McAfee® Host Intrusion Prevention 6.1 Product Guide

IPS Policies


Select...   To enable...

Enable Host IPS
    Host IPS protection.

Enable Network IPS
    Network IPS protection.

Automatically Block Network Intruders
    A client to block network intrusion attacks automatically on a host for a set period of time. Select Until removed to block incoming and outgoing traffic on a host until it is manually removed from a blocked list on the client, or select for (minutes) to block it for a set number of minutes.

Retain Blocked Hosts
    A client to keep a host (IP address) blocked according to the parameters set under Automatically Block Network Intruders. If not selected, the host is blocked only until the next policy refresh.

Enable Adaptive Mode
    A client to generate client rules automatically.

Automatically add high-risk applications to the Application Protection list
    A client to add applications that are open to code injection, and thus high-risk, automatically to the list of protected applications.

Retain Client Rules
    A client to retain the client rules it created.

4 Click Apply, and then click Close.

5 Click Apply on the IPS Options category line.

Policies can be deleted only in the ePolicy Orchestrator Policy Catalog page and only by global administrators.
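The three network-blocking settings above interact: a block either lasts "Until removed" or for a set number of minutes, and without Retain Blocked Hosts every block is dropped at the next policy refresh. The following is an added model of those semantics for reasoning about the settings; it is constructed example code, not McAfee's implementation, and all class and method names are assumed.

```python
"""Model of 'Automatically Block Network Intruders' and 'Retain Blocked Hosts'.
Constructed example; not McAfee code. Names and the 10-minute default are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class BlockEntry:
    ip: str
    blocked_at: float            # seconds (monotonic clock in a real client)
    duration_min: Optional[int]  # None models "Until removed"

    def expired(self, now: float) -> bool:
        if self.duration_min is None:
            return False         # stays until an operator removes it
        return now >= self.blocked_at + self.duration_min * 60


@dataclass
class IntruderBlockList:
    auto_block: bool = True                 # Automatically Block Network Intruders
    duration_min: Optional[int] = 10        # for (minutes); None = Until removed
    retain_blocked_hosts: bool = False      # Retain Blocked Hosts
    entries: Dict[str, BlockEntry] = field(default_factory=dict)

    def on_intrusion(self, ip: str, now: float) -> bool:
        """Block the attacking host when auto-blocking is enabled."""
        if not self.auto_block:
            return False
        self.entries[ip] = BlockEntry(ip, now, self.duration_min)
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        """Timed blocks lapse on their own; indefinite ones do not."""
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if entry.expired(now):
            del self.entries[ip]
            return False
        return True

    def remove(self, ip: str) -> None:
        """Manual removal from the blocked list on the client."""
        self.entries.pop(ip, None)

    def policy_refresh(self) -> None:
        """Without Retain Blocked Hosts, a refresh clears every block."""
        if not self.retain_blocked_hosts:
            self.entries.clear()
```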

Configuring the IPS Protection policy

The IPS Protection policy sets the protective reaction for signature severity levels. These settings instruct clients what to do when an attack or suspicious behavior is detected. Each signature has one of four severity levels:

• High (Red) — Signature of clearly identifiable security threats or malicious actions. These signatures are specific to well-identified exploits and are mostly non-behavioral in nature. Prevent these signatures on every system.

• Medium (Orange) — Signature of behavioral activity where applications operate outside their envelope. Prevent these signatures on critical systems, as well as on web servers and SQL servers.

• Low (Yellow) — Signature of behavioral activity where applications and system resources are locked and cannot be changed. Preventing these signatures increases the security of the underlying system, but additional fine-tuning is needed.

• Information (Blue) — Signature of behavioral activity where applications and system resources are modified and might indicate a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
