Network Security Focus-IDS

RE: Checkpoint SmartDefense

Subject: RE: Checkpoint SmartDefense
Date: Wed, 18 May 2005 23:53:18 +0100


-----Original Message-----
From: Fergus Brooks [mailto:fergwa@gmail.com]
Sent: Wednesday, 18 May 2005 12:10
To: focus-ids@securityfocus.com
Subject: Checkpoint SmartDefense

Hi all,

I am getting some mixed messages regarding this feature.

1) Does it detect zero day attacks in real time and
recommend/implement remediation

It can detect some attacks on the fly and stop them. 

2) How intelligent is it?
It depends a lot on the type of filtering being done. For instance, some DNS
queries are mistaken for DNS buffer overflow attempts, probably because
they're not RFC compliant. The same problem happens with other protocols.
On the other hand, it successfully filters most common DoS attacks and worms
(Land, Code Red & friends).
 
3) Is it difficult to configure & maintain?
IMHO, like most Check Point products, the difficulty is the *installation*
phase.
SmartDefense, however, can be very tricky to *tune*, but not to configure, as
the default configuration doesn't harm a fly.

 
4) Is this feature different on the Interspect and standard FW-1 boxes
Dunno, I'm only using it in a Nokia IP firewall (over their IPSO), and it
seems quite happy. 


Any comments and real world examples greatly appreciated!
It doesn't replace nice PC boxes running Snort and other IDS tools. In
fact, it is advisable to have a network setup with both.
Some SmartDefense features can cause very obscure errors. I remember having
problems with the Autodesk MapGuide server and MapGuide agent, because the
communication protocol designed by Autodesk was mistaken for the Blaster
worm.

Then again, I'm using a 2003 version of SmartDefense. The product could have
been improved a lot by now.
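The false-positive class described in the reply above (benign DNS queries tripping a "DNS buffer overflow" signature because they are not strictly RFC 1035 compliant) is easy to reproduce with a small wire-format checker. The following is an added example, not code from the original post and not Check Point's SmartDefense logic: it walks the question section of a DNS query and reports everything that falls outside RFC 1035's length limits or its preferred name syntax. The sample packets are constructed inline; the `_ldap._tcp` case is a legitimate SRV-style name (RFC 2782) that nonetheless fails the RFC 1035 preferred syntax, which is exactly the kind of query a syntax-based signature would flag.

```python
"""RFC 1035 question-section checker: an illustration of length/syntax checks of the
kind an IDS signature might apply to DNS queries, and of how legitimate but
non-compliant names end up flagged. Example code; not from the original post."""
import struct

MAX_LABEL = 63      # RFC 1035 2.3.4: a label is at most 63 octets
MAX_NAME = 255      # RFC 1035 2.3.4: whole name, length octets and root label included
HEADER_LEN = 12
# RFC 1035 2.3.1 "preferred name syntax": letters, digits and hyphen only
_HOSTNAME_OCTETS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def build_query(labels, qtype=1, txid=0x1234):
    """Build a minimal DNS query (header + one question) from raw label bytes.
    Deliberately unvalidated so that non-compliant packets can be constructed."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS=IN


def check_dns_question(packet):
    """Walk the QNAME of the first question and return a list of RFC 1035 problems.
    An empty list means the question is well formed and within the preferred syntax."""
    problems = []
    if len(packet) < HEADER_LEN:
        return ["packet shorter than the 12-byte DNS header"]
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount != 1:
        problems.append(f"QDCOUNT is {qdcount}, expected 1 for a simple query")
    pos, name_len = HEADER_LEN, 0
    while True:
        if pos >= len(packet):
            problems.append("QNAME runs past end of packet")
            return problems
        length = packet[pos]
        pos += 1
        if length == 0:
            name_len += 1            # root label terminates the name
            break
        if length > MAX_LABEL:
            # Top two bits set: 11 = compression pointer, 01/10 = extended or
            # reserved label types. None of them belong in a plain query name.
            problems.append(f"length octet 0x{length:02x} is not a plain label "
                            f"(RFC 1035 labels are at most {MAX_LABEL} octets)")
            return problems
        label = packet[pos:pos + length]
        if len(label) < length:
            problems.append("label runs past end of packet")
            return problems
        if not all(b in _HOSTNAME_OCTETS for b in label):
            problems.append(f"label {label!r} outside RFC 1035 preferred name syntax")
        name_len += 1 + length
        pos += length
    if name_len > MAX_NAME:
        problems.append(f"name length {name_len} exceeds {MAX_NAME}")
    if len(packet) - pos < 4:
        problems.append("question missing QTYPE/QCLASS")
    return problems


# Constructed sample queries (not captured traffic).
SAMPLES = {
    "plain A query": build_query([b"www", b"example", b"com"]),
    "SRV-style name": build_query([b"_ldap", b"_tcp", b"example", b"com"]),
    "overlong name": build_query([b"a" * 63] * 5 + [b"example", b"com"]),
    "truncated packet": build_query([b"www", b"example", b"com"])[:20],
    "pointer in QNAME": build_query([b"www"])[:HEADER_LEN] + b"\xc0\x0c" + b"\x00\x01\x00\x01",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {check_dns_question(pkt) or 'RFC 1035 compliant'}")
```

Only the first sample passes; the SRV-style name is reported twice (once per underscore label) even though such names are routine on any Active Directory network, which is the mismatch between "not RFC compliant" and "attack" that makes this kind of signature noisy until tuned.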



