Increasing Host IPS Management Success McAfee Inc. External Use

Transcription

1 Increasing Host IPS Management Success Tech 60 W ebinar Series

2 Webinar Viewing Click the arrow on the Grab Tab to open or close the control panel Audio options listen via your PC computer OR via the telephone Ask questions via the Questions pane 2 Increasing Host IPS Management Success

3 Today s Tech 60 Presenters Brad Gable Senior Tier III Product Engineer Endpoint Security Kary Tankink Senior Enterprise Product Engineer Endpoint Security 3 Increasing Host IPS Management Success

4 HIPS Troubleshooting and Tuning Brad Gable Senior Tier III Product Engineer Endpoint Security, McAfee Support 4 Increasing Host IPS Management Success

5 McAfee Host IPS Current Versions Host IPS 8.0 Version for Windows (Patch 2) Version for Windows (P2 + Hotfix rollup) Version for Solaris Version for Linux epo Extension HIPS Patch release cycle: Feb, Jun, Oct (see KB51560) Case for Keeping Up to Date Latest codebase is best Software landscape is constantly maturing and changing New fixes are put into next releases Management effort made easy Difficulty maintaining multiple versions Difficulty maintaining upgrade paths for older versions Many fixes cannot be backported to earlier versions 5 Increasing Host IPS Management Success

6 Host IPS The Basics Host IPS signature content provides protection from known system vulnerabilities and unknown zero-day threats Zero-day threats: Occur between disclosure of the vulnerability and patch deployment to all endpoints you have zero days to bridge the security gap Host IPS contains generic buffer overflow protection and other generic signature mechanisms to protect systems during this zero-day gap period McAfee recommends applying security updates ASAP to reduce frequent or repeated IPS signature detections 6 Increasing Host IPS Management Success

7 Best Practices What to Avoid Remember that endpoint systems will not use the same policies Don t perform too little testing or validation on standard enterprise image Don t set and forget Don t make multiple changes at once Don t leave Adaptive Mode on indefinitely For more information, refer to PD20796 Adopting HIPS Best Practices for Quick Success 7 Increasing Host IPS Management Success

8 Assessing Host IPS Security Events Identify the signature number that is being triggered and the description information from the IPS Rules policy in epolicy Orchestrator (epo) Review the references CVE description links if any are included in the description information for that signature Identify whether any Microsoft Technet Security Bulletins are linked to the applicable vulnerability, and if any updates have been released Verify whether systems reporting the IPS event have any applicable MS Security Updates applied If YES, the IPS Signature may be disabled on systems with the MS Security Updates applied If NO, McAfee recommends that you apply the applicable MS Security Updates to the affected systems ASAP 8 Increasing Host IPS Management Success

9 IPS Signature Descriptions 9 Increasing Host IPS Management Success

10 CVE Descriptions 10 Increasing Host IPS Management Success

11 MS Security Bulletin 11 Increasing Host IPS Management Success

12 Third-Party Program Interoperability Tuning Troubleshooting a network facing application or traffic is blocked by Host Intrusion Prevention Firewall (KB67055) Third-party application stops working or is impaired after HIPS is installed or content is updated (KB67056) HIPS 7.0 / 8.0 agent logging and troubleshooting on Microsoft Windows (KB51517) (Debug Logging) NOTE: If you have to escalate an unresolvable issue, it s important that you also engage the third-party vendor for analysis along with McAfee. Many interoperability issues require resolution by the thirdparty vendor. McAfee is committed to working closely with third-party vendors to resolve these issues. 12 Increasing Host IPS Management Success

13 Tips for Successful Firewall Tuning Host IPS 8.0 includes simplified default firewall policy rule templates on which to base your policy The firewall is considered stateful The use of Location Aware groups further define rule sets for remote users off the normal LAN Trusted Networks making networks trusted eliminates or reduces the need for network IPS exceptions and additional firewall rules (for Windows clients only) Trusted Applications designating applications as trusted eliminates or reduces the need for IPS exceptions and additional firewall rules 13 Increasing Host IPS Management Success

14 Firewall Adaptive Mode Only use Adaptive Mode temporarily on a small number of systems to aid in firewall rules tuning Review client adaptive rules daily or at a minimum, on a weekly basis Review firewall client rules and apply to a tuning firewall rules policy on the end system Tuning should be an iterative process NOTE: Some network traffic related to applications might not be recognized by the Adaptive Mode, and you might have to configure firewall rules manually. Consult with your application vendor for information on application-specific firewall configurations to ensure functionality. 14 Increasing Host IPS Management Success

15 Managing the Host IPS Environment Kary Tankink Senior Enterprise Product Engineer Endpoint Security, McAfee Support 15 Increasing Host IPS Management Success

16 HIPS in the Enterprise Deployment Recommendations Identify non-critical users/systems with different roles/functions (remote users, workstation users, file servers, web servers, etc.) to initially deploy the product and start tuning policies Ensure that deployment tasks are setup at the proper epo server organization levels to avoid unintended product deployments For detailed recommendations, refer to HIPS Best Practice Guide - KB70877 Documenting Configuration Changes Document policy changes using new timestamps, naming conventions, role names, etc. Duplicate or export copies of policies before changing Avoid making major changes to a policy, that could greatly affect product functionality, without first testing these changes in a separate test environment Enforcing Policy Changes on Clients Ensure that policy and assignment changes are made at the correct organizational level (e.g., editing policies at the single-system level does not limit changes to that system unless policy inheritance is broken and a different policy is assigned to the single system) Host IPS 8.0 reports Policy Names in epo server client node properties and the local client registry to verify policy enforcement changes 16 Increasing Host IPS Management Success

17 HIPS 8.0 Policy Names Reported in epo Client Node Properties 17 Increasing Host IPS Management Success

18 HIPS 8.0 Policy Names Reported in the Registry 18 Increasing Host IPS Management Success

19 Common HIPS Issues Network IPS exceptions (KB77236) Exceptions for Network IPS Signatures can now be created using IPS Exceptions in Host IPS 8.0 Entering IP addresses into the Trusted Networks policy and enabling Trust for IPS is an alternative method from previous HIPS versions 19 Increasing Host IPS Management Success

20 Common HIPS Issues Network IPS exceptions (KB77236) Exceptions for Network IPS Signatures can now be created using IPS Exceptions in Host IPS 8.0 Entering IP addresses into the Trusted Networks policy and enabling Trust for IPS is an alternative method from previous HIPS versions Executable File Description (KB71735) Description is not a COMMENT field. Incorrect Descriptions cause IPS exceptions and Firewall rules to fail since the defined application does not properly match the running application 20 Increasing Host IPS Management Success

21 Executable File Description 21 Increasing Host IPS Management Success

22 Common HIPS Issues Network IPS exceptions (KB77236) Exceptions for Network IPS Signatures can now be created using IPS Exceptions in Host IPS 8.0 Entering IP addresses into the Trusted Networks policy and enabling Trust for IPS is an alternative method from previous HIPS versions Executable File Description (KB71735) Description is not a COMMENT field. Incorrect Descriptions cause IPS exceptions and Firewall rules to fail since the defined application does not properly match the running application Multi-slot Policies (PD22894, Pg. 38) McAfee Default should always be assigned to the IPS Rules and Trusted Applications policies. This ensures that monthly Host IPS Content changes are applied properly Multiple policies can be utilized in the environment, depending on epo System Tree hierarchy; no specific order is required when assigning multiple policies Policy 1: McAfee Default Policy 2: All Servers Policy 3: Web Servers only 22 Increasing Host IPS Management Success

23 Multi-slot Policies Assigned Policies 23 Increasing Host IPS Management Success

24 Multi-slot Policies Viewing Assignments 24 Increasing Host IPS Management Success

25 Common Firewall Issues Loopback Network Adapter Traffic (KB71230) Loopback traffic is used by many different applications and in HIPS 8.0, a Firewall Rule is required to allow this Loopback adapter traffic to/from the system. Many customers did not have a firewall rule for Loopback address traffic because it was not needed in HIPS 7.0 policies, so migrated HIPS 7.0 policies will need to have this rule added. 25 Increasing Host IPS Management Success

26 Loopback Network Adapter Traffic Rule 26 Increasing Host IPS Management Success

27 Common Firewall Issues Loopback Network Adapter Traffic (KB71230) Loopback traffic is used by many different applications and in HIPS 8.0, a Firewall Rule is required to allow this Loopback adapter traffic to/from the system. Many customers did not have a firewall rule for Loopback address traffic because it was not needed in HIPS 7.0 policies, so migrated HIPS 7.0 policies will need to have this rule added. Allow Traffic for Unsupported Protocols (KB66899) Allows traffic for protocols unknown to Host IPS. Useful in determining if HIPS is blocking some unknown protocol traffic that is needed for applications in your environment. Firewall rules can be created for specific Ethertype protocols (which are typically listed in HIPS Activity log as 0x#### event entries). 27 Increasing Host IPS Management Success

28 Allow Traffic for Unsupported Protocols 28 Increasing Host IPS Management Success

29 Common Firewall Issues Loopback Network Adapter Traffic (KB71230) Loopback traffic is used by many different applications and in HIPS 8.0, a Firewall Rule is required to allow this Loopback adapter traffic to/from the system. Many customers did not have a firewall rule for Loopback address traffic because it was not needed in HIPS 7.0 policies, so migrated HIPS 7.0 policies will need to have this rule added. Allow Traffic for Unsupported Protocols (KB66899) Allows traffic for protocols unknown to Host IPS. Useful in determining if HIPS is blocking some unknown protocol traffic that is needed for applications in your environment. Firewall rules can be created for specific Ethertype protocols (which are typically listed in HIPS Activity log as 0x#### event entries). TrustedSource (GTI) Functionality (KB74925) Ratings are performed against IP Address, not domains. Will only block traffic to domains if the IP address (that resolves to that domain) matches the configured TrustedSource threshold (Unverified, Medium, or High Risk). 29 Increasing Host IPS Management Success

30 TrustedSource GTI Domain name is rated High Risk, but not the IP address that it resolves to. 30 Increasing Host IPS Management Success

31 Common Firewall Issues Loopback Network Adapter Traffic (KB71230) Loopback traffic is used by many different applications and in HIPS 8.0, a Firewall Rule is required to allow this Loopback adapter traffic to/from the system. Many customers did not have a firewall rule for Loopback address traffic because it was not needed in HIPS 7.0 policies, so migrated HIPS 7.0 policies will need to have this rule added. Allow Traffic for Unsupported Protocols (KB66899) Allows traffic for protocols unknown to Host IPS. Useful in determining if HIPS is blocking some unknown protocol traffic that is needed for applications in your environment. Firewall rules can be created for specific Ethertype protocols (which are typically listed in HIPS Activity log as 0x#### event entries). TrustedSource (GTI) Functionality (KB74925) Ratings are performed against IP Address, not domains. Will only block traffic to domains if the IP address (that resolves to that domain) matches the configured TrustedSource threshold (Unverified, Medium, or High Risk). Disadvantage of using BLOCK ALL rule in the Firewall Rule policy If a BLOCK ALL rule is configured in your Firewall Rule policy, Learn/Adaptive Mode functionality will cease to function (BLOCK ALL rule is processed before the Adaptive/Learn Mode rule). HIPS Client already includes a BLOCK ALL TRAFFIC rule. Network traffic that is not allowed by other firewall rules will automatically get blocked. 31 Increasing Host IPS Management Success

32 Disadvantage of Using BLOCK ALL Rule 32 Increasing Host IPS Management Success

33 Working with McAfee Support What You Can Do BEFORE You Call Review KB54960 How to isolate a suspect component in Host IPS 1. Disable HIPS components (IPS, Firewall, and HIPS 7.0 Application Blocking) to isolate which module may be causing the issue 2. Stop HIPS service 3. HIPS NDIS Driver testing a. HIPS Enable FWPassthru - KB75917 b. HIPS Remove NDIS drivers - KB51676 What You Should Have WHEN You Call 1. Detailed description of the issue 2. Host IPS build installed - KB Results of component isolation 4. HIPS full debugging enabled - KB Increasing Host IPS Management Success

34 Questions 34 Increasing Host IPS Management Success

35 McAfee Host IPS Current Versions Host IPS 8.0 Version for Windows (Patch 2) Version for Windows (P2 + Hotfix rollup) Version for Solaris Version for Linux epo Extension HIPS Patch release cycle: Feb, Jun, Oct (see KB51560) Case for Keeping Current Latest codebase is best Software landscape is constantly maturing and changing New fixes are put into next releases Management effort made easy Difficulty maintaining multiple versions Difficulty maintaining upgrade paths for older versions Many fixes cannot be backported to earlier versions 35 Increasing Host IPS Management Success

36 More questions? Go to community.mcafee.com click on Business then Host Intrusion Prevention under the Endpoint Security section Thank You for Attending!

37