McAfee Desktop Firewall


McAfee Desktop Firewall Product Guide, Revision 1.0, version 8.0

2 COPYRIGHT 2003 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies. To obtain this permission, write to the attention of the Network Associates legal department at: 5000 Headquarters Drive, Plano, Texas 75024, or call TRADEMARK ATTRIBUTIONS Active Firewall, Active Security, Active Security (in Katakana), ActiveHelp, ActiveShield, AntiVirus Anyware and design, AVERT, Bomb Shelter, Certified Network Expert, Clean-Up, CleanUp Wizard, CNX, CNX Certification Certified Network Expert and design, Covert, Design (stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (in Katakana), Dr Solomon s, Dr Solomon s label, Enterprise SecureCast, Enterprise SecureCast (in Katakana), epolicy Orchestrator, Event Orchestrator (in Katakana), EZ SetUp, First Aid, ForceField, GMT, GroupShield, GroupShield (in Katakana), Guard Dog, HelpDesk, HomeGuard, Hunter, LANGuru, LANGuru (in Katakana), M and design, Magic Solutions, Magic Solutions (in Katakana), Magic University, MagicSpy, MagicTree, McAfee, McAfee (in Katakana), McAfee and design, McAfee.com, MultiMedia Cloaking, Net Tools, Net Tools (in Katakana), NetCrypto, NetOctopus, NetScan, NetShield, NetStalker, Network Associates, Network Policy Orchestrator, NetXray, NotesGuard, npo, Nuts & Bolts, Oil Change, PC Medic, PCNotary, PortalShield, Powered by SpamAssassin, PrimeSupport, Recoverkey, Recoverkey International, Registry Wizard, Remote Desktop, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, SmartDesk, Sniffer, Sniffer (in Hangul), SpamKiller, SpamAssassin, Stalker, SupportMagic, ThreatScan, TIS, TMEG, Total Network Security, Total Network Visibility, Total Network 
Visibility (in Katakana), Total Service Desk, Total Virus Defense, Trusted Mail, UnInstaller, Virex, Virus Forum, ViruScan, VirusScan, WebScan, WebShield, WebShield (in Katakana), WebSniffer, WebStalker, WebWall, Who s Watching Your Network, WinGauge, Your E-Business Defender, ZAC 2000, Zip Manager are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners. This product includes or may include software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( This product includes or may include cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes or may include some software programs that are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or other similar Free Software licenses which, among other rights, permit the user to copy, modify and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires that for any software covered under the GPL which is distributed to someone in an executable binary format, that the source code also be made available to those users. For any such software covered under the GPL, the source code is made available on this CD. If any Free Software licenses require that Network Associates provide rights to use, copy or modify a software program that are broader than the rights granted in this agreement, then such rights shall take precedence over the rights and restrictions herein. LICENSE AGREEMENT NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. 
IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO NETWORK ASSOCIATES OR THE PLACE OF PURCHASE FOR A FULL REFUND. Issued April 2003 / McAfee Desktop Firewall TM software version 8.0 DOCUMENT BUILD # DBN 007-EN

Contents

Preface
  Audience
  Conventions
  Getting information
  Contacting McAfee Security & Network Associates

Introducing Desktop Firewall
  What is Desktop Firewall?
  About the firewall
  About the application monitoring system
  About the intrusion detection system (IDS)
  What are the two versions of Desktop Firewall?
  What's new in this release?
  Common features
  Bi-directional Learn Mode
  Application monitoring
  Support for rules based on non-IP protocols
  Support for rules based on wireless traffic
  Support for domain-based rules
  Support for time-based rules
  Updateable IDS signatures
  Policy Archives
  ePolicy Orchestrator features
  Improved reports and filtering
  Quarantine Mode
  Audit Learn Mode
  Remote ruleset monitoring
  Browsable known rules

Section 1 Using Desktop Firewall as a Stand-Alone Product

2 Getting Started with Desktop Firewall
  A quick tour of the Desktop Firewall interface
  The system tray
  The system tray icon
  The shortcut menu
  The main console
  The menus
  The Task menu
  The Edit menu
  The View menu
  The Help menu
  The Firewall Policy tab
  The Trusted Networks dialog box
  The Firewall Rule dialog box
  The firewall's Learn Mode alert
  The Application Policy tab
  The Application Rule dialog box
  The application monitoring Learn Mode alerts
  The Intruder Policy tab
  The Blocked Host dialog box
  The Intrusion Detected Alert dialog box
  The Spoof Detected Alert dialog box
  The Activity Log tab
  Starting and stopping Desktop Firewall
  Choosing which features to run
  Enabling and disabling all product features
  Enabling and disabling the firewall feature
  Enabling and disabling the application monitoring feature
  To enable and disable application creation monitoring
  To enable and disable application hook monitoring
  Enabling and disabling the IDS feature
  Enabling and disabling the logging feature
  To enable and disable firewall logging

3 Setting Up the Firewall
  About the firewall feature
  Firewall rules and precedence
  Ordering your firewall rule list
  Protection levels and policy archives
  The software's default protection levels
  The Learning Starter protection level
  The Minimal protection level
  The Client Medium protection level
  The Client High protection level
  The Server Medium protection level
  The Server High protection level
  Firewall Learn Mode alerts
  Trusted networks
  Setting up the firewall feature
  Enabling and disabling the firewall feature
  Enabling and disabling Firewall Learn Mode
  To enable and disable Learn Mode for incoming traffic
  To enable and disable Learn Mode for outgoing traffic
  Using protection levels and policy archives
  Using a protection level
  Using a policy archive
  Creating a policy archive
  Creating a policy archive using the Export Policy feature
  Creating a policy archive using the Edit Policy Archive dialog box
  Editing a policy archive
  Deleting a policy archive
  Setting up trusted networks
  Setting trusted network options
  Adding someone to the Trusted Networks list
  Removing someone from the Trusted Networks list
  Responding to firewall Learn Mode alerts
  To respond to a firewall Learn Mode alert
  Working with firewall rules
  Creating a new firewall rule
  Copying a firewall rule
  Editing a firewall rule
  Deleting a firewall rule
  Enabling and disabling a firewall rule
  Creating a new rule group
  Exporting a policy file
  Importing a policy file

Setting Up the Intrusion Detection System (IDS)
  About the IDS feature
  Intrusion alerts
  Setting up the IDS feature
  Enabling and disabling the IDS feature
  Enabling and disabling intrusion alerts
  Configuring the software's default response to intrusions
  To automatically block potential intruders
  To automatically allow potential intruders
  Setting up notification options
  Selecting the attacks you want to scan for
  Responding to Intrusion Detected Alerts
  Working with blocked addresses
  Adding someone to the blocked addresses list
  Removing someone from the blocked addresses list
  Tracing an IP address
  Updating IDS signatures
  Updating IDS signatures immediately
  Scheduling regular IDS signature updates
  Enabling AutoUpdate
  Setting up an AutoUpdate schedule
  Running AutoUpdate daily
  Running AutoUpdate weekly
  Running AutoUpdate monthly
  Running AutoUpdate once
  Running AutoUpdate when your computer starts
  Running AutoUpdate when you log on
  Running AutoUpdate when your computer is idle
  Running AutoUpdate immediately
  Running AutoUpdate over a dial-up connection
  Applying advanced schedule options

5 Setting Up Application Monitoring
  About the application monitoring feature
  Application Learn Mode alerts
  Setting up the application monitoring feature
  Enabling and disabling the application monitoring feature
  To enable and disable application creation monitoring
  To enable and disable application hook monitoring
  Enabling and disabling Application Learn Mode
  To enable and disable Application Creation Learn Mode
  To enable and disable Application Hooking Learn Mode
  Responding to Application Learn Mode Alerts
  Working with application rules
  Creating a new application rule
  Editing an application rule
  Deleting an application rule
  Disabling an application rule

Setting Up Logging
  About logging
  IDS events in the Activity Log
  Finding and exporting IDS event data
  System events in the Activity Log
  Setting up the logging feature
  Enabling and disabling firewall logging
  Filtering log events
  Sorting log events
  Saving the log
  Clearing the log

Section 2 Using Desktop Firewall with ePolicy Orchestrator

7 Getting Started with Desktop Firewall and ePO
  About ePolicy Orchestrator
  The ePolicy Orchestrator system
  How Desktop Firewall works with ePolicy Orchestrator
  A quick tour of the ePolicy Orchestrator interface
  The console tree
  The details pane
  Accessing Desktop Firewall through ePolicy Orchestrator
  The Policies view
  The Firewall Configuration tab
  The Application Configuration tab
  The Intrusion Configuration tab
  The Administrative Configuration tab
  The Properties view
  The Tasks view

Setting Up the Software for Deployment
  About policy inheritance
  Choosing which features to run
  Enabling and disabling the firewall feature
  Enabling and disabling the application monitoring feature
  To enable and disable application creation monitoring
  To enable and disable application hook monitoring
  Enabling and disabling the IDS feature
  Controlling the user's experience
  Showing and hiding Desktop Firewall
  Locking and unlocking parts of the Desktop Firewall interface
  Enabling and disabling the Export Policy option
  Configuring the software by importing a policy file
  Importing a policy file into ePolicy Orchestrator
  Setting up the ePO reporting feature
  Enabling and disabling the ePO reporting option
  Controlling Desktop Firewall policy enforcement
  Enforcing policies

9 Setting Up the Firewall Using ePO
  Working with firewall rules in ePO
  Reviewing a user's rules
  To copy a user's rules
  To preserve or overwrite user rules
  Using known rules
  Adding known rules to your firewall rule list
  Using Audit Learn Mode to create rules
  Turning Firewall Audit Learn Mode on and off
  Setting up quarantines
  How Quarantine Mode works
  Setting up Quarantine Mode
  Opening the Quarantine Mode dialog box
  Enabling and disabling Quarantine Mode
  Defining quarantined networks
  Configuring the Quarantine Mode failure option
  Setting up a quarantine notification message
  Viewing and editing the Quarantine Mode rule list

Setting Up the Intrusion Detection System Using ePO
  About the IDS feature and ePO
  Setting up the IDS feature in ePO
  Selecting the attacks you want to scan for in ePO
  Clearing a user's blocked addresses list automatically

Setting Up Application Monitoring Using ePO
  Working with application rules in ePO
  Reviewing a user's rules
  To copy a user's rules
  To preserve or overwrite user rules
  Using Audit Learn Mode to create rules
  Turning the application Audit Learn Modes on and off

12 Creating Reports Using ePO
  About Desktop Firewall reports
  Event data and ePolicy Orchestrator
  Performing an agent wakeup call
  The Desktop Firewall reports
  Creating Desktop Firewall reports
  Accessing the ePO Reports feature
  Selecting groups to report on
  Generating a report

Section 3 Appendices, Glossary, & Index

A Error Reporting
  Using the error reporting utility
  To run the error reporting utility with Desktop Firewall (stand-alone version)
  To run the error reporting utility with Desktop Firewall (ePolicy Orchestrator version)
  To use the error reporting utility

Glossary

Index

Preface

This guide introduces McAfee Desktop Firewall™ software version 8.0, and provides the following information:

- Overview of the product.
- Descriptions of product features.
- Procedures for performing tasks.
- Glossary of terms.

Audience

This information is intended primarily for two audiences:

- Network administrators who are responsible for their company's anti-virus and security program.
- Users with some responsibility for configuring and using the software on their own workstations.

Conventions

This guide uses the following conventions:

- Bold: All words from the user interface, including options, menus, buttons, and dialog box names. Example: Type the User name and Password of the desired account.
- Courier: Text that represents something the user types exactly; for example, a command at the system prompt. Example: To enable the agent, run this command line on the client computer: FRMINST.EXE /INSTALL=AGENT /SITEINFO=C:\TEMP\SITELIST.XML
- Italic: Names of product manuals and topics (headings) within the manuals; emphasis; introducing a new term. Example: Refer to the Desktop Firewall Product Guide for more information.
- <TERM>: Angle brackets enclose a generic term. Example: In the console tree under ePolicy Orchestrator, right-click <SERVER>.
- NOTE: Supplemental information; for example, an alternate method of executing the same command.
- WARNING: Important advice to protect a user, computer system, enterprise, software installation, or data.

Getting information

- Installation Guide *: System requirements and instructions for installing and starting the software. Desktop Firewall 8.0 Installation Guide
- Product Guide *: (This guide.) Product introduction and features, detailed instructions for configuring the software, information on deployment, recurring tasks, and operating procedures. Desktop Firewall 8.0 Product Guide
- Help: High-level and detailed information on configuring and using the software. What's This? field-level help.
- Release Notes: ReadMe. Product information, resolved issues, any known issues, and last-minute additions or changes to the product or its documentation.
- Contacts: Contact information for McAfee Security and Network Associates services and resources: technical support, customer service, AVERT (Anti-Virus Emergency Response Team), beta program, and training. This file also includes phone numbers, street addresses, web addresses, and fax numbers for Network Associates offices in the United States and around the world.

* An Adobe Acrobat .PDF file on the product CD or the McAfee Security download site.
A printed manual that accompanies the product CD.
Text files included with the software application and on the product CD.
Help accessed from the software application: Help menu and/or Help button for page-level help; right-click option for What's This? help.

Contacting McAfee Security & Network Associates

- Technical Support: Home Page; KnowledgeBase Search; PrimeSupport Service Portal *
- McAfee Beta Program
- AVERT Anti-Virus Emergency Response Team: Home Page; Virus Information Library; Submit a Sample
- Download Site: Home Page; DAT File and Engine Updates; Product Upgrades *
- Training: On-Site Training; McAfee Security University
- Network Associates Customer Service: Web US, Canada, and Latin America toll-free: ftp://ftp.nai.com/pub/antivirus/datfiles/4.x services_corporate_division@nai.com Phone VIRUS NO or Monday-Friday, 8 a.m.-8 p.m., Central Time

For additional information on contacting Network Associates and McAfee Security, including toll-free numbers for other geographic areas, see the Contact file that accompanies this product release.

* Login credentials required.

1 Introducing Desktop Firewall

This section introduces Desktop Firewall 8.0 and its features:

- What is Desktop Firewall?
- What are the two versions of Desktop Firewall?
- What's new in this release?

What is Desktop Firewall?

The Desktop Firewall software provides security for individual computers. It protects computers from external threats (such as hackers) and from internal threats (such as some viruses). It secures computers using several features, including:

- A firewall that inspects incoming and outgoing network traffic, and either blocks it or allows it, based on rules that you set up.
- An application monitoring system, which monitors the applications you use and prevents those you specify from starting, or from binding themselves to other programs.
- An intrusion detection system (IDS) that scans traffic destined for your computer and identifies any potential attacks on your system.
- An activity log that records information about Desktop Firewall actions. You can use this log to troubleshoot problems, or review past activities.

You can use all of these features together, or only those features that you need.

About the firewall

Desktop Firewall includes a software firewall feature. This firewall is a program that acts as a filter between your computer and the network or Internet. The firewall can scan all traffic arriving at your computer (incoming traffic) and all traffic sent by your computer (outgoing traffic). It scans traffic at the packet level.

As it reviews each arriving or departing packet, the firewall checks its list of rules. A rule is a set of criteria with an associated action. If a packet matches all the criteria in a rule, the firewall performs the action specified by the rule: either allowing the packet through the firewall, or blocking it.

For example, a rule might allow DNS lookups. To accomplish this, the rule would specify that it only applies to packets using the UDP protocol and the DNS service (on port 53). The associated action would be Allow. Any time the firewall intercepted a DNS lookup packet, it would check its rule list, find that the packet matched this particular rule, and allow it through the firewall.

You can make rules as simple or complex as you need them. Desktop Firewall supports rules based on:

- IP and non-IP protocols.
- The direction of the network traffic (incoming, outgoing, or both).
- The application that generated the traffic.
- The service or port used by your computer (as the recipient or the sender).
- The service or port used by the remote computer (as the sender or the recipient).
- The IP address(es) used by the packet.
- The time of day or week that the packet was sent.

To make configuring the firewall feature simpler, Desktop Firewall offers:

- Protection levels
- Learn Mode

A protection level is a collection of default rules and firewall settings. Desktop Firewall comes with several predefined protection levels for different situations. To switch to a protection level, you simply select its name from the Protection Level list on the Firewall Policy tab.

You can also create customized collections of rules and settings that apply to all Desktop Firewall features (not just the firewall). These are called policy archives, and they appear in the Protection Level list.

If you are not certain what rules you need, you can also enable Learn Mode. In this mode, Desktop Firewall prompts you whenever it intercepts a packet that it does not know how to handle (it does not have a rule for it). The software prompts you to select an action (allow or block), and then automatically creates a new rule to cover packets of this type in future.

You can create rules and configure the firewall feature using the Firewall Policy tab in the main Desktop Firewall window.

About the application monitoring system

Desktop Firewall includes an application monitoring feature. This means that you can configure the software to monitor the applications that you use, and either allow them or block them. Desktop Firewall offers two types of application monitoring. It can oversee:

- application creation
- application hooking

When the Desktop Firewall software monitors application creation, it looks for programs that are trying to run. You may want to prevent some applications from starting. Some viruses, for instance, try to run programs that harm your computer. You can prevent this from happening by creating application rules (similar to firewall rules) that only allow the programs you use to run.

When the Desktop Firewall software monitors application hooking, it looks for programs that are trying to bind (or "hook") themselves to other applications. In some cases applications need to bind themselves to other programs, but in other cases this is suspicious behavior that may indicate a virus or other attack on your system.

You can configure Desktop Firewall to monitor only application creation, only application hooking, or both.

The Desktop Firewall application monitoring feature works like the firewall feature. You create a list of application rules, one rule for each application you want to allow or block. Each time Desktop Firewall detects an application trying to start or hook another application, it checks its application rule list to see whether the program is allowed to do this. It then allows or blocks the application, based on the action you specified in the rule.

To make creating application rules easier, Desktop Firewall includes a Learn Mode for both types of application monitoring. In this mode, Desktop Firewall prompts you whenever it detects an application that it does not have a rule for. The software prompts you to select an action (allow or block), and then automatically creates a new rule to cover this application in future.

You can create application rules and configure the application monitoring feature using the Application Policy tab in the main Desktop Firewall window.

About the intrusion detection system (IDS)

Desktop Firewall includes an intrusion detection system (IDS). Like the firewall feature, the IDS attempts to stop attacks on your system. The firewall feature tries to prevent attacks from happening, by restricting the network traffic that it allows through. The IDS, however, monitors the traffic allowed by the firewall and looks for patterns that indicate a potential attack in progress. Attacks are also known as intrusions.

Some intrusions succeed because they use a combination of approaches. Firewalls look at individual communication attempts, and cannot see the patterns that characterize these more sophisticated attacks. Intrusion detection systems specialize in detecting these attacks.

The Desktop Firewall IDS uses a library of IDS signatures to recognize the patterns of common attacks. A signature is a collection of information pertaining to a specific attack that allows Desktop Firewall to recognize it. The Desktop Firewall software comes with a default set of IDS signatures. You can update the software's list of signatures using the AutoUpdate and Update Now options.

If you enable the IDS, the Desktop Firewall software continually monitors incoming traffic. If it detects a potential attack, it prompts you for an action: block or don't block the intruder's IP address. You can also try to trace the intruder's IP address in order to identify them.

Whenever you choose to block an intruder, Desktop Firewall adds their IP address to its blocked addresses list. You can add addresses to this list manually (you don't have to wait for an intrusion). You can view the list of blocked IP addresses using the Intruder Policy tab in the main Desktop Firewall window.

You can configure the Desktop Firewall IDS feature using the McAfee Desktop Firewall Options dialog box. The dialog box contains two tabs. The Options tab lets you define how you want Desktop Firewall to notify you when an attack occurs. The Signatures tab lets you select which known attacks Desktop Firewall monitors for.
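The difference described above between per-packet firewall rules and the pattern matching of an IDS, as an added Python example (not code or a signature from the product or this guide). The signature used here (five distinct local ports from one source within ten seconds), the allowed port set and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed signature for illustration (not a McAfee signature): one source
# reaching DISTINCT_PORTS different local ports within WINDOW_S seconds.
DISTINCT_PORTS = 5
WINDOW_S = 10.0

# Assumed local services; the firewall rule list allows incoming traffic to each.
ALLOWED_PORTS = {21, 22, 25, 80, 443, 3389}


def firewall_allows(pkt):
    """Per-packet decision: sees only the packet in hand."""
    return pkt["port"] in ALLOWED_PORTS


class Ids:
    """Watches traffic the firewall allowed and keeps state per source."""

    def __init__(self):
        self.history = defaultdict(deque)  # source IP -> (time, port) pairs
        self.blocked = set()               # the blocked addresses list

    def inspect(self, pkt):
        """Return 'blocked', 'dropped', 'alert' or 'pass' for one incoming packet."""
        src, now = pkt["src"], pkt["t"]
        if src in self.blocked:
            return "blocked"
        if not firewall_allows(pkt):
            return "dropped"                # never reaches the IDS
        seen = self.history[src]
        seen.append((now, pkt["port"]))
        while now - seen[0][0] > WINDOW_S:  # forget events outside the window
            seen.popleft()
        if len({port for _, port in seen}) >= DISTINCT_PORTS:
            return "alert"
        return "pass"

    def block(self, src):
        """The 'block' answer to an intrusion alert."""
        self.blocked.add(src)
        self.history.pop(src, None)


def run(packets, block_on_alert=True):
    """Replay packets; return (verdict per packet, sorted blocked addresses)."""
    ids, verdicts = Ids(), []
    for pkt in packets:
        verdict = ids.inspect(pkt)
        if verdict == "alert" and block_on_alert:
            ids.block(pkt["src"])
        verdicts.append(verdict)
    return verdicts, sorted(ids.blocked)


def make_events(src, timed_ports):
    return [{"src": src, "t": t, "port": p} for t, p in timed_ports]


# Constructed sample traffic (documentation address ranges).
BROWSER = make_events("192.0.2.10", [(0.0, 80), (1.0, 80), (2.0, 443)])
SWEEP = make_events("198.51.100.7",
                    [(3.0, 21), (3.2, 22), (3.4, 25), (3.6, 80), (3.8, 443), (4.0, 3389)])
ADMIN = make_events("203.0.113.5",
                    [(0.0, 22), (60.0, 80), (120.0, 443), (180.0, 3389), (240.0, 25)])

if __name__ == "__main__":
    for name, packets in (("browser", BROWSER), ("sweep", SWEEP), ("admin", ADMIN)):
        print(name, run(packets))
```

Every packet in SWEEP passes the per-packet rule check on its own; only the per-source state raises the alert, and the block answer then puts the address on the blocked addresses list.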

What are the two versions of Desktop Firewall?

Desktop Firewall comes in two versions: a stand-alone version and an ePolicy Orchestrator (ePO) version.

The stand-alone version of Desktop Firewall runs on a single computer. You configure the software directly. This version is ideal for individual users or small corporate networks.

The ePolicy Orchestrator version of Desktop Firewall works differently. McAfee ePolicy Orchestrator is a separate software management product. You can use ePolicy Orchestrator to distribute Desktop Firewall to many different computers from a single point (the ePO console). You can also manage all the distributed firewalls from the console, send out policy and signature updates, and gather information to create reports. This version of Desktop Firewall is ideal for enterprise users.

What's new in this release?

Common features

This release of Desktop Firewall software introduces new features for both the stand-alone and ePolicy Orchestrator versions of the product. The new features that apply to both versions include:

- Bi-directional Learn Mode on page 20.
- Application monitoring on page 21.
- Support for rules based on non-IP protocols on page 22.
- Support for rules based on wireless traffic on page 23.
- Support for domain-based rules on page 24.
- Support for time-based rules on page 25.
- Updateable IDS signatures on page 26.
- Policy Archives on page 27.

Bi-directional Learn Mode

Previous release: In previous releases of Desktop Firewall, the firewall feature's Learn Mode automatically applied to both incoming and outgoing network traffic.

Current release: In this release, you can specify whether you want to apply the firewall's Learn Mode to incoming communication, outgoing communication, or both.

Benefits: In many cases you will only need to monitor unknown incoming traffic (i.e., traffic arriving at your computer from another source). This new feature lets you ignore outgoing traffic, and reduces the number of Learn Mode alerts that you need to deal with.

Where to find: To configure the firewall feature's Learn Mode, open the main Desktop Firewall window and click on the Firewall Policy tab. The Learn Mode checkboxes appear near the top of the tab.

For more information: See Enabling and disabling Firewall Learn Mode on page 65 for more information.

Application monitoring

Previous release: In previous releases of Desktop Firewall, you could only monitor individual packets created by applications (using the firewall feature).

Current release: In this release, you can use the new Desktop Firewall application monitoring feature to allow or block specific applications. You can monitor applications that try to run (application creation), or applications that try to bind themselves to other programs (application hooking).

Benefits: This feature lets you block undesirable programs from running, and lets you identify and prevent suspicious programs (including some viruses) from binding themselves to normal applications.

Where to find: You can access this feature through the Application Policy tab in the main Desktop Firewall window.

For more information: For more information on this feature, see About the application monitoring system on page 17. See Setting Up Application Monitoring on page 97 for more information.

Support for rules based on non-IP protocols

Previous release: In previous releases of Desktop Firewall, you could only create firewall rules that applied to IP-based traffic.

Current release: In this release, you can create firewall rules that apply to non-IP protocols like IPX and AppleTalk.

Benefits: This feature lets the firewall feature filter a broader range of network traffic, which makes your computer more secure.

Where to find: To create a firewall rule based on non-IP protocols, open the main Desktop Firewall window and click on the Firewall Policy tab. Click Add, and select New Rule. In the Firewall Rule dialog box, select the Non-IP option in the Protocol area. Select the relevant protocol from the Non-IP list. Finish filling in the other criteria for your new rule, and then click OK.

For more information: See Creating a new firewall rule on page 72 for more information.

Support for rules based on wireless traffic

Previous release: In previous releases of Desktop Firewall, you could not create firewall rules based on wireless network traffic.

Current release: In this release, you can create firewall block rules for network traffic based on the a, b, and g wireless protocols.

Benefits: This feature lets you restrict or prevent wireless networking within your organization.

Where to find: To create a firewall rule based on wireless protocols, open the main Desktop Firewall window and click on the Firewall Policy tab. Click Add, and select New Rule. In the Firewall Rule dialog box, select the IP list, and then select IP item from the list. Finish filling in the other criteria for your new rule, and then click OK.

For more information: See Creating a new firewall rule on page 72 for more information.

Support for domain-based rules

Previous release: In previous releases of Desktop Firewall, you could not create firewall rules based on Internet domains.

Current release: In this release, you can create firewall rules that apply to network traffic destined for, or coming from, specific domains (e.g.,

Benefits: This feature makes managing the firewall feature easier. In the past, if you wanted to block an entire domain, you had to identify the IP addresses associated with that domain and then create rules based on those IP addresses. The addresses could change at any time. Creating rules based on domains means greater rule coverage and less maintenance.

Where to find: To create a firewall rule based on a domain, open the main Desktop Firewall window and click on the Firewall Policy tab. Click Add, and select New Rule. In the Firewall Rule dialog box, select either Domain name(s) or Fully Qualified Domain from the Address list. Click the button that appears to define the domain. Finish filling in the other criteria for your new rule, and then click OK.

For more information: See Creating a new firewall rule on page 72 for more information.

25

Support for time-based rules

Previous release: In previous releases of Desktop Firewall, you could not apply time restrictions to firewall rules.

Current release: In this release, you can apply time constraints to a firewall rule. For example, you could make Desktop Firewall apply the rule only on weekdays, or only during working hours. You can also specify how you want Desktop Firewall to handle the rule the rest of the time. When the rule is not valid for the current time, the software can:
- Disable the rule.
- Reverse the rule.
For instance, if you create a rule that allows HTTP-based traffic during working hours, you can either make Desktop Firewall ignore the rule the rest of the time (the rule is disabled), or reverse the rule and block HTTP traffic the rest of the time.

Benefits: This feature makes your firewall policies more flexible, by letting you create rules that only apply on certain days or times.

Where to find: To apply time restrictions to a rule, open the main Desktop Firewall window. Double-click the rule that you want to modify. In the Firewall Rule dialog box, select the Restrict rule to currently defined time interval checkbox and click Time. Use the Edit Time Interval dialog box to set up the times and days when you want to make this rule active. Also specify whether you want to disable the rule outside of this time period (using the Deactivate rule when time expires option), or reverse the rule (using the Switch rule permission when time expires option).

For more information: See Creating a new firewall rule on page 72 for more information.
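The two out-of-interval behaviours described above (Deactivate rule when time expires versus Switch rule permission when time expires), as an added Python model that is not Desktop Firewall code. It assumes the rule list is checked top to bottom and the first active matching rule decides; the working hours, the second broad allow rule, and all class and function names are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


class Outside(Enum):
    DEACTIVATE = "deactivate"  # models "Deactivate rule when time expires"
    SWITCH = "switch"          # models "Switch rule permission when time expires"


@dataclass(frozen=True)
class TimeInterval:
    days: frozenset  # weekday numbers, Monday = 0
    start: time      # inclusive
    end: time        # exclusive

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    description: str
    action: Action
    protocol: str
    remote_port: Optional[int] = None        # None models "Any"
    interval: Optional[TimeInterval] = None  # None = no time restriction
    outside: Outside = Outside.DEACTIVATE

    def effective_action(self, when: datetime) -> Optional[Action]:
        """Action the rule carries at `when`, or None if it is deactivated."""
        if self.interval is None or self.interval.contains(when):
            return self.action
        if self.outside is Outside.SWITCH:
            return Action.BLOCK if self.action is Action.ALLOW else Action.ALLOW
        return None

    def matches(self, protocol: str, remote_port: int) -> bool:
        return self.protocol == protocol and self.remote_port in (None, remote_port)


def evaluate(rules: Sequence[Rule], protocol: str, remote_port: int,
             when: datetime) -> Tuple[Optional[Action], str]:
    """Assumed semantics: top to bottom, first active matching rule decides."""
    for rule in rules:
        action = rule.effective_action(when)
        if action is not None and rule.matches(protocol, remote_port):
            return action, rule.description
    return None, "no rule matched"


# Constructed sample policy: weekdays 09:00-17:00 stand in for "working hours".
WORKING_HOURS = TimeInterval(frozenset(range(5)), time(9, 0), time(17, 0))


def build_policy(outside: Outside) -> List[Rule]:
    return [
        Rule("Allow HTTP during working hours", Action.ALLOW, "TCP", 80,
             WORKING_HOURS, outside),
        Rule("Allow any TCP traffic", Action.ALLOW, "TCP"),  # constructed broad rule
    ]


# Constructed sample times (4 June 2003 was a Wednesday, 7 June a Saturday).
WED_MORNING = datetime(2003, 6, 4, 10, 0)
WED_NIGHT = datetime(2003, 6, 4, 22, 0)
SATURDAY = datetime(2003, 6, 7, 10, 0)

if __name__ == "__main__":
    samples = [("Wed 10:00", WED_MORNING), ("Wed 22:00", WED_NIGHT),
               ("Sat 10:00", SATURDAY)]
    for outside in Outside:
        for label, when in samples:
            action, why = evaluate(build_policy(outside), "TCP", 80, when)
            print(f"{outside.value:10} {label}  HTTP -> {action.value:5} ({why})")
```

With the deactivate setting, an out-of-hours HTTP request in this model falls through to the broader rule and is still allowed; only the switch setting makes the time-restricted rule itself block the traffic.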

26

Updateable IDS signatures

Previous release: In previous releases of Desktop Firewall, the IDS feature came with a predefined list of attacks that Desktop Firewall could detect. You could not configure this list, or add new attacks to it.

Current release: In this release, you can configure which attacks the IDS monitors for. You can also update the software's list of IDS signatures. (Signatures are the descriptions of known attacks that Desktop Firewall uses to recognize them.) You can schedule regular AutoUpdates, or perform updates manually.

Benefits: By using this feature, you can guarantee that Desktop Firewall is up to date and scanning for all the latest attacks.

Where to find: To schedule AutoUpdates, right-click the Desktop Firewall system tray icon and select AutoUpdate Properties. To perform an immediate update, right-click the Desktop Firewall system tray icon and select Update Now. To select the attacks that you want Desktop Firewall to monitor for, open the main Desktop Firewall window and click on the Edit menu. Select Options to open the McAfee Desktop Firewall Options dialog box. Click on the Signatures tab to see and work with the list of available IDS signatures.

For more information: See Updating IDS signatures on page 87 for more information.

27

Policy Archives

Previous release: In previous releases of Desktop Firewall, you could export firewall rule lists, but you could not save all of your Desktop Firewall settings to a file.

Current release: In this release, you can create custom protection levels for the Desktop Firewall. These are called policy archives. Policy archives affect your firewall, application monitoring, IDS, and log settings. You can apply these settings by simply selecting a policy archive name from the firewall's Protection Level list.

Benefits: This feature lets you switch rule sets and settings instantly.

Where to find: To create a new policy archive, first set up the firewall, application monitoring, IDS, and log settings that you want to use. When you finish, click the Task menu and select Export Policy. Type a file name for the policy archive, then select OK. Click Yes when Desktop Firewall asks whether you want to make this a policy archive. Enter a name for the policy archive; this name appears in the Desktop Firewall Protection Level list. Click OK to finish creating the policy archive. To change the name of an existing policy archive, select Edit Policy Archive from the Protection Level list. Use the Edit Policy Archive dialog box to select and change the name of the policy archive.

For more information: See Protection levels and policy archives on page 61 for more information.

28

ePolicy Orchestrator features

The new features that apply only to the ePolicy Orchestrator version of Desktop Firewall include:
- Improved reports and filtering on page 28.
- Quarantine Mode on page 29.
- Audit Learn Mode on page 30.
- Remote ruleset monitoring on page 31.
- Browsable known rules on page 32.

Improved reports and filtering

Previous release: In previous releases of Desktop Firewall, you could create reports but you could not filter out information that you weren't interested in.

Current release: In this release, Desktop Firewall and ePolicy Orchestrator support filtering. Most Desktop Firewall reports let you specify criteria for at least one of their report columns. When Desktop Firewall creates a finished report, it only uses data that fulfilled all of your filter criteria.

Benefits: Filtering lets you keep reports small and manageable, and lets you display only relevant information.

Where to find: To see the Report Data Filter dialog box, generate a report in ePolicy Orchestrator.

For more information: See Creating Reports Using ePO on page 155 for more information.

29

Quarantine Mode

Previous release: In previous releases of Desktop Firewall, you could not prevent computers from communicating with other network users when they did not have all the latest policies, software updates, DAT files, etc.

Current release: In this release, you can specify protected subnets and addresses. If a Desktop Firewall computer receives one of these addresses, the software automatically quarantines them until ePolicy Orchestrator can verify that they have all the necessary files and policies. You can set up special firewall rules that only apply to quarantined users.

Benefits: This feature improves your overall network security by ensuring that all network users have the most current policies and files.

Where to find: To see the Define Quarantined Networks dialog box, navigate to the Administrative Configuration tab in ePolicy Orchestrator, and then click Configure Quarantine Mode.

For more information: See Setting up quarantines on page 139.

30

Audit Learn Mode

Previous release: In previous releases of Desktop Firewall, you could enable Learn Mode for the firewall feature. In this mode, Desktop Firewall prompts users for an action (allow or block) each time it encounters unknown network traffic. The software then creates a new firewall rule based on their choice. The regular Learn Mode feature requires users to respond to Learn Mode alerts, and you cannot control whether users allow or block traffic.

Current release: In this release, you can choose between Learn Mode and the new Audit Learn Mode. You can apply Audit Learn Mode to the firewall feature or the application monitoring feature. When you enable Audit Learn Mode, users never have to see or respond to Learn Mode alerts. Their Desktop Firewall software automatically creates new allow rules whenever it intercepts unknown applications or firewall traffic.

Benefits: Audit Learn Mode provides the same functionality as Learn Mode, but does not require any action from users. This feature makes a powerful combination with remote ruleset monitoring (see Remote ruleset monitoring on page 31), which lets you review the rules created by Audit Learn Mode remotely, and copy any appropriate rules to your main ruleset for general deployment.

Where to find: To enable or disable Audit Learn Mode, navigate to the Administrative Configuration tab in ePolicy Orchestrator, and either select or deselect the Enable <feature> Audit Learn Mode checkbox.

For more information: See any of the following topics:
- The Administrative Configuration tab on page 120.
- Turning Firewall Audit Learn Mode on and off on page 139.
- Turning the application Audit Learn Modes on and off on page

31

Remote ruleset monitoring

Previous release: In previous releases of Desktop Firewall, you could not monitor the rules that individual users added to their firewall rule list when you gave them rule-creation abilities or enabled Learn Mode.

Current release: In this release, you can review a user's rule list remotely using the ePO console. You can also copy selected rules and add them to your main ruleset, for deployment to other Desktop Firewall users.

Benefits: This feature is particularly useful when you enable Learn Mode or Audit Learn Mode for Desktop Firewall users. When these modes are active, Desktop Firewall automatically creates new rules whenever it encounters unknown applications or firewall traffic. You can use remote ruleset monitoring to review these learned rules at regular intervals.

Where to find: To view a remote user's rule list, select the user in ePolicy Orchestrator, then open the Firewall Configuration or Application Configuration tab. User-created rules appear in the Client Rules list.

NOTE: Before you use remote ruleset monitoring, select the Merge these rules with users' rules checkbox. If you do not select this checkbox, Desktop Firewall overwrites any user-created rules each time you make changes to your deployed administrative ruleset, and you will not see user rules in the Client Rules list.

For more information: See Reviewing a user's rules on page 136 for more information about reviewing a user's firewall rules. See Reviewing a user's rules on page 152 for more information about reviewing a user's application rules.

32

Browsable known rules

Previous release: In previous releases of Desktop Firewall, the firewall feature came with a set of predefined known rules. Administrators had no way to view or modify these default rules.

Current release: In this release, ePolicy Orchestrator administrators can view the complete list of predefined rules. They can also add them to their firewall rule list.

Benefits: Known rules make configuring Desktop Firewall easier, since in many cases administrators can use existing rules rather than creating new ones.

Where to find: To view the list of available rules in Desktop Firewall, navigate to the Firewall Configuration tab in ePolicy Orchestrator, and click Add. Select Predefined Rules. Desktop Firewall presents a complete list of its predefined firewall rules.

For more information: For more information, see Using known rules on page

33

SECTION 1

Using Desktop Firewall as a Stand-Alone Product

Getting Started with Desktop Firewall
Setting Up the Firewall
Setting Up the Intrusion Detection System (IDS)
Setting Up Application Monitoring
Setting Up Logging

34

35

2 Getting Started with Desktop Firewall

This section provides a high-level introduction to the Desktop Firewall interface and the software's major features (stand-alone version). It also covers how to start and stop both the product and its individual components. The following topics are included:
- A quick tour of the Desktop Firewall interface.
- Starting and stopping Desktop Firewall.
- Choosing which features to use.

A quick tour of the Desktop Firewall interface

This section introduces the main parts of the Desktop Firewall user interface. If you need information on specific fields, lists, and options while using the product, you can get further details by using the Desktop Firewall What's This? help system.

NOTE: This help is available from all Desktop Firewall dialog boxes, but not from the main console.

To access this type of help, first navigate to the dialog box that you want information about. Next, click the question mark icon in the top, right corner. Your cursor should change to include a question mark. Click on the part of the interface that you want help with. Desktop Firewall will display a short What's This? help topic in a pop-up window.

Figure 2-1. What's This help icon

36

The system tray

When you install Desktop Firewall, the software adds an icon to your Windows system tray. You can use this tray icon to check the product's status. You can also configure Desktop Firewall to hide this tray icon. If you right-click the tray icon, Desktop Firewall displays a menu that you can use to perform basic actions.

The system tray icon

The Desktop Firewall system tray icon changes appearance to indicate the product's status. It indicates when the product is working properly, when it is turned off, and when it has detected an attack on your system. The following table shows how the tray icon appears, depending on the software's state.

Icon: Desktop Firewall's status
[icon]: Desktop Firewall is working properly.
[icon]: Desktop Firewall has detected a potential attack on your computer.
[icon]: Desktop Firewall is turned off.

You can also see ToolTips that indicate the software's status by holding your mouse pointer over the system tray icon for a few seconds.

37

The shortcut menu

If you right-click the Desktop Firewall system tray icon, the software displays a menu that you can use to perform basic actions:

Menu item: What it does

Disable/Enable Firewall: If Desktop Firewall is turned off, this option restarts the product. If Desktop Firewall is turned on, this option turns it off.

Help: Launches your choice of help systems in your default Web browser:
- Help Topics launches the main Desktop Firewall online help system.
- Virus Information opens McAfee Security's Virus Information Library page, so that you can research known viruses.
- Submit a Sample opens McAfee Security's WebImmune page, so that you can submit potentially infected files for analysis.
- Technical Support opens McAfee Security's Desktop Firewall support page.

Options...: Opens the McAfee Desktop Firewall Options dialog box, where you can configure the IDS feature and tell Desktop Firewall to either show or hide its system tray icon.

View: Opens the main Desktop Firewall console to the tab you specify:
- Firewall Policy displays the Firewall Policy tab, where you can work with firewall rules and set up trusted networks.
- Application Policy displays the Application Policy tab, where you can work with application rules and configure application monitoring.
- Intruder Policy displays the Intruder Policy tab, where you can view a list of blocked IP addresses and add new ones to the list.
- Activity Log displays the Activity Log tab, where you can view information on allowed or blocked traffic, and configure the logging feature.

AutoUpdate Properties...: Opens the Desktop Firewall AutoUpdate Properties dialog box, which you can use to schedule regular IDS signature updates.

38

Menu item: What it does

Update Now...: Forces Desktop Firewall to immediately download new signatures for its IDS feature.

About...: Opens the About Desktop Firewall dialog box, which displays the version number and other product information.

The main console

You access the Desktop Firewall main console either by double-clicking the system tray icon, or by right-clicking the icon and selecting one of the View options from the resulting menu. The Desktop Firewall main console gives you access to all of its features and configuration options.

The console consists of several menus and tabs. The menus let you perform all of the same actions as the tray icon's shortcut menu, plus a few extra. The tabs let you configure the software features, and view information about them. Each tab corresponds to a specific Desktop Firewall feature:

Tab name: Corresponds to

Firewall Policy: The firewall feature, which allows or blocks network communication based on the rules that you define.

Application Policy: The application monitoring feature, which allows or blocks programs from running (application creation) or from binding to other applications (application hooking).

Intruder Policy: The IDS feature, which looks for complex attacks on your computer, and blocks known attackers.

Activity Log: The logging feature, which tracks information on Desktop Firewall activities so that you can review and export it at any time.

The menus

The menus in the main Desktop Firewall console let you change tabs and configure Desktop Firewall features. Some menu items change depending on which tab you are using in the main Desktop Firewall console. For example, the Clear option (from the Edit menu) is only available when you are using the Activity Log tab.

39

The Task menu

The Task menu lets you perform actions that you cannot perform using any of the Desktop Firewall tabs.

Task menu item: What it does

Export Policy: Exports the following information to a policy file:
- The current firewall rule list.
- The current application rule list.
- The current IDS blocked addresses list.
- Your Learn Mode settings.
- Your trusted networks.
- A list of any IDS signature exclusions.
- Your Activity Log settings.
- Your system tray setting (visible or hidden).

Import Policy: Loads all the information from an exported policy file, and uses it to replace the software's existing settings.

Enable McAfee Desktop Firewall: Turns on all Desktop Firewall features, unless you have specifically disabled any of them. (Features include the firewall, intrusion detection system (IDS), application monitoring, and logging.)

Disable McAfee Desktop Firewall: Turns off Desktop Firewall. This disables all product features. Desktop Firewall will not monitor or block any network communication.

AutoUpdate Properties: Opens the Desktop Firewall AutoUpdate Properties dialog box, which you can use to schedule regular IDS signature updates.

Update Now: Forces Desktop Firewall to immediately download new signatures for its IDS feature.

Exit: Closes the Desktop Firewall main console.

40

The Edit menu

The Edit menu lets you manipulate the entries in your policy and blocked addresses lists, and lets you configure program options. Not all menu items are available from each tab. For example, Move Up and Move Down are disabled when you use the Intruder Policy and Activity Log tabs.

Edit menu item: What it does

Move Up: Moves the selected list item up one position in the list.

Move Down: Moves the selected list item down one position in the list.

Remove: Deletes the selected rule.

Clear: Deletes all entries from the log window.

Properties: Opens a dialog box that displays the properties for the selected item.

Options: Opens the McAfee Desktop Firewall Options dialog box, where you can configure the IDS feature and tell Desktop Firewall to either show or hide its system tray icon.

The View menu

The View menu lets you switch from one tab to another.

View menu item: What it does

Firewall Policy: Displays the Firewall Policy tab, where you can work with firewall rules and set up trusted networks.

Application Policy: Displays the Application Policy tab, where you can work with application rules and configure application monitoring.

Intruder Policy: Displays the Intruder Policy tab, where you can view a list of blocked IP addresses and add new ones to the list.

Activity Log: Displays the Activity Log tab, where you can view information on allowed or blocked traffic, and configure the logging feature.

41

The Help menu

The Help menu lets you access a range of information pertaining to Desktop Firewall and network security. Desktop Firewall opens the selected information in your default Web browser.

Help menu item: What it does

Help Topics: Launches the main Desktop Firewall online help system, which contains product overviews and procedures.

Virus Information: Opens McAfee Security's Virus Information Library web page, so that you can research known viruses.

Submit a Sample: Opens McAfee Security's WebImmune web page, so that you can submit potentially infected files for analysis.

Technical Support: Opens McAfee Security's Desktop Firewall support web page.

About: Opens the About Desktop Firewall dialog box, which displays the version number and other product information.

The Firewall Policy tab

The Firewall Policy tab lets you configure the firewall feature. Using this tab, you can:
- Turn the firewall on or off using the Enable Firewall checkbox.
- Enable or disable Learn Mode using the Learn Mode checkboxes.
- Select a predefined set of firewall rules from the Protection Level list.
- Identify IP addresses and subnets that you feel you can safely communicate with, by adding them to the Trusted Networks list (click the Trusted button).
- Review the rules that the firewall is currently applying, using the rule list.
- Create new firewall rules and groups using the Add button.
- Edit or view selected firewall rules using the Properties button.
- Delete firewall rules using the Remove button.

42

Figure 2-2. The Firewall Policy tab

The rule list shows all the firewall rules currently available to Desktop Firewall. Each line represents a single rule or rule group. You can determine what each rule does by reading the information in each column:

43

Column: What it shows

Description: A brief statement outlining the purpose of this rule or rule group.

[icon column]: (For rules) An icon indicating whether the rule is currently in use:
- [icon] shows that the rule is active.
- [icon] shows that the rule is disabled.
(For rule groups) An icon indicating whether the rules in the group are active or not:
- [icon] shows that all rules in this group are active.
- [icon] shows that some rules in this group are disabled.
- [icon] shows that all rules in this group are disabled.

[icon column]: Whether the rule allows traffic, or blocks it:
- [icon] shows that the rule allows traffic.
- [icon] shows that the rule blocks traffic.

[icon column]: Whether the rule applies to incoming traffic, outgoing traffic, or both:
- [icon] shows that the rule applies to incoming traffic.
- [icon] shows that the rule applies to outgoing traffic.
- [icon] shows that the rule applies to both directions.

Protocol: Which protocol(s) the rule applies to (TCP, UDP, ICMP, etc.).

Intrusion: Whether Desktop Firewall treats traffic that matches this rule as an intrusion (an attack) on your system:
- [icon] shows that this rule creates an intrusion alert.

Schedule: Whether this rule only applies at specific times:
- [icon] shows that this rule has time restrictions.

Service (L): The names of any services on your computer that this rule applies to. When possible, this column also shows associated port numbers. You can define an individual service, a range of services, a list of specific services, or specify either all (Any) or no services (N/A).

44

Column: What it shows

Service (R): The names of any services that this rule applies to on the computer you are sending traffic to, or receiving traffic from. When possible, this column also shows associated port numbers. You can define an individual service, a range of services, a list of specific services, or specify either all (Any) or no services (N/A).

Address: The IP address, subnet, domain, or other specific identifier that this rule applies to.

Application: The application that this rule applies to, including the program name and executable file name.

The Trusted Networks dialog box

You access the Trusted Networks dialog box from the Firewall Policy tab (click the Trusted button). This dialog box lets you view the list of IP addresses and subnets that you've defined as trustworthy. You can also add new entries to the list, and set some basic options.

A trusted address or subnet is a user, or group of users, that you consider safe to communicate with. If your computer is part of a corporate network, or if you often share computer resources with other users, then you trust these other users. Desktop Firewall lets you treat the computers you trust as a group, by adding them to the Trusted Networks list. This makes it easier to create firewall rules specifically for these users.

You can add individual IP addresses, a range of IP addresses, or entire subnets to your trusted group. You can also choose to automatically add your local subnet (the subnet that your own computer belongs to) to the Trusted Network list. To do this, select the Include Local Subnet Automatically option.

The Firewall Rule dialog box

You access the Firewall Rule dialog box from the Firewall Policy tab, by either editing an existing rule or adding a new rule. This dialog box lets you create and configure firewall rules.

A rule is a set of criteria. As Desktop Firewall filters your incoming and outgoing network traffic, it compares each intercepted packet to the criteria in your rules. If a packet meets the criteria in a specific rule, Desktop Firewall follows the instruction associated with that rule, either allowing the packet through the firewall or blocking it.

45

You can make rules as general or as specific as you need. The more criteria you define for a rule, the fewer communication attempts will match it. For descriptions of the individual text boxes and lists in the Firewall Rule dialog box, see Creating a new firewall rule on page 72.

The firewall's Learn Mode alert

If you enable the firewall's Learn Mode, this alert automatically appears whenever Desktop Firewall intercepts network traffic that it cannot match against any of its existing rules.

The Learn Mode alert dialog box displays information about the intercepted traffic on two tabs: the Application Information tab and the Connection Information tab. The Application Information tab gives details about the application that generated the traffic, and lists the time and date when Desktop Firewall intercepted it. The Connection Information tab provides the traffic's networking information, including the protocol and port it used, the IP address that sent it, its destination address, and more.

Figure 2-3. The firewall's Learn Mode alert dialog box

Desktop Firewall uses this dialog box to prompt you for a decision. You can let the intercepted traffic through the firewall using the Allow button, or block it using the Deny button. Desktop Firewall creates a new rule based on your decision, and adds it to the firewall rule list. If necessary, you can alter the type of rule that Desktop Firewall creates using the options on the Connection Information tab. See To respond to a firewall Learn Mode alert on page 71 for more information.

46

The Application Policy tab

The Application Policy tab lets you configure the application monitoring feature. This feature lets you control the applications you use. You can specify whether an application can run (known as application creation), and whether it can bind itself to other programs (known as application hooking). Using this tab, you can:
- Turn application monitoring on or off using the top two Enable checkboxes.
- Enable or disable Learn Mode using the Learn Mode checkboxes.
- Review the application rules that Desktop Firewall is currently applying, using the rule list.
- Create new application rules using the Add button.
- Edit or view selected application rules using the Properties button.
- Delete application rules using the Remove button.

Figure 2-4. The Application Policy tab

The rule list shows all the application rules currently used by Desktop Firewall. Each line represents a single rule. You can determine what each rule does by reading the information in each column:

47

Column: What it shows

Description: A brief statement outlining the purpose of this rule.

[icon column]: An icon indicating whether the rule is currently in use:
- [icon] shows that the rule is active.
- [icon] shows that the rule is disabled.

Create: An icon indicating whether Desktop Firewall allows the application associated with this rule to run:
- [icon] shows that the application can run.
- [icon] shows that the application cannot run.

Hook: An icon indicating whether Desktop Firewall allows the application associated with this rule to bind itself to other programs:
- [icon] shows that the application can hook other programs.
- [icon] shows that the application cannot hook other programs.

Application: The filename and path of the application that this rule applies to.

The Application Rule dialog box

You access the Application Rule dialog box from the Application Policy tab, either by adding a new rule or by editing an existing rule. This dialog box lets you create and configure application monitoring rules.

Each rule is a set of instructions associated with a particular application. To create a rule, you specify an application and then select or deselect checkboxes to indicate whether:
- The application can run.
- The application can bind itself to other programs.
You can also enable or disable the rule.

Once you finish setting up the rule, Desktop Firewall adds a new entry to its application rule list. If you enable application monitoring, it checks this list each time an application tries to start, or tries to hook another application. Then it allows or blocks the application's attempt based on the rules you created.

48

The application monitoring Learn Mode alerts

If you enable Learn Mode for application monitoring, alerts automatically appear whenever Desktop Firewall detects an application that it does not have a rule for. To see alerts when programs try to run, you must select Enable Application Creation Learn Mode on the Application Policy tab. To see alerts when programs try to bind themselves to other applications, you must select Enable Application Hooking Learn Mode. In each case, the Learn Mode alert displays information about the application that Desktop Firewall detected, and lists the time and date when it intercepted this program.

Figure 2-5. The Application Creation Alert and Application Hook Alert dialog boxes

Desktop Firewall uses these alerts to prompt you for a decision. You can let the application run or hook using the Allow button, or you can prevent it using the Deny button. Desktop Firewall creates a new rule based on your decision, and adds it to the application rule list.

The Intruder Policy tab

The Intruder Policy tab lets you monitor and work with your list of blocked hosts (IP addresses). This tab is related to the Desktop Firewall IDS feature. When you enable this feature, Desktop Firewall constantly scans for attacks on your system. If it detects an attack, it asks you whether you want to add the intruder to the list of blocked addresses. (You can disable these prompts if necessary; see Enabling and disabling intrusion alerts on page 81.) You can also add individuals to the blocked addresses list manually.

Unlike the other Desktop Firewall tabs, you cannot use the Intruder Policy tab to turn the IDS feature on or off, or to configure the feature. You must use the McAfee Desktop Firewall Options dialog box to set up the IDS feature. (Select the Edit menu, then Options.)

49

Using the Intruder Policy tab, you can:
- Review the list of blocked addresses.
- Block new hosts, by adding their information to the list using the Add button.
- Stop blocking hosts, by deleting their entries using the Remove button.
- Edit or view the details of a selected host, using the Properties button.

Figure 2-6. The Intruder Policy tab

The blocked addresses list shows all the hosts currently blocked by Desktop Firewall. Each line represents a single host. You can get more information on individual hosts by reading the information in each column:

Column: What it shows

Source: The IP address that Desktop Firewall is blocking.

Blocked Reason: An explanation of why Desktop Firewall is blocking this address. If Desktop Firewall added this address to the list because of an attempted attack on your system, this column describes the type of attack. If Desktop Firewall added this address because one of its firewall rules used the Treat rule match as intrusion option, this column lists the name of the relevant firewall rule. If you added this address manually, this column lists only the IP address that you blocked.

Time | The time and date when you added this address to the blocked addresses list.
Time Remaining | How long Desktop Firewall will continue to block this address. If you specified an expiration time when you blocked the address, this column shows the number of minutes left until Desktop Firewall removes the address from the list. If you specified that you wanted this address blocked until you manually removed it from the list, this column displays Until removed.

The Blocked Host dialog box

You access the Blocked Host dialog box from the Intruder Policy tab, either by adding a new blocked IP address or by editing an existing blocked host. This dialog box lets you:
- Set up an IP address that you want to block.
- Look up a domain name to get the corresponding IP address.
- Define how long you want Desktop Firewall to block the IP address.
- Trace the IP address to gather information like its MAC address (a unique hardware identifier) and server banner details.

Once you finish setting up a blocked address, Desktop Firewall adds a new entry to the list on its Intruder Policy tab. It blocks any communication attempt from that IP address until you either remove it from the blocked addresses list, or until a set period of time expires (i.e., the time you specified in the Blocked Host dialog box).

The Intrusion Detected Alert dialog box

If you enable both the IDS feature and its Display notification message when attacked option, this alert automatically appears when Desktop Firewall detects a potential attack on your computer.

NOTE: Complex attacks can defeat firewalls by assaulting computers using several approaches at once. Only intrusion detection systems like Desktop Firewall's IDS can recognize and stop these attacks. For maximum security, enable both the firewall and IDS features.

The Intrusion Detected Alert dialog box displays information about the intercepted attack on two tabs: the Intrusion Information tab, and the Packet Information tab.

The Intrusion Information tab gives details about the attack that generated the alert, including a description of the attack, the IP address where the attack originated, and the time and date when Desktop Firewall intercepted it.

The Packet Information tab displays the data that Desktop Firewall intercepted, along with its addressing information (for example, its Ethernet, IP, and TCP or UDP headers).

Figure 2-7. The Intrusion Detected Alert dialog box

Desktop Firewall uses this dialog box to prompt you for a decision. If the intercepted traffic is not an attack, you can allow it through using the Don't Block button. If the attack is a real threat, you can stop it using the Block button.

NOTE: Your IDS option settings play an important role in securing your computer against intrusions like these. If you select the Automatically block attackers setting in the McAfee Desktop Firewall Options dialog box, Desktop Firewall stops suspected attacks the moment it detects them. If you do not select this option, Desktop Firewall continues to let network traffic through until you select Block or Don't Block in the Intrusion Detected Alert dialog box.

If you click Block, Desktop Firewall adds the IP address where this attack originated to the blocked addresses list on the Intruder Policy tab. You specify how long the address remains there using the options in the Intrusion Detected Alert dialog box.

In addition to allowing or blocking the suspected attack, you can click Trace Source to gather information about the attacker. If your trace succeeds, you can obtain the attacker's MAC address (a unique hardware identifier), telnet server banner, HTTP server version, FTP server banner, and SMTP server banner.

The Spoof Detected Alert dialog box

If you enable the IDS feature, this alert automatically appears if Desktop Firewall detects that an application on your computer is sending out spoofed network traffic. This means that the application is trying to make it seem like traffic from your computer actually comes from a different computer. It does this by changing the IP address in the outgoing packets.

NOTE: Spoofing is always suspicious activity. If you see this dialog box, immediately investigate the application that sent the spoofed traffic.

The Spoof Detected Alert dialog box is very similar to the firewall feature's Learn Mode alert. It displays information about the intercepted traffic on two tabs: the Application Information tab, and the Connection Information tab.

The Application Information tab shows:
- The IP address that the traffic pretends to come from.
- Information about the program that generated the spoofed traffic.
- The time and date when Desktop Firewall intercepted the traffic.

The Connection Information tab provides further networking information. In particular, Local Address shows the IP address that the application is pretending to have, while Remote Address shows your actual IP address.

Figure 2-8. The IDS feature's Spoof Detected Alert dialog box

When Desktop Firewall detects spoofed network traffic, it tries to block both the traffic and the application that generated it. It does this by adding a new rule to the end of the firewall rule list. This Block spoofing attacker rule specifically blocks all traffic created by the suspicious application, unless another rule in the rule list overrides it.

The Activity Log tab

The Activity Log tab lets you configure the logging feature and track Desktop Firewall actions. Using this tab, you can:
- Enable or disable firewall logging, using the Traffic Logging checkboxes.
- View the running log data, using the log display area.
- Export packet data (indicated by an Intrusion Data icon) associated with a specific IDS event by right-clicking the log entry.
- Apply filters to the log data, to see only the information you are interested in (using the Filter Options checkboxes).
- Export the log data to a file using the Save button.
- Delete all log entries using the Clear button.

NOTE: You can enable and disable logging for the firewall feature, but not for the IDS or application monitoring features. Desktop Firewall always logs information relating to these features, but you can hide these events by applying filters.

Figure 2-9. The Activity Log tab

The log display area shows any log entries you have chosen to view. It may not display all log entries if you applied filters to the data (using the Filter Options checkboxes). Each log entry represents a single Desktop Firewall action. You can get more information on these actions by reading the information in each column:

Column | What it shows
Time | The date and time of the Desktop Firewall action.
Event | The feature that performed the action. Traffic indicates a firewall action. Application indicates an application monitoring action. Intrusion indicates an IDS action.
Address | The remote address that this communication was either sent to, or sent from.
Intrusion Data | An icon indicating that Desktop Firewall saved the packet data associated with this attack. (This icon only appears for IDS log entries.) The icon shows that you can export the packet data associated with this log entry. Right-click the log entry to save the data to a Sniffer file.
Application | The program that caused the action.
Message | A description of the action, with as much detail as possible.

Starting and stopping Desktop Firewall

You can start and stop Desktop Firewall using the Task menu in the main Desktop Firewall console, or using the system tray icon's shortcut menu. In both cases, select Enable McAfee Desktop Firewall to start the software, or Disable McAfee Desktop Firewall to turn it off.

When you enable Desktop Firewall, it runs constantly in the background. You can turn its individual features on and off without affecting each other. For instance, you can disable the IDS feature, but still run the firewall feature.

If you turn Desktop Firewall off, however, you disable all of its features simultaneously. These features include the firewall, application monitoring, intrusion detection, and logging. Desktop Firewall cannot secure any network communication when it is disabled.

NOTE: When you restart your computer, Desktop Firewall remains in its previous state. This means that if you disabled the software before restarting, Desktop Firewall will still be disabled after the restart.

Choosing which features to run

You can turn individual Desktop Firewall features on and off when Desktop Firewall is running, depending on your needs. Your choices include:
- The firewall, which inspects incoming and outgoing network traffic and either blocks it or allows it based on rules that you set up.
- The application monitoring system, which monitors the applications you use and prevents those you specify from starting, or from binding themselves to other programs.
- The intrusion detection system (IDS), which scans traffic destined for your computer and identifies potential attacks on your system.
- Logging, which lets you keep a history of Desktop Firewall actions for later review.

Enabling and disabling all product features

To enable or disable all Desktop Firewall features simultaneously, you must start or stop the software. You can do this using the Task menu in the main Desktop Firewall console, or using the system tray icon's shortcut menu. In both cases, select Enable McAfee Desktop Firewall to start the software, or Disable McAfee Desktop Firewall to turn it off.

Enabling and disabling the firewall feature

1 In Desktop Firewall, click the Firewall Policy tab to make it active.
2 Do one of the following:
- To enable the firewall, select the Enable Firewall checkbox.
- To disable the firewall, deselect the checkbox.

NOTE: Enabling and disabling the firewall feature does not enable or disable the intrusion detection, application monitoring, or logging features.

Enabling and disabling the application monitoring feature

Desktop Firewall supports two kinds of application monitoring. You can monitor for applications that are trying to run (application creation), or you can monitor for applications that are trying to bind themselves to other programs (application hooking).

NOTE: Enabling and disabling application monitoring does not enable or disable the firewall, intrusion detection, or logging features.

To enable and disable application creation monitoring

1 In Desktop Firewall, click the Application Policy tab to make it active.
2 Do one of the following:
- To enable creation monitoring, select the Enable Application Creation Monitor checkbox.
- To disable creation monitoring, deselect the Enable Application Creation Monitor checkbox.

To enable and disable application hook monitoring

1 In Desktop Firewall, click the Application Policy tab to make it active.
2 Do one of the following:
- To enable hook monitoring, select the Enable Application Hooking Monitor checkbox.
- To disable hook monitoring, deselect the Enable Application Hooking Monitor checkbox.

Enabling and disabling the IDS feature

1 In Desktop Firewall, select the Edit menu.
2 Select Options. The McAfee Desktop Firewall Options dialog box appears. The Intrusion Detection Options area controls the IDS feature.
3 Do one of the following:
- To enable intrusion detection, select the Enable Intrusion Detection checkbox.
- To disable intrusion detection, deselect the Enable Intrusion Detection checkbox.

NOTE: Enabling and disabling the IDS feature does not enable or disable the firewall, application monitoring, or logging features.

Enabling and disabling the logging feature

Desktop Firewall lets you log information about:
- Actions that the software allowed.
- Actions that the software blocked.

You can enable and disable logging for the firewall feature, but not for the IDS or application monitoring features. Desktop Firewall always logs information relating to these features (but you can hide these events by applying filters). For the firewall feature, you can choose to log only allowed events, only blocked events, both, or neither.

To enable and disable firewall logging

1 In Desktop Firewall, click the Activity Log tab to make it active.
2 Do one of the following:
- To log information about allowed firewall actions, select the Log All Allowed checkbox.
- To disable logging for allowed firewall actions, deselect the checkbox.

3 Do one of the following:
- To log information about blocked firewall actions, select the Log All Blocked checkbox.
- To disable logging for blocked firewall actions, deselect the checkbox.

3 Setting Up the Firewall

This section introduces the Desktop Firewall firewall feature, and describes how it filters your network traffic based on rules that you set up. The following topics are included:
- About the firewall feature.
- Setting up the firewall feature.
- Responding to firewall Learn Mode alerts.
- Working with firewall rules.

About the firewall feature

Desktop Firewall includes a firewall feature that protects your computer by filtering all network traffic that you send and receive. You can allow legitimate traffic through the firewall, and block the rest.

You configure the firewall by setting up rules on the Firewall Policy tab. See Firewall rules and precedence on page 60 for more information.

The software comes with several predefined sets of firewall rules. These rule sets are called protection levels. Protection levels offer different levels of protection, based on your security needs. See Protection levels and policy archives on page 61 for more information.

You can use Learn Mode to create new, customized firewall rule sets. In Learn Mode, Desktop Firewall prompts you for an action whenever it detects unknown network traffic. Once you select an action, the software automatically creates a new firewall rule to cover this type of traffic. See Firewall Learn Mode alerts on page 64 for more information.

Your Trusted Networks group can also make rule management easier. This group contains a list of addresses and subnets that you consider safe to communicate with. By treating these users as a group, you can create rules that apply specifically to them. See The Trusted Networks dialog box on page 44 and Trusted networks on page 64 for more information.

Firewall rules and precedence

The firewall feature uses rules to determine what it does each time it intercepts network traffic. A rule is a set of conditions that traffic has to meet. Each rule also has an action associated with it: either allow traffic, or block it. When Desktop Firewall finds traffic that matches a rule's conditions, it performs the specified action.

You create and manage rules using the Firewall Policy tab in the main Desktop Firewall console. This tab contains the firewall rule list, which displays all of the rules currently available to Desktop Firewall.

The software uses precedence when it applies the rules in this list. Precedence controls which rules the software applies first. When Desktop Firewall intercepts network traffic, it always applies the rule at the top of its rule list first. If the traffic meets this rule's conditions, Desktop Firewall allows or blocks the traffic. It does not try to apply any other rules in its rule list.

If, however, the traffic does not meet the first rule's conditions, Desktop Firewall looks at the next rule in its list. It works its way down through the firewall rule list until it finds a rule that the traffic matches. If no rule matches, the firewall automatically blocks the traffic unless you have Learn Mode turned on (in which case it prompts you for an action).

Sometimes the intercepted traffic matches more than one rule in the firewall rule list. In this case, precedence means that Desktop Firewall only applies the first rule it finds (the highest in the list). Because it then stops processing the list, the firewall never sees the second applicable rule.

Ordering your firewall rule list

When you create or customize your firewall rule list, place your most specific rules near the top of the list, and more general rules near the bottom. This ensures that Desktop Firewall filters traffic the way you want it to, because it will not miss rules based on exceptions to other, more general rules.

For example, to block all HTTP requests except those from IP address , you would create two rules:
- Allow Rule: Allow HTTP traffic from IP address (This rule is the most specific.)
- Block Rule: Block all traffic using the HTTP service. (This rule is more general.)

You must place the more specific Allow Rule higher in the firewall rule list than the more general Block Rule. This ensures that when the firewall intercepts an HTTP request from address , the first matching rule it finds is the one that allows this traffic through the firewall.
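The Python sketch below is an added example, not part of the product guide and not McAfee code. It models first-match evaluation with a default block, shows the Allow/Block ordering pitfall, and goes one step further by listing rules that can never fire because an earlier, more general rule covers them. The rule fields, the mapping of the HTTP service to TCP port 80, and the address 192.0.2.10 are assumptions made for the illustration; domain-based rule precedence is not modeled.

```python
"""First-match rule evaluation with default block (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    source: str      # source IPv4 address
    protocol: str    # "tcp" or "udp"
    port: int        # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    protocol: Optional[str] = None   # None = any protocol
    port: Optional[int] = None       # None = any destination port
    source: str = "0.0.0.0/0"        # CIDR block; the default is any IPv4 source

    def matches(self, pkt: Packet) -> bool:
        return ((self.protocol is None or self.protocol == pkt.protocol)
                and (self.port is None or self.port == pkt.port)
                and ip_address(pkt.source) in ip_network(self.source))

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` also matches this rule."""
        return ((self.protocol is None or self.protocol == other.protocol)
                and (self.port is None or self.port == other.port)
                and ip_network(other.source).subnet_of(ip_network(self.source)))


def evaluate(rules: List[Rule], pkt: Packet,
             learn_mode: bool = False) -> Tuple[str, Optional[str]]:
    """Walk the list top-down and stop at the first rule that matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    # No rule matched: block by default, or prompt when Learn Mode is on.
    return ("prompt" if learn_mode else "block"), None


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (hidden rule, hiding rule, actions_conflict) for every rule that
    first-match evaluation can never reach."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name,
                              earlier.action != later.action))
                break
    return found


# Constructed sample policy: HTTP is assumed to be TCP port 80, and
# 192.0.2.10 is a documentation-range address standing in for the trusted host.
ALLOW = Rule("Allow HTTP from trusted host", "allow", "tcp", 80, "192.0.2.10/32")
BLOCK = Rule("Block all HTTP", "block", "tcp", 80)
GOOD_ORDER = [ALLOW, BLOCK]   # specific rule above the general rule
BAD_ORDER = [BLOCK, ALLOW]    # general rule hides the exception

if __name__ == "__main__":
    trusted = Packet("192.0.2.10", "tcp", 80)
    for label, policy in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, evaluate(policy, trusted), shadowed_rules(policy))
```

Running the audit over an exported rule list before deploying it catches a misplaced exception without having to send test traffic.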

If you placed the more general Block Rule higher than the more specific Allow Rule, Desktop Firewall would match the HTTP request from against the Block Rule before it found the exception. It would block the traffic, even though you really wanted to allow HTTP requests from this address.

NOTE: Desktop Firewall handles precedence for domain-based rules differently. If you have any domain rules in your firewall rule list, the software applies them first.

Protection levels and policy archives

The Desktop Firewall software comes with several predefined sets of firewall rules. These rule sets are called protection levels. Protection levels offer different amounts of firewall protection, based on your security needs. You can use a protection level as is, or use it as a base for creating your own, customized rule list.

Desktop Firewall also lets you create policy archives. A policy archive is a custom collection of firewall, application monitoring, IDS, and logging settings.

NOTE: You set up and manage policy archives using the Firewall Policy tab, but these are not exclusively a firewall feature. Policy archives include settings for all Desktop Firewall features, not just the firewall.

You select protection levels and policy archives using the Protection Level list on the Firewall Policy tab.

The software's default protection levels

Desktop Firewall offers several protection levels:
- Minimal
- Learning Starter
- Client Medium
- Client High
- Server Medium
- Server High

Select the protection level that you want to use from the Protection Level list on the Firewall Policy tab. If you then add, edit, or delete any rules, Desktop Firewall changes the display name to Custom to show that you edited the protection level.

The Learning Starter protection level

Use the Learning Starter protection level if you plan to use Desktop Firewall's Learn Mode to build a custom rule list for your environment. This protection level:
- Blocks any incoming ICMP traffic that an attacker could use to gather information about your computer. Desktop Firewall allows all other ICMP traffic.
- Allows incoming and outgoing UDP traffic related to DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name System), NTP (Network Time Protocol), and authentication services.

The Minimal protection level

Use the Minimal protection level to provide basic protection from common attacks. This protection level:
- Blocks any incoming ICMP traffic that an attacker could use to gather information about your computer. Desktop Firewall allows all other ICMP traffic.
- Allows Windows file sharing requests from computers that belong to the same subnet as you, but blocks file sharing requests from anyone else.
- Allows you to browse Windows domains, workgroups, and computers.
- Allows all high incoming and outgoing UDP traffic.
- Allows traffic that uses BOOTP, DNS, and Net Time UDP ports.

The Client Medium protection level

Use the Client Medium protection level to provide more protection than the Minimal level offers. This protection level:
- Allows only ICMP traffic needed for IP networking (including outgoing pings, trace routes, and incoming ICMP messages). Desktop Firewall blocks all other ICMP traffic.
- Allows UDP traffic necessary for accessing IP information (such as your own IP address, or the network time). Desktop Firewall also allows traffic on high UDP ports (1024 or higher) with this protection level.
- Allows Windows file sharing, but only for your local subnet. You cannot browse outside of your local subnet, and Desktop Firewall blocks anyone outside of your subnet from accessing the files on your computer.

The Client High protection level

Use the Client High protection level if you are under attack, or at high risk of an attack. This protection level allows only minimal traffic in and out of your system. Specifically, this level:
- Allows only ICMP traffic that is necessary for proper networking. Desktop Firewall blocks both incoming and outgoing pings.
- Allows only UDP traffic that is necessary for accessing IP information (such as your own IP address, or the network time).
- Blocks Windows file sharing.

The Server Medium protection level

Use the Server Medium protection level if you run a network server. This protection level:
- Allows ICMP traffic that facilitates communications between the server and its clients. Desktop Firewall blocks all other ICMP traffic.
- Allows UDP traffic that is necessary for accessing IP information. Desktop Firewall also allows traffic on high UDP ports (1024 or higher).

The Server High protection level

Use the Server High protection level if you run a server that is connected directly to the Internet, and is therefore at a high risk of attack. McAfee Security recommends that you use this protection level as a base for creating your own, customized rule set. This lets you tailor the firewall's security to meet the exact requirements of your server. You can set up the firewall to allow only the services that the server supports, and therefore reduce the number of open ports.

By default, this protection level:
- Allows specific ICMP traffic that facilitates communications between the server and its clients. Desktop Firewall blocks all other ICMP traffic.
- Allows UDP traffic that is necessary for accessing IP information. Desktop Firewall blocks all other UDP traffic.

Firewall Learn Mode alerts

When you enable the firewall feature, Desktop Firewall continually monitors the network traffic that your computer sends and receives. It allows or blocks traffic based on the rules you set up on the Firewall Policy tab. If the software intercepts traffic that it cannot match against an existing rule, it automatically blocks it unless you enable the firewall's Learn Mode.

You can enable Learn Mode for incoming communication only, outgoing communication only, or both. In Learn Mode, Desktop Firewall displays a Learn Mode alert when it intercepts unknown network traffic. This alert dialog box prompts you for an action: you can either allow or block the traffic. The firewall creates a new rule based on the action you select. For more information, see Responding to firewall Learn Mode alerts on page 70.

Trusted networks

If your computer is part of a corporate network, or if you routinely share computer resources with others, then you might want to treat the computers you trust as a group. You could then create firewall rules specifically for this group.

Desktop Firewall lets you create a group of trusted networks. Trusted networks can include subnets, individual IP addresses, or ranges of addresses. You set up and configure your trusted network group using the Trusted Networks dialog box. Click the Trusted button on the Firewall Policy tab to open this dialog box.

If your computer belongs to a corporate network and you want to treat other subnet members as trusted, you do not have to add them to your trusted network list manually. Instead you can select the Include Local Subnet Automatically option in the Trusted Networks dialog box.

Setting up the firewall feature

Use the Firewall Policy tab to configure the firewall feature. Using this tab, you can:
- Enable or disable the firewall.
- Enable or disable Learn Mode for incoming and/or outgoing firewall traffic.
- Work with protection levels and policy archives.
- Work with your trusted networks group.

Enabling and disabling the firewall feature

1 In Desktop Firewall, click the Firewall Policy tab to make it active.
2 Do one of the following:
- To enable the firewall, select the Enable Firewall checkbox.
- To disable the firewall, deselect the checkbox.

Enabling and disabling Firewall Learn Mode

Desktop Firewall supports two kinds of Firewall Learn Mode:
- Incoming Learn Mode only monitors traffic that your computer receives.
- Outgoing Learn Mode only monitors traffic that your computer sends.

To enable and disable Learn Mode for incoming traffic

1 In Desktop Firewall, click the Firewall Policy tab.
2 Do one of the following:
- To enable Incoming Learn Mode alerts, select the Incoming Enabled checkbox.
- To disable Incoming Learn Mode alerts, deselect the checkbox.

To enable and disable Learn Mode for outgoing traffic

1 In Desktop Firewall, click the Firewall Policy tab.
2 Do one of the following:
- To enable Outgoing Learn Mode alerts, select the Outgoing Enabled checkbox.
- To disable Outgoing Learn Mode alerts, deselect the checkbox.

Using protection levels and policy archives

Use the Protection Level list on the Firewall Policy tab to choose a protection level or policy archive:
- A protection level is a predefined set of firewall rules. You cannot create or delete protection levels.
- A policy archive is a collection of firewall, application monitoring, IDS, and log settings. You can create, edit, and delete policy archives.

Using a protection level

1 In Desktop Firewall, click the Firewall Policy tab.
2 Using the Protection Level list, select the protection level that you want to use:
- Minimal
- Client Medium
- Client High
- Server Medium
- Server High
- Learning Starter

Desktop Firewall replaces your firewall settings with those in the protection level. See The software's default protection levels on page 61 for more information.

Using a policy archive

1 In Desktop Firewall, click the Firewall Policy tab.
2 Using the Protection Level list, select the policy archive that you want to use. Desktop Firewall asks you to confirm that you want to use this policy archive.
3 Click Yes. Desktop Firewall replaces all of your firewall, application monitoring, IDS, and logging settings with those in the policy archive.

Creating a policy archive

You can create a new policy archive in two ways:
- Configure all of your Desktop Firewall settings, then export these settings as a policy archive.
- Use the Edit Policy Archive dialog box to import an existing policy file (.PFR) as a policy archive.

Creating a policy archive using the Export Policy feature

1 In Desktop Firewall, configure your firewall, application monitoring, IDS, and logging features. Your policy archive will include all of these settings.
2 Select the Task menu, then Export Policy.
3 Navigate to the folder where you want to store your policy archive.

4 In the File name field, type a name for the policy file. Skip this step if you want to use the default filename (MDFPOLICY.PFR).
5 Click Save. Desktop Firewall asks whether you want to use this policy file as a policy archive.
6 Click Yes. Desktop Firewall opens the Edit Policy Archive Properties dialog box.
7 In the Description field, type a name for the policy archive. This name appears in the Protection Level list on the Firewall Policy tab.
8 Click OK. Desktop Firewall creates the policy archive and adds it to the Protection Level list.

Creating a policy archive using the Edit Policy Archive dialog box

NOTE: To create a policy archive using this procedure, you must have an existing Desktop Firewall policy (.PFR) file.

1 In Desktop Firewall, click the Firewall Policy tab.
2 From the Protection Level list, select Edit Policy Archive. Desktop Firewall opens the Edit Policy Archive dialog box.
3 Click Add.
4 In the Description field, type a name for the policy archive. This name appears in the Protection Level list on the Firewall Policy tab.
5 Click Browse, then navigate to the policy file that you want to use as a policy archive.
6 Select the file name, then click Open.
7 Click OK. Desktop Firewall adds the new policy archive to the Policy Archives list on the Edit Policy Archive dialog box.
8 Click OK to return to the Firewall Policy tab. You can now access the new policy archive from the Protection Level list on this tab.

Editing a policy archive

1 In Desktop Firewall, click the Firewall Policy tab.
2 From the Protection Level list, select Edit Policy Archive. Desktop Firewall opens the Edit Policy Archive dialog box.
3 Select the policy archive that you want to edit, then click Properties.
4 Edit the archive's description, or click Browse to select a new policy archive file (.PFR).
5 Click OK to save your changes.
6 Click OK to close the Edit Policy Archive dialog box.

Deleting a policy archive

1 In Desktop Firewall, click the Firewall Policy tab.
2 From the Protection Level list, select Edit Policy Archive. Desktop Firewall opens the Edit Policy Archive dialog box.
3 Select the policy archive that you want to delete, then click Remove.
4 Click Yes to delete the archive.
5 Click OK to save your changes and close the Edit Policy Archive dialog box. Desktop Firewall removes the policy archive from the Protection Level list, but does not delete the policy file (.PFR) that it was based on.

Setting up trusted networks

Desktop Firewall maintains a list of addresses and subnets that you trust. It treats these users as a group, which lets you create firewall rules that apply only to them.

You work with your list of trusted addresses and subnets using the Trusted Networks dialog box. To reach this dialog box, click Trusted on the Firewall Policy tab. The Trusted Networks dialog box lets you:
- Set up your trusted network options (which determine whether Desktop Firewall treats others on your local subnet as trusted).
- Add addresses or subnets to your trusted list.
- Delete addresses or subnets that you no longer want to trust.

Setting trusted network options

1 In Desktop Firewall, click the Firewall Policy tab.
2 Click Trusted. The Trusted Networks dialog box appears.
3 In the Options area, select one of the following options:

Option | What it does
Do not include Local Subnet Automatically | Makes Desktop Firewall treat users on your subnet as untrusted, unless you add them to your Trusted Networks list.
Include Local Subnet Automatically | Makes Desktop Firewall treat all users on your subnet as trusted, even if you haven't added them to your Trusted Networks list.

4 Click OK.

Adding someone to the Trusted Networks list

1 In Desktop Firewall, click the Firewall Policy tab.
2 Click Trusted. The Trusted Networks dialog box appears.
3 Click Add. The Add Trusted Network dialog box appears.
4 In the Type area, select IP Address, IP Address Range, or Subnet to indicate which of these you want to add.
5 Fill in the resulting fields to define the address, range, or subnet that you want Desktop Firewall to trust.
6 Click OK. Desktop Firewall adds a new item to its Trusted Networks list.
7 Click OK.

Removing someone from the Trusted Networks list

1 In Desktop Firewall, click the Firewall Policy tab.
2 Click Trusted. The Trusted Networks dialog box appears.
3 In the Trusted Networks list, select the address, range, or subnet that you want to delete.
4 Click Remove. Desktop Firewall asks you to confirm that you want to delete this list item.
5 Click Yes. The software removes the selected list item.
6 Click OK.

Responding to firewall Learn Mode alerts

If you enabled the firewall's Learn Mode for either incoming or outgoing traffic, Desktop Firewall displays a Learn Mode alert whenever it detects unknown network traffic. Use this alert dialog box to either allow or block the traffic. Desktop Firewall creates a new firewall rule based on your choice.

To respond to a firewall Learn Mode alert

1 If necessary, click the Connection Information tab and set up options for your new firewall rule:

   Option: Create a firewall application rule for all ports and services
   What it does: Select this option to make the new rule allow or block this application's traffic over any port or service. If you do not select this option, the new firewall rule only allows or blocks specific ports:
   - If the intercepted traffic uses a port lower than 1024, the new rule allows or blocks only that specific port.
   - If the traffic uses port 1024 or higher, the new rule allows or blocks the range of ports from 1024 to

   Option: Remove this rule when the application terminates
   What it does: Select this option to make the new rule temporary; Desktop Firewall deletes the rule when you exit the application that:
   - Created this network traffic, in the case of outgoing communications.
   - Handles this network traffic, in the case of incoming communications.

2 On the Application Information tab, do one of the following:

   If: You want to block this traffic (and all similar traffic)
   Then: Click Deny.

   If: You want to let this traffic (and all similar traffic) through the firewall
   Then: Click Allow.

Desktop Firewall creates a new firewall rule based on your choice and adds it to the firewall rule list on the Firewall Policy tab. The software automatically allows or blocks similar traffic in future.

Working with firewall rules

Rules determine how the firewall feature reacts to incoming and outgoing network traffic. You create and manage rules using the firewall rules list on the Firewall Policy tab.

The firewall rules list and the Firewall Policy tab let you:

- Create new firewall rules and rule groups, using the Add button.
- Edit and disable existing firewall rules, using the Properties button.
- Delete firewall rules, using the Remove button.
- Copy firewall rules, using the Duplicate button.

You can also save your firewall rules (along with your application monitoring, IDS, and log settings) by exporting them to a policy file. Or you can replace your current Desktop Firewall rules and settings by importing a policy file.

Creating a new firewall rule

1 In Desktop Firewall, click the Firewall Policy tab.
2 Click Add, then select New Rule. The Firewall Rule dialog box appears.
3 In the Description field, enter a brief statement that outlines the purpose of this rule.
4 From the Action list, select one of the following:
   - Permit, if you want this rule to let traffic through the firewall.
   - Block, if you want this rule to stop traffic from passing the firewall.
5 Using the Protocol lists, select the network protocol that you want this rule to apply to:
   - Select IP to apply this rule to IP-based protocols. Select an IP protocol from the list, or select All IP Protocols to monitor all protocols.
   - Select Non-IP to apply this rule to other protocols, such as IPX.
6 Using the Direction list, specify whether you want Desktop Firewall to monitor incoming traffic, outgoing traffic, or both when it applies this rule.

7 If necessary, specify more criteria for the firewall to scan for:

   Option: Application
   What it does: Applies the rule to traffic generated by a specific application. Select an application from the list, or click Browse and navigate to the program file.

   Option: Local Service
   What it does: Applies the rule to traffic that uses a specific service or port on your computer. By default, rules apply to all services and ports. Using the Local Service list, select whether you want to specify a single service, a range, or a list. Next, use the resulting fields to select the services or ports. Pick services from the list, or type their associated port numbers.

   Option: Remote Service
   What it does: Applies the rule to traffic that uses a specific service or port on another computer. By default, rules apply to all services and ports. Using the Remote Service list, select whether you want to specify a single service, a range, or a list. Next, use the resulting fields to select the services or ports. Pick services from the list, or type their associated port numbers.

   Option: Address
   What it does: Applies the rule to traffic destined for, or originating from, a specific IP address, subnet, range, or domain. You can also apply the rule to trusted network traffic. Use the Address list to select which one you want to apply the rule to. Next, use the resulting fields or buttons to set up the addresses, subnets, or domains that you want Desktop Firewall to monitor.

8 In the Options area, specify when you want this rule to be active, and how you want the firewall to react when it finds matching traffic. Select any of the following:

   Option: Treat rule match as intrusion
   What it does: Makes Desktop Firewall react to traffic that matches this rule as though it were an attack on your computer. Your IDS settings define whether the software blocks the traffic, and whether it displays an intrusion alert message.

   Option: Restrict rule to currently defined time interval
   What it does: Applies the rule during the time periods that you specify. You determine whether Desktop Firewall disables the rule the rest of the time, or reverses the action it normally performs (for example, allowing traffic that it normally blocks). Click Time to set up time restrictions for this rule.

   Option: Log matching traffic
   What it does: Tells Desktop Firewall to record information about matching traffic in the Activity Log.

   Option: Active
   What it does: Makes Desktop Firewall enforce this rule.

9 Click OK to save this rule and close the Firewall Rule dialog box.

Copying a firewall rule

1 In Desktop Firewall, click the Firewall Policy tab.
2 In the firewall rule list, select the rule that you want to copy.
3 Click Duplicate. Desktop Firewall adds a copy of this rule to the bottom of your rule list.
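The scope of a rule created from a Learn Mode alert, and the effect of the time interval option described under "Creating a new firewall rule", can be checked with a small model. This is an added example, not McAfee code: all names are hypothetical and the sample traffic is constructed. It assumes that the high-port range ends at 65535 (the upper bound is missing from this copy of the guide) and that a time interval is a daily start and end time.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Assumption: the upper bound of the high-port range is missing from this copy
# of the guide; 65535 is the highest valid TCP/UDP port number.
HIGH_PORT_END = 65535


@dataclass
class Rule:
    action: str                        # "permit" or "block"
    application: str                   # program the rule applies to
    direction: str                     # "incoming", "outgoing" or "both"
    ports: Tuple[int, int]             # inclusive service/port range
    temporary: bool = False            # removed when the application terminates
    active: bool = True                # the Active option
    window: Optional[Tuple[time, time]] = None   # assumed daily start and end
    outside_window: str = "disable"    # or "reverse"


def rule_from_learn_alert(choice, application, direction, port,
                          all_ports=False, temporary=False):
    """Build the rule that an Allow or Deny answer to a Learn Mode alert implies."""
    action = {"allow": "permit", "deny": "block"}[choice]
    if all_ports:
        ports = (0, HIGH_PORT_END)         # any port or service
    elif port < 1024:
        ports = (port, port)               # only the intercepted port
    else:
        ports = (1024, HIGH_PORT_END)      # the whole high-port range
    return Rule(action, application, direction, ports, temporary)


def in_window(window, now):
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end       # interval that crosses midnight


def effective_action(rule, application, direction, port, now):
    """Return "permit" or "block" for matching traffic, or None if the rule does not apply."""
    if not rule.active or rule.application != application:
        return None
    if rule.direction not in ("both", direction):
        return None
    if not rule.ports[0] <= port <= rule.ports[1]:
        return None
    if rule.window is not None and not in_window(rule.window, now):
        if rule.outside_window == "disable":
            return None
        return "block" if rule.action == "permit" else "permit"
    return rule.action


def ports_covered(rule):
    return rule.ports[1] - rule.ports[0] + 1


def demo():
    noon, evening = time(12, 0), time(20, 0)
    # Constructed sample: two Allow answers for the same hypothetical program.
    low = rule_from_learn_alert("allow", "sync.exe", "outgoing", 443)
    high = rule_from_learn_alert("allow", "sync.exe", "outgoing", 50123)
    # Constructed sample: a block rule limited to office hours, reversed outside them.
    office = Rule("block", "chat.exe", "both", (5222, 5222),
                  window=(time(9, 0), time(17, 0)), outside_window="reverse")
    return {
        "low_ports": ports_covered(low),
        "high_ports": ports_covered(high),
        "low_other_port": effective_action(low, "sync.exe", "outgoing", 8443, noon),
        "high_other_port": effective_action(high, "sync.exe", "outgoing", 8443, noon),
        "office_noon": effective_action(office, "chat.exe", "outgoing", 5222, noon),
        "office_evening": effective_action(office, "chat.exe", "outgoing", 5222, evening),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model a single Allow answer for high-port traffic covers every high port for that application, and a reversed block rule permits the same traffic outside its time interval, so both are worth checking when reviewing a learned rule list.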

Editing a firewall rule

1 In Desktop Firewall, click the Firewall Policy tab.
2 In the firewall rule list, select the rule that you want to edit.
3 Click Properties. The Firewall Rule dialog box appears.
4 Edit any necessary rule settings. See "Creating a new firewall rule" on page 72 for field descriptions.
5 Click OK to save your changes.

Deleting a firewall rule

1 In Desktop Firewall, click the Firewall Policy tab.
2 In the firewall rule list, select the rule that you want to delete.
3 Click Remove.
4 Click Yes to delete the rule.

Enabling and disabling a firewall rule

1 In Desktop Firewall, click the Firewall Policy tab.
2 In the firewall rule list, select the rule that you want to enable or disable.
3 Click Properties. The Firewall Rule dialog box appears.
4 In the Options area, do one of the following:
   - To enable the firewall rule, select Active.
   - To disable the firewall rule, deselect Active.
5 Click OK.

Creating a new rule group

1 In Desktop Firewall, click the Firewall Policy tab.
2 Click Add, then select New Group. The Firewall Rule Group appears.
3 In the Description field, enter a brief statement outlining the purpose of this group.
4 Click OK to add the group.

Exporting a policy file

NOTE: When you export a policy file, you save all of your current firewall, application monitoring, IDS, and logging settings.

1 In Desktop Firewall, select the Task menu.
2 Select Export Policy.
3 Navigate to the folder where you want to store the exported policy file (.PFR).
4 In the File name field, type a name for the policy file.
5 Click Save. Desktop Firewall asks whether you want to create a policy archive from this policy file.
6 Do one of the following:
   - If you do not want to create a policy archive, click No. Desktop Firewall saves all of your existing firewall, application monitoring, IDS, and logging settings to a policy file.
   - If you want to create a policy archive from this file, click Yes. Desktop Firewall creates the policy file and opens the Edit Policy Archive Properties dialog box. Continue to Step 7.
7 In the Description field, type a name for the policy archive. This name appears in the Protection Level list on the Firewall Policy tab.
8 Click OK. Desktop Firewall creates the policy archive and adds it to the Protection Level list.

Importing a policy file

NOTE: When you import a policy file, you replace all of your current firewall, application monitoring, IDS, and logging settings.

1 In Desktop Firewall, select the Task menu.
2 Select Import Policy.
3 Navigate to the policy file (.PFR) that you want to import.
4 Select the file name, then click Open.
5 Click Yes to import the file. Desktop Firewall replaces your existing firewall, application monitoring, IDS, and logging settings with those in the imported policy file.


Section 4: Setting Up the Intrusion Detection System (IDS)

This section introduces the Desktop Firewall intrusion detection system (IDS), and describes how it scans for and blocks attacks against your computer. The following topics are included:

- Setting up the IDS feature.
- Responding to Intrusion Detected Alerts.
- Working with blocked addresses.
- Updating IDS signatures.

About the IDS feature

The Desktop Firewall software includes an IDS feature that protects your computer from complex attacks. Attacks are also known as intrusions.

While the firewall feature can allow or block incoming network traffic based on the rules that you set up, it cannot tell whether the traffic is part of an attack. To detect attacks you must enable the IDS feature. This feature looks for patterns in incoming network traffic. Certain patterns represent attacks.

The IDS feature uses a library of IDS signatures to recognize the patterns of common attacks. A signature is a collection of information that describes a specific attack, so that Desktop Firewall can recognize it. The Desktop Firewall software comes with a default set of IDS signatures. You can configure which attacks the IDS scans for by selecting the signatures the software uses. You can also update the Desktop Firewall signature list using the AutoUpdate and Update Now options.

Intrusion alerts

When you enable the IDS, the Desktop Firewall software continually monitors incoming traffic for attacks on your system. It allows or blocks suspected intrusions based on the default action you define using the McAfee Desktop Firewall Options dialog box. See "Configuring the software's default response to intrusions" on page 81 for more information.

You can also enable or disable Intrusion Detected Alerts, the alert messages that appear when the IDS detects a potential attack. The Intrusion Detected Alert dialog box prompts you for an action: block or don't block the intruder. You can override the software's default response to intrusions using this dialog box. To enable or disable intrusion alerts, see "Enabling and disabling intrusion alerts" on page 81.

Setting up the IDS feature

Use the McAfee Desktop Firewall Options dialog box to configure the IDS feature. This dialog box lets you:

- Enable and disable the IDS feature.
- Enable Intrusion Detected Alerts.
- Determine the software's default response to potential intrusions: allow them through the firewall, or block them.
- Set up ways for the software to notify you when it detects an intrusion.
- Define which attacks you want the IDS feature to scan for.

Figure. The McAfee Desktop Firewall Options dialog box

Enabling and disabling the IDS feature

1 In Desktop Firewall, select the Edit menu.
2 Select Options. The McAfee Desktop Firewall Options dialog box appears. The Intrusion Detection Options area controls the IDS feature.
3 Do one of the following:
   - To enable the IDS feature, select the Enable Intrusion Detection checkbox.
   - To disable the IDS feature, deselect the checkbox.
4 Click OK to save your IDS settings.

Enabling and disabling intrusion alerts

1 In Desktop Firewall, select the Edit menu.
2 Select Options. The McAfee Desktop Firewall Options dialog box appears.
3 Locate the Display notification message when attacked checkbox, then do one of the following:
   - To enable intrusion alerts, select the checkbox.
   - To disable intrusion alerts, deselect the checkbox.
4 Click OK to save your IDS settings.

Configuring the software's default response to intrusions

Desktop Firewall needs to know what to do when its IDS feature detects a potential attack. You have two options:

- Desktop Firewall can block the suspected attack.
- Desktop Firewall can allow the suspicious network traffic through the firewall.

Use the McAfee Desktop Firewall Options dialog box to select one of these options.

Note that if you enabled intrusion alerts, you can override the software's default response. Each time the IDS feature detects an attack, it displays an Intrusion Detected Alert. This dialog box lets you choose whether to allow or block the intercepted traffic on a case by case basis.

To automatically block potential intruders

1 In Desktop Firewall, select the Edit menu.
2 Select Options. The McAfee Desktop Firewall Options dialog box appears.
3 Select the Automatically block attackers checkbox. Desktop Firewall will now block all suspected intruders and add their IP addresses to the IDS blocked addresses list. The IDS feature blocks intruders as soon as it detects them. You can configure how long the software blocks intruders by selecting a block option.
4 Select one of the following block options:

   Option: until removed
   What it does: Blocks intruders until you either:
   - Click Don't Block on the Intrusion Detected Alert dialog box.
   - Manually remove them from the blocked addresses list.

   Option: for <TIME> min.
   What it does: Blocks intruders until:
   - The period of time you specify elapses.
   - You click Don't Block on the Intrusion Detected Alert dialog box.
   - You manually remove them from the blocked addresses list.

5 Click OK to save your IDS settings.

To automatically allow potential intruders

1 In Desktop Firewall, select the Edit menu.
2 Select Options. The McAfee Desktop Firewall Options dialog box appears.
3 Deselect the Automatically block attackers checkbox. Desktop Firewall now allows potential intruders through the firewall. If you enabled intrusion alerts, you can override this setting by clicking Block in the Intrusion Detected Alert dialog box. See "Intrusion alerts" on page 79 for more information.
4 Click OK to save your IDS settings.

Setting up notification options

1 In Desktop Firewall, select the Edit menu.
2 Select Options. The McAfee Desktop Firewall Options dialog box appears.
3 Select any of the following options to enable them:

   Option: Send attack alerts by
   What it does: Sends an e-mail message to the address you specify each time the IDS feature detects an attack. You can only enter one address. Use the format username@domain.suffix. Also enter the domain name or IP address of an SMTP server in the Outgoing mail (SMTP) server field. Desktop Firewall must be able to communicate with this server in order to send alerts.

   Option: Play sound when attacked
   What it does: Sounds an alert tone whenever the IDS feature detects a potential intruder. You can change the alert tone using the Sounds and Multimedia Properties dialog box (accessed from the Windows Control Panel). Configure the Firewall Intruder Alert entry to change the alert tone.

   Option: Flash McAfee Firewall tray icon when attacked
   What it does: Makes the Desktop Firewall system tray icon alternate between its normal icon and an intrusion alert icon to indicate a potential attack on your system.

4 Click OK to save your IDS settings.

Selecting the attacks you want to scan for

1 In Desktop Firewall, select the Edit menu.
2 Select Options. The McAfee Desktop Firewall Options dialog box appears.
3 Click Signatures to display that tab. This tab displays a list of all the signatures that the IDS feature has available. Each signature corresponds to an attack that Desktop Firewall can scan for.

4 Edit the signatures list.
   - To scan for a specific type of attack, select the checkbox beside its name.
   - To ignore a specific type of attack, deselect the checkbox beside its name.
5 Click OK to save your settings.

Responding to Intrusion Detected Alerts

If you enabled intrusion alerts, the Desktop Firewall software displays an Intrusion Detected Alert dialog box when the IDS feature detects an attack on your system. Use this dialog box to select an action (block or don't block the intruder, or trace the intruder):

- Click Block to stop the intrusion. Desktop Firewall also adds the attacker's IP address to the blocked addresses list on the Intruder Policy tab. The IDS feature blocks this address as long as it remains on the list. Select a Block option to determine how long it remains there:

   Option: until removed
   What it does: Blocks the intruder's address until you manually remove it from the blocked addresses list.

   Option: for <TIME> min.
   What it does: Blocks the intruder's address until either:
   - The period of time you specify elapses.
   - You manually remove the address from the blocked addresses list.

- Click Don't Block to let the intercepted communication continue. For example, you might do this if the potential intrusion is actually legitimate network traffic.
- Click Trace to open the Blocked Host dialog box, where you can trace the intruder's IP address to gather more information about them. For more information, see "Tracing an IP address".
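The two block options and the ways an address leaves the blocked addresses list can be modeled as follows. This is an added example, not McAfee code: the class and method names are hypothetical, the clock is passed in explicitly, and the addresses are constructed from documentation ranges.

```python
from datetime import datetime, timedelta


class BlockedAddresses:
    """Illustrative model of an IDS blocked addresses list; not the product's code."""

    def __init__(self):
        self._entries = {}   # ip -> expiry datetime, or None for "until removed"

    def block(self, ip, now, minutes=None):
        """Block ip until removed (minutes=None) or for the given number of minutes."""
        if minutes is not None and minutes <= 0:
            raise ValueError("block time must be a positive number of minutes")
        self._entries[ip] = None if minutes is None else now + timedelta(minutes=minutes)

    def remove(self, ip):
        """Manual removal from the list, or the effect of answering Don't Block."""
        if ip in self._entries:
            del self._entries[ip]
            return True
        return False

    def is_blocked(self, ip, now):
        if ip not in self._entries:
            return False
        expiry = self._entries[ip]
        if expiry is not None and now >= expiry:
            del self._entries[ip]        # the timed block has elapsed
            return False
        return True

    def review(self, now):
        """Return live entries as (ip, minutes_left); None means until removed."""
        rows = []
        for ip in sorted(self._entries):
            if self.is_blocked(ip, now):
                expiry = self._entries[ip]
                left = None if expiry is None else int((expiry - now).total_seconds() // 60)
                rows.append((ip, left))
        return rows


def demo():
    # Constructed sample: three detections at 09:00 with different block options.
    t0 = datetime(2003, 6, 1, 9, 0)
    blocked = BlockedAddresses()
    blocked.block("192.0.2.10", t0)                 # until removed
    blocked.block("198.51.100.7", t0, minutes=30)   # for 30 min.
    blocked.block("203.0.113.99", t0, minutes=30)
    blocked.remove("203.0.113.99")                  # user answered Don't Block
    at_10 = blocked.review(t0 + timedelta(minutes=10))
    at_45 = blocked.review(t0 + timedelta(minutes=45))
    return at_10, at_45


if __name__ == "__main__":
    for rows in demo():
        print(rows)
```

Entries blocked until removed never expire on their own, which is why the list on the Intruder Policy tab benefits from periodic review.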

Working with blocked addresses

Desktop Firewall maintains a list of addresses that it blocks on the Intruder Policy tab. You can add intruders to this list by selecting Block from the Intruder Detected Alert dialog box, or you can add addresses to the list manually.

The blocked addresses list and the Intruder Policy tab let you:

- Define new IP addresses that you want to block, using the Add button.
- Delete addresses that you no longer want to block, using the Remove button.
- Trace an IP address, using the Blocked Host dialog box.

Adding someone to the blocked addresses list

1 In Desktop Firewall, click Intruder Policy to display that tab.
2 Click Add. The Blocked Host dialog box appears.
3 Do one of the following:

   If: You know the IP address of the person you want to block
   Then:
   1 Type their IP address in the IP Address field.

   If: You only know the domain name that you want to block
   Then:
   1 Click DNS Lookup.
   2 In the DNS Lookup dialog box, type the domain name.
   3 Click Lookup. Desktop Firewall tries to identify the IP address that belongs to the domain name. If it succeeds, it lists the address in the Found IP Address area.
   4 Click Use to transfer the address information into the Blocked Host dialog box.

4 Select one of the Block options to determine how long Desktop Firewall will block this address:

   Option: until removed
   What it does: Blocks the intruder until you manually remove them from the blocked addresses list.

   Option: for <TIME> min.
   What it does: Blocks the intruder until either:
   - The period of time you specify elapses.
   - You manually remove them from the blocked addresses list.

5 Click OK. Desktop Firewall adds this address to its blocked addresses list.

Removing someone from the blocked addresses list

1 In Desktop Firewall, click Intruder Policy to display that tab.
2 In the blocked addresses list, select the IP address that you no longer want to block.
3 Click Remove. Desktop Firewall asks you to confirm that you no longer want to block this address.
4 Click Yes. Desktop Firewall removes the address from its blocked addresses list.

Tracing an IP address

1 In Desktop Firewall, click Intruder Policy to display that tab.
2 Do one of the following:

   If: The address you want to trace already exists in the blocked hosts list
   Then:
   1 Select that address, then click Properties. The Blocked Host dialog box appears.

   If: The address you want to trace is not in the blocked hosts list
   Then:
   1 Click Add.
   2 In the Blocked Host dialog box, type the address you want to trace in the IP Address field.

3 Click Trace Source. Desktop Firewall displays any information it gathers about the address in the Trace Results area.
4 Click Cancel to return to the Intruder Policy tab.

Updating IDS signatures

The IDS feature detects attacks by recognizing patterns in incoming network traffic. Certain traffic patterns represent attacks. Desktop Firewall uses signatures to recognize common attack patterns. A signature is a collection of information that describes a specific attack so that Desktop Firewall can recognize it.

The Desktop Firewall software comes with a default set of IDS signatures. It also provides two features for updating the signature list: AutoUpdate and Update Now. Use these options to keep the Desktop Firewall IDS feature up-to-date at all times:

- Use Update Now to immediately download the latest signatures for Desktop Firewall.
- Use AutoUpdate to schedule regular, automatic signature updates.

Updating IDS signatures immediately

1 Right-click the Desktop Firewall system tray icon and select Update Now. Desktop Firewall starts AutoUpdate and begins downloading new signatures. An Update in Progress window appears. The status area logs each AutoUpdate action.
2 When the update finishes, click Close.

Scheduling regular IDS signature updates

Use the AutoUpdate feature to set up automatic signature updates. You can schedule these updates to occur at any time. To set up regular updates, you must:

- Enable AutoUpdate.
- Set up an AutoUpdate schedule.

Enabling AutoUpdate

1 Right-click the Desktop Firewall system tray icon and select AutoUpdate Properties. The Desktop Firewall AutoUpdate Properties dialog box appears.
2 Click Schedule to open the Schedule Settings dialog box.
3 Click Task to display that tab.
4 In the Schedule Settings area, select Enable (scheduled task runs at specified time). This setting makes AutoUpdate run at the times and dates that you specify on the Schedule tab.
5 If you do not want AutoUpdate to run for an extended period of time, select Stop the task if it runs for, then define a maximum running time in hours and minutes.
6 If necessary, specify the user account that you want AutoUpdate to use when it runs. In the Task area, enter the following account information:
   - User: Enter the username for the account.
   - Domain: Enter the domain name for the account.
   - Password: Enter the password for the account.

   Note that you do not have to specify a user account for AutoUpdate. If you do not fill in these fields, AutoUpdate runs under the local system account. If you do specify a user account, make certain that this account has the logon as batch job privilege. Otherwise AutoUpdate will not be able to access network resources properly.
7 Click Apply to save your changes.

Now that AutoUpdate is enabled, you can set up an AutoUpdate schedule.

Setting up an AutoUpdate schedule

You can schedule AutoUpdate to run at any time and date that meets your needs. The Schedule Settings dialog box offers you a range of choices for when to run AutoUpdate:

- Daily
- Weekly
- Monthly
- Once
- At System Startup
- At Logon
- When Idle
- Run Immediately
- Run On Dialup

Running AutoUpdate daily

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select Daily from the Schedule Task list.
3 In the Start Time field, enter the time of day that you want AutoUpdate to start.
4 Select a time zone option:

   Option: UTC Time (Coordinated Universal Time)
   What it does: Runs AutoUpdate simultaneously in all time zones.

   Option: Local Time
   What it does: Runs AutoUpdate independently in each local time zone.

5 If necessary, select Enable randomization. This runs AutoUpdate at a random point within a time interval that you set. Enter a maximum time interval in hours and minutes, between one minute and twenty-four hours.

6 If necessary, select Run missed task. This ensures that if AutoUpdate does not run at the scheduled time, it automatically runs the next time you start your computer. Enter a value in minutes in the Delay missed task by field. This defines how long you delay running AutoUpdate if it does not run at its scheduled time.
7 If necessary, click Advanced to set up a more detailed AutoUpdate schedule. See "Applying advanced schedule options" on page 95 for more information.
8 In the Every field in the Schedule Task Daily area, enter a frequency in days. For example, if you enter 2 in this field, AutoUpdate runs every two days. If you want to run AutoUpdate on specific days of the week, set up a Weekly schedule instead.
9 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate weekly

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select Weekly from the Schedule Task list.
3 In the Start Time field, enter the time of day when you want AutoUpdate to start.
4 Select a time zone option:

   Option: UTC Time (Coordinated Universal Time)
   What it does: Runs AutoUpdate simultaneously in all time zones.

   Option: Local Time
   What it does: Runs AutoUpdate independently in each local time zone.

5 If necessary, select Enable randomization. This runs AutoUpdate at a random point within a time interval that you set. Enter a maximum time interval in hours and minutes, between one minute and twenty-four hours.

6 If necessary, select Run missed task. This ensures that if AutoUpdate does not run at the scheduled time, it automatically runs the next time you start your computer. Enter a value in minutes in the Delay missed task by field. This defines how long you delay running AutoUpdate if it does not run at its scheduled time.
7 If necessary, click Advanced to set up a more detailed AutoUpdate schedule. See "Applying advanced schedule options" on page 95 for more information.
8 In the Schedule Task Weekly area, set up an AutoUpdate frequency and day:

   Option: Every...
   What it does: Enter a frequency, in weeks. For example, if you enter 2 in this field, AutoUpdate runs every two weeks.

   Option: on...
   What it does: Select the day(s) on which AutoUpdate runs.

9 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate monthly

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select Monthly from the Schedule Task list.
3 In the Start Time field, enter the time of day when you want AutoUpdate to start.
4 Select a time zone option:

   Option: UTC Time (Coordinated Universal Time)
   What it does: Runs AutoUpdate simultaneously in all time zones.

   Option: Local Time
   What it does: Runs AutoUpdate independently in each local time zone.

5 If necessary, select Enable randomization. This runs AutoUpdate at a random point within a time interval that you set. Enter a maximum time interval in hours and minutes, between one minute and twenty-four hours.

6 If necessary, select Run missed task. This ensures that if AutoUpdate does not run at the scheduled time, it automatically runs the next time you start your computer. Enter a value in minutes in the Delay missed task by field. This defines how long you want to delay running AutoUpdate if it does not run at its scheduled time.
7 If necessary, click Advanced to set up a more detailed AutoUpdate schedule. See "Applying advanced schedule options" on page 95 for more information.
8 In the Schedule Task Monthly area, select one of the monthly options:

   Option: Day of the month
   What it does: Select this option to run AutoUpdate on a specific calendar date (for example, the 14th or the 31st).

   Option: Delay task by
   What it does: Select this option to run AutoUpdate on a relative day of the month (for example, the second Monday or the last Friday). Use the two lists to configure this option.

9 Click Select Months and set up the months in which you want to run AutoUpdate.
10 Click OK to return to the Schedule tab.
11 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate once

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select Once from the Schedule Task list.
3 In the Start Time field, enter the time of day when you want AutoUpdate to start.
4 Select a time zone option:

   Option: UTC Time (Coordinated Universal Time)
   What it does: Runs AutoUpdate simultaneously in all time zones.

   Option: Local Time
   What it does: Runs AutoUpdate independently in each local time zone.

5 If necessary, select Enable randomization. This runs AutoUpdate at a random point within a time interval that you set. Enter a maximum time interval in hours and minutes, between one minute and twenty-four hours.
6 If necessary, select Run missed task. This ensures that if AutoUpdate does not run at the scheduled time, it automatically runs the next time you start your computer. Enter a value in minutes in the Delay missed task by field. This defines how long you delay running AutoUpdate if it does not run at its scheduled time.
7 If necessary, click Advanced to set up a more detailed AutoUpdate schedule. See "Applying advanced schedule options" on page 95 for more information.
8 In the Schedule Task Once area, use the Run on list to select the date on which you want to run AutoUpdate.
9 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate when your computer starts

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select At System Startup from the Schedule Task list.
3 In the Schedule Task at System Startup area, set up the startup options:

   Option: Only run this task once per day
   What it does: Select this option to run AutoUpdate only once per day. If you do not select this option, the task runs every time you restart your computer.

   Option: Delay task by
   What it does: Enter a time interval in minutes. When you restart your computer, AutoUpdate waits for this time period to elapse before starting its update. This allows time for startup scripts to run.

4 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate when you log on

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select At Logon from the Schedule Task list.
3 In the Schedule Task at Logon area, set up the logon options:

   Option: Only run this task once per day
   What it does: Select this option to run AutoUpdate only once per day. If you do not select this option, the task runs every time you log on.

   Option: Delay task by
   What it does: Enter a time interval in minutes. When you log on to your computer, AutoUpdate waits for this time period to elapse before starting its update. This allows time for logon scripts to run.

4 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate when your computer is idle

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select When Idle from the Schedule Task list.
3 In the Schedule Task When Idle area, enter the number of minutes that you want the computer to be idle before AutoUpdate starts.
4 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate immediately

1 In the Schedule Settings dialog box, click Schedule to display that tab.
2 In the Schedule area, select Run Immediately from the Schedule Task list.
3 If necessary, select Enable randomization. This runs AutoUpdate at a random point within a time interval that you set. Enter a maximum time interval in hours and minutes, between one minute and twenty-four hours.
4 Click OK to save your settings and close the Schedule Settings dialog box.

Running AutoUpdate over a dial-up connection

1. In the Schedule Settings dialog box, click Schedule to display that tab.
2. In the Schedule area, select Run On Dialup from the Schedule Task list.
3. If necessary, select Enable randomization. This runs AutoUpdate at a random point within a time interval that you set. Enter a maximum time interval in hours and minutes, between one minute and twenty-four hours.
4. In the Schedule Task Run On Dialup area, select or deselect the Only run this task once a day checkbox. This specifies whether you want to run this task only once per day for dial-up users, or more often.
5. Click OK to save your settings and close the Schedule Settings dialog box.

Applying advanced schedule options

1. To open the Advanced Schedule Options dialog box:
   a. In the Schedule Settings dialog box, click Schedule to switch to that tab.
   b. In the Schedule area, click Advanced. This button is only available if you selected Daily, Weekly, Monthly, or Once from the Schedule Task list.
2. If necessary, set up a Start Date and an End Date. Click each list to select a date from the calendar.
3. If necessary, select Repeat Task and use the options below this checkbox to define how often AutoUpdate runs.

   Option and what it does:
   - Every: Enter a frequency, then define whether you want this number to be in minutes or in hours.
   - Until: Define when you want AutoUpdate to stop repeating. Enter a time of day, or a duration in hours and minutes.

   For example, if you set Every to 1 hours, and you set Until to a duration of 24 hours, then AutoUpdate runs hourly for a full day.

4. Click OK to return to the Schedule Settings dialog box.


5 Setting Up Application Monitoring

This section introduces the Desktop Firewall application monitoring feature, and describes how it controls the applications that you use. The following topics are included:

- About the application monitoring feature.
- Setting up the application monitoring feature.
- Responding to Application Learn Mode Alerts.
- Working with application rules.

About the application monitoring feature

The Desktop Firewall software includes an application monitoring feature. This feature lets you control the applications that you use. You can specify whether applications can run (known as application creation), and whether they can bind themselves to other programs (known as application hooking):

- Use application creation monitoring when you want to prevent specific or unknown programs from running. For example, some Trojan horse attacks can run malicious applications on your computer without your knowledge. If you enable application creation monitoring, you can prevent attacks like this from succeeding by allowing only specific, legitimate applications to run. You can also enable Application Creation Learn Mode, in which Desktop Firewall prompts you for an action whenever it detects unknown applications trying to run.
- Use application hook monitoring when you want to prevent unknown applications from binding themselves to other programs. Some legitimate applications need to hook other programs, but hooking can also indicate an attack. For example, a malicious application might try to send copies of itself to other people by hooking your application. If the application successfully binds itself to your program, it gains access to that application's abilities. You can prevent attacks like this from succeeding by turning on application hook monitoring. You can configure this feature to let only specific applications bind themselves to other programs. You can also enable Application Hooking Learn Mode, in which Desktop Firewall prompts you for an action whenever it detects unknown applications trying to hook other programs.

You configure both types of application monitoring by setting up application rules on the Application Policy tab. Each application rule associates a set of actions with a specific application. See Working with application rules on page 100 for more information.

Application Learn Mode alerts

When you enable either Application Creation Learn Mode or Application Hooking Learn Mode, Desktop Firewall continually monitors application activities on your computer. It allows or blocks these applications based on the rules you set up on the Application Policy tab. If Desktop Firewall detects an application that it does not recognize, though, it displays an Application Creation Alert or Application Hooking Alert. These alert dialog boxes prompt you for an action: allow the unknown application, or block it. For more information, see Responding to Application Learn Mode Alerts on page 100.

Setting up the application monitoring feature

Use the Application Policy tab to configure the application monitoring feature. Using this tab, you can:

- Enable or disable application monitoring.
- Enable or disable Application Learn Mode.

Enabling and disabling the application monitoring feature

Desktop Firewall supports two kinds of application monitoring. You can monitor for applications that are trying to run (application creation), or you can monitor for applications that are trying to bind themselves to other programs (application hooking).

To enable and disable application creation monitoring

1. In Desktop Firewall, click the Application Policy tab to make it active.
2. Do one of the following:
   - To enable creation monitoring, select the Enable Application Creation Monitor checkbox.
   - To disable creation monitoring, deselect the Enable Application Creation Monitor checkbox.

To enable and disable application hook monitoring

1. In Desktop Firewall, click the Application Policy tab to make it active.
2. Do one of the following:
   - To enable hook monitoring, select the Enable Application Hooking Monitor checkbox.
   - To disable hook monitoring, deselect the Enable Application Hooking Monitor checkbox.

Enabling and disabling Application Learn Mode

Desktop Firewall supports two kinds of Application Learn Mode:

- Application Creation Learn Mode alerts you when unknown applications try to run.
- Application Hooking Learn Mode alerts you when unknown applications try to bind themselves to other programs.

To enable and disable Application Creation Learn Mode

1. In Desktop Firewall, click the Application Policy tab to make it active.
2. Do one of the following:
   - To enable Learn Mode alerts, select the Enable Application Creation Learn Mode checkbox.
   - To disable Learn Mode alerts, deselect the checkbox.

To enable and disable Application Hooking Learn Mode

1. In Desktop Firewall, click the Application Policy tab to make it active.
2. Do one of the following:
   - To enable Learn Mode alerts, select the Enable Application Hooking Learn Mode checkbox.
   - To disable Learn Mode alerts, deselect the checkbox.

Responding to Application Learn Mode Alerts

If you enabled Learn Mode for either creation monitoring or hook monitoring, Desktop Firewall displays an Application Creation Alert or Application Hook Alert whenever it detects an unknown application. Use this dialog box to select an action:

- Click Allow to let the application complete its action:
  - For an Application Creation Alert, clicking Allow lets the application run.
  - For an Application Hook Alert, clicking Allow lets the application bind itself to another program.
- Click Deny to block the application:
  - For an Application Creation Alert, clicking Deny prevents the application from running.
  - For an Application Hook Alert, clicking Deny blocks the application from binding itself to another program.

When you click Allow or Deny, Desktop Firewall creates a new application rule based on your choice. It adds this rule to the application rule list on the Application Policy tab. The software allows or blocks this application automatically in future.

Working with application rules

Rules determine how the application monitoring feature treats different applications. You create and manage rules using the application rules list on the Application Policy tab. The application rules list and the Application Policy tab let you:

- Create new application rules, using the Add button.
- Edit and disable existing application rules, using the Properties button.
- Delete application rules, using the Remove button.

Creating a new application rule

1. In Desktop Firewall, click the Application Policy tab.
2. Click Add. The Application Rule dialog box appears.
3. Using the Application list, select the application that you want to apply this rule to. If the application does not appear in this list, click Browse and navigate to the application's executable file.
4. Select Application rule is Active.
5. Do one of the following:
   - If you want to let this application run, select Application is allowed to be Created.
   - If you want to prevent this application from running, deselect this checkbox.
6. Do one of the following:
   - If you want to let this application bind itself to other programs, select Application is allowed to Hook other applications.
   - If you want to prevent this application from binding to other programs, deselect this checkbox.
7. Click OK to add your new rule to the application rule list.

Editing an application rule

1. In Desktop Firewall, click the Application Policy tab.
2. In the application rule list, select the rule that you want to edit.
3. Click Properties. The Application Rule dialog box appears.

4. Change any of this rule's settings.

   Setting and what it does:
   - Application: Determines which application this rule applies to. Select an application from the list, or click Browse to navigate to the application's executable file.
   - Application rule is Active: Enables or disables this rule.
   - Application is allowed to be Created: Determines whether Desktop Firewall lets this application run, or stops it from running.
   - Application is allowed to Hook other applications: Determines whether Desktop Firewall lets this application bind to other programs, or stops it from binding.

5. Click OK to save your changes and return to the Application Policy tab.

Deleting an application rule

1. In Desktop Firewall, click the Application Policy tab.
2. In the application rule list, select the rule that you want to delete.
3. Click Remove. Desktop Firewall asks you to confirm that you want to delete the rule.
4. Click Yes. Desktop Firewall removes this rule from the application rule list.

Disabling an application rule

1. In Desktop Firewall, click the Application Policy tab.
2. In the application rule list, select the rule that you want to disable.
3. Click Properties. The Application Rule dialog box appears.
4. Deselect the Application rule is Active checkbox.
5. Click OK to save your changes. Desktop Firewall stops enforcing this rule, but does not remove it from the application rule list.

6 Setting Up Logging

This section introduces the Desktop Firewall logging feature, and describes how it records information about the software's activities. The following topics are included:

- About logging.
- Setting up the logging feature.

About logging

The Desktop Firewall logging feature lets you track the software's past actions. Recorded actions are called events. The logging feature tracks two types of events:

- Allowed events. These track actions that permit something to happen. For example, when the application monitoring feature lets a program start, this is an allowed event.
- Blocked events. These track actions that prevent something from happening. For example, when the IDS feature does not let traffic from a specific IP address through the firewall, this is a blocked event.

You can enable and disable logging for the firewall feature, but not for the IDS or application monitoring features. Desktop Firewall always logs information relating to these features (but you can hide these events by applying filters). For the firewall feature, you can choose to log only allowed events, only blocked events, both, or neither.

Use the Desktop Firewall Activity Log tab to configure logging. This tab also displays the event log. Each line represents a single event. Each column provides specific information about that event. See The Activity Log tab on page 53 for column descriptions.

You can sort the events in the log to make finding specific events easier. You can also filter the events that Desktop Firewall displays, so that you view only the events that relate to a specific software feature (firewall, application monitoring, or IDS).

If your log becomes too big, you can save the event data to a tab-delimited text file (for use with other applications). Once you save the data, you can clear the log.

IDS events in the Activity Log

When the Desktop Firewall IDS detects a possible attack on your system, it attempts to capture information from the incoming traffic. If the software succeeds, it makes the captured packet data available to you in the Activity Log. You can save this data to a McAfee Sniffer .CAP file for further analysis.

Finding and exporting IDS event data

1. Deselect all of your Filter Options except for Intrusions. Desktop Firewall filters out any firewall and application monitoring events, and displays only IDS events in the Activity Log.
2. Check the Intrusion Data column for each IDS event. If an icon appears in this column, it indicates that Desktop Firewall captured packet data for this event.
3. To save the data, right-click the log entry, then select Save Event Data.
4. Select the folder where you want to store the file, and assign the file a name.
5. Click Save. Desktop Firewall exports the captured data to a McAfee Sniffer file that you can review using any compatible software.

System events in the Activity Log

Desktop Firewall occasionally logs system events as well as feature-related events. System events track problems with the software, such as a service failing to start. System events always appear in the Activity Log; you cannot filter out system events or disable system event logging. The Event column remains blank for system events (this column normally shows event types like Application or Intrusion).

Setting up the logging feature

You can configure the Desktop Firewall logging feature to track and display only the information you are interested in. You can:

- Enable or disable logging for firewall events.
- Apply filters to limit the events that Desktop Firewall displays.
- Sort events.
- Save the event log.
- Clear the event log.

Enabling and disabling firewall logging

1. In Desktop Firewall, click Activity Log to display that tab.
2. Do one of the following:
   - To log information about allowed firewall events, select the Log All Allowed checkbox.
   - To disable logging of allowed firewall events, deselect the checkbox.
3. Do one of the following:
   - To log information about blocked firewall events, select the Log All Blocked checkbox.
   - To disable logging of blocked firewall events, deselect the checkbox.

Filtering log events

1. In Desktop Firewall, click Activity Log to display that tab.
2. In the Filter Options area, select checkboxes to show specific event types, or deselect checkboxes to hide specific event types.

   Checkbox and what it does:
   - Traffic: Shows or hides firewall events
   - Applications: Shows or hides application monitoring events
   - Intrusions: Shows or hides IDS events

NOTE: You cannot filter out system events; Desktop Firewall always displays these events.

Sorting log events

1. In Desktop Firewall, click Activity Log to display that tab.
2. Click on a column name to re-order the log based on the column contents.

   Column and what it does:
   - Time: Sorts events according to when they occurred.
   - Event: Sorts events according to their types. For example, all Application events appear in a block.
   - Address: Sorts events according to the remote IP addresses associated with them. (This is the address that firewall traffic was sent to, or received from.)
   - Intrusion Data: Sorts events to isolate any IDS events that have captured intrusion data associated with them.
   - Application: Sorts events according to which application caused them.
   - Message: Sorts events according to the message associated with them (alphabetically, or reverse alphabetically).

NOTE: Disable the firewall logging feature while you sort the event log. Otherwise Desktop Firewall continues to add firewall log events at the bottom of the list, without sorting them according to the column you selected.

Saving the log

1. In Desktop Firewall, click Activity Log to display that tab.
2. Click Save.
3. Navigate to the folder where you want to save the log data.
4. In the File name field, type a name for the log file.
5. Click Save.
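The following Python example is an addition to this guide, not McAfee code: it reads a saved tab-delimited Activity Log, applies the Filter Options logic (system events always stay visible), and ranks remote addresses by event count. It assumes the saved file has a header row with the column names listed above, that the Event column holds Traffic, Application or Intrusion, and that a non-empty Intrusion Data cell marks captured packet data; the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Column names as listed for the Activity Log tab. The header row and this
# exact layout in the saved file are assumptions made for the example.
COLUMNS = ["Time", "Event", "Address", "Intrusion Data", "Application", "Message"]

# Filter Options checkbox -> value assumed to appear in the Event column.
FILTERS = {"Traffic": "Traffic", "Applications": "Application", "Intrusions": "Intrusion"}

# Constructed sample export (tab-delimited); not real product output.
SAMPLE_EXPORT = "\n".join([
    "\t".join(COLUMNS),
    "2003-06-02 09:14:07\tTraffic\t192.0.2.10\t\tiexplore.exe\tBlocked incoming TCP",
    "2003-06-02 09:15:40\tIntrusion\t203.0.113.5\tYes\t\tPort scan",
    "2003-06-02 09:16:02\tApplication\t\t\tnotepad.exe\tAllowed application creation",
    "2003-06-02 09:20:00\t\t\t\t\tService failed to start",  # system event: blank Event
    "2003-06-02 09:22:11\tIntrusion\t203.0.113.5\t\t\tPort scan",
    "2003-06-02 09:25:30\tIntrusion\t198.51.100.7\tYes\t\tMalformed packet",
    "2003-06-02 09:31:00\tTraffic\t192.0.2.10",  # truncated row, padded on load
])


def load_events(text):
    """Parse a tab-delimited export into a list of dicts keyed by column name."""
    reader = csv.reader(io.StringIO(text, newline=""), delimiter="\t",
                        quoting=csv.QUOTE_NONE)
    rows = [row for row in reader if any(cell.strip() for cell in row)]
    # Drop the header row if the file starts with one.
    if rows and [cell.strip() for cell in rows[0]] == COLUMNS:
        rows = rows[1:]
    events = []
    for row in rows:
        # Pad short rows and ignore extra cells so every event has all columns.
        row = (row + [""] * len(COLUMNS))[:len(COLUMNS)]
        events.append({name: cell.strip() for name, cell in zip(COLUMNS, row)})
    return events


def filter_events(events, shown):
    """Keep the event types whose checkbox names are in `shown`.

    System events (blank Event column) are always kept, matching the guide's
    note that they cannot be filtered out.
    """
    wanted = {FILTERS[name] for name in shown}
    return [e for e in events if e["Event"] == "" or e["Event"] in wanted]


def addresses_by_count(events):
    """Rank remote addresses by number of events, most frequent first."""
    counts = Counter(e["Address"] for e in events if e["Address"])
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def captured_intrusions(events):
    """Return IDS events that have captured packet data to save and review."""
    return [e for e in events if e["Event"] == "Intrusion" and e["Intrusion Data"]]


if __name__ == "__main__":
    log = load_events(SAMPLE_EXPORT)
    ids_view = filter_events(log, {"Intrusions"})
    for address, count in addresses_by_count(ids_view):
        print(f"{address}\t{count} IDS event(s)")
    for event in captured_intrusions(log):
        print(f"captured data: {event['Time']} {event['Address']} {event['Message']}")
```
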

Clearing the log

1. In Desktop Firewall, click Activity Log to display that tab.
2. Click Clear. Desktop Firewall asks you to confirm that you want to delete all log entries.
3. Click Yes. Desktop Firewall clears the Activity Log.


SECTION 2 Using Desktop Firewall with ePolicy Orchestrator

- Getting Started with Desktop Firewall and ePO
- Setting Up the Software for Deployment
- Setting Up the Firewall Using ePO
- Setting Up the Intrusion Detection System Using ePO
- Setting Up Application Monitoring Using ePO
- Creating Reports Using ePO


7 Getting Started with Desktop Firewall and ePO

This section introduces Desktop Firewall 8.0 and how you can manage it using McAfee ePolicy Orchestrator. The following topics are included:

- About ePolicy Orchestrator.
- How Desktop Firewall works with ePolicy Orchestrator.
- A quick tour of the ePolicy Orchestrator interface.
- Accessing Desktop Firewall through ePolicy Orchestrator.

About ePolicy Orchestrator

McAfee ePolicy Orchestrator (ePO) is a centralized software management application that lets you:

- Manage security solutions for your entire network, from a single console.
- Store a range of ePO-compatible applications in the ePolicy Orchestrator software Repository (including Desktop Firewall).
- Deploy these applications to ePO-managed computers.
- Send out regular product and policy updates.
- Create graphical reports.

The ePolicy Orchestrator system

An ePolicy Orchestrator system includes the following components:

- The ePolicy Orchestrator server, which stores all the applications that you deploy using ePO, as well as all the data collected by ePO agents.
- The ePolicy Orchestrator console, which is the user interface that you use to manage and deploy agents and products.
- The ePolicy Orchestrator agent, which is an application that you deploy to the computers you manage using ePO. Agents collect information for ePolicy Orchestrator, and run tasks that you set up using the ePO console.

How Desktop Firewall works with ePolicy Orchestrator

Desktop Firewall integrates into ePolicy Orchestrator like other ePO-compatible applications (including VirusScan and ThreatScan). To integrate Desktop Firewall and ePolicy Orchestrator, you:

1. Prepare ePolicy Orchestrator to manage Desktop Firewall, by running the Desktop Firewall Updater application on your ePO server and console.
2. Add the Desktop Firewall software to the ePolicy Orchestrator Repository.

For more information, see your Desktop Firewall Installation Guide.

Once you integrate Desktop Firewall into ePolicy Orchestrator, you can use the ePO console to configure and manage it. The console also lets you create tasks. Tasks are instructions that ePolicy Orchestrator sends to ePO agents. You use ePolicy Orchestrator's Deployment task to deploy Desktop Firewall. You can configure this task to occur on a specific day and time by setting up a task schedule.

At the scheduled time, ePolicy Orchestrator distributes your tasks to the ePO agents on your target computers. It also sends any necessary software files. The ePO agents carry out the instructions in your tasks. For example, when you create a product deployment task for Desktop Firewall, the ePO agents install the client software on your target computers.

The ePolicy Orchestrator agents communicate with your ePO server at regular intervals. Each time they check in, they get any policy changes for the products you deployed to their computers. This means that if you make configuration changes to Desktop Firewall, the ePolicy Orchestrator agents automatically update any affected computers at their next update interval. You do not have to set up special tasks for Desktop Firewall policy updates.

See your ePolicy Orchestrator Product Guide for more information on ePolicy Orchestrator agents, tasks, and updates.

A quick tour of the ePolicy Orchestrator interface

The ePolicy Orchestrator interface includes two main sections:

1. The console tree, which lets you select ePolicy Orchestrator objects to work with (for example, individual computers, or the entire ePO software Repository).
2. The details pane, which provides an area for working with the object you selected.

[Figure: The ePolicy Orchestrator console]

The console tree

The console tree appears at the left side of the ePolicy Orchestrator console. It consists of a hierarchical view of everything that ePolicy Orchestrator manages. Once you log in to your ePO server, an icon representing this server appears in the console tree along with icons representing its Directory and Repository.

The Directory contains a hierarchy of sites, groups, and individual computers. These represent the users that you manage with ePolicy Orchestrator. To work with users, expand the Directory and navigate through the resulting list of groups and sites.

The Repository contains a list of all the applications you deploy and manage using ePolicy Orchestrator.

The details pane

The details pane appears at the right side of the ePolicy Orchestrator console. Sometimes this pane contains a single page, while at other times it splits into two parts (the upper details pane and the lower details pane). In every case, the details pane offers you a range of actions associated with your console tree selection. For example, if you select Repository from the console tree, the details pane lists actions for updating the software in the Repository.

Accessing Desktop Firewall through ePolicy Orchestrator

You use the ePolicy Orchestrator console to access and configure Desktop Firewall. Most of the time you work with Desktop Firewall using three main ePO views:

- The Policies view, which lets you configure Desktop Firewall for a specific computer or group.
- The Properties view, which lets you gather Desktop Firewall version information for a specific computer.
- The Tasks view, which lets you schedule Desktop Firewall for deployment.

The Policies view

The ePolicy Orchestrator Policies tab lists all of the applications that you can deploy to a selected computer or group. The tab also lets you configure these applications before deploying them.

To get to the Policies tab:

1. Use the ePolicy Orchestrator console tree to select a computer or group. Selecting a computer or group brings up the Policies, Properties, and Tasks tabs in the ePO details pane.
2. Select the Policies tab. ePolicy Orchestrator splits the details pane into two parts, the upper details pane and the lower details pane:
   - The upper area lists all of the applications that you can deploy to this computer or group.
   - The lower details area shows information about the application you select in the upper details pane.

Desktop Firewall should show up in this list as McAfee Desktop Firewall 8.0. If it does not appear in the list, verify that you installed the product correctly. See the Desktop Firewall Installation Guide for details.

To configure Desktop Firewall for deployment, you must open the Administrative Options page in the lower details pane.

To open the Administrative Options page:

1. Use the ePolicy Orchestrator console tree to select a computer or group.
2. In the details pane, select the Policies tab.
3. In the upper details pane, double-click McAfee Desktop Firewall 8.0. Administrative Options appears below McAfee Desktop Firewall 8.0 in the list.
4. Select Administrative Options. ePolicy Orchestrator displays the Administrative Options page in the lower details pane.

[Figure: The Administrative Options page in ePO]

The Administrative Options page uses an interface similar to the stand-alone Desktop Firewall interface. It contains a series of tabs that you use to configure Desktop Firewall for deployment. These tabs include:

- The Firewall Configuration tab, for setting up the firewall feature.
- The Application Configuration tab, for setting up the application monitoring feature.
- The Intrusion Configuration tab, for setting up the intrusion detection system.
- The Administrative Configuration tab, for setting up the ePO-specific features in Desktop Firewall.

Before you configure Desktop Firewall for a specific ePolicy Orchestrator group or computer, you must deselect the Inherit checkbox at the top of the Administrative Options page. Otherwise ePO automatically assigns this computer or group the same Desktop Firewall configuration as the site or group to which it belongs. This is known as policy inheritance. See About policy inheritance on page 126 for more information.

When you finish making configuration changes, always click the Apply button at the top of the Administrative Options page to save your changes.

The Firewall Configuration tab

The Firewall Configuration tab lets you configure the firewall feature. This feature lets you place filters on your users' incoming and outgoing network communication. Using this tab, you can:

- Turn the firewall feature on or off using the Enable Firewall checkbox.
- Enable or disable Learn Mode using the Learn Mode checkboxes.
- Select a predefined set of firewall rules from the Policy Template list.
- Identify IP addresses and subnets that users can safely communicate with, by adding them to the Trusted Networks list (click the Trusted button).
- Use the Administrative Rules list to review the firewall rules that ePO deploys.
- Use the Client Rules list to review any rules that the selected user added.
- Overwrite user rules, using the Merge these rules with users' rules checkbox.
- Create new firewall rules and groups using the Add button.
- Edit or view selected firewall rules using the Properties button.
- Delete firewall rules using the Remove button.

[Figure: The Firewall Configuration tab in ePO]

The rule list and other interface options on this tab duplicate the Firewall Policy tab in the stand-alone version of Desktop Firewall. Unlike the stand-alone version, the ePolicy Orchestrator firewall feature includes a few additional features:

- The rule list contains two sections. The upper part of the rule list contains administrative rules (rules that you set up and deploy using ePolicy Orchestrator). The lower part of the rule list contains user rules (rules that the selected user has added, either manually or using Learn Mode). If you want to add a user's rules to your deployable rules, you can drag them from the Client Rules list to the Administrative Rules list.
- You can overwrite user rules. The Client Rules list shows rules created by users. Desktop Firewall overwrites these rules each time you make a configuration change in ePolicy Orchestrator. If you do not want to overwrite users' rules, select the Merge these rules with users' rules checkbox. If, however, you want a new set of rules to completely replace the existing Desktop Firewall policies, then deselect this checkbox.
- You can review known rules. When you click Add, the ePolicy Orchestrator version of Desktop Firewall offers you an additional option: Predefined Rules. Selecting this option opens the Select Predefined Rules dialog box, which displays a list of all the rules that Desktop Firewall ships with. You can add any of these rules to your administrative rule list by selecting them and clicking OK.

The Application Configuration tab

The Application Configuration tab lets you configure the Desktop Firewall application monitoring feature. This feature lets you control the applications that your users run. Using application monitoring, you can specify whether a program can run (known as application creation), and whether it can bind itself to other programs (known as application hooking). You can also:

- Turn application monitoring on or off using the top two Enable checkboxes.
- Enable or disable Learn Mode using the Learn Mode checkboxes.
- Use the Administrative Rules list to review the application rules that ePO deploys.
- Use the Client Rules list to review any rules that the selected user added.
- Overwrite user rules, using the Merge these rules with users' rules checkbox.
- Create new application rules using the Add button.
- Edit or view selected application rules using the Properties button.
- Delete application rules using the Remove button.

[Figure: The Application Configuration tab in ePO]

The rule list and other interface options on this tab duplicate the Application Policy tab in the stand-alone version of Desktop Firewall.

Unlike the stand-alone version, the ePolicy Orchestrator interface includes two additional application features:

- The rule list contains two sections. The upper part of the rule list contains administrative rules (rules that you set up and deploy using ePolicy Orchestrator). The lower part of the rule list contains user rules (rules that the selected user has added, either manually or using Learn Mode). If you want to add a user's rules to your deployable rules, you can drag them from the Client Rules list to the Administrative Rules list.
- You can overwrite user rules. The Client Rules list shows rules created by users. Desktop Firewall overwrites these rules each time you make a configuration change in ePolicy Orchestrator. If you do not want to overwrite users' rules, select the Merge these rules with users' rules checkbox. If, however, you want a new set of rules to completely replace the existing Desktop Firewall policies, then deselect this checkbox.

The Intrusion Configuration tab

The Intrusion Configuration tab lets you configure settings for the intrusion detection system (IDS). When you enable this feature, Desktop Firewall constantly scans for attacks on the computer it protects. You can use this tab to define whether a deployed Desktop Firewall:

- Blocks suspected attacks, or lets the network traffic through.
- Adds the IP addresses of potential attackers to its blocked addresses list.
- Sends alert messages when it detects a potential attack on its system.
- Displays an alert message when its computer is being attacked.
- Plays an alert sound or flashes its system tray icon to indicate a potential attack.
- Deletes the entries in its blocked addresses list each time it receives updated policies from ePolicy Orchestrator.
- Uses some or all of its available IDS signatures.

120 Getting Started with Desktop Firewall and ePO

Figure: The Intrusion Configuration tab in ePO

The Intrusion Configuration tab controls the same Intrusion Detection settings as the McAfee Desktop Firewall Options dialog box in the stand-alone version of the software.

Note that if you allow Desktop Firewall users to change their program settings, then the selections you make on this tab are merely defaults that they can alter. If, however, you lock the Desktop Firewall interface (using the Administrative Configuration tab), then these settings become fixed until you or another ePO administrator changes them. See Locking and unlocking parts of the Desktop Firewall interface on page 130 for more information.

The Administrative Configuration tab

The Administrative Configuration tab lets you control how Desktop Firewall appears to users, and also lets you configure its ePO-specific features. Using this tab, you can:

- Hide Desktop Firewall from users.
- Prevent users from accessing specific Desktop Firewall features.
- Enable and disable Audit Learn Mode for the firewall and application monitoring features.
- Configure Quarantine Mode.
- Import firewall, application monitoring, and IDS settings from an existing policy file.
- Configure Desktop Firewall to send event data to ePolicy Orchestrator, so that you can use the information to create reports.

121 Accessing Desktop Firewall through ePolicy Orchestrator

Figure: The Administrative Configuration tab in ePO

The tab contains two sections. The Administrative Configuration Options section lets you set up ePO-specific features:

| Option | What it does |
| --- | --- |
| Enable Error Reporting | Makes Desktop Firewall track and report information about internal software problems. |
| Enable ePO Reporting | Tells Desktop Firewall whether or not to send its event data to ePolicy Orchestrator. Event data is similar to the Activity Log data in the stand-alone version. ePolicy Orchestrator uses event data to create reports. If you deselect this option, the deployed product will not send ePolicy Orchestrator its event information, and you will not be able to generate Desktop Firewall reports for this computer or group. |
| Enable Rulelist Exporting | Enables or disables the Export Policy option on the deployed Desktop Firewall Task menu. |
| Hide Tray Icon from Users | Shows or hides the Desktop Firewall system tray icon. |


CyberCop Sting. Getting Started Guide Version 1.0 CyberCop Sting Getting Started Guide Version 1.0 COPYRIGHT Copyright 1999 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

SIMATIC. Process Control System PCS 7 V7.0 SP1 Security Information Note: Setting up antivirus software. Preface. Using virus scanners 2

SIMATIC. Process Control System PCS 7 V7.0 SP1 Security Information Note: Setting up antivirus software. Preface. Using virus scanners 2 SIMATIC Process Control System PCS 7 V7.0 SP1 SIMATIC Process Control System PCS 7 V7.0 SP1 Security Information Note: Setting up antivirus software Security Information Note Preface 1 Using virus scanners

More information

Avaya Communications Process Manager Release 2.2 Web Portal Help for Non-administrative Users

Avaya Communications Process Manager Release 2.2 Web Portal Help for Non-administrative Users Avaya Communications Process Manager Release 2.2 Web Portal Help for Non-administrative Users Document No. 04-601161 August 2008 Issue 12 2008 Avaya Inc. All Rights Reserved. Notice While reasonable efforts

More information

Installation and Configuration Guide for Visual Voic Release 8.5

Installation and Configuration Guide for Visual Voic Release 8.5 Installation and Configuration Guide for Visual Voicemail Release 8.5 Revised October 08, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release

More information

Archiving Service. Exchange server setup (2010) Secure Gateway (SEG) Service Administrative Guides

Archiving Service. Exchange server setup (2010) Secure  Gateway (SEG) Service Administrative Guides Secure E-Mail Gateway (SEG) Service Administrative Guides Archiving Service Exchange server setup (2010) 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks

More information

Sage 300 Construction and Real Estate. MyAssistant Installation Guide Version 18.1

Sage 300 Construction and Real Estate. MyAssistant Installation Guide Version 18.1 Sage 300 Construction and Real Estate MyAssistant Installation Guide Version 18.1 NOTICE This document and the Sage 300 Construction and Real Estate MyAssistant software may be used only in accordance

More information

Product Guide. McAfee Web Gateway Cloud Service

Product Guide. McAfee Web Gateway Cloud Service Product Guide McAfee Web Gateway Cloud Service COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee

More information