McAfee 6.1 - page 75

75

McAfee® Host Intrusion Prevention6.1 Pro duct Guide Firewall Policies

Overview 5

Connection-aware groups let you manage rules that apply only when you connect to a

network using a wired connection, a wireless connection, or a non-specific connection

with particular parameters. In addition, these groups are network adapter-aware, so

that computers with multiple network interfaces can have rules apply that are adapter

specific. Parameters for allowed connections can include any or all of the following for

each network adapter:

IP address

DNS suffix

Gateway IP/MAC pair

DHCP IP/MAC pair

DNS server queried to resolve URLs

WINS server used

If two connection-aware groups apply to a connection, Host Intrusion Prevention uses

normal precedence and processes the first applicable connection-aware group in its

rule list. If no rule in the first connection-aware group matches, rule processing

continues and may match a rule in the next group.

When Host Intrusion Prevention matches a connection-aware group’s parameters to

an active connection, it applies the rules within the connection group. It treats the rules

as a small rule set and uses normal precedence. If some rules do not match the

intercepted traffic, the firewall ignores them.

A connection is allowed when all of the following conditions apply to a network adapter:

If Connection type is LAN.

or

If Connection type is Wireless (802.11).

or

If Connection type is Any and the DNS suffix list or the IP Address List is

populated.

If Check IP Address List is selected, the IP address of the adapter must match one

of the list entries.

If Check DNS Suffix List is selected, the DNS suffix of the adapter must match one

of the list entries. (DNS name matching is case sensitive.)

If Check Default Gateway List is selected, the default adapter Gateway IP/MAC pair

must match at least one of the list entries.

If Check DHCP Server List is selected, the adapter DHCP server IP/MAC pair must

match at least one of the list entries.

Note: The MAC address is optional and used only when specified.

If Check Primary DNS Server List is selected, the adapter DNS server IP address must

match any of the list entries.

If Check Secondary DNS Server List is selected, the adapter DNS server IP address

must match any of the list entries.

Contents

Main Page Page COPYRIGHT TRADEMARK ATTRIBUTIONS LICENSE INFORMATION License Agreement Attributions PATENT INFORMATION Contents 1 Introducing Host Intrusion Prevention 9 2Basic Concepts 15 3 Using ePolicy Orchestrator 23 4 IPS Policies 33 5 Firewall Policies 68 6 Application Blocking Policies 94 7 General Policies 103 8 Maintenance 115 9 Host Intrusion Prevention Client 132 Page 1 Prevention Whats new in this release Changes from the previous release New features Using this guide Audience Conventions This guide uses the following conventions: Bold Condensed Getting product information Standard documentation Contact information Threat Center: McAfee Avert Labs http://www.mcafee.com/us/threat_center/default.asp Download Site Technical Support Customer Service 2 IPS feature Signature rules Behavioral rules Events Reactions Exception rules Firewall feature Firewall rules Client firewall rules Application Blocking feature Client application blocking rules General feature Policy management Policy enforcement Policies and policy categories Policy inheritance and assignment Policy ownership Policy assignment locking Deployment and management Preset protection Adaptive and Learn mode Tuning Reports 3 ePolicy Orchestrator operations used with Host Intrusion Prevention ePolicy Orchestrator console Policy management Assigning owners to policies Generating notifications Generating reports Host Intrusion Prevention operations Installing the Host Intrusion Prevention server Deploying Host Intrusion Prevention clients Viewing and working with client data Placing clients in Adaptive or Learn mode Configuring policies Policy viewing alerts Fine-tuning Using Help Help navigation procedures Help in the user interface Table3-1 Host Intrusion Prevention icons IPS Events/Signatures IPS Signature Rules 4 Host and network IPS signature rules HIPS NIPS Behavioral rules Preset IPS policies Configuring the IPS Options policy Page Configuring the IPS Protection policy Page The IPS Protection dialog box appears. 3Select the type of reaction for each severity level: 4Click Apply, and then click Close. 5Click Apply on the IPS Protection category line. Configuring the IPS Rules policy IPS Rules policy details Exception Rules Creating exception rules Editing exception rules Enabling and disabling exception rules Deleting exception rules Moving exception rules to another policy Signatures Types of signatures Viewing signatures Modifying host and network signatures Creating custom signatures Using the wizard to create signatures Using the standard mode to create signatures Page 5Click Apply to apply the new settings, and then OK. Editing custom signatures Deleting custom signatures To use Standard Method: To use Expert Method: Application Protection Rules Page Page Editing Application Protection Rules Enabling and disabling Application Protection Rules Deleting Application Protection Rules IPS Events Viewing events Configuring the event view Filtering events Marking events Marking similar events Viewing event details Creating event-based exceptions and trusted applications Example Searching for related exceptions IPS Client Rules Regular View Aggregated View Search IPS Exception Rules Page 5 HIP 6.0 rules HIP 6.1 rules State table State table functionality How firewall rules work Ordering the firewall rule list How stateful filtering works How stateful packet inspection works Stateful protocol tracking Firewall rule groups and connection-aware groups Page Firewall Learn and Adaptive modes Stateful filtering Quarantine policies and rules Migrating custom 6.0 firewall rules to 6.1 rules Preset Firewall policies Configuring the Firewall Options policy Page Configuring the Firewall Rules policy Creating new Firewall Rules policies Minimal (Default) Subnet Automatically Learning Starter Subnet Automatically Client Medium The Create New Policy dialog box appears. Viewing and editing firewall rules Creating a new firewall rule or firewall group Page Deleting a firewall rule or group Viewing firewall client rules Page Configuring the Quarantine Options policy Configuring the Quarantine Rules policy Creating new Quarantine Rules policies Viewing and editing quarantine rules Creating a new quarantine rule or group Deleting a quarantine rule or group 6 Application creation Application hooking Preset Application Blocking policies Configuring the Application Blocking Options policy Page Configuring the Application Blocking Rules policy Creating new Application Blocking Rules policies Viewing and editing Application Blocking Rules Creating new Application Blocking Rules Deleting an application blocking rule Viewing application client rules Page 7 Preset General policies Configuring Enforce Policies Configuring the Client UI policy Creating and applying a Client UI policy Setting passwords Page Tray icon control Configuring the Trusted Networks policy 5Do any of the following: Configuring the Trusted Applications policy Creating and applying Trusted Applications policies Creating trusted applications Editing trusted applications Enabling and disabling trusted applications Deleting trusted applications 8 Fine-tuning a deployment Analyzing IPS events Creating exception rules and trusted application rules Working with client exception rules Creating and applying new policies Policy maintenance and tasks Policies tab Policy inheritance and assignment Page Policy Catalog Viewing policy information Editing policy information Page Running server tasks Directory Gateway Event Archiver Property Translator Setting up notifications for events How notifications work Creating rules Host Intrusion Prevention notifications Running reports Pre-defined reports Report repository Summary information and details Report content control Host Intrusion Prevention reports The Host Intrusion Prevention report templates include: IPS Events Summary by Signature Use this report to view IPS events per signature. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. IPS Event Summary by Target Use this report to view IPS events per host. Details include: Filters on signature, recording time, severity level, OS user, reaction, process, and source IP. Network Intrusion Summary by Source IP Use this report to view network intrusion events per source IP. Details include: Top 10 Attacked Nodes for IPS Filters on platform and signature type. Top 10 Triggered Signatures Use this report to view a bar chart of the 10 most triggered IPS signatures. Details include: Filters on platform and signature type. Top 10 Blocked Applications Use this report to view a bar chart of the 10 most blocked applications. Details include: Filters on application description, host name, and event time. Failed Quarantine Updates Use this report to view failed quarantine updates per host. Details include: Updating Checking in the update package Updating clients 9 Windows client System tray icon Client console Unlocking the client interface Setting options Error Reporting Troubleshooting Logging Host IPS engines Alerts Intrusion alerts Firewall alerts Application Blocking alerts Quarantine alerts Spoof Detected alerts Page IPS Policy tab IPS Policy options IPS Policy exception rules Exception rules list Firewall Policy tab Firewall Policy options Firewall Policy Rules Firewall rules list Application Policy tab Application Policy options Application Policy rules Application rules list Blocked Hosts tab Blocked Hosts list Page Application Protection tab Application Protection list Activity Log tab Activity Log options Activity Log list You can clear the list either by deleting the log contents or saving it to a .txt file. Note: McAfee Host Intrusion Prevention Options Solaris client Policy enforcement with the Solaris client Troubleshooting Client installation issues Verifying installation files Client operations issues Starting and stopping the client Linux client Policy enforcement with the Linux client Notes about the Linux client Troubleshooting Client installation issues Verifying installation files Verifying the client is running Client operations issues Troubleshooting tool Starting and stopping the client 10 Page Page Page A Rule Structure See Windows Custom Signatures for an explanation of the various sections and values. Mandatory common sections Use of Include and Exclude Optional common sections Use of the dependencies section Section value variables Use of wildcards Use of environment variables Use of predefined variables MS SQL Database Server Solaris Apache and iPlanet Windows Custom Signatures The following table lists the possible sections of the class Files. Class Files Page Page Class Isapi Page Page Class Registry Page Class Services The following rule would prevent deactivation of the Alerter service. The various sections of this rule have the following meaning: every one of these rules would need to use the same ID. Page Solaris Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Page Advanced Details Class UNIX_apache Page Linux Custom Signatures The following table lists the possible sections of the class Files. Class UNIX_file Summary of parameters and directives The following is a summary of parameters and directives according to type. List of parameters according to type List of directives according to type Glossary Page Page Page Page Page Page Page Page Index A B C D G H I K L Q R S T U