How we tested Check Point's IPS

By Joel Snyder , Network World , 08/04/2008

We installed the Check Point IPS-1 Sensor 200C on our production network. The IPS-1 Sensor 200C has four IPS interfaces, paired into two sets of gigabit Ethernet ports that can be configured to fail open or fail closed. Although the IPS-1 Sensor 200C has additional ports on the back that can also be used for IDS, Check Point allows only a single policy per sensor, so we stuck with the two in-line IPS links. We inserted the IPS-1 in-line on an Ethernet link serving about 1,000 DSL subscribers, and on a second link protecting a heavily used Internet server farm with 42 Web servers. In both cases, we ran the IPS-1 in "detect only" mode for two weeks before turning on blocking.

We installed the IPS-1 management server using the SecurePlatform CD onto a Compaq DL360 server with 8GB of memory and two 3.0GHz CPUs. We installed the Windows client tool on an existing Windows workstation, a single CPU 3.0GHz client with 3GB of memory.

Check Point doesn't have normal instructor-led or Web-based training available for the IPS-1 product yet, so we went one-on-one with a sales engineer over the phone. After a one hour training session, we dove into tuning the IPS for our environment. Over two weeks of observation, we edited policy, analyzed events and tried to put the analysis part of the system through its paces.

After two weeks, we switched the IPS to blocking mode, keeping careful watch for false positives and other interruptions to normal traffic. Over the following two weeks, none of the users or server operators whose traffic passed through the IPS generated help desk calls, although we did see a bit of BitTorrent blocking that the users didn't notice (or at least didn't complain about).

After the in-line test was over, we pulled the IPS out and used the Mu Dynamics Mu-4000 Service Analyzer to test the IPS. For the Mu-4000 testing, we focused on published vulnerability attacks. We broke up our testing into two directions: client to server, and server to client. In an IPS deployment, the IPS is generally either protecting end users or servers. In the end user case, the IPS is programmed to protect users who are browsing the Internet or downloading files and thus are susceptible to certain types of attacks focused on client applications, such as Web browsers and PDF readers. In the server case, the IPS is programmed differently, protecting Web, e-mail, and other types of servers against attacks initiated by malicious users.
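The two-week "detect only" period described above is where policy tuning happens: events that fire from many sources in detect mode (the BitTorrent matches, for instance) need a decision before the sensor is switched to blocking. The script below is an added example, not code from the article or from Check Point, that summarizes detect-mode events by signature and by the two traffic directions the test used (client to server, server to client) and flags noisy signatures for review. The log format, the signature names, and the "many distinct sources means review first" heuristic are all assumptions of this example; the IPS-1's real event export format is not shown on the page.

```python
"""Triage of detect-only IPS events before switching to blocking mode.

Added example, not code from the original article or from Check Point.
The key=value log format, the signature names and the triage heuristic
are assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample log lines (assumed format: timestamp, then key=value pairs).
# dir is "c2s" (client to server) or "s2c" (server to client).
SAMPLE_LOG = """\
2008-07-15T10:01:02 sig=HTTP.Long.URI dir=c2s src=203.0.113.5 dst=198.51.100.10 action=detect
2008-07-15T10:01:09 sig=HTTP.Long.URI dir=c2s src=203.0.113.5 dst=198.51.100.11 action=detect
2008-07-15T10:02:31 sig=P2P.BitTorrent.Handshake dir=c2s src=10.20.1.17 dst=192.0.2.44 action=detect
2008-07-15T10:02:35 sig=P2P.BitTorrent.Handshake dir=c2s src=10.20.1.23 dst=192.0.2.80 action=detect
2008-07-15T10:02:40 sig=P2P.BitTorrent.Handshake dir=c2s src=10.20.1.31 dst=192.0.2.9 action=detect
2008-07-15T10:02:41 sig=P2P.BitTorrent.Handshake dir=c2s src=10.20.1.44 dst=192.0.2.12 action=detect
2008-07-15T10:02:49 sig=P2P.BitTorrent.Handshake dir=c2s src=10.20.1.58 dst=192.0.2.77 action=detect
2008-07-15T10:03:12 sig=PDF.Exploit.JS dir=s2c src=192.0.2.200 dst=10.20.1.17 action=detect
2008-07-15T10:03:15 malformed line without fields
"""

REQUIRED_FIELDS = ("sig", "dir", "src", "dst")


def parse_event(line):
    """Parse one 'timestamp key=value ...' line.

    Returns a dict of fields, or None when the line lacks any of the
    required fields (malformed or truncated lines are skipped, not guessed).
    """
    parts = line.split()
    if not parts:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not all(k in fields for k in REQUIRED_FIELDS):
        return None
    fields["ts"] = parts[0]
    return fields


def parse_log(text):
    """Parse a whole log, dropping lines parse_event rejects."""
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def summarize(events):
    """Per (signature, direction): hit count plus distinct sources and destinations."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "dests": set()})
    for e in events:
        entry = summary[(e["sig"], e["dir"])]
        entry["count"] += 1
        entry["sources"].add(e["src"])
        entry["dests"].add(e["dst"])
    return dict(summary)


def triage(summary, source_threshold=5):
    """Assumed heuristic (this example's, not a Check Point rule): a signature that
    fired from at least source_threshold distinct sources during detect-only mode is
    likely a policy-level match (such as P2P) or a false positive, so it is marked
    'review'; every other signature is a 'block' candidate for the blocking policy."""
    decisions = {}
    for key, entry in summary.items():
        decisions[key] = "review" if len(entry["sources"]) >= source_threshold else "block"
    return decisions


if __name__ == "__main__":
    summ = summarize(parse_log(SAMPLE_LOG))
    for (sig, direction), verdict in sorted(triage(summ).items()):
        entry = summ[(sig, direction)]
        print(f"{sig:28} {direction}  hits={entry['count']:3} "
              f"srcs={len(entry['sources']):3} verdict={verdict}")
```

Run against real detect-mode exports, the source threshold would be set relative to the population behind the sensor (about 1,000 subscribers on one link here); the point is to make the review list explicit before blocking is enabled rather than discovering it through help desk calls.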
