McAfee Desktop Firewall, TEPUM Secura

McAfee Desktop Firewall 8.0 

[ Ayrıntılı bilgi için; info@secura.com.tr ]

Agenda 

• Problems facing today’s IT environment 

• New Desktop Firewall 8.0 features & benefits 

• Real world example of Desktop Firewall in action 

• Summary 

McAfee Desktop Firewall 8.0, Page 2

VirusScan Enterprise 

+ Desktop Firewall 

VirusScan 

Enterprise 

E-Business 

Server 

VirusScan 

Wireless 

Desktop 

Firewall 

VirusScan ASaP 

desktop and server protection with 

online management reporting 

WebShield Appliance 

http,ftp,smtp,pop3 

GroupShield 

e-mail server 

Entercept 

system security products 

ePolicy Orchestrator 

management console 

NetShield 

file and print 

server/filers 

ThreatScan 

viral vulnerability 

assessment 


Problems facing today’s IT environments 

• The network is the battle ground 

• Defending the client 

• Controlling the client 


Problems Defending 

• Blended threats like SQLSlammer, Klez, BugBear, Fizzer, 

and Sobig cause damage 

• Anti-Virus alone cannot stop all new threats 

• Anti-virus alone cannot contain all threats from spreading 

• Spyware and other unwanted applications are everywhere 

• Increased numbers of mobile users & wireless hot spots 


Problems Controlling 

• Locking down a desktop computer is not easy 

• Users like to install their own software from the Internet 

• User change configurations without IT permission 

• Clients with old protection and security policies continually 

connect to the network 


Reducing Vulnerability with Desktop Firewall 

Before Virus 

(Proactive) 

After Virus 

(Reactive) 

•Proactively help 

prevent Spyware and 

unwanted programs. 

•Proactively reduce the 

speed of attack 

Fix 

Delivery 

Traditional 

AV Tools 

•Proactively prevent 

insecure clients 

accessing the network 

•Proactively reduce 

the chance of attack 

success 

•Proactively reduce 

the exposure to attack 

Time 

6 Months 3 Months 0 

3 Hours 6 Hours 

3 Days 

Virus 

Discovered 


How Desktop Firewall Works? 

Client 

Intrusion Detection System 

NEW Application Monitoring 

Network 

Packet/Application Firewall 

Policy Enforcement 

& 

Graphical Reporting 


McAfee Protection 

VirusScan Enterprise 

+ Desktop Firewall 

VirusScan 

Enterprise 

E-Business 

Server 

VirusScan 

Wireless 

Desktop 

Firewall 

WebShield Appliance 

http,ftp,smtp,pop3 

ePolicy Orchestrator 

management console 

NetShield 

file and print 

server/filers 

VirusScan ASaP 

desktop and server protection with 

online management reporting 

GroupShield 

e-mail server 

Entercept 

system security products 

ThreatScan 

viral vulnerability 

assessment 


New feature in Desktop Firewall 8.0 

• Application Monitoring 

• Quarantine Mode 

• Auto Learn & Audit Mode 

• Updateable IDS Signatures 

• Time Based Rules 

• Non IP Protocol Support 

• Split Learn Mode 

• Block by Domain Name 


Application Monitoring 

• Application Creation 

• Application Creation is the action of an application 

running 

• Benefit 

• Prevents malicious programs, spyware, Trojans from running 

• Suppresses some adware popup driven by executables 

• Enables Administrator to enforce the Common Operating 

Environment (COE) 

• Without the need to remove local admin rights 



• Application Hooking 

• ‘Hooking’ is the act of injecting code into another process 

• Benefit 

• Some processes will do this legitimately 

• If a process ‘Hooks’ into Internet Explorer and allowed to access 

the network, the hooking application can fool the firewall into 

thinking it is Internet Explorer 

• Prevent sophisticated attacks such as browser hijacking 




Quarantine Mode 

• Prevent none compliant systems connecting to the network 

• Benefit 

• Increase network security by automatically checking client security 

policies before allowing them to communicate on the network. 

• Protects the network from out-of-date anti-virus and Desktop 

Firewall software and policies. 

• Keeps potentially dangerous traffic off the network. 


Auto Learn & Audit Mode 

• Administrative ePO option to automatically learn rules 

• Benefit 

• Automatically learn rules for Desktop Firewall without user 

intervention. 

• Administrators can easily audit learned rules from a central console 

and refine policies. 

• Easy configuration to avoid blocking legitimate application - a worry 

for administrators 


Updateable IDS Signatures 

• Enables IDS protection to be 

updated with Signatures files. 

• IDS Signature updates are available 

on a monthly basis. 

• Benefit 

• provide continually enhanced 

intrusion detection 

• Offers rapid protection against 

tomorrow’s threats. 


Time Based Rules 

• Individual firewall rules can 

have a time restriction applied 

to them. 

• Rules can either disable or 

switch permissions (i.e.. Allow 

rule becomes a Block rule) 

when the time period expires. 

• Benefit 

• Time based rules enable 

flexible policies to be set so 

that rules are only active on 

certain times or days 


NON IP Protocols 

• 120 IP-based protocols. 

• WiFi (802.11x), NetBEUI, IPX, and 

AppleTalk. 

• Benefit 

• Multiple protocol rules provide greater 

levels of network security by filtering a 

broad range of network traffic. 


Split Learn Mode 

• Enables administrators to customize 

learn mode for either incoming, 

outgoing or both 

• Benefit 

• Allow Learn Mode to learn 

incoming or outbound or both 

• Provides flexible rule learning 

capabilities 


Block by domain name 

• Simply add domains that you wish to block access to. 

• Benefit 

• Enables entire internet domains to be easily blocked, 

• maintaining rules becomes easier. 


Evolution of Threats 

• 1994: Michelangelo – 6 months 

• 1997: Cap – 2 months 

• 1999: Melissa – 1 day 

• 2000: Loveletter – 4 hours 

• 2001: CodeRed/Nimda – 1 hour? 

• 2003: Slammer - 10 minutes 

14,000 

12,000 

10,000 

8,000 

6,000 

6250 

12500 

• 2004: Threat X – Seconds?!? 

4,000 

2,000 

2777 

0 

Code Red Nimda Goner 

Source: McAfee AVERT 


Proactive Protection Against Blended Threats 

Multiple attack methods are now common 

Internet Explorer (HTTP) 

OutLook (SMTP/MAPI) 

File Sharing (Network) 

IIS Web Server (HTTP) 

Peer2Peer Exploit 


How DTFW Would Have prevented Bugbear.b 

• The worm is received via email (i.e. Outlook) 

• Possibly self-executes on opening the email 

• Attempts to send spoofed email directly over SMTP 

• Also drops a backdoor on TCP port 1080 



• DTFW adds a protective ‘shield’ around the client 

• Only allowing ‘approved’ apps and services 

• Blended attacks are contained - never leaving the client 



• Instead of an infected client further infecting others 

• The worm’s traffic is instead blocked 

• The threat is instead, contained 


Other Real World Examples of Proactive Protection with 

Desktop Firewall 

• Preventing Fizzer 

• Uses network to spread 

• Worm uses:- SMTP(25), KaZaa, IRC(6667), AIM(5190), HTTP, 

and RAS to spread 

• Attempts to terminate AV software 

• Desktop Firewall deals with this 

• By default blocks these ports so worm could not spread if it arrived 

in your inbox 


Summary 

• The Network is the battle ground 

• Proactively prevents & contains the spread of unknown threats that 

AV alone can not. 

• Desktop Firewall proactive protects against blended threats – 

BugBear, Fizzer etc. 

• Centralized management and reporting with McAfee ePolicy 

Orchestrator 

• Top New Features 

• Prevent unwanted applications from running or hooking 

• Prevent insecure clients connecting to the network and causing 

damage 

• Update able intrusion detection system 

• Easy administration of firewall rules 


Teşekkür Ederiz. 

[ Ayrıntılı bilgi için; info@secura.com.tr ]

McAfee Desktop Firewall, TEPUM Secura

Create successful ePaper yourself

Delete template?

Save as template?