McAfee 6.1 2

15

2Basic Concepts

McAfee® Host Intrusion Prevention is a host-based intrusion protection system. It

protects against known and unknown attacks, including worms, Trojan horses, buffer

overflow, critical system file modification, and privilege escalation. Host Intrusion

Prevention management is delivered through the ePolicy Orchestrator console and

provides the ability to set and apply host intrusion prevention, firewall, application

blocking, and general policies. Host Intrusion Prevention clients are deployed to servers

and desktops and function as independent protective units. They report their activity to

ePolicy Orchestrator and retrieve updates for new attack definitions.

This section describes the four features of Host Intrusion Prevention and how it works

with ePolicy Orchestrator, and includes the following topics:

IPS feature

Firewall feature

Application Blocking feature

General feature

Policy management

Deployment and management

IPS feature

The IPS (Intrusion Prevention System) feature monitors all system and API calls and

blocks those that might result in malicious activity. Host Intrusion Prevention

determines which process is using a call, the security context in which the process

runs, and the resource being accessed. A kernel-level driver, which receives redirected

entries in the user-mode system call table, monitors the system call chain. When calls

are made, the driver compares the call request against a database of combined

signatures and behavioral rules to determine whether to allow, block, or log an action.

Signature rules

Signature rules are patterns of characters than can be matched against a traffic stream.

For example, a signature rule might look for a specific string in an HTTP request. If the

string matches one in a known attack, action is taken. These rules provide protection

against known attacks.

Contents

Main Page Page COPYRIGHT TRADEMARK ATTRIBUTIONS LICENSE INFORMATION License Agreement Attributions PATENT INFORMATION Contents 1 Introducing Host Intrusion Prevention 9 2Basic Concepts 15 3 Using ePolicy Orchestrator 23 4 IPS Policies 33 5 Firewall Policies 68 6 Application Blocking Policies 94 7 General Policies 103 8 Maintenance 115 9 Host Intrusion Prevention Client 132 Page 1 Prevention Whats new in this release Changes from the previous release New features Using this guide Audience Conventions This guide uses the following conventions: Bold Condensed Getting product information Standard documentation Contact information Threat Center: McAfee Avert Labs http://www.mcafee.com/us/threat_center/default.asp Download Site Technical Support Customer Service 2 IPS feature Signature rules Behavioral rules Events Reactions Exception rules Firewall feature Firewall rules Client firewall rules Application Blocking feature Client application blocking rules General feature Policy management Policy enforcement Policies and policy categories Policy inheritance and assignment Policy ownership Policy assignment locking Deployment and management Preset protection Adaptive and Learn mode Tuning Reports 3 ePolicy Orchestrator operations used with Host Intrusion Prevention ePolicy Orchestrator console Policy management Assigning owners to policies Generating notifications Generating reports Host Intrusion Prevention operations Installing the Host Intrusion Prevention server Deploying Host Intrusion Prevention clients Viewing and working with client data Placing clients in Adaptive or Learn mode Configuring policies Policy viewing alerts Fine-tuning Using Help Help navigation procedures Help in the user interface Table3-1 Host Intrusion Prevention icons IPS Events/Signatures IPS Signature Rules 4 Host and network IPS signature rules HIPS NIPS Behavioral rules Preset IPS policies Configuring the IPS Options policy Page Configuring the IPS Protection policy Page The IPS Protection dialog box appears. 3Select the type of reaction for each severity level: 4Click Apply, and then click Close. 5Click Apply on the IPS Protection category line. Configuring the IPS Rules policy IPS Rules policy details Exception Rules Creating exception rules Editing exception rules Enabling and disabling exception rules Deleting exception rules Moving exception rules to another policy Signatures Types of signatures Viewing signatures Modifying host and network signatures Creating custom signatures Using the wizard to create signatures Using the standard mode to create signatures Page 5Click Apply to apply the new settings, and then OK. Editing custom signatures Deleting custom signatures To use Standard Method: To use Expert Method: Application Protection Rules Page Page Editing Application Protection Rules Enabling and disabling Application Protection Rules Deleting Application Protection Rules IPS Events Viewing events Configuring the event view Filtering events Marking events Marking similar events Viewing event details Creating event-based exceptions and trusted applications Example Searching for related exceptions IPS Client Rules Regular View Aggregated View Search IPS Exception Rules Page 5 HIP 6.0 rules HIP 6.1 rules State table State table functionality How firewall rules work Ordering the firewall rule list How stateful filtering works How stateful packet inspection works Stateful protocol tracking Firewall rule groups and connection-aware groups Page Firewall Learn and Adaptive modes Stateful filtering Quarantine policies and rules Migrating custom 6.0 firewall rules to 6.1 rules Preset Firewall policies Configuring the Firewall Options policy Page Configuring the Firewall Rules policy Creating new Firewall Rules policies Minimal (Default) Subnet Automatically Learning Starter Subnet Automatically Client Medium The Create New Policy dialog box appears. Viewing and editing firewall rules Creating a new firewall rule or firewall group Page Deleting a firewall rule or group Viewing firewall client rules Page Configuring the Quarantine Options policy Configuring the Quarantine Rules policy Creating new Quarantine Rules policies Viewing and editing quarantine rules Creating a new quarantine rule or group Deleting a quarantine rule or group 6 Application creation Application hooking Preset Application Blocking policies Configuring the Application Blocking Options policy Page Configuring the Application Blocking Rules policy Creating new Application Blocking Rules policies Viewing and editing Application Blocking Rules Creating new Application Blocking Rules Deleting an application blocking rule Viewing application client rules Page 7 Preset General policies Configuring Enforce Policies Configuring the Client UI policy Creating and applying a Client UI policy Setting passwords Page Tray icon control Configuring the Trusted Networks policy 5Do any of the following: Configuring the Trusted Applications policy Creating and applying Trusted Applications policies Creating trusted applications Editing trusted applications Enabling and disabling trusted applications Deleting trusted applications 8 Fine-tuning a deployment Analyzing IPS events Creating exception rules and trusted application rules Working with client exception rules Creating and applying new policies Policy maintenance and tasks Policies tab Policy inheritance and assignment Page Policy Catalog Viewing policy information Editing policy information Page Running server tasks Directory Gateway Event Archiver Property Translator Setting up notifications for events How notifications work Creating rules Host Intrusion Prevention notifications Running reports Pre-defined reports Report repository Summary information and details Report content control Host Intrusion Prevention reports The Host Intrusion Prevention report templates include: IPS Events Summary by Signature Use this report to view IPS events per signature. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. IPS Event Summary by Target Use this report to view IPS events per host. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. Network Intrusion Summary by Source IP Use this report to view network intrusion events per source IP. Details include: Top 10 Attacked Nodes for IPS Filters on platform and signature type. Top 10 Triggered Signatures Use this report to view a bar chart of the 10 most triggered IPS signatures. Details include: Filters on platform and signature type. Top 10 Blocked Applications Use this report to view a bar chart of the 10 most blocked applications. Details include: Filters on application description, host name, and event time. Failed Quarantine Updates Use this report to view failed quarantine updates per host. Details include: Updating Checking in the update package Updating clients 9 Windows client System tray icon Client console Unlocking the client interface Setting options Error Reporting Troubleshooting Logging Host IPS engines Alerts Intrusion alerts Firewall alerts Application Blocking alerts Quarantine alerts Spoof Detected alerts Page IPS Policy tab IPS Policy options IPS Policy exception rules Exception rules list Firewall Policy tab Firewall Policy options Firewall Policy Rules Firewall rules list Application Policy tab Application Policy options Application Policy rules Application rules list Blocked Hosts tab Blocked Hosts list Page Application Protection tab Application Protection list Activity Log tab Activity Log options Activity Log list You can clear the list either by deleting the log contents or saving it to a .txt file. Note: McAfee Host Intrusion Prevention Options Solaris client Policy enforcement with the Solaris client Troubleshooting Client installation issues Verifying installation files Client operations issues Starting and stopping the client Linux client Policy enforcement with the Linux client Notes about the Linux client Troubleshooting Client installation issues Verifying installation files Verifying the client is running Client operations issues Troubleshooting tool Starting and stopping the client 10 Page Page Page A Rule Structure See Windows Custom Signatures for an explanation of the various sections and values. Mandatory common sections Use of Include and Exclude Optional common sections Use of the dependencies section Section value variables Use of wildcards Use of environment variables Use of predefined variables MS SQL Database Server Solaris Apache and iPlanet Windows Custom Signatures The following table lists the possible sections of the class Files. Class Files Page Page Class Isapi Page Page Class Registry Page Class Services The following rule would prevent deactivation of the Alerter service. The various sections of this rule have the following meaning: every one of these rules would need to use the same ID. Page Solaris Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Page Advanced Details Class UNIX_apache Page Linux Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Summary of parameters and directives The following is a summary of parameters and directives according to type. List of parameters according to type List of directives according to type Glossary Page Page Page Page Page Page Page Page Index A B C D G H I K L Q R S T U