IDS mailing list archives

RE: Checkpoint SmartDefense


From: "Net Shark" <netshark () sexmagnet com>
Date: Wed, 18 May 2005 23:53:18 +0100



-----Original Message-----
From: Fergus Brooks [mailto:fergwa () gmail com]
Sent: Wednesday, 18 May 2005 12:10
To: focus-ids () securityfocus com
Subject: Checkpoint SmartDefense

Hi all,

I am getting some mixed messages regarding this feature.

1) Does it detect zero day attacks in real time and
recommend/implement remediation

It can detect some attacks on the fly and stop them. 

2) How intelligent is it?
It depends a lot on the type of filtering made. For instance, some DNS
queries are mistaken for DNS buffer overflow attempts, probably because
they're not RFC compliant. The same problem happens with other protocols.
On the other hand it successfully filters most common DoS attacks and worms
(Land, Code Red & friends).

3) Is it difficult to configure & maintain?
IMHO, like most Check Point products the difficulty is the *installation*
phase.
SmartDefense, however, can be very tricky to *tune*, but not to configure, as
the default configuration doesn't harm a fly.

4) Is this feature different on the Interspect and standard FW-1 boxes
Dunno, I'm only using it in a Nokia IP firewall (over their IPSO), and it
seems quite happy. 


Any comments and real world examples greatly appreciated!
It doesn't replace nice PC boxes running Snort and other IDS tools. In
fact, it is advisable to have a network setup with both.
Some SmartDefense features can cause very obscure errors. I remember having
problems with the Autodesk MapGuide server and MapGuide agent, because the
communication protocol designed by Autodesk was mistaken for the Blaster
worm.

Then again I'm using a 2003 version of SmartDefense. The product could have
been improved a lot by now.