Manuals / McAfee / Marine Equipment / Marine Radio

McAfee 6.1 manual Preset IPS policies, Behavioral rules, Benefits of Network IPS

Models: 6.1

1 201

Download 201 pages 13.13 Kb

Page 35

McAfee® Host Intrusion Prevention 6.1 Product Guide	IPS Policies
	Overview

NIPS

NIPS protection also resides on individual systems. All data that flows between the protected system and the rest of the network is examined for an attack. When an attack is identified, the offending data is discarded or blocked from passing through the system.

Benefits of Network IPS

Protects systems located downstream in a network segment.

Protects servers and the systems that connect to them.

Protects against network Denial-of-Service attacks and bandwidth-oriented attacks that deny or degrade network traffic.

4

Behavioral rules

Behavioral rules define a profile of legitimate activity. Activity that does not match the profile triggers an event. For example, you can set a rule stating that only a web server process should access web files. If another process attempts to access a web file, this behavioral rule triggers an event.

Host Intrusion Prevention combines the use of signature rules and hard-wired behavioral rules. This hybrid method of identifying attacks detects most known attacks as well as previously unknown or zero-day attacks.

Preset IPS policies

The Host Intrusion Prevention IPS feature contains three policy categories:

IPS Options: This policy turns on or off both host and network IPS protection. Preset policies include On (McAfee Default), Off, Adaptive.

IPS Protection: This policy sets the reaction to events. Preset policies include Basic (McAfee Default), Prepare for Enhanced, Enhanced, Prepare for Maximum, Maximum, Warning,

IPS Rules: This policy can have one or more policy instances. The preset policy is the default policy (McAfee Default).

35

Image 35

McAfee 6.1 manual Preset IPS policies, Behavioral rules, Benefits of Network IPS

Contents

McAfee Host Intrusion Prevention Page McAfee Host Intrusion Prevention Copyright Contents IPS Policies General Policies 103 Frequently Asked Questions 160 Writing Custom Signatures 164 IntroducingPrevention Host Intrusion Changes from the previous release New featuresWhat’s new in this release Audience Using this guideExample ConventionsThis guide uses the following conventions Bold CondensedStandard documentation Getting product informationContact information Customer ServiceProfessional Services Signature rules IPS featureBasic Concepts Exception rules Behavioral rulesEvents ReactionsClient firewall rules Firewall featureFirewall rules Client application blocking rules Application Blocking featureGeneral feature Policies and policy categories Policy managementPolicy enforcement Policy assignment locking Policy inheritance and assignmentPolicy ownership Deployment and management Preset protectionAdaptive and Learn mode Reports Tuning„ Deploy Host Intrusion Prevention clients Using ePolicy OrchestratorEPolicy Orchestrator console EPolicy Orchestrator consoleAssign Policies Policy managementGenerating notifications Installing the Host Intrusion Prevention serverHost Intrusion Prevention operations Assigning owners to policiesViewing and working with client data Deploying Host Intrusion Prevention clientsPlacing clients in Adaptive or Learn mode Policy viewing alerts Configuring policiesActive X control security warning Fine-tuningHelp navigation procedures Using HelpIPS Signature Rules Help in the user interfaceIPS Events/Signatures IPS Exception RulesOverview IPS PoliciesBenefits of Host IPS Host and network IPS signature rulesBenefits of Network IPS Preset IPS policiesBehavioral rules To configure the IPS Options policy Configuring the IPS Options policyQuick access Select the needed options Click ApplyTo create a new IPS Options policy IPS Options dialog box appearsConfiguring the IPS Protection policy To create a new IPS Protection policy To configure the IPS Protection policySelect the type of reaction for each severity level IPS Protection dialog box appearsTo create a new IPS Rules policy Configuring the IPS Rules policyTo assign IPS Rules policies IPS Rules policy details To create an exception Creating exception rulesTo edit an exception rule Editing exception rulesYou can view and edit details of an existing exception Moving exception rules to another policy To disable/enable an exceptionEnabling and disabling exception rules Deleting exception rulesCustom host signatures SignaturesTypes of signatures Host signaturesIPS Rules-Signatures tab Viewing signaturesTo modify the view of signatures To modify default signaturesModifying host and network signatures Creating custom signaturesTo create signatures using the wizard Using the wizard to create signaturesTo create a signature with the standard mode Using the standard mode to create signaturesNew Custom Signature-General tab To edit a custom signature Editing custom signaturesDeleting custom signatures To use Standard Method To use Expert Method11 Application Protection Rules analysis Application Protection Rules12 IPS Rules-Application Protection Rules To create an application protection rule13 New Trusted Application dialog box-General tab Deleting Application Protection Rules IPS EventsEditing Application Protection Rules Enabling and disabling Application Protection RulesTo view IPS events Viewing eventsTo change the event view Configuring the event viewFiltering events To hide an event Marking eventsTo mark an event as read To mark an event as unreadHidden Marking similar eventsTo mark similar events „ Agent „ Signatures „ User „ Process „ Severity LevelTo view event details Viewing event detailsCreating event-based exceptions and trusted applications To create an event-based trusted application To create an event-based exceptionTo search for a related exception IPS Client RulesSearching for related exceptions To migrate client rules to an IPS Rules policy Regular ViewClick the Aggregate View tab on the IPS Client Rules tab Aggregated ViewTo aggregate client rules To search for exceptions and manage the list of exceptions Search IPS Exception Rules22 Search IPS Exception Rules tab Firewall Policies HIP 6.1 rules HIP 6.0 rulesStateful packet inspection State tableStateful packet filtering Ordering the firewall rule list How firewall rules workStateful filtering process How stateful filtering worksProtocol Description of handling How stateful packet inspection worksStateful protocol tracking TCP Firewall rule groups and connection-aware groupsOverview Stateful filtering Firewall Learn and Adaptive modesQuarantine policies and rules To migrate rules Preset Firewall policiesMigrating custom 6.0 firewall rules to 6.1 rules Learn Configuring the Firewall Options policyTo configure the Firewall Options policy Select For these settings Off McAfee Default„ Select New Policy Create New Policy dialog box appearsTo create a Firewall Rules policy Configuring the Firewall Rules policyCreating new Firewall Rules policies Include Local Subnet Automatically selected Server High Select this For this protection Policy Server MediumAdd Policy or Duplicate Policy Viewing and editing firewall rulesDo any of the following To view and edit a firewall ruleTo create a firewall rule Select the appropriate settings Click OKCreating a new firewall rule or firewall group Type a name for this group in the Name field To create a new rule groupFirewall Rule Group dialog box appears To create a connection-aware groupTo delete a firewall rule or group Deleting a firewall rule or groupTo add predefined rules To modify the view, do any of the following Viewing firewall client rulesTo view all firewall client rules To view details of an aggregated firewall rule To view aggregated firewall client rulesSelect New Policy Configuring the Quarantine Options policyTo configure the Quarantine Options policy To create a Quarantine Rules policy Configuring the Quarantine Rules policyQuarantine Rules policy provides access for Creating new Quarantine Rules policiesClick Properties Viewing and editing quarantine rulesTo view and edit a quarantine rule To delete a quarantine rule or group Creating a new quarantine rule or groupDeleting a quarantine rule or group To create a quarantine ruleApplication creation Application Blocking PoliciesApplication hooking Preset Application Blocking policiesApplication Blocking feature contains two policy categories To apply an Application Blocking Options policy Configuring the Application Blocking Options policySelect this policy For these settings Off McAfee Default Application Blocking Options To create an Application Blocking Rules policy Configuring the Application Blocking Rules policyCreating new Application Blocking Rules policies To view and edit an application blocking rule Viewing and editing Application Blocking Rules100 Creating new Application Blocking RulesTo create a new application blocking rule Application Rule dialog box appearsTo view all client application rules Deleting an application blocking ruleViewing application client rules To delete an application blocking ruleTo view details of an aggregated client application rule To view aggregated client application rulesGeneral Policies General feature contains four policy categories Preset General policiesRegular User Configuring Enforce PoliciesConfiguring the Client UI policy To change the policy settingDisconnected User Administrator UserTo configure a Client UI policy Creating and applying a Client UI policy107 Setting passwords108 To create an administrator passwordClick the Advanced Options tab in the Client UI policy To provide tray icon control of Windows UI To create a time-based passwordTray icon control 110 Configuring the Trusted Networks policyTo configure trusted network options Include Local Subnet Select To do this AddEdit RemoveTrusted Application tab appears Configuring the Trusted Applications policyCreating and applying Trusted Applications policies To create a new policyTo create a trusted application Creating trusted applicationsDeleting trusted applications To disable/enable a trusted applicationEditing trusted applications Enabling and disabling trusted applications115 MaintenanceFine-tuning a deployment Analyzing IPS eventsFor details on working with client rules, see Creating exception rules and trusted application rulesWorking with client exception rules Creating and applying new policiesPolicy inheritance and assignment Policy maintenance and tasksTo view and reset broken inheritance below a specific node Policies tabClick Copy policy assignments To copy and paste policy assignments of a nodeTo view all policies that have been created To view nodes where a policy is assignedPolicy Catalog Viewing policy informationEditing policy information To view the settings and owner of a policyTo view assignments where policy enforcement is disabled To edit a policy Property Translator Running server tasksDirectory Gateway Event ArchiverCreating rules Setting up notifications for eventsHow notifications work 124 Host Intrusion Prevention notificationsReport repository Running reportsPre-defined reports IPS Events Summary by Signature Report content controlHost Intrusion Prevention reports Summary information and detailsSignature IPS Event Summary by TargetNetwork Intrusion Summary by Source IP Filters on platform and signature type Top 10 Attacked Nodes for IPSTop 10 Triggered Signatures Blocked Application SummaryInitial View Drill Down Host Name Failed Quarantine UpdatesTop 10 Blocked Applications From the Task type list, select Repository Pull Checking in the update packageTo add update packages automatically UpdatingUpdating clients To add update packages manuallyTo run an update task To have a client request an updateWindows client Host Intrusion Prevention Client133 System tray iconClient console To customize client options Setting optionsUnlocking the client interface To unlock the Host Intrusion Prevention interfaceSelect For this Error ReportingTroubleshooting Show tray icon Error ReportingSecurity Violations To set IPS logging optionsTo set Firewall logging options 137 AlertsIntrusion alerts Has the Treat rule match as an intrusion option selected To respond to a firewall Learn Mode alertFirewall alerts 138Application Blocking alerts „ The IP address that the traffic pretends to come from 140 Quarantine alertsSpoof Detected alerts IP Spoof Detected Alert dialog box 141142 IPS Policy tabIPS Policy options To customize IPS Policy options143 IPS Policy exception rulesException rules list To edit the exception rules144 Firewall Policy tabFirewall Policy options To customize Firewall Policy options145 Firewall Policy RulesFirewall rules list 146 Application Policy tabApplication Policy options To customize Application Policy options147 Application Policy rulesApplication rules list Column What it shows Blocked Hosts tabBlocked Hosts list 148Until removed To edit the Blocked Hosts list149 150 Application Protection tabApplication Protection list This list shows all monitored processes on the client151 Activity Log tabActivity Log options To customize Activity Log optionsMcAfee Host Intrusion Prevention Options Activity Log list152 Select Create Sniffer Capture...Policy enforcement with the Solaris client TroubleshootingClient installation issues Solaris clientFile/Directory Name Description Client operations issuesRun this command To do this 154155 To stop a Solaris clientTo restart a Solaris client Policy enforcement with the Linux client Linux clientFile Name Description Verifying the client is running158 Troubleshooting tool159 Run the command hipts agent offTo stop a Linux client To restart a Linux client160 Frequently Asked QuestionsWhat is a policy? What is the McAfee Default policy?161 How do I create an exception based on an IPS Event? How do I view IPS events triggered by clients?How do I find existing policies that match a given profile? How do I create custom signatures for an IPS Policy?164 Writing Custom SignaturesRule Structure Basic structure of a rule is the followingSection Name Value Description Mandatory common sections165 Name/domain user name Use of Include and ExcludeUse of the dependencies section Optional common sectionsSection value variables Windows IIS Web Server Use of wildcardsUse of environment variables Use of predefined variables169 MS SQL Database ServerSolaris Apache and iPlanet 170 This topic describes how to write Windows custom signaturesWindows Custom Signatures Class Files171 GUI name Explanation Advanced DetailsClass Isapi Machine where the client is installed in the manner host Windows Custom Signatures Class Registry 177 Section Values Meaning/remarks Class ServicesGUI Name Explanation Possible Values Windows Custom Signatures 181 This topic describes how to write Solaris custom signaturesSolaris Custom Signatures Class UNIXfileDirective File Source File permission New permission Relevant X directives per section183 Advanced DetailsClass UNIXapache Solaris Custom Signatures 185 Linux Custom Signatures186 Summary of parameters and directivesList of parameters according to type List of directives according to type187 GlossaryBlocked host 188Console tree 189EPolicy Orchestrator database server 190See also minimal properties 191Inactive agent 192Policy enforcement interval 193Severity level 194SYN flood 195Index Working with clients Signatures, 46 creating, 48 creating custom Firewall policy tab rules List IPS Policy tab Page Mcafee.com