Best practices regarding Intrusion Prevention System technology
|Article:TECH95347|||||Created: 2009-01-03|||||Updated: 2012-09-27|||||Article URL http://www.symantec.com/docs/TECH95347|
You have Symantec Endpoint Protection. You need to know whether you should enable Intrusion Prevention System (IPS).
Note: To quickly check if the system in question is configured according to this best practice, download and run SymHelp.
Intrusion Prevention System technology significantly increases the level of protection that Symantec Endpoint Security gives to your network. You should always have IPS enabled on your network.
What does Intrusion Prevention do that Antivirus protection does not?
Antivirus technology is strong, effective technology that protects your computer from files that are on the hard drive. Intrusion Prevention System technology is strong, effective technology that prevents malicious files from getting to your hard drive in the first place.
Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.
For example, the Downadup/Conficker worm uses a known vulnerability, the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, to spread to unpatched computers. When the worm was released, antivirus technology could not stop the infection until virus definitions were written for the file. Since IPS already had signatures for the RPC Handling vulnerability, however, computers running IPS were protected before the worm was ever released.
IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.
IPS and servers
IPS is fully compatible with Windows server operating systems. For more information on the limitations of IPS on high availability/high bandwidth SEPMs, see Best Practices for employing Intrusion Prevention System (IPS) to high-availability/high bandwidth servers.
Note: Proactive Threat Protection is not the same thing as IPS. SEP 11.X Proactive Threat Protection is not compatible with server operating systems.
IPS and client firewall
In Symantec Endpoint Protection 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.
In order to enable IPS in Symantec Endpoint Protection 11.x, you must have the client firewall portion of Symantec Endpoint Protection installed and running. This can seem like a problem if you want to run IPS but do not want to use the firewall. To work around this, withdraw the firewall policy. This ensures that IPS is enabled and protecting your network without forcing you to use the client firewall.
To withdraw the firewall policy
- In the console, click Policies.
- On the Policies page, under View Policies, click Firewall Policies.
- In the Firewall Policies pane, click the specific policy that you want to withdraw.
- On the Policies page, under Tasks, click Withdraw the Policy.
- In the Withdraw Policy dialog box, check the groups and locations from which you want to withdraw the policy.
- Click Withdraw.
- When you are prompted to confirm the withdrawal of the policy from the groups and locations, click Yes.
Installing IPS on your network
If you do not have IPS installed on the clients on your network, you can use Symantec Endpoint Protection Manager to add the feature to managed clients, or use Add or Remove Programs to add IPS to unmanaged clients. For instructions, read the document How to add or remove features to existing Symantec Endpoint Protection client installations.
Article URL http://www.symantec.com/docs/TECH95347