
McAfee® IntruShield® IPS System IntruShield Best Practices
Special Topics: Best Practices
Initial tuning
Many of the top alerts seen on the initial deployment of a sensor will be common false
positives seen in many environments. Typically, at the beginning of the tuning process,
it will become evident that your network or security policy affects the overall level of alerts.
If, for instance, AOL IM traffic is allowed on the network, then there may be no need
to alert on AOL IM set-up flows.
Alert filters
When a particular alert is declared a false positive, the next decision is whether to
disable the corresponding attack altogether or apply a particular alert filter to that attack
that disables alerting for a particular IP address or range of IP addresses. In almost
all cases, it is a best practice to implement the latter. For instance, an SMS server may
generate the alert "Netbios: Copy Executable file attempt" during the legitimate transfer
of login scripts. Rather than disable the alert altogether, and cancel the possibility of
finding a real attack of this nature, we recommend that you create an alert filter for the
SMS server and apply it to this attack.
Every alert filter created is globally stored so that the filter can be applied to any Exploit
or Reconnaissance attack.
It is also a best practice to document all your tuning activities. The Report Generator
can be used to assist the documentation process. The IDS Policy report will deliver
reports that list Alert Filters that have been applied and attacks that have been
otherwise customized.
DoS
It is a best practice to let the sensors learn the profiles of the particular segments they
are monitoring before tuning DoS attacks. This is known as Learning Mode operation. The
learning process takes two days. During this period it is not unusual to see DoS alerts
associated with normal traffic flows (e.g., DoS SYN flood alerts reported outbound on a
firewall interface to the Internet). After a profile has been learned, the particulars of the
profile (number of SYNs, ACKs, etc.) can be viewed per sensor. DoS detection can also
be implemented using Threshold Mode. This involves setting thresholds manually
for the same segment characteristics that are learned in Learning Mode.
Implementing this mode successfully is critically dependent on detailed knowledge of
the segments the particular sensors are monitoring.
It is a best practice to have the sensor re-learn the profile when there is a network
change (e.g., you move the sensor from a lab or staging environment to a production
environment) or a configuration change (e.g., you change the CIDR block of a
sub-interface) that causes a significant, sudden traffic change on an interface. If the
sensor does not re-learn the new environment, it may issue false alarms or fail to detect
actual attacks during the period in which it is adapting to the new network traffic
conditions. There is no need to re-learn a profile when network traffic increases or
decreases naturally over time (e.g., an eCommerce site that is gaining more and more
customers, so that its Web traffic grows in parallel), since the sensor can automatically
adapt to it.
See Chapter 9 of the Manager Administrator's Guide for more details about re-learning
a profile.
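To make the Learning Mode versus Threshold Mode argument concrete, the following is an added illustrative example, not code from this guide and not IntruShield's actual profiling algorithm. It assumes a toy profile of mean and standard deviation of SYN counts per interval, with the mean adapting slowly after each clean interval, and runs it over constructed traffic to show organic growth being absorbed, a moved sensor either alerting on every interval or missing a burst while it adapts, and a fixed threshold carried over from a lab firing on production traffic.

```python
from statistics import mean, pstdev

def learn_profile(samples):
    """Learning-mode analogue: summarise the SYN counts per interval seen during
    the learning window into a baseline (mean and standard deviation)."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}

def detect(profile, samples, k=4.0, alpha=0.05):
    """Flag intervals whose SYN count exceeds mean + k*stdev. After each clean
    interval the mean drifts toward the observed count (slow adaptation), so a
    gradual trend is absorbed while a sudden step is not. Returns (alerts, profile)."""
    mu, sigma = profile["mean"], max(profile["stdev"], 1.0)  # floor avoids a zero band
    alerts = []
    for i, x in enumerate(samples):
        limit = mu + k * sigma
        if x > limit:
            alerts.append((i, x, round(limit, 1)))  # alerting intervals do not train mu
        else:
            mu = (1 - alpha) * mu + alpha * x
    return alerts, {"mean": mu, "stdev": sigma}

def detect_threshold(samples, threshold):
    """Threshold-mode analogue: a fixed limit the operator must set from detailed
    knowledge of the segment; nothing is learned or adapted."""
    return [(i, x) for i, x in enumerate(samples) if x > threshold]

# Constructed data (hypothetical values): 48 hourly intervals (two days) on a staging segment.
STAGING = [100 + (i % 5) * 3 for i in range(48)]
# Organic growth: +0.5 SYN per interval over 100 intervals (about 50% in total).
GROWTH = [105 + 0.5 * i for i in range(100)]
# The same sensor moved to a busier production segment: about 300 SYN per interval.
PRODUCTION = [300 + (i % 5) * 3 for i in range(48)]
# ...or moved to a quiet segment (20/interval) that sees a 5x burst in its 4th interval.
QUIET = [20, 20, 20, 100]

def scenarios():
    stale = learn_profile(STAGING)  # profile learned before the move
    return {
        "growth": detect(stale, GROWTH)[0],                    # no alerts: mean keeps up
        "moved_no_relearn": detect(stale, PRODUCTION)[0],      # every interval alerts
        "moved_relearned": detect(learn_profile(PRODUCTION), PRODUCTION)[0],  # no alerts
        "quiet_no_relearn": detect(stale, QUIET)[0],           # burst missed while adapting
        "quiet_relearned": detect(learn_profile([20] * 48), QUIET)[0],        # burst caught
        "threshold_from_lab": detect_threshold(PRODUCTION, 130),              # all 48 fire
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {len(result)} alert(s)")
```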
Note: See Chapter 11 of the Manager Administrator's Guide for more details on alert
filters.