Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Introducing Host Intrusion Prevention 7.0
Policy tracking and tuning

Prevention you can divide administrative duties based on product features, such as IPS or firewall.

Deploying Host Intrusion Prevention to thousands of computers is easily managed because most computers fit into a few usage profiles. Managing a large deployment is reduced to maintaining a few policy rules. As a deployment grows, newly added systems should fit one or more existing profiles, and can be placed under the correct group on the System Tree.

Preset protection

Host Intrusion Prevention offers two types of protection.

Basic protection is available through the McAfee Default policy settings. This "out-of-the-box" protection requires no tuning and generates few events. Clients can be initially deployed on a large scale, even before you tune the deployment. For many environments this basic protection may be sufficient.

Advanced protection is also available from some preconfigured IPS and firewall policies or by creating custom policies. Servers, for example, need stronger protection than that offered in basic protection.
Adaptive and learn mode

To further tune protection settings, Host Intrusion Prevention clients can create client-side rules to server-mandated policies that block legitimate activity. The automatic creation of client rules is permitted when clients are placed in adaptive or learn mode. In adaptive mode, available for IPS, Firewall, and Application Blocking features, client rules are created without interaction from the user. In learn mode, available for Firewall and Application Blocking features, the user responds to alerts, indicating whether or not to create a client rule.

After client rules are created, you can analyze them and decide which, if any, to convert to server-mandated policies. Adaptive and learn modes can be turned off at any time to tighten the system's protection.

Often in a large organization, avoiding disruption to business takes priority over security concerns. For example, new applications may need to be installed periodically on some computers, and you may not have the time or resources to immediately tune them. Host Intrusion Prevention enables you to place specific computers in adaptive mode for IPS protection. Those computers will profile a newly installed application, and forward the resulting client rules to the ePolicy Orchestrator server. The administrator can promote these client rules to an existing or new policy, then apply the policy to other computers to handle the new software.

Tuning

As part of Host Intrusion Prevention deployment, you need to identify a small number of distinct usage profiles and create policies for them. The best way to achieve this is to set up a test deployment, then begin reducing the number of false positives and generated events. This process is called tuning.

Stronger IPS rules, for example, target a wider range of violations, and generate more events than in a basic environment. If you apply advanced protection, McAfee recommends using the IPS Protection policy to stagger the impact. This entails mapping each of the severity levels (High, Medium, Low, and Information) to a reaction (Prevent, Log, Ignore). By initially setting all severity reactions except High to Ignore, only the High severity signatures will be applied. The other levels can be raised incrementally as tuning progresses.
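The staged approach above can be modelled to see how event volume grows as each severity level is raised. The following is an added illustration, not McAfee code and not how the IPS Protection policy is stored in ePolicy Orchestrator: the four severity levels and three reactions are the guide's, while the sample signature hits, the signature names, the `stage_up` helper and the assumption that Prevent and Log both raise an event (and Ignore raises none) are constructed here.

```python
"""Model of staged IPS Protection policy tuning (added example, not product code).

Severity levels and reactions come from the product guide. Signature names,
the sample hit list and the Ignore -> Log -> Prevent stepping are assumptions
made for this illustration.
"""

SEVERITIES = ("High", "Medium", "Low", "Information")
REACTIONS = ("Prevent", "Log", "Ignore")

# Starting point the guide recommends for advanced protection: only High
# severity signatures are enforced, every other level is ignored.
INITIAL_POLICY = {
    "High": "Prevent",
    "Medium": "Ignore",
    "Low": "Ignore",
    "Information": "Ignore",
}

# Assumed tuning order for raising one level: Ignore -> Log -> Prevent.
_NEXT_REACTION = {"Ignore": "Log", "Log": "Prevent", "Prevent": "Prevent"}


def validate_policy(policy):
    """Raise ValueError unless every severity level maps to a known reaction."""
    if set(policy) != set(SEVERITIES):
        raise ValueError("policy must map exactly the four severity levels")
    for severity, reaction in policy.items():
        if reaction not in REACTIONS:
            raise ValueError(f"{severity}: unknown reaction {reaction!r}")
    return policy


def stage_up(policy, severity):
    """Return a copy of the policy with one severity level raised one step."""
    validate_policy(policy)
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    raised = dict(policy)
    raised[severity] = _NEXT_REACTION[policy[severity]]
    return raised


def apply_policy(policy, signature_hits):
    """Sort signature hits into the reaction the policy assigns them.

    signature_hits is an iterable of (signature_name, severity) pairs, the
    kind of matches a client would report during a test deployment.
    Returns {reaction: [signature_name, ...]}.
    """
    validate_policy(policy)
    buckets = {reaction: [] for reaction in REACTIONS}
    for signature, severity in signature_hits:
        if severity not in policy:
            raise ValueError(f"{signature}: unknown severity {severity!r}")
        buckets[policy[severity]].append(signature)
    return buckets


def event_volume(policy, signature_hits):
    """Events the client would generate: Prevent and Log raise one each,
    Ignore raises none (assumption for this model)."""
    buckets = apply_policy(policy, signature_hits)
    return len(buckets["Prevent"]) + len(buckets["Log"])


# Constructed sample of signature matches seen on a test client.
SAMPLE_HITS = [
    ("sig-shell-spawned-by-browser", "High"),
    ("sig-registry-run-key-write", "Medium"),
    ("sig-new-service-install", "Medium"),
    ("sig-hosts-file-modify", "Low"),
    ("sig-process-enumeration", "Information"),
    ("sig-process-enumeration", "Information"),
]


def tuning_walkthrough(hits=SAMPLE_HITS):
    """Raise Medium and Low step by step; return (stage, event count) pairs."""
    policy = dict(INITIAL_POLICY)
    stages = [("initial", event_volume(policy, hits))]
    for severity in ("Medium", "Low"):
        policy = stage_up(policy, severity)  # Ignore -> Log
        stages.append((f"{severity} -> Log", event_volume(policy, hits)))
    policy = stage_up(policy, "Medium")  # Log -> Prevent: same events, now blocked
    stages.append(("Medium -> Prevent", event_volume(policy, hits)))
    return stages


if __name__ == "__main__":
    for stage, count in tuning_walkthrough():
        print(f"{stage:20s} events={count}")
```

With the sample hits, the initial policy produces a single event (the High signature), raising Medium to Log adds the two Medium hits, raising Low to Log adds one more, and moving Medium from Log to Prevent leaves the count unchanged while changing which hits are blocked. That is the practical meaning of staggering the impact: review each increment's events before enabling the next level.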
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
11