Tuesday 23 August 2011

Enabling Check Point IPS

I couldn't find any easy / recommended way to enable the IPS feature on the Check Point software blade, so I came up with this sequence on my own. If someone does know the correct procedure, please enlighten me.

Check Current Status
1) Click on the IPS tab
2) If you look in the "IPS in My Organization" box you should see the following:

0 security gateway is enforcing IPS
2 profiles are configured

Enable the IPS
1) Click on the Firewall tab
2) On the left, double-click Network Objects -> Check Point -> myhost (i.e. cpr75)
3) In the Check Point Gateway window, click on the Network Security tab
4) Turn on the IPS function and click OK
5) Download this policy to the gateway
6) Now check that IPS is enabled by following the Check Current Status procedure above


Testing the IPS

First we need to find an attack vector that the IPS is configured to protect the network from. Click on the IPS tab and select Protections on the left-hand side. Sort the table by the "Default_Protection" column so that all the enabled vectors are listed at the top. I quickly scanned through the list and found LAND (CVE-1999-0016) to be something I could easily simulate. The basic summary of this vector is:



Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination, and using the same port on the target host as both source and destination.




This is easy to simulate using hping. So on pluto run the following command:



zzz# hping 192.168.2.1 -s 135 -p 135 -S -a 192.168.2.1
HPING 192.168.2.1 (em1 192.168.2.1): S set, 40 headers + 0 data bytes
len=40 ip=192.168.2.1 ttl=64 id=45332 sport=135 flags=S seq=0 win=512 rtt=0.4 ms
^C
--- 192.168.2.1 hping statistic ---
19 packets tramitted, 1 packets received, 95% packet loss
round-trip min/avg/max = 0.4/0.4/0.4 ms
zzz#
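
The property the LAND summary above describes (a TCP SYN with identical source and destination address and port) can be checked directly on the header bytes. The following Python is an added example, not part of the original post and not Check Point's signature logic; `build_syn` and `is_land` are hypothetical names, and the sample packets are constructed to match the 40 header bytes hping reports.

```python
import socket
import struct

def build_syn(src, dst, sport, dport):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP SYN, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 512, 0, 0)
    return ip + tcp

def is_land(packet):
    """True for a TCP SYN whose source and destination address and port are equal."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                          # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 14:
        return False                          # bad IHL, not TCP, or truncated TCP header
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                          # non-first fragment carries no TCP header
    src, dst = packet[12:16], packet[16:20]
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    syn = (packet[ihl + 13] & 0x02) != 0      # SYN bit in the TCP flags byte
    return syn and src == dst and sport == dport

if __name__ == "__main__":
    # Constructed packets; 192.168.2.50 is an assumed neighbouring host.
    samples = {
        "land (same addr, same port)": build_syn("192.168.2.1", "192.168.2.1", 135, 135),
        "normal SYN from another host": build_syn("192.168.2.50", "192.168.2.1", 40000, 135),
        "same addr, different ports": build_syn("192.168.2.1", "192.168.2.1", 40000, 135),
    }
    for label, pkt in samples.items():
        print(f"{label}: {'LAND' if is_land(pkt) else 'ok'}")
```
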


If you then check the logs of the gateway using SmartView Tracker you will see the following:




I finally gave up finding an easy method to attach screen shots, so this is the first one on this blog. What I was really after was a Confluence-style Java interface in which I could just paste the clipboard. The current method is to capture, save to disk and then upload.





