I haven't dealt with SmartDefense for a long time - but when I did, the 
advantage was that there was no political battle to fight for getting another 
device to go inline of traffic - as folks are already accustomed to having the 
firewall there inspecting traffic, to some degree.

The disadvantage (from my perspective only at the time) was that the 
individual tuning parameters were not extremely granular... so when there were 
false positives triggered for blocking, it was 'an all or nothing' remediation 
required to address the issue - i.e. turn the signature off altogether.

So - in a practical sense, it comes down to requirements.  If it is simply to 
address an 'audit or compliance checkmark' requirement, then something like 
SmartDefense was fantastic for an enterprise who already had deployed 
Checkpoint as a firewall and was well used to administering and maintaining the 
solution.  However, to achieve real detective vigilance I would recommend 
augmenting the solution with passive IDS at key monitoring points.  In my 
experience, you will rarely get a specific directive from anyone in the 
enterprise that will clarify this for you - you sort of have to get a gut feel.

Sorry for the 'gray' answer, but that's simply my opinion based on what I have 
seen.  :)

(Also, please note that I haven't dealt with Checkpoint now in several years, so 
there may have been significant advancements made to SmartDefense's tunability 
since then) 

Hope this helps...

Tommy


----- Original Message -----
From: "a bv" <[email protected]>
To: [email protected]
Sent: Tuesday, April 28, 2009 4:00:52 AM GMT -05:00 US/Canada Eastern
Subject: Checkpoints Smartdefense as an IPS

Hi list,

I want to ask the list for opinions on Checkpoint's SmartDefense. For
past and current users, how adequate/successful do you find it as
an IPS for your enterprise? Do you use an additional IDS/IPS, and if so, for what
purposes and to monitor what segments/parts of your infrastructure?
And how do you deploy and manage SmartDefense?

Regards



