NDR Sensors
Overview
How NDR works:
A network sensor extracts log fields from the network traffic to create a record with these and other fields:
- Source and destination
- IP (Internet Protocol) addresses
- Ports
- Quantity of data transferred
- URLs
- Application categorization
- Risk categorization
- User identity
In return, NDR (Network Detection and Response) delivers threat indicators to the sensor.
Supported Sensor Types:
- NDR-Managed: Check Point Security Gateways (Quantum or CloudGuard)
- Non NDR-Managed: Check Point Security Gateways (Quantum, CloudGuard, and Quantum Spark), and Check Point Harmony Endpoint
In addition, the sensor can deliver threat indicators to third-party devices.
If the sensors are managed by NDR, they are managed from a Management Server (a Check Point Single-Domain or Multi-Domain Security Management Server) hosted by the NDR Indicator Management application. This means that you do not need to install a Management Server, SmartEvent, or SmartConsole, or provision policy.
A non NDR-Managed sensor sends its logs to a Management Server or Log Server (a dedicated Check Point server that stores and processes logs), and Check Point Log Exporter forwards the logs to NDR for processing. In addition, you must configure the sensor separately to subscribe to NDR Intel feeds.
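The following Python is an added illustration, not code from Check Point or from this documentation, of the loop described under How NDR works and in the Log Exporter paragraph above: it parses constructed Log Exporter-style key=value log lines into a record with the fields the overview lists, then applies a constructed indicator feed of the kind NDR delivers back to the sensor. The key names (src, dst, s_port, service, bytes, appi_name, app_risk, resource, user) and the line format are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a Log Exporter-style "key=value" syslog format.
# Key names (src, dst, s_port, service, bytes, appi_name, app_risk, resource,
# user) are assumed for illustration, not taken from the page.
SAMPLE_LOGS = [
    'time=1700000000 src=10.1.2.3 dst=203.0.113.10 s_port=51522 service=443 '
    'bytes=84210 appi_name="Web Browsing" app_risk=Low '
    'resource="https://example.test/login" user=alice',
    'time=1700000005 src=10.1.2.7 dst=198.51.100.25 s_port=40022 service=8080 '
    'bytes=1200 appi_name=Unknown app_risk=Medium '
    'resource="http://198.51.100.25/x" user=bob',
]
# Constructed indicator feed of the kind NDR delivers back to the sensor.
INDICATORS = {"ip": {"198.51.100.25"}, "url": {"http://198.51.100.25/x"}}
# key=value pairs; values are double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

@dataclass
class SensorRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    bytes_transferred: int
    url: str
    app_category: str
    risk_category: str
    user: str
    matched_indicators: tuple = ()

def parse_record(line: str) -> SensorRecord:
    kv = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
          for m in KV_RE.finditer(line)}
    return SensorRecord(
        src_ip=kv["src"], dst_ip=kv["dst"],
        src_port=int(kv["s_port"]), dst_port=int(kv["service"]),
        bytes_transferred=int(kv["bytes"]), url=kv.get("resource", ""),
        app_category=kv.get("appi_name", "Unknown"),
        risk_category=kv.get("app_risk", "Unknown"), user=kv.get("user", ""))

def apply_indicators(record: SensorRecord, indicators: dict) -> SensorRecord:
    """Mark the record with any returned indicator it matches; raise its risk."""
    hits = [("ip", record.dst_ip)] if record.dst_ip in indicators["ip"] else []
    if record.url in indicators["url"]:
        hits.append(("url", record.url))
    if hits:
        record.risk_category = "Critical"
    record.matched_indicators = tuple(hits)
    return record
```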
Check Point Quantum NDR Sensors
You can easily convert any Check Point Quantum Security Gateway appliance into an NDR-Managed NDR Sensor. The appliance's control layer is then subordinated to the NDR application, and all control layer communications (policy, logs, ThreatCloud queries, NTP, DNS, and so on) are tunnelled over a mutually authenticated SSL (Secure Sockets Layer) VPN tunnel to the NDR cloud. Traffic inspection is done through Monitor Mode interfaces attached to switch mirror ports. In addition, an inline deployment (Bridge Mode, in which the Security Gateway or Virtual System works as a Layer 2 bridge device) is supported, with fail-open network interfaces.
In NDR mode, the appliance applies Check Point's real-time advanced SNBT threat detection engines to the mirrored network traffic, with:
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System: inspects and analyzes packets and data for numerous types of risks)
- Application fingerprinting
- Anti-Virus (real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware before users are affected) and Anti-Bot (blocks botnet behavior and communication to Command and Control (C&C) centers)
- Threat Emulation (monitors the behavior of files in a sandbox to determine whether they are malicious; evasion-resistant sandboxing)
NDR sends analytical conclusions as log records to the NDR back end for more analysis.
Check Point CloudGuard NDR Sensors
You can apply the same NDR mode conversion process you use for Quantum NDR sensors (as described in Preparing an NDR Sensor) on CloudGuard and Open Server Gaia installations (an Open Server is a physical computer manufactured and distributed by a company other than Check Point; Gaia is the Check Point security operating system). There are some differences in interface names and licensing, but the SNBT functionality is the same on these sensors. A major difference is how virtualization affects the data layer attachment:
- Fail-open interfaces are unavailable. Therefore, the inline deployment is not supported, only Monitor Mode.
- CloudGuard for VMware ESX deployments operate similarly to physical appliances, through mirroring.
- The NDR application automatically provisions CloudGuard for AWS (Amazon Web Services), with AWS Lambda serverless computing to manage cloud-native traffic mirroring APIs. The CloudGuard Network Security instance is deployed out of band for its compute capabilities, with no effect on business traffic.
- CloudGuard for GCP operates similarly to AWS, but mirroring is currently provisioned manually.
- As an alternative for all environments, you can deploy a CloudGuard Network Security instance and convert it into NDR mode. You can provision traffic mirroring on a separate computer or appliance (for example, Check Point CloudGuard Network Security configured with a Mirror and Decrypt policy) over VXLAN.
Log Server Registration
If you have a Check Point Management Server or Log Server that collects logs from Check Point Security Gateways, Check Point Harmony Endpoint, or both, you can export the logs to NDR Indicator Management for NDR visualizations and analysis, as detailed in NDR Log Server Registration.
The server is considered non NDR-Managed.