McAfee M-1250 Network Protection - Page 21
CHAPTER 6 Configure policies

Your policy determines what traffic analysis your McAfee® Network Security Sensor (Sensor) will perform. McAfee® Network Security Platform provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Threat Analyzer to those which are valid and useful for your analysis. There are two stages to this process: initial policy configuration and policy tuning.

Policy tuning is widely regarded as a tedious task. Moreover, because networks and attacks constantly evolve, the policy tuning process is never truly complete. Instead, you might equate it to disk defragmentation: the more often you do it, the less time each pass takes. The ultimate goal of policy tuning is to eliminate false positives and noise, and to avoid overwhelming quantities of legitimate but anticipated alerts.

Tune your policies

The default McAfee Network Security Platform policy templates are provided as a generic starting point; you will want to customize one of these policies for your needs. So the first step in tuning is to clone the most appropriate policy for your network and your goals, and then customize it. (You can also edit the policy directly.) This process is involved, and is discussed in detail in the IPS Configuration Guide.

Some things to remember when tuning your policies:

• We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper Network Security Platform implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence.

• When initially deployed, Network Security Platform frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example.

• Before you begin, know the network topology and the hosts in your network, so you can configure the policy to detect the correct set of attacks for your environment.

• Take steps to reduce false positives and noise from the start. If you allow a large number of "noisy" alerts to keep firing on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable for all parties involved to put energy into preventing false positives rather than into working around them. One method is to disable all alerts that are obviously not applicable to the hosts you will protect. For example, if you use only Apache Web servers, you may wish to disable IIS-related attacks.