McAfee® Host Intrusion Prevention 6.1 Product Guide: Using ePolicy Orchestrator
Chapter 3: Host Intrusion Prevention operations (page 28)
Placing clients in Adaptive or Learn mode
A major element of the tuning process is placing Host Intrusion Prevention clients in
Adaptive mode (for IPS, firewall, and application blocking) or Learn mode (for firewall
and application blocking). Both modes let clients create client exception rules to
administrative policies. Adaptive mode creates them automatically without user
interaction, while Learn mode prompts the user to decide what the system should do
when an event is generated.
In both modes, events are first checked for the most malicious attacks, such as buffer
overflows. If the activity is instead considered regular and necessary for business,
client exception rules are created. By setting representative clients in Adaptive or
Learn mode, you obtain a tuning configuration for them. Host Intrusion Prevention then
lets you take any, all, or none of the client rules and convert them to
server-mandated policies. When tuning is complete, turn off Adaptive or Learn mode to
tighten the system's intrusion prevention protection.
Run clients in Adaptive or Learn mode for at least a week, so that they have time to
encounter all the activity they would normally encounter. Make sure this period
includes routine scheduled activity, such as backups or script processing.
As each activity is encountered, IPS events are generated and exceptions are
created. An exception marks an activity as legitimate behavior. For example, a
policy might treat certain script processing as illegal behavior, but certain
systems in your engineering groups need to perform such tasks. Allow exceptions to
be created on those systems so they can continue to function normally, while the
policy continues to prevent the activity on other systems. Then make these
exceptions part of a server-mandated policy that applies only to the engineering
group.
You might also have software applications that are required for normal business in
some areas of the company but prohibited in others. For example, you might allow
instant messaging in your Engineering and Technical Support organizations but
prevent its use in Finance and HR. You can mark the application as trusted on the
systems in Engineering and Technical Support to give those users full access to it,
while it remains blocked elsewhere.
The Firewall feature acts as a filter between a computer and the network or Internet.
It inspects all incoming and outgoing traffic at the packet level. For each arriving
or departing packet, the firewall consults its list of firewall rules, each of which
is a set of criteria with an associated action. If a packet matches all the criteria
in a rule, the firewall performs that rule's action, either allowing the packet
through or blocking it.
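The rule-matching behavior described above, as an added illustration that is not McAfee's code and does not reproduce the product's rule format: each rule is a set of criteria (direction, protocol, remote network, ports) with an action, and a packet must satisfy every criterion of a rule for that rule's action to apply. The rule list, packets, rule names and the two policy choices that the text does not state (rules are tried in order with the first match winning, and unmatched packets are blocked by default) are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as the filter sees it (constructed sample data, see demo())."""
    direction: str            # "in" (arriving) or "out" (departing)
    protocol: str             # "tcp", "udp" or "icmp"
    remote_ip: str            # the non-local endpoint
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A set of criteria with an action. A criterion left at its default
    (None / empty) is not checked, so a rule with no criteria matches every packet."""
    name: str
    action: str               # "allow" or "block"
    direction: Optional[str] = None
    protocol: Optional[str] = None
    remote_net: Optional[str] = None          # CIDR string, e.g. "10.0.0.0/8"
    local_ports: FrozenSet[int] = frozenset()
    remote_ports: FrozenSet[int] = frozenset()

    def matches(self, pkt: Packet) -> bool:
        """True only if every criterion set on the rule is satisfied by the packet."""
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.remote_net is not None and ip_address(pkt.remote_ip) not in ip_network(self.remote_net):
            return False
        if self.local_ports and pkt.local_port not in self.local_ports:
            return False
        if self.remote_ports and pkt.remote_port not in self.remote_ports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """Walk the rule list in order; the first rule whose criteria all match decides.
    Falls back to `default` when nothing matches. First-match order and the
    block-by-default fallback are assumptions of this example, not product behavior."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "<default>"


# Constructed sample policy. Order matters: the quarantine rule sits above the
# corporate RDP rule, so hosts in 10.0.99.0/24 are blocked even though they are in 10.0.0.0/8.
SAMPLE_RULES = [
    Rule("quarantine-subnet", "block", direction="in", remote_net="10.0.99.0/24"),
    Rule("rdp-from-corp", "allow", direction="in", protocol="tcp",
         remote_net="10.0.0.0/8", local_ports=frozenset({3389})),
    Rule("dns-out", "allow", direction="out", protocol="udp", remote_ports=frozenset({53})),
    Rule("web-out", "allow", direction="out", protocol="tcp", remote_ports=frozenset({80, 443})),
    Rule("no-telnet", "block", direction="out", protocol="tcp", remote_ports=frozenset({23})),
]


def demo() -> List[Tuple[str, str]]:
    """Evaluate a few constructed packets against SAMPLE_RULES and return the verdicts."""
    packets = [
        Packet("in", "tcp", "10.1.2.3", local_port=3389, remote_port=50000),     # RDP from corporate net
        Packet("in", "tcp", "10.0.99.7", local_port=3389, remote_port=50001),    # RDP from quarantined subnet
        Packet("in", "tcp", "203.0.113.5", local_port=3389, remote_port=40000),  # RDP from the Internet, no rule
        Packet("out", "udp", "192.0.2.53", local_port=51000, remote_port=53),    # outbound DNS
        Packet("out", "tcp", "192.0.2.10", local_port=51001, remote_port=23),    # outbound telnet
    ]
    return [evaluate(SAMPLE_RULES, p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet is the case worth noticing when you tune a rule set: it satisfies every criterion of the allow rule, yet it is blocked because an earlier, broader rule matched first. When reviewing client rules collected in Adaptive or Learn mode before converting them to server-mandated policy, check where each new rule lands in the order, not just what it says.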