Optimizing IPS - Custom Threat Prevention
During the tuning process, keep in mind that Check Point assesses performance impact and threat severity based on an industry-standard mix of network traffic, with greater emphasis on common protocols such as HTTP, DNS, and SMTP. If your network carries significant volumes of other protocols, take this into account when evaluating both the inspection impact on the Security Gateway and the severity of risk posed by potential attacks, because the published ratings may not match what your traffic actually produces.
Troubleshooting IPS on a Security Gateway
When troubleshooting network traffic issues, you can temporarily stop IPS protections from blocking traffic on a Security Gateway configured in Prevent mode.
To do this:
In SmartConsole > Gateways & Servers view, right-click the required Security Gateway and select Edit.
From the left navigation tree, select IPS.
In the Activation Mode section, click Detect only.
Click OK and install the Threat Prevention policy.
This sets all IPS protections to Detect only. The Security Gateway allows traffic to pass, while tracking and logging threats according to the Track setting in the Threat Prevention policy. Because nothing is blocked in this state, switch the gateway back to Prevent as soon as the troubleshooting is finished, and use the Detect-only logs to identify the specific protection that caused the problem rather than leaving the whole blade in Detect.
Managing Performance Impact
A Check Point Security Gateway secures your network using multiple inspection functions. During periods of high network traffic load, these security functions may limit the Security Gateway's ability to quickly pass traffic. IPS includes features that balance security needs with maintaining high network performance.
Adaptive IPS
Adaptive IPS allows you to configure your Security Gateway to temporarily disable some or all of the IPS protections during periods of heavy network usage. While IPS inspection usually has minimal impact on connectivity and performance, under heavy load it can become a critical issue. When you enable Adaptive IPS, the Security Gateway may allow traffic to bypass IPS inspection, automatically resuming IPS protections after the Security Gateway's resources return to normal levels. Traffic that passes during a bypass window is not inspected at all, so keep the bypass logged (see the Track field below) and treat sustained or frequent bypass events as a security finding, not only as a capacity one.
| Step | Instructions |
|---|---|
| 1 | In SmartConsole, go to the Gateways & Servers view and double-click the relevant Security Gateway. The Security Gateway object editor opens in the General Properties page. |
| 2 | In the left navigation panel, click IPS. |
| 3 | Go to IPS functionality when the gateway is under heavy load, and select one of the listed options. |
| 4 | Set the Track field, which controls how bypassed protections are logged. |
| 5 | Click OK. |
| 6 | Install the Threat Prevention Policy. |
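To make the bypass-and-resume behaviour concrete, here is an added Python model of how a load-triggered bypass with hysteresis behaves. It is example code written for this page, not Check Point's implementation: the CPU thresholds, the requirement that load stay over the threshold for several consecutive samples, and the sample series are all assumptions chosen to show why a single load spike should not flip inspection off and why the resume threshold sits below the bypass threshold.

```python
"""Hysteresis model of an Adaptive-IPS-style bypass under load.
Thresholds, sampling and the CPU series are constructed for illustration;
nothing here reads a real gateway."""
from dataclasses import dataclass, field


@dataclass
class BypassController:
    high_cpu: int = 90          # assumed: enter bypass at or above this load
    low_cpu: int = 70           # assumed: resume inspection at or below this
    sustain: int = 3            # consecutive samples required before switching
    bypassing: bool = False
    events: list = field(default_factory=list)   # (sample_no, event, cpu)
    _over: int = 0
    _under: int = 0

    def observe(self, sample_no: int, cpu_pct: int) -> bool:
        """Feed one load sample; return True if IPS is bypassed for it."""
        if not self.bypassing:
            # Need `sustain` samples in a row above high_cpu: one spike is ignored.
            self._over = self._over + 1 if cpu_pct >= self.high_cpu else 0
            if self._over >= self.sustain:
                self.bypassing, self._over = True, 0
                self.events.append((sample_no, "bypass_start", cpu_pct))
        else:
            # Resume only once load has settled below the *lower* watermark,
            # so the gateway does not oscillate around a single threshold.
            self._under = self._under + 1 if cpu_pct <= self.low_cpu else 0
            if self._under >= self.sustain:
                self.bypassing, self._under = False, 0
                self.events.append((sample_no, "bypass_end", cpu_pct))
        return self.bypassing


def run_adaptive_ips(samples, high=90, low=70, sustain=3):
    """Run a CPU sample series through the controller.
    Returns (events, number_of_samples_during_which_traffic_was_uninspected)."""
    ctl = BypassController(high_cpu=high, low_cpu=low, sustain=sustain)
    uninspected = sum(1 for i, cpu in enumerate(samples) if ctl.observe(i, cpu))
    return ctl.events, uninspected


# Constructed series: sustained overload followed by recovery.
SUSTAINED_LOAD = [40, 95, 96, 97, 92, 85, 60, 65, 62, 50]
# Constructed series: isolated spikes that never persist.
SPIKY_LOAD = [40, 95, 40, 95, 40, 95, 40]

if __name__ == "__main__":
    ev, n = run_adaptive_ips(SUSTAINED_LOAD)
    print("sustained:", ev, f"{n} samples uninspected")
    ev, n = run_adaptive_ips(SPIKY_LOAD)
    print("spiky:", ev, f"{n} samples uninspected")
```

The events list is what the Track setting on the gateway exists for: every bypass_start and bypass_end is a window in which the gateway passed traffic it did not inspect, and it should land in your SIEM with the same weight as a Detect-only period.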
Tuning Protections
IPS Policy Settings
The IPS Policy settings allow you to control the entire body of protections by making a few basic decisions. Activating a large number of protections, including those with low severity or a low confidence level, protects against a wide range of attacks, but it can also create a volume of logs and alerts that is difficult to manage. That level of security may be necessary for highly sensitive data and resources; however it may create unintended system resource and log management challenges when applied to data and resources that do not require high security.
| Best Practice - Adjust the IPS Policy settings to focus the inspection effort in the most efficient manner. Once system performance and log generation reaches a comfortable level, the IPS Policy settings can be changed to include more protections and increase the level of security. Individual protections can be set to override the IPS Policy settings. |
For more information on IPS Policy, see Automatically Activating Protections.
| Note - A careful risk assessment should be performed before disabling any IPS protections. |
Focus on High Severity Protections
IPS protections are categorized according to severity. You may decide that certain attacks present minimal risk to a network environment; these are the low severity attacks. Consider turning on only protections with a higher severity to focus the system resources and logging on defending against attacks that pose greater risk.
Focus on High Confidence Level Protections
Although the IPS protections are designed with advanced methods of detecting attacks, broad protection definitions are required to detect certain attacks that are more elusive. These low confidence protections may inspect and generate logs in response to traffic that is a system anomaly or a homegrown application rather than an actual attack. Consider turning on only protections with higher confidence levels to focus on protections that detect attacks with greater certainty.
IPS Network Exceptions can also be helpful to avoid logging non-threatening traffic.
Focus on Low Performance Impact Protections
IPS is designed to provide analysis of traffic while maintaining multi-gigabit throughput. Some protections require more system resources than others to inspect traffic for attacks. Consider turning on only protections with lower performance impact to reduce the amount of system resources used by the Security Gateway.
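The three "Focus on" recommendations above, the per-protection overrides mentioned under IPS Policy Settings, and the Network Exceptions all act on the same decision: which protections are active, and which of their hits actually produce a log. The following added Python example (written for this page, not Check Point code) models that decision end to end so you can see how tightening or loosening the thresholds changes both the active set and the log volume. The protection catalogue, the ordinal scales, the profile names, the events and the 10.0.5.0/24 exception are all constructed for the example.

```python
"""Model of IPS policy-settings tuning: activate protections by severity,
confidence and performance-impact thresholds, honour per-protection
overrides, then drop log hits covered by a network exception.
All names, scales and sample data are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Ordinal scales (assumed for the example; only the ordering matters).
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
CONFIDENCE = {"Low": 1, "Medium": 2, "High": 3}
PERF_IMPACT = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


@dataclass(frozen=True)
class Protection:
    name: str
    severity: str
    confidence: str
    perf_impact: str


@dataclass(frozen=True)
class PolicyProfile:
    min_severity: str
    min_confidence: str
    max_perf_impact: str
    action: str = "Prevent"


def resolve_protections(catalogue, profile, overrides=None):
    """Return {protection name: action} for every protection that the profile
    thresholds or an explicit override activate. Overrides beat the profile in
    both directions: force a protection on, or set it Inactive."""
    overrides = overrides or {}
    active = {}
    for p in catalogue:
        if p.name in overrides:
            if overrides[p.name] != "Inactive":
                active[p.name] = overrides[p.name]
            continue
        if (SEVERITY[p.severity] >= SEVERITY[profile.min_severity]
                and CONFIDENCE[p.confidence] >= CONFIDENCE[profile.min_confidence]
                and PERF_IMPACT[p.perf_impact] <= PERF_IMPACT[profile.max_perf_impact]):
            active[p.name] = profile.action
    return active


def filter_events(events, active, exceptions=()):
    """Keep only hits that would be logged: the protection must be active and
    no (network, protection) exception may cover the source address."""
    nets = [(ipaddress.ip_network(net), prot) for net, prot in exceptions]
    logged = []
    for ev in events:
        if ev["protection"] not in active:
            continue
        src = ipaddress.ip_address(ev["src"])
        if any(src in net and prot in (ev["protection"], "*") for net, prot in nets):
            continue
        logged.append({**ev, "action": active[ev["protection"]]})
    return logged


# Constructed catalogue: (name, severity, confidence, performance impact).
CATALOGUE = [
    Protection("SQL Injection", "High", "High", "Low"),
    Protection("Suspicious HTTP header", "Low", "Low", "Low"),
    Protection("Protocol anomaly (homegrown)", "Medium", "Low", "Medium"),
    Protection("RCE in XYZ", "Critical", "High", "High"),
    Protection("Scanner fingerprint", "Low", "Medium", "Very Low"),
    Protection("Mail relay attempt", "Medium", "High", "Medium"),
]
# Per-protection overrides: keep the heavy RCE check despite its impact,
# and silence a protection the mail team has asked to handle elsewhere.
OVERRIDES = {"RCE in XYZ": "Prevent", "Mail relay attempt": "Inactive"}
# Network exception: the internal vulnerability scanner trips SQL Injection.
EXCEPTIONS = [("10.0.5.0/24", "SQL Injection")]
STRICT_PROFILE = PolicyProfile("Medium", "Medium", "Medium")
BROAD_PROFILE = PolicyProfile("Low", "Low", "Critical")

# Constructed hits as the gateway would see them before logging.
EVENTS = [
    {"src": "10.0.5.7", "protection": "SQL Injection"},
    {"src": "203.0.113.9", "protection": "SQL Injection"},
    {"src": "203.0.113.9", "protection": "Suspicious HTTP header"},
    {"src": "198.51.100.4", "protection": "RCE in XYZ"},
    {"src": "198.51.100.4", "protection": "Mail relay attempt"},
    {"src": "203.0.113.9", "protection": "Scanner fingerprint"},
    {"src": "10.0.5.7", "protection": "Protocol anomaly (homegrown)"},
]


def tuning_report(profile):
    """Resolve the active set for a profile and the hits it would log."""
    active = resolve_protections(CATALOGUE, profile, OVERRIDES)
    return active, filter_events(EVENTS, active, EXCEPTIONS)


if __name__ == "__main__":
    for label, prof in (("strict", STRICT_PROFILE), ("broad", BROAD_PROFILE)):
        active, logged = tuning_report(prof)
        print(f"{label}: {len(active)} active, {len(logged)} logged ->",
              sorted(active), [e["protection"] for e in logged])
```

Running it shows the trade-off the section describes: the strict profile activates two protections and logs two hits, the broad profile activates five and logs five, and the only difference in what actually matters (the SQL injection and RCE hits from external addresses) is none. Start from the strict side, confirm the critical hits still appear, then widen the thresholds until the log volume is something the SOC can keep up with.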