This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
anisbank
Explorer
‎2020-05-26 09:19 PM

IPS Signatures best practices

Dear CheckMates,
I am a senior security analyst and have given the Task of reviewing the IPS Signatures in our organization. We are using a Checkpoint IPS/Firewall versions R77.30 and R80.10. Out of the total 10,000 plus signatures currently only 1000 plus signatures are in detect or prevent mode and the rest are inactive. Is there any best practices which I can refer to to decide which signatures to set to monitor or which ones to prevent. Any Standard operating procedures.

I proposed that for better visibility so enable all the signature to monitoring mode as this traffic is also captured in SIEM tool. Now I have been asked to filter the IPS signatures based on port so that we can enable only those ports open by Firewall to Monitoring mode and the rest can be Inactive. Is there any way by which I can filter the IPS signatures based on Port numbers. Any help or explanation is much appreciated. 

Thanks and regards

Mohammed Anis Ismail

Labels
0 Kudos
2 Replies
Timothy_Hall
Legend Legend
Legend
‎2020-05-27 07:17 AM

For your first question, you will need to get most of those IPS protections into at least Detect to figure out which ones you actually need.  Check out the TailoredSafe tool here which can be very helpful:

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Moving-from-Detect-to-Prevent-TechT...

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/SmartEvent-View-From-IPS-Detect-pro...

For your second query, IPS protections don't directly care about port numbers and are usually looking for exploits in certain protocols, which typically have "native" port numbers they use.  The closest you can get to what you want is to expose the Protocol column for the IPS signatures as shown here:

 

ips_proto.png

 

The IPS blade and its configuration can look pretty daunting which is why I released my IPS Immersion Video Series that is 8 hours of nothing but the IPS blade and how best to work with it.  Check Point has a healthy amount of good reference documentation for IPS, but not a lot of "how-to" and day-to-day operational guides.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
anisbank
Explorer
‎2020-05-27 07:10 PM
In response to Timothy_Hall

Thank you for the Reply Tim,
I will try to follow the steps to enable protocol in the report.


In the TailoredSafe tool , what I can understand is that by default all the signatures should be in Detect mode. Then there are several methods to decide which ones to set to prevent mode. Am I correct?

Is there any signature we can set as inactive because its obsolete , or the last update date is too long ?

Last month we tried to change about 700 signatures to detect mode and we got performance issues.
Lets say , If I want to stage all the 10,000 plus signature to Detect mode , which is the ideal situation , is there any minimum system requirements for this.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events