McAfee® Host Intrusion Prevention 6.1 Installation/Configuration Guide: Basic Concepts
Deployment and management
In both modes, events are first analyzed for the most malicious attacks, such as buffer
overflow. If the activity is considered regular and necessary for business, Host
Intrusion Prevention clients create client rules to allow operations that would otherwise
be blocked. By placing clients in Adaptive or Learn mode, you can obtain a tuning
configuration for them. Host Intrusion Prevention then allows you to take any, all, or
none of the client rules and convert them to server-mandated policies. Adaptive and
Learn modes can be turned off at any time to tighten the system's intrusion prevention
protection.
Often in a large organization, avoiding disruption to business takes priority over security
concerns. For example, new applications may need to be installed periodically on some
client computers, and you may not have the time or resources to immediately tune
them. Host Intrusion Prevention enables you to place specific clients in Adaptive mode
for IPS protection. Those computers profile a newly installed application and forward
the resulting client rules to the server. The administrator can promote these
client rules to an existing or new policy and then apply the policy to other computers to
handle the new software.
Tuning
As part of Host Intrusion Prevention deployment, you need to identify a small number
of distinct usage profiles and create policies for them. The best way to achieve this is
to set up a test deployment, then begin reducing the number of false positives and
generated events. This process is called tuning.
Stronger IPS rules, for example, offer more signatures that target a wider range of
violations, and generate many more events than in a basic environment. If you apply
advanced protection, we recommend using the IPS Protection policy to stagger the
impact. This entails mapping each of the severity levels (High, Medium, Low, and
Information) to a reaction (Prevent, Log, Ignore). By initially setting all severity reactions
except High to Ignore, only the High severity signatures will be applied. The other levels
can be raised incrementally as tuning progresses.
You can reduce the number of false positives by creating exception rules, trusted
applications, and firewall rules. Exception rules are mechanisms for overriding a
security policy in specific circumstances. Trusted applications are application
processes that are always permissible. Firewall rules determine whether traffic is
permissible, and either allow or block packet transmission.
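The evaluation order described in the tuning section (trusted applications always permissible, exception rules overriding the policy in specific circumstances, otherwise the severity-to-reaction mapping of the IPS Protection policy) and the Adaptive mode workflow from the paragraphs above (clients generating client rules that the administrator promotes into a policy) can be modelled with a small simulation. The following Python is an added illustration written for this page, not McAfee code; the class and function names (Policy, Event, evaluate, raise_level, learn_client_rules, promote) and the sample events are constructed for the example and do not correspond to the product's internal formats.

```python
"""Toy model of Host Intrusion Prevention policy evaluation and staged tuning.

Added illustration for this guide page, not McAfee code. All names and sample
events below are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field

SEVERITIES = ("High", "Medium", "Low", "Information")
REACTIONS = ("Prevent", "Log", "Ignore")


@dataclass(frozen=True)
class Event:
    client: str      # client computer that reported the event
    process: str     # application process that triggered the signature
    signature: str   # signature identifier (constructed)
    severity: str    # one of SEVERITIES


@dataclass
class Policy:
    reactions: dict                              # severity -> reaction
    trusted_apps: set = field(default_factory=set)   # processes always permissible
    exceptions: set = field(default_factory=set)     # (process, signature) overrides


def initial_policy():
    """Staggered start: only High severity is enforced; all other levels Ignore."""
    return Policy(reactions={s: ("Prevent" if s == "High" else "Ignore")
                             for s in SEVERITIES})


def raise_level(policy, severity, reaction):
    """Tuning step: raise one severity level to a stronger reaction."""
    if severity not in SEVERITIES or reaction not in REACTIONS:
        raise ValueError("unknown severity or reaction")
    policy.reactions[severity] = reaction
    return policy


def evaluate(policy, event):
    """Decide the reaction for one event.

    Trusted applications are always permissible, exception rules override the
    policy for a specific process/signature pair, and otherwise the severity
    mapping of the IPS Protection policy applies.
    """
    if event.process in policy.trusted_apps:
        return "Ignore"
    if (event.process, event.signature) in policy.exceptions:
        return "Ignore"
    return policy.reactions[event.severity]


def reaction_counts(policy, events):
    """Count reactions across a batch of events (the 'event volume' being tuned)."""
    return Counter(evaluate(policy, e) for e in events)


def learn_client_rules(policy, events, adaptive_clients):
    """Adaptive mode: a client in Adaptive mode allows activity that the policy
    would otherwise block and records a client rule for it."""
    return {(e.process, e.signature) for e in events
            if e.client in adaptive_clients and evaluate(policy, e) != "Ignore"}


def promote(policy, client_rules):
    """Administrator promotes chosen client rules to policy exception rules."""
    policy.exceptions |= set(client_rules)
    return policy


# Constructed sample events: ws-01 is installing a new application.
SAMPLE_EVENTS = [
    Event("ws-01", "installer.exe", "sig-1001", "High"),
    Event("ws-02", "backup.exe", "sig-2001", "Medium"),
    Event("ws-03", "browser.exe", "sig-3001", "Low"),
    Event("ws-01", "installer.exe", "sig-1001", "High"),
    Event("ws-02", "monitor.exe", "sig-4002", "Information"),
    Event("ws-03", "av.exe", "sig-1002", "High"),   # av.exe is a trusted app
]


def demo(events=SAMPLE_EVENTS):
    """Walk through one tuning cycle and return the counts at each stage."""
    policy = initial_policy()
    policy.trusted_apps.add("av.exe")
    stages = {"initial": reaction_counts(policy, events)}

    raise_level(policy, "Medium", "Log")              # enable the next level
    stages["medium_logged"] = reaction_counts(policy, events)

    rules = learn_client_rules(policy, events, adaptive_clients={"ws-01"})
    promote(policy, rules)                            # promote all learned rules
    stages["after_promotion"] = reaction_counts(policy, events)
    stages["client_rules"] = rules
    return stages


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, dict(result) if isinstance(result, Counter) else result)
```

Running the simulation shows the effect of each tuning action on the event volume: the staggered initial policy prevents only the two High events, enabling Medium as Log adds one logged event, and promoting the client rule learned on the Adaptive-mode client converts the installer's High events into an exception so they are no longer blocked elsewhere.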
Reports
Reports enable you to obtain data about a particular item and filter it for specific subsets
of that data, for example, high-level events reported by particular clients for a specified
time period. Reports can be scheduled and sent as an email message.