Security Basics mailing list archives

RE: is Checkpoint smart defance is enough ?


From: THolman () toplayer com
Date: Tue, 2 Aug 2005 16:13:35 -0400

Hi Juan,

SmartDefense is Check Point's network IPS.  As well as being an add-on
feature for Firewall-1, it is also the basis for the Check Point Entercept
product.

Whilst the concept is good, and the updates pretty regular, performance
across the board is limited by the PC-based systems upon which it runs.
Theoretically, you can only stuff 512Mbs through a PC-based firewall/IPS
with 2 network cards.  The more you then do with the hardware (e.g. running
firewalls, VPNs, address translation, logging, management), the less
performance you will get out of it.

Also, if you were hit by a worm or virus, then SmartDefense would quickly
run out of resources, as there is no effective rate-limiting control (i.e.
limiting the number of concurrent TCP connections or UDP requests).

I would recommend SmartDefense for low-end perimeter deployments (<10Mb
leased lines), but not for core network use (unless you buy lots and lots of
them, but then it's not very cost effective).

Would you give up on other IDSs?

Well - SmartDefense is an IPS, not an IDS.  A lot of companies will use
these in parallel: the IPS to remove the white noise from the network in
real time, and the IDS to perform resource-intensive analysis on the
leftover traffic.

Some companies see IPS as a replacement for IDS - this fits some companies'
security policy quite well, as they're in an industry that requires a
tickbox for IDS OR IPS during audits, but moving to the banking/finance
industry, they need all the security tools they can get, and will commonly
use IPS and IDS - both to pass audits and to ensure maximum levels of
security insurance for themselves and their customers.

Your decision as to whether or not SmartDefense can replace an IDS is really
down to the big-picture, architectural decision as to whether or not you
want to replace, or keep, IDS with regard to an effective IPS solution.

If you are in the market for a good IPS solution, then a good place to start
looking is www.nss.co.uk (excellent, industry-independent tests), plus SC
Magazine recently published results of their IPS testing -
http://www.scmagazine.com/products/index.cfm?fuseaction=GroupTestDetails&GroupId=19076

It's interesting to note that Check Point features in neither.

What you make of this is up to you!  :)

Regards,

Tim

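The reply above says the sensor would run out of resources under a worm because it has no control over the number of concurrent TCP connections or UDP requests a single host may generate. The following is an added example, not code from Check Point or from either poster, that shows what such a per-source control does: it caps open TCP connections per source address and applies a sliding-window cap to UDP requests, then runs a constructed traffic sample (one normal client, one worm-style scanner, one UDP flood) through it. The thresholds, addresses and traffic are all assumptions chosen for illustration.

```python
"""Per-source connection limiter: a sketch of the rate-limiting control the
reply above says SmartDefense lacks. Example code added to this archive page,
not Check Point code; thresholds and sample traffic are constructed."""
from collections import defaultdict, deque

# Assumed thresholds; real deployments tune these per segment.
MAX_CONCURRENT_TCP = 20   # open TCP connections allowed per source address
MAX_UDP_PER_WINDOW = 50   # UDP requests allowed per source per sliding window
UDP_WINDOW_SECONDS = 1.0


class PerSourceLimiter:
    """Tracks open TCP connections and recent UDP requests per source IP."""

    def __init__(self, max_tcp=MAX_CONCURRENT_TCP, max_udp=MAX_UDP_PER_WINDOW,
                 window=UDP_WINDOW_SECONDS):
        self.max_tcp = max_tcp
        self.max_udp = max_udp
        self.window = window
        self.open_tcp = defaultdict(set)     # src -> {(dst, dport), ...}
        self.udp_times = defaultdict(deque)  # src -> timestamps of recent UDP requests

    def handle(self, ts, src, proto, kind, dst, dport):
        """Decide 'allow' or 'drop' for one event.

        kind is 'syn' (new TCP connection), 'fin' (TCP connection closed)
        or 'req' (one UDP request)."""
        if proto == "tcp":
            conns = self.open_tcp[src]
            if kind == "syn":
                if len(conns) >= self.max_tcp:
                    return "drop"            # concurrent-connection cap reached
                conns.add((dst, dport))
                return "allow"
            if kind == "fin":
                conns.discard((dst, dport))  # free the slot when the connection closes
                return "allow"
            return "allow"
        if proto == "udp":
            recent = self.udp_times[src]
            while recent and ts - recent[0] > self.window:
                recent.popleft()             # expire requests outside the window
            if len(recent) >= self.max_udp:
                return "drop"
            recent.append(ts)
            return "allow"
        return "allow"


def constructed_events():
    """Constructed traffic: one normal client, one worm-like scanner, one UDP flood."""
    events = []
    # Normal client: five web connections, then closes them.
    for i in range(5):
        events.append((0.1 * i, "10.0.0.5", "tcp", "syn", f"10.0.1.{10 + i}", 80))
    for i in range(5):
        events.append((1.0 + 0.1 * i, "10.0.0.5", "tcp", "fin", f"10.0.1.{10 + i}", 80))
    # Worm-like scanner: 100 SMB connection attempts in two seconds, never closed.
    for i in range(100):
        events.append((0.02 * i, "10.0.0.99", "tcp", "syn", f"10.0.2.{i + 1}", 445))
    # UDP flood: 60 DNS requests in half a second.
    for i in range(60):
        events.append((0.5 + 0.008 * i, "10.0.0.77", "udp", "req", "10.0.3.53", 53))
    events.sort(key=lambda e: e[0])
    return events


def run_demo(events=None):
    """Feed events through the limiter; return per-source allow/drop counts."""
    limiter = PerSourceLimiter()
    counts = defaultdict(lambda: {"allow": 0, "drop": 0})
    for ev in (events if events is not None else constructed_events()):
        counts[ev[1]][limiter.handle(*ev)] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, c in sorted(run_demo().items()):
        print(f"{src:<12} allowed={c['allow']:3d} dropped={c['drop']:3d}")
```

With the assumed thresholds the normal client passes untouched, the scanner gets its first 20 SYNs through and the remaining 80 dropped, and the DNS flood loses 10 of its 60 requests. The caveat a practitioner will notice is that the limiter itself keeps state per source, so a real appliance must bound that table as well (or it becomes the resource that a worm exhausts instead).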

-----Original Message-----
From: Juan B [mailto:juanbabi () yahoo com] 
Sent: 02 August 2005 09:21
To: security-basics () lists securityfocus com
Subject: is Checkpoint smart defance is enough ?

Hi,

I was wondering if I enable SmartDefense on a network
so I can give up all the other IDSs like Snort, ISS
etc.

Is SmartDefense considered an IDS at all?

thanks 

Juan



