Chapter 6 Configure Policies; Tune Your Policies - McAfee M-1250 - Network Security Platform Manual

Chapter 6 Configure policies

Your policy determines what traffic analysis your McAfee® Network Security Sensor (Sensor) will perform. McAfee® Network Security Platform provides a number of policy templates to get you started toward your ultimate goal: prevent attacks from damaging your network, and limit the alerts displayed in the Threat Analyzer to those which are valid and useful for your analysis.

There are two stages to this process: initial policy configuration and policy tuning. Policy tuning has a reputation for being tedious, and because networks and attacks constantly evolve, it is never truly complete. Think of it like disk defragmentation: the more often you do it, the less time each pass takes. The goal of policy tuning is to eliminate false positives and noise and to avoid overwhelming quantities of legitimate, but anticipated, alerts.

Tune your policies

The default McAfee Network Security Platform policy templates are provided as a generic starting point; you will want to customize one of them for your needs. The first step in tuning is therefore to clone the policy that best fits your network and your goals, and then customize the clone. (You can also edit a default policy directly.) This process is involved and is discussed in detail in the IPS Configuration Guide. Some things to remember when tuning your policies:

- We ask that you set your expectations appropriately regarding the elimination of false positives and noise. A proper Network Security Platform implementation includes multiple tuning phases. False positives and excess noise are routine for the first 3 to 4 weeks; once the policy is properly tuned, they become a rare occurrence.
- When initially deployed, Network Security Platform frequently exposes unexpected conditions in the existing network and application configuration. What at first looks like a false positive may actually be the manifestation of a misconfigured router or Web application, for example.
- Before you begin, know your network topology and the hosts in your network, so you can enable the policy to detect the correct set of attacks for your environment.
- Take steps to reduce false positives and noise from the start. If you allow a large number of "noisy" alerts to keep firing on a very busy network, parsing and pruning the alert database quickly becomes cumbersome. It is preferable for everyone involved to put energy into preventing false positives rather than into working around them. One method is to disable all attacks that obviously do not apply to the hosts you protect; for example, if you run only Apache Web servers, you may wish to disable IIS-related attacks.
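The last two points above form a small procedure: know which hosts and applications sit behind the Sensor, disable attacks that cannot apply to them, and then treat persistent alerts as either noise to prune or a misconfiguration to investigate. The script below is an added example, not McAfee code and not an interface to the Manager or the Sensor: it works on a constructed host inventory, a hypothetical signature catalogue whose names are invented for the example, and a constructed alert export, and returns the list of signatures to disable plus a triage of each noisy signature.

```python
"""Inventory-driven IPS policy pruning.

Added illustration for the tuning advice on this page; it is not McAfee
Network Security Platform code and does not touch the Manager or Sensor.
Host data, signature names and alert lines are all constructed for the
example.
"""
from collections import defaultdict

# Constructed inventory of the hosts the Sensor protects.
INVENTORY = {
    "10.0.1.10": {"os": "linux", "apps": {"apache"}},
    "10.0.1.11": {"os": "linux", "apps": {"apache", "openssh"}},
    "10.0.2.20": {"os": "windows", "apps": {"mssql"}},
}

# Constructed signature catalogue. Names are hypothetical; each entry
# records the OS and application the attack applies to (None = any).
SIGNATURES = [
    {"id": "HTTP:IIS:UNICODE-TRAVERSAL", "os": "windows", "app": "iis"},
    {"id": "HTTP:APACHE:MOD-STATUS-LEAK", "os": "linux", "app": "apache"},
    {"id": "SSH:BRUTE-FORCE", "os": None, "app": "openssh"},
    {"id": "MSSQL:RESOLUTION-OVERFLOW", "os": "windows", "app": "mssql"},
    {"id": "SMTP:SENDMAIL:HEADER-OVERFLOW", "os": None, "app": "sendmail"},
    {"id": "TCP:PORT-SCAN", "os": None, "app": None},
]

# Constructed alert export, one alert per line:
# "<timestamp> <signature> <source> -> <destination>"
ALERTS = """\
2024-03-01T09:00:01 HTTP:IIS:UNICODE-TRAVERSAL 198.51.100.7 -> 10.0.1.10
2024-03-01T09:00:02 HTTP:IIS:UNICODE-TRAVERSAL 198.51.100.7 -> 10.0.1.11
2024-03-01T09:00:03 HTTP:IIS:UNICODE-TRAVERSAL 198.51.100.9 -> 10.0.1.10
2024-03-01T09:00:04 HTTP:APACHE:MOD-STATUS-LEAK 203.0.113.4 -> 10.0.1.10
2024-03-01T09:00:05 HTTP:APACHE:MOD-STATUS-LEAK 203.0.113.4 -> 10.0.1.10
2024-03-01T09:00:06 TCP:PORT-SCAN 198.51.100.7 -> 10.0.2.20
"""


def host_matches(sig, host):
    """True if this host runs what the signature targets."""
    if sig["os"] is not None and host["os"] != sig["os"]:
        return False
    return sig["app"] is None or sig["app"] in host["apps"]


def is_applicable(sig, inventory):
    """A signature stays enabled if any protected host matches it."""
    return any(host_matches(sig, h) for h in inventory.values())


def prune_policy(signatures, inventory):
    """Split the catalogue into signature IDs to keep and to disable."""
    keep = sorted(s["id"] for s in signatures if is_applicable(s, inventory))
    disable = sorted(s["id"] for s in signatures if not is_applicable(s, inventory))
    return keep, disable


def parse_alert(line):
    """Split one constructed alert line into its fields."""
    ts, sig_id, src, _arrow, dst = line.split()
    return ts, sig_id, src, dst


def triage_noise(alert_text, signatures, inventory):
    """Count alerts per signature and decide what to do with each group.

    A signature that fires only against hosts it cannot affect is a
    candidate for disabling. One that fires against a host that really
    runs the targeted software is flagged to investigate: as the page
    notes, it may be a misconfigured service rather than a false positive.
    """
    by_id = {s["id"]: s for s in signatures}
    counts = defaultdict(int)
    hits_real_target = defaultdict(bool)
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        _ts, sig_id, _src, dst = parse_alert(line)
        counts[sig_id] += 1
        host = inventory.get(dst)
        if host is not None and host_matches(by_id[sig_id], host):
            hits_real_target[sig_id] = True
    report = {}
    for sig_id, n in counts.items():
        verdict = "investigate" if hits_real_target[sig_id] else "disable candidate"
        report[sig_id] = {"count": n, "verdict": verdict}
    return report


if __name__ == "__main__":
    keep, disable = prune_policy(SIGNATURES, INVENTORY)
    print("disable up front:", disable)
    for sig_id, info in triage_noise(ALERTS, SIGNATURES, INVENTORY).items():
        print(f"{sig_id}: {info['count']} alerts -> {info['verdict']}")
```

The inventory step is what makes the pruning safe: the IIS signature is disabled because no protected host is a Windows machine running IIS, while the Apache alerts against 10.0.1.10 are left enabled and marked for investigation, since that host does run Apache and repeated hits there may be a real misconfiguration rather than noise.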