Policy Best Practices

When creating and deploying policies, CA recommends the following best practices:

• Policy Creation
  • Use the test harness utility outlined in the Learning Mode section of this document on a sample client computer to collect applications for the White list and to detect what TCP/IP ports and other resources are used in your environment. The most typical use of the Learning Mode utility is to collect company specific applications into a White list.

    For information on Learning Mode, see the Learning Mode Tasks chapter of this document.

  • There are baseline policies and add-on policies provided with HIPS. Initially deploy the built-in baseline policies to provide protection while creating your specific policies. Next, add on custom policies that handles a few specific exceptions to the generic baseline policies before creating a full policy specific to your needs.

    For information on the Default Policies and Policy File Types, see the Default Policies and Policy File Types section of the CA Host-Based Intrusion Prevention System Administrator Guide.

  • The built-in rule sets used in the default policies are read only. You can, however, modify some common objects that are referenced in these rules. For example:
    • If you use the OS System Security - Base rule set, prevent an application from running by assigning that application to the Black List application group in the Application Repository.
    • If you use the Firewall - Restricted rule set, modify the Intranet IP address object referenced in the NetworkClients application group to define your company LAN layout.
    • If you use the OS System Security - Base rule set, edit the ReadOnly Files and Hidden Protected Files file objects to achieve file access prevention for applications outside the defined White List.

      For more information on modifying common objects, see the Common Objects chapter of the CA Host-Based Intrusion Prevention System Administrator Guide.

  • Examine the 100 Unknown Applications Report to see what applications were found in your environment that are not present in your application repository or in the Known Applications database. If you wish to allow these applications, enroll the applications using the "Add Unknown Applications" button found in the Application Repository page.

    For information on the various reports, see the Report Tasks chapter of the CA Host-Based Intrusion Prevention System Administrator Guide. For information on the Application Repository Page, see the Application Repository section of the CA Host-Based Intrusion Prevention System Administrator Guide.

  • Do not use the (High) Restricted Policy unless you have properly defined your application White List.

    For information on the Default Policies and Policy File Types, see the Default Policies and Policy File Types section of the CA Host-Based Intrusion Prevention System Administrator Guide.

    For information on defining your application white list, see the Learning Mode Tasks chapter of this document.

  • After creating your rules, check the order the rules are applied on your clients. You do not want your rules to overwrite or block each other. To check the order, use the rule filter's auto sorting feature in HIPS.

    For more information on filtering the rules, see the Rule Filters section of the CA Host-Based Intrusion Prevention System Administrator Guide.

• Policy Deployment
  • First deploy the Monitor only policy after running the test harness utility to confirm your clients can communicate properly on and off the network. Make sure that the client has the ability to operate normally with your network resources. This would include, but not be limited to, VPN clients, dial up connections, web connections, locate network resources, and such.

    For information on deploying a policy, see the Deploy Policies section of the CA Host-Based Intrusion Prevention System Administrator Guide.

    For information on the Default Policies and Policy File Types, see the Default Policies and Policy File Types section of the CA Host-Based Intrusion Prevention System Administrator Guide.

    For information on the test harness utility, see the Learning Mode Tasks chapter of this document.

  • Deploy your HIPS policies to a smaller scale test group before an extensive roll-out to your full user population. Use this testing to ensure that the desired applications in use and policies deployed are well characterized and not overly restrictive, minimizing the possibility of adversely affecting your users.
  • Back up your previous policy before deploying the new policy. If you find that the new policy does not work well, you can revert to the older policy while correcting the new policy.

    For information on backing up HIPS server information, see the Import, Export, Backup or Restore CA HIPS Server Policies section of the CA Host-Based Intrusion Prevention System Administrator Guide.

  • If you plan to use the (High) Restricted Policy, first use the Monitor Policy and review the details in the Event Viewer. If there are no problems, deploy the (High) Restricted Policy. The rules of these two policies are the same with the only difference being the option Allow/Monitor or Prevent/Monitor.
  • Use caution when deploying restrictive policies. A restrictive policy can hinder your end user from performing their day to day job. For example, if you are not careful, a restrictive HIPS policy can prevent a client from:
    • Accessing the corporate network through the approved VPN client while working remote
    • Attaching to a wireless network either at home or while traveling
    • Use of approved corporate applications
    • Access to the corporate webmail
    • Logging into their local workstation

      You may want to use the Policy Creation Wizard to create and deploy the monitor only policy or when deploying for a small scale test. For information on the Policy Creation Wizard, see the Policy Creation Wizard section of the CA Host-Based Intrusion Prevention System Administrator Guide.