Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring Firewall Policies
Overview of Firewall policies
Host Intrusion Prevention displays all the rules created on clients through learn mode or adaptive mode, and allows these rules to be saved and migrated to administrative rules.
Stateful filtering with adaptive and learn mode
When adaptive or learn mode is applied with the stateful firewall, the filtering process creates a new rule to handle the incoming packet. This filtering process proceeds as follows:
1 The firewall compares an incoming packet against entries in the state table and finds no match, then examines the static rule list and finds no match.
2 No entry is made in the state table, but if this is a TCP packet, it is put in a pending list. If not, the packet is dropped.
3 If new rules are permitted, a unidirectional static allow rule is created. If this is a TCP packet, an entry is made in the state table.
4 If a new rule is not permitted, the packet is dropped.
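The four steps above as a small simulation, added here as an illustration and not code from the product guide or from Host Intrusion Prevention itself; the class names, the tuple used as the state-table key, and the result strings are this example's own assumptions. It also shows why a learned client rule (step 3) lets a later connection from a different source pass on the static rule list rather than the state table.

```python
from dataclasses import dataclass
# Constructed model of the learn/adaptive-mode filtering steps in the guide; the class
# and field names are this example's own assumptions, not Host IPS internals.
@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    dst: str
    dport: int
@dataclass(frozen=True)
class Rule:              # a unidirectional (inbound) static rule
    proto: str
    dst: str
    dport: int
    action: str          # "allow" or "block"
    def matches(self, p: Packet) -> bool:
        return (self.proto, self.dst, self.dport) == (p.proto, p.dst, p.dport)

class StatefulFirewall:
    def __init__(self, static_rules, allow_new_rules):
        self.static_rules = list(static_rules)
        self.allow_new_rules = allow_new_rules  # True only in adaptive/learn mode
        self.state_table = set()  # (proto, src, dst, dport) of tracked TCP connections
        self.pending = set()      # TCP packets with no match, awaiting a rule decision
        self.client_rules = []    # rules learned on the client (migratable to admin rules)

    def process(self, p: Packet) -> str:
        key = (p.proto, p.src, p.dst, p.dport)
        # Step 1: check the state table, then the static rule list.
        if key in self.state_table:
            return "allow:state"
        for r in self.static_rules:
            if r.matches(p):
                if r.action == "allow" and p.proto == "TCP":
                    self.state_table.add(key)
                return f"{r.action}:rule"
        # Step 2: no state entry is made; TCP goes to the pending list, anything else is dropped.
        if p.proto != "TCP":
            return "drop:no-rule"
        self.pending.add(key)
        # Steps 3 and 4: the pending packet is either learned as a static allow rule
        # (and its connection tracked) or dropped because new rules are not permitted.
        self.pending.discard(key)
        if not self.allow_new_rules:
            return "drop:learning-off"
        learned = Rule(p.proto, p.dst, p.dport, "allow")
        self.static_rules.append(learned)
        self.client_rules.append(learned)
        self.state_table.add(key)
        return "allow:learned"
```

Running the same client with `allow_new_rules=False` models a client outside adaptive or learn mode, where the unmatched TCP packet is dropped in step 4 and no client rule is recorded.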
Firewall client rules
A client in adaptive or learn mode can create Firewall client rules to allow blocked activity. In addition, rules can be created manually on the client computer. You can track the client rules and view them in a filtered or aggregated view. Use these client rules to create new policies or add them to existing policies.
Filtering and aggregating rules
Applying filters generates a list of rules that satisfies all of the variables defined in the filter criteria. The result is a list of rules that includes all of the criteria. Aggregating rules generates a list of rules grouped by the value associated with each of the variables selected in the Select columns to aggregate dialog box. The result is a list of rules displayed in groups and sorted by the value associated with the selected variables.
Quarantine policies and rules
When a client returns to the network after a prolonged absence, the quarantine policies restrict a client's ability to communicate with the network until ePolicy Orchestrator verifies that the client has all the latest policies, software updates, and DAT files.
NOTE: Host Intrusion Prevention enforces quarantine rules for all ePolicy Orchestrator-managed applications. If you use ePolicy Orchestrator to manage clients with VirusScan Enterprise, Host Intrusion Prevention will quarantine any returning client where VirusScan Enterprise tasks fail to run; for example, if an update task fails to deliver the latest DAT files.
Out-of-date policies and files can create security holes and leave systems vulnerable to attack. By quarantining users until ePolicy Orchestrator updates them, unnecessary security risks are avoided. For example, a quarantine policy is useful for laptops whose policies and files may become out of date when they are away from the corporate network for a few days.
When you enable the Quarantine Options policy, both ePolicy Orchestrator and Host Intrusion Prevention participate. ePolicy Orchestrator detects whether a user has all the latest information they need. Host Intrusion Prevention enforces the quarantine until the client has all the necessary policies and files.
NOTE: If a user connects to the network using VPN software, set quarantine rules to allow any traffic required to both connect and authenticate over the VPN.
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
55