Check Point Lab R80.40 - 11. IPS

Captions
Hello YouTubers, welcome to Johnny's YouTube NetSec channel. Today I'm going to talk about the Check Point IPS blade. This is Check Point's page regarding IPS, so we're going to tell you what this IPS is and why we should use IPS. To make it simple, from my opinion, IPS technology is the most effective way to provide multi-layered defense and protect your internal network at the perimeter level. It will dramatically reduce your internal network's vulnerabilities to being exploited by hackers.

So let's start to work on it. Here is my diagram. We can see we have a Check Point firewall, we have an internal machine, and we also have a management server, SmartConsole, and our router and the internet. It is the same topology I use for other blades.

First thing, we need to enable our IPS blade on our gateway. So the Check Point DR firewall is the one I'm using today for this lab. Double click on it and you will get the Check Point Gateway properties page. I already enabled some Network Security blades, but for the Threat Prevention blades I haven't enabled anything. So today we're going to enable IPS. Just by simply clicking on it you can enable it. There are two options: According to the Threat Prevention policy, or Detect only. This is a lab, so I'm going to choose According to the Threat Prevention policy, but if you are working on your production environment you may want to start with Detect only, and then you will switch to According to the Threat Prevention policy after you finish your testing. Simply click IPS, choose the option, click OK, and the blade is enabled. You also can verify the IPS settings from the properties: you can see the activation mode, and the mode we are using is According to Threat Prevention policy mode. For other changes you can keep it the same.

The second step we need to do is enable the policy. By default you may already have the settings there. The first time the policy is going to be loaded, it may take a while. OK, we have two policy rules. One rule is for our MTA traffic; it's an automatic rule for MTA traffic when you enable that option in the gateway properties. The second rule is the default rule as well. Basically it's any Protected internal network, using the Optimized profile as the action. There are a couple of other profiles you can use, Basic and Strict. We will clone one and make some changes for our testing, and then we will assign that profile here later, and it will be installed on the policy targets. So we don't need to change this policy; by default basically everything will be protected by the IPS rule.

If you go down to Threat Tools, you will see Profiles here. As I said before, there are three profiles: Basic, Optimized and Strict. Right now by default they're using Optimized, but in this lab I'm going to use Strict for testing purposes. I'm going to make a clone of the Strict profile; I will say this is the Test Strict policy. Scroll. We created our Test Strict clone profile, and we're going to apply it to our policy. So we're going to change that: change the second rule to use the Test Strict clone profile, then we're going to install policy: push, publish and install. That's basically what you need to do to enable IPS protection. It's very simple and easy on a Check Point firewall. The policy installation has completed around 99 percent, and now it's succeeded, installed.

The next step is going to be testing the IPS policy. There are multiple ways you can do this testing: you can use Metasploit to explore your vulnerabilities, and also you can use one of these scanning tools to scan your internal network across the firewall, of course. And here I'm going to show you the easiest way to test your IPS policy. If you go to IPS Protections you will see all the protection signatures, for FTP, for DNS, for DHCP; there are thousands of protection signatures available. They are predefined, and you will need to keep updating these once you have a subscription from Check Point.

Today I'm going to show you a way to test this using the ping command. So when you search for the ping signature, you will find two; the first one is Max Ping Size. Basically the ping is sending around a 40-byte packet, 32 bytes of data and an 8-byte header, in Windows, but for Linux the ping is going to send around a 64-byte packet to the destination. This IPS core protection signature is only used on the Optimized profile; it is not used in any other profile. So for us we have to change it to Test Strict. That's the key step. If you don't know that, this signature will not work for your profile, which we created based on the Strict profile. That's the first tab. You can put exceptions here, and here is the behavior: the default action is Accept. We're going to change it to Drop. So if your ping size is too high, too big, which we can define here (right now it is 2500)... If we send any ping size, as I said the ping size is very small, like 64 bytes or maybe 40 bytes based on your operating system, but if we simply send a packet higher than 2500 ping size, then it should be dropped. Let's try that right now.

If we try with a higher ping size packet, it will not be dropped, because we are not enforcing that policy. So our IP is 192.168.2.71; we're going to ping our internal server 192.168.2.242 with a packet size, I'm going to put 6000, and we're going to repeat it 10 times. It's working, because we didn't enforce that policy on our Strict profile. So right now we changed it; we enforced this protection rule on the Test Strict profile. Now we need to install policy. OK, policy has been installed, succeeded. Now we're going to try with a normal ping. It's working. We're going to try with a bigger size, 6000 packet size. Interesting: it's not working, as we expected. The IPS blocked this packet.

Let's verify that. You can go to Logs & Monitor and we can refresh. At 4:46 (right now it's 4:47), so at 4:46 we sent out the packet and it has been detected by the IPS blade, and you can see the attack information: Echo Request Too Big. There are CVE numbers relating to this attack, and the protection type is Protocol Anomaly. It's preventing Max Ping Size, originating from 192.168.2.71 against 192.168.2.242. The attack name is Large Ping.

So here's the result. We tested it successfully; our IPS is working, it's protecting our internal networks. We can tell how easily we can use the Check Point firewall to activate IPS to protect your internal network and reduce the chance of exposing your internal networks and vulnerabilities to the public. Thank you for watching.
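The lab above exercises one protocol-anomaly protection, Max Ping Size, by sending a 6000-byte ping across a gateway whose threshold is 2500. The following Python is an added illustration, not code from the video or from Check Point, of what that check decides at the packet level: it builds IPv4/ICMP echo-request datagrams of the sizes mentioned in the video (the Windows and Linux defaults, and the 6000-byte test) and runs them through a small model of the protection set to Drop. It assumes the size compared against the threshold is the ICMP message length (8-byte header plus data) of the reassembled datagram, and the IP header checksum is left at zero because the model does not check it; both are assumptions, not documented Check Point behaviour.

```python
import socket
import struct

# Constructed example modelling the "Max Ping Size" protocol-anomaly check.
# Assumption: the size the protection compares against its threshold is the
# ICMP message length (8-byte header plus data) of the reassembled datagram.
ICMP_ECHO_REQUEST = 8          # ICMP type for an echo request
ICMP_HEADER_LEN = 8
IPV4_HEADER_LEN = 20
DEFAULT_THRESHOLD = 2500       # value shown in the protection settings in the video


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload_len: int,
                       ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an IPv4 datagram carrying an ICMP echo request with payload_len data bytes.

    This is the whole datagram as the IPS sees it after reassembly, not the
    on-the-wire fragments a large ping is split into at the MTU.
    """
    payload = bytes(i & 0xFF for i in range(payload_len))
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    chk = icmp_checksum(header + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, chk, ident, seq) + payload
    total_len = IPV4_HEADER_LEN + len(icmp)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_len,       # version/IHL, DSCP, total length
                            0, 0,                     # identification, flags/fragment offset
                            64, socket.IPPROTO_ICMP,  # TTL, protocol
                            0,                        # header checksum left zero (assumption: not checked here)
                            socket.inet_aton(src), socket.inet_aton(dst))
    return ip_header + icmp


def max_ping_size_verdict(packet: bytes, threshold: int = DEFAULT_THRESHOLD):
    """Return ("drop" | "accept", reason) the way the protection would when its action is Drop."""
    if len(packet) < IPV4_HEADER_LEN:
        return "accept", "not an IPv4 packet"
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HEADER_LEN])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_ICMP:
        return "accept", "not ICMP over IPv4"
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    if len(icmp) < ICMP_HEADER_LEN or icmp[0] != ICMP_ECHO_REQUEST:
        return "accept", "not an echo request"
    if len(icmp) > threshold:
        return "drop", "Echo Request Too Big: %d bytes from %s to %s exceeds %d" % (
            len(icmp), socket.inet_ntoa(src), socket.inet_ntoa(dst), threshold)
    return "accept", "echo request of %d bytes within limit" % len(icmp)


def lab_cases(threshold: int = DEFAULT_THRESHOLD) -> dict:
    """The pings from the video plus the boundary on either side of the threshold."""
    src, dst = "192.168.2.71", "192.168.2.242"   # hosts used in the lab
    cases = {
        "windows default (32 data bytes)": 32,
        "linux default (56 data bytes)": 56,
        "ping -s 6000": 6000,
        "largest allowed": threshold - ICMP_HEADER_LEN,
        "one byte over": threshold - ICMP_HEADER_LEN + 1,
    }
    return {name: max_ping_size_verdict(build_echo_request(src, dst, n), threshold)[0]
            for name, n in cases.items()}


if __name__ == "__main__":
    for name, verdict in lab_cases().items():
        print("%-32s %s" % (name, verdict))
```

Running the script reproduces the lab's outcome offline: the default Windows and Linux pings are accepted, the 6000-byte ping is dropped, and the two boundary cases show that a 2500-byte ICMP message is still allowed while 2501 bytes is not, which is the detail to keep in mind when a threshold is tuned for a production profile rather than a lab one.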
Info
Channel: Johnny Netsec
Views: 2,234
Keywords: Security, 51Sec, NetSec, Cyber Security, ITProSec, Learning and Sharing, Check Point, Checkpoint, R80.40, IPS, Intrusion Prevention System
Id: Z2vN_-bdERE
Length: 12min 50sec (770 seconds)
Published: Tue Oct 13 2020