Focus on IDS
Checkpoints Smartdefense as an IPS Apr 28 2009 08:00AM
a bv (vbavbalist gmail com) (4 replies)
Re: Checkpoints Smartdefense as an IPS Apr 29 2009 06:13PM
John Jasen (jjasen realityfailure org)
a bv wrote:
> Hi list,
>
> I want to ask the list for opinions on Checkpoint's SmartDefense. For
> past and current users, how adequate/successful do you find it as
> an IPS for your enterprise? Do you use additional IDS/IPS? If so, for what
> purposes and to monitor which segments/parts of your infrastructure?
> And how do you deploy and manage SmartDefense?

SmartDefense is not recommended in the slightest.

Entirely too many of the signatures are obsolete and/or just plain wrong.

The FTP and SMTP security servers will break traffic in obscure ways
without any logs.

Log correlation to a SmartDefense rule or setting can involve a lot of
reading, sometimes guesswork, and occasionally a bit of luck.

SmartDefense is incredibly CPU intensive. You won't be able to enable
most of it unless you buy $MORE, where $MORE is defined as one or more
of: bigger hardware, multi-CPU licenses, coreXL, clusterXL.

As others have indicated, tuning SmartDefense is most of the time "rule
on" or "rule off". See the luck required for log correlation above for
some of the more obscure cases ....

Unlike Snort, you have no visibility into what the rule is checking for
or doing.

And, to add the icing on the cake, Checkpoint has replaced SmartDefense
with their reworking of NFS's IPS in R70. So, SmartDefense is dead, and
unlamented.

--
-- John E. Jasen (jjasen (at) realityfailure (dot) org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring

Re: Checkpoints Smartdefense as an IPS Apr 28 2009 09:15PM
Jaime Díaz (jndiaz gmail com)
Re: Checkpoints Smartdefense as an IPS Apr 28 2009 05:07PM
Laurens Vets (laurens daemon be)
Re: Checkpoints Smartdefense as an IPS Apr 28 2009 03:59PM
Tommy May (tommymay comcast net)
Copyright 2010, SecurityFocus