McAfee Host IPS 6.0 Connection Aware Groups

Transcription

1 White Paper July 2006 McAfee Host IPS 6.0 Connection Aware Groups Usage and Configuration Guide

2 Page 2 Table of Contents Topcis Covered 3 Connection Aware Groups Defined 3 McAfee Host IPS Rule Processing 7 Binding to Network Adapters 7 Using McAfee Host IPS Connection Aware Groups 7 Designing Connection Aware Groups 8 Testing Connection Aware Groups 8 Limitation of Connection Aware Groups 9

3 Page 3 McAfee Host IPS 6.0 Connection Aware Groups Usage and Configuration Guide McAfee Host IPS 6.0 combines the protection of local firewall security and intrusion prevention protection at both the host and network levels. Managed by McAfee epolicy Orchestrator, Host IPS 6.0 provides network and security administrators a comprehensive tool in securing hosts throughout the organization. Enhanced features such as connection aware groups provide even more flexibility in designing a robust firewall rule set. The purpose of this paper is to clarify the use of connection aware groups in McAfee s Host Intrusion Prevention 6.0 application. The goal of this paper is to educate McAfee Host IPS Administrators about the use and limitations of connection aware groups. The authors will endeavor to provide answers to some of the more advanced technical questions associated with connection aware groups. The limitations of connection aware groups will be discussed at a technical level. Main Topics Covered: Defining connection aware groups Using connection aware groups to control IP traffic with access control rules Designing and implementing connection aware groups Limitations inherent to using McAfee Host IPS 6.0 connection aware groups Connection Aware Groups Defined McAfee Host IPS 6.0 Firewall connection aware groups (CAG) are sets of firewall rules that can be applied or ignored depending on the criteria defined by the connection aware group properties (see figure 1 for example). The criteria that define a connection aware group are based upon the IP configuration information acquired during network adapter binding. The ability of the firewall to select which rule set to use to filter traffic based on the connection configuration information allows administrators enhanced functionality in applying security measures for the various connection states clients are utilizing in today s diverse business networking. Figure 1 - McAfee Host IPS CAG Example

4 Page 4 Think of the connection aware group as one of several firewalls within the firewall. If the user connects at the company s LAN, then rules applicable to the company s LAN can be applied against the traffic coming from or going to the LAN. If the user connects to the company s RADIUS environment via dial-up, then a different but applicable set of rules can be applied. But if the user connects to an environment for which there are no predefined connection aware groups, the default generic firewall rule set can still be enforced. Options within the criteria are evaluated by OR. If several options are configured for a criterion, the option 1 OR option 2 OR option 3 (etc.) must be met. As soon as one of the options is met, the criterion is considered met. Connection aware groups are defined by one or more criteria based on the network adapter s logical IP configuration. Figure 2 is an excerpt of the results from an ipconfig /all command displaying the adapter s logical IP information. Most of these properties can be used when defining the connection aware group. Figure 2 - IP Configuration Information For each criterion enabled, one or more options can be configured. As the McAfee Host IPS Firewall analyzes the packets, it verifies the local adapter configuration information conforms to the options of the criteria. As soon as one of the options within the criterion is met, McAfee Host IPS will move to the next criterion and begin verifying the configuration information meets one of those options listed. Therefore not all options need be met, but at least one option of each criterion enabled for the connection aware group must be met for it to be utilized. The McAfee Host IPS connection aware group implementation allows for the following possible criteria in defining a group as shown in figure 3: IP Address or Range - Required Default Gateway DHCP Server Primary DNS Server Secondary DNS Server Figure 3 - CAG Properties or Criteria Side Note: The Connection Type is not one of the criteria used to define the connection aware group. The Connection Type is a label to help McAfee Host IPS administrators govern the rule sets. The icon associated to the connection aware group (figure 4) is based on what Connection Type is selected, but traffic is not compared against a VPN connection. It is compared against the criteria defined for the connection aware group as described in the previous paragraph. Primary WINS Server Secondary WINS Server The criteria are evaluated by AND. If criteria 1 and criteria 2 are configured, then criteria 1 AND Criteria 2 must be met. Figure 4 - Connection Type Icons

5 Page 5 Examples: The McAfee Host IPS Administrator wishes to create a simple connection aware group that contains 20 specific firewall rules his company s security policy requires be active when users are connected to the company s LAN, but provide for stricter filtering with a smaller rule set if the user s computer is connected somewhere other than the company s LAN. He knows that the users will always receive an IP address within the /24 subnet issued from the DHCP Server with the address and a WINS Server of address will be provided with the other DHCP configuration information. The Administrator can use these three criteria Local Subnet (figure 5), DHCP Server address (figure 6) and WINS Server address (figure 7) to define the Company LAN connection aware group. He can apply the required rule set to this connection aware group. He can create the stricter rule set outside the connection aware group. When users connect to the company s LAN and the adapter is bound with the expected logical configuration information, the Host IPS Firewall will analyze the packet, determine that the packet is to or from an adapter that meets the criteria for the Company LAN connection aware group, and process the packet with those associated rules. Figure 5 - IP Information List Taking the example further, the McAfee Host IPS Administrator learns that users might travel to a second office in the next state. The assigned subnet there is slightly different ( /24); as is the DHCP Server ( ); and the WINS Server ( ). The Administrator can add this information to the Company LAN connection aware group he has already created as additional options (figures 6 and 7). If a user connects to either site s LAN and the configuration information of the adapter matches one of the options, the criterion is considered to be met. However, all defined criteria of the connection aware group must be met for the connection aware group rule set to be used. It is important to note that if any of the criteria defined for a connection aware group is not met, the rule set attached to the connection aware group is completely bypassed. If all criteria defined for a connection aware group are met, the attached rule set is used. If the traffic does not match any of the rules within the connection aware group, it will be filtered against the remaining general rules or connection aware groups. In more complex configurations, it is common to find rules repeated throughout the McAfee Host IPS Firewall policy because administrators will want to use the same rule in various configurations. Figure 6 - DHCP Server List Figure 7 - Primery WINS List

6 Page 6 The McAfee Host IPS Administrator has another example: One of the Company VPs calls the Host IPS Administrator frustrated that even though he is connected to the company s LAN, he has very limited access. After some brief troubleshooting, the administrator discovers that the IP configuration information for the adapter has been manually set. Although the IP address is correct, no DHCP Server was defined. Because of this, the VP s firewall noted all three criteria defined by the connection aware group were not met. The VP s firewall did not parse the connection aware group associated rule set but went directly to the general rules, which were very limiting (figure 8). Another common example: While the Host IPS Administrator is managing the firewall rules, he notices a client learned rule that is quite common among the users. Upon investigation, the rule is associated to a new application the company requires employees to use. The Host IPS Administrator determines this is an important allow rule to include in the Company s LAN connection aware group and so he does. Soon thereafter, employees complain that when they attempt to use the application while connected to the company s LAN, it fails to run correctly. The Host IPS Administrator reopens the firewall policy and notes the new rule is listed. However, it is listed in the general firewall rule set below the connection aware group and not included within the connection aware group. Because the Company Required Rule #20 limits that specific traffic, Rule #20 will be used and the New Application Rule will not be processed (figure 9). When the Host IPS Administrator moved the new rule into the Company LAN connection aware group above Company Required Rule # 20 and deployed the updated firewall policy, employees noticed the application began functioning correctly. Figure 8 - CAG Associated Rules & General Rules Figure 9 - New Application Rule Outside CAG

7 Page 7 McAfee Host IPS 6.0 Rule Processing The McAfee Host IPS 6.0 Firewall processes traffic exactly the same within a connection aware group as it does with the general rule set. As packets are received by the firewall for analysis, the packet data is compared to the rules in order from the top down. As soon as a rule condition is met, the packet is processed in accordance with the met rule and no further filtering of the packet happens. If a packet is processed against all listed rules without finding a match, the packet is blocked with a default veto rule which will block all traffic not otherwise allowed by the configured firewall rules. The exception to this is when the firewall is in Learn Mode. Therefore it is important to put the most critical and specific rules at the beginning of rule sets within connection aware group or in the general listing to ensure they are processed before a more all-purpose rule is. This ordering process mandates that connection aware groups should be placed in this hierarchical order so that as the packets are processed they do not match a rule unintentionally prior to matching an intended connection aware group. Using McAfee Host IPS 6.0 Connection Aware Groups Connection aware groups allow for complex administration of the McAfee Host IPS Firewall for systems that are routinely connected to a variety of locations that require different network traffic rule sets. Environments with large and varied networks and thus large and varied rule sets are an ideal setting for using connection aware groups to manage these rules. Creating more open rule configurations in trusted networking configurations and stringent general rules allows administrators to enforce network security when systems are connecting to foreign environments. There are any number of scenarios that connection aware groups address with improvements to managing the traffic to and from systems. Connection aware groups are not recommended for simple static networking environments. They can not be used to manage network adapters. Connection aware groups cannot be used to manage traffic based on remote network adapter information but rules can be created to filter the traffic in this way. Example: The McAfee Host IPS Administrator configures a specific rule to block all FTP requests and puts it at the top of the firewall rule list, above the Company LAN connection aware group. But one of the rules within the Company s LAN connection aware group is configured to allow FTP traffic to a specific company FTP server. Because the rule blocking FTP will be processed prior to the connection aware group, the packets will be blocked and the connection aware group rule set will never be parsed. When users connect to the Company LAN, they will not be allowed to use FTP services. NOTE: There is currently one exception to the top down processing of the firewall rules. Block rules specific to defined domain name(s) are processed out of order and before other rules. Binding to Network Adapters McAfee Host IPS Firewall attempts to bind to all network adapters as they are activated during the OS startup, when an adapter is re-enabled or when the IP configuration information is released and renewed. As packets originate from the local system, the networking stack determines which adapter to use. When the packets are queued to be sent, the firewall examines the packets comparing the packet and adapter information against the connection aware groups and firewall rules. The packets will be allowed or blocked based on the outcome of this comparison. As packets arrive from the network to the various adapters, a similar filtering process is initiated. Again, as a packet is examined, filtering decisions based upon the rules and connection aware groups determines if the packet is allowed or blocked. Please see the Limitations of Connection Aware Groups section for specific information related to multi-homed systems and systems with multiple IP addresses assigned to a single network adapter.

8 Page 8 Designing Connection Aware Groups To build a firewall rule set which utilizes connection aware groups effectively and correctly, the Host IPS Administrator will want to consider the following: Rules that are applicable for all connected states Rules that are applicable for each specific connection state Rules that should be applied if the connection state does not meet any specifically defined state Rules Applicable to All Connected States Rules that are applicable for all connected states such as important system boot network processes or blanket denial rules are not required to be placed within a connection aware group. Rather, if the rule will be applicable for any state, regardless of the connection, the rule should be moved to the beginning of the firewall rule list outside and above any connection aware groups. By doing this, the Host IPS Administrator can ensure the rule is processed prior to any configuration dependent rule set applications. The Host IPS Administrator can also reduce the CPU overhead Host IPS uses to determine if the connection aware group criteria are met by the traffic. The Allow BootP rule is a good example of a rule that would be applicable for most connected states, has limited security issues, and will allow the initial adapter configuration to proceed. Rules Applicable to Specific Connected States Determining specific connection applicable rules is the next major phase of designing the rule set. There are two steps to this phase: Identify specific rules that should be utilized for a given connection Determine the various connections that will have specific or unique rules associated by the connection Define one or two general criteria that define the connection aware group note that this is for initial group creation and more specific criteria can and should be added during testing. Add the rules - using the top-down, specific to general model - that are particular to the connection aware group. Rules particular to multiple groups should be included within each applicable group. Ensure that all required specific rules are included within the connection aware groups. Make sure that any required allow rules are appended to the end of the connection aware groups because the default behavior of the firewall is to block any traffic not specifically allowed. Rules Applicable to Non-Specific States the Host IPS Administrator wished to prevent FTP traffic to certain addresses unless the user is connected to the company LAN, he could ensure an ALLOW rule is included in the connection aware group and a BLOCK rule is added after the connection aware groups. Again, any final required allow rules are appended to the end of the general rules list or the traffic will be blocked. Testing Connection Aware Groups It is important to test the firewall rules to verify the network traffic will be filtered as intended via the general and connection aware group rule sets. It is recommended that the Host IPS Administrator create a test environment on which to test the rules. 1. Test the first rules for functionality. a. These rules should not be associated to a connection aware group. b. These rules should allow the system to boot and initialize the desired networking state. 2. Test the connection aware group. a. Create deny or permit rules immediately after the connection aware group that directly oppose the rules within the connection aware group to verify the traffic is being filtered as expected. b. Work through the rule list within the connection aware group verifying each rule is valid and triggered by the correct adapter connection IP configuration information. c. Test any additional connection aware groups, adding contrary rules directly after the connection aware group to identify if the rule is not working. 3. When all connection aware groups are tested, remove the various contrary rules added for testing, leaving the remaining desired non-connection specific general rule set. 4. Ensure the adapters are not matching any connection aware group criteria and begin testing the general rules. 5. Finally, return to the properties of the connection aware groups and add enough criteria to ensure the connection aware group will be utilized when intended. a. Typically define 3 or more criteria. b. Administrators should retest a few of the rules within the connection aware group to ensure the more specific criteria have not become too specific to the point of exclusion. After the connection aware groups are added, append the general Host IPS Firewall rules with any general rules that should be applied if the system does not have any connection that matches any of the preceding connection aware groups. For example, if

9 Page 9 Limitations of Connection Aware Groups Connection aware groups cannot enable or disable adapters based on their criteria or the adapter s settings. The current McAfee Host IPS 6.0 product will only filter traffic from the connected and enabled adapters. Current technology and logic within the application do not allow for adapter or device control. Adaptive rules or Learned Rules are not appended to connection aware groups. If it becomes apparent that important rules learned by the clients need to be included within the appropriate connection aware groups, the administrator will be required to manually add those rules. Because the rules are learned at the client, there is no automated way to incorporate those rules to the firewall policy pushed down from the epo management policy. Connection aware groups cannot be made to identify rogue network environments. The configuration information of a connection aware group can be made very general; however it is impossible to guess all the possible variations associated with rogue networks. Administrators should build connection aware groups based upon network connections they can specifically define. Three or more criteria provide accurate application of the connection aware group. All other unknown adapter configuration traffic should be filtered by the general rule set. Because many networks use private IP addressing schemas, it is very common to find x.x and x.x environments. If too few criteria for a connection aware group are defined, it is possible to match a configuration because it has common traits of the intended network. Host IPS Administrators are encouraged to specify as many criteria as possible to increase the probability of correct identification. The limitation in this case is the connection aware group rules will be filtered against unintended network environments simply because the match the connection aware criteria. There is a documented defect (BZ280294) that identifies a condition where packet information is associated with an internal adapter and can therefore be filtered by any connection aware groups that match any bound addapters criteria. This condition might manifest on systems with multiple network adapters and connection aware groups. McAfee, Inc Freedom Circle, Santa Clara, CA 95054, , McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners McAfee, Inc. All Rights Reserved.