
List:       focus-ids
Subject:    Re: Checkpoints Smartdefense as an IPS
From:       a bv <vbavbalist () gmail ! com>
Date:       2009-05-15 8:42:56
Message-ID: 525320ef0905150142n5831d252mc87880266d2a57c7 () mail ! gmail ! com

Thanks for the answers, and let me go to further questions.

If you are using SmartDefense, how do you manage it, how often do you
update it, and what do you do to get the most from it?

regards

2009/4/29, John Jasen <jjasen@realityfailure.org>:
> a bv wrote:
>> Hi list,
>>
>> I want to ask the list for opinions on Checkpoint's SmartDefense. For
>> past and current users, how adequate/successful do you find it as
>> an IPS for your enterprise? Do you use an additional IDS/IPS, and if so, for
>> what purposes and to monitor what segments/parts of your infrastructure?
>> And how do you deploy and manage SmartDefense?
>
> SmartDefense is not recommended in the slightest.
>
> Entirely too many of the signatures are obsolete and/or just plain wrong.
>
> The FTP and SMTP security servers will break traffic in obscure ways
> without any logs.
>
> Log correlation to a SmartDefense rule or setting can involve a lot of
> reading, sometimes guesswork, and occasionally a bit of luck.
>
> SmartDefense is incredibly CPU intensive. You won't be able to enable
> most of it unless you buy $MORE, where $MORE is defined as one or more
> of: bigger hardware, multi-CPU licenses, coreXL, clusterXL.
>
> As others have indicated, tuning SmartDefense is most of the time "rule
> on" or "rule off". See the luck required for log correlation above for
> some of the more obscure cases ....
>
> Unlike snort, you have no visibility into what the rule is checking for
> or doing.
>
> And, to add the icing on the cake, Checkpoint has replaced SmartDefense
> with their reworking of NFS's IPS in R70. So, SmartDefense is dead, and
> unlamented.
>
> --
> -- John E. Jasen (jjasen@realityfailure.org)
> -- No one will sorrow for me when I die, because those who would
> -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
>

