McAfee GUARD DOG 2 Installation Guide, Page 13

McAfee® IntruShield® IPS System IntruShield Best Practices
Special Topics: Best Practices Initial tuning
Auto-negotiation
Auto-negotiation issues typically do not result in link establishment issues. Instead,
auto-negotiation issues mainly result in a loss of performance. When auto-negotiation
leaves one end of the link in, for example, full-duplex mode and the other in half-duplex
(also known as a duplex mismatch), errors and retransmissions can cause
unpredictable behavior in the network. This can cause performance issues, intermittent
connectivity, and loss of communication. Generally these errors are not fatal—traffic
still makes it through—but locating and fixing them is a time-waster.
Situations that may lead to auto-negotiation issues
Auto-negotiation issues with the IntruShield sensor may result from nonconforming
implementation, hardware incapability, or software defects.
Generally, if the switch used with the sensor adheres to IEEE 802.3u auto-negotiation
specifications and all additional features are disabled, auto-negotiation should properly
negotiate speed and duplex, and no operational issues should exist.
Problems may arise when vendor switches/routers do not conform exactly to the
IEEE specification 802.3u.
Vendor-specific advanced features that are not described in IEEE 802.3u for 10/100
Mbps auto-negotiation (such as auto-polarity or cabling integrity) can also lead to
hardware incompatibility and other issues.
Initial tuning
As of software version 2.1, all sensors, on initial deployment, have the IntruShield
'Default Inline IPS' policy loaded on all interfaces. The 'Default Inline IPS' policy can be
changed at the Root admin layer. McAfee recommends, where appropriate, using this
or another IntruShield-provided policy as a starting point, and then tuning it into
segment-tailored custom policies. These tailored policies can be either cloned versions
of IntruShield pre-configured policies or custom-built policies that employ custom rule
sets. An appropriately tuned policy will reduce false positives.
Though each network environment has unique characteristics, the following best
practices can make tuning more efficient and effective.
High-volume attacks
Take the attacks that are generating the most alerts (use the top10 table in the Consolidated
View within Alert Viewer) and investigate their legitimacy. See Chapter 11 of the Manager
Administrator’s Guide for more details.
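
The same triage can be done on exported alert data. The following is an added example, not McAfee code: it assumes alerts were exported to CSV with hypothetical columns `attack`, `src` and `dst`, ranks attacks by alert volume, and reports how concentrated each attack is on one source/destination pair, which helps when judging legitimacy.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample data. Attack names, addresses and column names are
# assumptions for illustration, not an IntruShield export format.
SAMPLE_ALERTS = """\
attack,src,dst
Constructed Attack A,192.0.2.5,198.51.100.20
Constructed Attack B,192.0.2.7,198.51.100.21
Constructed Attack A,192.0.2.5,198.51.100.20
Constructed Attack A,192.0.2.5,198.51.100.20
Constructed Attack B,192.0.2.8,198.51.100.22
Constructed Attack A,192.0.2.9,198.51.100.20
Constructed Attack C,192.0.2.7,198.51.100.23
Constructed Attack A,192.0.2.5,198.51.100.20
Constructed Attack B,192.0.2.9,198.51.100.24
Constructed Attack A,192.0.2.5,198.51.100.20
"""


def top_attacks(csv_text, n=10):
    """Rank attacks by alert count and summarise which hosts trigger them."""
    counts = Counter()
    pairs = defaultdict(Counter)  # attack -> Counter of (src, dst) pairs
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row["attack"]] += 1
        pairs[row["attack"]][(row["src"], row["dst"])] += 1

    report = []
    for attack, total in counts.most_common(n):
        top_pair, pair_hits = pairs[attack].most_common(1)[0]
        report.append({
            "attack": attack,
            "alerts": total,
            "distinct_pairs": len(pairs[attack]),
            "top_pair": top_pair,
            # Share of this attack's alerts caused by its busiest pair.
            "top_pair_share": round(pair_hits / total, 2),
        })
    return report


if __name__ == "__main__":
    for entry in top_attacks(SAMPLE_ALERTS):
        print(entry)
```

A high `top_pair_share` means a single pair of hosts produces most of that attack's alerts, so investigating that one flow settles most of the volume.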
Note
Note that as you interact with IntruShield policies, you encounter the term “attack”, not
“signature.” IntruShield defines an attack as being comprised of one or more
signatures, thresholds, anomaly profiles, or correlation rules, where each method is
used to detect an attempt to exploit a particular vulnerability in a system. These
signatures and checks may contain very specific means for identifying a specific known
exploit of the vulnerability, or more generic detection methods that aid in detecting
unknown exploits for the vulnerability.