Threat Prevention Policies
IPS
A Check Point Firewall can block traffic based on source, destination and port information. You can increase network security with the IPS Software Blade and analyze traffic for possible risks. The IPS detection engine has multiple defense layers, detects and prevents against known threats, and often protects against future ones.
For example IPS protects against drive-by-downloads, where a user can go to a legitimate web site and unknowingly download malware. The malware can exploit a browser vulnerability that lets it create a special HTTP response that sends the malware to the client. The Firewall allows the HTTP traffic from the web site and the computer is at risk for this malware. IPS protects the computer, it can identify and then block the drive-by download connection.
For more about using the IPS Software Blade, see the R76 IPS Administration Guide.
IPS Protection Profiles
An IPS protection is a set of rules that lets you define how IPS analyzes network traffic. Create IPS profiles to easily configure one or more protections for groups of Security Gateways. You can customize the profile for the specified protections to identify specified attacks. These profiles can then be applied to the groups of Security Gateways to protect them against those attacks.
To create a new IPS protection profile:
- In the tab, select .
- Click and select .
The page of the window opens.
- Enter the .
- In , select the default action for an IPS protection.
- - Protections block traffic that matches the definitions.
- - Protections log traffic that matches the definitions.
- In , select if protections are enabled automatically or manually.
- From the navigation tree, click > .
- Select the default IPS Mode for new protections that are downloaded: or .
- Click to create the profile.
Enabling IPS
The Enforcing Gateways page in the IPS tab shows all the Security Gateways that the IPS Software Blade is enabled. You can enable IPS on a Security Gateway that has the Firewall Software Blade enabled.
To enable IPS on a Security Gateway:
- From the tab, click .
The page opens.
- Click .
The window opens.
- Select a Security Gateway and click .
IPS is enabled on the Security Gateway and it is shown in the page.
- Install the policy.
Using IPS Profiles
The page shows all the Security Gateways that have the IPS Software Blade enabled. From this page, you can open the window and assign an IPS profile to a Security Gateway.
To assign a profile to a gateway:
- In the tab, select .
- Select a gateway and click .
The page of the window opens.
- From Assign profile, select an IPS profile.
- Click OK.
To show the Security Gateways for a profile:
- In the tab, select .
- Select the IPS profile.
- Click .
The window opens and shows the Security Gateways that are assigned to the IPS profile.
Adding Network Exceptions
You can configure exceptions for a protection with the action, so that it does not identify the specified traffic. These are some situations where it is helpful to use exceptions:
- Traffic that is legitimate for some machines or services can match the protection criteria for malware.
- A server that does not comply with RFC standards.
Adding an IPS Exception
To add a new exception:
- In the tab, select .
- Click .
The window opens.
- From , select a profile or .
- From , select the excluded protection(s).
- - Click and then select the protection.
- - Only protections that support the Network Exceptions feature are excluded.
- Define the and , and for the excluded protection.
- To use a SmartDashboard object, click and then select the object.
- To enter a value, click or and then enter the value.
- Define on which Security Gateways this exception is installed. Select one of these options:
-
- and select the Security Gateway object.
- Click and then install the policy.
Browsing IPS Protections
The window lets you quickly see IPS protections and shows a summary of each protection.
To browse IPS protections:
Click the tab and from the navigation tree click .
These columns give information about the IPS protections.
Column
|
Description
|
Protection
|
Name of the protection.
|
Severity
|
Probable severity of a successful attack on your environment.
|
Confidence Level
|
How confident IPS is that recognized attacks are actually undesirable traffic.
|
Performance Impact
|
How much this protection affects the performance of a Security Gateway.
|
Industry Reference
|
International CVE or CVE candidate name for attack.
|
Release Date
|
Date the protection was released by Check Point.
|
Follow Up 
|
Shows if this protection is marked for Follow Up.
|
Products
|
Shows if this protection is enforced by IPS Software Blades or IPS-1 Sensors.
|
Supported
|
Which Security Gateway versions support this protection.
|
Has an Exception 
|
Shows if this protection has a network exception.
|
<profile_name>
|
There is a separate column for each IPS Profile. The cell shows the Activation setting for the protection.
|
Updating IPS Protections
Check Point is constantly developing and improving its protections against the latest threats. You can manually update the IPS protections and also set a schedule when updates are automatically downloaded and installed.
|
Note - The Security Gateways with IPS enabled only get the updates after you install the policy.
|
To show the IPS update settings:
Click the tab and from the navigation tree click .
IPS Update Options
You can use these IPS update options to easily manage new IPS protections:
- - New protections can be automatically marked with a flag and are listed on the page in the tab. Click to change these settings.
- - Automatically create a database revision before the IPS protections are updated. You can revert the SmartDashboard database back to the earlier IPS protections. For more information about Database Revision Control, see the R76 Security Management Administration Guide.
Configuring Geo Protections
Geo Protection lets you control network traffic for specified countries. An IP-to-country database connects packet IP addresses to the countries. Configure one set of policies for each Profile to block or allow traffic for one or more countries. Configure a different policy that applies to the other countries. Private IP addresses are allowed unless the other side of the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management Server) are always allowed, regardless of the Geo Protection policy.
Configure the Geo Protections for each of the IPS Profiles separately. Policies with a Block action for and are only enabled when the is set to .
To configure Geo Protection for specified countries:
- Click the tab and from the navigation tree click .
The page opens.
- Select the IPS and one of these Geo Protection for this Profile:
- - The actions for these countries are enabled.
- - All traffic is allowed. Traffic that matches a policy with a Block action is logged.
- - Geo Protection is disabled.
- Click and configure exceptions for the Geo Protection for this Profile.
- To configure new Geo Protection policies, click .
The window opens.
- Click and select the country for this policy.
- Select the traffic for this country.
- From , select or .
- From , select a logging option.
If a connection matches more than one Geo Protection policy, the first policy is logged.
- Click .
- Configure the Geo Protection policy for the other countries.
- From the drop-down menu, select or .
- From , select a logging option.
- Do these steps for all the IPS Profiles.
- Install the policy.
We recommend that after some days, you review the Geo Protection logs.
Anti-Bot and Anti-Virus
Protecting Networks from Bots
A bot is malicious software that can infect your computer. There are many infection methods, for example:
- Opening attachments that exploit a vulnerability
- Accessing a web site that results in a malicious download
When a bot infects a computer, it:
- Takes control of the computer and neutralizes its Anti-Virus defenses. It is not easy to find bots on your computer, they hide and change how they look to Anti-Virus software.
- Connects to a C&C (Command and Control center) for instructions from cyber criminals. The cyber criminals, or bot herders, can remotely control it and instruct it to do illegal activities without your knowledge. Your computer can do one or more of these activities:
- Steal data (personal, financial, intellectual property, organizational)
- Send spam
- Attack resources (Denial of Service Attacks)
- Consume network bandwidth and reduce productivity
One bot can often create multiple threats. Bots are frequently used as part of (APTs) where cyber criminals try to damage individuals or organizations. A botnet is a collection of compromised and infected computers.
The Anti-Bot Software Blade detects and prevents these bot and botnet threats. For more about using the Anti-Bot Software Blade, see the R76 Anti-Bot and Anti-Virus Administration Guide.
Identifying Bot Infected Computers
The Anti-Bot Software Blade uses these procedures to identify bot infected computers:
These web sites are constantly changing and new sites are added on an hourly basis. Bots can attempt to connect to thousands of potentially dangerous sites. It is a challenge to know which sites are legitimate and which are not.
These communication fingerprints are different for each family and can be used to identify a botnet family. Research is done for each botnet family to identify the unique language that it uses. There are thousands of existing different botnet families and new ones are constantly emerging.
Identify specified actions for a bot such as, when the computer sends spam or participates in DOS attacks.
Check Point uses the ThreatSpect engine and ThreatCloud repository to find bots based on these procedures.
Protecting Networks from Viruses
The Anti-Virus Software Blade inspects connections to the Internet and scans file transfers and downloads to the internal network to find and prevent malware attacks. It also gives pre-infection protection from external malware and malicious servers.
ThreatSpect Engine and ThreatCloud Repository
The ThreatSpect engine is a unique multi-tiered engine that analyzes network traffic and correlates information across multiple layers to find bots and other malware. It combines information on remote operator hideouts, unique botnet traffic patterns and behavior to identify thousands of different botnet families and outbreak types.
The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.
The Security Gateway gets automatic binary signature and reputation updates from the ThreatCloud repository. It can query the cloud for new, unclassified IP/URL/DNS resources that it finds.
The layers of the ThreatSpect engine:
- - Analyzes the reputation of URLs, IP addresses and external domains that computers in the organization access. The engine searches for known or suspicious activity, such as a C&C.
- - Detects threats by identifying unique patterns in files or in the network.
- - Detects infected machines in the organization based on analysis of outgoing mail traffic.
- - Detects unique patterns that indicate the presence of a bot. For example, how a C&C communicates with a bot-infected machine.
Learning about Malware
The Threat Wiki is an easy to use tool that lets you search and filter the ThreatCloud repository to find more information about identified malware. The Threat Wiki helps you to learn more about malware, you can:
- Filter by category, tag, or malware family
- Search for a malware
To show the Threat Wiki:
In the tab, click . The page opens.
Examining Anti-Bot and Anti-Virus Protections
The browser shows information about the Anti-Bot and Anti-Virus protections.
To show the Protections browser:
In the tab, click . The lower pane shows a detailed description of the protection type.
Column
|
Description
|
Protection
|
Name of the protection type.
|
Blade
|
If the protection is used by the Anti-Bot or Anti-Virus Software Blade.
|
Engine
|
Layer of the ThreatSpect engine that is protecting the network.
|
Known Today
|
Number of known protections.
|
Performance Impact
|
Impact on the performance of a Security Gateway.
|
<Profile Name>
|
For each profile, shows the action for each protection:
- - Blocks traffic that matches the protection
- - Allows all traffic and logs traffic that matches the protection
- - Protection is disabled
Protections can have more than one action. This column shows the percentage of protections set to each action.
|
Enabling the Anti-Bot and Anti-Virus Software Blades
Enable one or more of these Software Blades on a Security Gateway: Anti-Bot and Anti-Virus.
To enable the Software Blades:
- In SmartDashboard, right-click the gateway object and select .
The window opens.
- In tab, select , or both of them.
The window opens.
- Select one of the activation mode options:
- - Enable the Anti-Bot and Anti-Virus Software Blades and use the profile settings in the Anti-Bot and Anti-Virus policy.
- - Packets are allowed, but the traffic is logged according to the settings in the Rule Base.
- Click and then install the policy.
Anti-Bot and Anti-Virus Rule Base
There is a different Rule Base for Anti-Bot and Anti-Virus. The Anti-Bot and Anti-Virus rules use the Malware database and network objects. Security Gateways that have Identity Awareness enabled can also use Access Role objects as the in a rule. The Access Role objects let you easily make rules for individuals or different groups of users.
The first Anti-Bot or Anti-Virus rule that matches the traffic is applied. There are no implied rules in this Rule Base, all traffic is allowed unless it is explicitly blocked. A rule that is set to the action, blocks activity and communication for that malware.
When necessary, you can add an exception directly to a rule. The object in the , can have a different from the specified Anti-Bot and Anti-Virus rule. Here are some examples of exception rules:
- A profile that only detects protections. You can set one or more of the protections for a user to .
- The RnD network is included in a profile with the action. You can set that network to .
Managing the Anti-Bot and Anti-Virus Rule Base
These are the fields that manage the rules for the Anti-Bot and Anti-Virus threat prevention policy.
Field
|
Description
|
No.
|
Rule number in the Rule Base. An exception rule contains the letter and a digit that represents the exception number. For example, is the second exception for the second rule.
|
Name
|
Name that the system administrator gives this rule.
|
Protected Scope
|
Objects that are protected against bots and viruses. Traffic to and from these objects is inspected even if the objects did not open the connection.
|
Protection
|
For rules, the value for this field is always . The protections are set according the profile in the field.
For exceptions, set this field to one or more specified protections.
|
Action
|
For rules, the value for this field is an Anti-Bot and Anti-Virus profile.
For exceptions, set this field to or .
|
Track
|
Tracking and logging action that is done when traffic matches the rule.
|
Install On
|
Network objects that get this rule. The default setting is and installs the policy on all Security Gateways that have Anti-Bot and Anti-Virus enabled.
|
Sample Rule Base
This table shows a sample Anti-Bot and Anti-Virus Rule Base. (The column is not shown and is set to .)
No.
|
Name
|
Protected Scope
|
Protection
|
Action
|
Track
|
1
|
High Security
|
Finance_
server
Corporate_
internal
Corporate_
finance
|
- n/a
|
High_Security_
Profile
|
Log
Packet Capture
|
2
|
Malware Rule
|
Any
|
- n/a
|
Recommended_
Profile
|
Log
|
E-2.1
|
RnD Server
|
Server_1
|
Backdoor.Win32.Shark.A
|
Detect
|
Log
|
E-2.2
|
Users_3
|
Users_3
|
Adware.Win32.CashFiesta.A
RogueSoftware.Win32.
Ackantta.A
Trojan.Win32.Agent.BA
|
Detect
|
Log
|
1. - Traffic for the Finance server and two corporate networks are inspected for bots and viruses according to the settings in the High_Security profile. The traffic is logged and the packets are captured for analysis in SmartView Tracker.
2. - All traffic in the network is inspected for bots and viruses according to the settings in the Recommend_Profile.
E-2.1 r - A global exception rule for the Server-1 object, that only detects the protection.
E-2.2 - An exception rule for the Users_3 Access Role, that only detects some protections.
Anti-Spam
Employees waste more and more time to sort through bulk emails commonly known as spam. The amount of resources (disk space, network bandwidth, CPU) devoted to handling spam also increases from year to year. In addition, unwanted emails continue to grow and can be an unexpected security threat to networks. Cyber-criminals can use emails to let viruses and malware into your network. The Anti-Spam and Mail Software Blade gives system administrators an easy and central tool to eliminate most of the spam that reaches their networks.
These are some of the Anti-Spam features. For more about using Anti-Spam, see the R76 Anti-Bot and Anti-Virus Administration Guide.
Enabling Anti-Spam
Use the page in the tab to enable Anti-Spam on a Security Gateway.
To enable Anti-Spam:
- In the tab, select .
- Click .
The window opens.
- Select one or more Security Gateways.
- Click .
Sample Configuration
Feature
|
Setting
|
Description
|
Content based Anti-Spam
|
|
Identifies spam based on email content
|
IP Reputation Anti-Spam
|
|
Identifies spam based on IP address database of known spammers
|
Block List Anti-Spam
|
|
Identifies spam based on domains or IP addresses that you define
|
Mail Anti-Virus
|
|
Scans and filters emails for viruses and other malware
|
Zero hour malware protection
|
|
Does not scan the Internet to identify and filter new virus email attacks
|
The feature is set to because enabling the feature has a negative effect on network performance.
|
