CP IPS BestPractices
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments to mailto:[email protected]?subject=Feedback on IPS Tuning - Best Practices.
Revision History
Date            Description
29 June 2016    Updated CPU Load in Overview (on page 18). Improved formatting.
Introduction
In This Section:
Choosing IPS Protections ...............................................................................................5
Overview of the Tuning Process.....................................................................................6
nd performance,
configure it to best-fit the unique traffic of each organization. The world of cyber-threats and your
network are dynamic. Therefore, it is necessary to consistently tune and maintain IPS.
The goal of this guide is to assist you in the initial and ongoing tuning of your IPS Software Blade.
Troubleshooting mode, even though all protections are set to Prevent, the gateway only
detects possible threats and generates logs for the traffic.
6. Click the Follow Up marker. Select the option Mark newly downloaded protections for Follow
Up to help the analysis and tuning of new protections in the future.
7. Configure the gateway. Assign the active profile to the applicable gateways.
To make sure that IPS analysis does not have a negative impact on network traffic, enable the
Bypass IPS inspection when gateway is under heavy load option.
8. Install the policy on the gateways. New IPS updates and changes in the active profile are not
automatically deployed. It is necessary to install the policy and push it to the gateways.
9. Collect the logs. After you install the policy, IPS starts to inspect the traffic and generate logs.
We recommend that you collect logs for at least a week, and ideally for two weeks.
Note - The IPS Software Blade does not block malicious traffic because Troubleshooting mode
is enabled.
10. Initial IPS tuning. Review the logs and decide which protections to run in Protect or Detect
mode, and which ones require more fine-tuning and analysis.
11. Disable Troubleshooting mode. The IPS Software Blade is now protecting the network.
12. Change the settings for Updates policy. Configure updates to Newly downloaded protections
will be set to Detect. When new IPS protections are deployed, they are set to Detect mode.
13. Clear the Follow up, or the Newly downloaded flag, for all protections that were reviewed
during the tuning process.
14. Ongoing maintenance and tuning. We recommend that twice a month you tune the new IPS
protections that you downloaded, and look for changes in the behavior of the ones that you
already tuned.
15. Performance tuning. Monitor the gateway performance and configure the applicable settings
to give the best network security and performance.
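Steps 9 and 10 above collect a week or two of Detect-mode logs and then decide, protection by protection, what goes to Prevent, what stays in Detect and what needs more analysis. The script below is an added example of that triage and is not from the guide or from Check Point. It parses a constructed, simplified key=value log export (real exports carry more fields and may name them differently), counts hits and distinct source hosts per protection, and applies a heuristic of my own: a protection that fires repeatedly from several internal hosts is probably matching legitimate traffic and is flagged for Follow Up; an otherwise quiet protection with high attack confidence goes to Prevent; the rest stay in Detect. The internal address ranges and the threshold of five hits are assumptions.

```python
"""Triage Detect-mode IPS logs from the tuning period.

Added example, not from the guide. The log lines below are constructed in a
simplified key=value form; a real log export carries more fields.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the organization's internal address ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: one week of Detect-mode IPS logs plus one non-IPS line.
SAMPLE_LOGS = """\
time=2016-06-01T08:01:02 product=IPS action=Detect protection_name="SQL Servers Protection" confidence_level=High src=203.0.113.10 dst=10.0.0.5
time=2016-06-01T08:05:44 product=IPS action=Detect protection_name="SQL Servers Protection" confidence_level=High src=203.0.113.11 dst=10.0.0.5
time=2016-06-02T11:40:10 product=IPS action=Detect protection_name="SQL Servers Protection" confidence_level=High src=198.51.100.7 dst=10.0.0.5
time=2016-06-01T09:12:00 product=IPS action=Detect protection_name="Non Compliant HTTP" confidence_level=Medium src=10.0.1.20 dst=10.0.0.8
time=2016-06-01T09:12:05 product=IPS action=Detect protection_name="Non Compliant HTTP" confidence_level=Medium src=10.0.1.21 dst=10.0.0.8
time=2016-06-01T09:13:30 product=IPS action=Detect protection_name="Non Compliant HTTP" confidence_level=Medium src=10.0.1.22 dst=10.0.0.8
time=2016-06-03T14:02:11 product=IPS action=Detect protection_name="Non Compliant HTTP" confidence_level=Medium src=10.0.1.20 dst=10.0.0.8
time=2016-06-04T10:22:45 product=IPS action=Detect protection_name="Non Compliant HTTP" confidence_level=Medium src=10.0.1.21 dst=10.0.0.8
time=2016-06-05T16:55:09 product=IPS action=Detect protection_name="Non Compliant HTTP" confidence_level=Medium src=10.0.1.22 dst=10.0.0.8
time=2016-06-06T03:17:51 product=IPS action=Detect protection_name="Scanner Detection" confidence_level=Medium src=198.51.100.9 dst=10.0.0.5
time=2016-06-06T03:18:00 product=Firewall action=Accept src=10.0.1.20 dst=10.0.0.8
"""

# key=value pairs; values may be quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one log line into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def summarize(log_text):
    """Count hits and distinct source hosts per IPS protection."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set(), "confidence": None})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("product") != "IPS":        # skip firewall and other blades
            continue
        entry = stats[fields["protection_name"]]
        entry["hits"] += 1
        entry["sources"].add(fields["src"])
        entry["confidence"] = fields.get("confidence_level")
    return dict(stats)


def is_internal(ip, nets=INTERNAL_NETS):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def recommend(stats, noise_hits=5):
    """Heuristic (mine, not the guide's) mapping each protection to a next step."""
    decisions = {}
    for name, entry in stats.items():
        internal = sum(1 for ip in entry["sources"] if is_internal(ip))
        internal_share = internal / len(entry["sources"])
        if entry["hits"] >= noise_hits and internal_share >= 0.5:
            # Repeated hits from internal hosts: likely legitimate traffic,
            # keep in Detect and mark for Follow Up before deciding.
            decisions[name] = "Follow Up"
        elif entry["confidence"] == "High":
            decisions[name] = "Prevent"
        else:
            decisions[name] = "Detect"
    return decisions


if __name__ == "__main__":
    for protection, decision in recommend(summarize(SAMPLE_LOGS)).items():
        print(f"{protection}: {decision}")
```

The point of the exercise is the per-protection view: raw hit counts alone do not separate a noisy protection from a busy attacker, so the distinct-source and internal/external split is what drives the decision. Replace the parser with one for your actual export format before running it on production logs.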
Implementing IPS
In This Section:
Initial Installation ............................................................................................................8
Collecting IPS Logs .......................................................................................................11
Analyzing the Initial Logs .............................................................................................11
Configuring IPS to Protect the Network ......................................................................12
Initial Installation
The Check Point IPS Software Blade uses thousands of protections to keep your network safe.
When you are setting up IPS for the first time, it is impossible to run a signature analysis for each
protection. During the time that you are implementing IPS, you can use a mirror port or TAP
server or appliance to run an analysis on the traffic. We recommend that when you enable Protect
mode, you deploy IPS in-line.
Check Point defined the Recommended Profile to give excellent security with good performance
for the gateway. This profile enables all protections that:
Protect against important threats
Have an attack confidence level of at least good
Do not have a critical effect on performance
Updating Protections
The IPS Software Blade includes the protections that were available when the software was first
released. The first time that you enable IPS, it is important to update and download the most
recent protections.
Note - During the time that you run IPS analysis, the gateway cannot block IPS attacks,
because all the protections are running in Detect mode (Troubleshooting).
Overview
After you successfully configure the initial IPS installation, most protections are deployed in
Prevent mode and there are a few that remain in Detect mode for additional analysis. However,
new threats continuously emerge and the internal network changes with new applications,
services and protocols. It is necessary to regularly run an analysis on the IPS logs for
maintenance tuning of the policy.
We recommend that you run an IPS analysis twice a month and review IPS updates (on page 14)
for new attacks and other issues.
General Recommendations
This section contains general advice to help you manage the IPS Software Blade.
IPS Updates
Check Point releases new IPS protections packages as necessary, usually at least once a week. It
is important to review the published Check Point IPS update. The update shows new protections
against zero-day vulnerabilities. If the protections are crucial for your network, immediately
deploy them in Prevent mode. There is a risk that a new protection can disrupt legitimate traffic,
but there is a greater benefit in preventing active malware attacks.
Software Upgrades
It is important to review the Release Notes for new software versions, and regularly install
software updates. Check Point IPS combines the features of the IPS engine and new protections
that are continually added. The engine is the core code that parses and inspects the traffic, and it
is often improved as part of software upgrades for Security Gateways. These upgrades give better
IPS protection and performance. For example:
R75.40 improved the Non-Compliant HTTP inspection protection
R76 improved the Non-Compliant DNS protection
Separate Profiles
The initial performance tuning focuses on a single IPS profile that is recommended for many
situations. However, it can be necessary to create different profiles for the specified gateways in
an organization to improve security or performance. Examples of separate profiles:
gateways on the perimeter frequently use a different profile than gateways that protect data
centers
gateways that use different versions of Check Point software can use different profiles
DoS (Denial of Service): There are several protections that look for massive use of Web Server
protocols (UDP, HTTP, SSL). They can detect and protect the network from DoS attacks. Enable
the DoS protections to give additional security to the network. For more about defending the
network from DoS attacks, see DDoS Protection on the Security Gateway Best Practices Guide
http://supportcontent.checkpoint.com/documentation_download?ID=35013.
Note - Do not track traffic for all countries, or IPS generates too many logs.
General HTTP/CIFS Worm Catcher and Header Rejection: These protections let you add and edit
regular expressions so that the Firewall can block the specified HTTP requests. Check Point
occasionally advises customers to add a pattern to these protections as an immediate pre-emptive
action against a new threat. The IPS protections are updated when the new protections package is
available from Check Point.
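A pattern added to Header Rejection or the Worm Catcher as a pre-emptive measure is applied to live traffic the moment the policy is installed, so an over-broad expression blocks legitimate requests. The script below is an added example, not from the guide or from Check Point: it checks a candidate pattern against constructed sample requests, requiring it to match every request you intend to reject and none of the known-good ones, before the pattern goes anywhere near a gateway. The request samples, the hypothetical decommissioned path /admin/old-console/ and the candidate patterns are all assumptions for illustration.

```python
"""Pre-deployment check of a Header Rejection / Worm Catcher regex.

Added example, not from the guide. Sample requests and patterns are constructed.
"""
import re

# Constructed legitimate requests the pattern must NOT match.
LEGITIMATE = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /administration/report?year=2016 HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    "POST /api/v1/orders HTTP/1.1\r\nHost: shop.example.com\r\n"
    "Content-Type: application/json\r\n\r\n",
]

# Constructed requests to a hypothetical decommissioned console that the
# organization has decided to reject at the gateway.
UNWANTED = [
    "GET /admin/old-console/login.jsp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "POST /admin/old-console/run HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]


def evaluate_pattern(pattern, unwanted=UNWANTED, legitimate=LEGITIMATE):
    """Report whether the pattern compiles, which unwanted requests it misses,
    and which legitimate requests it would wrongly reject."""
    try:
        # MULTILINE so ^ anchors to the request line; IGNORECASE as a
        # conservative stand-in for a case-insensitive gateway match.
        rx = re.compile(pattern, re.IGNORECASE | re.MULTILINE)
    except re.error as exc:
        return {"valid": False, "error": str(exc), "missed": [], "false_positives": []}
    missed = [req for req in unwanted if not rx.search(req)]
    false_positives = [req for req in legitimate if rx.search(req)]
    return {"valid": True, "error": None, "missed": missed, "false_positives": false_positives}


def is_safe_to_deploy(pattern):
    """True only when the pattern compiles, catches everything it should
    and touches none of the legitimate samples."""
    result = evaluate_pattern(pattern)
    return result["valid"] and not result["missed"] and not result["false_positives"]


if __name__ == "__main__":
    for candidate in (r"admin", r"^(GET|POST) /admin/old-console/", r"("):
        print(repr(candidate), "->", evaluate_pattern(candidate))
```

The sample set is the weak point of any such check: it catches only the false positives you thought to include, so seed the legitimate list from real request logs of the applications behind the gateway, not from memory. Note also that the regular-expression dialect a gateway implements is not necessarily Python's, so a pattern that passes here still needs to be confirmed in Detect mode before it is switched to Prevent.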
SNORT Conversion: Gateways that are version R76 and higher can import and convert SNORT
signatures to IPS protections. You can use public-domain and custom signatures to help protect
the network. For more about how to use SNORT signatures for IPS, go to the IPS Administration
Guide for your version.
Email Protections
Activate protections for the protocols that your environment uses for emails and add customized
security to the mail servers.
Performance Tuning
In This Section:
Overview ........................................................................................................................18
Changing IPS Protection Scope ...................................................................................18
Excluding Protections ..................................................................................................19
Gradually Activating Protections .................................................................................20
Monitoring Performance Impact .................................................................................21
Optimizing the Rule Base .............................................................................................21
Monitoring Security Gateway Performance ................................................................21
Overview
When a gateway CPU consistently runs at a high load, it is possible that the active profile is too
heavy for the hardware. We recommend that you change the profile and IPS settings to optimize
IPS for the network.
Use SNMP or SmartView Monitor to monitor CPU load and memory usage for a few days. Make
sure that the gateway meets these hardware statistics to continue to deploy the active profile:
CPU Load - average load is lower than 30% of the number of cores
CPU Peaks - short interval peaks (1 - 2 minutes) lower than 50%
Free RAM - at least 20%
If the gateway does not meet the previous requirements:
Upgrade to an appliance or server with more powerful hardware
Run fewer IPS protections in the network
The following sections show different methods to reduce IPS protections and improve gateway
performance.
Note - The performance impact of a protection is almost the same for Prevent and Detect
modes. Prevent mode sometimes drops traffic and does not inspect it.
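The three hardware thresholds above (average CPU load under 30% of the core count, short 1 to 2 minute peaks under 50%, at least 20% free RAM) are easy to apply by hand for one day but tedious over the few days of monitoring the guide asks for. The function below is an added example, not from the guide or from Check Point, that evaluates a series of one-minute samples against those thresholds and says whether the active profile fits the hardware. Reading "load" as the 1-minute load average compared with the number of cores, and "short interval peaks" as the highest two-minute rolling mean, are my interpretations; the sample series are constructed, and collecting them over SNMP is not shown.

```python
"""Check gateway CPU and RAM samples against the guide's thresholds.

Added example, not from the guide. Samples are constructed; "load" is taken to
be the 1-minute load average and peaks are two-minute rolling means (my reading).
"""

# Thresholds stated in the guide's Overview.
CPU_AVERAGE_MAX = 0.30   # average load below 30% of the number of cores
CPU_PEAK_MAX = 0.50      # short peaks below 50% of the number of cores
FREE_RAM_MIN = 20.0      # at least 20% free RAM


def rolling_peak(samples, window=2):
    """Highest mean over any consecutive window of samples (2 = two minutes)."""
    if len(samples) < window:
        return max(samples)
    return max(sum(samples[i:i + window]) / window
               for i in range(len(samples) - window + 1))


def assess_gateway(load_samples, free_ram_samples, cores):
    """Return each check's result and whether the active profile fits the hardware."""
    if not load_samples or not free_ram_samples:
        raise ValueError("need at least one sample of each kind")
    average_load = sum(load_samples) / len(load_samples)
    checks = {
        "cpu_average_ok": average_load < CPU_AVERAGE_MAX * cores,
        "cpu_peaks_ok": rolling_peak(load_samples) < CPU_PEAK_MAX * cores,
        "free_ram_ok": min(free_ram_samples) >= FREE_RAM_MIN,
    }
    checks["profile_fits"] = all(checks.values())
    return checks


# Constructed one-minute samples for a 4-core gateway.
SAMPLE_OK = {
    "load": [0.8, 0.9, 1.0, 1.1, 2.2, 0.9, 0.8, 1.0],
    "free_ram": [35, 33, 31, 30, 28, 30, 32, 34],
    "cores": 4,
}
SAMPLE_HEAVY = {
    "load": [2.0, 2.5, 2.8, 3.6, 3.9, 2.6],
    "free_ram": [22, 20, 18, 15, 16, 19],
    "cores": 4,
}


if __name__ == "__main__":
    for name, s in (("ok", SAMPLE_OK), ("heavy", SAMPLE_HEAVY)):
        print(name, assess_gateway(s["load"], s["free_ram"], s["cores"]))
```

A single one-minute spike (2.2 on the 4-core sample above) does not fail the peak check because the rolling mean smooths it, which matches the guide's intent of looking at short intervals rather than instantaneous values; a sustained rise does fail it. When profile_fits is False, the choice is the one the text gives: more capable hardware, or fewer protections through the methods in the following sections.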
3. From the Protection Scope section, click Protect internal hosts only.
4. Click OK.
5. Install the policy on the gateway.
Excluding Protections
It is possible that the IPS profile includes protections that are not necessary for the network. You
can exclude the unnecessary IPS protections for the application or service and improve network
performance. For example, if an organization does not use VoIP services, exclude the IPS
protections for VoIP traffic.
Sample Workflow
1. Disable all IPS protections that are categorized as Critical or High Performance Impact.
2. Identify the protections that protect high-value assets.
a) Enable one protection.
b) Monitor the performance of the gateway.
c) Make sure that the gateway handles the IPS load.
d) Do the previous steps again for other High Performance Impact protections.