
5. Activate adaptive mode (optional)
After completing a business cycle with the software in place, begin to implement well-targeted
rules to create custom policy sets. These policies can be defined manually, but adaptive mode
provides a powerful tool for creating IPS rules policies based on host activity, without
administrator interaction. As an application is used, an exception is created to allow each action.
Adaptive mode triggers no IPS events and blocks no activity, except for malicious exploits
(high-severity signatures). Exceptions are logged by the ePO server as IPS Client Rules, so that
you can monitor progress.
By setting representative hosts in adaptive mode during the pilot, you create a tuning
configuration for each usage profile or application. The IPS feature then allows you to take any,
all, or none of the client rules and convert them to server-mandated policies. When you finish
tuning, turn off adaptive mode to tighten the system’s intrusion prevention.
Logging mode helped you understand the frequency of activities. Correspondingly, adaptive
mode tells you the full range and type of activities. These two tools used together provide a
good functional baseline for your organization’s legitimate business activities. You should expect
that there will be irregular activities that won’t be captured during the pilot cycle, so be prepared
to review exceptions and manually create rules as needed. A user might run an in-house
application once every four months, for example, and miss both the logging and the adaptive
mode cycles.
Adaptive mode blocks all high-severity signatures by default, so use adaptive mode to manage
both medium- and high-severity signatures. This combination gives you a good overview of
activity without too much noise.
Adaptive mode creates exception rules very efficiently. However, it’s unlikely that all activities
on a given system should be allowed, or you would not be considering new protections. For
this reason, you should use adaptive mode for a limited time. Review each exception created
(there’s only one instance of each exception), and disable unacceptable rules that adaptive
mode creates.
When you apply adaptive mode, choose the policy option Retain Client Rules. Otherwise,
the new rules are deleted at each policy enforcement interval and need to be relearned.
Eventually, when you turn off adaptive mode and move to enforcement, turn off the option
Retain Client Rules and eliminate any rule that is not enforced by an ePO-delivered policy.
Applying adaptive mode
1 Apply adaptive mode for a specific period (from one to four weeks).
2 Evaluate client rules.
3 Disable inappropriate rules.
4 On the IPS Client Rules tab, move legitimate client rules directly to a policy for application
to other clients.
5 Turn off adaptive mode.
6 Turn off the Retain Client Rules option if set.
TIP: Remember to turn off adaptive mode, so no rules are created without your knowledge.
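To make the workflow in steps 1 to 6 concrete, here is an added Python model (not McAfee Host IPS code; the ClientRule shape, process names and signature ids are constructed for illustration) of how adaptive mode turns observed activity into at most one exception per action while still blocking high-severity signatures, how the Retain Client Rules option decides whether learned rules survive an enforcement interval, and how the learned rules are reviewed and finally reconciled against ePO-delivered policy.

```python
# Hypothetical model of the adaptive-mode workflow (added example, not
# McAfee Host IPS code; process names and signature ids are constructed).
from dataclasses import dataclass, field

HIGH = "high"  # adaptive mode still blocks these (malicious exploits)


@dataclass(frozen=True)
class ClientRule:
    """One learned exception: this process may perform this action."""
    process: str
    action: str
    signature: str


@dataclass
class AdaptiveHost:
    client_rules: set = field(default_factory=set)  # one per exception
    blocked: list = field(default_factory=list)

    def observe(self, process, action, signature, severity):
        """No IPS event and no block, except for high-severity signatures;
        any other action gets at most one allow exception."""
        if severity == HIGH:
            self.blocked.append((process, signature))
            return "blocked"
        rule = ClientRule(process, action, signature)
        if rule in self.client_rules:
            return "already-excepted"
        self.client_rules.add(rule)
        return "exception-created"

    def policy_enforcement(self, retain_client_rules):
        """Each enforcement interval wipes learned rules unless the
        Retain Client Rules option is set; returns how many survive."""
        if not retain_client_rules:
            self.client_rules.clear()
        return len(self.client_rules)


def review(client_rules, disallowed_processes):
    """Steps 2-4: disable inappropriate rules, promote the rest to policy."""
    return {r for r in client_rules if r.process not in disallowed_processes}


def orphaned_after_enforcement(client_rules, epo_policy):
    """Steps 5-6: with adaptive mode and Retain Client Rules off, client
    rules not backed by an ePO-delivered policy are to be eliminated."""
    return client_rules - epo_policy
```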
Best practices
• Run clients in adaptive mode for at least a week to encounter all normal activity. Choose
times of scheduled activity, such as backups or script processing.
Best Practices for Quick Success
McAfee Host Intrusion Prevention 8.0 Installation Guide