HBSS HIP 8 Firewall Version Comparison
There are 2 differences between versions v1 r12 (April 26, 2019) (the "left" version) and v1 r14 (Oct. 25, 2019) (the "right" version).
Check H37000 - HIP 8 FW was changed between these two versions.
Text Differences
Title
(U//FOUO) The Host Intrusion Prevention System (HIPS) Firewall must include a rule to allow outbound connections, unless a rule explicitly blocks the connection.
Check Content
Common to both versions: Note: This check is intended for outbound connections from client workstations. Refer to the following STIGs for additional firewall rules that must be implemented for each specific application: ePO server STIGs, Agents Handler STIG, Staging Server STIG and Remote Console STIG. If H36900 is compliant (HIPS Enabled), any FW policy applied has an implicit rule to block all traffic but is hidden and cannot be checked.
Left (v1 r12): The spirit and intent of this STIG check is to ensure there are explicit rules configured to allow all OUTBOUND traffic so that the client can communicate to the ePO server and other security systems. This can be individual rules blocking specific outbound destination/protocols, with an "Allow All" immediately below the explicit outbound block rules but above the "Block All".
Right (v1 r14): The spirit and intent of this STIG check is to ensure there are explicit rules configured to allow known inbound and outbound traffic, especially outbound so that the client can communicate to the ePO server and other security systems, unless blocked by a specific block rule. This can be individual rules allowing specific outbound destination/protocols with an "Allow All" immediately below those explicit outbound block rules but above the "Block All" rule or can only be specific and explicitly configured outbound allow rules.
Common to both versions (continued): This check will ensure the client workstation can make all outbound connections except for those explicitly dropped. This rule must be above the "Block All" rule but below all explicitly configured rules. From the HBSS client, right-click the "McAfee Agent" icon in the system tray, then select Manage Features | Host Intrusion Prevention to open the McAfee UI console. Select the "Firewall Policy" tab. From the "Firewall rules" list, verify there is a rule, or multiple rules, to allow outbound connections. If no rule exists to allow outbound connections, this is a finding.
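As an added illustration (not part of the STIG text and not McAfee code), the following Python model evaluates an ordered HIP firewall rule list first-match and audits where the outbound "Allow All" rule sits relative to the explicit block rules and the "Block All" rule. The rule names, the ePO server address 192.0.2.10 and the SMB destination 203.0.113.9 are constructed for the example; the real HIP engine matches on more fields, but the ordering behaviour is the point the check content makes.

```python
"""Added example (not from the STIG or from McAfee): first-match model of an
ordered HIP 8 firewall rule list, showing why the outbound "Allow All" rule
must sit below the explicit block rules and above "Block All".
Rule names, addresses and ports below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for destination, port or protocol


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    direction: str              # "in", "out" or "either"
    dest: Optional[str] = ANY   # destination IP, or ANY
    port: Optional[int] = ANY   # destination port, or ANY
    proto: Optional[str] = ANY  # "tcp"/"udp", or ANY

    def matches(self, direction: str, dest: str, port: int, proto: str) -> bool:
        return (self.direction in ("either", direction)
                and self.dest in (ANY, dest)
                and self.port in (ANY, port)
                and self.proto in (ANY, proto))

    def is_allow_all_outbound(self) -> bool:
        return (self.action == "allow" and self.direction in ("out", "either")
                and (self.dest, self.port, self.proto) == (ANY, ANY, ANY))

    def is_block_all(self) -> bool:
        return (self.action == "block" and self.direction == "either"
                and (self.dest, self.port, self.proto) == (ANY, ANY, ANY))


def evaluate(rules: List[Rule], direction: str, dest: str, port: int, proto: str) -> str:
    """First matching rule wins. If nothing matches, the hidden implicit
    block-all that the check content describes applies."""
    for rule in rules:
        if rule.matches(direction, dest, port, proto):
            return rule.action
    return "block"


def audit_outbound_allow(rules: List[Rule]) -> List[str]:
    """Problems with the outbound allow rule's presence and position.
    An empty list means the ordering the check asks for is satisfied."""
    problems: List[str] = []
    allow_idx = next((i for i, r in enumerate(rules) if r.is_allow_all_outbound()), None)
    if allow_idx is None:
        problems.append("finding: no rule allows outbound connections")
        return problems
    allow_name = rules[allow_idx].name
    for i, r in enumerate(rules):
        if i < allow_idx and r.is_block_all():
            problems.append(f"'{allow_name}' is below '{r.name}' and can never match")
        if (i > allow_idx and r.action == "block" and not r.is_block_all()
                and r.direction in ("out", "either")):
            problems.append(f"explicit block rule '{r.name}' is shadowed by '{allow_name}' above it")
    return problems


# Constructed sample rules and policies (not from any real ePO policy).
BLOCK_SMB_OUT = Rule("Block outbound SMB to 203.0.113.9", "block", "out", "203.0.113.9", 445, "tcp")
ALLOW_ALL_OUT = Rule("Allow all outbound", "allow", "out")
BLOCK_ALL = Rule("Block All", "block", "either")

COMPLIANT = [BLOCK_SMB_OUT, ALLOW_ALL_OUT, BLOCK_ALL]   # block rules, then Allow All, then Block All
SHADOWED = [ALLOW_ALL_OUT, BLOCK_SMB_OUT, BLOCK_ALL]    # Allow All above an explicit block
UNREACHABLE = [BLOCK_SMB_OUT, BLOCK_ALL, ALLOW_ALL_OUT] # Allow All below Block All
NO_ALLOW = [BLOCK_SMB_OUT, BLOCK_ALL]                   # no outbound allow rule at all

EPO = ("out", "192.0.2.10", 443, "tcp")    # constructed ePO server connection
SMB = ("out", "203.0.113.9", 445, "tcp")   # constructed connection that should be dropped

if __name__ == "__main__":
    for label, policy in [("COMPLIANT", COMPLIANT), ("SHADOWED", SHADOWED),
                          ("UNREACHABLE", UNREACHABLE), ("NO_ALLOW", NO_ALLOW)]:
        print(label, "ePO:", evaluate(policy, *EPO), "SMB:", evaluate(policy, *SMB),
              audit_outbound_allow(policy))
```

Only the COMPLIANT ordering both reaches the ePO server and still drops the explicitly blocked destination; with the allow rule above an explicit block the block is dead, and with it below "Block All" it is never evaluated, which is exactly the "above the Block All rule but below all explicitly configured rules" condition in the check content.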
Discussion
Outbound connections are imperative for the operation of the McAfee Agent to communicate with the ePO server, Agent Handlers, and repositories. To ensure that connectivity is maintained, all outbound connections must be allowed with an explicit rule. Rules may also be explicitly created to block undesired outbound connections.
Fix
From the ePO server console, select the asset to be checked, then select "Assigned Policies", followed by the correct version of HIPS from the dropdown product list (e.g., Host Intrusion Prevention 8: Firewall). From the "Firewall Rules" category, select the applicable policy. Create a firewall rule to allow outbound connections.