McAfee® Host Intrusion Prevention 6.1 Product Guide

Using ePolicy Orchestrator

 

Host Intrusion Prevention operations

3

Deploying Host Intrusion Prevention clients

Clients are the elements that provide protection in a Host Intrusion Prevention deployment. Ideally, every system in a working environment is protected by client software. We recommend a phased approach to deployment:

• Determine your initial client rollout plan. Although you will deploy Host Intrusion Prevention clients to every host (servers and desktops) in your company, we recommend that you start by installing clients on a limited number of representative systems and tuning their configuration. After you have fine-tuned the deployment, you can then deploy more clients and leverage the policies, exceptions, and client rules created in the initial rollout.

• Establish a naming convention for your clients. Clients are identified by name in the console tree, in certain reports, and in event data generated by activity on the client. Clients can take the names of the hosts on which they are installed, or you can assign a specific client name during installation. We recommend establishing a naming convention for clients that is easy to interpret by anyone working with the Host Intrusion Prevention deployment.

• Install the clients. Clients are installed with a default set of IPS, firewall, application blocking, and general rule policies. New policies with updated rules can later be pushed from the server.

• Group the clients logically. Clients can be grouped according to any criteria that fit in the console tree hierarchy. For example, you might group clients according to their geographic location, corporate function, or the characteristics of the system.

For detailed instructions, refer to the Host Intrusion Prevention Installation Guide.

Viewing and working with client data

After you have installed and grouped your clients, you have completed the deployment. You should begin to see events triggered by activity on the clients in violation of the set IPS security policy. If you have placed clients in Adaptive mode, you should see the client rules that indicate which client exception rules are being created. By analyzing this data, you begin to tune the deployment.

To analyze event data, view the IPS Event tab in the IPS Feature. You can drill down to the details of an event, such as which process triggered the event, when the event was generated, and which client generated the event. Analyze the event and take the appropriate action to tune the Host Intrusion Prevention deployment to provide better responses to attacks. The IPS Event tab displays default client-based and network-based intrusion prevention signatures as well as custom host-based signatures.

To analyze client rules, view the Client Rules tab. Client Rules also appear in the firewall and application blocking features. You can see which rules are being created, aggregate them to find the most prevalent rules, and move a rule directly to a policy so that it applies to other clients.

In addition, the Reporting feature provides detailed reports based on events, client rules, and the Host Intrusion Prevention configuration. Use these reports to communicate environment activity to other members of your team and management.
