
Transcript of Increasing Host IPS Management Success … · Managing the Host IPS Environment . Kary Tankink...

Page 1: Increasing Host IPS Management Success … · Managing the Host IPS Environment . Kary Tankink Senior Enterprise Product Engineer Endpoint Security, McAfee Support . 15 Tech Increasing

2013 © McAfee Inc. External Use

Increasing Host IPS Management Success

Tech|60 Webinar Series


Webinar Viewing

• Click the arrow on the Grab Tab to open or close the control panel

• Audio options — listen via your PC computer OR via the telephone

• Ask questions via the “Questions” pane

Increasing Host IPS Management Success 2 Tech|60 Webinar Series March 4/6, 2013


Today’s Tech|60 Presenters

Brad Gable Senior Tier III Product Engineer Endpoint Security

Kary Tankink Senior Enterprise Product Engineer Endpoint Security


HIPS Troubleshooting and Tuning Brad Gable Senior Tier III Product Engineer Endpoint Security, McAfee Support


McAfee Host IPS – Current Versions

Host IPS 8.0

• Version 8.0.0.2151 for Windows (Patch 2)

• Version 8.0.0.2482 for Windows (P2 + Hotfix 803520 rollup)

• Version 8.0.0.1741 for Solaris

• Version 8.0.0.1919 for Linux

• ePO Extension 8.0.0.600

HIPS Patch release cycle: Feb, Jun, Oct (see KB51560)

Case for Keeping Up to Date

Latest codebase is best

• Software landscape is constantly maturing and changing

• New fixes are put into next releases

Management effort made easy

• Difficulty maintaining multiple versions

• Difficulty maintaining upgrade paths for older versions

• Many fixes cannot be back-ported to earlier versions


Host IPS — The Basics

• Host IPS signature content provides protection from known system vulnerabilities and unknown zero-day threats

• Zero-day threats: Occur between disclosure of the vulnerability and patch deployment to all endpoints — you have “zero days” to bridge the security gap

• Host IPS contains generic buffer overflow protection and other generic signature mechanisms to protect systems during this zero-day gap period

McAfee recommends applying security updates ASAP to reduce frequent or repeated IPS signature detections


Best Practices — What to Avoid

• Remember that endpoint systems will not use the same policies

• Don’t perform too little testing or validation on the standard enterprise image

• Don’t “set and forget”

• Don’t make multiple changes at once

• Don’t leave Adaptive Mode on indefinitely

For more information, refer to PD20796 — “Adopting HIPS Best Practices for Quick Success”


Assessing Host IPS Security Events

• Identify the signature number that is being triggered and the description information from the IPS Rules policy in ePolicy Orchestrator (ePO)

• Review the referenced CVE description links, if any are included in the description information for that signature

• Identify whether any Microsoft TechNet Security Bulletins are linked to the applicable vulnerability, and whether any updates have been released

• Verify whether systems reporting the IPS event have any applicable MS Security Updates applied

– If YES, the IPS Signature may be disabled on systems with the MS Security Updates applied

– If NO, McAfee recommends that you apply the applicable MS Security Updates to the affected systems ASAP
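The assessment steps above as a small triage script, added here as an example (it is not McAfee code): each event is mapped from signature number to the linked CVE and Microsoft update, then checked against what the reporting host has installed. All signature numbers, CVE ids, KB numbers and host names are constructed placeholders.

```python
"""Triage helper for Host IPS signature events: an added example illustrating the
assessment steps above, not McAfee code. Signature numbers, CVE ids, KB numbers
and host names are constructed placeholders."""
from dataclasses import dataclass, field

# Constructed: what an admin reads from the IPS Rules policy description in ePO
# for each signature, plus the Microsoft update(s) linked from the CVE/bulletin.
SIGNATURE_REFERENCES = {
    1001: {"cves": ["CVE-0000-0001"], "ms_updates": {"KB0000001"}},  # update released
    1002: {"cves": ["CVE-0000-0002"], "ms_updates": set()},          # no vendor update yet
    1003: {"cves": [], "ms_updates": set()},                          # generic signature (e.g. buffer overflow)
}

# Constructed: updates reported as installed per host (e.g. from an inventory query).
SAMPLE_INVENTORY = {"ws01": {"KB0000001"}, "ws02": set(), "srv01": set()}


@dataclass
class HipsEvent:
    host: str
    signature_id: int


@dataclass
class Decision:
    host: str
    signature_id: int
    action: str  # identify-signature | keep-signature | apply-updates | may-disable-signature
    missing_updates: set = field(default_factory=set)


SAMPLE_EVENTS = [HipsEvent("ws01", 1001), HipsEvent("ws02", 1001),
                 HipsEvent("srv01", 1002), HipsEvent("ws01", 9999)]


def assess_event(event, inventory):
    """Apply the slide's decision tree to one event.

    YES (all linked MS updates installed) -> the signature may be disabled on that host.
    NO  (an update is missing)            -> apply the missing updates ASAP.
    No update exists / generic signature  -> keep the signature; it covers the zero-day gap.
    """
    refs = SIGNATURE_REFERENCES.get(event.signature_id)
    if refs is None:
        # Step 1 not done yet: look the number up in the IPS Rules policy first.
        return Decision(event.host, event.signature_id, "identify-signature")
    if not refs["ms_updates"]:
        return Decision(event.host, event.signature_id, "keep-signature")
    # A signature can reference several CVEs/updates; only treat the host as
    # patched when every linked update is present.
    missing = refs["ms_updates"] - inventory.get(event.host, set())
    if missing:
        return Decision(event.host, event.signature_id, "apply-updates", missing)
    return Decision(event.host, event.signature_id, "may-disable-signature")


def triage(events, inventory):
    return [assess_event(e, inventory) for e in events]


def updates_to_deploy(decisions):
    """Group the NO outcomes into a deployment worklist: update -> hosts needing it."""
    worklist = {}
    for d in decisions:
        for kb in d.missing_updates:
            worklist.setdefault(kb, set()).add(d.host)
    return worklist


if __name__ == "__main__":
    for d in triage(SAMPLE_EVENTS, SAMPLE_INVENTORY):
        print(f"{d.host:6} sig {d.signature_id}: {d.action} {sorted(d.missing_updates) or ''}")
    print("deploy:", updates_to_deploy(triage(SAMPLE_EVENTS, SAMPLE_INVENTORY)))
```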


IPS Signature Descriptions


CVE Descriptions


MS Security Bulletin


Third-Party Program Interoperability Tuning

• Troubleshooting a network-facing application or traffic that is blocked by the Host Intrusion Prevention Firewall (KB67055)

• Third-party application stops working or is impaired after HIPS is installed or content is updated (KB67056)

• HIPS 7.0 / 8.0 agent logging and troubleshooting on Microsoft Windows (KB51517) (Debug Logging)

NOTE: If you have to escalate an unresolvable issue, it’s important that you also engage the third-party vendor for analysis along with McAfee. Many interoperability issues require resolution by the third-party vendor. McAfee is committed to working closely with third-party vendors to resolve these issues.


Tips for Successful Firewall Tuning

• Host IPS 8.0 includes simplified default firewall policy rule templates on which to base your policy

• The firewall is considered stateful

• Location Aware groups further define rule sets for remote users off the normal LAN

• Trusted Networks — making networks trusted eliminates or reduces the need for network IPS exceptions and additional firewall rules (for Windows clients only)

• Trusted Applications — designating applications as trusted eliminates or reduces the need for IPS exceptions and additional firewall rules


Firewall Adaptive Mode

• Only use Adaptive Mode temporarily on a small number of systems to aid in firewall rules tuning

• Review client adaptive rules daily — or at a minimum, on a weekly basis

• Review firewall client rules and apply to a tuning firewall rules policy on the end system

• Tuning should be an iterative process

NOTE: Some network traffic related to applications might not be recognized by the Adaptive Mode, and you might have to configure firewall rules manually. Consult with your application vendor for information on application-specific firewall configurations to ensure functionality.


Managing the Host IPS Environment Kary Tankink Senior Enterprise Product Engineer Endpoint Security, McAfee Support


HIPS in the Enterprise

Deployment Recommendations

• Identify non-critical users/systems with different roles/functions (remote users, workstation users, file servers, web servers, etc.) to initially deploy the product and start tuning policies

• Ensure that deployment tasks are set up at the proper ePO server organization levels to avoid unintended product deployments

• For detailed recommendations, refer to HIPS Best Practice Guide - KB70877

Documenting Configuration Changes

• Document policy changes using new timestamps, naming conventions, role names, etc.

• Duplicate or export copies of policies before changing

• Avoid making major changes to a policy that could greatly affect product functionality without first testing these changes in a separate test environment

Enforcing Policy Changes on Clients

• Ensure that policy and assignment changes are made at the correct organizational level (e.g., editing policies at the single-system level does not limit changes to that system unless policy inheritance is broken and a different policy is assigned to the single system)

• Host IPS 8.0 reports Policy Names in ePO server client node properties and the local client registry to verify policy enforcement changes


HIPS 8.0 Policy Names Reported in ePO Client Node Properties


HIPS 8.0 Policy Names Reported in the Registry


Common HIPS Issues

Network IPS exceptions (KB77236)

• Exceptions for Network IPS Signatures can now be created using IPS Exceptions in Host IPS 8.0

• Entering IP addresses into the Trusted Networks policy and enabling Trust for IPS is an alternative method from previous HIPS versions


Executable File Description (KB71735)

• Description is not a COMMENT field.

• Incorrect Descriptions cause IPS exceptions and Firewall rules to fail since the defined application does not properly match the running application


Executable File Description


Multi-slot Policies (PD22894, Pg. 38)

• McAfee Default should always be assigned to the IPS Rules and Trusted Applications policies. This ensures that monthly Host IPS Content changes are applied properly

• Multiple policies can be utilized in the environment, depending on ePO System Tree hierarchy; no specific order is required when assigning multiple policies

– Policy 1: McAfee Default

– Policy 2: All Servers

– Policy 3: Web Servers only


Multi-slot Policies – Assigned Policies


Multi-slot Policies – Viewing Assignments


Common Firewall Issues

Loopback Network Adapter Traffic (KB71230)

• Loopback traffic is used by many different applications and in HIPS 8.0, a Firewall Rule is required to allow this Loopback adapter traffic to/from the system.

• Many customers did not have a firewall rule for Loopback address traffic because it was not needed in HIPS 7.0 policies, so migrated HIPS 7.0 policies will need to have this rule added.


Loopback Network Adapter Traffic Rule


Allow Traffic for Unsupported Protocols (KB66899)

• Allows traffic for protocols unknown to Host IPS. Useful in determining if HIPS is blocking some unknown protocol traffic that is needed for applications in your environment.

• Firewall rules can be created for specific Ethertype protocols (which are typically listed in the HIPS Activity log as 0x#### event entries).


Allow Traffic for Unsupported Protocols


TrustedSource (GTI) Functionality (KB74925)

• Ratings are performed against IP Address, not domains.

• Will only block traffic to domains if the IP address (that resolves to that domain) matches the configured TrustedSource threshold (Unverified, Medium, or High Risk).


TrustedSource GTI

Domain name is rated High Risk, but not the IP address that it resolves to.


Disadvantage of using BLOCK ALL rule in the Firewall Rule policy

• If a BLOCK ALL rule is configured in your Firewall Rule policy, Learn/Adaptive Mode functionality will cease to function (BLOCK ALL rule is processed before the “Adaptive/Learn Mode” rule).

• HIPS Client already includes a BLOCK ALL TRAFFIC rule. Network traffic that is not allowed by other firewall rules will automatically get blocked.
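The two rule-ordering problems on these slides (a migrated 7.0 policy with no loopback rule, and a policy-level BLOCK ALL that sits in front of the Adaptive/Learn Mode rule) as a simplified first-match simulation, added here as an example that is not McAfee code; rule matching is reduced to local/remote address ranges, and the rules and addresses are constructed.

```python
"""Simplified model of Host IPS 8.0 firewall rule ordering, added as an example for
the BLOCK ALL and loopback points above; this is not McAfee code and matches only on
local/remote address ranges (constructed rules and addresses)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str                 # "allow", "block", or "learn" (the Adaptive/Learn Mode rule)
    remote: str = "0.0.0.0/0"   # remote address range the rule applies to (default: any)
    local: str = "0.0.0.0/0"    # local address range (default: any)

    def matches(self, remote_ip, local_ip):
        return (ip_address(remote_ip) in ip_network(self.remote)
                and ip_address(local_ip) in ip_network(self.local))


# Rules the client appends after the policy rules (as the slide describes):
# the Adaptive/Learn Mode rule when Adaptive Mode is on, then its own BLOCK ALL.
LEARN_RULE = Rule("Adaptive/Learn Mode", "learn")
CLIENT_BLOCK_ALL = Rule("Block All Traffic (built into HIPS client)", "block")

# Constructed policy migrated from HIPS 7.0: it allows the LAN but has no loopback rule.
MIGRATED_POLICY = [Rule("Allow corporate LAN", "allow", remote="10.0.0.0/8")]
LOOPBACK_RULE = Rule("Allow loopback", "allow", remote="127.0.0.0/8", local="127.0.0.0/8")
EXPLICIT_BLOCK_ALL = Rule("BLOCK ALL (added to policy)", "block")


def evaluate(policy_rules, remote_ip, local_ip, adaptive_mode):
    """First matching rule wins; returns (action, name of the rule that matched)."""
    chain = list(policy_rules)
    if adaptive_mode:
        chain.append(LEARN_RULE)
    chain.append(CLIENT_BLOCK_ALL)
    for rule in chain:
        if rule.matches(remote_ip, local_ip):
            return rule.action, rule.name
    raise AssertionError("unreachable: the client BLOCK ALL matches everything")


def run_cases():
    """The two failure modes from the slides, side by side with their fixes."""
    return {
        # KB71230: without an explicit rule, loopback hits the client's BLOCK ALL.
        "loopback, migrated policy": evaluate(MIGRATED_POLICY, "127.0.0.1", "127.0.0.1", False),
        "loopback, rule added": evaluate(MIGRATED_POLICY + [LOOPBACK_RULE], "127.0.0.1", "127.0.0.1", False),
        # Unknown traffic reaches the learn rule only if no policy rule blocks it first.
        "unknown, adaptive": evaluate(MIGRATED_POLICY, "198.51.100.7", "10.1.2.3", True),
        "unknown, adaptive + BLOCK ALL in policy":
            evaluate(MIGRATED_POLICY + [EXPLICIT_BLOCK_ALL], "198.51.100.7", "10.1.2.3", True),
    }


if __name__ == "__main__":
    for case, (action, rule) in run_cases().items():
        print(f"{case:42} -> {action:5} by '{rule}'")
```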


Disadvantage of Using BLOCK ALL Rule


Working with McAfee Support

What You Can Do BEFORE You Call

Review KB54960 — “How to isolate a suspect component in Host IPS”

1. Disable HIPS components (IPS, Firewall, and HIPS 7.0 Application Blocking) to isolate which module may be causing the issue

2. Stop HIPS service

3. HIPS NDIS Driver testing

a. HIPS 8.0 - Enable FWPassthru - KB75917

b. HIPS 7.0 - Remove NDIS drivers - KB51676

What You Should Have WHEN You Call

1. Detailed description of the issue

2. Host IPS build installed - KB70725

3. Results of component isolation

4. HIPS full debugging enabled - KB72869


Questions…


Thank You for Attending!

More questions? Go to community.mcafee.com, click on “Business” then “Host Intrusion Prevention” under the Endpoint Security section
