
1 Check that the Host IPS services (FireSvc.exe, mfefire.exe, mfevtp.exe) and framework
service (McAfeeFramework.exe) are started.
2 Very Important! Run simple applications, such as accounting, document editing, email,
Internet access, multi-media, or development tools, to test that they operate correctly.
Can your users perform their standard jobs? You are looking to demonstrate and validate
proper operational detection.
3 If you see issues on the client, you can examine IPS client logs and client operating system
logs for errors. See Working with Host Intrusion Prevention Clients in the product guide.
4 Repeat these steps to expand to more systems until you have populated the pilot group.
TIP: Remember to test at each installation or policy change to ensure that end users can perform
their jobs successfully. This testing may be the most valuable activity in ensuring a successful
rollout.
4. Do initial tuning
With your pilot group up and running, you now wait and watch. Allow two to seven days for
events to accumulate, and be responsive to any support calls.
Daily monitoring
Allow a few minutes every day to review IPS event logs and monitor activity volumes and types.
This habit helps you gain a baseline of normal operational levels and activity patterns. For
instance, in daily monitoring you should notice the regular processes and activity levels of server
maintenance and application updates. With this knowledge of activities, you will immediately
recognize any unusual activity that arises.
Your daily reviews should help refine rules, policies, and exceptions as new events occur. Host
IPS provides fine-grained control because it can monitor all system and API calls and block
those that might result in malicious activity. Similar to a network IPS system, additional rule
tuning is necessary occasionally as applications, business needs, and policy requirements change.
Ongoing maintenance of a Host IPS deployment includes monitoring, analyzing, and reacting
to activities; changing and updating policies; and performing system tasks, such as setting up
user permissions, server tasks, notifications, and content updating. These activities need to be
budgeted for at an operational level to maintain the health and effectiveness of the IPS functions.
Review logs
Event log data can help you refine policies to balance protection against freedom of access to
information and applications. This balance usually differs for each user type. At this stage you
should tune policies manually through the ePO server. For automatic policy tuning, see 5. Activate
adaptive mode (optional).
Event information is accessible from the Host IPS 8.0 | Events tab under Reporting on the
ePO server. You can drill down to the details of an event, including which process triggered the
event, when the event was generated, and which client generated the event. You are looking
for red flags, such as false positives or high-severity triggered signatures.
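The daily monitoring described above (build a baseline of normal event volumes and patterns, then spot what deviates) and the red-flag review (high-severity signatures, routine low-severity noise that may warrant an exception) can be scripted once you export events from ePO. The block below is an added example, not part of the McAfee guide or product: the event records, client names, process names and signature labels are all constructed for illustration and do not match McAfee's real signature catalogue or ePO's export format, and the thresholds (three times the baseline daily rate, three distinct clients) are assumptions you would tune for your own pilot group.

```python
"""Baseline-and-deviation review of Host IPS events (added example, not McAfee code)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample data. Field order: timestamp,client,process,signature,severity.
# Signature names are invented labels, not McAfee's real signatures; ePO exports differ.
BASELINE_CSV = """\
2010-03-01T02:05:00,fileserver01,backup.exe,Files: Create in Program Files,Low
2010-03-01T02:06:00,fileserver01,backup.exe,Files: Create in Program Files,Low
2010-03-01T08:10:00,ws-alice,outlook.exe,Mail: Client Address Book Access,Low
2010-03-01T08:12:00,ws-bob,outlook.exe,Mail: Client Address Book Access,Low
2010-03-01T08:15:00,ws-carol,outlook.exe,Mail: Client Address Book Access,Low
2010-03-02T02:05:00,fileserver01,backup.exe,Files: Create in Program Files,Low
2010-03-02T02:07:00,fileserver01,backup.exe,Files: Create in Program Files,Low
2010-03-02T08:09:00,ws-alice,outlook.exe,Mail: Client Address Book Access,Low
2010-03-02T08:11:00,ws-bob,outlook.exe,Mail: Client Address Book Access,Low
2010-03-02T08:16:00,ws-carol,outlook.exe,Mail: Client Address Book Access,Low
2010-03-02T14:30:00,ws-alice,winword.exe,Files: Modify Startup Folder,Medium
"""

REVIEW_DAY_CSV = """\
2010-03-08T02:05:00,fileserver01,backup.exe,Files: Create in Program Files,Low
2010-03-08T02:06:00,fileserver01,backup.exe,Files: Create in Program Files,Low
2010-03-08T08:10:00,ws-alice,outlook.exe,Mail: Client Address Book Access,Low
2010-03-08T08:13:00,ws-bob,outlook.exe,Mail: Client Address Book Access,Low
2010-03-08T08:14:00,ws-carol,outlook.exe,Mail: Client Address Book Access,Low
2010-03-08T09:40:00,ws-bob,winword.exe,Files: Modify Startup Folder,Medium
2010-03-08T09:41:00,ws-dave,winword.exe,Files: Modify Startup Folder,Medium
2010-03-08T11:02:00,ws-bob,updater.exe,Process: Suspicious Code Injection,High
"""


def parse_events(text):
    """Parse CSV text into event dicts; a malformed timestamp raises ValueError."""
    fields = ("timestamp", "client", "process", "signature", "severity")
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ev = dict(zip(fields, row))
        ev["day"] = datetime.fromisoformat(ev["timestamp"]).date()
        events.append(ev)
    return events


def build_baseline(events):
    """Per (process, signature): daily rate, distinct clients, whether it fired every day, max severity."""
    days = {ev["day"] for ev in events}
    stats = defaultdict(lambda: {"count": 0, "clients": set(), "days": set(), "severity": "Info"})
    for ev in events:
        s = stats[(ev["process"], ev["signature"])]
        s["count"] += 1
        s["clients"].add(ev["client"])
        s["days"].add(ev["day"])
        if SEVERITY_RANK.get(ev["severity"], 0) > SEVERITY_RANK[s["severity"]]:
            s["severity"] = ev["severity"]
    return {
        key: {
            "per_day": s["count"] / len(days),
            "clients": s["clients"],
            "every_day": len(s["days"]) == len(days),
            "severity": s["severity"],
        }
        for key, s in stats.items()
    }


def review_day(events, baseline, spike_factor=3.0, min_clients=3):
    """Classify one day's events against the baseline (thresholds are assumptions)."""
    counts = Counter((ev["process"], ev["signature"]) for ev in events)
    # Pairs never seen in the baseline period: investigate first.
    new_patterns = sorted(k for k in counts if k not in baseline)
    # Known pairs firing well above their usual daily rate.
    spikes = sorted(
        (k[0], k[1], n, baseline[k]["per_day"])
        for k, n in counts.items()
        if k in baseline and n > spike_factor * baseline[k]["per_day"]
    )
    # High-severity events always get a look, known pair or not.
    high_severity = [ev for ev in events if ev["severity"] == "High"]
    # Low-severity pairs firing every baseline day on many clients are routine
    # activity: review them as candidates for a policy exception (false positives).
    exception_candidates = sorted(
        k for k, s in baseline.items()
        if s["severity"] == "Low" and s["every_day"] and len(s["clients"]) >= min_clients
    )
    return {
        "new_patterns": new_patterns,
        "spikes": spikes,
        "high_severity": high_severity,
        "exception_candidates": exception_candidates,
    }


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_CSV))
    report = review_day(parse_events(REVIEW_DAY_CSV), baseline)
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print("   ", item)
```

Run on the constructed data, the review day reports one never-seen pair (updater.exe with a High-severity signature, which also appears under high_severity), one spike (the startup-folder signature from winword.exe, two events against a baseline of 0.5 per day), and one exception candidate (the Outlook address-book signature, which fires on three clients every day and is the kind of routine noise the guide suggests tuning out). Replace the two CSV strings with your own ePO export and extend the baseline window to the two to seven days the guide recommends.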
Check that processes and services are correct. Applications you expect to run should be running,
while applications you don’t expect should not appear. If you see logged events based on
Best Practices for Quick Success
McAfee Host Intrusion Prevention 8.0 Installation Guide 20