This section answers some practical questions that can arise when using Host Intrusion Prevention 6.0.
What is a policy?
A policy is a customized subset of product settings corresponding to a policy category. You can create, modify, or delete as many named policies as needed for each policy category.
What is the McAfee Default policy?
Upon installation, each policy category contains at least one named policy, McAfee Default. The McAfee Default policies cannot be edited, renamed, or deleted.
What happens to the nodes of the Directory under a node where I assigned a new policy?
All nodes with inheritance enabled for the specific policy category inherit the policy applied to a parent node.
How are the nodes to which a policy is applied affected when the policy is modified?
All nodes to which a policy is applied receive any modification made to the policy at the next agent-server communication or by running an agent wake-up call. The policy is then enforced at each policy enforcement interval.
Why isn’t the new Host Intrusion Prevention policy I assigned being enforced?
New policy assignments are not enforced until the next agent-server communication or by running an agent wake-up call after the assignment has been made. Also, if the client UI is unlocked with a password, no new policy assignments are enforced.
Can I delegate administration of IPS and firewall policies to different administrators in different geographic locations?
Yes. Host Intrusion Prevention enables you to delegate responsibility for all or individual product features such as IPS or Firewall. Finer granularity of roles within the feature, for example, agent management and exception creation, is not supported.
Assign user rights at the site level, one level below the root directory, and the rights are inherited by all nodes under that site. Explicit user permission on nodes below the site level is not supported. To delegate administration by geographic location, designate a geographic location at a site node, and then apply the appropriate user rights.
Can I apply the same security configuration to different systems?
The console tree organizes nodes hierarchically. You assign policies at nodes, so the group nodes beneath each site typically denote profile-based groupings, such as All Servers, All Desktops, IIS Servers, or SQL Servers. This group pattern can be replicated under each site node.
ePolicy Orchestrator enables the creation of policies that are independent of any node, yet shareable across all nodes. When you assign a policy to a node, it is automatically inherited by its children, unless overridden by another policy. You can create a policy matching each profile, such as IIS Server Policy, and apply it to each of the corresponding node groups, such as IIS Servers.
Place a computer with a new Host Intrusion Prevention agent in the appropriate profile group to be assigned the correct security policies. If this is not possible, you can set the policy for an individual agent by modifying the policies at the individual node level. Most inherited policies can be overridden, unless a policy has forced inheritance assigned.
Can I view or edit the policies applicable to a specific node or agent?
Yes. Host Intrusion Prevention policies have specific categories, such as IPS Rules and IPS Protection, each providing specific settings. Under each Host Intrusion Prevention feature, you can see its categories for the selected node on the Policies tab. Each category displays the name of its assigned policy (or policies). Most categories, like IPS Protection, display a single policy, while the IPS Rules and Trusted Applications categories display one or more policy instances. To view the details of each policy, click the name of the policy.
How do I view all available policies and the nodes they are assigned to?
The ePolicy Orchestrator tree has a Policy Catalog node, which displays the list of all policies in each category with a count of their assignments. Click the count value to display a list of all nodes where the policy is directly assigned. The count does not include nodes where the policy has been inherited, so the number of systems actually enforcing a policy can be larger than the count shown.
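The following is an added example, not McAfee code, that models the inheritance rules described in the two answers above for one policy category: a node without its own assignment inherits its parent's effective policy, a local assignment overrides the inherited one, an assignment with forced inheritance on an ancestor cannot be overridden below it, and the Policy Catalog count reflects direct assignments only. The tree, node names and policy names (EMEA, IIS Servers, web02 Custom, and so on) are constructed for the example.

```python
"""Model of ePO-style policy inheritance for a single policy category.

Added example, not part of Host Intrusion Prevention or ePolicy Orchestrator.
Node and policy names below are made up to illustrate the resolution rules.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    assigned: Optional[str] = None   # policy assigned directly at this node
    forced: bool = False             # assignment carries forced inheritance
    children: list = field(default_factory=list)

    def add(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child


def effective_policy(node: Node) -> Optional[str]:
    """Resolve the policy actually enforced on `node`."""
    chain = []
    n = node
    while n is not None:
        chain.append(n)
        n = n.parent
    chain.reverse()  # root first

    # A forced assignment at or above the node wins; nothing below may override it.
    for n in chain:
        if n.assigned is not None and n.forced:
            return n.assigned

    # Otherwise the nearest explicit assignment walking up the tree applies.
    for n in reversed(chain):
        if n.assigned is not None:
            return n.assigned
    return None


def walk(node: Node):
    """Yield `node` and all of its descendants."""
    yield node
    for child in node.children:
        yield from walk(child)


def direct_assignment_count(root: Node, policy: str) -> int:
    """What the Policy Catalog count shows: direct assignments only."""
    return sum(1 for n in walk(root) if n.assigned == policy)


def effective_count(root: Node, policy: str) -> int:
    """Nodes actually enforcing `policy`, including those inheriting it."""
    return sum(1 for n in walk(root) if effective_policy(n) == policy)


def build_sample_tree() -> Node:
    """Constructed sample Directory: a site with two profile groups."""
    root = Node("Directory", assigned="McAfee Default")
    emea = root.add(Node("EMEA"))                       # inherits McAfee Default
    iis = emea.add(Node("IIS Servers", assigned="IIS Server Policy"))
    iis.add(Node("web01"))                              # inherits IIS Server Policy
    iis.add(Node("web02", assigned="web02 Custom"))     # local override allowed
    sql = emea.add(Node("SQL Servers", assigned="SQL Server Policy", forced=True))
    sql.add(Node("db01", assigned="db01 Custom"))       # ignored: forced above it
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for n in walk(tree):
        print(f"{n.name:12} -> {effective_policy(n)}")
    print("catalog count for IIS Server Policy:",
          direct_assignment_count(tree, "IIS Server Policy"))
    print("nodes enforcing IIS Server Policy:  ",
          effective_count(tree, "IIS Server Policy"))
```

Running the block shows why the catalog count is a lower bound: IIS Server Policy is assigned once but enforced on two nodes, and db01's own assignment is never enforced because the SQL Servers group has forced inheritance.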
How do I view IPS events triggered by agents?
ePolicy Orchestrator does not have its own event viewer, so events are handled by the Host Intrusion Prevention IPS Events tab within the IPS Rules policy. To view the list of events associated with a selected node, click the Policies tab, and then click the IPS Events link. The IPS Events tab displays the combined set of IPS events generated by agents under the selected node for a specific number of days. The view automatically refreshes as new events are triggered, and offers these operations:
How do I create an exception based on an IPS Event?
Select a single event in the IPS Events tab and click Create Exception. A pre-filled New Exception dialog box based on the original event appears. A tab in the New Exception dialog box displays a list of target IPS Rules Policy instances into which you will place this Exception upon creation.
The new exception can only be placed in an existing policy that can be edited. Apply an exception to a specific agent or to multiple agents: the target policy for an exception can be a specific agent policy, or one that fits a common profile. However, all policies are shareable by default, and appear in the assignment list for each node. It is recommended that a small number of policies be carefully created and maintained, so that they can collectively satisfy the needs of all agents. Instead of creating a new exception, you can search for and edit an existing exception with similar attributes in an existing policy with the Search Related Exceptions functionality.
How do I refine IPS Rules policies with automated tuning mechanisms?
Host Intrusion Prevention provides an adaptive mode option, which allows agents to automatically and silently create client rules that allow blocked but non-malicious activity to occur. After agents have been in adaptive mode for a time, an administrator can do the following:
How do I create custom signatures for an IPS Policy?
Custom signatures are part of the IPS Rules policy and can be created to meet a profile’s specific security needs. A custom signature wizard is available for simple signatures, while custom signature Standard and Expert modes are available for advanced users.
How do I reorganize existing exceptions and custom signatures into a new policy?
As administrator you have identified some false positives on a few agents and created exceptions for them. Given that these false-positive events seemed isolated, you initially placed them into various policies. Taking a second look at the exceptions, you see a new pattern, one that can be isolated into its own policy.
To reorganize these exceptions into a new policy, create a new IPS Rules policy and add it to the list of IPS Rules policies for the appropriate node. View the list of all exceptions from the various policies assigned to that node. Select one or more of the appropriate exceptions, and move them to the new policy.
This new policy can then be applied to other agents that fit the newly identified profile, either individually or as a group.
How do I find existing policies that match a given profile?
Typically, an organization will have multiple IPS Rules policies, one per agent profile, such as IIS Server and SQL Server. Given that multiple administrators typically manage different parts of the system, sometimes working in different shifts, it is essential to have a small number of well-maintained policies. This helps you as an administrator to quickly understand the current organization of policies and find what you are searching for.
You can use the IPS Exception Search to search for exceptions based on their attributes, and locate their parent policy in the process. The search allows you to: