What is our primary use case?
The Check Point IPS module is applied to both internal and external traffic.
Many times, we only think about protecting ourselves from what comes from the Internet, but it is also good to analyze what passes inside between one network and another and what goes out to the Internet.
I'll never forget the first backdoor report. We immediately activated email alerts for the most important reports and it was an email that indicated the compromised server. There were three of us and it took two hours to discover that through the image upload form, there had been an attempt to upload a backdoor. This IPS module had blocked this attempt.
How has it helped my organization?
The Check Point IPS module certainly is of great support in ensuring the security of every organization. You cannot say that users only surf the internet and you do not need this type of protection because the danger does not come only from the internet, but also from within.
We immediately implemented the module on internal traffic and if there is any server or user that does something that should not be done, it is immediately identified.
Valid support also comes from applying, before their official publication, the protections inherent to server and application updates. In this way, we are not forced to install updates on the servers as soon as they are published. Rather, we can also schedule updates and incorporate a delay. This protects us from the possible publication of incorrect updates that are withdrawn immediately afterward.
What is most valuable?
The Check Point IPS module allows me granularity in creating rules. I can specify which definition to apply and to which scope or network.
I can create multiple profiles, which is helpful. Profiles are the set of rules and I can choose which one to apply. Having more profiles and more options, we have not always moved in a guaranteed way with respect to internal traffic, and rigorously with respect to external traffic.
From the outside, we block directly without waiting to look at the logs. If anything, then we will allow this traffic. From the inside, we allow traffic by default and maybe we will block it after looking at the logs.
These decisions were also supported by the degree of reliability declared by Check Point itself. If we are talking about a high degree of reliability combined with a dangerous vulnerability, then you can immediately block traffic with greater confidence in not having false positives.
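The two-profile approach described above (block by default on external traffic, detect by default on internal traffic unless the vendor declares high confidence together with a severe vulnerability), written out as an added example that is not Check Point's code or the reviewer's. The `Protection` fields, the rating scale and the rule that resource-heavy protections stay inactive until someone reviews them are assumptions made for the example.

```python
"""Added example (not Check Point code): a two-profile IPS action policy
like the one described in the review. Field names and ratings are assumed."""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Protection:
    name: str
    severity: str            # vendor-declared severity of the vulnerability
    confidence: str          # vendor-declared confidence (reliability) of the detection
    performance_impact: str  # vendor-declared resource cost of the protection

def action_for(direction: str, p: Protection) -> str:
    """Return 'prevent', 'detect' or 'inactive' for one protection.

    External traffic: block by default, loosen later if the logs show it is benign.
    Internal traffic: detect by default, block only when the vendor declares
    high confidence together with a high or critical severity.
    Protections with high performance impact stay inactive until reviewed (assumption).
    """
    if LEVELS[p.performance_impact] >= LEVELS["high"]:
        return "inactive"
    if direction == "external":
        return "prevent"
    if direction == "internal":
        if LEVELS[p.confidence] >= LEVELS["high"] and LEVELS[p.severity] >= LEVELS["high"]:
            return "prevent"
        return "detect"
    raise ValueError(f"unknown direction: {direction}")

def build_profiles(protections):
    """Build the 'external' and 'internal' profiles as {protection name: action} maps."""
    return {d: {p.name: action_for(d, p) for p in protections} for d in ("external", "internal")}

# Constructed sample protections (names and ratings are made up for the example).
SAMPLE = [
    Protection("Web Shell Upload Attempt", "critical", "high", "low"),
    Protection("Suspicious HTTP Header", "medium", "medium", "low"),
    Protection("Generic Protocol Anomaly", "high", "high", "high"),
    Protection("Legacy Scanner Signature", "low", "low", "medium"),
]

if __name__ == "__main__":
    for direction, profile in build_profiles(SAMPLE).items():
        print(direction)
        for name, act in profile.items():
            print(f"  {act:9s} {name}")
```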
The logs and related functionality are done very well.
What needs improvement?
To use the Check Point IPS module, you need a dedicated team who must both know the business reality and be sensitive to the dangers coming from the Internet. You can't leave everything to the application to run automatically.
If you leave it on automatic, then you run two fundamental risks: the first is the blocking of the firewall due to excessive use of resources, and the second is the sudden halt of your services due to the blocking of a malicious application. By optimizing the resources requested by this module and sending more specific alerts regarding blocks, you can certainly obtain an improvement in performance and usability.
Having additional reports available would be helpful.
For how long have I used the solution?
I have been using Check Point IPS for twenty years.
What do I think about the stability of the solution?
This has always scared me because it is known that activating this module in an inconsiderate way causes malfunctions of the firewall. However, Check Point tells you to apply only the IPS definitions that are useful in your environment and warns with specific pop-ups when you want to activate a definition that requires a lot of resources.
What do I think about the scalability of the solution?
In case of high volumes of traffic, it is possible to balance it by adding other nodes to the cluster.
How are customer service and technical support?
It was certainly a good experience, a daily challenge to overcome oneself and compete with the world.
Which solution did I use previously and why did I switch?
Prior to this product, we did not use a similar solution.
How was the initial setup?
The initial setup is complex and must be done by a team, necessarily also made up of internal staff, who are highly skilled.
In the beginning, it is good to evaluate the single definitions in order to reduce the false positives and to avoid a waste of firewall resources. Subsequently, the new definitions released must be reviewed daily.
What about the implementation team?
We implemented it with the support of an external team that proved to be up to the task entrusted to it.
What's my experience with pricing, setup cost, and licensing?
The module has a considerable cost but you can save by purchasing a package with several modules instead of making a single purchase.
The implementation has a high initial and management cost.
Which other solutions did I evaluate?
We did not evaluate other options.
What other advice do I have?
In summary, this is a well-made product and I don't feel like I would suggest improvements other than having more reports. I recommend its adoption to those who have the availability of a team, internal or external, that has the ability to manage it and the knowledge of the company.