IDS mailing list archives
Re: Checkpoints Smartdefense as an IPS
From: a bv <vbavbalist () gmail com>
Date: Fri, 15 May 2009 11:42:56 +0300
Thanks for the answers, and let me go on to further questions. If you are using SmartDefense, how do you manage it, how often do you update it, and what do you do to get the most from it?

regards

2009/4/29, John Jasen <jjasen () realityfailure org>:
> a bv wrote:
> Hi list, I want to ask the list for opinions on Checkpoint's SmartDefense. For past and current users, how adequate/successful do you find it as an IPS for your enterprise? Do you use an additional IDS/IPS, and if so for what purposes and to monitor what segments/parts of your infrastructure? And how do you deploy/manage SmartDefense?

SmartDefense is not recommended in the slightest. Entirely too many of the signatures are obsolete and/or just plain wrong. The FTP and SMTP security servers will break traffic in obscure ways without any logs. Log correlation to a SmartDefense rule or setting can involve a lot of reading, sometimes guesswork, and occasionally a bit of luck.

SmartDefense is incredibly CPU intensive. You won't be able to enable most of it unless you buy $MORE, where $MORE is defined as one or more of: bigger hardware, multi-CPU licenses, CoreXL, ClusterXL.

As others have indicated, tuning SmartDefense is most of the time "rule on" or "rule off". See the luck required for log correlation above for some of the more obscure cases.... Unlike Snort, you have no visibility into what the rule is checking for or doing.

And, to add the icing on the cake, Checkpoint has replaced SmartDefense with their reworking of NFS's IPS in R70. So, SmartDefense is dead, and unlamented.

--
-- John E. Jasen (jjasen () realityfailure org)
-- No one will sorrow for me when I die, because those who would
-- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring