
The Check Point IPS Solution

In This Section:

Tour of IPS

SmartDashboard Toolbar

IPS Overview

The IPS Software Blade is integrated with the Security Gateway and analyzes traffic contents to find potential risks to your organization. This gives another layer of security on top of Check Point firewall technology. IPS protects both clients and servers, and lets you control the network usage of certain applications. The new, hybrid IPS detection engine provides multiple defense layers, which give it excellent detection and prevention capabilities for known threats and, in many cases, future attacks as well. It also allows unparalleled deployment and configuration flexibility and excellent performance.

Layers of Protection

The layers of the IPS engine include:

  • Detection and prevention of specific known exploits.
  • Detection and prevention of vulnerabilities, including both known and unknown exploit tools, for example protection from specific CVEs.
  • Detection and prevention of protocol misuse which in many cases indicates malicious activity or potential threat. Examples of commonly manipulated protocols are HTTP, SMTP, POP, and IMAP.
  • Detection and prevention of outbound malware communications.
  • Detection and prevention of tunneling attempts. These attempts may indicate data leakage or attempts to circumvent other security measures such as web filtering.
  • Detection, prevention or restriction of certain applications which, in many cases, are bandwidth consuming or may cause security threats to the network, such as Peer to Peer and Instant Messaging applications.
  • Detection and prevention of generic attack types without any pre-defined signatures, such as Malicious Code Protector.

IPS has deep coverage of dozens of protocols with thousands of protections. Check Point constantly updates the library of protections to stay ahead of emerging threats.

Capabilities of IPS

The unique capabilities of the Check Point IPS engine include:

  • Clear, simple management interface
  • Reduced management overhead by using one management console for all Check Point products
  • Integrated management with SmartDashboard.
  • Easy navigation from business-level overview to a packet capture for a single attack
  • Up to 15 Gbps throughput with optimized security, and up to 2.5 Gbps throughput with all IPS protections activated
  • #1 security coverage for Microsoft and Adobe vulnerabilities
  • Resource throttling so that high IPS activity will not impact other blade functionality
  • Complete integration with Check Point configuration and monitoring tools, such as SmartEvent, SmartView Tracker and SmartDashboard, to let you take immediate action based on IPS information

For example, some malware can be downloaded by a user unknowingly when browsing to a legitimate web site, also known as a drive-by-download. This malware can exploit a browser vulnerability by creating a special HTTP response and sending it to the client. IPS can identify and block this type of attack even though the firewall may be configured to allow the HTTP traffic to pass.

Tour of IPS

The IPS tree provides easy access to IPS features, specific protections, and expert configurations. The tree is divided into the following sections:

  • Overview: dashboard for viewing IPS status, activity and updates
  • Enforcing Gateways: list of gateways enforcing IPS protections
  • Profiles: settings for IPS profiles
  • Protections: settings for individual protections
  • Geo Protection: protection enforcement by source or destination country
  • Network Exceptions: resources that are not subject to IPS inspection
  • Download Updates: manual or automatic updates to IPS protections
  • Follow Up: protections marked for follow up action
  • Additional Settings: HTTP and HTTPS Inspection

SmartDashboard Toolbar

You can use the SmartDashboard toolbar icons to do these actions:

  • Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.
  • Save current policy and all system objects.
  • Open a policy package, which is a collection of Policies saved together with the same name.
  • Refresh policy from the Security Management Server.
  • Open the Database Revision Control window.
  • Change global properties.
  • Verify Rule Base consistency.
  • Install the policy on Security Gateways or VSX Gateways.
  • Open SmartConsole.

IPS Overview

The IPS Overview page provides quick access to the latest and most important information.

In My Organization

IPS in My Organization summarizes gateway and profile information.

The table of the configured profiles displays the following information:

  • Profile — the name of the profile
  • IPS Mode — whether the profile is set to just Detect attacks or to prevent them as well
  • Activation — the method of activating protections; either IPS Policy or Manual
  • Gateways — the number of gateways enforcing the profile

Double-clicking a profile opens the profile's Properties window.

Messages and Action Items

Messages and Action Items give quick access to:

  • Protection update information
  • Protections marked for Follow Up
  • IPS contract status
  • Links to events and reports

Security Status

Security Status provides an up-to-the-minute display of the number of Detect and Prevent events that IPS handled over a selected time period, delineated by severity. You can rebuild the chart with the latest statistics by clicking on Refresh.

Note - Security Status graphs compile data from gateways of version R70 and above.

The Average shows the average number of attacks that IPS handled in your organization over a period of the selected length.

For example, if you choose to see the status of attacks in the past 24 hours and the average of critical attacks is 45, this indicates that in your organization the average number of critical attacks during a 24-hour period is 45.

  • If the current number of attacks is much higher than the average, it may indicate a security issue that you should handle immediately. For example, if more than 500 critical attacks were handled by IPS in the past 24 hours, and the average is 45, you can see quickly that your organization has been targeted with critical attacks in a persistent manner and you should handle this urgently.
  • If the current number of attacks is much lower than the average, it may indicate an issue with IPS usage that you should troubleshoot. For example, if fewer than 10 critical attacks were handled by IPS in the past 24 hours, with an average of 45, you can see that there is a possible issue with the IPS configuration; perhaps a gateway was installed with a policy that did not include an IPS profile.
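The baseline comparison described above, as an added example in Python that is not part of Check Point's documentation or product. The 3x and one-third ratios used to decide "much higher" and "much lower" are assumptions, and the per-period counts are constructed so that the critical baseline averages 45, as in the example.

```python
from statistics import mean

# Assumed thresholds (not from the Check Point documentation): a period is
# "elevated" at 3x or more of the baseline average and "low" at one third or less.
HIGH_RATIO = 3.0
LOW_RATIO = 1.0 / 3.0


def baseline_average(history):
    """Average count per period from a list of prior-period counts."""
    if not history:
        raise ValueError("need at least one historical period")
    return mean(history)


def assess(current, average):
    """Classify this period's count against the baseline average.

    'elevated' suggests persistent targeting to handle urgently; 'low' suggests an
    IPS configuration problem such as a gateway without an IPS profile.
    """
    if average <= 0:
        return "elevated" if current > 0 else "normal"
    if current >= HIGH_RATIO * average:
        return "elevated"
    if current <= LOW_RATIO * average:
        return "low"
    return "normal"


def assess_by_severity(current_counts, history_counts):
    """Run the check per severity; returns severity -> (current, average, verdict)."""
    report = {}
    for severity, history in history_counts.items():
        avg = baseline_average(history)
        cur = current_counts.get(severity, 0)
        report[severity] = (cur, round(avg, 1), assess(cur, avg))
    return report


# Constructed sample: handled-event counts for seven prior 24-hour periods.
SAMPLE_HISTORY = {
    "Critical": [40, 50, 45, 43, 47, 44, 46],  # averages 45
    "High": [120, 110, 130, 125, 115, 120, 120],  # averages 120
}

if __name__ == "__main__":
    for label, current in (("targeted", {"Critical": 500, "High": 120}),
                           ("misconfigured", {"Critical": 9, "High": 30})):
        print(label, assess_by_severity(current, SAMPLE_HISTORY))
```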

Security Center

Security Center is a scrolling list of available protections against new vulnerabilities. The Open link next to a Security Center item takes you to the associated Check Point Advisory.

©2015 Check Point Software Technologies Ltd. All rights reserved.