McAfee HISCDE-AB-IA Product Guide - Page 20
Adaptive mode, might deem certain script processing as illegal behavior, but certain systems in your
View all McAfee HISCDE-AB-IA manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 20 highlights
Managing Your Protection Policy management should see the client rules that indicate which client exception rules are being created. By analyzing this data, you begin to tune the deployment. To analyze event data, view the Events tab of the Host IPS tab under Reporting. You can drill down to the details of an event, such as which process triggered the event, when the event was generated, and which client generated the event. Analyze the event and take the appropriate action to tune the Host Intrusion Prevention deployment to provide better responses to attacks. The Events tab displays all Host IPS events, including NIPS, Firewall intrusions, and TrustedSource block events. To analyze client rules, view the IPS Client Rules and Firewall Client Rules tabs. You can see which rules are being created, aggregate them to find the most prevalent common rules, and move the rules directly to a policy for application to other clients. In addition, the ePolicy Orchestrator Reporting module provides detailed reports based on events, client rules, and the Host Intrusion Prevention configuration. Use these queries to communicate environment activity to other members of your team and management. Adaptive mode A major element in the tuning process includes placing Host Intrusion Prevention clients in adaptive mode for IPS and Firewall. This mode allow computers to create client exception rules to administrative policies. Adaptive mode does this automatically without user interaction. This mode analyzes events first for the most malicious attacks, such as buffer overflow. If the activity is considered regular and necessary for business, client exception rules are created. By setting representative clients in adaptive mode, you can create a tuning configuration for them. Host Intrusion Prevention then allows you to take any, all, or none of the client rules and convert them to server-mandated policies. When tuning is complete, turn off adaptive mode to tighten the system's intrusion prevention protection. • Run clients in adaptive mode for at least a week. This allows the clients time to encounter all the activity they would normally encounter. Try to do this during times of scheduled activity, such as backups or script processing. • As each activity is encountered, IPS events are generated and exceptions are created. Exceptions are activities that are distinguished as legitimate behavior. For example, a policy might deem certain script processing as illegal behavior, but certain systems in your engineering groups need to perform such tasks. Allow exceptions to be created for those systems, so they can function normally while the policy continues to prevent this activity on other systems. Then make these exceptions part of a server-mandated policy to cover only the engineering group. • You might require software applications for normal business in some areas of the company, but not in others. For example, you might allow Instant Messaging in your Technical Support organization, but prevent its use in your Finance department. You can establish the application as trusted on the systems in Technical Support to allow users full access to it. • The Firewall feature acts as a filter between a computer and the network or the Internet. The firewall scans all incoming and outgoing traffic at the packet level. As it reviews each arriving or departing packet, the firewall checks its list of firewall rules, which is a set of criteria with associated actions. If a packet matches all the criteria in a rule, the firewall performs the action specified by the rule - which allows the packet through the firewall, or blocks it. 20 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5