IPS BestPractices Short v1

IPS BEST PRACTICES
Peter Elmer | Threat Prevention Solutions Expert, Europe

pelmer@checkpoint.com
November 2016
©2016 Check Point Software Technologies Ltd. [Confidential] For designated groups and individuals 1
Understanding the NGTP Engine
Maintaining the IPS Profile
Obtaining Visibility
Introduction to Check Point IPS
• Check Point IPS is working as using the NGTP Packet

Processing infrastructure.
̶ This presentation includes information about this
infrastructure. Some slides are hidden but the reader is
encouraged to study them all 
• Before enabling IPS get familiar with the health status

of your Security Gateway.
̶ The IPS functionality adds load to the system. It is
recommended to optimize the system before you enable
IPS.
The better You know Your system
the quicker You are troubleshooting it.
IPS Signature Update Mailing List
• IPS Update Advisories
Subscribe to: https://www.checkpoint.com/advisories/

Innovative Protections against Ransomware
• Blocking the outbreak of Ransomware
File Server in
Data Center
Computer infected with Ransomware

• There are various IPS enforcement elements

̶ Engine Settings
̶ Signatures
̶ Protocol Anomalies
̶ Application Controls
• Looking at a Signature
• Enable Troubleshooting Mode for a Profile
Integrating
the IPS
Integrating the Check Point IPS
Where to place the IPS functionality?
• Close to the resources You want to protect.
• Why?
̶ You want to limit...
̶ the resources used
̶ the protections enabled
̶ the number of possible events
̶ the risk of false positives and false negatives
You want to achieve a clear reporting to be quick

in following up the events.
Integrating the Check Point IPS
External API Security Management

Data Center
Systems 3 Party
rd
Service
Management
Update Service
Internet
Local Security Gateway

Data Center
Services
Protection Scope Users

Users
Maintaining the IPS Policy
Detect Learn
Revise Decide
Create a Profile
Observe what is matching
Observe Performance Impact
Decide if what you see is what you expect
Revise the Profile Definitions
Protections and Profiles
• A Profile is
̶ Including a list of protections
̶ Applied to a gateway
• Activate the protections needed for the protection

scope
• Select Protection Categories that do not apply for this

protection scope
• Use the “Follow Up” flag
• Use the “Follow Up” flag and “right click” menu
IPS Updates
• Consider to work with Database Revision Control
Remember that Revision Control is not supported

when managing VSX Gateways (sk65420)
Protections For Specific hosts
Application Intelligence
• Host objects may be flagged as a server to have

specific IPS Protections will be applied to this host
Protections for specific hosts
Web Intelligence
• HTTP Methods
Protections For Specific hosts
Application Intelligence
• Mail: POP3/IMAP
Monitoring
• Check Point Support sk43733 documents a tool to

measure the CPU resources
̶ Learn which IPS Protections are causing High CPU Load
̶ The script collects information to csv files
• In addition statistics about the Pattern Matcher can be

collected.
̶ These information can be analyzed by Check Point R&D
Monitoring and Performance Tuning
• Use SNMP to monitor the CPU and memory usage
• Extract from “IPS Best Practices Guide”

̶ Average load of the CPUs should be lower than 30%
̶ Peak load of the CPUs should not exceed 50%
̶ At least 20% of RAM should be free
Detect and Prevent Action have almost the same

performance impact.
• Consider if you need IPS Protections with

Performance Impact “Critical”.
• Best Practices for

Performance Tuning
are documented in
sk98348
IPS Reporting
IPS Reporting using R80 SmartEvent
• Flexible Reporting
NSS Labs
NGIPS Results 2016
NSS Labs NGIPS 2016
• Security Value Map
NSS Labs NGIPS 2016
Coverage by Attack Vector
NSS Labs NGIPS 2016
Concurrent TCP Connections
NSS Labs NGIPS 2016
“Real World” traffic mix performance
Performance given in the Datasheet
THANK YOU!

IPS BestPractices Short v1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IPS BestPractices Short v1

Uploaded by

Copyright:

Available Formats

IPS BEST PRACTICES

Peter Elmer | Threat Prevention Solutions Expert, Europe

• Check Point IPS is working as using the NGTP Packet

• Before enabling IPS get familiar with the health status

• IPS Update Advisories

Subscribe to: https://www.checkpoint.com/advisories/

• Blocking the outbreak of Ransomware

Computer infected with Ransomware

• There are various IPS enforcement elements

• Enable Troubleshooting Mode for a Profile

• Close to the resources You want to protect.

You want to achieve a clear reporting to be quick

External API Security Management

Local Security Gateway

Protection Scope Users

• Activate the protections needed for the protection

• Select Protection Categories that do not apply for this

• Use the “Follow Up” flag

• Use the “Follow Up” flag and “right click” menu

• Consider to work with Database Revision Control

Remember that Revision Control is not supported

• Host objects may be flagged as a server to have

• Check Point Support sk43733 documents a tool to

• In addition statistics about the Pattern Matcher can be

• Use SNMP to monitor the CPU and memory usage

• Extract from “IPS Best Practices Guide”

Detect and Prevent Action have almost the same

• Consider if you need IPS Protections with

• Best Practices for

• Security Value Map

Coverage by Attack Vector

Concurrent TCP Connections

“Real World” traffic mix performance

Performance given in the Datasheet

You might also like