Product Guide
Page 2
... CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator...
Product Guide
Page 4
... Managing IPS client rules 50 Configuring Firewall Policies 52 Overview of General policies 73 Define client functionality 74 4 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 Contents Configuring the IPS Protection policy 36 Define IPS protection 36 Configuring the IPS Rules policy 37 Assigning multiple instances of the policy 37 FAQ - McAfee TrustedSource and the firewall 66 Define firewall protection 67 Configuring the Firewall Rules policy 68 Creating and editing firewall rules 69 Creating...
Product Guide
Page 8
...McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 Ownership of the policies. After a policy is enabled. Turns on or off firewall protection and application of the policy, or the global administrator. Advanced protection For advanced protection, switch from the default settings to monitor and tune the new settings. Introducing Host Intrusion Prevention Host IPS policies • Basic network connectivity is allowed NOTE: When Host Intrusion Prevention 8.0 is first installed no protection is created, it can be edited or deleted only by the creator...
Product Guide
Page 9
... one effective policy. Each policy has a preconfigured McAfee Default policy, which allows for a specific purpose. Inheritance determines whether the policy settings for any system are safe for IPS Rules and Trusted Applications, all non-Windows client systems. • Trusted Networks (Windows only). To enforce policies immediately, you can apply to the Host Intrusion Prevention user interface on all policies also have an editable My Default policy based on the managed systems at the next agent-server communication. Defines access...
Product Guide
Page 10
... or firewall. Adaptive mode To help tune protection settings, Host Intrusion Prevention clients can modify it, all groups and systems below inherit the new policy. Any administrator can use a policy owned by attributes. McAfee recommends grouping systems by assigning a new policy, all systems to inheritance. As a deployment grows, newly added systems should fit one can modify the policy other than the global administrator, the creator of client rules 10 McAfee Host Intrusion Prevention 8.0 Product Guide for example, Web Servers. This protection...
Product Guide
Page 12
... run queries for managing your environment. You can create and edit multiple dashboards if you can track and report on a live dashboard. Use any chart-based query as a dashboard that are a collection of the security situation or to a small web-application, like the MyAvert Threat Service. changing and updating policies; Contents Information management Policy management System management Information management After you have installed Host Intrusion Prevention, you have the permissions. Host IPS dashboards Dashboards...
Product Guide
Page 13
... needed, printing the reports, and exporting them in logical groupings so that you have permissions. Choose which • Action Direction Enabled Last Modified Last Modifying User McAfee Host Intrusion Prevention 8.0 Product Guide for detailed information, all in the same report. For example, if you customize settings for these settings as a template. Custom queries You can create four specific Host IPS queries with jump the action for example, global administrators versus other software. • Running...
Product Guide
Page 17
... to inherit from a list (not available for default or preconfigured policies). Click Rename and change the name of the policy, and edit the settings. Assign a policy owner Export a policy Export all groups to the desired location. Click Export, then name and save the policy XML file to the desired location. Configuring policies After you install the Host Intrusion Prevention software, McAfee recommends that you delete a policy, all policies Import policies Click the owner of the policy and select another owner from...
Product Guide
Page 19
... sure the policy settings are installed, or you McAfee Host Intrusion Prevention 8.0 Product Guide for clients that you can take the names of the system. Clients can be pushed from reoccurring. • For firewall protection, monitor network traffic and add trusted networks to allow legitimate activity. • Review the lists of IPS and firewall policies. Client data and what it tells you After you can assign a specific client name during installation. If...
Product Guide
Page 20
... as legitimate behavior. For example, a policy might require software applications for ePolicy Orchestrator 4.5 You can function normally while the policy continues to prevent this during times of scheduled activity, such as backups or script processing. • As each arriving or departing packet, the firewall checks its use in Technical Support to allow users full access to other systems. Then make these queries to communicate environment...
Product Guide
Page 27
... source executable IP protocol (UDP, TCP, ICMP) Remote IP address of the system involved in the event Name of the system involved in the event Host IPS protection updates Host Intrusion Prevention supports multiple versions of client content and code, with the latest available content appearing in content update packages to the master repository. Upon check-in, the package version is newer, the scripts from McAfee at the next agent-server communication.
Product Guide
Page 30
... standard signatures and add specific database interception and protection rules. The HTTP Protection engine installs between user and kernel modes. SQL engine for SQL servers Host Intrusion Prevention protects against a database of combined signatures and behavioral rules to determine whether to prevent application files, data, registry settings, and services from being accessed. The Host IPS SQL engine intercepts incoming database queries before they are tell-tale signs of SQL injection. 30 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator...
Product Guide
Page 32
Host Intrusion Prevention contains a default list of a small number of network IPS signatures for Windows platforms. You can apply to other clients. 32 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 The list of a specific severity is updated if needed whenever you install a content update. If any other applications. Reactions A reaction is what the Host Intrusion Prevention client does when a signature of signatures is triggered. The event is logged but you can access HTML files. NOTE: Logging can be part of three...
Product Guide
Page 34
... Host IPS service has started on the client for clients on the client. • Retain existing client rules when this policy is manually removed from the application of host IPS rules. • Automatically block network intruders - Select this option to client systems. IPS protection on a Windows client, when this policy is enabled: • Automatically block network intruders for ePolicy Orchestrator 4.5 The preconfigured policy has these settings: McAfee Default Host IPS and Network IPS protection is disabled, and these options...
Product Guide
Page 53
... to create two rules: • Block Rule - Host Intrusion Prevention uses precedence to restrict network traffic. This ensures that traffic has to block the HTTP request from a specific address (for ePolicy Orchestrator 4.5 53 Both firewall rules and groups distinguish between wired, wireless, and virtual links. Firewall protocols Firewall protection works at the top of the firewall rules list is applied first. McAfee Host Intrusion Prevention 8.0 Product Guide for example, IP address 10...
Product Guide
Page 55
...-specific. IP protocol numbers are associated with many of the items associated with multiple network interfaces can be created to block or allow you to resolve URLs • WINS server used McAfee Host Intrusion Prevention 8.0 Product Guide for unsupported protocols" in the Firewall Options policy is selected. How firewall rule groups work Group firewall rules for several network protocols that computers with rules, including network options, transport options, applications, and schedules. Groups are listed at least minimally supported...
Product Guide
Page 60
... state table. The time limit (in the state table is automatically permitted. 60 McAfee Host Intrusion Prevention 8.0 Product Guide for IP addresses permits addresses 32 bits long, whereas IPv6, a newer standard, permits addresses 128 bits long. How stateful filtering works Stateful filtering involves processing a packet against the new rule set with the connection. • Timeout - The state table entries result from 0 to the application level commands provides error-free inspection and securing...
Product Guide
Page 69
... Location Network Transport Application Schedule Set these options... On this tab... on each tab, which you access by clicking Next or the tab link. click Edit under Actions to edit an existing group. 2 Enter the appropriate information on the page displaying the options. 1 On the Firewall Rules policy page, click New Rule to create a new rule; Name (required), action, direction, status. Use a single purpose group with a single purpose. McAfee Host Intrusion Prevention 8.0 Product Guide for example, VPN connection. Configuring...
Product Guide
Page 83
... time-based passwords, allow an administrator or user to temporarily unlock the interface and make changes. Client console for Windows clients The Host Intrusion Prevention client console gives you to several tabs, which contains the password settings, has been applied to a specific Host Intrusion Prevention feature. To open the console, do one of the Windows client Click... This occurs at the scheduled policy update or by the Client UI policy, and enables you access to customize these settings for the groups. Setting client UI options...
Product Guide
Page 137
... Reporting on the ePolicy Orchestrator server and reproduce the issue. 2 Search in HipShield.log: 1 Identify the executables associated with this indicates a security update patch is updated? McAfee Host Intrusion Prevention 8.0 Product Guide for protection from the ePolicy Orchestrator server and apply the policy to the event. Retest with the application. 2 Exclude the executables for ePolicy Orchestrator 4.5 137 If you have an application whose behavior changed after Host Intrusion Prevention is installed or content...