
Check Point NGX SmartDefense™ Protections

Reference Guide for NGX R60 and Above

July 2006

© 2003-2007 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: 2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, 
SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
    Who Should Use This Guide ... 10
    Summary of Contents ... 11
    Related Documentation ... 12
    More Information ... 15
    Feedback ... 16

Chapter 1  Introduction
    Overview and Purpose ... 18
        SmartDefense ... 18
        Web Intelligence ... 19
    Obtaining the Latest Version of the Documentation ... 20
    Structure of the Guide ... 21
    How to Read this Document ... 22

Chapter 2  Network Security
    Introduction ... 24
    Denial Of Service ... 25
        Teardrop ... 25
        Ping of Death ... 26
        LAND ... 27
        Non TCP Flooding ... 28
    IP and ICMP ... 29
        Packet Sanity ... 29
        Max Ping Size ... 30
        IP Fragments ... 31
        Network Quota ... 32
        Block Welchia ICMP ... 33
        Block CISCO IOS DOS ... 34
        Block Null Payload ICMP ... 35
    TCP ... 36
        SYN Attack Configuration ... 36
        Small PMTU ... 37
        Spoofed Reset Protection ... 38
        Sequence Verifier ... 39
    Fingerprint Scrambling ... 40
        ISN Spoofing ... 40
        TTL ... 41
        IP ID ... 42
    Successive Events ... 43
        Address Spoofing ... 43
        Denial of Service ... 44
        Local Interface Spoofing ... 45
        Successive Alerts ... 46
        Successive Multiple Connections ... 47
    DShield Storm Center ... 48
        Retrieve and Block Malicious IPs ... 48
        Report to DShield ... 49
    Port Scan ... 50
        Host Port Scan ... 50
        Sweep Scan ... 51
    Dynamic Ports ... 52
        Block Data Connections to Low Ports ... 52

Chapter 3  Application Intelligence
    Introduction ... 54
    Mail ... 55
        POP3 / IMAP Security ... 55
        Mail Security Server ... 56
        Block ASN.1 Bitstring Encoding Attack over SMTP ... 57
    FTP ... 58
        FTP Bounce ... 58
        FTP Security Server ... 59
    Microsoft Networks ... 60
        File and Print Sharing ... 60
        Block Null CIFS Sessions ... 61
        Block Popup Messages ... 62
        Block ASN.1 Bitstring Encoding Attack ... 63
        Block WINS Replication Attack ... 64
        Block WINS Name Validation Attack ... 65
    Peer to Peer ... 66
        Excluded Services/Network Objects ... 66
        All Protocols through Port 80 ... 67
        All Protocols ... 68
    Instant Messengers ... 69
        Excluded Services/Network Objects ... 69
        MSN Messenger over SIP ... 70
        MSN Messenger over MSNMS ... 71
        Skype ... 72
        Yahoo! Messenger ... 73
        ICQ ... 74
    DNS ... 75
        Protocol Enforcement - TCP ... 75
        Protocol Enforcement - UDP ... 76
        Domain Block List ... 77
        Cache Poisoning Protections ... 78
        Resource Records Enforcements ... 79
    VoIP ... 80
        DOS Protection ... 80
        H323 ... 81
        SIP ... 82
        MGCP (allowed commands) ... 86
        SCCP (Skinny) ... 87
    SNMP ... 88
        Allow Only SNMPv3 Traffic ... 88
        Drop Requests to Default Community Strings ... 89
    VPN Protocols ... 90
        PPTP Enforcement ... 90
        SSL Enforcement ... 91
        Block IKE Aggressive Exchange ... 92
        IKE Enforcement ... 93
        SSH - Detect SSH over Non-Standard Ports ... 94
        SSH Enforcement ... 95
    Content Protection ... 96
        Malformed JPEG ... 96
        Malformed ANI File ... 97
    MS-RPC ... 98
        DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135 ... 98
        Drop Unauthenticated DCOM ... 99
        MS-RPC Program Lookup ... 99
    MS-SQL ... 100
        MS-SQL Monitor Protocol ... 100
        MS-SQL Server Protocol ... 101
    Routing Protocols ... 102
        OSPF ... 102
        BGP (block non-MD5 authenticated BGP connections) ... 103
        RIP ... 104
        IGMP ... 105
    SUN-RPC ... 106
        SUN-RPC Program Lookup ... 106
    DHCP ... 107
    SOCKS ... 108

Chapter 4  Web Intelligence
    Introduction ... 110
    Malicious Code ... 111
        General HTTP Worm Catcher ... 111
        Malicious Code Protector ... 112
    Application Layer ... 113
        Cross Site Scripting ... 113
        LDAP Injection ... 114
        SQL Injection ... 115
        Command Injection ... 116
        Directory Traversal ... 117
    Information Disclosure ... 118
        Header Spoofing ... 118
        Directory Listing ... 119
        Error Concealment ... 120
    HTTP Protocol Inspection ... 121
        HTTP Format Sizes ... 121
        ASCII Only Request ... 124
        ASCII Only Response Headers ... 125
        Header Rejection ... 126
        HTTP Methods ... 127
        Block HTTP on Non-Standard Port ... 128
        Block Malicious HTTP Encodings ... 129

Index ... 137

Preface

In This Chapter
    Who Should Use This Guide ... page 10
    Summary of Contents ... page 11
    Related Documentation ... page 12
    More Information ... page 15
    Feedback ... page 16

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of:
    - System administration
    - The underlying operating system
    - Internet protocols (IP, TCP, UDP, etc.)


Summary of Contents

This guide contains the following chapters:

    Chapter 1, Introduction: Provides system administrators with an understanding of the implication of each protection when installing a policy on previous releases (in other words, backwards compatibility).
    Chapter 2, Network Security: Provides information about each Network Security protection.
    Chapter 3, Application Intelligence: Provides information about each Application Intelligence protection.
    Chapter 4, Web Intelligence: Provides information about each Web Intelligence protection.


Related Documentation

The release includes the following documentation:

TABLE P-1  VPN-1 Power documentation suite

Internet Security Product Suite Getting Started Guide
    Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What's New, Licenses, Minimum hardware and software requirements, etc.

Upgrade Guide
    Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.

SmartCenter Administration Guide
    Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.

Firewall and SmartDefense Administration Guide
    Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; use the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection and URL Filtering (UFP) applications for limiting access to web sites; and secure VoIP traffic.

Virtual Private Networks Administration Guide
    Describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.

Eventia Reporter Administration Guide
    Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart, etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.

SecurePlatform/SecurePlatform Pro Administration Guide
    Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.

Provider-1/SiteManager-1 Administration Guide
    Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

TABLE P-2  Integrity Server documentation

Integrity Advanced Server Installation Guide
    Explains how to install, configure, and maintain the Integrity Advanced Server.

Integrity Advanced Server Administrator Console Reference
    Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.

Integrity Advanced Server Administrator Guide
    Explains how to manage administrators and endpoint security with Integrity Advanced Server.

Integrity Advanced Server Gateway Integration Guide
    Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.

Integrity Advanced Server System Requirements
    Provides information about client and server requirements.

Integrity Agent for Linux Installation and Configuration Guide
    Explains how to install and configure Integrity Agent for Linux.

Integrity XML Policy Reference Guide
    Provides the contents of Integrity client XML policy files.

Integrity Client Management Guide
    Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.


More Information

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.

See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents.


Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com


Chapter 1
Introduction

In This Chapter
    Overview and Purpose ... page 18
    Obtaining the Latest Version of the Documentation ... page 20
    Structure of the Guide ... page 21
    How to Read this Document ... page 22

Overview and Purpose

This guide is divided into a number of sections and chapters that provide an overview of how NGX R60 SmartDefense and Web Intelligence protections work with the following previous versions:
    - NG FP3
    - NG with Application Intelligence R54
    - NG with Application Intelligence R55 (including R55P)
    - NG with Application Intelligence R55W

The intention of this guide is to provide system administrators with an understanding of the implication of each protection when installing a policy on previous releases (in other words, backwards compatibility). To fully understand SmartDefense and Web Intelligence protections it is recommended that you familiarize yourself with NGX R60 behavior. To do this, refer to the Check Point NGX R65 Firewall and SmartDefense Administration Guide.

SmartDefense

Check Point SmartDefense provides a unified security framework for various components that identify and prevent attacks. SmartDefense actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. It unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications. It protects organizations from all known, and most unknown, network attacks using intelligent security technology. Keeping up-to-date with the latest defenses does not require up-to-the-minute technical knowledge. A single click updates SmartDefense with all the latest defenses from the SmartDefense website.

SmartDefense provides a console that can be used to:
    - Choose the attacks that you wish to defend against, and read detailed information about each attack.
    - Easily configure parameters for each attack, including logging options.
    - Receive real-time information on attacks, and update SmartDefense with new capabilities.


Web Intelligence

Check Point Web Intelligence enables customers to configure, enforce and update attack protections for web servers and applications. Web Intelligence protections are designed specifically for web-based attacks, and complement the network and application level protections offered by SmartDefense. In addition, Web Intelligence Advisories published online by Check Point provide information and add new attack defenses.

Web Intelligence not only protects against a range of known attacks, varying from attacks on the web server itself to attacks on the databases used by web applications, but also incorporates intelligent security technologies that protect against entire categories of emerging, or unknown, attacks. Unlike web firewalls and traditional intrusion protection systems, Web Intelligence provides proactive attack protections. It ensures that communications between clients and web servers comply with published standards and security best practices, restricts hackers from executing irrelevant system commands, and inspects traffic passing to web servers to ensure that it does not contain dangerous malicious code. Web Intelligence allows organizations to permit access to their web servers and applications without sacrificing either security or performance.


Obtaining the Latest Version of the Documentation

SmartDefense and Web Intelligence protections are being continuously updated. For this reason, see the latest available online version of this document in the User Center at http://www.checkpoint.com/support/technical/documents. For additional information contact your Check Point partner.


Structure of the Guide

This guide is divided into a number of chapters:
    - Chapter 2, Network Security gives an overview of Network Security protections, which enable protection against attacks at the network and transport level.
    - Chapter 3, Application Intelligence gives an overview of Application Intelligence protections, which enable the configuration of various protections at the application layer, using SmartDefense's Application Intelligence capabilities.
    - Chapter 4, Web Intelligence describes high performance attack protection for web servers and applications. Web Intelligence provides proactive attack protection by looking for malicious code and ensuring adherence to protocols and security best practice.


How to Read this Document

In this guide the condition of each protection in a specific scenario is represented by a status. The following are all of the possible statuses:

    On: the protection is on by default. However, individual options within the protection may be on or off by default.
    Off: the protection is off by default.
    Same: the protection's behavior is the same as in NGX R60.
    Always On: the protection cannot be turned off on modules from this release, even though it is configured as Off in NGX R60 Management.
    Enforced: the protection is active.
    *Enforced: the protection is active, but it did not exist when R55 was released. Before this protection can be active it requires a SmartDashboard update.
    Not Enforced: the protection is not active.
    Allowed: all commands are allowed.
    N/A: not applicable.


Chapter 2
Network Security

In This Chapter
    Introduction ... page 24
    Denial Of Service ... page 25
    IP and ICMP ... page 29
    TCP ... page 36
    Fingerprint Scrambling ... page 40
    Successive Events ... page 43
    DShield Storm Center ... page 48
    Port Scan ... page 50
    Dynamic Ports ... page 52

Introduction

Application Intelligence is primarily associated with application level defenses. However, in practice many attacks aimed at network applications actually target the network and transport layers. Hackers target these lower layers as a means to reach the application layer, and ultimately the application and its data. Also, by targeting lower layers, attacks can interrupt or deny service to legitimate users and applications (e.g., DoS attacks). For these reasons, SmartDefense addresses not only the application layer, but also the network and transport layers.

Preventing malicious manipulation of network-layer protocols (e.g., IP, ICMP) is a crucial requirement for multi-level security gateways. The most common vehicle for attacks against the network layer is the Internet Protocol (IP), whose set of services resides within this layer. As with the network layer, the transport layer and its common protocols (TCP, UDP) provide popular access points for attacks on applications and their data.

The pages that follow contain information that will help you configure the various SmartDefense protections against attacks at the network and transport level on gateways running versions prior to NGX R60. These pages allow you to configure protection against attacks which attempt to target network components or the firewall directly. The effect of such attacks, on the IP, TCP, UDP or ICMP protocols, ranges from simple identification of the operating systems used in your organization to denial of service attacks on hosts and servers on the network.


Denial Of Service

Denial of Service (DoS) attacks are aimed at disrupting the normal operation of a service. The attacks in this section exploit bugs in operating systems to remotely crash machines. Detection of these attacks depends on the logs generated by SmartDefense; logging can be configured per attack.

Teardrop

When tracking a Teardrop attack you will be notified of any attempt to exploit the fragmentation of large packets with erroneous offset values in the second or later fragment. Selecting this protection will block an attempted Teardrop attack. This attack will be blocked even if the checkbox is not selected, and logged as "Virtual defragmentation error: Overlapping fragments".

Table 2-1
    Default Flag Settings:        On
    Log Generated by Protection:  Teardrop attack detected
    NGX Performance Impact:       Does not impact performance.

Table 2-2
    NG FP3 to R55
        Feature behavior when protection is On in NGX R60 Management:                Same
        Feature behavior when protection is in Monitor-Only mode in NGX R60 Management: N/A
    R55W
        Feature behavior when protection is On in NGX R60 Management:                Same
        Feature behavior when protection is in Monitor-Only mode in NGX R60 Management: N/A

Chapter 2

Network Security

25

Ping of Death
When tracking this type of attack you will be notified of any attempt in which an IP packet larger than 64KB has been sent to your network. Selecting this protection will block an attempted Ping of Death attack. This attack will be blocked even if the checkbox is not selected, and logged as "Virtual defragmentation error: Packet too big".

Table 2-3
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On                    | Ping of Death               | Does not impact performance.

Table 2-4
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | N/A
R55W          | Same                                                        | N/A


LAND
With this protection you can block LAND crafted packets. When tracking this type of attack you will be notified of any attempt in which a packet is sent to your machine with a source host/port identical to its destination host/port. Selecting this protection will block an attempted LAND attack; LAND crafted packets are blocked whenever the protection is activated.

Table 2-5
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On                    | Land Attack                 | Does not impact performance.

Table 2-6
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Same


Non TCP Flooding
With this protection you can protect against non-TCP flooding attacks by limiting the percentage of open non-TCP connections. By setting this threshold, SmartDefense prevents more than a specific percentage of the bandwidth from being used for non-TCP connections. In addition, you can track non-TCP connections which exceed the threshold.

Table 2-7
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | The feature is fully accelerated.

Table 2-8
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Not Enforced                                                | Not Enforced
R55W          | Same                                                        | N/A


IP and ICMP
The protections in this section allow you to enable a comprehensive sequence of layer 3 checks (IP and ICMP protocols) and some layer 4 verifications (UDP, TCP and IP options sanity checks).

Packet Sanity
This protection performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options and verifying the TCP flags. With this protection you can configure whether logs will be issued for offending packets. A Monitor Only mode makes it possible to track unauthorized traffic without blocking it. However, setting this protection to Monitor Only means that badly fragmented packets pass unfiltered. Any type of attack may be hidden in fragmented packets. This setting exposes the network to attack.

Although Packet Sanity is turned off in Monitor Only mode, the following sanity verifications are still enforced and, when applicable, these packets are dropped:
- UDP packets with invalid UDP Length
- TCP packets with a corrupt header
In each of the above cases, SmartDefense logs will be generated.

Table 2-9
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On                    |                             | Protection accelerated.

Table 2-10
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Always On                                                   | Enforced
R55W          | Always On                                                   | Always On

Max Ping Size
This protection allows you to limit the maximum allowed data size for an ICMP echo request. This should not be confused with "Ping of Death", in which the request is malformed.

Table 2-11
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On                    |                             | Does not impact performance.

Table 2-12
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Same


IP Fragments
This protection allows you to configure whether fragmented IP packets can pass through SmartDefense gateways. It is possible to set a limit upon the number of fragmented packets (incomplete packets) that are allowed. It is also possible to define a timeout for holding unassembled packets before discarding them.

Table 2-13
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Allowed               |                             | Fragments pass to the FW. Non-fragmented traffic is not impacted.

Table 2-14
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | N/A
R55W          | Same                                                        | N/A
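The two virtual-defragmentation checks named under Teardrop and Ping of Death, and the fragment handling described here, can be illustrated with a small checker. This is an added example, not Check Point code: the Fragment descriptor, the function names and the sample fragment sets are constructed for illustration; only the two log strings come from the text.

```python
"""Virtual defragmentation sanity checks of the kind the Teardrop, Ping of Death
and IP Fragments protections describe.  Added example, not Check Point code.
Each fragment is reduced to the IP header fields a gateway needs: the 13-bit
fragment offset (in 8-byte units), the payload length and the MF flag.  The
two result strings are the log messages quoted in the text."""
from dataclasses import dataclass
from typing import List, Optional

MAX_IP_TOTAL_LENGTH = 65535   # IPv4 Total Length is a 16-bit field
OVERLAP = "Virtual defragmentation error: Overlapping fragments"
TOO_BIG = "Virtual defragmentation error: Packet too big"


@dataclass(frozen=True)
class Fragment:
    offset_units: int   # fragment offset field, in units of 8 bytes
    length: int         # payload bytes carried by this fragment
    more: bool          # More Fragments (MF) flag

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def check_fragments(frags: List[Fragment], header_len: int = 20) -> Optional[str]:
    """Return the log message a failing sanity check would generate, or None
    when the fragment set reassembles cleanly.

    Teardrop: a fragment begins inside data already covered by an earlier
    fragment (the "erroneous offset in the second or later fragment").
    Ping of Death: the IP header plus the highest fragment end exceeds 65535
    bytes, i.e. the reassembled datagram is larger than any valid IP packet.
    Gaps between fragments are tolerated: a fragment may simply not have
    arrived yet, which is what the IP Fragments timeout is for.
    """
    for f in frags:
        if not 0 <= f.offset_units < 8192 or f.length <= 0:
            raise ValueError(f"malformed fragment descriptor: {f}")
    covered_to = 0                        # first byte not yet covered by data
    for frag in sorted(frags, key=lambda x: x.start):
        if frag.start < covered_to:
            return OVERLAP
        if header_len + frag.end > MAX_IP_TOTAL_LENGTH:
            return TOO_BIG
        covered_to = frag.end
    return None


def reassembly_ok(frags: List[Fragment]) -> bool:
    """True when no sanity check fires for the fragment set."""
    return check_fragments(frags) is None


if __name__ == "__main__":
    # Constructed sample fragment sets (no real capture data).
    normal = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 100, False)]
    teardrop = [Fragment(0, 36, True), Fragment(3, 4, False)]             # 2nd starts at byte 24, inside the 1st
    ping_of_death = [Fragment(0, 1480, True), Fragment(8189, 40, False)]  # last fragment ends at byte 65552
    for name, frags in [("normal", normal), ("teardrop", teardrop), ("ping of death", ping_of_death)]:
        print(f"{name:14s} -> {check_fragments(frags) or 'passes sanity checks'}")
```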


Network Quota
Network Quota enforces a limit upon the number of connections that are allowed from the same source IP, to protect against Denial Of Service attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source or track the event.

Table 2-15
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   | Network Quota               | Disables templates.

Table 2-16
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Same
R55W          | Same                                                        | Same

Note - In the R55W Network Quota protection, Monitor Only was referred to as Only track the event.


Block Welchia ICMP
When this protection is enabled, SmartDefense will identify and drop the ping packets specific to the Welchia worm.

Table 2-17
Default Flag Settings | Log Generated by Protection             | NGX Performance Impact
Off                   | Welchia/Nachi Worm ICMP Packet Detected | None (ICMP is not accelerated).

Table 2-18
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Same
R55W          | Same                                                        | Same


Block CISCO IOS DOS
This protection allows you to configure which protocols should be protected against this attack. You can also define how many hops away from the enforcement module Cisco routers will be protected.

Table 2-19
Default Flag Settings | Log Generated by Protection     | NGX Performance Impact
Off                   | Cisco IOS Enforcement Violation | None (ICMP is not accelerated).

Table 2-20
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Same
R55W          | Same                                                        | Same


Block Null Payload ICMP
When this protection is enabled, SmartDefense will identify and drop the null payload ping packets. Using SmartView Tracker, VPN-1 NG AI R55 will identify Drop log entries against rule number 99501.

Table 2-21
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   | Null Payload Echo Request   | None (ICMP is not accelerated).

Table 2-22
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Same
R55W          | Same                                                        | Same


TCP
The protections in this section allow you to configure a comprehensive set of TCP tests.

SYN Attack Configuration
This protection allows you to configure how a SYN attack is detected and how to protect your network from this attack. With this protection you can select whether to activate the SYN attack protection configuration in one place (that is, via SmartDefense), and specify the protection parameters for all modules (that is, gateways), or you can activate previous SYNDefender configuration versions for all current gateway versions. The SYN attack protection can be configured for each module separately. This page allows you to override the modules' specific configuration.

Table 2-23
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | Disables acceleration for TCP sessions (disables templates). In relay mode, all session handshakes are forwarded to the FW.

Table 2-24
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Enforced
R55W          | Same                                                        | Same


Small PMTU
In this protection the configuration option "Minimal MTU size" controls the allowed packet size. An exceedingly small value will not prevent an attack, while an unnecessarily large value might result in legitimate requests being dropped, causing "black hole" effects and degrading performance.

Table 2-25
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None (Accelerated).

Table 2-26
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Enforced
R55W          | Same                                                        | Same


Spoofed Reset Protection
This protection enforces a threshold on the number of RST packets allowed per connection during a pre-defined period of time. It is possible to exclude specific services from this protection. Services such as HTTP that are characterized by relatively short sessions are not affected by this attack. It is therefore advisable for performance reasons to exclude those services from the protection.

Table 2-27
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | Forwards RST packets to the Firewall.

Table 2-28
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Not Enforced                                                | Not Enforced
R55W          | Not Enforced                                                | Not Enforced


Sequence Verifier
Sequence Verifier is a mechanism matching the current TCP packet's sequence number against a TCP connection state. Packets that match the connection in terms of the TCP session but have incorrect sequence numbers are either dropped when the packet's sequence may compromise security, or stripped of data. With this protection you can select the appropriate tracking option and define the type of out-of-sequence packets to be tracked.

Table 2-29
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None.

Table 2-30
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Not Enforced
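The drop-or-strip decision described above can be modelled per direction of a connection, as in the added example below. It is not Check Point code: the SeqVerifier class, its verdict names and the exact rule deciding when an out-of-sequence segment is dropped rather than stripped of data are assumptions of this example.

```python
"""Sequence-number verification of the kind the Sequence Verifier protection
describes: each segment is compared with the connection state the gateway
keeps for that direction.  Added example, not Check Point code; the split
between "drop" and "strip" below is an assumption of this example.
All sequence arithmetic is modulo 2**32 so the check survives wrap-around."""
from typing import List, Tuple

MOD = 1 << 32
ACCEPT, STRIP, DROP = "accept", "strip", "drop"


class SeqVerifier:
    """Tracks one direction of a TCP connection.

    rcv_nxt: next sequence number the receiver expects.
    window:  bytes the receiver will accept beyond rcv_nxt.
    events:  every out-of-sequence segment seen, for the tracking option.
    """

    def __init__(self, rcv_nxt: int, window: int) -> None:
        self.rcv_nxt = rcv_nxt % MOD
        self.window = window
        self.events: List[Tuple[str, int, int]] = []   # (verdict, seq, length)

    def check(self, seq: int, length: int) -> str:
        seq %= MOD
        ahead = (seq - self.rcv_nxt) % MOD      # distance from rcv_nxt to segment start
        if ahead < self.window:
            # In window.  An in-order segment advances rcv_nxt; an out-of-order
            # one is accepted for later reassembly without moving it.
            if ahead == 0:
                self.rcv_nxt = (seq + length) % MOD
            return ACCEPT
        behind = MOD - ahead                    # segment starts before rcv_nxt
        if behind > self.window:
            # Neither in the window nor a plausible retransmission: the segment
            # cannot belong to this connection state, so it is dropped.
            verdict = DROP
        elif length <= behind:
            # Every byte was already received: keep the segment for its ACK and
            # flags but strip the duplicate payload.
            verdict = STRIP
        else:
            # Partial overlap: the tail is new data, so accept and advance.
            self.rcv_nxt = (seq + length) % MOD
            verdict = ACCEPT
        self.events.append((verdict, seq, length))
        return verdict


if __name__ == "__main__":
    v = SeqVerifier(rcv_nxt=1000, window=8192)
    for seq, length in [(1000, 100), (1000, 100), (50000, 10), (1050, 100), (2000, 10)]:
        print(f"seq={seq:6d} len={length:3d} -> {v.check(seq, length)}  (rcv_nxt now {v.rcv_nxt})")
```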


Fingerprint Scrambling
SmartDefense can scramble some of the fields commonly used for fingerprinting, masking the original identity of hosts behind the firewall. Please note, however, that totally preventing fingerprinting is next to impossible. Also note that while this feature makes fingerprinting the hosts protected by the firewall harder, it does little to hide the fact that there is a firewall here (i.e., fingerprinting the firewall's existence is still possible). With this protection you can choose whether to spoof fingerprints for unencrypted (plain) connections, for encrypted connections (for example, a VPN connection or an HTTPS connection), or both.

ISN Spoofing
The ISN scrambler counters this attack by creating a difference between the sequence numbers used by the server and the sequence numbers perceived by the client. This difference has high entropy using cryptographic functions, and effectively makes it impossible to guess the server's ISN. If the real server has a higher entropy than the entropy selected for the ISN scrambler, the higher entropy will pass through to the client.

Table 2-31
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | Disables acceleration on TCP traffic.

Table 2-32
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Not Enforced
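The "difference between the sequence numbers used by the server and those perceived by the client" can be shown concretely with the added example below. It is not Check Point code: deriving the offset with HMAC-SHA256 over the connection 4-tuple, the secret key and the helper names are assumptions of this example; the document does not say which cryptographic function the scrambler uses.

```python
"""ISN scrambling as described under Fingerprint Scrambling / ISN Spoofing: the
gateway adds a per-connection, high-entropy offset to the server's sequence
numbers so the client never sees the real ISN, and subtracts it again from
the client's acknowledgements.  Added example, not Check Point code.  The
HMAC-SHA256 derivation, the key and the 4-tuple input are assumptions."""
import hashlib
import hmac
from typing import Tuple

MOD = 1 << 32
Endpoint = Tuple[str, int]   # (address, port)


def isn_offset(key: bytes, client: Endpoint, server: Endpoint) -> int:
    """32-bit offset that is fixed for one connection (so both directions can
    be rewritten consistently) but unpredictable without the gateway's key."""
    msg = f"{client[0]}:{client[1]}->{server[0]}:{server[1]}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def to_client(server_seq: int, offset: int) -> int:
    """Server -> client direction: rewrite SEQ into the scrambled space."""
    return (server_seq + offset) % MOD


def to_server(client_ack: int, offset: int) -> int:
    """Client -> server direction: rewrite ACK back into the server's space."""
    return (client_ack - offset) % MOD


def handshake(key: bytes, client: Endpoint, server: Endpoint, server_isn: int) -> Tuple[int, int]:
    """Simulate the SYN/ACK and ACK legs of a handshake through the scrambler.
    Returns (ISN as seen by the client, ACK as received by the server)."""
    off = isn_offset(key, client, server)
    seen_by_client = to_client(server_isn, off)   # SYN/ACK crosses the gateway
    client_ack = (seen_by_client + 1) % MOD        # client acknowledges ISN + 1
    return seen_by_client, to_server(client_ack, off)


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; a gateway would use a random secret
    c, s = ("192.0.2.10", 40000), ("198.51.100.5", 443)
    seen, acked = handshake(key, c, s, server_isn=0x1000)
    print(f"server ISN 0x1000 appears to the client as {seen:#010x}; "
          f"server receives ACK {acked:#x} (its real ISN + 1)")
```

Because the same offset is applied in both directions, the server sees exactly the acknowledgement it expects while the client-side sequence space carries the scrambler's entropy.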


TTL
With this protection you can enable or disable the use of TTL, and define how to identify a packet as a TTL packet. You can change the TTL field of all packets (or all outgoing packets) to a given number. This achieves two goals: it is not possible to know how many routers (hops) the host is from the listener, and the listener cannot know what the original TTL value is.

Table 2-33
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | Disables acceleration on TCP traffic.

Table 2-34
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Not Enforced


IP ID
With this protection you can override the original IP ID with an ID generated by the firewall, thus masking the algorithm used by the original operating system, and with it the operating system's identity. The three available algorithms used by the various operating systems are: Random, Incremental, and Incremental LE (little endian).

Table 2-35
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | Disables acceleration on TCP traffic.

Table 2-36
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Not Enforced


Successive Events
The protections in this section allow you to configure different kinds of Check Point Malicious Activity Detections, including some general attributes. All of these detections depend on logs generated by SmartDefense. By default, Check Point Malicious Activity Detections do not block the detected attacks but rather generate an Alert. It is possible to configure that other actions will be taken, for example User Defined Alerts.

Address Spoofing
This protection allows you to define parameters that are specific to the defense against Address Spoofing attempts. An attack is detected (defined) as Address Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-37
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None.

Table 2-38
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Enforced
R55W          | Same                                                        | Enforced


Denial of Service
To protect the network from DoS attacks, SmartDefense employs a threshold. The threshold detects DoS events when more than a specific number of events occur over a specific amount of time. When the threshold limit is reached, the incidents of DoS events are logged and an alert is issued. With this protection you can define the frequency of events that will be treated as a DoS attack, and the Action to be taken when one of these attacks is detected.

Table 2-39
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None.

Table 2-40
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Enforced
R55W          | Same                                                        | Enforced


Local Interface Spoofing
With this protection you can define parameters that are specific to the defense against Local Interface Spoofing attempts. An attack is detected (defined) as Local Interface Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-41
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None.

Table 2-42
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Enforced
R55W          | Same                                                        | Enforced


Successive Alerts
With this protection you can define parameters that are specific to the defense against Successive Alerts attempts. An attack is detected (defined) as Successive Alerts when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-43
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None.

Table 2-44
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Enforced
R55W          | Same                                                        | Enforced


Successive Multiple Connections
This protection allows you to define parameters that are specific to the defense against Successive Multiple Connections attempts. An attack is detected (defined) as Successive Multiple Connections when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-45
Default Flag Settings | Log Generated by Protection    | NGX Performance Impact
Off                   | Successive Multiple Connections | None.

Table 2-46
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Enforced
R55W          | Same                                                        | Enforced
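All five Successive Events protections (Address Spoofing, Denial of Service, Local Interface Spoofing, Successive Alerts and Successive Multiple Connections) share the same rule: more than N events within T seconds. The added example below implements that rule over a constructed log; it is not Check Point code, and the log line layout, the class and function names and the reset-after-alert behaviour are assumptions of this example.

```python
"""Count-over-time detection of the kind the Successive Events protections
describe: an attack is declared when more than N events of one kind from one
source occur within T seconds, and by default an alert is raised rather than
traffic blocked.  Added example, not Check Point code; the log format and
the reset-after-alert behaviour are assumptions of this example."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

Alert = Tuple[int, str, str]          # (time, event type, source)

# Constructed sample log lines: "<epoch seconds> <event type> <source ip>"
SAMPLE_LOG = """\
1000 address_spoofing 203.0.113.7
1001 address_spoofing 203.0.113.7
1002 address_spoofing 203.0.113.7
1003 address_spoofing 203.0.113.7
1020 address_spoofing 198.51.100.2
1021 address_spoofing 203.0.113.7
1100 address_spoofing 203.0.113.7
"""


class SuccessiveEvents:
    """Sliding-window counter keyed by (event type, source).

    threshold: an alert is raised once MORE than this many events are seen
    window:    within this many seconds (both ends inclusive).
    After an alert the counter for that key is cleared, so one burst produces
    one alert rather than one alert per additional event.
    """

    def __init__(self, threshold: int, window: int) -> None:
        self.threshold = threshold
        self.window = window
        self.seen: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def observe(self, ts: int, event: str, source: str) -> Optional[Alert]:
        q = self.seen[(event, source)]
        while q and q[0] < ts - self.window:   # expire events that left the window
            q.popleft()
        q.append(ts)
        if len(q) > self.threshold:
            q.clear()
            return (ts, event, source)
        return None


def run_detector(log: str, threshold: int, window: int) -> List[Alert]:
    """Feed each log line through the detector and collect the alerts raised."""
    det = SuccessiveEvents(threshold, window)
    alerts: List[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, source = line.split()
        alert = det.observe(int(ts), event, source)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for ts, event, source in run_detector(SAMPLE_LOG, threshold=3, window=10):
        print(f"ALERT at t={ts}: {event} from {source} exceeded 3 events in 10 s")
```

Shrinking the window to 2 seconds on the same log raises no alert at all, which is the trade-off the "specific number of seconds" parameter controls.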


DShield Storm Center
Storm Centers gather logging information about attacks. This information is voluntarily provided by organizations from across the world for the benefit of all. Storm Centers collate and present reports on real-time threats to network security in a way that is immediately useful. The SmartDefense Storm Center Module enables a two-way information flow between the network Storm Centers and the organizations requiring network security information. With the protections in this section you can retrieve a list of malicious IPs from the DShield Storm Center and block those IPs. You can also submit logs to DShield.

Retrieve and Block Malicious IPs
With this protection you can decide whether to block all the malicious IP addresses received from DShield.org (one of the leading Storm Centers) or whether to block them for specific gateways.

Table 2-47
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None.

Table 2-48
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Not Enforced


Report to DShield
With this protection you can send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network.

Table 2-49
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | None.

Table 2-50
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Not Enforced


Port Scan
The protections in this section allow you to discover incidences of intelligence gathering so that the information in question cannot be used to attack vulnerable computers. Port Scanning is a method of collecting information about open TCP and UDP ports in a network. Gathering information is not in itself an attack, but the information can be used later to target and attack vulnerable computers. Port scanning can be performed either by a hacker using a scanning utility such as nmap, or by a worm trying to spread itself to other computers. Port Scanning is most commonly done by trying to access a port and waiting for a response. The response indicates whether or not the port is open.

Host Port Scan
SmartDefense has three levels of port scan detection sensitivity. Each level represents the amount of inactive ports scanned during a certain amount of time. When a port scan is detected a log or alert is issued.

Table 2-51
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   | Port Scan                   | None.

Table 2-52
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Not Enforced                                                | Not Enforced
R55W          | Same                                                        | N/A


Sweep Scan
SmartDefense has three levels of port scan detection sensitivity. Each level represents the amount of inactive ports scanned during a certain amount of time. When a port scan is detected a log or alert is issued.

Table 2-53
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   | Port Scan                   | None.

Table 2-54
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Not Enforced                                                | Not Enforced
R55W          | Same                                                        | N/A


Dynamic Ports
If this protection is enabled, when a client tries to open a dynamic connection to such a protected port, the connection is dropped.

Block Data Connections to Low Ports
Block data connections to low ports specifies whether or not dynamically opened ports below 1024 are permitted. The low port range is used by many standard services, so you will not normally permit low ports.

Table 2-55
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On                    |                             | None.

Table 2-56
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Same


Chapter 3 Application Intelligence

In This Chapter
Introduction        page 54
Mail                page 55
FTP                 page 58
Microsoft Networks  page 60
Peer to Peer        page 66
Instant Messengers  page 69
DNS                 page 75
VoIP                page 80
SNMP                page 88
VPN Protocols       page 90
Content Protection  page 96
MS-RPC              page 98
MS-SQL              page 100
Routing Protocols   page 102
SUN-RPC             page 106
DHCP                page 107
SOCKS               page 108

Introduction
A growing number of attacks attempt to exploit vulnerabilities in network applications rather than target the firewall directly. Check Point Application Intelligence is a set of advanced capabilities, integrated into Firewall and SmartDefense, which detects and prevents application-level attacks. Based on INSPECT intelligent inspection technology, Check Point Application Intelligence gives SmartDefense the ability to protect against application attacks and hazards.
Figure 3-1 OSI (Open Systems Interconnection) Reference Model

Note - The OSI Reference Model is a framework, or guideline, for describing how data is transmitted between devices on a network.
The Application Layer is not the actual end-user software application, but a set of services that allows the software application to communicate via the network. Distinctions between layers 5, 6, and 7 are not always clear, and some competing models combine these layers, as does this user guide.

Application Intelligence protections allow you to configure various protections at the application layer, using SmartDefense's Application Intelligence capabilities.


Mail
The protections in this section allow you to select what types of enforcement will be applied to Mail traffic.

POP3 / IMAP Security
With this protection you enable limitations on email messages delivered to the network using the POP3/IMAP protocols. These options make it possible to recognize and stop malicious behavior. For example, SmartDefense can enforce the length of a username and password, preventing the use of the long string of characters used in a buffer overrun attack that can potentially crash the machine. SmartDefense can also prevent a situation in which the use of network resources is deliberately discontinued: it can limit the number of NOOP (no operation) commands, which may be used in a Denial of Service attack.

Table 3-57
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off                   |                             | Disables POP3/IMAP acceleration and enables Security servers.

Table 3-58
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Not Enforced                                                | Not Enforced
R55W          | Same                                                        | Same


Mail Security Server
With this protection you can select what types of enforcement will be applied to SMTP connections passing through the security server. The SMTP security server allows strict enforcement of the SMTP protocol. Usually the security server is activated by specifying resources or authentication rules in the standard security policy.

Table 3-59
Default Flag Settings                                                 | Log Generated by Protection | NGX Performance Impact
On - only for connections related to resources used in the rule base. |                             | Disables SMTP acceleration and enables Security servers.

Table 3-60
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Not Enforced


Block ASN.1 Bitstring Encoding Attack over SMTP
SmartDefense provides protection against this vulnerability by analyzing the communication, looking for ASN.1 encoding within GSSAPI structures in SMTP authentication. Note that SMTP Security Servers already block the GSSAPI authentication method.

Table 3-61
Default Flag Settings | Log Generated by Protection   | NGX Performance Impact
Off                   | MS-ASN.1 Enforcement Violation | Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-62
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same (R55 Only)                                             | Same (R55 Only)
R55W          | Same                                                        | Same


FTP
The protections in this section allow you to configure various protections related to the FTP protocol.

FTP Bounce
With this protection you can neutralize an FTP bounce attack aimed at the firewall. SmartDefense neutralizes the attack by performing tests in the kernel. SmartDefense performs a mandatory protection against the FTP bounce attack, verifying the destination of the FTP PORT command. In addition, SmartDefense blocks connections to Dynamic Ports, as defined in the Dynamic Ports tab, under Network Security.

Table 3-63
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On                    |                             | None.

Table 3-64
Version       | Feature behavior when protection is On (NGX R60 Management) | Feature behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55 | Same                                                        | Not Enforced
R55W          | Same                                                        | Same

FTP Security Server


This protection gives you access to Authentication services and Content Security based on FTP commands (PUT/GET), file name restrictions, and CVP checking (for example, for viruses). In addition, the FTP Security Server logs FTP GET and PUT commands, together with the associated file names, if the rule's Track is Log. The Security Servers are usually enabled by specifying rules in the security policy.
Table 3-65
  Default Flag Settings: On - only for connections related to resources used in the rule base.
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables FTP acceleration and enables Security servers.

Table 3-66 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Not Enforced

Microsoft Networks
The protections in this section allow you to select what types of enforcement will be applied to Microsoft networking protocols.

File and Print Sharing


This protection allows you to configure worm signatures that will be detected and blocked by the CIFS Worm Defender.
Table 3-67
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables acceleration of Microsoft Network Protocols.

Table 3-68 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

Block Null CIFS Sessions


When this protection is enabled, SmartDefense will block null session attempts.
Table 3-69
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables session rate acceleration for the CIFS protocol.

Table 3-70 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: *Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

Block Popup Messages


When this protection is enabled, any attempt to send a Windows popup message will be blocked.
Table 3-71
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables acceleration of Microsoft Network Protocols.

Table 3-72 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: *Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

Block ASN.1 Bitstring Encoding Attack


SmartDefense provides protection against this vulnerability by analyzing the communication, looking for ASN.1 BER encoding within GSS-API structures, in different protocols.
Table 3-73
  Default Flag Settings: Off
  Log Generated by Protection: MS-ASN.1 Enforcement Violation
  NGX Performance Impact: Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-74 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same (R55 Only); Monitor-Only mode: Same (R55 Only)
  R55W: protection on: Same; Monitor-Only mode: Same

Block WINS Replication Attack


With this protection SmartDefense is able to recognize an illegal WINS packet. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.
Table 3-75
  Default Flag Settings: Off
  Log Generated by Protection: MS WINS Replication Protocol Enforcement Violation
  NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-76 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same (R55 Only); Monitor-Only mode: Same (R55 Only)
  R55W: protection on: Same; Monitor-Only mode: Same

Block WINS Name Validation Attack


With this protection SmartDefense is able to recognize an illegal NBNS packet. This enables SmartDefense to catch potentially harmful packets before they enter the network.
Table 3-77
  Default Flag Settings: Off
  Log Generated by Protection: MS WINS Name Validation Enforcement Violation
  NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-78 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same (R55 Only); Monitor-Only mode: Same (R55 Only)
  R55W: protection on: Same; Monitor-Only mode: Same

Peer to Peer
The protections in this section allow you to block Peer to Peer traffic, preventing the use of peer to peer applications for message transfer and file sharing (for example, Kazaa and Gnutella). For Peer to Peer applications that masquerade as HTTP you can define HTTP patterns that you wish to block. By identifying fingerprints and HTTP headers, SmartDefense detects peer to peer sessions regardless of the TCP port being used.

Excluded Services/Network Objects


Since R55W it has been possible to create a white list of hosts and ports that are not scanned for peer to peer protocols. However, because this capability does not exist on pre-R55 modules, installing the protections on older modules causes them to be active even on the excluded objects.
Table 3-79
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: None.

Table 3-80 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

All Protocols through Port 80


With these protections you can block one of the supported peer to peer applications: KaZaA, Gnutella, eMule, BitTorrent, SoulSeek and IRC.

Table 3-81
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables session rate acceleration on Port 80.

Table 3-82 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

All Protocols
With these protections you can block one of the supported peer to peer applications: KaZaA, Gnutella, eMule, BitTorrent, SoulSeek and IRC.

For older versions (FP3 to R55), HTTP is protected if you turn on Header Rejection.
Table 3-83
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables session rate acceleration.

Table 3-84 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

Instant Messengers
The protections in this section allow you to block Instant Messaging applications that use Instant Messaging protocols. Instant Messaging applications have many capabilities, including voice calls, message transfer, and file sharing.

Excluded Services/Network Objects


Since R55W it has been possible to create a white list of hosts and ports that are not scanned for peer to peer protocols. However, because this capability does not exist on pre-R55 modules, installing the protections on older modules causes them to be active even on the excluded objects.
Table 3-85
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: (not listed)

Table 3-86 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

MSN Messenger over SIP


With this protection you can block everything sent from SIP-based MSN Messenger, or selectively block specific MSN Messenger applications: file-transfer, application-sharing, white-boarding, and remote-assistant. SmartDefense verifies compliance with the Session Initiation Protocol (SIP), RFC 3261. If "Block SIP-based Instant Messaging" in SmartDefense > Application Intelligence > VoIP > SIP is selected, all MSN over SIP applications are blocked automatically.
Table 3-87
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: SIP traffic is not accelerated.

Table 3-88 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: N/A

MSN Messenger over MSNMS


With this protection you can block MSN Messenger over MSNMS completely, or selectively block its applications: audio, video, file-transfer, application-sharing, white-boarding, and remote-assistant. To block MSN Messenger over MSNMS completely, no configuration is needed, because a security rule is required to allow it. To selectively block SIP-based instant messenger applications, you must define a security rule with the MSNMS service (TCP 1863) that allows them, and then configure SmartDefense.
Table 3-89
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VPN-1 - Disables session rate acceleration; Interspect - None

Table 3-90 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Not Enforced; Monitor-Only mode: Not Enforced

Skype
SmartDefense can block Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP port being used to initiate the peer to peer session. Skype uses UDP or TCP port 1024 and higher or HTTP for peer to peer telephony. Since Skype uses a session similar to SSL to bypass firewalls, it is now required to either completely block SSL ports or activate the "Block SSL null-pointer assignment" protection, under the VPN Protocols branch. SmartDefense inspects Peer to Peer connections over HTTP requests and responses.
Table 3-91
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VPN-1 - Disables session rate acceleration; Interspect - None

Table 3-92 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

Yahoo! Messenger
SmartDefense can block Yahoo! Messenger traffic by identifying its fingerprints and HTTP headers, and is able to detect peer to peer traffic regardless of the TCP port used to initiate the peer to peer session. Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer. SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-93
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VPN-1 - Disables session rate acceleration; Interspect - None

Table 3-94 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

ICQ
SmartDefense can block ICQ traffic by identifying ICQ's fingerprints and HTTP headers, and is able to detect peer to peer traffic regardless of the TCP port used to initiate the peer to peer session. ICQ uses TCP port 5190 to connect; file transfer and sharing are done through TCP ports 3574/7320. SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-95
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VPN-1 - Disables session rate acceleration; Interspect - None

Table 3-96 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

DNS
With the protections in this section you can prevent various DNS related vulnerabilities and protocol violations by performing DNS protocol enforcement and validation (TCP and UDP).

Protocol Enforcement - TCP


SmartDefense is able to recognize a DNS packet that has been altered, and so catch potentially harmful packets before they enter the network. With this protection you enforce the DNS protocol over TCP: only pure DNS packets sent over TCP are allowed to enter the network. All connections to the DNS port over TCP are monitored to verify that every DNS packet attempting to enter the network has not been altered. Enforcing the protocol over TCP reduces the potential for maliciously altered DNS packets to enter the system.
Table 3-97
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables DNS/TCP acceleration.

Table 3-98 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: N/A

Protocol Enforcement - UDP


SmartDefense is able to recognize a DNS packet that has been altered, and so catch potentially harmful packets before they enter the network. In this window you enforce the DNS protocol over UDP: only pure DNS packets sent over UDP are allowed to enter the network. All connections to the DNS port over UDP are monitored to verify that every DNS packet attempting to enter the network has not been altered. Enforcing the protocol over UDP reduces the potential for maliciously altered DNS packets to enter the system.
Table 3-99
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables DNS/UDP acceleration.

Table 3-100 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: N/A

Domain Block List


With this protection you maintain a Block List for filtering out undesirable traffic: SmartDefense does not allow a user to access a domain address specified in the Block list. The domain Block list is updated manually.
Table 3-101
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables DNS acceleration.

Table 3-102 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

Cache Poisoning Protections


The Cache Poisoning protections enable you to configure protection against DNS cache poisoning. To reduce DNS traffic, name servers maintain a cache, which is updated according to the TTL of each zone. Cache Poisoning occurs when a DNS cache receives mapping information from a remote name server that was deliberately altered. The DNS server caches the incorrect information and serves it as the requested information. As a result, email messages and URL addresses can be redirected, and the information sent by a user can be captured and corrupted.
Table 3-103
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables DNS acceleration.

Table 3-104 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: N/A

Resource Records Enforcements


This protection allows you to set the maximum number of allowed Answer, Authority and Additional Resource Records within a reply to a DNS query sent over TCP.
Table 3-105
  Default Flag Settings: Off
  Log Generated by Protection: DNS Enforcement Violation
  NGX Performance Impact: Disables DNS acceleration.

Table 3-106 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same (R55 Only); Monitor-Only mode: Same (R55 Only)
  R55W: protection on: Same; Monitor-Only mode: Same
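The three DNS checks described in this section (Protocol Enforcement, the Domain Block List and the Resource Records Enforcements) as one added example in Python. This is illustrative code written for this guide's reader, not Check Point's implementation; the record-count caps, the block list and the sample packets are constructed assumptions.

```python
import struct
from collections import namedtuple

DNS_HEADER_LEN = 12
DnsHeader = namedtuple("DnsHeader", "ident flags qdcount ancount nscount arcount")
# Assumed caps for Answer / Authority / Additional records in a reply.
RRLimits = namedtuple("RRLimits", "max_answer max_authority max_additional", defaults=(50, 20, 20))


def parse_header(pkt: bytes) -> DnsHeader:
    """Parse the fixed 12-byte header; anything shorter is not a DNS packet."""
    if len(pkt) < DNS_HEADER_LEN:
        raise ValueError("packet shorter than DNS header")
    return DnsHeader(*struct.unpack("!6H", pkt[:DNS_HEADER_LEN]))


def parse_qname(pkt: bytes, offset: int = DNS_HEADER_LEN) -> tuple:
    """Decode the first question's name; return (name, offset after it). Compression
    pointers are not legal in the question, so a label byte with the top two bits set
    is a protocol violation, as is a non-ASCII label."""
    labels = []
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer or bad label length in QNAME")
        label = pkt[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())  # UnicodeDecodeError is a ValueError
        offset += length


def enforce_protocol(pkt: bytes) -> tuple:
    """'Pure DNS' check for traffic on the DNS port: a sane header and exactly one
    well-formed question. A standard query may carry Additional records (EDNS OPT)
    but must not carry Answer or Authority records."""
    try:
        hdr = parse_header(pkt)
        if hdr.qdcount != 1:
            return False, f"qdcount {hdr.qdcount} (expected 1)"
        _, offset = parse_qname(pkt)
        if len(pkt) < offset + 4:  # QTYPE and QCLASS must follow the name
            return False, "truncated question section"
        is_query = (not (hdr.flags & 0x8000)) and (((hdr.flags >> 11) & 0xF) == 0)
        if is_query and (hdr.ancount or hdr.nscount):
            return False, "standard query carries answer/authority records"
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def is_blocked(qname: str, blocklist) -> bool:
    """Domain Block List: match the listed name itself and any subdomain of it."""
    q = qname.rstrip(".").lower()
    domains = (dom.rstrip(".").lower() for dom in blocklist)
    return any(q == d or q.endswith("." + d) for d in domains)


def enforce_reply_limits(hdr: DnsHeader, limits: RRLimits) -> tuple:
    """Resource Records Enforcement: cap the RR counts a reply may carry."""
    for section, count, cap in (("Answer", hdr.ancount, limits.max_answer),
                                ("Authority", hdr.nscount, limits.max_authority),
                                ("Additional", hdr.arcount, limits.max_additional)):
        if count > cap:
            return False, f"{section} RR count {count} exceeds {cap}"
    return True, "ok"


def inspect_dns(pkt: bytes, blocklist=(), limits: RRLimits = RRLimits()) -> tuple:
    """Apply the three checks in order; return ('accept' | 'drop', reason)."""
    ok, why = enforce_protocol(pkt)
    if not ok:
        return "drop", "protocol: " + why
    hdr = parse_header(pkt)
    qname, _ = parse_qname(pkt)
    if is_blocked(qname, blocklist):
        return "drop", f"domain block list: {qname}"
    if hdr.flags & 0x8000:  # QR bit set: this is a reply
        ok, why = enforce_reply_limits(hdr, limits)
        if not ok:
            return "drop", "resource records: " + why
    return "accept", "ok"


def build_query(qname: str, ident: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample: a standard recursive query (QTYPE A by default)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, 1)


def build_reply(query: bytes, ancount: int, nscount: int, arcount: int) -> bytes:
    """Constructed sample reply: the query's ID and question with QR set and the given
    RR counts in the header (the count check reads only the header)."""
    ident = struct.unpack("!H", query[:2])[0]
    return struct.pack("!6H", ident, 0x8180, 1, ancount, nscount, arcount) + query[DNS_HEADER_LEN:]
```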

VoIP
With the protections in this section you can enable protection against DoS attacks directed at VoIP networks, and configure protections for VoIP protocols. SmartDefense validates the addresses of the caller and receiver, and ensures that both are allowed to make and receive VoIP calls. In addition, SmartDefense examines the contents of the packets passing through every allowed port, to make sure they contain proper information. Full stateful inspection of H.323, SIP, MGCP and SCCP commands ensures that all VoIP packets are structurally valid, and that they arrive in a valid sequence according to the RFC standards.

DOS Protection
A rogue IP phone could mount Denial of Service attacks by flooding the network with calls, interfering with proper use of the phone network. This protection limits the number of call attempts per minute that the VPN-1 Power Gateway allows from any given IP address. Calls from handover devices are not counted, because they make a large number of calls.
Table 3-107
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-108 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Not Enforced; Monitor-Only mode: Not Enforced
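The per-source call-rate limit that the DOS Protection above describes, as an added illustrative example (not Check Point's code): a sliding one-minute window per IP address, with handover devices exempt from counting. The limit of 10 calls per minute, the addresses and the traffic pattern are assumptions made for the sample.

```python
from collections import deque


class CallRateLimiter:
    """Per-source limit on VoIP call attempts within a sliding window.

    Sources listed as handover devices are exempt, matching the note above that their
    calls are not counted. A rejected attempt is not recorded, so a flood cannot extend
    its own lockout beyond the window."""

    def __init__(self, max_calls_per_minute: int, handover_devices=(), window_seconds: float = 60.0):
        self.max_calls = max_calls_per_minute
        self.window = window_seconds
        self.handover = frozenset(handover_devices)
        self._attempts = {}  # src_ip -> deque of attempt timestamps inside the window

    def call_attempt(self, src_ip: str, now: float) -> bool:
        """Register a call attempt from src_ip at time now (seconds); True if allowed."""
        if src_ip in self.handover:
            return True
        recent = self._attempts.setdefault(src_ip, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()  # expire attempts that fell out of the window
        if len(recent) >= self.max_calls:
            return False  # over the limit: the gateway would drop and log this call
        recent.append(now)
        return True

    def outstanding(self, src_ip: str) -> int:
        """Number of counted attempts currently inside the window for src_ip."""
        return len(self._attempts.get(src_ip, ()))


def run_sample() -> dict:
    """Constructed traffic over two minutes: a rogue phone dialling every 2 s, a normal
    phone dialling every 30 s, and the PBX (a handover device, assumed at 10.0.0.2)
    dialling every second. Returns the number of allowed attempts per source."""
    limiter = CallRateLimiter(max_calls_per_minute=10, handover_devices={"10.0.0.2"})
    events = [(t, "10.0.0.50") for t in range(0, 120, 2)]   # 60 attempts
    events += [(t, "10.0.0.51") for t in range(0, 120, 30)]  # 4 attempts
    events += [(t, "10.0.0.2") for t in range(0, 120)]       # 120 attempts, exempt
    allowed = {}
    for t, src in sorted(events):
        allowed[src] = allowed.get(src, 0) + int(limiter.call_attempt(src, float(t)))
    return allowed
```

Only the rogue phone is throttled: of its 60 attempts, 10 pass in each minute and the rest are refused, while the normal phone and the PBX are unaffected.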

H323
In this window you can enable the following application layer checks. Strict enforcement of the protocol, including the order and direction of H.323 packets. If the phone number sent is longer than 24 characters, the packet is dropped; this prevents buffer overruns in the server. Dynamic ports are opened only if the port is not used by another service; for example, if the Connect message sends port 80 for H.245, the port is not opened. This prevents well-known ports from being used illegally.

Table 3-109
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-110 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Not Enforced

SIP
With this protection you can verify content in the SIP header. If this option is selected and there are explicit SIP rules in the Rule Base, SmartDefense will validate the SIP headers and look for invalid characters inside them.
Table 3-111
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-112 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Same, except that blocking of specific applications (video, audio, instant messaging) and the default registration timeout are not enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same, except that "Block SIP calls that use " and "Drop unknown SIP message" are not enforced; Monitor-Only mode: Not Enforced

Block SIP Calls that Use Two Different Voice Connections (RTP) for Incoming Audio and Outgoing Audio
Table 3-113
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-114 (feature behavior when protection is on)
  R55: Enforced; R55W: Enforced; R60: Enforced

Verify SIP Header Content


Table 3-115
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-116 (feature behavior when protection is on)
  R55: Enforced; R55W: Enforced; R60: Enforced

Block SIP-based Video/Audio


Table 3-117
  Default Flag Settings: Off for all versions prior to R60 / On for R60
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-118 (feature behavior when protection is on)
  R55: Not Enforced; R55W: Enforced; R60: Enforced

Block SIP-based Instant Messaging


Table 3-119
  Default Flag Settings: Off for all versions prior to R60 / On for R60
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-120 (feature behavior when protection is on)
  R55: Enforced; R55W: Enforced; R60: Enforced

Drop Unknown SIP Messages


Table 3-121
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-122 (feature behavior when protection is on)
  R55: Not Enforced; R55W: Not Enforced; R60: Enforced

Default Proxy Registration Expiration Time Period


Table 3-123
  Default Flag Settings: 600 seconds
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-124 (feature behavior when protection is on)
  R55: Not Enforced; R55W: Not Enforced; R60: Enforced

Block the Destination from Re-inviting Calls


Table 3-125
  Default Flag Settings: Off for all versions prior to R60 / On for R60
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-126 (feature behavior when protection is on)
  R55: Enforced; R55W: Enforced; R60: Enforced

MGCP (allowed commands)


SmartDefense provides full network-level security for MGCP, enforcing strict compliance with RFC 2705, RFC 3435 (version 1.0) and the ITU TGCP specification J.171. In addition, all SmartDefense capabilities are supported, such as inspection of fragmented packets, anti-spoofing, and protection against Denial of Service attacks. Note, however, that NAT on MGCP is not supported. SmartDefense also restricts handover locations and controls signalling and data connections.
Table 3-127
  Default Flag Settings: Allowed
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-128 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: N/A

SCCP (Skinny)
SCCP (Skinny Client Control Protocol) controls telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers). SmartDefense provides full connectivity and network-level security for SCCP-based VoIP communication. All SCCP traffic is inspected; legitimate traffic is allowed to pass while attacks are blocked. All SmartDefense capabilities are supported, such as anti-spoofing and protection against Denial of Service attacks. Fragmented packets are examined and secured using kernel-based streaming. However, NAT on SCCP devices is not supported. In addition, SmartDefense restricts handover locations and controls signalling and data connections. SmartDefense tracks state and verifies that the state is valid for all SCCP messages. For a number of key messages, it also verifies the existence and correctness of the message parameters. SmartDefense can perform additional content security checks for SCCP connections, providing a greater level of protection.
Table 3-129
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-130 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: N/A

SNMP
With the protections in this section you can protect against SNMP vulnerabilities by enforcing SNMPv3 (the latest SNMP version) and rejecting previous versions. Alternatively, you can allow all SNMP versions while dropping requests that use the SNMPv1 and SNMPv2 default community strings.

Allow Only SNMPv3 Traffic


This protection prevents the use of previous SNMP versions. By forcing the network to work with SNMPv3, SmartDefense employs authentication features that are not available with previous SNMP versions (that is, SNMPv1 and SNMPv2).
Table 3-131
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables acceleration of SNMP traffic.

Table 3-132 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same

Drop Requests to Default Community Strings


Dropping requests with default community strings for SNMPv1 and SNMPv2 prevents unencrypted text associated with SNMPv1 and SNMPv2 from being sent over the network.
Table 3-133
  Default Flag Settings: Off
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables acceleration of SNMP traffic.

Table 3-134 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Same; Monitor-Only mode: Same
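The two SNMP protections in this section (Allow Only SNMPv3 Traffic and Drop Requests to Default Community Strings) as one added Python example that decodes the BER header of an SNMP message to read the version and, for v1/v2c, the community string. This is illustrative code, not Check Point's; the set of default community strings and the sample messages are assumptions constructed here.

```python
SNMP_V1, SNMP_V2C, SNMP_V3 = 0, 1, 3
# Assumption: the factory-default community strings the protection should reject.
DEFAULT_COMMUNITIES = frozenset({b"public", b"private"})


def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Read one BER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: the low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(pkt: bytes) -> tuple:
    """Return (version, community). Community is None for SNMPv3, whose header carries
    msgGlobalData and security parameters instead of a community string."""
    tag, msg, end = _read_tlv(pkt, 0)
    if tag != 0x30 or end != len(pkt):
        raise ValueError("message is not exactly one SEQUENCE")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02 or not 1 <= len(ver) <= 4:
        raise ValueError("version is not a small INTEGER")
    version = int.from_bytes(ver, "big")
    if version == SNMP_V3:
        return version, None
    tag, community, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return version, community


def snmp_verdict(pkt: bytes, allow_only_v3: bool, drop_default_communities: bool) -> tuple:
    """Apply the two protections to one UDP payload; return ('accept' | 'drop', reason)."""
    try:
        version, community = parse_snmp_header(pkt)
    except ValueError as exc:
        return "drop", f"malformed SNMP: {exc}"
    if allow_only_v3 and version != SNMP_V3:
        return "drop", f"SNMP version {version} is not SNMPv3"
    if drop_default_communities and community is not None and community.lower() in DEFAULT_COMMUNITIES:
        return "drop", "default community string"
    return "accept", "ok"


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form BER TLV encoder, used only to construct the sample messages below."""
    if len(value) > 127:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes((tag, len(value))) + value


def build_get_request(version: int, community: bytes) -> bytes:
    """Constructed SNMPv1/v2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    varbind = _tlv(0x30, _tlv(0x06, b"\x2b\x06\x01\x02\x01\x01\x01\x00") + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + pdu)


def build_v3_header_only() -> bytes:
    """Constructed start of an SNMPv3 message: version 3 plus msgGlobalData (msgID,
    msgMaxSize, msgFlags, msgSecurityModel = USM); the remaining fields are omitted."""
    global_data = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x40\x00") + _tlv(0x04, b"\x04") + _tlv(0x02, b"\x03")
    return _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, global_data))
```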

VPN Protocols
The protections in this section allow you to select what types of enforcement will be applied to VPN (Virtual Private Network) protocols.

PPTP Enforcement
This protection enforces the PPTP protocol. PPTP sessions are forced to comply with the RFC standard, including message type and packet length. If the PPTP control connection terminates unexpectedly, the GRE tunnel is terminated automatically. In addition, enabling this protection allows Hide NAT as well as Static NAT to be performed on PPTP connections.
Table 3-135
  Default Flag Settings: On
  Log Generated by Protection: (not listed)
  NGX Performance Impact: Disables acceleration of PPTP traffic.

Table 3-136 (feature behavior under NGX R60 Management, by module version)
  NG FP3 to R55: protection on: Not Enforced; Monitor-Only mode: Not Enforced
  R55W: protection on: Not Enforced; Monitor-Only mode: Not Enforced


SSL Enforcement

When this protection is enabled, SmartDefense will identify and drop malformed SSL Client Hello packets.

Table 3-137
Default Flag Settings: Off
Log Generated by Protection: Invalid SSL Packet
NGX Performance Impact: Disables acceleration of SSL traffic passing through the gateway.

Table 3-138 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same
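The kind of structural check this protection performs, written as an added example rather than Check Point's implementation: every length field of a TLS-format (SSLv3 and later) ClientHello is checked against the bytes actually present, and the first inconsistency is reported. SSLv2-compatible hellos are outside what this example handles, and the record builder is constructed test input.

```python
"""Structural check of an SSL/TLS ClientHello (added example, not the
product's code).  check_client_hello returns None if the record is
well-formed, else a string naming the first defect found."""
import struct

def check_client_hello(record):
    if len(record) < 5:
        return "record header truncated"
    ctype, ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        return "not a handshake record"
    if ver >> 8 != 3:
        return "unknown record version"
    if rlen == 0 or rlen > 2 ** 14 + 2048 or len(record) - 5 < rlen:
        return "record length inconsistent with data"
    hs = record[5:5 + rlen]
    if len(hs) < 4 or hs[0] != 1:
        return "not a ClientHello handshake message"
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        return "handshake length does not match record"
    body = hs[4:]
    if len(body) < 34:
        return "ClientHello truncated before session id"
    p = 34                                    # client_version + 32-byte random
    sid_len = body[p]; p += 1
    if sid_len > 32 or p + sid_len > len(body):
        return "bad session id length"
    p += sid_len
    if p + 2 > len(body):
        return "cipher suites length missing"
    cs_len = int.from_bytes(body[p:p + 2], "big"); p += 2
    if cs_len < 2 or cs_len % 2 or p + cs_len > len(body):
        return "bad cipher suites length"
    p += cs_len
    if p >= len(body):
        return "compression methods missing"
    cm_len = body[p]; p += 1
    if cm_len < 1 or p + cm_len > len(body):
        return "bad compression methods length"
    p += cm_len
    if p == len(body):
        return None                           # no extensions block: legal
    if p + 2 > len(body):
        return "extensions length truncated"
    ext_len = int.from_bytes(body[p:p + 2], "big"); p += 2
    if p + ext_len != len(body):
        return "extensions length does not match remaining data"
    while p < len(body):                      # walk each extension TLV
        if p + 4 > len(body):
            return "extension header truncated"
        elen = int.from_bytes(body[p + 2:p + 4], "big"); p += 4
        if p + elen > len(body):
            return "extension body overruns message"
        p += elen
    return None

def build_client_hello(cipher_suites=b"\x13\x01\x00\x2f", extensions=b""):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                   # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```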


Block IKE Aggressive Exchange

When this protection is enabled, SmartDefense will identify and drop IKE aggressive exchanges.

Table 3-139
Default Flag Settings: Off
Log Generated by Protection: IKE Aggressive Packet Detected
NGX Performance Impact: Disables acceleration of IKE traffic in the client-to-server direction passing through the gateway. Server-to-client traffic is still accelerated.

Table 3-140 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


IKE Enforcement

This protection enforces compliance of the IKE protocol with RFC 2409 in terms of payload type and length, maximum number of payloads, and packet length. By enabling "IKE payload enforcement", SmartDefense performs additional checks on the IKE Security Association payload. A monitor-only mode makes it possible to track IKE protocol violations without blocking the connection.

Table 3-141
Default Flag Settings: Off
Log Generated by Protection: IKE Enforcement Violation
NGX Performance Impact: Disables acceleration of IKE traffic in the client-to-server direction passing through the gateway. Server-to-client traffic is still accelerated.

Table 3-142 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same
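One checker serving both IKE protections above (Block IKE Aggressive Exchange and IKE Enforcement), added here as an example and not the product's code: it validates the ISAKMP header, refuses exchange type 4 (aggressive) when asked to, and walks the payload chain checking payload type, length and count against the datagram. The payload cap is an assumed policy value, not an RFC constant; the message builder is constructed test input.

```python
"""IKEv1 (ISAKMP) header and payload-chain checks modelled on the two IKE
protections above.  Added example, not the product's implementation; the
payload cap is an assumed policy value."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next, ver, exch, flags, msgid, len
EXCH_AGGRESSIVE = 4
KNOWN_PAYLOADS = set(range(1, 14))          # SA..VID as assigned by RFC 2408
MAX_PAYLOADS = 32                            # assumed policy cap, not an RFC value

def inspect_isakmp(pkt, block_aggressive=True, max_payloads=MAX_PAYLOADS):
    """Return None if the message passes, else a violation string."""
    if len(pkt) < ISAKMP_HDR.size:
        return "ISAKMP header truncated"
    (_icookie, _rcookie, next_pl, version, exch, _flags,
     _msgid, length) = ISAKMP_HDR.unpack_from(pkt)
    if version >> 4 != 1:
        return "unsupported ISAKMP major version"
    if length != len(pkt):
        return "header length does not match datagram"
    if block_aggressive and exch == EXCH_AGGRESSIVE:
        return "aggressive mode exchange"
    pos, count = ISAKMP_HDR.size, 0
    while next_pl != 0:                      # 0 = no more payloads
        count += 1
        if count > max_payloads:
            return "too many payloads"
        if next_pl not in KNOWN_PAYLOADS and next_pl < 128:
            return "reserved payload type %d" % next_pl
        if pos + 4 > len(pkt):
            return "payload header truncated"
        # generic payload header: next payload, reserved, payload length
        next_pl, _res, plen = struct.unpack_from("!BBH", pkt, pos)
        if plen < 4 or pos + plen > len(pkt):
            return "payload length out of range"
        pos += plen
    if pos != len(pkt):
        return "trailing bytes after last payload"
    return None

def build_isakmp(exchange, payloads):
    """Build a message from (payload_type, body) pairs (constructed test input)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), first, 0x10, exchange,
                          0, 0, ISAKMP_HDR.size + len(chain))
    return hdr + chain
```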


SSH - Detect SSH over Non-Standard Ports

SSH versions 1 and 2 are typically used over TCP port 22. This protection provides two possible actions: Block All SSH Versions and Run SSH Enforcement. When you select Block All SSH Versions, SSH traffic (of any SSH version) on all possible TCP ports is blocked. When you select Run SSH Enforcement, the SSH Enforcement protection is applied to all non-standard ports, including TCP port 22.

Table 3-143
Default Flag Settings: Off
Log Generated by Protection: SSH Connection on a Non-Standard Port
NGX Performance Impact: Disables session rate acceleration on all traffic.

Table 3-144 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Same                Same


SSH Enforcement

SSH Enforcement protection applies to SSH traffic on TCP port 22. SSH Enforcement enables you to select and deselect specific defense attributes. By selecting Block SSH v1, only SSH version 2 will be enabled over TCP port 22.

Table 3-145
Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables session rate acceleration on SSH traffic.

Table 3-146 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Same                Same
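An added example (not Check Point code) covering both SSH protections above: it recognises the SSH identification string at the start of a TCP stream on any port, reads the protoversion, and applies either the Block All SSH Versions or the Run SSH Enforcement (with Block SSH v1) action. Treating protoversion 1.99 as v1-capable is this example's policy choice; the policy names are its own.

```python
"""Classify SSH identification strings on any port and apply the two
actions described above.  Added example, not the product's code."""
import re

# Identification string format per RFC 4253 section 4.2: SSH-protoversion-softwareversion
_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-\S+")

def ssh_protoversion(data):
    """Return the protoversion ('1.5', '1.99', '2.0', ...) of an SSH banner
    found at the start of a stream, or None if the bytes are not SSH."""
    line = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    if len(line) > 255:            # RFC 4253 caps the identification line
        return None
    m = _BANNER.match(line)
    return m.group(1).decode() if m else None

def ssh_decision(data, dst_port, policy):
    """policy is 'block_all' or 'run_enforcement'; returns (action, reason)."""
    pv = ssh_protoversion(data)
    if pv is None:
        return "accept", "not SSH"
    port_kind = "standard" if dst_port == 22 else "non-standard"
    if policy == "block_all":
        return "drop", "SSH %s on %s port %d" % (pv, port_kind, dst_port)
    if policy == "run_enforcement":
        # SSH Enforcement with Block SSH v1: only protoversion 2.0 is allowed.
        # '1.99' advertises willingness to fall back to v1, so this example
        # refuses it as well (policy choice of the example).
        if pv != "2.0":
            return "drop", "SSH v1 (protoversion %s) on %s port %d" % (pv, port_kind, dst_port)
        return "accept", "SSH v2 on %s port %d" % (port_kind, dst_port)
    raise ValueError("unknown policy %r" % policy)
```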


Content Protection

The protections in this section allow you to block malicious content over multiple protocols.

Malformed JPEG

By enabling this protection, SmartDefense will block malformed JPEG files on all services with Protocol Type 'HTTP'. Enabling "Perform strict enforcement" enables JPEG file detection based on its content.

Table 3-147
Default Flag Settings: Off
Log Generated by Protection: JPEG Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.

Table 3-148 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same
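The two ideas in this protection, content-based detection of a JPEG regardless of extension or Content-Type ("strict enforcement") and structural validation of its marker segments, as an added example that is not Check Point's code. The byte string built by build_jpeg is constructed test input shaped like a JPEG, not a decodable image.

```python
"""Structural JPEG validation of the kind the Malformed JPEG protection
performs.  Added example, not Check Point's code.  check_jpeg returns
None for a well-formed file, else a description of the first defect."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))   # markers without a length field

def looks_like_jpeg(data):
    """Content-based detection ('Perform strict enforcement'): ignore the file
    extension and Content-Type and look for the SOI marker followed by a marker."""
    return len(data) >= 4 and data[0:2] == b"\xff\xd8" and data[2] == 0xFF

def check_jpeg(data):
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return "missing SOI marker"
    pos, seen_sos = 2, False
    while True:
        if pos + 2 > len(data):
            return "truncated before EOI"
        if data[pos] != 0xFF:
            return "expected marker at offset %d" % pos
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill bytes before a marker are legal
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return None if seen_sos else "EOI before any scan"
        if marker == SOI:
            return "duplicate SOI"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return "segment length truncated"
        seg_len = struct.unpack("!H", data[pos:pos + 2])[0]   # includes the 2 length bytes
        if seg_len < 2:
            return "segment length below minimum"
        if pos + seg_len > len(data):
            return "segment length exceeds file size"
        if marker == SOS:
            seen_sos = True
            pos = _skip_entropy_coded(data, pos + seg_len)
        else:
            pos += seg_len

def _skip_entropy_coded(data, pos):
    """Advance past entropy-coded data to the next real marker.  FF00 is a
    stuffed byte and FFD0..FFD7 are restart markers; both belong to the scan."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
            return pos
        pos += 1
    return len(data)

def build_jpeg(app0_len=16, scan=b"\x12\xff\x00\x34"):
    """Construct a minimal JPEG-shaped byte string (constructed test input, not
    a decodable image): SOI, APP0 segment, SOS header, entropy data, EOI."""
    app0 = b"\xff\xe0" + struct.pack("!H", app0_len) + b"JFIF\x00" + bytes(app0_len - 7)
    sos = b"\xff\xda" + struct.pack("!H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
```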


Malformed ANI File

By enabling this protection, SmartDefense will block malformed ANI files on all services with Protocol Type 'HTTP'.

Table 3-149
Default Flag Settings: Off
Log Generated by Protection: ANI Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.

Table 3-150 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


MS-RPC

DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135

This protection allows specific MS-RPC interfaces, such as the DCOM interface, if they are allowed in the Rule Base. You can use the DCE-RPC services to create them and apply the protections in this page. SmartDefense unconditionally blocks the "Blaster" worm and its variants, while allowing legitimate DCOM traffic.

Table 3-151
Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables acceleration of RPC traffic.

Table 3-152 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      *Enforced           Not Enforced
R55W               Same                Same


Drop Unauthenticated DCOM

Table 3-153
Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables acceleration of RPC traffic.

Table 3-154 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      *Enforced           Not Enforced
R55W               Same                Same

MS-RPC Program Lookup

This protection blocks Lookup operation requests and prevents the exploitation of this vulnerability.

Table 3-155
Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables acceleration of RPC traffic.

Table 3-156 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Not Enforced        Not Enforced


MS-SQL

The protections in this section allow you to configure various protections related to the MS SQL Server protocols.

MS-SQL Monitor Protocol

With this protection you can configure different protections to be applied to the MS SQL Monitor protocol (running on UDP port 1434).

Table 3-157
Default Flag Settings: Off
Log Generated by Protection: MS-SQL Monitor Protocol Enforcement Violation
NGX Performance Impact: Disables acceleration of MS-SQL traffic.

Table 3-158 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


MS-SQL Server Protocol

With this protection you can apply several protections to the MS SQL Server protocol (running on TCP port 1433).

Table 3-159
Default Flag Settings: Off
Log Generated by Protection: MS-SQL Server Protocol Enforcement Violation
NGX Performance Impact: Disables acceleration of MS-SQL traffic.

Table 3-160 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


Routing Protocols

The protections in this section allow you to select what types of enforcement will be applied to routing protocols.

OSPF

By enabling this protection, SmartDefense will enforce the validity of the OSPF packet header, including protocol version, message type and packet length. In addition, SmartDefense is able to detect and block OSPF traffic that is not MD5-authenticated, which is considered insecure.

Table 3-161
Default Flag Settings: Off
Log Generated by Protection: OSPF enforcement violation
NGX Performance Impact: Performance Pack: none (this traffic is not accelerated). Nokia: disables acceleration of these protocols.

Table 3-162 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same
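An added example, not Check Point's code, of the two checks this protection describes on OSPFv2: header validity (version, type, packet length against the bytes received) and whether the packet uses cryptographic (MD5, AuType 2) authentication rather than null or simple-password authentication. The Hello builder is constructed test input whose MD5 digest bytes are filler, not a computed digest.

```python
"""OSPFv2 header validation plus the non-MD5 authentication check the
routing-protocol protections above describe.  Added example, not the
product's code.  Field layout follows RFC 2328 appendix A.3.1 and D.3."""
import struct

OSPF_HDR = struct.Struct("!BBHIIHH8s")     # ver, type, len, router id, area, csum, autype, auth
AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2
PACKET_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request",
                4: "LS Update", 5: "LS Ack"}

def inspect_ospf(payload, require_md5=True):
    """payload is the OSPF packet after the IP header.  Returns (ok, message)."""
    if len(payload) < OSPF_HDR.size:
        return False, "header truncated"
    ver, ptype, plen, _rid, _area, _csum, autype, auth = OSPF_HDR.unpack_from(payload)
    if ver != 2:
        return False, "protocol version %d is not OSPFv2" % ver
    if ptype not in PACKET_TYPES:
        return False, "unknown message type %d" % ptype
    if plen < OSPF_HDR.size or plen > len(payload):
        return False, "packet length %d inconsistent with %d received bytes" % (plen, len(payload))
    if autype == AUTH_CRYPTO:
        # auth field: 2 zero bytes, key id, auth data length, crypto sequence number;
        # the digest itself follows the packet body, outside the counted length
        key_id, auth_len, seq = struct.unpack("!xxBBI", auth)
        if auth_len != 16 or plen + auth_len > len(payload):
            return False, "cryptographic auth trailer missing or wrong size"
        return True, "%s, MD5 key id %d seq %d" % (PACKET_TYPES[ptype], key_id, seq)
    if require_md5:
        kind = {AUTH_NULL: "null", AUTH_SIMPLE: "simple-password"}.get(autype, "unknown")
        return False, "%s packet with %s authentication (AuType %d)" % (PACKET_TYPES[ptype], kind, autype)
    return True, "%s accepted without MD5" % PACKET_TYPES[ptype]

def build_ospf_hello(autype, body_len=20):
    """Construct an OSPF Hello (constructed test input).  For AuType 2 a
    16-byte trailer is appended after the counted packet; its bytes are
    filler here, not a real digest."""
    auth = struct.pack("!xxBBI", 1, 16, 1) if autype == AUTH_CRYPTO else bytes(8)
    plen = OSPF_HDR.size + body_len
    hdr = OSPF_HDR.pack(2, 1, plen, 0x0A000001, 0, 0, autype, auth)
    pkt = hdr + bytes(body_len)
    if autype == AUTH_CRYPTO:
        pkt += b"\xab" * 16
    return pkt
```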


BGP (block non-MD5 authenticated BGP connections)

By enabling this protection, SmartDefense will detect and block BGP traffic that is not MD5-authenticated, which is considered insecure.

Table 3-163
Default Flag Settings: Off
Log Generated by Protection: BGP Enforcement Violation
NGX Performance Impact: Performance Pack: none (this traffic is not accelerated). Nokia: disables acceleration of these protocols.

Table 3-164 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


RIP

By enabling this protection, SmartDefense will enforce the validity of the RIP packet header. In addition, SmartDefense is able to detect and block RIP traffic that is not MD5-authenticated, which is considered insecure.

Table 3-165
Default Flag Settings: Off
Log Generated by Protection: RIP Enforcement Violation
NGX Performance Impact: Performance Pack: none (this traffic is not accelerated). Nokia: disables acceleration of these protocols.

Table 3-166 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


IGMP

By enabling this protection, SmartDefense will enforce the validity of the IGMP packet header. In addition, SmartDefense is able to detect and block IGMP traffic that is not MD5-authenticated, which is considered insecure.

Table 3-167
Default Flag Settings: Off
Log Generated by Protection: IGMP protocol Enforcement Violation
NGX Performance Impact: Performance Pack: none (this traffic is not accelerated). Nokia: disables acceleration of these protocols.

Table 3-168 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


SUN-RPC

The protections in this section allow you to select what types of enforcement will be applied to SUN-RPC (Remote Procedure Call) protocols.

SUN-RPC Program Lookup

This protection, available for NG with Application Intelligence (R55) and above, will block SUN-RPC interface scanning.

Table 3-169
Default Flag Settings: Off
Log Generated by Protection: SUN-RPC Enforcement Violation
NGX Performance Impact: Disables acceleration of SUN-RPC traffic.

Table 3-170 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


DHCP

By enabling this protection, SmartDefense will enforce the validity of the DHCP packet header and options.

Table 3-171
Default Flag Settings: Off
Log Generated by Protection: DHCP Protocol Enforcement Violation
NGX Performance Impact: None.

Table 3-172 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same


SOCKS

This protection provides enforcement of the SOCKS protocol. Non-SOCKS communication over the SOCKS protocol port (1080 by default) will be blocked. You may also block SOCKS version 4 only, or any unauthenticated SOCKS communication (often used by trojans to tunnel information).

Table 3-173
Default Flag Settings: Off
Log Generated by Protection: SOCKS Enforcement Violation
NGX Performance Impact: None.

Table 3-174 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same (R55 Only)     Same (R55 Only)
R55W               Same                Same
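The three decisions this protection describes, applied to the first client message on the SOCKS port, as an added example that is not Check Point's code: non-SOCKS bytes are dropped, SOCKS4 can be refused outright, and "unauthenticated" SOCKS (SOCKS4, which has no authentication, or a SOCKS5 greeting that offers no authenticating method) can be refused. The policy flag names and sample messages are this example's own.

```python
"""Classify the first client message on the SOCKS port (1080 by default)
and apply the policy switches described above.  Added example, not the
product's code; the flag names are this example's own."""

NO_AUTH, GSSAPI, USER_PASS = 0x00, 0x01, 0x02   # SOCKS5 method codes (RFC 1928)

def classify_socks(data):
    """Return ('socks4' | 'socks5' | 'not-socks', info dict)."""
    # SOCKS4 CONNECT/BIND: VN=4, CD, DSTPORT(2), DSTIP(4), USERID, NUL
    if len(data) >= 9 and data[0] == 4 and data[1] in (1, 2):
        if b"\x00" not in data[8:]:
            return "not-socks", {}               # USERID must be NUL terminated
        userid = data[8:data.index(b"\x00", 8)]
        return "socks4", {"command": data[1], "userid": userid,
                          "authenticated": False}   # SOCKS4 never authenticates
    # SOCKS5 greeting: VER=5, NMETHODS, METHODS[]
    if len(data) >= 2 and data[0] == 5:
        n = data[1]
        if n == 0 or len(data) != 2 + n:
            return "not-socks", {}
        methods = set(data[2:2 + n])
        # A client that offers only NO_AUTH can never end up authenticated;
        # one offering GSSAPI or USER_PASS may be, pending the server's choice.
        return "socks5", {"methods": methods,
                          "authenticated": bool(methods - {NO_AUTH})}
    return "not-socks", {}

def socks_decision(data, block_v4=False, block_unauthenticated=False):
    """Return (action, reason) for the first client message on the SOCKS port."""
    kind, info = classify_socks(data)
    if kind == "not-socks":
        return "drop", "non-SOCKS traffic on SOCKS port"
    if kind == "socks4" and block_v4:
        return "drop", "SOCKS version 4"
    if block_unauthenticated and not info["authenticated"]:
        return "drop", "%s without authentication" % kind
    return "accept", kind
```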


Chapter 4 Web Intelligence

In This Chapter
Introduction                  page 110
Malicious Code                page 111
Application Layer             page 113
Information Disclosure        page 118
HTTP Protocol Inspection      page 121

Introduction

Web Intelligence is based on Check Point's Stateful Inspection, Application Intelligence, and Malicious Code Protector technologies, so that it is possible to block not only specific attacks, but also entire categories of attacks, while allowing legitimate traffic to pass.

Malicious Code Protector is a Check Point patent-pending technology that blocks hackers from sending malicious code to target web servers and applications. It can detect malicious executable code within web communications by identifying not only the existence of executable code in a data stream but also its potential for malicious behavior. Malicious Code Protector is a kernel-based protection delivering almost wire-speed performance.

Application Intelligence is a set of technologies that detect and prevent application-level attacks by integrating a deeper understanding of application behavior into network security defenses.

Stateful Inspection analyzes information flow into and out of a network so that real-time security decisions can be based on communication session information as well as on application information. It accomplishes this by tracking the state and context of all communications traversing the firewall gateway, even when the connection involves complex protocols.

Web Intelligence is an add-on for VPN-1 Power. Customers who purchase the SmartDefense Subscription service can automatically update both SmartDefense and Web Intelligence with a single click. Updates are released frequently, and are obtained from the Check Point SmartDefense site:
http://www.checkpoint.com/techsupport/documentation/smartdefense/index.html
Customers with a valid subscription license also receive special SmartDefense Advisories that provide updated SmartDefense and Web Intelligence attack protections, as well as information, tools and best practice methods to mitigate different attacks.

Tip - It is recommended to keep your gateway version up-to-date, as the newest defenses are incorporated into the latest version of Check Point software.


Malicious Code

The protections in this section allow you to prevent attacks that run malicious code on web servers or clients.

General HTTP Worm Catcher

With this protection you can configure worm signatures that will be detected and blocked based on pre-defined patterns. This detection takes place in the kernel, and so is performed very quickly. It does not require a security server. This protection can be applied either to all traffic or to specific web servers. When the attack is blocked, users can be informed via a customizable web page.

Table 4-175
Default Flag Settings: On for defined web servers
Log Generated by Protection: Worm catcher pattern found. cmd.exe
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-176 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same                Enforced
R55W               Same                Same


Malicious Code Protector

This protection analyzes URLs, HTTP request headers and HTTP request bodies by disassembling machine code. It assesses the danger, and allows or rejects connections accordingly. Because it analyzes assembler code dynamically, it is able to protect against most future vulnerabilities without the need for patterns or updates. To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help. This protection is available for Web Servers running on the platforms specified in the online help.

Table 4-177
Default Flag Settings: Off
Log Generated by Protection: Malicious code detected in URL
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-178 (feature behavior in NGX R60 Management)
Gateway version    Protection On                 Monitor-Only Mode
NG FP3 to R55      Not Enforced                  Not Enforced
R55W               Same (except for Solaris)     Same


Application Layer

The protections in this section prevent hackers from introducing text, tags, commands, or other characters that a web application will interpret as special instructions. Introducing these characters in forms or URLs can allow a hacker to steal private data, redirect a communication session to a malicious web site, steal information from a database, gain unauthorized access, or execute restricted commands.

Cross Site Scripting

To protect against Cross-Site Scripting attacks, HTTP requests sent using the POST command that contain scripting code are rejected. This protection also understands the encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request; rather, the whole request is rejected. To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.

Table 4-179
Default Flag Settings: On for defined web servers
Log Generated by Protection: Cross Site Scripting detected in URL: 'script'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-180 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Same                Enforced
R55W               Same                Same


LDAP Injection

This protection protects LDAP servers by identifying attempted misuse of LDAP queries in forms and URLs submitted to Web applications. If an attack is detected, the connection is rejected. To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help. The list of LDAP fields that is examined can be customized, which makes it possible to control the use of customized LDAP fields, as well as standard ones.

Table 4-181
Default Flag Settings: On for defined web servers
Log Generated by Protection: LDAP Injection detected in URL: 'uid'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-182 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Not Enforced        Not Enforced


SQL Injection

Web Intelligence looks for SQL commands in forms and in URLs. If it finds them, the connection is rejected. To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.

Table 4-183
Default Flag Settings: On for defined web servers
Log Generated by Protection: SQL Injection detected in URL: 'select'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-184 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Same                Same


Command Injection

This protection looks for system commands in forms and in URLs. If it finds them, the connection is rejected. To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.

Table 4-185
Default Flag Settings: On for defined web servers
Log Generated by Protection: Command Injection detected in URL: 'chown'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-186 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Same                Same


Directory Traversal

This protection verifies that the URL does not contain an illegal combination of directory traversal characters. Requests in which the URL contains an illegal directory request are blocked.

Table 4-187
Default Flag Settings: On for defined web servers
Log Generated by Protection: directory traversal overflow http://1.2.3.4/../../
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-188 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Same                Same
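One detector serving the Cross Site Scripting, LDAP Injection, SQL Injection, Command Injection and Directory Traversal protections above, added as an example and not the Web Intelligence engine: it decodes URL query and POST form fields (including double-encoded values, the "encoded data sent as part of the URL" the XSS text mentions) and applies three tiers of patterns so that the detection-rate versus false-positive trade-off the text describes is visible as a level setting. The pattern lists, tier scheme and sample requests are this example's own constructions.

```python
"""Detection of the application-layer attack classes described above (XSS,
LDAP, SQL and command injection, directory traversal) over the URL path,
query and POST form fields.  Added example, not the product's engine; the
patterns and the three-level scheme are illustrative constructions."""
import re
from urllib.parse import unquote, parse_qsl, urlsplit

# Tier 1 holds the most distinctive tokens; tiers 2 and 3 add looser patterns
# that raise the detection rate at the cost of more false positives.
PATTERNS = {
    "xss": [[r"<\s*script", r"javascript:"],
            [r"on\w+\s*="],
            [r"<\s*(iframe|img|svg|object)"]],
    "sql": [[r"union\s+(all\s+)?select", r"'\s*or\s+'?1'?\s*=\s*'?1"],
            [r";\s*(drop|delete|insert|update)\s"],
            [r"\b(select|delete)\b.*\bfrom\b"]],
    "ldap": [[r"\)\s*\(\s*[|&]", r"\*\)\s*\("],
             [r"\(\s*[|&]\s*\("],
             [r"\(\s*\w+\s*=\s*\*"]],
    "cmd": [[r"[;|`]\s*(cat|chown|chmod|wget|curl)\b"],
            [r"\$\(\w+"],
            [r"[;|&]\s*\w+"]],
    "traversal": [[r"(^|/)\.\.(/|$)"],
                  [r"\.\.[\\/]"],
                  [r"\.\."]],
}
_COMPILED = {cat: [[re.compile(p, re.I) for p in tier] for tier in tiers]
             for cat, tiers in PATTERNS.items()}

def decode_value(value):
    """Percent-decode repeatedly (bounded) so a double-encoded payload such as
    %253C is seen as '<', then fold '+' to space as form encoding does."""
    for _ in range(3):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value.replace("+", " ")

def inspect_request(path_and_query, body="", level=2):
    """Return a list of (category, field, matched_text) findings; an empty list
    means accept.  level 1..3 selects how many pattern tiers are active.
    Traversal patterns are applied to the URL path only."""
    parts = urlsplit(path_and_query)
    fields = [("url-path", decode_value(parts.path))]
    fields += [(k, decode_value(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [(k, decode_value(v)) for k, v in parse_qsl(body, keep_blank_values=True)]
    findings = []
    for cat, tiers in _COMPILED.items():
        for tier in tiers[:level]:
            for rx in tier:
                for name, text in fields:
                    if cat == "traversal" and name != "url-path":
                        continue
                    m = rx.search(text)
                    if m:
                        findings.append((cat, name, m.group(0)))
    return findings
```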


Information Disclosure

One of the first steps an attacker may take before attacking a web site is to gather information about the site. The goal of the hacker is to get the web server to reveal information that the hacker can use to tailor an attack. This is known as "fingerprinting". The protections in this section allow you to prevent the web server from revealing information that is not required by users.

Header Spoofing

This protection allows you to remove or change a specific header (which can appear either in the HTTP Request or the Response) by giving a regular expression to identify the header name and header value. For example, a typical Server header contains the web server name and version number. Use this protection to spoof out the version information.

Note - Activating this protection decreases performance for Web traffic to which this protection is applied.

Table 4-189
Default Flag Settings: Off
Log Generated by Protection: Header Spoofing, replacing header, new header is 'IIS'
NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-190 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Same                Same


Directory Listing

This protection identifies web pages containing directory listings and blocks them. To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help.

Table 4-191
Default Flag Settings: Off
Log Generated by Protection: Directory Listing detected
NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-192 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Not Enforced        Not Enforced


Error Concealment

This protection looks for web server error messages in HTTP responses, and if it finds them, prevents the web page from reaching the user. Error messages are detected and concealed in two ways. The first way conceals HTTP Responses containing those 4XX and 5XX error status codes that reveal unnecessary information. It is possible to choose the status codes that will be concealed. The second way hides error messages generated by the web application engine. This approach is needed when the application engine does not tell the web server it has an error, in which case the web server displays error information that it should not. It is possible to configure patterns that identify messages from particular application engines. If these patterns are detected, the pages are blocked.

Table 4-193
Default Flag Settings: Off
Log Generated by Protection: Concealed HTTP response status code: '413'
NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-194 (feature behavior in NGX R60 Management)
Gateway version    Protection On       Monitor-Only Mode
NG FP3 to R55      Not Enforced        Not Enforced
R55W               Not Enforced        Not Enforced
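The response-side behaviour of the Header Spoofing and Error Concealment protections above in one piece of code, added as an example and not Check Point's implementation: headers are matched by name and value regular expressions and rewritten or removed, responses with configured 4XX/5XX status codes are concealed, and configured application-engine error patterns in the body also cause concealment. The sample responses and patterns are constructed for the test.

```python
"""Response-side controls for the two Information Disclosure protections
above: regex-driven header rewriting and error concealment by status code or
application-engine pattern.  Added example, not the product's code."""
import re

class ResponsePolicy:
    def __init__(self, header_rules=(), conceal_codes=(), engine_patterns=()):
        # header_rules: (name regex, value regex, replacement); replacement None removes the header
        self.header_rules = [(re.compile(n, re.I), re.compile(v, re.I), r)
                             for n, v, r in header_rules]
        self.conceal_codes = set(conceal_codes)
        self.engine_patterns = [re.compile(p, re.I) for p in engine_patterns]

    def apply(self, raw):
        """raw: bytes of one HTTP response.  Returns (action, response, log)
        where action is 'pass', 'modified' or 'conceal' (response then None)."""
        head, sep, body = raw.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        status_line, headers = lines[0], lines[1:]
        parts = status_line.split(" ", 2)
        if len(parts) < 2 or not parts[1].isdigit():
            return "conceal", None, "malformed status line"
        code = int(parts[1])
        if code in self.conceal_codes:
            return "conceal", None, "Concealed HTTP response status code: '%d'" % code
        text = body.decode("latin-1", "replace")
        for rx in self.engine_patterns:
            m = rx.search(text)
            if m:
                return "conceal", None, "application engine error pattern '%s'" % m.group(0)
        out, log, changed = [], None, False
        for line in headers:
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            for name_rx, value_rx, repl in self.header_rules:
                if name_rx.fullmatch(name) and value_rx.search(value):
                    changed = True
                    if repl is None:
                        log = "Header Spoofing, removing header '%s'" % name
                        line = None
                    else:
                        value = value_rx.sub(repl, value)
                        line = "%s: %s" % (name, value)
                        log = "Header Spoofing, replacing header, new header is '%s'" % value
                    break
            if line is not None:
                out.append(line)
        new_head = "\r\n".join([status_line] + out).encode("latin-1")
        return ("modified" if changed else "pass"), new_head + sep + body, log
```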


HTTP Protocol Inspection

HTTP Protocol Inspection provides strict enforcement of the HTTP protocol, ensuring that these sessions comply with RFC standards and common security practices. Web Intelligence performs high-performance kernel-level inspection of all connections passing through enforcement modules of version NG with Application Intelligence (R55W) or higher. For enforcement modules of version NG with Application Intelligence (R55) or lower, there is a choice. It is possible to choose whether to perform HTTP protocol inspection using the kernel for optimized performance, or using the HTTP Security Server for strict protocol enforcement. A third option applies the options only to connections related to resources used in the Rule Base, and enforces the options using the Security Server.

HTTP Format Sizes

It is good security practice to limit the sizes of the different elements in HTTP requests and responses. This reduces the chance of buffer overruns and limits the size of code that can be inserted into the header. This protection allows you to configure upper bounds for different elements in the HTTP request and response. You can also impose limits on specific headers using a regular expression to describe the header name. If the inspected HTTP connection contains more than one request, the limits are imposed on each request separately.

Table 4-195
Default Flag Settings: On

Maximum Request Body Size:


Table 4-196

Default Flag Settings: Log Generated by Protection: NGX Performance Impact:

Off Request body length exceeded allowed maximum length of 49152 bytes None (works only on C2S traffic, which is accelerated)

Table 4-197

NG FP3 to R55 feature behavior when protection is on in NGX R60 Management Not Enforced feature behavior when protection is in Monitor-Only mode in NGX R60 Management Not Enforced

R55W feature behavior when protection is on in NGX R60 Management Same feature behavior when protection is in Monitor-Only mode in NGX R60 Management Same

Maximum URL Length:


Table 4-198
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On for defined web servers | URL length exceeded allowed maximum length of 2048 bytes | None (works only on C2S traffic, which is accelerated)

Table 4-199
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Same


Maximum Header Value Length:


Table 4-200
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On for defined web servers | 'host' header length exceeded maximum allowed length | None (works only on C2S traffic, which is accelerated)

Table 4-201
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Same

Maximum Number of Headers:


Table 4-202
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On for defined web servers | Number of HTTP headers exceeded allowed maximum of 500 | None (works only on C2S traffic, which is accelerated)

Table 4-203
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Same

ASCII Only Request


This protection makes it possible to selectively block non-ASCII characters in HTTP requests. Blocking can be applied to HTTP request headers and to form fields. When a user submits a web form, the data can be carried in the query section of the URL or in the body of the HTTP request, so both locations are covered.
Table 4-204
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On for defined web servers | Invalid character detected in request URL: '0xff' | None (works only on C2S traffic, which is accelerated)

Table 4-205
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Same

ASCII Only Response Headers


This protection drops responses that contain non-ASCII values.
Note - Activating this protection decreases performance for Web traffic to which this protection is applied.

With this page you can force all HTTP response headers to be ASCII only. This prevents some malicious content from passing in the HTTP protocol headers.
Table 4-206
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off | Invalid character detected in response headers: '0xff' | Disables acceleration on all HTTP traffic.

Table 4-207
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same | Enforced
R55W | Same | Enforced

Header Rejection
This protection allows you to reject HTTP requests that contain specific headers and header values. The HTTP header name and value are defined using case-sensitive regular expressions.
Table 4-208
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off | Header Rejection pattern found in request | None (works only on C2S traffic, which is accelerated).

Table 4-209
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Same (previously referred to as Peer to Peer) | Enforced
R55W | Same | Same

HTTP Methods
This protection can be used to control which HTTP methods can be used in HTTP requests. Web Intelligence divides the HTTP methods into three groups: standard safe (GET, HEAD and POST), standard unsafe (the other standard HTTP methods), and WebDAV. By default, all methods other than the standard safe methods are blocked. To allow users access to popular applications such as Microsoft Hotmail, Outlook Web Access, and FrontPage, the non-RFC-compliant WebDAV HTTP methods can be allowed. It is possible to choose exactly which methods to block. For example, if only the GET and POST methods are allowed and all others are blocked, the following HTTP request using a WebDAV method will be rejected: MKCOL / HTTP/1.0
Table 4-210
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
On for defined web servers | Blocked Method: 'PUT' | None (works only on C2S traffic, which is accelerated).

Table 4-211
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Same | Same

Block HTTP on Non-Standard Port


SmartDefense is able to detect and block HTTP traffic on any TCP port that the security administrator has not configured as an allowed port for HTTP. For more details on how to allow HTTP traffic on non-standard ports, please refer to the above CPSA-2005-01 advisory.
Table 4-212
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off | | Disables session rate acceleration.

Table 4-213
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced | Not Enforced
R55W | Not Enforced | Not Enforced

Block Malicious HTTP Encodings


NULL encoding in URIs is mostly used when trying to bypass URI-based restrictions, or to take advantage of the fact that some web servers ignore everything after a NULL character. This protection allows you to block HTTP requests that contain NULL encoding in the path part of the URI.
Table 4-214
Default Flag Settings | Log Generated by Protection | NGX Performance Impact
Off | | Disables session rate acceleration.

Table 4-215
Version | Feature behavior when protection is on in NGX R60 Management | Feature behavior when protection is in Monitor-Only mode in NGX R60 Management
NG FP3 to R55 | Not Enforced (R54, FP3); Same (R55 only) | Not Enforced (R54, FP3); Same (R55 only)
R55W | Same | Same
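The request-side checks described in this chapter (HTTP Format Sizes, ASCII Only Request, Header Rejection, HTTP Methods and Block Malicious HTTP Encodings), modelled as an added Python example; this is not Check Point code. It uses the defaults quoted in the tables above (2048-byte URL, 500 headers, 49152-byte body, standard safe methods only); the 1024-byte header-value limit, the NULL-encoding log wording and the sample traffic are assumptions made for this example.

```python
"""Added example (not Check Point's code): a model of the request-side checks
described in this chapter, enforced on each request of a pipelined connection."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Method groups as defined by the HTTP Methods protection.
STANDARD_SAFE = frozenset({"GET", "HEAD", "POST"})
STANDARD_UNSAFE = frozenset({"PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"})
WEBDAV = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"})

# (method, URL, [(header name, raw value)], body)
Request = Tuple[str, str, List[Tuple[str, bytes]], bytes]


@dataclass(frozen=True)
class Limits:
    """Bounds quoted in the guide's tables, except max_header_value_len, which
    the guide leaves unspecified; 1024 is an assumption made for this example."""
    max_url_len: int = 2048
    max_header_value_len: int = 1024
    max_headers: int = 500
    max_body_len: int = 49152
    allowed_methods: frozenset = STANDARD_SAFE   # default: block everything else
    ascii_only: bool = True
    block_null_in_path: bool = True
    # (name regex, value regex) pairs, matched case-sensitively as the guide states.
    header_rejections: Tuple[Tuple[str, str], ...] = ()


def split_requests(stream: bytes) -> Iterator[Request]:
    """Split a client-to-server byte stream into individual requests so that
    every limit is applied to each request separately."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete request header")
        lines = stream[pos:end].split(b"\r\n")
        method, url, _version = lines[0].decode("latin-1").split(" ", 2)
        headers, body_len = [], 0
        for raw in lines[1:]:
            name, _, value = raw.partition(b":")
            value = value.strip()
            headers.append((name.decode("latin-1"), value))
            if name.lower() == b"content-length":
                body_len = int(value)
        body_start = end + 4
        yield method, url, headers, stream[body_start:body_start + body_len]
        pos = body_start + body_len


def inspect_request(req: Request, limits: Limits = Limits()) -> List[str]:
    """Return the log lines the protections would emit; an empty list means
    the request passes all of them."""
    method, url, headers, body = req
    logs: List[str] = []
    if method not in limits.allowed_methods:
        logs.append(f"Blocked Method: '{method}'")
    if len(url) > limits.max_url_len:
        logs.append(f"URL length exceeded allowed maximum length of {limits.max_url_len} bytes")
    if len(headers) > limits.max_headers:
        logs.append(f"Number of HTTP headers exceeded allowed maximum of {limits.max_headers}")
    if len(body) > limits.max_body_len:
        logs.append(f"Request body length exceeded allowed maximum length of {limits.max_body_len} bytes")
    for name, value in headers:
        if len(value) > limits.max_header_value_len:
            logs.append(f"'{name.lower()}' header length exceeded maximum allowed length")
    if limits.ascii_only:
        # Form data can ride in the query part of the URL or in the body, so
        # both are checked alongside the header values.
        sections = [("request URL", url.encode("latin-1")), ("request body", body)]
        sections += [("request headers", v) for _, v in headers]
        for label, data in sections:
            bad = next((b for b in data if b > 0x7F), None)
            if bad is not None:
                logs.append(f"Invalid character detected in {label}: '0x{bad:02x}'")
                break
    if limits.block_null_in_path:
        path = url.split("?", 1)[0]          # only the path part, not the query
        if "\x00" in path or "%00" in path:
            logs.append("NULL encoding found in URI path")  # wording is this example's
    for name_re, value_re in limits.header_rejections:
        if any(re.search(name_re, n) and re.search(value_re, v.decode("latin-1"))
               for n, v in headers):
            logs.append("Header Rejection pattern found in request")
            break
    return logs


def inspect_stream(stream: bytes, limits: Limits = Limits()) -> List[List[str]]:
    """Inspect every request on one connection; index i holds request i's logs."""
    return [inspect_request(req, limits) for req in split_requests(stream)]


# Constructed sample traffic: four pipelined requests on one connection.
SAMPLE_STREAM = (
    b"GET /index.html?q=caf\xe9 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"MKCOL /docs/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=bob&"
    b"GET /cgi-bin/view%00.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
)

if __name__ == "__main__":
    for i, logs in enumerate(inspect_stream(SAMPLE_STREAM)):
        print(i, logs or ["pass"])
```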


THIRD PARTY TRADEMARKS AND COPYRIGHTS


Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrusts logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust. Verisign is a trademark of Verisign Inc. The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright Sax Software (terminal emulation only). The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. 
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group.


The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. 
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). 
Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 The curl license COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>.All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. The PHP License, version 3.0 Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo" 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. 
Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>". THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. This product includes software written by Tim Hudson (tjh@cryptsoft.com). THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd


Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved. Confidential Copyright Notice Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop.
Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed. Trademark Notice The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600. U.S. Government Restricted Rights The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights.
The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations. Disclaimer Warranty Disclaimer THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT. Limitation of Liability


UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU. Copyright ComponentOne, LLC 1991-2002. All Rights Reserved. BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")) Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release PCRE LICENCE PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself. Written by: Philip Hazel <ph10@cam.ac.uk> University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. Copyright (c) 1997-2004 University of Cambridge All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.


Index

A
Address Spoofing 43
Allow Only SNMPv3 Traffic 88
Allowed 22
Always On 22
Application Intelligence 110
Application Layer 113
ASCII Only Request 124
ASCII Only Response Headers 125

B
BGP 103
Block ASN.1 Bitstring Encoding Attack 63
Block ASN.1 Bitstring Encoding Attack over SMTP 57
Block CISCO IOS DOS 34
Block Data Connections to Low Ports 52
Block HTTP on Non-Standard Port 128
Block IKE Aggressive Exchange 92, 93
Block Malicious HTTP Encodings 129
Block Null CIFS Sessions 61
Block Null Payload ICMP 35
Block Popup Messages 62
Block SSL Null-Pointer Assignment 91
Block Welchia ICMP 33
Block WINS Name Validation Attack 65
Block WINS Replication Attack 64

C
Cache Poisoning Protections 78
Command Injection 116
Content Protection 96
Cross Site Scripting 113

D
DCOM 98
Denial Of Service 25
Denial of Service 44
DHCP 107
Directory Listing 119
Directory Traversal 117
DNS 75
Domain Block List 77
DOS Protection 80
Drop Requests to Default Community Strings 89
Drop Unauthenticated DCOM 99
DShield Storm Center 48
Dynamic Ports 52

E
Enforced 22
Error Concealment 120

F
File and Print Sharing 60
Fingerprint Scrambling 40
FTP 58
FTP Bounce 58
FTP Security Server 59

G
General HTTP Worm Catcher 111

H
H323 81
Header Rejection 126
Header Spoofing 118
Host Port Scan 50
HTTP Format Sizes 121
HTTP Methods 127
HTTP Protocol Inspection 121

I
ICQ 74
IGMP 105
Information Disclosure 118
Instant Messengers 69
IP and ICMP 29
IP Fragments 31
IP ID 42
ISN Spoofing 40

L
LAND 27
LDAP Injection 114
Local Interface Spoofing 45

M
Mail 55
Mail Security Server 56
Malformed ANI File 97
Malformed JPEG 96
Malicious Code 111
Malicious Code Protector 110, 112
Max Ping Size 30
Maximum Header Value Length 123
Maximum Number of Headers 123
Maximum Request Body Size 83, 122
Maximum URL Length 122
MGCP (allowed commands) 86
Microsoft Networks 60
MSN Messenger over MSNMS 71
MSN Messenger over SIP 70
MS-RPC 98
MS-RPC Program Lookup 99
MS-SQL 100
MS-SQL Monitor Protocol 100
MS-SQL Server Protocol 101

N
N/A 22
Network Quota 32
NG FP3 18
NG R55W 18
NG With Application Intelligence R54 18
NG With Application Intelligence R55 18
Non TCP Flooding 28
Not Enforced 22

O
Off 22
On 22
OSPF 102

P
Packet Sanity 29
Peer to Peer 66
Ping of Death 26
POP3 / IMAP Security 55
Port Scan 50
PPTP Enforcement 90
Protocol Enforcement - TCP 75
Protocol enforcement - UDP 76

R
Report to DShield 49
Resource Records Enforcements 79
Retrieve and Block Malicious IPs 48
RIP 104
Routing Protocols 102

S
Same 22
SCCP (Skinny) 87
Sequence Verifier 39
SIP 82
Skype 72
Small PMTU 37
SmartDefense 18
SNMP 88
SOCKS 108
Spoofed Reset Protection 38
SQL Injection 115
SSH - Detect SSH over NonStandard Ports 94
SSH Enforcement 95
Stateful Inspection 110
Successive Alerts 46
Successive Events 43
Successive Multiple Connections 47
SUN-RPC 106
SUN-RPC Program Lookup 106
Sweep Scan 51
SYN Attack Configuration 36

T
TCP 36
Teardrop 25
TTL 41

V
VoIP 80
VPN Protocols 90

W
Web Intelligence 19

Y
Yahoo! Messenger 73

February 2007
