Scribd
Upload
17 views

Advanced IPS

This document discusses Check Point's Advanced IPS training course. The course provides an in-depth review of IPS technology, including the architecture and best practices for implementation and usage. It covers topics such as IPS management, monitoring, tuning, debugging, and the lab topology used. The training aims to help attendees better configure, test and troubleshoot the IPS software blade to enhance network protection.

Uploaded by

punitdubey.ece
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
17 views

Advanced IPS

This document discusses Check Point's Advanced IPS training course. The course provides an in-depth review of IPS technology, including the architecture and best practices for implementation and usage. It covers topics such as IPS management, monitoring, tuning, debugging, and the lab topology used. The training aims to help attendees better configure, test and troubleshoot the IPS software blade to enhance network protection.

Uploaded by

punitdubey.ece
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 203

Advanced IPS

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties
Preface

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 3
Training Blades and Certification

2 WAYS to EXTEND CCSA / CCSE for 1 YEAR

1.
Take and pass
any 2 Training
Blades OR
+
AppControl Introduction to IPS

Attend and pass


1 Instructor-led Based on a 2 day course
class

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 4
Certification Renewal Examples

CCSA Certification CCSE Certification


Extension Options Extension Options

• Application Control • Advanced GAiA ILT


Training Blade • Advanced IPS ILT
• DLP Training Blade • SmartConsole
• Introduction to IPS Managed VSX ILT
Training Blade • P1 Managed VSX ILT
• All ILT • Endpoint ILT
• CCSA exam • CCSE exam

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 5
Check Point Advanced IPS

Key Course Elements

 In-depth review of IPS technology


 Overview of IPS intrusion prevention architecture
 Best practices implementation and usage of IPS
software blade

 IPS fine-tuning instructions


 Basic IPS troubleshooting tips

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 6
Advanced IPS Course Chapters

1. IPS Management
2. IPS Monitoring
3. IPS Architecture
4. IPS Tuning
5. IPS Debugging

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 7
Lab Topology

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 8
Check Point 3D Security

 Policies that support business needs and transform


security into a business process

 Security that involves People in policy definition,


education and incident remediation

 Enforce, consolidate and control all layers of


security- network, data, application, content and user

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 9
Check Point 3D Security

 Security is a process
– A network is never 100% secure
– IT security policy must be transparent
– Challenges to IT involve security, deployment, management,
and compliance
– Security products are tools to avoid risk

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 10
Check Point 3D Security

IT security best practices:

1. Perform a risk assessment


2. Develop and enforce a policy
3. Address known vulnerabilities
4. Control and monitor devices
5. Conduct audits

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 11
IPS Management

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 12
IPS Management

Learning Objectives

 Configure the IPS Blade


 Test IPS Functionality

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 13
IPS Management

Check Point IPS Overview

 IPS another layer of defense


– Analyze traffic contents for risk
– Protects both clients and servers
– Controls network usage of certain applications

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 14
IPS Management

Check Point IPS Overview

 Check Point IPS can be deployed in two ways:


– IPS Software Blade
– IPS-1 Sensor

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 15
IPS Management

Check Point IPS Overview

 The layers of IPS engine protection include the


detection and prevention of:
– Known exploits
– Vulnerabilities
– Protocol misuse
– Outbound malware communication
– Tunneling attempts
– Certain Applications
– Generic attack types
9

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 16
IPS Management

Check Point IPS Overview

 IPS Capabilities
– Simple management interface
– Reduced management
– Unified control
– Easy navigation
– Gbp throughput
– #1 security coverage for Microsoft and Adobe
– Resource throttling
– Complete integration with Check Point tools
10

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 17
IPS Management

Check Point IPS Overview

 IPS Example
– Malware can be downloaded by a user unknowingly
when browsing to a legitimate web site, also known as a
drive-by-download.
– The malware may exploit a browser vulnerability by
creating a special HTTP response and sending it to the
client.
– IPS can identify and block this type of attack even
though the firewall may be configured to allow the HTTP
traffic to pass
10

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 18
IPS Management

IPS in SmartDashboard

11

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 19
IPS Management

IPS in My Organization

11

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 20
IPS Management

IPS in My Organization

12

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 21
IPS Management

Security Status

13

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 22
IPS Management

Security Status

 If the current number of attacks is much higher than the


average:
– This may indicate a security issue that you should handle
immediately.
– For example, if more than 500 critical attacks were handled by
IPS in the past 24 hours
– And the average is 45
– Your organization has been targeted with critical persistent
attacks
– This should be handled urgently.

13

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 23
IPS Management

Security Status

 If the current number of attacks is much lower than the


average:
– This may indicate an issue with IPS usage that you should
troubleshoot.
– For example, if less than 10 critical attacks were handled by IPS
in the past 24 hours
– With the average of 45
– There is a possible issue with IPS configuration
– Perhaps a gateway was installed with a policy that didn't include
an IPS profile.

13

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 24
IPS Management

Security Center

14

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 25
IPS Management

IPS Profiles

 IPS profiles enable you to configure sets of protections for


groups of gateways.
 Without profiles you would have to configure IPS in a
global policy for all your devices and network behavior, or
configure each device separately.
 With profiles, you have both customization and efficiency.
 Each profile defines the IPS policy, which is the activation
mode of each protection - detect or prevent and the policy
for automatic activation. 14

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 26
IPS Management

IPS Profiles

 A Profile is a container for the IPS policy


 A Profile can be shared between multiple gateways
 A gateway can only have one Profile
 All protections and most settings are included in a profile –
across all engines
 During policy compilation the management will assign the
correct set of protections and settings to the specific engine
14

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 27
IPS Management

Protection Types

 IPS provides for both Client and Server protections:


– Client protections — Protections that mainly look for
malicious data in the stream from the server to the client.
Protects the OS and applications on the client.

– Server protections — Protections that mainly look for


malicious data in the stream from the client to the server.
Protects the OS and applications on the server

15

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 28
IPS Management

Creating Profiles

 When you create a profile, you create a new


SmartDashboard object.
 Protections can be activated, deactivated or given specific
settings to allow the profile to focus on identifying certain
attacks.
 The profiles can then be applied to groups of devices that
need to be protected against those certain attacks.

15

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 29
IPS Management

Creating Profiles

 To create a profile:
1.In the IPS tab, select Profiles.
2.Click New and choose an
option:
3.Configure the General
Properties
4.Select IPS Policy
5.Click OK to create the profile

16

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 30
IPS Management

Predefined Profiles

 Check Point IPS blade provides two out-of-the-box, pre-


defined profiles that immediately enforce IPS protection in
your environment:
– Default_Protection
– Recommended_Protection

 Users can deploy these IPS Profiles as their IPS policy, or as


a starting point in their IPS definitions, then move the Profile to
the associated Security Gateways.

17

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 31
IPS Management

Settings for Predefined Profiles

17

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 32
IPS Management

IPS Mode

 IPS Mode determines the default action of IPS protections

– Detect – detects and tracks traffic events identified as a threat

– Prevent. – detects tracks and blocks traffic identified as a threat

 Detect mode is typically used to passively monitor traffic and


to test new protections, configurations or profile changes.

18

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 33
IPS Management

Severity

 The severity is assigned by the following criteria:


– Public opinion of attack
– How high SANS, CVSS, and Snort rate the severity of the exploit
– Vendor ratings (Adobe, Microsoft)
– Check Point’s rating
– Each vulnerability includes a severity rating according to the vendor
– Result/impact of attack:
– Intrusion
– Remote code execution
– DoS - restart, shutdown, crash, memory leak
– Information leak - P2P
– Resource abuse 18

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 34
IPS Management

Severity (cont.)

 Ease of post-attack recovery


 Randomness of attack
 The probability of the attack being generated maliciously as opposed to innocently
 Attack's spreading capabilities (worms)
 Locality of attack (system-wide, local application, etc.)
 Type/popularity of attack
 An attack effecting a widespread application will receive a higher severity
 Frequency of attack
18

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 35
IPS Management

Confidence Level

 For every event that traverses the gateway, IPS calculates the
likelihood that the event is indeed an attack.
– Low: likely or known false positive
– High: likely to indicate an attack

 Between these two are:


– Medium-Low
– Medium
– Medium-High

19

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 36
IPS Management

Performance Impact

 The Performance Impact of a protection is based on its impact


on the entire enforcement module performance.
 The performance impact is derived from the complexity of the
protection
– how much inspection/protocol decoding is required
– how much traffic is inspected due to the nature of the protocol
(for example: HTTP - lots of traffic, Telnet - little traffic).

19

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 37
IPS Management

Performance Impact

 The Performance Impact of a protection is based on its impact


on the entire enforcement module performance.
 The performance impact is derived from the complexity of the
protection
– how much inspection/protocol decoding is required
– how much traffic is inspected due to the nature of the protocol
(for example: HTTP - lots of traffic, Telnet - little traffic).

 the impact of executing a single protection over HTTP, and


500 protections over HTTP is almost the same
19

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 38
IPS Management

Protocol Anomalies

 Protocol anomaly protections compare traffic to the protocol


standard.
 An invalid bind ack is an example of a protocol standard
violation.

20

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 39
IPS Management

Category

 The IPS protections are grouped into 3 main categories which


are further divided into sub-categories. The main categories
are:
– Network Security
– Application Security
– Web Intelligence

20

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 40
IPS Management

Updating Policy

 The update policy defines the protection mode


(detect/prevent) of new protections.
 New protections are automatically downloaded and deployed
according to the IPS Profile policy.
 IPS can be configured to automatically download and push
new signatures as per the IPS Profile. Also,
 Update Policy customers can configure all newly downloaded
protections to be deployed in detect or prevent mode.
20

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 41
IPS Management

Network Exceptions

 Network exceptions allow customers to create legitimate


exceptions to their defined IPS policy.
 For example:
– A typical IPS policy will block network scanning.
– If customers want to regularly run a network scanner, they create
an IPS network exception to allow the scan to run from a specific
IP address.

20

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 42
IPS Management

Profile Workflow

 This is the recommended workflow while defining a new


profile, or while tuning a pre-defined profile:
1. Set detection mode
2. Choose what assets to protect
3. Deactivate risky protections
4. Set your update policy
5. Tune protections manually

20

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 43
IPS Management

Automatically Activating Protections

 To simplify the management of the IPS protections settings, a


profile can be configured to automatically enable protections
based on user defined.
 When the IPS Policy activates a protection, the protection will
enforce the action set in the IPS Mode, either Detect or
Prevent.
 In some instances a protection will be set to Detect if it meets
the criteria to be set to Inactive, but does not support the
Inactive status.
21

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 44
IPS Management

Automatically Activating Protections (cont.)

 There are numerous protections available in IPS.


 Some are easily configured for basic security without going
too deeply into the details of the threat and the protection.
 Many protections can be safely activated automatically.
 It is recommended that you allow IPS to activate protections
according to the IPS policy in the beginning. Then you can
manually modify the protection settings as needed according
to your monitored traffic.
21

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 45
IPS Management

Automatically Activating Protections (cont.)

 In the Protections to Deactivate area, select relevant criteria


and then select the value that fits:
– Protections have severity
– Protections have confidence level
– Protections have performance impact
– Protection Anomalies

21

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 46
IPS Management

Protection Browser

23

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 47
IPS Management

Customizing the Protection Browser View

 To change which columns are


visible:
1. Click View > Customize.
2. The Customize window opens.
3. Any column you do not want to
appear, move to the Available
fields list; any you do want to
see, let them remain in the
Visible fields list.
4. Click OK.

23

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 48
IPS Management

Filtering Protections

 Use the Protections page for filtering the complete protections


list. You can filter by:
– Protection name
– CVE number
– Any information type that is displayed in the columns.

24

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 49
IPS Management

Sorting Protections

 Filtering by information type has a draw-back, you have to


know valid values for the information. To sort the protections
list by information:
– Click the column header of the information that you want.
– For example, to see protections ordered by Severity, beginning
with Critical, click the Severity column header.
– You can sort the list with multiple criteria: first sort by criteria A
and then by criteria B.

25

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 50
IPS Management

Sorting Protections

 For example, you want to see


protections marked for Follow Up,
but you want to start with the most
critical protections, sort by Follow
Up and by Severity.

 To sort by multiple values:


1. Click View > Sort
2. Choose the column headers by
which you want to sort the list
and then click OK.

26

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 51
IPS Management

Exporting Protections List

 To enable administrators to analyze protections in alternative applications,


you can export the Protections list as a comma-delimited file.

 The exported information includes all protections, with all table fields
regardless of any applied sorting or filtering.

 To export the Protections list:


1. Click View > Export View.
2. In the Save As dialog box provide a filename and click Save.

26

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 52
IPS Management

Protection Parameters

 Most protections have graded parameters, provided to help you decide


which protections to activate for security and which can be safely
deactivated, for connectivity and performance.

27

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 53
IPS Management

Explanation of Protection Parameters

27

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 54
IPS Management

Explanation of Protection Parameters by Type

28

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 55
IPS Management

Protection Mode

 Each protection has a mode, which determines whether IPS inspects


packets for this protection, and if so, what it does if the packet matches a
threat symptom.
– Inactive
– Active
– Prevent
– Detect

28

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 56
IPS Management

IPS Updates

 Check Point is constantly working to improve its protections and develop


protections to protect against the latest threats.

 You can update your IPS protections manually at any time.


 You can also download and install updates with a schedule.
 You must re-install the security policy on the Enforcing Gateways after
running an update before the gateways will receive the updates.

29

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 57
IPS Management

Configure Update Options

 Before downloading the latest protections, configure the following options:


– Mark new protections for follow-up
– Enter proxy server information
– Apply Revision Control automatically
– Check for new updates - SmartDashboard

29

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 58
IPS Management

Updating IPS Manually

 You can immediately update IPS with real-time information on attacks and all the
latest protections from the IPS website.

 You can only manually update IPS if a proxy is defined in Internet Explorer settings.
 To obtain updates of all the latest protections from the IPS website:
1. Configure the settings for the proxy server in Internet Explorer.
In Microsoft Internet Explorer, open Tools > Internet Options > Connections tab > LAN
Settings. The LAN Settings window opens.
Select Use a proxy server for your LAN.
Configure the IP address and port number for the proxy server.
Click OK.
2. In the IPS tab, select Download Updates and click Update Now.
If you chose to automatically mark new protections for Follow Up,
you have the option to open the Follow Up page directly to see the new protections.
30

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 59
IPS Management

Scheduling IPS Updates

31

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 60
IPS Management

Scheduling IPS Updates

 New protections can be enabled as


Detect or Prevent, per profile.

 A downloaded protection will always


be considered as new.

 Only existing built in protections will


honor the main Detect/Prevent
settings.

 If you set the Update Policy setting to


Detect, you must manually change
protections to Prevent, to enforce the
protection.
32

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 61
IPS Management

Offline Update

32

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 62
IPS Management

Network Exceptions

 For most signature protections, exceptions are checked after the first tier of the
pattern matcher.

 For most Application Control and Protocol Anomalies, protections exceptions are
checked first.

 To apply the Network Exceptions to a pattern, add them to the new protection
converted from the relevant pattern.

 Check Point components can use non-standard HTTP and SSL ports to
communicate. Implied exceptions exclude this traffic from IPS inspection.

33

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 63
IPS Management

Network Exceptions

33

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 64
IPS Management

Network Exceptions - Performance

 Signature protections:
– Adding many exceptions does not have a performance impact –
most traffic does not make it through the first tier of the PM
– Adding exceptions to help when you are having a performance
issue does not help

 Application Control and Protocol Anomalies


– Adding many exceptions can have a small performance impact
– Adding exceptions can help to fix performance issues

34

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 65
IPS Management

Tracking Protections Using Follow Up

 The Follow Up mark provides monitoring features for IPS


protections:
– one-stop page for protections to monitor
– quick view of protection parameters
– easy access to newly updated protections.

 You can mark individual protections for Follow Up,


allowing you to quickly review them

34

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 66
IPS Management

Tracking Protections Using Follow Up

35

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 67
IPS Management

Geo Protection

 Geo Protection allows you to control traffic by country.


 You can define a policy to block or allow traffic to or from
specific countries, and a policy that applies to all other
countries.
 To operate Geo Protection, you are required to have:
– A valid IPS contract.
– A Software Blade license for each Security Gateway that
enforces Geo Protection, and for the Security Management
Server.
35

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 68
IPS Management

Geo Protection

36

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 69
IPS Management

Bypass Under Load

 You have the option to temporarily stop IPS inspection on


a gateway if it comes under heavy load.
– Use the Bypass Under Load mechanism to automatically
disable the IPS in the unlikely event of high load (be
careful!)
– When the CPU or memory usage exceeds a certain
threshold, IPS inspection will be disabled until the low
thresholds are reached.

36

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 70
IPS Management

Bypass Under Load

37

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 71
IPS Management

Review Questions

1. What ways can IPS be deployed?

39

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 72
IPS Management

Review Questions

1. What ways can IPS be deployed?


– IPS Software Blade
– IPS-1 Sensor.

39

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 73
IPS Management

Review Questions

2. If your IPS Security Status shows lower than


average attacks, this may indicate what?

39

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 74
IPS Management

Review Questions

2. If your IPS Security Status shows lower than


average attacks, this may indicate what?
– An issue with IPS configuration.

39

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 75
IPS Management

Review Questions

3. What are the IPS blade predefined profiles?

39

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 76
IPS Management

Review Questions

3. What are the IPS blade predefined profiles?


– Default_Protection – excellent performance, with basic
protection.
– Recommended_Protection – excellent security, with
good performance.

39

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 77
IPS Management

Lab Practice

 Lab 1: Deploying IPS


 Lab 2: Deploying Geo Protection In IPS

41

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 78
IPS Monitoring

93

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 79
IPS Monitoring

Learning Objectives

 Test the Default_Protection Profile


 Define a New Profile
 Identify Attacks with SmartEvent Viewer

94

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 80
IPS Monitoring

IPS Event Analysis

 IPS Event Analysis provides tools for translating IPS logs into a
complete picture of your security.

 By automating the aggregation and correlation of raw log data,


IPS Event Analysis minimizes the amount of data that needs to
be reviewed and isolates and prioritizes the real security threats.

 These threats may not have been otherwise detected when


viewed in isolation, but pattern anomalies appear when data is
correlated over time.

 With IPS Event Analysis, you can focus on understanding the


impact on your business and concentrate on mitigating the
threats that pose the greatest risks. 95

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 81
IPS Monitoring

Scalable, Distributed Architectuere

 IPS Event Analysis delivers a flexible, scalable


platform capable of managing millions of logs per day
per correlation.
 IPS Event Analysis can be installed on a single server
but has the flexibility to spread processing load
across multiple correlation units and reduce network
load.

95

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 82
IPS Monitoring

Easy Deployment

 IPS Event Analysis is preconfigured for tight


integration
 It interfaces with existing Security Management log
servers
 All objects defined in the Security Management
server are automatically accessed and used by the
IPS Event Analysis server
 An enterprise can install and have IPS Event Analysis
detecting threats in hours. 95

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 83
IPS Monitoring

Event Investigation Tracking

 IPS Event Analysis enables administrators to


investigate threats using flexible data queries which
are presented in timelines or charts.
 Once suspect traffic is identified, actions taken to
resolve the threats are tracked using work tickets,
allowing you to keep a record of progress made using
statuses and comments.
 Daily or weekly events reports can be distributed
automatically for incident management and decision
95
support.
©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 84
IPS Monitoring

IPS Event Analysis Architecture

96

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 85
IPS Monitoring

Data Analysis and Event Identifications

 The Correlation Unit is responsible for analyzing the log entries


and identifying events. The Correlation Unit does one of the
following:
– Marks log entries that by themselves are not events, but may
be part of a larger pattern to be identified.
– Takes a log entry that meets one of the criteria set in the
Events Policy and generates an event.
– Takes a log entry that is part of a group of items that depict a
security event together.
– Discards all log entries that do not meet event criteria

97

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 86
IPS Monitoring

IPS Event Analysis Client

 The IPS Event Analysis client provide the tools necessary for
configuring definitions which will recognize security-related
issues in the network infrastructure.

 What can I do with the IPS Event Analysis client?


– Real-time Monitoring
– Event Investigation
– Resolution Tracking
– Security Status Reporting

97

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 87
IPS Monitoring

SmartEvent

98

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 88
IPS Monitoring

IPS Event Analysis Client Tools – Overview Tab

99

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 89
IPS Monitoring

IPS Event Analysis Client Tools – Events Tab

99

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 90
IPS Monitoring

IPS Event Analysis Client Tools – Timeline Tab

100

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 91
IPS Monitoring

IPS Event Analysis Client Tools – Charts Tab

100

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 92
IPS Monitoring

IPS Event Analysis Client Tools – Maps Tab

101

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 93
IPS Monitoring

IPS Event Analysis Client Tools – Reports Tab

101

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 94
IPS Monitoring

Review Questions

1. What are the major components in IPS Event


Analysis Architecture?

103

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 95
IPS Monitoring

Review Questions

1. What are the major components in IPS Event Analysis


Architecture?
– IPS Event Correlation Unit - analyses log entries on
log servers.
– IPS Event Analysis Server - contains the Events
Database.
– IPS Event Analysis Client - manages IPS Event
Analysis

103

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 96
IPS Monitoring

Review Questions

2. What can you do with the IPS Event Analysis Client?

103

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 97
IPS Monitoring

Review Questions

2. What can you do with the IPS Event Analysis Client?


– Real-time monitoring
– Event investigation
– Resolution tracking
– Security status reporting

103

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 98
IPS Monitoring

Lab Practice

 Lab 3: Using Profiles in IPS

105

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 99
IPS Architecture

121

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 100
IPS Architecture

Learning Objectives

 Download and install IPS Protections


 Use the IPS follow up protection review process
 Enable and test IPS Troubleshooting Mode
 Modify and test the Bypass Under Load settings

122

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 101
IPS Architecture

Key IPS Architecture Design Elements

 Secure
 Fast Performance
 Accurate
 Reliable
 Updatable
 Application Aware
 Granular Control 123

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 102
IPS Architecture

Key IPS Architecture Design Elements

 Secure
– 0-day threat prevention
– Malicious code detection
– Anomalous behavior detection
– Anomalous protocol detection
– Command injection attack detection
– Phishing attack detection

123

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 103
IPS Architecture

Key IPS Architecture Design Elements

 Fast performance
– Fast no matter how enabled
– Fast no matter how security intensive

123

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 104
IPS Architecture

Key IPS Architecture Design Elements

 Accurate
– Distinguish false positives

123

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 105
IPS Architecture

Key IPS Architecture Design Elements

 Reliable
– Predictable solution
– Try in passive mode
– Tune for prevention
– Maintain connectivity

123

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 106
IPS Architecture

Key IPS Architecture Design Elements

 Updatable
– Evolving solution
– Identify changing genres of attacks
– Real-time threat protection updates

124

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 107
IPS Architecture

Key IPS Architecture Design Elements

 Application Aware
– Peer applications can transfer company confidential
data
– Enforce company policy on applications

124

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 108
IPS Architecture

Key IPS Architecture Design Elements

 Granular Control
– Setting network exceptions
– Forensic tool access

124

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 109
IPS Architecture

Performance – Accelerated Integrated IPS

 When a packet reaches the Security Gateway:


– Firewall checks security policy for allowed connection
– Packet is accelerated and connection offloaded to SecureXL
– SecureXL can be implemented at hardware layer using network processors
– SecureXL can be implemented at virtualized software layer on open servers

124

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 110
IPS Architecture

Performance – Accelerated Integrated IPS

125

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 111
IPS Architecture

Secure – Multi-threat Detection Engine

126

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 112
IPS Architecture

Passive Streaming Library

 Passive Streaming Library (PSL) technology:


– Ensures only valid packets are allowed to destination
– PSL layer can receive packets from firewall chain and SecureXL module
– PSL servers as middle-man between security applications and network
packets
– PSL reassembles TCP packets into a protocol message for inspection
– Prevents TCP hacks which would bypass inspection

126

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 113
IPS Architecture

Unified Streaming

 Applications get streamed data from the PSL layer


 PSL makes sure packets are in order and continuous data available
 If application decides packet is malicious, PSL terminates the connection
 PSL can also work in non-streaming mode
 Non-streaming mode used to inspect UDP connections
 To debug PSL:
– fw ctl zdebug + tcpstr

 To debug Unified Streaming:


– fw ctl zdebug + spii 127

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 114
IPS Architecture

ASPII

 Accelerated Stateful Protocol Inspection Infrastructure


 The infrastructure that manages which protections run on which
connection:
– Fully supports running from SXL context
– Manages Policy - which protection is Detect Only

127

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 115
IPS Architecture

ASPII

 Example:
List of protections for this connection
1. Detect Bittorent
2. Detect Skype
3. Detect...
4. Block Malformed HTTP Connections
.
.
.
37. Block Malformed jpeg

 To debug ASPI: fw ctl zdebug + aspii

128

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 116
IPS Architecture

Protocol Parsers

 The Protocol Parsers:


– Ensure compliance to protocol standards
– Detect anomalies
– Assemble data for further inspection
– Includes HTTP, SMTP, DNS, IMAP, Citrix, etc.
– Heart of the IPS system

128

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 117
IPS Architecture

Protocol Parsers

128

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 118
IPS Architecture

Context Management Infrastructure

 The Context Management Infrastructure (CMI)::


– Is the brain of the IPS engine
– Coordinates different components
– Decides which protections should run
– Decides final action to be performed
– Issues event log

129

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 119
IPS Architecture

Context Management Infrastructure

 When a protection is activated the CMI is responsible for final action,


considering:
– Activation status of the protection
– Exceptions on traffic or protection
– Bypass mode status
– Troubleshooting mode status
– Protecting internal network only, or all traffic

129

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 120
IPS Architecture

Context Management Infrastructure

 When a protocol parser recognized a context, it will


notify CMI.

 Then CMI will execute all relevant protections


(signatures and inspect handlers) for this context.

 Introduce a “ first tier” scan to improve performance:

 Execute an Aho-Corasick algorithm on the context –


a fast search for the longest simple string that
represents the protection.

 We will execute only protections that were matched


by the Aho-Corasick. This is the “second tier” -
inspect code/RX.

 CMI will inform the parser the results of the 130


execution.

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 121
IPS Architecture

Pattern Matcher

 The Pattern Matcher is:


– Fundamental engine in new enforcement architecture
– Identifies harmless packets
– Identifies common signatures in malicious packets
– Does 2nd level analysis to reduce false positives

 Two-tier inspection process:


– 1st tier filters out majority of harmless traffic by looking for signatures
– If common attack signature is identified, passes connection to 2 nd tier

131

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 122
IPS Architecture

Compound Signature Identification

 Compound Signature Identification (CSI):


– Sophisticated signature inspections
– Application identification
– Matches signatures from multiple parts of traffic
– Addresses signatures on multiple parts of a packet, protocol, or connection

131

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 123
IPS Architecture

Compound Signature Identification

132

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 124
IPS Architecture

INSPECTv2

 INSPECT:
– Provides scalable open approach to generic traffic analysis

 INSPECTv2 extends to improve performance


– Increases ease of writing new protections
– Meets complex parsing requirements
– Offers many programming language tools for writing protections
– Loops, conditions, states, calculations, etc.
– Accelerated across multiple CoreXL cores

132

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 125
IPS Architecture

How the Architecture Runs IPS

133-134

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 126
IPS Architecture

Review Questions

1. What is the role of the Passive Streaming Library?

137

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 127
IPS Architecture

Review Questions

1. What is the role of the Passive Streaming Library?


– Reassemble TCP packets into an ordered
protocol message to allow inspection.

137

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 128
IPS Architecture

Review Questions

2. What do the Protocol Parsers do?

137

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 129
IPS Architecture

Review Questions

2. What do the Protocol Parsers do?


– Ensures compliance to well-defined protocol
standards, to detect anomalies.

137

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 130
IPS Architecture

Lab Practice

 Lab 4: Manually Updating IPS Protections (Optional)


 Lab 5: IPS Troubleshooting Features

137

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 131
IPS Tuning

175

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 132
IPS Tuning

Learning Objectives

 Configure Protection Engine Settings


 Identify Top Events and Protections
 Modify Protections to defend against common attacks
 Debug the logging mechanism

176

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 133
IPS Tuning

Managing Performance Impact

 A Check Point Security Gateway performs many functions to


secure your network.
 At times of high network traffic load, security functions may
impact gateway's ability to quickly pass traffic.
 IPS includes features which balance security needs, with the
need to maintain high network performance.

177

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 134
IPS Tuning

Gateway Protection Scope

 By default, gateways inspect inbound and outbound traffic for


threats.
 This behavior protects network from threats from outside of
network, and from your network.
 Changing this setting to only protect internal hosts will
improve the performance of your gateway.

177

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 135
IPS Tuning

Gateway Protection Scope

177

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 136
IPS Tuning

Gateway Protection Scope

178

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 137
IPS Tuning

Web Protection Scope

 Allows the administrator to choose only to apply a protection


to traffic associated with specific servers.
 Limits the inspection activities for that protection only to the
traffic which is most likely to be subjected to an attack.
 For example:
– HTTP protections should be applied only to servers or clients
involved in HTTP traffic.
– Web Intelligence can be tuned for greater Web server security
at the expense of connectivity and performance, or vice versa.
178

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 138
IPS Tuning

Bypass Under Load

179

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 139
IPS Tuning

Cluster Failover Management

180

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 140
IPS Tuning

Tuning Protections

 IPS profiles allow you to apply all of the protections as a group to specific
gateways.

 It is recommended to create separate profiles for different gateway


location types.
– For example, the group of gateways at the perimeter should have a
separate profile than the group of gateways protecting the data
centers.

 Because newer versions includes some features that are not supported
by older gateways (or have a different effect there), it is recommended to
apply different profiles for current gateways and for older gateways.
180-181

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 141
IPS Tuning

IPS Policy Settings

 IPS Policy settings allow you to control the entire body of protections with
few basic decisions.

 Activating a large number of protections, including those with low severity


or a low confidence level, protects against a wide range of attacks, but
can also create a volume of logs and alerts difficult to manage.

 This level of security may be necessary for highly sensitive data and
resources; however it can create system resource and log management
challenges when applied to data and resources that do not require high
security.

181

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 142
IPS Tuning

IPS Policy Settings

 It is recommended to adjust the IPS Policy settings to focus the


inspection effort in the most efficient manner.

 Once system performance and log generation reaches a comfortable


level, the IPS Policy settings can be changed to include more protections
and increase the level of security.

 Individual protections can be set to override the IPS Policy settings.


 A careful risk assessment should be performed before disabling any IPS
protections.

181

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 143
IPS Tuning

Focus on High Severity Protections

 IPS protections are categorized according to severity.


 An administrator may decide that certain attacks present minimal risk to a
network environment
– also known as low severity attacks.

 Consider turning on only protections with a higher severity to focus the


system resources and logging on defending against attacks that pose
greater risk.

181

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 144
IPS Tuning

Focus on High Confidence Level Protections

 Broad protection definitions are required to detect certain attacks that are
elusive.

 These low confidence protections can inspect and generate logs in


response to traffic that are system anomalies or homegrown applications,
not an actual attack.

 Consider turning on only protections with higher confidence levels to


focus on protections that detect attacks with certainty.

 PS Network Exceptions can also be helpful to avoid logging non-


threatening traffic.

181

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 145
IPS Tuning

Focus on Low Performance Impact Protections

 IPS is designed to provide analysis of traffic while maintaining multi-


gigabit throughput.

 Some protections may require more system resources to inspect traffic


for attacks.

 Consider turning on only protections with lower impact to reduce the


amount system resources used by the gateway.

182

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 146
IPS Tuning

Enhancing System Performance

 Check Point offers Performance Pack to improve gateway performance.


 For SecurePlatform and Gaia gateways running on multi-core hardware,
installing CoreXL on the gateway will allow the gateway to leverage the
multiple cores to more efficiently handle network traffic.

182

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 147
IPS Tuning

Configure Servers

 Protections for some hosts, such as DNS Servers, Web Servers and Mail
Servers require additional configuration.

 Making sure these hosts are properly configured for IPS allows for more
accurate alerting, and performance improvement.

182

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 148
IPS Tuning

DNS Servers

182

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 149
IPS Tuning

Web Servers

 The Web protocol protections


prevent attacks that use web
protocols and vulnerabilities to:
– Damage your network
– Use your network resources to
attack other networks.

 Web servers require special


protection from these attacks.

183

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 150
IPS Tuning

Mail Servers

 The Mail protocol protections prevent improper POP3, IMAP and


SMTP traffic from damaging your network

184

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 151
IPS Tuning

Servers to Check

 Servers to check/configure for IPS, if they are in your network:


– DNS servers
– SMTP servers
– Web servers
– CA servers
– Exchange servers
– SNMP servers
– Trend servers
– Veritas servers
– And more...

184

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 152
IPS Tuning

Engine Settings

185

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 153
IPS Tuning

Example – MS-RPC

185

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 154
IPS Tuning

Example – MS-RPC

186

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 155
IPS Tuning

Review Questions

1. On the Gateway, you have a choice of protecting


internal hosts only, or perform IPS inspection on all
traffic. Why would you choose to protect internal
hosts only?

187

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 156
IPS Tuning

Review Questions

1. On the Gateway, you have a choice of protecting


internal hosts only, or perform IPS inspection on all
traffic. Why would you choose to protect internal
hosts only?
– To improve Gateway performance.

187

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 157
IPS Tuning

Review Questions

2. What do IPS profiles allow you to do?

187

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 158
IPS Tuning

Review Questions

2. What do IPS profiles allow you to do?


– Apply protections as a group to specific gateways.

187

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 159
IPS Tuning

Lab Practice

 Lab 6: Tuning IPS Performance

189

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 160
IPS Debugging

219

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 161
IPS Debugging

Learning Objectives

 Use debug to gather IPS statistics


 Use tcpdump to identify the source of an attack
 Modify protections to prevent attack source
 View Security Gateway messages

220

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 162
IPS Debugging

IPS Debug Tools

 Tools most often used:


– SmartView Tracker (logs)
– Packet Capture
– Kernel Debug

221

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 163
IPS Debugging

SmartView Tracker

221

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 164
IPS Debugging

SmartView Tracker

 The SmartDashboard allows you to customize your tracking


settings for each Rule Base
– By specifying per-rule whether or not to track the events that
match it.

 To track events that match a rule, choose from a variety of


tracking options, based on the information's urgency.
 For example, you can choose:
– Standard log
– Account log
221-222
– Alert
©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 165
IPS Debugging

SmartView Tracker
 The gateways on which this Policy is installed collect data as specified in the
Policy, and forward the logs to the Security Management server (and/or to Log
Servers, depending on their settings).

 The logs are organized in files according to the order in which they arrived to the
Security Management server.

 All new logs are saved to the fw.log file, except for audit (management-related)
logs, which are saved to the fw.adtlog file.

 The Security Management server makes these logs available for inspection via
SmartView Tracker.

 The Security Management server also performs the operations specified in the
Policy for events matching certain rules (e.g., issuing an alert, sending
email, running a user-defined script etc.). 222

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 166
IPS Debugging

SmartView Tracker

 Other tracking and auditing capabilities:


– SmartView Monitor allows you to manage, view and test the
status of various Check Point components throughout the
system, as well as to generate reports on traffic on interfaces,
specific Check Point products, and other Check Point system
counters.
– SmartReporter allows you to save consolidated records (as
opposed to "raw" logs) and conveniently focus on events of
interest.

222

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 167
IPS Debugging

Tracking Network Traffic

 The SmartView Tracker can track daily network traffic and


activity logged by any Check Point and OPSEC Partners
log-generating product.
 Network administrators can use the log information for:
– Detecting and monitoring security-related events.
– Collection information about problematic issues.
– Statistical purposes such as analyzing network traffic patterns.

222

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 168
IPS Debugging

Log Suppression

 The SmartView Tracker efficiently presents the logs that are


generated from Check Point products.
 To avoid displaying log entries for frequently repeating
events, SmartView Tracker displays the first instance of the
event, then counts subsequent instances which occur in the
next two minutes.
 For as long as the event continues to occur, every two
minutes, SmartView Tracker shows a Log Suppression
Report containing the details of the event as well as the
223
number of times the event occurred.
©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 169
IPS Debugging

SmartView Tracker GUI

 In SmartView Tracker, an entry in the Records pane, is a


record of an event that was logged according to a specific
rule in the Rule Base.
 New records that are added to the fw.log file are
automatically added to the Records pane as well.

224

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 170
IPS Debugging

SmartView Tracker GUI


1. The Network & Endpoint,
Active and Management
modes display different
types of logs.

2. The Query Tree pane


displays the Predefined and
Custom queries.

3. The Query Properties pane


displays the properties of the
fields in the Records pane.

4. The Records pane displays


the fields of each record in
the log file. 224

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 171
IPS Debugging

IPS Column

 The Protection Type column is relevant to IPS protection incidents. You can filter
for any of these types:
– Application Control
– Engine Settings
– Geo Protection
– Protocol Anomaly
– Signature

 Other columns specific to the IPS Software Blade:


– Protected Server
– Source Reputation
– Destination Reputation
– Client Type 225

– Server Type
©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 172
IPS Debugging

SmartView Tracker Modes

 SmartView Tracker Modes


 SmartView Tracker consists of three different modes:
 Log, the default mode, displays all logs in the current fw.log
file.
 Active allows you to focus on connections that are currently
open through the Security Gateways.
 Audit allows you to focus on management-related records
227

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 173
IPS Debugging

Packet Capture

 Familiar with network protocols? View packets that were


tracked by to understand the nature of the attack.
 Capturing a Packet for Every Log
– To capture packet data for a protection for every malicious packet
that is logged, turn on the packet capture option in that protection.
This attaches a packet capture to every log generated by the
protection.

227

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 174
IPS Debugging

Packet Capture

 Automatic Packet Capture in the First Log


– Captured malicious traffic is automatically attached to the first log
generated by a protection since policy installation, even if the packet
capture option in the protection is not turned on. This is economical
with system resources because only one packet capture is saved for
each attack.

227

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 175
IPS Debugging

Packet Capture

 Attaching a Packet Capture to Every Log


 A packet capture is automatically attached to the first log generated by a
protection. However, if you want to capture packet data for a protection for every
malicious packet that is logged, turn on the packet capture option in that
protection. To attach a packet capture to every log

1. Open the protection for which you want to track the packet data.
2. Make sure the protection is activated (either Detect or Prevent).
3. Double-click on the profile for which you want packet capture data.
4. In the Action area, select any tracking action other than None and then select
Capture Packets. 227-228

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 176
IPS Debugging

Packet Capture

 Viewing Packet Capture Data in SmartView Tracker


 A packet capture is automatically attached to the first packet logged by a
protection since policy installation. If packet capture is turned on for a protection,
a packet capture is attached to every log generated by the protection. From the
protection page that has Capture Packets selected, click View Logs.

1. SmartView Tracker opens. Wait until the log window for the specific protection opens.

2. If searching for automatically captured packets, make sure the Packet Capture column is
showing

3. Locate the item

4. Right-click the item in the protection's SmartView Tracker log and select View packet
capture. 228
(cont.)

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 177
IPS Debugging

Packet Capture

5. Select Internal Viewer and click OK.

You may also use a third-party packet capture application by selecting Choose program and
specifying the application in the Program Name field.
(cont.)

228

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 178
IPS Debugging

Packet Capture

229

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 179
IPS Debugging

Kernel Debugging

 Kernel Debugging is recommended for more advanced


troubleshooting. The debugging commands can be found on
the Check Point Support Site
 Advanced debugging procedures should be executed in
conjunction with the Check Point Escalation engineers, as
part of a Service Request. troubleshooting session.
 Debugging should only be performed when the described
issue can be captured

229

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 180
IPS Debugging

IPS Debugging Scenarios – False Positives

 Each IPS protection has a confidence grade. In rare cases, it


is possible that legitimate packets are mistakenly identified
as malicious.

230

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 181
IPS Debugging

IPS Debugging Scenarios – False Positives

 When you suspect that you might have a


false positive, follow these steps:

1. Enable INSPECT debugging in GUIDBedit


enable_inspect_debug_compilation

2. Install Policy

3. Set debug
fw ctl zdebug + drop

4. Simulate the suspected traffic

231

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 182
IPS Debugging

IPS Debugging Scenarios – False Positives

 Now, every dropped packet will generate a more elaborate drop message, for example:

 fw_log_drop: Packet proto=<ip_proto> <source IP>-> <Dest IP> dropped by


fwpslglue_chain Reason: PSL Reject: <Reject Reason>

 Based on the <Reject Reason> run debug:

231
*Add cifs if you suspect an issue with SMB traffic (port 445).

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 183
IPS Debugging

IPS Debugging Scenarios – Performance Issues

 Each IPS protection has a Performance Impact grade. When the gateway is under heavy
load, or under specific traffic blends, this impact might be substantial.

232

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 184
IPS Debugging

IPS Debugging Scenarios – Performance Issues

 Possible actions
– Deactivate protections with critical or high performance impact.
– If this is due to automatic activation settings, reconfigure these.
– Consider activating the “Bypass SmartDefense under load
option.
– Consider activating the “Protect Internal Hosts Only” feature.
This requires a correct configuration of the gateway’s
interfaces.

233

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 185
IPS Debugging

IPS Debugging Scenarios – Performance Issues

233

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 186
IPS Debugging

IPS Debugging Scenarios – Hidden Profiling Tool

 Each enforcement module (R70 and above) includes a hidden profiling


tool. This tool can generate statistics reports in a two step process:

1. Run the sdstat tool on the gateway during load.


2. Run the sdstat_analyse script on the management station.
 The performance counters tool measures only IPS and does not compare
IPS to other VPN-1/UTM-1 features which might be the actual problem.

 Supported management stations for sdstat_analyse tool are:


SecurePlatform, IPSO, Linux, Solaris.

233

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 187
IPS Debugging

IPS Debugging Scenarios – Hidden Profiling Tool

 Usage in the module:


– fw ctl zdebug > & <file_name> &
– fw ctl sdstat start (wait ~ 30 seconds during load)
– fw ctl sdstat stop
– fg and stop the original debug

 The “&” will run the “fw ctl adebug” command in the background, to stop it
you need to being the process to the foreground by executing the “fg”
command, and then terminate the program by clicking “Ctrl+C”.

234

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 188
IPS Debugging

IPS Debugging Scenarios – Hidden Profiling Tool

 On the SmartCenter:
– Copy the file collected on the module to the Management under $FWDIR/
scripts/
– Change folder to $FWDIR/scripts/
– Run the command: ./sdstat_analyse.csh <file_name>
– The output file will be <file_name>.csv
– Copy the file to a host, and open it.

234

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 189
IPS Debugging

IPS Debugging Scenarios – Hidden Profiling Tool

235

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 190
IPS Debugging

IPS Debugging Scenarios – Hidden Profiling Tool

236

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 191
IPS Debugging

Logging Issues

 If you suspect that packets are being dropped with no log, it is possible to
debug the logging mechanism:

fw ctl zdebug + log dynlog

236

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 192
IPS Debugging

Pattern Match Debug – Usage in the kernel

 fw ctl debug —m kiss + <debug flags>


– sm — first tier
– rem — used for second tier
– dfa — building and executing the dfa
– pmdump — dumping xmls of dfas
– pm — compilation, verification, and general flag

237

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 193
IPS Debugging

Pattern Match Debug – Usage in the User-Space

 Set environment variable:


KISS_DEBUG to “<debug flags>”

 Use the module global parameter


kiss_pm_stats_pattern to get statistics

Usage:

 fw ctl set str kiss_pm_stats_pattern


 “.*ab(ee|tt).*” will print the statistics of the PM holding this pattern
 fw ctl set str kiss_pm_stats_pattern “ALL” will print the
statistics of all PMs we hold
237

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 194
IPS Debugging

Packet Dump Buffer


 Global parameters enable debug with packet dump:
fw ctl set int <var_name> 1

 The possible var_names are:


 ASPII: aspii_debug_dump_buffer
 Inspect Streaming: fw_spii_str_log_dump_buffer
 CMI: cmi_dump_buffer
 The buffer dump will appear in your next debug printout. Turn this off using:
fw cti set int var_name 0

 This may be problematic on heavy loads, as the debug buffer might be full.
Packet capture is often just as helpful. 237

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 195
IPS Debugging

Debug Flags Overview

238

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 196
IPS Debugging

Review Questions

1. What are the tools most often used to debug IPS


issues?

239

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 197
IPS Debugging

Review Questions

1. What are the tools most often used to debug IPS


issues?
– SmartView Tracker
– Packet Capture
– Kernel Debug

239

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 198
IPS Debugging

Review Questions

2. SmartView tracker log suppression counts similar events


over what time period?

239

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 199
IPS Debugging

Review Questions

2. SmartView tracker log suppression counts similar events


over what time period?
– Every two minutes

239

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 200
IPS Debugging

Review Questions

3. What are the SmartView tracker modes?

239

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 201
IPS Debugging

Review Questions

3. What are the SmartView tracker modes?


– Log (default)
– Active - focuses on connections
– Audit - focuses on management related records

239

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 202
IPS Debugging

Lab Practice

 Lab 7: Advanced IPS Troubleshooting

241

©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties | 203
Advanced IPS

©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
©2012 Check Point Software Technologies Ltd. [Confidential] — For Check Point users and approved third parties

You might also like