McAfee® Host Intrusion Prevention 6.1 Installation/Configuration Guide

Basic Concepts

Deployment and management

In both modes, events are first analyzed for the most malicious attacks, such as buffer overflow. If the activity is considered regular and necessary for business, Host Intrusion Prevention clients create client rules to allow operations that would otherwise be blocked. By placing clients in Adaptive or Learn mode, you can obtain a tuning configuration for them. Host Intrusion Prevention then allows you to take any, all, or none of the client rules and convert them to server-mandated policies. Adaptive and Learn modes can be turned off at any time to tighten the system’s intrusion prevention protection.

Often in a large organization, avoiding disruption to business takes priority over security concerns. For example, new applications may need to be installed periodically on some client computers, and you may not have the time or resources to immediately tune them. Host Intrusion Prevention enables you to place specific clients in Adaptive mode for IPS protection. Those computers will profile a newly installed application, and forward the resulting client rules to the server. The administrator can promote these client rules to an existing or new policy and then apply the policy to other computers to handle the new software.

Tuning

As part of Host Intrusion Prevention deployment, you need to identify a small number of distinct usage profiles and create policies for them. The best way to achieve this is to set up a test deployment, then begin reducing the number of false positives and generated events. This process is called tuning.

Stronger IPS rules, for example, offer more signatures that target a wider range of violations, and generate many more events than in a basic environment. If you apply advanced protection, we recommend using the IPS Protection policy to stagger the impact. This entails mapping each of the severity levels (High, Medium, Low, and Information) to a reaction (Prevent, Log, Ignore). By initially setting all severity reactions except High to Ignore, only the High severity signatures will be applied. The other levels can be raised incrementally as tuning progresses.

You can reduce the number of false positives by creating exception rules, trusted applications, and firewall rules. Exception rules are mechanisms for overriding a security policy in specific circumstances. Trusted applications are application processes that are always permissible. Firewall rules determine whether traffic is permissible, and either allow or block packet transmission.
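The staggered severity-to-reaction mapping described under Tuning, together with exception rules and trusted applications, can be modelled to see how each tuning stage changes what a client does with a batch of events. This is an added example, not McAfee's code: the event fields, the rule representation and the sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Severity levels and reactions as named in the guide.
SEVERITIES = ("High", "Medium", "Low", "Information")
REACTIONS = ("Prevent", "Log", "Ignore")

# Stage 1 of staggered tuning: only High severity signatures are applied.
STAGE1 = {"High": "Prevent", "Medium": "Ignore", "Low": "Ignore", "Information": "Ignore"}
# A later stage: Medium raised from Ignore to Log, the rest unchanged.
STAGE2 = {"High": "Prevent", "Medium": "Log", "Low": "Ignore", "Information": "Ignore"}


def validate_policy(policy):
    """Reject a policy that omits a severity level or uses an unknown reaction."""
    if set(policy) != set(SEVERITIES):
        raise ValueError("policy must map exactly the four severity levels")
    for severity, reaction in policy.items():
        if reaction not in REACTIONS:
            raise ValueError(f"unknown reaction {reaction!r} for {severity}")


def react(event, policy, exceptions=(), trusted_apps=()):
    """Decide the client's reaction to one event (assumed model).
    exceptions: (signature, process) pairs that override the policy.
    trusted_apps: processes whose activity is always permissible."""
    if event["process"] in trusted_apps:
        return "Ignore"
    if (event["signature"], event["process"]) in exceptions:
        return "Ignore"
    return policy[event["severity"]]


def tune(events, policy, exceptions=(), trusted_apps=()):
    """Count reactions for a batch of events under one tuning stage."""
    validate_policy(policy)
    return Counter(react(e, policy, exceptions, trusted_apps) for e in events)


# Constructed sample events; signature and process names are placeholders.
EVENTS = [
    {"signature": "buffer_overflow", "process": "svchost.exe", "severity": "High"},
    {"signature": "registry_write", "process": "installer.exe", "severity": "Medium"},
    {"signature": "registry_write", "process": "backup.exe", "severity": "Medium"},
    {"signature": "file_access", "process": "editor.exe", "severity": "Low"},
    {"signature": "service_query", "process": "monitor.exe", "severity": "Information"},
]

if __name__ == "__main__":
    print("stage 1:", dict(tune(EVENTS, STAGE1)))
    print("stage 2:", dict(tune(EVENTS, STAGE2)))
    # An exception rule for the backup job removes its false positive at stage 2.
    print("stage 2 + exception:", dict(tune(EVENTS, STAGE2, exceptions={("registry_write", "backup.exe")})))
```

Raising Medium from Ignore to Log surfaces the two registry events; the exception rule then silences the one that is legitimate, which is the tuning loop the text describes.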

Reports

Reports enable you to obtain data about a particular item and filter it for specific subsets of that data, for example, high-level events reported by particular clients for a specified time period. Reports can be scheduled and sent as an email message.
