Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee

More documents

Recommendations

Info

Configuring Firewall Policies Overview of Firewall policies network architecture is built on the seven-layer Open System Interconnection (OSI) model, where each layer handles specific network protocols. Figure 16: Network layers and protocols The firewall in Host Intrusion Prevention provides both stateful packet filtering and stateful packet inspection. NOTE: When using IPv6, stateful functionality is only supported on Vista. Stateful packet filtering Stateful packet filtering is the stateful tracking of TCP/UDP/ICMP protocol information at Transport Layer 4 and lower of the OSI network stack. Each packet is examined and if the inspected packet matches an existing firewall allow rule, the packet is allowed and an entry is made in a state table. The state table dynamically tracks connections previously matched against a static rule set, and reflects the current connection state of the TCP/UDP/ICMP protocols. If an inspected packet matches an existing entry in the state table, the packet is allowed without further scrutiny. When a connection is closed or times out, its entry is removed from the state table. Stateful packet inspection Stateful packet inspection is the process of stateful packet filtering and tracking commands at Application Layer 7 of the network stack. This combination offers a strong definition of the 46 McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
Configuring Firewall Policies Overview of Firewall policies computer’s connection state. Access to the application level commands provides error-free inspection and securing of the FTP protocol. State table A stateful firewall includes a state table that dynamically stores information about active connections created by allow rules. Each entry in the table defines a connection based on: • Protocol — The predefined way one service talks with another; includes TCP, UDP and ICMP protocols. • Local and remote computer IP addresses — Each computer is assigned a unique IP address. IPv4, the current standard for IP addresses permits addresses 32 bits long, whereas IPv6, a newer standard, permits addresses 128 bits long. IPv6 is already supported by some operating systems, such as Windows Vista and several Linux distributions. Host Intrusion Preventions supports both standards. • Local and remote computer port numbers — A computer sends and receives services using numbered ports. For example, HTTP service typically is available on port 80, and FTP services on port 21. Port numbers range from 0 to 65535. • Process ID (PID) — A unique identifier for the process associated with a connection’s traffic. • Timestamp — The time of the last incoming or outgoing packet associated with the connection. • Timeout: — The time limit (in seconds), set with the Firewall Options policy, after which the entry is removed from the table if no packet matching the connection is received. The timeout for TCP connections is enforced only when the connection is not established. • Direction — The direction (incoming or outgoing) of the traffic that triggered the entry. After a connection is established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the connection’s parameters in the state table. State table functionality Note the following about the state table: • If firewall rule sets change, all active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table. • If an adapter obtains a new IP address, the firewall recognizes the new IP configuration and drops all entries in the state table with an invalid local IP address. • When the process ends all entries in the state table associated with a process are deleted. How firewall rules work Firewall rules determine how to handle network traffic. Each rule provides a set of conditions that traffic has to meet and has an action associated with it: allow or block traffic. When Host Intrusion Prevention finds traffic that matches a rule’s conditions, it performs the associated action. Host Intrusion Prevention uses precedence to apply rules: the rule at the top of the firewall rules list is applied first. If the traffic meets this rule’s conditions, Host Intrusion Prevention allows or blocks the traffic. It does not try to apply any other rules in the list. McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0 47
Page 1 and 2: McAfee Host Intrusion Prevention 7.
Page 3 and 4: Contents Introducing Host Intrusion
Page 5 and 6: Contents Creating firewall rule gro
Page 7 and 8: Introducing Host Intrusion Preventi
Page 13 and 14: Managing Your Protection Management
Page 25 and 26: Configuring IPS Policies Overview o
Page 27 and 28: Configuring IPS Policies Working wi
Page 45: Configuring Firewall Policies The F
Page 49 and 50: Configuring Firewall Policies Overv
Page 57 and 58: Configuring Firewall Policies Worki
Page 69 and 70: Configuring Application Blocking Po
Page 77 and 78: Configuring General Policies Workin
Page 87 and 88: Working with Host Intrusion Prevent
Page 97 and 98:
Working with Host Intrusion Prevent
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Index clients (continued) updating
Page 109 and 110:
Index McAfee Default policy (contin
Page 111 and 112:
Index T troubleshooting, Host IPS C
show all

Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?