Security Basics mailing list archives

RE: Checkpoint smart defance as IPS


From: "Erik Ilves" <green.boy () mail ee>
Date: Fri, 28 May 2010 08:01:57 +0300

Hey,

I'm not 100% sure, but I don't think any IPS provider can look into SSL
traffic itself. Most of the IPS that I know can look at the key negotiations
taking place between the client and the server, but not the traffic itself.
If he really wanted to look into what is happening inside SSL then I suggest
buying an F5 or a similar load balancer device that terminates the SSL in
itself and the traffic to the backend would not be encrypted anymore and IPS
can look at that traffic. As for the best IPS, read Q4 NSS Labs test - you
have to register @ http://www.nsslab.com/ to get the document, but basically
the best IPS vendors at the moment are Sourcefire, McAfee and IBM. I have
tested Sourcefire and McAfee and found the McAfee GUI a bit illogical.
Sourcefire one looked logical and the functionality more than satisfactory
and the upgrades are smooth, so my company went with them (Support for
Sourcefire boxes is incredible! I think they honestly have the best support
for any appliance out there). I have not tested IBM, but NSS recommends it,
so I think there are a lot of good features in the IBM boxes as well, so
recommend one of these 3 to your customer.

As for SmartDefense as IPS. Sorry, but that is a laugh! Checkpoint's
SmartDefense "IPS" causes more trouble than good. More false
positives/negatives and random drops than any other system out there and it
is deprecated, the new IPS that Checkpoint provides with R70.x is better,
but it is nowhere near what a dedicated IPS provider like SF/McAfee/IBM
gives to the administrator. Checkpoint does firewalls and great ones at
that, but IPS, not their thing or league.

Br,

Erik

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of mzcohen2682 () aim com
Sent: Thursday, May 27, 2010 11:50 PM
To: security-basics () securityfocus com
Subject: Checkpoint smart defance as IPS

Hi list friends !!!

I did a pentest for a client's web site and found many holes, most of them
because of SQL injection which can be fixed with a good practice of input
validation. I also recommended installing an IPS. The client has Checkpoint
SmartDefense module installed on his FW but I guess that this module is not
enough because 1. one can't write signatures 2. the client uses SSL on his
web site so the IPS can't see the attack. AM I WRONG?? I think that the
client needs to buy a real IPS which can also open the encrypted traffic.

Which IPS do you recommend for doing the task?


thanks a lot,

Marco


