This is it. You’re at the helm of one of the most advanced intrusion prevention systems (IPS) on the market today, capable of deep packet inspection and seamless attack detection and prevention. What’s next? How do you avoid many of the common problems that befall mismanaged IPS systems while keeping your network as safe as possible? Let’s take a look.
Lack of a sensible update schedule
Many firewall admins may be tempted to treat IPS as a “set it and forget it” endeavor, but that simply isn’t a viable approach if you want to maintain an effective strategy for keeping up with the emerging threat landscape. New exploits and vulnerabilities are being discovered constantly. So, you’ll want to have a game plan for ensuring that you can stay reasonably up-to-date with the newest signatures from Check Point. We typically recommend a monthly update schedule for most of our customers to accomplish this. On the other side of the coin, you’ll also want to be as flexible as possible for high-profile protections from Check Point that might require an out-of-band update. A recent example of this would be the protection released for the Heartbleed exploit, which some of our managed customers had us apply the same day that it was released.
Failure to back up before updates
Unfortunately, as with any production updates, there is always a risk involved. We have seen bad signature updates released that have stopped production traffic and even brought down entire networks from time to time. The easiest way to avoid this problem is to simply take a full policy export before every IPS signature update. An important distinction to make is that this should be done via command line rather than simply doing a database revision in SmartDashboard. You will want a completely separate copy of your policy; in the event that disaster strikes, this should allow you to be completely back up and running within 5-10 minutes.
Improper object definition
This is something that is often missed. In the Check Point firewall policy, you can actually define if an object is running a web, mail or DNS server. Since signatures are tailored toward specific services and protocols, it is best practice to set this up so that the IPS engine can best protect the services that your host is running.
Using “any” when creating IPS exceptions
We have all been there. There’s a problem with traffic and time is ticking while you configure an exception to restore production services. It can be all too tempting to simply set up a blanket exception to get back up and running quickly, but that can easily cripple the ability of your IPS to protect against future attacks. It is well worth the time and effort to set up exceptions with only the specific hosts or networks that are problematic. Your future self will thank you.
Falling too far behind on Check Point software upgrades
This falls under best practices in general when maintaining a distributed firewall environment, but if you let the versions of your management server and firewalls fall too far behind you’ll no longer be able to take advantage of all the newest IPS signatures updates that Check Point provides. Check Point stops releasing certain IPS protections for older versions before they actually go out of support, so it is one more incentive to maintain a reasonable upgrade schedule.
In addition to the items that I have listed here, it is also worth noting that the Check Point user center will allow you to sign up for a mailing list so that you can stay up-to-date with all the latest IPS updates. If you are a Hurricane Labs managed customer, we will also contact you with security bulletins regarding critical signature updates so that you can stay ahead of the game.