CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi, since our IDS is EOL we need to think of something new. So why not use SmartDefense .... :) How should you start using SmartDefense? Turn everything on and wait for problems to turn things off? Look at the rulebase and turn only protocol-related things on? grtz, -jd-
From the sound of it... on the older versions, chances are that SmartDefense is already running and it cannot be "taken out". I don't think you are running R65, right?
The best way to do it is probably to turn it all on, but only in monitoring mode. Then you can deal with the alarms without breaking anything. When it looks all right, you can then remove the monitor-only mode.
lol... depends on the options/features.... most SmartDefense options in "monitor-only" will start to block stuff... depending on your Check Point version... it may be wise to test in a non-production environment.
I like your suggestion chuachongchee, test in a non-production environment. There is only a tiny little problem... unless he replicates his entire network/systems (and that of his business partners, etc.) in the "non-production environment" the test isn't relevant, because it won't highlight any of the problems he will have in the real world.
Sadly I don't think I'd recommend using SMDF, but on the flip side I've yet to find an alternative.
__________________
It's all in the documentation.
Last edited by melipla; 2008-04-08 at 12:13.
"Oh yeah.. that hacker was good... and yep... even our IPS couldn't stop it.. that's not my problem"
For a stand-alone IPS check out IPS-1 from Check Point (it was NFR before CHKP acquired it last year). SMDF is a good start, but it does have a tendency to be overly aggressive sometimes.
For IPS-1, I haven't really used it before... but I have seen the UI once... doesn't seem very feature-packed? Besides, it's like a 3-tier approach, right? For big enterprises, yes, this seems good.. that you can expand... but what about users who intend to buy only one? Doesn't seem cost-effective to me...
The story goes like this. We have an IDS appliance that's end-of-life and we're gonna remove it from our network. We have a small team but manage a large network and do not have enough manpower to manage a full-blown IPS/IDS. Of course we want to protect our network and therefore I thought SMDF would be useful. We do have a lab environment where we can test, but we could never simulate real-life traffic. cheers,
Next, a full IPS solution is not hard to manage; what gave you the concept that an IPS is hard? How much harder can an IPS be when an IDS is simply logging and logging and you have to manually go through the logs day after day after day? The IPSs that I have deployed before are "manless": they update signatures automatically, alert you in the event of more "potential" problems... otherwise you can simply forget they even existed..
SmartDefense isn't that resource-hungry, to be fair. So long as you're using R62 or above, you should be fine to set everything to monitor-only mode to get an idea of what sort of traffic will be blocked if you set it to active. ('Monitor only' mode didn't really work so well in versions prior to R62, e.g. it still blocked the traffic...)
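The monitor-only triage described in this thread (run everything in monitor-only, look at what would have been blocked, then decide what to set active), as an added example that is not part of the original thread or of any Check Point tool. It assumes a semicolon-separated `key=value` export of the firewall log with `time`, `action`, `attack`, `src` and `dst` fields (assumed field names; check them against your own SmartView Tracker or `fw log` export) and works on constructed sample lines. The "many distinct sources" rule used to flag protections is a heuristic of this example, not Check Point guidance.

```python
"""Summarise SmartDefense 'Detect' (monitor-only) events per protection so you
can decide which protections are safe to switch to active.

Added example: the log layout and field names below are an assumption about a
'key=value; key=value' export, and the sample lines are constructed, not real."""

# Constructed sample export (not real traffic). The 'Accept' line is ordinary
# firewall logging and must not be counted as a SmartDefense hit.
SAMPLE_LOG = """\
time=2008-04-08 10:01:02; action=Detect; attack=HTTP Header Rejection; src=10.1.1.5; dst=192.0.2.10
time=2008-04-08 10:01:09; action=Detect; attack=HTTP Header Rejection; src=10.1.1.6; dst=192.0.2.10
time=2008-04-08 10:02:11; action=Detect; attack=HTTP Header Rejection; src=10.1.1.7; dst=192.0.2.11
time=2008-04-08 10:02:40; action=Detect; attack=HTTP Header Rejection; src=10.1.1.8; dst=192.0.2.10
time=2008-04-08 10:03:00; action=Detect; attack=Port Scan; src=203.0.113.9; dst=192.0.2.10
time=2008-04-08 10:03:05; action=Detect; attack=Port Scan; src=203.0.113.9; dst=192.0.2.11
time=2008-04-08 10:05:00; action=Accept; attack=; src=10.1.1.5; dst=192.0.2.10
time=2008-04-08 10:06:00; action=Detect; attack=Non Compliant DNS; src=10.1.1.20; dst=192.0.2.53
"""

# Verdict strings returned by recommend().
REVIEW = "review before activating: hits from many distinct sources"
ACTIVATE = "candidate to switch to active"


def parse_records(text):
    """Turn 'key=value; key=value' lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = {}
        for part in line.split(";"):
            part = part.strip()
            if "=" not in part:
                continue
            key, value = part.split("=", 1)  # values may contain '=' but not ';'
            fields[key.strip()] = value.strip()
        records.append(fields)
    return records


def summarize(records, detect_action="Detect"):
    """Per protection (the 'attack' field): number of monitor-only hits and the
    distinct sources and destinations involved. Records with any other action,
    or with no protection name, are ignored."""
    summary = {}
    for rec in records:
        if rec.get("action", "").lower() != detect_action.lower():
            continue
        name = rec.get("attack", "")
        if not name:
            continue
        entry = summary.setdefault(
            name, {"hits": 0, "sources": set(), "destinations": set()})
        entry["hits"] += 1
        entry["sources"].add(rec.get("src", "?"))
        entry["destinations"].add(rec.get("dst", "?"))
    return summary


def recommend(summary, many_sources=3):
    """Heuristic (this example's assumption, not a vendor rule): a protection
    tripped by many distinct sources while in monitor-only is more likely to be
    matching legitimate application traffic and should be reviewed before it is
    allowed to block; a protection with few sources can be activated first."""
    return {
        name: (REVIEW if len(entry["sources"]) >= many_sources else ACTIVATE)
        for name, entry in summary.items()
    }


if __name__ == "__main__":
    detected = summarize(parse_records(SAMPLE_LOG))
    verdicts = recommend(detected)
    for name, entry in sorted(detected.items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{name:25} hits={entry['hits']:3} sources={len(entry['sources']):3} "
              f"dests={len(entry['destinations']):3}  {verdicts[name]}")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents; the threshold in `recommend()` is deliberately a parameter, because what counts as "many sources" depends on the size of the network behind the gateway.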
Most of the settings that degrade performance are HTTP/URL-related. Some protections will disable acceleration on certain types of traffic as well. I recommend you check the SmartDefense reference guide (search for it via SecureKnowledge). It explains most (not all) of the protections in SD and their impact on the system.