McAfee 6.1 manual Deployment and management, Preset protection, Adaptive and Learn mode

Deployment and management

The deployment and management of Host Intrusion Prevention clients are handled from ePolicy Orchestrator. In the ePO console tree you can group clients hierarchically by attributes. For example, you might group a first level by geographic location and a second level by operating system platform or IP address. We recommend grouping clients by Host Intrusion Prevention configuration criteria, including system type (server or desktop), use of major applications (web, database, or mail server), and strategic locations (DMZ or intranet). You can place clients that fit a common usage profile into a common group on the console tree. In fact, you might name a group after its usage profile, for example, Web Servers.

With computer grouped in the console tree according to type, function, or geographic location, you can easily divide administrative functions along the same lines. With Host Intrusion Prevention you can also divide administrative duties based on product features, such as IPS or firewall.

With this release of Host Intrusion Prevention and ePolicy Orchestrator, policies are independent entities that are shareable across multiple nodes. You assign one policy for each category in a feature of Host Intrusion Prevention. Some categories, such as IPS rules, allow for several policies, with some either inherited from a parent node or applied at the node itself. In this instance, Host Intrusion Prevention handles conflicts by applying the stricter rule first. Through inheritance in ePolicy Orchestrator, when you assign a group node the appropriate policies, every system under that node automatically inherits its parent’s configuration.

Deploying Host Intrusion Prevention clients to thousands of computers is easily managed because most clients fit into a few usage profiles. Managing a large deployment is reduced to maintaining a few policy rules. As a deployment grows, newly added systems should fit one or more existing profiles, and can be placed under the correct group node on the console tree.

Preset protection

Host Intrusion Prevention offers basic protection through the McAfee default policy settings. This “out-of-the-box” protection requires no tuning and generates few events. Clients can be initially deployed on a large scale, even before you tune the deployment. For many environments where the client is installed on workstations and laptops, this basic protection may be sufficient.

Advanced protection is also available from some preset IPS and firewall policies. A profile for servers, for example, needs stronger protection than that offered in basic workstation protection. Or you can use the preset advanced protection policies as a basis for creating custom policies.

Adaptive and Learn mode

To further tune protection settings, Host Intrusion Prevention clients can create client-side exception rules to server-mandated policies that block legitimate activity. The creation of client rules is permitted when clients are placed in Adaptive or Learn mode. In Adaptive mode, available for IPS, Firewall, and Application Blocking features, client rules are created without interaction from the user. In Learn mode, available for Firewall and Application Blocking features, the user must tell the system whether or not to create a client rule.

21