McAfee Desktop Firewall 8.0 Walkthrough Guide


Transcript of McAfee Desktop Firewall 8.0 Walkthrough Guide

Page 1: McAfee Desktop Firewall 8.0 Walkthrough Guide

McAfee Desktop Firewall 8.0

Walkthrough Guide

Page 2: McAfee Desktop Firewall 8.0 Walkthrough Guide

Table of Contents:

Introduction – Page 1
Updating ePO for Desktop Firewall – Page 2
Firewall Configuration Tab Overview – Page 4
Application Configuration Tab Overview – Page 5
IDS Configuration Tab Overview – Page 6
Administrative Configuration Tab Overview – Page 8
Building Firewall Rules and the options – Page 9
Building a Sample Lovsan rule – Page 10
Testing the Rules – Page 11
Audit Based Learn Mode – Page 12
Updating Software (i.e. Service Packs, etc.) – Page 13
Trusted Networks – Page 14
Quarantine Mode Explained – Page 15
What the user can expect to see with Quarantine Mode – Page 17
IDS Signature Updates – Page 18
McAfee Installation Designer 7.1 – Page 19
Deploying through ePO or 3rd Party Software – Page 20
Exporting and Importing policies – Page 21
Proof of Concept – Page 23
Sample ePO reports – Page 24
The Hostile Internet and the Mobile Workforce – Page 27
Comments – Page 29

Page 3: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 1)

Desktop Firewall 8.0 Walkthrough Guide

Where is the industry at today and what is all of the hype around endpoint firewalls?

In the last 5 years the industry has seen a significant increase in the technical aptitude of malicious code writers. The techniques that are used consist of a fundamental understanding of networking, operating systems, scripting and of course social engineering. The finely tuned threats contain exploits to the underlying operating systems or applications that most of us rely on for business continuity, and the writers of the threats know and depend on this. The threats that we know of have begun to spread at speeds that have left most analysts wondering how, where and why did it get into our network, and what can we do to prevent this from happening again? The challenge is that the threats are released as quickly as 2 days after the vendor has posted a patch or fix to the problem. Most organizations have not had a chance to apply this fix throughout the Enterprise, let alone go through a QA cycle to ensure that it does not cause any problems with their existing applications. So what can be done to minimize the possibility of these ever evolving threats impacting your network? Defense in Depth….

What is McAfee Desktop Firewall? Well, it is a required layer of security that IT staff and organizations have come to realize is part of their Defense in Depth approach. For obvious reasons, the industry has dictated that the road warrior workforce needs this layer of defense, as without it they are left to the hunting hounds on the Internet. This poses a significant threat to the corporation and the measures that have been taken to secure it from the Internet. Inside the corporate environment, McAfee Desktop Firewall gives you the ability to control every endpoint and what applications those endpoints can use to access the network and its resources. This then limits the possibility that a new threat would be able to use your systems as either hosts for attacks (Zombies) or propagation points. A layered security architecture approach is becoming quite common these days and is quickly at the forefront of every organizational security strategy.

If we look at where we have come in the last 10 years, it will give you an idea of why Desktop Firewall has become a requirement. Ten years ago or less, organizations began moving away from all of their hosts having routable IPs, and moving toward a gateway firewall that would NAT or hide their internal systems from the Internet. Today, we have over 95% of organizations with gateway firewalls, we have VPNs to extend our network to the mobile workforce, we have ACLs on routers for additional restrictions, we have VLANs, we have IDS and are moving towards the Entercept/IntruVert model of IPS, and AntiVirus is now understood as a must have on all systems. McAfee Desktop Firewall is another extension of this methodology.

NOTE: Desktop Firewall is another extension of the security strategy that attempts to move organizations from a reactive position to a preventative position.

Page 4: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 2)

Updating ePO for McAfee Desktop Firewall 8.0:

Like all other products that ePO is able to manage and report on, McAfee Desktop Firewall must be added to ePO: its package checked into the repositories for deployment, its NAP files checked in for management, and an ePO update run for reporting.

NOTE: The same ePO update that must be run on the ePO Server itself must be run on any remote consoles as well.

In the following screenshots we will go through this procedure.

Step 1. Depending on how you received your McAfee Desktop Firewall product, you may have to extract a zip file, or if it was a CD you may have an installer window that autoruns. Either way, you need to run McAfeeFireEPOUpdate80.exe on the ePO Server. This will require a reboot of the Server, so please plan this accordingly.

Step 2. Log into the ePO Server. In the left hand pane, left click on Repository. This will open up a new window in the right hand pane that outlines the AutoUpdate components or options of ePO. This screenshot is provided for reference.

Page 5: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 3)

Step 3. Click on ‘Check in package’. This will walk you through adding a new product for ePO to deploy. You will be required to locate the pkgcatalog.z file that you extracted with the Desktop Firewall zip file. From there, ePO will update itself by gathering the required files for Desktop Firewall deployment.

NOTE: You may wish to schedule a replication task for the evening that you add Desktop Firewall into the ePO repository. This way, any systems that you wish to deploy the firewall to will be obtaining the firewall package from a local repository or distribution point.

Step 4. Click on ‘Check in NAP’. Now you will choose ‘Add new software to be managed’ and it will ask you to browse to the location of the appropriate NAP file for ePO to be able to manage Desktop Firewall. This will be the same location that you extracted the initial zip file to. A sample screenshot is shown.

When you have completed these four steps, the firewall is ready for ePO deployment, management and reporting.

NOTE: As with all ePO managed products, McAfee Desktop Firewall can have a unique configuration for every machine in the corporation, or every machine could have the same policy. The flexibility and control is native to ePO. Generally speaking, IT staff systems are the test bed that assists in building a policy template for maximum control and/or flexibility as required.

Page 6: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 4)

McAfee Desktop Firewall Configuration Tabs:

There are 4 main tabs that allow for unique policy configuration from within the ePO Console and we will have a look at each of those now individually.

Firewall Configuration Tab outlined:

Trusted Networks

Policy Templates

Administrative Rules

Client Rules

Options include:

1) Enable Firewall – whether the firewall is enabled or not and whether Learn Mode is enabled for inbound and outbound. NOTE: If Audit Learn Mode is not enabled then popup rule permission requests will take place on the client machine. Audit Learn Mode is strongly recommended for transparent policy template building.

2) Sample Policy Templates – A starting point for building a policy; outlined further in the product documentation.

3) Trusted Networks – The ability to create two Firewall rule sets within one policy; explained further in this guide.

4) Administrative Rules – Rules that cannot be tampered with by the user.

5) Client Rules – When Audit Learn Mode is enabled the users do not experience any popup questions asking to permit or deny the traffic. Instead you are provided with a view of the traffic that they accessed on the network within the ePO Console and can block or permit it as you see fit by dragging and dropping the rules into the administrative rules section and modifying accordingly.

6) Merge rules – Select this option if you do not want ePO to overwrite the user's rules each time policy is enforced.

7) Add – The starting point for adding new rules or creating new groups to add rules within.

Page 7: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 5)

Application Configuration Tab outlined:

Administrative Rules for Application monitoring

Client Rules (applications) that were run locally.

NOTE: These rules can be moved into the administrative rules section to prevent user tampering. This can be accomplished by simply clicking on one and dragging and dropping it up into the administrative rules section. To select multiple rules, hold down the shift key and left click, or hold down the control key and left click on the individual rules. Then once again drag and drop them into the administrative rules section.

Application Hooking explained:

Suppose a user has a trusted application called ‘trusted.exe’ installed on their system, and the user adds a rule saying ‘trusted.exe’ can do whatever it wants as far as network access goes. If there were a rogue application, say ‘badapp.exe’, that wanted to access the network, but the user did not give any permission to this application (the default action is deny if learn mode is disabled), it would be denied. Rogue applications use Windows features such as CBT hooks and CreateRemoteThread to either hook existing Windows handles in other applications or create threads in other applications. I will explain this in more detail: ‘badapp.exe’ would attach to a Windows handle created by ‘trusted.exe’ or create a remote thread in ‘trusted.exe’. In either case the rogue application ‘badapp.exe’ succeeds in injecting code into the ‘trusted.exe’ process. When this injected code does network activity, the application firewall sees it as trusted.exe doing network activity and it is allowed. To stop this kind of behavior we detect when applications are trying to inject code into another address space.

Page 8: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 6)

Intrusion Detection Configuration Tab outlined:

There are several options available in the Intrusion Detection tab section. We will now have a look at these by referencing the screenshot from the ePO Console.

The first choice is to determine whether you wish to have intruders automatically blocked or not. Along with this choice, you can decide whether it is for good, or for a specified duration of time. Using the time interval will have Desktop Firewall block communication from the attacking machine to the host that was attacked until the time interval has concluded.

NOTE: Keep in mind when making this choice that IP addressing does change for systems that use DHCP, which for the most part is the case with providers of high speed Cable and DSL Internet. This will as well be a policy choice.

The next option is defining an email account that alerts can be forwarded to. This may be the ePO Administrator, a Security officer, or any person that would be responsible for being alerted to attacks that are taking place on hosts that you are responsible for. The email account and the SMTP Server settings are required at this time.

The display notification window option will determine whether or not you wish for there to be a popup on the attacked machine. Some organizations will choose to have this and others will not. You may wish to consider this if you don’t define the ‘Send alerts by email’ option. This way, if there is a popup alert window that an attack is being made on a machine, then someone in Help Desk or Security will most likely be alerted to the problem. As well, there is a play sound option; this has an obvious alerting sound and a user would definitely be able to recognize that there has been an attack on their machine.

Page 9: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 7)

Choosing the ‘Flash Tray Icon’ option will simply have the Firewall shield change from the shield appearance to a flashing exclamation mark to alert the user.

When selecting ‘Clear Intruder List on ePO Policy Update’, you are acknowledging that the ePO Server has already identified and received the events of the attacker, that any appropriate policy configuration changes have been made, and that the list is safe to be cleared until a further event would take place.

Signature Exclusions gives the ePO Administrator the ability to determine if there are some signatures that the organization does not recognize as valid attacks against their hosts and that can safely be removed from the list. A common question is ‘why do you have the limited number of signatures that you do?’ There are several reasons for this. IDS has, as we all know, taken a bit of convincing to understand where it fits into the security strategy, as for the most part it triggers an alert for an event that has happened already.

Secondly, the amount of overhead that is introduced to a host machine as a result of having to parse through thousands and thousands of signatures is significant. Now, multiply that by the thousands of hosts that you have deployed the Firewall/IDS solution to, and the alerts that result from the signatures, and you will quickly see that this can become an administrative nightmare. So what we have done is focused on the core attack tools that are used and provided the firewalling capabilities and enterprise management that make this all feasible.

McAfee leverages the application control component of the firewall to assist in limiting the number of signatures that would be required. This is accomplished in two parts with the firewall. The first part is the firewall configuration, which controls traffic in and out of the machines, and the second part is the application control, which controls what can be run locally on the machine.

NOTE: The Intrusion Detection capabilities of McAfee Desktop Firewall can be enabled/disabled as required depending on the corporate policy; the same goes for the Firewall itself. McAfee provides a list of signatures that are considered high risk to clients or hosts and this list of IDS signatures will be updated as required.

Page 10: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 8)

Administrative Configuration Tab outlined:

The users can be given as much or as little access to modify the firewall as outlined by the corporate security policy. This is all controlled in the Administrative Configuration tab for Desktop Firewall 8.0 in the ePO console. The options are broken down into 3 different sections to allow for maximum flexibility, and they are the Firewall Configuration, Application Configuration and Intrusion Configuration screens. These options are shown in the below image.

Select the appropriate options if you wish to give the client the ability to modify any of the firewall, application or IDS options. Each of these sections can be individually tailored to meet the corporate policy requirements.

Additional Options on this page are:

1) Enable ePO error reporting – allows the firewall to track internal software problems.
2) Enable ePO Reporting – tells the firewall whether or not to send events to the ePO Server.
3) Enable Rulelist Exporting – allows you to create a policy and export it from a machine and then import it into ePO for further deployment.
4) Hide Tray Icon from Users – Hides the Desktop Firewall systray icon.
5) Enable Firewall Audit Learn Mode – allows for transparent firewall rule set building.
6) Enable Application Audit Learn Mode – allows for transparent application rule set building.
7) Enable Application Hooking Audit Learn Mode – allows you to monitor applications that may attempt to bind themselves to other programs.

NOTE: The client will still not be able to modify the administrative rules at any point; however, be aware that you may not wish to give them the ability to disable the firewall.

Page 11: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 9)

Building Firewall Rules and the options:

NOTE: One important note when working with the firewall is to understand the rule ordering process: the first rule that matches is applied. The firewall does not continue to process the rest of the rules, as this would just incur additional overhead on the system.

Let’s have a quick look at the options and flexibility that the firewall allows for. Please refer to the side image when following along.

Description – A simple means to reference the rule or group and understand what it’s for.

Action – Either Block or Permit the traffic.

Protocol – The firewall has 122+ canned IP protocols as well as allowing for AppleTalk, NetBEUI, IPX and 802.1x traffic.

Direction – Either incoming, outgoing or either direction.

Application – You can browse to the executable application. Further granularity can be defined for the executable by choosing ‘customize’. This allows you to define whether you wish to perform a cryptographic fingerprint or use path information to control the application versioning.

Local Service – Depending on whether the traffic is defined as incoming or outgoing by the direction option, the local service is usually an ephemeral port above 1024 and is best left at ‘any’.

Remote Service – 4 options are available: Any, Single, List and Range. Single simply addresses the need for one single port; for example, accessing a Webserver will most likely be directed to port 80. List allows you to define that the application is going to be iexplorer.exe and the remote service will be a list that has defined http, https and ftp. This allows for a single rule to encompass multiple functions or requirements. Range allows you to define a range of ports that may be required to access a particular server. Any simply means that, as an example, iexplorer.exe could access any port outbound.

Address – Allows you to define the destination of this traffic. The options are Single, Subnet, Local Subnet (as defined by the network adapter’s subnet), Range, Domain Name, Fully Qualified Domain Name, Trusted and Any.

Page 12: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 10)

Building a Sample Lovsan protection rule (just an example):

First, log into the ePO console and expand the directory tree and either click on a site that has Desktop Firewall deployed to it or an individual node that you would like to create this sample rule for. Once you have done this, in the top right window (pane), expand McAfee Desktop Firewall 8.0 and click on the Administrative Options choice. In the bottom right window (pane) there will be 4 configuration tabs: Firewall Configuration, Application Configuration, Intrusion Configuration, and Administrative Configuration. Please select the Firewall Configuration tab, which is the default first option opened. This window is split into 2 sections, one for the Administrative rules and the second for the client rules. If you select ‘Merge these rules with users rules’, the next time that the ePO agent communicates with the ePO server, the client rules will become populated with the connections that the client made from their desktop if ‘Audit Learn Mode’ was enabled. Audit Learn Mode is discussed later in this document.

1. Click Add and choose ‘New Rule’.
2. Give the rule a name in the Description section; in our example we’ll use “Lovsan block rule”.
3. Action will be to block the packet.
4. Protocol will be left at TCP as this was a TCP based scan conducted by the Lovsan worm.
5. Direction, we will change this to reflect outbound as Lovsan sent outbound port 4444 queries.
6. Application, we will leave this blank as this could be any unknown threat that may attempt to use this port, so we won’t be creating a hash or checksum on the executable.
7. Local Service, this will remain at ‘ANY’ as the client operating system is going to choose an ephemeral port above 1024.
8. Remote Service, this we will set to 4444 as this was the port that Lovsan attempted its port scan on.
9. Address, we will leave this as ‘ANY’ as we wish to block this from attempting to spread to any machine.
10. Additional Options:

1. Treat Rule Match as Intrusion – this could be used if we wish to have reporting of this rule being matched sent back to the ePO Server. You could then use it to identify which machines may have been compromised and are attempting to spread the worm.

2. Restrict rule to currently defined time interval – this option allows you to define a time when this rule would be permitted for a windowed period. Options are Days of the week, deactivate the rule when the timeframe expires, switch the rule when the timeframe expires, and defining the start and end times.

3. Log matching traffic – this option can be selected if you wish to specifically have this traffic logged on the local machine for further review or analysis.

4. Active – determining if you wish to create the rule and activate it immediately or have the rule on hand and activated at a later date or time.

NOTE: The time based rules can be very effective for things such as permitting users to browse the Internet on their lunch hour when it is their personal time. Corporate policy will of course dictate such restrictions and should be outlined ahead of Desktop Firewall deployment.

As well, it is important to recognize that there are legitimate Windows services that use port 135; a couple of quick examples are WINS Server, DHCP Server and DNS Server, and the service examples are epmap and loc-srv. If you deployed the Firewall in audit learn mode, you may see that some of these executables were ‘hashed’ as a result.

Please pay attention to rule order. As mentioned earlier in this document, the Desktop Firewall will not continue to process through the rule set when a rule has already matched. Also, please be aware that this is an example; as a result I did not choose to show using port 135, because if improperly used it would block most of Windows networking.

Page 13: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 11)

Testing the Rules:

Testing the rule sets for Desktop Firewall is a simple process. From a client machine, attempt to access network or Internet resources; if for some reason any of these resources are not available, review your rule set to ensure that the proper rules are listed. If you are still not sure why the traffic is not accessible, modify the settings from the ePO console so that the firewall is back in ‘Audit Learn Mode’. Then attempt to make those same connections again. You will see the network traffic that was required and can now drag the rules required from the client listed rules into the administrative listed rules, which cannot be modified by the end user. This is a process that may need to be repeated several times depending on your methodology for creating the firewall rule set, but it will accomplish the desired end results.

Creating a rule example. Let’s say that I wish to have a rule that permits a site/machine to use Internet Explorer to access any website (http), any secure website (https) and ftp over their web browser. That rule would look like this…

NOTE: If for some reason you were not able to browse the Internet, as suggested above, change the Firewall to be in Audit Learn Mode and you will quickly learn what additional communications were required for this to be permitted.

Page 14: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 12)

Audit Based Learn Mode:

The key to a good firewall is understanding how to lock down the rule sets. New to version 8.0 is the ability to deploy the firewall in what is known as Audit Learn Mode. This feature allows the appropriate IT administrator to deploy the firewall to a user and begin to build a template. The user’s system will require a reboot upon completion of the Desktop Firewall install; this is required as the firewall needs to be able to hook into the TCP/IP stack and the network adapter. After rebooting, the user will log in to the network and conduct their standard daily routine as if the firewall was not installed on their machine. While they are doing so, the firewall and the ePO agent are reporting back to the ePO server what these connections are and, for the time being, permitting them. If you reference the Firewall Administrative Options in ePO, you will see that there are two sections (Firewall Configuration Tab and Application Configuration Tab) where we view what connections the user has launched that accessed the network and what applications have run locally on their machine.

Now that we have an idea of what connections the user has launched from their machine, we can start to lock down the policy. By simply dragging rules from the client rules pane of the ePO console up into the administrator rules section, we have begun to build our firewall template. The user does not have the ability to modify administrator rules; even if you give them the ability to create and delete rules, administrative rules always take precedence.

NOTE: Many clients have deployed Desktop Firewall to baseline what communication ports are required as new applications have been introduced into the Corporate networks.

Once a baseline policy has been established, the policies can be imported and exported to groups, sites, and individual machines through ePO. As well, McAfee Installation Designer 7.1 will allow you to build a single package that will have a pre-configured VirusScan 7.1 Enterprise and Desktop Firewall 8.0 install with the latest DATs, Engine and Firewall rule set. These options are discussed later in this document.

Page 15: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 13)

Updating software (i.e. SPs for MS, etc.):

A common question when using the firewall is ‘what if I update my version of Internet Explorer?’ The firewall can calculate checksums or hashes on executable files that access the network, which allows for version control. However, when updates are required, some modifications to the checksum may be required. As a result, the firewall rule can be changed from a ‘fingerprint’ to a defined path of where the new version of the application is installed. This will allow for a future checksum if required as well, as long as the install path is constant. Of course, whenever possible, using checksums is the more secure methodology. As well, most organizations will proceed with a QA period of testing the new application or service packs before deployment to production based machines. As a result, the Desktop Firewall should be enabled on these systems in Audit Learn Mode, once again providing a seamless foundation for a secure policy template that can be deployed throughout the organization.

Defining whether to use cryptographic fingerprint or path option:

The benefit of using fingerprints is that an organization now has the ability to truly control application versions. Now, 6 months down the road you can review the systems and expect that they will still remain the COE image that had been initially deployed, unless of course there was a requirement to patch the systems and re-fingerprint certain applications as a result. An additional benefit is knowing that a user cannot rename ‘badapp.exe’ to ‘trusted.exe’ and pose a security risk to the organization. The hash or fingerprint would not match up and the application would not be allowed to execute.
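The two identification modes compared above, fingerprint versus install path, as an added Python example (not McAfee’s implementation): it builds a sample ‘trusted.exe’ and ‘badapp.exe’ in a temporary directory, then walks the rename case and the legitimate-update case from this section. The hash algorithm (SHA-256), the rule shape and the file contents are assumptions.

```python
"""Fingerprint versus path identification of an application (added example).
Not McAfee's implementation: SHA-256, the rule shape and the sample files are
constructed to show the two cases the guide discusses."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional

def fingerprint(path: str) -> str:
    """Hash of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def same_path(a: str, b: str) -> bool:
    return os.path.normcase(os.path.abspath(a)) == os.path.normcase(os.path.abspath(b))

@dataclass(frozen=True)
class AppRule:
    """An application rule keyed on install path, optionally pinned to a fingerprint."""
    description: str
    path: str
    fingerprint: Optional[str] = None  # None: path mode, accept whatever sits at the path

    def matches(self, exe_path: str) -> bool:
        if not same_path(self.path, exe_path):
            return False
        return self.fingerprint is None or fingerprint(exe_path) == self.fingerprint

def write(path: str, content: bytes) -> None:
    with open(path, "wb") as f:
        f.write(content)

def scenario() -> Dict[str, bool]:
    """Walk both guide cases and report what each identification mode decides."""
    work = tempfile.mkdtemp()
    try:
        trusted = os.path.join(work, "trusted.exe")
        bad = os.path.join(work, "badapp.exe")
        write(trusted, b"MZ trusted.exe v1 (constructed sample)")
        write(bad, b"MZ badapp.exe (constructed sample)")
        by_hash = AppRule("trusted.exe, fingerprint", trusted, fingerprint(trusted))
        by_path = AppRule("trusted.exe, path only", trusted)
        r = {"v1_hash": by_hash.matches(trusted), "v1_path": by_path.matches(trusted)}
        # Case 1 (guide): the user renames badapp.exe to trusted.exe.
        os.replace(bad, trusted)
        r["renamed_hash"] = by_hash.matches(trusted)   # False: contents differ
        r["renamed_path"] = by_path.matches(trusted)   # True: path mode is fooled
        # Case 2 (guide): a legitimate update replaces the binary at the same path.
        write(trusted, b"MZ trusted.exe v2 (constructed sample)")
        r["updated_hash"] = by_hash.matches(trusted)   # False: must re-fingerprint
        r["updated_path"] = by_path.matches(trusted)   # True: install path is constant
        refreshed = AppRule(by_hash.description, trusted, fingerprint(trusted))
        r["refingerprinted_hash"] = refreshed.matches(trusted)  # True again
        return r
    finally:
        shutil.rmtree(work, ignore_errors=True)
```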

Page 16: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 14)

Trusted Networks explained:

Trusted Networks is often a confusing methodology. When thinking of trusted networks, think not only of what subnet you are currently a part of, but also of what other networks you communicate with. Essentially, trusted networks allow you to define two firewall rule sets within one. By defining one rule set that perhaps reflects remote access, either from hotel rooms, home networks etc., you can use trusted networks to create another rule set that defines what applications you are allowed to run that access your corporate internal network only.

Defining your trusted networks based on IP address, address range or subnet.

NOTE: You are also able to choose whether the IDS should be triggered from a specific host, if defined, or from this network (for example with a ThreatScan agent). In this case you would specify a 32-bit address of the ThreatScan host, for example 192.168.1.124 and 255.255.255.255.

Page 17: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 15)

Quarantine Mode explained:

Quarantine mode is a unique, distinctive feature of Desktop Firewall 8.0, the ePO agent and ePO 3.0. It is independent of what type of VPN gateway your organization may be using. When selecting quarantine mode, if the client is given an IP address that is part of the defined quarantine subnet, a new temporary rule set is put in place on the system. This rule set typically would permit DHCP, DNS, ePO agent, and VPN traffic. What happens is the firewall asks the ePO agent if there are any policy changes, outstanding tasks or software deployment tasks (these could be hotfixes, service packs, DAT updates, extra.dat updates) that have not been completed. While these checks or tasks are run, the machine is not permitted to access the network resources, or rather is restricted to the traffic allowed by the quarantine mode rule set. When the agent has verified that the tasks are complete and the system is updated or current, the quarantine mode is lifted and the firewall policy is enforced. A sample Quarantine mode configuration screenshot is provided below. Remember this rule set can be unique from the firewall policy that will run when the Quarantine mode check is complete. You may wish to have some additional scripts or checks run on the system while the machine is in Quarantine mode.

Defining the Quarantine Mode networks and specifying the action and notification screen that the user would see:

Page 18: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 16)

NOTE: Defining the Quarantine Mode rule set. These are common services that you would wish to permit before the standard firewall policy is in place. Think of it as the requirement checker before network access is given. For example, you may wish to permit ePO agent communication, DHCP, VPN, and DNS, which would allow a user on a home network to request an IP address from the ISP, resolve IP to name, make the VPN connection and allow the agent to ask the ePO Server if there is a new policy or a task that it missed completing. This allows McAfee to be independent of what type of VPN gateway solution you are using, as we ask the questions of ourselves, i.e. is my AV up to date, have I missed completing a task, and does the Firewall have the latest policy before this machine accesses the corporate network.

Page 19: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 17)

What the user can expect to see when their system is in Quarantine Mode:

The first screenshot is an example that shows the notification that a user would see advising them that their machine is in Quarantine Mode and is being checked for any outstanding tasks or policies to be completed. As shown earlier in this guide, this message can be customized to suit an organization’s needs.

Once the agent has completed its check for missed tasks, policy updates and any additional events to upload to the ePO Server, the Quarantine Mode is lifted and the appropriate firewall policy is in place. The below screenshot shows the Update Check Successful message that would appear on the user’s machine.

NOTE: If the Quarantine Mode check fails, the initial poll is 30 seconds. If the check still fails the polling is changed to every 2 minutes.
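The quarantine sequence from the previous section and the polling intervals in this note, as an added Python model (not McAfee’s code): a client that lands in the quarantine subnet gets the restricted rule set until a stand-in agent reports nothing outstanding, re-checking after 30 seconds and then every 2 minutes. The subnet, the service names and the FakeAgent are constructed.

```python
"""Quarantine Mode decision and agent polling, modelled after this guide.
Added example, not McAfee's code: the quarantine subnet, the permitted service
names and the stand-in agent are constructed; only the guide's sequence is kept."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed value: the quarantine subnet an administrator would define in ePO.
QUARANTINE_SUBNETS = (ip_network("10.250.0.0/16"),)
# Traffic the guide says the temporary quarantine rule set would typically permit.
QUARANTINE_PERMITTED = frozenset({"dhcp", "dns", "epo-agent", "vpn"})
INITIAL_RETRY_SECONDS = 30      # re-check this long after the first failed check
SUBSEQUENT_RETRY_SECONDS = 120  # then every two minutes while the check keeps failing

def in_quarantine_subnet(client_ip: str) -> bool:
    addr = ip_address(client_ip)
    return any(addr in net for net in QUARANTINE_SUBNETS)

def wait_before_attempt(attempt: int) -> int:
    """Seconds to wait before check number `attempt` (0 is the check made on connect)."""
    if attempt == 0:
        return 0
    return INITIAL_RETRY_SECONDS if attempt == 1 else SUBSEQUENT_RETRY_SECONDS

def traffic_permitted(service: str, quarantined: bool) -> bool:
    """While quarantined only the quarantine rule set applies; afterwards the full
    firewall policy decides (modelled as permit here, since it is outside this example)."""
    return service in QUARANTINE_PERMITTED if quarantined else True

@dataclass
class FakeAgent:
    """Stands in for the ePO agent: each check completes one outstanding task and
    reports whether anything (policy change, task, deployment) is still pending."""
    outstanding: List[str]

    def check(self) -> bool:
        if self.outstanding:
            self.outstanding.pop(0)
        return not self.outstanding

def quarantine_session(client_ip: str, agent: FakeAgent,
                       max_attempts: int = 10) -> Tuple[bool, int, List[int]]:
    """Return (released, seconds elapsed, times at which the agent was asked).
    A client outside the quarantine subnet is never quarantined."""
    if not in_quarantine_subnet(client_ip):
        return True, 0, []
    elapsed, checks = 0, []
    for attempt in range(max_attempts):
        elapsed += wait_before_attempt(attempt)
        checks.append(elapsed)
        if agent.check():           # nothing outstanding: lift quarantine
            return True, elapsed, checks
    return False, elapsed, checks   # still quarantined after max_attempts

if __name__ == "__main__":
    agent = FakeAgent(["DAT update", "policy refresh", "hotfix deployment"])
    print(quarantine_session("10.250.3.4", agent))     # (True, 150, [0, 30, 150])
    print(traffic_permitted("smb", quarantined=True))  # False
```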

Page 20: McAfee Desktop Firewall 8.0 Walkthrough Guide (printed page 18)

IDS (Intrusion Detection Signature) updates:

The Intrusion Detection signatures utilize the same McAfee common updating technology and scheduling that our AntiVirus and ePO agent use. The nai.com update site is considered the "source repository". This is where the updates, including IDS signatures and VirusScan DAT files, are stored. Every ePO server installation then has its own "Master Repository", which can be configured to update itself from the "Source Repository" at nai.com through a scheduled "pull task". When products deployed via ePO update themselves, they go to the "Master Repository" on the ePO server, or to any other defined distribution point (i.e. Distributed Repositories or SuperAgents; please refer to the ePO Product Guide for additional information), to obtain their updates. Both VirusScan and Desktop Firewall allow the user to configure when updates should occur. However, the ePO Administrator can also schedule updates via the ePO Console. To do so, select Directory, or specific machine(s) in the tree on the left-hand side, then select the Tasks tab. Right-click in the list of tasks and select Schedule Task. There is an entry for "ePolicy Orchestrator Agent Update" with task type "Update". Choose this and give the task a name. After clicking OK, you can double-click on the new task to configure when it occurs. This task will cause all ePO-deployed products to update, assuming that an update is available.

Some screenshots are included below which show the scheduling option and a sample update in progress.

NOTE: For additional information on the ePO agent updating options, please reference the ePO Product Guide documentation.

Desktop Firewall 8.0 and McAfee Installation Designer 7.1:

McAfee has developed a product called Installation Designer. With Installation Designer 7.1 you can customize your VirusScan 7.0 settings, policies, DATs and Engines, as well as an entire build and policies for Desktop Firewall 8.0. I have provided the two main screenshots that show the options for configuring Desktop Firewall via Installation Designer 7.1.

In this screenshot you can see that your options are to browse to the initial package installation file, mcafeefire_en.exe. Additional options here include choosing whether the install will take place in the default folder location or specifying a different path. You can also choose whether this will be an ePO managed package or not. The next screenshot shows the four configuration tabs that you should by now be familiar with. Installation Designer gives you the option to create a policy that will be embedded into this installer, or you can go to the 'administrative' tab and choose 'import policy from file'. You will then browse to the location where you saved the firewall rule set that you wish to embed in the installer.

NOTE: There is another option to import and export the firewall rule sets, and this is native to ePO 3.0. You can simply select which product you wish to export the policy for from one site and then import it at another site. This is covered in greater detail in the ePO 3.0 Product Guide.

Deploying through ePO, or deploying manually with ePO managing it:

Deploying the Desktop Firewall through ePO is a simple task. The only requirement is having the ePO agent on the client or server system. Please refer to the ePO documentation for this procedure.

NOTE: Deployment of the ePO agent can be via login scripts, pushed from ePO, SMS, Tivoli, ZenWorks or any other 3rd party utility that provides this functionality.

Assuming that the ePO agent exists on the systems you wish to deploy the firewall to, you simply need to click on the 'tasks' tab in the upper right pane of the ePO console for either the individual machine or the site you wish to deploy the firewall to. On the task tab, choose the settings option. Depending on the software that you have checked into the ePO repository, you may have several products listed, each with the choices ignore, install or remove. Select install for Desktop Firewall. If you wish to have the deployment take place immediately, right-click on the node or site and choose 'send agent wakeup call'. This will advise the agent that there is new policy to check for from the ePO server, and the client will then begin pulling the software from the ePO server or one of the defined distribution points as outlined in the ePO product guide. Deploying the firewall manually can be done in several ways: login scripts, SMS, Tivoli, Zenworks or other 3rd party utilities. As long as it is the ePO manageable version of the firewall, the next time the agent communicates with the ePO server it will exchange its incremental properties and update the ePO server with the fact that it now has Desktop Firewall installed. The ePO server will then, by default, have the client set to inherit policy, and a policy change will occur.

Choosing ePO deployment is shown below. When the agent checks for policy changes with the ePO Server, it recognizes that it is set to 'install' McAfee Desktop Firewall. If the agent reports that it has the firewall installed, nothing is done. If the agent does not report that it has the firewall, it will receive the Firewall install package from its predefined local distribution point.

Exporting and Importing Policies:

There are several options for importing and exporting Desktop Firewall 8.0 policies for deployment. ePO has a native option to import and export policies, and Desktop Firewall is another product that can leverage this capability. Below are two screenshots that show exporting a Desktop Firewall policy and then importing a policy into ePO. This is accomplished within the ePO console by right-clicking on a site or group, selecting 'Policy' and choosing the appropriate action (i.e. import or export).

Another way to accomplish this is to export a rule set from the machines that you wish to use as template builders. This option is in the Administrative Configuration tab within ePO and is called 'Enable Rulelist Exporting'. When you have enabled this option, you can right-click on the Firewall shield in the systray, choose View, then Firewall Policy, and then in the menu section select 'Export Policy'. Choose a location to copy the file to so that at a later point you can import it into ePO. Both the exporting and importing screens are shown below.

Proof of Concept: things to be aware of:

Believe it or not, there are only a few things to be aware of when looking to introduce a test or production deployment of McAfee Desktop Firewall, and I will attempt to suggest a few things to keep in mind.

It is strongly encouraged that you use the Audit Learn Mode feature, and you will notice that I have suggested it several times throughout the document. The reason for this emphasis is that, strangely enough, it is quite easy to overlook communication that an application requires in order to function. As a result, the Firewall will be blamed as the reason that things are not working. Well, actually that is most likely correct! But it is because the appropriate rules for the communication are not in place. This is where the strength of Audit Learn Mode comes into play, along with the ability to be as granular as you like when building this firewall template.

Also, when deploying the Firewall through an established VPN tunnel using ePO or any 3rd party utility, be aware that the VPN will not be able to be established unless you have packaged the required rule set with it. The Firewall truly does its job by blocking traffic that is not permitted, and will do so until it gets its next policy change from the ePO Server or you embed that rule set in the Firewall installer. Contact your local SE and they can provide the appropriate options depending on your deployment strategy.

Sample ePO Reports:

The Desktop Firewall reports give a valuable overview of what types of intrusion attempts your hosts are seeing, applications that have been blocked, failed quarantine updates, top attackers and top targets. Some sample reports have been included to provide an idea of this type of information:

Note: These are some of the sample canned reports included with ePO for Desktop Firewall 8.0.

The Hostile Internet and our Mobile Workforce:

One of the most recognized tools on the Internet for conducting an OS (Operating System) fingerprint is NMAP. The two examples below show a host without Desktop Firewall protecting it and the information gathered, and the same host with Desktop Firewall protecting it and the lack of information gathered.

Without McAfee Desktop Firewall running:

• Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
• Host (192.168.1.4) appears to be up ... good.
• Initiating SYN Stealth Scan against (192.168.1.4)
• Adding open port 3372/tcp
• Adding open port 135/tcp
• Adding open port 81/tcp
• Adding open port 445/tcp
• Adding open port 80/tcp
• Adding open port 1033/tcp
• Adding open port 139/tcp
• Adding open port 1433/tcp
• Adding open port 8081/tcp
• The SYN Stealth Scan took 41 seconds to scan 1601 ports.
• For OSScan assuming that port 80 is open and port 1 is closed and neither are firewalled
• Interesting ports on (192.168.1.4):
• (The 1592 ports scanned but not shown below are in state: closed)
• Port State Service
• 80/tcp open http
• 81/tcp open hosts2-ns
• 135/tcp open loc-srv
• 139/tcp open netbios-ssn
• 445/tcp open microsoft-ds
• 1033/tcp open netinfo
• 1433/tcp open ms-sql-s
• 3372/tcp open msdtc
• 8081/tcp open blackice-icecap
• Remote operating system guess: Windows 2000/XP/ME
• TCP Sequence Prediction: Class=random positive increments
• Difficulty=11881 (Worthy challenge)
• IPID Sequence Generation: Incremental
• Nmap run completed -- 1 IP address (1 host up) scanned in 45 seconds

Indeed this was a Windows 2000 system. Half of the battle for the remote attacker is already done, as now it is a simple case of finding the correct script to provide root access to the Windows box. The next example shows the same system with the Firewall up and running and the IDS set to block for a limited timeframe. Of course, if this same attacker port scanned this machine at a later date, they would once again be blocked for the specified timeframe.

With McAfee Desktop Firewall up and running:

• Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
• Host (192.168.1.4) appears to be up ... good.
• Initiating SYN Stealth Scan against (192.168.1.4)
• The SYN Stealth Scan took 173 seconds to scan 1601 ports.
• Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
• All 1601 scanned ports on (192.168.1.4) are: filtered
• Too many fingerprints match this host for me to give an accurate OS guess
• TCP/IP fingerprint:
• SInfo(V=3.00%P=i686-pc-linux-gnu%D=9/8%Time=3D7B5543%O=-1%C=-1)
• T5(Resp=N)
• T6(Resp=N)
• T7(Resp=N)
• PU(Resp=N)
• Nmap run completed -- 1 IP address (1 host up) scanned in 188 seconds

As you can see, NMAP was not able to gather an OS fingerprint even though this host had the exact same ports running and listening. The firewall has performed as expected, and the report will be sent back to ePO the next time that the ePO agent can establish communication with the Server. This is very useful for understanding how and where particular hosts in the enterprise are being probed for information.
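As an added example that is not from the guide or from McAfee, here is a small Python parser for nmap 3.00 text output like the two runs above; the sample strings are abridged copies of that output. It reports which ports remain reachable after the firewall policy and whether the OS guess was suppressed, which is the check a defender would script to verify a rule set before rollout.

```python
import re

# Abridged copies of the two nmap 3.00 runs shown above, used as sample input.
UNPROTECTED = """\
Interesting ports on (192.168.1.4):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/tcp open loc-srv
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
8081/tcp open blackice-icecap
Remote operating system guess: Windows 2000/XP/ME
"""
PROTECTED = """\
All 1601 scanned ports on (192.168.1.4) are: filtered
Too many fingerprints match this host for me to give an accurate OS guess
"""

# One "<port>/<proto> open <service>" line, the "Remote operating system guess:"
# line, and the all-filtered summary nmap prints when nothing answered.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)
OS_RE = re.compile(r"^Remote operating system guess: (.+)$", re.M)
FILTERED_RE = re.compile(r"^All \d+ scanned ports on .* are: filtered$", re.M)

def parse_scan(text):
    """Return the open ports, the OS guess (or None) and the all-filtered flag."""
    open_ports = {int(port): svc for port, _proto, svc in PORT_RE.findall(text)}
    os_match = OS_RE.search(text)
    return {
        "open": open_ports,
        "os_guess": os_match.group(1).strip() if os_match else None,
        "all_filtered": FILTERED_RE.search(text) is not None,
    }

def still_exposed(before_text, after_text):
    """Ports open before the firewall policy that nmap still reports open after it."""
    before, after = parse_scan(before_text), parse_scan(after_text)
    return sorted(set(before["open"]) & set(after["open"]))

def fingerprint_suppressed(text):
    """True when every port is filtered and nmap could not name the OS."""
    scan = parse_scan(text)
    return scan["all_filtered"] and scan["os_guess"] is None

if __name__ == "__main__":
    print("still exposed:", still_exposed(UNPROTECTED, PROTECTED))       # []
    print("fingerprint suppressed:", fingerprint_suppressed(PROTECTED))  # True
```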

NOTE: All communication between the ePO agent and the ePO Server is SPIPE encrypted, which is a technique based on PGP encryption.

Special Thanks:

I would just like to take this opportunity to thank the Desktop Firewall DEV team for their responsiveness in providing assistance when I needed it. As well, there were many reviewers who provided great insight into content that should be discussed: Greg, Randy, Sylvain, Doug, Dan, Toralv and Scott. Cheers.

Expert Services:

Network Associates Expert Services offers a number of services, including Threat Assessment. This service provides a review of the organization's anti-virus products, policies and processes, a vulnerability scan of mission critical servers and a scan of random nodes to determine the organization's exposure to threats, a review of their change management procedures and policies, and incident response planning.

For more information contact your local services representative.

Comments:

If you have any feedback or questions relating to the contents, you can contact the author at [email protected]

Rev: 8.3a