We installed the Check Point IPS-1 Sensor 200C on our production network. The IPS-1 Sensor 200C has four IPS interfaces which are paired into two sets of fail-open (or fail-closed, if you want) gigabit Ethernet ports. Although the IPS-1 Sensor 200C has additional ports on the back which can also be used for IDS, Check Point only allows for a single policy per sensor, so we stuck with the two IPS links. We inserted the IPS-1 in-line with an Ethernet link serving about 1,000 DSL subscribers, and a second link protecting a heavily used Internet server farm with 42 Web servers on it. In both cases, we ran the IPS-1 in "detect only" mode for two weeks before turning on blocking.
We installed the IPS-1 management server using the SecurePlatform CD onto a Compaq DL360 server with 8GB of memory and two 3.0GHz CPUs. We installed the Windows client tool on an existing Windows workstation, a single-CPU 3.0GHz client with 3GB of memory.
Check Point doesn't have normal instructor-led or Web-based training available for the IPS-1 product yet, so we went one-on-one with a sales engineer over the phone. After a one-hour training session, we dove into tuning the IPS for our environment. Over two weeks of observation, we edited policy, analyzed events and tried to put the analysis part of the system through its paces.
After two weeks, we turned the IPS into blocking mode, keeping careful watch on potential false positives and other interruptions to normal traffic. Over two weeks, none of the users or servers being sent through the IPS logged help desk calls — although we did see a bit of BitTorrent blocking that the users didn't notice (or at least didn't complain about).
After the in-line test was over, we pulled the IPS out and used the Mu Dynamics Mu-4000 Service Analyzer to test the IPS. For the Mu-4000 testing, we focused on published vulnerability attacks. We broke up our testing into two directions: client to server, and server to client. In an IPS deployment, the IPS is generally either protecting end users or servers. In the end-user case, the IPS is programmed to protect users who are browsing the Internet or downloading files and thus are susceptible to certain types of attacks focused on client applications, such as Web browsers and PDF readers. In the server case, the IPS is programmed differently, protecting Web, e-mail and other types of servers against attacks initiated by malicious users.
We used the policy that Check Point had initially set up, and which we tuned over the four weeks of testing. Our policy was used to protect both users and servers, but we tested these attacks separately with the Mu-4000. The Mu-4000 client profile had approximately 525 attacks, while the server profile had approximately 600. We counted an attack as "missed" if the IPS-1 let the attack through, and scored each profile as the percentage of attacks missed.