July 2006
Contents

Preface
  Who Should Use This Guide
  Summary of Contents
  Related Documentation
  More Information
  Feedback

Chapter 1  Introduction
  Overview and Purpose
    SmartDefense
    Web Intelligence
  Obtaining the Latest Version of the Documentation
  Structure of the Guide
  How to Read this Document

Chapter 2  Network Security
  Introduction
  Denial Of Service
    Teardrop
    Ping of Death
    LAND
    Non TCP Flooding
  IP and ICMP
    Packet Sanity
    Max Ping Size
    IP Fragments
    Network Quota
    Block Welchia ICMP
    Block CISCO IOS DOS
    Block Null Payload ICMP
  TCP
    SYN Attack Configuration
    Small PMTU
    Spoofed Reset Protection
    Sequence Verifier
  Fingerprint Scrambling
    ISN Spoofing
    TTL
    IP ID
  Successive Events
    Address Spoofing
    Denial of Service
    Local Interface Spoofing
    Successive Alerts
    Successive Multiple Connections
  DShield Storm Center
    Retrieve and Block Malicious IPs
    Report to DShield
  Port Scan
    Host Port Scan
    Sweep Scan
  Dynamic Ports
    Block Data Connections to Low Ports

Chapter 3  Application Intelligence
  Introduction
  Mail
    POP3 / IMAP Security
    Mail Security Server
    Block ASN.1 Bitstring Encoding Attack over SMTP
  FTP
    FTP Bounce
    FTP Security Server
  Microsoft Networks
    File and Print Sharing
    Block Null CIFS Sessions
    Block Popup Messages
    Block ASN.1 Bitstring Encoding Attack
    Block WINS Replication Attack
    Block WINS Name Validation Attack
  Peer to Peer
    Excluded Services/Network Objects
    All Protocols through Port 80
    All Protocols
  Instant Messengers
    Excluded Services/Network Objects
    MSN Messenger over SIP
    MSN Messenger over MSNMS
    Skype
    Yahoo! Messenger
    ICQ
  DNS
    Protocol Enforcement - TCP
    Protocol Enforcement - UDP
    Domain Block List
    Cache Poisoning Protections
    Resource Records Enforcements
  VoIP
    DOS Protection
    H323
    SIP
    MGCP (allowed commands)
    SCCP (Skinny)
  SNMP
    Allow Only SNMPv3 Traffic
    Drop Requests to Default Community Strings
  VPN Protocols
    PPTP Enforcement
    SSL Enforcement
    Block IKE Aggressive Exchange
    IKE Enforcement
    SSH - Detect SSH over Non-Standard Ports
    SSH Enforcement
  Content Protection
    Malformed JPEG
    Malformed ANI File
  MS-RPC
    DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135
    Drop Unauthenticated DCOM
    MS-RPC Program Lookup
  MS-SQL
    MS-SQL Monitor Protocol
    MS-SQL Server Protocol
  Routing Protocols
    OSPF
    BGP (block non-MD5 authenticated BGP connections)
    RIP
    IGMP
  SUN-RPC
    SUN-RPC Program Lookup
  DHCP
  SOCKS

Chapter 4  Web Intelligence
  Introduction
  Malicious Code
    General HTTP Worm Catcher
    Malicious Code Protector
  Application Layer
    Cross Site Scripting
    LDAP Injection
    SQL Injection
    Command Injection
    Directory Traversal
  Information Disclosure
    Header Spoofing
    Directory Listing
    Error Concealment
  HTTP Protocol Inspection
    HTTP Format Sizes
    ASCII Only Request
    ASCII Only Response Headers
    Header Rejection
    HTTP Methods
    Block HTTP on Non-Standard Port
    Block Malicious HTTP Encodings

Index
Preface

In This Chapter
  Who Should Use This Guide
  Summary of Contents
  Related Documentation
  More Information
  Feedback
Summary of Contents

This guide contains the following chapters:

Chapter 1, Introduction: Provides system administrators with an understanding of the implication of each protection when installing a policy on previous releases (in other words, backwards compatibility).
Chapter 2, Network Security: Provides information about each Network Security protection.
Chapter 3, Application Intelligence: Provides information about each Application Intelligence protection.
Chapter 4, Web Intelligence: Provides information about each Web Intelligence protection.
Related Documentation

The release includes the following documentation:

Table P-1  VPN-1 Power documentation suite

- Contains an overview of NGX R65 and step-by-step product installation and upgrade procedures. This document also provides information about What's New, licenses, minimum hardware and software requirements, etc.
- Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
- Explains SmartCenter management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.
- Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; and secure VoIP traffic.
- Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
- Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart, etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
- Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.
- Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

Table P-2

Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.
Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.
Integrity Advanced Server Gateway Integration Guide: Provides information about integrating your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
Integrity Advanced Server System Requirements: Provides information about client and server requirements.
Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.
Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files.
Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.
More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.
See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Chapter 1  Introduction

In This Chapter
  Overview and Purpose
  Obtaining the Latest Version of the Documentation
  Structure of the Guide
  How to Read this Document

Overview and Purpose

The intention of this guide is to provide system administrators with an understanding of the implication of each protection when installing a policy on previous releases (in other words, backwards compatibility). To fully understand SmartDefense and Web Intelligence protections it is recommended that you familiarize yourself with NGX R60 behavior. To do this, refer to the Check Point R65 Firewall SmartDefense Administration Guide.
SmartDefense

Check Point SmartDefense provides a unified security framework for various components that identify and prevent attacks. SmartDefense actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. It unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications. It protects organizations from all known, and most unknown, network attacks using intelligent security technology. Keeping up-to-date with the latest defenses does not require up-to-the-minute technical knowledge. A single click updates SmartDefense with all the latest defenses from the SmartDefense website.

SmartDefense provides a console that can be used to:
- Choose the attacks that you wish to defend against, and read detailed information about the attack.
- Easily configure parameters for each attack, including logging options.
- Receive real-time information on attacks, and update SmartDefense with new capabilities.
Web Intelligence

Check Point Web Intelligence enables customers to configure, enforce and update attack protections for web servers and applications. Web Intelligence protections are designed specifically for web-based attacks, and complement the network and application level protections offered by SmartDefense. In addition, Web Intelligence Advisories published online by Check Point provide information and add new attack defenses.

Web Intelligence not only protects against a range of known attacks, from attacks on the web server itself to attacks on the databases used by web applications, but also incorporates intelligent security technologies that protect against entire categories of emerging, or unknown, attacks. Unlike web firewalls and traditional intrusion protection systems, Web Intelligence provides proactive attack protections. It ensures that communications between clients and web servers comply with published standards and security best practices, restricts attackers from executing irrelevant system commands, and inspects traffic passing to web servers to ensure that it does not contain dangerous malicious code. Web Intelligence allows organizations to permit access to their web servers and applications without sacrificing either security or performance.
*Enforced indicates that the protection is active, but that it did not exist when R55 was released. Before this protection can be active it requires a SmartDashboard update.
Chapter 2  Network Security

In This Chapter
  Introduction
  Denial Of Service
  IP and ICMP
  TCP
  Fingerprint Scrambling
  Successive Events
  DShield Storm Center
  Port Scan
  Dynamic Ports

Introduction
Application Intelligence is primarily associated with application level defenses. However, in practice many attacks aimed at network applications actually target the network and transport layers. Attackers target these lower layers as a means to reach the application layer, and ultimately the application and its data. Attacks on the lower layers can also interrupt or deny service to legitimate users and applications (for example, DoS attacks). For these reasons, SmartDefense addresses not only the application layer, but also the network and transport layers.

Preventing malicious manipulation of network-layer protocols (for example, IP and ICMP) is a crucial requirement for multi-level security gateways. The most common vehicle for attacks against the network layer is the Internet Protocol (IP), whose set of services resides within this layer. As with the network layer, the transport layer and its common protocols (TCP, UDP) provide popular access points for attacks on applications and their data.

The pages that follow contain information that will help you configure the SmartDefense protections against attacks on the network and transport levels for gateways running versions prior to NGX R60. These protections address attacks that target network components or the firewall directly. The effects of such attacks on the IP, TCP, UDP and ICMP protocols range from simple identification of the operating systems used in your organization to denial of service against hosts and servers on the network.
Denial Of Service
Denial of Service (DoS) attacks are aimed at disrupting normal operations of a service. The attacks in this section exploit bugs in operating systems to remotely crash the machines. The detections in this protection depend on logs generated by SmartDefense. These logs can be configured per attack.
Teardrop

A Teardrop attack exploits the fragmentation of large packets: the second or a later fragment carries an erroneous offset value, so that the fragments overlap when the receiver reassembles them. When tracking a Teardrop attack you are notified of any such attempt. Selecting this protection blocks an attempted Teardrop attack. Overlapping fragments are blocked even if the checkbox is not selected, and are logged as "Virtual defragmentation error: Overlapping fragments".

Table 2-1  Teardrop

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       N/A
R55W             Same                       N/A
Ping of Death
When tracking this type of attack you are notified of any attempt to send an IP packet larger than 64KB into your network, that is, a packet whose reassembled size exceeds the 65,535-byte maximum of an IPv4 datagram. Selecting this protection blocks an attempted Ping of Death attack. Such packets are blocked even if the checkbox is not selected, and are logged as "Virtual defragmentation error: Packet too big".

Table 2-3  Ping of Death

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       N/A
R55W             Same                       N/A
LAND
With this protection you can block LAND packets: crafted packets whose source address and port are identical to the destination address and port, so that the target is made to reply to itself. When tracking this type of attack you are notified of any such packet sent to your machine. Selecting this protection blocks an attempted LAND attack; LAND packets are blocked only when the protection is activated.

Table 2-5  LAND

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       Not Enforced
R55W             Same                       Same
Non TCP Flooding

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Not Enforced               Not Enforced
R55W             Same                       N/A
IP and ICMP
The protections in this section allow you to enable a comprehensive sequence of layer 3 checks (IP and ICMP protocols) and some layer 4 verifications (UDP, TCP and IP options sanity checks).
Packet Sanity

This protection performs several Layer 3 and Layer 4 sanity checks: verifying the packet size, verifying UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. With this protection you can configure whether logs are issued for offending packets.

A Monitor Only mode makes it possible to track unauthorized traffic without blocking it. However, setting this protection to Monitor Only means that badly fragmented packets pass unfiltered, and any type of attack may be hidden in fragmented packets; this setting exposes the network to attack. Although Packet Sanity is turned off in Monitor Only mode, the following sanity verifications are still enforced, and offending packets are dropped:
- UDP packets with an invalid UDP Length
- TCP packets with a corrupt header
In each of these cases, SmartDefense logs are generated.

Table 2-9  Packet Sanity

Default   Performance impact
On        Protection accelerated.

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Always On                  Enforced
R55W                                        Always On
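The LAND and Packet Sanity checks described above, as an added Python illustration that is not Check Point code: it builds a few raw IPv4/TCP/UDP packets with struct (constructed test data, checksums left at zero), runs header-length, IP-option, TCP-flag and LAND checks over them, and applies the Monitor Only rule from the text, under which an invalid UDP Length and a corrupt TCP header are still dropped while everything else is only logged. The builder functions, the finding strings and the ALWAYS_DROP set are this example's own choices; treating an unparseable IP header as always dropped is also an assumption.

```python
import struct
from ipaddress import IPv4Address

PROTO_TCP, PROTO_UDP = 6, 17
TCP_FIN, TCP_SYN = 0x01, 0x02

# Findings dropped even in Monitor Only mode (invalid UDP Length and corrupt TCP header,
# as in the text above); dropping an unparseable IP header as well is this example's choice.
ALWAYS_DROP = {"udp: invalid UDP length", "tcp: corrupt header", "ip: bad header length"}


def build_ipv4(src, dst, proto, payload, options=b""):
    """Constructed test packet: 20-byte IPv4 header (checksum 0) + options + payload."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0x1234, 0, 64, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + options + payload


def build_tcp(sport, dport, flags, data=b""):
    """Constructed TCP segment with a 20-byte header and the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


def build_udp(sport, dport, data, length=None):
    """Constructed UDP datagram; 'length' lets a test forge an invalid UDP Length field."""
    length = 8 + len(data) if length is None else length
    return struct.pack("!HHHH", sport, dport, length, 0) + data


def packet_sanity(pkt):
    """Layer 3/4 sanity checks; returns the list of findings (empty means the packet is clean)."""
    findings = []
    if len(pkt) < 20:
        return ["ip: bad header length"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt):
        return ["ip: bad header length"]
    if total_len != len(pkt):
        findings.append("ip: total length mismatch")       # packet size check
    if ihl > 20:
        findings.append("ip: options present")              # IP options are dropped
    l4 = pkt[ihl:]
    if proto == PROTO_TCP:
        if len(l4) < 20:
            return findings + ["tcp: corrupt header"]
        sport, dport, _, _, offset_byte, flags = struct.unpack("!HHIIBB", l4[:14])
        data_offset = (offset_byte >> 4) * 4
        if data_offset < 20 or data_offset > len(l4):
            findings.append("tcp: corrupt header")          # data offset outside the segment
        if flags & TCP_SYN and flags & TCP_FIN:
            findings.append("tcp: SYN and FIN both set")    # illegal flag combination
        if flags & 0x3F == 0:
            findings.append("tcp: no flags set")            # "null" segment, used by scanners
        if src == dst and sport == dport:
            findings.append("land: source equals destination")
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            return findings + ["udp: invalid UDP length"]
        sport, dport, udp_len, _ = struct.unpack("!HHHH", l4[:8])
        if udp_len < 8 or udp_len > len(l4):
            findings.append("udp: invalid UDP length")      # UDP Length field check
        if src == dst and sport == dport:
            findings.append("land: source equals destination")
    return findings


def verdict(pkt, monitor_only=False):
    """Apply the protection: every finding is logged; what is dropped depends on the mode."""
    findings = packet_sanity(pkt)
    if not findings:
        return "accept", findings
    if monitor_only and not (set(findings) & ALWAYS_DROP):
        return "accept", findings     # tracked but not blocked in Monitor Only
    return "drop", findings


if __name__ == "__main__":
    samples = {
        "normal syn": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, build_tcp(40000, 80, TCP_SYN)),
        "land": build_ipv4("10.0.0.5", "10.0.0.5", PROTO_TCP, build_tcp(139, 139, TCP_SYN)),
        "bad udp len": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_UDP,
                                  build_udp(53, 53, b"abcd", length=3)),
    }
    for name, pkt in samples.items():
        print(name, verdict(pkt), verdict(pkt, monitor_only=True))
```

Running the block shows the difference the mode makes: the LAND packet is dropped when enforced but passes (with a finding logged) in Monitor Only, whereas the datagram with UDP Length 3 is dropped in both modes.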
Max Ping Size

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       Not Enforced
R55W             Same                       Same

IP Fragments
This protection allows you to configure whether fragmented IP packets can pass SmartDefense gateways. It is possible to set a limit upon the number of fragmented packets (incomplete packets) that are allowed. It is also possible to define a timeout for holding unassembled packets before discarding them.
Table 2-13

Table 2-14  IP Fragments

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       N/A
R55W             Same                       N/A
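Virtual defragmentation with the Teardrop, Ping of Death and IP Fragments checks from this chapter, as an added Python illustration that is not Check Point code. Fragments are given as (identification, offset, MF, length) records rather than parsed packets; the tracker rejects overlapping fragments (Teardrop), datagrams that would reassemble past 65,535 bytes (Ping of Death), new datagrams once the quota of incomplete datagrams is reached, and fragment sets held longer than the timeout. The fragment stream in run_sample is constructed; the quota, timeout and verdict strings are this example's own.

```python
from dataclasses import dataclass, field

MAX_DATAGRAM = 65535   # largest IPv4 datagram; reassembling past this is Ping of Death


@dataclass
class Fragment:
    """One IP fragment as the gateway sees it (constructed test input, not a parsed packet)."""
    ident: int      # IP Identification field shared by all fragments of a datagram
    offset: int     # Fragment Offset field, in 8-byte units
    more: bool      # More Fragments flag
    length: int     # payload bytes carried by this fragment


@dataclass
class FragSet:
    first_seen: float
    pieces: list = field(default_factory=list)   # (start, end) byte ranges already held
    total: "int | None" = None                   # datagram size, known once MF=0 arrives


class FragmentTracker:
    """Virtual defragmentation with Teardrop, Ping of Death, quota and timeout checks."""

    def __init__(self, max_incomplete=100, timeout=10.0):
        self.max_incomplete = max_incomplete   # allowed number of incomplete datagrams
        self.timeout = timeout                 # seconds an unassembled datagram is held
        self.sets = {}

    def expire(self, now):
        """Discard fragment sets held longer than the timeout; returns how many were dropped."""
        stale = [k for k, s in self.sets.items() if now - s.first_seen > self.timeout]
        for k in stale:
            del self.sets[k]
        return len(stale)

    def add(self, frag, now):
        self.expire(now)
        start, end = frag.offset * 8, frag.offset * 8 + frag.length
        if end > MAX_DATAGRAM:
            self.sets.pop(frag.ident, None)
            return "drop: Virtual defragmentation error: Packet too big"
        fs = self.sets.get(frag.ident)
        if fs is None:
            if len(self.sets) >= self.max_incomplete:
                return "drop: too many incomplete datagrams"
            fs = self.sets[frag.ident] = FragSet(first_seen=now)
        # Teardrop: the new fragment overlaps data already held for this datagram
        if any(start < e and s < end for s, e in fs.pieces):
            del self.sets[frag.ident]
            return "drop: Virtual defragmentation error: Overlapping fragments"
        # A fragment lying past the known end of the datagram is equally inconsistent
        if fs.total is not None and end > fs.total:
            del self.sets[frag.ident]
            return "drop: Virtual defragmentation error: Fragment beyond end"
        fs.pieces.append((start, end))
        if not frag.more:
            if any(e > end for _, e in fs.pieces):
                del self.sets[frag.ident]
                return "drop: Virtual defragmentation error: Fragment beyond end"
            fs.total = end
        # Complete once the non-overlapping pieces cover exactly [0, total)
        if fs.total is not None and sum(e - s for s, e in fs.pieces) == fs.total:
            del self.sets[frag.ident]
            return "accept: reassembled %d bytes" % fs.total
        return "hold"


def run_sample():
    """Constructed fragment stream: a normal datagram, a Teardrop pair and a Ping of Death."""
    tracker = FragmentTracker(max_incomplete=2, timeout=10.0)
    stream = [
        (0.0, Fragment(ident=1, offset=0, more=True, length=1480)),
        (0.0, Fragment(ident=1, offset=185, more=False, length=520)),    # 185*8 == 1480
        (1.0, Fragment(ident=2, offset=0, more=True, length=36)),
        (1.0, Fragment(ident=2, offset=3, more=False, length=24)),       # starts at byte 24 < 36
        (2.0, Fragment(ident=3, offset=8189, more=False, length=1000)),  # 65512 + 1000 > 65535
    ]
    return [tracker.add(f, now) for now, f in stream]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The quota and timeout interact the way the IP Fragments setting describes: a source that opens many datagrams and never finishes them occupies slots until the timeout expires them, and the tracker refuses new datagrams, not new fragments of datagrams it already holds, while the quota is full.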
Network Quota
Network Quota enforces a limit upon the number of connections that are allowed from the same source IP, to protect against Denial Of Service attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source or track the event.
Table 2-15  Network Quota

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       Same
R55W             Same                       Same

Note - In the R55W Network Quota protection, Monitor Only was referred to as "Only track the event".
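Network Quota as a sliding-window limiter, an added Python illustration that is not Check Point code: connections from a source IP are accepted until the source exceeds max_connections within window_seconds; beyond that they are blocked, or only logged when monitor_only is set ("Only track the event" in R55W terms). The constructed connection events in run_sample, the window size and the choice that blocked attempts still count toward the window are this example's assumptions.

```python
from collections import defaultdict, deque


class NetworkQuota:
    """Per-source connection limit over a sliding time window (assumed illustration)."""

    def __init__(self, max_connections, window_seconds, monitor_only=False):
        self.max_connections = max_connections
        self.window = window_seconds
        self.monitor_only = monitor_only       # track the event instead of blocking
        self.recent = defaultdict(deque)       # src_ip -> timestamps of recent attempts
        self.log = []

    def new_connection(self, src_ip, now):
        """Return 'accept', 'track' (Monitor Only) or 'block' for a new connection attempt."""
        window = self.recent[src_ip]
        while window and now - window[0] >= self.window:
            window.popleft()                   # forget attempts that fell out of the window
        window.append(now)                     # blocked attempts count too (assumption)
        if len(window) <= self.max_connections:
            return "accept"
        self.log.append("t=%.1f %s exceeded quota: %d connections in %ds"
                        % (now, src_ip, len(window), self.window))
        return "track" if self.monitor_only else "block"


def run_sample(monitor_only=False):
    """Constructed connection log: one noisy source, one quiet source."""
    quota = NetworkQuota(max_connections=3, window_seconds=10, monitor_only=monitor_only)
    events = [(0.0, "10.1.1.1"), (0.5, "10.1.1.1"), (1.0, "10.2.2.2"), (1.5, "10.1.1.1"),
              (2.0, "10.1.1.1"), (2.5, "10.1.1.1"), (12.0, "10.1.1.1")]
    return [quota.new_connection(ip, t) for t, ip in events]


if __name__ == "__main__":
    print(run_sample())
    print(run_sample(monitor_only=True))
```

The seventh event shows the window sliding: by t=12.0 the attempts at 0.0, 0.5, 1.5 and 2.0 have aged out, so the same source is accepted again.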
Block Welchia ICMP

Default   Log                                        Performance impact
Off       Welchia/Nachi Worm ICMP Packet Detected    None (ICMP is not accelerated).

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       Same
R55W             Same                       Same
Block CISCO IOS DOS

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       Same
R55W             Same                       Same
Block Null Payload ICMP

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       Same
R55W             Same                       Same
TCP
The protections in this section allow you to configure a comprehensive set of TCP tests.
SYN Attack Configuration

Default   Performance impact
Off       Disables acceleration for TCP sessions (disables templates). In relay mode, all session handshakes are forwarded to the firewall.

Table 2-24  SYN Attack Configuration

Version          On in NGX R60 Management   Monitor-Only in NGX R60 Management
NG FP3 to R55    Same                       Enforced
R55W             Same                       Same
Small PMTU
In this protection the configuration option "Minimal MTU size" controls the allowed packet size. An exceedingly small value will not prevent an attack, while an unnecessarily large value might cause legitimate requests to be dropped, producing "black hole" effects and degrading performance.
Table 2-25
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Same
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Not Enforced | Not Enforced
Sequence Verifier
Sequence Verifier is a mechanism matching the current TCP packet's sequence number against a TCP connection state. Packets that match the connection in terms of the TCP session but have incorrect sequence numbers are either dropped when the packet's sequence may compromise security, or stripped of data. With this protection you can select the appropriate tracking option and define the type of out-of-sequence packets to be tracked.
Table 2-29
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
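The accept / strip / drop decision that the Sequence Verifier description makes, as an added Python example (not Check Point code; the class, its method names and the replayed segments are constructed). A segment whose bytes fit inside the receiver's window is accepted; a segment that only repeats bytes already delivered is stripped of its payload, because a retransmission could carry different content than the original; anything else out of sequence is dropped. Sequence arithmetic is done modulo 2^32 so wrap-around compares correctly.

```python
"""TCP sequence-number verification for one tracked connection (added example,
not Check Point code; class and method names are constructed)."""

SEQ_MOD = 1 << 32


def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in 32-bit sequence space, so wrap-around compares correctly."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


class SequenceVerifier:
    def __init__(self, rcv_nxt: int, window: int, track: tuple = ("strip", "drop")):
        self.rcv_nxt = rcv_nxt          # next in-order byte the receiver expects
        self.window = window            # receive window advertised by the receiver
        self.track = set(track)         # which out-of-sequence outcomes get a log entry
        self.log = []                   # (outcome, seq, payload_len)

    def check(self, seq: int, payload_len: int) -> str:
        start = seq_diff(seq, self.rcv_nxt)     # offset of the first payload byte from rcv_nxt
        end = start + payload_len               # offset just past the last payload byte
        if 0 <= start and end <= self.window:
            if start == 0:                      # in order: advance the expected sequence number
                self.rcv_nxt = (self.rcv_nxt + payload_len) % SEQ_MOD
            return "accept"
        # Entirely old data is a retransmission of bytes the receiver already has; its
        # content could differ from what was delivered, so only the payload is removed.
        # Segments that straddle delivered data or lie beyond the window are dropped.
        outcome = "strip" if end <= 0 else "drop"
        if outcome in self.track:
            self.log.append((outcome, seq, payload_len))
        return outcome


def run_demo() -> list:
    """Constructed sequence of segments on a connection whose sequence space wraps."""
    v = SequenceVerifier(rcv_nxt=0xFFFFFF00, window=8192)
    return [
        v.check(0xFFFFFF00, 0x100),     # in order; rcv_nxt wraps to 0
        v.check(0x00000000, 100),       # next in-order segment after the wrap
        v.check(0xFFFFFF00, 0x100),     # retransmission of delivered bytes -> strip
        v.check(100 + 8192, 10),        # starts beyond the window -> drop
        v.check(50, 100),               # straddles delivered and new data -> drop
    ]
```

The `track` tuple plays the role of the tracking option in the text: it selects which kinds of out-of-sequence packets are written to the log, independently of how they are handled.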
Fingerprint Scrambling
SmartDefense can scramble some of the fields commonly used for fingerprinting, masking the original identity of hosts behind the firewall. Please note, however, that totally preventing fingerprinting is next to impossible. Also note that while this feature makes fingerprinting the hosts protected by the firewall harder, it does little to hide the fact that there is a firewall here (that is, fingerprinting the firewall's existence is still possible). With this protection you can choose whether to spoof fingerprints for unencrypted (plain) connections, for encrypted connections (for example, a VPN connection or an HTTPS connection), or both.
ISN Spoofing
The ISN scrambler counters ISN guessing by creating a difference between the sequence numbers used by the server and the sequence numbers perceived by the client. This difference is derived with cryptographic functions and has high entropy, which effectively makes it impossible to guess the server's ISN. If the real server's ISNs have higher entropy than the entropy selected for the ISN scrambler, the higher entropy passes through to the client.
Table 2-31
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
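The ISN scrambling idea in code, as an added Python example that is not Check Point's implementation. A gateway between client and server adds a keyed, per-connection offset to every sequence number the server sends and subtracts it from every acknowledgement the client returns, so the client never sees the server's real ISN. The offset here comes from HMAC-SHA256 over the connection 4-tuple, and the `entropy_bits` parameter stands in for the entropy setting the text mentions; class, method names and the handshake scenario are constructed.

```python
"""ISN scrambling with a per-connection cryptographic offset (added example,
not Check Point code; names and the sample connection are constructed)."""
import hashlib
import hmac
import struct

SEQ_MOD = 1 << 32


def _ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


class IsnScrambler:
    def __init__(self, key: bytes, entropy_bits: int = 32):
        if not 1 <= entropy_bits <= 32:
            raise ValueError("entropy_bits must be between 1 and 32")
        self.key = key
        self.mask = (1 << entropy_bits) - 1     # how many offset bits are randomised

    def offset(self, client: tuple, server: tuple) -> int:
        """Deterministic per-connection offset: the same 4-tuple always yields the same
        value, so both directions of one connection are translated consistently."""
        msg = struct.pack("!4sH4sH", _ip(client[0]), client[1], _ip(server[0]), server[1])
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return struct.unpack("!I", digest[:4])[0] & self.mask

    def server_to_client(self, seq: int, client: tuple, server: tuple) -> int:
        """Scramble the sequence number of a server->client segment."""
        return (seq + self.offset(client, server)) % SEQ_MOD

    def client_to_server(self, ack: int, client: tuple, server: tuple) -> int:
        """Undo the scrambling on the acknowledgement number of a client->server segment."""
        return (ack - self.offset(client, server)) % SEQ_MOD


def handshake_view(scrambler: IsnScrambler, client: tuple, server: tuple, server_isn: int) -> dict:
    """What each side sees in one SYN-ACK / ACK exchange (constructed scenario): the
    server picks server_isn, the client sees the scrambled value, and the client's
    ACK (scrambled ISN + 1) is translated back to the value the server expects."""
    seen_by_client = scrambler.server_to_client(server_isn, client, server)
    ack_from_client = (seen_by_client + 1) % SEQ_MOD
    ack_at_server = scrambler.client_to_server(ack_from_client, client, server)
    return {"server_isn": server_isn, "client_sees": seen_by_client, "server_receives_ack": ack_at_server}
```

Because the offset is added rather than substituted, whatever randomness the server already puts into its ISN survives in what the client sees; this is the "higher entropy passes through" property described above. A server with predictable, stepwise ISNs is hidden because each new connection (new client port) gets an unrelated offset.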
TTL
With this protection you can enable or disable TTL rewriting, and define which packets it applies to. You can change the TTL field of all packets (or all outgoing packets) to a given number. This achieves two goals: a listener cannot determine how many routers (hops) away the host is, and it cannot learn the original TTL value.
Table 2-33
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
IP ID
With this protection you can override the original IP ID with an ID generated by the firewall, thus masking the algorithm used by the original operating system and, with it, the operating system's identity. The three algorithms used by the various operating systems are: Random, Incremental, and Incremental LE (little endian).
Table 2-35
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
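The two header rewrites covered by the TTL and IP ID protections, as one added Python example (not Check Point code). It generates Identification values with the three algorithms the text names (Random, Incremental, Incremental LE), overwrites the TTL with a fixed value and recomputes the IPv4 header checksum so the rewritten packet stays valid. The generator class, the helper names and the sample header are constructed.

```python
"""Rewriting TTL and Identification in an IPv4 header (added example, not Check
Point code; generator names and the sample header are constructed)."""
import random
import struct

HDR = struct.Struct("!BBHHHBBH4s4s")   # IPv4 header without options (20 bytes)


class IpIdGenerator:
    """Produces IP Identification values in one of the three styles named in the text."""

    def __init__(self, algorithm: str, start: int = 0, rng: random.Random = None):
        if algorithm not in ("random", "incremental", "incremental_le"):
            raise ValueError(algorithm)
        self.algorithm = algorithm
        self.counter = start & 0xFFFF
        self.rng = rng or random.SystemRandom()

    def next_id(self) -> int:
        if self.algorithm == "random":
            return self.rng.randrange(0x10000)
        self.counter = (self.counter + 1) & 0xFFFF
        if self.algorithm == "incremental":
            return self.counter
        # Incremental LE: the counter is incremented in little-endian host order and
        # copied to the wire without byte swapping, so 0x0001 appears as 0x0100.
        return ((self.counter & 0xFF) << 8) | (self.counter >> 8)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; yields 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def scramble_header(header: bytes, fixed_ttl: int, ids: IpIdGenerator) -> bytes:
    """Return a copy of a 20-byte IPv4 header with TTL and ID replaced and the checksum fixed."""
    ver_ihl, tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = HDR.unpack(header[:20])
    if ver_ihl != 0x45:
        raise ValueError("example handles IPv4 headers without options only")
    rewritten = HDR.pack(ver_ihl, tos, total_len, ids.next_id(), flags_frag, fixed_ttl, proto, 0, src, dst)
    return rewritten[:10] + struct.pack("!H", ipv4_checksum(rewritten)) + rewritten[12:]


def sample_header(ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed header: 60-byte TCP datagram, 192.0.2.10 -> 198.51.100.1, DF set."""
    raw = HDR.pack(0x45, 0, 60, ident, 0x4000, ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def fields(header: bytes) -> dict:
    """The three things a fingerprinting listener would look at, plus checksum validity."""
    _v, _tos, _len, ident, _ff, ttl, _proto, _csum, _src, _dst = HDR.unpack(header[:20])
    return {"id": ident, "ttl": ttl, "checksum_ok": ipv4_checksum(header[:20]) == 0}
```

Replacing the TTL with one fixed value removes both the hop-count information and the OS-specific initial TTL; replacing the ID with values from a chosen generator makes the ID sequence look like that generator's style rather than the protected host's own.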
Successive Events
The protections in this section allow you to configure different kinds of Check Point Malicious Activity Detections, including some general attributes. All of these detections depend on logs generated by SmartDefense. By default, Check Point Malicious Activity Detections do not block the detected attacks but rather generate an Alert. Other actions, for example User Defined Alerts, can be configured instead.
Address Spoofing
This protection allows you to define parameters that are specific to the defense against Address Spoofing attempts. An attack is detected (defined) as Address Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.
Table 2-37
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Enforced
Denial of Service
To protect the network from DoS attacks, SmartDefense employs a threshold. The threshold detects DoS events when more than a specific number of them occur within a specific period of time. When the threshold is reached, the DoS events are logged and an alert is issued. With this protection you can define the frequency of events that will be treated as a DoS attack, and the Action to be taken when such an attack is detected.
Table 2-39
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Enforced
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Enforced
Successive Alerts
With this protection you can define parameters that are specific to the defense against Successive Alerts attempts. An attack is detected (defined) as Successive Alerts when more than a specific number of events are detected over a period of a specific number of seconds.
Table 2-43
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Enforced
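The "more than N events in T seconds" rule shared by the Address Spoofing, Denial of Service and Successive Alerts detections above, as one added Python example run over a handful of constructed log events. This is not Check Point code and the line format is not Check Point's log format; thresholds, attack names, the action label and the sample events are all constructed. Address Spoofing and DoS are counted per source; Successive Alerts counts every logged event regardless of source, as the text describes a detection that works on the stream of SmartDefense logs.

```python
"""Threshold detection over SmartDefense-style log events (added example, not
Check Point code; log format, thresholds and events are constructed)."""
from collections import defaultdict, deque

# Constructed log: "<seconds> <source> <attack name>", one event per line.
SAMPLE_LOG = """\
1000 10.1.1.7 Address Spoofing
1001 10.1.1.7 Address Spoofing
1002 10.1.1.7 Address Spoofing
1003 10.1.1.7 Address Spoofing
1030 10.1.1.7 Address Spoofing
1040 10.2.2.2 SYN Attack
1041 10.2.2.2 SYN Attack
1042 10.3.3.3 Teardrop
1043 10.4.4.4 Address Spoofing
"""

# detection -> (events allowed, window in seconds); an alert needs MORE than the allowed count.
THRESHOLDS = {
    "Address Spoofing": (3, 10),
    "Denial of Service": (3, 60),
    "Successive Alerts": (5, 60),
}
DOS_ATTACKS = {"SYN Attack", "Teardrop", "Ping of Death", "LAND"}


def category_of(attack: str):
    """Map a logged attack name to the per-source detection that counts it, if any."""
    if attack == "Address Spoofing":
        return "Address Spoofing"
    if attack in DOS_ATTACKS:
        return "Denial of Service"
    return None


class SuccessiveEventDetector:
    def __init__(self, thresholds: dict = THRESHOLDS, action: str = "alert"):
        self.thresholds = thresholds
        self.action = action                     # "alert" or a user-defined alert name
        self.windows = defaultdict(deque)        # (detection, key) -> recent timestamps

    def feed(self, ts: int, src: str, attack: str) -> list:
        alerts = []
        # Per-source detection for this attack type, plus the source-independent one.
        for detection, key in ((category_of(attack), src), ("Successive Alerts", None)):
            if detection is None:
                continue
            allowed, window = self.thresholds[detection]
            q = self.windows[(detection, key)]
            q.append(ts)
            while ts - q[0] > window:            # drop timestamps that left the window
                q.popleft()
            if len(q) > allowed:
                alerts.append((ts, detection, key, self.action))
                q.clear()                        # one alert per burst, not one per extra event
        return alerts


def run_detector(log_text: str = SAMPLE_LOG) -> list:
    det = SuccessiveEventDetector()
    alerts = []
    for line in log_text.splitlines():
        ts, src, attack = line.split(" ", 2)
        alerts += det.feed(int(ts), src, attack)
    return alerts
```

On the sample log the fourth spoofing event from 10.1.1.7 within ten seconds raises the Address Spoofing alert, and the sixth SmartDefense event of any kind within sixty seconds raises the Successive Alerts alert; two SYN Attack events from one source stay below the DoS threshold.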
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Enforced
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
Report to DShield
With this protection you can send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network.
Table 2-49
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
Port Scan
The protections in this section allow you to discover incidents of intelligence gathering so that the information in question cannot be used to attack vulnerable computers. Port Scanning is a method of collecting information about open TCP and UDP ports in a network. Gathering information is not in itself an attack, but the information can be used later to target and attack vulnerable computers. Port scanning can be performed either by a hacker using a scanning utility such as nmap, or by a worm trying to spread itself to other computers. Port Scanning is most commonly done by trying to access a port and waiting for a response. The response indicates whether or not the port is open.
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | N/A
Sweep Scan
SmartDefense has three levels of port scan detection sensitivity. Each level represents the number of inactive ports scanned during a certain amount of time. When a port scan is detected, a log or alert is issued.
Table 2-53
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | N/A
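Sensitivity levels expressed as "inactive ports probed within a time window", as an added Python example for the Port Scan and Sweep Scan descriptions above (not Check Point code; the level values, class name and replayed probes are constructed). A port scan is one source probing many closed ports on one host; a sweep scan is one source probing the same closed port on many hosts. Only probes to inactive ports count, so ordinary traffic to live services is ignored.

```python
"""Port scan and sweep scan detection with sensitivity levels (added example,
not Check Point code; thresholds and probes are constructed)."""
from collections import defaultdict

# level -> (distinct inactive ports or hosts, window in seconds); constructed values,
# not the product's thresholds
SENSITIVITY = {"low": (30, 20), "medium": (15, 20), "high": (5, 20)}


class ScanDetector:
    def __init__(self, level: str):
        self.limit, self.window = SENSITIVITY[level]
        self.by_host = defaultdict(list)   # (src, dst) -> [(ts, port)]  for port scans
        self.by_port = defaultdict(list)   # (src, port) -> [(ts, dst)]  for sweep scans

    def feed(self, ts: float, src: str, dst: str, port: int, inactive: bool) -> list:
        """Record one connection attempt; return any alerts it triggers."""
        if not inactive:
            return []                      # a response from a live service is not a scan indicator
        alerts = []
        for table, key, item, kind in (
            (self.by_host, (src, dst), port, "port scan"),
            (self.by_port, (src, port), dst, "sweep scan"),
        ):
            recent = [(t, i) for t, i in table[key] if ts - t <= self.window]
            recent.append((ts, item))
            if len({i for _, i in recent}) >= self.limit:   # distinct ports / hosts in window
                alerts.append((ts, kind, src))
                recent = []                # reset so one scan raises one alert
            table[key] = recent
        return alerts


def run_demo(level: str = "high") -> list:
    """Replay constructed probes: a vertical scan of closed ports 20..27 on one host,
    then a horizontal sweep of port 445 across six hosts, then a legitimate request."""
    det = ScanDetector(level)
    probes = [(t, "192.0.2.10", "10.0.0.1", 20 + t, True) for t in range(8)]
    probes += [(100 + i, "192.0.2.10", f"10.0.0.{i + 1}", 445, True) for i in range(6)]
    probes += [(110, "192.0.2.99", "10.0.0.1", 80, False)]
    alerts = []
    for probe in probes:
        alerts += det.feed(*probe)
    return alerts
```

At the "high" level (five inactive ports in twenty seconds) the vertical scan is reported on its fifth closed port and the sweep on its fifth host; at "low" or "medium" the same traffic stays below the threshold, which is the trade-off the sensitivity setting controls.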
Dynamic Ports
If this protection is enabled, when a client tries to open a dynamic connection to such a protected port, the connection is dropped.
Default | Effect on acceleration
On | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Same
Chapter 3
Application Intelligence
Introduction
A growing number of attacks attempt to exploit vulnerabilities in network applications rather than target the firewall directly. Check Point Application Intelligence is a set of advanced capabilities, integrated into Firewall and SmartDefense, which detects and prevents application-level attacks. Based on INSPECT intelligent inspection technology, Check Point Application Intelligence gives SmartDefense the ability to protect against application attacks and hazards.
Figure 3-1 OSI (Open Systems Interconnection) Reference Model
Note - The OSI Reference Model is a framework, or guideline, for describing how data is transmitted between devices on a network.
The Application Layer is not the actual end-user software application, but a set of services that allows the software application to communicate via the network. Distinctions between layers 5, 6, and 7 are not always clear, and some competing models combine these layers, as does this user guide.
Application Intelligence protections allow you to configure various protections at the application layer, using SmartDefense's Application Intelligence capabilities.
Mail
The protections in this section allow you to select what types of enforcement will be applied to Mail traffic.
Table 3-58
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
Default | Effect on acceleration
On - only for connections related to resources used in the rule base. | Disables SMTP acceleration and enables Security servers.
Table 3-60
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
Default | Log | Effect on acceleration
Off | MS-ASN.1 Enforcement Violation | Disables acceleration of the relevant protocols for which the protection is turned on.
Table 3-62
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same (R55 Only) | Same (R55 Only)
R55W | Same | Same
FTP
The protections in this section allow you to configure various protections related to the FTP protocol.
FTP Bounce
With this protection you can neutralize an FTP bounce attack aimed at the firewall. SmartDefense neutralizes the attack by performing tests in the kernel. SmartDefense performs a mandatory protection against the FTP bounce attack, verifying the destination of the FTP PORT command. In addition, SmartDefense blocks connections to Dynamic Ports, as defined in the Dynamic Ports tab, under Network Security.
Table 3-63
Default | Effect on acceleration
On | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Same
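The PORT-command destination check that the FTP Bounce description relies on, as an added Python example (not Check Point code). It accepts a PORT command only when the address it names is the client of the control connection, and refuses data ports that appear in a protected dynamic port list, mirroring the cross-reference to the Dynamic Ports protection above; the additional refusal of ports below 1024 is this example's own choice, not something the text states. Function name, the protected list and the sample control-channel lines are constructed.

```python
"""Checking the destination of an FTP PORT command (added example, not Check
Point code; names, protected ports and sample lines are constructed)."""
import re

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def check_port_command(line: str, client_ip: str, protected_ports: frozenset = frozenset()) -> tuple:
    """Return ("accept", detail) or ("drop", reason) for one FTP control-channel line."""
    m = PORT_RE.match(line)
    if not m:
        return ("drop", "malformed PORT command")
    values = [int(x) for x in m.groups()]
    if any(v > 255 for v in values):
        return ("drop", "PORT value out of range")
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]            # p1,p2 encode the port high byte first
    if ip != client_ip:
        # The server would open its data connection to a third host: the bounce case.
        return ("drop", f"PORT names {ip} but the control connection comes from {client_ip}")
    if port < 1024:                               # example's own extra rule (assumption)
        return ("drop", f"data port {port} is a well-known port")
    if port in protected_ports:
        return ("drop", f"data port {port} is a protected dynamic port")
    return ("accept", f"data connection to {ip}:{port}")


def run_demo() -> list:
    """Constructed control-channel lines from a client at 192.0.2.10."""
    protected = frozenset({5000})                 # constructed protected dynamic port list
    lines = [
        "PORT 192,0,2,10,7,208\r\n",   # 192.0.2.10:2000 -> normal active-mode transfer
        "PORT 198,51,100,5,0,25\r\n",  # third host, port 25 -> bounce attempt
        "PORT 192,0,2,10,0,25\r\n",    # own host but a well-known port
        "PORT 192,0,2,10,19,136\r\n",  # port 5000, in the protected list
        "PORT 192,0,2,10,300,1\r\n",   # octet out of range
    ]
    return [check_port_command(line, "192.0.2.10", protected)[0] for line in lines]
```

The same check applies unchanged to the kernel-level test the text describes: the only state it needs is the client address of the control connection on which the PORT command arrived.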
Default | Effect on acceleration
On - only for connections related to resources used in the rule base. | Disables FTP acceleration and enables Security servers.
Table 3-66
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
Microsoft Networks
The protections in this section allow you to select what types of enforcement will be applied to Microsoft networking protocols.
Table 3-68
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Same
Table 3-70
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | *Enforced | Not Enforced
R55W | Same | Same
Table 3-72
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | *Enforced | Not Enforced
R55W | Same | Same
Default | Log | Effect on acceleration
Off | MS-ASN.1 Enforcement Violation | Disables acceleration of the relevant protocols for which the protection is turned on.
Table 3-74
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same (R55 Only) | Same (R55 Only)
R55W | Same | Same
Default | Log | Effect on acceleration
Off | MS WINS Replication Protocol Enforcement Violation | Disables acceleration of Microsoft WINS traffic on the client to server connection.
Table 3-76
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same (R55 Only) | Same (R55 Only)
R55W | Same | Same
Default | Log | Effect on acceleration
Off | MS WINS Name Validation Enforcement Violation | Disables acceleration of Microsoft WINS traffic on the client to server connection.
Table 3-78
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same (R55 Only) | Same (R55 Only)
R55W | Same | Same
Peer to Peer
The protections in this section enable you to block Peer to Peer traffic, that is, to prevent the use of peer to peer applications used for message transfer and file sharing (for example, Kazaa and Gnutella). For Peer to Peer applications that masquerade as HTTP you can define HTTP patterns that you wish to block. By identifying fingerprints and HTTP headers, SmartDefense detects peer to peer sessions regardless of the TCP port they use.
Default | Effect on acceleration
Off | None.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
Table 3-81
Table 3-82
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
All Protocols
With these protections you can block one of the supported peer to peer applications: KaZaA, Gnutella, eMule, BitTorrent, SoulSeek or IRC.
For older versions (FP3 to R55) if you turn on Header Rejection, HTTP will be protected.
Table 3-83
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
Instant Messengers
The protections in this section allow you to block Instant Messaging applications that use Instant Messaging protocols. Instant Messaging applications have many capabilities, including voice calls, message transfer, and file sharing.
Default: Off

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | N/A
Table 3-90
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Not Enforced | Not Enforced
Skype
SmartDefense can block Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP port being used to initiate the peer to peer session. Skype uses UDP or TCP port 1024 and higher or HTTP for peer to peer telephony. Since Skype uses a session similar to SSL to bypass firewalls, it is now required to either completely block SSL ports or activate the "Block SSL null-pointer assignment" protection, under the VPN Protocols branch. SmartDefense inspects Peer to Peer connections over HTTP requests and responses.
Table 3-91
Table 3-92
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
Yahoo! Messenger
SmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP port that is being used to initiate the peer to peer session. Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer. SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-93
Table 3-94
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
ICQ
SmartDefense can block ICQ traffic by identifying ICQ's fingerprints and HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP port that is being used to initiate the peer to peer session. ICQ uses TCP port 5190 to connect. File transfer and sharing is done through TCP port 3574/7320. SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-95
Table 3-96
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
DNS
With the protections in this section you can prevent various DNS related vulnerabilities and protocol violations by performing DNS protocol enforcement and validation (TCP and UDP).
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | N/A
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | N/A
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | N/A
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same (R55 Only) | Same (R55 Only)
R55W | Same | Same
VoIP
With the protections in this section you can enable protection against DoS attacks directed against VoIP networks. On the VoIP pages you can configure protections for VoIP protocols. SmartDefense validates the addresses of the caller and receiver, and ensures that the caller and receiver are allowed to make and receive VoIP calls. In addition, SmartDefense examines the contents of the packets passing through every allowed port, to make sure they contain proper information. Full stateful inspection of H.323, SIP, MGCP and SCCP commands ensures that all VoIP packets are structurally valid, and that they arrive in a valid sequence according to the RFC standards.
DOS Protection
A rogue IP phone could mount a Denial of Service attack by flooding the network with calls, thereby interfering with proper use of the phone network. This protection allows you to protect against Denial of Service attacks by limiting the number of call attempts per minute that the VPN-1 Power Gateway will allow from any given IP address. Calls from handover devices are not counted, because they legitimately make a large number of calls.
Table 3-107
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Not Enforced | Not Enforced
H323
In this window you can perform the following application layer checks: strict enforcement of the protocol, including the order and direction of H.323 packets; dropping packets in which the phone number sent is longer than 24 characters, which prevents buffer overruns in the server; and opening dynamic ports only if the port is not used by another service (for example, if the Connect message sends port 80 for the H.245 connection, that port will not be opened), which prevents well-known ports from being used illegally.
Table 3-109
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Not Enforced
R55W | Same | Not Enforced
SIP
With this protection you can verify content in the SIP header. If this option is selected and there are explicit SIP rules in the Rule Base, SmartDefense will validate the SIP headers and look for invalid characters inside them.
Table 3-111
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same, except that "block specific applications (video, audio, instant messaging)" and "default registration timeout" are not enforced | Not Enforced
R55W | Same ("Block SIP calls that use " and "Drop unknown SIP message" are not enforced) | Not Enforced
Block SIP Calls that Use Two Different Voice Connections (RTP) for Incoming Audio and Outgoing Audio
Table 3-113
Default | Effect on acceleration
Off for all versions prior to R60 / On for R60 | VoIP traffic is not accelerated.

Default | Effect on acceleration
Off for all versions prior to R60 / On for R60 | VoIP traffic is not accelerated.
Default | Effect on acceleration
Off for all versions prior to R60 / On for R60 | VoIP traffic is not accelerated.

Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | N/A
SCCP (Skinny)
SCCP (Skinny Client Control Protocol) controls telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers). SmartDefense provides full connectivity and network-level security for SCCP based VoIP communication. All SCCP traffic is inspected; legitimate traffic is allowed to pass while attacks are blocked. All SmartDefense capabilities are supported, such as anti-spoofing and protection against Denial of Service attacks. Fragmented packets are examined and secured using kernel based streaming. However, NAT on SCCP devices is not supported. In addition, SmartDefense restricts handover locations, and controls signalling and data connections. SmartDefense tracks state and verifies that the state is valid for all SCCP messages. For a number of key messages, it also verifies the existence and correctness of the message parameters. SmartDefense can perform additional content security checks for SCCP connections, thereby providing a greater level of protection.
Table 3-129
Version | Behavior when protection is on in NGX R60 Management | Behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | N/A
SNMP
With the protections in this section you can protect against SNMP vulnerabilities by providing the option of enforcing SNMPv3 (the latest SNMP version) while rejecting previous versions. In addition, in this window you can allow all SNMP versions while dropping requests with SNMPv1 and SNMPv2 default community strings.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
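The two SNMP options above can be checked from the outer BER structure of the message alone. The following is an added example (not Check Point code) that decodes just the version and community fields and applies both policies; the community names "public" and "private" are assumed here as the well-known defaults, and the message builders construct sample packets for the demonstration:

```python
# Added example (not Check Point code): decode the outer SNMP message just far
# enough to apply the two policies in this section. Only short- and long-form
# definite BER lengths are handled, which is all SNMP uses.
DEFAULT_COMMUNITIES = {b"public", b"private"}   # assumption: the well-known vendor defaults


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past the end of the message")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(msg: bytes):
    """Return (version, community); version is 0 for SNMPv1, 1 for SNMPv2c, 3 for SNMPv3.
    SNMPv3 has no community string, so community is None for it."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("message is not a single SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or not ver:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return version, None
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, community


def snmp_verdict(msg: bytes, enforce_v3_only: bool) -> str:
    """Apply the section's two options: require SNMPv3, or allow every version
    but drop SNMPv1/v2c requests that carry a default community string."""
    try:
        version, community = parse_snmp(msg)
    except ValueError as exc:
        return f"drop: malformed SNMP ({exc})"
    if version not in (0, 1, 3):
        return f"drop: unknown SNMP version field {version}"
    if enforce_v3_only and version != 3:
        return "drop: SNMPv3 required"
    if version != 3 and community in DEFAULT_COMMUNITIES:
        return f"drop: default community string on SNMPv{1 if version == 0 else 2}"
    return "accept"


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER encoder for the constructed samples (values under 128 bytes)."""
    return bytes([tag, len(value)]) + value


def build_community_message(version: int, community: bytes) -> bytes:
    """Constructed sample: a GetRequest (context tag 0xA0) with an empty varbind list."""
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + pdu)


# Constructed SNMPv3 sample: version 3 followed by a (here empty) msgGlobalData SEQUENCE.
SAMPLE_V3 = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b""))
```

A gateway applies this to UDP port 161 traffic only; the decoder stops at the community field,
so the PDU itself is never interpreted, which keeps the check cheap and the attack surface small.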
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
VPN Protocols
The protections in this section allow you to select what types of enforcement will be applied to VPN (Virtual Private Network) protocols.
PPTP Enforcement
This protection enforces the PPTP protocol. PPTP sessions are forced to comply with the RFC standard, including message type and packet length. If the PPTP control connection unexpectedly terminates, the GRE tunnel is terminated automatically. In addition, enabling this protection allows Hide NAT as well as Static NAT to be performed on PPTP connections.
Table 3-135
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Not Enforced                        Not Enforced
SSL Enforcement
When this protection is enabled, SmartDefense will identify and drop malformed SSL Client Hello packets.
Table 3-137
Default setting   Log message           Effect on acceleration
Off               Invalid SSL Packet    Disables acceleration of SSL traffic passing through the gateway.
Table 3-138
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
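"Malformed" at this layer means the length fields of the record, the handshake message and each variable-length vector do not agree with the bytes present. The following is an added example (not Check Point code) of a structural check on a TLS/SSLv3-format Client Hello; SSLv2-format hellos are out of scope, and the sample records are constructed for the demonstration:

```python
# Added example (not Check Point code): structural validation of a TLS/SSLv3
# ClientHello. Every length field is checked against the bytes actually present,
# which is what "malformed" means at this layer. SSLv2-format hellos are out of scope.


class _Cursor:
    """Bounds-checked reader; any read past the end raises ValueError."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("field runs past the end of its container")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def vector(self, length_octets: int) -> bytes:
        """Read a TLS variable-length vector: N-byte length prefix then that many bytes."""
        return self.take(int.from_bytes(self.take(length_octets), "big"))


def check_client_hello(record: bytes) -> str:
    """Return "ok" or the reason the record is not a well-formed ClientHello."""
    if len(record) < 5:
        return "record header truncated"
    if record[0] != 0x16:
        return "not a handshake record"
    if record[1] != 3:
        return "unsupported record version"
    rec_len = int.from_bytes(record[3:5], "big")
    if rec_len == 0 or 5 + rec_len != len(record):
        return "record length does not match data"
    hs = record[5:]
    if len(hs) < 4 or hs[0] != 1:
        return "not a ClientHello handshake message"
    if 4 + int.from_bytes(hs[1:4], "big") != len(hs):
        return "handshake length does not match record"
    body = hs[4:]
    try:
        c = _Cursor(body)
        c.take(2)                                  # client_version
        c.take(32)                                 # random
        if len(c.vector(1)) > 32:
            return "session_id longer than 32 bytes"
        suites = c.vector(2)
        if not suites or len(suites) % 2:
            return "cipher_suites empty or odd length"
        if not c.vector(1):
            return "compression_methods empty"
        if c.pos < len(body):                      # extensions block is optional
            ext = _Cursor(c.vector(2))
            while ext.pos < len(ext.data):
                ext.take(2)                        # extension_type
                ext.vector(2)                      # extension_data
        if c.pos != len(body):
            return "trailing bytes after ClientHello"
    except ValueError as exc:
        return str(exc)
    return "ok"


def build_client_hello(cipher_suites: bytes = b"\x13\x01\x13\x02", extensions: bytes = b"") -> bytes:
    """Constructed sample ClientHello (TLS 1.2 record/handshake layout)."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"                     # version, random, empty session_id
            + len(cipher_suites).to_bytes(2, "big") + cipher_suites
            + b"\x01\x00")                                         # one compression method: null
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

The bounds-checked cursor is the important design choice: a length field that points past the end of the buffer is reported as a violation instead of being read, which is exactly the class of input a parser on the server side must also survive.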
Default setting   Log message                       Effect on acceleration
Off               IKE Aggressive Packet Detected    Disables acceleration of IKE traffic on the client to server direction passing through the gateway. Server to client is still accelerated.
Table 3-140
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
IKE Enforcement
This protection enforces compliance of the IKE protocol with RFC 2409 in terms of payload type and length, maximum number of payloads, and packet length. By enabling "IKE payload enforcement", SmartDefense performs additional checks on the IKE Security Association payload. A monitor-only mode makes it possible to track IKE protocol violations without blocking the connection.
Table 3-141
Default setting   Log message                  Effect on acceleration
Off               IKE Enforcement Violation    Disables acceleration of IKE traffic on the client to server direction passing through the gateway. Server to client is still accelerated.
Table 3-142
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
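The checks named above (payload type and length, number of payloads, packet length, and a closer look at the SA payload) map onto the ISAKMP header and generic payload header of RFC 2408. The following is an added example (not Check Point code) that walks the next-payload chain of a datagram; the payload cap of 20 is an illustrative assumption, not a Check Point value, and the sample datagrams are constructed:

```python
# Added example (not Check Point code): RFC 2408/2409 structural checks on an
# ISAKMP datagram: header length, the next-payload chain, per-payload lengths,
# a cap on the number of payloads, and a shallow look at the SA payload.
ISAKMP_HEADER_LEN = 28
RFC2408_PAYLOADS = set(range(1, 14))   # SA, P, T, KE, ID, CERT, CR, HASH, SIG, NONCE, N, D, VID
MAX_PAYLOADS = 20                       # assumption: an illustrative cap, not a Check Point value


def _sa_payload_ok(body: bytes) -> bool:
    """Shallow SA payload check: DOI, situation, and a proposal header that fits."""
    if len(body) < 16:                                  # DOI(4) + situation(4) + proposal header(8)
        return False
    doi = int.from_bytes(body[:4], "big")
    proposal_len = int.from_bytes(body[10:12], "big")
    transforms = body[15]
    return doi in (0, 1) and transforms >= 1 and 16 <= proposal_len <= len(body) - 8


def check_ike(msg: bytes, max_payloads: int = MAX_PAYLOADS, payload_enforcement: bool = True) -> str:
    """Return "ok" or the first protocol violation found."""
    if len(msg) < ISAKMP_HEADER_LEN:
        return "ISAKMP header truncated"
    next_payload, version = msg[16], msg[17]
    if version >> 4 != 1:
        return "major version is not 1"
    if int.from_bytes(msg[24:28], "big") != len(msg):
        return "header length does not match datagram"
    pos, count = ISAKMP_HEADER_LEN, 0
    while next_payload != 0:
        if count >= max_payloads:
            return "too many payloads"
        if pos + 4 > len(msg):
            return "payload header truncated"
        ptype = next_payload
        if ptype not in RFC2408_PAYLOADS and ptype < 128:   # 128-255 are private use
            return f"reserved payload type {ptype}"
        next_payload = msg[pos]
        plen = int.from_bytes(msg[pos + 2:pos + 4], "big")
        if plen < 4 or pos + plen > len(msg):
            return f"bad length for payload type {ptype}"
        if ptype == 1 and payload_enforcement and not _sa_payload_ok(msg[pos + 4:pos + plen]):
            return "malformed SA payload"
        pos += plen
        count += 1
    if pos != len(msg):
        return "trailing bytes after last payload"
    return "ok"


def build_ike(payloads, exchange_type: int = 2) -> bytes:
    """Constructed sample: header plus a chain of (type, body) payloads; exchange 2 = Identity Protection."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += bytes([nxt, 0]) + (4 + len(body)).to_bytes(2, "big") + body
    first = payloads[0][0] if payloads else 0
    # cookies(16), next payload, version 1.0, exchange type, flags, message id(4)
    header = bytes(16) + bytes([first, 0x10, exchange_type, 0]) + bytes(4)
    return header + (ISAKMP_HEADER_LEN + len(chain)).to_bytes(4, "big") + chain


# Constructed SA payload body: IPsec DOI, situation SIT_IDENTITY_ONLY, one proposal with one transform.
SAMPLE_SA = ((1).to_bytes(4, "big") + (1).to_bytes(4, "big")
             + bytes([0, 0, 0, 16, 1, 1, 0, 1])      # proposal: next 0, len 16, #1, PROTO_ISAKMP, SPI size 0, 1 transform
             + bytes([0, 0, 0, 8, 1, 1, 0, 0]))      # transform: next 0, len 8, #1, KEY_IKE, reserved
SAMPLE_VID = bytes.fromhex("aa") * 16
```

Monitor-only mode corresponds to logging the returned reason without dropping the datagram; the function is the same in both modes.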
Table 3-143
Default setting   Log message                              Effect on acceleration
Off               SSH Connection on a Non-Standard Port    Disables session rate acceleration on all traffic.
Table 3-144
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
SSH Enforcement
SSH Enforcement protection applies to SSH traffic on TCP port 22. SSH Enforcement enables you to select and deselect specific defense attributes. By selecting Block SSH v1, only SSH version 2 will be enabled over TCP port 22.
Table 3-145
Table 3-146
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
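Both "Block SSH v1" and the non-standard-port check above can be decided from the plain-text identification string each side sends first (RFC 4253 section 4.2), before any encryption starts. The following is an added example (not Check Point code); the software names in the samples are constructed inputs:

```python
# Added example (not Check Point code): the SSH version exchange is a plain-text
# identification string, so "Block SSH v1" and "non-SSH traffic on port 22" can
# be decided from the first line each side sends (RFC 4253 section 4.2).
import re

ID_LINE = re.compile(rb"^SSH-(\d+)\.(\d+)-([\x21-\x7e]+)(?: (.*))?$")


def parse_ssh_id(data: bytes, from_server: bool):
    """Return (major, minor, software). A server may send banner lines before
    its identification string; a client may not."""
    for line in data.split(b"\r\n"):
        if line.startswith(b"SSH-"):
            if len(line) + 2 > 255:
                raise ValueError("identification string longer than 255 bytes")
            m = ID_LINE.match(line)
            if not m:
                raise ValueError("malformed identification string")
            return int(m.group(1)), int(m.group(2)), m.group(3).decode("ascii")
        if not from_server:
            raise ValueError("client data on port 22 is not an SSH identification string")
    raise ValueError("no identification string")


def ssh_verdict(client_data: bytes, server_data: bytes, block_v1: bool) -> str:
    """Apply the Block SSH v1 option to the first bytes from each side."""
    try:
        client = parse_ssh_id(client_data, from_server=False)
        server = parse_ssh_id(server_data, from_server=True)
    except ValueError as exc:
        return f"drop: {exc}"
    if block_v1:
        # "1.99" means "2.0, with 1.x as a fallback"; a plain 1.x on either side means version 1.
        for side, (major, minor, _) in (("client", client), ("server", server)):
            if major == 1 and minor != 99:
                return f"drop: {side} offers SSH version 1"
    return "accept"
```

A server that advertises 1.99 still negotiates version 2 with a 2.0 client, so that pairing is accepted; the check fires only when a side can speak nothing but version 1.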
Content Protection
The protections in this section allow you to block malicious content over multiple protocols.
Malformed JPEG
By enabling this protection, SmartDefense blocks malformed JPEG files on all services with Protocol Type 'HTTP'. Enabling "Perform strict enforcement" enables JPEG file detection based on its content.
Table 3-147
Default setting   Log message                          Effect on acceleration
Off               JPEG Content Protection Violation    Disables acceleration altogether for HTTP.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
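Detection "based on its content" means recognising the file by its SOI marker rather than by the Content-Type header, and "malformed" means marker segments whose lengths do not fit the data. The following is an added example (not Check Point code) of a marker-segment walk over a JPEG; the sample image is a constructed minimal file:

```python
# Added example (not Check Point code): a JPEG marker-segment walk. "Strict
# enforcement" here means deciding by content (the SOI marker) rather than by
# the Content-Type header, then checking that every segment length fits the data.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))   # TEM, SOI, EOI, RST0-7 carry no length field


def looks_like_jpeg(data: bytes) -> bool:
    """Content-based detection: SOI marker followed by the start of another marker."""
    return data[:3] == b"\xff\xd8\xff"


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past scan data: 0xFF00 is a stuffed byte and 0xFFD0-D7 are restart markers."""
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
            return pos
        pos += 1
    return len(data)


def check_jpeg(data: bytes) -> str:
    """Return "ok" or the first structural problem found."""
    if not looks_like_jpeg(data):
        return "not a JPEG (missing SOI)"
    pos, saw_frame = 2, False
    while pos < len(data):
        if data[pos] != 0xFF:
            return f"expected marker at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            return "truncated marker"
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return "ok" if saw_frame else "EOI before frame header"
        if marker in STANDALONE:
            return f"unexpected stand-alone marker 0x{marker:02x}"
        if pos + 2 > len(data):
            return "segment length truncated"
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2 or pos + seg_len > len(data):
            return f"bad segment length for marker 0x{marker:02x}"
        if marker in SOF_MARKERS:
            if seg_len < 8:
                return "frame header too short"
            width = int.from_bytes(data[pos + 5:pos + 7], "big")
            components = data[pos + 7]
            if width == 0 or components == 0 or seg_len != 8 + 3 * components:
                return "inconsistent frame header"
            saw_frame = True
        pos += seg_len
        if marker == SOS:
            if not saw_frame:
                return "scan before frame header"
            pos = _skip_entropy_coded(data, pos)
    return "truncated (no EOI)"


# Constructed minimal sample: APP0, SOF0 (8x8, one component), SOS, a few scan bytes, EOI.
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xc0" + (11).to_bytes(2, "big") + b"\x08\x00\x08\x00\x08\x01\x01\x11\x00"
               + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\xff\x00\x56"
               + b"\xff\xd9")
```

The frame-header consistency check (segment length equal to 8 plus 3 bytes per component) is the kind of relation a decoder relies on without verifying, which is why a gateway checks it before the file reaches a client.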
Default setting   Log message                         Effect on acceleration
Off               ANI Content Protection Violation    Disables acceleration altogether for HTTP.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
MS-RPC
DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135
This protection allows specific MS-RPC interfaces, such as the DCOM interface, if they are allowed in the rule base. You can use the DCE-RPC services to create them and apply the protections in this page. SmartDefense unconditionally blocks the "Blaster" worm and its variants, while allowing legitimate DCOM traffic.
Table 3-151
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    *Enforced                           Not Enforced
R55W             Same                                Same
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    *Enforced                           Not Enforced
R55W             Same                                Same
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Not Enforced                        Not Enforced
MS-SQL
The protections in this section allow you to configure various protections related to the MS SQL Server protocols.
Default setting   Log message                                      Effect on acceleration
Off               MS-SQL Monitor Protocol Enforcement Violation    Disables acceleration of MS-SQL traffic.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
Default setting   Log message                                     Effect on acceleration
Off               MS-SQL Server Protocol Enforcement Violation    Disables acceleration of MS-SQL traffic.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
Routing Protocols
The protections in this section allow you to select what types of enforcement will be applied to routing protocols.
OSPF
By enabling this protection, SmartDefense will enforce the validity of the OSPF packet header, including protocol version, message type and packet length. In addition, SmartDefense is able to detect and block OSPF traffic that is non-MD5 authenticated, which is considered insecure.
Table 3-161
Default setting   Log message                   Effect on acceleration
Off               OSPF enforcement violation    Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.
Table 3-162
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
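The header fields the OSPF protection validates (version, type, packet length) and the authentication type it keys on are all in the 24-byte OSPFv2 header of RFC 2328. The following is an added example (not Check Point code) that performs those checks and the MD5-required check; the gateway cannot verify the digest itself without the routers' shared key, so only its presence and length are checked, and the sample Hello packets are constructed:

```python
# Added example (not Check Point code): OSPFv2 header validation (RFC 2328
# section A.3.1) plus the authentication-type check this section describes.
# The MD5 digest itself is not verified: that needs the shared key, which an
# inspecting gateway does not have; only its presence and length are checked.
OSPF_HEADER_LEN = 24
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
MD5_DIGEST_LEN = 16


def _internet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum, as used by IP and OSPF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_checksum(pkt: bytes) -> int:
    """OSPFv2 checksum: computed over the packet with the checksum field zeroed
    and the 8-byte authentication field (offsets 16-23) excluded."""
    return _internet_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:])


def check_ospf(data: bytes, require_md5: bool) -> str:
    """Return "ok" or the reason the packet would be dropped."""
    if len(data) < OSPF_HEADER_LEN:
        return "header truncated"
    version, ptype = data[0], data[1]
    pkt_len = int.from_bytes(data[2:4], "big")
    au_type = int.from_bytes(data[14:16], "big")
    if version != 2:
        return "not OSPFv2"
    if not 1 <= ptype <= 5:
        return f"unknown packet type {ptype}"
    if pkt_len < OSPF_HEADER_LEN or pkt_len > len(data):
        return "packet length inconsistent"
    if au_type == AU_CRYPTO:
        digest_len = data[19]            # auth field: reserved(2) key id(1) auth data len(1) seq(4)
        if digest_len != MD5_DIGEST_LEN or len(data) != pkt_len + digest_len:
            return "cryptographic trailer missing or wrong size"
        return "ok"
    if au_type not in (AU_NULL, AU_SIMPLE):
        return f"unknown AuType {au_type}"
    if require_md5:
        return "not MD5 authenticated"
    if len(data) != pkt_len:
        return "trailing bytes after packet"
    if ospf_checksum(data) != int.from_bytes(data[12:14], "big"):
        return "bad checksum"
    return "ok"


def build_ospf_hello(au_type: int) -> bytes:
    """Constructed sample Hello from router 10.0.0.1 in area 0 (20-byte Hello body)."""
    body = (b"\xff\xff\xff\x00" + (10).to_bytes(2, "big") + b"\x12\x01"   # netmask, hello interval, options, priority
            + (40).to_bytes(4, "big") + bytes(4) + bytes(4))             # dead interval, DR, BDR
    if au_type == AU_CRYPTO:
        auth = b"\x00\x00" + b"\x01" + bytes([MD5_DIGEST_LEN]) + (1).to_bytes(4, "big")   # key id 1, len 16, seq 1
    else:
        auth = bytes(8)
    length = OSPF_HEADER_LEN + len(body)
    hdr = (bytes([2, 1]) + length.to_bytes(2, "big") + b"\x0a\x00\x00\x01" + bytes(4)
           + b"\x00\x00" + au_type.to_bytes(2, "big") + auth)
    pkt = hdr + body
    if au_type != AU_CRYPTO:
        pkt = pkt[:12] + ospf_checksum(pkt).to_bytes(2, "big") + pkt[14:]
    else:
        pkt += bytes(MD5_DIGEST_LEN)     # placeholder digest; a real router appends MD5(packet || key)
    return pkt
```

The same shape of check (header sanity, then "is this authenticated at all?") is what the RIP protection below applies to RIPv2, whose MD5 authentication is carried in a leading entry with address family 0xFFFF.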
Default setting   Log message                  Effect on acceleration
Off               BGP Enforcement Violation    Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.
Table 3-164
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
RIP
By enabling this protection, SmartDefense will enforce the validity of the RIP packet header. In addition, SmartDefense is able to detect and block RIP traffic that is non-MD5 authenticated, which is considered insecure.
Table 3-165
Default setting   Log message                  Effect on acceleration
Off               RIP Enforcement Violation    Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.
Table 3-166
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
IGMP
By enabling this protection, SmartDefense will enforce the validity of the IGMP packet header. In addition, SmartDefense is able to detect and block IGMP traffic that is non-MD5 authenticated, which is considered insecure.
Table 3-167
Default setting   Log message                            Effect on acceleration
Off               IGMP protocol Enforcement Violation    Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.
Table 3-168
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
SUN-RPC
The protections in this section allow you to select what types of enforcement will be applied to SUN-RPC (Remote Procedure Calls) protocols.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
DHCP
By enabling this protection, SmartDefense will enforce the validity of the DHCP packet header and options.
Table 3-171
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
SOCKS
This protection provides enforcement of the SOCKS protocol. Non-SOCKS communication over the SOCKS protocol port (1080 by default) is blocked. You may also block SOCKS version 4 only, or any unauthenticated SOCKS communication (often used by trojans to tunnel information).
Table 3-173
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (R55 Only)                     Same (R55 Only)
R55W             Same                                Same
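The three options above (non-SOCKS traffic on the port, SOCKS version 4, unauthenticated SOCKS) are all visible in the client's first message and, for SOCKS5, in the server's method-selection reply. The following is an added example (not Check Point code) that classifies those bytes and applies the options; the sample messages are constructed:

```python
# Added example (not Check Point code): classify the client's first bytes on the
# SOCKS port, then apply the three options this section lists. SOCKS4 carries a
# bare USERID and no authentication, so it counts as unauthenticated.
from typing import Optional


def parse_socks_greeting(data: bytes) -> dict:
    """Return {"version": 4, ...} or {"version": 5, "methods": set}; raise ValueError otherwise."""
    if not data:
        raise ValueError("empty")
    if data[0] == 4:
        # VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID... NUL
        if len(data) < 9 or data[1] not in (1, 2):
            raise ValueError("malformed SOCKS4 request")
        end = data.find(b"\x00", 8)
        if end < 0:
            raise ValueError("SOCKS4 USERID not NUL-terminated")
        return {"version": 4, "command": data[1],
                "port": int.from_bytes(data[2:4], "big"), "userid": data[8:end]}
    if data[0] == 5:
        # VER(1) NMETHODS(1) METHODS(NMETHODS); method 0x00 is "no authentication required"
        if len(data) < 2 or data[1] == 0 or len(data) != 2 + data[1]:
            raise ValueError("malformed SOCKS5 greeting")
        return {"version": 5, "methods": set(data[2:])}
    raise ValueError("not SOCKS")


def socks_verdict(client_data: bytes, server_reply: Optional[bytes],
                  block_v4: bool, block_unauthenticated: bool) -> str:
    """server_reply is the SOCKS5 method-selection message once seen (None before that)."""
    try:
        greeting = parse_socks_greeting(client_data)
    except ValueError as exc:
        return f"drop: non-SOCKS traffic on the SOCKS port ({exc})"
    if greeting["version"] == 4:
        if block_v4:
            return "drop: SOCKS version 4"
        if block_unauthenticated:
            return "drop: SOCKS4 is unauthenticated"
        return "accept"
    if block_unauthenticated:
        if greeting["methods"] == {0x00}:
            return "drop: client offers no authenticated method"
        if server_reply is not None:
            if len(server_reply) != 2 or server_reply[0] != 5:
                return "drop: malformed SOCKS5 method selection"
            if server_reply[1] == 0x00:
                return "drop: server selected no authentication"
    return "accept"
```

A client that offers both "no authentication" and username/password cannot be judged from its greeting alone, which is why the server's selection is consulted before the connection is allowed to proceed.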
Chapter 4
Web Intelligence
Introduction
Web Intelligence is based on Check Point's Stateful Inspection, Application Intelligence, and Malicious Code Protector technologies, so that it is possible to block not only specific attacks, but also entire categories of attacks, while allowing legitimate traffic to pass. Malicious Code Protector is a Check Point patent-pending technology that blocks hackers from sending malicious code to target web servers and applications. It can detect malicious executable code within web communications by identifying not only the existence of executable code in a data stream but its potential for malicious behavior. Malicious Code Protector is a kernel-based protection delivering almost wire-speed performance. Application Intelligence is a set of technologies that detect and prevent application-level attacks by integrating a deeper understanding of application behavior into network security defenses. Stateful Inspection analyzes information flow into and out of a network so that real-time security decisions can be based on communication session information as well as on application information. It accomplishes this by tracking the state and context of all communications traversing the firewall gateway, even when the connection involves complex protocols.
Web Intelligence is an add-on for VPN-1 Power. Customers who purchase the SmartDefense Subscription service can automatically update both SmartDefense and Web Intelligence with a single click. Updates are released frequently, and are obtained from the Check Point SmartDefense site: http://www.checkpoint.com/techsupport/documentation/smartdefense/index.html . Customers with a valid subscription license also receive special SmartDefense Advisories that provide updated SmartDefense and Web Intelligence attack protections, as well as information, tools and best practice methods to mitigate different attacks.
Tip - It is recommended to keep your gateway version up-to-date, as the newest defenses are incorporated into the latest version of Check Point software.
Malicious Code
The protections in this section allow you to prevent attacks that run malicious code on web servers or clients.
Default setting               Log message                             Effect on acceleration
On for defined web servers    Worm catcher pattern found. cmd.exe     None (works only on C2S traffic, which is accelerated)
Table 4-176
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same                                Enforced
R55W             Same                                Same
Default setting               Log message                        Effect on acceleration
Off                           Malicious code detected in URL     None (works only on C2S traffic, which is accelerated)
Table 4-178
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same (except for Solaris)           Same
Application Layer
The protections in this section prevent hackers from introducing text, tags, commands, or other characters that a web application will interpret as special instructions. Introducing these characters in forms or URLs can allow a hacker to steal private data, redirect a communication session to a malicious web site, steal information from a database, gain unauthorized access, or execute restricted commands.
Default setting               Log message                                        Effect on acceleration
On for defined web servers    Cross Site Scripting detected in URL: 'script'     None (works only on C2S traffic, which is accelerated)
Table 4-180
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same                                Enforced
R55W             Same                                Same
LDAP Injection
This protection defends LDAP servers by identifying attempted misuse of LDAP queries in forms and URLs submitted to Web applications. If an attack is detected, the connection is rejected. To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help. The list of LDAP fields that is examined can be customized, which makes it possible to control the use of customized LDAP fields, as well as standard ones.
Table 4-181
Default setting               Log message                                 Effect on acceleration
On for defined web servers    LDAP Injection detected in URL: 'uid'       None (works only on C2S traffic, which is accelerated)
Table 4-182
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Not Enforced                        Not Enforced
SQL Injection
Web Intelligence looks for SQL commands in forms and in URLs. If it finds them, the connection is rejected. To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.
Table 4-183
Default setting               Log message                                 Effect on acceleration
On for defined web servers    SQL Injection detected in URL: 'select'     None (works only on C2S traffic, which is accelerated)
Table 4-184
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
Command Injection
This protection looks for system commands in forms and in URLs. If it finds them, the connection is rejected. To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.
Table 4-185
Default setting               Log message                                    Effect on acceleration
On for defined web servers    Command Injection detected in URL: 'chown'     None (works only on C2S traffic, which is accelerated)
Table 4-186
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
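The LDAP Injection, SQL Injection and Command Injection protections above share one mechanism: decode the fields of the URL query and form body, then match them against patterns whose looseness grows with the protection level, which is the detection-rate versus false-positive trade-off the text describes. The following is an added example (not Check Point code) of that mechanism; the pattern lists are illustrative assumptions rather than Check Point's signatures, the LDAP field list mirrors the customisable field list the LDAP section mentions, and the sample requests are constructed:

```python
# Added example (not Check Point code): a three-level detector for SQL, command
# and LDAP injection in URL query strings and form bodies. The pattern lists are
# illustrative assumptions, not Check Point's signatures; the point is the
# trade-off the text describes: each level adds looser patterns, which raises
# detection and, with it, false positives.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Level 1 fires only on multi-token structures; level 3 adds bare keywords.
PATTERNS = {
    "SQL": {
        1: [r"\bunion\b[\s\S]*\bselect\b", r";\s*(drop|delete|insert|update|alter)\b",
            r"'\s*or\s+'?\w+'?\s*=\s*'?\w+"],
        2: [r"\bselect\b[\s\S]*\bfrom\b", r"--\s*$", r"/\*[\s\S]*\*/"],
        3: [r"\b(select|insert|update|delete|drop)\b"],
    },
    "Command": {
        1: [r"[;&|`]\s*(chown|chmod|rm|wget|curl|nc|sh|bash|cat)\b", r"\$\([^)]*\)"],
        2: [r"\b(chown|chmod)\s+\S+\s+/", r"\b(wget|curl)\s+https?://"],
        3: [r"\b(chown|chmod|wget|curl|bash)\b"],
    },
    "LDAP": {
        1: [r"\*\)\s*\("],
        2: [r"\)\s*\(", r"\(\s*[|&!]"],
        3: [r"[*()]"],
    },
}


def _first_match(text: str, category: str, level: int):
    """Return the text matched by the first pattern at or below the given level, else None."""
    for lvl in range(1, level + 1):
        for pattern in PATTERNS[category][lvl]:
            m = re.search(pattern, text, re.IGNORECASE)
            if m:
                return m.group(0)
    return None


def inspect_request(url: str, body: str = "", level: int = 2,
                    ldap_fields=("uid", "cn", "mail")) -> list:
    """Return findings in the page's log style, e.g. "SQL Injection detected in URL: 'select'".
    LDAP checks run only on the configured field names, as the text describes."""
    fields = [("URL", k, v) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    fields += [("form", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    findings = []
    for where, name, value in fields:
        text = unquote_plus(value)              # second decode catches double-encoded input
        for category in PATTERNS:
            if category == "LDAP" and name.lower() not in ldap_fields:
                continue
            hit = _first_match(text, category, level)
            if hit:
                findings.append(f"{category} Injection detected in {where}: '{hit.strip()[:24]}'")
    return findings
```

The benign search query in the test below is clean at level 2 and flagged at level 3, which is the false-positive cost the text warns about when the highest level is chosen; the level is therefore a per-environment tuning knob, not a fixed setting.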
Directory Traversal
This protection verifies that the URL does not contain an illegal combination of directory traversal characters. Requests in which the URL contains an illegal directory request are blocked.
Table 4-187
Default setting               Log message                                           Effect on acceleration
On for defined web servers    directory traversal overflow http://1.2.3.4/../../    None (works only on C2S traffic, which is accelerated)
Table 4-188
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
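The "directory traversal overflow" in the log example is a path whose ".." segments would climb above the web root, and the "illegal combination" check has to be made on the canonical form of the path, since the same segment can be written with percent-encoding, double encoding, backslashes or an overlong UTF-8 dot. The following is an added example (not Check Point code) of such a canonicalising check, using the page's own http://1.2.3.4/../../ as one of its constructed inputs:

```python
# Added example (not Check Point code): canonicalise the URL path, then walk its
# segments keeping a depth counter; a ".." that would climb above the web root is
# the "directory traversal overflow" the log message in this section refers to.
from urllib.parse import unquote_to_bytes, urlsplit

OVERLONG_DOT = b"\xc0\xae"   # overlong UTF-8 encoding of '.', accepted by some lenient decoders


def canonical_segments(path: str, max_decode_passes: int = 2) -> list:
    """Percent-decode (twice, to see through double encoding), map the overlong
    dot and backslashes, then split into path segments."""
    raw = path.encode("latin-1", "replace")
    for _ in range(max_decode_passes):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    raw = raw.replace(OVERLONG_DOT, b".").replace(b"\\", b"/")
    return raw.split(b"/")


def check_url_path(url: str) -> str:
    """Return "allow", or the reason the request is blocked."""
    depth = 0
    for seg in canonical_segments(urlsplit(url).path or "/"):
        if seg in (b"", b"."):
            continue
        if seg == b"..":
            depth -= 1
            if depth < 0:
                return "block: directory traversal overflow"
        elif seg.count(b".") == len(seg):        # "...", "...." and longer dot runs
            return "block: illegal traversal sequence"
        else:
            depth += 1
    return "allow"
```

A ".." that stays inside the root (for example /images/../css/) is allowed, because web servers resolve it harmlessly; only the net climb above the root is blocked, which keeps the false-positive rate low on sites that emit relative links.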
Information Disclosure
One of the first steps an attacker may take before attacking a web site is to gather information about the site. The goal of the hacker is to get the web server to reveal information that the hacker can use to tailor an attack. This is known as "fingerprinting". The protections in this section allow you to prevent the web server from revealing information that is not required by users.
Header Spoofing
This protection allows you to remove or change a specific header (that can appear either in the HTTP Request or Response) by giving a regular expression to identify the header name and header value. For example, a typical server header will contain the web server name and version number. Use this protection to spoof out the version information.
Note - Activating this protection decreases performance for Web traffic to which this protection is applied.
Table 4-189
Default setting   Log message                                                Effect on acceleration
Off               Header Spoofing, replacing header, new header is 'IIS'     Disables acceleration on all HTTP traffic.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
Directory Listing
This protection identifies web pages containing directory listings and blocks them. To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help.
Table 4-191
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Not Enforced                        Not Enforced
Error Concealment
This protection looks for web server error messages in HTTP responses, and if it finds them, prevents the web page reaching the user. Error messages are detected and concealed in two ways. The first way conceals HTTP Responses containing those 4XX and 5XX error status codes that reveal unnecessary information. It is possible to choose the status codes that will be concealed. The second way hides error messages generated by the web application engine. This approach is needed when the application engine does not tell the web server it has an error, in which case the web server displays error information that it should not. It is possible to configure patterns that identify messages from particular application engines. If these patterns are detected the pages are blocked.
Table 4-193
Default setting   Log message                                     Effect on acceleration
Off               Concealed HTTP response status code: '413'      Disables acceleration on all HTTP traffic.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Not Enforced                        Not Enforced
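Header Spoofing and Error Concealment are the two response-side protections in this section: one rewrites or removes headers matched by name and value regular expressions, the other replaces the body of responses whose status code is on a configured list or whose body matches an application-engine error signature. The following is an added example (not Check Point code) that applies both to a parsed response; the spoofing rules, the concealed status list and the engine signatures are illustrative assumptions, and the responses are constructed:

```python
# Added example (not Check Point code): the two response-side protections,
# header spoofing and error concealment, applied to a parsed response. Rule
# patterns and the engine error signatures are illustrative assumptions.
import re
from typing import List, Optional, Tuple

GENERIC_ERROR_PAGE = "<html><body>An error occurred.</body></html>"

# (header-name regex, header-value regex, replacement value or None to remove the header)
SPOOF_RULES: List[Tuple[str, str, Optional[str]]] = [
    (r"Server", r".*", "IIS"),          # matches the page's log example: new header is 'IIS'
    (r"X-Powered-By", r".*", None),
]
CONCEALED_STATUS = {403, 404, 413, 500, 501, 502, 503}
ENGINE_ERROR_PATTERNS = [r"java\.lang\.\w+Exception", r"Warning: mysql_", r"Microsoft OLE DB Provider"]


def spoof_headers(headers: list, rules=SPOOF_RULES) -> tuple:
    """Rewrite or drop headers matching a rule; return (new headers, log lines)."""
    out, logs = [], []
    for name, value in headers:
        for name_re, value_re, replacement in rules:
            if re.fullmatch(name_re, name, re.IGNORECASE) and re.search(value_re, value):
                if replacement is None:
                    logs.append(f"Header Spoofing, removing header '{name}'")
                else:
                    out.append((name, replacement))
                    logs.append(f"Header Spoofing, replacing header, new header is '{replacement}'")
                break
        else:
            out.append((name, value))
    return out, logs


def conceal_error(status: int, body: str, codes=CONCEALED_STATUS, patterns=ENGINE_ERROR_PATTERNS) -> tuple:
    """Return (body to send, log line or None). Status codes are checked first,
    then the body is searched for application-engine error signatures."""
    if status in codes:
        return GENERIC_ERROR_PAGE, f"Concealed HTTP response status code: '{status}'"
    for pattern in patterns:
        if re.search(pattern, body):
            return GENERIC_ERROR_PAGE, f"Concealed application error page matching '{pattern}'"
    return body, None


def process_response(status: int, headers: list, body: str) -> dict:
    """Run both protections; the caller forwards the returned status, headers and body."""
    headers, logs = spoof_headers(headers)
    body, log = conceal_error(status, body)
    if log:
        logs.append(log)
    return {"status": status, "headers": headers, "body": body, "logs": logs}
```

The second concealment path is the one the text calls out: a 200 response whose body carries a stack trace passes the status-code check, so the body has to be inspected as well, and that inspection is why the table notes that acceleration is disabled for HTTP when this protection is on.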
On
Default setting               Log message                                                            Effect on acceleration
Off                           Request body length exceeded allowed maximum length of 49152 bytes     None (works only on C2S traffic, which is accelerated)
Table 4-197
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
Default setting               Log message                                                  Effect on acceleration
On for defined web servers    URL length exceeded allowed maximum length of 2048 bytes     None (works only on C2S traffic, which is accelerated)
Table 4-199
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same                                Enforced
R55W             Same                                Same
Default setting               Log message                                               Effect on acceleration
On for defined web servers    'host' header length exceeded maximum allowed length      None (works only on C2S traffic, which is accelerated)
Table 4-201
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same                                Enforced
R55W             Same                                Same
Default setting               Log message                                                Effect on acceleration
On for defined web servers    Number of HTTP headers exceeded allowed maximum of 500     None (works only on C2S traffic, which is accelerated)
Table 4-203
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same                                Enforced
R55W             Same                                Same
Default setting               Log message                                               Effect on acceleration
On for defined web servers    Invalid character detected in request URL: '0xff'         None (works only on C2S traffic, which is accelerated)
Table 4-205
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same                                Enforced
R55W             Same                                Same
With this page you can force all HTTP headers to be ASCII only. This will prevent some malicious content from passing in the HTTP protocol headers.
Table 4-206
Default setting   Log message                                                 Effect on acceleration
Off               Invalid character detected in response headers: '0xff'      Disables acceleration on all HTTP traffic.
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same                                Enforced
R55W             Same                                Enforced
Header Rejection
This protection allows you to reject HTTP requests that contain specific headers and header values. The HTTP header name and value are defined using case-sensitive regular expressions.
Table 4-208
Default setting   Log message                                   Effect on acceleration
Off               Header Rejection pattern found in request     None (works only on C2S traffic, which is accelerated).
Table 4-209
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Same (previously referred to as Peer to Peer)    Enforced
R55W             Same                                Same
HTTP Methods
This protection can be used to control which HTTP methods can be used in HTTP requests. Web Intelligence divides the HTTP methods into three groups: standard safe (GET, HEAD and POST), standard unsafe (the other standard HTTP methods), and WebDAV. By default, all methods are blocked other than the standard safe methods. To allow users access to popular applications such as Microsoft Hotmail, Outlook Web Access, and FrontPage, the non-RFC compliant WebDAV HTTP methods can be allowed. It is possible to choose exactly which methods to block. For example, if only GET and POST methods are allowed, and all others are blocked, the following HTTP request using a WebDAV method will be rejected: MKCOL / HTTP/1.0.
Table 4-210
Default setting               Log message                 Effect on acceleration
On for defined web servers    Blocked Method: 'PUT'       None (works only on C2S traffic, which is accelerated).
Table 4-211
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Same                                Same
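The request-side checks in this chapter (the body, URL, host-header and header-count limits whose log messages appear in the tables above, ASCII-only request headers, Header Rejection, and the HTTP Methods groups just described) all run over the same parsed request line and header block. The following is an added example (not Check Point code) that applies them together; the numeric limits are the ones quoted in this chapter's log examples, while the host-header limit and the rejection pattern are assumptions, and the sample requests are constructed:

```python
# Added example (not Check Point code): the request-side checks from "HTTP
# Format Sizes", "ASCII Only Request Headers", "Header Rejection" and "HTTP
# Methods" applied to a raw request. Limits use the values in this chapter's log
# examples; the host-header limit and the rejection pattern are assumptions.
import re
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "POST"}
UNSAFE_METHODS = {"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}


@dataclass
class HttpPolicy:
    allowed_methods: set = field(default_factory=lambda: set(SAFE_METHODS))   # default: only the safe group
    max_url_len: int = 2048
    max_body_len: int = 49152
    max_headers: int = 500
    max_host_len: int = 255                    # assumption: the text gives no number for this limit
    ascii_only_headers: bool = True
    reject_headers: list = field(default_factory=list)   # (name regex, value regex); case-sensitive as in the text


def check_request(raw: bytes, policy: HttpPolicy) -> list:
    """Return the violations found, worded like the log examples; an empty list means the request passes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["Malformed request line"]
    method, url = parts[0].decode("ascii", "replace"), parts[1]
    found = []
    if method not in policy.allowed_methods:
        found.append(f"Blocked Method: '{method}'")
    if len(url) > policy.max_url_len:
        found.append(f"URL length exceeded allowed maximum length of {policy.max_url_len} bytes")
    bad = [b for b in url if b < 0x21 or b > 0x7E]
    if bad:
        found.append(f"Invalid character detected in request URL: '0x{bad[0]:02x}'")
    headers = [(n.strip(), v.strip()) for n, _, v in (line.partition(b":") for line in lines[1:])]
    if len(headers) > policy.max_headers:
        found.append(f"Number of HTTP headers exceeded allowed maximum of {policy.max_headers}")
    declared = len(body)
    for name, value in headers:
        if policy.ascii_only_headers:
            non_ascii = [b for b in name + value if b > 0x7E]
            if non_ascii:
                found.append(f"Invalid character detected in request headers: '0x{non_ascii[0]:02x}'")
        if name.lower() == b"host" and len(value) > policy.max_host_len:
            found.append("'host' header length exceeded maximum allowed length")
        if name.lower() == b"content-length" and value.isdigit():
            declared = int(value)
        for name_re, value_re in policy.reject_headers:
            if re.fullmatch(name_re, name.decode("latin-1")) and re.search(value_re, value.decode("latin-1")):
                found.append("Header Rejection pattern found in request")
    if declared > policy.max_body_len:
        found.append(f"Request body length exceeded allowed maximum length of {policy.max_body_len} bytes")
    return found
```

The body check uses the declared Content-Length when present, so an over-limit request is rejected from its headers alone rather than after the whole body has been buffered; that is what lets this group of checks stay on the accelerated client-to-server path noted in the tables.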
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced                        Not Enforced
R55W             Not Enforced                        Not Enforced
Version          Behavior when protection is on      Behavior in Monitor-Only mode
                 (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55    Not Enforced (R54, FP3) Same (R55 only)    Not Enforced (R54, FP3) Same (R55 only)
R55W             Same                                Same
The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. 
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). 
Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo".
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number.
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson (tjh@cryptsoft.com). THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop.
Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights.
The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Disclaimer
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE
PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself. Written by: Philip Hazel <ph10@cam.ac.uk> University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Copyright (c) 1997-2004 University of Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.
Index

A
Address Spoofing 43
Allow Only SNMPv3 Traffic 88
Allowed 22
Always On 22
Application Intelligence 110
Application Layer 113
ASCII Only Request 124
ASCII Only Response Headers 125

B
BGP 103
Block ASN.1 Bitstring Encoding Attack 63
Block ASN.1 Bitstring Encoding Attack over SMTP 57
Block CISCO IOS DOS 34
Block Data Connections to Low Ports 52
Block HTTP on Non-Standard Port 128
Block IKE Aggressive Exchange 92, 93
Block Malicious HTTP Encodings 129
Block Null CIFS Sessions 61
Block Null Payload ICMP 35
Block Popup Messages 62
Block SSL Null-Pointer Assignment 91
Block Welchia ICMP 33
Block WINS Name Validation Attack 65
Block WINS Replication Attack 64

C
Cache Poisoning Protections 78
Command Injection 116
Content Protection 96
Cross Site Scripting 113

D
DCOM 98
Denial Of Service 25
Denial of Service 44
DHCP 107
Directory Listing 119
Directory Traversal 117
DNS 75
Domain Block List 77
DOS Protection 80
Drop Requests to Default Community Strings 89
Drop Unauthenticated DCOM 99
DShield Storm Center 48
Dynamic Ports 52

E
Enforced 22
Error Concealment 120

F
File and Print Sharing 60
Fingerprint Scrambling 40
FTP 58
FTP Bounce 58
FTP Security Server 59

G
General HTTP Worm Catcher 111

H
H323 81
Header Rejection 126
Header Spoofing 118
Host Port Scan 50
HTTP Format Sizes 121
HTTP Methods 127
HTTP Protocol Inspection 121

I
ICQ 74
IGMP 105
Information Disclosure 118
Instant Messengers 69
IP and ICMP 29
IP Fragments 31
IP ID 42
ISN Spoofing 40

L
LAND 27
LDAP Injection 114
Local Interface Spoofing 45

M
Mail 55
Mail Security Server 56
Malformed ANI File 97
Malformed JPEG 96
Malicious Code 111
Malicious Code Protector 110, 112
Max Ping Size 30
Maximum Header Value Length 123
Maximum Number of Headers 123
Maximum Request Body Size 83, 122
Maximum URL Length 122
MGCP (allowed commands) 86
Microsoft Networks 60
MSN Messenger over MSNMS 71
MSN Messenger over SIP 70
MS-RPC 98
MS-RPC Program Lookup 99
MS-SQL 100
MS-SQL Monitor Protocol 100
MS-SQL Server Protocol 101

N
N/A 22
Network Quota 32
NG FP3 18
NG R55W 18
NG With Application Intelligence R54 18
NG With Application Intelligence R55 18
Non TCP Flooding 28
Not Enforced 22

O
Off 22
On 22
OSPF 102

P
Packet Sanity 29
Peer to Peer 66
Ping of Death 26
POP3 / IMAP Security 55
Port Scan 50
PPTP Enforcement 90
Protocol Enforcement - TCP 75
Protocol enforcement - UDP 76

R
Report to DShield 49
Resource Records Enforcements 79
Retrieve and Block Malicious IPs 48
RIP 104
Routing Protocols 102

S
Same 22
SCCP (Skinny) 87
Sequence Verifier 39
SIP 82
Skype 72
Small PMTU 37
SmartDefense 18
SNMP 88
SOCKS 108
Spoofed Reset Protection 38
SQL Injection 115
SSH - Detect SSH over NonStandard Ports 94
SSH Enforcement 95
Stateful Inspection 110
Successive Alerts 46
Successive Events 43
Successive Multiple Connections 47
SUN-RPC 106
SUN-RPC Program Lookup 106
Sweep Scan 51
SYN Attack Configuration 36

T
TCP 36
Teardrop 25
TTL 41

V
VoIP 80
VPN Protocols 90

W
Web Intelligence 19

Y
Yahoo! Messenger 73

February 2007