McAfee® Host Intrusion Prevention 6.1 Product Guide
Firewall Policies
Overview
Quarantine policies and rules
When a client returns to the network after a prolonged absence, the quarantine policies
restrict its ability to communicate with the network until ePolicy Orchestrator verifies
that the client has all the latest policies, software updates, and DAT files.
Out-of-date policies and files create security holes and leave systems vulnerable to
attack. Quarantining clients until ePolicy Orchestrator has updated them avoids this
unnecessary risk. For example, a quarantine policy is useful for laptops whose policies
and files become out of date while they are away from the corporate network for a few
days.
When you enable the Quarantine Options policy, both ePolicy Orchestrator and Host
Intrusion Prevention participate. ePolicy Orchestrator detects whether a user has all
the latest information they need. Host Intrusion Prevention enforces the quarantine
until the client has all the necessary policies and files.
When you configure the Quarantine Options policy, you specify a list of quarantined IP
addresses and subnets. Any client assigned one of these addresses is quarantined by
Host Intrusion Prevention upon returning to the network. Because scoping is by address,
the list must cover the address ranges that returning clients actually receive.
When the Quarantine Options policy is applied to a client, Host Intrusion Prevention
uses the ePolicy Orchestrator agent to determine whether the client has the most recent
policies and files. This involves checking whether all ePolicy Orchestrator tasks have
run properly.
If the user is up-to-date, Host Intrusion Prevention immediately releases the client from
quarantine.
If one or more ePolicy Orchestrator tasks have not run, however, the client is not
up-to-date and Host Intrusion Prevention does not automatically release the quarantine.
The client could remain quarantined for a few minutes while the ePolicy Orchestrator
agent updates policies and files. Whether Host Intrusion Prevention then continues or
stops the quarantine is determined by settings in the Quarantine Options policy. If you
configure Host Intrusion Prevention to continue enforcing the quarantine, a client whose
tasks keep failing could remain quarantined for a prolonged period.
While the quarantine is in effect, Host Intrusion Prevention enforces a strict set of
firewall quarantine rules that define which hosts and services quarantined clients can
communicate with. At a minimum, these rules must allow the ePolicy Orchestrator agent
to reach the ePolicy Orchestrator server and its update repository; otherwise the agent
cannot fetch the policies and files that end the quarantine.
Note
Host Intrusion Prevention enforces quarantine for all ePolicy Orchestrator-managed
products, not only for its own tasks. If you use ePolicy Orchestrator to manage clients
with VirusScan Enterprise, Host Intrusion Prevention quarantines any returning client on
which a VirusScan Enterprise task fails to run; for example, if an update task fails to
deliver the latest DAT files.
Note
If users connect to the network over VPN software, make sure the quarantine rules allow
all traffic required both to connect and to authenticate over the VPN; otherwise a
quarantined client cannot establish the VPN session at all, so it never reaches
ePolicy Orchestrator to be updated and released.
Note
Quarantine mode requires that Firewall be enabled. Even if Quarantine mode is enabled in
the policy, the quarantine does not take effect unless Firewall is also enabled.
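The following Python model walks through the decision described above (address scoping, the ePolicy Orchestrator task check, the continue/stop option, and the Firewall prerequisite) and adds the check the VPN note calls for: whether a rule set leaves the traffic an IPsec client needs to connect and authenticate. It is an added illustration written for this page, not McAfee code, and the class names, rule fields, option names, and the sample addresses, task names and IPsec ports (IKE udp/500, NAT-T udp/4500, ESP) are assumptions of the example rather than product identifiers.

```python
"""Illustrative model of the Host Intrusion Prevention quarantine decision.

Written for this page as an example; not McAfee code and not the product's
internal data model. All names and sample values below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class QuarantineOptions:
    """Assumed shape of the Quarantine Options policy."""
    enabled: bool
    firewall_enabled: bool            # quarantine has no effect unless Firewall is on
    quarantine_networks: List[str]    # IPs/subnets quarantined on return to the network
    release_on_task_failure: bool     # stop (True) or continue (False) quarantine when tasks fail


@dataclass
class QuarantineRule:
    """Assumed shape of one firewall quarantine rule (allowlist entry)."""
    protocol: str            # "tcp", "udp" or "esp"
    dst_port: Optional[int]  # None = any port (ESP has none)
    remote: str              # IP or subnet the quarantined client may reach


def in_quarantine_scope(client_ip: str, options: QuarantineOptions) -> bool:
    """True if the client's address falls in a quarantined IP or subnet."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in options.quarantine_networks)


def quarantine_state(client_ip: str, options: QuarantineOptions,
                     task_results: Dict[str, bool]) -> str:
    """Decide the client's state on return to the network.

    task_results maps each ePolicy Orchestrator task (HIP policy pull,
    VirusScan DAT update, ...) to whether the agent reports it ran properly.
    Returns 'inactive', 'not_in_scope', 'released' or 'quarantined'.
    """
    if not (options.enabled and options.firewall_enabled):
        return "inactive"            # Quarantine mode requires Firewall
    if not in_quarantine_scope(client_ip, options):
        return "not_in_scope"
    # No task report at all means the agent could not verify anything:
    # treat that as not up-to-date rather than silently releasing.
    all_tasks_ran = bool(task_results) and all(task_results.values())
    if all_tasks_ran:
        return "released"            # up-to-date: released immediately
    # At least one task failed: the policy decides whether to keep enforcing
    return "released" if options.release_on_task_failure else "quarantined"


def rule_permits(rules: List[QuarantineRule], protocol: str,
                 dst_ip: str, dst_port: Optional[int]) -> bool:
    """True if some quarantine rule allows this outbound flow."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.protocol != protocol:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if dst in ipaddress.ip_network(r.remote, strict=False):
            return True
    return False


def blocked_vpn_traffic(rules: List[QuarantineRule],
                        vpn_gateway: str) -> List[Tuple[str, Optional[int]]]:
    """Return the flows an IPsec client needs that the rules do NOT allow.

    Assumed for the example: IKE (udp/500), NAT-T (udp/4500) and ESP to the
    gateway. An empty list means the VPN can connect and authenticate.
    """
    needed = [("udp", 500), ("udp", 4500), ("esp", None)]
    return [(proto, port) for proto, port in needed
            if not rule_permits(rules, proto, vpn_gateway, port)]


if __name__ == "__main__":
    # Constructed sample policy: a VPN pool is quarantined, quarantine continues on failure
    opts = QuarantineOptions(True, True, ["10.20.0.0/16"], release_on_task_failure=False)
    print(quarantine_state("10.20.5.7", opts, {"hip_policy": True, "vse_dat_update": False}))
    rules = [QuarantineRule("udp", 500, "203.0.113.10"),
             QuarantineRule("esp", None, "203.0.113.10")]
    print(blocked_vpn_traffic(rules, "203.0.113.10"))  # NAT-T is missing
```

Run it against your own policy export by filling in the quarantined subnets, the tasks the ePolicy Orchestrator agent reports, and the rules you intend to deploy; a non-empty result from `blocked_vpn_traffic` is exactly the misconfiguration the VPN note warns about.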