Optimizing IPS - Custom Threat Prevention
IPS (Intrusion Prevention System) is a robust Software Blade on a Security Gateway that protects your network from threats by inspecting and analyzing packets and data for numerous types of risk. Implementing the recommendations in this chapter helps you maintain optimal security and performance. During the tuning process, keep in mind that Check Point bases its assessment of performance impact and severity on an industry-standard blend of traffic, which places greater weight on protocols such as HTTP, DNS, and SMTP. If your network carries high volumes of other protocols, take that into consideration when you assess the inspection impact on the gateway or the severity of risk of an attack.
Troubleshooting IPS on a Security Gateway
You can temporarily stop protections set to Prevent from blocking traffic on a Security Gateway. This is useful when you troubleshoot a network traffic issue.
In the Security Gateway object's IPS page, in the Activation Mode section, click Detect only.
All protections set to Detect then allow traffic to pass, but continue to track threats according to the Track setting. When troubleshooting is complete, restore the previous Activation Mode and install the Threat Prevention Policy so that protections block traffic again.
Managing Performance Impact
A Check Point Security Gateway performs many functions in order to secure your network. At times of high network traffic load, these security functions may weigh on the gateway's ability to quickly pass traffic. IPS includes features which balance security needs with the need to maintain high network performance.
Bypass Under Load
IPS inspection can affect connectivity and performance. Usually the time it takes to inspect packets is not noticeable, but under heavy load it can become a critical issue. To help you integrate IPS into your environment, enable Bypass Under Load on the Gateway. When the gateway's load exceeds the configured thresholds, IPS lets traffic pass through the gateway without inspection, and resumes inspection after the gateway's resources return to acceptable levels.
Best Practice - Because IPS protections are temporarily disabled while bypass is active, apply Bypass Under Load only during the initial deployment of Threat Prevention. After you optimize the protections and performance of your Gateway, disable this feature to make sure that your network is protected against attacks.
Step | Instructions |
---|---|
1 | In SmartConsole, click Gateways & Servers and double-click the Security Gateway. The gateway window opens and shows the General Properties page. |
2 | From the navigation tree, click IPS. |
3 | Select Bypass IPS inspection when gateway is under heavy load. |
4 | To set logs for activity while IPS is off, in the Track drop-down list, select a tracking method. |
5 | To configure the definition of heavy load, click Advanced. |
6 | In the High fields, provide the percentage of CPU Usage and Memory Usage that defines Heavy Load, at which point IPS inspection is bypassed. |
7 | In the Low fields, provide the percentage of CPU Usage and Memory Usage that defines a return from Heavy Load to normal load. |
8 | Click OK to close the Gateway Load Thresholds window. |
9 | Click OK. |
10 | Install the Threat Prevention Policy. |
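The High and Low values in steps 6 and 7 form a hysteresis: bypass engages when load reaches High and inspection only resumes once load has fallen back to Low, so that a gateway hovering just below the High value does not flap between bypassing and inspecting. The following Python models that state machine as an added example; it is not Check Point code. The threshold values, the sample readings, the log format, and the rule that either CPU or memory reaching High engages bypass while both must return to Low to disengage are assumptions made for the illustration, not a statement of the gateway's exact algorithm.

```python
"""Illustrate the hysteresis behind Bypass Under Load.

Added example, not Check Point code. Assumption for the illustration: the gateway
enters bypass when CPU *or* memory usage reaches the High threshold and leaves
bypass only when both fall to or below the Low threshold. Thresholds, readings
and event names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadThresholds:
    """Values as entered in the Gateway Load Thresholds window (constructed)."""
    cpu_high: int
    mem_high: int
    cpu_low: int
    mem_low: int

    def __post_init__(self):
        # A Low threshold at or above High removes the hysteresis and makes
        # bypass flap on every sample, so reject that configuration.
        if not (self.cpu_low < self.cpu_high and self.mem_low < self.mem_high):
            raise ValueError("Low thresholds must be below High thresholds")


def run_bypass_state_machine(samples, thresholds):
    """Return a list of (sample_index, cpu, mem, bypass_active, event) tuples.

    `samples` is an iterable of (cpu_percent, mem_percent) readings.
    `event` is 'bypass_on', 'bypass_off' or None; the transitions are what the
    Track setting would record while IPS inspection is off.
    """
    bypass = False
    timeline = []
    for i, (cpu, mem) in enumerate(samples):
        event = None
        if not bypass and (cpu >= thresholds.cpu_high or mem >= thresholds.mem_high):
            bypass = True
            event = "bypass_on"
        elif bypass and cpu <= thresholds.cpu_low and mem <= thresholds.mem_low:
            bypass = False
            event = "bypass_off"
        timeline.append((i, cpu, mem, bypass, event))
    return timeline


def bypass_events(timeline):
    """Only the transitions, the way a tracked log would show them."""
    return [(i, event) for i, _, _, _, event in timeline if event]


# Constructed readings: ramp-up, a spike over High, a partial recovery that stays
# above Low (inspection must NOT resume yet), then a full recovery below Low.
# With a single 90% threshold, inspection would already resume at sample 3
# (85% < 90%) and re-engage on the next spike.
SAMPLES = [(40, 50), (70, 60), (92, 65), (85, 70), (75, 55), (60, 45), (45, 40)]
THRESHOLDS = LoadThresholds(cpu_high=90, mem_high=85, cpu_low=50, mem_low=50)

if __name__ == "__main__":
    for i, cpu, mem, active, event in run_bypass_state_machine(SAMPLES, THRESHOLDS):
        state = "ON " if active else "off"
        print(f"sample {i}: cpu={cpu}% mem={mem}% bypass={state} {event or ''}")
```

Run against the constructed readings, bypass engages at sample 2 and releases only at sample 6, even though CPU is back under the High value from sample 3 onwards. That gap is the window in which traffic crosses the gateway uninspected, which is why the Track setting in step 4 matters and why the Best Practice above says to turn the feature off once tuning is done.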
Tuning Protections
IPS Policy Settings
The IPS Policy settings allow you to control the entire body of protections by making a few basic decisions. Activating a large number of protections, including those with low severity or a low confidence level, protects against a wide range of attacks, but it can also create a volume of logs and alerts that is difficult to manage. That level of security may be necessary for highly sensitive data and resources; however, it may create unintended system resource and log management challenges when applied to data and resources that do not require high security.
Best Practice - Adjust the IPS Policy settings to focus the inspection effort in the most efficient manner. Once system performance and log generation reach a comfortable level, the IPS Policy settings can be changed to include more protections and increase the level of security. Individual protections can be set to override the IPS Policy settings.
For more information on IPS Policy, see Automatically Activating Protections.
Note - A careful risk assessment should be performed before disabling any IPS protections.
Focus on High Severity Protections
IPS protections are categorized according to severity. An administrator may decide that certain attacks, those rated low severity, present minimal risk to the network environment. Consider turning on only protections with a higher severity to focus system resources and logging on defending against attacks that pose greater risk.
Focus on High Confidence Level Protections
Although IPS protections are designed with advanced methods of detecting attacks, broad protection definitions are required to detect certain attacks that are more elusive. These low confidence protections may inspect and generate logs in response to traffic that is a system anomaly or a homegrown application, not an actual attack. Consider turning on only protections with higher confidence levels to focus on protections that detect attacks with certainty.
IPS Network Exceptions can also help avoid logging non-threatening traffic, for example from a known homegrown application, without lowering the confidence threshold for the rest of the network.
Focus on Low Performance Impact Protections
IPS is designed to analyze traffic while maintaining multi-gigabit throughput. Some protections require more system resources than others to inspect traffic for attacks. Consider turning on only protections with lower performance impact to reduce the amount of system resources used by the gateway.
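The three focus areas above (severity, confidence, performance impact) are the thresholds the IPS Policy settings combine, with individual protection overrides taking precedence. The following Python models that selection so you can see, before installing policy, how many protections a given set of thresholds activates and which ones a broader setting would add. It is an added example, not Check Point code or the product's real protection catalog: the protection names, their ratings, the rating scale, and the rule that a protection is activated only when it satisfies all three thresholds unless it carries an override are constructed for the illustration.

```python
"""Apply IPS Policy-style activation criteria to a protection catalog.

Added example, not Check Point code. Assumption for the illustration: a protection
is given the policy action only if its severity and confidence are at or above
the policy minimums AND its performance impact is at or below the policy maximum;
an individual override always wins. Names and ratings are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed ordinal scale shared by all three ratings.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Protection:
    name: str
    severity: str            # Low / Medium / High / Critical
    confidence: str          # Low / Medium / High
    performance_impact: str  # Low / Medium / High / Critical
    override: Optional[str] = None  # "Prevent", "Detect", "Inactive" or None


@dataclass(frozen=True)
class PolicySettings:
    """The 'few basic decisions' the IPS Policy settings let you make."""
    min_severity: str
    min_confidence: str
    max_performance_impact: str
    action: str = "Prevent"


def resolve_action(p: Protection, policy: PolicySettings) -> str:
    """Return the action applied to one protection under the given policy."""
    if p.override is not None:        # per-protection override beats the policy
        return p.override
    meets = (
        LEVELS[p.severity] >= LEVELS[policy.min_severity]
        and LEVELS[p.confidence] >= LEVELS[policy.min_confidence]
        and LEVELS[p.performance_impact] <= LEVELS[policy.max_performance_impact]
    )
    return policy.action if meets else "Inactive"


def activation_report(catalog, policy):
    """Map each protection name to its resolved action, plus a count per action."""
    actions = {p.name: resolve_action(p, policy) for p in catalog}
    counts = {}
    for action in actions.values():
        counts[action] = counts.get(action, 0) + 1
    return actions, counts


# Constructed catalog; the names are illustrative, not real protection names.
CATALOG = [
    Protection("Example-Remote-Code-Exec", "Critical", "High", "Low"),
    Protection("Example-Broad-Anomaly", "Medium", "Low", "Low"),       # low confidence: noisy
    Protection("Example-Deep-Parser", "High", "High", "Critical"),      # heavy inspection
    Protection("Example-Info-Leak", "Low", "High", "Low"),             # low severity
    Protection("Example-Legacy-Protocol", "Low", "Medium", "Low", override="Detect"),
]

# Initial deployment: focus on what is severe, certain and cheap to inspect.
INITIAL = PolicySettings("Medium", "Medium", "Medium")
# After tuning: accept more noise and more load in exchange for more coverage,
# while still leaving the most expensive protection inactive.
BROADENED = PolicySettings("Low", "Low", "High")

if __name__ == "__main__":
    for label, policy in (("initial", INITIAL), ("broadened", BROADENED)):
        actions, counts = activation_report(CATALOG, policy)
        print(f"{label}: {counts}")
        for name, action in actions.items():
            print(f"  {action:8} {name}")
```

With the constructed catalog, the initial settings activate one protection in Prevent and leave three Inactive; the broadened settings raise that to three in Prevent. In both runs the overridden protection stays in Detect regardless of its low severity, and the Critical-impact parser stays Inactive until the performance-impact ceiling is raised further, which is the point of tuning the ceiling separately from severity and confidence.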