Check Point IPS-1 fills a gap in its product line

Review shows a strong security product with weak ties to other Check Point management tools

Check Point has finally delivered some useful fruit of its December 2006 acquisition of NFR Security.

In late April, the company shipped IPS-1, the first version of the NFR intrusion prevention/detection system (IDS/IPS) to be integrated into Check Point's own security wares. Both the IPS sensor and its management toolkit now reside on Check Point's own SecurePlatform, a self-installing Linux-based security operating system that Check Point also uses for its other security products and management platforms.

IPS-1 does not replace Check Point's older IPS technology, SmartDefense, at least not in the short term. Check Point firewall users looking for firewall-integrated basic threat protection with minimal management and forensics capabilities will stick with SmartDefense. For standalone devices, a broader range of protections, and for extensive event analysis tools, IPS-1 sensors are Check Point's answer.

Check Point offers the IPS-1 sensor both in appliance format, with its IPS-1 Sensor appliances (ranging in price from $7,000 to $115,000 and in-line performance from 50Mbps to 2000Mbps), and as a software-only product, OpenSensor, for installation on the hardware of your choice.

Product: Check Point IPS-1
Vendor: Check Point Software
Price: $16,000 for sensor, $10,000 for management platform
Pros: Outstanding IDS analysis tools; easy deployment with appliance or software; consistent Check Point GUI; good attack detection.
Cons: Not integrated with other Check Point management; missing such advanced IPS features as DoS protection; weak target-based features.
Score: 3.78

Scorecard                     Weight   Final score
Intrusion protection          25%      4
Analysis tool kit             25%      4.5
Network awareness             20%      3.5
IPS policy management         20%      3.5
Reporting and documentation   10%      2.5
Total score (weighted)                 3.78

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available.

We tested IPS-1 using Check Point's IPS-1 Sensor 200C platform, a 200Mbps IPS with four ports of fail-open IPS capability at a price of $16,000. (Compare Network IPS products.) Check Point's SmartCenter management system costs $10,000. Existing Check Point customers with SmartCenter won't have to pony up for a new license, and can simply add IPS-1 sensors into an existing SmartCenter.

In this exclusive Clear Choice Test, we found that IPS-1 offers a strong set of IPS protections and a cutting-edge IDS in an easy-to-control package. Management rough spots in IPS-1 should be easy to fix as IPS-1 merges more closely into Check Point's existing management infrastructure. IPS-1 still shows its IDS heritage, with a very strong set of policy and misuse detection tools, so existing Check Point customers looking to combine IDS and IPS functionality will find this an especially compelling product line.

While IPS-1 management is now integrated with SecurePlatform, it is not integrated with Check Point's other security product management, most notably its firewall management tools.

This is a disappointing fact, because it means that one of Check Point's best features, its strong, policy-based management, is not available to IPS-1 network managers. While existing Check Point customers will take to the familiar look-and-feel in this IPS-1 release, the true value of Check Point's management tools hasn't been realized. Check Point says it does offer some log integration with its own Eventia security information and event management product, but we did not verify that claim with this single product test. (See comparative SIEM test.)

This lack of full integration leaves some astonishing gaps in IPS-1 management. If you want to generate a report summarizing data out of IPS-1, it's your responsibility to set up your own reporting tool, such as Crystal Reports, to work against the built-in database, or send events to an external database for full control of archiving and retention. Another critical lacuna is the lack of shared objects between firewall and IPS policies. This means that a firewall manager who has made the effort to map their network using Check Point's powerful object definition tools will have to start over from scratch when defining IPS policies in IPS-1.

Despite our disappointment with lack of management ties to other Check Point products, we were impressed at the snappy performance of the IPS-1 management system when we were viewing security IPS and IDS events. IPS-1 uses a client/server architecture, with a Windows-based client connected to a back-end management server. The client is limited to viewing 30,000 events at any moment, but because it does operate out of local memory (rather than having the server do sorting and combining of events), it's wonderfully fast. Compared with other Web-based IPS management tools, IPS-1 is a joy to use. The client glides through the data and updates the screen almost instantaneously for many operations.

More important than speed, though, is that the IPS-1 client gives the security analyst sufficient tools to make good use of the information provided by the sensors. As an IDS-turned-IPS, the analysis features of IPS-1 will make most security managers pretty happy. Some innovative display tools, especially the constantly updating Timeline, are excellent ways to gain instant visibility into the security posture of a network using simple visualizations and graphics.

Although there are some silly gaps, such as an inability to take a detailed look at more than one event or packet at a time, any security analyst will find the IPS-1 client to be responsive, full-featured, mature and very well designed.

Check Point’s IPS-1 line represents the first fruit of the company’s December 2006 acquisition of NFR Security. Our test shows it provides formidable intrusion protection but doesn’t tap fully into Check Point’s policy-management tools.

Check Point has also tried to put some target-based IDS features into its product by allowing the network manager to manually import Nessus network scans and then query that information while analyzing events. It would be a useful trick, but this feature is as immature as a week-old cheddar. This feature will need a lot of work to be very useful to an analyst who wants to prioritize their work on vulnerable and critical systems. Hopefully, if Check Point does finally integrate the IPS-1 management with firewall management, some of the criticality and exposure information already available in the firewall can be shared with the security analyst.
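The target-based idea described above, correlating each event with what a vulnerability scan says about the target host, is simple to express in code. The following is an added example written for this review, not Check Point's, NFR's or Nessus's code; the Finding and Event fields, the priority labels, the severity scale and the sample hosts and events are all constructed for illustration. It shows the decision an analyst wants the console to make for them: an attack against a service the scan shows as open and vulnerable outranks one against a closed port, and a host the scan never saw stays in the middle because absence from the scan is not evidence of safety.

```python
"""Target-based alert prioritisation: ranking IDS events against a scan.

Added example; not Check Point's, NFR's or Nessus's code. The Finding/Event
fields, priority labels and sample data are constructed for illustration
rather than taken from IPS-1 or from a real scanner export.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One scan result: an open port and the service the scanner identified."""
    host: str
    port: int
    service: str   # e.g. "http", "ssh" (assumed vocabulary)
    severity: int  # assumed scale: 0 = info ... 4 = critical


@dataclass(frozen=True)
class Event:
    """One IDS event; target_service is the service the signature attacks."""
    ts: float
    src: str
    dst: str
    dst_port: int
    signature: str
    target_service: str


PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def index_scan(findings: List[Finding]) -> Dict[str, Dict[int, Finding]]:
    """Build host -> port -> finding so each event costs two dict lookups."""
    index: Dict[str, Dict[int, Finding]] = {}
    for f in findings:
        index.setdefault(f.host, {})[f.port] = f
    return index


def prioritise(event: Event, scan: Dict[str, Dict[int, Finding]],
               critical_hosts: Set[str]) -> Tuple[str, str]:
    """Return (priority, reason) for one event.

    Unknown hosts stay 'medium': the scan is evidence of exposure, and its
    absence is not evidence of safety.
    """
    ports = scan.get(event.dst)
    if ports is None:
        return "medium", "target not in scan; exposure unknown"
    finding = ports.get(event.dst_port)
    if finding is None:
        return "low", "target scanned, attacked port not open"
    if finding.service != event.target_service:
        return "low", (f"port open but runs {finding.service}; "
                       f"signature targets {event.target_service}")
    if event.dst in critical_hosts or finding.severity >= 3:
        return "critical", "exposed service on critical or severely vulnerable host"
    return "high", "target exposes the attacked service"


def rank_events(events: List[Event], findings: List[Finding],
                critical_hosts: Set[str]) -> List[Tuple[str, str, Event]]:
    """Score every event and sort by priority, then by time of arrival."""
    scan = index_scan(findings)
    scored = [(*prioritise(e, scan, critical_hosts), e) for e in events]
    scored.sort(key=lambda t: (PRIORITY_ORDER[t[0]], t[2].ts))
    return scored


# Constructed sample data (not real hosts, signatures or scan output).
SCAN = [
    Finding("10.20.1.10", 80, "http", 4),
    Finding("10.20.1.10", 22, "ssh", 1),
    Finding("10.20.1.20", 443, "http", 2),
    Finding("10.20.1.40", 8080, "http", 2),
]
CRITICAL_HOSTS = {"10.20.1.20"}
EVENTS = [
    Event(1.0, "10.10.5.5", "10.20.1.10", 80, "HTTP directory traversal", "http"),
    Event(2.0, "10.10.5.5", "10.20.1.10", 3306, "MySQL auth overflow", "mysql"),
    Event(3.0, "10.10.5.5", "10.20.1.30", 445, "SMB probe", "smb"),
    Event(4.0, "10.10.5.5", "10.20.1.20", 443, "HTTP header overflow", "http"),
    Event(5.0, "10.10.5.5", "10.20.1.10", 22, "Telnet login brute force", "telnet"),
    Event(6.0, "10.10.5.5", "10.20.1.40", 8080, "HTTP directory traversal", "http"),
]

if __name__ == "__main__":
    for priority, reason, e in rank_events(EVENTS, SCAN, CRITICAL_HOSTS):
        print(f"{priority:8} {e.dst}:{e.dst_port:<5} {e.signature:28} {reason}")
```

The scan index is rebuilt from the imported findings each time, which is fine for a manual import like the one the review describes; a console that re-imports scans on a schedule would also want to record the scan date per host, since a finding from a stale scan is weaker evidence than a fresh one.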

Missing features

The IPS features of the IPS-1 are not as well developed as those contained in Check Point's own SmartDefense. For example, the IPS sensor doesn't have any significant denial of service (DoS) protections, and there are no behavior anomaly detection features. We found similar gaps in managing policy for the IPS. Linking from an event to the sensor policy and event documentation is only a single click — a fantastic and speedy feature. But then going that final step and managing policy, such as adding a per-host exception to a rule, a common requirement in a false-positive-sensitive IPS environment, is painfully tedious. Check Point told us it is releasing a "Hot Fix" in August to help resolve this particular pain point.

We also tested the correlation features within the IPS-1 management system. These provide a simple capability to look across alerts for common features or clusters of related alerts. This tool can be of use in both IDS and IPS types of deployments. For example, we created a correlation rule that looked for a cluster of 10 attacks in less than 1 minute from our guest network to our production network, which might indicate a more concerted attempt to break in to our network. Creating and using correlation rules is fairly simple, but the capabilities are simplistic enough that this didn't seem as useful as the correlation tools are in other IPS products we've looked at.
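The correlation rule used in the test, a cluster of 10 alerts in under a minute from the guest network to the production network, is a sliding-window count over in-scope alerts. The block below is an added example written for this review, not IPS-1's own correlation engine; the guest and production subnets, the alert fields, the threshold and window values and the sample alerts are all constructed. It also shows the two details such a rule has to get right in practice: the window is strictly "less than" the configured span, and one burst should raise one incident rather than one per alert once the threshold is crossed.

```python
"""Sliding-window correlation over IDS alerts.

Added example, not IPS-1's own correlation engine. It implements the rule
described in the review (10 or more alerts in under a minute from the guest
network to the production network); the subnets, alert fields, thresholds
and sample alerts are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, FrozenSet, Iterable, List

GUEST_NET = ip_network("10.10.0.0/16")   # assumed guest subnet
PROD_NET = ip_network("10.20.0.0/16")    # assumed production subnet
THRESHOLD = 10                           # alerts needed to raise an incident
WINDOW_SECONDS = 60.0                    # they must arrive in under this span


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds since epoch
    src: str
    dst: str
    signature: str


@dataclass(frozen=True)
class Incident:
    first_ts: float
    last_ts: float
    count: int
    sources: FrozenSet[str]
    signatures: FrozenSet[str]


def in_scope(alert: Alert) -> bool:
    """Only guest -> production traffic counts toward the rule."""
    return ip_address(alert.src) in GUEST_NET and ip_address(alert.dst) in PROD_NET


def correlate(alerts: Iterable[Alert], threshold: int = THRESHOLD,
              window: float = WINDOW_SECONDS) -> List[Incident]:
    """Return one Incident per burst of >= threshold in-scope alerts that fall
    strictly within `window` seconds of each other. Alerts need not be sorted."""
    recent: Deque[Alert] = deque()
    incidents: List[Incident] = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        if not in_scope(alert):
            continue
        recent.append(alert)
        # Drop alerts a full window old or older, so the deque holds only
        # alerts strictly less than `window` seconds behind the newest one.
        while alert.ts - recent[0].ts >= window:
            recent.popleft()
        if len(recent) >= threshold:
            incidents.append(Incident(
                first_ts=recent[0].ts,
                last_ts=alert.ts,
                count=len(recent),
                sources=frozenset(a.src for a in recent),
                signatures=frozenset(a.signature for a in recent),
            ))
            recent.clear()  # one burst raises one incident, not one per alert
    return incidents


def sample_alerts() -> List[Alert]:
    """Constructed alerts: a fast burst, a slow trickle, and out-of-scope noise."""
    burst = [Alert(100 + 3 * i, "10.10.5.5", "10.20.1.10", "sig-A") for i in range(12)]
    trickle = [Alert(1000 + 20 * i, "10.10.6.6", "10.20.1.11", "sig-B") for i in range(12)]
    noise = [Alert(105 + i, "10.20.1.1", "10.20.1.10", "sig-C") for i in range(20)]
    return burst + trickle + noise


if __name__ == "__main__":
    for inc in correlate(sample_alerts()):
        print(f"{inc.count} alerts from {sorted(inc.sources)} between "
              f"{inc.first_ts} and {inc.last_ts}: {sorted(inc.signatures)}")
```

Only the fast burst fires: the trickle never accumulates 10 alerts inside one window, and the production-to-production noise is filtered before it reaches the window at all. Raising the threshold above the size of the burst produces no incident, which is the check worth running whenever the threshold is tuned.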

One critical feature that Check Point has, thankfully, left untouched from the original NFR product is the detection engine inside of the IPS-1 sensor. After running — and tuning — an IPS-1 sensor on our network for two weeks, we used the same policy to see how well the IPS-1 would block attacks from our Mu-4000 Service Analyzer. The IPS-1 did extremely well when protecting servers against attacks, missing only about 21% of the Mu-4000 attacks. For comparison, in our recent UTM firewall test, which used a similar methodology (although with an older version of the Mu-4000 software), the best-scoring product missed 24% of the Mu-4000 server attacks, and the average miss rate was 70%.

For client-side attacks (for example, attacks against client applications, such as Web browsers, or attacks embedded in files, such as PDFs), the IPS-1 sensor still turned in a respectable performance, although it missed 53% of the Mu-4000 attacks -- about the same as the best products in our UTM test, and still 15 points better than the average score from that test.

Getting ready for prime time

This release of the IPS-1 product won't be very exciting to anyone already familiar with NFR's pre-Check Point Sentivist product line. However, for Check Point customers looking for something better than SmartDefense, especially in the area of IDS and security visibility, IPS-1 gives Check Point a whole new offering that will be of immediate interest.

We would have preferred to see a better and more complete integration of the IPS-1 management system with Check Point's existing management toolkit. Although existing Check Point customers will occasionally find themselves in abrupt and puzzling dead ends, such as the lack of reporting and no consistent network object list, when applying the standards of Check Point's other security products, we think that this IPS-1 release nicely complements the features of other Check Point products.

Snyder is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

NW Lab Alliance

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.
