Advanced IPS

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties
Preface

Training Blades and Certification

Two ways to extend CCSA / CCSE for one year:

1. Take and pass any 2 Training Blades (for example AppControl + Introduction to IPS), OR
2. Attend and pass 1 instructor-led class (based on a 2 day course)

Certification Renewal Examples

CCSA Certification – Extension Options:
• Application Control Training Blade
• DLP Training Blade
• Introduction to IPS Training Blade
• All ILT
• CCSA exam

CCSE Certification – Extension Options:
• Advanced GAiA ILT
• Advanced IPS ILT
• SmartConsole Managed VSX ILT
• P1 Managed VSX ILT
• Endpoint ILT
• CCSE exam

Check Point Advanced IPS

Key Course Elements

• In-depth review of IPS technology
• Overview of IPS intrusion prevention architecture
• Best practices implementation and usage of IPS software blade
• IPS fine-tuning instructions
• Basic IPS troubleshooting tips

Advanced IPS Course Chapters

1. IPS Management
2. IPS Monitoring
3. IPS Architecture
4. IPS Tuning
5. IPS Debugging

Lab Topology

Check Point 3D Security

• Policies that support business needs and transform security into a business process
• Security that involves People in policy definition, education and incident remediation
• Enforce, consolidate and control all layers of security: network, data, application, content and user

Check Point 3D Security

• Security is a process
– A network is never 100% secure
– IT security policy must be transparent
– Challenges to IT involve security, deployment, management, and compliance
– Security products are tools to avoid risk

Check Point 3D Security

IT security best practices:

1. Perform a risk assessment
2. Develop and enforce a policy
3. Address known vulnerabilities
4. Control and monitor devices
5. Conduct audits

IPS Management


Learning Objectives

• Configure the IPS Blade
• Test IPS Functionality


Check Point IPS Overview

• IPS is another layer of defense
– Analyzes traffic contents for risk
– Protects both clients and servers
– Controls network usage of certain applications


Check Point IPS Overview

• Check Point IPS can be deployed in two ways:
– IPS Software Blade
– IPS-1 Sensor


Check Point IPS Overview

• The layers of IPS engine protection include the detection and prevention of:
– Known exploits
– Vulnerabilities
– Protocol misuse
– Outbound malware communication
– Tunneling attempts
– Certain Applications
– Generic attack types


Check Point IPS Overview

• IPS Capabilities
– Simple management interface
– Reduced management
– Unified control
– Easy navigation
– Gbps throughput
– #1 security coverage for Microsoft and Adobe
– Resource throttling
– Complete integration with Check Point tools


Check Point IPS Overview

• IPS Example
– Malware can be downloaded by a user unknowingly when browsing to a legitimate web site, also known as a drive-by-download.
– The malware may exploit a browser vulnerability by creating a special HTTP response and sending it to the client.
– IPS can identify and block this type of attack even though the firewall may be configured to allow the HTTP traffic to pass.


IPS in SmartDashboard


IPS in My Organization


IPS in My Organization


Security Status


Security Status

• If the current number of attacks is much higher than the average:
– This may indicate a security issue that you should handle immediately.
– For example, if more than 500 critical attacks were handled by IPS in the past 24 hours
– And the average is 45
– Your organization has been targeted with critical persistent attacks
– This should be handled urgently.


Security Status

• If the current number of attacks is much lower than the average:
– This may indicate an issue with IPS usage that you should troubleshoot.
– For example, if less than 10 critical attacks were handled by IPS in the past 24 hours
– With the average of 45
– There is a possible issue with IPS configuration
– Perhaps a gateway was installed with a policy that didn't include an IPS profile.


Security Center


IPS Profiles

• IPS profiles enable you to configure sets of protections for groups of gateways.
• Without profiles you would have to configure IPS in a global policy for all your devices and network behavior, or configure each device separately.
• With profiles, you have both customization and efficiency.
• Each profile defines the IPS policy, which is the activation mode of each protection - detect or prevent - and the policy for automatic activation.


IPS Profiles

• A Profile is a container for the IPS policy
• A Profile can be shared between multiple gateways
• A gateway can only have one Profile
• All protections and most settings are included in a profile – across all engines
• During policy compilation the management will assign the correct set of protections and settings to the specific engine


Protection Types

• IPS provides for both Client and Server protections:
– Client protections — Protections that mainly look for malicious data in the stream from the server to the client. Protects the OS and applications on the client.
– Server protections — Protections that mainly look for malicious data in the stream from the client to the server. Protects the OS and applications on the server.


Creating Profiles

• When you create a profile, you create a new SmartDashboard object.
• Protections can be activated, deactivated or given specific settings to allow the profile to focus on identifying certain attacks.
• The profiles can then be applied to groups of devices that need to be protected against those certain attacks.


Creating Profiles

• To create a profile:
1. In the IPS tab, select Profiles.
2. Click New and choose an option.
3. Configure the General Properties.
4. Select IPS Policy.
5. Click OK to create the profile.


Predefined Profiles

• Check Point IPS blade provides two out-of-the-box, pre-defined profiles that immediately enforce IPS protection in your environment:
– Default_Protection
– Recommended_Protection
• Users can deploy these IPS Profiles as their IPS policy, or as a starting point in their IPS definitions, then move the Profile to the associated Security Gateways.


Settings for Predefined Profiles


IPS Mode

• IPS Mode determines the default action of IPS protections:
– Detect – detects and tracks traffic events identified as a threat
– Prevent – detects, tracks and blocks traffic identified as a threat
• Detect mode is typically used to passively monitor traffic and to test new protections, configurations or profile changes.


Severity

• The severity is assigned by the following criteria:
– Public opinion of attack
– How high SANS, CVSS, and Snort rate the severity of the exploit
– Vendor ratings (Adobe, Microsoft)
– Check Point’s rating
– Each vulnerability includes a severity rating according to the vendor
– Result/impact of attack:
  – Intrusion
  – Remote code execution
  – DoS - restart, shutdown, crash, memory leak
  – Information leak - P2P
  – Resource abuse


Severity (cont.)

• Ease of post-attack recovery
• Randomness of attack
  – The probability of the attack being generated maliciously as opposed to innocently
• Attack's spreading capabilities (worms)
• Locality of attack (system-wide, local application, etc.)
• Type/popularity of attack
  – An attack affecting a widespread application will receive a higher severity
• Frequency of attack


Confidence Level

• For every event that traverses the gateway, IPS calculates the likelihood that the event is indeed an attack.
– Low: likely or known false positive
– High: likely to indicate an attack
• Between these two are:
– Medium-Low
– Medium
– Medium-High


Performance Impact

• The Performance Impact of a protection is based on its impact on the entire enforcement module performance.
• The performance impact is derived from the complexity of the protection:
– how much inspection/protocol decoding is required
– how much traffic is inspected due to the nature of the protocol (for example: HTTP - lots of traffic, Telnet - little traffic).


Performance Impact (cont.)

• The impact of executing a single protection over HTTP and of 500 protections over HTTP is almost the same.


Protocol Anomalies

• Protocol anomaly protections compare traffic to the protocol standard.
• An invalid bind ack is an example of a protocol standard violation.


Category

• The IPS protections are grouped into 3 main categories which are further divided into sub-categories. The main categories are:
– Network Security
– Application Security
– Web Intelligence


Updating Policy

• The update policy defines the protection mode (Detect/Prevent) of new protections.
• New protections are automatically downloaded and deployed according to the IPS Profile policy.
• IPS can be configured to automatically download and push new signatures as per the IPS Profile.
• With the Update Policy, customers can also configure all newly downloaded protections to be deployed in Detect or Prevent mode.


Network Exceptions

• Network exceptions allow customers to create legitimate exceptions to their defined IPS policy.
• For example:
– A typical IPS policy will block network scanning.
– If customers want to regularly run a network scanner, they create an IPS network exception to allow the scan to run from a specific IP address.


Profile Workflow

• This is the recommended workflow while defining a new profile, or while tuning a pre-defined profile:
1. Set detection mode
2. Choose what assets to protect
3. Deactivate risky protections
4. Set your update policy
5. Tune protections manually


Automatically Activating Protections

• To simplify the management of the IPS protection settings, a profile can be configured to automatically enable protections based on user-defined criteria.
• When the IPS Policy activates a protection, the protection will enforce the action set in the IPS Mode, either Detect or Prevent.
• In some instances a protection will be set to Detect if it meets the criteria to be set to Inactive, but does not support the Inactive status.


Automatically Activating Protections (cont.)

• There are numerous protections available in IPS.
• Some are easily configured for basic security without going too deeply into the details of the threat and the protection.
• Many protections can be safely activated automatically.
• It is recommended that you allow IPS to activate protections according to the IPS policy in the beginning. Then you can manually modify the protection settings as needed according to your monitored traffic.


Automatically Activating Protections (cont.)

• In the Protections to Deactivate area, select the relevant criteria and then select the value that fits:
– Protections have severity
– Protections have confidence level
– Protections have performance impact
– Protocol Anomalies


Protection Browser


Customizing the Protection Browser View

• To change which columns are visible:
1. Click View > Customize.
2. The Customize window opens.
3. Any column you do not want to appear, move to the Available fields list; any you do want to see, let them remain in the Visible fields list.
4. Click OK.


Filtering Protections

• Use the Protections page for filtering the complete protections list. You can filter by:
– Protection name
– CVE number
– Any information type that is displayed in the columns.


Sorting Protections

• Filtering by information type has a drawback: you have to know valid values for the information. To sort the protections list by information:
– Click the column header of the information that you want.
– For example, to see protections ordered by Severity, beginning with Critical, click the Severity column header.
– You can sort the list with multiple criteria: first sort by criterion A and then by criterion B.


Sorting Protections

• For example, if you want to see protections marked for Follow Up, but you want to start with the most critical protections, sort by Follow Up and by Severity.
• To sort by multiple values:
1. Click View > Sort.
2. Choose the column headers by which you want to sort the list and then click OK.


Exporting Protections List

• To enable administrators to analyze protections in alternative applications, you can export the Protections list as a comma-delimited file.
• The exported information includes all protections, with all table fields regardless of any applied sorting or filtering.
• To export the Protections list:
1. Click View > Export View.
2. In the Save As dialog box provide a filename and click Save.


Protection Parameters

• Most protections have graded parameters, provided to help you decide which protections to activate for security and which can be safely deactivated, for connectivity and performance.


Explanation of Protection Parameters


Explanation of Protection Parameters by Type


Protection Mode

• Each protection has a mode, which determines whether IPS inspects packets for this protection, and if so, what it does if the packet matches a threat symptom:
– Inactive
– Active
– Prevent
– Detect


IPS Updates

• Check Point is constantly working to improve its protections and develop protections to protect against the latest threats.
• You can update your IPS protections manually at any time.
• You can also download and install updates with a schedule.
• You must re-install the security policy on the Enforcing Gateways after running an update before the gateways will receive the updates.


Configure Update Options

• Before downloading the latest protections, configure the following options:
– Mark new protections for follow-up
– Enter proxy server information
– Apply Revision Control automatically
– Check for new updates - SmartDashboard


Updating IPS Manually

• You can immediately update IPS with real-time information on attacks and all the latest protections from the IPS website.
• You can only manually update IPS if a proxy is defined in Internet Explorer settings.
• To obtain updates of all the latest protections from the IPS website:
1. Configure the settings for the proxy server in Internet Explorer: in Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN Settings. The LAN Settings window opens. Select Use a proxy server for your LAN, configure the IP address and port number for the proxy server, and click OK.
2. In the IPS tab, select Download Updates and click Update Now. If you chose to automatically mark new protections for Follow Up, you have the option to open the Follow Up page directly to see the new protections.


Scheduling IPS Updates


Scheduling IPS Updates

• New protections can be enabled as Detect or Prevent, per profile.
• A downloaded protection will always be considered as new.
• Only existing built-in protections will honor the main Detect/Prevent settings.
• If you set the Update Policy setting to Detect, you must manually change protections to Prevent to enforce the protection.
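As an added example (not Check Point's code), here is how the rules from the Updating Policy and Automatically Activating Protections slides and this one combine into one effective mode per protection: the Protections to Deactivate criteria, the Detect fallback for protections that cannot be Inactive, the profile's main IPS Mode for existing protections, the Update Policy mode for newly downloaded ones, and manual tuning overriding all of them. The severity and performance-impact scales, the field names and the at-or-below / at-or-above reading of the criteria are assumptions made for this example.

```python
"""Resolve the effective mode of each IPS protection under a profile.

The rules come from the course slides; the attribute scales, field names and
the 'at or below / at or above' reading of the deactivation criteria are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Graded scales, lowest first. The five confidence values are the ones on the
# slides; the severity and performance-impact scales are assumed.
SEVERITY = ["Low", "Medium", "High", "Critical"]
CONFIDENCE = ["Low", "Medium-Low", "Medium", "Medium-High", "High"]
PERF_IMPACT = ["Very Low", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Profile:
    ips_mode: str                      # default action: "Detect" or "Prevent"
    update_policy: str                 # mode given to newly downloaded protections
    deactivate_severity_at_or_below: Optional[str] = None
    deactivate_confidence_at_or_below: Optional[str] = None
    deactivate_perf_impact_at_or_above: Optional[str] = None
    deactivate_protocol_anomalies: bool = False


@dataclass(frozen=True)
class Protection:
    name: str
    severity: str
    confidence: str
    perf_impact: str
    protocol_anomaly: bool = False
    supports_inactive: bool = True     # some protections cannot be set Inactive
    is_new: bool = False               # downloaded by an IPS update
    manual_mode: Optional[str] = None  # "Inactive"/"Detect"/"Prevent" set by hand


def _rank(scale: List[str], value: str) -> int:
    if value not in scale:
        raise ValueError(f"unknown value {value!r}; expected one of {scale}")
    return scale.index(value)


def meets_deactivation_criteria(profile: Profile, p: Protection) -> bool:
    """True when any 'Protections to Deactivate' criterion of the profile matches."""
    sev, conf, perf = (profile.deactivate_severity_at_or_below,
                       profile.deactivate_confidence_at_or_below,
                       profile.deactivate_perf_impact_at_or_above)
    if sev is not None and _rank(SEVERITY, p.severity) <= _rank(SEVERITY, sev):
        return True
    if conf is not None and _rank(CONFIDENCE, p.confidence) <= _rank(CONFIDENCE, conf):
        return True
    if perf is not None and _rank(PERF_IMPACT, p.perf_impact) >= _rank(PERF_IMPACT, perf):
        return True
    return profile.deactivate_protocol_anomalies and p.protocol_anomaly


def effective_mode(profile: Profile, p: Protection) -> str:
    """Return "Inactive", "Detect" or "Prevent" for one protection."""
    if p.manual_mode is not None:      # manual tuning overrides the automatic policy
        return p.manual_mode
    if meets_deactivation_criteria(profile, p):
        # A protection that meets the criteria for Inactive but does not
        # support that status is set to Detect instead.
        return "Inactive" if p.supports_inactive else "Detect"
    # Newly downloaded protections take the Update Policy mode; only existing
    # protections honor the profile's main IPS Mode.
    return profile.update_policy if p.is_new else profile.ips_mode


def resolve_profile(profile: Profile, protections: Iterable[Protection]) -> Dict[str, str]:
    return {p.name: effective_mode(profile, p) for p in protections}


# Constructed sample: a Prevent profile that stages new protections in Detect
# and deactivates low-confidence and high-performance-impact protections.
SAMPLE_PROFILE = Profile(
    ips_mode="Prevent",
    update_policy="Detect",
    deactivate_confidence_at_or_below="Medium-Low",
    deactivate_perf_impact_at_or_above="High",
)

SAMPLE_PROTECTIONS = [
    Protection("Existing-Critical-Exploit", "Critical", "High", "Low"),
    Protection("New-Critical-Exploit", "Critical", "High", "Low", is_new=True),
    Protection("Low-Confidence-Signature", "High", "Medium-Low", "Low"),
    Protection("Heavy-Decoder", "Medium", "High", "Critical"),
    Protection("Cannot-Be-Inactive", "Low", "Low", "Medium", supports_inactive=False),
    Protection("Hand-Tuned", "Low", "Low", "Medium", manual_mode="Prevent"),
]

if __name__ == "__main__":
    for name, mode in resolve_profile(SAMPLE_PROFILE, SAMPLE_PROTECTIONS).items():
        print(f"{name:26s} {mode}")
```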


Offline Update


Network Exceptions

• For most signature protections, exceptions are checked after the first tier of the pattern matcher.
• For most Application Control and Protocol Anomaly protections, exceptions are checked first.
• To apply the Network Exceptions to a pattern, add them to the new protection converted from the relevant pattern.
• Check Point components can use non-standard HTTP and SSL ports to communicate. Implied exceptions exclude this traffic from IPS inspection.


Network Exceptions


Network Exceptions - Performance

• Signature protections:
– Adding many exceptions does not have a performance impact – most traffic does not make it through the first tier of the pattern matcher (PM)
– Adding exceptions does not help when you are having a performance issue
• Application Control and Protocol Anomalies:
– Adding many exceptions can have a small performance impact
– Adding exceptions can help to fix performance issues
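The evaluation order above as an added example, not Check Point's code: a toy engine in which the signature protection consults exceptions only after tier 1 of the pattern matcher has run, while the Application Control / Protocol Anomaly protection consults them first. The engine, the two protections, the scanner exception and the traffic are all constructed; running the same traffic with and without the exceptions shows tier-1 work unchanged for the signature but decoder work reduced for the anomaly protection.

```python
"""Where IPS network exceptions are evaluated, by protection type (toy model).

Signature protections consult exceptions only after tier 1 of the pattern
matcher has run; Application Control and Protocol Anomaly protections check
exceptions before any inspection. Engine, protections and traffic are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Connection:
    src: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class NetworkException:
    """Skip `protection` for traffic whose source address is inside `src_net`."""
    protection: str
    src_net: str

    def matches(self, c: Connection) -> bool:
        return ip_address(c.src) in ip_network(self.src_net)

@dataclass(frozen=True)
class Signature:
    name: str
    tier1: bytes                         # cheap first-tier pattern
    tier2: Callable[[bytes], bool]       # full confirmation after a tier-1 hit

@dataclass(frozen=True)
class Anomaly:
    name: str                            # Protocol Anomaly / Application Control style
    check: Callable[[Connection], bool]  # protocol decoding plus the anomaly test

class Engine:
    def __init__(self, signatures, anomalies, exceptions):
        self.signatures, self.anomalies, self.exceptions = signatures, anomalies, exceptions
        self.work = {"tier1": 0, "tier2": 0, "decoder": 0}   # how often each stage ran

    def _excepted(self, protection: str, c: Connection) -> bool:
        return any(e.protection == protection and e.matches(c) for e in self.exceptions)

    def inspect(self, c: Connection) -> List[str]:
        """Return the names of the protections that match the connection."""
        hits = []
        for s in self.signatures:
            # Tier 1 runs for every connection; the exception is consulted only
            # for the minority of traffic that gets past it.
            self.work["tier1"] += 1
            if s.tier1 not in c.payload or self._excepted(s.name, c):
                continue
            self.work["tier2"] += 1
            if s.tier2(c.payload):
                hits.append(s.name)
        for a in self.anomalies:
            # Exception first: excepted traffic never reaches the decoder.
            if self._excepted(a.name, c):
                continue
            self.work["decoder"] += 1
            if a.check(c):
                hits.append(a.name)
        return hits

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

# Constructed protections: a banner signature for a hypothetical in-house
# scanner, and an HTTP request-method anomaly check.
SIGNATURES = [Signature("Scanner-Banner", b"NetScan", lambda p: p.startswith(b"NetScan/"))]
ANOMALIES = [Anomaly("HTTP-Unknown-Method",
                     lambda c: c.dport == 80 and c.payload.split(b" ", 1)[0] not in HTTP_METHODS)]

# The slides' example: the organisation's own scanner network is excepted.
EXCEPTIONS = [NetworkException("Scanner-Banner", "10.0.0.0/24"),
              NetworkException("HTTP-Unknown-Method", "10.0.0.0/24")]

# Constructed traffic: the scanner, an outside host sending the same probe,
# a normal web request and an SMTP session.
TRAFFIC = [
    Connection("10.0.0.5", 80, b"NetScan/2.1 / HTTP/1.0\r\n"),
    Connection("192.0.2.10", 80, b"NetScan/2.1 / HTTP/1.0\r\n"),
    Connection("192.0.2.11", 80, b"GET /index.html HTTP/1.1\r\n"),
    Connection("192.0.2.12", 25, b"EHLO mail.example\r\n"),
]

def run(exceptions: List[NetworkException]) -> Tuple[Dict[str, List[str]], Dict[str, int]]:
    """Inspect TRAFFIC with the given exceptions; return hits per source and stage counts."""
    engine = Engine(SIGNATURES, ANOMALIES, exceptions)
    hits = {c.src: engine.inspect(c) for c in TRAFFIC}
    return hits, engine.work
```

Calling run([]) and run(EXCEPTIONS) gives the same tier-1 count (4) in both cases, but the decoder count drops from 4 to 3 once the scanner is excepted.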


Tracking Protections Using Follow Up

• The Follow Up mark provides monitoring features for IPS protections:
– one-stop page for protections to monitor
– quick view of protection parameters
– easy access to newly updated protections.
• You can mark individual protections for Follow Up, allowing you to quickly review them.


Tracking Protections Using Follow Up


Geo Protection

• Geo Protection allows you to control traffic by country.
• You can define a policy to block or allow traffic to or from specific countries, and a policy that applies to all other countries.
• To operate Geo Protection, you are required to have:
– A valid IPS contract.
– A Software Blade license for each Security Gateway that enforces Geo Protection, and for the Security Management Server.


Geo Protection


Bypass Under Load

• You have the option to temporarily stop IPS inspection on a gateway if it comes under heavy load.
– Use the Bypass Under Load mechanism to automatically disable the IPS in the unlikely event of high load (be careful!)
– When the CPU or memory usage exceeds a certain threshold, IPS inspection will be disabled until the low thresholds are reached.


Bypass Under Load



Review Questions

1. What ways can IPS be deployed?
– IPS Software Blade
– IPS-1 Sensor



Review Questions

2. If your IPS Security Status shows lower than average attacks, this may indicate what?
– An issue with IPS configuration.



Review Questions

3. What are the IPS blade predefined profiles?
– Default_Protection – excellent performance, with basic protection.
– Recommended_Protection – excellent security, with good performance.


Lab Practice

• Lab 1: Deploying IPS
• Lab 2: Deploying Geo Protection In IPS

IPS Monitoring


Learning Objectives

• Test the Default_Protection Profile
• Define a New Profile
• Identify Attacks with SmartEvent Viewer


IPS Event Analysis

• IPS Event Analysis provides tools for translating IPS logs into a complete picture of your security.
• By automating the aggregation and correlation of raw log data, IPS Event Analysis minimizes the amount of data that needs to be reviewed and isolates and prioritizes the real security threats.
• These threats may not have been otherwise detected when viewed in isolation, but pattern anomalies appear when data is correlated over time.
• With IPS Event Analysis, you can focus on understanding the impact on your business and concentrate on mitigating the threats that pose the greatest risks.


Scalable, Distributed Architecture

• IPS Event Analysis delivers a flexible, scalable platform capable of managing millions of logs per day per correlation unit.
• IPS Event Analysis can be installed on a single server but has the flexibility to spread processing load across multiple correlation units and reduce network load.


Easy Deployment

• IPS Event Analysis is preconfigured for tight integration.
• It interfaces with existing Security Management log servers.
• All objects defined in the Security Management server are automatically accessed and used by the IPS Event Analysis server.
• An enterprise can install and have IPS Event Analysis detecting threats in hours.


Event Investigation Tracking

• IPS Event Analysis enables administrators to investigate threats using flexible data queries which are presented in timelines or charts.
• Once suspect traffic is identified, actions taken to resolve the threats are tracked using work tickets, allowing you to keep a record of progress made using statuses and comments.
• Daily or weekly events reports can be distributed automatically for incident management and decision support.

IPS Event Analysis Architecture


Data Analysis and Event Identifications

• The Correlation Unit is responsible for analyzing the log entries and identifying events. The Correlation Unit does one of the following:
– Marks log entries that by themselves are not events, but may be part of a larger pattern to be identified.
– Takes a log entry that meets one of the criteria set in the Events Policy and generates an event.
– Takes a log entry that is part of a group of items that depict a security event together.
– Discards all log entries that do not meet event criteria.
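The four dispositions above as an added example, not Check Point's code: a minimal Correlation Unit with a constructed Events Policy (a Critical log is an event by itself; three Network-Scan logs from one source within five minutes are grouped into one event) run over constructed log entries. The log fields, the rules and the thresholds are assumptions made for this example.

```python
"""A minimal Correlation Unit over constructed IPS log entries.

Single entries that meet an Events Policy criterion become events at once;
entries that may be part of a larger pattern are marked and held; when enough
marked entries from one source arrive inside the window they are grouped into
one event; everything else is discarded. Fields, rules and samples are
constructed for this example, not Check Point's formats.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LogEntry:
    time: datetime
    src: str
    protection: str
    severity: str
    action: str            # "Detect" or "Prevent"


@dataclass
class Event:
    name: str
    src: str
    logs: List[LogEntry]


@dataclass(frozen=True)
class EventsPolicy:
    single_severity: str = "Critical"         # one such log is an event by itself
    pattern_protection: str = "Network-Scan"  # repeated logs that depict an event together
    pattern_threshold: int = 3
    pattern_window: timedelta = timedelta(minutes=5)


class CorrelationUnit:
    def __init__(self, policy: EventsPolicy):
        self.policy = policy
        self.events: List[Event] = []
        # marked (candidate) entries per (source, protection) that are not yet an event
        self._marked: Dict[Tuple[str, str], List[LogEntry]] = defaultdict(list)

    def process(self, log: LogEntry) -> str:
        """Return the disposition: 'event', 'grouped', 'marked' or 'discarded'."""
        p = self.policy
        if log.severity == p.single_severity:
            self.events.append(Event(f"{log.protection} ({log.severity})", log.src, [log]))
            return "event"
        if log.protection == p.pattern_protection:
            key = (log.src, log.protection)
            # keep only candidates still inside the correlation window
            window = [m for m in self._marked[key] if log.time - m.time <= p.pattern_window]
            window.append(log)
            if len(window) >= p.pattern_threshold:
                self.events.append(Event(f"Repeated {log.protection}", log.src, window))
                self._marked[key] = []
                return "grouped"
            self._marked[key] = window
            return "marked"
        return "discarded"


def correlate(policy: EventsPolicy, logs: List[LogEntry]) -> Tuple[List[Event], List[str]]:
    """Feed logs in time order; return the events and each log's disposition."""
    unit = CorrelationUnit(policy)
    dispositions = [unit.process(log) for log in sorted(logs, key=lambda l: l.time)]
    return unit.events, dispositions


# Constructed sample log entries.
T0 = datetime(2012, 1, 1, 9, 0)
SAMPLE_LOGS = [
    LogEntry(T0, "192.0.2.10", "Network-Scan", "Medium", "Detect"),
    LogEntry(T0 + timedelta(minutes=1), "192.0.2.10", "Network-Scan", "Medium", "Detect"),
    LogEntry(T0 + timedelta(minutes=2), "198.51.100.7", "HTTP-Unknown-Method", "Low", "Detect"),
    LogEntry(T0 + timedelta(minutes=3), "192.0.2.10", "Network-Scan", "Medium", "Detect"),
    LogEntry(T0 + timedelta(minutes=4), "203.0.113.4", "Browser-Exploit-Attempt", "Critical", "Prevent"),
    LogEntry(T0 + timedelta(minutes=20), "192.0.2.10", "Network-Scan", "Medium", "Detect"),
]

if __name__ == "__main__":
    events, dispositions = correlate(EventsPolicy(), SAMPLE_LOGS)
    for log, d in zip(sorted(SAMPLE_LOGS, key=lambda l: l.time), dispositions):
        print(f"{log.time:%H:%M} {log.src:14s} {log.protection:24s} -> {d}")
    for e in events:
        print(f"EVENT {e.name} from {e.src} ({len(e.logs)} log entries)")
```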


IPS Event Analysis Client

 The IPS Event Analysis client provide the tools necessary for
configuring definitions which will recognize security-related
issues in the network infrastructure.

 What can I do with the IPS Event Analysis client?


– Real-time Monitoring
– Event Investigation
– Resolution Tracking
– Security Status Reporting

97

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 87
IPS Monitoring

SmartEvent

98

IPS Monitoring

IPS Event Analysis Client Tools – Overview Tab

99

IPS Monitoring

IPS Event Analysis Client Tools – Events Tab

99

IPS Monitoring

IPS Event Analysis Client Tools – Timeline Tab

100

IPS Monitoring

IPS Event Analysis Client Tools – Charts Tab

100

IPS Monitoring

IPS Event Analysis Client Tools – Maps Tab

101

IPS Monitoring

IPS Event Analysis Client Tools – Reports Tab

101

IPS Monitoring

Review Questions

1. What are the major components in IPS Event Analysis Architecture?

103
IPS Monitoring

Review Questions

1. What are the major components in IPS Event Analysis Architecture?
– IPS Event Correlation Unit - analyses log entries on log servers.
– IPS Event Analysis Server - contains the Events Database.
– IPS Event Analysis Client - manages IPS Event Analysis.

103
IPS Monitoring

Review Questions

2. What can you do with the IPS Event Analysis Client?

103

IPS Monitoring

Review Questions

2. What can you do with the IPS Event Analysis Client?
– Real-time monitoring
– Event investigation
– Resolution tracking
– Security status reporting

103
IPS Monitoring

Lab Practice

 Lab 3: Using Profiles in IPS

105

IPS Architecture

121

IPS Architecture

Learning Objectives

 Download and install IPS Protections
 Use the IPS follow-up protection review process
 Enable and test IPS Troubleshooting Mode
 Modify and test the Bypass Under Load settings

122
IPS Architecture

Key IPS Architecture Design Elements

 Secure
 Fast Performance
 Accurate
 Reliable
 Updatable
 Application Aware
 Granular Control

123
IPS Architecture

Key IPS Architecture Design Elements

 Secure
– 0-day threat prevention
– Malicious code detection
– Anomalous behavior detection
– Anomalous protocol detection
– Command injection attack detection
– Phishing attack detection

123

IPS Architecture

Key IPS Architecture Design Elements

 Fast performance
– Fast no matter how enabled
– Fast no matter how security intensive

123

IPS Architecture

Key IPS Architecture Design Elements

 Accurate
– Distinguish false positives

123

IPS Architecture

Key IPS Architecture Design Elements

 Reliable
– Predictable solution
– Try in passive mode
– Tune for prevention
– Maintain connectivity

123

IPS Architecture

Key IPS Architecture Design Elements

 Updatable
– Evolving solution
– Identify changing genres of attacks
– Real-time threat protection updates

124

IPS Architecture

Key IPS Architecture Design Elements

 Application Aware
– Peer applications can transfer company confidential
data
– Enforce company policy on applications

124

IPS Architecture

Key IPS Architecture Design Elements

 Granular Control
– Setting network exceptions
– Forensic tool access

124

IPS Architecture

Performance – Accelerated Integrated IPS

 When a packet reaches the Security Gateway:
– The Firewall checks the security policy to confirm the connection is allowed
– The packet is accelerated and the connection is offloaded to SecureXL
– SecureXL can be implemented at the hardware layer using network processors
– SecureXL can be implemented at the virtualized software layer on open servers

124
IPS Architecture

Performance – Accelerated Integrated IPS

125

IPS Architecture

Secure – Multi-threat Detection Engine

126

IPS Architecture

Passive Streaming Library

 Passive Streaming Library (PSL) technology:
– Ensures only valid packets are allowed to the destination
– The PSL layer can receive packets from the firewall chain and the SecureXL module
– PSL serves as middle-man between security applications and network packets
– PSL reassembles TCP packets into a protocol message for inspection
– Prevents TCP-level evasion tricks that would bypass inspection

126
IPS Architecture

Unified Streaming

 Applications get streamed data from the PSL layer
 PSL makes sure packets are in order and continuous data is available
 If the application decides a packet is malicious, PSL terminates the connection
 PSL can also work in non-streaming mode
 Non-streaming mode is used to inspect UDP connections
 To debug PSL:
– fw ctl zdebug + tcpstr
 To debug Unified Streaming:
– fw ctl zdebug + spii

127
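The reassembly-then-verdict loop that the PSL and Unified Streaming slides above describe, as an added example in Python (not Check Point code and not the PSL implementation): segments that arrive ahead of a gap are held until the gap fills, bytes already delivered are dropped when retransmitted, the ordered stream is handed to an inspector, and the connection is terminated when the inspector says so. The `Segment`, `StreamReassembler` and `traversal_inspector` names, the buffer limit and the sample HTTP request are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int       # TCP sequence number of the first payload byte
    data: bytes


class StreamReassembler:
    """Reorders TCP segments and hands contiguous bytes to an inspector.

    The inspector receives the stream assembled so far and returns True to let
    the connection continue or False to terminate it. (Keeping the whole stream
    is for illustration; a real engine keeps parser state instead.)"""

    def __init__(self, isn, inspector, max_buffered=65536):
        self.next_seq = isn          # next byte the application has not yet seen
        self.inspector = inspector
        self.max_buffered = max_buffered
        self.pending = {}            # seq -> payload of segments that arrived before a gap was filled
        self.stream = bytearray()    # bytes delivered in order
        self.terminated = False

    def push(self, seg):
        """Returns 'delivered', 'held', 'duplicate', 'buffer-full', 'terminated' or 'dropped'."""
        if self.terminated:
            return "dropped"
        if seg.seq + len(seg.data) <= self.next_seq:
            return "duplicate"       # pure retransmission of bytes already inspected
        if seg.seq > self.next_seq:
            if sum(map(len, self.pending.values())) + len(seg.data) > self.max_buffered:
                return "buffer-full"  # resource cap so out-of-order data cannot grow unbounded
            self.pending[seg.seq] = seg.data
            return "held"
        # starts at or before next_seq: trim any overlap with bytes already delivered
        self._append(seg.data[self.next_seq - seg.seq:])
        # release held segments that the new bytes have made contiguous
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            self._append(self.pending.pop(s)[self.next_seq - s:])
        if not self.inspector(bytes(self.stream)):
            self.terminated = True
            return "terminated"
        return "delivered"

    def _append(self, data):
        self.stream += data
        self.next_seq += len(data)


def traversal_inspector(stream):
    """Constructed inspector: reject a stream once a directory-traversal sequence appears."""
    return b"../../" not in stream


def run_sample():
    """Constructed request split into three segments that arrive out of order, then a retransmit."""
    a = Segment(1000, b"GET /img/..")
    b = Segment(1011, b"/../")
    c = Segment(1015, b"x.png HTTP/1.0\r\n")
    r = StreamReassembler(isn=1000, inspector=traversal_inspector)
    verdicts = [r.push(s) for s in (a, c, b, a)]
    return verdicts, bytes(r.stream)
```

The signature in `traversal_inspector` is split across segments `a` and `b`, and `c` arrives before `b`; a check of any single segment never sees `../../`, which is the kind of evasion the streaming layer removes by inspecting the ordered stream instead of packets.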
IPS Architecture

ASPII

 Accelerated Stateful Protocol Inspection Infrastructure
 The infrastructure that manages which protections run on which connection:
– Fully supports running from SXL context
– Manages Policy - which protection is Detect Only

127
IPS Architecture

ASPII

 Example: list of protections for this connection
1. Detect BitTorrent
2. Detect Skype
3. Detect...
4. Block Malformed HTTP Connections
.
.
.
37. Block Malformed JPEG

 To debug ASPII: fw ctl zdebug + aspii

128
IPS Architecture

Protocol Parsers

 The Protocol Parsers:
– Ensure compliance with protocol standards
– Detect anomalies
– Assemble data for further inspection
– Include HTTP, SMTP, DNS, IMAP, Citrix, etc.
– Are the heart of the IPS system

128
IPS Architecture

Protocol Parsers

128

IPS Architecture

Context Management Infrastructure

 The Context Management Infrastructure (CMI):
– Is the brain of the IPS engine
– Coordinates the different components
– Decides which protections should run
– Decides the final action to be performed
– Issues the event log

129
IPS Architecture

Context Management Infrastructure

 When a protection is activated, the CMI is responsible for the final action, considering:
– Activation status of the protection
– Exceptions on traffic or protection
– Bypass mode status
– Troubleshooting mode status
– Protecting the internal network only, or all traffic

129
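One way to model the decision described above (and the Detect-Only policy the ASPII slide mentions), as an added example in Python, not Check Point code: a function that takes a matched protection's activation status together with the gateway's network exceptions, bypass state, troubleshooting state and protection scope, and returns the final action with the reason. The precedence order, the data classes and the sample addresses are assumptions for this example; the slide lists the inputs the CMI weighs but not the order in which it applies them.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Protection:
    name: str
    activation: str          # "Prevent", "Detect" or "Inactive" (activation status in the profile)


@dataclass
class GatewayState:
    protect_internal_only: bool = False            # protection scope: internal hosts only, or all traffic
    internal_networks: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)  # (network, protection name or "*" for all protections)
    bypass_engaged: bool = False                    # Bypass Under Load currently active
    troubleshooting_mode: bool = False              # every Prevent behaves as Detect


def _in_any(addr, networks):
    return any(ip_address(addr) in ip_network(n) for n in networks)


def final_action(prot, gw, src, dst):
    """Return (action, reason) for one protection that matched a connection src -> dst.

    Precedence is an assumption made for illustration: inactive, then bypass,
    then scope, then exceptions, then the Detect/Prevent decision."""
    if prot.activation == "Inactive":
        return "Accept", "protection is inactive in the profile"
    if gw.bypass_engaged:
        return "Accept", "bypass under load is engaged"
    if gw.protect_internal_only and not _in_any(dst, gw.internal_networks):
        return "Accept", "destination is outside the protected internal networks"
    for net, name in gw.exceptions:
        if name in ("*", prot.name) and (_in_any(src, [net]) or _in_any(dst, [net])):
            return "Accept", f"network exception {net} for {name}"
    if prot.activation == "Detect":
        return "Detect", "protection set to Detect"
    if gw.troubleshooting_mode:
        return "Detect", "troubleshooting mode downgrades Prevent to Detect"
    return "Prevent", "protection set to Prevent"


def demo():
    """Constructed scenarios showing how each input changes the outcome."""
    prot = Protection("HTTP Header Overflow", "Prevent")
    base = GatewayState(internal_networks=["10.0.0.0/8"], exceptions=[("192.0.2.0/24", "*")])
    internal_only = GatewayState(protect_internal_only=True, internal_networks=["10.0.0.0/8"])
    return {
        "normal": final_action(prot, base, "198.51.100.9", "10.1.1.5")[0],
        "exception": final_action(prot, base, "192.0.2.7", "10.1.1.5")[0],
        "outbound_internal_only": final_action(prot, internal_only, "10.1.1.5", "203.0.113.4")[0],
        "inbound_internal_only": final_action(prot, internal_only, "203.0.113.4", "10.1.1.5")[0],
        "troubleshooting": final_action(prot, GatewayState(troubleshooting_mode=True), "198.51.100.9", "10.1.1.5")[0],
        "bypass": final_action(prot, GatewayState(bypass_engaged=True), "198.51.100.9", "10.1.1.5")[0],
        "detect_only": final_action(Protection("SMTP Unexpected Command", "Detect"), base, "198.51.100.9", "10.1.1.5")[0],
    }
```

The scenarios in `demo()` are the ones a tuning session keeps running into: the same Prevent protection ends as Accept under an exception, under bypass, or for outbound traffic once the scope is internal-only, and as Detect while troubleshooting mode is on, so a "why did this not block" question is usually answered by one of these inputs rather than by the signature.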
IPS Architecture

Context Management Infrastructure

 When a protocol parser recognizes a context, it notifies the CMI.
 The CMI then executes all relevant protections (signatures and inspect handlers) for this context.
 A “first tier” scan is introduced to improve performance:
 Execute an Aho-Corasick algorithm on the context – a fast search for the longest simple string that represents the protection.
 Only protections that were matched by the Aho-Corasick scan are executed. This is the “second tier” - inspect code/RX.
 The CMI informs the parser of the results of the execution.

130
IPS Architecture

Pattern Matcher

 The Pattern Matcher:
– Is the fundamental engine in the new enforcement architecture
– Identifies harmless packets
– Identifies common signatures in malicious packets
– Does 2nd-level analysis to reduce false positives

 Two-tier inspection process:
– The 1st tier filters out the majority of harmless traffic by looking for signatures
– If a common attack signature is identified, the connection is passed to the 2nd tier

131
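The two-tier scan described on the CMI slide above and on this one, as an added example in Python (not Check Point code): a small Aho-Corasick matcher finds, in one pass over the context, every protection whose simple string occurs; only those candidates then get their more expensive second-tier regular expression. The protection names, their strings and regexes, and the sample HTTP contexts are constructed for this example.

```python
import re
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher over bytes: one pass reports every simple string present."""

    def __init__(self, patterns):
        # patterns: {protection name: simple byte string}
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for name, pat in patterns.items():
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].add(name)
        # breadth-first construction of failure links (longest proper suffix that is also a prefix)
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, data):
        """Return the set of protection names whose simple string occurs in data."""
        node, hits = 0, set()
        for b in data:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits |= self.out[node]
        return hits


# Constructed protection definitions (names, strings and regexes are illustrative, not Check Point's).
# First tier: the simple string the Aho-Corasick pass looks for. Second tier: the regex that confirms it.
PROTECTIONS = {
    "HTTP Directory Traversal":   (b"../",   re.compile(rb"(\.\./){2,}")),
    "HTTP Oversized Host Header": (b"Host:", re.compile(rb"Host:[^\r\n]{256,}")),
    "HTTP Null Byte in URI":      (b"%00",   re.compile(rb"^[A-Z]+ \S*%00", re.M)),
}

FIRST_TIER = AhoCorasick({name: simple for name, (simple, _) in PROTECTIONS.items()})

# Constructed HTTP request contexts a parser might hand to the CMI.
SAMPLE_CONTEXTS = {
    "clean":     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "traversal": b"GET /img/../../etc/x HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "no_host":   b"GET /ok HTTP/1.0\r\n\r\n",
}


def inspect_context(context):
    """First tier over the whole context, then the second tier only for the candidates."""
    candidates = FIRST_TIER.search(context)
    confirmed = {name for name in candidates if PROTECTIONS[name][1].search(context)}
    return {"first_tier": candidates, "confirmed": confirmed, "second_tier_runs": len(candidates)}
```

`second_tier_runs` shows where the saving comes from: the clean request costs one regex (its `Host:` header is a candidate that the second tier then rejects), the request with no candidate string costs none, and the first-tier pass costs the same single sweep however many protections are loaded.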
IPS Architecture

Compound Signature Identification

 Compound Signature Identification (CSI):
– Sophisticated signature inspections
– Application identification
– Matches signatures from multiple parts of traffic
– Addresses signatures on multiple parts of a packet, protocol, or connection

131
IPS Architecture

Compound Signature Identification

132

IPS Architecture

INSPECTv2

 INSPECT:
– Provides a scalable, open approach to generic traffic analysis

 INSPECTv2 extends it to improve performance:
– Increases the ease of writing new protections
– Meets complex parsing requirements
– Offers many programming-language tools for writing protections
– Loops, conditions, states, calculations, etc.
– Accelerated across multiple CoreXL cores

132
IPS Architecture

How the Architecture Runs IPS

133-134

IPS Architecture

Review Questions

1. What is the role of the Passive Streaming Library?

137

IPS Architecture

Review Questions

1. What is the role of the Passive Streaming Library?
– Reassemble TCP packets into an ordered protocol message to allow inspection.

137
IPS Architecture

Review Questions

2. What do the Protocol Parsers do?

137

IPS Architecture

Review Questions

2. What do the Protocol Parsers do?
– Ensure compliance with well-defined protocol standards, in order to detect anomalies.

137
IPS Architecture

Lab Practice

 Lab 4: Manually Updating IPS Protections (Optional)
 Lab 5: IPS Troubleshooting Features

137

IPS Tuning

175
IPS Tuning

Learning Objectives

 Configure Protection Engine Settings
 Identify Top Events and Protections
 Modify Protections to defend against common attacks
 Debug the logging mechanism

176
IPS Tuning

Managing Performance Impact

 A Check Point Security Gateway performs many functions to secure your network.
 At times of high network traffic load, security functions may impact the gateway's ability to quickly pass traffic.
 IPS includes features which balance security needs with the need to maintain high network performance.

177
IPS Tuning

Gateway Protection Scope

 By default, gateways inspect inbound and outbound traffic for threats.
 This behavior protects the network from threats originating outside the network and from within your network.
 Changing this setting to protect only internal hosts will improve the performance of your gateway.

177
IPS Tuning

Gateway Protection Scope

177

IPS Tuning

Gateway Protection Scope

178

IPS Tuning

Web Protection Scope

 Allows the administrator to choose to apply a protection only to traffic associated with specific servers.
 Limits the inspection activities for that protection to only the traffic which is most likely to be subjected to an attack.
 For example:
– HTTP protections should be applied only to servers or clients involved in HTTP traffic.
– Web Intelligence can be tuned for greater Web server security at the expense of connectivity and performance, or vice versa.

178
IPS Tuning

Bypass Under Load

179

IPS Tuning

Cluster Failover Management

180

IPS Tuning

Tuning Protections

 IPS profiles allow you to apply all of the protections as a group to specific gateways.
 It is recommended to create separate profiles for different gateway location types.
– For example, the group of gateways at the perimeter should have a separate profile from the group of gateways protecting the data centers.
 Because newer versions include some features that are not supported by older gateways (or have a different effect there), it is recommended to apply different profiles for current gateways and for older gateways.

180-181
IPS Tuning

IPS Policy Settings

 IPS Policy settings allow you to control the entire body of protections with a few basic decisions.
 Activating a large number of protections, including those with low severity or a low confidence level, protects against a wide range of attacks, but can also create a volume of logs and alerts that is difficult to manage.
 This level of security may be necessary for highly sensitive data and resources; however, it can create system resource and log management challenges when applied to data and resources that do not require high security.

181
IPS Tuning

IPS Policy Settings

 It is recommended to adjust the IPS Policy settings to focus the inspection effort in the most efficient manner.
 Once system performance and log generation reach a comfortable level, the IPS Policy settings can be changed to include more protections and increase the level of security.
 Individual protections can be set to override the IPS Policy settings.
 A careful risk assessment should be performed before disabling any IPS protections.

181
IPS Tuning

Focus on High Severity Protections

 IPS protections are categorized according to severity.
 An administrator may decide that certain attacks present minimal risk to a network environment (also known as low severity attacks).
 Consider turning on only protections with a higher severity to focus the system resources and logging on defending against attacks that pose greater risk.

181
IPS Tuning

Focus on High Confidence Level Protections

 Broad protection definitions are required to detect certain attacks that are elusive.
 These low confidence protections can inspect and generate logs in response to traffic that is a system anomaly or a homegrown application, not an actual attack.
 Consider turning on only protections with higher confidence levels to focus on protections that detect attacks with certainty.
 IPS Network Exceptions can also be helpful to avoid logging non-threatening traffic.

181
IPS Tuning

Focus on Low Performance Impact Protections

 IPS is designed to provide analysis of traffic while maintaining multi-gigabit throughput.
 Some protections may require more system resources to inspect traffic for attacks.
 Consider turning on only protections with lower impact to reduce the amount of system resources used by the gateway.

182
IPS Tuning

Enhancing System Performance

 Check Point offers Performance Pack to improve gateway performance.
 For SecurePlatform and Gaia gateways running on multi-core hardware, installing CoreXL on the gateway will allow the gateway to leverage the multiple cores to more efficiently handle network traffic.

182
IPS Tuning

Configure Servers

 Protections for some hosts, such as DNS Servers, Web Servers and Mail Servers, require additional configuration.
 Making sure these hosts are properly configured for IPS allows for more accurate alerting and improved performance.

182
IPS Tuning

DNS Servers

182

IPS Tuning

Web Servers

 The Web protocol protections prevent attacks that use web protocols and vulnerabilities to:
– Damage your network
– Use your network resources to attack other networks.
 Web servers require special protection from these attacks.

183
IPS Tuning

Mail Servers

 The Mail protocol protections prevent improper POP3, IMAP and SMTP traffic from damaging your network.

184
IPS Tuning

Servers to Check

 Servers to check/configure for IPS, if they are in your network:
– DNS servers
– SMTP servers
– Web servers
– CA servers
– Exchange servers
– SNMP servers
– Trend servers
– Veritas servers
– And more...

184
IPS Tuning

Engine Settings

185

IPS Tuning

Example – MS-RPC

185

IPS Tuning

Example – MS-RPC

186

IPS Tuning

Review Questions

1. On the Gateway, you have a choice of protecting internal hosts only, or performing IPS inspection on all traffic. Why would you choose to protect internal hosts only?

187
IPS Tuning

Review Questions

1. On the Gateway, you have a choice of protecting internal hosts only, or performing IPS inspection on all traffic. Why would you choose to protect internal hosts only?
– To improve Gateway performance.

187
IPS Tuning

Review Questions

2. What do IPS profiles allow you to do?

187

IPS Tuning

Review Questions

2. What do IPS profiles allow you to do?
– Apply protections as a group to specific gateways.

187
IPS Tuning

Lab Practice

 Lab 6: Tuning IPS Performance

189

IPS Debugging

219

IPS Debugging

Learning Objectives

 Use debug to gather IPS statistics
 Use tcpdump to identify the source of an attack
 Modify protections to prevent the attack source
 View Security Gateway messages

220
IPS Debugging

IPS Debug Tools

 Tools most often used:
– SmartView Tracker (logs)
– Packet Capture
– Kernel Debug

221
IPS Debugging

SmartView Tracker

221

IPS Debugging

SmartView Tracker

 SmartDashboard allows you to customize your tracking settings for each Rule Base
– by specifying per rule whether or not to track the events that match it.
 To track events that match a rule, choose from a variety of tracking options, based on the information's urgency.
 For example, you can choose:
– Standard log
– Account log
– Alert

221-222
IPS Debugging

SmartView Tracker

 The gateways on which this Policy is installed collect data as specified in the Policy, and forward the logs to the Security Management server (and/or to Log Servers, depending on their settings).
 The logs are organized in files according to the order in which they arrived at the Security Management server.
 All new logs are saved to the fw.log file, except for audit (management-related) logs, which are saved to the fw.adtlog file.
 The Security Management server makes these logs available for inspection via SmartView Tracker.
 The Security Management server also performs the operations specified in the Policy for events matching certain rules (e.g., issuing an alert, sending email, running a user-defined script, etc.).

222
IPS Debugging

SmartView Tracker

 Other tracking and auditing capabilities:
– SmartView Monitor allows you to manage, view and test the status of various Check Point components throughout the system, as well as to generate reports on traffic on interfaces, specific Check Point products, and other Check Point system counters.
– SmartReporter allows you to save consolidated records (as opposed to "raw" logs) and conveniently focus on events of interest.

222
IPS Debugging

Tracking Network Traffic

 SmartView Tracker can track daily network traffic and activity logged by any Check Point or OPSEC Partner log-generating product.
 Network administrators can use the log information for:
– Detecting and monitoring security-related events.
– Collecting information about problematic issues.
– Statistical purposes such as analyzing network traffic patterns.

222
IPS Debugging

Log Suppression

 SmartView Tracker efficiently presents the logs that are generated from Check Point products.
 To avoid displaying log entries for frequently repeating events, SmartView Tracker displays the first instance of the event, then counts subsequent instances which occur in the next two minutes.
 For as long as the event continues to occur, every two minutes SmartView Tracker shows a Log Suppression Report containing the details of the event as well as the number of times the event occurred.

223
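The suppression rule above as an added example in Python (not Check Point code): a small state machine that shows the first instance of an event, counts repeats for a two-minute window, and emits a suppression report with the count each time the event continues past a window. The event key (source plus protection), the row formats, the rule that a quiet window followed by a new instance starts over with a full log row, and the sample entries are assumptions for this example.

```python
from dataclasses import dataclass, field

# Constructed sample entries: one event repeating for several minutes, one seen once.
SAMPLE_LOGS = [
    {"time": 0,   "src": "10.1.1.7", "protection": "SMTP Unexpected Command"},
    {"time": 5,   "src": "10.1.1.7", "protection": "SMTP Unexpected Command"},
    {"time": 30,  "src": "10.1.1.7", "protection": "SMTP Unexpected Command"},
    {"time": 40,  "src": "10.1.1.9", "protection": "DNS Malformed Query"},
    {"time": 100, "src": "10.1.1.7", "protection": "SMTP Unexpected Command"},
    {"time": 130, "src": "10.1.1.7", "protection": "SMTP Unexpected Command"},
    {"time": 200, "src": "10.1.1.7", "protection": "SMTP Unexpected Command"},
    {"time": 250, "src": "10.1.1.7", "protection": "SMTP Unexpected Command"},
]


@dataclass
class SuppressedView:
    """Rows a viewer would show: the first instance, then periodic suppression reports."""
    window: int = 120                                # seconds; the slide describes two-minute windows
    state: dict = field(default_factory=dict)        # event key -> [window_start, repeats_in_window]
    rows: list = field(default_factory=list)

    def add(self, entry):
        key = (entry["src"], entry["protection"])
        t = entry["time"]
        if key not in self.state:
            self.rows.append(("log", key, t))        # first instance is shown in full
            self.state[key] = [t, 0]
            return
        start, count = self.state[key]
        if t - start <= self.window:
            self.state[key][1] = count + 1           # inside the window: only counted
        elif count:
            # window elapsed and the event kept occurring: report the count, open a new window
            self.rows.append(("suppression-report", key, start, count))
            self.state[key] = [t, 1]
        else:
            self.rows.append(("log", key, t))        # nothing repeated last window: treat as new
            self.state[key] = [t, 0]

    def flush(self):
        """Report any window that still holds uncounted repeats (end of the log file)."""
        for key, (start, count) in self.state.items():
            if count:
                self.rows.append(("suppression-report", key, start, count))
        return self.rows


def summarize(entries, window=120):
    view = SuppressedView(window)
    for entry in sorted(entries, key=lambda e: e["time"]):
        view.add(entry)
    return view.flush()
```

For the sample, eight entries collapse to four rows: one full log row per distinct event, then two reports for the repeating SMTP event, each carrying the number of instances in its window rather than one row per instance.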
IPS Debugging

SmartView Tracker GUI

 In SmartView Tracker, an entry in the Records pane is a record of an event that was logged according to a specific rule in the Rule Base.
 New records that are added to the fw.log file are automatically added to the Records pane as well.

224
IPS Debugging

SmartView Tracker GUI

1. The Network & Endpoint, Active and Management modes display different types of logs.
2. The Query Tree pane displays the Predefined and Custom queries.
3. The Query Properties pane displays the properties of the fields in the Records pane.
4. The Records pane displays the fields of each record in the log file.

224
IPS Debugging

IPS Column

 The Protection Type column is relevant to IPS protection incidents. You can filter for any of these types:
– Application Control
– Engine Settings
– Geo Protection
– Protocol Anomaly
– Signature

 Other columns specific to the IPS Software Blade:
– Protected Server
– Source Reputation
– Destination Reputation
– Client Type
– Server Type

225
IPS Debugging

SmartView Tracker Modes

 SmartView Tracker consists of three different modes:
 Log, the default mode, displays all logs in the current fw.log file.
 Active allows you to focus on connections that are currently open through the Security Gateways.
 Audit allows you to focus on management-related records.

227
IPS Debugging

Packet Capture

 Familiar with network protocols? View the packets that were captured to understand the nature of the attack.
 Capturing a Packet for Every Log
– To capture packet data for a protection for every malicious packet that is logged, turn on the packet capture option in that protection. This attaches a packet capture to every log generated by the protection.

227
IPS Debugging

Packet Capture

 Automatic Packet Capture in the First Log
– Captured malicious traffic is automatically attached to the first log generated by a protection since policy installation, even if the packet capture option in the protection is not turned on. This is economical with system resources because only one packet capture is saved for each attack.

227
IPS Debugging

Packet Capture

 Attaching a Packet Capture to Every Log
 A packet capture is automatically attached to the first log generated by a protection. However, if you want to capture packet data for a protection for every malicious packet that is logged, turn on the packet capture option in that protection. To attach a packet capture to every log:
1. Open the protection for which you want to track the packet data.
2. Make sure the protection is activated (either Detect or Prevent).
3. Double-click on the profile for which you want packet capture data.
4. In the Action area, select any tracking action other than None and then select Capture Packets.

227-228
IPS Debugging

Packet Capture

 Viewing Packet Capture Data in SmartView Tracker
 A packet capture is automatically attached to the first packet logged by a protection since policy installation. If packet capture is turned on for a protection, a packet capture is attached to every log generated by the protection. From the protection page that has Capture Packets selected, click View Logs.
1. SmartView Tracker opens. Wait until the log window for the specific protection opens.
2. If searching for automatically captured packets, make sure the Packet Capture column is showing.
3. Locate the item.
4. Right-click the item in the protection's SmartView Tracker log and select View packet capture.
(cont.)

228
IPS Debugging

Packet Capture

5. Select Internal Viewer and click OK.

You may also use a third-party packet capture application by selecting Choose program and
specifying the application in the Program Name field.
IPS Debugging

Kernel Debugging

 Kernel Debugging is recommended for more advanced troubleshooting. The debugging commands can be found on the Check Point Support Site.
 Advanced debugging procedures should be executed in conjunction with the Check Point Escalation engineers, as part of a Service Request troubleshooting session.
 Debugging should only be performed when the described issue can be captured.

IPS Debugging

IPS Debugging Scenarios – False Positives

 Each IPS protection has a confidence grade. In rare cases, it is possible that legitimate packets are mistakenly identified as malicious.

 When you suspect that you might have a false positive, follow these steps:

1. Enable INSPECT debugging in GUIDBedit:
   enable_inspect_debug_compilation
2. Install Policy.
3. Set debug:
   fw ctl zdebug + drop
4. Simulate the suspected traffic.

 Now, every dropped packet will generate a more elaborate drop message, for example:

 fw_log_drop: Packet proto=<ip_proto> <source IP>-> <Dest IP> dropped by fwpslglue_chain Reason: PSL Reject: <Reject Reason>

 Based on the <Reject Reason>, run the corresponding debug:

*Add cifs if you suspect an issue with SMB traffic (port 445).
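As an added example (not part of the course material or a Check Point tool), a small Python parser that pulls the PSL Reject drops out of saved "fw ctl zdebug + drop" output, following the drop-message template above, and tallies them by reject reason and by source/destination flow so the right follow-up debug can be chosen. The sample debug lines, their ";[cpu_x];[fw_y];" prefixes and the reject reasons are constructed for the example.

```python
import re
from collections import Counter

# Pattern following the drop-message template above:
# fw_log_drop: Packet proto=<ip_proto> <source IP>-> <Dest IP> dropped by
# fwpslglue_chain Reason: PSL Reject: <Reject Reason>
PSL_DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+dropped by\s+"
    r"fwpslglue_chain Reason: PSL Reject:\s*(?P<reason>.+?)\s*$"
)

# Constructed sample of saved 'fw ctl zdebug + drop' output; the ';[cpu_x];[fw_y];'
# prefixes and the reject reasons are made up for this example.
SAMPLE_DEBUG = """\
;[cpu_0];[fw_4];fw_log_drop: Packet proto=6 10.1.1.5 -> 192.168.2.10 dropped by fwpslglue_chain Reason: PSL Reject: Protocol violation
;[cpu_1];[fw_4];fw_log_drop: Packet proto=6 10.1.1.5 -> 192.168.2.10 dropped by fwpslglue_chain Reason: PSL Reject: Protocol violation
;[cpu_0];[fw_4];fw_log_drop: Packet proto=6 10.1.1.7 -> 192.168.2.20 dropped by fwpslglue_chain Reason: PSL Reject: Invalid header
;[cpu_1];[fw_4];fw_log_drop: Packet proto=17 10.1.1.9 -> 192.168.2.30 dropped by fw_handle_first_packet Reason: Rulebase drop
"""


def parse_psl_drops(debug_output):
    """Return one dict (proto, src, dst, reason) per PSL Reject drop line."""
    # Drops decided elsewhere in the chain (last sample line) do not match
    # and are skipped, leaving only the streaming/IPS-layer rejects.
    drops = []
    for line in debug_output.splitlines():
        match = PSL_DROP_RE.search(line)
        if match:
            drops.append(match.groupdict())
    return drops


def summarise_drops(drops):
    """Tally PSL drops by reject reason and by (reason, src, dst) flow."""
    # A reason that repeats for the same flow while the suspected traffic is
    # replayed is the one to carry into the follow-up debug.
    by_reason = Counter(d["reason"] for d in drops)
    by_flow = Counter((d["reason"], d["src"], d["dst"]) for d in drops)
    return by_reason, by_flow


if __name__ == "__main__":
    reasons, flows = summarise_drops(parse_psl_drops(SAMPLE_DEBUG))
    for reason, count in reasons.most_common():
        print(f"{count:4d}  {reason}")
    for (reason, src, dst), count in flows.most_common():
        print(f"{count:4d}  {src} -> {dst}  ({reason})")
```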

IPS Debugging

IPS Debugging Scenarios – Performance Issues

 Each IPS protection has a Performance Impact grade. When the gateway is under heavy
load, or under specific traffic blends, this impact might be substantial.


 Possible actions
– Deactivate protections with critical or high performance impact.
– If this is due to automatic activation settings, reconfigure these.
– Consider activating the “Bypass SmartDefense under load” option.
– Consider activating the “Protect Internal Hosts Only” feature. This requires a correct configuration of the gateway’s interfaces.

IPS Debugging

IPS Debugging Scenarios – Hidden Profiling Tool

 Each enforcement module (R70 and above) includes a hidden profiling tool. This tool can generate statistics reports in a two-step process:

1. Run the sdstat tool on the gateway during load.
2. Run the sdstat_analyse script on the management station.

 The performance counters tool measures only IPS and does not compare IPS to other VPN-1/UTM-1 features which might be the actual problem.

 Supported management stations for the sdstat_analyse tool are: SecurePlatform, IPSO, Linux, Solaris.

 Usage in the module:

– fw ctl zdebug > & <file_name> &
– fw ctl sdstat start (wait ~30 seconds during load)
– fw ctl sdstat stop
– fg and stop the original debug

 The “&” runs the “fw ctl zdebug” command in the background. To stop it, bring the process to the foreground by executing the “fg” command, and then terminate the program by pressing “Ctrl+C”.

 On the SmartCenter:
– Copy the file collected on the module to the Management under $FWDIR/scripts/
– Change folder to $FWDIR/scripts/
– Run the command: ./sdstat_analyse.csh <file_name>
– The output file will be <file_name>.csv
– Copy the file to a host, and open it.

IPS Debugging

Logging Issues

 If you suspect that packets are being dropped with no log, it is possible to
debug the logging mechanism:

fw ctl zdebug + log dynlog

IPS Debugging

Pattern Match Debug – Usage in the kernel

 fw ctl debug -m kiss + <debug flags>

– sm — first tier
– rem — used for second tier
– dfa — building and executing the DFA
– pmdump — dumping XMLs of DFAs
– pm — compilation, verification, and general flag

IPS Debugging

Pattern Match Debug – Usage in the User-Space

 Set the environment variable KISS_DEBUG to "<debug flags>".

 Use the module global parameter kiss_pm_stats_pattern to get statistics.

Usage:

 fw ctl set str kiss_pm_stats_pattern ".*ab(ee|tt).*" will print the statistics of the PM holding this pattern.
 fw ctl set str kiss_pm_stats_pattern "ALL" will print the statistics of all PMs we hold.

IPS Debugging

Packet Dump Buffer


 Global parameters enable debug with packet dump:
fw ctl set int <var_name> 1

 The possible var_names are:
 ASPII: aspii_debug_dump_buffer
 Inspect Streaming: fw_spii_str_log_dump_buffer
 CMI: cmi_dump_buffer

 The buffer dump will appear in your next debug printout. Turn this off using:
fw ctl set int <var_name> 0

 This may be problematic under heavy load, as the debug buffer might be full. Packet capture is often just as helpful.

IPS Debugging

Debug Flags Overview

IPS Debugging

Review Questions

1. What are the tools most often used to debug IPS issues?
– SmartView Tracker
– Packet Capture
– Kernel Debug

2. SmartView Tracker log suppression counts similar events over what time period?
– Every two minutes

3. What are the SmartView Tracker modes?
– Log (default)
– Active - focuses on connections
– Audit - focuses on management related records

IPS Debugging

Lab Practice

 Lab 7: Advanced IPS Troubleshooting
