Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee

More documents

Recommendations

Info

Introducing Host Intrusion Prevention 7.0 Types of Host Intrusion Prevention policies Basic protection Host Intrusion Prevention ships with a set of default settings that provide basic “out-of-the-box” protection for your environment. These settings include: • IPS protection is enabled; high severity signatures are prevented and all other signatures are ignored. • Firewall, quarantine, and application blocking protection are not enabled. • McAfee applications are listed as trusted applications for all rules except IPS self-protection rules. • Predefined applications and processes are protected. Advanced protection For advanced protection, switch from the default settings to stronger preset settings, or create custom settings. Start with a sample deployment to monitor and tune the new settings. Tuning involves balancing intrusion prevention protection and access to required information and applications per group type. You can do this manually or automatically by enabling learn or adaptive mode. Types of Host Intrusion Prevention policies IPS policies A policy is a collection of settings that you configure and enforce through the ePolicy Orchestrator console. Applying policies ensures that your security needs on managed systems are met. Host Intrusion Prevention provides four policy features, each with a set of security options. These are: IPS, Firewall, Application Blocking and General. Except for General, each feature contains a “rules” policy with rules that define behavior, and an “options” policy that enables or disables application of the rules. Ownership of policies is assigned in the Policy Catalog. After a policy is created, it can be edited or deleted only by the creator of the policy, the person associated as an owner of the policy, or the global administrator. Deleting a policy can be done only in the Policy Catalog. The IPS (Intrusion Prevention System) feature contains three policies that protect computers with host intrusion prevention technology. It details exceptions, signatures, application protection rules, events, and client-generated exceptions. • IPS Options. Turns on or off IPS protection and application of adaptive mode. • IPS Protection. Defines the reaction to events that signatures generate. • IPS Rules. Defines exceptions, signatures, and application protection rules. This policy, referred to as a multiple-instance policy, allows for a profile of settings through the application of multiple policies under a single policy instance. Firewall policies The Firewall feature contains four policies that filter network traffic, allowing legitimate traffic through the firewall and blocking the rest. 8 McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0
Introducing Host Intrusion Prevention 7.0 Policy management • Firewall Options. Turns on or off firewall protection and application of adapative or learn mode. • Firewall Rules. Defines firewall rules. • Quarantine Options. Turns on or off quarantine mode. • Quarantine Rules. Defines firewall rules applied during quarantine. Application Blocking policies The Application Blocking feature contains two policies that manage application creation and application hooking. • Application Blocking Options. Turns on or off blocking for application creation and hooking and application of adaptive and learn mode. • Application Blocking Rules. Defines application blocking rules that prevent unknown and unwanted applications from running or binding with other applications. General policies The General feature contains three policies that apply to all features. • Client UI. Defines access to the Host Intrusion Prevention user interface on Windows client systems, and password-protection on all client systems. • Trusted Networks. Lists IP addresses and networks that are safe for communication • Trusted Applications. Lists applications that are trusted to perform most operations. Policy management The ePolicy Orchestrator console allows you to configure Host Intrusion Prevention policies from a central location. How policies are enforced When you change Host Intrusion Prevention policies in the ePolicy Orchestrator console, the changes take effect on the managed systems at the next agent-server communication. This interval is set to occur once every 60 minutes by default. To enforce policies immediately, you can send an agent wake-up call from the ePolicy Orchestrator console. Policies and their categories Policy information for Host Intrusion Prevention is grouped by feature and category. Each policy category refers to a specific subset of policies. A policy is a configured group of settings for a specific purpose. You can create, modify, or delete as many policies as needed. Each policy has a preconfigured McAfee Default policy, which cannot be edited or deleted. Except for IPS Rules and Trusted Applications, all policies also have an editable My Default policy based on the default policy. Some policy categories include several read-only preconfigured policies. If these preconfigured policies meet your needs, you can apply any one of them. These read-only policies, like all policies, can be duplicated and the duplicate customized, if needed. McAfee Host Intrusion Prevention 7.0 Product Guide for use with ePolicy Orchestrator 4.0 9
Page 1 and 2: McAfee Host Intrusion Prevention 7.
Page 3 and 4: Contents Introducing Host Intrusion
Page 5 and 6: Contents Creating firewall rule gro
Page 7: Introducing Host Intrusion Preventi
Page 11 and 12: Introducing Host Intrusion Preventi
Page 13 and 14: Managing Your Protection Management
Page 25 and 26: Configuring IPS Policies Overview o
Page 27 and 28: Configuring IPS Policies Working wi
Page 45 and 46: Configuring Firewall Policies The F
Page 47 and 48: Configuring Firewall Policies Overv
Page 57 and 58: Configuring Firewall Policies Worki
Page 59 and 60:
Configuring Firewall Policies Worki
Page 61 and 62:
Page 63 and 64:
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Configuring Application Blocking Po
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Configuring General Policies Workin
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Working with Host Intrusion Prevent
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Index clients (continued) updating
Page 109 and 110:
Index McAfee Default policy (contin
Page 111 and 112:
Index T troubleshooting, Host IPS C
show all

Host Intrusion Prevention 7.0.0 for ePO 4.0 Product Guide - McAfee

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?