Thanks for the answers, and let me go on to further questions. If you are using SmartDefense, how do you manage it, how often do you update it, and what do you do to get the most from it?

Regards

2009/4/29, John Jasen <[email protected]>:
> a bv wrote:
>> Hi list,
>>
>> I want to ask the list for its opinion on Check Point's SmartDefense. For
>> the past and current users, how adequate/successful do you find it as
>> an IPS for your enterprise? Do you use additional IDS/IPS, and if so, for what
>> purposes and to monitor what segments/parts of your infrastructure?
>> And how do you deploy and manage SmartDefense?
>
> SmartDefense is not recommended in the slightest.
>
> Entirely too many of the signatures are obsolete and/or just plain wrong.
>
> The FTP and SMTP security servers will break traffic in obscure ways
> without any logs.
>
> Log correlation to a SmartDefense rule or setting can involve a lot of
> reading, sometimes guesswork, and occasionally a bit of luck.
>
> SmartDefense is incredibly CPU intensive. You won't be able to enable
> most of it unless you buy $MORE, where $MORE is defined as one or more
> of: bigger hardware, multi-CPU licenses, CoreXL, ClusterXL.
>
> As others have indicated, tuning SmartDefense is most of the time "rule
> on" or "rule off". See the luck required for log correlation above for
> some of the more obscure cases ....
>
> Unlike Snort, you have no visibility into what the rule is checking for
> or doing.
>
> And, to add the icing on the cake, Check Point has replaced SmartDefense
> with their reworking of NFS's IPS in R70. So, SmartDefense is dead, and
> unlamented.
>
> --
> -- John E. Jasen ([email protected])
> -- No one will sorrow for me when I die, because those who would
> -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
>
