RE: Checkpoint SmartDefense

From: Net Shark (netshark_at_sexmagnet.com)
Date: 05/19/05

    To: <ferg@furg.net>, <focus-ids@securityfocus.com>
    Date: Wed, 18 May 2005 23:53:18 +0100
    
    

    > -----Original Message-----
    > From: Fergus Brooks [mailto:fergwa@gmail.com]
    > Sent: Wednesday, 18 May 2005 12:10
    > To: focus-ids@securityfocus.com
    > Subject: Checkpoint SmartDefense
    >
    > Hi all,
    >
    > I am getting some mixed messages regarding this feature.
    >
    > 1) Does it detect zero day attacks in real time and
    > recommend/implement remediation
    >
    It can detect some attacks on the fly and stop them.

    > 2) How intelligent is it?
    It depends a lot on the type of filtering made. For instance, some DNS
    queries are mistaken for DNS buffer overflow attempts, probably because
    they're not RFC compliant. The same problem happens with other protocols.
    On the other hand, it successfully filters most common DoS attacks and worms
    (Land, Code Red & friends).
     
    > 3) Is it difficult to configure & maintain?
    IMHO, like most Checkpoint products, the difficulty is the *installation*
    phase.
    SmartDefense, however, can be very tricky to *tune*, but not to configure, as
    the default configuration doesn't harm a fly.

     
    > 4) Is this feature different on the Interspect and standard FW-1 boxes
    Dunno, I'm only using it in a Nokia IP firewall (over their IPSO), and it
    seems quite happy.

    > Any comments and real world examples greatly appreciated!
    It doesn't replace nice PC boxes running Snort and other IDS tools. In
    fact, it is advisable to have a network setup with both.
    Some SmartDefense features can cause very obscure errors. I remember having
    problems with the Autodesk Mapguide server and Mapguide agent, because the
    communication protocol designed by Autodesk was mistaken for the Blaster
    worm.

    Then again, I'm using a 2003 version of SmartDefense. The product could have
    been improved a lot by now.
