IDS mailing list archives

Re: Checkpoints Smartdefense as an IPS


From: John Jasen <jjasen () realityfailure org>
Date: Wed, 29 Apr 2009 14:13:44 -0400

a bv wrote:
Hi list,

I want to ask the list for opinions on Checkpoint's SmartDefense. For
past and current users, how adequate/successful do you find it as
an IPS for your enterprise? Do you use an additional IDS/IPS, and if so, for what
purposes and to monitor which segments/parts of your infrastructure?
And how do you deploy and manage SmartDefense?

SmartDefense is not recommended in the slightest.

Entirely too many of the signatures are obsolete and/or just plain wrong.

The FTP and SMTP security servers will break traffic in obscure ways
without any logs.

Log correlation to a SmartDefense rule or setting can involve a lot of
reading, sometimes guesswork, and occasionally a bit of luck.

SmartDefense is incredibly CPU intensive. You won't be able to enable
most of it unless you buy $MORE, where $MORE is defined as one or more
of: bigger hardware, multi-CPU licenses, coreXL, clusterXL.

As others have indicated, tuning SmartDefense is most of the time "rule
on" or "rule off". See the luck required for log correlation above for
some of the more obscure cases ....

Unlike Snort, you have no visibility into what the rule is checking for
or doing.

And, to add the icing on the cake, Checkpoint has replaced SmartDefense
with their reworking of NFS's IPS in R70. So, SmartDefense is dead, and
unlamented.

-- 
-- John E. Jasen (jjasen () realityfailure org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring


