Check Point IPS-1 fills a gap in its product line
Review shows a strong security product with weak ties to other CheckPoint management tools
By Joel Snyder, Network World, 08/04/2008
Check Point has finally delivered some useful fruit of its December 2006 acquisition of NFR Security.
In late April, the company shipped IPS-1, the first version of the NFR intrusion prevention/detection system (IDS/IPS) to
be integrated into Check Point's own security wares. Both the IPS sensor and its management toolkit now reside on Check Point's own SecurePlatform, a self-installing Linux-based
security operating system that Check Point also uses for its other security products and management platforms.
IPS-1 does not replace Check Point's older IPS technology, SmartDefense, at least not in the short term. Check Point firewall
users looking for firewall-integrated basic threat protection with minimal management and forensics capabilities will stick
with SmartDefense. For standalone devices, a broader range of protections, and for extensive event analysis tools, IPS-1 sensors
are Check Point's answer.
Check Point offers the IPS-1 sensor both in appliance format, with its IPS-1 Sensor appliances (ranging in price from $7,000
to $115,000 and in-line performance from 50Mbps to 2000Mbps), and as a software-only product, OpenSensor, for installation
on the hardware of your choice.
We tested IPS-1 using Check Point's IPS-1 Sensor 200C platform, a 200Mbps IPS with four ports of fail-open IPS capability
at a price of $16,000. Check Point's SmartCenter management system costs $10,000. Existing Check Point customers with SmartCenter won't have to
pony up for a new license, and can simply add IPS-1 sensors into an existing SmartCenter.
In this exclusive Clear Choice Test, we found that IPS-1 offers a strong set of IPS protections and a cutting-edge IDS in
an easy-to-control package. Management rough spots in IPS-1 should be easy to fix as IPS-1 merges more closely into Check
Point's existing management infrastructure. IPS-1 still shows its IDS heritage, with a very strong set of policy and misuse
detection tools, so existing Check Point customers looking to combine IDS and IPS functionality will find this an especially
compelling product line.
While IPS-1 management is now integrated with SecurePlatform, it is not integrated with Check Point's other security product
management, most notably its firewall management tools.
This is a disappointing fact, because it means that one of Check Point's best features, its strong, policy-based management,
is not available to IPS-1 network managers. While existing Check Point customers will take to the familiar look-and-feel in
this IPS-1 release, the true value of Check Point's management tools hasn't been realized. Check Point says it does offer
some log integration with its own Eventia security information and event management product, but we did not verify that claim
with this single product test.
This lack of full integration leaves some astonishing gaps in IPS-1 management. If you want to generate a report summarizing
data out of IPS-1, it's your responsibility to set up your own reporting tool, such as Crystal Reports, to work against the
built-in database, or send events to an external database for full control of archiving and retention. Another critical lacuna
is the lack of shared objects between firewall and IPS policies. This means that a firewall manager who has made the effort
to map their network using Check Point's powerful object definition tools will have to start over from scratch when defining
IPS policies in IPS-1.
Despite our disappointment with the lack of management ties to other Check Point products, we were impressed at the snappy performance
of the IPS-1 management system when we were viewing security IPS and IDS events. IPS-1 uses a client/server architecture,
with a Windows-based client connected to a back-end management server. The client is limited to viewing 30,000 events at any
moment, but because it does operate out of local memory (rather than having the server do sorting and combining of events),
it's wonderfully fast. Compared with other Web-based IPS management tools, IPS-1 is a joy to use. The client glides through
the data and updates the screen almost instantaneously for many operations.
More important than speed, though, is that the IPS-1 client gives the security analyst sufficient tools to make good use
of the information provided by the sensors. As an IDS-turned-IPS, the analysis features of IPS-1 will make most security managers
pretty happy. Some innovative display tools, especially the constantly-updating Timeline, are excellent ways to gain instant
visibility into the security posture of a network using simple visualizations and graphics.
Although there are some silly gaps, such as an inability to take a detailed look at more than one event or packet at a time,
any security analyst will find the IPS-1 client to be responsive, full-featured, mature and very well designed.
Check Point has also tried to put some target-based IDS features into its product by allowing the network manager to manually
import Nessus network scans and then query that information while analyzing events. It would be a useful trick, but this feature
is as immature as a week-old cheddar. This feature will need a lot of work to be very useful to an analyst who wants to prioritize
their work on vulnerable and critical systems. Hopefully, if Check Point does finally integrate the IPS-1 management with
firewall management, some of the criticality and exposure information already available in the firewall can be shared with
the security analyst.
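The target-based idea described above (import a host scan, then rank events by whether the attacked host actually exposes the service and carries a matching finding) is simple enough to sketch. The following is an added example written for this page; it is not Check Point's or NFR's code, and every IP address, port, finding id and signature name in it is constructed sample data. The criticality value is assumed to be something the analyst assigns per host, which is exactly the information the review hopes firewall management could one day supply.

```python
"""Prioritize IDS/IPS events against an imported vulnerability scan.

Added example, not Check Point's or NFR's code. It shows the scoring an
analyst would want when a Nessus-style scan is imported alongside events:
events against hosts that expose the attacked port and carry a matching
finding float to the top; events against closed ports sink. All hosts,
ports, finding ids and signature names below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class HostScan:
    ip: str
    criticality: int      # 1 (low) .. 5 (crown jewel); assumed analyst-assigned
    open_ports: set       # TCP ports the scanner saw listening
    findings: set         # finding ids the scanner reported on this host


@dataclass
class Event:
    event_id: int
    dst_ip: str
    dst_port: int
    signature: str
    related_findings: set = field(default_factory=set)  # findings this signature's attack depends on


def score_event(ev, scans):
    """Return (score, reason). Higher score means look at it first."""
    host = scans.get(ev.dst_ip)
    if host is None:
        return 1, "target not in scan data"
    if ev.dst_port not in host.open_ports:
        return 0, "target port closed at last scan"
    if ev.related_findings & host.findings:
        return 10 * host.criticality, "matching vulnerability on target"
    return 2 * host.criticality, "service exposed, no matching finding"


def prioritize(events, scans):
    """Return [(event_id, score, reason)] sorted highest score first, then by id."""
    scored = [(score_event(ev, scans), ev) for ev in events]
    scored.sort(key=lambda t: (-t[0][0], t[1].event_id))
    return [(ev.event_id, s, why) for (s, why), ev in scored]


# Constructed scan import: two hosts, one critical with a known finding.
SCANS = {
    "10.0.0.5": HostScan("10.0.0.5", 5, {22, 443}, {"FND-1001"}),
    "10.0.0.9": HostScan("10.0.0.9", 2, {80}, set()),
}

# Constructed sensor events, including one against a closed port and one
# against a host the scan never saw.
EVENTS = [
    Event(1, "10.0.0.5", 443, "web app attack (constructed sig)", {"FND-1001"}),
    Event(2, "10.0.0.5", 25, "smtp probe (constructed sig)", {"FND-2000"}),
    Event(3, "10.0.0.9", 80, "web scan (constructed sig)", {"FND-1001"}),
    Event(4, "10.0.0.77", 80, "web scan (constructed sig)"),
]

if __name__ == "__main__":
    for event_id, score, reason in prioritize(EVENTS, SCANS):
        print(f"event {event_id}: score {score:3d}  {reason}")
```

Note the "target not in scan data" case scores above "port closed": a host the scanner never saw is unknown exposure, not known-safe, so the stale-scan problem the review alludes to (prioritizing on week-old data) is handled by never scoring an unscanned target to zero.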
Comments (5)
Good Review
By Anonymous on August 4, 2008, 8:17 pm
I too was impressed with the interface on IPS-1. It's nice to see Check Point moving back into the IDS/IPS arena.

Checkpoint fills gap....with krap
By Schratboy on August 6, 2008, 9:04 am
Checkpoint is so over-priced and has such bad support as to make one's head spin. Though they continue to thrive in the firewall space for god only knows what reason,...

Bad Support
By Anonymous on August 7, 2008, 1:07 am
I would agree with a previous note about support. Atrocious and arrogant.

Bad Support
By Ratt on August 8, 2008, 10:33 am
Whenever people say 'Aw, that Damone is a loudmouth' -- and they say that a lot -- I say 'You just don't know Damone.' When someone says you're an idiot, I tell...

Some of the previous overly negative comments don't pass the sme
By Anonymous on August 8, 2008, 9:29 pm
Come on guys - how can you be so overly negative about a well respected company like Check Point unless there is some competitive motive here? The independent reviewer...