
• Track client rules in the ePO console, viewing them in regular, filtered, and aggregated
views.
• Use automatically created client rules to define new, more detailed policies, or add the new
rules to existing policies, then apply the updated policies to other clients.
• Select the policy option Retain Client Rules; otherwise, client rules are deleted after each
policy enforcement interval.
• Review the exceptions that are created. If you cannot perform this review, turn off adaptive
mode so that risky activities are not allowed.
• Turn on adaptive mode briefly to create exceptions for a new application, and then promote
them to a policy.
See Configuring IPS Policies in the product guide for details on working with IPS policies in
adaptive mode; see Configuring Firewall Policies in the product guide for details on working
with firewall policies in adaptive mode.
NOTE: Adaptive mode allows both legitimate and non-legitimate activities. Rules that accept
these activities will be created without administrator approval. Only one exception event is
logged per rule created, so the same activities go undocumented after the rule is created. You
receive only one notice, so you must review and respond diligently to prevent unacceptable
rules.
6. Refine tuning
Now that you have established and tuned baseline responses to activities, you can start to
increase levels of protection and enforcement. This is done by selecting the appropriate category
of the IPS Protection policy. You can perform these tuning steps in the context of day-to-day
monitoring, or you might choose to repeat the formal iterative steps of the pilot. After each
step, wait at least two weeks before considering additional changes to ensure systems are
working correctly at their existing levels of protection.
Basic to enhanced to maximum protection
The Enhanced Protection category of the IPS Protection policy prevents high- and
medium-severity signatures and ignores the rest, while the Prepare for Enhanced Protection
category of the policy takes the interim step of logging the medium-severity signatures first.
Remember that logging provides detailed information about which activities are affected when
you raise the protection level. It can guide you to accurate policy management and limit
surprises.
When you are satisfied that business can continue without disruption, move settings from basic
to enhanced protection. Repeat this for the other systems in your network. The Maximum
Protection category of the policy suits the most dedicated and hardened operating
environments. Since maximum protection blocks even low-severity signatures, it should be
deployed very judiciously after extensive testing. Use the Prepare for Maximum Protection
category as a proving ground to discover the impact of changes prior to activating maximum
protection.
Extremely conservative organizations can roll out each change in protection level as its own
pilot, following the iterative steps we’ve discussed. Remember to enable and disable escape
mechanisms and adaptive mode before and after the testing cycles that validate changes.
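The value of the "Prepare for" categories is that the log tells you, before you raise the level, which processes and signatures would start being blocked. The following script is an added example, not McAfee code and not an ePO feature: it models the reaction of each IPS Protection category to a signature severity and, given a set of logged IPS events, reports what a step up in protection level would newly log or newly prevent, grouped by process. The reactions for Enhanced, Prepare for Enhanced and Maximum follow the text above; the rows for Basic Protection and Prepare for Maximum Protection are assumptions made for the example, and the event records are constructed, not exported from ePO.

```python
"""Preview the impact of raising the HIPS IPS Protection category.

Added example (not McAfee's code). Event records below are constructed;
the real ones would come from an ePO IPS event export.
"""
from collections import Counter, defaultdict

# Reaction of each IPS Protection policy category to a signature severity.
# Enhanced, Prepare for Enhanced and Maximum follow the guide text; the
# Basic and Prepare for Maximum rows are ASSUMPTIONS for this example.
CATEGORY_REACTIONS = {
    "Basic Protection":                {"High": "prevent", "Medium": "ignore",  "Low": "ignore"},   # assumed
    "Prepare for Enhanced Protection": {"High": "prevent", "Medium": "log",     "Low": "ignore"},
    "Enhanced Protection":             {"High": "prevent", "Medium": "prevent", "Low": "ignore"},
    "Prepare for Maximum Protection":  {"High": "prevent", "Medium": "prevent", "Low": "log"},      # assumed
    "Maximum Protection":              {"High": "prevent", "Medium": "prevent", "Low": "prevent"},
}

# Escalation order used by the tuning steps (basic -> enhanced -> maximum).
ORDER = list(CATEGORY_REACTIONS)


def reaction(category, severity):
    """Return 'prevent', 'log' or 'ignore' for a severity under a category."""
    return CATEGORY_REACTIONS[category][severity]


def next_step(category):
    """Return the next category in the escalation order, or None at the top."""
    i = ORDER.index(category)
    return ORDER[i + 1] if i + 1 < len(ORDER) else None


def escalation_report(events, current, target):
    """Group events whose reaction changes when moving from current to target.

    Returns {"newly_logged": {process: {signature: count}},
             "newly_prevented": {process: {signature: count}}}.
    Only forward moves are meaningful here, so a backward move is rejected.
    """
    if ORDER.index(target) <= ORDER.index(current):
        raise ValueError("target must be a higher protection category than current")
    buckets = {"newly_logged": defaultdict(Counter),
               "newly_prevented": defaultdict(Counter)}
    for ev in events:
        before = reaction(current, ev["severity"])
        after = reaction(target, ev["severity"])
        if before == after:
            continue  # this event is already handled the same way
        key = "newly_prevented" if after == "prevent" else "newly_logged"
        buckets[key][ev["process"]][ev["signature"]] += 1
    # Convert nested Counters to plain dicts for easy comparison / printing.
    return {k: {p: dict(c) for p, c in v.items()} for k, v in buckets.items()}


# Constructed sample events (process names and signature labels are made up).
SAMPLE_EVENTS = [
    {"process": "backup.exe",  "signature": "sig-medium-1", "severity": "Medium"},
    {"process": "backup.exe",  "signature": "sig-medium-1", "severity": "Medium"},
    {"process": "updater.exe", "signature": "sig-low-1",    "severity": "Low"},
    {"process": "browser.exe", "signature": "sig-high-1",   "severity": "High"},
    {"process": "updater.exe", "signature": "sig-medium-2", "severity": "Medium"},
]


def print_report(events, current):
    """Walk every remaining step up from `current` and show what changes."""
    while (target := next_step(current)) is not None:
        rep = escalation_report(events, current, target)
        print(f"{current} -> {target}")
        for kind in ("newly_logged", "newly_prevented"):
            for proc, sigs in sorted(rep[kind].items()):
                for sig, n in sorted(sigs.items()):
                    print(f"  {kind:16} {proc:12} {sig:13} x{n}")
        current = target


if __name__ == "__main__":
    print_report(SAMPLE_EVENTS, "Basic Protection")
```

Run against a real export, a report that shows a business-critical process under `newly_prevented` is the signal to add an exception (or promote an adaptive-mode client rule to policy) before moving to the next category, and an empty report after the two-week settling period is the signal that the step can be taken.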
Best Practices for Quick Success
McAfee Host Intrusion Prevention 8.0 Installation Guide, page 24