
The Check Point IPS Solution

In This Chapter

Tour of IPS

IPS Terminology

SmartDashboard Toolbar

IPS Overview

Check Point IPS is an Intrusion Prevention System (IPS). Whereas the Security Gateway firewall lets you block traffic based on source, destination and port information, IPS adds another line of defense by inspecting the contents of the traffic to determine whether it poses a risk to your network. IPS protects both clients and servers, and lets you control the network usage of certain applications. The hybrid IPS detection engine provides multiple defense layers, which gives it excellent detection and prevention of known threats and, in many cases, of future attacks as well. It also allows flexible deployment and configuration together with high performance.

Check Point IPS is available in two deployment methods:

  • IPS Software Blade - integrated with the Check Point Security Gateway to provide another layer of security in addition to the Check Point firewall technology.
  • IPS-1 Sensor - installed without the Check Point Firewall and dedicated to protecting network segments against intrusion.

Layers of Protection

The layers of the IPS engine include:

  • Detection and prevention of specific known exploits.
  • Detection and prevention of attacks against a specific vulnerability, whether the exploit tool is known or unknown; for example, protection against a specific CVE.
  • Detection and prevention of protocol misuse which in many cases indicates malicious activity or potential threat. Examples of commonly manipulated protocols are HTTP, SMTP, POP, and IMAP.
  • Detection and prevention of outbound malware communications.
  • Detection and prevention of tunneling attempts. These attempts may indicate data leakage or attempts to circumvent other security measures such as web filtering.
  • Detection, prevention or restriction of certain applications which, in many cases, are bandwidth consuming or may cause security threats to the network, such as Peer to Peer and Instant Messaging applications.
  • Detection and prevention of generic attack types without any pre-defined signatures, such as Malicious Code Protector.

In all, IPS has deep coverage of dozens of protocols with thousands of protections. Check Point constantly updates the library of protections to stay ahead of the threats.

Capabilities of IPS

The unique capabilities of the Check Point IPS engine include:

  • Clear, simple management interface
  • Reduced management overhead by using one management console for all Check Point products
  • Unified control of both the IPS-1 Sensors and the integrated IPS Software Blade
  • Easy navigation from business-level overview to a packet capture for a single attack
  • Up to 15 Gbps throughput with optimized security, and up to 2.5 Gbps throughput with all IPS protections activated
  • #1 security coverage for Microsoft and Adobe vulnerabilities
  • Resource throttling so that high IPS activity will not impact other blade functionality
  • Complete integration with Check Point configuration and monitoring tools, such as SmartEvent, SmartView Tracker and SmartDashboard, to let you take immediate action based on IPS information

As an example, some malware can be downloaded by a user unknowingly when browsing to a legitimate web site, also known as a drive-by-download. The malware may exploit a browser vulnerability by creating a special HTTP response and sending it to the client. IPS can identify and block this type of attack even though the firewall may be configured to allow the HTTP traffic to pass.

Tour of IPS

The IPS tree in SmartDashboard provides easy access to IPS features, specific protections, and expert configurations. The tree is divided into the following sections:

  • Overview: dashboard for viewing IPS status, activity and updates
  • Enforcing Gateways: list of gateways enforcing IPS protections
  • Profiles: settings for IPS profiles
  • Protections: settings for individual protections
  • Geo Protection: protection enforcement by source or destination country
  • Network Exceptions: resources that are not subject to IPS inspection
  • Download Updates: manual or automatic updates to IPS protections
  • Follow Up: protections marked for follow-up action
  • Additional Settings: HTTP and HTTPS inspection

IPS Terminology

The following terms are used throughout this guide:

Enforcing Gateways

  • IPS Software Blade: the Software Blade that can be installed on a Security Gateway for enforcing IPS Software Blade protections.
  • IPS-1 Sensor: a device that has only the IPS-1 sensor software installed for enforcing IPS-1 sensor protections. A sensor does not have any routing capabilities.

Protections

  • Protection: a configurable set of rules which IPS uses to analyze network traffic and protect against threats

Activation Settings

  • Active: the protection action that activates a protection to either Detect or Prevent traffic
  • Detect: the protection action that allows identified traffic to pass through the gateway but logs the traffic or tracks it according to user configured settings
  • Inactive: the protection action that deactivates a protection
  • Prevent: the protection action that blocks identified traffic and logs the traffic or tracks it according to user configured settings

Types of Protections

  • Application Controls: the group of protections that prevents the use of specific end-user applications
  • Engine Settings: the group of protections that contain settings that alter the behavior of other protections
  • Protocol Anomalies: the group of protections that identifies traffic that does not comply with protocol standards
  • Signatures: the group of protections that identifies traffic that attempts to exploit a specific vulnerability

Protection Parameters

  • Confidence Level: how confident IPS is that traffic matched by the protection is actually malicious; the lower the confidence level, the higher the chance that the protection matches legitimate traffic (a false positive)
  • Performance Impact: how much a protection affects the gateway's performance
  • Protection Type: whether a protection applies to server-related traffic or client-related traffic
  • Severity: the likelihood that an attack can cause damage to your environment; for example, an attack that could allow the attacker to execute code on the host is considered Critical

Functions for Monitoring

  • Follow Up: a method of identifying protections that require further configuration or attention
  • Network Exception: a rule which can be used to exclude traffic from IPS inspection based on protections, source, destination, service, and gateway.

Profiles

  • IPS Mode: the default action, either Detect or Prevent, that an activated protection takes when it identifies a threat
  • IPS Policy: a set of rules that determines which protections are activated for a profile
  • Profile: a set of protection configurations, based on IPS Mode and IPS Policy, that can be applied to enforcing gateways
  • Troubleshooting: options that can be used to temporarily change the behavior of IPS protections, for example, Detect-Only for Troubleshooting
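The terms above interact: the IPS Policy decides which protections a profile activates, Active protections take the profile's IPS Mode, a per-protection setting can override that, Detect-Only for Troubleshooting turns Prevent into Detect, and a Network Exception removes traffic from inspection altogether. The following is an added illustration written for this edit, not Check Point code: the rule shape of the IPS Policy (minimum severity and confidence, maximum performance impact), the precedence order, and the fields of the exception object are all assumptions made to show how the pieces combine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress

# Ordered levels shared by Severity, Confidence Level and Performance Impact.
LEVELS = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class Protection:
    name: str
    severity: str        # Low / Medium / High / Critical
    confidence: str      # Low / Medium / High
    performance: str     # Performance Impact: Low / Medium / High


@dataclass
class IPSPolicy:
    """Assumed rule shape (illustrative): activate a protection when its severity
    and confidence are at least these levels and its performance impact is at
    most max_performance."""
    min_severity: str = "Medium"
    min_confidence: str = "Medium"
    max_performance: str = "High"

    def activates(self, p: Protection) -> bool:
        return (LEVELS[p.severity] >= LEVELS[self.min_severity]
                and LEVELS[p.confidence] >= LEVELS[self.min_confidence]
                and LEVELS[p.performance] <= LEVELS[self.max_performance])


@dataclass
class Profile:
    ips_mode: str                    # default action for Active protections: "Detect" or "Prevent"
    policy: IPSPolicy
    # Per-protection overrides: Active / Detect / Prevent / Inactive (assumed precedence: beats the policy).
    manual: Dict[str, str] = field(default_factory=dict)
    detect_only_troubleshooting: bool = False


@dataclass
class NetworkException:
    """Excludes traffic from inspection by protection, source, destination, service and gateway."""
    protection: Optional[str] = None     # None = all protections
    source: str = "0.0.0.0/0"
    destination: str = "0.0.0.0/0"
    service: Optional[str] = None        # e.g. "tcp/80"; None = any service
    gateway: Optional[str] = None        # None = every enforcing gateway

    def matches(self, protection: str, src: str, dst: str, service: str, gateway: str) -> bool:
        return (self.protection in (None, protection)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and self.service in (None, service)
                and self.gateway in (None, gateway))


def activation(profile: Profile, p: Protection) -> str:
    """Effective action of one protection under a profile: Inactive, Detect or Prevent."""
    setting = profile.manual.get(p.name)                  # manual override first
    if setting is None:                                   # otherwise ask the IPS Policy
        setting = "Active" if profile.policy.activates(p) else "Inactive"
    if setting == "Inactive":
        return "Inactive"
    if setting == "Active":                               # Active = use the profile's IPS Mode
        setting = profile.ips_mode
    if setting == "Prevent" and profile.detect_only_troubleshooting:
        return "Detect"                                   # Detect-Only for Troubleshooting
    return setting


def decide(profile: Profile, exceptions: List[NetworkException], p: Protection,
           src: str, dst: str, service: str, gateway: str) -> str:
    """What IPS does with a flow that a protection has matched."""
    if any(ex.matches(p.name, src, dst, service, gateway) for ex in exceptions):
        return "Accept (Network Exception)"               # not inspected at all
    action = activation(profile, p)
    if action == "Inactive":
        return "Accept (protection inactive)"
    return "Drop and log" if action == "Prevent" else "Accept and log"


if __name__ == "__main__":
    prof = Profile("Prevent", IPSPolicy("High", "Medium", "Medium"), manual={"Legacy app": "Detect"})
    browser = Protection("Browser overflow", "Critical", "High", "Low")
    exc = [NetworkException(source="10.1.0.0/16", service="tcp/80")]   # constructed scanner subnet
    print(decide(prof, exc, browser, "203.0.113.5", "192.0.2.10", "tcp/80", "gw1"))
```

Note how a Network Exception silences the protection entirely rather than logging in Detect: when troubleshooting a false positive, prefer switching the single protection to Detect (which keeps the log) over an exception, and keep exceptions as narrow in source, destination and service as the case allows.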

SmartDashboard Toolbar

You can use the SmartDashboard toolbar to do these actions:

  • Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
  • Save the current policy and all system objects.
  • Open a policy package, which is a collection of Policies saved together under the same name.
  • Refresh the policy from the Security Management Server.
  • Open the Database Revision Control window.
  • Change global properties.
  • Verify Rule Base consistency.
  • Install the policy on Security Gateways or VSX Gateways.
  • Open SmartConsoles.

IPS Overview

The IPS Overview page provides quick access to the latest and most important information.

In My Organization

IPS in My Organization summarizes gateway and profile information.

The table of the configured profiles displays the following information:

  • Profile — the name of the profile
  • IPS Mode — whether the profile is set to just Detect attacks or to prevent them as well
  • Activation — the method of activating protections; either IPS Policy or Manual
  • Gateways — the number of gateways enforcing the profile

Double-clicking a profile opens the profile's Properties window.

Messages and Action Items

Messages and Action Items gives quick access to:

  • Protection update information
  • Protections marked for Follow Up
  • IPS contract status
  • Links to events and reports

Security Status

Security Status provides an up-to-the-minute display of the number of Detect and Prevent events that IPS handled over a selected time period, delineated by severity. You can rebuild the chart with the latest statistics by clicking on Refresh.

Note - Security Status graphs compile data from gateways of version R70 and above.

The Average is the mean number of attacks that IPS handled per selected time period in your organization.

For example, if you choose to view the past 24 hours and the average number of critical attacks is 45, IPS in your organization handles, on average, 45 critical attacks in a 24-hour period. Compare the current count against this baseline in both directions:

  • If the current number of attacks is much higher than the average, it may indicate a security issue that you should handle immediately. For example, if IPS handled more than 500 critical attacks in the past 24 hours against an average of 45, you can see at once that your organization is being targeted with critical attacks in a persistent manner, and you should handle this urgently.
  • If the current number of attacks is much lower than the average, it may indicate a problem with your IPS deployment that you should troubleshoot. For example, if IPS handled fewer than 10 critical attacks in the past 24 hours against an average of 45, there is a possible issue with IPS configuration; perhaps a gateway was installed with a policy that does not include an IPS profile.
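The same baseline comparison can be run outside the dashboard, which is useful for alerting on the "too quiet" case that operators tend to miss. The block below is an added example written for this edit, not code from the guide or from Check Point: the log records are a constructed, simplified (timestamp, severity, action) form rather than the real log format, and the spike and drop thresholds (three times the average, one third of the average) are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed record model, not the Check Point log format: (timestamp, severity, action).
LogRecord = Tuple[datetime, str, str]

# Fixed "now" so the example is deterministic (assumption for illustration).
NOW = datetime(2014, 6, 10, 12, 0, 0)


def build_sample(per_day_counts: List[int], severity: str = "Critical",
                 now: datetime = NOW) -> List[LogRecord]:
    """Constructed sample data: per_day_counts[0] is the most recent 24-hour
    period, per_day_counts[1] the one before it, and so on. Events are spread
    evenly through each period and alternate between Prevent and Detect."""
    records: List[LogRecord] = []
    for day, count in enumerate(per_day_counts):
        period_end = now - timedelta(hours=24 * day)
        for i in range(count):
            # 1 .. 86399 seconds before the period end, so every event stays inside its period
            ts = period_end - timedelta(seconds=1 + (86399 * i) // max(count, 1))
            action = "Prevent" if i % 2 == 0 else "Detect"
            records.append((ts, severity, action))
    return records


def count_by_period(records: List[LogRecord], severity: str,
                    period_hours: int = 24, now: datetime = NOW) -> List[int]:
    """Count Detect and Prevent events of one severity per period.
    Index 0 is the most recent period (what the Security Status chart shows);
    later indexes are the history the average is built from."""
    counts = defaultdict(int)
    for ts, sev, action in records:
        if sev != severity or action not in ("Detect", "Prevent"):
            continue
        age = now - ts
        if age < timedelta(0):          # ignore records with future timestamps (clock skew)
            continue
        counts[int(age.total_seconds() // (period_hours * 3600))] += 1
    periods = max(counts) + 1 if counts else 0
    return [counts[i] for i in range(periods)]


def assess(current: int, history: List[int],
           high_factor: float = 3.0, low_factor: float = 1 / 3) -> Tuple[str, float]:
    """Compare the current period with the average of previous periods.
    Returns (verdict, average). Thresholds are illustrative assumptions."""
    if not history:
        return "no baseline yet", 0.0
    average = sum(history) / len(history)
    if average == 0:
        return ("spike: no history of attacks, investigate" if current > 0 else "normal"), average
    if current > high_factor * average:
        return "spike: persistent targeting, handle urgently", average
    if current < low_factor * average:
        return "drop: check that every gateway enforces an IPS profile and is logging", average
    return "normal", average


if __name__ == "__main__":
    # Five quiet days averaging 45 critical attacks, then 500 in the latest 24 hours.
    periods = count_by_period(build_sample([500, 44, 46, 45, 45, 45]), "Critical")
    verdict, average = assess(periods[0], periods[1:])
    print(periods, average, verdict)
```

Run it against the counts exported for each severity separately; an average computed across severities hides a drop in Critical events behind the volume of Low ones.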

Security Center

Security Center is a scrolling list of available protections against new vulnerabilities. The Open link next to a Security Center item takes you to the associated Check Point Advisory.

©2014 Check Point Software Technologies Ltd. All rights reserved.