Infinity NDR Sensors
Overview
How Infinity NDR (Network Detection and Response) works: a network sensor extracts log fields from the network traffic and creates a record that contains these and other fields:
- Source and destination IP addresses
- Ports
- Quantity of data transferred
- URLs
- Application categorization
- Risk categorization
- User identity
In return, Infinity NDR delivers threat indicators to the sensor.
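The loop described above, as an added example that is not Check Point code: constructed sensor records carrying the fields listed (the JSON field names are assumptions, not a real Check Point log format) are checked against a constructed indicator feed, matching on source/destination IP and on the URL host (including subdomains of an indicator domain).

```python
import json
from urllib.parse import urlsplit

# Constructed sample of sensor records with the field set the page lists
# (not a real Check Point log format; field names are assumptions).
SENSOR_RECORDS = """
{"id": 1, "src": "10.1.2.3", "dst": "203.0.113.10", "sport": 51234, "dport": 443, "bytes": 18300, "url": "https://updates.example.com/patch.bin", "app": "Software Update", "risk": "low", "user": "alice"}
{"id": 2, "src": "10.1.2.7", "dst": "198.51.100.44", "sport": 40001, "dport": 8080, "bytes": 512, "url": "http://cdn.bad-example.net/x", "app": "Web Browsing", "risk": "medium", "user": "bob"}
{"id": 3, "src": "10.1.2.9", "dst": "192.0.2.200", "sport": 40002, "dport": 22, "bytes": 999999, "url": "", "app": "SSH", "risk": "high", "user": "carol"}
""".strip().splitlines()

# Constructed threat-indicator feed, standing in for the indicators the page
# says Infinity NDR returns to the sensor. Domain indicators cover subdomains.
INDICATORS = {"ip": {"192.0.2.200"}, "domain": {"bad-example.net"}}

def url_host(url):
    """Return the lowercase host of a URL, or '' when there is none."""
    return (urlsplit(url).hostname or "").lower() if url else ""

def domain_matches(host, indicator_domains):
    """True when host equals an indicator domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in indicator_domains)

def match_indicators(lines, indicators):
    """Return [(record id, matched field, indicator value)] for every record
    whose source/destination IP or URL host appears in the indicator feed."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        for field in ("src", "dst"):
            if rec.get(field) in indicators["ip"]:
                hits.append((rec["id"], field, rec[field]))
        host = url_host(rec.get("url", ""))
        if host and domain_matches(host, indicators["domain"]):
            hits.append((rec["id"], "url", host))
    return hits

if __name__ == "__main__":
    for hit in match_indicators(SENSOR_RECORDS, INDICATORS):
        print("record %d matched on %s: %s" % hit)
```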
Supported sensor types include Check Point Security Gateways (Quantum, CloudGuard, and Quantum Spark) and Check Point Harmony Endpoint. In addition, the sensor can deliver threat indicators to third-party devices.
If the sensors are NDR-Managed, they are managed from a Management Server (a Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server) hosted by the Infinity NDR Indicator Management application. This means that you do not need to install a Management Server, SmartEvent, or SmartConsole, or provision policy.
A non NDR-Managed sensor sends its logs to a Management Server or Log Server, and Check Point Log Exporter forwards the logs to Infinity NDR for processing. In addition, you must configure the sensor separately to subscribe to Infinity NDR Intel feeds.
Check Point Quantum NDR Sensors
You can easily convert any Check Point Quantum Security Gateway appliance into an NDR-Managed Infinity NDR Sensor. The appliance's control layer is then slaved to the Infinity NDR application, and all control layer communications (policy, logs, ThreatCloud queries, NTP, DNS, and so on) are tunnelled over a mutually authenticated SSL (Secure Sockets Layer) VPN tunnel to the Infinity NDR cloud. Traffic inspection is done through Monitor Mode interfaces attached to switch mirror ports. In addition, inline deployment (Bridge Mode, in which the Security Gateway or Virtual System works as a Layer 2 bridge in an existing topology) is supported, with fail-open network interfaces.
In NDR mode, the appliance applies Check Point's real-time advanced SNBT threat detection engines to the mirrored network traffic, with:
- IDS/IPS (Intrusion Detection System / Intrusion Prevention System)
- Application fingerprinting
- Anti-Virus and Anti-Bot
- Threat Emulation (evasion-resistant sandboxing)
The NDR sensor sends its analytical conclusions as log records to the Infinity NDR back end for further analysis.
Check Point CloudGuard NDR Sensors
You can apply the same NDR mode conversion process you use for Quantum NDR sensors (as described in Preparing an Infinity NDR Sensor) on CloudGuard and Open Server (non-Check Point hardware) Gaia installations. There are some differences in interface names and licensing, but the SNBT functionality is the same on these sensors. A major difference is how virtualization affects the data layer attachment:
- Fail-open interfaces are unavailable. Therefore, inline deployment is not supported; only Monitor Mode is.
- CloudGuard for VMware ESX deployments operate similarly to physical appliances, through mirroring.
- The Infinity NDR application automatically provisions CloudGuard for AWS (Amazon Web Services), with AWS Lambda serverless computing to manage the cloud-native traffic mirroring APIs. The CloudGuard Network Security instance is deployed out of band for its compute capabilities, with no effect on business traffic.
- CloudGuard for GCP operates similarly to AWS, but mirroring is currently provisioned manually.
- As an alternative for all environments, you can deploy a CloudGuard Network Security instance and convert it into NDR mode. You can provision traffic mirroring on a separate computer or appliance (for example, Check Point CloudGuard Network Security configured with a Mirror and Decrypt policy) over VXLAN.
Log Server Registration
If you have a Check Point Management Server or Log Server that collects logs from Check Point Security Gateways, Check Point Harmony Endpoint, or both, you can export the logs to Infinity NDR Indicator Management for NDR visualizations and analysis, as detailed in Infinity NDR Log Server Registration.
Such a server is considered non NDR-Managed.