2 Replies Latest reply on Mar 20, 2015 4:15 PM by mhuisman

    HIPS (Firewall) Ignoring blocked traffic from Windows Update

    mhuisman

      I am using HIPS's 8.0 Firewall to limit outbound traffic from endpoints and have been having some issues filtering out some noise from Microsoft.

      This is all set up on a very restrictive network, I am only allowed to go out over port 443 to 4 different servers.

      Using the "Mark as Intrusion" feature I am able to track any unwanted traffic in or out, the issue is that I am seeing quite a bit of traffic being sent to Microsoft Update servers.

      I am using a 3rd party remote management system to interact with these machines and to push updates.  Unfortunately it utilizes the Microsoft updater services and will turn them on as it sees fit regardless of how you configure them.

      The big issue is we are required to monitor all traffic going in or out on a daily basis and there is no way to sift through 3-50 IPs per machine per day when we are dealing with thousands of systems.

      Is there some way to ignore the traffic to Microsoft but still block it?
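      One way a reviewer could handle the "known noise but still blocked" problem described above, as an added example that is not part of this thread and not McAfee code: take blocked outbound events, count hits to an expected-noise destination list per machine (so the block is still recorded and totalled), and deduplicate everything else into a short review list. The event format and the sample lines are constructed for the example (they are not the HIPS Activity log format), and the 192.0.2.0/24 range standing in for update servers is an assumed placeholder, not a vetted Microsoft list.

```python
"""Triage blocked outbound firewall events: count expected noise per host,
deduplicate the rest for human review.

Added example, not McAfee/HIPS code. Event format is constructed:
    timestamp,host,process,dst_ip,dst_port,action
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events (documentation IP ranges, not real captures).
SAMPLE_EVENTS = """\
2015-03-20T08:01:12,WS001,svchost.exe,192.0.2.10,443,BLOCK
2015-03-20T08:01:13,WS001,svchost.exe,192.0.2.10,80,BLOCK
2015-03-20T08:05:44,WS001,chrome.exe,198.51.100.23,443,BLOCK
2015-03-20T08:06:02,WS002,svchost.exe,192.0.2.11,443,BLOCK
2015-03-20T08:09:30,WS002,unknown.exe,203.0.113.9,4444,BLOCK
2015-03-20T08:10:00,WS002,svchost.exe,192.0.2.10,443,ALLOW
"""

# Assumed expected-noise list: ranges the organisation has decided are known,
# still-blocked update traffic. 192.0.2.0/24 is a placeholder for the example.
NOISE_LABEL = "update-servers (assumed range)"
EXPECTED_NOISE = {NOISE_LABEL: [ip_network("192.0.2.0/24")]}


def parse_events(text):
    """Parse the constructed CSV-style event lines into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, proc, dst, port, action = line.split(",")
        events.append({"ts": ts, "host": host, "process": proc,
                       "dst": ip_address(dst), "port": int(port),
                       "action": action.upper()})
    return events


def noise_label(dst, noise=EXPECTED_NOISE):
    """Return the noise list label matching dst, or None if it needs review."""
    for label, nets in noise.items():
        if any(dst in net for net in nets):
            return label
    return None


def triage(events, noise=EXPECTED_NOISE):
    """Blocked events only: noise is counted per (host, label); the remainder
    is collapsed per (host, process, dst, port) with a hit count."""
    noise_counts = Counter()
    review = Counter()
    for ev in events:
        if ev["action"] != "BLOCK":
            continue  # allowed traffic is outside the blocked-traffic review
        label = noise_label(ev["dst"], noise)
        if label:
            noise_counts[(ev["host"], label)] += 1
        else:
            review[(ev["host"], ev["process"], str(ev["dst"]), ev["port"])] += 1
    return noise_counts, review


def report(text, noise=EXPECTED_NOISE):
    """Human-readable lines: noise totals first, then the items to review."""
    noise_counts, review = triage(parse_events(text), noise)
    lines = [f"{host}: {n} blocked hit(s) to {label}"
             for (host, label), n in sorted(noise_counts.items())]
    lines += [f"REVIEW {host} {proc} -> {dst}:{port} x{n}"
              for (host, proc, dst, port), n in sorted(review.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

      On the sample, the two machines produce three noise hits that are still counted per host, while only two distinct destinations are left for a person to look at. The noise list is the part that has to be maintained deliberately: anything added to it is traffic you have decided not to read line by line, so keep it narrow and review its totals, not just the leftovers.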

        • 1. Re: HIPS (Firewall) Ignoring blocked traffic from Windows Update
          Kary Tankink

          Host IPS does not have the ability to send Firewall traffic (allowed or blocked) to the ePO server.  The "Mark as Intrusion" option just marks the blocked firewall traffic to trigger Network IPS signature 3702.


          The big issue is we are required to monitor all traffic going in or out on a daily basis and there is no way to sift through 3-50 IPs per machine per day when we are dealing with thousands of systems.

          There is no functionality to monitor traffic going in/out of the system using the Host IPS/ePO products.  Firewall event traffic is only stored locally in the HIPS Activity log.  Using the "Intrusion" mechanism is not an accurate (nor suggested) way to monitor firewall traffic; it also doesn't include all firewall activity details.

          • 2. Re: HIPS (Firewall) Ignoring blocked traffic from Windows Update
            mhuisman

            Sure, but if you mark it as an intrusion it gives you the ability to create an Automatic Response based on that event and then you can review the alerts.

            It is not ideal but we are required to monitor "Firewall Logs" to meet PCI compliance.

            We were sold HIPS in an ePO package as a PCI solution for security and now we are coming up on our audit.  I am hoping to pass this solution off as a compensating control for not having adequate firewall logging.

            How can McAfee claim that the firewall is PCI compliant when it does not support firewall logging?