Focus on IDS
Yanýt: Checkpoints Smartdefense as an IPS May 15 2009 08:42AM
a bv (vbavbalist gmail com)
Thanks for the answers, and let me go to further questions.

If you are using smartdefense how do you manage/how often do you
update/and what do you do to get most from it?

regards

2009/4/29, John Jasen <jjasen (at) realityfailure (dot) org [email concealed]>:
> a bv wrote:
>> Hi list,
>>
>> I want to ask to list for the opinion on Checkpoints Smartdefense. For
>> the past and current users , how enough/successfull do you find it as
>> an ips for your enterprise? Do you use additional ids/ips if so what
>> purposes and to monitor what segments/parts of your infrastructure.?
>> And how do you deploy,manage Smartdefense?
>
> SmartDefense is not recommended in the slightest.
>
> Entirely too many of the signatures are obsolete and/or just plain wrong.
>
> The FTP and SMTP security servers will break traffic in obscure ways
> without any logs.
>
> Log correlation to a SmartDefense rule or setting can involve a lot of
> reading, sometimes guesswork, and occasionally a bit of luck.
>
> SmartDefense is incredibly CPU intensive. You won't be able to enable
> most of it unless you buy $MORE, where $MORE is defined as one or more
> of: bigger hardware, multi-CPU licenses, coreXL, clusterXL.
>
> As others have indicated, tuning SmartDefense is most of the time "rule
> on" or "rule off". See the luck required for log correlation above for
> some of the more obscure cases ....
>
> Unlike snort, you have no visibility into what the rule is checking for
> or doing.
>
> And, to add the icing on the cake, Checkpoint has replaced SmartDefense
> with their reworking of NFS's IPS in R70. So, SmartDefense is dead, and
> unlamented.
>
> --
> -- John E. Jasen (jjasen (at) realityfailure (dot) org [email concealed])
> -- No one will sorrow for me when I die, because those who would
> -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus