
Introduction

In This Section:

Choosing IPS Protections

Overview of the Tuning Process

IPS is not a “set and forget” solution. To maximize your network’s security and performance, configure it to fit the unique traffic of your organization. Both the threat landscape and your network change constantly, so IPS must be tuned and maintained on an ongoing basis. Check Point recommends that you keep the gateway on the latest IPS update; the update process can be scheduled for a specific date and time.

The goal of this guide is to assist you in the initial and ongoing tuning of your IPS Software Blade.

Choosing IPS Protections

The IPS tuning best practices are based on knowledge from Check Point’s ThreatCloud Managed Security Service, which continuously monitors and manages hundreds of IPS gateways for Check Point customers.

When you tune IPS, you must decide which protections to enable and, for each enabled protection, whether it runs in Prevent or Detect mode. Because network environments and the threat landscape are dynamic, the IPS security policy must adapt to keep protection effective. Tuning is therefore a continual process that addresses changes in the threat landscape, changes in the network configuration, newly released and updated protections, new gateway capabilities, and more. It must be managed professionally at all times.

This guide explains the best practice guidelines to help you manage the Check Point IPS Software Blade. One of the key elements of maintaining an effective IPS policy is to monitor IPS events in real time.

This guide does not explain how to mitigate malware attacks.

When you tune the IPS policy, consider three areas: security coverage, accuracy, and performance.

IPS tuning is the science (and art) of balancing the trade-offs between these three areas against corporate security, compliance and operational requirements.

Most of this guide focuses on how you can optimize security coverage and accuracy. Performance Tuning is discussed in a separate section.

Overview of the Tuning Process

It takes approximately one to two weeks to tune your IPS policy. We recommend that you follow this checklist during the tuning process, and refer to additional information and instructions as necessary for each step.

Getting started:

  1. Update the IPS package. Make sure that the Security Gateway is up-to-date with the most recent protection signatures.
  2. Set the default IPS action to Prevent. This action gives maximum network protection.
  3. Set the default IPS action for newly downloaded protections to Prevent.
  4. Clone the Recommended Profile. Create a backup copy and make sure that all changes are only on the cloned profile.

    The security requirements for the different segments in your network often depend on the specified traffic types and network objects for each segment. For deployments with a Multi-Domain Server or several gateways, consider creating separate IPS policies and perform these steps for each segment.

  5. Enable Troubleshooting mode.

    During the initial tuning process, the IPS Software Blade inspects the network’s unique traffic, but does not block it. When you use Troubleshooting mode, even though all protections are set to Prevent, the gateway only detects possible threats and generates logs for the traffic.

  6. Click Follow Up. Select Mark newly downloaded protections for Follow Up to help the analysis and tuning of new protections.
  7. Configure the gateway. Assign the active profile to the relevant gateways.

To make sure that IPS analysis does not have a negative impact on network traffic, consider enabling Bypass IPS inspection when gateway is under heavy load. Note that while the bypass is active, traffic passes through the gateway without IPS inspection, so weigh this against the security requirements of the segment.

  8. Install the policy on the gateways. New IPS updates and changes in the active profile are not automatically deployed. You must install the policy and push it to the gateways.
  9. Collect the logs. After you install the policy, IPS starts to inspect the traffic and generate logs. We recommend that you collect logs for at least a week, and ideally for two weeks.

    Note - The IPS Software Blade does not block malicious traffic when Troubleshooting mode is enabled.

Initial IPS tuning:

  1. Review the logs. Decide which protections to run in Prevent or Detect mode, and which ones require more fine-tuning and analysis.
  2. Disable Troubleshooting mode.

    The IPS Software Blade now protects the network.

  3. Change the Updates policy so that newly downloaded protections are set to Detect.

    New IPS protections then run in Detect mode when they are deployed, until you have reviewed their logs and can move them to Prevent.

  4. Clear the Follow up or Newly downloaded flags for all protections reviewed during the tuning process.
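The log review in step 1 above is the part of this procedure that scales worst by hand: after one or two weeks in Troubleshooting mode, hundreds of protections may have generated logs. The script below is an added example, not a Check Point tool, that aggregates a log export per protection and proposes a Prevent / Detect / Follow Up decision. Its key=value line format, the internal address ranges, the severity names and the triage thresholds are all assumptions; the sample log lines are constructed, not real gateway output. The rule it encodes is the one reviewers apply informally: a protection tripped by many distinct internal hosts usually matches legitimate traffic and should stay in Detect with Follow Up, whereas a high-severity protection hit only from external sources is a safe candidate for Prevent.

```python
"""Triage IPS logs collected during Troubleshooting mode.

Added example, not Check Point's own tooling. The key=value log format,
the internal address ranges and the triage thresholds are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: which address ranges count as "internal" for this network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed thresholds: a protection hit by this many distinct internal
# sources is more likely a false positive than a real attack.
INTERNAL_SOURCE_THRESHOLD = 5
HIGH_SEVERITIES = {"High", "Critical"}

# Constructed sample log lines (not real gateway output).
SAMPLE_LOGS = "\n".join(
    # external scanner repeatedly hitting one server: real attack
    [f'time=2024-03-01T09:00:0{i} action=Detect protection_name="HTTP Header Overflow" '
     f'severity=High src=203.0.113.7 dst=10.0.0.5' for i in range(3)]
    # many internal hosts tripping the same protection: likely false positive
    + [f'time=2024-03-01T09:01:{i:02d} action=Detect protection_name="SMB Null Session" '
       f'severity=Medium src=10.0.1.{10 + i} dst=10.0.0.20' for i in range(8)]
    # one internal host, medium severity: needs a closer look
    + ['time=2024-03-01T09:05:00 action=Detect protection_name="DNS Cache Poisoning" '
       'severity=Medium src=192.168.4.9 dst=10.0.0.53']
)

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict (quoted values allowed)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(log_text):
    """Aggregate hits, distinct sources and severities per protection name."""
    stats = defaultdict(lambda: {"hits": 0, "internal_src": set(),
                                 "external_src": set(), "severity": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec.get("protection_name"):
            continue
        s = stats[rec["protection_name"]]
        s["hits"] += 1
        s["severity"].add(rec.get("severity", "Unknown"))
        (s["internal_src"] if is_internal(rec["src"]) else s["external_src"]).add(rec["src"])
    return stats


def recommend(s):
    """Assumed triage rule for one protection's statistics."""
    if len(s["internal_src"]) >= INTERNAL_SOURCE_THRESHOLD:
        # Broad internal triggering points at normal traffic matching the
        # signature; keep Detect and flag Follow Up rather than block it.
        return "Detect, Follow Up"
    if s["severity"] & HIGH_SEVERITIES and not s["internal_src"]:
        # High severity from external sources only: safe to enforce.
        return "Prevent"
    return "Detect, review"


def triage(log_text):
    """Return {protection_name: recommendation} for a log export."""
    return {name: recommend(s) for name, s in summarize(log_text).items()}


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOGS).items():
        print(f'{name}: {s["hits"]} hits, '
              f'{len(s["internal_src"])} internal / {len(s["external_src"])} external sources '
              f'-> {recommend(s)}')
```

Run it against an export of the Troubleshooting-mode logs and treat the output as a worklist, not a verdict: a "Prevent" recommendation still needs a human to confirm that the destination really is exposed to that attack, and every "Follow Up" item should keep its Follow Up flag until the cause of the broad internal matches is understood.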

Ongoing maintenance and tuning:

We recommend that twice a month you tune the new IPS protections, and look for changes in the behavior of the ones that you already tuned.

Performance tuning:

Monitor the gateway performance and configure the applicable settings to give the best network security and performance.
