We installed the Check Point IPS-1 Sensor 200C on our production network. The IPS-1 Sensor 200C has four IPS interfaces which are paired into two sets of fail-open (or fail-closed, if you want) Gigabit Ethernet ports.
We installed the Check Point IPS-1 Sensor 200C on our production network. The IPS-1 Sensor 200C has four IPS interfaces which are paired into two sets of fail-open (or fail-closed, if you want) gigabit Ethernet ports. Although the IPS-1 Sensor 200C has additional ports on the back which can also be used for IDS, Check Point only allows for a single policy per sensor, so we stuck with the two IPS links. We inserted the IPS-1 in-line with an Ethernet link serving about 1,000 DSL subscribers, and a second link protecting a heavily used Internet server farm with 42 Web servers on it. In both cases, we ran the IPS-1 in "detect only" mode for two weeks before turning on blocking.
We installed the IPS-1 management server using the SecurePlatform CD onto a Compaq DL360 server with 8GB of memory and two 3.0GHz CPUs. We installed the Windows client tool on an existing Windows workstation, a single CPU 3.0GHz client with 3GB of memory.
Check Point doesn't have normal instructor-led or Web-based training available for the IPS-1 product yet, so we went one-on-one with a sales engineer over the phone. After a one hour training session, we dove into tuning the IPS for our environment. Over two weeks of observation, we edited policy, analyzed events and tried to put the analysis part of the system through its paces.
After two weeks, we turned the IPS into blocking mode, keeping careful watch on potential false positives and other interruptions to normal traffic. Over two weeks, none of the users or servers being sent through the IPS logged help desk calls — although we did see a bit of BitTorrent blocking that the users didn't notice (or at least didn't complain about).
After the in-line test was over, we pulled the IPS out and used the Mu Dynamics Mu-4000 Service Analyzer to test the IPS. For the Mu-4000 testing, we focused on published vulnerability attacks. We broke up our testing into two directions: client to server, and server to client. In an IPS deployment, the IPS is generally either protecting end users or servers. In the end user case, the IPS is programmed to protect users who are browsing the Internet or downloading files and thus are susceptible to certain types of attacks focused on client applications, such as Web browsers and PDF readers. In the server case, the IPS is programmed differently, protecting Web, e-mail, and other types of servers against attacks initiated by malicious users.
We used the policy that Check Point had initially set up, and which we tuned over the four weeks of testing. Our policy was used to both protect users and servers, but we tested these attacks separately with the Mu-4000. The Mu-4000 client profile had approximately 525 attacks, while the server profile had approximately 600. We counted an attack as "missed" if the IPS-1 let the attack through, and generated a percentage of attacks missed score.
< Return to test: Check Point IPS-1 fills a gap in its product line >
Learn more about this topic
Payscale uses alumni post-grad pay to rank 187 colleges and universities with computer science...
Vint Cerf is known as a "father of the Internet," and like any good parent, he worries about his...
How mainstream is big data? We asked two speakers at HP's Big Data Conference 2015 in Boston whether...
Sponsored by SevOne
Sponsored by HP
Windows 10 in August set a record for a one-month increase in user share for any operating system.
So many big data and analytics-focused startups are getting funding these days that I’ve been inspired...
Peruse all the products being released at VMworld in San Francisco this week
VMware CEO Pat Gelsinger heads into VMworld 2015 with the unified hybrid cloud on his mind