COPYRIGHT
TRADEMARK ATTRIBUTIONS
LICENSE INFORMATION License Agreement
Attributions
PATENT INFORMATION
Contents
1 Introducing Host Intrusion Prevention
2 Basic Concepts
3 Using ePolicy Orchestrator
4 IPS Policies
5 Firewall Policies
6 Application Blocking Policies
7 General Policies
8 Maintenance
9 Host Intrusion Prevention Client
1 Introducing Host Intrusion Prevention
What's new in this release
Changes from the previous release
New features
Using this guide
Audience
Conventions
This guide uses the following conventions:
Bold Condensed
Getting product information
Standard documentation
Contact information
Threat Center: McAfee Avert Labs http://www.mcafee.com/us/threat_center/default.asp
Download Site
Technical Support
Customer Service
2 Basic Concepts
IPS feature
Signature rules
Behavioral rules
Events
Reactions
Exception rules
Firewall feature
Firewall rules
Client firewall rules
Application Blocking feature
Client application blocking rules
General feature
Policy management
Policy enforcement
Policies and policy categories
Policy inheritance and assignment
Policy ownership
Policy assignment locking
Deployment and management
Preset protection
Adaptive and Learn mode
Tuning
Reports
3 Using ePolicy Orchestrator
ePolicy Orchestrator operations used with Host Intrusion Prevention
ePolicy Orchestrator console
Policy management
Assigning owners to policies
Generating notifications
Generating reports
Host Intrusion Prevention operations
Installing the Host Intrusion Prevention server
Deploying Host Intrusion Prevention clients
Viewing and working with client data
Placing clients in Adaptive or Learn mode
Configuring policies
Policy viewing alerts
Fine-tuning
Using Help
Help navigation procedures
Help in the user interface
Table 3-1 Host Intrusion Prevention icons: IPS Events/Signatures
IPS Signature Rules
4 IPS Policies
Host and network IPS signature rules
HIPS
NIPS
Behavioral rules
Preset IPS policies
Configuring the IPS Options policy
Configuring the IPS Protection policy
The IPS Protection dialog box appears.
3 Select the type of reaction for each severity level:
4 Click Apply, and then click Close.
5 Click Apply on the IPS Protection category line.
Configuring the IPS Rules policy
IPS Rules policy details
Exception Rules
Creating exception rules
Editing exception rules
Enabling and disabling exception rules
Deleting exception rules
Moving exception rules to another policy
Signatures
Types of signatures
Viewing signatures
Modifying host and network signatures
Creating custom signatures
Using the wizard to create signatures
Using the standard mode to create signatures
5 Click Apply to apply the new settings, and then click OK.
Editing custom signatures
Deleting custom signatures
To use Standard Method:
To use Expert Method:
Application Protection Rules
Editing Application Protection Rules
Enabling and disabling Application Protection Rules
Deleting Application Protection Rules
IPS Events
Viewing events
Configuring the event view
Filtering events
Marking events
Marking similar events
Viewing event details
Creating event-based exceptions and trusted applications
Example
Searching for related exceptions
IPS Client Rules
Regular View
Aggregated View
Search IPS Exception Rules
5 Firewall Policies
HIP 6.0 rules
HIP 6.1 rules
State table
State table functionality
How firewall rules work
Ordering the firewall rule list
How stateful filtering works
How stateful packet inspection works
Stateful protocol tracking
Firewall rule groups and connection-aware groups
Firewall Learn and Adaptive modes
Stateful filtering
Quarantine policies and rules
Migrating custom 6.0 firewall rules to 6.1 rules
Preset Firewall policies
Configuring the Firewall Options policy
Configuring the Firewall Rules policy
Creating new Firewall Rules policies
Minimal (Default)
Subnet Automatically
Learning Starter
Subnet Automatically
Client Medium
The Create New Policy dialog box appears.
Viewing and editing firewall rules
Creating a new firewall rule or firewall group
Deleting a firewall rule or group
Viewing firewall client rules
Configuring the Quarantine Options policy
Configuring the Quarantine Rules policy
Creating new Quarantine Rules policies
Viewing and editing quarantine rules
Creating a new quarantine rule or group
Deleting a quarantine rule or group
6 Application Blocking Policies
Application creation
Application hooking
Preset Application Blocking policies
Configuring the Application Blocking Options policy
Configuring the Application Blocking Rules policy
Creating new Application Blocking Rules policies
Viewing and editing Application Blocking Rules
Creating new Application Blocking Rules
Deleting an application blocking rule
Viewing application client rules
7 General Policies
Preset General policies
Configuring Enforce Policies
Configuring the Client UI policy
Creating and applying a Client UI policy
Setting passwords
Tray icon control
Configuring the Trusted Networks policy
5 Do any of the following:
Configuring the Trusted Applications policy
Creating and applying Trusted Applications policies
Creating trusted applications
Editing trusted applications
Enabling and disabling trusted applications
Deleting trusted applications
8 Maintenance
Fine-tuning a deployment
Analyzing IPS events
Creating exception rules and trusted application rules
Working with client exception rules
Creating and applying new policies
Policy maintenance and tasks
Policies tab
Policy inheritance and assignment
Policy Catalog
Viewing policy information
Editing policy information
Running server tasks
Directory Gateway
Event Archiver
Property Translator
Setting up notifications for events
How notifications work
Creating rules
Host Intrusion Prevention notifications
Running reports
Pre-defined reports
Report repository
Summary information and details
Report content control
Host Intrusion Prevention reports
The Host Intrusion Prevention report templates include:
IPS Events Summary by Signature
Use this report to view IPS events per signature. Details include:
Filters on signature, recording time, severity level, OS user, reaction, process, and source IP.
IPS Event Summary by Target
Use this report to view IPS events per host. Details include:
Filters on signature, recording time, severity level, OS user, reaction, process, and source IP.
Network Intrusion Summary by Source IP
Use this report to view network intrusion events per source IP. Details include:
Top 10 Attacked Nodes for IPS
Filters on platform and signature type.
Top 10 Triggered Signatures
Use this report to view a bar chart of the 10 most triggered IPS signatures. Details include:
Filters on platform and signature type.
Top 10 Blocked Applications
Use this report to view a bar chart of the 10 most blocked applications. Details include:
Filters on application description, host name, and event time.
Failed Quarantine Updates
Use this report to view failed quarantine updates per host. Details include:
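The report templates above all reduce to the same operations: group IPS events by signature, by target host or by source IP, rank the largest groups, and filter on severity, reaction, OS user, process, signature type and recording time. The Python script below is an added example, not part of this guide and not McAfee's own code; it reproduces those aggregations over a constructed set of events so the grouping and filtering logic is visible outside the ePolicy Orchestrator console. The IpsEvent field names and the sample events are assumptions made for illustration, not the product's export schema.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class IpsEvent:
    """One IPS event as reported by a client. Field names are an assumption
    for this example, not the product's event schema."""
    recorded: datetime
    signature: str
    sig_type: str                    # "HIPS" (host) or "NIPS" (network)
    severity: str                    # High, Medium, Low, Information
    host: str                        # target node that reported the event
    os_user: str
    reaction: str                    # Prevent, Log, Ignore
    process: str
    source_ip: Optional[str] = None  # populated only for network events


# Constructed sample events (illustrative data, not captured from a product).
SIG_OVERFLOW = "Buffer Overflow in Generic Application"
SIG_RUNKEY = "Registry Run Key Modification"
SIG_TRAVERSAL = "HTTP Directory Traversal"
SIG_NULLSESS = "SMB Null Session"

SAMPLE_EVENTS: List[IpsEvent] = [
    IpsEvent(datetime(2008, 3, 1, 9, 0), SIG_OVERFLOW, "HIPS", "High", "ws-101", "CORP\\alice", "Prevent", "notepad.exe"),
    IpsEvent(datetime(2008, 3, 1, 9, 5), SIG_OVERFLOW, "HIPS", "High", "ws-102", "CORP\\bob", "Prevent", "winword.exe"),
    IpsEvent(datetime(2008, 3, 1, 9, 10), SIG_RUNKEY, "HIPS", "Medium", "ws-101", "CORP\\alice", "Log", "setup.exe"),
    IpsEvent(datetime(2008, 3, 1, 10, 0), SIG_TRAVERSAL, "NIPS", "High", "srv-web-01", "SYSTEM", "Prevent", "-", "198.51.100.7"),
    IpsEvent(datetime(2008, 3, 1, 10, 2), SIG_TRAVERSAL, "NIPS", "High", "srv-web-01", "SYSTEM", "Prevent", "-", "198.51.100.7"),
    IpsEvent(datetime(2008, 3, 1, 10, 30), SIG_NULLSESS, "NIPS", "Medium", "srv-file-01", "SYSTEM", "Log", "-", "203.0.113.9"),
    IpsEvent(datetime(2008, 3, 2, 8, 15), SIG_OVERFLOW, "HIPS", "High", "ws-101", "CORP\\alice", "Prevent", "acrobat.exe"),
    IpsEvent(datetime(2008, 3, 2, 11, 45), SIG_TRAVERSAL, "NIPS", "High", "srv-web-01", "SYSTEM", "Prevent", "-", "203.0.113.9"),
]


def filter_events(events: Iterable[IpsEvent], **criteria) -> List[IpsEvent]:
    """Apply the report filters: exact match on any IpsEvent field, plus
    'since' (a datetime or ISO date string; keeps events recorded at or after it)."""
    since = criteria.pop("since", None)
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    kept = []
    for ev in events:
        if since is not None and ev.recorded < since:
            continue
        if all(getattr(ev, field) == value for field, value in criteria.items()):
            kept.append(ev)
    return kept


def count_by(events: Iterable[IpsEvent], field: str) -> Counter:
    """Number of events per distinct value of one field."""
    return Counter(getattr(ev, field) for ev in events)


def events_by_signature(events: Iterable[IpsEvent]) -> Counter:
    return count_by(events, "signature")


def events_by_target(events: Iterable[IpsEvent]) -> Counter:
    return count_by(events, "host")


def network_intrusions_by_source_ip(events: Iterable[IpsEvent]) -> Counter:
    """Only network (NIPS) events carry a source IP worth summarizing."""
    return count_by((ev for ev in events if ev.sig_type == "NIPS" and ev.source_ip), "source_ip")


def top_n(counts: Counter, n: int = 10) -> List[Tuple[str, int]]:
    """Largest groups first; ties broken by name so output is deterministic."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_attacked_nodes(events: Iterable[IpsEvent], n: int = 10, sig_type: Optional[str] = None) -> List[Tuple[str, int]]:
    evs = list(events) if sig_type is None else filter_events(events, sig_type=sig_type)
    return top_n(events_by_target(evs), n)


def top_triggered_signatures(events: Iterable[IpsEvent], n: int = 10, sig_type: Optional[str] = None) -> List[Tuple[str, int]]:
    evs = list(events) if sig_type is None else filter_events(events, sig_type=sig_type)
    return top_n(events_by_signature(evs), n)


if __name__ == "__main__":
    print("Top triggered signatures:", top_triggered_signatures(SAMPLE_EVENTS))
    print("Top attacked nodes (NIPS):", top_attacked_nodes(SAMPLE_EVENTS, sig_type="NIPS"))
    print("Network intrusions by source IP:", dict(network_intrusions_by_source_ip(SAMPLE_EVENTS)))
    print("High-severity prevented events since 2008-03-02:",
          len(filter_events(SAMPLE_EVENTS, severity="High", reaction="Prevent", since="2008-03-02")))
```

The same grouping is what the console reports do; running it over exported events is a quick way to check that a tuning change (a new exception rule or trusted application) actually reduced the count for the signature you targeted rather than shifting it elsewhere.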
Updating
Checking in the update package
Updating clients
9 Host Intrusion Prevention Client
Windows client
System tray icon
Client console
Unlocking the client interface
Setting options
Error Reporting
Troubleshooting
Logging
Host IPS engines
Alerts
Intrusion alerts
Firewall alerts
Application Blocking alerts
Quarantine alerts
Spoof Detected alerts
IPS Policy tab
IPS Policy options
IPS Policy exception rules
Exception rules list
Firewall Policy tab
Firewall Policy options
Firewall Policy Rules
Firewall rules list
Application Policy tab
Application Policy options
Application Policy rules
Application rules list
Blocked Hosts tab
Blocked Hosts list
Application Protection tab
Application Protection list
Activity Log tab
Activity Log options
Activity Log list
You can clear the list either by deleting the log contents or saving it to a .txt file.
Note:
McAfee Host Intrusion Prevention Options
Solaris client
Policy enforcement with the Solaris client
Troubleshooting
Client installation issues
Verifying installation files
Client operations issues
Starting and stopping the client
Linux client
Policy enforcement with the Linux client
Notes about the Linux client
Troubleshooting
Client installation issues
Verifying installation files
Verifying the client is running
Client operations issues
Troubleshooting tool
Starting and stopping the client
A
Rule Structure
See Windows Custom Signatures for an explanation of the various sections and values.
Mandatory common sections
Use of Include and Exclude
Optional common sections
Use of the dependencies section
Section value variables
Use of wildcards
Use of environment variables
Use of predefined variables
MS SQL Database Server
Solaris Apache and iPlanet
Windows Custom Signatures
The following table lists the possible sections of the class Files.
Class Files
Class Isapi
Class Registry
Class Services
The following rule would prevent deactivation of the Alerter service.
The various sections of this rule have the following meaning:
every one of these rules would need to use the same ID.
Solaris Custom Signatures
The following table lists the possible sections of the class UNIX_file.
Class UNIX_file
Advanced Details
Class UNIX_apache
Linux Custom Signatures
The following table lists the possible sections of the class UNIX_file.
Class UNIX_file
Summary of parameters and directives
The following is a summary of parameters and directives according to type.
List of parameters according to type
List of directives according to type
Glossary
Index