Check Point Advisories

Updating IPS, SmartDefense, and Web Intelligence with the Latest Dynamic Defenses

Check Point Reference: SBP-2006-05
Date Published: 30 Aug 2006
Severity: High
Last Updated: 3 Dec 2010
Source:

SmartDefense Research Center

Protection Provided by:

Security Gateway

  • R75
  • R71
  • R70

VPN-1

  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54

VSX

  • NGX
  • NGX R65

InterSpect

  • NGX
  • 2.0 and 1.x

Connectra

  • NGX R62
  • NGX R61
  • NGX
  • 2.0

IPS-1

  • IPS-1

Who is Vulnerable?

Security Gateway
VPN-1, InterSpect and Connectra modules
IPS-1

Vulnerability Description

SmartDefense dynamic updates are available to customers who have purchased the SmartDefense subscription service. Customers with valid subscription license can choose the attacks to defend against, read detailed information about the attack, configure parameters for each attack defense, including logging options, receive real-time information on attacks, and update SmartDefense with new capabilities.

Keeping up-to-date with the latest SmartDefense defenses does not require up-to-the-minute technical knowledge. A single click on the Online Update button updates SmartDefense and Web Intelligence with all the latest defenses from the SmartDefense website.

Vulnerability Details

When you buy a SmartDefense subscription, you are given a license that enables you to download IPS/SmartDefense and Web Intelligence updates.  IPS/SmartDefense and Web Intelligence updates are sent to your computer from one of the SmartCenter enforcement modules.

Protection Overview

In this section you can learn how to obtain the latest IPS/SmartDefense and Web Intelligence defenses for all Security Gateway, VPN-1, InterSpect, Connectra and IPS-1 versions.

To activate the downloaded IPS/SmartDefense updates, you must Install security policy (Policy > Install) in Security Gateway and VPN-1 modules or Activate Settings (Action > Activate Settings) in InterSpect modules.

To configure the defense, select your product from the list below and follow the related protection steps.



How Can I Protect My Network?
To obtain the latest IPS dynamic update:

1. In the IPS tab, click Download Updates.
2. In the configuration pane, under Download Updates, click Update Now.
3. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
When IPS detects an attack a log is generated and appears in SmartView Tracker > Network & Endpoint Queries > Predefined Network Security Blades > IPS Blade All.




How Can I Protect My Network?
To obtain the latest IPS dynamic update:

1. In the IPS tab, click Download Updates.
2. In the configuration pane, under Download Updates, click Online Update.
3. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
When IPS detects an attack a log is generated and appears in SmartView Tracker > Network & Endpoint Queries> Predefined > Network Security Blades > IPS Blade > All.




How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. In the SmartDashboard toolbar, click the SmartDefense tab.
2. In the SmartDefense tree, click Download Updates.
3. In the configuration pane, under SmartDefense Services, click Online Update.
4. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
When SmartDefense detects an attack a log is generated and appears in SmartView Tracker > Log Queries >Predefined > SmartDefense.



How Can I Protect My Network?
VPN-1 NGX R61 introduces the SmartDefense Services tab. The SmartDefense Services tab allows you to update all available products from a central location.

To obtain the latest SmartDefense dynamic update:

1. Click the SmartDefense Services tab; the Download Updates page opens.
2. Click Update Now.

3. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
When SmartDefense detects an attack a log is generated and appears in SmartView Tracker > Log Queries >Predefined > SmartDefense.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. In the SmartDashboard toolbar, click the SmartDefense tab.
2. Click the General page and then click Online Update.

3. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
When SmartDefense detects an attack, a log is generated and appears in SmartView Tracker > Log Queries >Predefined > SmartDefense.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. In the SmartDashboard toolbar, click the SmartDefense tab.
2. Click the General page and then click Update Now.

3. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
With VPN-1 NG with Application Intelligence R55 and VPN-1 VSX NGX, when SmartDefense detects an attack, SmartView Tracker usually logs a rule number. The rules will appear in SmartView Tracker > Log Queries >Predefined > SmartDefense. Note that for Check Point InterSpect and NG with Application Intelligence R55W, logged events are descriptive.

An example of a rule number: SmartView Tracker logged rule 92101, meaning ‘Windows SMB Protection Violation: Buffer overflow attempt’, advisory number CPAI-2005-111. All the rules can be found in the Secure Knowledge site  under solution sk26226 titled ‘SmartDefense dynamic Updates rule numbers and definitions’.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. In the SmartDashboard toolbar, click the SmartDefense tab.
2. In the SmartDefense tree, click Download Updates.
3. In the configuration pane, under SmartDefense Services, click Online Update.
4. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
When SmartDefense detects an attack a log is generated and appears in SmartView Tracker > Log Queries >Predefined > SmartDefense.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. In the SmartDeashboard toolbar, click the SmartDefense tab.
2. Click the General page and then click Update Now.

3. Install security policy (Policy > Install).

How Do I Know if My Network is Under Attack?
With VPN-1 VSX NGX and VPN-1 NG with Application Intelligence R55, when SmartDefense detects an attack, SmartView Tracker usually logs a rule number. The rules will appear in SmartView Tracker > Log Queries >Predefined > SmartDefense. Note that for Check Point InterSpect and NG with Application Intelligence R55W, logged events are descriptive.

An example of a rule number: SmartView Tracker logged rule 92101, meaning ‘Windows SMB Protection Violation: Buffer overflow attempt’, advisory number CPAI-2005-111. All the rules can be found in the Secure Knowledge site  under solution sk26226 titled ‘SmartDefense dynamic Updates rule numbers and definitions’.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. On the navigation tree, select Profiles > SmartDefense Service; the SmartDefense Service page opens.

2. In the SmartDefense page, click Online Update.
3. Click Activate Settings.

How Do I Know if My Network is Under Attack?
When SmartDefense detects an attack a log is generated and appears in SmartView Tracker > Log Queries >Predefined > SmartDefense.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. Click the SmartDefense tab > General.
2. In the General page click Online Update.
3. Click Activate Settings.

How Do I Know if My Network is Under Attack?
When SmartDefense detects an attack a log is generated and appears in SmartView Tracker > Log Queries >Predefined > SmartDefense.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. On the navigation tree, click Security > SmartDefense Updates.

2. In the Download updated content pane, enter your credentials and click Download Updates. You are informed that the SmartDefense content was updated successfully.

4. Click Install Policy.

How Do I Know if My Network is Under Attack?
To view event logs, go to SmartCenter and Logs > Traffic Log on the navigation tree.


How Can I Protect My Network?
To obtain the latest SmartDefense update:

1. On the navigation tree, click Security > SmartDefense Service.

2. In the Download updated content pane, enter your credentials and click Download Updates. You are informed the the SmartDefense content is updated successfully.

3. Click Install Policy.

How Do I Know if My Network is Under Attack?
To view event logs, go to SmartCenter and Logs > Traffic Log on the navigation tree.


How Can I Protect My Network?
To obtain the latest SmartDefense dynamic update:

1. In the IPS-1 Management Dashboard toolbar, click Management > Policy.
2. In the IPS-1 Policy Manager, click on the Protection tab.
3. In the tree, click on Download Updates. In the IPS-1 SmartDefense Services pane, click Online Update.
4. Click on Install Policy.

How Do I Know if My Network is Under Attack?
When IPS-1 detects an attack a log is generated and appears in the IPS-1 Management Alert Browser window.