Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Configuring IPS Policies

Overview of IPS policies

Host Intrusion Prevention combines the use of signature rules and hard-coded behavioral rules. This hybrid method detects most known attacks as well as previously unknown or zero-day attacks.
Events

IPS events are generated when a client recognizes a violation of a signature or behavioral rule. Events are logged in the Events tab of the IPS Rules tab under Reporting. Administrators can view and monitor these events to analyze system rule violations. They can then adjust event reactions or create exceptions or trusted application rules to reduce the number of events and fine-tune the protection settings.

Reactions

A reaction is what a client does when it recognizes a signature of a specific severity. A client reacts in one of three ways:

• Ignore — No reaction; the event is not logged and the operation is not prevented.
• Log — The event is logged but the operation is not prevented.
• Prevent — The event is logged and the operation is prevented.

A security policy may state, for example, that when a client recognizes an Information level signature, it logs the occurrence of that signature and allows the operation to occur; and when it recognizes a High level signature, it prevents the operation.

NOTE: Logging can be enabled directly on each signature.
Exception rules

An exception is a rule for overriding blocked activity. In some cases, behavior that a signature defines as an attack may be part of a user's normal work routine or an activity that is legal for a protected application. To override the signature, you can create an exception that allows the legitimate activity. For example, an exception might state that for a particular client, an operation is ignored.

You can create these exceptions manually, or place clients in adaptive mode and allow them to create client exception rules. To ensure that some signatures are never overridden, edit the signature and disable the Allow Client Rules option. You can track the client exceptions in the ePolicy Orchestrator console, viewing them in regular, filtered, and aggregated views. Use these client rules to create new policies, or add them to existing policies that you can apply to other clients.
Host Intrusion Prevention clients contain a set of IPS signature rules that determine whether activity on the client computer is benign or malicious. When malicious activity is detected, alerts known as events are sent to the ePO server and appear in the Host IPS tab under Reporting. The protection level set for signatures in the IPS Protection policy determines which action a client takes when an event occurs. Reactions include ignore, log, or prevent the activity.

Events from legitimate activity that are false positives can be overridden by creating an exception to the signature rule or by qualifying applications as trusted. Clients in adaptive mode automatically create exceptions, called client rules. Administrators can manually create exceptions at any time.

Monitoring events and client exception rules helps determine how to tune the deployment for the most effective IPS protection.
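The decision the guide describes (severity-based reaction from the IPS Protection policy, an exception overriding it to Ignore for a matching client, per-signature logging, and the Allow Client Rules option blocking adaptive-mode overrides) can be modeled as a small evaluator. The following Python is an added example written for this section; it is not McAfee code and does not reflect the product's internal data model. The severity names other than Information and High, the Low and Medium reaction mappings, the client and signature identifiers, and the rule that an exception suppresses logging entirely are all assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Reaction(Enum):
    IGNORE = "ignore"    # not logged, operation allowed
    LOG = "log"          # logged, operation allowed
    PREVENT = "prevent"  # logged, operation blocked


@dataclass(frozen=True)
class Signature:
    sig_id: int
    severity: str                    # e.g. "Information" or "High"
    allow_client_rules: bool = True  # False: adaptive-mode clients may not override
    log_always: bool = False         # logging enabled directly on the signature


@dataclass(frozen=True)
class ExceptionRule:
    sig_id: int
    client: Optional[str] = None     # None applies to every client
    created_by_client: bool = False  # True when created in adaptive mode


@dataclass
class Verdict:
    reaction: Reaction
    logged: bool
    prevented: bool
    overridden_by_exception: bool


def add_exception(exceptions: List[ExceptionRule], sig: Signature,
                  rule: ExceptionRule) -> bool:
    """Append rule; refuse client-created rules for signatures that forbid them."""
    if rule.created_by_client and not sig.allow_client_rules:
        return False
    exceptions.append(rule)
    return True


def evaluate_event(sig: Signature, client: str,
                   protection: Dict[str, Reaction],
                   exceptions: List[ExceptionRule]) -> Verdict:
    """Decide what the client does when it recognizes `sig`."""
    # A matching exception wins: the operation is ignored for that client
    # (assumption: the exception also suppresses per-signature logging).
    for rule in exceptions:
        if rule.sig_id == sig.sig_id and rule.client in (None, client):
            return Verdict(Reaction.IGNORE, logged=False, prevented=False,
                           overridden_by_exception=True)
    # Otherwise the reaction is what the protection policy maps the severity to
    # (unknown severities default to Ignore; an assumption of this example).
    reaction = protection.get(sig.severity, Reaction.IGNORE)
    logged = reaction is not Reaction.IGNORE or sig.log_always
    return Verdict(reaction, logged=logged,
                   prevented=reaction is Reaction.PREVENT,
                   overridden_by_exception=False)


# Constructed sample policy: only Information -> Log and High -> Prevent come
# from the guide's example; the Low and Medium mappings are assumed.
SAMPLE_PROTECTION = {
    "Information": Reaction.LOG,
    "Low": Reaction.IGNORE,
    "Medium": Reaction.PREVENT,
    "High": Reaction.PREVENT,
}

# Constructed signatures and client names (hypothetical identifiers).
SIG_INFO = Signature(1, "Information")
SIG_HIGH = Signature(2, "High", allow_client_rules=False)
SIG_LOW_LOGGED = Signature(3, "Low", log_always=True)


def run_demo() -> Dict[str, object]:
    exceptions: List[ExceptionRule] = []
    # An administrator's manual exception for one client on the Information signature.
    manual_ok = add_exception(exceptions, SIG_INFO, ExceptionRule(1, client="host-a"))
    # An adaptive-mode client tries to except the High signature; it is rejected
    # because Allow Client Rules is disabled on that signature.
    client_ok = add_exception(exceptions, SIG_HIGH,
                              ExceptionRule(2, client="host-a", created_by_client=True))
    return {
        "manual_accepted": manual_ok,
        "client_rule_accepted": client_ok,
        "info_host_a": evaluate_event(SIG_INFO, "host-a", SAMPLE_PROTECTION, exceptions),
        "info_host_b": evaluate_event(SIG_INFO, "host-b", SAMPLE_PROTECTION, exceptions),
        "high_host_a": evaluate_event(SIG_HIGH, "host-a", SAMPLE_PROTECTION, exceptions),
        "low_logged": evaluate_event(SIG_LOW_LOGGED, "host-b", SAMPLE_PROTECTION, exceptions),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running the demo shows the four outcomes the section distinguishes: the Information event on host-a is ignored because of the manual exception, the same event on host-b is logged but allowed, the High event on host-a is still prevented because the client's own exception was refused, and the Low signature with logging enabled is logged even though the policy reaction for Low is Ignore.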
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0