Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Managing Your Protection<br />
Management of policies<br />
• Establish a naming convention for your clients. Clients are identified by name in the<br />
System Tree, in certain reports, and in event data generated by activity on the client. Clients<br />
can take the names of the hosts on which they are installed, or you can assign a specific<br />
client name during installation. McAfee recommends establishing a naming convention for<br />
clients that anyone working with the Host Intrusion Prevention deployment can interpret easily.<br />
• Install the clients. Clients are installed with a default set of IPS, Firewall, Application<br />
Blocking, and General rule policies. New policies with updated rules can later be pushed<br />
from the server.<br />
• Group the clients logically. Clients can be grouped according to any criteria that fit the<br />
System Tree hierarchy. For example, you might group clients according to their geographic<br />
location, corporate function, or the characteristics of the system.<br />
Client data and what it tells you<br />
After you have installed and grouped your clients, the deployment is complete. You<br />
should begin to see events triggered by activity on the clients. If you have placed clients in<br />
adaptive mode, you should also see the client rules that show which client exception rules are<br />
being created. By analyzing this data, you begin to tune the deployment.<br />
To analyze event data, view the Events tab of the Host IPS tab under Reporting. You can<br />
drill down to the details of an event, such as which process triggered the event, when the event<br />
was generated, and which client generated it. Analyze the event and take the appropriate<br />
action to tune the Host Intrusion Prevention deployment so that it responds better to attacks.<br />
The Events tab displays all Host IPS events, including quarantine and application blocking<br />
events, marked as intrusion, HIPS, or NIPS.<br />
To analyze client rules, view the IPS, Firewall, and Application Blocking Client Rules<br />
tabs. You can see which rules are being created, aggregate them to find the most prevalent<br />
rules, and move those rules directly into a policy for application to other clients.<br />
In addition, the Reporting module provides detailed reports based on events, client rules, and<br />
the Host Intrusion Prevention configuration. Use these reports to communicate environment<br />
activity to other members of your team and to management.<br />
Automatic tuning with clients<br />
A major element of the tuning process is placing Host Intrusion Prevention clients in<br />
adaptive mode for IPS, firewall, and application blocking, or in learn mode for firewall and<br />
application blocking. These modes allow computers to create client exception rules to<br />
administrative policies. Adaptive mode does this automatically without user interaction, while<br />
learn mode requires the user to tell the system what to do when an event is generated.<br />
These modes first screen events for the most malicious attacks, such as buffer overflows.<br />
Client exception rules are created only for activity that is considered regular and necessary for business.<br />
By setting representative clients in adaptive or learn mode, you can build a tuning configuration<br />
from them. Host Intrusion Prevention then lets you take any, all, or none of the client rules<br />
and convert them to server-mandated policies. Because every exception created in these modes<br />
permits behavior that the policy would otherwise block, limit them to representative clients and<br />
review each client rule before promoting it to a policy. When tuning is complete, turn off adaptive or<br />
learn mode to tighten the system’s intrusion prevention protection.<br />
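The review step above (aggregating client rules to find the most prevalent ones and deciding which to promote to a server-mandated policy) is easier when client names follow the naming convention recommended earlier, because site and function can then be read from the name and used for grouping. The following script is an added example, not McAfee tooling and not the ePO client-rules export format. It assumes a hypothetical naming convention of SITE-FUNCTION-NNN (for example NYC-WEB-001) and a constructed CSV layout with the columns client, signature_id, signature_name, severity, process; the signature IDs and names in the sample are made up, and the promotion threshold and the refusal to promote High-severity rules are this example's own review policy.

```python
"""Triage of client exception rules collected from adaptive-mode clients.

Added example; not McAfee tooling and not the ePO export format. Assumptions
(both hypothetical, chosen for illustration):
  * clients are named <SITE>-<FUNCTION>-<NNN>, e.g. NYC-WEB-001, so that site and
    corporate function can be read from the name;
  * client rules are available as CSV with the columns
    client,signature_id,signature_name,severity,process.
"""
import csv
import io
import re

# Assumed naming convention (hypothetical): three-letter site, function, three-digit sequence.
CLIENT_NAME = re.compile(r"^(?P<site>[A-Z]{3})-(?P<function>[A-Z]+)-(?P<seq>\d{3})$")

# Constructed sample export (signature IDs and names are made up): seven client rules.
SAMPLE_EXPORT = """\
client,signature_id,signature_name,severity,process
NYC-WEB-001,1148,Common Program Files Modification,Medium,backupagent.exe
NYC-WEB-002,1148,Common Program Files Modification,Medium,backupagent.exe
LON-WEB-001,1148,Common Program Files Modification,Medium,backupagent.exe
LON-DB-001,1148,Common Program Files Modification,Medium,backupagent.exe
NYC-WEB-001,3000,Buffer Overflow in Generic Application,High,legacyapp.exe
LON-DB-001,2012,Registry Run Key Modification,Low,installer.exe
badname,2012,Registry Run Key Modification,Low,installer.exe
"""


def parse_client_name(name):
    """Return (site, function) under the assumed convention, or None if the name does not conform."""
    m = CLIENT_NAME.match(name)
    return (m.group("site"), m.group("function")) if m else None


def aggregate_client_rules(csv_text):
    """Group client rules by (signature_id, process) and record which distinct clients,
    sites and functions created each one. Returns (aggregate, nonconforming_names)."""
    agg = {}
    nonconforming = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parsed = parse_client_name(row["client"])
        if parsed is None:
            # A client outside the naming convention cannot be grouped; report it rather than guess.
            nonconforming.append(row["client"])
            continue
        site, function = parsed
        key = (int(row["signature_id"]), row["process"].lower())
        entry = agg.setdefault(key, {
            "name": row["signature_name"],
            "severity": row["severity"],
            "clients": set(), "sites": set(), "functions": set(),
        })
        entry["clients"].add(row["client"])
        entry["sites"].add(site)
        entry["functions"].add(function)
    return agg, nonconforming


def policy_candidates(agg, min_clients=3, blocked_severities=("High",)):
    """Rank aggregated rules for promotion to a server-mandated exception policy.

    A rule is a candidate when at least min_clients distinct clients created it and its
    severity is not in blocked_severities. Both settings are this example's own review
    policy (a buffer-overflow signature should never become a blanket exception), not
    product settings.
    """
    candidates = []
    for (sig, proc), e in agg.items():
        if e["severity"] in blocked_severities or len(e["clients"]) < min_clients:
            continue
        candidates.append({
            "signature_id": sig,
            "signature_name": e["name"],
            "process": proc,
            "clients": len(e["clients"]),
            "sites": sorted(e["sites"]),
            "functions": sorted(e["functions"]),
        })
    # Most widespread rules first; signature ID breaks ties deterministically.
    candidates.sort(key=lambda c: (-c["clients"], c["signature_id"]))
    return candidates


def report(csv_text):
    """Human-readable summary: rules to promote, High-severity rules to review, bad names."""
    agg, bad = aggregate_client_rules(csv_text)
    lines = []
    for c in policy_candidates(agg):
        lines.append("promote sig %d (%s) for %s: %d clients, sites %s, functions %s" % (
            c["signature_id"], c["signature_name"], c["process"], c["clients"],
            "/".join(c["sites"]), "/".join(c["functions"])))
    for (sig, proc), e in sorted(agg.items()):
        if e["severity"] == "High":
            lines.append("review sig %d (%s) for %s: High severity, never auto-promote"
                         % (sig, e["name"], proc))
    if bad:
        lines.append("nonconforming client names (fix before grouping): " + ", ".join(bad))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Running it on the sample promotes only the backup-agent rule, which four clients across two sites and two functions created, leaves the buffer-overflow rule for manual review, and flags the client whose name breaks the convention so it can be renamed before grouping.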
• Run clients in adaptive or learn mode for at least a week. This gives the clients time to<br />
encounter all the activity they would normally encounter. Try to include periods of<br />
scheduled activity, such as backups or script processing.<br />
• As each activity is encountered, IPS events are generated and exceptions are created.<br />
Exceptions are activities that are recognized as legitimate behavior. For example, a policy<br />
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0<br />
19