Deployment Scenario For Intermediate Users; Deployment Scenario For Advanced Users - McAfee M-1250 - Network Security Platform Deployment Manual

Deployment guide

McAfee® Network Security Platform 6.0

Deployment scenario for intermediate users

The pre-configured policies have an umbrella effect—you're protected from all attacks
defined in the policy. This enables you to get up and running quickly, but it also may
protect you against attacks you do not care about. For example, if you have an entirely
Solaris environment, you may not care if someone is initiating IIS attacks against the
network, because these attacks are irrelevant to you. Some administrators prefer to see all
network activity, including unsuccessful attacks, to get a complete picture of what is
occurring on the network. Others want to reduce the "noise" generated by irrelevant
attacks. Tuning your policies to delete attacks that do not apply to your environment
reduces the number of unimportant alerts generated by your Sensors.
To tune your deployment, you might do the following:

Deployment scenario for advanced users

An advanced deployment of Network Security Platform utilizes more of Network Security
Platform's features to best tune your system. Once you are more familiar with Network
Security Platform, you might do the following:
Configure the Sensor and add it to the Manager as described in Configuration Guide.
On the Manager, check the Sensor's port configuration to be sure that it matches the way you have deployed the Sensor. Make changes as necessary.
Download and apply the latest Sensor software and signature file from the Update Server.
Send all configuration changes to the Sensor.
If you want, set up alert notification to email or pager by attack severity.
Using the Report Generator and the Threat Analyzer, examine the resulting alerts for patterns, to help you tune your policies.
Back up your data.
Try a more advanced deployment mode. If you were running in SPAN mode, you may choose to try another deployment mode, such as tap mode.
Take advantage of the Sensor's ability to apply multiple policies to multiple interfaces. Instead of applying a single policy to the entire Sensor, you may try applying different policies to dedicated interfaces of the Sensor. You can go a step further and segment your traffic into VLAN tags or CIDR blocks, create sub-interfaces, and apply policies to the Sensor's sub-interfaces.
Tune your policies. Pick the policy that best matches your needs and clone the policy (or create a policy from scratch). Then remove any irrelevant attacks, add any additional attacks, and configure appropriate response actions to respond to detected attacks.
Generate reports and view alerts. Look at the data generated by the system to help you further tune your policies, and if necessary, implement more granular monitoring or delegation of monitoring activities to others.
Try running in in-line mode. In-line mode enables you to drop malicious traffic and thus prevent attacks from ever reaching their targets.
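
The tuning steps above (examine alerts for patterns, then remove irrelevant attacks from a cloned policy) can be rehearsed offline before any policy is changed. The Python below is an added example, not McAfee code and not part of the original manual; the CSV columns, attack names, addresses, inventory and function names are all constructed assumptions, not the export format of the Report Generator or Threat Analyzer. It marks an attack as a removal candidate only when every alert for it hit a known host that cannot be affected, and sends alerts against hosts missing from the inventory to review.

```python
import csv
import io
from collections import defaultdict

# Constructed alert export. The column names are assumptions for this example,
# not the format produced by the Report Generator or Threat Analyzer.
SAMPLE_ALERTS = """attack,targets,dest_ip
IIS-Unicode-Traversal,iis,10.0.1.5
IIS-Unicode-Traversal,iis,10.0.1.6
IIS-Unicode-Traversal,iis,10.0.1.5
Solaris-Telnetd-Overflow,solaris,10.0.1.5
SSH-Brute-Force,any,10.0.1.6
MSSQL-Slammer,mssql,10.0.1.6
MSSQL-Slammer,mssql,10.0.9.9
"""

# Constructed asset inventory: what actually runs on each monitored address.
INVENTORY = {"10.0.1.5": {"solaris"}, "10.0.1.6": {"solaris"}}

def classify(alert, inventory):
    """Return 'relevant', 'irrelevant' or 'review' for one alert row."""
    platforms = inventory.get(alert["dest_ip"])
    if platforms is None:
        return "review"  # host missing from inventory: do not assume it is safe
    if alert["targets"] == "any" or alert["targets"] in platforms:
        return "relevant"
    return "irrelevant"

def tuning_report(alert_csv, inventory):
    """Group alerts by attack. An attack is a removal candidate only when
    every one of its alerts hit a known host that it cannot affect."""
    verdicts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(alert_csv)):
        verdicts[row["attack"]][classify(row, inventory)] += 1
    report = {}
    for attack, counts in verdicts.items():
        if counts["relevant"]:
            decision = "keep"
        elif counts["review"]:
            decision = "review"
        else:
            decision = "remove-candidate"
        report[attack] = (decision, sum(counts.values()))
    return report

if __name__ == "__main__":
    rows = sorted(tuning_report(SAMPLE_ALERTS, INVENTORY).items(), key=lambda kv: -kv[1][1])
    for attack, (decision, total) in rows:
        print(f"{total:3d}  {decision:16s} {attack}")
```

The output is a work list for editing the cloned policy by hand in the Manager; administrators who prefer to see all network activity can use the same counts without removing anything.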