
QOS and IPS

Check Point QoS is a Security Policy based Quality of
Service (QoS) solution for VPNs, private WANs, and
Internet links.

Check Point QoS optimizes network performance by
prioritizing business-critical applications and end-user
traffic. It prioritizes business-critical traffic, such as
enterprise resource planning (ERP), database and Web
service traffic, over less time-critical traffic.

Check Point QoS guarantees bandwidth and controls
latency for streaming applications, such as Voice over IP
(VoIP) and video conferencing. With highly granular
controls, Check Point QoS enables priority access for
specific employees, even if they are remotely accessing
network resources through a VPN tunnel.
QOS Key Terms
Stateful Inspection: tracks the state and the sanity of a
packet from the header to the payload (data). Check Point
also uses stateful inspection technology to implement QoS.

Check Point QoS leverages stateful packet inspection,
which captures and dynamically updates detailed state
information on the network traffic that passes through the
Firewall. This information is then used to classify the
traffic by service or application; once the traffic type has
been classified, a process called weighted fair queuing
applies QoS to those packets, so that a proper bandwidth
control mechanism is in place.

Retransmission Detection Early Drop: prevents
retransmitted TCP streams on the network, which
helps keep the flow of packets on the wire cleaner.

Weighted Flow Random Early Drop: a mechanism for
managing packet buffers by selectively dropping
packets during periods of network congestion. It is
transparent to users and does not require any
administrator configuration. Once QoS is enabled and
the policy is installed on the firewall, the WFRED
process daemon starts automatically. It also helps
keep the flow of packets on the wire cleaner.
Intelligent Queuing Engine: uses state-derived
information from stateful inspection to classify the
traffic and place it in the proper transmission queue.


QOS Rulebase Actions:

Weight
Guarantee
Limit
Weight: the relative portion of the available
bandwidth that is allocated to a rule. Using this item we
can set a weight on the QoS rule to control how much
bandwidth a particular service can utilize.

Guarantee: allocates a guaranteed amount of bandwidth
to the connections matching a particular rule.


Limit: specifies the maximum bandwidth assigned to
all connections. It defines a point beyond which
connections under a rule are not allocated any more
bandwidth, even if there is unused bandwidth available.
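The interaction of the three actions is easier to see on numbers. The following is an added example written for this page, not Check Point's scheduler: a simplified water-filling model in which guarantees are served first, the remainder is split in proportion to the weights, and a limit caps a rule even when the link is otherwise idle. The 1000 kbps link and the three rules are constructed values.

```python
"""Illustrative model of how Weight, Guarantee and Limit divide one link.

Added example for this page: a simplified water-filling allocation, NOT
Check Point's actual scheduler. All rates (kbps) and rule values are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class QosRule:
    name: str
    weight: int                    # relative share of the bandwidth left after guarantees
    demand: float                  # what the rule's matching connections currently want
    guarantee: float = 0.0         # bandwidth reserved for the rule before weights apply
    limit: Optional[float] = None  # hard cap, enforced even when the link is otherwise idle

    def cap(self) -> float:
        """The most this rule can ever receive: its demand, bounded by its limit."""
        return self.demand if self.limit is None else min(self.demand, self.limit)


def allocate_bandwidth(link_kbps: float, rules: list[QosRule]) -> dict[str, float]:
    """Guarantees are honoured first, the remainder is shared by weight, limits cap everything."""
    if sum(r.guarantee for r in rules) > link_kbps:
        # Sanity check worth running before policy install: over-committed guarantees
        raise ValueError("sum of guarantees exceeds link bandwidth; policy cannot be honoured")

    alloc = {r.name: min(r.guarantee, r.cap()) for r in rules}
    remaining = link_kbps - sum(alloc.values())

    # Rules with headroom compete for the leftover in proportion to their weights.
    active = [r for r in rules if r.cap() - alloc[r.name] > 1e-9]
    while remaining > 1e-9 and active:
        total_weight = sum(r.weight for r in active)
        if total_weight == 0:
            break  # only weight-0 rules are left; nothing more to hand out
        round_budget = remaining
        for r in active:
            share = round_budget * r.weight / total_weight
            give = min(share, r.cap() - alloc[r.name])
            alloc[r.name] += give
            remaining -= give
        # A rule that hit its demand or limit drops out; its unused share is
        # redistributed to the others on the next pass.
        active = [r for r in active if r.cap() - alloc[r.name] > 1e-9]
    return alloc


def example_allocation() -> dict[str, float]:
    """Constructed 1000 kbps link with three rules (values are not from the page)."""
    rules = [
        QosRule("VoIP", weight=10, demand=400, guarantee=300),  # guarantee is served first
        QosRule("ERP", weight=20, demand=1000, limit=350),      # limit binds despite the high weight
        QosRule("Web", weight=10, demand=1000),                 # soaks up whatever is left
    ]
    return allocate_bandwidth(1000, rules)


if __name__ == "__main__":
    for name, kbps in example_allocation().items():
        print(f"{name:5s} {kbps:7.1f} kbps")
```

With these inputs VoIP ends at 400 kbps (300 guaranteed plus its weighted share up to its demand), ERP stops at its 350 kbps limit even though its weight is the largest, and Web receives the remaining 250 kbps. The ValueError on over-committed guarantees is the check an administrator wants before installing a policy that can never be satisfied.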
Types of Policies in QOS:

Express mode (simple) policy and Traditional mode policy

Express mode (simple) policy: allows the
administrator to define basic policies to quickly
impose a QoS policy on the network.

Traditional mode policy: incorporates the more
advanced features of QoS.

Sub rules: rules that exist under the default rule
of a Check Point QoS policy. As an example, we may
have a rule stating a weight or a guarantee of 20
for SMTP traffic, but we also have a policy for the
same service that says SMTP from a specific host or
a specific vendor should get a higher value than the
default SMTP rule. In this case we use a Sub rule.
Differentiated Services: DiffServ is an architecture for
providing different types or levels of service for network
traffic. Packets are marked in the IP header TOS byte, inside
the enterprise network, as belonging to a certain Class of
Service or QoS Class.

These packets are then granted priority on the public
network.

DiffServ markings have meaning on the public network, not
inside the enterprise network.

DiffServ is typically used where the ISP is able to honor
types of traffic based on the DiffServ markings applied to
them. As an example, for voice and video traffic a marking is
applied to the TOS (Type of Service) field of the packet
header as it traverses different locations.
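What "marking the TOS byte" means at the bit level, as an added example that is not part of the original page or Check Point's code: the TOS byte carries a 6-bit DSCP value and 2 ECN bits (RFC 2474), and re-marking a packet also requires recomputing the IPv4 header checksum. The header bytes and the class-to-DSCP table (voice to EF, video to AF41) are constructed assumptions for illustration; the code-point names follow RFC 2474, RFC 2597 and RFC 3246.

```python
"""Reading and re-marking the IPv4 TOS byte used by DiffServ.

Added example for this page (not Check Point code). DSCP/ECN layout and the
code-point names follow RFC 2474, RFC 2597 and RFC 3246; the header bytes
and the class-to-DSCP table are constructed for illustration.
"""
import socket
import struct

# Well-known DSCP code points (decimal).
DSCP_NAMES = {0: "CS0/BE", 10: "AF11", 18: "AF21", 26: "AF31", 34: "AF41", 46: "EF", 48: "CS6"}
# Assumed enterprise marking policy, not a standard.
MARK_FOR_CLASS = {"voice": 46, "video": 34, "best-effort": 0}


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """TOS byte = 6 DSCP bits (high) + 2 ECN bits (low)."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def tos_to_dscp(tos: int) -> tuple[int, int]:
    """Split a TOS byte back into (dscp, ecn)."""
    return tos >> 2, tos & 0x3


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int = 0, proto: int = 17, payload_len: int = 0) -> bytes:
    """Constructed minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def read_marking(packet: bytes) -> tuple[int, int]:
    """Return (dscp, ecn) carried in the packet's TOS byte (offset 1)."""
    return tos_to_dscp(packet[1])


def remark(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP bits, keep the ECN bits, and fix the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:ihl])
    header[1] = dscp_to_tos(dscp, header[1] & 0x3)
    header[10:12] = b"\x00\x00"  # checksum field must be zero while recomputing
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def mark_for_class(packet: bytes, traffic_class: str) -> bytes:
    """Apply the enterprise marking for a classified flow (e.g. voice -> EF)."""
    return remark(packet, MARK_FOR_CLASS[traffic_class])


if __name__ == "__main__":
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2")  # constructed, unmarked
    voice = mark_for_class(pkt, "voice")
    dscp, ecn = read_marking(voice)
    print(f"DSCP {dscp} ({DSCP_NAMES.get(dscp, '?')}), ECN {ecn}, TOS 0x{voice[1]:02x}")
```

Because the page notes that markings only carry meaning where the public network honors them, the same read_marking call is what an edge device would use to decide whether to trust an arriving DSCP value or re-mark the packet according to its own classification.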
Authenticated QOS: Check Point
Authenticated QoS provides Quality of Service
(QoS) for end-users in dynamic IP
environments, such as remote access and
DHCP environments. This enables priority
users, such as corporate CEOs, to receive
priority service when remotely connecting to
corporate resources.
Configuring QOS:
Enable QOS

Enable Monitoring

Edit the FW object:
1. Under Topology: edit the external interface and define the QoS parameters
there
2. Make sure QoS logging is enabled under Logs and Masters > Additional
Logging


Under Global Properties
Global properties > QOS > set it to KBps
Create a Rule and a Sub rule

Verify under SmartView Monitor

Verify under SmartView Tracker
IPS
Intrusion prevention systems (IPS) are
network security appliances that monitor
network or system activities for malicious
activity. The main functions of intrusion
prevention systems are to identify malicious
activity, log information about the said
activity, attempt to block/stop activity, and
report activity.
IPS can send an alarm, drop the malicious packets,
reset the connection, and/or block the traffic
from the offending IP address.

The detection can be either signature-based or
statistical anomaly-based.

Signature-based detection: This method of detection
utilizes signatures, which are attack patterns that are
preconfigured and predetermined. A signature-based
intrusion prevention system monitors the network
traffic for matches to these signatures. Once a match is
found the intrusion prevention system takes the
appropriate action.


Statistical anomaly-based detection: This
method of detection baselines performance of
average network traffic conditions. After a
baseline is created, the system intermittently
samples network traffic, using statistical
analysis to compare the sample to the set
baseline. If the activity is outside the baseline
parameters, the intrusion prevention system
takes the appropriate action.

Confidence Level
How confident IPS is that recognized attacks
are actually undesirable traffic. The higher the
Confidence Level of a protection, the more
confident Check Point is that recognized
attacks are indeed attacks; lower Confidence
Levels indicate that some legitimate traffic may
be identified as an attack.
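The two detection methods and the Confidence Level idea can be shown together on a few lines of constructed access-log data. This is an added example written for this page, not Check Point's IPS engine: the log lines, the three signatures, and the confidence-to-action table are all assumptions. The signature scanner decodes percent-encoding before matching, and the anomaly detector floors a flat baseline so a single extra request is not reported as an infinite-sigma outlier.

```python
"""Signature-based vs anomaly-based detection with confidence-driven actions.

Added example for this page, not Check Point's IPS engine. Log lines,
signatures and the confidence-to-action policy are constructed.
"""
import re
import statistics
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed access-log lines: source, method, request, status, user-agent
SAMPLE_LOG = [
    '10.0.0.12 GET /index.html 200 "Mozilla/5.0"',
    '203.0.113.7 GET /download?file=../../app.config 403 "curl/8.0"',
    '198.51.100.9 GET /login?user=admin%27%20or%20%271%27=%271 200 "-"',
    '10.0.0.12 GET /images/logo.png 200 "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    field: str          # which parsed field the pattern is applied to
    confidence: str     # how sure we are that a match is really an attack


# Illustrative signatures. Low confidence = likely to also match legitimate traffic.
SIGNATURES = [
    Signature("path-traversal", re.compile(r"\.\./"), "request", "high"),
    Signature("sqli-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I), "request", "medium"),
    Signature("empty-user-agent", re.compile(r"^-$"), "agent", "low"),
]

# Assumed administrator policy: prevent only when confidence is good enough,
# otherwise just detect and log so legitimate traffic is not dropped.
ACTION_BY_CONFIDENCE = {"high": "prevent", "medium": "prevent", "low": "detect"}


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, method, request, status, agent = m.groups()
    # Decode percent-encoding before matching so encoded payloads are not missed
    return {"src": src, "method": method, "request": unquote(request),
            "status": int(status), "agent": agent}


def signature_scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (source, signature, action) for every signature hit."""
    hits = []
    for line in lines:
        event = parse_line(line)
        for sig in SIGNATURES:
            if sig.pattern.search(event[sig.field]):
                hits.append((event["src"], sig.name, ACTION_BY_CONFIDENCE[sig.confidence]))
    return hits


class RateBaseline:
    """Anomaly detector: learn normal requests-per-interval, flag outliers by z-score."""

    def __init__(self, samples: list[int], min_spread: float = 1.0):
        self.mean = statistics.mean(samples)
        # A perfectly flat baseline has zero spread; floor it so one extra
        # request is not reported as an infinite-sigma anomaly.
        self.spread = max(statistics.stdev(samples), min_spread)

    def zscore(self, count: int) -> float:
        return (count - self.mean) / self.spread

    def is_anomalous(self, count: int, threshold: float = 3.0) -> bool:
        return self.zscore(count) > threshold


if __name__ == "__main__":
    for src, name, action in signature_scan(SAMPLE_LOG):
        print(f"{action:8s} {src:14s} {name}")
    baseline = RateBaseline([10, 12, 11, 9, 13, 10])  # constructed per-minute counts
    for count in (12, 60):
        print(f"{count} req/min anomalous: {baseline.is_anomalous(count)}")
```

The traversal and tautology hits are prevented because their signatures are high or medium confidence, while the empty user-agent match is only detected and logged, which is the trade-off the Confidence Level paragraph describes: a low-confidence protection set to prevent would also block legitimate clients that send no user-agent.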
