Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring Firewall Policies
Overview of Firewall policies

Connection isolation on the corporate network

Connection rules are processed until the Connection-Aware Group with corporate LAN connection rules is encountered. This CAG contains these settings:
• Connection type=LAN
• DNS suffix=mycompany.com
• Isolate this Connection=yes

The computer has both LAN and wireless network adapters and connects to the corporate network with a wired connection, but the wireless interface is still active, so it connects to a hotspot outside the office. The computer connects to both networks because the rules for basic access are at the top of the firewall rules list. The wired LAN connection is active and meets the criteria of the corporate LAN CAG. The firewall processes the traffic through the LAN but, because connection isolation is enabled, all other traffic not through the LAN is blocked.

Connection isolation at a hotel

Connection rules are processed until the Connection-Aware Group with VPN connection rules is encountered. This CAG contains these settings:
• Connection type=Any
• DNS suffix=vpn.mycompany.com
• IP Address=an address in a range specific to the VPN concentrator
• Isolate this Connection=yes

General connection rules allow the setup of a timed account at the hotel to gain internet access. The VPN connection rules allow connection and use of the VPN tunnel. After the tunnel is established, the VPN client creates a virtual adapter that matches the criteria of the VPN CAG. The only traffic the firewall allows is inside the VPN tunnel and the basic traffic on the actual adapter. Attempts by other hotel guests to access the computer over the network, either wired or wireless, are blocked.
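Both scenarios above reduce to one processing rule: the firewall walks the rules list top-down, and once a Connection-Aware Group matches an active adapter and has "Isolate this Connection" set, the only traffic allowed is on that adapter plus whatever the basic-access rules above the group already permitted on every adapter. The Python model below is an added example of that walk, not McAfee code. The adapter names, IP addresses, the hotspot and hotel DNS suffixes, the VPN address range and the `dhcp`/`dns` basic-access services are constructed values; the exact suffix comparison and CIDR check are assumptions about how the match criteria are evaluated.

```python
"""Model of Connection-Aware Group (CAG) matching with connection isolation.

Added illustration, not McAfee code. It reproduces the behaviour described in
the guide: rules are processed top-down; when a CAG that matches an active
adapter is reached and the group has "Isolate this Connection" set, the only
traffic allowed is through that adapter plus whatever the basic-access rules
above the CAG already permitted on every adapter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Adapter:
    name: str
    conn_type: str    # "LAN", "Wireless" or "Virtual" (VPN client adapter)
    dns_suffix: str
    ip: str


@dataclass(frozen=True)
class BasicRule:
    """A plain allow rule placed above the CAGs (the 'basic access' rules)."""
    service: str


@dataclass(frozen=True)
class CAG:
    name: str
    conn_type: str                   # "LAN", "Wireless" or "Any"
    dns_suffix: str
    isolate: bool
    ip_range: Optional[str] = None   # CIDR the adapter address must fall in (assumed form)

    def matches(self, adapter: Adapter) -> bool:
        if self.conn_type != "Any" and self.conn_type != adapter.conn_type:
            return False
        if self.dns_suffix.lower() != adapter.dns_suffix.lower():
            return False
        if self.ip_range and ip_address(adapter.ip) not in ip_network(self.ip_range):
            return False
        return True


Policy = List[Union[BasicRule, CAG]]


def evaluate(policy: Policy, adapters: List[Adapter]) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Walk the ordered policy until an isolating CAG matches an active adapter.

    Returns (cag_name, isolated_adapter, basic_services). basic_services are the
    services allowed on every adapter by rules reached before isolation kicked in;
    isolated_adapter is the only adapter that may carry any other traffic, or
    None if no isolating group matched.
    """
    basic: List[str] = []
    for entry in policy:
        if isinstance(entry, BasicRule):
            basic.append(entry.service)
            continue
        for adapter in adapters:
            if entry.matches(adapter):
                if entry.isolate:
                    return entry.name, adapter.name, basic
                break  # non-isolating group: keep walking the list
    return None, None, basic


def decision(policy: Policy, adapters: List[Adapter], adapter_name: str, service: str) -> str:
    """Classify traffic for `service` on `adapter_name` under the policy."""
    _, isolated, basic = evaluate(policy, adapters)
    if service in basic:
        return "allowed-basic"             # basic-access rule above the CAG
    if isolated is None:
        return "continue-rule-processing"  # no isolation; later rules decide
    if adapter_name == isolated:
        return "allowed-isolated-adapter"
    return "blocked-isolation"


# Constructed policy: basic access first, then the two groups from the guide.
POLICY: Policy = [
    BasicRule("dhcp"),
    BasicRule("dns"),
    CAG("Corporate LAN", "LAN", "mycompany.com", isolate=True),
    CAG("VPN", "Any", "vpn.mycompany.com", isolate=True, ip_range="10.200.0.0/16"),
]

# Constructed adapter states (names, suffixes and addresses are invented).
OFFICE = [Adapter("eth0", "LAN", "mycompany.com", "10.1.2.3"),
          Adapter("wlan0", "Wireless", "hotspot.example", "192.168.0.5")]
HOTEL_BEFORE_VPN = [Adapter("wlan0", "Wireless", "hotel.example", "192.168.50.7")]
HOTEL_WITH_VPN = HOTEL_BEFORE_VPN + [
    Adapter("vpn0", "Virtual", "vpn.mycompany.com", "10.200.0.15")]

if __name__ == "__main__":
    for label, adapters in [("office", OFFICE), ("hotel, before VPN", HOTEL_BEFORE_VPN),
                            ("hotel, VPN up", HOTEL_WITH_VPN)]:
        print(label, evaluate(POLICY, adapters))
        for ad in adapters:
            print("  ", ad.name, "http ->", decision(POLICY, adapters, ad.name, "http"))
```

The hotel case shows why ordering matters: before the tunnel is up no group matches, so the hotel portal traffic falls through to the general rules; once the virtual adapter appears and matches the VPN group, the wireless adapter is left with only the basic-access services.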
How learn and adaptive modes affect the firewall

When you enable the firewall, Host Intrusion Prevention continually monitors the network traffic that a computer sends and receives. It allows or blocks traffic based on the Firewall Rules policy. If the traffic cannot be matched against an existing rule, it is automatically blocked unless the firewall is operating in learn mode or adaptive mode.

In learn mode, Host Intrusion Prevention displays a learn mode alert when it intercepts unknown network traffic. This alert prompts the user to allow or block any traffic that does not match an existing rule, and automatically creates corresponding dynamic rules for the non-matching traffic. You can enable learn mode for incoming communication only, for outgoing communication only, or both.

In adaptive mode, Host Intrusion Prevention automatically creates an allow rule to allow all traffic that does not match any existing block rule, and automatically creates dynamic allow rules for non-matching traffic.

For security reasons, when the learn mode or adaptive mode is applied, incoming pings are blocked unless an explicit allow rule is created for incoming ICMP traffic. In addition, incoming traffic to a port that is not open on the host will be blocked unless an explicit allow rule is created for the traffic. For example, if the host has not started the telnet service, incoming TCP traffic to port 23 (telnet) is blocked even when there is no explicit rule to block this traffic. You can create an explicit allow rule for any desired traffic.
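The decision order described above (policy rules first, then the mode-specific default, with incoming ICMP and closed ports exempted from the learn/adaptive relaxation) is easier to verify as code. The following Python model is an added example, not McAfee code. Packet and rule fields, the listening-port set that stands in for "a service the host has started", and the treatment of a learn-mode alert with no user answer (blocked, no rule recorded) are assumptions of the model; the telnet scenario mirrors the guide's port 23 example.

```python
"""Model of the firewall's default decision in normal, learn and adaptive mode.

Added illustration, not McAfee code. It follows the guide's description: traffic
matching no rule is blocked, unless learn mode (alert the user, then create a
dynamic rule) or adaptive mode (create a dynamic allow rule) is on; even then,
incoming ICMP and incoming traffic to a port the host is not listening on stay
blocked unless an explicit allow rule exists.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out"
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    direction: str
    proto: str
    port: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and (self.port is None or self.port == p.port))

    @staticmethod
    def for_packet(action: str, p: Packet) -> "Rule":
        return Rule(action, p.direction, p.proto, p.port)


class Firewall:
    def __init__(self, rules: Iterable[Rule], mode: str = "normal",
                 listening_ports: Iterable[int] = (),
                 learn_directions: Iterable[str] = ("in", "out")):
        self.rules: List[Rule] = list(rules)       # the Firewall Rules policy
        self.mode = mode                           # "normal", "learn" or "adaptive"
        self.listening = set(listening_ports)      # ports with a service started (assumed)
        self.learn_directions = set(learn_directions)
        self.dynamic_rules: List[Rule] = []        # rules the firewall creates itself
        self.alerts: List[Packet] = []             # learn-mode alerts shown to the user

    def decide(self, p: Packet, user_answer: Optional[str] = None) -> str:
        # Policy rules first, then dynamic rules created earlier.
        for rule in self.rules + self.dynamic_rules:
            if rule.matches(p):
                return rule.action
        if self.mode == "normal":
            return "block"                         # unmatched traffic is blocked
        # Learn/adaptive: incoming pings and incoming traffic to closed ports are
        # still blocked without an explicit allow rule.
        if p.direction == "in" and (p.proto == "icmp" or p.port not in self.listening):
            return "block"
        if self.mode == "adaptive":
            self.dynamic_rules.append(Rule.for_packet("allow", p))
            return "allow"
        # Learn mode, only for the configured direction(s).
        if p.direction not in self.learn_directions:
            return "block"
        self.alerts.append(p)
        if user_answer not in ("allow", "block"):
            return "block"                         # alert unanswered: modelled as block, no rule
        self.dynamic_rules.append(Rule.for_packet(user_answer, p))
        return user_answer


def telnet_example() -> Dict[str, Union[str, int]]:
    """The guide's telnet case: host listens on 80 only, adaptive mode on."""
    fw = Firewall([], mode="adaptive", listening_ports={80})
    return {
        "in tcp/23": fw.decide(Packet("in", "tcp", 23)),     # telnet not started
        "in tcp/80": fw.decide(Packet("in", "tcp", 80)),     # open port, adaptive allow
        "in icmp": fw.decide(Packet("in", "icmp", None)),    # ping needs explicit allow
        "out tcp/443": fw.decide(Packet("out", "tcp", 443)), # outbound, adaptive allow
        "dynamic rules": len(fw.dynamic_rules),
    }


if __name__ == "__main__":
    for key, value in telnet_example().items():
        print(f"{key}: {value}")
```

Running `telnet_example()` shows the two exemptions in action: the unmatched inbound telnet and ICMP packets stay blocked while the inbound packet to the open port and the outbound packet each generate a dynamic allow rule, so the same traffic is matched by a rule on its next appearance.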
54 McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0