Contents
Introduction
Understanding deployment needs
Selecting placement points
Choosing the right IPS to meet your needs
Tuning and configuring
Ready for prevention
Other useful tips and practices
External notification
IPS authorized privileges
Retention considerations
Summary
Introduction
Interest in intrusion prevention has been gaining ground since late 2006. There are a number of reasons for this, not least of which is the view that a defense-in-depth strategy is essential in any enterprise network environment. Regulatory compliance reports and other requirements are also leading many to consider implementing intrusion prevention systems (IPSs) as a next-generation security technology. Whatever the reason, it is important not only to select the right technology but also to deploy it correctly. To support both objectives, this white paper outlines the criteria for a successful IPS deployment. First, it is important to remember that "IPS" can refer to network- and host-based IPS, firewalls, and modified networking equipment such as routers and switches. Because of the limitations of certain network equipment and of host-based IPS solutions, this white paper focuses only on best practices for deploying a dedicated network IPS.
This process should also account for the confidence score that a particular detected event is actually malicious. Some products have this capability built in and offer a more granular level of tuning. This is tremendously beneficial because it lets you configure the level of prevention based on the confidence score associated with a given security event. An attack that matches a known signature should get a high confidence score, while suspicious activity that is ambiguous in nature is given a lower confidence score. As the user, you could set the IPS to block attacks that score 90 percent or higher. This lets you prevent serious attacks without risking the inadvertent blocking of legitimate traffic.
Once you have done your initial tuning, and any necessary remediation, you may think you are ready for the next step. But many applications do not run all the time, so the IPS would not see them early and often. Many, like backups, run only at night or on odd days. Financial and payroll applications may run only weekly or monthly. Accounting packages may run only at month-, quarter-, or year-end. So, although the bulk of the tuning can be done at the beginning, you will most likely have to revisit this process over the course of the next few days, weeks, or months. A common approach is to tune initially, and then tune again one weekend and one month- or quarter-end later.
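A way to try out the confidence-score threshold and the repeat-tuning step described in the two paragraphs above, as an added example that is not Check Point's code or any product's API: the event format, protection names, hosts and the 90 percent threshold are constructed. A detect-only pass shows what prevention would have blocked and which of those blocks hit a known periodic job (here the nightly backup server), which is then tuned out as an exception before a second pass.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    """One IPS event as logged in detect-only mode (constructed format)."""
    protection: str   # IPS protection that fired
    src: str          # source host
    confidence: int   # product's confidence score, 0-100, that the event is malicious

@dataclass
class Policy:
    block_threshold: int = 90                     # block only at this score or higher
    exceptions: set = field(default_factory=set)  # (protection, src) pairs tuned out

def decide(ev: Event, policy: Policy) -> str:
    """Return 'ignore', 'block' or 'alert' for one event under the policy."""
    if (ev.protection, ev.src) in policy.exceptions:
        return "ignore"
    if ev.confidence >= policy.block_threshold:
        return "block"
    return "alert"

def review(events, policy, known_jobs):
    """Dry run before enabling prevention: how many events would be blocked, and
    which (protection, src) blocks hit a host on the known periodic-job list."""
    would_block = [e for e in events if decide(e, policy) == "block"]
    hits = [(e.protection, e.src) for e in would_block if e.src in known_jobs]
    return len(would_block), hits

# Constructed sample from a weekend run: real signature matches plus the nightly
# backup server tripping an anomaly-based protection with a high score.
SAMPLE_EVENTS = [
    Event("Worm.Known.Signature", "192.0.2.15", 99),     # signature match
    Event("SMB.Excessive.Transfer", "10.0.3.40", 93),    # anomaly, backup server
    Event("HTTP.Suspicious.Header", "192.0.2.22", 60),   # anomaly, ambiguous
    Event("SQL.Injection.Signature", "192.0.2.31", 97),  # signature match
]
KNOWN_JOBS = {"10.0.3.40"}   # backup server: runs only at night and on weekends

def tuning_pass(events=SAMPLE_EVENTS, known_jobs=KNOWN_JOBS):
    """Review, tune out every block that hit a known job, review again.
    Returns (blocks_before, hits_before, blocks_after, hits_after)."""
    policy = Policy()
    blocks_before, hits_before = review(events, policy, known_jobs)
    policy.exceptions.update(hits_before)
    blocks_after, hits_after = review(events, policy, known_jobs)
    return blocks_before, hits_before, blocks_after, hits_after

if __name__ == "__main__":
    print(tuning_pass())   # (3, [('SMB.Excessive.Transfer', '10.0.3.40')], 2, [])
```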
An easy place to start is with inspection for known malware and/or malicious code execution. This offers immediate benefits because the IPS will begin mitigating worms and viruses at the point of deployment right away. It is also important to bear in mind that systems already infected with malware can be carried into your network from the outside, so some consideration should be given to identifying internally infected resources. Once you have completed your advanced tuning for external threats, you can then create rules and policies for your IPS to address internally compromised resources. Laptops are prime targets since they are often used outside the protective corporate environment for extended periods. The backdoor communications of these infected systems are what give them away. Certain malware and spyware have a replication and reporting component in which the infected system tries to communicate with a master system while it tries to spread its infection. For example, an exploit may launch its own email server and then email its infection to every person listed in your address book. This can be detected by looking for outgoing email traffic coming from an email server that is not identified as a corporate mail server. It may even be sending over a nonstandard port rather than the usual mail port.
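The outbound-mail check just described, worked as detection logic over constructed flow records (an added example, not Check Point's code): the corporate mail-server list, the internal address range, the host addresses and the three-destination threshold are all assumptions, and the "app" field stands for the protocol the IPS identifies from the payload (banner/EHLO) rather than from the port, so a session on a nonstandard port is still counted.

```python
import ipaddress
from collections import defaultdict

# Assumed site data: sanctioned corporate mail servers and the internal range.
CORPORATE_MAIL_SERVERS = {"10.0.5.10"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
STANDARD_SMTP_PORTS = {25, 465, 587}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_rogue_mailers(flows, min_destinations=3):
    """Flag internal hosts, other than the corporate mail servers, that speak SMTP
    to at least min_destinations external hosts. 'app' is the protocol the IPS
    identified from the payload (banner/EHLO), so a nonstandard port still counts."""
    destinations = defaultdict(set)
    odd_ports = defaultdict(set)
    for f in flows:
        if f["app"] != "smtp":
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                  # only internal-to-external mail matters here
        if f["src"] in CORPORATE_MAIL_SERVERS:
            continue                  # sanctioned mail server
        destinations[f["src"]].add(f["dst"])
        if f["dport"] not in STANDARD_SMTP_PORTS:
            odd_ports[f["src"]].add(f["dport"])
    return {
        src: {"destinations": len(dsts), "nonstandard_ports": sorted(odd_ports[src])}
        for src, dsts in destinations.items() if len(dsts) >= min_destinations
    }

# Constructed sample flows: the corporate mail server, a laptop mailing several
# external hosts (once over port 2525), and a workstation with one SMTP session.
SAMPLE_FLOWS = [
    {"src": "10.0.5.10",  "dst": "198.51.100.2", "dport": 25,   "app": "smtp"},
    {"src": "10.0.5.10",  "dst": "198.51.100.3", "dport": 25,   "app": "smtp"},
    {"src": "10.0.20.77", "dst": "198.51.100.4", "dport": 25,   "app": "smtp"},
    {"src": "10.0.20.77", "dst": "198.51.100.5", "dport": 25,   "app": "smtp"},
    {"src": "10.0.20.77", "dst": "198.51.100.6", "dport": 2525, "app": "smtp"},
    {"src": "10.0.20.77", "dst": "203.0.113.9",  "dport": 443,  "app": "https"},
    {"src": "10.0.20.80", "dst": "198.51.100.7", "dport": 587,  "app": "smtp"},
]

if __name__ == "__main__":
    for host, info in find_rogue_mailers(SAMPLE_FLOWS).items():
        print(host, info)   # 10.0.20.77 {'destinations': 3, 'nonstandard_ports': [2525]}
```

Raising min_destinations, or adding sanctioned relay hosts to CORPORATE_MAIL_SERVERS, is the tuning knob that keeps a single legitimate submission from a workstation out of the findings.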
Summary
Leading a successful IPS deployment will require the following steps:
Understanding your needs for real-time threat protection
Selecting the right IPS product for your organization
Determining the right placement points for your IPS deployment
Taking the time to tune your system right
Setting up your compliance-reporting parameters
Configuring your IPS for data retention and backup
Periodic, but necessary, evaluation of your overall system use
2003-2008 Check Point Software Technologies Ltd. All rights reserved.
May 30, 2008 P/N 503062