Firewall Flashcards

1
Q

Give a high level overview of Firewall

A

Protects systems, network resources, and applications from external and internal attacks.

Firewall scans all incoming and outgoing traffic and compares it to its list of firewall rules, which is a set of
criteria with associated actions. If a packet matches all criteria in a rule, the firewall acts according to the rule,
blocking or allowing the packet through the firewall.

2
Q

What features make up the “Protect” section of Firewall?

A

Rules, Rule Groups, Stateful Packet Filtering and inspection, Reputation Based Control

3
Q

What features make up the “Detect” section of Firewall?

A

Dashboards and Monitors, Queries and Reports, Alerts, Log Traffic

4
Q

What features make up the “Correct” section of Firewall?

A

Adaptive Mode, Defined Networks, Trusted Executables, Firewall Catalog, Client Options, Dashboards and monitors

5
Q

Give a High Level Explanation of Firewall “Rules”

A

A way to define the criteria Firewall uses to determine whether to block or allow incoming and outgoing traffic.

6
Q

Give a High Level Explanation of Firewall “Rule Groups”

A

Organize firewall rules for easy management, enabling you to apply rules manually or on a schedule, and to only process traffic based on connection type.

7
Q

Give a High Level Explanation of “Stateful packet filtering and inspection”

A

Track network connection state and characteristics in a state table, allowing only packets that match a known open connection.

8
Q

Give a High Level Explanation of Firewall “Reputation-based control”

A

Block untrusted executables, or all traffic from an untrusted network, based on reputation

9
Q

Give a High Level Explanation of Adaptive mode

A

Create rules automatically on the client system to allow legitimate activity.
Once created, analyze client rules to decide which to convert to server-mandated policies.

10
Q

Give a High Level Explanation of “Defined Networks”

A

Define trusted networks to allow traffic from networks that your organization considers safe

11
Q

Give a High Level Explanation of “Firewall Catalog”

A

Define rules and groups to add to multiple policies, or networks and applications to add to firewall rules

12
Q

How does Firewall work?

A

It scans all incoming and outgoing traffic at the packet level and compares packets to the configured firewall rules to determine whether to allow or block the traffic

1 The administrator configures firewall rules in McAfee ePO and enforces the policy to the client system.

2 The user performs a task that initiates network activity and generates traffic.

3 Firewall scans all incoming and outgoing traffic and compares packets to configured rules. If the traffic matches a rule, Firewall blocks or allows it, based on the rule criteria.

4 Firewall logs the details, then generates and sends an event to McAfee ePO.

13
Q

How do firewall rules work?

A
  • Determine how to handle network traffic
  • Each rule provides a set of conditions that traffic must meet, and an action to allow or block traffic
  • When firewall finds traffic that matches a rule’s conditions, it performs the associated action
14
Q

How does the order of firewall rules affect the way they’re used?

A

Firewall uses precedence to apply rules:

1 Firewall applies the rule at the top of the firewall rules list. If the traffic meets this rule’s conditions, Firewall allows or blocks the traffic. It doesn’t try to apply any other rules in the list.

2 If the traffic doesn’t meet the first rule’s conditions, Firewall continues to the next rule in the list until it finds a rule that the traffic matches.

3 If no rule matches, the firewall automatically blocks the traffic.

15
Q

What happens if all of the configured Firewall rules are applied and none match the sample?

A

It’s automatically blocked.

16
Q

What happens if all of the configured Firewall rules are applied and none match the sample, and adaptive mode is active?

A

An Allow rule is created for the traffic.

17
Q

What happens if intercepted traffic matches more than one rule in the list?

A

Firewall applies only the first matching rule in the list

18
Q

What is the best practice in regards to rule order?

A

The more specific rules should be placed at the top of the list, and the more general rules at the bottom, which ensures that Firewall filters traffic appropriately

19
Q

How do firewall rule groups work?

A

Firewall rule groups organize firewall rules for easy management. They do not affect the way Firewall handles rules; the software processes rules from top to bottom

20
Q

Does Firewall prioritize the settings of a rule group first in processing, or the settings for the individual rules it contains?

A

It processes the settings for the group first.

21
Q

If a conflict exists between the settings of a firewall group and the rules it contains, what happens?

A

The group settings take precedence

22
Q

What are Timed Groups?

A

Timed groups are Firewall rule groups that are active for a set time.

For example, a timed group can be enabled to allow a client system to connect to a public network and establish a VPN connection.

Groups can be activated either on a specified schedule, or manually by selecting options from the McAfee system tray icon.

23
Q

What are Connection Isolation Groups?

A

Process only traffic that matches a defined connection type and group criteria

24
Q

What are the predefined firewall rule groups in ePO?

A

• McAfee core networking - Contains the core networking rules provided by McAfee and includes rules to allow McAfee applications and DNS.
• ePO Server - Contains rules to allow McAfee ePO services to run.
• Basic Networking - Contains rules to allow basic networking services, such as DNS, to run.
• VPN - Contains rules to allow VPN services to run.
• ICMP - Contains rules to allow all ICMP traffic.
• Windows AD Authentication - Contains rules to allow Windows Active Directory authentication.
• NetBIOS - Contains rules to allow inbound and outbound NetBIOS services and sessions, and block untrusted NetBIOS services.
• Web/FTP - Contains rules to allow outbound HTTPS and FTP services.
• Mail clients - Contains rules to allow outbound mail services, such as POP.
• Network tools - Contains rules to allow Remote Desktop (RDP) connections.

25
What are the predefined firewall rule groups on the client?
• McAfee core networking - Contains the core networking rules provided by McAfee and includes rules to allow McAfee applications and DNS
• Admin-defined - Contains rules defined by the administrator of the management server
• User-defined - Contains rules defined on the ENS Client
• Adaptive - Contains client exception rules that are created automatically when the system is in Adaptive mode
• Default - Contains default rules provided by McAfee
26
What are the parameters for allowed connections that can be included after enabling location status and naming the location in a location aware group?
• Connection-specific DNS suffix
• Primary WINS server IP address
• Default gateway IP address
• Secondary WINS server IP address
• DHCP server IP address
• Domain reachability (HTTPS)
• DNS server queried to resolve URLs
• Registry key
• Single IP address
• Range
• Subnet
27
How does the connection isolation setting work?
Prevent undesirable traffic from accessing a designated network.

When connection isolation is enabled for a group, and an active Network Interface Card matches the group criteria, Firewall only processes traffic that matches:
• Allow rules above the group in the firewall rules list
• Group criteria

All other traffic is blocked.
28
What is stateful packet filtering?
The stateful tracking of TCP/UDP/ICMP protocol information at Transport Layer 4 and lower of the OSI network stack.
29
What is the state table?
The state table dynamically tracks connections previously matched against a static rule set, and reflects the current connection state of the TCP/UDP/ICMP protocols. If an inspected packet matches an existing entry in the state table, the packet is allowed without further scrutiny. When a connection is closed or times out, its entry is removed from the state table.
30
What is stateful packet inspection?
The process of stateful packet filtering and tracking commands at Application Layer 7 of the OSI network stack. This combination offers a strong definition of the computer's connection state. Access to the application-level commands provides error-free inspection and securing of the FTP protocol.
31
How does stateful packet filtering work?
Each packet is examined; if the inspected packet matches an existing firewall allow rule, the packet is allowed and an entry is made in the state table.
32
What do entries in a state table base their definitions of connections on?
• Protocol — The predefined way one service talks with another; includes TCP, UDP, and ICMP protocols.
• IP addresses for local and remote computers — Each computer is assigned a unique IP address. IPv4, the current standard for IP addresses, permits addresses 32 bits long, whereas IPv6, a newer standard, permits addresses 128 bits long. Many operating systems, including Windows Vista and later, support IPv6. Firewall supports both standards.
• Port numbers for local and remote computers — A computer sends and receives services using numbered ports. For example, HTTP service typically is available on port 80, and FTP services on port 21. Port numbers range from 0–65535.
• Process ID (PID) — A unique identifier for the process associated with a connection’s traffic.
• Timestamp — The time of the last incoming or outgoing packet associated with the connection.
• Timeout — The time limit (in seconds) after which the entry is removed from the table if no packet matching the connection is received. The timeout for TCP connections is enforced only when the connection isn't established.
• Direction — The direction (incoming or outgoing) of the traffic that triggered the entry. After a connection is established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the connection’s parameters in the state table.
33
If firewall rule sets change, what happens in the state table?
All active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table.
34
If an adapter obtains a new IP address, what happens in the state table?
The firewall recognizes the new configuration and drops all state table entries with invalid local IP addresses.
35
What happens in the state table when a process ends?
All entries in the state table associated with the process are deleted.
36
How does stateful packet inspection work?
Combines stateful filtering with access to application-level commands, which secure protocols such as FTP.
37
How is UDP protocol handled by Firewall?
A UDP connection is added to the state table when a matching static rule is found and the action from the rule is Allow. Generic UDP connections remain in the state table as long as the connection isn't idle longer than the specified timeout period. These connections carry application-level protocols unknown to the firewall.
38
How is ICMPv4/v6 protocol handled by Firewall?
Only ICMP Echo Request and Echo Reply message types are tracked. In contrast to the reliable connection-oriented TCP protocol, UDP and ICMPv4/v6 are less reliable, connectionless protocols. To secure these protocols, the firewall considers generic UDP and ICMP connections to be virtual connections. Virtual connections are held only as long as the connection isn't idle longer than the timeout period specified for the connection. Set the timeout for virtual connections in the Firewall Options settings.
39
How is TCP protocol handled by Firewall?
TCP protocol works on the 3-way handshake.

1 The client computer initiates a new connection, sending a packet to its target with a SYN bit set.

2 The target responds by sending a packet to the client with a SYN-ACK bit set.

3 The client responds by sending a packet with an ACK bit set and the stateful connection is established.

All outgoing packets are allowed, but only incoming packets that are part of the established connection are allowed. An exception is when the firewall first queries the TCP protocol and adds all pre-existing connections that match the static rules. Pre-existing connections without a matching static rule are blocked. The TCP connection timeout is enforced only when the connection isn't established. A second or forced TCP timeout applies to established TCP connections only. A registry setting controls this timeout, which has a default value of one hour. Every four minutes the firewall queries the TCP stack and discards connections that TCP doesn't report.
40
How is DNS Protocol handled by Firewall?
Query/response matching makes sure that DNS responses are only allowed:
• To the local port that originated the query
• From a remote IP address that has been queried during the UDP Virtual Connection Timeout interval

Incoming DNS responses are allowed if:
• The connection in the state table hasn't expired.
• The response comes from the same remote IP address and port where the request was sent.
41
How is DHCP Protocol handled by Firewall?
Query/response matching makes sure that return packets are allowed only for legitimate queries. Thus incoming DHCP responses are allowed if:
• The connection in the state table hasn't expired.
• The response transaction ID matches the one from the request.
42
How do Trusted Networks work?
Trusted networks are IP addresses, IP address ranges, and subnets that your organization considers safe. Defining a network as trusted causes Firewall to create an internal bi-directional Allow rule with remote network criteria set to the trusted network. Any traffic to and from the trusted networks is allowed.
43
How do Trusted Executables and Applications work?
Configuring a trusted executable creates a bi-directional allow for that executable at the top of the Firewall rules list. Maintaining a list of safe executables for a system reduces or eliminates most false positives.
44
What is the firewall catalog?
Found in McAfee ePO under Policy, it includes previously added firewall rule and firewall group items. When referencing a catalog item, you create a dependent link between it and a firewall rule or group. Any change to the item in the catalog also changes the item wherever it is used.
45
What is the Link Layer?
The link layer protocol describes the media access control (MAC) method, and some minor error-detection facilities. Ethernet LAN (802.3), wireless Wi-Fi (802.11x), and virtual LAN (VPN) are in this layer. Both firewall rules and groups distinguish between wired, wireless, and virtual links.
46
What is the Network Layer?
The network layer protocols define whole-network addressing schemes, routing, and network control schemes. It also supports arbitrary non-IP protocols, but can't detect any network or transport layer parameters for them. At best, this layer allows the administrator to block or allow these network layer protocols.
47
What is TCP?
TCP is a connection-oriented, reliable transport protocol. It guarantees that the data contained in network packets are delivered reliably, and in order. It also controls the rate at which data is received and transmitted. This control requires a certain amount of overhead, and makes the timing of TCP operations unpredictable when network conditions are suboptimal. TCP is the transport layer for most application protocols. HTTP, FTP, SMTP, RDP, SSH, POP, and IMAP all use TCP. TCP multiplexes between application-layer protocols using the concept of “ports.” Each TCP packet contains a source and destination port number, from 0–65535. Usually, the server end of a TCP connection listens for connections on a fixed port.
48
What is UDP?
User Datagram Protocol is a connectionless best-effort transport protocol. It makes no guarantees about reliability or packet order, and lacks flow control features. In practice, it has some desirable properties for certain classes of traffic. UDP is often used as a transport protocol for performance-critical applications. It is also used in real-time multi-media applications. A dropped packet causes only a momentary glitch in the datastream and is more acceptable than a stream that stops to wait for retransmission. IP telephony and videoconferencing software often uses UDP, as do some multi-player video games. The UDP multiplexing scheme is identical to that of TCP: each datagram has a source and destination port, ranging from 0–65535.
49
What is ICMP?
Internet Control Message Protocol, version 4 (ICMPv4) and version 6 (ICMPv6), is used as an out-of-band communication channel between IP hosts. It is useful in troubleshooting, and needed for the proper function of an IP network, because it is the error reporting mechanism. IPv4 and IPv6 have separate, unrelated ICMP protocol variants. ICMPv4 is often called simply ICMP. ICMPv6 is important in an IPv6 network. It is used for several critical tasks, such as neighbor discovery (which ARP handles in an IPv4 network). Users are discouraged from blocking ICMPv6 traffic if IPv6 is supported on their network. Instead of port numbers, both versions of ICMP define message types. Echo Request and Echo Reply are used for ping. Destination Unreachable messages indicate routing failures. ICMP also implements a Traceroute facility, though UDP and TCP can also be used for this purpose.
50
How does Firewall handle common unsupported protocols?
Traffic belonging to these protocols, usually with an unparsable EtherType, is always blocked or always allowed, depending on the selection in the options setting.
51
How does McAfee GTI work with Firewall?
Firewall uses the value of the Incoming network-reputation threshold and Outgoing network-reputation threshold options to create internal rules on the client system. If incoming or outgoing traffic matches these rules, Firewall queries McAfee GTI for the reputation of the source or destination IP address. Firewall uses this information to determine whether to block incoming or outgoing traffic.
• Treat match as intrusion — Treats traffic that matches the McAfee GTI block threshold setting as an intrusion and displays an alert.
• Log matching traffic — Treats traffic that matches the McAfee GTI block threshold setting as a detection and displays an event in the Event Log on the Endpoint Security Client. Firewall also sends an event to McAfee ePO.
52
What are the reputation levels used with GTI & FireWall?
• Do not block (minimal risk) — This is a legitimate source or destination of content/traffic.
• High Risk — This source/destination sends or hosts potentially malicious content/traffic that McAfee considers risky.
• Medium Risk — This source/destination shows behavior that McAfee considers suspicious. Any content/traffic from the site requires special scrutiny.
• Unverified — This site appears to be a legitimate source or destination of content/traffic, but also displays properties suggesting that further inspection is needed.
53
Does McAfee GTI introduce latency? How much?
When McAfee GTI is contacted to do a reputation lookup, some latency is inevitable. McAfee does everything possible to minimize this latency. McAfee GTI:
• Checks reputations only when the options are selected.
• Uses an intelligent caching architecture. In normal network usage patterns, the cache resolves most wanted connections without a live reputation query.
54
If Firewall can't reach the McAfee GTI servers, does traffic stop?
If McAfee GTI is not reachable, you can configure Firewall to either block all traffic by default or allow traffic unless firewall rules specifically block it.
55
How does tuning work?
Involves balancing intrusion prevention protection with access to required information and applications per group type.
56
According to the product guide, for at least how long should you leave Firewall in adaptive mode?
For at least a week.
57
When is a rule not created automatically with Adaptive mode?
• There is no application associated with the packet when examined in the client activity log. Some of the most common examples include:
  • Incoming requests for services that aren't running, such as FTP or telnet
  • Incoming ICMP, such as an echo request
  • Incoming or outgoing ICMP on Windows Vista
  • TCP packets to port 139 (NetBIOS SSN) or 445 (MSDS), which might be required for Windows file sharing
  • IPsec packets associated with VPN client solutions
• There is already a rule that blocks or allows the packet.
• The applied Rules policy has a location-aware group with connection isolation enabled and the following is true:
  • An active NIC matches the group.
  • The packet is sent or received on a NIC that doesn't match the group.
• The packet isn't TCP, UDP, or ICMP.
• More than one user is logged on to the system, or no user is logged on to the system.