Firewall Flashcards

1
Q

Give a high level overview of Firewall

A

Firewall protects systems, network resources, and applications from external and internal attacks.

Firewall scans all incoming and outgoing traffic and compares it to its list of firewall rules, which is a set of
criteria with associated actions. If a packet matches all criteria in a rule, the firewall acts according to the rule,
blocking or allowing the packet through the firewall.

2
Q

What features make up the “Protect” section of Firewall?

A

Rules, Rule Groups, Stateful Packet Filtering and inspection, Reputation Based Control

3
Q

What features make up the “Detect” section of Firewall?

A

Dashboards and Monitors, Queries and Reports, Alerts, Log Traffic

4
Q

What features make up the “Correct” section of Firewall?

A

Adaptive Mode, Defined Networks, Trusted Executables, Firewall Catalog, Client Options, Dashboards and monitors

5
Q

Give a High Level Explanation of Firewall “Rules”

A

A way to define the criteria Firewall uses to determine whether to block or allow incoming and outgoing traffic.

6
Q

Give a High Level Explanation of Firewall “Rule Groups”

A

Organize firewall rules for easy management, enabling you to apply rules manually or on a schedule, and to only process traffic based on connection type.

7
Q

Give a High Level Explanation of “Stateful packet filtering and inspection”

A

Track network connection state and characteristics in a state table, allowing only packets that match a known open connection.

8
Q

Give a High Level Explanation of Firewall “Reputation-based control”

A

Block untrusted executables, or all traffic from an untrusted network, based on reputation

9
Q

Give a High Level Explanation of Adaptive mode

A

Create rules automatically on the client system to allow legitimate activity.
Once created, analyze client rules to decide which to convert to server-mandated policies.

10
Q

Give a High Level Explanation of “Defined Networks”

A

Define trusted networks to allow traffic from networks that your organization considers safe

11
Q

Give a High Level Explanation of “Firewall Catalog”

A

Define rules and groups to add to multiple policies, or networks and applications to add to firewall rules

12
Q

How does Firewall work?

A

It scans all incoming and outgoing traffic at the packet level and compares packets to the configured firewall rules to determine whether to allow or block the traffic

1 The administrator configures firewall rules in McAfee ePO and enforces the policy to the client system.

2 The user performs a task that initiates network activity and generates traffic.

3 Firewall scans all incoming and outgoing traffic and compares packets to configured rules. If the traffic
matches a rule, Firewall blocks or allows it, based on the rule criteria.

4 Firewall logs the details, then generates and sends an event to McAfee ePO.

13
Q

How do firewall rules work?

A
  • Determine how to handle network traffic
  • Each rule provides a set of conditions that traffic must meet, and an action to allow or block traffic
  • When firewall finds traffic that matches a rule’s conditions, it performs the associated action
14
Q

How does the order of firewall rules affect the way they’re used?

A

Firewall uses precedence to apply rules:

1 Firewall applies the rule at the top of the firewall rules list. If the traffic meets this rule’s conditions, Firewall allows or blocks the traffic. It doesn’t try to apply any other rules in the list.

2 If the traffic doesn’t meet the first rule’s conditions, Firewall continues to the next rule in the list until it finds
a rule that the traffic matches.

3 If no rule matches, the firewall automatically blocks the traffic.

15
Q

What happens if all of the configured Firewall rules are applied and none match the sample?

A

It’s automatically blocked

16
Q

What happens if all of the configured Firewall rules are applied and none match the sample, and adaptive mode is active?

A

an Allow rule is created for the traffic

17
Q

What happens if intercepted traffic matches more than one rule in the list?

A

Firewall applies only the first matching rule in the list

18
Q

What is the best practice in regards to rule order?

A

The more specific rules should be placed at the top of the list, and the more general rules at the bottom, which ensures that Firewall filters traffic appropriately

19
Q

How do firewall rule groups work?

A

Firewall rule groups organize firewall rules for easy management. They do not affect the way Firewall handles rules; the software processes rules from top to bottom

20
Q

Does Firewall prioritize the settings of a rule group first in processing, or the settings for the individual rules it contains?

A

It processes the settings for the group first.

21
Q

If a conflict exists between the settings of a firewall group, and the rules it contains, what happens?

A

The group settings take precedence

22
Q

What are Timed Groups?

A

Timed groups are Firewall rule groups that are active for a set time.

For example, a timed group can be enabled to allow a client system to connect to a public network and establish a VPN connection

Groups can be activated either: on a specified schedule, or manually by selecting options from the McAfee system tray icon

23
Q

What are Connection Isolation Groups?

A

Process only traffic that matches a defined connection type and group criteria

24
Q

What are the predefined firewall rule groups in ePO

A

McAfee core networking - Contains the core networking rules provided by McAfee and includes rules to allow
McAfee applications and DNS.
ePO Server - Contains rules to allow McAfee ePO services to run.
Basic Networking - Contains rules to allow basic networking services, such as DNS, to run.
VPN - Contains rules to allow VPN services to run.
ICMP - Contains rules to allow all ICMP traffic.
Windows AD Authentication - Contains rules to allow Windows Active Directory authentication.
NetBIOS - Contains rules to allow inbound and outbound NetBIOS services and sessions, and
block untrusted NetBIOS services.
Web/FTP - Contains rules to allow outbound HTTPS and FTP services.
Mail clients - Contains rules to allow outbound mail services, such as POP.
Network tools - Contains rules to allow Remote Desktop (RDP) connections.

25
Q

What are the predefined firewall rule groups on the client?

A

McAfee core networking - Contains the core networking rules provided by McAfee and includes rules to allow McAfee applications and DNS

Admin-defined - Contains rules defined by the administrator of the management server

User-defined - Contains rules defined on the ENS Client

Adaptive - Contains client exception rules that are created automatically when the system is in Adaptive mode

Default - Contains default rules provided by McAfee

26
Q

What are the parameters for allowed connections that can be included after enabling location status and naming the location in a location aware group?

A
  • Connection-specific DNS suffix
  • Primary WINS server IP address
  • Default gateway IP address
  • Secondary WINS server IP address
  • DHCP server IP address
  • Domain reachability (HTTPS)
  • DNS server queried to resolve URLs
  • Registry key
  • Single IP address
  • Range
  • Subnet
27
Q

How does the connection isolation setting work?

A

Prevents undesirable traffic from accessing a designated network.

When connection isolation is enabled for a group, and an active Network Interface Card matches the group criteria, Firewall only processes traffic that matches:

  • Allow rules above the group in the firewall rules list
  • Group criteria

All other traffic is blocked

28
Q

What is stateful packet filtering?

A

The stateful tracking of TCP/UDP/ICMP protocol information at Transport Layer 4 and lower of the OSI network stack.

29
Q

What is the state table?

A

The state table dynamically tracks connections previously matched against a static rule set, and reflects the current connection state of the TCP/UDP/ICMP protocols. If an inspected packet matches an existing entry in the state table, the packet is allowed without further scrutiny. When a connection is closed or times out, its entry is removed from the state table.

30
Q

What is stateful packet inspection?

A

The process of stateful packet filtering and tracking commands at Application Layer 7 of the OSI network stack. This combination offers a strong definition of the computer’s connection state. Access to the application-level commands provides error-free inspection and securing of the FTP protocol

31
Q

How does stateful packet filtering work?

A

Each packet is examined. If the inspected packet matches an existing firewall Allow rule, the packet is allowed and an entry is made in the state table.

32
Q

What do entries in a state table base their definitions of connections on?

A

• Protocol — The predefined way one service talks with another; includes TCP, UDP, and ICMP protocols.
• IP addresses for local and remote computers — Each computer is assigned a unique IP address. IPv4, the
current standard for IP addresses, permits addresses 32 bits long, whereas IPv6, a newer standard, permits
addresses 128 bits long. Many operating systems, including Windows Vista and later, support IPv6. Firewall
supports both standards.
• Port numbers for local and remote computers — A computer sends and receives services using numbered
ports. For example, HTTP service typically is available on port 80, and FTP services on port 21. Port numbers
range from 0–65535.
• Process ID (PID) — A unique identifier for the process associated with a connection’s traffic.
• Timestamp — The time of the last incoming or outgoing packet associated with the connection.
• Timeout — The time limit (in seconds) after which the entry is removed from the table if no packet matching
the connection is received. The timeout for TCP connections is enforced only when the connection isn’t
established.
• Direction — The direction (incoming or outgoing) of the traffic that triggered the entry. After a connection is
established, bidirectional traffic is allowed even with unidirectional rules, provided the entry matches the
connection’s parameters in the state table.

33
Q

If firewall rule sets change, what happens in the state table?

A

All active connections are checked against the new rule set. If no matching rule is found, the connection entry is discarded from the state table

34
Q

If an adapter obtains a new IP address, what happens in the state table?

A

The firewall recognizes the new configuration and drops all state table entries with invalid local IP addresses

35
Q

What happens in the state table when a process ends?

A

All entries in the state table associated with that process are deleted.
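
The first-match rule walk of cards 14 to 18, the adaptive-mode fallback of card 16, and the state-table behaviour of cards 29 and 31 to 35, modelled as an added example. This is not McAfee code: the Packet, Rule and Firewall names, the criteria placed on an adaptive rule, the 60-second idle timeout and the treatment of an unsupported protocol as an option are assumptions made for illustration. TCP handshake state is not modelled here.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not McAfee code: toy first-match rule engine with a state table.
# Field names, adaptive-rule criteria and timeout values are assumptions.

@dataclass(frozen=True)
class Packet:
    proto: str                  # "TCP", "UDP", "ICMP"; anything else is unsupported
    direction: str              # "in" or "out"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    pid: Optional[int] = None   # None: no local process is associated with the traffic

@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    proto: Optional[str] = None        # an unset criterion matches anything
    direction: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # a packet matches only when every criterion that is set matches
        wanted = [(self.proto, p.proto), (self.direction, p.direction),
                  (self.remote_ip, p.remote_ip), (self.remote_port, p.remote_port)]
        return all(w is None or w == have for w, have in wanted)

@dataclass
class Entry:
    direction: str      # direction of the packet that created the entry
    last_seen: float    # timestamp of the last packet on the connection
    timeout: float      # idle seconds after which the entry is removed

class Firewall:
    def __init__(self, rules, adaptive=False, timeout=60.0, allow_unsupported=False):
        self.rules = list(rules)            # admin rules, processed top to bottom
        self.adaptive = adaptive
        self.timeout = timeout
        self.allow_unsupported = allow_unsupported  # the "unsupported protocols" option
        self.adaptive_rules = []            # client rules created in adaptive mode
        self.state = {}                     # connection key -> Entry

    @staticmethod
    def key(p):
        # direction is not part of the key: one entry covers both directions
        return (p.proto, p.local_ip, p.local_port, p.remote_ip, p.remote_port, p.pid)

    def first_match(self, p):
        # the first rule whose criteria all match wins; adaptive rules form
        # their own group below the admin rules
        for r in self.rules + self.adaptive_rules:
            if r.matches(p):
                return r
        return None

    def filter(self, p, now):
        k = self.key(p)
        e = self.state.get(k)
        if e is not None:
            if now - e.last_seen <= e.timeout:
                e.last_seen = now
                return "allow"              # known connection: no further scrutiny
            del self.state[k]               # idle longer than the timeout
        if p.proto not in ("TCP", "UDP", "ICMP"):
            return "allow" if self.allow_unsupported else "block"
        r = self.first_match(p)
        if r is None and self.adaptive and p.pid is not None:
            # adaptive mode: nothing matched, so a client Allow rule is created
            # (its criteria are an assumption) and the traffic is let through
            r = Rule("adaptive-%d" % len(self.adaptive_rules), "allow", proto=p.proto,
                     direction=p.direction, remote_ip=p.remote_ip, remote_port=p.remote_port)
            self.adaptive_rules.append(r)
        if r is None or r.action != "allow":
            return "block"                  # no matching rule: blocked by default
        self.state[k] = Entry(p.direction, now, self.timeout)
        return "allow"

    def replace_rules(self, rules):
        # rule set changed: every live connection is re-checked and entries
        # without a matching Allow rule are discarded
        self.rules = list(rules)
        for k, e in list(self.state.items()):
            proto, lip, lport, rip, rport, pid = k
            r = self.first_match(Packet(proto, e.direction, lip, lport, rip, rport, pid))
            if r is None or r.action != "allow":
                del self.state[k]

    def readdress(self, valid_local_ips):
        # an adapter obtained a new address: entries with a stale local IP go
        self.state = {k: e for k, e in self.state.items() if k[1] in valid_local_ips}

    def process_ended(self, pid):
        # every entry belonging to the finished process is deleted
        self.state = {k: e for k, e in self.state.items() if k[5] != pid}
```

Swapping the order of a specific block rule and a general allow rule in this model changes the verdict for the same packet, which is the point of card 18: the specific rule has to sit above the general one.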

36
Q

How does stateful packet inspection work?

A

Combines stateful filtering with access to application-level commands, which secures protocols such as FTP.

37
Q

How is UDP protocol handled by Firewall?

A

A UDP connection is added to the state table when a matching static rule is found and the action
from the rule is Allow. Generic UDP connections remain in the state table as long as the
connection isn’t idle longer than the specified timeout period. These connections carry
application-level protocols unknown to the firewall.

38
Q

How is ICMPv4/v6 protocol handled by Firewall?

A

Only ICMP Echo Request and Echo Reply message types are tracked.
In contrast to the reliable connection-oriented TCP protocol, UDP and ICMPv4/v6 are less reliable,
connectionless protocols. To secure these protocols, the firewall considers generic UDP and ICMP
connections to be virtual connections. Virtual connections are held only as long as the connection
isn’t idle longer than the timeout period specified for the connection. Set the timeout for virtual
connections in the Firewall Options settings.

39
Q

How is TCP protocol handled by Firewall?

A

TCP protocol works on the 3-way handshake.
1 The client computer initiates a new connection, sending a packet to its target with the SYN bit set.
2 The target responds by sending a packet to the client with the SYN and ACK bits set.
3 The client responds by sending a packet with the ACK bit set, and the stateful connection is
established.
All outgoing packets are allowed, but only incoming packets that are part of the established
connection are allowed. An exception is when the firewall first queries the TCP protocol and adds
all pre-existing connections that match the static rules. Pre-existing connections without a
matching static rule are blocked. The TCP connection timeout is enforced only when the
connection isn’t established. A second or forced TCP timeout applies to established TCP
connections only. A registry setting controls this timeout, which has a default value of one hour.
Every four minutes the firewall queries the TCP stack and discards connections that TCP doesn’t
report.
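
The handshake tracking just described, as an added example that is not McAfee code. It models the three handshake steps, the handshake timeout that applies only while a connection is not yet established, the separate forced timeout for established connections, the startup adoption of pre-existing connections, and the periodic reconciliation against what the TCP stack reports. The TcpTracker name, the 30-second handshake timeout and the use of a set of allowed remote ports in place of the real static rule list are assumptions.

```python
from dataclasses import dataclass

# Added example, not McAfee code: toy tracker for TCP handshake state.
# Names and timeout values are assumptions made for illustration.

SYN_SENT, ESTABLISHED = "SYN_SENT", "ESTABLISHED"

@dataclass
class Conn:
    state: str
    last_seen: float

class TcpTracker:
    def __init__(self, allowed_remote_ports, handshake_timeout=30.0, forced_timeout=3600.0):
        # allowed_remote_ports stands in for the static Allow rules for outgoing connections
        self.allowed = set(allowed_remote_ports)
        self.handshake_timeout = handshake_timeout   # enforced only while not established
        self.forced_timeout = forced_timeout         # the registry-controlled one-hour default
        self.conns = {}   # (local_ip, local_port, remote_ip, remote_port) -> Conn

    def adopt(self, existing, now):
        # at startup the firewall queries the TCP stack: pre-existing connections
        # with a matching static rule are added, the rest are left out (blocked)
        for key in existing:
            if key[3] in self.allowed:
                self.conns[key] = Conn(ESTABLISHED, now)

    def _live(self, key, now):
        # returns the tracked connection, expiring it first if it idled too long
        c = self.conns.get(key)
        if c is None:
            return None
        limit = self.handshake_timeout if c.state == SYN_SENT else self.forced_timeout
        if now - c.last_seen > limit:
            del self.conns[key]
            return None
        return c

    def packet(self, key, direction, flags, now):
        """key = (local_ip, local_port, remote_ip, remote_port); flags is a set of
        "SYN" / "ACK" / "FIN" / "RST" strings. Returns "allow" or "block"."""
        c = self._live(key, now)
        if direction == "out":
            if key[3] not in self.allowed:
                return "block"                       # no static Allow rule for this destination
            if flags == {"SYN"}:
                self.conns[key] = Conn(SYN_SENT, now)  # step 1: half-open entry
            elif c is not None:
                if c.state == SYN_SENT and "ACK" in flags:
                    c.state = ESTABLISHED            # step 3: the connection is established
                c.last_seen = now
            return "allow"                           # outgoing packets matching a rule pass
        # incoming: only packets belonging to a tracked connection are allowed
        if c is None:
            return "block"
        if c.state == SYN_SENT and flags != {"SYN", "ACK"}:
            return "block"                           # only the SYN-ACK (step 2) fits a half-open entry
        c.last_seen = now
        return "allow"

    def reconcile(self, reported, now):
        # the real firewall asks the TCP stack every four minutes which
        # connections exist and discards entries the stack no longer reports
        for key in list(self.conns):
            if key not in reported:
                del self.conns[key]
        return len(self.conns)
```

An unsolicited inbound SYN-ACK, or an inbound ACK to a half-open entry, is blocked in this model because neither belongs to a connection the tracker has seen the local side open; once step 3 has been seen, inbound segments on that four-tuple pass until the forced timeout or the stack stops reporting the connection.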

40
Q

How is DNS Protocol handled by Firewall?

A

Query/response matching makes sure that DNS responses are only allowed:
• To the local port that originated the query
• From a remote IP address that has been queried during the UDP Virtual Connection Timeout
interval
Incoming DNS responses are allowed if:
• The connection in the state table hasn’t expired.
• The response comes from the same remote IP address and port where the request was sent.

41
Q

How is DHCP Protocol handled by Firewall?

A

Query/response matching makes sure that return packets are allowed only for legitimate queries.
Thus incoming DHCP responses are allowed if:
• The connection in the state table hasn’t expired.
• The response transaction ID matches the one from the request.
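
The query/response matching of cards 37, 40 and 41 as an added example, not McAfee code. DNS replies are matched on the originating local port and the remote IP address and port the query went to, within the UDP virtual connection timeout; DHCP replies are matched on the transaction ID parsed from the BOOTP header, because the reply's source address need not equal the broadcast address the request was sent to. The UdpTracker name, the 60-second timeout and the constructed DHCP messages are assumptions; the function assumes a static Allow rule already matched the outgoing packet.

```python
import struct

# Added example, not McAfee code: query/response matching for UDP virtual
# connections. The DHCP messages are constructed for the example.

UDP_VIRTUAL_TIMEOUT = 60.0   # assumed value of the virtual connection timeout option

def dhcp_xid(payload):
    # BOOTP/DHCP header: op, htype, hlen, hops (one byte each), then the 4-byte xid
    if len(payload) < 8:
        raise ValueError("short DHCP message")
    return struct.unpack("!BBBBI", payload[:8])[4]

def dhcp_message(op, xid):
    # minimal constructed message: header fields above, padded to the fixed
    # 236-byte BOOTP header; options are omitted since the check does not need them
    return struct.pack("!BBBBI", op, 1, 6, 0, xid) + b"\x00" * 228

class UdpTracker:
    def __init__(self, timeout=UDP_VIRTUAL_TIMEOUT):
        self.timeout = timeout
        self.dns = {}    # local_port -> (remote_ip, remote_port, time of query)
        self.dhcp = {}   # xid -> (local_port, time of request)

    def outgoing(self, local_port, remote_ip, remote_port, payload, now):
        # an allowed outgoing query opens a virtual connection; remote port 53
        # is DNS and remote port 67 is the DHCP server port
        if remote_port == 53:
            self.dns[local_port] = (remote_ip, remote_port, now)
        elif remote_port == 67:
            self.dhcp[dhcp_xid(payload)] = (local_port, now)
        return "allow"

    def incoming(self, local_port, remote_ip, remote_port, payload, now):
        if remote_port == 53:
            entry = self.dns.get(local_port)
            if entry is None:
                return "block"                   # no query left this local port
            rip, rport, seen = entry
            if now - seen > self.timeout:
                del self.dns[local_port]         # virtual connection expired
                return "block"
            # the reply must come from the IP and port the query was sent to
            return "allow" if (rip, rport) == (remote_ip, remote_port) else "block"
        if remote_port == 67:
            xid = dhcp_xid(payload)
            entry = self.dhcp.get(xid)
            if entry is None:
                return "block"                   # transaction ID matches no request
            lport, seen = entry
            if now - seen > self.timeout:
                del self.dhcp[xid]
                return "block"
            return "allow" if lport == local_port else "block"
        return "block"   # generic UDP virtual connections are not modelled here
```

A reply from a different resolver than the one queried, a reply to a port that sent no query, and a DHCP offer with a transaction ID that matches no outstanding request are all blocked; the legitimate reply is allowed only while the virtual connection has not expired.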

42
Q

How do Trusted Networks work

A

Trusted networks are IP addresses, IP address ranges, and subnets that your organization considers safe.

Defining a network as trusted causes Firewall to create an internal bi-directional Allow rule with remote network criteria set to the trusted network. Any traffic to and from the trusted networks is allowed.

43
Q

How do Trusted Executables and Applications work?

A

Configuring a trusted executable creates a bi-directional allow for that executable at the top of the Firewall rules list.

Maintaining a list of safe executables for a system reduces or eliminates most false positives.

44
Q

What is the firewall catalog?

A

Found in McAfee ePO under Policy, the Firewall Catalog includes previously added firewall rule and firewall group items.

When referencing a catalog item, you create a dependent link between it and a firewall rule or group. Any change to the item in the catalog also changes the item wherever it is used

45
Q

What is the Link Layer?

A

The link layer protocol describes the media access control (MAC) method, and some minor error-detection
facilities.

Ethernet LAN (802.3), wireless Wi-Fi (802.11x), and virtual (VPN) links are in this layer. Both firewall rules and
groups distinguish between wired, wireless, and virtual links.
46
Q

What is the Network Layer?

A

The network layer protocols define whole-network addressing schemes, routing, and network control schemes.

Firewall also supports arbitrary non-IP protocols at this layer, but can’t detect any network or transport layer parameters for them.

At best, this layer allows the administrator to block or allow these network layer protocols.

47
Q

What is TCP

A

TCP is a connection-oriented, reliable transport protocol. It guarantees that the data contained in
network packets are delivered reliably, and in order. It also controls the rate at which data is
received and transmitted. This control requires a certain amount of overhead, and makes the
timing of TCP operations unpredictable when network conditions are suboptimal.

TCP is the transport layer for most application protocols. HTTP, FTP, SMTP, RDP, SSH, POP, and
IMAP all use TCP.

TCP multiplexes between application-layer protocols using the concept of “ports.” Each TCP
packet contains a source and destination port number, from 0–65535. Usually, the server end of
a TCP connection listens for connections on a fixed port

48
Q

What is UDP

A

User Datagram Protocol is a connectionless best-effort transport protocol. It makes no
guarantees about reliability or packet order, and lacks flow control features. In practice, it has
some desirable properties for certain classes of traffic.

UDP is often used as a transport protocol for performance-critical applications. It is also used in
real-time multi-media applications. A dropped packet causes only a momentary glitch in the
datastream and is more acceptable than a stream that stops to wait for retransmission. IP
telephony and videoconferencing software often uses UDP, as do some multi-player video games.

The UDP multiplexing scheme is identical to that of TCP: each datagram has a source and
destination port, ranging from 0–65535.

49
Q

What is ICMP?

A

Internet Control Message Protocol, version 4 (ICMPv4) and version 6 (ICMPv6), is used as an
out-of-band communication channel between IP hosts. It is useful in troubleshooting, and
needed for the proper function of an IP network, because it is the error reporting mechanism.

IPv4 and IPv6 have separate, unrelated ICMP protocol variants. ICMPv4 is often called simply
ICMP.

ICMPv6 is important in an IPv6 network. It is used for several critical tasks, such as neighbor
discovery (which ARP handles in an IPv4 network). Users are discouraged from blocking ICMPv6
traffic if IPv6 is supported on their network.

Instead of port numbers, both versions of ICMP define message types. Echo Request and Echo
Reply are used for ping. Destination Unreachable messages indicate routing failures. ICMP also
implements a Traceroute facility, though UDP and TCP can also be used for this purpose.

50
Q

How does Firewall handle common unsupported protocols?

A

Traffic belonging to these protocols, usually with an unparsable EtherType, is always blocked or always allowed, depending on the selection in the options setting.

51
Q

How does McAfee GTI work with Firewall

A

Firewall uses the value of the Incoming network-reputation threshold and Outgoing network-reputation threshold options to create internal rules on the client system. If incoming or outgoing traffic matches these rules, Firewall queries McAfee GTI for the reputation of the source or destination IP address. Firewall uses this
information to determine whether to block incoming or outgoing traffic.

• Treat match as intrusion — Treats traffic that matches the McAfee GTI block threshold setting as an
intrusion and displays an alert.
• Log matching traffic — Treats traffic that matches the McAfee GTI block threshold setting as a detection
and displays an event in the Event Log on the Endpoint Security Client. Firewall also sends an event to
McAfee ePO.

52
Q

What are the reputation levels used with GTI & FireWall?

A

• Do not block (minimal risk) — This is a legitimate source or destination of content/traffic.
• High Risk — This source/destination sends or hosts potentially malicious content/traffic that McAfee
considers risky.
• Medium Risk — This source/destination shows behavior that McAfee considers suspicious. Any content/
traffic from the site requires special scrutiny.
• Unverified — This site appears to be a legitimate source or destination of content/traffic, but also
displays properties suggesting that further inspection is needed.

53
Q

Does McAfee GTI introduce latency? How much?

A

When McAfee GTI is contacted to do a reputation lookup, some latency is inevitable. McAfee does
everything possible to minimize this latency. McAfee GTI:
• Checks reputations only when the options are selected.
• Uses an intelligent caching architecture. In normal network usage patterns, the cache resolves most
wanted connections without a live reputation query.

54
Q

If Firewall can’t reach the McAfee GTI servers, does traffic stop?

A

If McAfee GTI is not reachable, you can configure Firewall to either block all traffic by default or allow
traffic unless firewall rules specifically block it.

55
Q

How does tuning work?

A

Tuning involves balancing intrusion prevention protection with access to required information and applications, per group type.

56
Q

According to the product guide, for at least how long should you leave Firewall in adaptive mode?

A

For at least a week

57
Q

When is a rule not created automatically with Adaptive mode?

A

• There is no application associated with the packet when examined in the client activity log. Some of the most common examples include:
    • Incoming requests for services that aren’t running, such as FTP or telnet
    • Incoming ICMP, such as an echo request
    • Incoming or outgoing ICMP on Windows Vista
    • TCP packets to port 139 (NetBIOS SSN) or 445 (MSDS), which might be required for Windows file sharing
    • IPsec packets associated with VPN client solutions
• There is already a rule that blocks or allows the packet.
• The applied Rules policy has a location-aware group with connection isolation enabled and the following is true:
    • An active NIC matches the group.
    • The packet is sent or received on a NIC that doesn’t match the group.
• The packet isn’t TCP, UDP, or ICMP.
• More than one user is logged on to the system, or no user is logged on to the system.