IDS mailing list archives
RE: Checkpoint SmartDefense
From: charles.fasching () milestonesystems com
Date: Fri, 20 May 2005 14:40:49 -0500
Another option that can be used instead of the default SQL injection protection is the "worm catcher" - you can write pretty good regular expressions here that are much more granular than the SQL Injection checks. Just keep in mind - I would never *ever* enable the worm catcher for "all traffic" - I would apply it to defined servers - otherwise - in large environments that serve a lot of HTTP traffic, it can and will bring your firewall to its knees.

Chuck "Spence" Fasching
Senior Systems Engineer
952.767.5111 - Office
612.616.5080 - Mobile
Milestone Systems
charles.fasching () milestonesystems com

-----Original Message-----
From: Ofer.Shezaf [mailto:Ofer.Shezaf () breach com]
Sent: Thursday, May 19, 2005 6:13 PM
To: ferg; focus-ids
Subject: RE: Checkpoint SmartDefense
From: Fergus Brooks [mailto:fergwa () gmail com]
Sent: Wednesday, May 18, 2005 2:10 PM
....
I am getting some mixed messages regarding this feature.

1) Does it detect zero day attacks in real time and recommend/implement remediation
As my expertise is web applications security, I can comment only on the web (port 80/443) functionality of SmartDefence (as well as WebIntelligence, its younger sibling). SmartDefence may provide better value for other protocols. Zero day attack detection is a tricky business. Behind the marketing brochures, SmartDefence and WebIntelligence are mostly misuse based (i.e. signature based) and therefore are not well adjusted to zero day protection. I personally feel that the signatures are also on the weak side for attacks such as SQL injection or XSS, especially since tighter security (that is, more signatures) is usually not practical, as discussed below.
2) How intelligent is it?
The one feature that seems to be more intelligent is detection of binary code in input. It also seems like the one that has potential to detect zero day attacks for buffer overflows. I don't have personal experience with this one (always off). Any input is welcomed.
3) Is it difficult to configure & maintain?
It is actually too easy to maintain. It has very "buzzword" centric configuration (block "XSS", block "SQL injection" - no finer configuration). As configuration is on the rough side, I think that in real world situations many of the protections have to be either off or on low (options are usually: off, low, medium and high). For example, medium security for SQL injection includes detecting words such as select or join - both impractical in the real world. Lack of fine grained configuration is not limited to signatures, it is also true for applications - the security level for each category is determined on a site level, so if you have a free text field that is prone to include the word "select" you cannot exclude it but rather have to lower security for the entire site.
4) Is this feature different on the Interspect and standard FW-1 boxes

Any comments and real world examples greatly appreciated! Thanks & regards.
Bottom line - if web security is your concern this is hardly the way to protect your site. It may be better for other protocols. I would go for mod_security, which provides much better configurability for a much lower price, or a full blown application firewall which provides much more security.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers () breach com
http://www.breach.com
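To illustrate the granularity problem Ofer describes (bare keyword signatures such as "select" or "join" firing on free-text fields, and a security level that can only be set per site rather than per field), here is an added Python example that is not part of the thread and not Check Point's or mod_security's code; the sample form submissions and the signatures are constructed for illustration.

```python
import re

# Constructed sample form submissions: (field name, value, is_attack).
# Illustrative inputs only, not traffic captured from any real site.
SAMPLES = [
    ("comment", "Please select the join date you prefer", False),
    ("comment", "we'll join the call after the selection", False),
    ("id", "42", False),
    ("id", "42 UNION SELECT username, password FROM users", True),
    ("user", "admin' OR '1'='1", True),
]

# "Buzzword"-style medium signature: any SQL keyword, anywhere, in any field.
KEYWORD_SIG = re.compile(r"\b(select|join|union|insert)\b", re.I)

# Granular signatures that require SQL syntax context, not just a word.
CONTEXT_SIGS = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),   # UNION SELECT
    re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),       # ' OR x=y
]

def keyword_match(value):
    return bool(KEYWORD_SIG.search(value))

def context_match(value):
    return any(sig.search(value) for sig in CONTEXT_SIGS)

# Site-wide "medium": every field inspected with the keyword signature.
def site_wide_medium(field, value):
    return keyword_match(value)

# Site-wide "low": protection lowered for the whole site to stop the
# false positives on the comment field, so nothing is inspected.
def site_wide_low(field, value):
    return False

# Per-field policy: free-text fields get only context signatures,
# structured fields get both keyword and context signatures.
FREE_TEXT_FIELDS = {"comment"}

def per_field(field, value):
    if field in FREE_TEXT_FIELDS:
        return context_match(value)
    return keyword_match(value) or context_match(value)

def evaluate(detector):
    """Return (false_positives, missed_attacks) for a detector over SAMPLES."""
    fps = sum(1 for f, v, atk in SAMPLES if not atk and detector(f, v))
    misses = sum(1 for f, v, atk in SAMPLES if atk and not detector(f, v))
    return fps, misses
```

Running `evaluate` over the three policies shows the trade-off: the site-wide keyword signature blocks both legitimate comments and still misses the tautology, lowering the whole site to "low" misses both attacks, and the per-field policy catches both with no false positives on the sample set.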