Check Point’s Intrusion Prevention System (IPS) is a core component of Threat Prevention, providing proactive protection against a wide range of network threats. Over time, the IPS engine and its signature formats have evolved, leading to the coexistence of "normal" and "version 2 (Ver 2)" signatures. This post explains the technical reasons for maintaining both, their architectural differences, and best practices for deployment.

IPS Architecture Overview

Check Point IPS uses a multi-layered detection engine:

• Passive Streaming Library (PSL): Reconstructs network streams for inspection.
• Protocol Parsers: Identify and separate protocols (HTTP, FTP, DNS, etc.) for context-aware analysis.
• Context Management Infrastructure (CMI): Determines which protections (signatures) apply to each protocol context.
• Pattern Matcher: The detection engine that uses signatures to identify malicious patterns.

IPS Inspection Flow Diagram

Traffic is processed through multiple analysis stages, with signatures applied at different protocol layers.

Normal vs. V2 Signatures: Technical Comparison

• Normal Signatures: Use traditional pattern matching, suitable for legacy environments and lower resource consumption.

• V2 Signatures: Leverage the advanced INSPECTv2 engine, supporting complex logic, context awareness, and better detection of modern threats.

Why Maintain Both Signature Types?

• Backward Compatibility: Some older gateways may not support V2 signatures. Keeping both ensures all devices remain protected.
• Redundancy: If a V2 signature causes issues (e.g., false positives), the normal signature can provide fallback protection.
• Gradual Migration: Allows administrators to test V2 signatures in "Detect" mode before fully switching from normal signatures.
• Maximum Coverage: Certain threats may only be detected by one signature type, so using both maximizes security.

Performance Considerations

• V2 signatures can be more resource-intensive due to deeper inspection and advanced logic.
• IPS Tuning: Administrators can enable/disable specific signatures or use different profiles for perimeter vs. internal gateways.
• Bypass Under Load: IPS can be configured to bypass traffic during high load to prevent bottlenecks, but this should be used cautiously.

Best Practices for Managing Signature Versions

1. Test in Staging: Always test new V2 signatures in a non-production environment.
2. Monitor Updates: Review IPS update notes and apply urgent protections as needed.
3. Separate Profiles: Use different IPS profiles for different gateway roles (e.g., perimeter vs. datacenter).
4. Monitor Logs: Watch for false positives/negatives and adjust protections accordingly.
5. Gradual Rollout: Deploy V2 signatures in "Detect" mode before moving to "Prevent."

Summary

• Normal signatures ensure compatibility and stability.
• V2 signatures provide enhanced detection and future-proofing.
• Maintaining both allows for a safe, flexible, and comprehensive security posture during transitions and upgrades.

References

• ATRG: IPS (sk95193)
• Threat Prevention Administration Guide (R81+)