Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee
Introducing Host Intrusion Prevention 7.0
Types of Host Intrusion Prevention policies
Basic protection
Host Intrusion Prevention ships with a set of default settings that provide basic “out-of-the-box”
protection for your environment. These settings include:
• IPS protection is enabled; high severity signatures are prevented and all other signatures
are ignored.
• Firewall, quarantine, and application blocking protection are not enabled.
• McAfee applications are listed as trusted applications for all rules except IPS self-protection
rules.
• Predefined applications and processes are protected.
Advanced protection
For advanced protection, switch from the default settings to stronger preset settings, or create
custom settings.
Start with a sample deployment to monitor and tune the new settings. Tuning involves balancing
intrusion prevention protection and access to required information and applications per group
type. You can do this manually or automatically by enabling learn or adaptive mode.
Types of Host Intrusion Prevention policies
A policy is a collection of settings that you configure and enforce through the ePolicy Orchestrator
console. Applying policies ensures that your security needs on managed systems are met. Host
Intrusion Prevention provides four policy features, each with a set of security options. These
are: IPS, Firewall, Application Blocking and General. Except for General, each feature
contains a “rules” policy with rules that define behavior, and an “options” policy that enables
or disables application of the rules.
Ownership of policies is assigned in the Policy Catalog. After a policy is created, it can be
edited or deleted only by the creator of the policy, the person associated as an owner of the
policy, or the global administrator. Deleting a policy can be done only in the Policy Catalog.
IPS policies
The IPS (Intrusion Prevention System) feature contains three policies that protect computers
with host intrusion prevention technology. It details exceptions, signatures, application protection
rules, events, and client-generated exceptions.
• IPS Options. Turns on or off IPS protection and application of adaptive mode.
• IPS Protection. Defines the reaction to events that signatures generate.
• IPS Rules. Defines exceptions, signatures, and application protection rules. This policy,
referred to as a multiple-instance policy, allows for a profile of settings through the application
of multiple policies under a single policy instance.
Firewall policies
The Firewall feature contains four policies that filter network traffic, allowing legitimate traffic
through the firewall and blocking the rest.
McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0