Chapter 3 IPS Filtering

Filter Components

IPS filters have the following components, which determine the identity and type of the filter, its global and customized settings, and how the device responds when the Threat Suppression Engine finds traffic matching the filter:

Category — defines the type of network protection the filter provides. The category is also used to locate the filter in the LSM and to control the global filter settings through the Category Setting configuration.

Action set — defines the actions that execute when the filter is matched.

Adaptive Filter Configuration State — allows you to override the global Adaptive Filter configuration settings so that the filter is not affected by adaptive filtering (see “Adaptive Filter Configuration” on page 60 for additional information).

State — Indicates if the filter is enabled, disabled, or invalid. If the filter is disabled, the Threat Suppression Engine does not use the filter to evaluate traffic.

Categories and Category Settings

Categories and category settings are used to configure global settings for all filters within a specified category group.

DV Filters are organized into Categories and groups based on the type of protection provided:

Application Protection Filters — defend against known exploits, and against attacks that may take advantage of known vulnerabilities, targeting applications and operating systems. This filter type includes the following sub-categories: Exploits, Identity Theft, Reconnaissance (includes Port Scan/Host Sweep filters), Security Policy, Spyware, Virus, and Vulnerabilities.

Infrastructure Protection Filters — protect network bandwidth and network infrastructure elements such as routers and firewalls from attack by checking protocol usage and detecting statistical anomalies. This filter type includes the sub-categories Network Equipment and Traffic Normalization.

Performance Protection Filters — block or rate-limit traffic from applications that can consume excessive bandwidth, leaving network resources available for use by key applications. This filter type includes the following sub-categories: IM, P2P, and Streaming Media.

These Categories are used to locate filters. Category Settings are used to assign global configuration settings to filters within a category. For example, if you do not want to use any filters to monitor P2P traffic, you can disable the P2P group in the Performance Protection category. You can configure the following global parameters:

State — determines whether filters within the Category are enabled or disabled. If a category is disabled, all filters in the Category are disabled.

Action Set — determines the action set that filters within a Category execute when a filter match occurs. If the Recommended action set is configured, each filter in the category uses the settings recommended by the Digital Vaccine team, so filters within the same group can end up with different action sets.

For the best system performance, we recommend that you use global Category Settings and the Recommended action set for all DV filters. However, in some cases, you may need to override the category settings and recommended action for individual filters due to specific network requirements, or in cases where the recommended settings for a filter interact poorly with your network.
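The precedence rules above (category State, category Action Set, Recommended, and per-filter overrides) are easy to misread, so here is an added worked model in Python that resolves the settings the engine would apply to each filter and audits the result. This is illustration code written for this guide, not LSM code and not the device's configuration format; the filter names, the action set names, and the rule that a disabled category disables its filters regardless of any per-filter override are assumptions made for the example.

```python
"""Model of how category settings and per-filter overrides combine.

Constructed illustration for this chapter, not LSM code and not the
device's configuration format. Assumed precedence (from the chapter):
  * a disabled category disables every filter in it;
  * otherwise a per-filter override beats the category setting;
  * the "Recommended" action set means each filter uses the action
    the Digital Vaccine (DV) team recommends for that filter.
Filter and action set names below are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

RECOMMENDED = "Recommended"


@dataclass
class CategorySetting:
    enabled: bool = True
    action_set: str = RECOMMENDED


@dataclass
class IpsFilter:
    name: str
    category: str                 # sub-category / group, e.g. "Exploits", "P2P"
    recommended_action: str       # DV team recommendation for this filter
    enabled_override: Optional[bool] = None  # None = follow category setting
    action_override: Optional[str] = None    # None = follow category setting


@dataclass
class Effective:
    enabled: bool
    action_set: str
    source: str                   # where the action set came from (for audits)


def resolve(flt: IpsFilter, settings: Dict[str, CategorySetting]) -> Effective:
    """Return the settings the engine would actually apply to one filter."""
    cat = settings.get(flt.category, CategorySetting())

    if not cat.enabled:
        enabled = False                      # category off => filter off (assumed)
    elif flt.enabled_override is not None:
        enabled = flt.enabled_override       # per-filter state override
    else:
        enabled = True                       # enabled category, no override

    if flt.action_override is not None:
        action, source = flt.action_override, "filter override"
    elif cat.action_set == RECOMMENDED:
        action, source = flt.recommended_action, "DV recommended"
    else:
        action, source = cat.action_set, "category action set"
    return Effective(enabled, action, source)


def effectively_disabled(filters: List[IpsFilter],
                         settings: Dict[str, CategorySetting]) -> List[str]:
    """Names of filters the engine will not evaluate traffic against."""
    return [f.name for f in filters if not resolve(f, settings).enabled]


def deviating_from_recommended(filters: List[IpsFilter],
                               settings: Dict[str, CategorySetting]) -> List[str]:
    """Enabled filters whose effective action differs from the DV recommendation."""
    out = []
    for f in filters:
        eff = resolve(f, settings)
        if eff.enabled and eff.action_set != f.recommended_action:
            out.append(f.name)
    return out


# Constructed sample data: a few filters plus the category settings an
# administrator might choose (P2P group switched off entirely).
FILTERS = [
    IpsFilter("Exploit-A", "Exploits", "Block + Notify"),
    IpsFilter("P2P-Client-B", "P2P", "Permit + Notify"),
    IpsFilter("PortScan-C", "Reconnaissance", "Block + Notify",
              action_override="Permit + Notify"),
    IpsFilter("HostSweep-E", "Reconnaissance", "Block + Notify"),
    IpsFilter("LegacyVuln-D", "Vulnerabilities", "Block",
              enabled_override=False),
]
SETTINGS = {
    "Exploits": CategorySetting(),                       # on, Recommended
    "P2P": CategorySetting(enabled=False),               # whole group off
    "Reconnaissance": CategorySetting(action_set="Block"),  # category-wide action
}

if __name__ == "__main__":
    for f in FILTERS:
        e = resolve(f, SETTINGS)
        print(f"{f.name:14} enabled={e.enabled!s:5} action={e.action_set!r} ({e.source})")
    print("disabled:", effectively_disabled(FILTERS, SETTINGS))
    print("not recommended:", deviating_from_recommended(FILTERS, SETTINGS))
```

The two audit functions are the checks worth running after any category-level change: `effectively_disabled` catches filters silently switched off by a category State change, and `deviating_from_recommended` lists every filter that no longer follows the Digital Vaccine recommendation, which is exactly the set the next paragraph says you should be able to justify by a specific network requirement.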

24 X Family LSM User’s Guide V 2.5.1