McAfee HISCDE-AB-IA Product Guide - Page 35
Set the reaction for IPS signatures, Policy selections
Configuring IPS Policies
Set the reaction for IPS signatures

Task

For option definitions, click ? in the interface.

1 Click Menu | Policy | Policy Catalog and select Host Intrusion Prevention:IPS in the Product list and IPS Options in the Category list. The list of policies appears.
2 In the IPS Options policy list, click Edit under Actions to change the settings for a custom policy.
  NOTE: For editable policies, other options include: Rename, Duplicate, Delete, and Export. For non-editable policies, options include View and Duplicate.
3 In the IPS Options page that appears, make any needed changes, including status, startup, and network IPS settings, then click Save.

Set the reaction for IPS signatures

The IPS Protection policy sets the protective reaction for signature severity levels. These settings instruct clients what to do when an attack or suspicious behavior is detected.

Each signature has one of four severity levels:

• High - Signatures of clearly identifiable security threats or malicious actions. These signatures are specific to well-identified exploits and are mostly non-behavioral in nature. Prevent these signatures on every system.
• Medium - Signatures of behavioral activity where applications operate outside their envelope. Prevent these signatures on critical systems, as well as on web servers and SQL servers.
• Low - Signatures of behavioral activity where applications and system resources are locked and cannot be changed. Preventing these signatures increases the security of the underlying system, but additional fine-tuning is needed.
• Information - Signatures of behavioral activity where applications and system resources are modified and might indicate a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
These severity levels indicate potential danger to a system and enable you to define specific reactions for different levels of potential harm. You can modify the severity levels and reactions for all signatures. For example, when suspicious activity is unlikely to cause damage, you can select ignore as the reaction. When an activity is likely to be dangerous, you can set prevent as the reaction.

Policy selections

This policy category contains six preconfigured policies and an editable My Default policy, based on the McAfee Default policy. You can view and duplicate preconfigured policies; you can create, edit, rename, duplicate, delete, and export custom policies. Preconfigured policies include:

Table 6: IPS Protection policies

Name                                 Function
Basic Protection (McAfee Default)    Prevent high-severity signatures and ignore the rest.
Enhanced Protection                  Prevent high- and medium-severity signatures and ignore the rest.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 35