McAfee HISCDE-AB-IA Product Guide - Page 31
Signatures, Host IPS signatures
Configuring IPS Policies
Overview of IPS policies

SQL database signatures implement database shielding to protect the database's data files, services, and resources. In addition, they implement database enveloping to ensure that the database operates within its well-defined behavioral profile.

Signatures

Signatures are collections of intrusion prevention rules that can be matched against a traffic stream. For example, a signature might look for a specific string in an HTTP request. If the string matches one in a known attack, action is taken. These rules provide protection against known attacks. Signatures are designed for specific applications and specific operating systems; for example, web servers such as Apache and IIS. The majority of signatures protect the entire operating system, while some protect specific applications.

Host IPS signatures

Host Intrusion Prevention protection resides on individual systems such as servers, workstations, or laptops. The Host Intrusion Prevention client inspects traffic flowing into or out of a system and examines the behavior of the applications and operating system for attacks. When an attack is detected, the client can block it at the network segment connection, or can issue commands to stop the behavior initiated by the attack. For example, a buffer overflow is prevented by blocking malicious programs inserted into the address space exploited by an attack. Installation of back door programs with applications like Internet Explorer is blocked by intercepting and denying the application's "write file" command.

These signatures:
• Protect against an attack and the results of an attack, such as preventing a program from writing a file.
• Protect laptops when they are outside the protected network.
• Protect against local attacks introduced by CDs or USB devices. These attacks often focus on escalating the user's privileges to "root" or "administrator" to compromise other systems in the network.
• Provide a last line of defense against attacks that have evaded other security tools.
• Prevent internal attack or misuse of devices located on the same network segment.
• Protect against attacks where the encrypted data stream terminates at the system being protected by examining the decrypted data and behavior.
• Protect systems on obsolete or unusual network architectures such as Token Ring or FDDI.

Host Intrusion Prevention contains a large default list of host IPS signatures for all platforms. You can edit the severity level, log status, and client rule creation setting of these signatures, or add custom signatures to the list. The list of signatures is updated if needed whenever you install a content update.

Network IPS signatures

Network IPS protection also resides on individual systems. All data that flows between the protected system and the rest of the network is examined for an attack. When an attack is identified, the offending data is discarded or blocked from passing through the system.

These signatures:
• Protect systems located downstream in a network segment.
• Protect servers and the systems that connect to them.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 31
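The following added example (not McAfee code, and not the product's signature format) models the two kinds of signature the page describes: a content signature that looks for a string in an HTTP request, and a host behavior signature that intercepts an application's "write file" operation. It also shows the per-signature tuning the page mentions, editing a signature's severity and seeing its reaction change. The severity-to-reaction mapping, the signature identifiers, the patterns and all sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass, replace

# Assumed severity -> reaction mapping for this example (a simplification of
# the severity/reaction idea in the text, not McAfee's actual configuration).
REACTIONS = {"High": "prevent", "Medium": "log", "Low": "ignore"}


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str     # "High", "Medium" or "Low"; editable by the administrator
    kind: str         # "content": regex over an HTTP request line
                      # "behavior": "<process>:<operation>" host-level action
    pattern: str
    log: bool = True  # log status, also editable per signature


@dataclass(frozen=True)
class Event:
    source: str   # "http" for request text, "process" for host behavior
    data: str     # request line, or "<process>:<operation>:<target path>"


def matches(sig: Signature, event: Event) -> bool:
    """Content signatures search the request text; behavior signatures compare
    the acting process and operation of a host event."""
    if sig.kind == "content" and event.source == "http":
        return re.search(sig.pattern, event.data) is not None
    if sig.kind == "behavior" and event.source == "process":
        # maxsplit=2 keeps the drive colon inside the target path intact
        process, operation, _target = event.data.split(":", 2)
        sig_process, sig_operation = sig.pattern.split(":", 1)
        return process == sig_process and operation == sig_operation
    return False


def evaluate(signatures, events, reactions=REACTIONS):
    """Return one verdict per (event, matching signature) pair, carrying the
    reaction chosen by the signature's current severity and its log status."""
    verdicts = []
    for event in events:
        for sig in signatures:
            if matches(sig, event):
                verdicts.append({
                    "event": event.data,
                    "sig_id": sig.sig_id,
                    "name": sig.name,
                    "action": reactions[sig.severity],
                    "logged": sig.log,
                })
    return verdicts


def set_severity(signatures, sig_id, severity):
    """Return a new signature list with one signature's severity edited,
    mirroring the per-signature tuning described in the text."""
    return [replace(s, severity=severity) if s.sig_id == sig_id else s
            for s in signatures]


# Constructed sample signatures (identifiers and patterns are illustrative).
SIGNATURES = [
    Signature(1001, "HTTP request contains directory traversal string",
              "High", "content", r"\.\./\.\./"),
    Signature(1002, "Oversized HTTP request target",
              "Medium", "content", r"^[A-Z]+ \S{300,}"),
    Signature(2001, "Browser process writes a file",
              "High", "behavior", "iexplore.exe:write_file"),
]

# Constructed sample events: two HTTP request lines and two host file writes.
EVENTS = [
    Event("http", "GET /index.html HTTP/1.1"),
    Event("http", "GET /files/../../config HTTP/1.1"),
    Event("process", "iexplore.exe:write_file:C:\\Users\\demo\\Downloads\\setup.exe"),
    Event("process", "notepad.exe:write_file:C:\\Users\\demo\\notes.txt"),
]

if __name__ == "__main__":
    for v in evaluate(SIGNATURES, EVENTS):
        print(f"sig {v['sig_id']} ({v['name']}): {v['action']} -> {v['event']}")
    # Lowering signature 1001 to Medium turns its reaction from prevent to log.
    for v in evaluate(set_severity(SIGNATURES, 1001, "Medium"), EVENTS[:2]):
        print(f"after edit: sig {v['sig_id']} -> {v['action']}")
```

Only the traversal request and the browser file write produce verdicts; the plain request and the editor's file write pass through. Because the host event carries the process name, the same "write file" operation is blocked for the browser and allowed for the editor, which is the distinction the page draws between protecting the whole system and protecting a specific application.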