Manuals / McAfee / Marine Equipment / Marine Radio

McAfee 6.1 manual Firewall feature, Firewall rules, Client firewall rules

Models: 6.1

1 201

Download 201 pages 13.13 Kb

Page 17

McAfee® Host Intrusion Prevention 6.1 Installation/Configuration Guide	Basic Concepts
	Firewall feature

2

Firewall feature

The Host Intrusion Prevention Firewall feature acts as a filter between a computer and the network or Internet it is connected to. The 6.0 Firewall Rules policy uses static packet filtering with top-down rule matching. When a packet is analyzed and matched to a firewall rule, with criteria such as IP address, port number, and packet type, the packet is allowed or blocked. If no matching rule is found, the packet is dropped. The current version Firewall Rules policy uses both stateful packet filtering and stateful packet inspection.

Other features include:

A Quarantine Mode into which client computers can be placed and to which you can apply a strict set of firewall rules that defines with whom quarantined clients can and cannot communicate.

Connection Aware Groups that let you create specialized rule groups based on a specific connection type for each network adapter.

Firewall rules

You can create firewall rules as simple or complex as you need. Host Intrusion Prevention supports rules based on:

Connection type (network or wireless).

IP and non-IP protocols.

Direction of the network traffic (incoming, outgoing, or both).

Applications that generated the traffic.

Service or port used by a computer (as the recipient or the sender).

Service or port used by a remote computer (as the sender or the recipient).

Source and destination IP addresses.

Time of day or week that the packet was sent or received.

Client firewall rules

As with the IPS rules, a client in Adaptive or Learn mode can create client rules to allow blocked activity. You can track the client rules and view them in a regular and aggregated view. Use these client rules to create new policies or add them to existing policies that can be applied to other clients.

17

Image 17

McAfee 6.1 manual Firewall feature, Firewall rules, Client firewall rules

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion Changes from the previous release New featuresWhat’s new in this release Audience Using this guideThis guide uses the following conventions ConventionsBold Condensed ExampleStandard documentation Getting product informationContact information Customer ServiceProfessional Services Signature rules IPS featureBasic Concepts Events Behavioral rulesReactions Exception rulesClient firewall rules Firewall featureFirewall rules Client application blocking rules Application Blocking featureGeneral feature Policies and policy categories Policy managementPolicy enforcement Policy assignment locking Policy inheritance and assignmentPolicy ownership Deployment and management Preset protectionAdaptive and Learn mode Reports Tuning„ Deploy Host Intrusion Prevention clients Using ePolicy OrchestratorEPolicy Orchestrator console EPolicy Orchestrator consoleAssign Policies Policy managementHost Intrusion Prevention operations Installing the Host Intrusion Prevention serverAssigning owners to policies Generating notificationsViewing and working with client data Deploying Host Intrusion Prevention clientsPlacing clients in Adaptive or Learn mode Policy viewing alerts Configuring policiesActive X control security warning Fine-tuningHelp navigation procedures Using HelpIPS Events/Signatures Help in the user interfaceIPS Exception Rules IPS Signature RulesOverview IPS PoliciesBenefits of Host IPS Host and network IPS signature rulesBenefits of Network IPS Preset IPS policiesBehavioral rules To configure the IPS Options policy Configuring the IPS Options policyQuick access To create a new IPS Options policy Click ApplyIPS Options dialog box appears Select the needed optionsConfiguring the IPS Protection policy To create a new IPS Protection policy To configure the IPS Protection policySelect the type of reaction for each severity level IPS Protection dialog box appearsTo create a new IPS Rules policy Configuring the IPS Rules policyTo assign IPS Rules policies IPS Rules policy details To create an exception Creating exception rulesTo edit an exception rule Editing exception rulesYou can view and edit details of an existing exception Enabling and disabling exception rules To disable/enable an exceptionDeleting exception rules Moving exception rules to another policyTypes of signatures SignaturesHost signatures Custom host signaturesIPS Rules-Signatures tab Viewing signaturesModifying host and network signatures To modify default signaturesCreating custom signatures To modify the view of signaturesTo create signatures using the wizard Using the wizard to create signaturesTo create a signature with the standard mode Using the standard mode to create signaturesNew Custom Signature-General tab Deleting custom signatures Editing custom signaturesTo use Standard Method To use Expert Method To edit a custom signature11 Application Protection Rules analysis Application Protection Rules12 IPS Rules-Application Protection Rules To create an application protection rule13 New Trusted Application dialog box-General tab Editing Application Protection Rules IPS EventsEnabling and disabling Application Protection Rules Deleting Application Protection RulesTo view IPS events Viewing eventsTo change the event view Configuring the event viewFiltering events To mark an event as read Marking eventsTo mark an event as unread To hide an eventTo mark similar events Marking similar events„ Agent „ Signatures „ User „ Process „ Severity Level HiddenTo view event details Viewing event detailsCreating event-based exceptions and trusted applications To create an event-based trusted application To create an event-based exceptionTo search for a related exception IPS Client RulesSearching for related exceptions To migrate client rules to an IPS Rules policy Regular ViewClick the Aggregate View tab on the IPS Client Rules tab Aggregated ViewTo aggregate client rules To search for exceptions and manage the list of exceptions Search IPS Exception Rules22 Search IPS Exception Rules tab Firewall Policies HIP 6.1 rules HIP 6.0 rulesStateful packet inspection State tableStateful packet filtering Ordering the firewall rule list How firewall rules workStateful filtering process How stateful filtering worksProtocol Description of handling How stateful packet inspection worksStateful protocol tracking TCP Firewall rule groups and connection-aware groupsOverview Stateful filtering Firewall Learn and Adaptive modesQuarantine policies and rules To migrate rules Preset Firewall policiesMigrating custom 6.0 firewall rules to 6.1 rules To configure the Firewall Options policy Configuring the Firewall Options policySelect For these settings Off McAfee Default Learn„ Select New Policy Create New Policy dialog box appearsTo create a Firewall Rules policy Configuring the Firewall Rules policyCreating new Firewall Rules policies Include Local Subnet Automatically selected Server High Select this For this protection Policy Server MediumDo any of the following Viewing and editing firewall rulesTo view and edit a firewall rule Add Policy or Duplicate PolicyTo create a firewall rule Select the appropriate settings Click OKCreating a new firewall rule or firewall group Firewall Rule Group dialog box appears To create a new rule groupTo create a connection-aware group Type a name for this group in the Name fieldTo delete a firewall rule or group Deleting a firewall rule or groupTo add predefined rules To modify the view, do any of the following Viewing firewall client rulesTo view all firewall client rules To view details of an aggregated firewall rule To view aggregated firewall client rulesSelect New Policy Configuring the Quarantine Options policyTo configure the Quarantine Options policy Quarantine Rules policy provides access for Configuring the Quarantine Rules policyCreating new Quarantine Rules policies To create a Quarantine Rules policyClick Properties Viewing and editing quarantine rulesTo view and edit a quarantine rule Deleting a quarantine rule or group Creating a new quarantine rule or groupTo create a quarantine rule To delete a quarantine rule or groupApplication creation Application Blocking PoliciesApplication hooking Preset Application Blocking policiesApplication Blocking feature contains two policy categories To apply an Application Blocking Options policy Configuring the Application Blocking Options policySelect this policy For these settings Off McAfee Default Application Blocking Options To create an Application Blocking Rules policy Configuring the Application Blocking Rules policyCreating new Application Blocking Rules policies To view and edit an application blocking rule Viewing and editing Application Blocking RulesTo create a new application blocking rule Creating new Application Blocking RulesApplication Rule dialog box appears 100Viewing application client rules Deleting an application blocking ruleTo delete an application blocking rule To view all client application rulesTo view details of an aggregated client application rule To view aggregated client application rulesGeneral Policies General feature contains four policy categories Preset General policiesConfiguring the Client UI policy Configuring Enforce PoliciesTo change the policy setting Regular UserTo configure a Client UI policy Administrator UserCreating and applying a Client UI policy Disconnected User107 Setting passwords108 To create an administrator passwordClick the Advanced Options tab in the Client UI policy To provide tray icon control of Windows UI To create a time-based passwordTray icon control 110 Configuring the Trusted Networks policyTo configure trusted network options Edit Select To do this AddRemove Include Local SubnetCreating and applying Trusted Applications policies Configuring the Trusted Applications policyTo create a new policy Trusted Application tab appearsTo create a trusted application Creating trusted applicationsEditing trusted applications To disable/enable a trusted applicationEnabling and disabling trusted applications Deleting trusted applicationsFine-tuning a deployment MaintenanceAnalyzing IPS events 115Working with client exception rules Creating exception rules and trusted application rulesCreating and applying new policies For details on working with client rules, seeTo view and reset broken inheritance below a specific node Policy maintenance and tasksPolicies tab Policy inheritance and assignmentClick Copy policy assignments To copy and paste policy assignments of a nodePolicy Catalog To view nodes where a policy is assignedViewing policy information To view all policies that have been createdEditing policy information To view the settings and owner of a policyTo view assignments where policy enforcement is disabled To edit a policy Directory Gateway Running server tasksEvent Archiver Property TranslatorCreating rules Setting up notifications for eventsHow notifications work 124 Host Intrusion Prevention notificationsReport repository Running reportsPre-defined reports Host Intrusion Prevention reports Report content controlSummary information and details IPS Events Summary by SignatureSignature IPS Event Summary by TargetNetwork Intrusion Summary by Source IP Top 10 Triggered Signatures Top 10 Attacked Nodes for IPSBlocked Application Summary Filters on platform and signature typeInitial View Drill Down Host Name Failed Quarantine UpdatesTop 10 Blocked Applications To add update packages automatically Checking in the update packageUpdating From the Task type list, select Repository PullTo run an update task To add update packages manuallyTo have a client request an update Updating clientsWindows client Host Intrusion Prevention Client133 System tray iconClient console Unlocking the client interface Setting optionsTo unlock the Host Intrusion Prevention interface To customize client optionsTroubleshooting Error ReportingShow tray icon Error Reporting Select For thisSecurity Violations To set IPS logging optionsTo set Firewall logging options 137 AlertsIntrusion alerts Firewall alerts To respond to a firewall Learn Mode alert138 Has the Treat rule match as an intrusion option selectedApplication Blocking alerts „ The IP address that the traffic pretends to come from 140 Quarantine alertsSpoof Detected alerts IP Spoof Detected Alert dialog box 141IPS Policy options IPS Policy tabTo customize IPS Policy options 142Exception rules list IPS Policy exception rulesTo edit the exception rules 143Firewall Policy options Firewall Policy tabTo customize Firewall Policy options 144145 Firewall Policy RulesFirewall rules list Application Policy options Application Policy tabTo customize Application Policy options 146147 Application Policy rulesApplication rules list Blocked Hosts list Blocked Hosts tab148 Column What it showsUntil removed To edit the Blocked Hosts list149 Application Protection list Application Protection tabThis list shows all monitored processes on the client 150Activity Log options Activity Log tabTo customize Activity Log options 151152 Activity Log listSelect Create Sniffer Capture... McAfee Host Intrusion Prevention OptionsClient installation issues TroubleshootingSolaris client Policy enforcement with the Solaris clientRun this command To do this Client operations issues154 File/Directory Name Description155 To stop a Solaris clientTo restart a Solaris client Policy enforcement with the Linux client Linux clientFile Name Description Verifying the client is running158 Troubleshooting toolTo stop a Linux client Run the command hipts agent offTo restart a Linux client 159What is a policy? Frequently Asked QuestionsWhat is the McAfee Default policy? 160161 How do I create an exception based on an IPS Event? How do I view IPS events triggered by clients?How do I find existing policies that match a given profile? How do I create custom signatures for an IPS Policy?Rule Structure Writing Custom SignaturesBasic structure of a rule is the following 164Section Name Value Description Mandatory common sections165 Name/domain user name Use of Include and ExcludeUse of the dependencies section Optional common sectionsSection value variables Use of environment variables Use of wildcardsUse of predefined variables Windows IIS Web Server169 MS SQL Database ServerSolaris Apache and iPlanet Windows Custom Signatures This topic describes how to write Windows custom signaturesClass Files 170171 GUI name Explanation Advanced DetailsClass Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Section Values Meaning/remarks Class ServicesGUI Name Explanation Possible Values Windows Custom Signatures Solaris Custom Signatures This topic describes how to write Solaris custom signaturesClass UNIXfile 181Directive File Source File permission New permission Relevant X directives per section183 Advanced DetailsClass UNIXapache Solaris Custom Signatures 185 Linux Custom SignaturesList of parameters according to type Summary of parameters and directivesList of directives according to type 186187 GlossaryBlocked host 188Console tree 189EPolicy Orchestrator database server 190See also minimal properties 191Inactive agent 192Policy enforcement interval 193Severity level 194SYN flood 195Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com