.
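As an added illustration of the registry-marker idea from replies 3 and 5 (this is not code from the thread, from McAfee or from Microsoft): a GPO, security-filtered to a group of developer computers, that writes a marker value which a HIPS location-aware / connection-aware group can then match on. The key path, value name, GPO name, group name and OU are all assumed placeholders; whichever hive and path HIPS is configured to inspect has to be matched in the ePO policy, which this script does not touch.

```powershell
# Added example, not part of the original thread. Requires RSAT (GroupPolicy
# and ActiveDirectory modules) on a domain-joined admin workstation.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName      = 'HIPS-Dev-Marker'                          # assumed GPO name
$devComputers = 'Developer-Workstations'                   # assumed AD computer group
$targetOU     = 'OU=Workstations,DC=corp,DC=example'       # assumed OU
$markerKey    = 'HKLM\SOFTWARE\Example\HIPS'               # assumed key (match it in the LAG)
$markerName   = 'DevMarker'                                # assumed value name

# 1. Create and link the GPO.
New-GPO -Name $gpoName -Comment 'Registry marker consumed by the HIPS connection-aware group' | Out-Null
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# 2. Security filtering: only the developer computer group applies this GPO.
#    The marker is a Computer Configuration setting (HKLM), so the filter must
#    name computers, not users; Authenticated Users keep Read so the policy can
#    still be evaluated.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $devComputers -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Write the marker as a policy (not a preference) value. HKLM\SOFTWARE is not
#    writable by a standard user, which is the assumption reply 3 relies on; a
#    developer who is a local administrator could still set it by hand, so this
#    is only as strong as local admin rights on the workstations.
Set-GPRegistryValue -Name $gpoName -Key $markerKey -ValueName $markerName -Type DWord -Value 1 | Out-Null

# 4. Check what the GPO now carries, and (after a gpupdate on a developer
#    machine) confirm the value is present there.
Get-GPRegistryValue -Name $gpoName -Key $markerKey
# On a client:  Get-ItemProperty -Path 'HKLM:\SOFTWARE\Example\HIPS' -Name 'DevMarker'
```

The HIPS side (a connection-aware group whose match criterion is this registry value, with the looser rule set inside it) is configured in the ePO policy catalog, not from this script; the GPO only makes the marker appear on the right machines.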

                  • 6. Re: Firewall rules

                    Thanks for the ideas greatscott & Namster - looking at the LAG setup though, that would be fine if I needed a loose "all users of type x get this", but I want true granular control - user X needs SQL and VMware so gets 1433/tcp and 4712/TCP-UDP to host z, user Y needs SQL etc.


                    I'll have a prod of sales to see if they can give me some details on user-based policies - that's exactly the sort of functionality that I need


                    In the meantime I've got some due diligence to do with Trend, Sophos and Microsoft

                    • 7. Re: Firewall rules

                      If you wanted true granularity like that, you would be looking at a ton of FW policies.

                      • 8. Re: Firewall rules

                        No, if I wanted true granularity like that I just need a rule engine that is capable of parsing AD memberships and adding in the requirements based on those


                        I was having a chat with a Pen Testing company recently, and they were saying that they hadn't come across any sites that properly whitelisted their traffic, so I showed them my test bed and they were impressed that they couldn't find anything to leverage - because all my workstations and servers have rules which only permit specific traffic.


                        It starts to get complicated when I have users that need to add in specific requirements, hence the view that if I could interpret their AD memberships then it would be easy to map in rule changes.


                        I was slightly shocked to realise that Microsoft have got this capability via the GPO - makes a pleasant change
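For the "Microsoft have got this capability via the GPO" point, here is an added example (not code from the thread or from Microsoft) of the per-user granularity reply 6 asked for, done with Windows Firewall rules delivered by a GPO: the rules allow 1433/tcp and 4712/tcp+udp to "host z" only for processes running as a member of one AD group. The domain, GPO name, group name, OU and the address standing in for host z are assumptions; the per-group restriction uses the firewall's local-principal SDDL on the rule (`-LocalUser`), which I am assuming is supported on the client OS in use (it is a Windows 8 / Server 2012-era feature).

```powershell
# Added example, not part of the original thread. Requires RSAT (GroupPolicy
# and ActiveDirectory modules) on a domain-joined admin workstation.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = 'corp.example'                              # assumed domain
$gpoName  = 'FW-Developer-Allow'                        # assumed GPO name
$devGroup = 'Developers'                                # assumed AD security group
$targetOU = 'OU=Workstations,DC=corp,DC=example'        # assumed OU
$hostZ    = '10.0.0.25'                                 # placeholder for "host z"

# Build an SDDL that names only the developer group; a rule carrying it applies
# solely to traffic from processes whose token holds that group SID.
$groupSid = (Get-ADGroup -Identity $devGroup).SID.Value
$devOnly  = "O:LSD:(A;;CC;;;$groupSid)"

# 1. The GPO is applied to every workstation in the OU. Firewall rules are a
#    Computer Configuration setting, so the user-level restriction lives in the
#    rule itself rather than in GPO security filtering (filtering a computer
#    setting by a user group would just stop the GPO from applying at all).
New-GPO -Name $gpoName -Comment 'Per-group outbound allow rules for developers' | Out-Null
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null

# 2. Write the rules straight into the GPO's firewall policy store.
$store = "$domain\$gpoName"
$rules = @(
    @{ Name = 'Dev: SQL 1433/tcp to host z';   Proto = 'TCP'; Port = 1433 },
    @{ Name = 'Dev: VMware 4712/tcp to host z'; Proto = 'TCP'; Port = 4712 },
    @{ Name = 'Dev: VMware 4712/udp to host z'; Proto = 'UDP'; Port = 4712 }
)
foreach ($r in $rules) {
    New-NetFirewallRule -PolicyStore $store -DisplayName $r.Name `
        -Direction Outbound -Action Allow -Protocol $r.Proto -RemotePort $r.Port `
        -RemoteAddress $hostZ -LocalUser $devOnly | Out-Null
}

# 3. The whitelist stance in the thread depends on outbound traffic being denied
#    by default; set that in the same GPO so the allow rules above are the only
#    way out to host z on those ports.
Set-NetFirewallProfile -PolicyStore $store -Profile Domain -DefaultOutboundAction Block

# 4. Review what the GPO now carries before it reaches any client.
Get-NetFirewallRule -PolicyStore $store |
    Select-Object DisplayName, Direction, Action, Enabled
```

A second group (reply 6's "user Y needs SQL") is another entry in `$rules` with its own SDDL, or a separate GPO; either way the rule set stays in one policy store instead of one firewall policy per user.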

                        • 9. Re: Firewall rules

                          Yep. I only meant a ton of HIPS FW policies (incapable of AD/LDAP tie-ins).