McAfee M-1250 Network Protection - Page 21



CHAPTER 6
Configure policies

Your policy determines what traffic analysis your McAfee® Network Security Sensor (Sensor) will perform. McAfee® Network Security Platform provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Threat Analyzer to those which are valid and useful for your analysis.

There are two stages to this process: initial policy configuration and policy tuning. Policy tuning has a reputation for being a tedious task. However, because networks and attacks constantly evolve, the policy tuning process is never truly complete. Instead, you might equate it to a disk defragmentation: the more often you do it, the less time each check takes. The ultimate goal of policy tuning is to eliminate false positives and noise and to avoid overwhelming quantities of legitimate, but anticipated, alerts.

Tune your policies

The default McAfee Network Security Platform policy templates are provided as a generic starting point; you will want to customize one of these policies for your needs. So the first step in tuning is to clone the most appropriate policy for your network and your goals, and then customize it. (You can also edit the policy directly.) This process is involved, and is discussed in detail in the IPS Configuration Guide. Some things to remember when tuning your policies:

• We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper Network Security Platform implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks. Once properly tuned, however, they can be reduced to a rare occurrence.

• When initially deployed, Network Security Platform frequently exposes unexpected conditions in the existing network and application configuration. What may at first seem like a false positive might actually be the manifestation of a misconfigured router or Web application, for example.

• Before you begin, be aware of the network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.

• Take steps to reduce false positives and noise from the start. If you allow a large number of "noisy" alerts to continue to sound on a very busy network, parsing and pruning the database can quickly become cumbersome tasks. It is preferable to all parties involved to put energy into preventing false positives rather than into working around them. One method is to disable all alerts that are obviously not applicable to the hosts you will protect. For example, if you use only Apache Web servers, you may wish to disable IIS-related attacks.
13