User guide
Chapter 7: Configuring Responses
About Responses
Introduction
Your response policy controls how the appliance responds when it detects intrusions or
other important events. You create responses and then apply them to events as necessary.
You can configure the following response types:
● Email. Send email alerts to an individual address or email group.
● Log Evidence. Log alert information to a saved file.
● Quarantine. Quarantine the attack.
● SNMP. Send SNMP traps to a consolidated SNMP server.
● User Specified. Process alerts using your custom programs or scripts.
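A worked example of the User Specified response type listed above, added here and not part of this guide or of ISS's software. The page does not say how the appliance hands alert data to a custom script, so this example assumes one alert arrives as a JSON object on standard input with the field names used in the code; the per-mode outcomes are taken from the Block response table on this page. The handler validates the alert before doing anything with it, always appends a structured evidence line, and notifies only at or above a severity threshold, so a malformed alert never triggers a response.

```python
"""Hypothetical User Specified response handler (added example, not ISS code).

ASSUMPTION: the appliance passes one alert to this script as a JSON object on
stdin with the keys in REQUIRED_FIELDS. The real invocation interface is not
described on this page; adapt parse_alert() to whatever the appliance provides.
"""
import json
import sys
from datetime import datetime, timezone
from typing import Optional

REQUIRED_FIELDS = ("event_name", "severity", "source_ip", "dest_ip", "mode")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Block-response behaviour per appliance mode, as stated in the guide's table.
BLOCK_OUTCOME = {
    "Passive Monitoring": "traditional block (TCP reset)",
    "Inline Simulation": "alert only, not blocked",
    "Inline Protection": "packets dropped, TCP reset",
}


def parse_alert(raw: str) -> dict:
    """Validate one alert record; reject anything malformed rather than act on it."""
    alert = json.loads(raw)
    if not isinstance(alert, dict):
        raise ValueError("alert must be a JSON object")
    missing = [k for k in REQUIRED_FIELDS if k not in alert]
    if missing:
        raise ValueError(f"alert missing fields: {missing}")
    if alert["severity"] not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {alert['severity']!r}")
    if alert["mode"] not in BLOCK_OUTCOME:
        raise ValueError(f"unknown appliance mode: {alert['mode']!r}")
    return alert


def decide(alert: dict, notify_at: str = "medium") -> dict:
    """Choose responses: always log evidence, notify at or above a severity threshold."""
    notify = SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[notify_at]
    return {
        "log_evidence": True,
        "notify": notify,
        "block_outcome": BLOCK_OUTCOME[alert["mode"]],
    }


def evidence_line(alert: dict, decision: dict, now: Optional[datetime] = None) -> str:
    """One JSON line per alert: append-only, timestamped, machine-parseable."""
    now = now or datetime.now(timezone.utc)
    record = {
        "ts": now.isoformat(),
        "event": alert["event_name"],
        "severity": alert["severity"],
        "src": alert["source_ip"],
        "dst": alert["dest_ip"],
        "mode": alert["mode"],
        "decision": decision,
    }
    return json.dumps(record, sort_keys=True)


def handle(raw: str, evidence_path: str, notify_at: str = "medium") -> dict:
    """Full pipeline for one alert; returns the decision so the caller can act on it."""
    alert = parse_alert(raw)
    decision = decide(alert, notify_at)
    with open(evidence_path, "a", encoding="utf-8") as fh:
        fh.write(evidence_line(alert, decision) + "\n")
    return decision


if __name__ == "__main__":
    # Constructed sample alert, used when nothing is piped in.
    SAMPLE = json.dumps({
        "event_name": "Example_Signature",
        "severity": "high",
        "source_ip": "192.0.2.10",
        "dest_ip": "192.0.2.20",
        "mode": "Inline Simulation",
    })
    raw_input_data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(handle(raw_input_data, "evidence.jsonl"))
```

Whatever the real hand-off format turns out to be, the two design points carry over: a custom response should refuse to act on alerts it cannot fully validate, and it should write its own evidence record before notifying anyone, so the notification can be reconciled against the log later.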
Block response
The Block response is a default response that blocks attacks by dropping packets and
sending resets to TCP connections. The Block response differs depending on the
appliance's operation mode, as follows:

Table 29: Appliance modes and the Block response

In this mode...        The appliance...
Passive Monitoring     Responds to intrusions with a traditional block response.
Inline Simulation      Monitors network traffic and generates alerts but does not block the
                       offending traffic.
Inline Protection      Blocks attacks by dropping packets and sending resets to TCP
                       connections.

The appliance mode is set when the appliance is installed. For more information, see
“Managing Network Adapter Cards” on page 125.

Ignore response
You can set the Ignore response for security events, which tells the appliance to disregard
packets that match criteria specified within an event. You can also set this response
through response filters. If you select this response when you create response filters or
security events, the appliance does not act when it detects the matching packets.
Use the Ignore response only to filter security events that do not threaten the network. For
more information, see “Configuring Response Filters” on page 86.

Response objects in SiteProtector
If you are managing the appliance through SiteProtector and you want to configure
responses for events, select Response Objects. Response objects enable you to centralize
data. If the data changes, you can modify the response object instead of each instance of
the data.
Note: If you are using SiteProtector to manage the appliance, ISS recommends that you
use Central Responses to create event responses. See “Configuring Central Responses” in
the SiteProtector Help for more information.