McAfee® Host Intrusion Prevention 6.1 Product Guide Using ePolicy Orchestrator
Host Intrusion Prevention operations 3
Deploying Host Intrusion Prevention clients
Clients are the component that provides protection in a Host Intrusion Prevention
deployment. Ideally, every system in a working environment is protected by client
software. We recommend a phased approach to deployment:
1 Determine your initial client rollout plan. Although you will eventually deploy
Host Intrusion Prevention clients to every host (servers and desktops) in your
company, we recommend that you start by installing clients on a limited number of
representative systems and tuning their configuration. After you have fine-tuned the
deployment, you can deploy more clients and reuse the policies, exceptions, and
client rules created in the initial rollout.
2 Establish a naming convention for your clients. Clients are identified by name in
the console tree, in certain reports, and in event data generated by activity on the
client. Clients can take the names of the hosts on which they are installed, or you
can assign a specific client name during installation. We recommend establishing a
naming convention for clients that is easy to interpret by anyone working with the
Host Intrusion Prevention deployment.
3 Install the clients. Clients are installed with a default set of IPS, firewall,
application blocking, and general rule policies. New policies with updated rules can
later be pushed from the server.
4 Group the clients logically. Clients can be grouped according to any criteria that
fit the console tree hierarchy. For example, you might group clients according to
their geographic location, corporate function, or the characteristics of the system.
For detailed instructions, refer to the Host Intrusion Prevention Installation Guide.
Viewing and working with client data
After you have installed and grouped your clients, the deployment is complete.
You should begin to see events triggered by client activity that violates the IPS
security policy you set. If you have placed clients in Adaptive mode, you should also
see the client rules that indicate which client exception rules are being created. By
analyzing this data, you begin to tune the deployment.
To analyze event data, view the IPS Event tab in the IPS feature. You can drill down to
the details of an event, such as which process triggered the event, when the event was
generated, and which client generated the event. Analyze the event and take the
appropriate action to tune the Host Intrusion Prevention deployment so that it responds
better to attacks. The IPS Event tab displays default host-based and network-based
intrusion prevention signatures as well as custom host-based signatures.
To analyze client rules, view the Client Rules tab. Client rules also appear in the firewall
and application blocking features. You can see which rules are being created,
aggregate them to find the most prevalent common rules, and move a rule directly
to a policy so that it applies to other clients.
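The two steps above that benefit from automation are the client naming convention and the aggregation of Adaptive-mode client rules into policy candidates. The following script is an added example and not part of the product guide or of ePolicy Orchestrator: it assumes a SITE-ROLE-NNNN naming convention (the guide recommends a convention but does not prescribe one), and the record layout of the constructed client rules (client, process, signature) is likewise an assumption, since the page does not describe the console's export format.

```python
import re
from collections import defaultdict

# Assumed naming convention for this example: SITE-ROLE-NNNN, e.g. NYC-WS-0012.
# The site code doubles as the grouping key for geographic location.
CLIENT_NAME_RE = re.compile(r"^(?P<site>[A-Z]{3})-(?P<role>WS|SRV)-(?P<num>\d{4})$")

def parse_client_name(name):
    """Return (site, role, number) if the name follows the convention, else None."""
    m = CLIENT_NAME_RE.match(name)
    return (m["site"], m["role"], int(m["num"])) if m else None

# Constructed sample of Adaptive-mode client exception rules. The field layout is an
# assumption modelled on the event details the guide mentions (process, client,
# signature); it is not the real console export format.
SAMPLE_CLIENT_RULES = [
    {"client": "NYC-WS-0012", "process": r"C:\Program Files\App\app.exe", "signature": 3700},
    {"client": "NYC-WS-0013", "process": r"C:\Program Files\App\app.exe", "signature": 3700},
    {"client": "LON-WS-0020", "process": r"C:\Program Files\App\app.exe", "signature": 3700},
    {"client": "LON-WS-0020", "process": r"C:\Windows\System32\cmd.exe", "signature": 1001},
    {"client": "NYC-WS-0012", "process": r"C:\Users\jdoe\tmp\unknown.exe", "signature": 1001},
    {"client": "NYC-WS-0012", "process": r"C:\Users\jdoe\tmp\unknown.exe", "signature": 1001},
]

def aggregate_client_rules(rules):
    """Group rules by (process, signature) and collect the distinct clients per group,
    so a rule created on many systems is not confused with one client creating it often."""
    clients_by_rule = defaultdict(set)
    for r in rules:
        clients_by_rule[(r["process"], r["signature"])].add(r["client"])
    return {key: sorted(clients) for key, clients in clients_by_rule.items()}

def policy_candidates(rules, total_clients, min_fraction=0.5):
    """Return (process, signature, clients) for rules present on at least min_fraction
    of the monitored clients, most prevalent first. These are the common rules the
    guide suggests moving into a policy; rarer ones stay for individual review."""
    agg = aggregate_client_rules(rules)
    ranked = sorted(agg.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(proc, sig, clients) for (proc, sig), clients in ranked
            if len(clients) / total_clients >= min_fraction]

if __name__ == "__main__":
    clients = {r["client"] for r in SAMPLE_CLIENT_RULES}
    for name in sorted(clients):
        print(name, parse_client_name(name))
    for proc, sig, who in policy_candidates(SAMPLE_CLIENT_RULES, len(clients)):
        print(f"candidate: signature {sig} for {proc} on {len(who)}/{len(clients)} clients")
```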
In addition, the Reporting feature provides detailed reports based on events, client
rules, and the Host Intrusion Prevention configuration. Use these reports to
communicate environment activity to other members of your team and management.