Checkpoint NGX Smart Defense Protections Reference Guide

Check Point NGX SmartDefenseProtections Reference Guide

Administration Guide

For NGX R60 and Above

July 2006

TM

© 2003-2007 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Table of Contents 5

Contents

Preface Who Should Use This Guide.............................................................................. 10Summary of Contents ....................................................................................... 11Related Documentation .................................................................................... 12More Information ............................................................................................. 15Feedback ........................................................................................................ 16

Chapter 1 Introduction Overview and Purpose ...................................................................................... 18

SmartDefense............................................................................................. 18Web Intelligence......................................................................................... 19

Obtaining the Latest Version of the Documentation ............................................. 20Structure of the Guide...................................................................................... 21How to Read this Document:............................................................................. 22

Chapter 2 Network Security Introduction .................................................................................................... 24Denial Of Service............................................................................................. 25

Teardrop .................................................................................................... 25Ping of Death ............................................................................................. 26LAND ........................................................................................................ 27Non TCP Flooding....................................................................................... 28

IP and ICMP ................................................................................................... 29Packet Sanity ............................................................................................. 29Max Ping Size ............................................................................................ 30IP Fragments.............................................................................................. 31Network Quota............................................................................................ 32Block Welchia ICMP.................................................................................... 33Block CISCO IOS DOS................................................................................. 34Block Null Payload ICMP............................................................................. 35

TCP................................................................................................................ 36SYN Attack Configuration ............................................................................ 36Small PMTU............................................................................................... 37Spoofed Reset Protection ............................................................................ 38Sequence Verifier ....................................................................................... 39

Fingerprint Scrambling..................................................................................... 40ISN Spoofing.............................................................................................. 40TTL ........................................................................................................... 41IP ID ......................................................................................................... 42

Successive Events............................................................................................ 43Address Spoofing........................................................................................ 43Denial of Service ........................................................................................ 44Local Interface Spoofing.............................................................................. 45

6

Successive Alerts........................................................................................ 46Successive Multiple Connections.................................................................. 47

DShield Storm Center ...................................................................................... 48Retrieve and Block Malicious IPs ................................................................. 48Report to DShield ....................................................................................... 49

Port Scan........................................................................................................ 50Host Port Scan ........................................................................................... 50Sweep Scan ............................................................................................... 51

Dynamic Ports ................................................................................................. 52Block Data Connections to Low Ports ............................................................ 52

Chapter 3 Application Intelligence Introduction .................................................................................................... 54Mail ............................................................................................................... 55

POP3 / IMAP Security ................................................................................. 55Mail Security Server .................................................................................... 56Block ASN.1 Bitstring Encoding Attack over SMTP ........................................ 57

FTP ................................................................................................................ 58FTP Bounce ............................................................................................... 58FTP Security Server .................................................................................... 59

Microsoft Networks .......................................................................................... 60File and Print Sharing ................................................................................. 60Block Null CIFS Sessions ............................................................................ 61Block Popup Messages................................................................................ 62Block ASN.1 Bitstring Encoding Attack......................................................... 63Block WINS Replication Attack .................................................................... 64Block WINS Name Validation Attack............................................................. 65

Peer to Peer .................................................................................................... 66Excluded Services/Network Objects .............................................................. 66All Protocols through Port 80 ....................................................................... 67All Protocols............................................................................................... 68

Instant Messengers .......................................................................................... 69Excluded Services/Network Objects .............................................................. 69MSN Messenger over SIP............................................................................. 70MSN Messenger over MSNMS...................................................................... 71Skype ........................................................................................................ 72Yahoo! Messenger ....................................................................................... 73ICQ ........................................................................................................... 74

DNS ............................................................................................................... 75Protocol Enforcement - TCP......................................................................... 75Protocol Enforcement - UDP ........................................................................ 76Domain Block List ...................................................................................... 77Cache Poisoning Protections ........................................................................ 78Resource Records Enforcements .................................................................. 79

VoIP ............................................................................................................... 80DOS Protection........................................................................................... 80H323 ........................................................................................................ 81SIP............................................................................................................ 82

Table of Contents 7

MGCP (allowed commands) ......................................................................... 86SCCP (Skinny) ............................................................................................ 87

SNMP............................................................................................................. 88Allow Only SNMPv3 Traffic.......................................................................... 88Drop Requests to Default Community Strings................................................. 89

VPN Protocols ................................................................................................. 90PPTP Enforcement...................................................................................... 90SSL Enforcement........................................................................................ 91Block IKE Aggressive Exchange.................................................................... 92IKE Enforcement ........................................................................................ 93SSH - Detect SSH over Non-Standard Ports................................................... 94SSH Enforcement ....................................................................................... 95

Content Protection ........................................................................................... 96Malformed JPEG......................................................................................... 96Malformed ANI File..................................................................................... 97

MS-RPC.......................................................................................................... 98DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135 .. 98Drop Unauthenticated DCOM ....................................................................... 99MS-RPC Program Lookup ............................................................................ 99

MS-SQL........................................................................................................ 100MS-SQL Monitor Protocol .......................................................................... 100MS-SQL Server Protocol ............................................................................ 101

Routing Protocols .......................................................................................... 102OSPF....................................................................................................... 102BGP (block non-MD5 authenticated BGP connections) ................................. 103RIP ......................................................................................................... 104IGMP....................................................................................................... 105

SUN-RPC...................................................................................................... 106SUN-RPC Program Lookup ........................................................................ 106

DHCP ........................................................................................................... 107SOCKS ......................................................................................................... 108

Chapter 4 Web Intelligence Introduction .................................................................................................. 110Malicious Code.............................................................................................. 111

General HTTP Worm Catcher...................................................................... 111Malicious Code Protector ........................................................................... 112

Application Layer........................................................................................... 113Cross Site Scripting .................................................................................. 113LDAP Injection ......................................................................................... 114SQL Injection ........................................................................................... 115Command Injection................................................................................... 116Directory Traversal .................................................................................... 117

Information Disclosure ................................................................................... 118Header Spoofing ....................................................................................... 118Directory Listing ....................................................................................... 119Error Concealment .................................................................................... 120

HTTP Protocol Inspection ............................................................................... 121

8

HTTP Format Sizes ................................................................................... 121ASCII Only Request .................................................................................. 124ASCII Only Response Headers.................................................................... 125Header Rejection ...................................................................................... 126HTTP Methods ......................................................................................... 127Block HTTP on Non-Standard Port ............................................................. 128Block Malicious HTTP Encodings ............................................................... 129

Index.......................................................................................................... 137

9

Preface PPreface

In This Chapter

Who Should Use This Guide page 10

Summary of Contents page 11

Related Documentation page 12

More Information page 15

Feedback page 16

Who Should Use This Guide

10

Who Should Use This GuideThis guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of

• System administration.

• The underlying operating system.

• Internet protocols (IP, TCP, UDP etc.).

Summary of Contents

Preface 11

Summary of ContentsThis guide contains the following chapters:

Chapter Description

Chapter 1, “Introduction” Provides system administrators with an understanding about the implication of each protection when installing a policy on previous releases (in other words, backwards compatibility).

Chapter 2, “Network Security”

Provides information about each Network Security Protection.

Chapter 3, “Application Intelligence”

Provides information about each Application Intelligence Protection.

Chapter 4, “Web Intelligence”

Provides information about each Web Intelligence Protection.

Related Documentation

12

Related DocumentationThe release includes the following documentation:

TABLE P-1 VPN-1 Power documentation suite documentation

Title Description

Internet Security Product Suite Getting Started Guide

Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.

Upgrade Guide Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.

SmartCenter Administration Guide

Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints.

Firewall and SmartDefense Administration Guide

Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.

Virtual Private Networks Administration Guide

This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.


Preface 13

Eventia Reporter Administration Guide

Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.

SecurePlatform™/ SecurePlatform Pro Administration Guide

Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.

Provider-1/SiteManager-1 Administration Guide

Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

TABLE P-2 Integrity Server documentation

Title Description

Integrity Advanced Server Installation Guide

Explains how to install, configure, and maintain the Integrity Advanced Server.

Integrity Advanced Server Administrator Console Reference

Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.

Integrity Advanced Server Administrator Guide

Explains how to managing administrators and endpoint security with Integrity Advanced Server.

Integrity Advanced Server Gateway Integration Guide

Provides information about how to integrating your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.

TABLE P-1 VPN-1 Power documentation suite documentation (continued)

Title Description


14

Integrity Advanced Server System Requirements

Provides information about client and server requirements.

Integrity Agent for Linux Installation and Configuration Guide

Explains how to install and configure Integrity Agent for Linux.

Integrity XML Policy Reference Guide

Provides the contents of Integrity client XML policy files.

Integrity Client Management Guide

Explains how to use of command line parameters to control Integrity client installer behavior and post-installation behavior.

TABLE P-2 Integrity Server documentation (continued)

Title Description

More Information

Preface 15

More Information• For additional technical information about Check Point products, consult Check

Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/.

• See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents.

https://secureknowledge.checkpoint.com/

https://secureknowledge.checkpoint.com/

http://www.checkpoint.com/support/technical/documents

http://www.checkpoint.com/support/technical/documents

Feedback

16

FeedbackCheck Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]

mailto:[email protected]?subject=Check Point User Guide feedback

17

Chapter 1Introduction

In This Chapter

Overview and Purpose page 18

Obtaining the Latest Version of the Documentation page 20

Structure of the Guide page 21

How to Read this Document: page 22

Overview and Purpose

18

Overview and PurposeThis guide is divided into a number of sections and chapters that provide an overview of how NGX R60 SmartDefense and Web Intelligence protections work with the following previous versions:

• NG FP3

• NG With Application Intelligence R54

• NG With Application Intelligence R55 (including R55P)

• NG With Application Intelligence R55W

The intention of this guide is to provide system administrators with an understanding about the implication of each protection when installing a policy on previous releases (in other words, backwards compatibility).

To fully understand SmartDefense and Web Intelligence protections it is recommended that you familiarize yourself with NGX R60 behavior. To do this, refer to the CheckPoint R65 Firewall SmartDefense Administration Guide.

SmartDefenseCheck Point SmartDefense provides a unified security framework for various components that identify and prevent attacks. SmartDefense actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. It unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications. It protects organizations from all known, and most unknown, network attacks using intelligent security technology.

Keeping up-to-date with the latest defenses does not require up-to-the-minute technical knowledge. A single click updates SmartDefense with all the latest defenses from the SmartDefense website.

SmartDefense provides a console that can be used to:

• Choose the attacks that you wish to defend against, and read detailed information about the attack.

• Easily configure parameters for each attack, including logging options.

• Receive real-time information on attacks, and update SmartDefense with new capabilities.

Web Intelligence

Chapter 1 Introduction 19

Web IntelligenceCheck Point Web Intelligence enables customers to configure, enforce and update attack protections for web servers and applications. Web Intelligence protections are designed specifically for web-based attacks, and complement the network and application level protections offered by SmartDefense. In addition, Web Intelligence Advisories published online by Check Point provide information and add new attack defenses.

Web Intelligence not only protects against a range of known attacks, varying from attacks on the web server itself to databases used by web applications, but also incorporates intelligent security technologies that protect against entire categories of emerging, or unknown, attacks.

Unlike web firewalls and traditional intrusion protection systems, Web Intelligence provides proactive attack protections. It ensures that communications between clients and web servers comply with published standards and security best practices, restricts hackers from executing irrelevant system commands, and inspects traffic passing to web servers to ensure that they don't contain dangerous malicious code. Web Intelligence allows organizations to permit access to their web servers and applications without sacrificing either security or performance.

Obtaining the Latest Version of the Documentation

20

Obtaining the Latest Version of the Documentation

SmartDefense and Web Intelligence protections are being continuously updated. For this reason, see the latest available online version of this document in the User Center at http://www.checkpoint.com/support/technical/documents/docs_r62.html. For additional information contact your Check Point partner.

http://www.checkpoint.com/support/technical/documents/docs_r62.html

Structure of the Guide

Chapter 1 Introduction 21

Structure of the GuideThis guide is divided into a number of chapters:

Chapter 2, “Network Security” gives an overview of Network Security protections, which enable protection against attacks on the network and transport level.

Chapter 3, “Application Intelligence” gives an overview of Application Intelligence protections, which enable the configuration of various protections at the application layer, using SmartDefense's Application Intelligence capabilities.

Chapter 4, “Web Intelligence” provides high performance attack protection for web servers and applications. It provides proactive attack protection by looking for malicious code and ensuring adherence to protocols and security best practice.

How to Read this Document:

22

How to Read this Document:In this guide the condition of each protection in a specific scenario is represented by a status. The following represent all of the possible statuses:

• On

indicates that the protection is on by default. However, within the protection options may be off/on by default.

• Off

indicates that the protection is off by default.

• Same

indicates that the protections behavior is the same as in NGX R60.

• Always On

indicates that the protection cannot be turned off on modules from this release even though it is configured as Off in NGX R60 Management.

• Enforced

indicates that the protection is active.

• *Enforced

indicates that the protection is active, but that it did not exist when R55 was released. Before this protection can be active it requires a SmartDashboard update.

• Not Enforced

indicates that the protection is not active.

• Allowed

indicates all commands are allowed.

• N/A

indicates not applicable.

23

Chapter 2Network Security

In This Chapter

Introduction page 24

Denial Of Service page 25

IP and ICMP page 29

TCP page 36

Fingerprint Scrambling page 40

Successive Events page 43

DShield Storm Center page 48

Port Scan page 50

Dynamic Ports page 52

Introduction

24

IntroductionApplication Intelligence is primarily associated with application level defenses. However, in practice many attacks aimed at network applications actually target the network and transport layers.

Hackers target these lower layers as a means to access the application layer, and ultimately the application and data itself. Also, by targeting lower layers, attacks can interrupt or deny service to legitimate users and applications (e.g., DoS attacks). For these reasons, SmartDefense addresses not only the application layer, but also network and transport layers.

Preventing malicious manipulation of network-layer protocols (e.g., IP, ICMP) is a crucial requirement for multi-level security gateways. The most common vehicle for attacks against the network layer is the Internet Protocol (IP), whose set of services resides within this layer.

As with the network layer, the transport layer and its common protocols (TCP, UDP) provide popular access points for attacks on applications and their data.

The pages to follow contain information that will help you configure various SmartDefense protections against attacks on the network and transport level from versions prior to NGX R60. These pages allow you to configure protection against attacks which attempt to target network components or the firewall directly.

The effect of such attacks, on the IP, TCP, UDP or ICMP network protocols, range from simple identification of the operating systems used in your organization, to denial of service attacks on hosts and servers on the network.

Denial Of Service

Chapter 2 Network Security 25

Denial Of ServiceDenial of Service (DoS) attacks are aimed at disrupting normal operations of a service. The attacks in this section exploit bugs in operating systems to remotely crash the machines.

The detections in this protection depend on logs generated by SmartDefense. These logs can be configured per attack.

TeardropWhen tracking a Teardrop attack you will be notified of any attempt to exploit the fragmentation of large packets with erroneous offset values in the second or later fragment. Selecting this protection will block an attempted Teardrop attack.

This attack will be blocked even if the checkbox is not selected, and logged as Virtual defragmentation error: Overlapping fragments.

Table 2-1

Default Flag Settings: On

Log Generated by Protection: Teardrop attack detected

NGX Performance Impact: Does not impact performance.

Table 2-2

NG FP3 to R55 R55W

feature behavior when protection is on in NGX R60 Management

feature behavior when protection is in Monitor-Only mode in NGX R60 Management



Same N/A Same N/A

Ping of Death

26

Ping of DeathWhen tracking this type of attack you will be notified of any attempt in which an IP packet larger than 64KB has being sent to your network.

Selecting this protection will block an attempted Ping of Death attack.

This attack will be blocked even if the checkbox is not selected, and logged as "Virtual defragmentation error: Packet too big".

Table 2-3


Log Generated by Protection: Ping of Death


Table 2-4

NG FP3 to R55 R55W





Same N/A Same N/A

LAND


LANDWith this protection you can block LAND crafted packets. When tracking this type of attack you will be notified of any attempt in which a packet is sent to your machine with the same source host/port.

Selecting this protection will block an attempted LAND attack.

LAND crafted packets will be blocked when this protection is activated.

Table 2-5


Log Generated by Protection: Land Attack


Table 2-6

NG FP3 to R55 R55W





Same Not Enforced Same Same

Non TCP Flooding

28

Non TCP FloodingWith this protection you can protect against non-TCP Flooding attacks by limiting the percentage of open non-TCP connections. By setting this threshold, SmartDefense prevents more than a specific percentage of the bandwidth being used for non-TCP connections.

In addition, you can track non-TCP connections which exceed the threshold.

Table 2-7

Default Flag Settings: Off

Log Generated by Protection:

NGX Performance Impact: The feature is fully accelerated.

Table 2-8

NG FP3 to R55 R55W





Not Enforced Not Enforced Same N/A

IP and ICMP


IP and ICMPThe protections in this section allow you to enable a comprehensive sequence of layer 3 checks (IP and ICMP protocols) and some layer 4 verifications (UDP, TCP and IP options sanity checks).

Packet SanityThis protection performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options and verifying the TCP flags.

With this protection you can configure whether logs will be issued for offending packets.

A Monitor Only mode makes it possible to track unauthorized traffic without blocking it. However, setting this protection to Monitor Only means that badly fragmented packets pass unfiltered. Any type of attack may be hidden in fragmented packets. This setting exposes the network to attack.

Although Packet Sanity is turned off in Monitor Only mode, the following sanity verifications are still enforced and when applicable these packets are dropped:

- UDP packets with invalid UDP Length

- TCP packets with a corrupt header

In each of the above cases, SmartDefense logs will be generated.

Table 2-9



NGX Performance Impact: Protection accelerated.

Table 2-10

NG FP3 to R55 R55W





Always On Enforced Always On Always On

Max Ping Size

30

Max Ping SizeThis protection allows you to limit the maximum allowed data size for an ICMP echo request. This should not be confused with "Ping of Death", in which the request is malformed.

Table 2-11




Table 2-12

NG FP3 to R55 R55W






IP Fragments


IP FragmentsThis protection allows you to configure whether fragmented IP packets can pass SmartDefense gateways. It is possible to set a limit upon the number of fragmented packets (incomplete packets) that are allowed.

It is also possible to define a timeout for holding unassembled packets before discarding them.

Table 2-13

Default Flag Settings: Allowed


NGX Performance Impact: Fragments pass to the FW. Non-fragmented traffic is not impacted.

Table 2-14

NG FP3 to R55 R55W





Same N/A Same N/A

Network Quota

32

Network QuotaNetwork Quota enforces a limit upon the number of connections that are allowed from the same source IP, to protect against Denial Of Service attacks.

When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source or track the event.

Table 2-15


Log Generated by Protection: Network Quota

NGX Performance Impact: Disables templates.

Table 2-16

NG FP3 to R55 R55W





Same Same Same Same

Note - In the R55W Network Quota protection, Monitor Only was referred to as Only track the event.

Block Welchia ICMP


Block Welchia ICMPWhen this protection is enabled, SmartDefense will identify and drop the Welchia worm specific ping packets.

Table 2-17


Log Generated by Protection: Welchia/Nachi Worm ICMP Packet Detected

NGX Performance Impact: None (ICMP is not accelerated).

Table 2-18

NG FP3 to R55 R55W





Same Same Same Same

Block CISCO IOS DOS

34

Block CISCO IOS DOSThis protection allows you to configure which protocols should be protected against this attack. You can also define how many hops away from the enforcement module will Cisco routers be protected.

Table 2-19


Log Generated by Protection: Cisco IOS Enforcement Violation


Table 2-20

NG FP3 to R55 R55W





Same Same Same Same

Block Null Payload ICMP


Block Null Payload ICMPWhen this protection is enabled, SmartDefense will identify and drop the null payload ping packets.

Using SmartView Tracker, VPN-1 NG AI R55 will identify Drop log entries against rule number 99501.

Table 2-21


Log Generated by Protection: Null Payload Echo Request


Table 2-22

NG FP3 to R55 R55W





Same Same Same Same

TCP

36

TCPThe protections in this section allow you to configure a comprehensive set of TCP tests.

SYN Attack ConfigurationThis protection allows you to configure how an SYN attack is detected and how to protect your network from this attack. With this protection you can select whether to activate the SYN attack protection configuration in one place (that is, via SmartDefense), and specify the protection parameters for all modules (that is, gateways), or you can activate previous SYNDefender configuration versions for all current gateway versions.

The SYN attack protection can be configured for each module separately. This page allows you to override the modules' specific configuration.

Table 2-23



NGX Performance Impact: Disables acceleration for TCP sessions (disables templates). In relay mode - al session handshake is forwarded to FW.

Table 2-24

NG FP3 to R55 R55W





Same Enforced Same Same

Small PMTU


Small PMTUIn this protection the configuration option "Minimal MTU size" controls the allowed packet size. An exceedingly small value will not prevent an attack, while an unnecessarily large value might result in legitimate requests to be dropped, causing "black hole" effects and degrading performance.

Table 2-25



NGX Performance Impact: None (Accelerated).

Table 2-26

NG FP3 to R55 R55W






Spoofed Reset Protection

38

Spoofed Reset ProtectionThis protection enforces a threshold on the number of RST packets allowed per connection during a pre-defined period of time.

It is possible to exclude specific services from this protection. Services such as HTTP that are characterized by relatively short sessions are not affected by this attack. It is therefore advisable for performance reasons to exclude those services from the protection.

Table 2-27



NGX Performance Impact: Forwards RST packets to the Firewall.

Table 2-28

NG FP3 to R55 R55W





Not Enforced Not Enforced Not Enforced Not Enforced

Sequence Verifier


Sequence VerifierSequence Verifier is a mechanism matching the current TCP packet's sequence number against a TCP connection state. Packets that match the connection in terms of the TCP session but have incorrect sequence numbers are either dropped when the packet's sequence may compromise security, or stripped of data.

With this protection you can select the appropriate tracking option and define the type of out-of-sequence packets to be tracked.

Table 2-29



NGX Performance Impact: None.

Table 2-30

NG FP3 to R55 R55W





Same Not Enforced Same Not Enforced

Fingerprint Scrambling

40

Fingerprint ScramblingSmartDefense can scramble some of the fields commonly used for fingerprinting, masking the original identity of hosts behind the firewall. Please note, however, that totally preventing fingerprinting is next to impossible. Also note that while this feature makes fingerprinting the hosts protected by the firewall harder, it does little to hide the fact that there is a firewall here (i.e. - fingerprinting the firewall's existence is still possible).

With this protection you can choose whether to spoof fingerprints for unencrypted (plain) connections, for encrypted connection (for example, a VPN connection, or an HTTPS connection), or both.

SmartDefense can scramble some of the fields commonly used for fingerprinting, masking the original identity of hosts behind the firewall.

ISN SpoofingThe ISN scrambler counters this attack by creating a difference between the sequence numbers used by the server and the sequence numbers perceived by the client. This difference has high entropy using cryptographic functions, and effectively makes it impossible to guess the server's ISN. If the real server has a higher entropy than the entropy selected for the ISN scrambler, the higher entropy will pass through to the client.

Table 2-31



NGX Performance Impact: Disables acceleration on TCP traffic.

Table 2-32

NG FP3 to R55 R55W






TTL


TTLWith this protection you can enable or disable the use of TTL, and define how to identify a packet as a TTL packet.

You can change the TTL field of all packets (or all outgoing packets) to a given number. This achieves two goals. Using this approach it is not possible to know how many routers (hops) the host is from the listener, and the listener cannot know what is the original TTL value.

Table 2-33




Table 2-34

NG FP3 to R55 R55W






IP ID

42

IP IDWith this protection you can override the original IP ID with an ID generated by the firewall, thus masking the algorithm used by the original operating system, masking the operating system's identity. The three available algorithms used by the various operating systems are: Random, Incremental, and Incremental LE (little endian).

Table 2-35




Table 2-36

NG FP3 to R55 R55W






Successive Events


Successive EventsThe protections in this section allow you to configure different kinds of Check Point Malicious Activity Detections, including some general attributes.

All of these detections depend on logs generated by SmartDefense. By default, Check Point Malicious Activity Detections do not block the detected attacks but rather generate an Alert. It is possible to configure that other actions will be taken, for example User Defined Alerts.

Address SpoofingThis protection allows you to define parameters that are specific to the defense against Address Spoofing attempts. An attack is detected (defined) as Address Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-37




Table 2-38

NG FP3 to R55 R55W





Same Enforced Same Enforced

Denial of Service

44

Denial of ServiceTo protect the network from DOS attacks, SmartDefense employs a threshold. The threshold detects DOS events when more than a specific amount occurs over a specific amount of time.

When the threshold limit is reached, the incidents of DOS events are logged and an alert is issued.

With this protection you can define the frequency of events that will be treated as a DoS attack, and the Action to be taken when one of these attacks is detected.

Table 2-39




Table 2-40

NG FP3 to R55 R55W






Local Interface Spoofing


Local Interface SpoofingWith this protection you can define parameters that are specific to the defense against Local Interface Spoofing attempts. An attack is detected (defined) as Local Interface Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-41




Table 2-42

NG FP3 to R55 R55W






Successive Alerts

46

Successive AlertsWith this protection you can define parameters that are specific to the defense against Successive Alerts attempts. An attack is detected (defined) as Successive Alerts when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-43




Table 2-44

NG FP3 to R55 R55W






Successive Multiple Connections


Successive Multiple ConnectionsThis protection allows you to define parameters that are specific to the defense against Successive Multiple Connections attempts. An attack is detected (defined) as Successive Multiple Connections when more than a specific number of events are detected over a period of a specific number of seconds.

Table 2-45


Log Generated by Protection: Successive Multiple Connections


Table 2-46

NG FP3 to R55 R55W






DShield Storm Center

48

DShield Storm CenterStorm Centers gather logging information about attacks. This information is voluntarily provided by organizations from across the world for the benefit of all. Storm Centers collate and present reports on real-time threats to network security in a way that is immediately useful.

The SmartDefense Storm Center Module enables a two way information flow between the network Storm Centers, and the organizations requiring network security information.

With the protections in this section you can retrieve a list of malicious IPs from he DShield Storm Center and block those IPs. You can also submit logs to DShield.

Retrieve and Block Malicious IPsWith this protection you can decide whether to block all the malicious IP addresses received from DShield.org (one of the leading Storm Centers) or whether to block them for specific gateways.

Table 2-47




Table 2-48

NG FP3 to R55 R55W






Report to DShield


Report to DShieldWith this protection you can send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network.

Table 2-49




Table 2-50

NG FP3 to R55 R55W






Port Scan

50

Port ScanThe protections in this section allow you to discover incidences of intelligence gathering so that the information in question cannot be used to attack vulnerable computers.

Port Scanning is a method of collecting information about open TCP and UDP ports in a network. Gathering information is not in itself an attack, but the information can be used later to target and attack vulnerable computers.

Port scanning can be performed either by a hacker using a scanning utility such as nmap, or by a worm trying to spread itself to other computers. Port Scanning is most commonly done by trying to access a port and waiting for a response. The response indicates whether or not the port is open

Host Port ScanSmartDefense has three levels of port scan detection sensitivity. Each level represents the amount of inactive ports scanned during a certain amount of time. When port scan is detected a log or alert is issued.

Table 2-51


Log Generated by Protection: Port Scan


Table 2-52

NG FP3 to R55 R55W






Sweep Scan


Sweep ScanSmartDefense has three levels of port scan detection sensitivity. Each level represents the amount of inactive ports scanned during a certain amount of time. When port scan is detected a log or alert is issued.

Table 2-53


Log Generated by Protection: Port Scan


Table 2-54

NG FP3 to R55 R55W






Dynamic Ports

52

Dynamic PortsIf this protection is enabled, when a client tries to open a dynamic connection to such a protected port, the connection is dropped.

Block Data Connections to Low PortsBlock data connections to low ports specifies whether or not dynamically opened ports below 1024 are permitted. The low port range is used by many standard services, so you will not normally permit low ports.

Table 2-55




Table 2-56

NG FP3 to R55 R55W






53

Chapter 3Application Intelligence

In This Chapter


Mail page 55

FTP page 58

Microsoft Networks page 60

Peer to Peer page 66

Instant Messengers page 69

DNS page 75

VoIP page 80

SNMP page 88

VPN Protocols page 90

Content Protection page 96

MS-RPC page 98

MS-SQL page 100

Routing Protocols page 102

SUN-RPC page 106

DHCP page 107

SOCKS page 108

Introduction

54

IntroductionA growing number of attacks attempt to exploit vulnerabilities in network applications rather than target the firewall directly. Check Point Application Intelligence is a set of advanced capabilities, integrated into Firewall and SmartDefense, which detects and prevents application-level attacks. Based on INSPECT intelligent inspection technology, Check Point Application Intelligence gives SmartDefense the ability to protect against application attacks and hazards.Figure 3-1 OSI (Open Systems Interconnection) Reference Model

Application Intelligence protections allow you to configure various protections at the application layer, using SmartDefense's Application Intelligence capabilities.

Note - The OSI Reference Model is a framework, or guideline, for describing how data is transmitted between devices on a network.

The Application Layer is not the actual end-user software application, but a set of services that allows the software application to communicate via the network. Distinctions between layers 5, 6, and 7 are not always clear, and some competing models combine these layers, as does this user guide.

Mail

Chapter 3 Application Intelligence 55

MailThe protections in this section allow you to select what types of enforcement will be applied to Mail traffic.

POP3 / IMAP SecurityWith this protection you enable limitations on email messages delivered to the network using POP3/IMAP protocols. These options make it possible to recognize and stop malicious behavior. For example, SmartDefense can enforce the length of a username and password (as done in a Buffer Overrun attack), the effect of which will prevent the use of a long string of characters that can potentially crash the machine.

SmartDefense can also prevent a situation in which the use of network resources is deliberately discontinued. It can limit the number of NOOP commands (that is, a no operation command) that may be used in a Denial of Service attack.

Table 3-57



NGX Performance Impact: Disables POP3/IMAP acceleration and enables Security servers.

Table 3-58

NG FP3 to R55 R55W





Not Enforced Not Enforced Same Same

Mail Security Server

56

Mail Security ServerWith this protection you can select what types of enforcement will be applied to SMTP connections passing through the security server.

The SMTP security server allows strict enforcement of the SMTP protocol. Usually the security server is activated by specifying resources or authentication rules in the standard security policy.

Table 3-59

Default Flag Settings: On - only for connections related to resources used in the rule base.


NGX Performance Impact: Disables SMTP acceleration and enables Security servers.

Table 3-60

NG FP3 to R55 R55W






Block ASN.1 Bitstring Encoding Attack over SMTP


Block ASN.1 Bitstring Encoding Attack over SMTPSmartDefense provides protection against this vulnerability by analyzing the communication, looking for ASN.1 encoding within GSSAPI structures in SMTP authentication.

Note that SMTP Security Servers already block the GSSAPI authentication method.

Table 3-61


Log Generated by Protection: MS-ASN.1 Enforcement Violation

NGX Performance Impact: Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-62

NG FP3 to R55 R55W





Same (R55 Only)

Same (R55 Only) Same Same

FTP

58

FTPThe protections in this section allow you to configure various protections related to the FTP protocol.

FTP BounceWith this protection you can neutralize an FTP bounce attack aimed at the firewall. SmartDefense neutralizes the attack by performing tests in the kernel.

SmartDefense performs a mandatory protection against the FTP bounce attack, verifying the destination of the FTP PORT command. In addition, SmartDefense blocks connections to Dynamic Ports, as defined in the Dynamic Ports tab, under Network Security.

Table 3-63




Table 3-64

NG FP3 to R55 R55W






FTP Security Server


FTP Security ServerWith this protection you can access Authentication services and Content Security based on FTP commands (PUT/GET), file name restrictions, and CVP checking (for example, for viruses). In addition, the FTP Security Server logs FTP get and put commands, as well as the associated file names, if the rule's Track is Log.

Usually the Security Servers are enabled by specifying rules in the security policy.

Table 3-65

Default Flag Settings: On - only for connections related to resources used in the rule base.


NGX Performance Impact: Disables FTP acceleration and enables Security servers.

Table 3-66

NG FP3 to R55 R55W






Microsoft Networks

60

Microsoft NetworksThe protections in this section allow you to select what types of enforcement will be applied to Microsoft networking protocols.

File and Print SharingThis protection allows you to configure worm signatures that will be detected and blocked by the CIFS Worm Defender.

Table 3-67



NGX Performance Impact: Disables acceleration of Microsoft Network Protocols.

Table 3-68

NG FP3 to R55 R55W






Block Null CIFS Sessions


Block Null CIFS SessionsWhen this protection is enabled, SmartDefense will block null session attempts.

Table 3-69



NGX Performance Impact: Disables session rate acceleration for the CIFS protocol.

Table 3-70

NG FP3 to R55 R55W





*Enforced Not Enforced Same Same

Block Popup Messages

62

Block Popup MessagesWhen this protection is enabled, any attempt to send a Windows popup message will be blocked.

Table 3-71



NGX Performance Impact: Disables acceleration of Microsoft Network Protocols.

Table 3-72

NG FP3 to R55 R55W






Block ASN.1 Bitstring Encoding Attack


Block ASN.1 Bitstring Encoding AttackSmartDefense provides protection against this vulnerability by analyzing the communication, looking for ASN.1 BER encoding within GSS-API structures, in different protocols.

Table 3-73


Log Generated by Protection: MS-ASN.1 Enforcement Violation

NGX Performance Impact: Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-74

NG FP3 to R55 R55W





Same (R55 Only)


Block WINS Replication Attack

64

Block WINS Replication AttackWith this protection SmartDefense is able to recognize an illegal WINS packet. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.

Table 3-75


Log Generated by Protection: MS WINS Replication Protocol Enforcement Violation

NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-76

NG FP3 to R55 R55W





Same (R55 Only)


Block WINS Name Validation Attack


Block WINS Name Validation AttackWith this protection SmartDefense is able to recognize an illegal NBNS packet. This enables SmartDefense to catch potentially harmful packets before they enter the network.

Table 3-77


Log Generated by Protection: MS WINS Name Validation Enforcement Violation

NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-78

NG FP3 to R55 R55W





Same (R55 Only)


Peer to Peer

66

Peer to PeerThe protections in this section enable you to block Peer To Peer traffic.

In this section the protections allow you to prevent the use of peer to peer applications used for message transfer and file sharing (for example, Kazaa and Gnutella). For Peer to Peer applications that masquerade as HTTP you can define HTTP patterns that you wish to block.

By identifying fingerprints and HTTP headers SmartDefense detects peer to peer sessions regardless of the TCP port that it is using.

Excluded Services/Network ObjectsSince R55W we were able to create a white list of hosts and ports that will not be scanned for peer to peer protocols. However, since this capability does not exist on pre-R55 modules installing the protections on older modules will cause the protections to be active even on the excluded objects.

Table 3-79




Table 3-80

NG FP3 to R55 R55W






All Protocols through Port 80


All Protocols through Port 80With these protections you can block one of the supported peer to peer applications:

• KaZaA

• Gnutella

• eMule

• BitTorrent

• SoulSeek

• IRC

Table 3-81



NGX Performance Impact: Disables session rate acceleration on Port 80.

Table 3-82

NG FP3 to R55 R55W






All Protocols

68

All ProtocolsWith these protections you can block one of the supported peer to peer applications:

• KaZaA

• Gnutella

• eMule

• BitTorrent

• SoulSeek

• IRC

For older versions (FP3 to R55) if you turn on Header Rejection, HTTP will be protected.

Table 3-83



NGX Performance Impact: Disables session rate acceleration.

Table 3-84

NG FP3 to R55 R55W






Instant Messengers


Instant MessengersThe protections in this section allow you to block Instant Messaging applications that use Instant Messaging protocols. Instant Messaging applications have many capabilities, including voice calls, message transfer, and file sharing.

Excluded Services/Network ObjectsSince R55W we were able to create a white list of hosts and ports that will not be scanned for peer to peer protocols. However, since this capability does not exist on pre-R55 modules installing the protections on older modules will cause the protections to be active even on the excluded objects.

Table 3-85



NGX Performance Impact:

Table 3-86

NG FP3 to R55 R55W






MSN Messenger over SIP

70

MSN Messenger over SIPWith this protection you can block everything sent from SIP-based MSN Messenger, or specific MSN Messenger applications: file-transfer, application-sharing, white-boarding, and remote-assistant.

SmartDefense verifies compliance to Session Initiation Protocol (SIP) RFC 3261. MSN messenger can be either blocked completely, or its applications can be selectively blocked (file-transfer, application sharing, white-boarding, and remote assistant).

If "block sip based instant messaging" in SmartDefense > Application Intelligence > VoIP > SIP is selected, all MSN over SIP applications will be blocked automatically.

Table 3-87



NGX Performance Impact: SIP traffic is not accelerated.

Table 3-88

NG FP3 to R55 R55W






MSN Messenger over MSNMS


MSN Messenger over MSNMSWith this protection you can block specific MSN Messenger applications: video, audio, file-transfer, application-sharing, white-boarding, and remote-assistant.

MSN messenger can be either blocked completely, or its applications can be selectively blocked (audio, video, file-transfer, application sharing, white-boarding, and remote assistant).

To completely block MSN Messenger over MSNMS, no configuration is needed, because a security rule is required to allow it.

To selectively block SIP-based instant messenger applications, you must define a security rule with the MSNMS service (TCP1863), that allows them, and then configure SmartDefense.

Table 3-89



NGX Performance Impact: VPN-1 - Disables session rate accelerationInterspect - None

Table 3-90

NG FP3 to R55 R55W






Skype

72

SkypeSmartDefense can block Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP port being used to initiate the peer to peer session. Skype uses UDP or TCP port 1024 and higher or HTTP for peer to peer telephony.

Since Skype uses a session similar to SSL to bypass firewalls, it is now required to either completely block SSL ports or activate the "Block SSL null-pointer assignment" protection, under the VPN Protocols branch.

SmartDefense inspects Peer to Peer connections over HTTP requests and responses.

Table 3-91




Table 3-92

NG FP3 to R55 R55W






Yahoo! Messenger


Yahoo! MessengerSmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP port that is being used to initiate the peer to peer session.

Yahoo! Messenger uses port TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer.

SmartDefense inspects Peer to Peer request and response connections over HTTP.

Table 3-93




Table 3-94

NG FP3 to R55 R55W






ICQ

74

ICQSmartDefense can block ICQ traffic by identifying ICQ's fingerprints and HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP port that is being used to initiate the peer to peer session.

ICQ uses TCP port 5190 to connect. File transfer and sharing is done through TCP port 3574/7320.

SmartDefense inspects Peer to Peer request and response connections over HTTP.

Table 3-95




Table 3-96

NG FP3 to R55 R55W






DNS


DNSWith the protection in this section you can prevent various DNS related vulnerabilities and prevent protocol violations by performing DNS protocol enforcement and validation (TCP and UDP).

Protocol Enforcement - TCPSmartDefense is able to recognize a DNS packet that has been altered. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.

With this protection you can enforce TCP protocols. Only pure DNS packets sent over TCP will be able to enter the network. In this case, all DNS port connections over TCP will be monitored to verify that every DNS packet attempting to enter the network has not been altered.

With the enforcement of the TCP protocol the potential for maliciously altered DNS packets to enter the system is decreased.

Table 3-97



NGX Performance Impact: Disables DNS/TCP acceleration.

Table 3-98

NG FP3 to R55 R55W






Protocol Enforcement - UDP

76

Protocol Enforcement - UDPSmartDefense is able to recognize a DNS packet that has been altered. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.

In this window you can enforce UDP protocols. Only pure DNS packets sent over UDP will be able to enter the network. In this case, all DNS port connections over UDP will be monitored to verify that every DNS packet attempting to enter the network has not been altered.

With the enforcement of the UDP protocol the potential for maliciously altered DNS packets to enter the system is decreased.

Table 3-99



NGX Performance Impact: Disables DNS/UDP acceleration.

Table 3-100

NG FP3 to R55 R55W





Same Not Enforced Same N/A

Domain Block List


Domain Block ListWith this protection you can create a Block List for the purpose of filtering out undesirable traffic.

SmartDefense contains a Block list for the purpose of filtering out undesirable traffic. SmartDefense will not allow a user to access a domain address specified in the Block list. The domain Block list is updated manually.

Table 3-101



NGX Performance Impact: Disables DNS acceleration.

Table 3-102

NG FP3 to R55 R55W






Cache Poisoning Protections

78

Cache Poisoning ProtectionsThe Cache Poisoning protections enable you to configure Cache Poisoning protection.

To reduce DNS traffic, name severs maintain cache. The DNS cache is updated according to the TTL of each zone. Cache Poisoning occurs when DNS caches receive mapping information that was deliberately altered from a remote name server. The DNS server caches the incorrect information and sends it out as the requested information. As a result, email messages and URL addresses can be redirected and the information sent by a user can be captured and corrupted.

Table 3-103




Table 3-104

NG FP3 to R55 R55W






Resource Records Enforcements


Resource Records EnforcementsThis protection allows you to set the maximum number of allowed Answer, Authority and Additional Resource Records within a reply to a DNS query sent over TCP.

Table 3-105


Log Generated by Protection: DNS Enforcement Violation


Table 3-106

NG FP3 to R55 R55W





Same (R55 Only)


VoIP

80

VoIPWith the protections in this section you can enable protection against Dos attacks directed against VoIP networks. The VoIP pages you can configure protections for VoIP protocols.

SmartDefense validates the addresses of the caller and receiver, and ensures that the caller and receiver are allowed to make and receive VoIP calls. In addition, SmartDefense examines the contents of the packets passing through every allowed port, to make sure they contain proper information. Full stateful inspection on H.323, SIP, MGCP and SCCP commands ensures that all VoIP packets are structurally valid, and that they arrive in a valid sequence according to RFC standards.

DOS ProtectionA rogue IP phone could make Denial of Service attacks by flooding the network with calls, thereby interfering with proper use of the phone network.

This protection allows you to protect against Denial of Service attacks by limiting the number of call attempts per minutes that the VPN-1 Power Gateway will allow from any given IP address. Calls from handover devices are not counted, because they make a large number of calls.

Table 3-107



NGX Performance Impact: VoIP traffic is not accelerated.

Table 3-108

NG FP3 to R55 R55W






H323


H323In this window you can perform the following application layer checks:

• Strict enforcement of the protocol, including the order and direction of H.323 packets.

• If the phone number sent is longer than 24 characters the packet is dropped. This prevents buffer overruns in the server.

• Dynamic ports will only be opened if the port is not used by another service. For example: If the Connect message sends port 80 for the H.245 it will not be opened. This prevents well-known ports being used illegally.

Table 3-109




Table 3-110

NG FP3 to R55 R55W






SIP

82

SIPWith this protection you can verify content in the SIP header. If this option is selected and there are explicit SIP rules in the Rule Base, SmartDefense will validate the SIP headers and look for invalid characters inside them.

Table 3-111




Table 3-112

NG FP3 to R55 R55W





Sameexcept : block specific applications (video, audio, instant messaging) and default registration timeout, which are not enforced

Not Enforced Same"Block SIP calls that use …" and " Drop unknown SIP message" are not enforced)

Not Enforced

SIP


Block SIP Calls the User Two Different Voice Connections (RTP) for incoming Audio and Outgoing Audio

Verify SIP Header Content

Table 3-113




Table 3-114

feature behavior when protection is on in R55

feature behavior when protection is on in R55W


Enforced Enforced Enforced

Table 3-115




Table 3-116





SIP

84

Block SIP-base Video/Audio

Block SIP-based Instant Messaging

Table 3-117

Default Flag Settings: Off for all versions prior to R60 / On for R60



Table 3-118




Not Enforced Enforced Enforced

Table 3-119




Table 3-120





SIP


Drop Unknown SIP Messages

Default Proxy Registration Expiration Time Period

Table 3-121




Table 3-122




Not Enforced Not Enforced Enforced

Table 3-123

Default Flag Settings: 600 seconds



Table 3-124




Not Enforced Not Enforced Enforced

MGCP (allowed commands)

86

Block the Destination from Re-inviting Calls

MGCP (allowed commands)SmartDefense provides full network level security for MGCP. SmartDefense enforces strict compliance with RFC-2705, RFC-3435 (version 1.0) and ITU TGCP specification J.171. In addition, all SmartDefense capabilities are supported, such as inspection of fragmented packets, anti spoofing, protection against Denial of Service attacks. Note however that NAT on MGCP is not supported.

In addition, SmartDefense restricts handover locations and controls signalling and data connections.

Table 3-125




Table 3-126





Table 3-127

Default Flag Settings: Allowed



Table 3-128

NG FP3 to R55 R55W






SCCP (Skinny)


SCCP (Skinny)SCCP (Skinny Client Control Protocol) controls telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers).

SmartDefense provides full connectivity and network level and security for SCCP based VoIP communication. All SCCP traffic is inspected, and legitimate traffic is allowed to pass while attacks are blocked. All SmartDefense capabilities are supported, such as anti- spoofing and protection against Denial of Service attacks. Fragmented packets are examined and secured using kernel based streaming. However, NAT on SCCP devices is not supported.

In addition, SmartDefense restricts handover locations, and controls signalling and data connections.

SmartDefense tracks state and verifies that the state is valid for all SCCP message. For a number of key messages, it also verifies of existence and correctness of the message parameters.

SmartDefense can perform additional content security checks for SCCP connections, thereby providing a greater level of protection.

Table 3-129




Table 3-130

NG FP3 to R55 R55W






SNMP

88

SNMPWith the protections in this section you can protect against SNMP vulnerabilities by providing the option of enforcing SNMPv3 (the latest SNMP version) while rejecting previous versions. In addition, in this window you can allow all SNMP versions while dropping requests with SNMPv1 and SNMPv2 default community strings.

Allow Only SNMPv3 TrafficThis protection prevents the use of previous SNMP versions. By forcing the network to work with SNMPv3, SmartDefense employs authentication features that are not available with previous SNMP versions (that is, SNMPv1 and SNMPv2).

Table 3-131



NGX Performance Impact: Disables acceleration of SNMP traffic.

Table 3-132

NG FP3 to R55 R55W






Drop Requests to Default Community Strings


Drop Requests to Default Community StringsDrop requests with default community strings for SNMPv1 and SNMPv2 prevents unencrypted text associated with SNMPv1 and SNMPv2 from being sent over the network.

Table 3-133



NGX Performance Impact: Disables acceleration of SNMP traffic.

Table 3-134

NG FP3 to R55 R55W






VPN Protocols

90

VPN ProtocolsThe protections in this section allow you to select what types of enforcement will be applied to VPN (Virtual Private Network) protocols.

PPTP EnforcementThis protection enforces the PPTP protocol. PPTP sessions are forced to comply with the RFC standard including message type, and packet length. In case the PPTP control connection unexpectedly terminates, the GRE tunnel will be terminated automatically. In addition, enabling this protection will allow Hide NAT as well as Static NAT to be performed on PPTP connections.

Table 3-135



NGX Performance Impact: Disables acceleration of PPTP traffic.

Table 3-136

NG FP3 to R55 R55W






SSL Enforcement


SSL EnforcementWhen this protection is enabled, SmartDefense will identify and drop malformed SSL Client Hello packets.

Table 3-137


Log Generated by Protection: Invalid SSL Packet

NGX Performance Impact: Disables acceleration of SSL traffic passing through the gateway.

Table 3-138

NG FP3 to R55 R55W





Same (R55 Only)


Block IKE Aggressive Exchange

92

Block IKE Aggressive ExchangeWhen this protection is enabled, SmartDefense will identify and drop IKE aggressive exchanges.

Table 3-139


Log Generated by Protection: IKE Aggressive Packet Detected

NGX Performance Impact: Disables acceleration of IKE traffic on the client to server direction passing through the gateway. Server to client is still accelerated.

Table 3-140

NG FP3 to R55 R55W





Same (R55 Only)


IKE Enforcement


IKE EnforcementThis protection enforces the compliance of the IKE protocol to RFC 2409 in terms of payload type and length, maximal payload number, and packet length. By enabling "IKE payload enforcement" SmartDefense will perform additional checks on the IKE Security Association payload. A monitor-only mode makes it possible to track IKE protocol violation without blocking the connection.

Table 3-141


Log Generated by Protection: IKE Enforcement Violation

NGX Performance Impact: Disables acceleration of IKE traffic on the client to server direction passing through the gateway. Server to client is still accelerated.

Table 3-142

NG FP3 to R55 R55W





Same (R55 Only)


SSH - Detect SSH over Non-Standard Ports

94

SSH - Detect SSH over Non-Standard PortsSSH versions 1 and 2 are typically used over TCP port 22. This protection provides two possible actions (Block All SSH Versions and Run SSH Enforcement).

• When you select Block All SSH Versions, SSH traffic (associated with any SSH version), on all possible TCP ports will be blocked.

• When you select Run SSH Enforcement, the SSH Enforcement protection will be applied to all non standard ports including TCP port 22.

Table 3-143


Log Generated by Protection: SSH Connection on a Non-Standard Port

NGX Performance Impact: Disables session rate acceleration on all traffic.

Table 3-144

NG FP3 to R55 R55W






SSH Enforcement


SSH EnforcementSSH Enforcement protection applies to SSH traffic on TCP port 22. SSH Enforcement enables you to select and deselect specific defense attributes. By selecting Block SSH v1, only SSH version 2 will be enabled over TCP port 22.

Table 3-145



NGX Performance Impact: Disables session rate acceleration on SSH traffic.

Table 3-146

NG FP3 to R55 R55W






Content Protection

96

Content ProtectionThe protections in this section allow you to block malicious content over multiple protocols.

Malformed JPEGBy enabling this protection, SmartDefense will block malformed formatted JPEG files on all services with Protocol Type 'HTTP'.

Enabling "Perform strict enforcement" enables JPEG file detection based on its content.

Table 3-147


Log Generated by Protection: JPEG Content Protection Violation

NGX Performance Impact: Disables acceleration altogether for HTTP.

Table 3-148

NG FP3 to R55 R55W





Same (R55 Only)


Malformed ANI File


Malformed ANI FileBy enabling this protection, SmartDefense will block malformed formatted ANI files on all services with Protocol Type 'HTTP'.

Table 3-149


Log Generated by Protection: ANI Content Protection Violation

NGX Performance Impact: Disables acceleration altogether for HTTP.

Table 3-150

NG FP3 to R55 R55W





Same (R55 Only)


MS-RPC

98

MS-RPC

DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135

This protection will allow specific MS-RPC interfaces, such as DCOM interface, if they are allowed in the rule base. You can use the DCE-RPC services to create them and apply the protections in this page.

SmartDefense unconditionally blocks the "Blaster" worm and its variants, while allowing legitimate DCOM traffic.

Table 3-151



NGX Performance Impact: Disables acceleration of RPC traffic.

Table 3-152

NG FP3 to R55 R55W






Drop Unauthenticated DCOM


Drop Unauthenticated DCOM

MS-RPC Program Lookup This protection blocks Lookup operation requests and prevents the exploitation of this vulnerability.

Table 3-153




Table 3-154

NG FP3 to R55 R55W






Table 3-155




Table 3-156

NG FP3 to R55 R55W






MS-SQL

100

MS-SQLThe protections in this section allow you to configure various protections related to the MS SQL Server protocols.

MS-SQL Monitor ProtocolWith this protection you can configure different protections to be applied to the MS SQL Monitor protocol (running on port 1434/UDP).

Table 3-157


Log Generated by Protection: MS-SQL Monitor Protocol Enforcement Violation

NGX Performance Impact: Disables acceleration of MS-SQL traffic.

Table 3-158

NG FP3 to R55 R55W





Same (R55 Only)


MS-SQL Server Protocol


MS-SQL Server ProtocolWith this protection you can configure several protections to the MS SQL Server protocol (running on tcp/1433).

Table 3-159


Log Generated by Protection: MS-SQL Server Protocol Enforcement Violation

NGX Performance Impact: Disables acceleration of MS-SQL traffic.

Table 3-160

NG FP3 to R55 R55W





Same (R55 Only)


Routing Protocols

102

Routing ProtocolsThe protections in this section allow you to select what types of enforcement will be applied to routing protocols.

OSPFBy enabling this protection, SmartDefense will enforce the validity of the OSPF packet header, including protocol version, message type and packet length. In addition, SmartDefense is able to detect and block OSPF traffic that is non-MD5 authenticated, which is considered insecure.

Table 3-161


Log Generated by Protection: OSPF enforcement violation

NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.

Table 3-162

NG FP3 to R55 R55W





Same (R55 Only)


BGP (block non-MD5 authenticated BGP connections)


BGP (block non-MD5 authenticated BGP connections)

By enabling this protection, SmartDefense will detect and block BGP traffic that is non-MD5 authenticated, which is considered insecure.

Table 3-163


Log Generated by Protection: BGP Enforcement Violation


Table 3-164

NG FP3 to R55 R55W





Same (R55 Only)


RIP

104

RIPBy enabling this protection, SmartDefense will enforce the validity of the RIP packet header. In addition, SmartDefense is able to detect and block RIP traffic that is non-MD5 authenticated, which is considered insecure.

Table 3-165


Log Generated by Protection: RIP Enforcement Violation


Table 3-166

NG FP3 to R55 R55W





Same (R55 Only)


IGMP


IGMPBy enabling this protection, SmartDefense will enforce the validity of the IGMP packet header. In addition, SmartDefense is able to detect and block IGMP traffic that is non-MD5 authenticated, which is considered insecure.

Table 3-167


Log Generated by Protection: IGMP protocol Enforcement Violation


Table 3-168

NG FP3 to R55 R55W





Same (R55 Only)


SUN-RPC

106

SUN-RPCThe protections in this section allow you to select what types of enforcement will be applied to SUN-RPC (Remote Procedure Calls) protocols.

SUN-RPC Program LookupThis protection, available for NG with Application Intelligence (R55) and above, will block SUN-RPC interface scanning.

Table 3-169


Log Generated by Protection: SUN-RPC Enforcement Violation

NGX Performance Impact: Disables acceleration of SUN - RPC traffic.

Table 3-170

NG FP3 to R55 R55W





Same (R55 Only)


DHCP


DHCPBy enabling this protection, SmartDefense will enforce the validity of the DHCP packet header and options.

Table 3-171


Log Generated by Protection: DHCP Protocol Enforcement Violation


Table 3-172

NG FP3 to R55 R55W





Same (R55 Only)


SOCKS

108

SOCKSThis protection provides enforcement of the SOCKS protocol. Non SOCKS protocol communication over the SOCKS protocol port (1080 by default) will be blocked.

You may also block SOCKS version 4 only or any unauthenticated SOCKS communication (often used by trojans to tunnel information).

Table 3-173


Log Generated by Protection: SOCKS Enforcement Violation


Table 3-174

NG FP3 to R55 R55W





Same (R55 Only)


109

Chapter 4Web Intelligence

In This Chapter


Malicious Code page 111

Application Layer page 113

Information Disclosure page 118

HTTP Protocol Inspection page 121

Introduction

110

IntroductionWeb Intelligence is based on Check Point's Stateful Inspection, Application Intelligence, and Malicious Code Protector technologies, so that it is possible to block not only specific attacks, but also entire categories of attacks, while allowing legitimate traffic to pass.

• Malicious Code Protector is a Check Point patent-pending technology that blocks hackers from sending malicious code to target web servers and applications. It can detect malicious executable code within web communications by identifying not only the existence of executable code in a data stream but its potential for malicious behavior. Malicious Code Protector is a kernel-based protection delivering almost wire-speed performance.

• Application Intelligence is a set of technologies that detect and prevent application-level attacks by integrating a deeper understanding of application behavior into network security defenses.

• Stateful Inspection analyzes information flow into and out of a network so that real-time security decisions can be based on communication session information as well as on application information. It accomplishes this by tracking the state and context of all communications traversing the firewall gateway, even when the connection involves complex protocols.

Web intelligence is an add-on for VPN-1 Power. Customers who purchase the SmartDefense Subscription service can automatically update both SmartDefense and Web Intelligence with a single click. Updates are released frequently, and are obtained from the Check Point SmartDefense site:

http://www.checkpoint.com/techsupport/documentation/smartdefense/index.html

Customers with a valid subscription license also receive special SmartDefense Advisories that provide updated SmartDefense and Web Intelligence attack protections, as well as information, tools and best practice methods to mitigate different attacks.

Tip - It is recommended to keep your gateway version up-to-date, as the newest defenses are incorporated into the latest version of Check Point software.

http://www.checkpoint.com/techsupport/documentation/smartdefense/index.html

Malicious Code

Chapter 4 Web Intelligence 111

Malicious CodeThe protections in this section allow you to prevent attacks that run malicious code on web servers or clients.

General HTTP Worm CatcherWith this protection you can configure worm signatures that will be detected and blocked based pre-defined patterns. This detection takes place in the kernel, and so is performed very quickly. It does not require a security server.

This protection can be applied either to all traffic or to specific web servers. When the attack is blocked, users can be informed via a customizable web page.

Table 4-175

Default Flag Settings: On for defined web servers

Log Generated by Protection: Worm catcher pattern found. cmd.exe

NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-176

NG FP3 to R55 R55W






Malicious Code Protector

112

Malicious Code ProtectorThis protection analyzes URLs, HTTP request headers and HTTP request bodies by disassembling machine code. It assesses the danger, and allows or rejects connections accordingly. Because it analyzes assembler code dynamically, it is able to protect against most future vulnerabilities without the need for patterns or updates.

To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.

This protection is available for Web Servers running on the platforms specified in the online help.

Table 4-177


Log Generated by Protection: Malicious code detected in URL


Table 4-178

NG FP3 to R55 R55W





Not Enforced Not Enforced Same (except for Solaris)

Same

Application Layer


Application LayerThe protections in this section prevent hackers from introducing text, tags, commands, or other characters that a web application will interpret as special instructions. Introducing these characters in forms or URLs can allow a hacker to steal private data, redirect a communication session to a malicious web site, steal information from a database, gain unauthorized access, or execute restricted commands.

Cross Site ScriptingTo protect against Cross-Site Scripting attacks, HTTP requests sent using the POST command, that contain scripting code are rejected. This protection also understands the encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request, but rather the whole request is rejected.


Table 4-179


Log Generated by Protection: Cross Site Scripting detected in URL: 'script'


Table 4-180

NG FP3 to R55 R55W






LDAP Injection

114

LDAP InjectionThis protection protects LDAP servers by identifying attempted misuse of LDAP queries in forms and URLs submitted to Web applications. If an attack is detected, the connection is rejected.

To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help.

The list of LDAP fields that is examined can be customized, which makes it possible to control the use of customized LDAP fields, as well as standard ones.

Table 4-181


Log Generated by Protection: LDAP Injection detected in URL: 'uid'


Table 4-182

NG FP3 to R55 R55W






SQL Injection


SQL InjectionWeb Intelligence looks for SQL commands in forms and in URLs. If it finds them, the connection is rejected.


Table 4-183


Log Generated by Protection: SQL Injection detected in URL: 'select'


Table 4-184

NG FP3 to R55 R55W






Command Injection

116

Command InjectionThis protection looks for system commands in forms and in URLs. If it finds them, the connection is rejected.


Table 4-185


Log Generated by Protection: Command Injection detected in URL: 'chown'


Table 4-186

NG FP3 to R55 R55W






Directory Traversal


Directory TraversalThis protection verifies that the URL does not contain an illegal combination directory traversal characters. Requests in which the URL contains an illegal directory request are blocked.

Table 4-187


Log Generated by Protection: directory traversal overflow http://1.2.3.4/../../


Table 4-188

NG FP3 to R55 R55W






Information Disclosure

118

Information DisclosureOne of the first steps an attacker may take before attacking a web site is to gather information about the site. The goal of the hacker is to get the web server to reveal information that hacker can use to tailor an attack. This is known as "fingerprinting".

The protections in this section allow you to prevent the web server revealing information that is not required by users.

Header SpoofingThis protection allows you to remove or change a specific header (that can appear either in the HTTP Request or Response) by giving a regular expression to identify the header name and header value. For example, a typical server header will contain the web server name and version number. Use this protection to spoof out the version information.

Note - Activating this protection decreases performance for Web traffic to which this protection is applied.

Table 4-189


Log Generated by Protection: Header Spoofing, replacing header, new header is 'IIS'

NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-190

NG FP3 to R55 R55W






Directory Listing


Directory ListingThis protection identifies web pages containing directory listings and blocks them.

To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help.

Table 4-191


Log Generated by Protection: Directory Listing detected


Table 4-192

NG FP3 to R55 R55W






Error Concealment

120

Error ConcealmentThis protection looks for web server error messages in HTTP responses, and if it finds them, prevents the web page reaching the user.

Error messages are detected and concealed in two ways.

The first way conceals HTTP Responses containing those 4XX and 5XX error status codes that reveal unnecessary information. It is possible to choose the status codes that will be concealed.

The second way hides error messages generated by the web application engine. This approach is needed when the application engine does not tell the web server it has an error, in which case the web server displays error information that it should not. It is possible to configure patterns that identify messages from particular application engines. If these patterns are detected the pages are blocked.

Table 4-193


Log Generated by Protection: Concealed HTTP response status code: '413'


Table 4-194

NG FP3 to R55 R55W






HTTP Protocol Inspection


HTTP Protocol InspectionHTTP Protocol Inspection provides strict enforcement of the HTTP protocol, ensuring these sessions comply with RFC standards and common security practices.

Web Intelligence performs high performance kernel-level inspection of all connections passing through enforcement modules of version NG with Application Intelligence (R55W) or higher.

For enforcement modules of versions of version NG with Application Intelligence (R55) or lower, there is a choice. It is possible to choose whether to perform HTTP protocol inspection using the kernel for optimized performance, or using the HTTP Security Server for strict protocol enforcement. A third option applies the options only to connections related to resources used in the Rule Base, and enforces the options using the Security Server.

HTTP Format SizesIt is good security practice to limit the sizes of different elements in HTTP request and response. This reduces the chance for buffer overruns and limits the size of code that can be inserted into the header.

This protection allows you to configure upper bounds to different elements in the HTTP request and response. You can also impose limits on specific headers using a regular expression to describe the header name. If the inspected HTTP connection contains more than one request, the limits are imposed on each request separately.

Table 4-195


HTTP Format Sizes

122

Maximum Request Body Size:

Maximum URL Length:

Table 4-196


Log Generated by Protection: Request body length exceeded allowed maximum length of 49152 bytes


Table 4-197

NG FP3 to R55 R55W






Table 4-198


Log Generated by Protection: URL length exceeded allowed maximum length of 2048 bytes


Table 4-199

NG FP3 to R55 R55W






HTTP Format Sizes


Maximum Header Value Length:

Maximum Number of Headers:

Table 4-200


Log Generated by Protection: 'host' header length exceeded maximum allowed length


Table 4-201

NG FP3 to R55 R55W






Table 4-202


Log Generated by Protection: Number of HTTP headers exceeded allowed maximum of 500


Table 4-203

NG FP3 to R55 R55W






ASCII Only Request

124

ASCII Only RequestThis protection makes it possible to selectively block non-ASCII characters in HTTP requests. It is possible to block HTTP request headers and Form fields. When a user submits a web form, the data can be carried in the query section of the URL or in the body of the HTTP request.

Table 4-204


Log Generated by Protection: Invalid character detected in request URL: '0xff'


Table 4-205

NG FP3 to R55 R55W






ASCII Only Response Headers


ASCII Only Response HeadersThis protection drops responses which contain non ASCII values.

With this page you can force all HTTP headers to be ASCII only. This will prevent some malicious content from passing in the HTTP protocol headers.

Note - Activating this protection decreases performance for Web traffic to which this protection is applied.

Table 4-206


Log Generated by Protection: Invalid character detected in response headers: '0xff'


Table 4-207

NG FP3 to R55 R55W






Header Rejection

126

Header RejectionThis protection allows you to reject HTTP requests that contains specific headers and header values.

The HTTP header name and value are defined using case-sensitive regular expressions.

Table 4-208


Log Generated by Protection: Header Rejection pattern found in request

NGX Performance Impact: None (works only on C2S traffic, which is accelerated).

Table 4-209

NG FP3 to R55 R55W





Same (previously referred to as Peer to Peer)

Enforced Same Same

HTTP Methods


HTTP MethodsThis protection can be used to control which HTTP methods can be used in HTTP requests.

Web Intelligence divides the HTTP methods into three groups: Standard safe (GET, HEAD and POST), standard unsafe (the other standard HTTP methods), and WebDAV. By default, all methods are blocked other than the standard safe methods.

To allow users access to popular applications such as Microsoft Hotmail, Outlook Web Access, and FrontPage, the non-RFC compliant WebDAV HTTP methods can be allowed.

It is possible to choose exactly which methods to block. For example, if only GET and POST methods are allowed, and all others are blocked, the following HTTP request using a WebDav method will be rejected: MKCOL / HTTP/1.0.

Table 4-210


Log Generated by Protection: Blocked Method: 'PUT'

NGX Performance Impact: None (works only on C2S traffic, which is accelerated).

Table 4-211

NG FP3 to R55 R55W






Block HTTP on Non-Standard Port

128

Block HTTP on Non-Standard PortSmartDefense is able to detect and block HTTP traffic on any TCP port not configured by the security administrator as an allowed port for the use of HTTP.

For more details on how to allow HTTP traffic on non standard ports, please refer to the above CPSA-2005-01 advisory.

Table 4-212


Log Generated by Protection: Disables session rate acceleration.


Table 4-213

NG FP3 to R55 R55W






Block Malicious HTTP Encodings


Block Malicious HTTP EncodingsNULL encoding in URIs are mostly used when trying to bypass URI based restrictions or take advantage of the fact that some web servers ignore parameters after a NULL character.

This protection allows you to block HTTP requests which contain NULL encoding in the path part of the URI.

Table 4-214


Log Generated by Protection: Disables session rate acceleration.


Table 4-215

NG FP3 to R55 R55W





Not Enforced (R54, FP3)Same (R55 only)

Not Enforced (R54, FP3)Same (R55 only)

Same Same

Block Malicious HTTP Encodings

130

131

THIRD PARTY TRADEMARKS AND COPYRIGHTS

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust’s logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided “as is” without express or implied warranty. Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

132

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>.All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose

with or without fee is hereby granted, provided that the above copyright

notice and this permission notice appear in all copies.

133

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]).

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

134

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distrib-uted, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not lim-ited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this doc-ument for personal, non-commercial use only, provided you do not modify the materials and that you retain all copy-right and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or condi-tions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in

this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights

The material in document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are

restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Soft-ware Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commer-cial

Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty Disclaimer Warranty

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES,

EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESEN-TATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

135

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

PCRE LICENCE

PCRE is a library of functions to support regular expressions whose syntax and semantics are as close as possible to those of the Perl 5 language. Release 5 of PCRE is distributed under the terms of the "BSD" licence, as specified below. The documentation for PCRE, supplied in the "doc" directory, is distributed under the same terms as the software itself.

Written by: Philip Hazel <[email protected]>

University of Cambridge Computing Service, Cambridge, England. Phone:

+44 1223 334714.

Copyright (c) 1997-2004 University of Cambridge All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the University of Cambridge nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Eventia Reporter includes software whose copyright is owned by, or licensed from, MySQL AB.

February 2007 137

Index

AAddress Spoofing 43Allow Only SNMPv3 Traffic 88Allowed 22Always On 22Application Intelligence 110Application Layer 113ASCII Only Request 124ASCII Only Response

Headers 125

BBGP 103Block ASN.1 Bitstring Encoding

Attack 63Block ASN.1 Bitstring Encoding

Attack over SMTP 57Block CISCO IOS DOS 34Block Data Connections to Low

Ports 52Block HTTP on Non-Standard

Port 128Block IKE Aggressive

Exchange 92, 93Block Malicious HTTP

Encodings 129Block Null CIFS Sessions 61Block Null Payload ICMP 35Block Popup Messages 62Block SSL Null-Pointer

Assignment 91Block Welchia ICMP 33Block WINS Name Validation

Attack 65Block WINS Replication

Attack 64

CCache Poisoning Protections 78Command Injection 116Content Protection 96Cross Site Scripting 113

DDCOM 98Denial Of Service 25Denial of Service 44DHCP 107Directory Listing 119Directory Traversal 117DNS 75Domain Block List 77DOS Protection 80Drop Requests to Default

Community Strings 89Drop Unauthenticated DCOM 99DShield Storm Center 48Dynamic Ports 52

EEnforced 22Error Concealment 120

FFile and Print Sharing 60Fingerprint Scrambling 40FTP 58FTP Bounce 58FTP Security Server 59

GGeneral HTTP Worm Catcher 111

HH323 81Header Rejection 126Header Spoofing 118Host Port Scan 50HTTP Format Sizes 121HTTP Methods 127HTTP Protocol Inspection 121

IICQ 74IGMP 105Information Disclosure 118Instant Messengers 69IP and ICMP 29IP Fragments 31IP ID 42ISN Spoofing 40

LLAND 27LDAP Injection 114Local Interface Spoofing 45

MMail 55Mail Security Server 56Malformed ANI File 97

138

Malformed JPEG 96Malicious Code 111Malicious Code Protector 110,

112Max Ping Size 30Maximum Header Value

Length 123Maximum Number of

Headers 123Maximum Request Body Size 83,

122Maximum URL Length 122MGCP (allowed commands) 86Microsoft Networks 60MSN Messenger over MSNMS 71MSN Messenger over SIP 70MS-RPC 98MS-RPC Program Lookup 99MS-SQL 100MS-SQL Monitor Protocol 100MS-SQL Server Protocol 101

NN/A 22Network Quota 32NG FP3 18NG R55W 18NG With Application Intelligence

R54 18NG With Application Intelligence

R55 18Non TCP Flooding 28Not Enforced 22

OOff 22On 22OSPF 102

PPacket Sanity 29

Peer to Peer 66Ping of Death 26POP3 / IMAP Security 55Port Scan 50PPTP Enforcement 90Protocol Enforcement - TCP 75Protocol enforcement - UDP 76

RReport to DShield 49Resource Records

Enforcements 79Retrieve and Block Malicious

IPs 48RIP 104Routing Protocols 102

SSame 22SCCP (Skinny) 87Sequence Verifier 39SIP 82Skype 72Small PMTU 37SmartDefense 18SNMP 88SOCKS 108Spoofed Reset Protection 38SQL Injection 115SSH - Detect SSH over Non-

Standard Ports 94SSH Enforcement 95Stateful Inspection 110Successive Alerts 46Successive Events 43Successive Multiple

Connections 47SUN-RPC 106SUN-RPC Program Lookup 106Sweep Scan 51SYN Attack Configuration 36

TTCP 36Teardrop 25TTL 41

VVoIP 80VPN Protocols 90

WWeb Intelligence 19

YYahoo! Messenger 73

Checkpoint NGX Smart Defense Protections Reference Guide

Documents

Transcript of Checkpoint NGX Smart Defense Protections Reference Guide