Defending Against Network Intrusions

In This Section:

Overview of IPS

IPS Protection Profiles

Enabling IPS

Using IPS Profiles

Adding Network Exceptions

Browsing IPS Protections

Updating IPS Protections

Configuring Geo Protections

Overview of IPS

The Check Point IPS Software Blade analyzes traffic for possible risks to enhance the network security of your organization. The IPS detection engine has multiple defense layers, detects and prevents known threats, and often protects against future ones.

For example, IPS protects against drive-by downloads, where a user can go to a legitimate web site and unknowingly download malware. The malware can exploit a browser vulnerability that lets it create a special HTTP response that sends the malware to the client. The firewall allows the HTTP traffic from the web site, and the computer is at risk for this malware. IPS protects the computer: it can identify and then block the drive-by download connection.

For more about using the IPS Software Blade, see the R77 IPS Administration Guide.

IPS Protection Profiles

An IPS protection is a set of rules that lets you define how IPS analyzes network traffic. Create IPS profiles to easily configure one or more protections for groups of Security Gateways. You can customize the profile for the specified protections to identify specified attacks. These profiles can then be applied to the groups of Security Gateways to protect them against those attacks.

To create a new IPS protection profile:

  1. In the IPS tab, select Profiles.
  2. Click New and select Create New Profile.

    The General page of the Profile Properties window opens.

  3. Enter the Profile Name.
  4. In IPS Mode, select the default action for an IPS protection.
    • Prevent - Protections block traffic that matches the definitions.
    • Detect - Protections log traffic that matches the definitions.
  5. In Protections Activation, select if protections are enabled automatically or manually.
  6. From the navigation tree, click IPS Policy > Updates Policy.
  7. Select the default IPS Mode for new protections that are downloaded: Prevent or Detect.
  8. Click OK to create the profile.

Enabling IPS

The Enforcing Gateways page in the IPS tab shows all the Security Gateways on which the IPS Software Blade is enabled. You can enable IPS on a Security Gateway that has the Firewall Software Blade enabled.

To enable IPS on a Security Gateway:

  1. From the IPS tab, click Enforcing Gateways.

    The Enforcing Gateways page opens.

  2. Click Add.

    The Assign Profile window opens.

  3. Select a Security Gateway and click OK.

    IPS is enabled on the Security Gateway and it is shown in the Enforcing Gateways page.

  4. Install the policy.

Using IPS Profiles

The Enforcing Gateways page shows all the Security Gateways that have the IPS Software Blade enabled. From this page, you can open the Gateway Properties window and assign an IPS profile to a Security Gateway.

To assign a profile to a gateway:

  1. In the IPS tab, select Enforcing Gateways.
  2. Select a gateway and click Edit.

    The IPS page of the Gateway Properties window opens.

  3. From Assign profile, select an IPS profile.
  4. Click OK.

To show the Security Gateways for a profile:

  1. In the IPS tab, select Profiles.
  2. Select the IPS profile.
  3. Click Actions > Show Protected Gateways.

    The Protected Gateways window opens and shows the Security Gateways that are assigned to the IPS profile.

Adding Network Exceptions

You can configure exceptions for a protection with the Prevent action, so that it does not identify the specified traffic. These are some situations where it is helpful to use exceptions:

  • Traffic that is legitimate for some machines or services can match the protection criteria for malware.
  • A server that does not comply with RFC standards.

Adding an IPS Exception

To add a new exception:

  1. In the IPS tab, select Network Exceptions.
  2. Click New.

    The Add/Edit Exception Rule window opens.

  3. From Profile, select a profile or Any.
  4. From Protection, select the protections to exclude.
    • Single protection - Click Select and then select the protection.
    • All supported protections - Only protections that support the Network Exceptions feature are excluded.
  5. Define the Source and Destination, and Service for the excluded protection.
    • To use a SmartDashboard object, click Manage and then select the object.
    • To enter a value, click IP Address or Port and then enter the value.
  6. Define on which Security Gateways this exception is installed. Select one of these options:
    • All R70 gateways
    • Apply this exception and select the Security Gateway object.
  7. Click OK and then install the policy.

Browsing IPS Protections

The Protections window lets you quickly see IPS protections and shows a summary of each protection.

To browse IPS protections:

Click the IPS tab and from the navigation tree click Protections.

These columns give information about the IPS protections.

  • Protection - Name of the protection.
  • Severity - Probable severity of a successful attack on your environment.
  • Confidence Level - How confident IPS is that recognized attacks are actually undesirable traffic.
  • Performance Impact - How much this protection affects the performance of a Security Gateway.
  • Industry Reference - International CVE or CVE candidate name for attack.
  • Release Date - Date the protection was released by Check Point.
  • Follow Up - Shows if this protection is marked for Follow Up.
  • Products - Shows if this protection is enforced by IPS Software Blades.
  • Supported - Which Security Gateway versions support this protection.
  • Has an Exception - Shows if this protection has a network exception.
  • <profile_name> - There is a separate column for each IPS Profile. The cell shows the Activation setting for the protection.

Updating IPS Protections

Check Point is constantly developing and improving its protections against the latest threats. You can manually update the IPS protections and also set a schedule for when updates are automatically downloaded and installed.

Note - The Security Gateways with IPS enabled only get the updates after you install the Policy.

To show the IPS update settings:

Click the IPS tab and from the navigation tree click Download Updates.

IPS Update Options

You can use these IPS update options to easily manage new IPS protections:

  • New protections are marked for Follow Up - New protections can be automatically marked with a flag and are listed on the Follow Up page in the IPS tab. Click Configure to change these settings.
  • Use SmartDashboard Revision Control - Automatically create a database revision before the IPS protections are updated. You can revert the SmartDashboard database back to the earlier IPS protections. For more information about Database Revision Control, see the R77 Security Management Administration Guide.

Configuring Geo Protections

Geo Protection lets you control network traffic for specified countries. An IP-to-country database connects packet IP addresses to the countries. Configure one set of policies for each Profile to block or allow traffic for one or more countries. Configure a different policy that applies to the other countries. Private IP addresses are allowed unless the other side of the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management Server) are always allowed, regardless of the Geo Protection policy.

Configure the Geo Protections for each IPS Profile separately. Policies with a Block action for Specific and Other Countries are only enabled when the Profile Action is set to Prevent.

To configure Geo Protection for specified countries:

  1. Click the IPS tab and from the navigation tree click Geo Protection.

    The Geo Protection page opens.

  2. Select the IPS Profile and one of these Geo Protection Actions for this Profile:
    • Prevent - The Block actions for these countries are enabled.
    • Detect - All traffic is allowed. Traffic that matches a policy with a Block action is logged.
    • Inactive - Geo Protection is disabled.
  3. Optional: Click Exceptions and configure exceptions for the Geo Protection for this Profile.
  4. To configure new Geo Protection policies, click Add.

    The Geo Protection window opens.

    1. Click Country and select the country for this policy.
    2. Select the traffic Direction for this country.
    3. From Action, select Block or Allow.
    4. From Track, select a logging option.

      If a connection matches more than one Geo Protection policy, the first policy is logged.

    5. Click OK.
  5. Configure the Geo Protection policy for the other countries.
    1. From the drop-down menu, select Block or Allow.
    2. From Track, select a logging option.
  6. Do these steps for all the IPS Profiles.
  7. Install the policy.

    We recommend that after some days, you review the Geo Protection logs.
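The Geo Protection rules described in this section, modelled as an added example (not Check Point code and not part of the original guide), useful for predicting a verdict before you install the policy and review the logs. Assumptions: the direction labels from/to/both, the country codes AA/BB and the address ranges are constructed; a connection is blocked when either public side resolves to Block, including through the other-countries policy; the Track option is omitted.

```python
import ipaddress

# Constructed IP-to-country table; AA and BB are placeholder country codes.
GEO_DB = {"203.0.113.0/24": "AA", "198.51.100.0/24": "BB"}
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed per-country policies, in the order they are listed for the profile.
POLICIES = [
    {"country": "AA", "direction": "both", "action": "Block"},
    {"country": "BB", "direction": "from", "action": "Allow"},
]

def _in(ip, nets):
    """Return the first network in nets that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in ipaddress.ip_network(n)), None)

def side_action(ip, side, policies, other_action):
    """Action and matching policy for one end ('from' or 'to') of a connection."""
    if _in(ip, RFC1918):
        return "Allow", None              # a private side is never the reason to block
    code = GEO_DB.get(_in(ip, GEO_DB))    # None when the country is unknown
    for pol in policies:
        if pol["country"] == code and pol["direction"] in (side, "both"):
            return pol["action"], pol
    return other_action, None             # falls to the "other countries" policy

def evaluate(profile_action, policies, other_action, src, dst, control=False):
    """Return (verdict, logged): verdict is 'allow', 'block' or 'detect';
    logged is the country of the first matching policy, or None."""
    if control or profile_action == "Inactive":
        return "allow", None              # control connections are always allowed
    results = [side_action(src, "from", policies, other_action),
               side_action(dst, "to", policies, other_action)]
    matched = [p for _, p in results if p]
    # If more than one policy matches, the first one in policy order is logged.
    logged = min(matched, key=policies.index)["country"] if matched else None
    if not any(action == "Block" for action, _ in results):
        return "allow", logged
    # Block actions are enforced only in Prevent; Detect allows and logs.
    return ("block" if profile_action == "Prevent" else "detect"), logged
```

The private-range check uses an explicit RFC 1918 list because Python's `is_private` also returns True for the documentation ranges used as sample data here.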

 
©2015 Check Point Software Technologies Ltd. All rights reserved.