McAfee Host IPS 6.0 Connection Aware Groups


White Paper, July 2006

McAfee Host IPS 6.0 Connection Aware Groups Usage and Configuration Guide

Page 2

Table of Contents

Topics Covered ... 3
Connection Aware Groups Defined ... 3
McAfee Host IPS Rule Processing ... 7
Binding to Network Adapters ... 7
Using McAfee Host IPS Connection Aware Groups ... 7
Designing Connection Aware Groups ... 8
Testing Connection Aware Groups ... 8
Limitations of Connection Aware Groups ... 9

Page 3

McAfee Host IPS 6.0 Connection Aware Groups Usage and Configuration Guide

McAfee Host IPS 6.0 combines a local firewall with intrusion prevention at both the host and network levels. Managed by McAfee ePolicy Orchestrator, Host IPS 6.0 gives network and security administrators a comprehensive tool for securing hosts throughout the organization. Enhanced features such as connection aware groups provide even more flexibility in designing a robust firewall rule set.

The purpose of this paper is to clarify the use of connection aware groups in McAfee's Host Intrusion Prevention 6.0 application. Its goal is to educate McAfee Host IPS administrators about the use and limitations of connection aware groups. The authors will endeavor to answer some of the more advanced technical questions associated with connection aware groups, and the limitations of connection aware groups are discussed at a technical level.

Main Topics Covered:
- Defining connection aware groups
- Using connection aware groups to control IP traffic with access control rules
- Designing and implementing connection aware groups
- Limitations inherent in using McAfee Host IPS 6.0 connection aware groups

Connection Aware Groups Defined

McAfee Host IPS 6.0 Firewall connection aware groups (CAGs) are sets of firewall rules that are applied or ignored depending on the criteria defined in the connection aware group properties (see figure 1 for an example). The criteria that define a connection aware group are based on the IP configuration information acquired when the firewall binds to a network adapter. Because the firewall selects which rule set to filter traffic with based on that connection configuration, administrators can apply different security measures to the various connection states that clients use in today's diverse business networks.

Figure 1 - McAfee Host IPS CAG Example

Page 4

Think of a connection aware group as one of several firewalls within the firewall. If the user connects to the company's LAN, the rules applicable to the company's LAN can be applied to traffic coming from or going to the LAN. If the user connects to the company's RADIUS environment via dial-up, a different but applicable set of rules can be applied. And if the user connects to an environment for which no connection aware group has been defined, the default generic firewall rule set is still enforced.

Connection aware groups are defined by one or more criteria based on the network adapter's logical IP configuration. Figure 2 is an excerpt of the output of an ipconfig /all command showing the adapter's logical IP information; most of these properties can be used when defining a connection aware group.

Figure 2 - IP Configuration Information

For each criterion enabled, one or more options can be configured. As the McAfee Host IPS Firewall analyzes packets, it verifies that the local adapter configuration information conforms to the options of each criterion. As soon as one of the options within a criterion is met, McAfee Host IPS moves to the next criterion and verifies that the configuration information meets one of that criterion's options. Not every option needs to be met, but at least one option of each criterion enabled for the connection aware group must be met for the group to be used.

Options within a criterion are evaluated by OR. If several options are configured for a criterion, then option 1 OR option 2 OR option 3 (and so on) must be met; as soon as one option is met, the criterion is considered met.

The criteria themselves are evaluated by AND. If criterion 1 and criterion 2 are configured, then criterion 1 AND criterion 2 must be met.

The McAfee Host IPS connection aware group implementation allows the following criteria when defining a group, as shown in figure 3:
- IP Address or Range (required)
- Default Gateway
- DHCP Server
- Primary DNS Server
- Secondary DNS Server
- Primary WINS Server
- Secondary WINS Server

Figure 3 - CAG Properties or Criteria

Side Note: The Connection Type is not one of the criteria used to define the connection aware group. The Connection Type is a label that helps McAfee Host IPS administrators organize the rule sets. The icon associated with the connection aware group (figure 4) depends on the Connection Type selected, but traffic is not compared against whether a VPN connection exists; it is compared only against the criteria defined for the connection aware group as described above.

Figure 4 - Connection Type Icons

Page 5

Examples: The McAfee Host IPS administrator wishes to create a simple connection aware group containing the 20 specific firewall rules his company's security policy requires to be active when users are connected to the company's LAN, while providing stricter filtering with a smaller rule set if the user's computer is connected anywhere other than the company's LAN. He knows that users on the LAN always receive an IP address within the 10.10.18.0/24 subnet, issued by the DHCP server at 10.10.18.5, and that a WINS server address of 10.10.18.17 is supplied along with the other DHCP configuration information. The administrator can use these three criteria, Local Subnet (figure 5), DHCP Server address (figure 6) and WINS Server address (figure 7), to define the Company LAN connection aware group, apply the required rule set to that group, and create the stricter rule set outside the group. When a user connects to the company's LAN and the adapter is bound with the expected logical configuration information, the Host IPS Firewall analyzes each packet, determines that it is to or from an adapter that meets the criteria for the Company LAN connection aware group, and processes the packet with the group's rules.

Figure 5 - IP Information List

Taking the example further, the administrator learns that users might travel to a second office in the next state. The subnet assigned there is slightly different (10.10.25.0/24), as are the DHCP server (10.10.25.7) and the WINS server (10.10.25.3). The administrator can add this information to the Company LAN connection aware group he has already created as additional options (figures 6 and 7). If a user connects to either site's LAN and the adapter's configuration information matches one of the options, the criterion is considered met.

However, all defined criteria of the connection aware group must be met for the group's rule set to be used. If any criterion defined for a connection aware group is not met, the rule set attached to the group is bypassed completely. If all criteria are met, the attached rule set is used; if the traffic does not match any rule within the connection aware group, it is filtered against the remaining general rules or connection aware groups. In more complex configurations it is common to find rules repeated throughout the McAfee Host IPS Firewall policy, because administrators want to use the same rule in several configurations.

Figure 6 - DHCP Server List
Figure 7 - Primary WINS List

Page 6

Another example: One of the company VPs calls the Host IPS administrator, frustrated that he has very limited access even though he is connected to the company's LAN. After some brief troubleshooting, the administrator discovers that the adapter's IP configuration has been set manually. Although the IP address is correct, no DHCP server is defined, so the VP's firewall found that the three criteria of the connection aware group were not all met. The firewall never parsed the group's rule set but went directly to the general rules, which were very limiting (figure 8).

A further common example: While managing the firewall rules, the Host IPS administrator notices a client learned rule that is quite common among the users. On investigation, the rule is associated with a new application the company requires employees to use. The administrator decides this is an important allow rule to include in the Company LAN connection aware group and adds it. Soon afterwards, employees complain that the application fails to run correctly when they use it while connected to the company's LAN. The administrator reopens the firewall policy and sees that the new rule is listed, but it sits in the general firewall rule set below the connection aware group, not within the group. Because Company Required Rule #20 inside the group limits that specific traffic, Rule #20 is matched first and the New Application Rule is never processed (figure 9). Once the administrator moved the new rule into the Company LAN connection aware group above Company Required Rule #20 and deployed the updated firewall policy, the application began functioning correctly.

Figure 8 - CAG Associated Rules & General Rules
Figure 9 - New Application Rule Outside CAG

Page 7

McAfee Host IPS 6.0 Rule Processing

The McAfee Host IPS 6.0 Firewall processes traffic within a connection aware group exactly as it does in the general rule set. As packets are received by the firewall for analysis, the packet data is compared with the rules in order from the top down. As soon as a rule's conditions are met, the packet is processed according to that rule and no further filtering of the packet takes place. If a packet is compared against every listed rule without a match, it is blocked by a default veto rule that blocks all traffic not otherwise allowed by the configured firewall rules. The exception is when the firewall is in Learn Mode. It is therefore important to put the most critical and specific rules at the beginning of the rule sets, whether within a connection aware group or in the general listing, so that they are processed before a more general-purpose rule. The same ordering applies to the connection aware groups themselves: they must be placed so that packets do not unintentionally match an earlier rule before reaching the intended connection aware group.

Using McAfee Host IPS 6.0 Connection Aware Groups

Connection aware groups allow for complex administration of the McAfee Host IPS Firewall on systems that routinely connect from a variety of locations requiring different traffic rule sets. Environments with large and varied networks, and thus large and varied rule sets, are an ideal setting for using connection aware groups to manage those rules. More open rule configurations for trusted network configurations, combined with stringent general rules, let administrators enforce network security when systems connect to foreign environments. There are any number of scenarios in which connection aware groups improve the management of traffic to and from systems.

Connection aware groups are not recommended for simple static networking environments. They cannot be used to manage network adapters. Connection aware groups cannot be used to select rules based on remote network adapter information, although individual rules can be created to filter traffic that way.

Example: The McAfee Host IPS administrator configures a rule to block all FTP requests and puts it at the top of the firewall rule list, above the Company LAN connection aware group. But one of the rules within the Company LAN connection aware group is configured to allow FTP traffic to a specific company FTP server. Because the rule blocking FTP is processed before the connection aware group, the packets are blocked and the connection aware group rule set is never parsed. When users connect to the Company LAN, they will not be able to use FTP services.

NOTE: There is currently one exception to the top-down processing of the firewall rules. Block rules specific to defined domain name(s) are processed out of order, before other rules.

Binding to Network Adapters

The McAfee Host IPS Firewall attempts to bind to all network adapters as they are activated during OS startup, when an adapter is re-enabled, or when the IP configuration information is released and renewed. As packets originate from the local system, the networking stack determines which adapter to use. When the packets are queued to be sent, the firewall examines them, comparing the packet and adapter information against the connection aware groups and firewall rules, and allows or blocks them based on the outcome. As packets arrive from the network on the various adapters, a similar filtering process is initiated: as each packet is examined, filtering decisions based on the rules and connection aware groups determine whether it is allowed or blocked.

Please see the Limitations of Connection Aware Groups section for specific information related to multi-homed systems and systems with multiple IP addresses assigned to a single network adapter.
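The criteria evaluation described on page 4 (OR within a criterion, AND across criteria, IP Address or Range required), the VP's hand-configured adapter from page 6, and the top-down processing, group bypass, FTP ordering mistake and domain-name exception described above, modelled in one Python script. This is an added illustration written for this guide, not McAfee code, and it makes no claim about how the Host IPS driver is implemented internally. The ipconfig /all excerpt is constructed, the policy is built from the paper's 10.10.x.x examples, and TCP port 8443 for the new application and the example.net block rule are assumptions.

```python
# CAG criteria matching and top-down rule processing as described in this
# paper, modelled in Python. Added illustration, not McAfee's own code.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

def parse_ipconfig(text):
    """Reduce ipconfig /all output to a property -> value dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips the adapter header line
            cfg[key.strip(" .")] = value.strip()
    return cfg

# Constructed ipconfig /all excerpt for the paper's 10.10.18.0/24 site (not a real host).
LAN_CFG = parse_ipconfig("""
Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 10.10.18.42
   Default Gateway . . . . . . . . . : 10.10.18.1
   DHCP Server . . . . . . . . . . . : 10.10.18.5
   DNS Servers . . . . . . . . . . . : 10.10.18.10
   Primary WINS Server . . . . . . . : 10.10.18.17
""")
# The VP's laptop: the right address typed in by hand, so no DHCP Server property.
STATIC_CFG = {k: v for k, v in LAN_CFG.items() if k != "DHCP Server"}

@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "block"
    protocol: str = "any"         # "tcp", "udp" or "any"
    port: Optional[int] = None    # remote port, None = any
    domain: Optional[str] = None  # set only on block-by-domain rules

@dataclass
class ConnectionAwareGroup:
    name: str
    criteria: dict      # criterion -> list of options; OR within, AND across
    rules: List[Rule]   # consulted only when every criterion is met

Packet = namedtuple("Packet", "protocol port host", defaults=(None,))
CRITERION_KEYS = {  # CAG criterion -> ipconfig property it is compared with
    "IP Address": "IP Address", "Default Gateway": "Default Gateway",
    "DHCP Server": "DHCP Server", "Primary DNS Server": "DNS Servers",
    "Primary WINS Server": "Primary WINS Server"}

def criterion_met(name, options, cfg):
    """OR over one criterion's options; an absent property never matches."""
    value = cfg.get(CRITERION_KEYS[name])
    if value is None:
        return False
    if name == "IP Address":
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(opt) for opt in options)
    return value in options

def cag_matches(cag, cfg):
    """AND across all criteria; IP Address or Range is mandatory."""
    if "IP Address" not in cag.criteria:
        raise ValueError("IP Address or Range is a required criterion")
    return all(criterion_met(n, o, cfg) for n, o in cag.criteria.items())

def rule_matches(rule, pkt):
    if rule.domain is not None:
        return pkt.host is not None and pkt.host.endswith(rule.domain)
    return rule.protocol in ("any", pkt.protocol) and rule.port in (None, pkt.port)

def filter_packet(policy, cfg, pkt):
    """Top down, first match wins; a CAG with unmet criteria is skipped whole;
    domain block rules run before everything else; unmatched traffic is vetoed."""
    flat = []
    for entry in policy:
        if isinstance(entry, ConnectionAwareGroup):
            if cag_matches(entry, cfg):
                flat.extend(entry.rules)
        else:
            flat.append(entry)
    ordered = [r for r in flat if r.domain] + [r for r in flat if not r.domain]
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "block", "default veto"

# Policy from the paper's examples; TCP 8443 for the new application and example.net are assumed.
LAN_CAG = ConnectionAwareGroup("Company LAN", criteria={
    "IP Address": ["10.10.18.0/24", "10.10.25.0/24"],     # either office
    "DHCP Server": ["10.10.18.5", "10.10.25.7"],
    "Primary WINS Server": ["10.10.18.17", "10.10.25.3"],
}, rules=[
    Rule("New Application", "allow", "tcp", 8443),         # must sit above Rule #20
    Rule("Allow company FTP", "allow", "tcp", 21),
    Rule("Company Required Rule #20", "block", "tcp", 8443),
])
POLICY = [Rule("Allow BootP", "allow", "udp", 67), LAN_CAG,
          Rule("Block FTP elsewhere", "block", "tcp", 21),
          Rule("Block example.net", "block", domain="example.net")]
# The mistake from the Using CAGs section: the FTP block placed above the group.
POLICY_FTP_FIRST = [POLICY[2], POLICY[0], LAN_CAG]
```

With LAN_CFG, filter_packet(POLICY, LAN_CFG, Packet("tcp", 21)) reaches the group's FTP allow, while the same packet under POLICY_FTP_FIRST is blocked before the group is ever consulted. STATIC_CFG fails the DHCP Server criterion, so the Company LAN rules are skipped entirely and the general FTP block applies, which is exactly the VP's complaint; and a packet whose resolved host ends in example.net is blocked by the domain rule even though an allow rule sits above it.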

Page 8

Designing Connection Aware Groups

To build a firewall rule set that uses connection aware groups effectively and correctly, the Host IPS administrator should consider:
- Rules that are applicable for all connected states
- Rules that are applicable for each specific connection state
- Rules that should be applied if the connection state does not meet any specifically defined state

Rules Applicable to All Connected States

Rules that apply in all connected states, such as those for important system boot network processes or blanket denial rules, need not be placed within a connection aware group. Rather, if a rule applies to any state regardless of the connection, it should be moved to the beginning of the firewall rule list, outside and above any connection aware groups. This ensures the rule is processed before any configuration-dependent rule set, and it also reduces the CPU overhead Host IPS spends determining whether the connection aware group criteria are met for the traffic. The Allow BootP rule is a good example of a rule that applies in most connected states, has limited security implications, and lets the initial adapter configuration proceed.

Rules Applicable to Specific Connected States

Determining the rules that apply to a specific connection is the next major phase of designing the rule set. The steps in this phase are:
- Identify the specific rules that should be used for a given connection.
- Determine the various connections that will have specific or unique rules associated with them.
- Define one or two general criteria for the connection aware group; this is for initial group creation, and more specific criteria can and should be added during testing.
- Add the rules particular to the connection aware group, using the top-down, specific-to-general model.

Rules particular to multiple groups should be included within each applicable group. Ensure that all required specific rules are included within the connection aware groups, and make sure that any required allow rules are appended to the end of each connection aware group, because the default behavior of the firewall is to block any traffic not specifically allowed.

Rules Applicable to Non-Specific States

After the connection aware groups are added, append to the general Host IPS Firewall rules any rules that should apply when the system has no connection matching any of the preceding connection aware groups. For example, if the Host IPS administrator wished to prevent FTP traffic to certain addresses unless the user is connected to the company LAN, he could include an ALLOW rule in the connection aware group and add a BLOCK rule after the connection aware groups. Again, any final required allow rules must be appended to the end of the general rules list or the traffic will be blocked.

Testing Connection Aware Groups

It is important to test the firewall rules to verify that network traffic will be filtered as intended by the general and connection aware group rule sets. The Host IPS administrator should create a test environment on which to test the rules.
1. Test the first rules for functionality.
   a. These rules should not be associated with a connection aware group.
   b. These rules should allow the system to boot and initialize the desired networking state.
2. Test the connection aware group.
   a. Create deny or permit rules immediately after the connection aware group that directly oppose the rules within the group, to verify that the traffic is being filtered as expected.
   b. Work through the rule list within the connection aware group, verifying that each rule is valid and is triggered by the correct adapter connection IP configuration information.
   c. Test any additional connection aware groups, adding contrary rules directly after each group to identify any rule that is not working.
3. When all connection aware groups are tested, remove the contrary rules added for testing, leaving the desired non-connection-specific general rule set.
4. Ensure the adapters do not match any connection aware group criteria and begin testing the general rules.
5. Finally, return to the properties of the connection aware groups and add enough criteria to ensure each group is used only when intended.
   a. Typically define 3 or more criteria.
   b. Retest a few of the rules within the connection aware group to ensure the more specific criteria have not become so specific that they exclude the intended connection.

Page 9

Limitations of Connection Aware Groups

Connection aware groups cannot enable or disable adapters based on their criteria or on the adapter's settings. The current McAfee Host IPS 6.0 product only filters traffic from connected and enabled adapters; the current technology and logic within the application do not allow for adapter or device control.

Adaptive rules or learned rules are not appended to connection aware groups. If it becomes apparent that important rules learned by the clients need to be included in the appropriate connection aware groups, the administrator must add those rules manually. Because the rules are learned at the client, there is no automated way to incorporate them into the firewall policy pushed down from the ePO management policy.

Connection aware groups cannot be made to identify rogue network environments. The configuration information of a connection aware group can be made very general; however, it is impossible to guess all the possible variations associated with rogue networks. Administrators should build connection aware groups based on network connections they can specifically define. Three or more criteria provide accurate application of the connection aware group. All other unknown adapter configuration traffic should be filtered by the general rule set.

Because many networks use private IP addressing schemes, 10.10.x.x and 192.168.x.x environments are very common. If too few criteria are defined for a connection aware group, an unintended network can match simply because it shares common traits with the intended network. Host IPS administrators are encouraged to specify as many criteria as possible to increase the probability of correct identification. The limitation here is that the connection aware group rules will be applied on unintended network environments simply because they match the connection aware group criteria.

There is a documented defect (BZ280294) that identifies a condition in which packet information is associated with an internal adapter and can therefore be filtered by any connection aware group that matches any bound adapter's criteria. This condition might manifest on systems with multiple network adapters and connection aware groups.

McAfee, Inc., 3965 Freedom Circle, Santa Clara, CA 95054, 888.847.8766. McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. 2005 McAfee, Inc. All Rights Reserved.