McAfee® IntruShield® IPS System: IntruShield Best Practices
Special Topics: Best Practices: Creating rule sets
Creating rule sets
Proper creation of rule sets is essential to eliminating false positives and ensuring
maximum protection on your network. These best practices can assist when creating
rule sets in the IntruShield Manager.
Default Inline IPS
A rule set is configured based on attack category, operating system, protocol,
application, severity, and benign trigger probability options. Each rule in a set is either
an include rule or an exclude rule. An include rule (which should always start a rule set)
is a set of parameters that encompass a broad range of well-known attacks for
detection. An exclude rule removes elements from the include rule in order to focus the
policy's rule set.
There are two best practice methods employed for creating rule sets.
General-to-specific rule creation. The first method is general-to-specific. Start
with an include rule that covers a broad range of OSs, applications, and protocols. After
this, create one or more exclude rules to strip away specific OSs, protocols, et
cetera, thus focusing the rule set on the environment where it will be enforced. For
example, start with an include rule for all Exploit category attacks. Follow this with
multiple exclude rules that strip away protocols, applications, severities, et cetera,
that are rarely or never seen in a zone of your network.
Collaborative rule creation. The second method is collaboration: create multiple
include rules within one rule set, one for each category, OS, et cetera, combination that
needs to be detected. Every criterion in an include rule must be matched for an alert to be
triggered. For example, create the first rule in the set with the Exploit category, Unix
as the OS, Sendmail as the application, and SMTP as the protocol. Next, create
another include rule for Exploit, Windows 2000, WindMail, and so forth in the same
manner. Each include rule added broadens the scope of the detection.
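The following is an added illustration, not code from McAfee or the IntruShield Manager: a small model of how a rule set selects signatures from an attack catalog under the include/exclude semantics described above. The catalog entries, signature names and attribute values are constructed, and the rule sets show that the general-to-specific method and the collaborative method can arrive at the same enabled set by opposite routes.

```python
"""Constructed model of rule-set evaluation (hypothetical, not McAfee's code).

A signature is a record of the attributes the guide lists: category, os,
protocol, application, severity and benign-trigger probability (btp).
An include rule adds every catalog signature whose attributes match all of
the rule's criteria; an exclude rule removes matching signatures from what
earlier include rules selected.  Rules are applied in order, and a rule set
must begin with an include rule.
"""

from dataclasses import dataclass, field

# Constructed attack catalog: names and attribute values are hypothetical.
CATALOG = [
    {"name": "SIG-1", "category": "Exploit", "os": "Unix", "protocol": "SMTP",
     "application": "Sendmail", "severity": "High", "btp": "Low"},
    {"name": "SIG-2", "category": "Exploit", "os": "Windows 2000", "protocol": "SMTP",
     "application": "WindMail", "severity": "Medium", "btp": "Low"},
    {"name": "SIG-3", "category": "Exploit", "os": "Windows 2000", "protocol": "HTTP",
     "application": "HTTPD", "severity": "High", "btp": "Medium"},
    {"name": "SIG-4", "category": "Exploit", "os": "Unix", "protocol": "FTP",
     "application": "FTPD", "severity": "Low", "btp": "High"},
    {"name": "SIG-5", "category": "Reconnaissance", "os": "Unix", "protocol": "ICMP",
     "application": "None", "severity": "Low", "btp": "High"},
]


@dataclass
class Rule:
    action: str                                   # "include" or "exclude"
    criteria: dict = field(default_factory=dict)  # attribute -> required value

    def matches(self, sig):
        # Every criterion must match; an unspecified attribute matches anything.
        return all(sig.get(attr) == value for attr, value in self.criteria.items())


def evaluate(rule_set, catalog=CATALOG):
    """Return the sorted names of the signatures enabled by rule_set."""
    if not rule_set or rule_set[0].action != "include":
        raise ValueError("a rule set must start with an include rule")
    selected = []
    for rule in rule_set:
        if rule.action == "include":
            # Broaden: add matching signatures not already selected.
            for sig in catalog:
                if rule.matches(sig) and sig not in selected:
                    selected.append(sig)
        elif rule.action == "exclude":
            # Focus: strip matching signatures from the current selection.
            selected = [sig for sig in selected if not rule.matches(sig)]
        else:
            raise ValueError(f"unknown rule action: {rule.action!r}")
    return sorted(sig["name"] for sig in selected)


# Method 1: one broad include rule, then exclude what this zone never carries.
GENERAL_TO_SPECIFIC = [
    Rule("include", {"category": "Exploit"}),
    Rule("exclude", {"protocol": "FTP"}),
    Rule("exclude", {"os": "Windows 2000", "protocol": "HTTP"}),
]

# Method 2: one narrow include rule per combination that must be detected.
COLLABORATIVE = [
    Rule("include", {"category": "Exploit", "os": "Unix",
                     "application": "Sendmail", "protocol": "SMTP"}),
    Rule("include", {"category": "Exploit", "os": "Windows 2000",
                     "application": "WindMail", "protocol": "SMTP"}),
]


if __name__ == "__main__":
    print("general-to-specific:", evaluate(GENERAL_TO_SPECIFIC))
    print("collaborative:      ", evaluate(COLLABORATIVE))
```

Both rule sets enable SIG-1 and SIG-2 against this catalog. The practical difference is in maintenance: when a new Exploit signature for an unlisted application is added to the catalog, the general-to-specific set picks it up automatically (and may need a new exclude rule if it is noisy), while the collaborative set ignores it until an include rule is written for it.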
Port clustering on asymmetric networks
Port clustering, referred to as Interface Groups in the IntruShield Manager interface,
enables multiple ports on a single sensor to be grouped together for effective traffic
monitoring. It is a best practice to implement a port clustering configuration when
dealing with asymmetrically routed networks. Asymmetric networks are common in
load balancing and active/passive configurations, where a complete transmission may
arrive on one segment but depart on another. Thus, keeping state across asymmetric
transmissions is essential for successfully monitoring the traffic. Interface groups
normalize the impact of traffic flows split across multiple interfaces, maintaining
state so that no information is lost.
Once configured, an interface group appears in the System Configuration tool's
Resource Tree as a single interface node (icon) under the sensor where the ports are
located. All of the ports that make up the interface are configured as one logical entity,
keeping the configuration consistent.
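As an added illustration (constructed example, not McAfee's code or the sensor's actual state engine), the model below shows why the interface group matters on an asymmetric path. A TCP three-way handshake is captured with its forward packets on port 1A and its reverse packets on port 1B. A tracker that keeps state per physical port never sees a complete handshake on either port, so the data segment that follows cannot be inspected with full connection state; a tracker that keys state on the interface group sees the whole handshake. The packet list, port names and group name are hypothetical.

```python
"""Constructed model of connection tracking with and without an interface
group on an asymmetrically routed segment (hypothetical, not McAfee's code)."""

from collections import defaultdict

# Constructed capture: (interface, src, sport, dst, dport, flags).
# The client-to-server direction is routed over port 1A, the reply direction
# over port 1B, as on a load-balanced or active/passive path.
PACKETS = [
    ("1A", "10.0.0.5", 40000, "192.0.2.10", 80, "SYN"),
    ("1B", "192.0.2.10", 80, "10.0.0.5", 40000, "SYN-ACK"),
    ("1A", "10.0.0.5", 40000, "192.0.2.10", 80, "ACK"),
    ("1A", "10.0.0.5", 40000, "192.0.2.10", 80, "PSH-ACK"),  # first data segment
]

# Hypothetical interface group: both ports share one state domain.
INTERFACE_GROUPS = {"1A": "group-1A-1B", "1B": "group-1A-1B"}

# Handshake stages that must be seen in this order for a flow to be established.
HANDSHAKE = ["SYN", "SYN-ACK", "ACK"]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection map to one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def track(packets, scope):
    """Walk the capture keeping handshake state per (state domain, flow).

    scope(interface) names the state domain: the interface itself for per-port
    tracking, or the interface group name for grouped tracking.  Returns, per
    (domain, flow), whether the handshake completed and how many segments could
    not be placed in the expected handshake sequence.
    """
    progress = defaultdict(int)   # (domain, flow) -> handshake stages seen in order
    unmatched = defaultdict(int)  # (domain, flow) -> segments seen out of sequence
    for iface, src, sport, dst, dport, flags in packets:
        key = (scope(iface), flow_key(src, sport, dst, dport))
        stage = progress[key]
        if stage < len(HANDSHAKE):
            if flags == HANDSHAKE[stage]:
                progress[key] += 1
            else:
                # Mid-stream or out-of-sequence segment: the sensor has no
                # complete state for this flow in this domain.
                unmatched[key] += 1
        # Once all stages are seen the flow is established and data segments
        # are inspected with full state, so nothing further is recorded here.
    return {key: {"established": stage == len(HANDSHAKE), "unmatched": unmatched[key]}
            for key, stage in progress.items()}


def per_port(packets=PACKETS):
    """State kept separately on each physical port (no interface group)."""
    return track(packets, lambda iface: iface)


def grouped(packets=PACKETS, groups=INTERFACE_GROUPS):
    """State kept on the interface group that both ports belong to."""
    return track(packets, lambda iface: groups[iface])


if __name__ == "__main__":
    for label, report in (("per port", per_port()), ("interface group", grouped())):
        print(label)
        for (domain, flow), result in report.items():
            print(f"  {domain}: established={result['established']} "
                  f"unmatched={result['unmatched']}")
```

When run, the per-port report shows port 1A with an unfinished handshake and two unplaced segments (the ACK and the data), and port 1B with a SYN-ACK it cannot attach to any SYN; the grouped report shows one established flow with nothing unplaced. That is the information loss the interface group prevents.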
Note
See Chapter 7 of the Manager Administrator’s Guide for more details about rule
set creation.