Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring IPS Policies
Overview of IPS policies
Host intrusion prevention signatures
Host IPS protection resides on individual systems such as servers, workstations, or laptops. The Host Intrusion Prevention client inspects traffic flowing into or out of a system and examines the behavior of the applications and operating system for attacks. When an attack is detected, the client can block it at the network segment connection, or can issue commands to stop the behavior initiated by the attack. For example, a buffer overflow is prevented by blocking malicious programs inserted into the address space exploited by an attack. Installation of back door programs through applications like Internet Explorer is blocked by intercepting and denying the application's "write file" command.
Benefits of host IPS
• Protects against an attack and the results of an attack, such as preventing a program from writing a file.
• Protects laptops when they are outside the protected network.
• Protects against local attacks introduced by CDs or USB devices. These attacks often focus on escalating the user's privileges to "root" or "administrator" to compromise other systems in the network.
• Provides a last line of defense against attacks that have evaded other security tools.
• Prevents internal attacks or misuse of devices located on the same network segment.
• Protects against attacks where the encrypted data stream terminates at the system being protected, by examining the decrypted data and behavior.
• Independent of network architecture; protects systems on obsolete or unusual network architectures such as Token Ring or FDDI.
Network intrusion prevention signatures
Network IPS protection also resides on individual systems. All data that flows between the protected system and the rest of the network is examined for an attack. When an attack is identified, the offending data is discarded or blocked from passing through the system.
Benefits of network IPS
• Protects systems located downstream in a network segment.
• Protects servers and the systems that connect to them.
• Protects against network denial-of-service attacks and bandwidth-oriented attacks that deny or degrade network traffic.
Behavioral rules
Behavioral rules define legitimate activity. Activity not matching the rules is considered suspicious and triggers a response. For example, a behavioral rule might state that only a web server process should access HTML files. If any other process attempts to access HTML files, action is taken. These rules provide protection against zero-day and buffer overflow attacks.
Behavioral rules define a profile of legitimate activity. Activity that does not match the profile triggers an event. For example, you can set a rule stating that only a web server process should access web files. If another process attempts to access a web file, this behavioral rule triggers an event.
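The following is an added illustration of the behavioral-rule idea described above; it is not McAfee code and does not reflect how the Host IPS client evaluates its signatures. It assumes a rule is a profile of (file pattern, permitted processes, operations), and it raises an event for any file access that a rule covers but does not permit. The process names, paths and access records are constructed sample data.

```python
"""Toy behavioral-rule evaluator (added example, not McAfee product code).

A behavioral rule describes legitimate activity: which processes may perform
which operations on which files. Any covered access that falls outside the
profile is raised as an event, mirroring the guide's "only the web server
process may access web files" rule.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class FileAccess:
    process: str    # image name of the process performing the access
    path: str       # file being accessed
    operation: str  # "read" or "write"


@dataclass(frozen=True)
class BehavioralRule:
    """Profile of legitimate activity for the files matching `file_globs`:
    only `allowed_processes` may perform the listed `operations` on them."""
    name: str
    file_globs: tuple
    allowed_processes: frozenset
    operations: frozenset = frozenset({"read", "write"})

    def covers(self, access: FileAccess) -> bool:
        # Case-insensitive glob match; backslashes in the path are literal.
        path = access.path.lower()
        return access.operation in self.operations and any(
            fnmatchcase(path, glob) for glob in self.file_globs
        )

    def permits(self, access: FileAccess) -> bool:
        return access.process.lower() in self.allowed_processes


@dataclass(frozen=True)
class Event:
    rule: str
    access: FileAccess


def evaluate(rules, accesses):
    """Return one Event per (rule, access) pair where the rule covers the
    access but the process is not in the rule's legitimate profile.
    Accesses no rule covers are outside the profile's scope and pass."""
    return [
        Event(rule.name, access)
        for access in accesses
        for rule in rules
        if rule.covers(access) and not rule.permits(access)
    ]


# Constructed sample profile (hypothetical names, not shipped signatures).
SAMPLE_RULES = (
    BehavioralRule(
        name="Only the web server may access HTML files",
        file_globs=("*.html", "*.htm"),
        allowed_processes=frozenset({"httpd.exe", "w3wp.exe"}),
    ),
    BehavioralRule(
        name="Only installers may write to System32",
        file_globs=(r"c:\windows\system32\*",),
        allowed_processes=frozenset({"msiexec.exe", "trustedinstaller.exe"}),
        operations=frozenset({"write"}),
    ),
)

# Constructed sample accesses, e.g. as a file-system filter would report them.
SAMPLE_ACCESSES = (
    FileAccess("httpd.exe", r"C:\inetpub\wwwroot\index.html", "read"),     # legitimate
    FileAccess("notepad.exe", r"C:\inetpub\wwwroot\index.html", "write"),  # event
    FileAccess("winword.exe", r"C:\Users\alice\report.docx", "write"),     # not covered
    FileAccess("iexplore.exe", r"C:\Windows\System32\helper.dll", "write"),  # event
    FileAccess("msiexec.exe", r"C:\Windows\System32\newlib.dll", "write"),   # legitimate
)


if __name__ == "__main__":
    for event in evaluate(SAMPLE_RULES, SAMPLE_ACCESSES):
        a = event.access
        print(f"EVENT [{event.rule}]: {a.process} {a.operation} {a.path}")
```

The design point worth noticing is the asymmetry: the rule does not enumerate bad processes, it enumerates the legitimate ones, so a process never seen before (a zero-day payload, or a browser dropping a file it should not) is flagged without any signature for it. The cost is that every legitimate process must be in the profile, which is why such rules are tuned per role rather than deployed with a single global list.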
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
25