What is our primary use case?
We use this solution to secure the organization against any attack coming into the network via the internet, a third party, or any other connected network. It is used to detect and prevent identified threats at the perimeter level so attacks do not penetrate the network.
With so many access points present on a typical business network, it is essential that we have a way to monitor for signs of potential violations, incidents, and imminent threats.
We also use it to provide flexibility for the SOC admin to identify any suspicious activity and either detect and allow (IDS) or prevent (IPS) the threat. It logs and reports any such incident to the centralized logger so the required action can be taken by the SOC team.
How has it helped my organization?
This IPS device is protecting the organization's assets from any known vulnerability or threats that are coming from the network and vice versa.
It protects against specific known exploits but also, with SandBlast integration, it is able to protect against unknown or zero-day attacks at the perimeter level. An example of this is C&C communication, which is triggered by compromised systems.
It's able to detect and prevent any tunneling attempt that is happening via compromised systems, thereby avoiding data leakage.
It provides the capability to enable security policy based on templates, which can be enabled by the organization, depending upon their need. For example, enabling the highest security with the lowest performance impact is a matter of selecting templates accordingly.
What is most valuable?
IPS can be enabled on the same security gateway and does not require any additional hardware purchase or additional network connectivity.
It provides complete visibility and reporting on a single dashboard for the entire NG firewall, including the IPS blade on the Smart Console.
Signatures are constantly updated and it also provides virtual patching protection up to a certain extent.
It provides a detect-only mode for IPS Security policy that the admin can enable on a required segment for monitoring, giving an opportunity to observe prior to blocking.
What needs improvement?
There is a performance impact on the NGFW after enabling the IPS blade/module, which can even lead to downtime if IPS starts to monitor or block high-volume traffic.
There is no separate, dedicated appliance for IPS.
In the case of the IPS blade enabled on the NG firewall, it does not provide flexibility to monitor specific segments as easily as the IPS policies that are applied on the security gateway. There are lots of configuration and exclusion policies that need to be configured to bypass traffic from the IPS policy.
IPS gets bypassed in case performance goes above a certain limit. This is the default setting that is provided.
For how long have I used the solution?
I have been using Check Point IPS for more than six years.
What do I think about the stability of the solution?
This is a stable product.
What do I think about the scalability of the solution?
Most of the organization is deployed on the NGFW and it has scaled accordingly, with most devices in HA mode.
How are customer service and technical support?
Technical support is excellent.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one.
How was the initial setup?
This is a blade/module that needs to be enabled, selected, and applied across the security gateway.
What about the implementation team?
Our in-house team was responsible for deployment.
What's my experience with pricing, setup cost, and licensing?
Enabling IPS does not require any additional license purchase from OEM, as it comes by default with the NGFW bundle. This blade/module can be enabled based on the requirement and can be pushed to the security gateway.
Which other solutions did I evaluate?
We did not evaluate other options.
Which deployment model are you using for this solution?