3 Replies Latest reply on Nov 20, 2014 4:47 PM by jj4sec

    Mcafee Agent Communication Firewall Rules - DNS Requests are Wide Open?

    epository

      All,

       

      When you look on your client Firewall's rules....cant see it from the EPO, it appears the default Mcafee Agent Communication rules allow DNS request outbound to anywhere.

       

      These will show up in your Activity Log as "McAfee - Allow DNS resolution."

       

      See Attached.

       

      Is there any way to restrict these default rules down to a specific set of DNS servers?

       

      Certain programs allow the exfiltration of data using DNS requests and I want to restrict DNS resolution to a specific IP range.

        • 1. Re: Mcafee Agent Communication Firewall Rules - DNS Requests are Wide Open?
          epository

          So, if I am reading this correctly, both DHCP and DNS are wide open.

           

          Then, if you created a LAG rule checking for the condition of DHCP servers or DNS servers, it is really only checking the ipconfig properties?

           

          It appears you cant really restrict where computers get their DHCP assignments or where they make DNS requests to?

           

          So, in this scenario, if someone steals a computer from my company that has HIPS Firewall enabled, they will be able to connect up anywhere and at least make DNS requests and get an IP assigned by DHCP....but if you have LAG rules there checking the ipconfig properties and restricting those to a limited set of IP's, then you can then further block all communication.

           

           

           

          ****************************************

           

          To clarify the Connection Isolation feature:

           

          1. Connection Isolation does not always prevent network adapters from getting IP addresses (as the McAfee Agent Communication rule group which is added in memory automatically allows DHCP traffic).  So the network adapters will still show as having an IP addresses and connected to the network, but depending on your ruleset and CAG configuration, network traffic can be blocked for all non-matching network adapters.

           

          2. Any firewall rules above a CAG that performs Connection Isolation will still apply to all network adapters.  Example: VPN rules should be above CAGs because you always want VPN tunnels to be established on any network adapter that the user is using, whether it be a wired or wireless connection.  But once the user is connected to VPN, you can them perform Connection Isolation to block traffic on non-matching adapters, but still allows the VPN tunnel to pass through even on a non-matching adapter (leaving the VPN tunnel established; otherwise the VPN tunnel would be destroyed).

          • 2. Re: Mcafee Agent Communication Firewall Rules - DNS Requests are Wide Open?
            greatscott

            I think your question is a two parter:

             

            1. "So, if I am reading this correctly, both DHCP and DNS are wide open"

            I think per the firewall built-in rules you see in the client side FW console, this is true.

             

            2. "If you created a LAG rule checking for the condition of DHCP servers or DNS servers, it is really only checking the ipconfig properties"

            Yes, essentially. But this has nothing to do with blocking or permitting. The "checking" of the DNS/DHCP servers only serves to match a criteria for that LAG. It has nothing to do with permitting or denying of traffic to those said DNS or DHCP servers.

            • 3. Re: Mcafee Agent Communication Firewall Rules - DNS Requests are Wide Open?
              jj4sec

              You are right.

               

              I have a case for this.  For me a bug because in de McAfee default they start with DNS rules while they will never be hit because the dynamic added rules on the top you can't get control on, will Always hit first.

              We wanted to get control on DNS request when on public networks or when having multiple interfaces active.

               

              For McAfee this is works as designed and had to create a PER, for me this is a BUG.

              This could easily be coverd by limitting the dynamic rules to the McAfee signed applications
              .