McAfee HISCDE-AB-IA Product Guide - Page 19

Clients and planning your deployment, Client data and what it tells

Get McAfee HISCDE-AB-IA - Host Intrusion Prevention PDF manuals and user guides View all McAfee HISCDE-AB-IA manuals
Add to My Manuals
Save this manual to your list of manuals

Page 19 highlights

Managing Your Protection Policy management • For IPS protection, monitor events for false positives and create exceptions or trusted applications to prevent these events from reoccurring. • For firewall protection, monitor network traffic and add trusted networks to allow appropriate network traffic. • Monitor the effects of the new exceptions, trusted applications, and trusted networks. • If these rules succeed in preventing false positives, keeping network traffic to a minimum, and allowing legitimate activity, make them part of a new or existing policy. • Apply the new policy to a set of computers and monitor the results. • Repeat this process with each production group type. Automatic tuning Automatic tuning removes the need to constantly monitor all events and activities for all users. • Apply adaptive mode for IPS and Firewall policies. • In adaptive mode, IPS events are not triggered and activity is not blocked, except for malicious exploits. Client rules are created automatically to allow legitimate activity. • Review the lists of client rules. • Promote appropriate client rules to administrative policy rules. • After a few weeks, turn off the adaptive mode. • Monitor the test group for a few days to be sure the policy settings are appropriate and offer the desired protection. • Repeat this process with each production group type. Clients and planning your deployment The Host Intrusion Prevention client is the essential component providing protection. When deploying clients, we recommend a phased approach: • Determine your initial client rollout plan. Although you can deploy Host Intrusion Prevention clients to every host (servers, desktops, and laptops) in your company, McAfee recommends that you start by installing clients on a limited number of representative systems and tuning their configuration. After you have fine-tuned the deployment, you can then deploy more clients and leverage the policies, exceptions, and client rules created in the initial rollout. • Establish a naming convention for your clients. Clients are identified by name in the System Tree, in certain reports, and in event data generated by activity on the client. Clients can take the names of the hosts where they are installed, or you can assign a specific client name during installation. McAfee recommends establishing a naming convention for clients that is easy to interpret by anyone working with the Host Intrusion Prevention deployment. • Install the clients. Clients can be installed with a default set of IPS and firewall policies. New policies with updated rules can later be pushed from the server. • Group the clients logically. Clients can be grouped according to any criteria that fits in the System Tree hierarchy. For example, you might group clients according to their geographic location, corporate function, or the characteristics of the system. Client data and what it tells you After you install and group your clients, the deployment is complete. You should begin to see events triggered by activity on the clients. If you have placed clients in adaptive mode, you McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 19

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
For IPS protection, monitor events for false positives and create exceptions or trusted
applications to prevent these events from reoccurring.
For firewall protection, monitor network traffic and add trusted networks to allow appropriate
network traffic.
Monitor the effects of the new exceptions, trusted applications, and trusted networks.
If these rules succeed in preventing false positives, keeping network traffic to a minimum,
and allowing legitimate activity, make them part of a new or existing policy.
Apply the new policy to a set of computers and monitor the results.
Repeat this process with each production group type.
Automatic tuning
Automatic tuning removes the need to constantly monitor all events and activities for all users.
Apply adaptive mode for IPS and Firewall policies.
In adaptive mode, IPS events are not triggered and activity is not blocked, except for
malicious exploits. Client rules are created automatically to allow legitimate activity.
Review the lists of client rules.
Promote appropriate client rules to administrative policy rules.
After a few weeks, turn off the adaptive mode.
Monitor the test group for a few days to be sure the policy settings are appropriate and offer
the desired protection.
Repeat this process with each production group type.
Clients and planning your deployment
The Host Intrusion Prevention client is the essential component providing protection. When
deploying clients, we recommend a phased approach:
Determine your initial client rollout plan
. Although you can deploy Host Intrusion
Prevention clients to every host (servers, desktops, and laptops) in your company, McAfee
recommends that you start by installing clients on a limited number of representative systems
and tuning their configuration. After you have fine-tuned the deployment, you can then
deploy more clients and leverage the policies, exceptions, and client rules created in the
initial rollout.
Establish a naming convention for your clients
. Clients are identified by name in the
System Tree, in certain reports, and in event data generated by activity on the client. Clients
can take the names of the hosts where they are installed, or you can assign a specific client
name during installation. McAfee recommends establishing a naming convention for clients
that is easy to interpret by anyone working with the Host Intrusion Prevention deployment.
Install the clients
. Clients can be installed with a default set of IPS and firewall policies.
New policies with updated rules can later be pushed from the server.
Group the clients logically
. Clients can be grouped according to any criteria that fits in
the System Tree hierarchy. For example, you might group clients according to their geographic
location, corporate function, or the characteristics of the system.
Client data and what it tells you
After you install and group your clients, the deployment is complete. You should begin to see
events triggered by activity on the clients. If you have placed clients in adaptive mode, you
Managing Your Protection
Policy management
19
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5