McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.
COPYRIGHT Copyright © 2007 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Contents (excerpt)
Introducing Host Intrusion Prevention 7.0 ... 7
Host Intrusion Prevention protection ... 7
Basic protection ... 8
Advanced protection
Configuring IPS Policies ... 24
Overview of IPS policies ... 24
Signature rules and how they work ... 24
Behavioral rules
Creating firewall rule groups ... 61
Creating firewall connection-aware groups ... 62
Adding predefined firewall rules ... 62
Managing Firewall client rules
Unlocking the Windows client interface ... 87
Setting client UI options ... 87
Client error reporting ... 88
Troubleshooting the Windows client
Introducing Host Intrusion Prevention 7.0
McAfee Host Intrusion Prevention is a host-based intrusion detection and prevention system that protects system resources and applications from external and internal attacks. It delivers a manageable and scalable intrusion prevention solution for workstations, notebooks, and critical servers, including web and database servers. It proactively blocks zero-day and known attacks with patented technology.
Types of Host Intrusion Prevention policies
Basic protection
Host Intrusion Prevention ships with a set of default settings that provide basic "out-of-the-box" protection for your environment. These settings include:
• IPS protection is enabled; high severity signatures are prevented and all other signatures are ignored.
• Firewall, quarantine, and application blocking protection are not enabled.
Policy management
• Firewall Options. Turns firewall protection on or off and applies adaptive or learn mode.
• Firewall Rules. Defines firewall rules.
• Quarantine Options. Turns quarantine mode on or off.
• Quarantine Rules. Defines the firewall rules applied during quarantine.
Application Blocking policies
The Application Blocking feature contains two policies that manage application creation and application hooking.
• Application Blocking Options.
Policy tracking and tuning
The two Host Intrusion Prevention policies without a My Default policy, IPS Rules and Trusted Applications, are called multiple-instance policies because you can assign multiple policy instances under a single policy. The policy instances are automatically combined into one effective policy.
Prevention you can divide administrative duties based on product features, such as IPS or firewall. Deploying Host Intrusion Prevention to thousands of computers is easily managed because most computers fit into a few usage profiles. Managing a large deployment is reduced to maintaining a few policy rules.
You can reduce the number of false positives by creating exception rules, trusted applications, and firewall rules.
• Exception rules are mechanisms for overriding a security policy in specific circumstances.
• Trusted applications are application processes that ignore all IPS, Firewall, or Application Blocking rules.
Managing Your Protection
Management of a Host IPS deployment includes monitoring, analyzing, and reacting to activities; changing and updating policies; and performing system tasks.
Contents
Management of information
Management of policies
Management of systems
Management of information
After you have installed Host Intrusion Prevention, you can track and report on security issues that arise in your environment.
You can produce queries for a group of selected client systems, or limit report results by product or system criteria. You can export reports into a variety of file formats, including HTML and Microsoft Excel. Your options include:
• Setting a filter to gather only selected information. Choose which group or tags to include in the report.
• Setting a data filter using logical operators, to define precise filters on the data returned by the report.
Query result types include Application Blocking Client Rules, Firewall Client Rules, and IPS Client Rules. Firewall Client Rules properties include:
• Non-IP Protocol
• Process Eval Option
• Process Name
• Process Path
• Props schema ID
• Reaction
• Remote Address
• Remote Address Type
• Remote Service
• Rule Name
• Start Time
• Switch When Expired
• Time Restriction
• Time Task
In addition, you can create queries using these Host IPS properties:
• Agent type
• Firewall Status
• Application Blocking
Management of policies
Predefined HIP queries and what they summarize:
• Count of IPS Client Rules: Displays the number of IPS client rules created over time.
• Top 10 Blocked Applications: Displays the top 10 blocked applications for the past three months.
• Top 10 Quarantined Systems: Displays the top 10 systems that were quarantined for the past three months.
• Top 10 Triggered Signatures: Displays the top 10 triggered IPS signatures.
• Apply the new policy to a set of computers and monitor the results.
• Repeat this process with each production group type.
Automatic tuning
Automatic tuning removes the need to constantly monitor all events and activities for all users.
• Apply adaptive mode for IPS, Firewall, and Application Blocking policies, or apply learn mode for Firewall and Application Blocking policies.
To delete a policy: Click Delete (not available for default or preconfigured policies).
NOTE: When you delete a policy, all groups to which it is currently applied inherit the policy of this category from their parent. Before deleting a policy, look at all of the nodes to which it is assigned, and assign a different policy if you don't want those nodes to inherit from the parent.
• Establish a naming convention for your clients. Clients are identified by name in the System Tree, in certain reports, and in event data generated by activity on the client. Clients can take the names of the hosts on which they are installed, or you can assign a specific client name during installation. McAfee recommends establishing a naming convention for clients that is easy to interpret by anyone working with the Host Intrusion Prevention deployment.
Management of systems
might deem certain script processing as illegal behavior, but certain systems in your engineering groups need to perform such tasks. Allow exceptions to be created for those systems so they can function normally while the policy continues to prevent this activity on other systems. Then make these exceptions part of a server-mandated policy to cover only the engineering group.
Host IPS server tasks
Host Intrusion Prevention provides a single server task that enables review and promotion of client rules to administrative policy.
Property Translator
The Property Translator server task translates Host Intrusion Prevention client rules that are stored in the ePolicy Orchestrator database to handle Host Intrusion Prevention sorting, grouping, and filtering of data.
1 Describe the rule.
2 Set filters for the rule.
3 Set thresholds for the rule.
4 Create the message to be sent and the type of delivery.
Checking in update packages
You can create an ePO pull task that automatically checks in content update packages to the master repository, or you can download an update package and check it in manually.
Task
Use one of these two methods:
Automatic check-in
1 Go to Software | Master Repository, then click Schedule Pull.
2 Name the task, for example, HIP Content Updates, then click Next.
Manual check-in
1 Download the file from McAfeeHttp or McAfeeFtp.
Configuring IPS Policies
IPS policies turn host intrusion prevention protection on and off, set the reaction level to events, and provide details on exceptions, signatures, and application protection rules.
Contents
Overview of IPS policies
Working with IPS Options policies
Working with IPS Protection policies
Working with IPS Rules policies
Overview of IPS policies
The IPS (Intrusion Prevention System) feature monitors all system and API calls and blocks those that might result in malicious activity.
Host intrusion prevention signatures
Host IPS protection resides on individual systems such as servers, workstations, or laptops. The Host Intrusion Prevention client inspects traffic flowing into or out of a system and examines the behavior of the applications and operating system for attacks. When an attack is detected, the client can block it at the network segment connection, or can issue commands to stop the behavior initiated by the attack.
Host Intrusion Prevention combines the use of signature rules and hard-coded behavioral rules. This hybrid method detects most known attacks as well as previously unknown or zero-day attacks.
Events
IPS events are generated when a client recognizes a violation of a signature or behavioral rule. Events are logged in the Events tab of the IPS Rules tab under Reporting. Administrators can view and monitor these events to analyze system rule violations.
Working with IPS Options policies
The IPS Options policy turns IPS protection on and off and allows you to apply adaptive mode on clients to create new exception rules. This policy category contains three preconfigured policies and an editable My Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies.
2 In the IPS Options policy list, click Edit under Actions to change the settings for a custom policy.
Figure 2: IPS Options
3 In the IPS Options page that appears, make any needed changes, then click Save.
Working with IPS Protection policies
The IPS Protection policy sets the protective reaction for signature severity levels. These settings instruct clients what to do when an attack or suspicious behavior is detected.
• Prevent high and medium severity level signatures and ignore the rest.
Maximum Protection
• Prevent high, medium, and low severity level signatures and log the rest.
Prepare for Enhanced Protection
• Prevent high and log medium severity level signatures and ignore the rest.
Prepare for Maximum Protection
• Prevent high and medium severity level signatures, log low severity level signatures, and ignore the rest.
Working with IPS Rules policies
The IPS Rules policy applies intrusion prevention safeguards. This policy is a multiple-instance policy that can have multiple instances assigned. For example, for an IIS server you might apply a general default policy, a server policy, and an IIS policy, the latter two configured to specifically target systems running as IIS servers.
• Low — Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they cannot be changed. Preventing these signatures increases the security of the underlying system, but requires additional fine-tuning.
• Information — Indicates a modification to the system configuration that might create a benign security risk or an attempt to access sensitive system information.
Configuring IPS Rules signatures
Use this task to edit default signatures; create, edit or delete custom signatures; and move signatures to another policy.
Task
For option definitions, click ? on the page displaying the options.
1 On the Policy Catalog page, select Host Intrusion Prevention: IPS on the Product list and select IPS Rules on the Category list. The list of policies appears.
8 Click Save to save changes.
Creating signatures
Use this task to create custom host intrusion prevention signatures to protect specific operations.
Task
For option definitions, click ? on the page displaying the options.
1 On the IPS Rules policy Signatures tab, click Add Signature. A blank Signature page appears.
2 On the signature's IPS Signature tab, enter a name and select the platform and severity level.
To use Standard method:
1 Enter a name for the signature and choose a type.
2 Specify the operations that trigger the signature.
3 Indicate whether to include or exclude a particular parameter, what the parameter is and its value.
4 Click OK and the rule is added to the list at the top of the Subrule tab.
To use Expert method:
... signature. Before writing a rule, make sure you understand rule syntax.
4 On the Rule Definition tab, select the item to protect against modifications and enter details.
Figure 8: Signature Creation Wizard— Rule Definitions
5 Click OK.
Working with IPS Application Protection rules
Application protection rules alleviate compatibility and stability issues resulting from process hooking. These rules permit or block user-level API hooking for defined and generated lists of processes.
runs as a service. If not, it is blocked; if it listens on a port or runs as a service, it is permitted to hook.
Figure 9: Application Protection Rules analysis
The IPS component maintains an information cache on running processes, which tracks hooking information.
Tasks
Configuring IPS Rules application protection rules
Creating application protection rules
Configuring IPS Rules application protection rules
Use this task to create, view, edit, or delete application protection rules and move application protection rules to another policy.
Task
For option definitions, click ? on the page displaying the options.
Task
For option definitions, click ? on the page displaying the options.
1 On the IPS Rule policy Application Protection Rules tab, do one of the following:
• Click Add Application Rule. A blank Application Protection Rule page appears.
• Select a rule and click Duplicate. After naming and saving the new rule, click Edit.
Configuring IPS Rules exceptions
Use this task to create, view, edit, or delete exception rules and move exception rules to another policy.
Task
For option definitions, click ? on the page displaying the options.
1 On the Policy Catalog page, select Host Intrusion Prevention: IPS on the Product list and select IPS Rules on the Category list. The list of policies appears.
1 On the IPS Rule policy Exception Rules tab, click Add Exception.
2 Enter the required data on each tab of the Exception wizard. These include the Signatures, Users, Processes, Advanced Details and General tabs. The Summary tab displays the settings made in the previous tabs.
Figure 13: IPS Exception
3 Click Save.
Working with IPS events
An IPS event is triggered when a security violation, as defined by a signature, is detected.
applications that use TCP/IP Port 25, typically reserved for email applications, and this action would be detected by the TCP/IP Port 25 Activity (SMTP) signature. On the other hand, normal email traffic might also match this signature. When you see this signature, investigate the process that initiated the event. If the process is one that is not normally associated with email, like Notepad.exe, you might reasonably suspect that a Trojan was planted.
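The triage described above, automated over a batch of exported events, as an added example that is not code from the guide or the product. The event records are constructed for illustration and their field layout is an assumption, not the ePolicy Orchestrator event schema; the allowlist of mail clients is likewise an assumption a site would tune for its own environment. Hits from known mail clients are reported separately, because those are the false positives an exception rule or trusted application entry would remove so that only the outliers remain.

```python
"""Triage of "TCP/IP Port 25 Activity (SMTP)" IPS events by initiating process.

Added example, not McAfee code. Event records are constructed; field layout
and the mail-client allowlist are assumptions for the demonstration.
"""
from collections import Counter

SMTP_SIGNATURE = "TCP/IP Port 25 Activity (SMTP)"

# Constructed sample events: (hostname, process_path, signature_name, remote_port)
SAMPLE_EVENTS = [
    ("WS-0101", r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", SMTP_SIGNATURE, 25),
    ("WS-0102", r"C:\Windows\System32\notepad.exe", SMTP_SIGNATURE, 25),
    ("WS-0103", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", SMTP_SIGNATURE, 25),
    ("WS-0102", r"C:\Windows\System32\notepad.exe", SMTP_SIGNATURE, 25),
    ("WS-0104", r"C:\Users\bob\AppData\Local\Temp\update.exe", SMTP_SIGNATURE, 25),
    ("WS-0105", r"C:\Windows\System32\svchost.exe", "Unrelated Signature", 445),
]

# Processes normally associated with sending email on managed workstations (assumed allowlist).
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def process_name(path):
    """Basename of a Windows process path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_smtp_events(events, allowlist=KNOWN_MAIL_CLIENTS):
    """Return (host, process_path) pairs that warrant investigation.

    An SMTP-signature hit from a process that is not a known mail client is the
    case the guide describes (for example Notepad.exe opening port 25).
    """
    return [
        (host, path)
        for host, path, signature, _port in events
        if signature == SMTP_SIGNATURE and process_name(path) not in allowlist
    ]


def exception_candidates(events, allowlist=KNOWN_MAIL_CLIENTS):
    """Return the process paths of known mail clients that triggered the signature.

    These are the false positives for which an exception rule (or a trusted
    application entry) would be tuned, so the remaining events are true outliers.
    """
    return sorted({
        path
        for _host, path, signature, _port in events
        if signature == SMTP_SIGNATURE and process_name(path) in allowlist
    })


def suspect_process_counts(events, allowlist=KNOWN_MAIL_CLIENTS):
    """Count suspect events per process name so the noisiest unexpected process surfaces first."""
    return Counter(process_name(path) for _host, path in triage_smtp_events(events, allowlist))


if __name__ == "__main__":
    for host, path in triage_smtp_events(SAMPLE_EVENTS):
        print(f"investigate {host}: {path}")
    print("exception candidates:", exception_candidates(SAMPLE_EVENTS))
    print("suspect counts:", suspect_process_counts(SAMPLE_EVENTS).most_common())
```

Run it as a script to see the two unexpected processes (notepad.exe on WS-0102 twice, update.exe from a user temp directory on WS-0104) listed for investigation, while the Outlook and Thunderbird hits surface as exception candidates.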
2 Select the group in the System Tree for which you want to display IPS events. All events associated with the group appear. By default, only events from the last 30 days are displayed.
Figure 14: IPS Events tab
3 Determine how you want to view the list of events:
To select columns to display: Select Choose Columns from the Options menu.
exception under Creating exception rules, for creating a trusted application under Creating and editing Trusted Application rules.
Managing IPS client rules
Use this task to analyze IPS client rules created automatically when clients are in adaptive mode, or manually on the client provided the Client UI policy option to allow manual creation of client rules is enabled.
To filter for exception criteria: Select time criteria; type process path, process name, user name, computer name, or signature ID in the search text box; then click Filter. Click Clear to remove filter settings.
To aggregate exceptions: Click Aggregate, select the criteria on which to aggregate exceptions, then click OK. Click Clear to remove aggregation settings.
Configuring Firewall Policies
The Firewall policies of Host Intrusion Prevention protect computers by filtering all network traffic, allowing legitimate traffic through the firewall, and blocking the rest. Stateful filtering and packet inspection identify packets for different types of connections, and hold in memory the attributes of network connections from start-to-finish of transmission.
Overview of Firewall policies
network architecture is built on the seven-layer Open System Interconnection (OSI) model, where each layer handles specific network protocols.
Figure 16: Network layers and protocols
The firewall in Host Intrusion Prevention provides both stateful packet filtering and stateful packet inspection.
NOTE: When using IPv6, stateful functionality is only supported on Vista.
computer's connection state. Access to the application level commands provides error-free inspection and securing of the FTP protocol.
State table
A stateful firewall includes a state table that dynamically stores information about active connections created by allow rules. Each entry in the table defines a connection based on:
• Protocol — The predefined way one service talks with another; includes TCP, UDP and ICMP protocols.
If, however, the traffic does not meet the first rule's conditions, Host Intrusion Prevention looks at the next rule in the list. It works its way down through the firewall rules list until it finds a rule that the traffic matches. If no rule matches, the firewall automatically blocks the traffic. If learn mode is activated, the user is prompted for an action to be taken; if adaptive mode is activated, an allow rule is created for the traffic.
4 If the packet does not match any configurable rule, it is blocked.
Figure 17: Stateful filtering process
How stateful packet inspection works
Stateful packet inspection combines stateful filtering with access to application-level commands, which secures protocols such as FTP. FTP involves two connections: control for commands and data for the information.
Protocol handling in the state table:
• UDP: A UDP connection is added to the state table when a matching static rule is found and the action from the rule is Allow. Generic UDP connections, which carry application-level protocols unknown to the firewall, remain in the state table as long as the connection is not idle longer than the specified timeout period.
• ICMP: Only ICMP Echo Request and Echo Reply message types are tracked.
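The stateful filtering process described in the preceding passages (top-down rule matching, the state table created by allow rules, the UDP idle timeout, ICMP Echo tracking and adaptive mode's automatic allow rule), as an added simulation that is not McAfee code. The 60-second UDP timeout, the packet and rule field layout, and the sample rule list are assumptions chosen for the demonstration; the point it shows is that the reply to an allowed outbound packet passes on the state entry alone, while an unsolicited inbound packet falls through the rule list and is blocked.

```python
"""Simulation of the stateful filtering process: added example, not McAfee code.

Models a top-down rule list, a state table keyed on the connection tuple,
UDP idle timeout, ICMP Echo tracking, and adaptive mode's learned allow rule.
The timeout value and the field layout are assumptions for the simulation.
"""
from dataclasses import dataclass
from typing import Optional

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Packet:
    proto: str                     # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0                 # 0 for ICMP
    dport: int = 0
    direction: str = "out"         # "out" (leaving the host) or "in"
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    action: str                    # "allow" or "block"
    proto: Optional[str] = None    # None matches any value
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction))


class StatefulFirewall:
    UDP_IDLE_TIMEOUT = 60          # seconds; assumed value for the simulation

    def __init__(self, rules, adaptive=False):
        self.rules = list(rules)   # ordered: first match wins
        self.adaptive = adaptive
        self.state = {}            # connection key -> time of last packet

    @staticmethod
    def _key(p: Packet):
        """Direction-agnostic connection identity, so the reply to an allowed
        outbound packet lands on the same entry as the request."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + tuple(sorted([a, b]))

    def _expire(self, now):
        """Generic UDP entries leave the table once idle longer than the timeout."""
        for key, last in list(self.state.items()):
            if key[0] == "UDP" and now - last > self.UDP_IDLE_TIMEOUT:
                del self.state[key]

    def _track(self, p: Packet, now):
        # Only ICMP Echo Request / Echo Reply are tracked; other ICMP types never enter the table.
        if p.proto == "ICMP" and p.icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            return
        self.state[self._key(p)] = now

    def filter(self, p: Packet, now) -> str:
        """Return "allow" or "block" for packet p seen at time `now`."""
        self._expire(now)
        key = self._key(p)
        # 1. A packet belonging to a tracked connection passes without consulting the rules.
        if key in self.state and (p.proto != "ICMP" or p.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)):
            self.state[key] = now
            return "allow"
        # 2/3. Otherwise walk the rule list top-down; an allow rule also creates a state entry.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self._track(p, now)
                return rule.action
        # 4. No rule matched: block, unless adaptive mode learns an allow rule for this traffic.
        if self.adaptive:
            self.rules.append(Rule("allow", proto=p.proto, dport=p.dport, direction=p.direction))
            self._track(p, now)
            return "allow"
        return "block"


def build_demo_firewall():
    """Rule list constructed for the demonstration: outbound HTTPS, DNS and ping only."""
    return StatefulFirewall([
        Rule("allow", proto="TCP", dport=443, direction="out"),
        Rule("allow", proto="UDP", dport=53, direction="out"),
        Rule("allow", proto="ICMP", direction="out"),
    ])


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.filter(Packet("TCP", "10.0.0.5", "203.0.113.10", 50000, 443, "out"), 0))   # allow (rule)
    print(fw.filter(Packet("TCP", "203.0.113.10", "10.0.0.5", 443, 50000, "in"), 1))    # allow (state)
    print(fw.filter(Packet("TCP", "198.51.100.7", "10.0.0.5", 4444, 50001, "in"), 2))   # block
```

Note that adaptive mode turns a single unmatched outbound connection into a permanent allow rule; that is exactly why the guide recommends running it only during a tuning phase and then promoting reviewed client rules into administrative policy.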
Host Intrusion Prevention also supports a type of rule group that does affect how rules are handled. These groups are called connection-aware groups. Rules within connection-aware groups are processed only when certain criteria are met. Connection-aware groups let you manage rules that apply only when you connect to a network using a wired connection, a wireless connection, or a non-specific connection with particular parameters.
Connection isolation in connection-aware groups
The connection isolation option in Connection-Aware Groups (CAG) prevents undesirable traffic from accessing a designated network through other active network interfaces on a computer, such as a wireless adapter connecting to a wi-fi hotspot while a wired adapter is connected to a LAN.
• If the traffic through a NIC does not match the CAG criteria, and the connection isolation option is enabled, the traffic is blocked.
Figure 18: Network connection isolation
As examples of using the connection isolation option, consider two settings: a corporate environment and a hotel.
Connection isolation on the corporate network
Connection rules are processed until the Connection-Aware Group with corporate LAN connection rules is encountered. This CAG contains these settings:
• Connection type=LAN
• DNS suffix=mycompany.
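The corporate-LAN and hotel scenarios above, as an added simulation that is not McAfee code. It models an ordered policy of plain rules and connection-aware groups: a group's rules are only processed when the interface's connection matches the group's criteria, and with connection isolation enabled, traffic on an interface that does not match is blocked. Two things here are assumptions rather than statements from the guide: that an isolated group on the matching interface is terminal (traffic not allowed by one of its rules is blocked rather than falling through to later rules), and the interface fields and DNS suffix "corp.example" used for the sample data.

```python
"""Connection-aware group (CAG) evaluation with connection isolation.

Added example, not McAfee code. The terminal-group behaviour for an isolated
group on the matching interface, the interface fields and the sample DNS
suffix are assumptions for the simulation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass(frozen=True)
class Interface:
    name: str
    conn_type: str               # "LAN" or "Wireless"
    dns_suffix: str = ""
    gateway: str = ""


@dataclass
class Rule:
    action: str                  # "allow" or "block"
    dport: Optional[int] = None  # None matches any port

    def matches(self, dport: int) -> bool:
        return self.dport is None or self.dport == dport


@dataclass
class ConnectionAwareGroup:
    name: str
    conn_type: Optional[str] = None
    dns_suffix: Optional[str] = None
    gateway: Optional[str] = None
    isolation: bool = False
    rules: List[Rule] = field(default_factory=list)

    def criteria_match(self, nic: Interface) -> bool:
        """Every criterion that is set must match the interface's connection."""
        return ((self.conn_type is None or self.conn_type == nic.conn_type)
                and (self.dns_suffix is None or nic.dns_suffix.lower() == self.dns_suffix.lower())
                and (self.gateway is None or nic.gateway == self.gateway))


def evaluate(policy: List[Union[Rule, ConnectionAwareGroup]], nic: Interface, dport: int):
    """Walk the ordered policy for traffic to `dport` on `nic`; return (action, reason).

    Items before a CAG are processed first, so a rule placed above the group
    applies on every interface regardless of the group's criteria.
    """
    for item in policy:
        if isinstance(item, ConnectionAwareGroup):
            if item.criteria_match(nic):
                for rule in item.rules:
                    if rule.matches(dport):
                        return rule.action, f"{item.name}: group rule"
                if item.isolation:
                    # Assumed: an isolated group on the matching interface is terminal.
                    return "block", f"{item.name}: isolated, no group rule matched"
                continue  # nothing in the group matched: keep walking the list
            if item.isolation:
                # Traffic on an interface that does not meet the criteria is blocked.
                return "block", f"{item.name}: connection isolation"
            continue  # criteria not met, isolation off: group is skipped
        if item.matches(dport):
            return item.action, "rule"
    return "block", "no rule matched"


def corporate_policy(isolation: bool = True):
    """Policy constructed for the demonstration: DNS everywhere, file sharing
    and intranet web only on the corporate LAN, HTTPS as a trailing rule."""
    corp = ConnectionAwareGroup("Corporate LAN", conn_type="LAN", dns_suffix="corp.example",
                                isolation=isolation,
                                rules=[Rule("allow", 445), Rule("allow", 80)])
    return [Rule("allow", 53), corp, Rule("allow", 443)]


# Constructed interfaces: the wired corporate adapter and a hotel hotspot adapter.
CORP_LAN = Interface("eth0", "LAN", dns_suffix="corp.example", gateway="10.1.0.1")
HOTEL_WIFI = Interface("wlan0", "Wireless", dns_suffix="hotel.example", gateway="192.168.1.1")


if __name__ == "__main__":
    for nic in (CORP_LAN, HOTEL_WIFI):
        for port in (53, 445, 443):
            print(nic.name, port, evaluate(corporate_policy(), nic, port))
```

With isolation on, the hotel adapter gets only what the rule above the group allows (DNS); with isolation off, the same adapter reaches HTTPS through the trailing rule, which is the bridging path the option exists to close.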
Host Intrusion Prevention displays all the rules created on clients through learn mode or adaptive mode, and allows these rules to be saved and migrated to administrative rules.
Stateful filtering with adaptive and learn mode
When adaptive or learn mode is applied with the stateful firewall, the filtering process creates a new rule to handle the incoming packet.
When you configure the Quarantine Options policy, you specify a list of protected IP addresses and subnets. Any user assigned one of these addresses is quarantined by Host Intrusion Prevention upon returning to the network. When the Quarantine Options policy is applied to a client, Host Intrusion Prevention uses the ePolicy Orchestrator agent to determine if the client has the most recent policies and files.
Working with Firewall Rules policies
Change the policy's assignment on the Policy Assignment page. For a group, go to Systems | System Tree, select a group, and then on the Policies tab click Edit Assignment. For a system, go to Systems | System Tree, select a group that contains the system, and then on the System tab, select the system and select More Actions | Modify Policies on a Single System.
• Allows Windows file sharing requests from computers in the same subnet, and blocks file sharing requests from anyone else. (The Trusted Networks policy must have Include Local Subnet Automatically selected.)
• Allows you to browse Windows domains, workgroups, and computers.
• Allows all incoming and outgoing UDP traffic on high ports.
• Allows traffic that uses BOOTP, DNS, and Net Time UDP ports.
• Allows only UDP traffic necessary for accessing IP information (such as your own IP address or the network time).
• Blocks Windows file sharing.
On the Policy Catalog policy list page, click New Policy to create a new custom policy; click Duplicate under Actions to create a new custom policy based on an existing policy. Change the policy's assignment on the Policy Assignment page.
To add a rule: Click Add Rule or Add Predefined Rules. See Working with firewall rules or Working with predefined firewall rules for details.
To add a group: Click Add Group. See Working with rule groups for details.
To add a connection-aware group: Click Add Connection-Aware Group. See Working with connection-aware groups for details.
To perform an action on a single rule: Select the rule and click Edit to edit an existing rule.
1 On the Firewall Rules policy page, click Add Rule to create a new rule; click Edit under Actions to edit an existing rule.
Figure 21: Firewall Rule
2 Select or type the needed options.
3 Click OK.
Creating firewall rule groups
Use this task to create a group to contain a set of rules with a single purpose, such as rules that allow a VPN connection. Groups appear in the rule list in black preceded by an arrow.
Creating firewall connection-aware groups
Use this task to create a connection-aware group. These groups let you manage a set of rules that apply only when connecting to a network using a wired, wireless, or non-specific connection with particular parameters. Groups appear in the rule list in blue preceded by an arrow.
Access to Firewall Client Rules on the Host IPS tab under Reporting requires permissions in addition to those for Host Intrusion Prevention Firewall, including view permissions for Event Log, Systems, and System Tree access.
Task
For option definitions, click ? on the page displaying the options.
1 Go to Reporting | Host IPS | Firewall Client Rules.
Working with Quarantine Options policies
The Quarantine Options policy turns quarantine mode and quarantine notifications on and off, defines quarantined networks, and configures fail options. This policy category contains a preconfigured policy, which has all settings disabled, and an editable My Default policy.
Working with Quarantine Rules policies
The Quarantine Rules policy is a special set of firewall rules that is enforced when quarantine mode is enabled. You create and manage quarantine rules by applying a Quarantine Rules policy with the appropriate settings.
NOTE: If users connect to the network using VPN software, make certain that quarantine rules allow any traffic required to connect and authenticate over the VPN.
2 Click Edit to make changes on the Quarantine Rules page.
Figure 24: Quarantine Rules list
To add a rule: Click Add Rule or Predefined Rules. See Working with quarantine rules or Working with predefined quarantine rules for details.
To add a group: Click Add Group. See Working with rule groups for details.
To perform an action on a single rule: Select the rule and click Edit to edit an existing rule.
1 On the Quarantine Rules policy page, click Add Rule to create a new rule; click Edit under Actions to edit an existing rule.
Figure 25: Quarantine Rule page
2 Select or type the needed options.
3 Click OK.
Creating quarantine rule groups
Use this task to create a group to contain a set of quarantine rules with a single purpose. Groups appear in the rule list in black preceded by an arrow.
Adding predefined quarantine rules
Use this task to add predefined quarantine rules that match your needs immediately or after you have edited them.
Task
For option definitions, click ? on the page displaying the options.
1 On the Quarantine Rules policy page, click Predefined Rules.
2 Select one or more predefined groups, or one or more predefined rules within a group.
Configuring Application Blocking Policies
The Application Blocking feature of Host Intrusion Prevention manages a set of applications that you allow to run (known as application creation) or bind (known as application hooking) with other applications.
Working with Application Blocking policies
Filtering and aggregating rules
Applying filters generates a list of rules that satisfies all of the variables defined in the filter criteria; a rule must match every criterion to be included. Aggregating rules generates a list of rules grouped by the value associated with each of the variables selected in the Select columns to aggregate dialog box.
1 Go to Systems | Policy Catalog and select Host Intrusion Prevention: Application Blocking in the Product list and Application Blocking Options in the Category list. The list of policies appears.
2 In the Application Blocking Options policy list, click Edit under Actions to change the settings for a custom policy.
Working with Application Blocking Rules policies
Creating and editing Application Blocking rules
Managing Application Blocking client rules
Configuring an Application Blocking Rules policy
Use this task to add or remove rules in a policy and move rules between policies.
Task
For option definitions, click ? on the page displaying the options.
To perform an action on a single rule, click:
• Edit to edit an existing rule. See Creating and editing Application Blocking rules for details.
• Duplicate to make a copy of the rule within the same policy, named 'copy of' the original rule.
• Delete to remove the rule from the list.
4 Click Save.
• Allow application to hook other applications: Allow the application to bind to other applications.
5 Select Matching Options:
• Fingerprint only: Match against the fingerprint only, so the rule applies only if the client's application is the same version as the application referenced on the server.
2 Select the group in the System Tree for which you want to display client rules.
3 Determine how you want to view the list of client rules:
To... Do this...
Sort by a column
  Click the column header.
Filter for groups
  From the Filter menu, select This Group Only or This Group and All Subgroups.
Configuring General Policies
The General feature of Host Intrusion Prevention provides access to policies that are general in nature and not specific to one feature.
Configuring General Policies
Working with Client UI policies

User type... Functionality...
Regular
  The average user who has the Host Intrusion Prevention client installed on a desktop or laptop. The Client UI policy enables this user to:
  • View the Host Intrusion Prevention client icon in the system tray and launch the client user interface.
  • Get pop-up intrusion alerts or prevent them.
  • Create additional IPS, firewall, and application blocking rules.
1 Go to Systems | Policy Catalog and select Host Intrusion Prevention: General in the Product list and Client UI in the Category list. The list of policies appears.
2 In the Client UI policy list, click Edit under Actions to change the settings for a custom policy.
Figure 30: Client UI—General Settings tab
3 In the Client UI page, select a tab (General Options, Advanced Options, Troubleshooting Options) and make any needed changes.
Task
1 Click the Advanced Options tab in the Client UI policy.
Figure 31: Client UI—Advanced Options tab
2 Determine the type of password you want to create:
For this type of password... Do this...
Administrator
  • Type a password in the Password text box. It must have at least ten characters.
  • Retype the password in the Confirm Password text box.
  • Click Save.
• Select Enable time-based password.
• If the Client UI is unlocked, the menu commands have no effect.
For details on using the tray icon menu, see the section on working with the Host IPS client.
Use this task to configure the tray icon control.

Task
1 Click the General Settings tab of the Client UI policy and select Show tray icon.
2 Click the Advanced Options tab and select Allow disabling of features from the tray icon, then select any or all of the features to be disabled.
Configuring General Policies
Working with Trusted Network policies

To... Do this...
Turn on IPS logging
  Select from the list the message type to trigger logging of IPS events. Debug logs all messages; Information logs Information, Warning, and Error messages; Warning logs Warning and Error messages; Error logs Error messages only; Disabled logs no messages. The path of the log file on Windows clients is: C:\Documents and Settings\All Users\Application Data\McAfee\Host Intrusion Prevention\HipShield.
Configuring General Policies
Working with Trusted Applications policies

Task
For option definitions, click ? on the page displaying the options.
1 Go to Systems | Policy Catalog and select Host Intrusion Prevention: General in the Product list and Trusted Networks in the Category list. The list of policies appears.
2 In the Trusted Networks policy list, click Edit under Actions to change the settings for a custom policy.
Figure 33: Trusted Networks
4 Do any of the following:
Select... To do this...
Change the policy’s assignment on the Policy Assignment page. For a group, go to Systems | System Tree, select a group, and then on the Policies tab click Edit Assignment. For a system, go to Systems | System Tree, select a group that contains the system, and then on the System tab, select the system and select More Actions | Modify Policies on a Single System.
To... Do this...
Perform an action on one or more applications at the same time
  Select them and click:
  • Enable to enable a disabled application.
  • Disable to disable an enabled application.
  • Delete to delete applications.
  • Copy to to copy applications to another policy. You are prompted to indicate the policy.
To perform an action on a single application
  Click:
  • Edit to edit an existing application.
7 Click Save to apply all changes.

Creating and editing Trusted Application rules
Use this task to create a new trusted application or edit an existing one from the Trusted Applications policy page.

Task
For option definitions, click ? on the page displaying the options.
1 On the Trusted Applications policy page, click Add Rule to create a new rule, or click Edit under Actions to edit an existing rule.
Working with Host Intrusion Prevention Clients
The Host Intrusion Prevention client can be installed on Windows, Solaris, and Linux platforms. Only the Windows client has an interface, but all versions have troubleshooting functionality. This section describes the basic features of each client version.
Working with Host Intrusion Prevention Clients
Overview of the Windows client

Click... To do this...
About...
  Open the About Host Intrusion Prevention dialog box, which displays the version number and other product information.
If the Allow disabling of features from the tray icon option is applied to the client, some or all of these additional commands are available:
Click... To do this...
Restore Settings
  Enable all disabled features. Available only if one or more features have been disabled.
Task
1 On the client console Edit menu, click Options.
2 In the Host Intrusion Prevention Options dialog box, select and deselect options as needed.
Select... For this...
Display pop-up alert
  An alert appears when an attack occurs.
Play sound
  A sound plays when an attack occurs.
Flash tray icon
  The icon toggles between regular status and attack status when an attack occurs.
Troubleshooting the Windows client
Host Intrusion Prevention includes a Troubleshooting option on the Help menu, which is available when the interface is unlocked. Options include enabling IPS and firewall logging and disabling system engines.
Figure 37: Troubleshooting Options
NOTE: McAfee provides a utility (ClientControl.
Settings options for Firewall logging
As part of troubleshooting you can create firewall activity logs that can be analyzed on the system or sent to McAfee support to help resolve problems. Use this task to enable Firewall logging.

Task
1 Select the Firewall Enable Logging checkbox.
2 Select the message type (All or a combination of Information, Warning, Error, Debug).
3 Click OK.
mode, this alert appears only if the Allow Client Rules option is disabled for the signature that caused the event to occur. The Intrusion Information tab displays details about the attack that generated the alert, including a description of the attack, the user/client computer where the attack occurred, the process involved in the attack, and the time and date when Host Intrusion Prevention intercepted it.
Host Intrusion Prevention creates a new firewall rule based on the options selected, adds it to the Firewall Rules list, and automatically allows or blocks similar traffic.
is always suspicious activity. If you see this dialog box, immediately investigate the application that sent the spoofed traffic.
NOTE: The Spoof Detected Alert dialog box appears only if you select the Display pop-up alert option. If you do not select this option, Host Intrusion Prevention automatically blocks the spoofed traffic without notifying you.
Select... To do this...
Enable Network IPS
  Enable network intrusion prevention protection.
Enable Adaptive Mode
  Enable adaptive mode to automatically create exceptions to intrusion prevention signatures.
Automatically block attackers
  Block network intrusion attacks automatically for a set period of time. Select Until removed to block an attack until it is removed, or select for X min.
This column... Displays...
  Whether Host Intrusion Prevention treats traffic that matches this rule as an intrusion (an attack) on your system.
  Whether this rule only applies at specific times.
Service (L)
  Services on your computer where this rule applies. When possible, this column shows associated port numbers.
The application rules list displays rules relevant to the client and provides summary and detailed information for each rule.
This column... Displays...
Description
  The purpose of this rule.
Create
  Permits application to run.
  Blocks application from running.
Hook
  Permits application to hook other programs.
  other programs.
Column What it shows
Time Remaining
  How long Host Intrusion Prevention will continue to block this address. If you specified an expiration time when you blocked the address, this column shows the number of minutes left until Host Intrusion Prevention removes the address from the list. If you specified that you wanted this address blocked until you manually removed it from the list, this column displays Until removed.
About the Activity Log tab
Use the Activity Log tab to configure the logging feature and track Host Intrusion Prevention actions. The Activity Log contains a running log of activity. Most recent activity appears at the bottom of the list.
Column What it shows
Time
  The date and time of the Host Intrusion Prevention action.
Event
  The feature that performed the action.
  • Traffic indicates a firewall action.
Working with Host Intrusion Prevention Clients
Overview of the Solaris client

Select... To do this...
Filter Options - Applications
  Filter the data to display events caused by applications.
Filter Options - Intrusions
  Filter the data to display intrusions.
NOTE: You can enable and disable logging for the firewall traffic, but not for the IPS or application blocking features. However, you can choose to hide these events in the log by filtering them out.
Solaris client issues
After the Solaris client is installed and started, it protects its host. However, you may need to troubleshoot installation or operation issues.

Client installation issues
If a problem occurred while installing or uninstalling the client, there are several things to investigate.
that ships with the client (abcde12345), or send a Client UI policy to the client with either an administrator’s password or a time-based password set with the policy, and use this password.
Use the troubleshooting tool to:
• Indicate the logging settings and engine status for the client.
• Turn message logging on and off.
• Turn engines on and off.
Working with Host Intrusion Prevention Clients
Overview of the Linux client

• Set IPS Options to Off in the ePO console and apply the policy to the client.
• Run the command: hipts engines MISC:off.
2 Run the command: /etc/rc2.d/S99hip stop.

Restarting the Solaris client
You may need to stop a running client and restart it as part of troubleshooting.

Task
1 To restart a client, run the command: /etc/rc2.d/S99hip restart.
2 Enable IPS protection.
With this policy... These options are available...
IPS Client Rules
  All
Search IPS Exception Rules
  All
HIP 7.0 FIREWALL
  None
HIP 7.0 APPLICATION BLOCKING
  None

Notes about the Linux client
• If you have an existing SELinux policy in place or are using default protection settings, installing a Linux client replaces the policy with a default McAfee Host Intrusion Prevention policy.
File Name Description
*.so
  Host Intrusion Prevention and ePO agent shared object modules
log directory
  Contains debug and error log files
Installation history is written to /opt/McAfee/etc/hip-install.log. Refer to this file for any questions about the installation or removal process of the Host Intrusion Prevention client.
Run this command... To do this...
hipts engines <engine>:off
  Turn off the engine indicated.
hipts engines all:on
  Turn on all engines.
hipts engines all:off
  Turn off all engines.
TIP: In addition to using the troubleshooting tool, consult the HIPShield.log and HIPClient.log files in the McAfee/hip/log directory to verify operations or track issues.
Index

A
activity logs, Host IPS
  customizing options 98
  deleting entries 98
  firewall logging options 90
  IPS logging options 89
  viewing 98
  working with Activity Log tab 98
adaptive mode
  about 11
  analyzing client rules 74
  application blocking and 70
  application blocking client rules 69
  automatic tuning 17
  client rules, application blocking 74
  exception rules and 26
  Firewall Options policies 56
  firewall rules 54
  Firewall Rules policies 57
  IPS Options policy 27
  placing Host IPS clients in 19, 27
  Quarantine Rules
clients (continued)
  updating with task or agent wake-up call 23
  Windows (See Windows client) 86
  working with, in Host IPS 18
clients rules
  creating, with adaptive and learn modes 11
command-line options
  ClientControl.
groups, Host IPS (continued)
  firewall connection-aware, creating 62
  firewall rule groups, creating 61
  how policies are applied 10
  notifications and 21
  quarantine rule groups, creating 67

H
HIPS (host intrusion prevention signatures) 24, 90
hooking (See application blocking) 96
host intrusion prevention signatures 25
Host IPS
  activities and dashboards 13
  basic and advanced protection 8
  features and categories 9
  how it works 7
  how to set and tune protection 16
  Intrusion Information tab 90
  permission s
McAfee Default policy (continued)
  Host Intrusion Prevention 9
McAfee recommendations
  contact McAfee support to disable HIPS engine 90
  duplicate a policy before assigning to a group 10
  for VPN connections, set quarantine rules 55
  group Host IPS clients logically 18
  group systems by Host IPS criteria 10
  phased Host IPS deployment 18
  tune Host IPS default policies 18
  use IPS Protection to stagger impact of events 11
monitored processes, viewing 97
My Default policy
  Application Blocking 70
  Application Bl
preconfigured policies (continued)
  Application Blocking Rules 71
  Client UI 77
  Firewall Rules 57
  IPS Options 27
  IPS Protection 28
  Quarantine Options 64
  Trusted Applications 82
  Trusted Network 81
Property Translator task 21
protocols
  tracking, and stateful firewall 49

Q
Quarantine Options policy
  about 8, 55
  alerts 92
  configuring 64
  working with 64
quarantine rules
  about 8
  alerts, responding to 92
  configuring 65
  creating and editing 66
  policies and rules 55
  predefined, adding 68
  rule groups, creating a
T
troubleshooting, Host IPS
  Client UI 80
  disabling Host IPS engines 90
  error reporting 88
  Firewall logging, setting options 90
  hipts tool 100, 104
  installing the client 100
  Linux client 102, 103, 104
  options 89
  Solaris client 100
  Windows client 89
trusted applications
  configuring, in Host IPS 83
  creating a list in Host IPS 82
  creating and editing, in Host IPS 85
  creating, based on an event 40
  defined 11
  Host IPS policy categories 9
  IPS Rules policy 40
  McAfee products 8
  Trusted Applications policy