cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

To enable or not to enable an IPS signature...

I would like to know your thoughts...

If your organization has a public facing web server that the server team has applied a patch to mitigate a vulnerability, and your Check Point IPS has a signature that can also prevent that at the perimeter, do you use the signature at the perimeter as well as knowing the endpoint was patched, or do you not and leave it up to the endpoint to protect itself? 

I've heard answers to both before. Some say not to enable the signature at the perimeter if the endpoint is already protected because it simply increases load on the perimeter firewall. On the other hand, I've heard some say yes because they have a defense in depth security posture. 

What is your thought?

Tags (2)
0 Kudos
7 Replies

Re: To enable or not to enable an IPS signature...

Hi. I prefer to stop them at the perimeter and apply the patch especially if the perimeter firewall is not stressed.

Employee+
Employee+

Re: To enable or not to enable an IPS signature...

I do a combination of both. I would set the signature to prevent for at least a month or so, just in case the patch isn't a final patch. Once the signature date is older and the patch hasn't had any updates, or patches for the patch, then I disable the signature.

John_Mok
Ivory

Re: To enable or not to enable an IPS signature...

Hi, I prefer dual controls, especially the controls work on different technology layers.

Re: To enable or not to enable an IPS signature...

I apply the IPS - sometimes patches don't work as intended.

0 Kudos

Re: To enable or not to enable an IPS signature...

In theory you could safely disable that signature, but in the real world there are many cases in which it would not be that safe.

In the future someone might add a secondary server of the same type and not patch it right away.

Or you might confuse that signature with a new one which prevents an unpatched vulnerability.

Also, the patch might not work correctly and the signature will probably be updated before you install the new patch.

While CPU is not an issue, I believe it is better to enable all recent protections to your servers. It makes it much easier to manage and leaves you some spare time to focus on disabling features you actually don't have in your network.

Re: To enable or not to enable an IPS signature...

I've been calling it "Patching with IPS" and do it all the time. I've found that most of the time Check Point's turnaround on IPS signatures is way faster than a vendor can supply a patch. Generally, I try to get the IPS signature enabled ASAP to keep us guarded while we await and QA patches. 

0 Kudos

Re: To enable or not to enable an IPS signature...

I will prefer to stop at both level. IPS and patch. We can easily put prevention through IPS and then we can apply patch. It will be like 2 layer security.

0 Kudos