Yanıt: Checkpoints Smartdefense as an IPS

[a bv <vbavbalist () gmail com>]

Thanks for the answers, and let me go to further questions.

If you are using smartdefense how do you manage/how often do you
update/and what do you do to get most from it?

regards

2009/4/29, John Jasen <jjasen () realityfailure org>:
> a bv wrote:
> > Hi list,
> >
> > I want to ask to list for the opinion on Checkpoints Smartdefense. For
> > the past and current users , how enough/successfull  do you find it as
> > an ips for your enterprise? Do you use additional ids/ips if so what
> > purposes and to monitor what segments/parts of your infrastructure.?
> > And how do you deploy,manage Smartdefense?
>
> SmartDefense is not recommended in the slightest.
>
> Entirely too many of the signatures are obsolete and/or just plain wrong.
>
> The FTP and SMTP security servers will break traffic in obscure ways
> without any logs.
>
> Log correlation to a SmartDefense rule or setting can involve a lot of
> reading, sometimes guesswork, and occasionally a bit of luck.
>
> SmartDefense is incredibly CPU intensive. You won't be able to enable
> most of it unless you buy $MORE, where $MORE is defined as one or more
> of: bigger hardware, multi-CPU licenses, coreXL, clusterXL.
>
> As others have indicated, tuning SmartDefense is most of the time "rule
> on" or "rule off". See the luck required for log correlation above for
> some of the more obscure cases ....
>
> Unlike snort, you have no visibility into what the rule is checking for
> or doing.
>
> And, to add the icing on the cake, Checkpoint has replaced SmartDefense
> with their reworking of NFS's IPS in R70. So, SmartDefense is dead, and
> unlamented.
>
> --
> -- John E. Jasen (jjasen () realityfailure org)
> -- No one will sorrow for me when I die, because those who would
> -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring