Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Installation Guide Page 22

legitimate applications, and you do not need to permit these behaviors. Validate that the
user application functions correctly and continue blocking.
TIP: It is common for events to be generated and blocked with no visible effect on the user or
the operation of the application. For example, VMware envelopes and Adobe applications
frequently exhibit this behavior. It is safe to ignore these events if you can confirm that the
user experience is unchanged. You may be closing a loophole, such as a cross-site scripting
vulnerability, that might otherwise be exploited.
Tuning process
Have you received any complaints from users? Communicate directly with them to validate that
their applications are operating appropriately. As you make decisions about tuning during the
pilot, follow this process:
1 Edit policies—Use ePolicy Orchestrator to edit and create policies and reactions.
2 Apply policies selectively—Use ePolicy Orchestrator to apply the policies to the target
systems (not automatic).
3 Activate the changes—When you change Host IPS policies in the ePO console, the
changes take effect on the managed systems at the next agent-server communication. By
default, this interval occurs once every 60 minutes. To enforce policies immediately, send
an agent wake-up call from the ePO console.
4 Test your changes—Revalidate operational success for these changes, including
compatibility with business systems (allowing legitimate activity). Look to see that IPS
network traffic is minimized and that you are reducing the false positives you were targeting.
5 Apply policies more broadly—If the new policies work, apply them to relevant systems.
6 Continue daily monitoring.
See Configuring IPS Policies in the product guide for details on working with IPS policies,
including setting signature reactions, and creating exceptions and trusted applications from
events. See Configuring Firewall Policies in the product guide for details on working with
firewall policies.
Configure dashboards and reports
Now that you have imposed more order and accuracy on your events, you can use the ePO
server to improve organization and communication of IPS and firewall information.
Configure ePO dashboards for a quick overview of ongoing policy compliance, event trends,
query results, and issues. Save unique dashboards to reflect daily monitoring, weekly reviews,
and any management reports.
Configure notifications to alert specific individuals when particular events occur. For example,
a notification can be sent when a high-severity event is triggered on a particular server.
Schedule reports to run automatically and be sent to appropriate parties as an email message.
See Managing your protection in the product guide for details on working with dashboards and
reports.
Wait and watch
Monitor events daily for at least another two weeks, checking for help desk calls, anomalies,
and false positives. With this relatively conservative rollout strategy, there should not be many
support calls or issues, so there should not be many adjustments.
Be sure to disable workarounds to prevent users and malware from circumventing IPS protection.
Do not allow disabling of modules and the removal of the Host IPS client.
Best Practices for Quick Success
4. Do initial tuning
McAfee Host Intrusion Prevention 8.0 Installation Guide 22