Check: H37000 - HIP 8 FW
HBSS HIP 8 Firewall:
H37000 - HIP 8 FW
(in versions v1 r13 through v1 r12)
Title
(U//FOUO) The Host Intrusion Prevention System (HIPS) Firewall must include a rule to allow outbound connections, unless a rule explicitly blocks the connection. (Cat II impact)
Discussion
Outbound connections are imperative for the operation of the McAfee Agent to communicate with the ePO server, Agent Handlers, and repositories. To ensure that connectivity is maintained, all outbound connections must be allowed with an explicit rule. Rules may also be explicitly created to block undesired outbound connections.
Check Content
Note: This check is intended for client workstations. Refer to the following STIGs for additional firewall rules that must be implemented for each specific application: ePO server STIGs, Agents Handler STIG, Staging Server STIG and Remote Console STIG.

If H36900 is compliant (HIPS Enabled), any FW policy applied has an implicit rule to block all traffic, but it is hidden and cannot be checked. The spirit and intent of this STIG check is to ensure there are explicit rules configured to allow all known inbound and outbound traffic, especially outbound, so that the client can communicate with the ePO server and other security systems. This can be individual rules blocking specific outbound destinations/protocols, with an "Allow All" immediately below those explicit outbound block rules but above the "Block All" rule, or it can be only specific and explicitly configured outbound allow rules. This check will ensure the client workstation can make all outbound connections except for those explicitly dropped. This rule must be above the "Block All" rule but below all explicitly configured rules.

From the HBSS client, right-click the "McAfee Agent" icon in the system tray, then select Manage Features | Host Intrusion Prevention to open the McAfee UI console. Select the "Firewall Policy" tab. From the "Firewall rules" list, verify there is a rule, or multiple rules, to allow outbound connections.

If no rule exists to allow outbound connections, this is a finding.
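The ordering logic described above (explicit outbound blocks, then an outbound allow, then "Block All") can be checked mechanically against an exported rule list. The following is an added example, not part of the STIG or of any McAfee tooling; the FwRule model, the field names and the sample policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FwRule:
    name: str
    action: str                    # "allow" or "block"
    direction: str                 # "in", "out" or "either"
    service: Optional[str] = None  # None = any service, i.e. a catch-all rule

def _outbound(rule: FwRule) -> bool:
    return rule.direction in ("out", "either")

def evaluate_h37000(rules: List[FwRule]) -> dict:
    """Walk a top-down, first-match rule list and apply the H37000 criterion."""
    # An explicit Block All ends the reachable part of the list; HIPS adds a
    # hidden Block All at the end anyway, so anything below one is never hit.
    reachable: List[FwRule] = []
    for rule in rules:
        if rule.action == "block" and rule.service is None and _outbound(rule):
            break
        reachable.append(rule)

    if not any(r.action == "allow" and _outbound(r) for r in reachable):
        return {"finding": True, "shadowed": [],
                "reason": "no reachable rule allows outbound connections"}

    # An outbound Allow All hides every explicit outbound block placed below it;
    # the check wants those blocks above the allow rule.
    shadowed: List[str] = []
    for i, r in enumerate(reachable):
        if r.action == "allow" and r.service is None and _outbound(r):
            shadowed = [b.name for b in reachable[i + 1:]
                        if b.action == "block" and _outbound(b)]
            break
    return {"finding": False, "shadowed": shadowed,
            "reason": "outbound allow rule present"}

# Constructed sample policies (illustrative, not taken from the STIG).
COMPLIANT = [FwRule("Block outbound SMTP", "block", "out", "smtp"),
             FwRule("Allow all outbound", "allow", "out"),
             FwRule("Block All", "block", "either")]
NO_ALLOW = [FwRule("Block outbound SMTP", "block", "out", "smtp"),
            FwRule("Block All", "block", "either")]
MISORDERED = [FwRule("Allow all outbound", "allow", "out"),
              FwRule("Block outbound SMTP", "block", "out", "smtp"),
              FwRule("Block All", "block", "either")]
UNREACHABLE = [FwRule("Block All", "block", "either"),
               FwRule("Allow all outbound", "allow", "out")]
```

A non-empty `shadowed` list is not a finding under this check's wording, but it means the explicit outbound blocks sit below the allow rule and are never evaluated.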
Fix Text
From the ePO server console, select the asset to be checked, then select "Assigned Policies", followed by the correct version of HIPS from the dropdown product list (e.g., Host Intrusion Prevention 8: Firewall). From the "Firewall Rules" category, select the applicable policy. Create a firewall rule to allow outbound connections.
Additional Identifiers
Rule ID: SV-60365r4_rule
Vulnerability ID: V-47483
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |