McAfee GUARD DOG 2 Installation Guide, page 8

McAfee® IntruShield® IPS System - IntruShield Best Practices
Special Topics: Best Practices - Facilitating troubleshooting

Alert Traffic - if “chatty” policies are deployed on the sensors, there is potential to starve ISM resources as the resulting alerts are passed to the Manager. The more sensors with high-volume alerting, the more data you will have to sift through as you tune your policies.

Start up load on the Manager - When the ISM starts, establishing connections with all sensors can be time consuming, as sensors continue to collect alerts while communication with the Manager is lost, and each sensor must then pass its alert data to the Manager when connectivity is re-established.

Concurrent processes - Be aware of the time periods in which your scheduled processes (such as database backup or report generation) occur, and try not to attempt other tasks during that time period, as this can lead to process locking. This includes having many users logged into the system simultaneously.

Staging sensors prior to deployment

With large or very large deployments, and/or if you are planning to release sensors to various geographical regions or difficult-to-reach locations, you may want to consider staging your sensors before you release them to their final destination. For example, use a Manager in a lab environment to push sensor software to the sensor, bring up the sensor to establish that it is working to your satisfaction, and then box the configured sensor and send it to its final destination. Or you might use the TFTP feature to load the sensor image at one location before shipping the sensor to another.

Deploying sensors in phases

Most IntruShield customers begin their deployment in their lab environment, where they test the sensor functionality, familiarize themselves with the Manager, and create an initial policy. Once they are comfortable with the product, they deploy the sensor into a live environment. The first sensor is always the slowest one to be deployed. McAfee provides a few recommendations for this process:

Spend time creating effective policies before you deploy. Having more data available makes the tuning process easier, but policies like the IntruShield-provided All-Inclusive policy can overwhelm you with data if every sensor in a large deployment is running it without any customization.

Stagger your sensor deployment in phases. As each new batch of sensors provides you with more data points, you can tune your policies more effectively and become more aggressive in the number of sensors you deploy in the next phase.

Facilitating troubleshooting

When an in-line device experiences problems, one instinct is to physically pull it out of the path: to disconnect the cables and let traffic flow unimpeded while the device is examined elsewhere. McAfee recommends you first try the following techniques to troubleshoot a sensor issue:

All sensors have a Layer2 Passthru feature. If you feel your sensor is causing network disruption, issue the following command before you remove it from the network:

    layer2 mode assert