2013 © McAfee Inc. External Use
Increasing Host IPS Management Success
Tech|60 Webinar Series
Tech|60 Webinar Series, March 4/6, 2013
Today’s Tech|60 Presenters
Brad Gable, Senior Tier III Product Engineer, Endpoint Security
Kary Tankink, Senior Enterprise Product Engineer, Endpoint Security
HIPS Troubleshooting and Tuning
Brad Gable, Senior Tier III Product Engineer, Endpoint Security, McAfee Support
McAfee Host IPS – Current Versions
Host IPS 8.0
• Version 8.0.0.2151 for Windows (Patch 2)
• Version 8.0.0.2482 for Windows (Patch 2 + Hotfix 803520 rollup)
• Version 8.0.0.1741 for Solaris
• Version 8.0.0.1919 for Linux
• ePO Extension 8.0.0.600
HIPS Patch release cycle: Feb, Jun, Oct (see KB51560)
Case for Keeping Up to Date
• Latest codebase is best
– The software landscape is constantly maturing and changing
– New fixes are put into the next releases
• Management effort made easy
– Maintaining multiple versions is difficult
– Maintaining upgrade paths for older versions is difficult
– Many fixes cannot be back-ported to earlier versions
Host IPS — The Basics
• Host IPS signature content provides protection from known system vulnerabilities and unknown zero-day threats
• Zero-day threats: Occur between disclosure of the vulnerability and patch deployment to all endpoints — you have “zero days” to bridge the security gap
• Host IPS contains generic buffer overflow protection and other generic signature mechanisms to protect systems during this zero-day gap period
McAfee recommends applying security updates ASAP to reduce frequent or repeated IPS signature detections
Best Practices — What to Avoid
• Don’t assume that every endpoint system can use the same policies; different roles (servers, workstations, remote users) need different policies
• Don’t skimp on testing and validation against the standard enterprise image
• Don’t “set and forget”
• Don’t make multiple changes at once
• Don’t leave Adaptive Mode on indefinitely
For more information, refer to PD20796 — “Adopting HIPS Best Practices for Quick Success”
Assessing Host IPS Security Events
• Identify the signature number that is being triggered and the description information from the IPS Rules policy in ePolicy Orchestrator (ePO)
• Review the referenced CVE description links, if any are included in the description information for that signature
• Identify whether any Microsoft TechNet Security Bulletins are linked to the applicable vulnerability, and whether any updates have been released
• Verify whether systems reporting the IPS event have any applicable MS Security Updates applied
– If YES, the IPS Signature may be disabled on systems with the MS Security Updates applied
– If NO, McAfee recommends that you apply the applicable MS Security Updates to the affected systems ASAP
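The assessment steps above can be turned into a repeatable check. The following is an added worked example (not McAfee code and not an ePO feature): it joins exported IPS events to the CVE references of each signature and to each host's installed Microsoft updates, then classifies every host/signature pair as patched (the signature may be disabled there), patch now, or no update available. Every signature ID, CVE ID, KB number and host name is a constructed placeholder; in practice the inputs come from ePO event queries, the signature descriptions, the linked bulletins and your patch inventory.

```python
"""Triage of Host IPS signature events against a patch inventory.

Added example, not McAfee code.  The events, the CVE references per
signature, the CVE-to-update mapping and the per-host installed-update lists
are all constructed here; in practice they come from ePO event queries, the
signature descriptions in the IPS Rules policy, the linked Microsoft security
bulletins and your patch-management inventory.  Every identifier below is a
placeholder, not a real signature, CVE or KB number.
"""
from collections import defaultdict

# Constructed: signature ID -> CVE references taken from its description.
SIGNATURE_CVES = {
    1001: ("CVE-0000-0001",),
    1002: ("CVE-0000-0002", "CVE-0000-0003"),
    1003: ("CVE-0000-0004",),  # no security bulletin or update linked yet
}

# Constructed: CVE -> updates any one of which closes it (a superseding
# update counts).  A CVE absent from this map has no update available.
CVE_FIXES = {
    "CVE-0000-0001": {"KB0000001"},
    "CVE-0000-0002": {"KB0000002", "KB0000012"},
    "CVE-0000-0003": {"KB0000003"},
}

# Constructed: host -> installed Microsoft updates reported by inventory.
INSTALLED = {
    "ws-01": {"KB0000001", "KB0000012", "KB0000003"},
    "ws-02": {"KB0000001"},
    "srv-01": set(),
}

# Constructed IPS events (host, signature ID) as exported from ePO; note the
# repeated detection on ws-01, which is what patching should make go away.
EVENTS = [
    ("ws-01", 1001), ("ws-01", 1002), ("ws-02", 1002),
    ("srv-01", 1001), ("ws-01", 1003), ("ws-01", 1001),
]


def host_status(host, sig_id, signature_cves=SIGNATURE_CVES,
                cve_fixes=CVE_FIXES, installed=INSTALLED):
    """Classify one (host, signature) pair; returns (status, open_cves).

    'patched'   every referenced CVE is closed by an installed update, so the
                signature may be disabled for this host.
    'patch_now' an update exists for an open CVE but is not installed: apply
                it ASAP and keep the signature enabled meanwhile.
    'no_update' no update is linked to the open CVE(s); the signature is the
                only protection and must stay enabled.
    """
    have = installed.get(host, set())
    open_cves = [cve for cve in signature_cves[sig_id]
                 if not (cve_fixes.get(cve, set()) & have)]
    if not open_cves:
        return "patched", []
    if any(cve in cve_fixes for cve in open_cves):
        return "patch_now", open_cves
    return "no_update", open_cves


def triage(events=EVENTS, **sources):
    """Deduplicate the events and classify each (host, signature) pair once."""
    return {pair: host_status(*pair, **sources) for pair in sorted(set(events))}


def disable_candidates(results):
    """Signature -> hosts fully patched for it, where it may be disabled."""
    cand = defaultdict(set)
    for (host, sig), (status, _open) in results.items():
        if status == "patched":
            cand[sig].add(host)
    return {sig: sorted(hosts) for sig, hosts in sorted(cand.items())}


def patch_worklist(results, cve_fixes=CVE_FIXES):
    """Host -> CVEs still open on it that an available update would close."""
    work = defaultdict(set)
    for (host, _sig), (status, open_cves) in results.items():
        if status == "patch_now":
            work[host].update(c for c in open_cves if c in cve_fixes)
    return {host: sorted(cves) for host, cves in sorted(work.items())}


if __name__ == "__main__":
    results = triage()
    for (host, sig), (status, open_cves) in results.items():
        print(f"{host:8} sig {sig}: {status:10} {' '.join(open_cves)}")
    print("may disable:", disable_candidates(results))
    print("patch now:  ", patch_worklist(results))
```

The point of separating the three outcomes is that "disable the signature" is only safe where the inventory proves the fix is present; a signature whose CVE has no update at all stays on everywhere, however noisy it is.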
IPS Signature Descriptions (screenshot slide)
CVE Descriptions (screenshot slide)
MS Security Bulletin (screenshot slide)
Third-Party Program Interoperability Tuning
• Troubleshooting when a network-facing application or its traffic is blocked by the Host Intrusion Prevention firewall (KB67055)
• Third-party application stops working or is impaired after HIPS is installed or content is updated (KB67056)
• HIPS 7.0 / 8.0 agent logging and troubleshooting on Microsoft Windows, including debug logging (KB51517)
NOTE: If you have to escalate an unresolvable issue, it’s important that you also engage the third-party vendor for analysis along with McAfee. Many interoperability issues require resolution by the third-party vendor. McAfee is committed to working closely with third-party vendors to resolve these issues.
Tips for Successful Firewall Tuning
• Host IPS 8.0 includes simplified default firewall policy rule templates on which to base your policy
• The firewall is stateful: return traffic for a connection allowed by a rule does not need a rule of its own
• Location-aware groups further define rule sets for remote users off the normal LAN
• Trusted Networks — making networks trusted eliminates or reduces the need for network IPS exceptions and additional firewall rules (for Windows clients only)
• Trusted Applications — designating applications as trusted eliminates or reduces the need for IPS exceptions and additional firewall rules
Firewall Adaptive Mode
• Only use Adaptive Mode temporarily on a small number of systems to aid in firewall rules tuning
• Review client adaptive rules daily — or at a minimum, on a weekly basis
• Review the learned firewall client rules and fold the ones you want to keep into a tuning Firewall Rules policy for those systems
• Tuning should be an iterative process
NOTE: Some network traffic related to applications might not be recognized by the Adaptive Mode, and you might have to configure firewall rules manually. Consult with your application vendor for information on application-specific firewall configurations to ensure functionality.
Managing the Host IPS Environment
Kary Tankink, Senior Enterprise Product Engineer, Endpoint Security, McAfee Support
HIPS in the Enterprise
Deployment Recommendations
• Identify non-critical users/systems with different roles/functions (remote users, workstation users, file servers, web servers, etc.) on which to initially deploy the product and start tuning policies
• Ensure that deployment tasks are set up at the proper ePO System Tree level to avoid unintended product deployments
• For detailed recommendations, refer to the HIPS Best Practice Guide (KB70877)
Documenting Configuration Changes
• Document policy changes using timestamps, naming conventions, role names, etc.
• Duplicate or export copies of policies before changing them
• Avoid making major changes to a policy that could greatly affect product functionality without first testing those changes in a separate test environment
Enforcing Policy Changes on Clients
• Ensure that policy and assignment changes are made at the correct organizational level (e.g., editing a policy from a single system’s page does not limit the change to that system unless policy inheritance is broken there and a different policy is assigned to that system)
• Host IPS 8.0 reports policy names in the ePO client node properties and in the local client registry, so you can verify that a policy change has actually been enforced
HIPS 8.0 Policy Names Reported in ePO Client Node Properties (screenshot slide)
HIPS 8.0 Policy Names Reported in the Registry (screenshot slide)
Common HIPS Issues
Network IPS exceptions (KB77236)
• In Host IPS 8.0, exceptions for Network IPS signatures can be created using IPS Exceptions
• Entering IP addresses into the Trusted Networks policy and enabling Trust for IPS is the alternative method carried over from previous HIPS versions
Executable File Description (KB71735)
• The Description field is not a comment field; it is a matching criterion compared against the running executable’s file description
• An incorrect Description causes IPS exceptions and firewall rules to fail, because the defined application no longer matches the running application
Executable File Description (screenshot slide)
Multi-slot Policies (PD22894, p. 38)
• McAfee Default should always be assigned to the IPS Rules and Trusted Applications policies. This ensures that monthly Host IPS content changes are applied properly
• Multiple policies can be assigned, depending on the ePO System Tree hierarchy; no specific order is required when assigning multiple policies
– Policy 1: McAfee Default
– Policy 2: All Servers
– Policy 3: Web Servers only
Multi-slot Policies – Assigned Policies (screenshot slide)
Multi-slot Policies – Viewing Assignments (screenshot slide)
Common Firewall Issues
Loopback Network Adapter Traffic (KB71230)
• Loopback traffic is used by many different applications, and in HIPS 8.0 a firewall rule is required to allow loopback adapter traffic to/from the system
• Many customers have no firewall rule for loopback address traffic because it was not needed in HIPS 7.0 policies, so migrated HIPS 7.0 policies need this rule added
Loopback Network Adapter Traffic Rule (screenshot slide)
Allow Traffic for Unsupported Protocols (KB66899)
• This option allows traffic for protocols unknown to Host IPS. Use it as a diagnostic to determine whether HIPS is blocking some unknown-protocol traffic that applications in your environment need
• Once the protocol is identified, create firewall rules for the specific EtherType protocols (typically listed in the HIPS Activity log as 0x#### event entries) rather than leaving all unknown protocols allowed
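As an added example (not McAfee code), the following script pulls the 0x#### EtherType values from blocked entries in Activity-log-style lines, names the IEEE-registered ones, and ranks them so each can get its own EtherType firewall rule. The log lines are constructed and the line layout in LINE_RE is an assumption for the sample; the real HIPS Activity log format differs and the expression must be adapted to it.

```python
"""Find which EtherTypes the Host IPS firewall is dropping as "unsupported".

Added example, not McAfee code.  The log lines are constructed to show the
one detail the deck gives (a blocked frame logged with its 0x#### protocol
value); the real HIPS Activity log layout differs, so LINE_RE is an
assumption to adapt to your own log.  EtherType names are from the IEEE
EtherType registry.
"""
import re
from collections import Counter

# IEEE-registered EtherTypes that commonly appear on enterprise LANs.
ETHERTYPE_NAMES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
    0x8100: "802.1Q VLAN tag", 0x88A8: "802.1ad QinQ",
    0x88CC: "LLDP", 0x88F7: "PTP (IEEE 1588)",
    0x8863: "PPPoE Discovery", 0x8864: "PPPoE Session",
    0x8847: "MPLS unicast", 0x88E5: "MACsec", 0x8892: "PROFINET",
    0x88B8: "IEC 61850 GOOSE", 0x9000: "Ethernet loopback test",
}

# Protocols the firewall's normal IP/ARP rules already cover; if these show
# up as blocked, the fix is an ordinary rule (e.g. the loopback rule), not
# the unsupported-protocols option.
IP_FAMILY = {0x0800, 0x0806, 0x86DD}

# Assumed layout: "<date> <time> <Blocked|Allowed> proto=0x#### <src> -> <dst>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>Blocked|Allowed)\s+"
    r"proto=(?P<proto>0x[0-9A-Fa-f]{4})\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)$"
)

# Constructed sample, including one line that does not parse.
SAMPLE_LOG = """\
2013-03-04 09:12:01 Blocked proto=0x88CC 00:11:22:33:44:55 -> 01:80:c2:00:00:0e
2013-03-04 09:12:07 Blocked proto=0x88F7 00:11:22:33:44:55 -> 01:1b:19:00:00:00
2013-03-04 09:12:07 Allowed proto=0x0800 10.0.0.5 -> 10.0.0.1
2013-03-04 09:12:09 Blocked proto=0x88CC 00:11:22:33:44:55 -> 01:80:c2:00:00:0e
2013-03-04 09:12:15 Blocked proto=0x9999 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff
service restarted by user
"""


def parse_log(text):
    """Yield one dict per parseable line with the EtherType as an int."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ethertype"] = int(rec.pop("proto"), 16)
            yield rec


def describe(ethertype):
    """Human-readable name, or a marker for unregistered/unknown values."""
    return ETHERTYPE_NAMES.get(ethertype, "not in registry table; check vendor docs")


def blocked_ethertypes(text):
    """Counter of EtherTypes seen on Blocked lines, IP family excluded."""
    return Counter(rec["ethertype"] for rec in parse_log(text)
                   if rec["action"] == "Blocked" and rec["ethertype"] not in IP_FAMILY)


def summarize(text):
    """(hex, name, count) per blocked EtherType, most frequent first.

    Each row is a candidate for its own EtherType firewall rule scoped to
    that one value, instead of leaving 'Allow Traffic for Unsupported
    Protocols' enabled.
    """
    return [(f"0x{et:04X}", describe(et), n)
            for et, n in blocked_ethertypes(text).most_common()]


if __name__ == "__main__":
    for hexval, name, count in summarize(SAMPLE_LOG):
        print(f"{hexval}  {count:3d}  {name}")
```

An EtherType that is not in the registry table (0x9999 in the sample) is the case to take to the application vendor before writing a rule for it: a rule that allows an unidentified protocol is just a narrower version of the blanket option.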
Allow Traffic for Unsupported Protocols (screenshot slide)
TrustedSource (GTI) Functionality (KB74925)
• Ratings are performed against the IP address, not the domain name
• Traffic to a domain is blocked only if the IP address the domain resolves to matches the configured TrustedSource threshold (Unverified, Medium, or High Risk)
TrustedSource GTI (screenshot slide): the domain name is rated High Risk, but the IP address it resolves to is not.
Disadvantage of using a BLOCK ALL rule in the Firewall Rules policy
• If a BLOCK ALL rule is configured in your Firewall Rules policy, Learn/Adaptive Mode stops working, because the BLOCK ALL rule is processed before the Adaptive/Learn Mode rule
• The HIPS client already includes a built-in BLOCK ALL TRAFFIC rule: network traffic that is not allowed by other firewall rules is blocked automatically
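To make the ordering point concrete, here is an added example (not McAfee code) that models the rule list as first-match: policy rules top to bottom, then the Adaptive/Learn step, then the client's built-in block. It runs the same traffic through a policy with and without an explicit BLOCK ALL rule and counts the client rules Adaptive mode learns; it also shows that with Adaptive mode off the explicit rule changes no decision at all. The rule fields, flows and rule names are a simplification, not HIPS rule syntax.

```python
"""First-match model of the Host IPS 8.0 firewall rule list, showing why an
explicit BLOCK ALL rule in the Firewall Rules policy defeats Adaptive mode.

Added example, not McAfee code.  The evaluation order (policy rules top to
bottom, then the client's Adaptive/Learn Mode step, then the client's
built-in BLOCK ALL TRAFFIC) follows the deck; the rule fields and flows are
a deliberately small stand-in for the real client, not its rule syntax.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dport: int
    direction: str    # "in" or "out"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    proto: str = "any"
    dport: Optional[int] = None
    direction: str = "any"

    def matches(self, flow):
        return (self.proto in ("any", flow.proto)
                and (self.dport is None or self.dport == flow.dport)
                and self.direction in ("any", flow.direction))


# An explicit catch-all block, as some migrated policies carry at the bottom.
EXPLICIT_BLOCK_ALL = Rule("policy BLOCK ALL", "block")
BUILTIN_BLOCK_ALL = "client built-in BLOCK ALL TRAFFIC"


class Client:
    """Minimal HIPS firewall client: policy rules, then learn step, then block."""

    def __init__(self, policy_rules, adaptive):
        self.policy_rules = list(policy_rules)
        self.adaptive = adaptive
        self.client_rules = []    # allow rules learned in Adaptive mode

    def evaluate(self, flow):
        """Return (action, name of the rule that decided)."""
        for rule in self.policy_rules:
            if rule.matches(flow):
                return rule.action, rule.name
        if self.adaptive:
            # Adaptive/Learn Mode: nothing in the policy matched, so record an
            # allow rule for this traffic and let it through.
            learned = Rule(f"learned {flow.proto}/{flow.dport} {flow.direction}",
                           "allow", flow.proto, flow.dport, flow.direction)
            if learned not in self.client_rules:
                self.client_rules.append(learned)
            return "allow", learned.name
        return "block", BUILTIN_BLOCK_ALL


BASE_POLICY = [
    Rule("allow HTTPS out", "allow", "tcp", 443, "out"),
    Rule("allow DNS out", "allow", "udp", 53, "out"),
]

# Constructed traffic: two flows the policy covers, two it does not.
TRAFFIC = [
    Flow("tcp", 443, "out"), Flow("tcp", 8443, "out"),
    Flow("udp", 161, "in"), Flow("tcp", 443, "out"),
]


def run(policy_rules, adaptive, traffic=TRAFFIC):
    """Evaluate the traffic and return (decisions, learned client rules)."""
    client = Client(policy_rules, adaptive)
    decisions = [client.evaluate(f) for f in traffic]
    return decisions, client.client_rules


def compare(traffic=TRAFFIC):
    """Learned-rule counts in Adaptive mode without / with the explicit BLOCK ALL."""
    _, learned_without = run(BASE_POLICY, True, traffic)
    _, learned_with = run(BASE_POLICY + [EXPLICIT_BLOCK_ALL], True, traffic)
    return len(learned_without), len(learned_with)


def same_enforcement(traffic=TRAFFIC):
    """With Adaptive mode off, the explicit rule changes no decision: the
    client's built-in block already drops what no rule allows."""
    without, _ = run(BASE_POLICY, False, traffic)
    with_rule, _ = run(BASE_POLICY + [EXPLICIT_BLOCK_ALL], False, traffic)
    return [a for a, _ in without] == [a for a, _ in with_rule]


if __name__ == "__main__":
    print("learned rules without / with explicit BLOCK ALL:", compare())
    print("same decisions when not adaptive:", same_enforcement())
```

With the explicit rule present, the two unmatched flows are decided by "policy BLOCK ALL" and nothing is learned, so the tuning pass produces no client rules to review; without it, Adaptive mode records two candidate rules and the built-in block still applies once Adaptive mode is turned off.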
Disadvantage of Using BLOCK ALL Rule (screenshot slide)
Working with McAfee Support
What You Can Do BEFORE You Call
Review KB54960 — “How to isolate a suspect component in Host IPS”
1. Disable the HIPS components (IPS, Firewall, and HIPS 7.0 Application Blocking) one at a time to isolate which module may be causing the issue
2. Stop the HIPS service
3. Test the HIPS NDIS driver
a. HIPS 8.0: enable FWPassthru (KB75917)
b. HIPS 7.0: remove the NDIS drivers (KB51676)
What You Should Have WHEN You Call
1. Detailed description of the issue
2. Host IPS build installed (KB70725)
3. Results of component isolation
4. HIPS full debugging enabled (KB72869)
Questions…
Thank You for Attending!
More questions? Go to community.mcafee.com, click on “Business”, then “Host Intrusion Prevention” under the Endpoint Security section.