Check Point NGX SmartDefense Protections Reference Guide

Version NGX and above

July 2006

  • 2003-2006 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    2003-2006 Check Point Software Technologies Ltd. All rights reserved.

    Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 UTM Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

    For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

  • Contents

    Preface
      Who Should Use This Guide
      Summary of Contents
      Related Documentation
      More Information

    Chapter 1 Introduction
      Overview and Purpose
        SmartDefense
        Web Intelligence
      Obtaining the Latest Version of the Documentation
      Structure of the Guide
      How to Read this Document

    Chapter 2 Network Security
      Introduction
      Denial Of Service
        Teardrop
        Ping of Death
        LAND
        Non TCP Flooding
      IP and ICMP
        Packet Sanity
        Max Ping Size
        IP Fragments
        Network Quota
        Block Welchia ICMP
        Block CISCO IOS DOS
        Block Null Payload ICMP
      TCP
        SYN Attack Configuration
        Small PMTU
        Spoofed Reset Protection
        Sequence Verifier
      Fingerprint Scrambling
        ISN Spoofing
        TTL
        IP ID
      Successive Events
        Address Spoofing
        Denial of Service
        Local Interface Spoofing
        Successive Alerts
        Successive Multiple Connections
      DShield Storm Center
        Retrieve and Block Malicious IPs
        Report to DShield
      Port Scan
        Host Port Scan
        Sweep Scan
      Dynamic Ports
        Block Data Connections to Low Ports

    Chapter 3 Application Intelligence
      Introduction
      Mail
        POP3 / IMAP Security
        Mail Security Server
        Block ASN.1 Bitstring Encoding Attack over SMTP
      FTP
        FTP Bounce
        FTP Security Server
      Microsoft Networks
        File and Print Sharing
        Block Null CIFS Sessions
        Block Popup Messages
        Block ASN.1 Bitstring Encoding Attack
        Block WINS Replication Attack
        Block WINS Name Validation Attack
      Peer to Peer
        Excluded Services/Network Objects
        All Protocols through Port 80
        All Protocols
      Instant Messengers
        Excluded Services/Network Objects
        MSN Messenger over SIP
        MSN Messenger over MSNMS
        Skype
        Yahoo! Messenger
        ICQ
      DNS
        Protocol Enforcement - TCP
        Protocol Enforcement - UDP
        Domain Block List
        Cache Poisoning Protections
        Resource Records Enforcements
      VoIP
        DOS Protection
        H323
        SIP
        MGCP (allowed commands)
        SCCP (Skinny)
      SNMP
        Allow Only SNMPv3 Traffic
        Drop Requests to Default Community Strings
      VPN Protocols
        PPTP Enforcement
        SSL Enforcement
        Block IKE Aggressive Exchange
        IKE Enforcement
        SSH - Detect SSH over Non-Standard Ports
        SSH Enforcement
      Content Protection
        Malformed JPEG
        Malformed ANI File
      MS-RPC
        DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135
        Drop Unauthenticated DCOM
        MS-RPC Program Lookup
      MS-SQL
        MS-SQL Monitor Protocol
        MS-SQL Server Protocol
      Routing Protocols
        OSPF
        BGP (block non-MD5 authenticated BGP connections)
        RIP
        IGMP
      SUN-RPC
        SUN-RPC Program Lookup
      DHCP
      SOCKS

    Chapter 4 Web Intelligence
      Introduction
      Malicious Code
        General HTTP Worm Catcher
        Malicious Code Protector
      Application Layer
        Cross Site Scripting
        LDAP Injection
        SQL Injection
        Command Injection
        Directory Traversal
      Information Disclosure
        Header Spoofing
        Directory Listing
        Error Concealment
      HTTP Protocol Inspection
        HTTP Format Sizes
        ASCII Only Request
        ASCII Only Response Headers
        Header Rejection
        HTTP Methods
        Block HTTP on Non-Standard Port
        Block Malicious HTTP Encodings

    Index

  • Preface

    In This Chapter

    Who Should Use This Guide

    Summary of Contents

    Related Documentation

    More Information

  • Who Should Use This Guide

    This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

    This guide assumes a basic understanding of:

    System administration.

    The underlying operating system.

    Internet protocols (IP, TCP, UDP etc.).

  • Summary of Contents

    This guide contains the following chapters:

    Chapter 1, Introduction: Provides system administrators with an understanding of the implications of each protection when installing a policy on previous releases (in other words, backwards compatibility).

    Chapter 2, Network Security: Provides information about each Network Security protection.

    Chapter 3, Application Intelligence: Provides information about each Application Intelligence protection.

    Chapter 4, Web Intelligence: Provides information about each Web Intelligence protection.

  • Related Documentation

    The NGX R62 release includes the following documentation:

    TABLE P-1 VPN-1 Power/UTM suite documentation

    Getting Started Guide: The Getting Started guide contains an overview of NGX R62 and step-by-step product installation and upgrade procedures. This document also provides information about What's New, Licenses, Minimum hardware and software requirements, etc.

    Upgrade Guide: The Upgrade guide explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R62.

    SmartCenter Guide: The SmartCenter Guide explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, and at all user endpoints.

    Firewall and SmartDefense Guide: The Firewall and SmartDefense guide is divided into the following topics:

    Controlling and securing network access.

    Establishing network connectivity.

    Using SmartDefense to protect against network and application level attacks.

    Using Web Intelligence to protect web servers and applications, and integrated web security capabilities.

    Using Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites.

    Securing VoIP traffic.

    Eventia Reporter: The Eventia Reporter guide explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power/UTM, SecureClient and SmartDefense.

    SmartView Tracker Guide: The SmartView chapter provides information about how to collect comprehensive information on your network activity in the form of logs. In this chapter you learn how to use SmartView Tracker to audit these logs at any given time, analyze traffic patterns and troubleshoot networking and security issues.

    SecurePlatform Guide: The SecurePlatform guide explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.

    Provider-1 Guide: The Provider-1 guide explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.


    TABLE P-2 Integrity Server documentation

    Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.

    Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.

    Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.

    Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.

    Integrity Advanced Server System Requirements: Provides information about client and server requirements.

    Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.

    Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files.

    Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.

  • More Information

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.

    See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents.


  • Chapter 1 Introduction

    In This Chapter

    Overview and Purpose

    Obtaining the Latest Version of the Documentation

    Structure of the Guide

    How to Read this Document

  • Overview and Purpose

    This guide is divided into a number of sections and chapters that provide an overview of how NGX R60 SmartDefense and Web Intelligence protections work with the following previous versions:

    NG FP3

    NG With Application Intelligence R54

    NG With Application Intelligence R55 (including R55P)

    NG With Application Intelligence R55W

    The intention of this guide is to provide system administrators with an understanding of the implications of each protection when installing a policy on previous releases (in other words, backwards compatibility).

    To fully understand SmartDefense and Web Intelligence protections it is recommended that you familiarize yourself with NGX R60 behavior. To do this, refer to the NGX R60 Firewall and SmartDefense Guide.

    SmartDefense

    Check Point SmartDefense provides a unified security framework for various components that identify and prevent attacks. SmartDefense actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. It unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications. It protects organizations from all known, and most unknown, network attacks using intelligent security technology.

    Keeping up-to-date with the latest defenses does not require up-to-the-minute technical knowledge. A single click updates SmartDefense with all the latest defenses from the SmartDefense website.

    SmartDefense provides a console that can be used to:

    Choose the attacks that you wish to defend against, and read detailed information about the attack.

    Easily configure parameters for each attack, including logging options.

    Receive real-time information on attacks, and update SmartDefense with new capabilities.

  • Web Intelligence

    Check Point Web Intelligence enables customers to configure, enforce and update attack protections for web servers and applications. Web Intelligence protections are designed specifically for web-based attacks, and complement the network and application level protections offered by SmartDefense. In addition, Web Intelligence Advisories published online by Check Point provide information and add new attack defenses.

    Web Intelligence not only protects against a range of known attacks, varying from attacks on the web server itself to databases used by web applications, but also incorporates intelligent security technologies that protect against entire categories of emerging, or unknown, attacks.

    Unlike web firewalls and traditional intrusion protection systems, Web Intelligence provides proactive attack protections. It ensures that communications between clients and web servers comply with published standards and security best practices, restricts hackers from executing irrelevant system commands, and inspects traffic passing to web servers to ensure that it doesn't contain dangerous malicious code. Web Intelligence allows organizations to permit access to their web servers and applications without sacrificing either security or performance.

  • Obtaining the Latest Version of the Documentation


    SmartDefense and Web Intelligence protections are being continuously updated. For this reason, see the latest available online version of this document in the User Center at http://www.checkpoint.com/support/technical/documents/docs_r62.html. For additional information contact your Check Point partner.

  • Structure of the Guide

    This guide is divided into a number of chapters:

    Chapter 2, Network Security gives an overview of Network Security protections, which enable protection against attacks on the network and transport level.

    Chapter 3, Application Intelligence gives an overview of Application Intelligence protections, which enable the configuration of various protections at the application layer, using SmartDefense's Application Intelligence capabilities.

    Chapter 4, Web Intelligence gives an overview of Web Intelligence protections, which provide high-performance attack protection for web servers and applications. They provide proactive attack protection by looking for malicious code and ensuring adherence to protocols and security best practice.

  • How to Read this Document

    In this guide the condition of each protection in a specific scenario is represented by a status. The following are all of the possible statuses:

    On: indicates that the protection is on by default. However, individual options within the protection may be on or off by default.

    Off: indicates that the protection is off by default.

    Same: indicates that the protection's behavior is the same as in NGX R60.

    Always On: indicates that the protection cannot be turned off on modules from this release, even though it is configured as Off in NGX R60 Management.

    Enforced: indicates that the protection is active.

    *Enforced: indicates that the protection is active, but that it did not exist when R55 was released. Before this protection can be active it requires a SmartDashboard update.

    Not Enforced: indicates that the protection is not active.

    Allowed: indicates all commands are allowed.

    N/A: indicates not applicable.

  • Chapter 2 Network Security

    In This Chapter

    Introduction

    Denial Of Service

    IP and ICMP

    TCP

    Fingerprint Scrambling

    Successive Events

    DShield Storm Center

    Port Scan

    Dynamic Ports

  • Introduction

    Application Intelligence is primarily associated with application level defenses. However, in practice many attacks aimed at network applications actually target the network and transport layers.

    Hackers target these lower layers as a means to access the application layer, and ultimately the application and data itself. Also, by targeting lower layers, attacks can interrupt or deny service to legitimate users and applications (e.g., DoS attacks). For these reasons, SmartDefense addresses not only the application layer, but also network and transport layers.

    Preventing malicious manipulation of network-layer protocols (e.g., IP, ICMP) is a crucial requirement for multi-level security gateways. The most common vehicle for attacks against the network layer is the Internet Protocol (IP), whose set of services resides within this layer.

    As with the network layer, the transport layer and its common protocols (TCP, UDP) provide popular access points for attacks on applications and their data.

    The pages to follow contain information that will help you configure various SmartDefense protections against attacks on the network and transport level from versions prior to NGX R60. These pages allow you to configure protection against attacks which attempt to target network components or the firewall directly.

    The effect of such attacks on the IP, TCP, UDP or ICMP network protocols ranges from simple identification of the operating systems used in your organization to denial of service attacks on hosts and servers on the network.

  • Denial Of Service

    Denial of Service (DoS) attacks are aimed at disrupting normal operations of a service. The attacks in this section exploit bugs in operating systems to remotely crash the machines.

    The detections in this protection depend on logs generated by SmartDefense. These logs can be configured per attack.

    Teardrop

    When tracking a Teardrop attack you will be notified of any attempt to exploit the fragmentation of large packets with erroneous offset values in the second or later fragment. Selecting this protection will block an attempted Teardrop attack.

    This attack will be blocked even if the checkbox is not selected, and logged as "Virtual defragmentation error: Overlapping fragments".

    Table 2-1

    Default Flag Settings: On

    Log Generated by Protection: Teardrop attack detected

    NGX Performance Impact: Does not impact performance.

    Table 2-2 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            N/A
    R55W              Same            N/A

  • Ping of Death

    When tracking this type of attack you will be notified of any attempt in which an IP packet larger than 64KB has been sent to your network.

    Selecting this protection will block an attempted Ping of Death attack.

    This attack will be blocked even if the checkbox is not selected, and logged as "Virtual defragmentation error: Packet too big".

    Table 2-3

    Default Flag Settings: On

    Log Generated by Protection: Ping of Death

    NGX Performance Impact: Does not impact performance.

    Table 2-4 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            N/A
    R55W              Same            N/A

  • LAND

    With this protection you can block LAND crafted packets. When tracking this type of attack you will be notified of any attempt in which a packet is sent to your machine whose source host and port are the same as its destination host and port.

    Selecting this protection will block an attempted LAND attack.

    LAND crafted packets will be blocked when this protection is activated.

    Table 2-5

    Default Flag Settings: On

    Log Generated by Protection: Land Attack

    NGX Performance Impact: Does not impact performance.

    Table 2-6 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Same
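    The three Denial of Service checks above (Teardrop, Ping of Death and LAND) as one offline inspector, added here as an example; this is constructed code, not Check Point's implementation, and the fragments, addresses and log names it returns are taken from the descriptions on this page rather than from the product.

```python
"""Constructed example (not Check Point's code): the three Denial of Service
checks above, Teardrop, Ping of Death and LAND, as an offline inspector over
hand-built IPv4 fragments. Offsets are byte offsets (IP fragment offset * 8)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram may reach


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int            # IP identification: groups the fragments of one datagram
    offset: int           # byte offset of this fragment's payload in the datagram
    length: int           # payload bytes carried by this fragment
    more_fragments: bool  # MF flag
    proto: str = "ICMP"
    sport: int = 0        # transport ports, 0 for ICMP
    dport: int = 0


@dataclass
class Datagram:
    """Virtual defragmentation state for one (src, dst, ident) tuple. A real
    gateway also expires this state after a timeout (see IP Fragments)."""
    fragments: List[Fragment] = field(default_factory=list)

    def add(self, frag: Fragment) -> Optional[str]:
        """Return the protection's log name if the fragment is rejected, else None."""
        end = frag.offset + frag.length
        # Ping of Death: the reassembled datagram would exceed the 64KB IP limit.
        if end > MAX_IP_DATAGRAM:
            return "Ping of Death"
        # A byte-identical retransmission is not an attack; accept it silently.
        if frag in self.fragments:
            return None
        # Teardrop: a later fragment overlaps data that an earlier fragment already
        # covered (its offset lies inside an existing fragment, or vice versa).
        for seen in self.fragments:
            if frag.offset < seen.offset + seen.length and seen.offset < end:
                return "Teardrop attack detected"
        self.fragments.append(frag)
        return None


def check_land(frag: Fragment) -> Optional[str]:
    """LAND: a TCP/UDP packet whose source host and port equal its destination."""
    if frag.proto in ("TCP", "UDP") and frag.src == frag.dst and frag.sport == frag.dport:
        return "Land Attack"
    return None


class DosInspector:
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, str, int], Datagram] = {}

    def inspect(self, frag: Fragment) -> Optional[str]:
        """Return a log name for a dropped packet, or None if it is allowed."""
        verdict = check_land(frag)
        if verdict:
            return verdict
        key = (frag.src, frag.dst, frag.ident)
        datagram = self.table.setdefault(key, Datagram())
        verdict = datagram.add(frag)
        if verdict:
            del self.table[key]  # discard the partial datagram with the bad fragment
        return verdict


def run_samples() -> List[Optional[str]]:
    """Constructed traffic: a benign fragmented ping followed by the three attacks."""
    inspector = DosInspector()
    packets = [
        Fragment("10.0.0.5", "10.0.0.1", 1, 0, 1480, True),       # benign, part 1
        Fragment("10.0.0.5", "10.0.0.1", 1, 1480, 20, False),     # benign, part 2
        Fragment("10.0.0.6", "10.0.0.1", 2, 0, 1480, True),       # Teardrop, part 1
        Fragment("10.0.0.6", "10.0.0.1", 2, 1000, 500, False),    # overlaps bytes 1000-1479
        Fragment("10.0.0.7", "10.0.0.1", 3, 65120, 500, False),   # Ping of Death: ends at 65620
        Fragment("10.0.0.1", "10.0.0.1", 4, 0, 40, False, "TCP", 139, 139),  # LAND
    ]
    return [inspector.inspect(p) for p in packets]


if __name__ == "__main__":
    print(run_samples())
```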

  • Non TCP Flooding

    With this protection you can protect against non-TCP Flooding attacks by limiting the percentage of open non-TCP connections. By setting this threshold, SmartDefense prevents more than a specific percentage of the bandwidth being used for non-TCP connections.

    In addition, you can track non-TCP connections which exceed the threshold.

    Table 2-7

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: The feature is fully accelerated.

    Table 2-8 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Not Enforced    Not Enforced
    R55W              Same            N/A

  • IP and ICMP

    The protections in this section allow you to enable a comprehensive sequence of layer 3 checks (IP and ICMP protocols) and some layer 4 verifications (UDP, TCP and IP options sanity checks).

    Packet Sanity

    This protection performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options and verifying the TCP flags.

    With this protection you can configure whether logs will be issued for offending packets.

    A Monitor Only mode makes it possible to track unauthorized traffic without blocking it. However, setting this protection to Monitor Only means that badly fragmented packets pass unfiltered. Any type of attack may be hidden in fragmented packets. This setting exposes the network to attack.

    Although Packet Sanity is turned off in Monitor Only mode, the following sanity verifications are still enforced and when applicable these packets are dropped:

    - UDP packets with invalid UDP Length

    - TCP packets with a corrupt header

    In each of the above cases, SmartDefense logs will be generated.

    Table 2-9

    Default Flag Settings: On

    Log Generated by Protection:

    NGX Performance Impact: Protection accelerated.

    Table 2-10 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Always On       Enforced
    R55W              Always On       Always On
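    The Packet Sanity checks listed above (packet size, UDP and TCP header lengths, IP options, TCP flags) as a self-contained checker over raw IPv4 bytes, added here as an example; it is constructed code, not Check Point's INSPECT implementation, and the exact set of checks and the addresses in the test packets are assumptions.

```python
"""Constructed example (not Check Point's INSPECT code): the Layer 3/4 sanity
checks listed above, over raw IPv4 packets built in-line. Checksums are not
verified here; only sizes, header lengths, IP options and TCP flags are."""
import struct
from typing import Optional

IP_PROTO_TCP, IP_PROTO_UDP = 6, 17
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


def check_udp(segment: bytes) -> Optional[str]:
    """UDP Length must cover the header and match the bytes actually present."""
    if len(segment) < 8:
        return "UDP header truncated"
    _sport, _dport, udp_len, _csum = struct.unpack("!HHHH", segment[:8])
    if udp_len < 8 or udp_len != len(segment):
        return "invalid UDP Length"
    return None


def check_tcp(segment: bytes) -> Optional[str]:
    """Data offset must be at least 20 bytes and fit in the segment; the flag
    combinations SYN+FIN, SYN+RST and no flags at all never occur legitimately."""
    if len(segment) < 20:
        return "TCP header truncated"
    _sp, _dp, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return "corrupt TCP header"
    if (flags & 0x3F) == 0 or (flags & TCP_SYN and flags & (TCP_FIN | TCP_RST)):
        return "invalid TCP flags"
    return None


def packet_sanity(packet: bytes) -> Optional[str]:
    """Return the reason a packet would be dropped, or None if it passes."""
    if len(packet) < 20:
        return "IP header truncated"
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        return "invalid IP header length"
    if total_len != len(packet):
        return "IP total length mismatch"   # truncated or padded on the wire
    if ihl > 20:
        return "IP options present"         # Packet Sanity drops IP options
    payload = packet[ihl:]
    if proto == IP_PROTO_UDP:
        return check_udp(payload)
    if proto == IP_PROTO_TCP:
        return check_tcp(payload)
    return None


# Builders for constructed test packets (addresses are documentation ranges).
def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    ihl_words = (20 + len(options)) // 4
    total = 20 + len(options) + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 1, 0, 64, proto, 0,
                         bytes([192, 0, 2, 5]), bytes([198, 51, 100, 1]))
    return header + options + payload


def build_udp(payload: bytes, length: Optional[int] = None) -> bytes:
    # Passing an explicit length is how a wrong UDP Length is injected for testing.
    udp_len = 8 + len(payload) if length is None else length
    return struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload


def build_tcp(flags: int, data_offset_words: int = 5) -> bytes:
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, data_offset_words << 4, flags, 8192, 0, 0)
    return header + b"\x00" * max(0, data_offset_words * 4 - 20)
```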

  • Max Ping Size

    This protection allows you to limit the maximum allowed data size for an ICMP echo request. This should not be confused with "Ping of Death", in which the request is malformed.

    Table 2-11

    Default Flag Settings: On

    Log Generated by Protection:

    NGX Performance Impact: Does not impact performance.

    Table 2-12 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Same

  • IP Fragments

    This protection allows you to configure whether fragmented IP packets can pass SmartDefense gateways. It is possible to set a limit upon the number of fragmented packets (incomplete packets) that are allowed.

    It is also possible to define a timeout for holding unassembled packets before discarding them.

    Table 2-13

    Default Flag Settings: Allowed

    Log Generated by Protection:

    NGX Performance Impact: Fragments pass to the FW. Non-fragmented traffic is not impacted.

    Table 2-14 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            N/A
    R55W              Same            N/A

  • Network Quota

    Network Quota enforces a limit upon the number of connections that are allowed from the same source IP, to protect against Denial Of Service attacks.

    When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source or track the event.

    Table 2-15

    Default Flag Settings: Off

    Log Generated by Protection: Network Quota

    NGX Performance Impact: Disables templates.

    Table 2-16 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Same
    R55W              Same            Same

    Note - In the R55W Network Quota protection, Monitor Only was referred to as Only track the event.

  • Block Welchia ICMP

    When this protection is enabled, SmartDefense will identify and drop the ping packets specific to the Welchia worm.

    Table 2-17

    Default Flag Settings: Off

    Log Generated by Protection: Welchia/Nachi Worm ICMP Packet Detected

    NGX Performance Impact: None (ICMP is not accelerated).

    Table 2-18 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Same
    R55W              Same            Same

  • Block CISCO IOS DOS

    This protection allows you to configure which protocols should be protected against this attack. You can also define how many hops away from the enforcement module Cisco routers will be protected.

    Table 2-19

    Default Flag Settings: Off

    Log Generated by Protection: Cisco IOS Enforcement Violation

    NGX Performance Impact: None (ICMP is not accelerated).

    Table 2-20 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Same
    R55W              Same            Same

  • Block Null Payload ICMP

    When this protection is enabled, SmartDefense will identify and drop the null payload ping packets.

    Using SmartView Tracker, VPN-1 NG AI R55 will identify Drop log entries against rule number 99501.

    Table 2-21

    Default Flag Settings: Off

    Log Generated by Protection: Null Payload Echo Request

    NGX Performance Impact: None (ICMP is not accelerated).

    Table 2-22 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Same
    R55W              Same            Same

  • TCP

    The protections in this section allow you to configure a comprehensive set of TCP tests.

    SYN Attack Configuration

    This protection allows you to configure how a SYN attack is detected and how to protect your network from this attack. With this protection you can select whether to activate the SYN attack protection configuration in one place (that is, via SmartDefense), and specify the protection parameters for all modules (that is, gateways), or you can activate previous SYNDefender configuration versions for all current gateway versions.

    The SYN attack protection can be configured for each module separately. This page allows you to override the modules' specific configuration.

    Table 2-23

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables acceleration for TCP sessions (disables templates). In relay mode, all session handshakes are forwarded to the FW.

    Table 2-24 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Enforced
    R55W              Same            Same

  • Small PMTU

    In this protection the configuration option "Minimal MTU size" controls the allowed packet size. An exceedingly small value will not prevent an attack, while an unnecessarily large value might result in legitimate requests being dropped, causing "black hole" effects and degrading performance.

    Table 2-25

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None (Accelerated).

    Table 2-26 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Enforced
    R55W              Same            Same

  • Spoofed Reset Protection

    This protection enforces a threshold on the number of RST packets allowed per connection during a pre-defined period of time.

    It is possible to exclude specific services from this protection. Services such as HTTP that are characterized by relatively short sessions are not affected by this attack. It is therefore advisable for performance reasons to exclude those services from the protection.

    Table 2-27

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Forwards RST packets to the Firewall.

    Table 2-28 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Not Enforced    Not Enforced
    R55W              Not Enforced    Not Enforced

  • Sequence Verifier

    Sequence Verifier is a mechanism that matches the current TCP packet's sequence number against the TCP connection state. Packets that match the connection in terms of the TCP session but have incorrect sequence numbers are either dropped, when the packet's sequence may compromise security, or stripped of data.

    With this protection you can select the appropriate tracking option and define the type of out-of-sequence packets to be tracked.

    Table 2-29

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-30 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Not Enforced

  • Fingerprint Scrambling

    SmartDefense can scramble some of the fields commonly used for fingerprinting, masking the original identity of hosts behind the firewall. Please note, however, that totally preventing fingerprinting is next to impossible. Also note that while this feature makes fingerprinting the hosts protected by the firewall harder, it does little to hide the fact that a firewall is present (that is, fingerprinting the firewall's existence is still possible).

    With this protection you can choose whether to spoof fingerprints for unencrypted (plain) connections, for encrypted connection (for example, a VPN connection, or an HTTPS connection), or both.


    ISN Spoofing

    The ISN scrambler counters ISN prediction by creating a difference between the sequence numbers used by the server and the sequence numbers perceived by the client. This difference is generated with cryptographic functions and has high entropy, which effectively makes it impossible to guess the server's ISN. If the real server's ISN has higher entropy than the entropy selected for the ISN scrambler, the higher entropy will pass through to the client.

    Table 2-31

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables acceleration on TCP traffic.

    Table 2-32 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Not Enforced

  • TTL

    With this protection you can enable or disable the use of TTL, and define how to identify a packet as a TTL packet.

    You can change the TTL field of all packets (or of all outgoing packets) to a given number. This achieves two goals: it is no longer possible to tell how many routers (hops) the host is from the listener, and the listener cannot know what the original TTL value was.

    Table 2-33

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables acceleration on TCP traffic.

    Table 2-34 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Not Enforced

  • IP ID

    With this protection you can override the original IP ID with an ID generated by the firewall, thus masking the algorithm used by the original operating system and, with it, the operating system's identity. The three available algorithms used by the various operating systems are: Random, Incremental, and Incremental LE (little endian).

    Table 2-35

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables acceleration on TCP traffic.

    Table 2-36 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Not Enforced
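    The three Fingerprint Scrambling protections (ISN Spoofing, TTL and IP ID) walked through in code, added here as an example; this is constructed code, not Check Point's implementation, and the HMAC-derived offset, the fixed TTL of 64, the secret and the addresses are assumptions chosen for the demonstration.

```python
"""Constructed example (not Check Point's implementation) of the three
scramblers in this section: a per-connection ISN offset, a fixed outgoing TTL
and a firewall-generated IP ID using the Random, Incremental and Incremental LE
schemes. Key, addresses and sequence numbers are made up for the demonstration."""
import hashlib
import hmac
import os
import struct
from typing import Tuple

SEQ_MOD = 1 << 32
Connection = Tuple[str, int, str, int]  # client ip, client port, server ip, server port


class IsnScrambler:
    """Shifts the server's sequence numbers by a high-entropy per-connection offset
    on the way out, and shifts the client's acknowledgements back on the way in.
    Because the offset is only added, any entropy the real server already has in
    its ISN is preserved (the higher entropy passes through to the client)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret  # assumed: a per-gateway secret, rotated at boot

    def offset(self, conn: Connection) -> int:
        tag = hmac.new(self.secret, repr(conn).encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def outbound_seq(self, conn: Connection, server_seq: int) -> int:
        return (server_seq + self.offset(conn)) % SEQ_MOD

    def inbound_ack(self, conn: Connection, client_ack: int) -> int:
        return (client_ack - self.offset(conn)) % SEQ_MOD


def rewrite_ttl(original_ttl: int, fixed_ttl: int = 64) -> int:
    """TTL protection: every outgoing packet leaves with the same TTL, so a listener
    learns neither the host's initial TTL nor its hop distance."""
    del original_ttl  # deliberately ignored
    return fixed_ttl


class IpIdGenerator:
    """Replaces the host's IP ID with one the firewall generates, so the host's own
    IP ID algorithm (a common OS fingerprint) is hidden."""

    def __init__(self, algorithm: str, seed: int = 0) -> None:
        if algorithm not in ("Random", "Incremental", "Incremental LE"):
            raise ValueError(algorithm)
        self.algorithm = algorithm
        self.counter = seed & 0xFFFF

    def next_id(self) -> int:
        if self.algorithm == "Random":
            return int.from_bytes(os.urandom(2), "big")
        self.counter = (self.counter + 1) & 0xFFFF
        if self.algorithm == "Incremental":
            return self.counter
        # Incremental LE: the counter as a stack storing the field little-endian
        # would emit it, i.e. byte-swapped on the wire.
        return struct.unpack("<H", struct.pack(">H", self.counter))[0]


def handshake_view(scrambler: IsnScrambler, conn: Connection, server_isn: int) -> Tuple[int, int]:
    """Walk the SYN/ACK and the final ACK through the scrambler. Returns the ISN the
    client observes and the acknowledgement number the server finally receives."""
    client_sees = scrambler.outbound_seq(conn, server_isn)
    client_ack = (client_sees + 1) % SEQ_MOD          # client acknowledges ISN+1
    server_gets = scrambler.inbound_ack(conn, client_ack)
    return client_sees, server_gets


if __name__ == "__main__":
    sc = IsnScrambler(b"constructed-secret")
    print(handshake_view(sc, ("192.0.2.5", 40000, "198.51.100.10", 80), 1000))
```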

  • Successive Events

    The protections in this section allow you to configure different kinds of Check Point Malicious Activity Detections, including some general attributes.

    All of these detections depend on logs generated by SmartDefense. By default, Check Point Malicious Activity Detections do not block the detected attacks but rather generate an Alert. It is possible to configure that other actions will be taken, for example User Defined Alerts.

    Address Spoofing

    This protection allows you to define parameters that are specific to the defense against Address Spoofing attempts. An attack is detected (defined) as Address Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

    Table 2-37

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-38 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Enforced
    R55W              Same            Enforced

  • Denial of Service

    To protect the network from DoS attacks, SmartDefense employs a threshold. The threshold detects DoS events when more than a specific number of events occurs over a specific period of time.

    When the threshold limit is reached, the incidents of DoS events are logged and an alert is issued.

    With this protection you can define the frequency of events that will be treated as a DoS attack, and the Action to be taken when one of these attacks is detected.

    Table 2-39

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-40 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Enforced
    R55W              Same            Enforced

  • Local Interface Spoofing

    With this protection you can define parameters that are specific to the defense against Local Interface Spoofing attempts. An attack is detected (defined) as Local Interface Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

    Table 2-41

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-42 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Enforced
    R55W              Same            Enforced

  • Successive Alerts

    With this protection you can define parameters that are specific to the defense against Successive Alerts attempts. An attack is detected (defined) as Successive Alerts when more than a specific number of events are detected over a period of a specific number of seconds.

    Table 2-43

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-44 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Enforced
    R55W              Same            Enforced

  • Successive Multiple Connections

    This protection allows you to define parameters that are specific to the defense against Successive Multiple Connections attempts. An attack is detected (defined) as Successive Multiple Connections when more than a specific number of events are detected over a period of a specific number of seconds.

    Table 2-45

    Default Flag Settings: Off

    Log Generated by Protection: Successive Multiple Connections

    NGX Performance Impact: None.

    Table 2-46 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Enforced
    R55W              Same            Enforced
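    The rule shared by every Successive Events protection above (Address Spoofing, Denial of Service, Local Interface Spoofing, Successive Alerts, Successive Multiple Connections), "more than N events over T seconds", as a windowed counter, added here as an example; this is constructed code, not Check Point's detector, the record tuples are made up rather than a real SmartDefense log format, and the same counter keyed on new-connection events is what the Network Quota limit amounts to.

```python
"""Constructed example (not Check Point's code) of the rule every protection in
this section applies: alert when more than N events of one kind from one source
occur within T seconds. The log records are made-up tuples, not a real
SmartDefense log format."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, str]  # (event kind, source address)
Record = Tuple[float, str, str]  # (seconds, event kind, source address)


class SuccessiveEventDetector:
    def __init__(self, max_events: int, window_seconds: float) -> None:
        self.max_events = max_events
        self.window = window_seconds
        self.history: Dict[Key, Deque[float]] = defaultdict(deque)

    def observe(self, ts: float, kind: str, source: str) -> bool:
        """Feed one event (timestamps assumed non-decreasing). Returns True when the
        event pushes the count in the trailing window above max_events; the window
        is then reset so a sustained burst raises one alert, not one per event."""
        times = self.history[(kind, source)]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()          # expire events older than the window
        if len(times) > self.max_events:
            times.clear()
            return True
        return False


def scan_records(records: List[Record], max_events: int, window_seconds: float) -> List[Record]:
    """Return the records that triggered an alert (the default action in this
    section; a User Defined Alert would hook in at the same point)."""
    detector = SuccessiveEventDetector(max_events, window_seconds)
    return [r for r in records if detector.observe(*r)]


SAMPLE_RECORDS: List[Record] = [  # constructed input
    (0.0, "Address Spoofing", "192.0.2.7"),
    (2.0, "Address Spoofing", "192.0.2.7"),
    (4.0, "Address Spoofing", "192.0.2.7"),
    (5.0, "Address Spoofing", "192.0.2.7"),             # 4th event in 5s: above a limit of 3
    (6.0, "Address Spoofing", "198.51.100.9"),          # other source, counted separately
    (30.0, "Address Spoofing", "192.0.2.7"),            # burst long over; counting restarts
    (31.0, "Successive Multiple Connections", "192.0.2.7"),  # other kind, separate counter
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS, max_events=3, window_seconds=10.0))
```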

  • DShield Storm Center

    Storm Centers gather logging information about attacks. This information is voluntarily provided by organizations from across the world for the benefit of all. Storm Centers collate and present reports on real-time threats to network security in a way that is immediately useful.

    The SmartDefense Storm Center Module enables a two-way information flow between the network Storm Centers and the organizations requiring network security information.

    With the protections in this section you can retrieve a list of malicious IPs from the DShield Storm Center and block those IPs. You can also submit logs to DShield.

    Retrieve and Block Malicious IPs

    With this protection you can decide whether to block all the malicious IP addresses received from DShield.org (one of the leading Storm Centers) or whether to block them for specific gateways.

    Table 2-47

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-48 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Not Enforced

  • Report to DShield

    With this protection you can send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network.

    Table 2-49

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-50 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Not Enforced

  • Port Scan

    The protections in this section allow you to discover incidences of intelligence gathering so that the information in question cannot be used to attack vulnerable computers.

    Port scanning is a method of collecting information about open TCP and UDP ports in a network. Gathering information is not in itself an attack, but the information can be used later to target and attack vulnerable computers.

    Port scanning can be performed either by a hacker using a scanning utility such as nmap, or by a worm trying to spread itself to other computers. Port scanning is most commonly done by trying to access a port and waiting for a response. The response indicates whether or not the port is open.

    Host Port Scan

    SmartDefense has three levels of port scan detection sensitivity. Each level represents the number of inactive ports scanned during a certain amount of time. When a port scan is detected a log or alert is issued.

    Table 2-51

    Default Flag Settings: Off

    Log Generated by Protection: Port Scan

    NGX Performance Impact: None.

    Table 2-52 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Not Enforced    Not Enforced
    R55W              Same            N/A

  • Sweep Scan

    SmartDefense has three levels of port scan detection sensitivity. Each level represents the number of inactive ports scanned during a certain amount of time. When a port scan is detected a log or alert is issued.

    Table 2-53

    Default Flag Settings: Off

    Log Generated by Protection: Port Scan

    NGX Performance Impact: None.

    Table 2-54 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Not Enforced    Not Enforced
    R55W              Same            N/A
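    The Host Port Scan and Sweep Scan detections above, with three sensitivity levels, as one detector over constructed probe records, added here as an example; this is not Check Point's detector, and the per-level thresholds, the window length and the probe records are assumptions (the page gives the shape of the rule, not its numbers).

```python
"""Constructed example (not Check Point's detector): distinguishing a Host Port
Scan (one source, one host, many inactive ports) from a Sweep Scan (one source,
one port, many hosts) with three sensitivity levels. The thresholds and the
probe records are made up; only the shape of the rule comes from the text."""
from typing import Dict, List, NamedTuple, Set, Tuple

# Assumed thresholds: distinct inactive targets within one window, per level.
SENSITIVITY = {"low": 30, "medium": 15, "high": 5}

Alert = Tuple[str, str, object]  # (detection name, scanning source, host or port)


class Probe(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    answered: bool  # True if a service replied; only unanswered (inactive) ports count


class _Window:
    """Distinct targets seen for one key since the window started."""

    def __init__(self, start: float) -> None:
        self.start = start
        self.targets: Set[object] = set()
        self.reported = False


def detect_scans(probes: List[Probe], sensitivity: str = "medium", window: float = 60.0) -> List[Alert]:
    threshold = SENSITIVITY[sensitivity]
    by_host: Dict[Tuple[str, str], _Window] = {}   # (src, dst) -> inactive ports probed
    by_port: Dict[Tuple[str, int], _Window] = {}   # (src, dport) -> hosts probed
    alerts: List[Alert] = []

    def account(table: Dict, key: Tuple, target: object, ts: float, name: str, detail: object) -> None:
        w = table.get(key)
        if w is None or ts - w.start > window:
            w = table[key] = _Window(ts)        # stale or absent window: count afresh
        w.targets.add(target)
        if len(w.targets) >= threshold and not w.reported:
            w.reported = True                   # one log/alert per window
            alerts.append((name, key[0], detail))

    for p in probes:
        if p.answered:
            continue                            # an open port is not evidence of scanning
        account(by_host, (p.src, p.dst), p.dport, p.ts, "Host Port Scan", p.dst)
        account(by_port, (p.src, p.dport), p.dst, p.ts, "Sweep Scan", p.dport)
    return alerts


def sample_probes() -> List[Probe]:
    """Constructed traffic: a port scan of one host, then a sweep for one port."""
    probes: List[Probe] = []
    for port in range(1, 31):      # 30 ports on 10.0.0.1; only 22 and 25 answer
        probes.append(Probe(float(port), "198.51.100.7", "10.0.0.1", port, port in (22, 25)))
    for host in range(1, 21):      # port 445 on 20 hosts, none answering
        probes.append(Probe(100.0 + host, "198.51.100.8", f"10.0.0.{host}", 445, False))
    return probes


if __name__ == "__main__":
    for level in SENSITIVITY:
        print(level, detect_scans(sample_probes(), level))
```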

  • Dynamic Ports

    If this protection is enabled, when a client tries to open a dynamic connection to such a protected port, the connection is dropped.

    Block Data Connections to Low Ports

    Block data connections to low ports specifies whether or not dynamically opened ports below 1024 are permitted. The low port range is used by many standard services, so you will not normally permit low ports.

    Table 2-55

    Default Flag Settings: On

    Log Generated by Protection:

    NGX Performance Impact: None.

    Table 2-56 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Same            Not Enforced
    R55W              Same            Same

  • Chapter 3 Application Intelligence

    In This Chapter

    Introduction page 54

    Mail page 55

    FTP page 58

    Microsoft Networks page 60

    Peer to Peer page 66

    Instant Messengers page 69

    DNS page 75

    VoIP page 80

    SNMP page 88

    VPN Protocols page 90

    Content Protection page 96

    MS-RPC page 98

    MS-SQL page 100

    Routing Protocols page 102

    SUN-RPC page 106

    DHCP page 107

    SOCKS page 108

  • Introduction

    A growing number of attacks attempt to exploit vulnerabilities in network applications rather than target the firewall directly. Check Point Application Intelligence is a set of advanced capabilities, integrated into Firewall and SmartDefense, which detects and prevents application-level attacks. Based on INSPECT intelligent inspection technology, Check Point Application Intelligence gives SmartDefense the ability to protect against application attacks and hazards.

    Figure 3-1 OSI (Open Systems Interconnection) Reference Model

    Application Intelligence protections allow you to configure various protections at the application layer, using SmartDefense's Application Intelligence capabilities.

    Note - The OSI Reference Model is a framework, or guideline, for describing how data is transmitted between devices on a network.

    The Application Layer is not the actual end-user software application, but a set of services that allows the software application to communicate via the network. Distinctions between layers 5, 6, and 7 are not always clear, and some competing models combine these layers, as does this user guide.

  • Mail

    The protections in this section allow you to select what types of enforcement will be applied to Mail traffic.

    POP3 / IMAP Security

    With this protection you enable limitations on email messages delivered to the network using POP3/IMAP protocols. These options make it possible to recognize and stop malicious behavior. For example, SmartDefense can enforce a limit on the length of a username and password (overlong values are used in a Buffer Overrun attack), which prevents the use of a long string of characters that could potentially crash the machine.

    SmartDefense can also prevent a situation in which the use of network resources is deliberately discontinued. It can limit the number of NOOP commands (that is, a no operation command) that may be used in a Denial of Service attack.

    Table 3-57

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables POP3/IMAP acceleration and enables Security servers.

    Table 3-58 (feature behavior under NGX R60 Management)

    Gateway version   Protection on   Monitor-Only mode
    NG FP3 to R55     Not Enforced    Not Enforced
    R55W              Same            Same


Mail Security Server

With this protection you can select what types of enforcement will be applied to SMTP connections passing through the security server.

    The SMTP security server allows strict enforcement of the SMTP protocol. Usually the security server is activated by specifying resources or authentication rules in the standard security policy.

    Table 3-59

    Default Flag Settings: On - only for connections related to resources used in the rule base.

    Log Generated by Protection:

    NGX Performance Impact: Disables SMTP acceleration and enables Security servers.

Table 3-60

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same                                                | Not Enforced
R55W           | Same                                                | Not Enforced


Block ASN.1 Bitstring Encoding Attack over SMTP

SmartDefense protects against the ASN.1 bit string encoding vulnerability in the Microsoft ASN.1 library by analyzing the communication, looking for ASN.1 encoding within the GSSAPI structures used by SMTP authentication and rejecting the malformed bit strings that trigger the vulnerability.

Note that SMTP Security Servers already block the GSSAPI authentication method.

    Table 3-61

    Default Flag Settings: Off

    Log Generated by Protection: MS-ASN.1 Enforcement Violation

    NGX Performance Impact: Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-62

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same (R55 Only)                                     | Same (R55 Only)
R55W           | Same                                                | Same


FTP

The protections in this section allow you to configure various protections related to the FTP protocol.

FTP Bounce

With this protection you can neutralize FTP bounce attacks that pass through the firewall. SmartDefense neutralizes the attack by performing tests in the kernel.

SmartDefense performs a mandatory check against the FTP bounce attack, verifying that the destination address in the FTP PORT command is the address of the client that sent it. In addition, SmartDefense blocks data connections to Dynamic Ports, as defined in the Dynamic Ports tab, under Network Security.
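The PORT-command check, as an added example that is not Check Point's code: it parses the address and port named in an FTP PORT command and rejects the command unless the address is the client's own. Beyond what the text describes, it also rejects privileged data ports and applies the same rule to the RFC 2428 EPRT form; the set of blocked dynamic ports stands in for the Dynamic Ports tab and is an assumption, as are the sample commands.

```python
# Added example, not Check Point code.
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)

# Assumed stand-in for the Dynamic Ports tab: server-side ports that a data
# connection must never be directed at.
BLOCKED_DYNAMIC_PORTS = {1080, 3128, 8080}


def parse_data_endpoint(cmd):
    """Return the (ip, port) named in a PORT or EPRT command, or None if the
    command is neither or is malformed."""
    m = PORT_RE.match(cmd.strip())
    if m:
        octets = [int(x) for x in m.groups()[:4]]
        p1, p2 = int(m.group(5)), int(m.group(6))
        if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
            return None
        return ".".join(map(str, octets)), p1 * 256 + p2
    m = EPRT_RE.match(cmd.strip())
    if m:
        try:
            ip = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            return None
        port = int(m.group(3))
        return (ip, port) if 0 < port < 65536 else None
    return None


def check_port_command(cmd, client_ip, blocked_ports=BLOCKED_DYNAMIC_PORTS):
    """Return 'allow' or a 'deny: <reason>' string for one client command."""
    ep = parse_data_endpoint(cmd)
    if ep is None:
        return "deny: malformed PORT/EPRT"
    ip, port = ep
    if ip != client_ip:                      # the bounce check itself
        return f"deny: bounce attempt, data address {ip} is not the client {client_ip}"
    if port < 1024:                          # assumed policy: no privileged data ports
        return f"deny: privileged data port {port}"
    if port in blocked_ports:
        return f"deny: data port {port} is a blocked dynamic port"
    return "allow"


# Constructed sample commands from a client at 10.1.1.5.
CLIENT = "10.1.1.5"
SAMPLES = [
    "PORT 10,1,1,5,4,1\r\n",          # own address, port 1025: normal
    "PORT 192,168,0,20,0,25\r\n",     # third party, port 25: classic bounce
    "PORT 10,1,1,5,0,80\r\n",         # own address but privileged port
    "PORT 10,1,1,5,31,144\r\n",       # own address, port 8080 (blocked)
    "EPRT |1|10.1.1.5|2000|\r\n",     # EPRT, own address: normal
    "EPRT |1|192.168.0.20|25|\r\n",   # EPRT bounce
    "PORT 10,1,1,5,300,1\r\n",        # malformed octet
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.strip():<32} -> {check_port_command(s, CLIENT)}")
```

The comparison is against the source address of the control connection as the firewall sees it; behind NAT that is the translated address, which is why a bounce check has to be applied at the point where the address in the command and the connection's address are in the same address space.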

    Table 3-63

    Default Flag Settings: On

    Log Generated by Protection:

    NGX Performance Impact: None.

Table 3-64

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same                                                | Not Enforced
R55W           | Same                                                | Same


FTP Security Server

With this protection you can apply Authentication services and Content Security to FTP connections, based on FTP commands (PUT/GET), file name restrictions, and CVP checking (for example, for viruses). In addition, the FTP Security Server logs FTP get and put commands, together with the associated file names, if the rule's Track is set to Log.

Usually the Security Servers are enabled by specifying rules in the security policy.

    Table 3-65

    Default Flag Settings: On - only for connections related to resources used in the rule base.

    Log Generated by Protection:

    NGX Performance Impact: Disables FTP acceleration and enables Security servers.

Table 3-66

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same                                                | Not Enforced
R55W           | Same                                                | Not Enforced


Microsoft Networks

The protections in this section allow you to select what types of enforcement will be applied to Microsoft networking protocols.

File and Print Sharing

This protection allows you to configure worm signatures that will be detected and blocked by the CIFS Worm Defender.

    Table 3-67

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables acceleration of Microsoft Network Protocols.

Table 3-68

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same                                                | Not Enforced
R55W           | Same                                                | Same


Block Null CIFS Sessions

When this protection is enabled, SmartDefense blocks null session attempts, that is, CIFS/SMB sessions set up with an empty username and password, which are commonly used to enumerate users and shares anonymously.

    Table 3-69

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables session rate acceleration for the CIFS protocol.

Table 3-70

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | *Enforced                                           | Not Enforced
R55W           | Same                                                | Same


Block Popup Messages

When this protection is enabled, any attempt to send a Windows popup message (a Messenger service message of the kind sent with net send) is blocked.

    Table 3-71

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables acceleration of Microsoft Network Protocols.

Table 3-72

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | *Enforced                                           | Not Enforced
R55W           | Same                                                | Same


Block ASN.1 Bitstring Encoding Attack

SmartDefense protects against the ASN.1 bit string encoding vulnerability in the Microsoft ASN.1 library by analyzing the communication, looking for ASN.1 BER encoding within GSS-API structures in various protocols.

    Table 3-73

    Default Flag Settings: Off

    Log Generated by Protection: MS-ASN.1 Enforcement Violation

    NGX Performance Impact: Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-74

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same (R55 Only)                                     | Same (R55 Only)
R55W           | Same                                                | Same


Block WINS Replication Attack

With this protection SmartDefense recognizes an illegal WINS replication packet, so that potentially harmful packets are caught before they enter the network.

    Table 3-75

    Default Flag Settings: Off

    Log Generated by Protection: MS WINS Replication Protocol Enforcement Violation

    NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-76

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same (R55 Only)                                     | Same (R55 Only)
R55W           | Same                                                | Same


Block WINS Name Validation Attack

With this protection SmartDefense recognizes an illegal NBNS (NetBIOS Name Service) packet, so that potentially harmful packets are caught before they enter the network.

    Table 3-77

    Default Flag Settings: Off

    Log Generated by Protection: MS WINS Name Validation Enforcement Violation

    NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-78

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same (R55 Only)                                     | Same (R55 Only)
R55W           | Same                                                | Same


Peer to Peer

The protections in this section enable you to block Peer to Peer traffic.

These protections allow you to prevent the use of peer to peer applications for message transfer and file sharing (for example, Kazaa and Gnutella). For peer to peer applications that masquerade as HTTP you can define HTTP patterns that you wish to block.

By identifying protocol fingerprints and HTTP headers, SmartDefense detects peer to peer sessions regardless of the TCP port they use.
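To make the fingerprint idea concrete, here is an added Python classifier (not Check Point's code or signatures) that identifies a session from the first bytes the client sends, whether they are a raw protocol handshake or an HTTP request, without looking at the TCP port. The patterns are a small illustrative set drawn from the public protocol handshakes and client User-Agent strings, and the sample payloads are constructed.

```python
# Added example, not Check Point code; the fingerprints are illustrative.
import re

# Raw (non-HTTP) handshake fingerprints: name -> predicate over the first bytes.
RAW_FINGERPRINTS = {
    "Gnutella":   lambda b: b.startswith(b"GNUTELLA CONNECT/") or b.startswith(b"GNUTELLA/0.6 200"),
    "BitTorrent": lambda b: b.startswith(b"\x13BitTorrent protocol"),
    "IRC":        lambda b: re.match(rb"^(NICK|USER|PASS) [^\r\n]*\r?\n(NICK|USER) ", b) is not None,
}

# HTTP-level fingerprints: (application, header name, regex on header value).
# Header names are compared case-insensitively, as HTTP requires.
HTTP_FINGERPRINTS = [
    ("KaZaA",      "x-kazaa-username", re.compile(r".")),
    ("KaZaA",      "user-agent",       re.compile(r"KazaaClient", re.I)),
    ("BitTorrent", "user-agent",       re.compile(r"^(BitTorrent|Azureus|uTorrent|Transmission)", re.I)),
    ("Gnutella",   "user-agent",       re.compile(r"(LimeWire|BearShare|Gnucleus)", re.I)),
]
# Request-line fingerprints: a BitTorrent tracker announce looks like
# "GET /announce?info_hash=...", whatever host and port it is sent to.
REQUEST_LINE_FINGERPRINTS = [
    ("BitTorrent", re.compile(r"^GET /(announce|scrape)\?.*info_hash=", re.I)),
]


def parse_http_request(payload):
    """Return (request_line, {lower-cased header: value}) or None if the
    payload does not start with an HTTP/1.x request line."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify(payload):
    """Return the detected application name, or None if nothing matched."""
    for name, test in RAW_FINGERPRINTS.items():
        if test(payload):
            return name
    parsed = parse_http_request(payload)
    if parsed is None:
        return None
    request_line, headers = parsed
    for name, rx in REQUEST_LINE_FINGERPRINTS:
        if rx.search(request_line):
            return name
    for name, header, rx in HTTP_FINGERPRINTS:
        if header in headers and rx.search(headers[header]):
            return name
    return None


# Constructed sample first-packets, as a client would send them.
SAMPLES = {
    "gnutella_handshake": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.8\r\n\r\n",
    "bt_peer_wire":       b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20),
    "kazaa_over_http":    b"GET /.hash=abc HTTP/1.1\r\nHost: 1.2.3.4:1214\r\nX-Kazaa-Username: bob\r\n\r\n",
    "bt_tracker_http":    b"GET /announce?info_hash=%AA%BB&peer_id=x HTTP/1.1\r\nHost: tracker\r\n\r\n",
    "irc_login":          b"NICK alice\r\nUSER alice 0 * :Alice\r\n",
    "plain_web":          b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:<20} -> {classify(pkt)}")
```

Header-based fingerprints are the weakest part of such a classifier: a client can change its User-Agent at will, which is why the raw handshake patterns and the request-line pattern are checked first and why a production engine keeps its signature set current.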

Excluded Services/Network Objects

Since R55W you can create a white list of hosts and ports that are not scanned for peer to peer protocols. However, because this capability does not exist on modules earlier than R55W, installing the protections on older modules causes them to be active even on the excluded objects.

    Table 3-79

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: None.

Table 3-80

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


All Protocols through Port 80

With these protections you can block any of the supported peer to peer applications:

    KaZaA

    Gnutella

    eMule

    BitTorrent

    SoulSeek

    IRC

    Table 3-81

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables session rate acceleration on Port 80.

Table 3-82

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


All Protocols

With these protections you can block any of the supported peer to peer applications:

    KaZaA

    Gnutella

    eMule

    BitTorrent

    SoulSeek

    IRC

On older modules (NG FP3 to R55), turning on Header Rejection protects HTTP traffic even though these protections are not enforced there.

    Table 3-83

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables session rate acceleration.

Table 3-84

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


Instant Messengers

The protections in this section allow you to block Instant Messaging applications that use Instant Messaging protocols. Instant Messaging applications have many capabilities, including voice calls, message transfer, and file sharing.

Excluded Services/Network Objects

Since R55W you can create a white list of hosts and ports that are not scanned for instant messaging protocols. However, because this capability does not exist on modules earlier than R55W, installing the protections on older modules causes them to be active even on the excluded objects.

    Table 3-85

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact:

Table 3-86

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


MSN Messenger over SIP

With this protection you can block everything sent by SIP-based MSN Messenger, or selectively block specific MSN Messenger applications: file-transfer, application-sharing, white-boarding, and remote-assistant.

SmartDefense verifies compliance with the Session Initiation Protocol (SIP), RFC 3261.

If "Block SIP-based instant messaging" in SmartDefense > Application Intelligence > VoIP > SIP is selected, all MSN over SIP applications are blocked automatically.

    Table 3-87

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: SIP traffic is not accelerated.

Table 3-88

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | N/A


MSN Messenger over MSNMS

With this protection you can block specific MSN Messenger applications: video, audio, file-transfer, application-sharing, white-boarding, and remote-assistant. MSN Messenger can be either blocked completely, or its applications can be selectively blocked.

To completely block MSN Messenger over MSNMS, no configuration is needed, because a security rule is required to allow it in the first place.

To selectively block MSNMS-based MSN Messenger applications, you must define a security rule with the MSNMS service (TCP 1863) that allows them, and then configure SmartDefense.

    Table 3-89

    Default Flag Settings: Off

    Log Generated by Protection:

NGX Performance Impact: VPN-1: disables session rate acceleration. InterSpect: none.

Table 3-90

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Not Enforced                                        | Not Enforced


Skype

SmartDefense can block Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense detects peer to peer traffic regardless of the TCP port used to initiate the peer to peer session. Skype uses UDP or TCP ports 1024 and above, or HTTP, for peer to peer telephony.

Because Skype uses a session that resembles SSL to bypass firewalls, it is now required to either block the SSL ports completely or activate the "Block SSL null-pointer assignment" protection, under the VPN Protocols branch.

SmartDefense inspects Peer to Peer connections over HTTP requests and responses.

    Table 3-91

    Default Flag Settings: Off

    Log Generated by Protection:

NGX Performance Impact: VPN-1: disables session rate acceleration. InterSpect: none.

Table 3-92

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


Yahoo! Messenger

SmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and HTTP headers. SmartDefense detects peer to peer traffic regardless of the TCP port used to initiate the peer to peer session.

Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer.

SmartDefense inspects Peer to Peer request and response connections over HTTP.

    Table 3-93

    Default Flag Settings: Off

    Log Generated by Protection:

NGX Performance Impact: VPN-1: disables session rate acceleration. InterSpect: none.

Table 3-94

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


ICQ

SmartDefense can block ICQ traffic by identifying ICQ's fingerprints and HTTP headers. SmartDefense detects peer to peer traffic regardless of the TCP port used to initiate the peer to peer session.

ICQ uses TCP port 5190 to connect. File transfer and sharing are done through TCP ports 3574 and 7320.

SmartDefense inspects Peer to Peer request and response connections over HTTP.

    Table 3-95

    Default Flag Settings: Off

    Log Generated by Protection:

NGX Performance Impact: VPN-1: disables session rate acceleration. InterSpect: none.

Table 3-96

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


DNS

With the protections in this section you can prevent various DNS related vulnerabilities and protocol violations by performing DNS protocol enforcement and validation over TCP and UDP.

Protocol Enforcement - TCP

SmartDefense recognizes a DNS packet that has been altered, so that potentially harmful packets are caught before they enter the network.

With this protection you enforce the DNS protocol over TCP. Only well-formed DNS packets sent over TCP are allowed into the network: all connections to the DNS port over TCP are monitored to verify that every DNS packet attempting to enter the network has not been altered.

Enforcing the protocol over TCP reduces the potential for maliciously altered DNS packets to enter the system.

    Table 3-97

    Default Flag Settings: On

    Log Generated by Protection:

    NGX Performance Impact: Disables DNS/TCP acceleration.

Table 3-98

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | N/A


Protocol Enforcement - UDP

SmartDefense recognizes a DNS packet that has been altered, so that potentially harmful packets are caught before they enter the network.

With this protection you enforce the DNS protocol over UDP. Only well-formed DNS packets sent over UDP are allowed into the network: all connections to the DNS port over UDP are monitored to verify that every DNS packet attempting to enter the network has not been altered.

Enforcing the protocol over UDP reduces the potential for maliciously altered DNS packets to enter the system.

    Table 3-99

    Default Flag Settings: On

    Log Generated by Protection:

    NGX Performance Impact: Disables DNS/UDP acceleration.

Table 3-100

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Same                                                | Not Enforced
R55W           | Same                                                | N/A


Domain Block List

With this protection you can create a Block List of domain names for the purpose of filtering out undesirable traffic. SmartDefense does not allow a user to access a domain address specified in the Block List. The domain Block List is updated manually.

    Table 3-101

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables DNS acceleration.

Table 3-102

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | Same


Cache Poisoning Protections

The Cache Poisoning protections enable you to configure protection against DNS cache poisoning.

To reduce DNS traffic, name servers maintain a cache. Cached entries expire according to the TTL of each record. Cache poisoning occurs when a DNS cache receives mapping information that was deliberately altered by a remote name server. The DNS server caches the incorrect information and serves it in reply to later requests. As a result, email messages and URL addresses can be redirected, and the information sent by a user can be captured and corrupted.
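The following Python example (added here; not Check Point code) applies the three DNS checks described in this section, Protocol Enforcement, the Domain Block List and the Cache Poisoning protection, to raw DNS message bytes: parse_message rejects anything that is not a well-formed DNS message, inspect_query drops queries for names on a block list (including their subdomains), and inspect_response accepts a reply only if its transaction ID and question match the outstanding query and every record falls inside the queried domain. The block list, the sample packets and the simplified bailiwick rule are assumptions made for the example.

```python
# Added example, not Check Point code.
import struct

BLOCK_LIST = {"evil.example", "malware.test"}   # assumed, manually maintained


class DnsError(ValueError):
    pass


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it).
    Labels over 63 bytes and forward pointers are rejected; backward-only
    pointers cannot loop."""
    labels = []
    while True:
        if off >= len(msg):
            raise DnsError("truncated name")
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise DnsError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise DnsError("forward pointer")
            tail, _ = read_name(msg, ptr)
            return ".".join(filter(None, labels + [tail])), off + 2
        if n > 63:
            raise DnsError("label too long")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace").lower())
        off += 1 + n


def parse_message(msg):
    """Parse the header, the single question and every record; raise DnsError
    for anything that is not a well-formed DNS message (protocol enforcement)."""
    if len(msg) < 12:
        raise DnsError("shorter than header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if qd != 1:
        raise DnsError("question count must be 1")
    qname, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise DnsError("truncated question")
    off += 4                                      # skip QTYPE/QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise DnsError("truncated record")
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise DnsError("rdata overruns message")
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    if off != len(msg):
        raise DnsError("trailing bytes")
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "records": records}


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def inspect_query(msg):
    """Protocol enforcement plus Block List check on a client query."""
    try:
        q = parse_message(msg)
    except DnsError as e:
        return f"drop: protocol violation ({e})"
    if any(in_domain(q["qname"], d) for d in BLOCK_LIST):
        return f"drop: {q['qname']} is on the block list"
    return "allow"


def inspect_response(msg, txid, qname):
    """Cache-poisoning check: ID and question must match the outstanding query
    and every record must lie under the queried name's parent domain (a
    simplified bailiwick rule; it would also reject CNAME targets elsewhere)."""
    try:
        r = parse_message(msg)
    except DnsError as e:
        return f"drop: protocol violation ({e})"
    if not r["is_response"] or r["id"] != txid or r["qname"] != qname.lower():
        return "drop: does not match the outstanding query"
    bailiwick = qname.lower().split(".", 1)[-1]
    for name, _, _ in r["records"]:
        if not in_domain(name, bailiwick):
            return f"drop: out-of-bailiwick record for {name}"
    return "allow"


def enc(name):                                    # wire-encode a name (sample helper)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def query(txid, name):                            # minimal A query (sample helper)
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + enc(name) + b"\x00\x01\x00\x01"


def response(txid, name, rr_name, addr):          # one A answer; rr_name != name models poisoning
    return (struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + enc(name) + b"\x00\x01\x00\x01"
            + enc(rr_name) + struct.pack("!HHIH", 1, 1, 300, 4) + addr)


# Constructed samples.
GOOD_QUERY = query(0x1234, "www.example.com")
BLOCKED_QUERY = query(0x1235, "cdn.evil.example")
BAD_QUERY = GOOD_QUERY[:12] + b"\x50" + GOOD_QUERY[13:]      # first label length 80 > 63
GOOD_RESP = response(0x1234, "www.example.com", "www.example.com", b"\xc0\x00\x02\x01")
POISON_RESP = response(0x1234, "www.example.com", "www.bank.test", b"\x0a\x00\x00\x01")
```

Running inspect_query over GOOD_QUERY, BLOCKED_QUERY and BAD_QUERY returns allow, a block-list drop and a protocol-violation drop respectively; inspect_response(GOOD_RESP, 0x1234, "www.example.com") returns allow, while POISON_RESP, whose answer record names a host outside example.com, is dropped as out of bailiwick. Matching the transaction ID and question only narrows the window for blind spoofing; a resolver that also randomises its source port, which this example does not model, is the other half of the defence.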

    Table 3-103

    Default Flag Settings: Off

    Log Generated by Protection:

    NGX Performance Impact: Disables DNS acceleration.

Table 3-104

Module version | Behavior when protection is On (NGX R60 Management) | Behavior in Monitor-Only mode (NGX R60 Management)
NG FP3 to R55  | Not Enforced                                        | Not Enforced
R55W           | Same                                                | N/A


Resource Records Enforcements

This protection allows you to set the ma