How Firewall Rules Work; Firewall Protocols - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product Guide for use with ePolicy Orchestrator 4.5

Configuring Firewall Policies
Overview of Firewall policies

How firewall rules work

Firewall rules determine how to handle network traffic. Each rule provides a set of conditions
that traffic has to meet and an action to allow or block traffic. When Host Intrusion Prevention
finds traffic that matches a rule's conditions, it performs the associated action.

Host Intrusion Prevention uses precedence to apply rules: the rule at the top of the firewall
rules list is applied first. If the traffic meets this rule's conditions, Host Intrusion Prevention
allows or blocks the traffic. It does not try to apply any other rules in the list. If, however, the
traffic does not meet the first rule's conditions, Host Intrusion Prevention looks at the next rule
in the list. It works its way down through the firewall rules list until it finds a rule that the traffic
matches.

If no rule matches, the firewall automatically blocks the traffic. If learn mode is
activated, the user is prompted for an action to be taken. If adaptive mode is activated, an
allow rule is created for the traffic. Sometimes the intercepted traffic matches more than one
rule in the list. In this case, precedence means that Host Intrusion Prevention applies only the
first matching rule in the list.
Best practices
When you create or customize a firewall rules policy, place the more specific rules at the top
of the list, and the more general rules at the bottom. This ensures that Host Intrusion Prevention
filters traffic appropriately.
For example, to allow all HTTP requests except from a specific address (for example, IP address
10.10.10.1), you need to create two rules:
• Block Rule — Block HTTP traffic from IP address 10.10.10.1. This rule is more specific.
• Allow Rule — Allow all traffic using the HTTP service. This rule is more general.
You must place the more specific Block Rule higher in the firewall rules list than the more general
Allow Rule. This ensures that when the firewall intercepts the HTTP request from address
10.10.10.1, the first matching rule it finds is the one that blocks this traffic through the firewall.
If you placed the more general Allow Rule higher than the more specific Block Rule, Host
Intrusion Prevention would match all HTTP requests against the Allow Rule before it found the
Block Rule. It would thus allow the traffic, even though you wanted to block the HTTP request
from a specific address.
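The first-match precedence and the two-rule example above, modelled as an added illustration (not the product's own code or configuration): a small rule list evaluated top to bottom with an implicit block when nothing matches, plus a constructed shadowing check that flags the ordering mistake the guide warns about. The Rule fields, the `evaluate` function and the `shadowed_rules` helper are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    service_port: Optional[int] = None  # None matches any destination port
    source: Optional[str] = None        # IP or CIDR; None matches any source

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.service_port is not None and dst_port != self.service_port:
            return False
        if self.source is not None and ip_address(src_ip) not in ip_network(self.source):
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> Tuple[str, str]:
    """First-match precedence: the first rule whose conditions fit decides the traffic.
    Traffic that matches no rule is blocked, as the guide describes."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action, rule.name
    return "block", "implicit default"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule is at least as
    general: every packet they would match is already decided higher in the list."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            port_ok = earlier.service_port is None or earlier.service_port == later.service_port
            src_ok = earlier.source is None or (
                later.source is not None
                and ip_network(later.source).subnet_of(ip_network(earlier.source)))
            if port_ok and src_ok:
                shadowed.append(later.name)
                break
    return shadowed


HTTP = 80
BLOCK_HOST = Rule("Block HTTP from 10.10.10.1", "block", HTTP, "10.10.10.1/32")
ALLOW_HTTP = Rule("Allow HTTP", "allow", HTTP)
CORRECT_ORDER = [BLOCK_HOST, ALLOW_HTTP]  # specific rule first, as the guide recommends
WRONG_ORDER = [ALLOW_HTTP, BLOCK_HOST]    # general rule first: the block rule is shadowed
```

Running `shadowed_rules(WRONG_ORDER)` reports the block rule, while `evaluate(WRONG_ORDER, "10.10.10.1", 80)` shows the traffic being allowed despite it.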

Firewall protocols

Firewall protection works at several layers of the network architecture, where different criteria
are used to restrict network traffic. This network architecture is built on the Transmission Control
Protocol/Internet Protocol (TCP/IP) suite.
Link Layer
The link layer protocol describes the media access control (MAC) method, and some minor
error-detection facilities.
Ethernet LAN (802.3), wireless Wi-Fi (802.11x), and virtual LAN (VPN) are in this layer. Both
firewall rules and groups distinguish between wired, wireless, and virtual links.
Network Layer
The network layer protocols define whole-network addressing schemes, routing, and network
control schemes.
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5, page 53