Intel Security SNS ProTip for Host IPS: Host IPS Effective Policy precedence

When creating IPS policies for the HIPS product, the HIPS “IPS Rules” and “Trusted Applications” policies use multi-slot policy assignments. A multi-slot assignment combines two or more policies (one of which should be “McAfee Default”, plus any custom policies) into a single “effective policy”. When this “effective policy” is applied to systems, an order of precedence decides which setting wins where rules conflict.

Please refer to page 38 of the HIPS 8.0 Product Guide PD22894 (https://kc.mcafee.com/corporate/index?page=content&id=PD22894) for details about how an “effective policy” is described.
For more resources, visit the ServicePortal and search for related content. Also, visit the HIPS Community at (https://community.mcafee.com/community/business/system/hip).

SNS ProTips help you maximize your protection with troubleshooting, best practices, how-to tips, and links to Knowledge Center resources. To unsubscribe from ProTips or change your SNS settings, visit the SNS Subscription Center.

Comments
theglot

How about this:

The reason you might want to apply multi-slot, also known as nested, policies is so that you can apply signatures and/or exceptions to specific hosts or endpoints providing certain services or functions. For example, you might not want to allow workstations to provide services such as web or file shares. You might not want to create custom IPS rules that only apply to certain types of endpoints such as workstations, laptops, and/or servers. When you do exceptions, you might be OK with creating an exception that is a false positive on a SQL Server, but not be OK with the same exception on a workstation or DC. You have to have the McAfee Default because when a new update to IPS Signatures is published/released, it is pushed via the McAfee Default; if you don't include it in the multi-slot policy, then you won't get the updates.

Last lesson learned: when you change the level of an IPS signature, it makes that signature a custom signature, and the order applied to multi-slot policies is the highest level of custom signatures first. So, say you change a High to a Low or disable it in your second IPS Signature policy. If, say, Signature 3805 on the McAfee Default is OFF, but your policy has it as a High, and a third policy as a Medium, then when you view the effective policy, Signature 3805 would be a High.

If the McAfee Default is High for a signature, and on your IPS Signature policy you have it as disabled, then the effective policy would be disabled.

Just my 2 cents.
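The precedence the comment describes, written out as an added example (this is not McAfee's code and not the product's documented algorithm; it models the commenter's rules): a level in a custom policy counts as "custom" only where it differs from McAfee Default, the highest custom level wins, and an assignment without McAfee Default is rejected because signature updates arrive through it. Signature 3805 is the one from the comment; 9001 and 9002 are constructed ids, and "unlisted means Disabled" is an assumption.

```python
"""Model of effective-policy precedence for multi-slot HIPS IPS Rules
assignments, as described in the comment above (assumption: this mirrors
the commenter's rules, not the product's own merge algorithm)."""
from typing import Dict, List, Tuple

LEVELS = ["Disabled", "Low", "Medium", "High"]   # ascending precedence
RANK = {name: i for i, name in enumerate(LEVELS)}
DEFAULT_NAME = "McAfee Default"

Policy = Dict[int, str]                  # signature id -> level
Assignment = List[Tuple[str, Policy]]    # ordered (policy name, policy) slots


def effective_level(sig: int, default: Policy, customs: List[Policy]) -> str:
    """Effective level of one signature across all slots."""
    base = default.get(sig, "Disabled")  # assumption: unlisted means Disabled
    # Only a level that differs from McAfee Default is a "custom" setting.
    custom = [p[sig] for p in customs if sig in p and p[sig] != base]
    return max(custom, key=RANK.__getitem__) if custom else base


def effective_policy(assignment: Assignment) -> Policy:
    """Merge every slot; refuse an assignment that omits McAfee Default,
    since new signature content is delivered through that policy."""
    named = dict(assignment)
    if DEFAULT_NAME not in named:
        raise ValueError("multi-slot assignment must include McAfee Default")
    default = named[DEFAULT_NAME]
    customs = [p for name, p in assignment if name != DEFAULT_NAME]
    ids = sorted(set(default).union(*customs))
    return {sig: effective_level(sig, default, customs) for sig in ids}


# Constructed sample slots: 3805 is the signature the comment discusses,
# 9001 and 9002 are made-up ids used only for illustration.
SAMPLE_ASSIGNMENT: Assignment = [
    (DEFAULT_NAME,     {3805: "Disabled", 9001: "High",     9002: "High"}),
    ("Servers custom", {3805: "High",     9001: "Disabled", 9002: "High"}),
    ("Second custom",  {3805: "Medium",                     9002: "Medium"}),
]

if __name__ == "__main__":
    for sig, level in effective_policy(SAMPLE_ASSIGNMENT).items():
        print(f"signature {sig}: effective {level}")
```

Signature 9002 shows the subtle case: "Servers custom" leaves it at the default High, so that slot is ignored and the second policy's Medium becomes the effective level.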

Version history: Revision 1 of 1, last updated 07-09-2015 07:30 AM.