McAfee HISCDE-AB-IA Product Guide - Page 11
Introducing Host Intrusion Prevention

Host IPS policy tracking and tuning is permitted when clients are placed in adaptive mode. In adaptive mode, client rules are created without interaction from the user. After client rules are created, you need to analyze them carefully and decide which to convert to server-mandated policies.

Often in a large organization, avoiding disruption to business takes priority over security concerns. For example, new applications might need to be installed periodically on some computers, and you might not have the time or resources to tune them immediately. Host Intrusion Prevention enables you to place specific computers in adaptive mode for IPS protection. Those computers can profile a newly installed application and forward the resulting client rules to the ePolicy Orchestrator server. The administrator can promote these client rules to an existing or new policy, then apply the policy to other computers to handle the new software. Systems in adaptive mode have virtually no protection, so adaptive mode should be used only for tuning an environment and eventually turned off to tighten the system's protection.

Tuning

As part of Host Intrusion Prevention deployment, you need to identify a small number of distinct usage profiles and create policies for them. The best way to achieve this is to set up a test deployment, then begin reducing the number of false positives and generated events. This process is called tuning.

Stronger IPS rules target a wider range of violations and generate more events than in a basic environment. If you apply advanced protection, McAfee recommends using the IPS Protection policy to stagger the impact. This entails mapping each of the severity levels (High, Medium, Low, and Information) to a reaction (Prevent, Log, Ignore). If you initially set all severity reactions except High to Ignore, only the High severity signatures are applied. The other levels can be raised incrementally as tuning progresses.
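An added example, not code from the McAfee guide, that models the staged tuning described above together with the exception rules and trusted applications listed below. The evaluation precedence (trusted application, then exception rule, then severity reaction), the one-notch escalation order Ignore, Log, Prevent, and the sample events are all assumptions made for the illustration.

```python
from collections import Counter

SEVERITIES = ["High", "Medium", "Low", "Information"]
ESCALATION = ["Ignore", "Log", "Prevent"]  # assumed order: each tuning step raises one notch

def initial_policy():
    """Starting point from the guide: only High is enforced, every other level is Ignore."""
    return {"High": "Prevent", "Medium": "Ignore", "Low": "Ignore", "Information": "Ignore"}

def raise_level(policy, severity):
    """Return a copy of the policy with one severity raised one notch (Ignore -> Log -> Prevent)."""
    raised = dict(policy)
    idx = ESCALATION.index(policy[severity])
    raised[severity] = ESCALATION[min(idx + 1, len(ESCALATION) - 1)]
    return raised

def reaction(event, policy, exceptions=(), trusted_apps=()):
    """Decide the client's reaction to one IPS event.
    Assumed precedence: trusted application, then exception rule, then severity reaction."""
    if event["process"] in trusted_apps:
        return "Ignore"  # trusted applications ignore all IPS rules
    for exc in exceptions:
        if exc["signature"] == event["signature"] and exc["process"] == event["process"]:
            return "Ignore"  # exception overrides this signature for this process only
    return policy[event["severity"]]

def summarize(events, policy, exceptions=(), trusted_apps=()):
    """Count reactions over a batch of test-deployment events to gauge false-positive load."""
    return Counter(reaction(e, policy, exceptions, trusted_apps) for e in events)

# Constructed sample events; signature numbers and process names are placeholders, not real IDs.
EVENTS = [
    {"signature": 1001, "severity": "High", "process": "unknown.exe"},
    {"signature": 2002, "severity": "Medium", "process": "backup.exe"},
    {"signature": 2002, "severity": "Medium", "process": "backup.exe"},
    {"signature": 3003, "severity": "Low", "process": "updater.exe"},
    {"signature": 4004, "severity": "Information", "process": "explorer.exe"},
]

if __name__ == "__main__":
    stage0 = initial_policy()
    print("stage 0:", summarize(EVENTS, stage0))          # only the High event is prevented
    stage1 = raise_level(stage0, "Medium")                 # Medium now logs instead of ignoring
    print("stage 1:", summarize(EVENTS, stage1))
    exc = [{"signature": 2002, "process": "backup.exe"}]   # known-benign app: add an exception rule
    print("stage 1 + exception:", summarize(EVENTS, stage1, exc))
    print("stage 1 + trusted:", summarize(EVENTS, stage1, trusted_apps={"backup.exe"}))
```

Running the stages back to back shows why the guide recommends adding an exception rule for a recurring benign signature before raising that severity level further.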
You can reduce the number of false positives by creating exception rules, trusted applications, and firewall rules.

• Exception rules are mechanisms for overriding an IPS signature in specific circumstances.
• Trusted applications are application processes that ignore all IPS or Firewall rules.
• Firewall rules determine whether traffic is permissible: they block packet reception, and allow or block packet transmission.

Dashboards and queries

Dashboards enable you to track your environment by displaying several queries at once. These queries can be refreshed constantly or run at a specified frequency. Queries enable you to obtain data about a particular item and filter it for specific subsets of that data; for example, high-level events reported by particular clients for a specified time period. Reports can be scheduled and sent as an email message.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 11