McAfee® Host Intrusion Prevention 6.1 Product Guide | Using ePolicy Orchestrator |
| Host Intrusion Prevention operations |
3
Placing clients in Adaptive or Learn mode
A major element in the tuning process placing Host Intrusion Prevention clients in Adaptive mode for IPS, firewall, and application blocking, or Learn mode for firewall and application blocking. These modes allow clients to create client exception rules to administrative policies. Adaptive mode does this automatically without user interaction, while Learn mode requires the user to tell the system what to do when an event is generated.
These modes analyze events first for the most malicious attacks, such as buffer overflow. If the activity is considered regular and necessary for business, client exception rules are created. By setting representative clients in Adaptive or Learn mode, you can obtain a tuning configuration for them. Host Intrusion Prevention then allows you to take any, all or none of the client rules and convert them to
Run clients in Adaptive or Learn mode for at least a week. This allows the clients time to encounter all the activity they would normally encounter. Try to do this during times of scheduled activity, such as backups or script processing.
As each activity is encountered, IPS events are generated and exceptions are created. Exceptions are activities that are distinguished as legitimate behavior. For example, a policy might deem certain script processing as illegal behavior, but certain systems in your engineering groups need to perform such tasks. Allow exceptions to be created for those systems so they can continue to function normally while the policy continues to prevent this activity on other systems. Then make these exceptions part of a
You might have particular software applications that are required for normal business in some areas of the company, but are prevented in others. For example, you might allow Instant Messaging in your Engineering and Technical Support organizations, but prevent its use in your Finance and HR departments. You can establish the application as trusted on the systems in your Engineering and Technical Support organizations to allow users full access to it.
The Firewall feature acts as a filter between a computer and the network or Internet. The firewall scans all incoming and outgoing traffic at the packet level. As it reviews each arriving or departing packet, the firewall checks its list of firewall rules, which is a set of criteria with associated actions. If a packet matches all the criteria in a rule, the firewall performs the action specified by the rule — either allowing the packet through the firewall, or blocking it.
28
