Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Installationsanleitung

McAfee Host Intrusion Prevention 8.0Installation Guide

Extension/client functionality• Two versions of Host Intrusion Prevention 8.0: a firewall-only version and a full versioncontaining both firewall and

Best Practices for Quick SuccessMcAfee Host Intrusion Prevention delivers great value to your organization by reducing patchingfrequency and urgency,

5 Optional adaptive mode6 Enhanced protection and advanced tuning7 Maintenance and expansion beyond IPSBoth desktops and servers follow a similar roll

1. Strategize2. Prepare a pilot environment3. Install and configure4. Do initial tuning5. Activate adaptive mode (optional)6. Refine tuning7. Perform

• Servers running dedicated database, web, email, or other applications, as well as print andfile servers.Lab or real world?Many enterprises require l

“Patch Tuesday” issues were shielded using the out-of-the-box basic protection level. Activatingeven default protection offers significant immediate v

Choose your optionOption 1 helps you gain the most protection benefit from your IPS investment. Option 2 presentsa reliable, lightweight strategy. Pic

Process overview:Figure 2: Host Intrusion Prevention installation and maintenance using ePolicy Orchestrator• The ePO server works with McAfee Agent o

Group the clients logically. Clients can be grouped according to any criteria that fit in the ePOSystem Tree hierarchy. For example, you might group a

Refine baseline policies (optional)Some administrators tweak protection defaults immediately, before starting the deployment.You can automatically pro

COPYRIGHTCopyright © 2010 McAfee, Inc. All Rights Reserved.No part of this publication may be reproduced, transmitted, transcribed, stored in a retrie

1 Check that the Host IPS services (FireSvc.exe, mfefire.exe, mfevtp.exe) and frameworkservice (McAfeeFramework.exe) are started.2 Very Important! Run

legitimate activities, most common with internally-developed applications, these false positivescan be resolved in the next step.TIP: Often when scann

legitimate applications, and you do not need to permit these behaviors. Validate that theuser application functions correctly and continue blocking.TI

5. Activate adaptive mode (optional)After completing a business cycle with the software in place, begin to implement well-targetedrules to create cust

• Track client rules in the ePO console, viewing them in regular, filtered, and aggregatedviews.• Use automatically created client rules to define new

Continue tuningReview exceptions and any issues that emerge. Manage these as discussed in the initial tuningstep.• Monitor help desk calls and user co

computers fit into a few usage profiles. Managing a large deployment is reduced tomaintaining a few policy rules.• Repeat the process for power users

Installing in ePolicy OrchestratorThis version of Host Intrusion Prevention requires that you install one or more extensions inePolicy Orchestrator de

FunctionalityRequired extensionsFile nameMcAfee ePOversionePO Help with Host IntrusionPrevention 8.0 informationHelp Content: hip_800_help* Valid only

In ePolicy Orchestrator 4.0, Host Intrusion Prevention 8.0.0 and Host IPS LicenseExtension, if installed, appear in the Managed Products list under ex

ContentsInstalling McAfee Host Intrusion Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Components.

Migrating PoliciesYou cannot use McAfee Host Intrusion Prevention version 6.1 or 7.0 policies with version 8.0clients without first migrating version

To version 8.0, do this...To migrate this version of Host IntrusionPrevention...• Migrate 6.1 policies to 8.0 policies by running the HostIPS 8.0 migr

Migrating policies through an xml fileIf the McAfee Host Intrusion Prevention 6.1 or 7.0 extension is not installed and you havepreviously exported se

Installing the Windows ClientThis section describes the requirements, properties, and installation of McAfee Host IntrusionPrevention 8.0 Windows clie

• Enterprise Edition• Ultimate EditionWindows Server 2003 SP2, 2003 R2, 2003 R2 SP2 (32- & 64-bit)• All editionsWindows Server 2008, 2008 SP1, 200

MED-V 1.0, 1.0 SP1•• App-V 4.5, 4.6• SCVMM 2008, 2008 R2• SCCM 2007SP2, 2007 R2• SCOM 2007, 2007 R2• Microsoft App-V 4.5, 4.6• XP Mode Windows 7 32- a

Before you beginIf a previous version of the client exists, be sure to disable IPS protection before attempting toinstall.Task1 Copy the client instal

Task1 From the ePO server, select the system from which you want to remove the software.2 Enforce the Host Intrusion Prevention Client UI policy optio

3 Set debugging: Select Help | Troubleshooting and enable full debug logging for firewalland IPS).4 Ensure that both Host IPS and Network IPS are disa

Installing the Solaris ClientThis section describes the requirements, properties, and installation of McAfee Host IntrusionPrevention 8.0 Solaris clie

Installing the Solaris client locally. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Policy enforcementNot all Host Intrusion Prevention 8.0 policies are available for the Solaris client. In brief, HostIntrusion Prevention protects the

For more information on editing signatures, seeAppendix A — Writing Custom Signaturesinthe product guide or help.Installing the Solaris client remotel

You are now ready to monitor and deploy IPS policies for the Solaris client. For details, see theMcAfee Host Intrusion Prevention 8.0 Product Guide.To

Verify the Solaris client is runningThe client might be installed correctly, but you might encounter problems with its operation. Ifthe client does no

Installing the Linux ClientThis section describes the requirements, properties, and installation of McAfee Host IntrusionPrevention 8.0 Linux client,

• Red Hat Linux Enterprise 5, 64-bit• 2.6.18-8.el5• SUSE Linux Enterprise 10, 32-bit• 2.6.16.21-0.8-bigsmp• 2.6.16.21-0.8-default• 2.6.16.21-0.8-smp•

Available optionsPolicy• Signatures (default and custom HIPS rules only)NOTE: NIPS signatures and Application Protection Rules are notavailable.AllIPS

Task1 Copy the appropriate .rpm file from the client installation package to the Linux system:• Red Hat Linux Enterprise 4, 32-bit1 MFEhiplsm-kernel-8

You are now ready to monitor and deploy IPS policies for the Linux client. For details, see theHost Intrusion Prevention 8.0 Product Guide.To be sure

Verify the Linux client is runningThe client might be installed correctly, but you might encounter problems with its operation. Ifthe client does not

Installing McAfee Host Intrusion PreventionThis guide provides all the information you need to install and start using Host IntrusionPrevention 8.0 so

collect event information, and transmit the information back to ePolicy Orchestrator throughthe McAfee Agent.Figure 1: Host Intrusion Prevention prote

• McAfee Agent — Agent installed on a managed system that acts as the intermediary betweenthe Host Intrusion Prevention client and the ePolicy Orchest

On client systemsOn the ePolicy Orchestrator serverLinuxSolarisWindowsHost IPS 8.0 extensionsVersion––Firewall only for ePO 4.54.5• McAfee Agent 4.0(P

TrustedSource rating and blocking: Firewall rules block or allow incoming or outgoingtraffic according to McAfee TrustedSource ratings•• IP spoof prot