Solved: Re: checkpoint IPS blade functioning.

gautam_kumar1 · ‎2019-05-28

Hello everyone,

I am a bit confused about the functioning of the IPS blade, how does it inspect the traffic and on what factors it filter the traffic?

And How does it different from the conventional signature based Anti-Virus.

One more thing, how does it defend or prevent unknown attacks?

Thanks in advance!

G_W_Albrecht · ‎2019-05-28

Read that all and more here: sk95193: ATRG: IPS

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

Timothy_Hall · ‎2019-05-29

This is a common question; IPS was kind of the original "Threat Prevention" blade long before many of the so-called "next generation" firewall features like APCL and the other four Threat Prevention blades hit the scene. Generally the IPS blade is only looking for known attacks, but can sometimes pick up on unknown attacks while looking for protocol anomalies or nonstandard behavior of a protocol. Here is a bit of the intro from my IPS Immersion class establishing the historical context of the IPS blade up to the current day which should answer your other questions:

Click to Expand

Module 1 – History of IDS/SmartDefense/IPS
• The first popular Intrusion Detection System (IDS) was introduced in 1999 and called SNORT. It essentially tried to look for
known attacks in network traffic. Note that Check Point did add the ability to import SNORT signatures into the IPS blade in
release R76 and later.

• Until 2004 Check Point did not have any IDS functionality built–in but could participate in “Intruder Shunning”, via the
dynamic addition of Suspicious Activity Monitoring (SAM) rules via the fw sam command.

• NG FP3 (R53) introduced the initial elements of SmartDefense which was Check Point’s first Intrusion Prevention System
(IPS) implementation, but did not see widespread use until the R54 NG w/ Application Intelligence (AI) release.

• SmartDefense was tightly integrated with the firewall’s stateful inspection engine, and could sometimes be difficult to disable.
Exceptions could not be easily created!

• With the introduction of CoreXL in version R70, SmartDefense was renamed IPS and significant changes were introduced to
the IPS configuration in the SmartDashboard GUI, as well as the underlying gateway inspection architecture, including the
creation of the gateway’s Medium Inspection Path (PXL) and a reworking of the INSPECT language used by the gateway.
Many of these changes were based on the earlier acquisition of a company called Network Flight Recorder (NFR).

• While now considered a separate blade/feature in release R70, IPS was still closely integrated with the gateway’s stateful inspection
architecture, and Exceptions could be created to disable portions of IPS enforcement.

• Other Threat Prevention features began to be introduced in version R75 and configured separately from IPS in the
SmartDashboard.

• IPS is generally considered a “pre–infection” blade by Check Point, but can also in some cases indicate post–infection (if attacks
discovered by IPS are coming from the inside network).

• The IPS feature itself had only minor enhancements until the R80.10 gateway release, when at long last its configuration was
fully integrated with the four other Threat Prevention blades in the SmartConsole: Anti–Virus (pre–infection), Anti–Bot (post–
infection), Threat Emulation (pre–infection), and Threat Extraction.

IPS R77.XX –> R80.10
• The main function of Check Point IPS is to look for known attacks in network traffic, most of the time by inspecting the
payload/data of packets, and looking for traffic patterns matching an IPS Protection.

• IPS also performs some checking of connection attributes & protocol behavior prior to any actual payload/data being sent.

• Prior to the introduction of the other four Threat Prevention blades, IPS performed many functions that would later be moved
into other blades such as Application Control and Anti–bot in the R80.10 release.

• As an example the original IPS protections Instant Messengers, Scada Modbus Report Slave ID, SCADA DNP3 abort file
function code, and SCADA DNP3 broadcast were moved into the Application Control blade in R80.10.

• A few other examples: original IPS protections WebAttacker, Spyware Drive Cleaner 1, and Gator were moved into the Anti–
Bot blade in R80.10.

• The full list of IPS protections migrated to other blades in R80.10 is documented here: sk103766: List of IPS Protections removed in R80.x
There is also an informative discussion at CheckMates titled “Where did all my IPS Protections go?”: https://community.checkpoint.com/message/6315

• The wholesale changes made to the IPS blade in R80.10 present some special challenges when managing pre–R80.10 gateways
(including the Gaia Embedded appliances 1200R–1400) from an R80+ Security Management Server (SMS) or Customer
Management Add–on (CMA); we will cover these challenges in detail!

• Note that using only the IPS blade in isolation without any other Threat Prevention features (or Application Control) is
NOT a complete Threat Prevention solution, especially on an R80.10 gateway!

• Check Point offers a free Security Advisories mailing list for real–time notifications of the latest threats including updates of
IPS Protections, see https://www.checkpoint.com/advisories/ for more information.

Module 1 – History of IDS/SmartDefense/IPS• The first popular Intrusion Detection System (IDS) was introduced in 1999 and called SNORT. It essentially tried to look forknown attacks in network traffic. Note that Check Point did add the ability to import SNORT signatures into the IPS blade inrelease R76 and later. • Until 2004 Check Point did not have any IDS functionality built–in but could participate in “Intruder Shunning”, via thedynamic addition of Suspicious Activity Monitoring (SAM) rules via the fw sam command. • NG FP3 (R53) introduced the initial elements of SmartDefense which was Check Point’s first Intrusion Prevention System(IPS) implementation, but did not see widespread use until the R54 NG w/ Application Intelligence (AI) release. • SmartDefense was tightly integrated with the firewall’s stateful inspection engine, and could sometimes be difficult to disable.Exceptions could not be easily created! • With the introduction of CoreXL in version R70, SmartDefense was renamed IPS and significant changes were introduced tothe IPS configuration in the SmartDashboard GUI, as well as the underlying gateway inspection architecture, including thecreation of the gateway’s Medium Inspection Path (PXL) and a reworking of the INSPECT language used by the gateway.Many of these changes were based on the earlier acquisition of a company called Network Flight Recorder (NFR). • While now considered a separate blade/feature in release R70, IPS was still closely integrated with the gateway’s stateful inspectionarchitecture, and Exceptions could be created to disable portions of IPS enforcement. • Other Threat Prevention features began to be introduced in version R75 and configured separately from IPS in theSmartDashboard. • IPS is generally considered a “pre–infection” blade by Check Point, but can also in some cases indicate post–infection (if attacksdiscovered by IPS are coming from the inside network). • The IPS feature itself had only minor enhancements until the R80.10 gateway release, when at long last its configuration wasfully integrated with the four other Threat Prevention blades in the SmartConsole: Anti–Virus (pre–infection), Anti–Bot (post–infection), Threat Emulation (pre–infection), and Threat Extraction. IPS R77.XX –> R80.10• The main function of Check Point IPS is to look for known attacks in network traffic, most of the time by inspecting thepayload/data of packets, and looking for traffic patterns matching an IPS Protection. • IPS also performs some checking of connection attributes & protocol behavior prior to any actual payload/data being sent. • Prior to the introduction of the other four Threat Prevention blades, IPS performed many functions that would later be movedinto other blades such as Application Control and Anti–bot in the R80.10 release. • As an example the original IPS protections Instant Messengers, Scada Modbus Report Slave ID, SCADA DNP3 abort filefunction code, and SCADA DNP3 broadcast were moved into the Application Control blade in R80.10. • A few other examples: original IPS protections WebAttacker, Spyware Drive Cleaner 1, and Gator were moved into the Anti–Bot blade in R80.10. • The full list of IPS protections migrated to other blades in R80.10 is documented here: sk103766: List of IPS Protections removed in R80.x There is also an informative discussion at CheckMates titled “Where did all my IPS Protections go?”: https://community.checkpoint.com/message/6315 • The wholesale changes made to the IPS blade in R80.10 present some special challenges when managing pre–R80.10 gateways(including the Gaia Embedded appliances 1200R–1400) from an R80+ Security Management Server (SMS) or CustomerManagement Add–on (CMA); we will cover these challenges in detail! • Note that using only the IPS blade in isolation without any other Threat Prevention features (or Application Control) isNOT a complete Threat Prevention solution, especially on an R80.10 gateway! • Check Point offers a free Security Advisories mailing list for real–time notifications of the latest threats including updates ofIPS Protections, see https://www.checkpoint.com/advisories/ for more information.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

G_W_Albrecht · ‎2019-05-28

Read that all and more here: sk95193: ATRG: IPS

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

asafav · ‎2019-05-29

IPS is focusing on malicious network traffic and protect against application and server vulnerabilities.

AV is focusing on malicious files and preventing them reaching into your system.

Timothy_Hall · ‎2019-05-29