Jon_Crotteau
Participant

To enable or not to enable an IPS signature...

I would like to know your thoughts...

If your organization has a public facing web server that the server team has applied a patch to mitigate a vulnerability, and your Check Point IPS has a signature that can also prevent that at the perimeter, do you use the signature at the perimeter as well, knowing the endpoint was patched, or do you not, and leave it up to the endpoint to protect itself?

I've heard answers to both before. Some say not to enable the signature at the perimeter if the endpoint is already protected because it simply increases load on the perimeter firewall. On the other hand, I've heard some say yes because they have a defense in depth security posture.

What is your thought?

0 Kudos
7 Replies
Jamey_Herr
Explorer

Hi. I prefer to stop them at the perimeter and apply the patch, especially if the perimeter firewall is not stressed.

Matt_Ricketts
Employee

I do a combination of both. I would set the signature to prevent for at least a month or so, just in case the patch isn't a final patch. Once the signature date is older and the patch hasn't had any updates, or patches for the patch, then I disable the signature.

John_Mok
Explorer

Hi, I prefer dual controls, especially when the controls work on different technology layers.

Joe_Sullivan
Explorer

I apply the IPS - sometimes patches don't work as intended.

0 Kudos
Pedro_Espindola
Advisor

In theory you could safely disable that signature, but in the real world there are many cases in which it would not be that safe.

In the future someone might add a secondary server of the same type and not patch it right away.

Or you might confuse that signature with a new one which prevents an unpatched vulnerability.

Also, the patch might not work correctly and the signature will probably be updated before you install the new patch.

While CPU is not an issue, I believe it is better to enable all recent protections to your servers. It makes it much easier to manage and leaves you some spare time to focus on disabling features you actually don't have in your network.
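
The replies above amount to a retirement checklist for a perimeter signature: keep it while any host of that server type is unpatched or on a superseded patch level, while the patch is still fresh, and while the IPS vendor is still updating the protection. The following Python is an added illustration, not code from the thread or from Check Point; the `Host`, `Patch` and `Signature` classes, the 30-day soak period and the sample inventory are all constructed assumptions.

```python
# Added example (not from the thread): a small "can this IPS signature be retired yet?"
# check that encodes the conditions the replies raise. All class names, the soak period
# and the sample data below are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Host:
    name: str
    server_type: str
    patched_on: Optional[date]  # None means the patch is not applied on this host


@dataclass
class Patch:
    server_type: str
    last_revised: date  # most recent vendor revision ("patch for the patch")


@dataclass
class Signature:
    name: str
    server_type: str
    last_updated: date  # last time the IPS vendor changed this protection


def retirement_check(sig: Signature, patch: Patch, hosts: List[Host],
                     today: date, soak_days: int = 30) -> Tuple[bool, List[str]]:
    """Return (can_retire, reasons). Any reason means keep the signature in prevent."""
    reasons: List[str] = []
    # Only hosts of the server type this signature protects matter.
    relevant = [h for h in hosts if h.server_type == sig.server_type]

    # Pedro's "secondary server" case: a host of the same type nobody patched yet.
    unpatched = [h.name for h in relevant if h.patched_on is None]
    if unpatched:
        reasons.append(f"unpatched hosts of type {sig.server_type}: {', '.join(unpatched)}")

    # A host patched before the latest revision is running a superseded fix.
    stale = [h.name for h in relevant
             if h.patched_on is not None and h.patched_on < patch.last_revised]
    if stale:
        reasons.append(f"hosts on a superseded patch level: {', '.join(stale)}")

    # Matt's soak period: give the patch time to prove it is the final one.
    if today - patch.last_revised < timedelta(days=soak_days):
        reasons.append(f"patch revised less than {soak_days} days ago")

    # A signature refreshed after the patch suggests the issue is still moving.
    if sig.last_updated > patch.last_revised:
        reasons.append("signature updated after the latest patch revision")

    return (not reasons, reasons)


# Constructed sample inventory (dates and names are made up).
SIG = Signature("sample-web-server-rce", "web", date(2024, 1, 10))
PATCH = Patch("web", date(2024, 1, 20))
TODAY = date(2024, 3, 15)


def sample_all_patched() -> Tuple[bool, List[str]]:
    hosts = [Host("web01", "web", date(2024, 1, 22)),
             Host("web02", "web", date(2024, 1, 22)),
             Host("db01", "db", None)]  # different server type, ignored
    return retirement_check(SIG, PATCH, hosts, TODAY)


def sample_new_unpatched_server() -> Tuple[bool, List[str]]:
    hosts = [Host("web01", "web", date(2024, 1, 22)),
             Host("web03", "web", None)]  # a newly added, still unpatched server
    return retirement_check(SIG, PATCH, hosts, TODAY)


if __name__ == "__main__":
    for check in (sample_all_patched, sample_new_unpatched_server):
        ok, why = check()
        print(check.__name__, "-> retire" if ok else "-> keep", why)
```

The point of the check is that the decision is driven by inventory and dates rather than by memory: the second sample keeps the signature purely because one newly added host of the protected type has no patch date, which is exactly the situation the reply describes.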

Daniel_Taney
Advisor

I've been calling it "Patching with IPS" and do it all the time. I've found that most of the time Check Point's turnaround on IPS signatures is way faster than a vendor can supply a patch. Generally, I try to get the IPS signature enabled ASAP to keep us guarded while we await and QA patches.

R80 CCSA / CCSE
0 Kudos
Gaurav_Pandya
Advisor

I would prefer to stop it at both levels: IPS and patch. We can easily put prevention in place through IPS and then apply the patch. It will be like 2-layer security.

0 Kudos
