RE: Checkpoint SmartDefense

["Ofer Shezaf" <Ofer.Shezaf () breach com>]

> From: Fergus Brooks [mailto:fergwa () gmail com]
> Sent: Wednesday, May 18, 2005 2:10 PM
....
> I am getting some mixed messages regarding this feature.
>
> 1) Does it detect zero day attacks in real time and
> recommend/implement remediation

As my expertise is web applications security, I can comment only on the
web (port 80/443) functionality of SmartDefence (as well as
WebIntelligence, its younger sibling). SmartDefence may provide better
value for other protocols.

Zero day attack detection is a tricky business. Behind the marketing
brochures, SmartDefence and WebInteligence are mostly misuse based (i.e.
signature based) and therefore are not well adjusted to zero day
protection.

I personally feel that the signatures are also on the weak side for
attacks such as SQL injection or XSS, especially since tighter security
(that is more signatures) is usually not practical, as discussed below.

> 2) How intelligent is it?

The one feature that seems to be more intelligent is detecting of binary
code in input. It also seems like the one that has potential to detect
zero day attacks for buffer overflows. I don't have personal experience
with this one (always off). Any input is welcomed.

> 3) Is it difficult to configure & maintain?

It is actually too easy to maintain. It has very "buzzword" centric
configuration (block "XSS", block "SQL injection" - no finer
configuration). 

As configuration being is on the rough side I think that in real world
situation many of the protections have to be either off or on low
(options are usually: off, low, medium and high). For example, medium
security for SQL injection includes detecting words such as select or
join - both impractical in real world.

Lack of fine grained configuration is not limited to signatures, it is
also true for applications - the security level for each category is
determined on a site level, so if you have an free text field that is
prone to include the word "select" you cannot exclude it but rather have
to lower security for the entire site. 

> 4) Is this feature different on the Interspect and standard FW-1 boxes
>
>
> Any comments and real world examples greatly appreciated!
>
> Thanks & regards.

Bottom line - if web security is your concern this is hardly the way to
protect your site. It may be better for other protocols. I would go for
mod_security, which provides much better configurability for a much
lower price, or a full blown application firewall which provides much
more security.

~ Ofer

Ofer Shezaf
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers () breach com
http://www.breach.com

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------