McAfee HISCDE-AB-IA Product Guide - Page 39
How IPS signatures work, Medium, Information, Host IPS signatures
View all McAfee HISCDE-AB-IA manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 39 highlights
Configuring IPS Policies Define IPS protection • Marking an application as Trusted for IPS or Firewall takes precedence even if the same application is not marked as Trusted for that feature in another assigned Trusted Applications policy. How IPS signatures work Signatures describe security threats, attack methodologies, and network intrusions. Each signature has a default severity level, which describes the potential danger of an attack: • High - Signatures that protect against clearly identifiable security threats or malicious actions. Most of these signatures are specific to well-identified exploits and are mostly non-behavioral in nature. They should be prevented on every host. • Medium - Signatures that are behavioral in nature and deal with preventing applications from operating outside of their environment (relevant for clients protecting web servers and Microsoft SQL Server 2000). On critical servers, you might want to prevent those signatures after fine-tuning. • Low - Signatures that are behavioral in nature and shield applications. Shielding means locking down application and system resources so that they cannot be changed. Preventing these signatures increases the security of the underlying system, but requires additional fine-tuning. • Information - Indicates a modification to the system configuration that might create a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack. Types of signatures The IPS Rules policy can contain three types of signatures: • Host IPS signatures - Default host intrusion prevention signatures. • Custom IPS signatures - Custom host intrusion prevention signatures that you create. • Network IPS signatures - Default network intrusion prevention signatures. Host IPS signatures Host-based intrusion prevention signatures detect and prevent system operations activity attacks, and includes File, Registry, Service, and HTTP rules. They are developed by the Host Intrusion Prevention security experts and are delivered with the product and with content updates. Each signature has a description and a default severity level. With appropriate privilege levels, an administrator can modify the severity level of a signature. When triggered, host-based signatures generate an IPS event that appears in the Events tab of the Host IPS tab under Reporting. Custom IPS signatures Custom signatures are host-based signatures that you can create for protection beyond the default protection. For example, when you create a new folder with important files, you can create a custom signature to protect it. NOTE: You cannot create network-based custom signatures. McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 39