CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: IPS-1 & Hotfixes

  1. #1
    Join Date
    2008-10-15
    Posts
    26
    Rep Power
    0

    Default IPS-1 & Hotfixes

    Hi, we recently purchased two (2) IPS-1 5070 appliances. They both shipped with R71. I am concerned that hotfixes and new builds do not seem to be being created for them. Currently none of the hotfixes are supported (as far as we can see, the devices are running a cut-down version of a SecurePlatform R71 installation with only the IPS blade). Does anyone know the roadmap for these devices, the process to hotfix/upgrade them, or whether there will be any hotfixes? Is R75 going to be supported or deployed for them, or are we going to have to wait for GIA? I currently feel like we have just purchased the bastard son of the Checkpoint products... although I do like the integration into the entire Checkpoint platform.

  2. #2
    Join Date
    2005-11-25
    Location
    United States, Southeast
    Posts
    857
    Rep Power
    14

    Default Re: IPS-1 & Hotfixes

    I understood that IPS-1 boxes were just like Firewall-1 boxes, but just a different license.

    Someone correct me if I'm wrong, but I understand that the normal HFAs and newer Builds, such as R75, apply to IPS-1 boxes as well.

    What do you get when you execute 'rpm -qa | grep R71' in expert mode?

    Do you see CPsuite package?

  3. #3
    Join Date
    2008-10-15
    Posts
    26
    Rep Power
    0

    Default Re: IPS-1 & Hotfixes

    Yes I see CPSuite:

    # rpm -qa | grep R71
    cp-release-1-R71
    CPsplatIS-R71-00
    CPsuite-R71-00

    Unfortunately, attempting to apply a hotfix for that build results in a message that the hotfix is not valid for that build. Reading the compatibility notes, it does say, however, that it should be compatible, i.e. R71.10.

    R71.10 Release Notes, bottom of Page 9:
    Dedicated Gateways
    IPS-1, DLP-1, and VSX-1 are only supported on SecurePlatform.


    Attempting to apply the hotfix results in this message:
    ***********************************************************
    Welcome to Check Point R71.10 installation
    ***********************************************************
    ===================================================================
    The installation is stopped!
    This HFA can not be installed on this machine.
    For additional information please refer to the release notes.
    ===================================================================

    So this clearly shows that the HFA isn't supported.
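
For tracking appliance patch levels, the package list quoted in this post can be parsed into package, release and build fields. This is an added example, not part of the original thread or of Check Point tooling; the `<package>-<release>[-<build>]` name layout is an assumption inferred from the three lines shown, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise Check Point package levels from `rpm -qa` output.
# Assumption: names follow <package>-<release>[-<build>], as in the post above.

# Constructed sample, copied from the output quoted in the post.
SAMPLE='cp-release-1-R71
CPsplatIS-R71-00
CPsuite-R71-00'

# cp_inventory: read rpm -qa lines on stdin, print "package release build".
cp_inventory() {
    awk '
    {
        n = split($0, part, "-")
        rel = ""; idx = 0
        # The release field is the last one shaped like R<digits>[.<digits>].
        for (i = 1; i <= n; i++)
            if (part[i] ~ /^R[0-9]+(\.[0-9]+)?$/) { rel = part[i]; idx = i }
        if (idx < 2) next                  # no package name before a release
        name = part[1]
        for (i = 2; i < idx; i++) name = name "-" part[i]
        build = (idx < n) ? part[idx + 1] : "none"
        print name, rel, build
    }'
}

# cp_release_trains: print the distinct release strings, one per line.
cp_release_trains() {
    cp_inventory | awk '{ print $2 }' | sort -u
}

# cp_check_release: succeed only if every package is on the expected release.
cp_check_release() {
    expected=$1
    trains=$(cp_release_trains)
    [ "$trains" = "$expected" ]
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | cp_inventory
```

On an appliance the same functions take live input, for example `rpm -qa | cp_check_release R71`, which fails when packages from more than one release are installed.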

  4. #4
    Join Date
    2006-12-04
    Posts
    1,316
    Rep Power
    14

    Default Re: IPS-1 & Hotfixes

    Quote Originally Posted by hewfish View Post
    They both shipped with R71. I am concerned that hotfixes and new builds do not seem to be being created for them. Currently none of the Hotfixes are supported (As far as we can see the devices are running a cut down version of a SecurePlatform R71 installation with only IPS blade).
    We tried an R71 IPS-1 sensor (special ISO with support for HP open server) about 1 year ago, but due to some performance problems we are now testing R75.20 Bridge FW with the IPS blade.
    As far as we know, CP has not produced any HFA for IPS-1 sensors for about one year.

    Quote Originally Posted by alienbaby View Post
    I understood that IPS-1 boxes were just like Firewall-1 boxes, but just a different license.

    Someone correct me if I'm wrong, but I understand that the normal HFAs and newer Builds, such as R75, apply to IPS-1 boxes as well.
    ?
    No, they use secplat only (currently R71), but all the other stuff is from Network Flight Recorder/NFR (now it is also CP, but ...).
    Last edited by serlud; 2011-08-18 at 09:11.

  5. #5
    Join Date
    2008-10-15
    Posts
    26
    Rep Power
    0

    Default Re: IPS-1 & Hotfixes

    I got a "Semi-Official" answer to this from Checkpoint. I thought I would share both the statement and my own bit of investigative work.

    “The release numbers do not mean the same thing between the two product lines. VSX, for example, is still on the “R6x” train, but that does not mean that all development on it ceased 5-6 years ago. Endpoint is on R80, and it certainly hasn’t warped time and jettisoned itself into the future. Also, R75 is more about the emerging technology blades like DLP and App Control, which are currently irrelevant to IPS-1.

    IPS-1 signature updates are still abundant and there are differentiators IPS-1 offers, such as FONIC, IPv6 support, certain advanced forensic capabilities, and very soon, we hope to deliver a true 10Gbps appliance with an excellent price/performance ratio. There is a long term goal to roll all IPS functionality into a unified product line, and when that happens IPS-1 customers won’t be left behind, but for the moment IPS-1 is alive and well as a fully-maintained distinct product.”
    I have been told that this comes from the IPS Engineering Director, however I cannot confirm/deny if these are his/her real opinions or that he/she wants them shared verbatim **Standard Disclosure**. I am happy to remove this comment if Checkpoint asks.

    The issue I guess I have is that the R71-based IPS-1, as per the captures in previous posts, obviously uses the base R71 (pre-hotfix) builds. Since then, fixes have been applied to the IPS engine (HFAs) that have not been applied to the IPS-1 specific blade software. "Officially" the IPS-1 does not require these hotfixes, as the signatures have been indicated as update enough. I'm unsure about this statement.

    R71.40 HFA includes the following fixes:


    IPS
    00575400 | IPS records a log for non-standard HTTP traffic according to IPS protections. | Security Gateway
    00613891 | Logs and Masters page shows in properties window for IPS Sensor objects in SmartDashboard. | Security Management server


    Obviously these are not included in the IPS-1. Admittedly, I could not find any other HFA notes for R71.10-30 that mention fixes for IPS. So the above issues in R71.40 may not be relevant at all. If this is the case, the IPS-1 may not yet require an HFA.

    I also forgot to mention that the IPS-1 does do additional inspection that the "Gateway IPS" blade does not, so there are more features and additions to the IPS-1 appliance range.

    Cheers,
    Hewfish
    Last edited by hewfish; 2011-08-30 at 01:20.

  6. #6
    Join Date
    2011-09-12
    Posts
    3
    Rep Power
    0

    Default Re: IPS-1 & Hotfixes

    Quote Originally Posted by hewfish View Post
    I got a "Semi-Official" answer to this from Checkpoint. I thought I would share both the statement and my own bit of investigative work.



    I have been told that this comes from the IPS Engineering Director, however I cannot confirm/deny if these are his/her real opinions or that he/she wants them shared verbatim **Standard Disclosure**. I am happy to remove this comment if Checkpoint asks.

    The issue I guess I have is that the R71-based IPS-1, as per the captures in previous posts, obviously uses the base R71 (pre-hotfix) builds. Since then, fixes have been applied to the IPS engine (HFAs) that have not been applied to the IPS-1 specific blade software. "Officially" the IPS-1 does not require these hotfixes, as the signatures have been indicated as update enough. I'm unsure about this statement.
    Hi,

    Thanks for the posts, I'm a developer on the IPS-1 team based out of Rockville.

    I believe it's more of an architectural issue than anything else. We do use IPS-1 on SPLAT but typically the fixes you see in HFAs are to the Software Blades running on them.

    In IPS-1, the protocol parsers and most of the actual "guts" of the inspection takes place in N-Code, which is updated with a signature push. So for example:


    Quote Originally Posted by hewfish View Post
    R71.40 HFA includes the following fixes:


    IPS
    00575400 | IPS records a log for non-standard HTTP traffic according to IPS protections. | Security Gateway
    This type of bug would be repaired in a signature fix, because unlike the Blade, the IPS-1 HTTP protocol parser is written in N-Code just like the protections. Note also IPS-1 does not use the web-based configuration service (it has its own console-based installer) and other than the basic SIC/logging infrastructure, does not use many elements of the management infrastructure that are positioned for the benefit of the Blades except that which it needs to send logs to SmartConsole. So those are huge areas where IPS-1 is mostly exempt from the type of HFAs Check Point provides.

    We have infrequently evaluated HFAs that contain elements that affect the underlying components of the logging infrastructure, or the OS itself. It's very likely the only reason we would ever tie ourselves to a "dot" release would be an outstanding security issue in SPLAT.

    We also periodically issue true hotfixes (not HFAs) to the engine. During my time here for example there were upwards of seven hotfixes to the R65 line of sensors; several alone due to specific issues with the Bivio platform. Typically we would issue these fixes through the support channel, but the fact that we are now cranking out HFAs and HFs in SmartUpdate form will make this a lot less messy going forward.

    All that having been said, we issued an HFA for IPS-1 R71 earlier this year, which does a few notable things:

    - unifies the underlying sensor code between the R65 lines and the R71 lines. This means if you're tied to legacy R65.X management and the old R65.2 Dashboard, you can still install this HFA that will update your sensor engine code to the latest and greatest.
    - contains engine security, stability and performance fixes

    You can deploy this HFA via SmartUpdate, which is also a first for IPS-1 R71. For R65.X sensors, there is an installable RPM.

    See sk64340 for more details and links to the updates.
    Last edited by worgelm; 2011-09-13 at 10:29.
