Configuring the IPS Protection policy
The IPS Protection policy sets the protective reaction for signature severity levels. These settings instruct agents what to do when an attack or suspicious behavior is detected. Each signature has one of four severity levels:
- High (Red) — Signature of clearly identifiable security threats or malicious actions. These signatures are specific to well-identified exploits and are mostly non-behavioral in nature. Prevent these signatures on every system.
- Medium (Orange) — Signature of behavioral activity where applications operate outside their envelope. Prevent these signatures on critical systems, as well as on web servers and SQL servers.
- Low (Yellow) — Signatures of behavioral activity where applications and system resources are locked and cannot be changed. Preventing these signatures increases the security of the underlying system, but additional fine-tuning is needed.
- Information (Blue) — Signature of behavioral activity where applications and system resources are modified and might indicate a benign security risk or an attempt to access sensitive system information. Events at this level occur during normal system activity and generally are not evidence of an attack.
These levels indicate potential danger to a system and enable you to define specific reactions for different levels of potential harm. You can modify the severity levels and reactions for all signatures. For example, when suspicious activity is unlikely to cause damage, you can select ignore as the reaction. When an activity is likely to be dangerous, you can set prevent as the reaction.
The IPS Protection policy has several preset policies from which to select. If the preset policies do not provide the selected option combination you want, create a new policy and select the required options. Selections in the IPS Protection policy dialog box vary depending on the selected policy.
To configure the IPS Protection policy:
- Expand the IPS feature, and click Edit on the IPS Protection category line.
- To apply a preset policy, select it in the policy list. Click the policy name icon to view the settings:
| Select this policy... | For these options... |
| --- | --- |
| Basic Protection (McAfee Default) | Prevent high severity level signatures and ignore the rest. |
| Enhanced Protection | Prevent high and medium severity level signatures and ignore the rest. |
| Maximum Protection | Prevent high, medium, and low severity level signatures and log the rest. |
| Prepare for Enhanced Protection | Prevent high and log medium severity level signatures, and ignore the rest. |
| Prepare for Maximum Protection | Prevent high and medium severity level signatures, log low severity level signatures, and ignore the rest. |
| Warning | Log high severity level signatures and ignore the rest. |
- Click Apply.
To create a new IPS Protection policy:
- Click Edit on the IPS Protection category line, and select New Policy in the policy list.
- In the Create New Policy dialog box, select the policy to duplicate, type the name of the new policy, and then click OK.
Note: You can also create a new, duplicate policy while viewing the details of a preset policy by clicking Duplicate at the bottom of the policy dialog box. Type the name of the new policy and indicate whether to assign the policy immediately to the current node.

The IPS Protection dialog box appears.
- Select the type of reaction for each severity level:

| For this item... | Select... |
| --- | --- |
| High | Ignore to permit the event without logging it. Log to permit the event and log it. Prevent to block the event and log it. |
| Medium | Ignore to permit the event without logging it. Log to permit the event and log it. Prevent to block the event and log it. |
| Low | Ignore to permit the event without logging it. Log to permit the event and log it. Prevent to block the event and log it. |
| Information | Ignore to permit the event without logging it. Log to permit the event and log it. (Prevent is not offered for Information severity level signatures.) |
- Click Apply, and then click Close.
- Click Apply on the IPS Protection category line.
Note: Policies can be deleted only in the ePolicy Orchestrator Policy Catalog page and only by global administrators.
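The following is an added example, not code from the McAfee product or this guide. It models the severity-to-reaction mapping of the preset policies listed above and of a custom policy built in the IPS Protection dialog box, then shows the check a practitioner wants before stepping a node up from one preset to the next: which events that are only logged under a "Prepare for" policy would be blocked by the stricter policy. The policy names and reactions are taken from the tables on this page; the signature names and events are constructed sample data, and the function names are this example's own.

```python
# Added example (not McAfee's code): simulate how an IPS Protection policy maps
# signature severity to a reaction, and compare two presets to plan a staged rollout.
from collections import Counter

SEVERITIES = ("High", "Medium", "Low", "Information")
REACTIONS = ("Ignore", "Log", "Prevent")

# Preset policies as described on this page (severity -> reaction).
PRESETS = {
    "Basic Protection":                {"High": "Prevent", "Medium": "Ignore",  "Low": "Ignore",  "Information": "Ignore"},
    "Enhanced Protection":             {"High": "Prevent", "Medium": "Prevent", "Low": "Ignore",  "Information": "Ignore"},
    "Maximum Protection":              {"High": "Prevent", "Medium": "Prevent", "Low": "Prevent", "Information": "Log"},
    "Prepare for Enhanced Protection": {"High": "Prevent", "Medium": "Log",     "Low": "Ignore",  "Information": "Ignore"},
    "Prepare for Maximum Protection":  {"High": "Prevent", "Medium": "Prevent", "Low": "Log",     "Information": "Ignore"},
    "Warning":                         {"High": "Log",     "Medium": "Ignore",  "Low": "Ignore",  "Information": "Ignore"},
}


def validate_policy(policy):
    """Reject a policy the IPS Protection dialog box would not accept: every
    severity needs a reaction, and Information-level signatures cannot be Prevented."""
    for sev in SEVERITIES:
        reaction = policy.get(sev)
        if reaction not in REACTIONS:
            raise ValueError(f"{sev}: reaction must be one of {REACTIONS}, got {reaction!r}")
    if policy["Information"] == "Prevent":
        raise ValueError("Information severity level signatures can only be Ignored or Logged")
    return True


def apply_policy(policy, events):
    """Return (blocked, logged) lists of event names for a stream of
    (name, severity) events. Prevent blocks and logs; Log permits and logs;
    Ignore permits without logging."""
    validate_policy(policy)
    blocked, logged = [], []
    for name, severity in events:
        reaction = policy[severity]
        if reaction == "Prevent":
            blocked.append(name)
            logged.append(name)
        elif reaction == "Log":
            logged.append(name)
    return blocked, logged


def staging_report(current_name, target_name, events):
    """Events the target preset would block that the current preset does not,
    plus a count per severity. Run this over the events a 'Prepare for ...'
    policy has logged before switching a node to the stricter preset."""
    cur_blocked, _ = apply_policy(PRESETS[current_name], events)
    tgt_blocked, _ = apply_policy(PRESETS[target_name], events)
    new_blocks = [e for e in tgt_blocked if e not in cur_blocked]
    by_sev = Counter(sev for name, sev in events if name in new_blocks)
    return new_blocks, dict(by_sev)


# Constructed sample events (signature name, severity); not real McAfee signatures.
SAMPLE_EVENTS = [
    ("Buffer overflow in service", "High"),
    ("IIS envelope violation",     "Medium"),
    ("SQL envelope violation",     "Medium"),
    ("Registry key modified",      "Low"),
    ("Process enumeration",        "Information"),
]

if __name__ == "__main__":
    for name, policy in PRESETS.items():
        blocked, logged = apply_policy(policy, SAMPLE_EVENTS)
        print(f"{name:34} blocked={len(blocked)} logged={len(logged)}")
    new_blocks, by_sev = staging_report("Basic Protection", "Enhanced Protection", SAMPLE_EVENTS)
    print("Moving Basic -> Enhanced would newly block:", new_blocks, by_sev)
```

The point of `staging_report` is the rollout order the presets imply: run "Prepare for Enhanced Protection" first, review the medium severity events it logs (those are exactly the events "Enhanced Protection" would start blocking), tune exceptions, and only then apply "Enhanced Protection". The same applies between "Prepare for Maximum Protection" and "Maximum Protection" for low severity events.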
Copyright © 2006 McAfee, Inc. All Rights Reserved.