3 Replies Latest reply on Apr 16, 2014 2:28 AM by Steve Chmiewliski

    Firewall and CAGS

    Steve Chmiewliski

      Hello Everyone.

      I haven't tested this yet, as I've been trawling the forum trying to work out how to implement this.

      I wish to be able to allow users of laptops to VPN in to the office when travelling, either from home DSL or a hotel.

      From what I have seen in the forum, what's available documentation-wise is very limited. So I would really like a second opinion on whether the following is correct.

      OK, the firewall rules I have set are as follows:

      Allow McAfee signed apps
      Allow loopback
      Allow DHCP
      Allow DNS
      Allow HTTP
      VPN (Timed group - set to 10 mins)
             Allow IPsec ESP
             Allow IKE
             Allow GRE
             Allow IKE Outbound
      CorpNetwork (CAG based on DNS Suffix)
             Allow all inbound
             Allow all outbound
             Allow local loopback
      Block All

      Is this correct for allowing a user to access the internet for 10 mins, long enough to establish a VPN connection, and then only use the corporate network?

      Many thanks in advance

      Steve

        • 1. Re: Firewall and CAGS
          greatscott

          We investigated the same method you did. However, as a user, you can just keep resetting the 10 minute timer. This essentially gives the user unlimited web access.

          I could be wrong on this, but I think this feature really turned us off from the timed group.

          • 2. Re: Firewall and CAGS
            Kary Tankink

            you can just keep resetting the 10 minute timer. this essentially gives the user unlimited web access.

            This is correct. There is no additional functionality to limit the use of Timed Groups; however, Patch 4 added the ability to report on their use.

            PD25043 - Host Intrusion Prevention 8.0 Patch 4 Release Notes

            https://kc.mcafee.com/corporate/index?page=content&id=PD25043

            Reporting for timed groups usage

            In this release of Host Intrusion Prevention, each time a user triggers a timed group, Host Intrusion Prevention generates a McAfee ePO event on the client and logs that action. The McAfee ePO administrator can then run a report to query the usage of timed groups.

            For reporting on the usage of timed groups to work properly, you must run the Patch 4 version on both the clients and Extension.

            For information on configuring timed groups and running reports, see New features — Extension.

            Allow HTTP
            VPN (Timed group - set to 10 mins)
                   Allow IPsec ESP
                   Allow IKE
                   Allow GRE
                   Allow IKE Outbound

            VPN traffic really should not be in a CAG. Typically, VPN traffic should ALWAYS be allowed out so the VPN tunnel can be built. Once the VPN is connected, you can then use a CAG to match against the VPN network. The CAG should match AFTER the VPN tunnel is established, which means VPN traffic Allow rules first, then the CAG. The traffic associated with building the VPN tunnel should not be part of the VPN CAG; the VPN network that the client is connected to should be.

            For hotels/airports/etc., where the user must authenticate via HTTP/HTTPS to get Internet access, you would use a Timed-group here.

            1. Limited HTTP access to authenticate to the hotel/airport/etc. network.
            2. Connect to VPN tunnel.
            3. Apply CAG based on VPN network.

            It would look more like this:

            Allow HTTP CAG (Timed group - set to 10 mins)
                   Allow HTTP/HTTPS traffic out
            Allow VPN traffic
                   Allow IPsec ESP
                   Allow IKE
                   Allow GRE
                   Allow IKE Outbound
            VPN CAG
                   <Allow traffic as needed>

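A toy first-match model of the posted and suggested rule lists above, added here as an example (it is not McAfee's code or the thread's own configuration). The timed-group and CAG semantics, the protocol labels and the corp.example DNS suffix are simplifying assumptions marked in the comments.

```python
# Toy first-match model of the two rule lists in this thread (added example, not
# McAfee's code). Simplifying assumptions: a timed group is in effect for
# TIMED_MINUTES after the user triggers it, and a CAG is in effect while the
# adapter's DNS suffix equals CORP_SUFFIX (a constructed placeholder). Each rule
# is (name, protocols or "any", group or None, action); evaluation is first match.
TIMED_MINUTES = 10
CORP_SUFFIX = "corp.example"
VPN_PROTOS = {"ESP", "IKE", "GRE"}

# Rule list as posted in the question: VPN build-up traffic sits inside the
# timed group, while plain HTTP is allowed unconditionally at the top level.
POSTED = [
    ("Allow McAfee signed apps", {"MCAFEE"}, None, "allow"),
    ("Allow loopback", {"LOOPBACK"}, None, "allow"),
    ("Allow DHCP", {"DHCP"}, None, "allow"),
    ("Allow DNS", {"DNS"}, None, "allow"),
    ("Allow HTTP", {"HTTP"}, None, "allow"),
    ("VPN timed group", VPN_PROTOS, "timed", "allow"),
    ("CorpNetwork CAG", "any", "cag", "allow"),
    ("Block All", "any", None, "block"),
]

# Rule list as suggested in the reply: HTTP/HTTPS limited by the timed group,
# VPN build-up traffic always allowed, CAG matched once on the corporate network.
SUGGESTED = [
    ("Allow HTTP CAG (timed)", {"HTTP", "HTTPS"}, "timed", "allow"),
    ("Allow VPN traffic", VPN_PROTOS, None, "allow"),
    ("VPN CAG", "any", "cag", "allow"),
    ("Block All", "any", None, "block"),
]

def group_active(group, minutes_since_trigger, dns_suffix):
    """Return whether a rule's enclosing group (timed, CAG or none) is in effect."""
    if group is None:
        return True
    if group == "timed":
        return minutes_since_trigger < TIMED_MINUTES
    if group == "cag":
        return dns_suffix == CORP_SUFFIX
    raise ValueError(f"unknown group {group!r}")

def evaluate(rules, proto, minutes_since_trigger, dns_suffix):
    """First-match evaluation of one packet: returns (action, matching rule name)."""
    for name, protos, group, action in rules:
        if protos != "any" and proto not in protos:
            continue
        if group_active(group, minutes_since_trigger, dns_suffix):
            return action, name
    return "block", "implicit deny"
```

Evaluating IKE at minute 15 off the corporate network returns Block All under the posted list (a dropped tunnel cannot be rebuilt) but Allow VPN traffic under the suggested one, while plain HTTP under the posted list is allowed at any time because that rule sits outside the timed group.
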
            • 3. Re: Firewall and CAGS
              Steve Chmiewliski

              Thanks Kary,

              The advice you have given has been most helpful. I will go away and do some testing and look at the timed group report. At least it's a starting point and should be able to pinpoint people who are abusing the function.