McAfee Firewall version 3.0 User Manual

McAfee Firewall
VERSION 3.0
GETTING STARTED
COPYRIGHT
© September 2001 Networks Associates Technology, Inc and its Affiliated Companies. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network Associates, Inc.
Active Security, Activehelp, Activeshield, Antivirus Anyware And Design, Bomb Shelter, Building A World Of Trust, Certified Network Expert, Clean-up, Cleanup Wizard, Cloaking, Cnx, Cnx Certification Certified Network Expert And Design, Cybercop, Cybermedia, Cybermedia Uninstaller, Data Security Letter And Design, Design (Logo), Design (Rabbit With Hat), Design (Stylized N), Disk Minder, Distributed Sniffer System, Distributed Sniffer System (In Katakana), Dr Solomon's, Dr Solomon's Label, Enterprise Securecast, Ez Setup, First Aid, Forcefield, Gauntlet, Gmt, Groupshield, Guard Dog, Helpdesk, Homeguard, Hunter, I C Expert, Isdn Tel/scope, Lan Administrature Architecture And Design, Langura, Languru (In Katakana), Lanwords, Leading Help Desk Technology, Lm1, M And Design, Magic Solutions, Magic University, Magicspy, Magictree, Magicword, Mc Afee Associates, Mcafee, Mcafee (In Katakana), Mcafee And Design, Netstalker, Mcafee Associates, Moneymagic, More Power To You, Multimedia Cloaking, Mycio.com, Mycio.com Design (Cio Design), Mycio.com Your Chief Internet Officer & Design, Nai And Design, Net Tools, Net Tools (And In Katakana), Netcrypto, Netoctopus, Netroom, Netscan, Netshield, Netstalker, Network Associates, Network General, Network Uptime!, Netxray, Notesguard, Nuts & Bolts, Oil Change, Pc Medic, Pc Medic 97, Pcnotary, Pgp, Pgp (Pretty Good Privacy), Pocketscope, Powerlogin, Powertelnet, Pretty Good Privacy, Primesupport, Recoverkey, Recoverkey International, Registry Wizard, Reportmagic, Ringfence, Router Pm, Salesmagic, Securecast, Service Level Manager, Servicemagic, Smartdesk, Sniffer, Sniffer (In Hangul), Sniffmaster, Sniffmaster (In Hangul), Sniffmaster (With Katakana), Sniffnet, Stalker, Stalker (Stylized), Statistical Information Retreival (Sir), Supportmagic, Telesniffer, Tis, Tmach, Tmeg, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virus Forum, Viruscan, Virusscan, Vshield, Webscan, Webshield, Websniffer, Webstalker, Webwall, Who's Watching Your Network, Winguage, Your E-business Defender, Zac 2000, Zip Manager are registered trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ©2001 Networks Associates Technology, Inc. All Rights Reserved.
Issued September 2001 / Getting Started v3.0
McAfee Perpetual End User License Agreement - United States of America
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") PRODUCED BY NETWORK ASSOCIATES, INC. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.)
1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right to use one copy of the specified version of the Software and the accompanying documentation (the "Documentation"). You may install one copy of the Software on one computer, workstation, personal digital assistant, pager, "smart phone" or other electronic device for which the Software was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more than one specified Software product, this license applies to all such specified Software products, subject to any restrictions or usage terms specified on the applicable price list or product packaging that apply to any of such Software products individually.
a. Use. The Software is licensed as a single product; it may not be used on more than one Client Device or by more than one user at a time, except as set forth in this Section 1. The Software is "in use" on a Client Device when it is loaded into the temporary memory (i.e., random-access memory or RAM) or installed into the permanent memory (e.g., hard disk, CD-ROM, or other storage device) of that Client Device. This license authorizes you to make one copy of the Software solely for backup or archival purposes, provided that the copy you make contains all of the Software's proprietary notices unaltered and unobstructed.
b. Server-Mode Use. You may use the Software on a Client Device as a server ("Server") within a multi-user or networked environment ("Server-Mode") only if such use is permitted in the applicable price list or product packaging for the Software. A separate license is required for each Client Device or "seat" that may connect to the Server at any time, regardless of whether such licensed Client Devices or seats are concurrently connected to, accessing or using the Software. Use of software or hardware that reduces the number of Client Devices or seats directly accessing or utilizing the Software (e.g., "multiplexing" or "pooling" software or hardware) does not reduce the number of licenses required (i.e., the required number of licenses would equal the number of distinct inputs to the multiplexing or pooling software or hardware "front end"). If the number of Client Devices or seats that can connect to the Software can exceed the number of licenses you have obtained, then you must have a reasonable mechanism in place to ensure that your use of the Software does not exceed the use limits specified for the licenses you have obtained. This license authorizes you to make or download one copy of the Documentation for each Client Device or seat that is licensed, provided that each such copy contains all of the Documentation's proprietary notices unaltered and unobstructed.
c. Volume License Use. If the Software is licensed with volume license terms specified in the applicable product invoicing or product packaging for the Software, you may make, use and install as many additional copies of the Software on the number of Client Devices as the volume license terms specify. You must have a reasonable mechanism in place to ensure that the number of Client Devices on which the Software has been installed does not exceed the number of licenses you have obtained. This license authorizes you to make or download one copy of the Documentation for each additional copy authorized by the volume license, provided that each such copy contains all of the Documentation's proprietary notices unaltered and unobstructed.
2. Term. This Agreement is effective for an unlimited duration unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must cease use of the Software and destroy all copies of the Software and the Documentation.
3. Updates. For the time period specified in the applicable product invoicing or product packaging for the Software, you are entitled to download revisions or updates to the Software when and as McAfee publishes them via its electronic bulletin board system, website or through other online services. For a period of ninety (90) days from the date of original purchase of the Software, you are entitled to download one (1) revision or upgrade to the Software when and as McAfee publishes it via its electronic bulletin board system, website or through other online services. After the specified time period, you have no further rights to receive any revisions or upgrades without purchase of a new license to the Software.
4. Ownership Rights. The Software is protected by United States copyright laws and international treaty provisions. McAfee and its suppliers own and retain all right, title and interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein. Your possession, installation, or use of the Software does not transfer to you any title to the intellectual property in the Software, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. All copies of the Software and Documentation made hereunder must contain the same proprietary notices that appear on and in the Software and Documentation.
5. Restrictions. You may not sell, lease, license, rent, loan or otherwise transfer, with or without consideration, the Software. You shall not disclose the results of any benchmark test that you make of the Software to any third parties without McAfee's prior written consent. Customer agrees not to permit any third party (other than third parties under contract with Customer which contains nondisclosure obligations no less restrictive than those set forth herein) to use the Licensed Program in any form and shall use all reasonable efforts to ensure that no improper or unauthorized use of the Licensed Program is made. You may not permit third parties to benefit from the use or functionality of the Software via a timesharing, service bureau or other arrangement, except to the extent such use is specified in the applicable list price or product packaging for the Software. You may not transfer any of the rights granted to you under this Agreement. You may not reverse engineer, decompile, or disassemble the Software, except to the extent the foregoing restriction is expressly prohibited by applicable law. You may not modify, or create derivative works based upon, the Software in whole or in part. You may not copy the Software or Documentation except as expressly permitted in Section 1 above. You may not remove any proprietary notices or labels on the Software. All rights not expressly set forth hereunder are reserved by McAfee.
6. Warranty and Disclaimer.
a. Limited Warranty. McAfee warrants that for sixty (60) days from the date of original purchase the media (e.g., diskettes) on which the Software is contained will be free from defects in materials and workmanship.
b. Customer Remedies. McAfee's and its suppliers' entire liability and your exclusive remedy for any breach of the foregoing warranty shall be, at McAfee's option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the defective media in which the Software is contained. You must return the defective media to McAfee at your expense with a copy of your receipt. This limited warranty is void if the defect has resulted from accident, abuse, or misapplication. Any replacement media will be warranted for the remainder of the original warranty period. Outside the United States, this remedy is not available to the extent McAfee is subject to restrictions under United States export control laws and regulations.
c. Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MCAFEE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE ACCOMPANYING DOCUMENTATION. YOU ASSUME RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING THE FOREGOING PROVISIONS, MCAFEE MAKES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET YOUR REQUIREMENTS. SOME STATES AND JURISDICTIONS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
7. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE OR ITS SUPPLIERS BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY AND ALL OTHER DAMAGES OR LOSSES. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE LIST PRICE MCAFEE CHARGES FOR A LICENSE TO THE SOFTWARE, EVEN IF MCAFEE SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH LIMITATION. FURTHERMORE, SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
8. United States Government. The Software and accompanying Documentation are deemed to be "commercial computer software" and "commercial computer software documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Software and accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.
9. Export Controls. You are advised that the Software is subject to the U.S. Export Administration Regulations. You shall not export, import or transfer Software contrary to U.S. or other applicable laws, whether directly or indirectly, and will not cause, approve or otherwise facilitate others such as agents or any third parties in doing so. You represent and agree that neither the United States Bureau of Export Administration nor any other federal agency has suspended, revoked or denied your export privileges. You agree not to use or transfer the Software for end use relating to any nuclear, chemical or biological weapons, or missile technology unless authorized by the U.S. Government by regulation or specific license. Additionally, you acknowledge that the Software is subject to export control regulations in the European Union and you hereby declare and agree that the Software will not be used for any other purpose than civil (non-military) purposes. The parties agree to cooperate with each other with respect to any application for any required licenses and approvals, however, you acknowledge it is your ultimate responsibility to comply with any and all export and import laws and that McAfee has no further responsibility after the initial sale to you within the original country of sale.
10. High Risk Activities. The Software is not fault-tolerant and is not designed or intended for use in hazardous environments requiring fail-safe performance, including without limitation, in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, weapons systems, direct life-support machines, or any other application in which the failure of the Software could lead directly to death, personal injury, or severe physical or property damage (collectively, "High Risk Activities"). McAfee expressly disclaims any express or implied warranty of fitness for High Risk Activities.
11. Miscellaneous. This Agreement is governed by the laws of the United States and the State of California, without reference to conflict of laws principles. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. This Agreement sets forth all rights for the user of the Software and is the entire agreement between the parties. McAfee reserves the right to periodically audit you to ensure that you are not using any Software in violation of this Agreement. During your standard business hours and upon prior written notice, McAfee may visit you and you will make available to McAfee or its representatives any records pertaining to the Software to McAfee. The cost of any requested audit will be solely borne by McAfee, unless such audit discloses an underpayment or amount due to McAfee in excess of five percent (5%) of the initial license fee for the Software or you are using the Software in an unauthorized manner, in which case you shall pay the cost of the audit. This Agreement supersedes any other communications with respect to the Software and Documentation. This Agreement may not be modified except by a written addendum issued by a duly authorized representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by McAfee or a duly authorized representative of McAfee. If any provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full force and effect. The parties confirm that it is their wish that this Agreement has been written in the English language only.
12. MCAFEE CUSTOMER CONTACT. If you have any questions concerning these terms and conditions, or if you would like to contact McAfee for any other reason, please call (408) 988-3832, fax (408) 970-9727, or write: Network Associates, Inc., McAfee Software Division, 3965 Freedom Circle, Santa Clara, California 95054. http://www.nai.com.
McAfee Perpetual End User License Agreement - Canada
NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") BY NETWORK ASSOCIATES INTERNATIONAL B.V. ("McAfee"). BY CLICKING THE ACCEPT BUTTON OR INSTALLING THE SOFTWARE, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, CLICK THE BUTTON THAT INDICATES THAT YOU DO NOT ACCEPT THE TERMS OF THIS AGREEMENT AND DO NOT INSTALL THE SOFTWARE. (IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.)
1. License Grant. Subject to the payment of the applicable license fees, and subject to the terms and conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right to use one copy of the specified version of the Software and the accompanying documentation (the "Documentation"). You may install one copy of the Software on one computer, workstation, personal digital assistant, pager, "smart phone" or other electronic device for which the Software was designed (each, a "Client Device"). If the Software is licensed as a suite or bundle with more than one specified Software product, this license applies to all such specified Software products, subject to any restrictions or usage terms specified on the applicable price list or product packaging that apply to any of such Software products individually which you acknowledge you have received and read.
a. Use. The Software is licensed as a single product; it may not be used on more than one Client Device or by more than one user at a time, except as set forth in this Section 1. The Software is "in use" on a Client Device when it is loaded into the temporary memory (i.e., random-access memory or RAM) or installed into the permanent memory (e.g., hard disk, CD-ROM, or other storage device) of that Client Device. This license authorizes you to make one copy of the Software solely for backup or archival purposes, provided that the copy you make contains all of the Software's proprietary notices unaltered and unobstructed.
b. Server-Mode Use. You may use the Software on a Client Device as a server ("Server") within a multi-user or networked environment ("Server-Mode") only if such use is permitted in the applicable price list or product packaging for the Software which you acknowledge you have received and read. A separate license is required for each Client Device or "seat" that may connect to the Server at any time, regardless of whether such licensed Client Devices or seats are concurrently connected to, accessing or using the Software. Use of software or hardware that reduces the number of Client Devices or seats directly accessing or utilizing the Software (e.g., "multiplexing" or "pooling" software or hardware) does not reduce the number of licenses required (i.e., the required number of licenses would equal the number of distinct inputs to the multiplexing or pooling software or hardware "front end"). If the number of Client Devices or seats that can connect to the Software can exceed the number of licenses you have obtained, then you must have a reasonable mechanism in place to ensure that your use of the Software does not exceed the use limits specified for the licenses you have obtained. This license authorizes you to make or download one copy of the Documentation for each Client Device or seat that is licensed, provided that each such copy contains all of the Documentation's proprietary notices unaltered and unobstructed.
c. Volume License Use. If the Software is licensed with volume license terms specified in the applicable price list or product packaging for the Software, you may make, use and install as many additional copies of the Software on the number of Client Devices as the volume license authorizes. You must have a reasonable mechanism in place to ensure that the number of Client Devices on which the Software has been installed does not exceed the number of licenses you have obtained. This license authorizes you to make or download one copy of the Documentation for each additional copy authorized by the volume license, provided that each such copy contains all of the Documentation's proprietary notices unaltered and unobstructed.
2. Term. This Agreement is effective for an unlimited duration unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must cease use of the Software and destroy all copies of the Software and the Documentation.
3. Updates. For the time period specified in the applicable price list or product packaging for the Software, you are entitled to download revisions or updates to the Software when and as McAfee publishes them via its electronic bulletin board system, website or through other online services. For a period of ninety (90) days from the date of original purchase of the Software, you are entitled to download one (1) revision or upgrade to the Software when and as McAfee publishes it via its electronic bulletin board system, website or through other online services. After the specified time period, you have no further rights to receive any revisions or upgrades without purchase of a new license to the Software.
4. Ownership Rights. The Software is protected by United States copyright laws and international treaty provisions. McAfee and its suppliers own and retain all right, title and interest in and to the Software, including all copyrights, patents, trade secret rights, trademarks and other intellectual property rights therein. Your possession, installation, or use of the Software does not transfer to you any title to the intellectual property in the Software, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. All copies of the Software and Documentation made hereunder must contain the same proprietary notices that appear on and in the Software and Documentation.
5. Restrictions. You may not sell, lease, license, rent, loan or otherwise transfer, with or without consideration, the Software. You shall not disclose the results of any benchmark test that you make of the Software to any third parties without McAfee's prior written consent. You agree not to permit any third party (other than third parties under contract with you which contract contains nondisclosure obligations no less restrictive than those set forth herein) to use the Software in any form and shall use all reasonable efforts to ensure that there is no improper or unauthorized use of the Software. You may not permit third parties to benefit from the use or functionality of the Software via a timesharing, service bureau or other arrangement, except to the extent such use is specified in the applicable list price or product packaging for the Software. You may not transfer any of the rights granted to you under this Agreement. You may not reverse engineer, decompile, or disassemble the Software, except to the extent the foregoing restriction is expressly prohibited by applicable law. The interface information necessary to achieve interoperability of the Software with independently created computer programs will be supplied by McAfee on request and on payment of such reasonable costs and expenses of McAfee in supplying that information. You may not modify, or create derivative works based upon, the Software in whole or in part. You may not copy the Software or Documentation except as expressly permitted in Section 1 above. You may not remove or alter any proprietary notices or labels on the Software or Documentation. All rights not expressly set forth hereunder are reserved by McAfee.
6. Warranty and Disclaimer.
a. Limited Warranty. McAfee warrants that for sixty (60) days from the date of original purchase the media (e.g., diskettes) on which the Software is contained will be free from defects in materials and workmanship.
b. Customer Remedies. McAfee's and its suppliers' entire liability and your exclusive remedy for any breach of the foregoing warranty shall be, at McAfee's option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the defective media in which the Software is contained. You must return the defective media to McAfee at your expense with a copy of your receipt. This limited warranty is void if the defect has resulted from accident, abuse, or misapplication. Any replacement media will be warranted for the remainder of the original warranty period. Outside the United States, this remedy is not available to the extent McAfee is subject to restrictions under United States export control laws and regulations.
c. Warranty Disclaimer. Except for the limited warranty set forth herein, THE SOFTWARE IS PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MCAFEE DISCLAIMS ALL WARRANTIES, REPRESENTATIONS AND CONDITIONS, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE ACCOMPANYING DOCUMENTATION. YOU ASSUME RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING THE FOREGOING PROVISIONS, MCAFEE MAKES NO WARRANTY, REPRESENTATION OR CONDITION THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET YOUR REQUIREMENTS. SOME STATES AND JURISDICTIONS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
7. Limitation of Liability. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT, OR OTHERWISE, SHALL MCAFEE OR ITS SUPPLIERS BE LIABLE TO YOU OR TO ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR FOR ANY AND ALL OTHER DAMAGES OR LOSSES. IN NO EVENT WILL MCAFEE BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE LIST PRICE MCAFEE CHARGES FOR A LICENSE TO THE SOFTWARE, EVEN IF MCAFEE SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY TO THE EXTENT THAT APPLICABLE LAW PROHIBITS SUCH LIMITATION. FURTHERMORE, SOME STATES AND JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION AND EXCLUSION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
8. United States Government. The Software and accompanying Documentation are deemed to be "commercial computer software" and "commercial computer software documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Software and accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.
9. Export Controls. You have been advised that the Software is subject to the U.S. Export Administration Regulations and applicable local export control laws. You shall not export, import or transfer Products contrary to U.S. or other applicable local laws, whether directly or indirectly, and will not cause, approve or otherwise facilitate others such as agents or any third parties in doing so. If applicable to you, you represent and agree that neither the United States Bureau of Export Administration nor any other federal agency has suspended, revoked or denied your export privileges. You agree not to use or transfer the Software for end use relating to any nuclear, chemical or biological weapons, or missile technology unless authorized by the U.S. Government and any other applicable local authority by regulation or specific license. Additionally, you acknowledge that the Software is subject to export control regulations in the European Union and you hereby declare and agree that the Software will not be used for any other purpose than civil (non-military) purposes. The parties agree to cooperate with each other with respect to any application for any required licenses and approvals, however, you acknowledge it is your ultimate responsibility to comply with any and all export and import laws and that McAfee has no further responsibility after the initial sale to you within the original country of sale.
10. High Risk Activities. The Software is not fault-tolerant and is not designed or intended for use in hazardous
environments requiring fail-safe performance, including without limitation, in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, weapons systems, direct life-support machines, or any other application in which the failure of the Software could lead directly to death, personal injury, or severe physical or property damage (c oll e ctively, "High Risk Ac t ivi ties"). McAfee expressly disclaims any expres s or implied warranty or condition of fitness for High Risk Activit ies .
11. Miscellaneous. This Agreement is governed by the laws of the Netherlands. The application of the United Nations Convention of Contracts for the International Sale of Goods is expressly excluded. Disputes with respect to this Agreement, as well as with respect to its conclusion and execution, will be submitted exclusively to the competent court in Amsterdam. This Agreement sets forth all rights for the user of the Software and is the entire agreement between the parties. McAfee reserves the right to periodically audit you to ensure that you are not using any Software in violation of this Agreement. During your standard business hours and upon prior written notice, McAfee may visit you and you will make available to McAfee or its representatives any records pertaining to the Software to McAfee. The cost of any requested audit will be solely borne by McAfee, unless such audit discloses an underpayment or amount due to McAfee in excess of five percent (5%) of the initial license fee for the Software or you are using the Software in an unauthorized manner, in which case you shall pay the cost of the audit. This Agreement supersedes any other communications with respect to the Software and Documentation. This Agreement may not be modified except by a written addendum issued by a duly authorized representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by McAfee or a duly authorized representative of McAfee. If any provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full force and effect. The parties have required that this Agreement and all documents relating thereto be drawn up in English. Les parties ont demandé que cette convention ainsi que tous les documents que s'y attachent soient rédigés en anglais.
12. MCAFEE CUSTOMER CONTACT. If you have any questions concerning these terms and conditions, or if you would like to contact McAfee for any other reason, please call +31 20 586 61 00 or write: McAfee, Gatwickstraat 25, 1043 GL Amsterdam, Netherlands. You will find our Internet web-site at http://www.nai.com.
Table of Contents
Chapter 1. Welcome to McAfee Firewall
  About McAfee Firewall
  New in This Release
  How McAfee Firewall Works
  About McAfee Firewall Documentation
    McAfee Firewall On-line Help
  Frequently Asked Questions
Chapter 2. Installing McAfee Firewall
  System requirements
  About Winsock 2
  Installation Steps
  Troubleshooting installation problems
    Step 1: Clean up your hard drive
    Step 2: Remove temporary files
    Step 3: Close other software
Chapter 3. The Firewall Inductive User Interface
  Introduction
Chapter 4. Intrusion Detection System – (IDS)
  Introduction
  How to Configure the Intrusion Detection System
Chapter 5. McAfee Firewall Configurations
  Applications
    Control Applications
    Default Settings for Applications
  Systems
    Control System
    Default Settings for System Activity
    Password Protection
  Instructions for Administrators
    Configuring Network, Display and Logging Controls
    Configuring Applications
    Configuring System Settings
    Configuration After Adding/Removing Network Devices
    Using Password Protection
Chapter 6. Update your McAfee Product
  Instant Updater
  Why Do You Need to Update?
  How Does the Updating Process Work?
  Instant Updater Features
  Configuration
Appendix A. Product Support
  How to Contact McAfee
    Customer Service
    www.McAfee-at-Home.com
  Technical Support
Appendix B. Common Attacks Recognized by Intrusion Detection
Glossary
Index

Chapter 1. Welcome to McAfee Firewall

About McAfee Firewall

Protect yourself while online with the rock solid security of McAfee Firewall. Easy-to-use, yet highly configurable, McAfee Firewall secures your PC's connection to the Internet whether you connect via DSL, cable modem or dial-up. With its new advanced Intrusion Detection System, color coded security alerts, audible alerts, detailed logging and application scan for Internet capable applications with learning mode, McAfee Firewall gives you all the power you need to control the communications into and out of your PC, ensuring that your online experience will be as safe as it is enjoyable.
McAfee Firewall:
• Stops fileshare and printshare access attempts.
• Shows who is connecting (i.e., if you allow sharing)
• Stops floods and other attack packets from being received by the Operating System.
• Blocks untrusted applications from communicating over the network.
• Detects hidden programs ("trojans") that can give remote access to your PC or reveal private information (e.g. online banking information).
• Provides detailed information about which sites you have contacted and the type of connection that was made
• Blocks all traffic while you are away, and your PC is connected 24 hours a day.

New in This Release

Intrusion Detection System - Powerful, yet simple to configure, McAfee Firewall's Intrusion Detection System (IDS) detects all common attack types and other suspicious activity. Users are able to easily block all further communication from offenders.
System Application Scan & Learning Mode - McAfee Firewall can be set to scan a PC for programs that can communicate over the Internet and present a list of such programs to the user. Selecting the programs you want to allow, McAfee Firewall's Learning Mode will build a custom rule for the application the first time you use it when you go online.
Color Coded Firewall Alerts - Easily determine the severity of potential security threats with color coded onscreen alerts similar to modern traffic light patterns. From Green for go, to Yellow for proceed with caution, and Red for the strongest warning to stop and take note of the most serious types of threats, you'll quickly know the level of caution appropriate for each situation.
Customizable Audible Alerts - Don't miss a security or privacy concern just because you happen not to be looking at your computer screen. You'll now be able to hear different sounds that indicate various levels of severity according to the types of threats your machine is exposed to. Users can also import their own sounds to be used as audible alerts.
Scrolling Marquee of Internet Activity - Be informed of the different types of activity occurring on your Internet connection in real time with this customizable onscreen notification.
ICS/NAT & Home Networking Compatibility - McAfee Internet Security can be used to protect a single machine or number of machines connected together via a small network. Setting up trust relationships within McAfee Firewall for connected machines is a snap.
Enhanced Graphical Display of Network Activity & Attacks - McAfee Firewall now makes it easier than ever to determine what type of activity is taking place when you go online.
Easy File Sharing Control - McAfee Firewall takes the mystery out of whether or not you have file sharing active on your system and allows you to control file sharing with ease.
New OS Support - McAfee Internet Security now supports Windows XP and Windows XP themes.

How McAfee Firewall Works

McAfee Firewall is a simple-to-operate security tool for non-technical users. It dynamically manages your computing security behind the scenes, so that you do not even have to understand networking protocols. It is custom created at the moment it is needed, and only as needed, as you go on to do something else on your computer.
McAfee Firewall filters traffic at the devices that your system uses - network cards and modems. This means that it can reject inbound traffic before that traffic can reach vital functions in your PC and before it can waste valuable system resources.
It monitors applications that are either trusted or not trusted. When trusted applications need to access a network, it manages everything in the computer to allow that application's traffic. When it detects non-trusted applications trying to access a network, it blocks all traffic to and from that application.
Some network communications are needed to maintain network-based services. These are managed through user defined rules under the SYSTEM button feature of McAfee Firewall. The default SYSTEM settings feature provides protection from hostile threats.
In addition, during the installation process, it will prompt you with some basic questions to set up McAfee Firewall to do specific tasks, according to your needs (e.g. allow sharing of files or not).
NOTE: For more information on how McAfee Firewall works, see Chapter 5, “McAfee Firewall Configurations.”

About McAfee Firewall Documentation

This Getting Started manual provides the basic information you need to install, set up and use McAfee Firewall. More detailed, step-by-step instructions on how to perform a task within McAfee Firewall are provided via the Help files, which you can access while working within the different windows and dialog boxes. You can also review the Readme.txt file, which contains other general information (e.g., frequently asked questions) about the product.

McAfee Firewall On-line Help

To launch McAfee Firewall help:
In the McAfee Firewall main screen, click the Help menu; then select Contents. The Help contents are displayed.
You can also search for a help topic via the Index or Find tabs.
• Index tab
1. In the text box, type the first few letters of the word or phrase you are looking for.
2. Locate what you are looking for; then double-click the topic or click the Display button.
• Find tab
Clicking the Find tab enables you to launch a full text search. When you search for topics via the Find tab for the first time, a Find Setup Wizard is displayed. Follow the instructions on screen to set up the full text search option. After setup is complete:
1. In the text box, type the first few letters of the word or phrase you are looking for. You can also select matching words to narrow your search.
2. Once you have located what you are looking for in the display topic box, click the topic.

Frequently Asked Questions

The following are some frequently asked questions that you can briefly review:
NOTE: To read additional frequently asked questions, refer to the Readme.txt file of McAfee Firewall.
How Will McAfee Firewall Help Me?
McAfee Firewall protects your PC at the network level. It acts as a gatekeeper, checking every data packet going in or out of your PC. It allows only what you tell it to allow.
McAfee Firewall has been designed to be easy to use, while providing you with excellent protection. Once you install and run it, it is configured to block known attacks and to ask you before allowing applications to communicate.
How is my PC at risk on the Internet?
When you connect to the Internet, you share a network with millions of people from around the world. While that is a truly wonderful and amazing accomplishment, it brings with it all the problems of being accessible to complete strangers.
When on the Internet, you need to lock down your PC. When you talk to strangers on IRC (Internet Relay Chat), be cautious of files they send you. This is one way the BO (Back Orifice) program spreads, giving people remote control of your PC. Check files you get for viruses.
When on the Internet, others can try to access your fileshares. You should check that they are not available, or else people can read and delete what is on your system.
The data you send can be seen by more people than just the intended receiver. Practically any system that is connected to any part of the network path used to relay your data packets can see what is sent. Also, it is hard to know with absolute certainty that you are talking to whom you think you are talking to.
What other protection do I need?
McAfee Firewall provides network level protection. Other important types of protection are:
• Anti-virus programs for application-level protection.
• Logon screens and screen saver passwords to prevent unauthorized access.
• File encryption or encrypting file systems to keep information secret.
• Intrusion detection for an added level of network protection.
• Boot-time passwords to stop someone else from starting your PC.
• Physical access to the computer, e.g. stealing the hard drive.
A separate but also important issue is controlling access to information, misinformation and "filth" that is widely available on the Internet. You can use a number of content-filtering programs or services such as McAfee’s Internet Guard Dog that can filter the contents of data packets or restrict access to certain sites.
Are there any data packets that McAfee Firewall cannot stop?
Inbound Data: No.
As long as McAfee Firewall supports a network device and is running, it is intercepting all incoming packets and will allow or block according to the way you have it configured. If you choose to block everything, it will.
Outbound Data: Yes and no.
McAfee Firewall intercepts outbound data packets as they are passed to the network device driver. All popular applications communicate this way. A malicious program could communicate by other means, however.
What network devices does McAfee Firewall support?
McAfee Firewall supports Ethernet and Ethernet-like devices on Microsoft Windows 95, 98 and NT 4.0 SP4 and SP5. This includes dial-up connections, most cable and ISDN modems and most Ethernet cards. It does not support Token Ring, FDDI, ATM, Frame Relay and other networks.
What protocols can McAfee Firewall filter?
McAfee Firewall can filter TCP/IP, UDP/IP, ICMP/IP and ARP. It intercepts all protocols, but others, such as IPX, must be either allowed or blocked - no filtering is done. The Internet uses the IP protocols. No others are sent. Also, IP networks are the most common.
How can I still be harassed, even with McAfee Firewall?
Many people use McAfee Firewall (and PC FIREWALL) to block the "nukes" that cause their IRC connections to be broken. While McAfee Firewall blocks the nukes, there are other ways that attackers can still cause the connections to be broken:
Server-side nuking. This is when the "nukes" are sent to the IRC server, not to your computer, telling the server that you can no longer be reached. To prevent this, the IRC server needs a firewall.
Flood blocking a TCP connection. If a flood of packets is sent to you from a higher speed connection, McAfee Firewall or ConSeal PC FIREWALL can stop the packets, but the flood takes up all your bandwidth. Your system does not get a chance to send anything. Dial-up users are particularly vulnerable since they have the lowest speed connections.

Chapter 2. Installing McAfee Firewall

Most installation problems are caused by having programs running while you try to install new software. Even if the installation appears normal, you won’t be able to run the new program. To avoid installation problems, close all open programs before you install McAfee Firewall, including programs that run in the background, such as screen savers or virus checkers.

System requirements

To use McAfee Firewall you need:
• Microsoft® Windows® XP Home Edition, Windows XP Professional, Windows 2000, Windows Me, Windows NT Workstation v4.0, Windows 98, or Windows 95B.
• Personal computer with a Pentium 100 MHz or higher processor.
• 32 megabytes (MB) of RAM.
• 8 MB of free hard disk space.
• CD-ROM drive.
• Internet access required for various features.

About Winsock 2

McAfee Firewall uses an API (Application Programming Interface) that is not supported by versions of Winsock prior to v2.0. McAfee Firewall checks for the presence of Winsock 2 during the installation procedure and will inform you if the system does not have it. If you have the latest browser (e.g., Internet Explorer 5), this component is already built-in and you will not receive this prompt. Otherwise, a free upgrade is available from http://www.microsoft.com as well as other Web sites.
NOTE: For more information on Winsock 2, refer to the Frequently Asked Question section of McAfee Firewall’s Readme.txt file.

Installation Steps

After you insert the McAfee Firewall CD into your CD-ROM drive, a Firewall Autorun image should automatically display. To install Firewall software immediately, click Install Firewall, then skip to Step 5 to continue with Setup.
Use the steps below to install your software.
1. If your computer runs Windows NT Workstation v4.0, Windows 2000 Professional, or Windows XP, log on to your system as a user with administrative rights. You must have administrative rights to install this software on your system.
2. Insert the Firewall CD into your computer’s CD-ROM drive. If the Firewall Installation Wizard does not automatically display, go to Step 3. Otherwise, skip to Step 4.
3. Use the following procedure if the Autorun installation menu does not display, or, if you obtained your software via download at a McAfee web site.
a. From the Windows Start menu, select Run.
The Run dialog box displays.
b. Type <X>:\SETUP.EXE in the text box provided, then click OK.
Here, <X> represents the drive letter for your CD-ROM drive or the path to the folder that contains your extracted Firewall files. To search for the correct files on your hard disk or CD-ROM, click Browse.
4. Before proceeding with the installation, Setup first checks to see whether your computer already has the Microsoft Windows Installer (MSI) utility running as part of your system software.
a. If your computer runs Windows XP, Windows Me, or Windows 2000, MSI already exists on your system. If your computer runs an earlier Windows release, you may still have MSI in your computer if you previously installed other software that uses MSI. In either of these cases, Setup will display its first wizard panel immediately. Skip to Step 5 to continue.
b. If Setup does not find MSI or an earlier version of MSI is installed in your computer, it installs files necessary to continue the installation, then prompts you to restart your computer. Click Restart System. When your computer restarts, Setup will continue from where it left off.
5. Refer to steps displayed on the Firewall Installation Wizard to complete your installation.
TIP: If your computer does not have the required fonts to view the End User’s License Agreement (EULA), then you may locate the appropriate EULA on your McAfee software installation CD. You must read and agree to the terms of the agreement to complete your installation.

Troubleshooting installation problems

A failed installation can cause software problems that are difficult to track down. The major causes of installation failure are:
• Hard drive errors
• Temporary files that conflict with the installation
• Attempting to install while other software is running
Follow the procedure outlined below to minimize the effect that these common conditions may have on your installation.

Step 1: Clean up your hard drive

Run the Windows 95 hard drive utilities, ScanDisk and Disk Defragmenter to identify and fix any errors on your hard drive:
1. Click Start on the Windows taskbar, point to Programs, then Accessories, then System Tools, and click ScanDisk.
2. In the ScanDisk window, select Standard and Automatically fix errors.
NOTE: These are the default settings.
3. Click Advanced. In the Advanced Settings dialog box, make sure the following settings are selected:
• Only if errors found
• Replace log
• Delete
• Free
4. Ignore the other options, and click OK. Click Start. ScanDisk begins scanning your drive for errors. Depending on the size of your hard drive, ScanDisk may take several minutes to complete its job.
5. When ScanDisk is finished, close ScanDisk.
6. Click Start on the Windows taskbar, point to Programs, then Accessories, then System Tools, and click Disk Defragmenter.
7. Click OK to start Disk Defragmenter. Depending on the speed of your computer and the size of your drive, this may take several minutes to complete.
8. Close Disk Defragmenter when it has finished defragmenting your disk.

Step 2: Remove temporary files

Delete the contents of the Windows Temp folder:
1. Double-click the My Computer icon on your desktop. The My Computer window opens. Double-click the C: drive. You are now viewing the contents of your hard drive.
2. Double-click the Windows folder.
3. In the Windows folder, double-click the Temp folder.
4. In the menu, click Edit, then click Select All. All of the items in your Temp folder are highlighted.
5. Press the Delete key on your keyboard to delete the files. If Windows asks about deleting files, click Yes.
6. In the Windows taskbar, click Start, then click Shut Down.
7. Click Restart the computer, then click Yes in the Shut Down Windows dialog box to restart your PC.

Step 3: Close other software

Disable all software running in the background:
1. Hold down the Ctrl and Alt keys on your keyboard, and then press the Delete key once. The Close Program dialog box appears.
2. Click End Task for every item on the list except Explorer.
3. Repeat steps 2 and 3 until you’ve closed everything except Explorer.
4. When you see only Explorer in the Close Program dialog box, click Cancel.
You are now ready to install your new software.

Chapter 3. The Firewall Inductive User Interface

Introduction

Under the guidance of the Microsoft Corporation, McAfee introduces a new look to McAfee Firewall - the Inductive User Interface (IUI).
What is an Inductive User Interface?
An IUI is similar to common web-style design – each screen within the application focuses on a unique, clearly stated, fundamental purpose. An IUI also allows you to easily navigate from one screen to the next.
How will an IUI help me?
IUI simplifies using McAfee Firewall. On any screen within Firewall, you can easily determine how to complete a task or how to access another related or different task. You can easily navigate Firewall by selecting the Back, Forward and Home icons. These three icons are common to all Firewall screens.
How do I use the IUI?
First, start Firewall from the Windows Start menu.
Figure 3-1. The Firewall Main Window
The Firewall main window is your central entry point to all Firewall tasks, features, and components. The main window displays three regions common to all Firewall screens.
Pick a Task
Select Pick a task to access the primary task screen. From the primary task screen you can select one of the following tasks:
• Control a program’s access to the Internet.
• View details of Internet activity into and out of your computer.
• Configure advanced settings.
• Setup intrusion detection.
• Shutdown Firewall and exit.
TIP: After picking a task, simply follow the on-line instructions to complete the task. If you would like to start a new task, select Pick a task.
Quick Jump
The Quick Jump section allows you to access a function or program associated with McAfee Firewall (a function or program may include a collection of tasks). For example, from the Quick Jump section you can:
• Select Check for a Firewall Update to start McAfee’s Instant Updater. Instant Updater allows you to download updates to your product.
See Also
The See Also section displays links to external resources to help you use McAfee Firewall. From the See Also section you can:
• Select McAfee on the Web to start your internet browser and go to www.McAfee-at-Home.com. Our McAfee-at-Home web site is a valuable resource for all of your McAfee product support needs.
• Select Help and Support to display on-line Help. Choose Help Topics from the Help menu to see a list of Firewall help topics.
• Select Advanced Tasks to perform advanced Firewall tasks.
TIP: Click X in the upper right corner of any Firewall screen to close the Firewall main window.

Chapter 4. Intrusion Detection System – (IDS)

Introduction

Firewall’s Intrusion Detection System (IDS) is designed to help the same users that the Personal Firewall feature protects: small offices without a corporate firewall, corporate users working outside the corporate firewall, or home users. It defends isolated machines against many different kinds of attacks (e.g., port scans and flood attacks).
All unprotected computers can be victimized. For example, attackers can use a TCP port scan to find out what services you are running on your machine. Once this is accomplished, they can try to connect to those services and attack your machine. If the attacker discovers that you are running a TELNET, ftp, or Web server, the attacker can try each of your computer’s ports sequentially, from 1 to 65535, until an open port is found that they can connect to.
Unlike other intrusion detection tools, McAfee Firewall’s powerful IDS feature is simple to configure and activate. Instead of requiring users to learn and understand a complex set of attacks to build their own defense lines against intrusions, Firewall’s development team created a tool that, when activated with the click of a button, detects all common attack types as well as suspicious activity.
McAfee Firewall’s IDS feature looks for specific traffic patterns used by attackers. Firewall checks each packet that your machine receives to detect suspicious or known attack traffic. For example, if McAfee Firewall sees ICMP packets, it analyzes those packets for suspicious traffic patterns by comparing the ICMP traffic against known attack patterns. When McAfee Firewall matches packets with a known attack pattern, the software generates an event to warn you of a possible security breach.
When intrusion detection is on, all traffic is checked by the intrusion detection system. When intrusion detection is active and Firewall detects an attack, you can block further communication from the suspected machine’s IP address indefinitely or for a specific time period. When an attack is detected, McAfee Firewall can alert you with a Windows system tray notification.
NOTE: Because Firewall is analyzing packets and looking for patterns of packets that identify specific types of attacks, this feature may result in a very slight impact on your machine’s performance.
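The detect-then-block behaviour described in this introduction can be sketched as follows. This is an added illustration, not McAfee's code: the thresholds, the class and function names, and the sample packets are all assumptions made for the example.

```python
"""Sketch of a host IDS that flags port scans and floods, then blocks the source."""
from collections import defaultdict, deque

# Assumed thresholds; the manual does not publish the product's real values.
SCAN_PORTS, SCAN_WINDOW = 10, 5.0      # distinct destination ports within N seconds
FLOOD_PACKETS, FLOOD_WINDOW = 50, 1.0  # packets from one source within N seconds


class IntrusionDetector:
    def __init__(self, auto_block=True, block_minutes=None):
        # block_minutes=None models "until removed"; a number models "For N minutes".
        self.auto_block = auto_block
        self.block_minutes = block_minutes
        self.recent = defaultdict(deque)  # source IP -> deque of (time, dst_port)
        self.blocked = {}                 # source IP -> expiry time, or None
        self.events = []                  # (time, source IP, attack name)

    def is_blocked(self, src, now):
        if src not in self.blocked:
            return False
        expiry = self.blocked[src]
        if expiry is not None and now >= expiry:
            del self.blocked[src]         # the timed block has run out
            return False
        return True

    def unblock(self, src):
        """Manual removal of a host from the block list."""
        self.blocked.pop(src, None)

    def _classify(self, now, window):
        ports = {port for t, port in window if now - t <= SCAN_WINDOW}
        if len(ports) >= SCAN_PORTS:
            return "port scan"
        burst = sum(1 for t, _ in window if now - t <= FLOOD_WINDOW)
        if burst >= FLOOD_PACKETS:
            return "flood"
        return None

    def inspect(self, now, src, dst_port):
        """Check one inbound packet; return 'drop' or 'pass'."""
        if self.is_blocked(src, now):
            return "drop"
        window = self.recent[src]
        window.append((now, dst_port))
        horizon = now - max(SCAN_WINDOW, FLOOD_WINDOW)
        while window and window[0][0] < horizon:
            window.popleft()              # forget packets older than the longest window
        attack = self._classify(now, window)
        if attack is None:
            return "pass"
        self.events.append((now, src, attack))  # the "event" that warns the user
        window.clear()
        if not self.auto_block:
            return "pass"                 # assumption: alert only, traffic continues
        self.blocked[src] = (None if self.block_minutes is None
                             else now + 60 * self.block_minutes)
        return "drop"


def constructed_traffic():
    """Constructed sample packets: (time in seconds, source IP, destination port)."""
    pkts = [(i * 2.0, "192.0.2.10", 80) for i in range(5)]               # ordinary client
    pkts += [(1.0 + i * 0.1, "198.51.100.7", p)                          # sequential scan
             for i, p in enumerate(range(1, 21))]
    pkts += [(4.0 + i * 0.01, "203.0.113.9", 6667) for i in range(60)]   # flood on one port
    return sorted(pkts)


def replay(detector, packets):
    """Feed packets through the detector and record the verdict for each one."""
    return [(t, src, port, detector.inspect(t, src, port)) for t, src, port in packets]


if __name__ == "__main__":
    ids = IntrusionDetector(auto_block=True, block_minutes=10)
    replay(ids, constructed_traffic())
    for when, src, attack in ids.events:
        print(f"t={when:.2f}s  {attack} from {src}; blocked until {ids.blocked.get(src)}")
```
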

How to Configure the Intrusion Detection System

Use the steps below to configure McAfee Firewall’s intrusion detection feature:
1. Start McAfee Firewall from the Windows Start menu. The Firewall main window displays.
TIP: Another way to start McAfee Firewall is to right-click the McAfee Guardian icon displayed in the Windows system tray, point to McAfee Firewall and select Run Firewall.
2. On the McAfee Firewall main window, select Pick a task.
3. Select Advanced Firewall settings.
4. To activate McAfee Firewall’s intrusion detection system, check the Activate Intrusion Detection check box. Conversely, to deactivate the Intrusion detection system, clear the check mark from the Activate Intrusion Detection check box.
5. To block traffic from an attacker’s IP address, check Automatically block attackers.
6. You can control how long McAfee Firewall blocks traffic from the attacker’s IP address:
• To block traffic until you remove the host, click until removed.
• To block traffic from the attacker’s IP address for a specific number of minutes, click For, and enter the number of minutes.
7. To play a sound when attacked, click Play sound when attacked and select a sound from the menu.
8. To display a Windows system tray notification as an attack occurs, click Show tray notification when attacked.
9. Click OK.

5 McAfee Firewall Configurations

The configuration of McAfee Firewall is divided into two parts—application and system. Upon installation, a base set of rules for system services such as ICMP, DHCP and ARP is installed (these are considered default settings). The applications part is personalized. Whenever you run a new program that attempts to communicate over the Internet, McAfee Firewall will prompt and ask you whether you want to trust the program or not.
For example, using Internet Explorer, enter an Internet address or URL (e.g., http://www.macafee-at-home.com) in the address bar of your browser and press ENTER. Internet Explorer will attempt to connect to that URL over the Internet. The first time you do this, McAfee Firewall asks whether you "trust" Internet Explorer. If you say "Yes", McAfee Firewall notes that Internet Explorer is allowed, and whenever you use Internet Explorer in the future, McAfee Firewall will allow its traffic.
Behind the scenes, McAfee Firewall creates a rule allowing Internet Explorer to communicate to the specific URL you have indicated and then deletes the rule once all traffic is received or once you exit Internet Explorer. Additionally, when trojans on your system try to communicate out from your PC, McAfee Firewall will also prompt you whether you trust them or not, and the decision to stop trojans is easy and instantaneous.

Applications

Control Applications

McAfee Firewall monitors network traffic to see which applications are communicating. Depending on your settings, it will allow or block an application's attempt to communicate.
To control which applications may communicate, click the Settings menu item and choose Applications.
If you choose to "Trust all applications" (putting a check mark in the box), then applications will be added to the "Trusted" list automatically and will be allowed to communicate.
If you do not choose to "Trust all applications", as shown in the figure above, then the first time you run an application and it tries to communicate, you will be prompted and asked if you want that application to communicate. You are only prompted once. Known applications are either allowed or blocked, depending on which list they have been put in.

Default Settings for Applications

When installed, the default setting is to prompt the user before allowing an application to communicate. The first time you run an application that uses the network, you will be prompted.
Yes: Select Yes to allow the application to communicate normally.
No: Select No to block the application. In all likelihood, an error message such as "Network is unavailable" will display.
If you allow an application the first time you are prompted, you may change this and block it at any time: just select the Settings/Applications menu item. There, you can move applications into either the "Trusted" list or the "Blocked" list.
When you exit McAfee Firewall, your settings are saved and will be the same the next time it is run.

Systems

Control System

The operating system performs many types of network communication without reporting directly to the user. McAfee Firewall lets the user allow or block different system functions explicitly. Settings may be different for each network device, since a PC may, for example, be on an internal network as well as having a dial-up connection to the Internet.
To control System settings, click on the Settings menu item and choose System. Then choose the network device you want to configure.
You can either double-click on the network device or click once and choose Properties.
You can then choose to allow or block NetBIOS over TCP, Identification, ICMP, ARP, DHCP, RIP, PPTP and other protocols (IP and non-IP).
NOTE: For more information, refer to online Help.

Default Settings for System Activity

NetBIOS over TCP: Blocked
This will block all fileshare activity over TCP as well as UDP broadcasts. Your system will not appear in anyone's "Network Neighborhood" and theirs will not appear in yours. If your system is configured to support NetBIOS over other protocols, such as IPX or NetBEUI, then filesharing may be allowed if "non-IP protocols" are allowed (see "Other Protocols" below).
Identification: Allowed
This service is often required when getting email and is required by most IRC servers.
ICMP: Blocked
This protocol is often abused as a method of breaking people's network connections (especially on IRC).
ARP: Allowed
ARP is a necessary Ethernet protocol and is not known to be a threat.
DHCP: Allowed if your system uses DHCP
The program looks in your system Registry to see if one of your network devices uses DHCP. If so, then DHCP is allowed for all devices. If not, then it is blocked for all devices. If you have more than one network device and one uses DHCP, you should check the DHCP setting for each device and allow it only for the device that uses DHCP (most often cable or ADSL modems and some internal networks, not dial-up).
RIP: Blocked
Allow RIP if your administrator or ISP advises you to.
PPTP: Blocked
This should only be altered by the administrator.
Other Protocols: Blocked
If you are on an IPX network, you should allow "non-IP protocols". If you use PPTP, you should allow "other IP protocols". Ask your network administrator before making any change here.

Password Protection

While McAfee Firewall is designed to protect a Windows computer from unwanted network communication, the security it provides can be undermined if the configuration can be altered. This is especially easy on Windows 95 and 98.
This problem is partially addressed by adding password protection to the configuration file. The protection is only partial because only the operating system can provide access control, such as is found in Linux and Unix.
When you use a password to protect your configuration:
• The settings cannot be changed while McAfee Firewall is running unless the correct password has been entered.
• Tampering with the configuration file will be detected the next time McAfee Firewall is run, if (and when) the password is entered.
• If the password has not been entered, new networking applications will be blocked automatically.

Instructions for Administrators

Configuring Network, Display and Logging Controls

Network Control
This should usually be set to "Filter Traffic". If it is set to "Block Everything", the system will not be able to communicate over any network device. If it is set to "Allow Everything", nothing will be blocked. When it is set to "Filter Traffic", it controls network communications according to the Application and System settings.
Display Control
It is best to choose Summary mode when setting it up for other users. The information shown in Detail mode is intended for the Administrator and may reduce performance on high-speed networks.
Logging Control
It is important to log unknown traffic if you want to review the log files to look for intrusion attempts. This option should only be unselected if the computer is on a busy network and large amounts of (harmless) traffic fill the log file.

Configuring Applications

The following steps will help the Administrator set up the Applications portion of the configuration. While the configuration file (CPD.SFR) is not intended to be transferable, the Applications settings can be successfully copied from one system to another. The System settings cannot.
1. Select the Settings menu item, and the Applications option on the popup menu.
2. Do not select "Trust all applications" unless you are very sure this is what you want. When selected, all applications are freely allowed to communicate and malicious "trojans" may go unnoticed.
3. Close the Application Settings dialog box, choosing "OK".
4. Add applications you want to communicate to the "Trusted Applications" list by running the application. You will be prompted to allow the application. Choose 'Yes'.
5. Once you have run the applications you want to communicate, review the Trusted and Blocked Applications lists by choosing Applications/Settings again, as in Step (1).
6. Select the application and click either Add, Remove, or Allow. Click the Trust all applications check box to allow all applications displayed in the list box.
7. Choose "OK" to close the dialog box.
8. Choose File/Save Settings if you want to write this new configuration to disk immediately. Note: the configuration is automatically written to disk when you exit McAfee Firewall.

Configuring System Settings

The following steps will help the Administrator set up the System portion of the configuration. While the configuration file (CPD.SFR) is not intended to be transferable, the Applications settings can be successfully copied from one system to another. The System settings cannot. This is because different systems have different network devices and it is uncommon to find two that are the same.
1. List all the network segments that are connected to computers that are to be configured.
Include internal networks and any connection to an external network (e.g. the Internet) even if it is by modem. This is often a simple task, since most computers have just one or two network connections.
2. Decide what network traffic should be allowed on each network segment.
3. Select the Settings menu item, and the System option on the popup menu.
4. From the list of network devices, determine which device is connected to which network segment you listed in Step (1). If you have one modem but see two "Dial-Up Adapter" entries, one of them may be a Microsoft Virtual Private Network Adapter. Usually, the entry with the lower device number (e.g. [0000]) is the physical device and the other is the virtual device.
5. For each device:
Highlight the device in the list and select Properties.
According to the policies you defined in Step (2) above, allow or block the different types of network traffic.
Choose OK when done. Note: changes take effect for this device when you choose OK on the Properties page. Choosing Cancel on the System/Settings page does not cancel these changes. If in doubt, review the settings later to confirm.
6. Choose OK to close the System/Settings dialog box.
NOTE: You must check System Settings after adding or removing network devices.

Configuration After Adding/Removing Network Devices

The System Settings must be verified after changes are made to network devices. This is especially important if a network device is added or removed. If a device was removed, all settings may have to be re-entered, because the previous settings may now be associated with the wrong device. If a device is added, it will have to be configured for the first time.
1. Select the Settings menu item, and the System option on the popup menu.
2. For each network device:
Select the device in the list and choose Properties.
Confirm that the settings displayed are correct. Make changes where necessary.
Click OK when you are finished.
NOTE: Changes take effect for this device when you choose OK on the Properties page. Choosing Cancel on the System/Settings page does not cancel these changes. If in doubt, review the settings later to confirm.
3. Choose OK to close the System/Settings dialog box.

Using Password Protection

The following steps will help the Administrator protect the configuration. Without using password protection, the only way to make sure that setup has not been altered is to examine all settings. By using password protection, you will be notified if the setup file was altered.
1. Select the File menu item, and the "Password" option on the popup menu. This pops up another menu. Select "Set".
2. Enter a secret password in the two places shown and choose OK.
3. Write the password down and store it in a safe place. There is no mechanism for retrieving the password once it is lost.
The next time the program is run, it will prompt for the password to be entered. If it is not entered (you can press the <Esc> key), the control functions are disabled (shown in gray) and the setup cannot be changed. Once the correct password is entered, the control functions may be used.
It is really important to choose a password that others will not guess. Choosing words such as "open sesame" is a poor choice, because there are password guessing programs that systematically try every word in the dictionary as well as common phrases, names, dates and other predictable entries. It is better to choose several unrelated words, letters mixed with numbers, or completely random characters. The more, the better. Password generation programs can help you choose.
It is better to use a new password every time you make an important configuration change. Every file you create with a password is "valid" in that McAfee Firewall will see that it matches the password you used for it. Using a new password prevents someone from secretly substituting an older configuration file for a newer one.
Trojans such as BO and NetBus can log keystrokes. Therefore, they can log a password as you type it. While McAfee Firewall helps you detect trojans, you must be diligent in keeping them off your computer(s) before they compromise the security systems you put in place.
TIP: It is also good to have an anti-virus system such as McAfee VirusScan installed on your computer to ensure protection from Trojans and other known viruses.
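The manual does not say how McAfee Firewall ties the configuration file to the password. The following added example (not McAfee's code) shows one way such tamper detection can work, and why an older file stays "valid" only under its older password; the HMAC-SHA256 and PBKDF2 construction, the function names and the sample settings are all assumptions of this sketch.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def _key(password: str, salt: bytes) -> bytes:
    # Stretch the password so each guess costs an attacker many hash rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def seal(config: bytes, password: str) -> bytes:
    """Return salt || tag || config, where tag is an HMAC keyed from the password."""
    salt = os.urandom(16)
    tag = hmac.new(_key(password, salt), config, hashlib.sha256).digest()
    return salt + tag + config


def verify(sealed: bytes, password: str):
    """Return the configuration if it matches the password, otherwise None."""
    if len(sealed) < 48:
        return None
    salt, tag, config = sealed[:16], sealed[16:48], sealed[48:]
    expected = hmac.new(_key(password, salt), config, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return config if hmac.compare_digest(tag, expected) else None


def demo():
    """Walk through the cases the section describes and report each outcome."""
    # Constructed sample settings; this is not the real CPD.SFR format.
    old_cfg = b"ICMP=Blocked\nTrustAllApplications=0\n"
    new_cfg = old_cfg + b"RIP=Blocked\n"
    old_pw, new_pw = "first-passphrase-7431", "second-passphrase-9052"

    old_file = seal(old_cfg, old_pw)   # saved before the configuration change
    new_file = seal(new_cfg, new_pw)   # saved after it, under a NEW password

    # Someone edits the file on disk without knowing the password.
    tampered = new_file.replace(b"TrustAllApplications=0",
                                b"TrustAllApplications=1")
    return {
        "current file accepted": verify(new_file, new_pw) == new_cfg,
        "edited file rejected": verify(tampered, new_pw) is None,
        # The old file still matches the old password ...
        "old file valid under old password": verify(old_file, old_pw) == old_cfg,
        # ... but swapping it in is caught because the password has changed.
        "old file rejected under new password": verify(old_file, new_pw) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Had the same password been reused for both saves, the older file would verify and the substitution would go unnoticed, which is the reason the manual recommends a new password after each important change.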

6 Update your McAfee Product

Instant Updater

As technologies advance, we continually provide updates to McAfee software products. To ensure the highest level of protection, you should always obtain the latest version of your McAfee product.
Updating your software is simple using McAfee's Instant Updater. It is a seamless process and requires minimal interaction on your part.
IMPORTANT: Instant Updater is also the mechanism used to register your product with McAfee. In order to obtain product updates, you must register your product with McAfee.

Why Do You Need to Update?

• New features may be released for your McAfee product
• Product fixes are periodically available
• New product content is updated periodically
• Updates to anti-virus signature files are frequently available

How Does the Updating Process Work?

Instant Updater allows you to obtain and apply updates to your McAfee products while connected to the Internet. If an update exists, you will receive a notification. At that time, you can download and apply the updates to your products.

Instant Updater Features

Auto-Inquiry: Auto-inquiry enabled allows you to receive notification of product updates while connected to the Internet. The default setting for Instant Update is Auto-Inquiry enabled. If you do not connect to the Internet on a regular basis, you may want to disable Auto-Inquiry and use the manual update feature.
TIP: We do not recommend enabling Auto-Inquiry if you have a slow Internet connection.
Auto-Update: If you do not want to be bothered with notification messages regarding updates, you can enable Auto-Update. Auto-Update enabled allows you to download and apply product updates without notification messages. Updates are "silently" downloaded and applied to your McAfee product.
Manual Updating: If you rarely connect to the Internet, you may prefer to use Manual Updating with your McAfee product. You can manually update while connected to the Internet. To do this, select the UPDATE function from within the individual product.
TIP: Manual Updating provides you with explicit control of the updating process.

Configuration

For additional information regarding auto-inquiry and auto-update settings, please refer to on-line help.

A Product Support

BEFORE YOU CONTACT McAfee Software for technical support, locate yourself near the computer with the McAfee product installed and verify the information listed below:
• Version number of your McAfee software
TIP: From the McAfee Firewall main window select Help > About to find this information.
• Windows operating system version number
• Amount of memory (RAM)
• Complete description of the problem
• EXACT error message as on screen
• What steps were performed prior to receiving error message?
• Is the error persistent; can you duplicate the problem?
• Model name of hard disk (internal / external)
• Extra cards, boards, or hardware

How to Contact McAfee

Customer Service

To order products or obtain product information, contact the McAfee Customer Service department at (972) 308-9960 or write to the following addresses:
United States:
Network Associates
13465 Midway Road
Dallas, TX 75244
U.S.A.

International:
Network Associates International B.V.
Gatwickstraat 25
1043 GL Amsterdam
Nederland
+(31) 20 586 6100

McAfee Customer Service
P.O Box 898
7301 BC Apeldoorn
The Netherlands
NOTE: (972) 308-9960 is a telephone call to the United States of America.

www.McAfee-at-Home.com

McAfee is famous for its dedication to customer satisfaction. We have continued this tradition by making our site on the World Wide Web a valuable resource for answers to your questions about McAfee Consumer Products. We encourage you to visit us at http://www.mcafee-at-home.com and make this your first stop for all of your product support needs.
NOTE: For a status on an existing order, you may send an e-mail message to salesordersupport@nai.com.

Technical Support

For 24-hour, agent assisted support, please visit http://www.mcafeehelp.com. Our support web site offers 24-hour access to solutions to the most common support requests in our easy-to-use 3 step Answer Wizard. Additionally, you may use our advanced options, which include a Keyword Search and our Help Tree, which have been designed with the more knowledgeable user in mind. If a solution to your problem cannot be found, you may also access our 24-hour FREE Chat Now! and Email Express! options. Chat and E-mail will enable you to quickly reach our qualified support engineers, through the internet, at no cost. Phone support information can also be obtained from our self-help web site at: http://www.mcafeehelp.com.
Support Forums and Telephone Contact
If you do not find what you need, try one of our automated services at the following locations.
World Wide Web: www.mcafee-at-home.com
E-commerce: http://estore.nai.com
Support web site: http://www.mcafeehelp.com
Download web site: http://www.mcafee-at-home.com/download/default.asp
CompuServe: GO MCAFEE
America Online: keyword MCAFEE
Microsoft Network: mcafee

B Common Attacks Recognized by Intrusion Detection

The following table lists attacks recognized by Firewall’s IDS, a description of each attack, and the risk factor assigned to each attack.
Attack: Back Orifice
Description: Back Orifice is a backdoor program for Windows 9x written by a group calling themselves the Cult of the Dead Cow. This backdoor allows remote access to the machine once installed, allowing the installer to run commands, get screen shots, modify the registry, and perform other operations. Client programs to access Back Orifice are available for Windows and UNIX.
Risk Factor: High

Attack: Bonk
Description: Designed to exploit an implementation error in the first Teardrop patch released by Microsoft, this attack is basically a Windows-specific variant of the original Teardrop attack.
Risk Factor: High

Attack: Fraggle
Description: This attack is a UDP variant of the Smurf attack. By sending a forged UDP packet to a particular port on a broadcast address, systems on the “amplifier” network will respond to the target machine with either a UDP response or an ICMP UNREACHABLE packet. This flood of incoming packets results in a denial of service attack against the target machine.
Risk Factor: High

Attack: IP Spoofing
Description: IP spoofing involves sending data with a falsified return IP address. There is nothing inherently dangerous about spoofing a source IP address, but this technique can be used in conjunction with others to carry out attacks such as TCP session hijacking, or to obscure the source of denial of service attacks (SYN flood, PING flood, etc.).
Risk Factor: Medium

Attack: Jolt
Description: A remote denial of service attack using specially crafted ICMP packet fragments. May cause slowdowns or crashes on target systems.
Risk Factor: High

Attack: Jolt2
Description: A remote denial of service attack similar to Jolt that uses specially crafted ICMP or UDP packet fragments. May cause slowdowns or crashes on target systems.
Risk Factor: High

Attack: Land
Description: This attack is performed by sending a TCP packet to a running service on the target host, with a source address of the same host. The TCP packet is a SYN packet, used to establish a new connection, and is sent from the same TCP source port as the destination port. When accepted by the target host, this packet causes a loop within the operating system, essentially locking up the system.
Risk Factor: High

Attack: Nestea
Description: This attack relies on an error in calculating sizes during packet fragment reassembly. In the reassembly routine of vulnerable systems, there was a failure to account for the length of the IP header field. By sending carefully crafted packets to a vulnerable system, it is possible to crash the target.
Risk Factor: High

Attack: Ping Flood
Description: This attack involves sending very large numbers of ICMP ECHO (PING) requests to the host under attack. This attack is particularly effective when the attacker has a faster network connection than the victim.
Risk Factor: High

Attack: Ping of Death
Description: With this attack, a remote user can cause your system to reboot or panic by sending it an oversized PING packet. This is done by sending a fragmented packet larger than 65536 bytes in length, causing the remote system to incorrectly process the packet. The result is that the remote system will reboot or panic during processing.
Risk Factor: High

Attack: Port Scanning
Description: While not an attack in and of itself, a port scan often indicates that an attacker has begun looking at your system for potential weaknesses. A port scan consists of checking every TCP and/or UDP port to see what services (and hence, what vulnerabilities) might be present.
Risk Factor: Low

Attack: Smurf
Description: This attack is carried out by sending an ICMP ECHO REQUEST (PING) packet with a forged source address matching that of the target system. This packet is sent to “amplifier” networks (networks that allow sending packets to the broadcast address) so that every machine on the amplifier network will respond to what they think is a legitimate request from the target. As a result, the target system is flooded with ICMP ECHO REPLY messages, causing a denial of service attack.
Risk Factor: High

Attack: SYN Flood
Description: This attack can be used to completely disable your network services by flooding them with connection requests. This will fill the queue which maintains a list of unestablished incoming connections, forcing it to be unable to accept additional connections.
Risk Factor: High

Attack: Teardrop
Description: On vulnerable systems, it is possible to take advantage of a flaw in the way the TCP/IP stack handles fragmented packet reassembly to consume available memory resources. By sending a specially crafted IP datagram, this attack can cause many operating systems to hang or reboot.
Risk Factor: High

Attack: UDP Flood
Description: A remote denial of service attack designed to flood the target machine with more data than it can process, thereby preventing legitimate connections from being established.
Risk Factor: High

Machine is inaccessible via TCP/IP.
Occurs when machine is put to sleep and then awakened. Make sure that “Load Only When Needed” is not checked in the TCP/IP control panel. Then TCP/IP is loaded all the time, allowing Firewall to function while the machine is asleep.
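The Land and Ping of Death patterns from the table above, checked per packet and combined with the timed blocking of attackers from the IDS settings, as an added example that is not McAfee's code. The packets are constructed sample bytes, and the function names, the BlockList class and the 65535-byte limit (the largest size the 16-bit IPv4 total-length field can describe) are assumptions of this sketch.

```python
import socket
import struct

MAX_IP_DATAGRAM = 65535   # 16-bit IPv4 total-length field: largest legal datagram
PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_ACK = 0x02, 0x10
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def build_ipv4(src, dst, proto, payload, frag_offset_units=0):
    """Constructed sample packet (checksum left at 0; never sent anywhere)."""
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0x1234,
                       frag_offset_units & 0x1FFF, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header with the given ports and flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def classify(packet):
    """Return the names of the attack patterns one received IPv4 packet matches."""
    if len(packet) < 20:
        return ["Malformed"]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        return ["Malformed"]
    frag_offset = (flags_frag & 0x1FFF) * 8      # offset is carried in 8-byte units
    payload = packet[ihl:total_len]
    events = []
    # Ping of Death: this fragment would end beyond the largest legal datagram,
    # so reassembly would overflow a buffer sized for 65535 bytes.
    if ihl + frag_offset + len(payload) > MAX_IP_DATAGRAM:
        events.append("Ping of Death" if proto == PROTO_ICMP else "Oversized fragment")
    # Land: a SYN whose source address and port equal its destination address and port.
    if proto == PROTO_TCP and frag_offset == 0 and len(payload) >= 14:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13]
        if src == dst and sport == dport and flags & TCP_SYN and not flags & TCP_ACK:
            events.append("Land")
    return events


class BlockList:
    """Blocked sender addresses; minutes=None means block 'until removed'."""

    def __init__(self):
        self._expiry = {}

    def block(self, ip, now, minutes=None):
        self._expiry[ip] = None if minutes is None else now + minutes * 60

    def remove(self, ip):
        self._expiry.pop(ip, None)

    def is_blocked(self, ip, now):
        if ip not in self._expiry:
            return False
        expires = self._expiry[ip]
        if expires is not None and now >= expires:
            del self._expiry[ip]                 # timed block has run out
            return False
        return True


def inspect(packet, blocklist, now, block_minutes=None):
    """Apply the block list, then the pattern checks; block the sender on a match."""
    src = socket.inet_ntoa(packet[12:16]) if len(packet) >= 20 else None
    if src and blocklist.is_blocked(src, now):
        return "dropped (sender blocked)", []
    events = classify(packet)
    # A Land packet carries the local host's own address as its source, so
    # blocking that source would cut the host off from itself.
    if events and src and "Land" not in events and "Malformed" not in events:
        blocklist.block(src, now, block_minutes)
    return ("alert" if events else "allowed"), events
```

Because source addresses can be forged (see IP Spoofing in the table), a block placed on the apparent sender of a single packet is a convenience, not proof of who sent it.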

Glossary

Address
A data field in a packet header that specifies either the sender or the intended receiver of the packet. Note that computers can often see data packets that are not intended for them.
Administrator
The person responsible for handling computer configurations as well as support.
Allow/Block (packets)
The action to take on a packet. Block means the packet is not sent/received. Allow means it is sent/received.
ARP
Address Resolution Protocol.
Authentication
The property of verifying that a person or system is who or what it claims to be. This can be achieved via Virtual Private Networks.
BO
Short for "Back Orifice", a trojan remote control program. This program is designed to illustrate the serious security breaches that are possible when using the Windows operating systems. It has been used to cause a lot of mischief and damage. BO's default setup is to listen on UDP port 31337.
BRKill
An attack program that exploits the security implementation weakness of Microsoft's TCP/IP. Starting with the IP address and a good guess of a TCP connection running (particularly on IRC or using PPTP), the attack finds the TCP packet sequence numbers and then attempts to close the connection by spoofing a "disconnect" packet.
Broadcast (networks)
A message addressed to all computers on a specified subnetwork.
Button
An item on a window that when pressed, causes an action to be performed. Usually by clicking the mouse button when the cursor is on it.
Connection
A method of data exchange that allows a reliable transfer of data between two computers.
Cookies
A file placed on your hard drive by a Web site you visit. The original intent is for cookies to contain information about your preferences, so they can tailor the appearance according to your needs. This saves time when you visit the site the next time.
The security risk with cookies is that, since they are written directly to the hard drive, they can store something dangerous (e.g., virus) or private (e.g., password). There is also concern that one Web site can get a cookie created by another Web site. It appears that cookies cannot be used to get other data from a user's hard drive (e.g., applications used, database, address book, personal files, etc.). Cookies can also be used to track where a user has been within a Web site.
Netscape Navigator can be set to prompt you whether or not you want to accept a cookie. It is recommended that you do not accept cookies unless you have a reason for doing so.
datagram
A single, unsequenced packet. UDP is a datagram-based protocol.
Default
The configuration and behavior on installation, before any changes are made.
DHCP
Dynamic Host Configuration Protocol.
Dialog Box
A window used to help the user enter information.
DNS
Domain Name Service, a service for mapping computer names to their IP addresses.
Email
Electronic mail, a method of sending messages to other people via computer networks.
Ephemeral (port)
Used temporarily, in the range 1024-5000. In McAfee Firewall, this range is called the "Temporary Range".
Ethernet
The most common type of local area network (LAN).
Fileshare
A file system resource that is available through a network connection. System uses UDP broadcasts to announce its presence on a network and 'listens' to see who is out there. This is considered appropriate in a trusted office environment, but is completely inappropriate for an Internet connection.
Filter (firewalls)
A tool used to intercept/block all incoming and outgoing network traffic. McAfee Firewall filters traffic.
finger
A service that finds information about a user.
Firewall
A service that controls the transfer of data between computers. This includes the surrounding network. The firewall is responsible for filtering all packets and often provides proxy services to protect internal computers. McAfee Firewall is not a traditional firewall, but it does protect your PC in this fashion.
FTP
File Transfer Protocol, a high-level protocol for file transfer.
GRE
Generic Routing Encapsulation. The PPTP uses this protocol.
Hacker
There are many definitions. The one used here is a person who misuses computer resources, often finding or damaging information.
HTTP
Hypertext Transfer Protocol, a powerful tool used primarily for browsing the World Wide Web.
HTTPS
Secure HTTP. This is a variation of HTTP that uses encryption to add privacy.
ICMP
Internet Control Message Protocol, a maintenance protocol that handles error messages and helps network debugging. ICMP is carried in IP packets.
ICMP is easily abused and has become a serious annoyance to IRC chatgroup users. Because other users can find out information about you, such as your IP address, they can easily send false ICMP messages to your system, causing it to promptly drop your IRC connection.
ICQ
An Internet service that helps people find each other and share information. ICQ has been found to have security weaknesses.
Identification
A service that provides user information to be used on another system, so they can try to verify your identity. If you block it, other systems (such as email servers) may refuse you their services.
This service is also known as "ident" or "auth".
inbound packet
A packet arriving from a remote computer or network.
IP
The essential network protocol of the Internet. It supports TCP, UDP, ICMP and many others. McAfee Firewall filters TCP, UDP and ICMP, and System Settings allow you to allow or block the remaining protocols.
IPX
Network protocol, most commonly used by Novell. It supports SPX. Also, it can be tunneled over IP. McAfee Firewall can block IPX and other non-IP protocols.
IRC
Internet Relay Chat. A service that lets people on the Internet share a typed conversation. Whatever a person typed is sent to other people in the "chat group". The risk here is that people might become hostile and try to "nuke" you or send you unpleasant email. Consider NetNanny to screen the messages that are sent in IRC.
ISDN
Integrated Services Digital Network
ISP
Internet Service Provider, the company that sells you access to the Internet.
Listening
TCP connections are made to a "listening" port that is ready to accept an incoming connection.
Local (address or port)
Refers to your machine, as opposed to a remote machine.
Log File
A record kept to track activity. The log file helps monitor what connections your computer has made and where unauthorized access (may have) originated.
Menu
A list of commands that are available. If a command is in gray, it is not available.
Message Box
A message window that appears briefly to provide information to the user.
Modem
A device that sends and receives data over a connection, most commonly over a telephone line, cable, ADSL or ISDN.
NetBEUI
NetBIOS Extended User Interface. A local-area protocol that operates underneath the NetBIOS interface. McAfee Firewall does not currently filter NetBEUI. To allow it, you must allow all non-IP protocols.
NetBIOS
A protocol that supports file and print sharing. This protocol can be carried over TCP and UDP or IPX or NetBEUI. You can select "allow me to reach other system's shares", or "allow others to reach my shares".
NetBus
A program designed to perform installation without the user knowing about it and allow remote control of the system, including keyboard logging and file access. NetBus uses TCP ports 12345 and 12346 by default.
Netware-IP
A Netware protocol sent using the IP protocol.
Network
A channel used to support communication between computers, e.g. Ethernet or Internet.
Network Device
A hardware computer component that connects your computer to a network, such as Ethernet or Internet.
News (NNTP)
A service available through most ISPs where thousands of newsgroups discuss specific topics, and users may post relevant articles. Remember that anything you post will be archived permanently and can be retrieved at websites such as www.deja.com. Also, if you post using your real email address, you WILL receive an unending stream of "spam" (junk email).
ntp
Network Time Protocol, a service that supplies the time.
Operating System
The low-level program that supports the running of all other programs on a computer. OS/2, Linux and Windows are operating systems.
outbound packet
A packet leaving your computer or network to a remote destination.
Packet
A block of data sent over a communication medium, such as the Internet.
Packet Filter
A function of a firewall that checks inbound and outbound packets, and allows or blocks them, depending on predefined rules.
Password
A secret character sequence used for authentication. Passwords can be stolen by trojans such as BO and NetBus. For better security, consider token-based authentication or one-time passwords.
Phone Book
A set of dial-up services available on your system (look on your system for Dial-Up Networking).
ping
An ICMP-based service used to verify the availability of computers on a network.
POP2
Post Office Protocol, version 2. Used to transfer email.
POP3
Post Office Protocol, version 3. Used to transfer email.
Port
A number used by protocols such as TCP and UDP to identify a communication instance.
PPP
Point-to-Point Protocol, a low-level protocol used to transport higher-level protocols such as IP.
PPPoE
PPP over Ethernet
PPTP
Point-to-Point Tunneling Protocol
Printshare
A printer resource available through a network connection.
Protocol
A standardized method of communication, e.g. IP.
RARP
Reverse Address Resolution Protocol, an Ethernet protocol used to resolve IP addresses.
RAS
Remote Access Service, a service that supports dial-up connections.
Remote (address or port)
Refers to another machine you might communicate with, as opposed to your (local) machine.
RIP
Routing Information Protocol, a UDP-based protocol used to send routing information to systems on a network.
Service
An application or function often considered part of the operating system.
SLIP
Serial Line Internet Protocol, a predecessor to PPP.
SMTP
Simple Mail Transfer Protocol, a popular email protocol.
SNMP
Simple Network Management Protocol. A protocol used to manage networks and routing.
SPX
Sequenced Packet Exchange, a connection-based IPX protocol
TCP
A connection-based Internet Protocol carried in IP packets. Examples of TCP-based applications and services are FTP, web browsing, email, and IRC.
Telnet
A TCP-based service that supports remote logins (usually to UNIX systems). With telnet, you are sending your username and password over a network and they may be stolen by someone and used to break in. Consider a VPN for privacy.
tftp
Trivial file transfer protocol, a UDP-based file transfer protocol. tftp is a security risk because it involves no interaction with the user - it can occur without you knowing about it.
Toggle
A setting that switches between two positions or values.
trojan
A program or piece of executable code that is transmitted without the user's knowledge, often allowing outsiders to break into or control the system.
Tunnel
Encapsulates one protocol or data stream within another. A Virtual Private Network (VPN) tunnels data by encrypting it and then encapsulating it within a protocol such as TCP (better) or UDP (worse).
UDP
A connectionless (datagram) Internet Protocol carried in IP packets. Examples of services and applications that use UDP are ICQ, DNS, NetBIOS (for broadcasts etc.) and RIP.
Virus (software)
A piece of code that works without the knowledge of the recipient. It is transmitted inside other software, can duplicate itself, spread and damage your data and/or system.
VPN
Virtual Private Network. A secure private connection, usually through an untrusted network. You can link the LANs of two offices through the Internet using a VPN, and systems in either office can access those in the other, as if they were on the same LAN. The route through the Internet is invisible. Hackers or snoopers on the Internet just see encrypted traffic and cannot get your private information.
Another configuration of a VPN is "client/server", where computers, such as laptop PCs, connect to a VPN server which gives access to a protected network. Home or mobile workers can connect to the office and have the same secure link and can access office systems.
WINS
Windows Internet Name Service, a protocol similar to DNS.
Winsock
A part of the Microsoft Windows operating systems that handles most network connections and some ICMP. It does not handle file or print shares.

For more information on products, worldwide services, and support, contact your authorized McAfee sales representative or visit us at:
Network Associates 13465 Midway Road Dallas, TX 75244 (972)-308-9960
www.mcafee-at-home.com
NAI-516-0010-1