FAQ - Multiple-Instance Policies - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5
Configuring IPS Policies
Define IPS protection
FAQ — Multiple-instance policies
Host Intrusion Prevention offers two multiple-instance policies: IPS Rules and Trusted
Applications. These policies allow more than one policy to be applied concurrently to a
single client. All other policies are single-instance policies.
The McAfee Default versions of these policies are updated automatically each time Host Intrusion
Prevention security content is updated. For this reason, these policies must always remain assigned
to clients so that security content updates take effect. When more than one instance is
applied, the result is the union of all the instances, called the effective policy.
How can I use multi-slot policy assignment to streamline my deployment?
First, define groups of users for the deployment that have an essential property in common
that dictates what resources need to be protected and what resources need exceptions to work
properly. This property could be based on:
• Department — Each department should require protection of a unique set of resources and
exceptions for a unique set of business activities.
• Location — Each location may have its own unique security standards or unique set of
resources that need to be protected, and exceptions required for business activity.
• Computer type — Each type of computer (laptops, workstations, servers) might have a
unique set of applications that need to be protected but must also be allowed to perform essential
business functions.
Next, protect resources and create exceptions and trusted applications for each group. You can
use adaptive mode to determine which resources to protect or trust for a given group. After
this, create instances of IPS Rules and Trusted Applications policies for each group of users
(one IPS Rules policy for a particular department, one for a particular location, and one for a
particular computer type), then apply the appropriate instance. Without a multiple-instance IPS
Rules policy, a combination of three departments, three locations, and three computer types
would require 27 policies; with the multiple-instance approach, only nine are needed.
But rules in different assigned policies contradict each other! How is the effective policy calculated?
It is possible that a rule in one instance has settings that contradict those for the same rule in
another policy instance. Host IPS applies fixed precedence rules to resolve these conflicts when it
builds the effective policy.
For IPS Rules:
• The effective severity for a signature is the highest customized severity. The precedence is:
High, Medium, Low, Information, Disabled. If the severity is not customized, the default
value is applied.
• The effective log status for a signature is the customized log status. If customized in two or
more applied IPS Rules policies, enabled customized log status takes precedence over
disabled. If the log status is not customized, the default value is applied.
• The effective client rules setting for a signature is the customized setting. If it is customized in
two or more assigned IPS Rules policies, an enabled customized client rules setting takes precedence
over a disabled one. If the client rules setting is not customized, the default value is applied.
• The effective set of exceptions is the union of all applied exceptions.
For Trusted Applications:
• The effective set of Trusted Applications is the union of all Trusted Applications.
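The precedence rules above, expressed as an added Python model of the effective-policy calculation. This is illustrative code, not McAfee's implementation; the signature IDs, default settings, exception names and the three policy instances are constructed for the example.

```python
# Added model of Host IPS effective-policy calculation (illustrative, not McAfee code).
# Each IPS Rules instance carries only the signature settings it customizes plus
# its exception list; settings no instance customizes fall back to the defaults.

SEVERITY_ORDER = ["Disabled", "Information", "Low", "Medium", "High"]  # lowest first

# Constructed default signature settings; the IDs are placeholders, not real signatures.
DEFAULTS = {
    "sig-1001": {"severity": "Medium", "log": True, "client_rules": False},
    "sig-1002": {"severity": "Low", "log": False, "client_rules": False},
    "sig-1003": {"severity": "High", "log": True, "client_rules": True},
}

def effective_ips_rules(defaults, instances):
    """Combine assigned IPS Rules instances into the effective signature settings
    and the effective exception set, following the precedence rules in the guide."""
    effective = {}
    for sig_id, default in defaults.items():
        custom = [inst["signatures"].get(sig_id, {}) for inst in instances]
        severities = [c["severity"] for c in custom if "severity" in c]
        logs = [c["log"] for c in custom if "log" in c]
        client_rules = [c["client_rules"] for c in custom if "client_rules" in c]
        # highest customized severity wins; default if no instance customized it
        severity = max(severities, key=SEVERITY_ORDER.index) if severities else default["severity"]
        effective[sig_id] = {
            "severity": severity,
            # enabled beats disabled when two or more instances customize the flag
            "log": any(logs) if logs else default["log"],
            "client_rules": any(client_rules) if client_rules else default["client_rules"],
        }
    # exceptions are a plain union across every assigned instance
    exceptions = set().union(*(set(inst["exceptions"]) for inst in instances))
    return effective, exceptions

def effective_trusted_apps(instances):
    """Trusted Applications instances merge by union."""
    return set().union(*(set(i) for i in instances))

# Constructed instances for one department, one location and one computer type.
DEPT = {"signatures": {"sig-1001": {"severity": "High", "log": False},
                       "sig-1002": {"client_rules": True}},
        "exceptions": ["allow-payroll-app"]}
LOCATION = {"signatures": {"sig-1001": {"severity": "Low", "log": True},
                           "sig-1003": {"severity": "Disabled"}},
            "exceptions": ["allow-site-backup"]}
LAPTOP = {"signatures": {"sig-1002": {"severity": "Information"}},
          "exceptions": ["allow-payroll-app", "allow-vpn-client"]}
```

Calling `effective_ips_rules(DEFAULTS, [DEPT, LOCATION, LAPTOP])` yields High severity with logging enabled for sig-1001, because High outranks Low and the enabled log status from the location instance beats the disabled one from the department instance.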
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5