Getting Started with IPS

In This Chapter

Choosing the Level of Protection

Changing the Assigned Profile

Recommendations for Initial Deployment

Installing the Policy

IPS can be configured for many levels of control over network traffic, but it is also designed to provide IPS protection right out of the box for IPS Software Blades and IPS-1 Sensors.

  • IPS Software Blades - When you enable the IPS Software Blade on a Security Gateway object, the gateway is automatically added to the list of Enforcing Gateways and it is assigned the Default Protection profile. You also have the option to assign the Recommended Protection profile to the gateway or to create a customized profile and assign it to the gateway.
  • IPS-1 Sensors - When you add a new IPS-1 Sensor object, the sensor is automatically added to the list of Enforcing Gateways and it is assigned the IPS-1 Recommended Protection profile.

The next time you install a policy on the gateway, the IPS profile is also installed on the gateway and the gateway immediately begins enforcing IPS protection on network traffic.

In addition to assigning your gateway an IPS profile, you should also review the Recommendations for Initial Deployment.

Choosing the Level of Protection

Check Point IPS is a system that can give you instant protection based on pre-defined profiles, or it can be customized and controlled on a very detailed level.

To learn more about profiles, see IPS Profiles.

Basic IPS Protection

IPS provides three pre-defined profiles that can be used to immediately enforce IPS protection in your environment:

  • Default_Protection - provides excellent performance with a sufficient level of protection using only IPS Software Blade protections.
  • Recommended_Protection - provides the best security with a sufficient level of performance using only IPS Software Blade protections.
  • IPS-1_Recommended_Protection - provides a sufficient level of protection using both IPS Software Blade and IPS-1 Sensor protections.

Application Control protections are not activated by default in any of the pre-defined profiles.

Default Protection

The Default Protection profile is defined with these parameters:

  • IPS Mode: Prevent
  • IPS Policy: All Signature protections with Very Low Performance Impact are activated
  • Updates Policy: Protections downloaded using Online Updates are set to Prevent.

Recommended Protection

The Recommended Protection profile is defined with these parameters:

  • IPS Mode: Prevent
  • IPS Policy: All Signature and Protocol Anomaly protections with Low Severity and Medium or higher Confidence-level are activated, excluding protections with Critical Performance Impact.
  • Updates Policy: Protections downloaded using Online Updates are set to Detect.

IPS-1 Recommended Protection

The IPS-1 Recommended Protection profile is defined with these parameters:

  • IPS Mode: Prevent
  • IPS Policy: All Signature and Protocol Anomaly protections with Low Severity and Medium-low or higher Confidence-level are activated, excluding protections with Critical Performance Impact.
  • Updates Policy: Protections downloaded using Online Updates are set to Detect.

Advanced IPS Protection

For organizations particularly focused on network security, IPS allows you to customize profiles that will meet the needs of your organization.

Ideally, you might want to set all IPS protections to Prevent in order to protect against all potential threats. However, to allow your gateway processes to focus on handling the most important traffic and to report on only the most concerning threats, you will need to determine the most effective way to apply the IPS protections.

By making a few policy decisions, you can create an IPS Policy which activates only the protections that you need and prevents only the attacks that most threaten your network.

To apply protections based on an IPS Policy, create a new profile and select Activate protections according to IPS Policy in the IPS Policy page.

Changing the Assigned Profile

To assign an IPS profile:

  1. Select IPS > Enforcing Gateways.

    This page lists all gateways with the IPS Software Blade enabled.

  2. Select a gateway and click Edit.
  3. In Assign IPS Profile, select the profile that you want to assign to this gateway.

    The gateway will begin enforcing the protections according to the assigned profile after you install the policy.

Recommendations for Initial Deployment

In addition to choosing a level of IPS Protection, we recommend that you use certain IPS settings for your initial deployment of IPS.

Once you are satisfied with the protection and performance of IPS, you can change the system's settings to focus on the attacks that concern you the most.

Troubleshooting

It is recommended to enable Detect-Only for Troubleshooting on the profile during the initial installation of IPS. This option overrides any protections that are set to Prevent so that they will not block any traffic. During this time you can analyze the alerts that IPS generates to see how IPS will handle network traffic, while avoiding any impact on the flow of traffic. Once you have used this information to customize the IPS protections to suit your needs, disable Detect-Only for Troubleshooting to allow IPS protections set to Prevent to block identified traffic on the gateways.

Protect Internal Hosts Only

IPS is designed to detect attacks threatening the internal network, as well as those which may originate from the internal network. However, most organizations' primary concern is the traffic that enters their internal networks. In the initial deployment, it is recommended to set the enforcing gateways' Protection Scope to only protect internal hosts. This focuses the gateway's inspection efforts on traffic that may directly threaten the internal network.

For information on Protection Scope, see Gateway Protection Scope.

Bypass Under Load

To make it easier to integrate IPS into an environment, the Bypass Under Load feature disengages IPS activities during times of heavy network usage. While the bypass is in effect, IPS allows traffic to pass through the gateway without inspection. IPS resumes inspection once the high traffic levels have been reduced.

Because this feature creates a situation where IPS protections are temporarily disabled, it is recommended only to apply it during the initial deployment of IPS. After optimizing the protections and performance of your gateway, it is recommended to disable Bypass Under Load to ensure that your network is always protected against attack.

For information, see Bypass Under Load.
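
The settings in this section change what a protection set to Prevent actually does to traffic. The following is an added example, not Check Point code or output: a small Python model of that logic, with an audit for gateways that have left initial deployment. The record layout, the initial_deployment flag and the gateway names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class GatewayIps:
    """Hypothetical record of one enforcing gateway (not a Check Point export format)."""
    name: str
    profile: str
    detect_only_troubleshooting: bool
    bypass_under_load: bool
    initial_deployment: bool  # operator's own flag: still in the tuning phase?

def effective_action(configured: str, gw: GatewayIps, under_load: bool = False) -> str:
    """Action applied to traffic that matches a protection set to `configured`."""
    if configured == "Inactive":
        return "Inactive"
    if gw.bypass_under_load and under_load:
        return "Bypassed"   # IPS disengaged: traffic passes without inspection
    if gw.detect_only_troubleshooting and configured == "Prevent":
        return "Detect"     # override: alert is generated, traffic is not blocked
    return configured

def audit(gw: GatewayIps) -> List[str]:
    """Findings for settings the page recommends only for initial deployment."""
    findings = []
    if gw.initial_deployment:
        if not gw.detect_only_troubleshooting:
            findings.append("Detect-Only for Troubleshooting is off: Prevent protections block before tuning")
        return findings
    if gw.detect_only_troubleshooting:
        findings.append("Detect-Only for Troubleshooting still on: Prevent protections do not block")
    if gw.bypass_under_load:
        findings.append("Bypass Under Load still on: no inspection during heavy load")
    return findings

# Constructed sample inventory (names and values are made up).
GATEWAYS = [
    GatewayIps("gw-new", "Default_Protection", True, True, True),
    GatewayIps("gw-stale", "Recommended_Protection", True, True, False),
    GatewayIps("gw-tuned", "Recommended_Protection", False, False, False),
]

if __name__ == "__main__":
    for gw in GATEWAYS:
        print(gw.name, "Prevent ->", effective_action("Prevent", gw),
              "| under load ->", effective_action("Prevent", gw, under_load=True))
        for finding in audit(gw):
            print("  FINDING:", finding)
```
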

Installing the Policy

After preparing the IPS profiles according to your needs, apply the IPS changes to your gateway by installing the policy.

To install the policy:

  1. Select File > Save.
  2. Select Policy > Install.
  3. Click OK.
  4. Select the gateways on which the policy is to be installed, and click OK.

Your environment is now protected by Check Point IPS.

Periodically review IPS events in SmartView Tracker to see the traffic that IPS identifies as a result of your IPS configuration.

 
©2014 Check Point Software Technologies Ltd. All rights reserved.