
Check Point NGX SmartDefense

Protections Reference Guide


Version NGX and above

July 2006

2003-2006 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,
distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written
authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or
omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer
Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
2003-2006 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, ConnectControl, Connectra, Cooperative
Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer,
FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle
Management, Provider-1, Safe@Office, SecureClient, SecureKnowledge, SecuRemote, SecurePlatform, SecureServer, SecureUpdate, SecureXL, SecureXL
Turbocard, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartDashboard, SmartDefense, SmartDefense Advisor,
Smarter Security, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare,
SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1
UTM Edge, VPN-1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge,
VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, Zone Labs, and
the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned
herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No.
5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.
For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.

Contents

Preface
Who Should Use This Guide.............................................................................. 10
Summary of Contents ....................................................................................... 11
Related Documentation .................................................................................... 12
More Information ............................................................................................. 15

Chapter 1

Introduction
Overview and Purpose ...................................................................................... 18
SmartDefense............................................................................................. 18
Web Intelligence......................................................................................... 19
Obtaining the Latest Version of the Documentation ............................................. 20
Structure of the Guide...................................................................................... 21
How to Read this Document:............................................................................. 22

Chapter 2

Network Security
Introduction .................................................................................................... 24
Denial Of Service ............................................................................................. 25
Teardrop .................................................................................................... 25
Ping of Death ............................................................................................. 26
LAND ........................................................................................................ 27
Non TCP Flooding ....................................................................................... 28
IP and ICMP ................................................................................................... 29
Packet Sanity ............................................................................................. 29
Max Ping Size ............................................................................................ 30
IP Fragments.............................................................................................. 31
Network Quota............................................................................................ 32
Block Welchia ICMP.................................................................................... 33
Block CISCO IOS DOS................................................................................. 34
Block Null Payload ICMP............................................................................. 35
TCP................................................................................................................ 36
SYN Attack Configuration ............................................................................ 36
Small PMTU............................................................................................... 37
Spoofed Reset Protection ............................................................................ 38
Sequence Verifier ....................................................................................... 39
Fingerprint Scrambling..................................................................................... 40
ISN Spoofing.............................................................................................. 40
TTL ........................................................................................................... 41
IP ID ......................................................................................................... 42
Successive Events............................................................................................ 43
Address Spoofing ........................................................................................ 43
Denial of Service ........................................................................................ 44
Local Interface Spoofing.............................................................................. 45
Successive Alerts ........................................................................................ 46

Successive Multiple Connections.................................................................. 47


DShield Storm Center ...................................................................................... 48
Retrieve and Block Malicious IPs ................................................................. 48
Report to DShield ....................................................................................... 49
Port Scan........................................................................................................ 50
Host Port Scan ........................................................................................... 50
Sweep Scan ............................................................................................... 51
Dynamic Ports ................................................................................................. 52
Block Data Connections to Low Ports ............................................................ 52

Chapter 3

Application Intelligence
Introduction .................................................................................................... 54
Mail ............................................................................................................... 55
POP3 / IMAP Security ................................................................................. 55
Mail Security Server .................................................................................... 56
Block ASN.1 Bitstring Encoding Attack over SMTP ........................................ 57
FTP ................................................................................................................ 58
FTP Bounce ............................................................................................... 58
FTP Security Server .................................................................................... 59
Microsoft Networks .......................................................................................... 60
File and Print Sharing ................................................................................. 60
Block Null CIFS Sessions ............................................................................ 61
Block Popup Messages ................................................................................ 62
Block ASN.1 Bitstring Encoding Attack......................................................... 63
Block WINS Replication Attack .................................................................... 64
Block WINS Name Validation Attack............................................................. 65
Peer to Peer .................................................................................................... 66
Excluded Services/Network Objects .............................................................. 66
All Protocols through Port 80 ....................................................................... 67
All Protocols............................................................................................... 68
Instant Messengers .......................................................................................... 69
Excluded Services/Network Objects .............................................................. 69
MSN Messenger over SIP............................................................................. 70
MSN Messenger over MSNMS...................................................................... 71
Skype ........................................................................................................ 72
Yahoo! Messenger ....................................................................................... 73
ICQ ........................................................................................................... 74
DNS ............................................................................................................... 75
Protocol Enforcement - TCP ......................................................................... 75
Protocol Enforcement - UDP ........................................................................ 76
Domain Block List ...................................................................................... 77
Cache Poisoning Protections ........................................................................ 78
Resource Records Enforcements .................................................................. 79
VoIP ............................................................................................................... 80
DOS Protection........................................................................................... 80
H323 ........................................................................................................ 81
SIP............................................................................................................ 82
MGCP (allowed commands) ......................................................................... 86

SCCP (Skinny) ............................................................................................ 87


SNMP............................................................................................................. 88
Allow Only SNMPv3 Traffic .......................................................................... 88
Drop Requests to Default Community Strings................................................. 89
VPN Protocols ................................................................................................. 90
PPTP Enforcement...................................................................................... 90
SSL Enforcement........................................................................................ 91
Block IKE Aggressive Exchange .................................................................... 92
IKE Enforcement ........................................................................................ 93
SSH - Detect SSH over Non-Standard Ports................................................... 94
SSH Enforcement ....................................................................................... 95
Content Protection ........................................................................................... 96
Malformed JPEG......................................................................................... 96
Malformed ANI File..................................................................................... 97
MS-RPC.......................................................................................................... 98
DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135 .. 98
Drop Unauthenticated DCOM ....................................................................... 99
MS-RPC Program Lookup ............................................................................ 99
MS-SQL ........................................................................................................ 100
MS-SQL Monitor Protocol .......................................................................... 100
MS-SQL Server Protocol ............................................................................ 101
Routing Protocols .......................................................................................... 102
OSPF....................................................................................................... 102
BGP (block non-MD5 authenticated BGP connections) ................................. 103
RIP ......................................................................................................... 104
IGMP....................................................................................................... 105
SUN-RPC...................................................................................................... 106
SUN-RPC Program Lookup ........................................................................ 106
DHCP ........................................................................................................... 107
SOCKS ......................................................................................................... 108

Chapter 4

Web Intelligence
Introduction .................................................................................................. 110
Malicious Code .............................................................................................. 111
General HTTP Worm Catcher...................................................................... 111
Malicious Code Protector ........................................................................... 112
Application Layer........................................................................................... 113
Cross Site Scripting .................................................................................. 113
LDAP Injection ......................................................................................... 114
SQL Injection ........................................................................................... 115
Command Injection................................................................................... 116
Directory Traversal .................................................................................... 117
Information Disclosure ................................................................................... 118
Header Spoofing ....................................................................................... 118
Directory Listing ....................................................................................... 119
Error Concealment .................................................................................... 120
HTTP Protocol Inspection ............................................................................... 121
HTTP Format Sizes ................................................................................... 121

ASCII Only Request .................................................................................. 124
ASCII Only Response Headers.................................................................... 125
Header Rejection ...................................................................................... 126
HTTP Methods ......................................................................................... 127
Block HTTP on Non-Standard Port ............................................................. 128
Block Malicious HTTP Encodings ............................................................... 129

Index .......................................................................................................... 135

Preface

In This Chapter
Who Should Use This Guide                         page 10
Summary of Contents                               page 11
Related Documentation                             page 12
More Information                                  page 15

Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network
security within an enterprise, including policy management and user support.
This guide assumes a basic understanding of:

• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).

Summary of Contents

This guide contains the following chapters:

Chapter 1, Introduction: Provides system administrators with an understanding
about the implication of each protection when installing a policy on previous
releases (in other words, backwards compatibility).

Chapter 2, Network Security: Provides information about each Network Security
Protection.

Chapter 3, Application Intelligence: Provides information about each Application
Intelligence Protection.

Chapter 4, Web Intelligence: Provides information about each Web Intelligence
Protection.

Related Documentation

The NGX R62 release includes the following documentation:

TABLE P-1  VPN-1 Power/UTM suite documentation

Getting Started Guide: The Getting Started guide contains an overview of NGX R62
and step by step product installation and upgrade procedures. This document also
provides information about What's New, Licenses, Minimum hardware and software
requirements, etc.

Upgrade Guide: The Upgrade guide explains all available upgrade paths for Check
Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared
towards upgrading to NGX R62.

SmartCenter Guide: The SmartCenter Guide explains SmartCenter Management
solutions. This guide provides solutions for control over configuring, managing,
and monitoring security deployments at the perimeter, inside the network, and at
all user endpoints.

Firewall and SmartDefense Guide: The Firewall and SmartDefense guide is divided
into the following topics:
• Controlling and securing network access.
• Establishing network connectivity.
• Using SmartDefense to protect against network and application level attacks.
• Using Web Intelligence to protect web servers and applications, and integrated
  web security capabilities.
• Using Content Vectoring Protocol (CVP) applications for anti-virus protection,
  and URL Filtering (UFP) applications for limiting access to web sites.
• Securing VoIP traffic.

Eventia Reporter: The Eventia Reporter guide explains how to monitor and audit
traffic, and generate detailed or summarized reports in the format of your choice
(list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1
Power/UTM, SecureClient and SmartDefense.

SmartView Tracker Guide: The SmartView chapter provides information about how to
collect comprehensive information on your network activity in the form of logs. In
this chapter you learn how to use SmartView Tracker to audit these logs at any
given time, analyze traffic patterns and troubleshoot networking and security
issues.

SecurePlatform Guide: The SecurePlatform guide explains how to install and
configure SecurePlatform. This guide will also teach you how to manage your
SecurePlatform and explains Dynamic Routing (Unicast and Multicast) protocols.

Provider-1 Guide: The Provider-1 guide explains the Provider-1/SiteManager-1
security management solution. This guide provides details about a three-tier,
multi-policy management architecture and a host of Network Operating Center
oriented features that automate time-consuming repetitive tasks common in Network
Operating Center environments.

TABLE P-2  Integrity Server documentation

Integrity Advanced Server Installation Guide: Integrity Advanced Server
Installation Guide explains how to install, configure, and maintain the Integrity
Advanced Server.

Integrity Advanced Server Administrator Console Reference: The Integrity Advanced
Server Administrator Console Reference guide provides screen-by-screen
descriptions of user interface elements, with cross-references to relevant
chapters of the Administrator Guide. This document contains an overview of
Administrator Console navigation, including use of the help system.

Integrity Advanced Server Administrator Guide: The Integrity Advanced Server
Administrator Guide explains how to manage administrators and endpoint security
with Integrity Advanced Server.

Integrity Advanced Server Gateway Integration Guide: Integrity Advanced Server
Gateway Integration Guide provides information about how to integrate your
Virtual Private Network gateway device with Integrity Advanced Server. This guide
also contains information regarding deploying the unified SecureClient/Integrity
client package.

Integrity Advanced Server System Requirements: The Integrity Advanced Server
System Requirements provides information about client and server requirements.

Integrity Agent for Linux Installation and Configuration Guide: The Integrity
Agent for Linux Installation and Configuration Guide explains how to install and
configure Integrity Agent for Linux.

Integrity XML Policy Reference Guide: The Integrity XML Policy Reference Guide
provides the contents of Integrity client XML policy files.

Integrity Client Management Guide: The Integrity Client Management Guide explains
how to use command line parameters to control Integrity client installer behavior
and post-installation behavior.
More Information

For additional technical information about Check Point products, consult Check
Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.

See the latest version of this document in the User Center at
http://www.checkpoint.com/support/technical/documents.

Chapter 1
Introduction

In This Chapter
Overview and Purpose                                   page 18
Obtaining the Latest Version of the Documentation      page 20
Structure of the Guide                                 page 21
How to Read this Document:                             page 22

Overview and Purpose

This guide is divided into a number of sections and chapters that provide an
overview of how NGX R60 SmartDefense and Web Intelligence protections work
with the following previous versions:

• NG FP3
• NG With Application Intelligence R54
• NG With Application Intelligence R55 (including R55P)
• NG With Application Intelligence R55W

The intention of this guide is to provide system administrators with an
understanding about the implication of each protection when installing a policy on
previous releases (in other words, backwards compatibility).
To fully understand SmartDefense and Web Intelligence protections it is
recommended that you familiarize yourself with NGX R60 behavior. To do this, refer
to the NGX R60 Firewall and SmartDefense Guide.

SmartDefense
Check Point SmartDefense provides a unified security framework for various
components that identify and prevent attacks. SmartDefense actively defends your
network, even when the protection is not explicitly defined in the Security Rule
Base. It unobtrusively analyzes activity across your network, tracking potentially
threatening events and optionally sending notifications. It protects organizations
from all known, and most unknown, network attacks using intelligent security
technology.
Keeping up-to-date with the latest defenses does not require up-to-the-minute
technical knowledge. A single click updates SmartDefense with all the latest
defenses from the SmartDefense website.
SmartDefense provides a console that can be used to:

• Choose the attacks that you wish to defend against, and read detailed
  information about the attack.
• Easily configure parameters for each attack, including logging options.
• Receive real-time information on attacks, and update SmartDefense with new
  capabilities.

Web Intelligence
Check Point Web Intelligence enables customers to configure, enforce and update
attack protections for web servers and applications. Web Intelligence protections
are designed specifically for web-based attacks, and complement the network and
application level protections offered by SmartDefense. In addition, Web Intelligence
Advisories published online by Check Point provide information and add new attack
defenses.
Web Intelligence not only protects against a range of known attacks, varying from
attacks on the web server itself to databases used by web applications, but also
incorporates intelligent security technologies that protect against entire categories
of emerging, or unknown, attacks.
Unlike web firewalls and traditional intrusion protection systems, Web Intelligence
provides proactive attack protections. It ensures that communications between
clients and web servers comply with published standards and security best
practices, restricts hackers from executing irrelevant system commands, and
inspects traffic passing to web servers to ensure that it does not contain dangerous
malicious code. Web Intelligence allows organizations to permit access to their web
servers and applications without sacrificing either security or performance.

Obtaining the Latest Version of the Documentation

SmartDefense and Web Intelligence protections are being continuously updated.
For this reason, see the latest available online version of this document in the User
Center at http://www.checkpoint.com/support/technical/documents/docs_r62.html.
For additional information contact your Check Point partner.

Structure of the Guide

This guide is divided into a number of chapters:
Chapter 2, Network Security gives an overview of Network Security protections,
which enable protection against attacks on the network and transport level.
Chapter 3, Application Intelligence gives an overview of Application Intelligence
protections, which enable the configuration of various protections at the application
layer, using SmartDefense's Application Intelligence capabilities.
Chapter 4, Web Intelligence gives an overview of Web Intelligence protections,
which provide high performance attack protection for web servers and applications.
Web Intelligence provides proactive attack protection by looking for malicious code
and ensuring adherence to protocols and security best practice.

How to Read this Document:

In this guide the condition of each protection in a specific scenario is represented
by a status. The following represent all of the possible statuses:

On: indicates that the protection is on by default. However, options within the
protection may be off or on by default.

Off: indicates that the protection is off by default.

Same: indicates that the protection's behavior is the same as in NGX R60.

Always On: indicates that the protection cannot be turned off on modules from this
release even though it is configured as Off in NGX R60 Management.

Enforced: indicates that the protection is active.

*Enforced: indicates that the protection is active, but that it did not exist when
R55 was released. Before this protection can be active it requires a SmartDashboard
update.

Not Enforced: indicates that the protection is not active.

Allowed: indicates all commands are allowed.

N/A: indicates not applicable.

Chapter 2
Network Security

In This Chapter
Introduction                  page 24
Denial Of Service             page 25
IP and ICMP                   page 29
TCP                           page 36
Fingerprint Scrambling        page 40
Successive Events             page 43
DShield Storm Center          page 48
Port Scan                     page 50
Dynamic Ports                 page 52

Introduction
Application Intelligence is primarily associated with application level defenses.
However, in practice many attacks aimed at network applications actually target the
network and transport layers.
Hackers target these lower layers as a means to access the application layer, and
ultimately the application and data itself. Also, by targeting lower layers, attacks
can interrupt or deny service to legitimate users and applications (e.g., DoS
attacks). For these reasons, SmartDefense addresses not only the application layer,
but also network and transport layers.
Preventing malicious manipulation of network-layer protocols (e.g., IP, ICMP) is a
crucial requirement for multi-level security gateways. The most common vehicle for
attacks against the network layer is the Internet Protocol (IP), whose set of services
resides within this layer.
As with the network layer, the transport layer and its common protocols (TCP, UDP)
provide popular access points for attacks on applications and their data.
The pages to follow contain information that will help you configure various
SmartDefense protections against attacks on the network and transport level from
versions prior to NGX R60. These pages allow you to configure protection against
attacks which attempt to target network components or the firewall directly.
The effect of such attacks, on the IP, TCP, UDP or ICMP network protocols, ranges
from simple identification of the operating systems used in your organization, to
denial of service attacks on hosts and servers on the network.

Denial Of Service
Denial of Service (DoS) attacks are aimed at disrupting normal operations of a
service. The attacks in this section exploit bugs in operating systems to remotely
crash the machines.
The detections in this protection depend on logs generated by SmartDefense. These
logs can be configured per attack.

Teardrop
When tracking a Teardrop attack you will be notified of any attempt to exploit the
fragmentation of large packets with erroneous offset values in the second or later
fragment. Selecting this protection blocks an attempted Teardrop attack.
The attack is blocked even if the checkbox is not selected, in which case it is
logged as "Virtual defragmentation error: Overlapping fragments".
Table 2-1
Default Flag Settings:         On
Log Generated by Protection:   Teardrop attack detected
NGX Performance Impact:        Does not impact performance.

Table 2-2
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                N/A
R55W            Same                                N/A

Chapter 2   Network Security

Ping of Death
When tracking this type of attack you will be notified of any attempt in which an IP
packet larger than 64KB has been sent to your network.
Selecting this protection blocks an attempted Ping of Death attack.
The attack is blocked even if the checkbox is not selected, in which case it is
logged as "Virtual defragmentation error: Packet too big".
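Added example, not code from the guide or from Check Point: a small Python virtual defragmenter that applies the two reassembly checks the Teardrop and Ping of Death sections describe, returning the log text each section names depending on whether the protection checkbox is selected. Fragment offsets are given in bytes, and the completeness rule (a last fragment seen and no gaps from offset 0) is an assumption of the example.

```python
"""Added example (not Check Point code): a virtual defragmenter that applies the
Teardrop (overlapping fragment) and Ping of Death (oversized datagram) checks."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_IP_DATAGRAM = 65535  # largest size the IPv4 total-length field can express


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field, shared by all fragments of one datagram
    offset: int   # fragment offset in bytes (the header field multiplied by 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True for every fragment except the last


class VirtualDefragmenter:
    """Tracks the byte ranges already seen for each datagram being reassembled.

    Both checks are enforced whether or not the corresponding protection is
    selected; the flags only choose the log text, as the guide describes.
    """

    def __init__(self, teardrop_on: bool = True, ping_of_death_on: bool = True):
        self.teardrop_on = teardrop_on
        self.ping_of_death_on = ping_of_death_on
        self.ranges: Dict[int, List[Tuple[int, int]]] = {}  # ident -> [(start, end)]
        self.last_seen: Dict[int, bool] = {}                # ident -> last fragment arrived

    def _forget(self, ident: int) -> None:
        self.ranges.pop(ident, None)
        self.last_seen.pop(ident, None)

    def accept(self, frag: Fragment) -> Tuple[str, str]:
        """Return (verdict, log) with verdict 'pass' or 'drop'."""
        start, end = frag.offset, frag.offset + frag.length
        # Ping of Death: the reassembled datagram would exceed 64KB.
        if end > MAX_IP_DATAGRAM:
            self._forget(frag.ident)
            log = ("Ping of Death" if self.ping_of_death_on
                   else "Virtual defragmentation error: Packet too big")
            return "drop", log
        held = self.ranges.setdefault(frag.ident, [])
        # Teardrop: this fragment's range overlaps data already received.
        for seen_start, seen_end in held:
            if start < seen_end and seen_start < end:
                self._forget(frag.ident)
                log = ("Teardrop attack detected" if self.teardrop_on
                       else "Virtual defragmentation error: Overlapping fragments")
                return "drop", log
        held.append((start, end))
        if not frag.more:
            self.last_seen[frag.ident] = True
        if self.last_seen.get(frag.ident) and self._contiguous(held):
            self._forget(frag.ident)  # datagram reassembled cleanly; release state
        return "pass", ""

    @staticmethod
    def _contiguous(held: List[Tuple[int, int]]) -> bool:
        """True when the held ranges cover the datagram from offset 0 without gaps."""
        expected = 0
        for s, e in sorted(held):
            if s != expected:
                return False
            expected = e
        return True
```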
Table 2-3
Default Flag Settings:         On
Log Generated by Protection:   Ping of Death
NGX Performance Impact:        Does not impact performance.

Table 2-4
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                N/A
R55W            Same                                N/A

LAND
With this protection you can block LAND crafted packets. When tracking this type
of attack you will be notified of any attempt in which a packet is sent to your
machine whose source host/port is the same as its destination host/port.
Selecting this protection blocks attempted LAND attacks: LAND crafted packets are
dropped while the protection is active.
Table 2-5
Default Flag Settings:         On
Log Generated by Protection:   Land Attack
NGX Performance Impact:        Does not impact performance.

Table 2-6
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Same

Non TCP Flooding
With this protection you can protect against non-TCP Flooding attacks by limiting
the percentage of open non-TCP connections. By setting this threshold,
SmartDefense prevents more than a specific percentage of the bandwidth being
used for non-TCP connections.
In addition, you can track non-TCP connections which exceed the threshold.
Table 2-7
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        The feature is fully accelerated.

Table 2-8
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Not Enforced                        Not Enforced
R55W            Same                                N/A

IP and ICMP
The protections in this section allow you to enable a comprehensive sequence of
layer 3 checks (IP and ICMP protocols) and some layer 4 verifications (UDP, TCP
and IP options sanity checks).

Packet Sanity
This protection performs several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths, dropping IP options and
verifying the TCP flags.
With this protection you can configure whether logs will be issued for offending
packets.
A Monitor Only mode makes it possible to track unauthorized traffic without
blocking it. However, setting this protection to Monitor Only means that badly
fragmented packets pass unfiltered. Any type of attack may be hidden in
fragmented packets. This setting exposes the network to attack.
Although Packet Sanity is turned off in Monitor Only mode, the following sanity
verifications are still enforced and when applicable these packets are dropped:
- UDP packets with invalid UDP Length
- TCP packets with a corrupt header
In each of the above cases, SmartDefense logs will be generated.
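Added example, not Check Point code: the Layer 3/4 sanity checks described above (packet size, UDP and TCP header lengths, IP options, TCP flags) together with the LAND check from the earlier section, applied to raw IPv4 packets constructed in the block itself. The flag-combination rules and every violation string except "Land Attack" (the log name from the LAND table) are this example's own assumptions.

```python
"""Added example (not Check Point code): Layer 3/4 sanity checks of the kind the
Packet Sanity and LAND protections describe, applied to raw IPv4 packets."""
import ipaddress
import struct
from typing import List

PROTO_TCP, PROTO_UDP = 6, 17
SYN, RST, FIN = 0x02, 0x04, 0x01
IP_FMT, UDP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHHH", "!HHIIBBHHH"


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                options: bytes = b"") -> bytes:
    """Build an IPv4 header for constructed test packets (checksum left zero;
    options must be a multiple of 4 bytes)."""
    ihl = 5 + len(options) // 4
    return struct.pack(IP_FMT, (4 << 4) | ihl, 0, ihl * 4 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options


def udp_header(sport: int, dport: int, length: int) -> bytes:
    return struct.pack(UDP_FMT, sport, dport, length, 0)


def tcp_header(sport: int, dport: int, flags: int, data_offset: int = 5) -> bytes:
    return struct.pack(TCP_FMT, sport, dport, 0, 0, data_offset << 4, flags, 65535, 0, 0)


def packet_sanity(pkt: bytes) -> List[str]:
    """Return every sanity violation found; an empty list means the packet is clean."""
    problems: List[str] = []
    if len(pkt) < 20:
        return ["IP header truncated"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return ["Bad IP version or header length"]
    # Packet size: the total length must cover the header and fit the bytes received.
    if total_len < ihl or total_len > len(pkt):
        return ["IP total length does not match packet size"]
    if ihl > 20:
        problems.append("IP options present")   # Packet Sanity drops IP options
    l4 = pkt[ihl:total_len]
    if proto == PROTO_UDP:
        if len(l4) < 8:
            return problems + ["UDP header truncated"]
        sport, dport, ulen, _ = struct.unpack(UDP_FMT, l4[:8])
        # UDP length must equal what is left after the IP header (enforced even in Monitor Only).
        if ulen < 8 or ulen != len(l4):
            problems.append("Invalid UDP length")
    elif proto == PROTO_TCP:
        if len(l4) < 20:
            return problems + ["TCP header truncated"]
        sport, dport, _, _, off_byte, flags, _, _, _ = struct.unpack(TCP_FMT, l4[:20])
        hdr_len = (off_byte >> 4) * 4
        if hdr_len < 20 or hdr_len > len(l4):   # corrupt header (enforced even in Monitor Only)
            problems.append("Corrupt TCP header length")
        if flags & SYN and flags & FIN:
            problems.append("Illegal TCP flag combination SYN+FIN")
        if flags & SYN and flags & RST:
            problems.append("Illegal TCP flag combination SYN+RST")
        if (flags & 0x3F) == 0:
            problems.append("TCP packet with no flags set")
    else:
        return problems
    # LAND: source and destination host/port are identical.
    if src == dst and sport == dport:
        problems.append("Land Attack")
    return problems
```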
Table 2-9
Default Flag Settings:         On
Log Generated by Protection:
NGX Performance Impact:        Protection accelerated.

Table 2-10
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Always On                           Enforced
R55W            Always On                           Always On

Max Ping Size
This protection allows you to limit the maximum allowed data size for an ICMP
echo request. This should not be confused with "Ping of Death", in which the
request is malformed.
Table 2-11
Default Flag Settings:         On
Log Generated by Protection:
NGX Performance Impact:        Does not impact performance.

Table 2-12
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Same

IP Fragments
This protection allows you to configure whether fragmented IP packets can pass
SmartDefense gateways. It is possible to set a limit upon the number of fragmented
packets (incomplete packets) that are allowed.
It is also possible to define a timeout for holding unassembled packets before
discarding them.
Table 2-13
Default Flag Settings:         Allowed
Log Generated by Protection:
NGX Performance Impact:        Fragments pass to the FW. Non-fragmented traffic is not impacted.

Table 2-14
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                N/A
R55W            Same                                N/A

Network Quota
Network Quota enforces a limit upon the number of connections that are allowed
from the same source IP, to protect against Denial Of Service attacks.
When a certain source exceeds the number of allowed connections, Network Quota
can either block all new connection attempts from that source or track the event.
Table 2-15
Default Flag Settings:         Off
Log Generated by Protection:   Network Quota
NGX Performance Impact:        Disables templates.

Table 2-16
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Same
R55W            Same                                Same

Note - In the R55W Network Quota protection, Monitor Only was referred to as Only track the
event.

Block Welchia ICMP
When this protection is enabled, SmartDefense will identify and drop the Welchia
worm specific ping packets.
Table 2-17
Default Flag Settings:         Off
Log Generated by Protection:   Welchia/Nachi Worm ICMP Packet Detected
NGX Performance Impact:        None (ICMP is not accelerated).

Table 2-18
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Same
R55W            Same                                Same

Block CISCO IOS DOS
This protection allows you to configure which protocols should be protected against
this attack. You can also define how many hops away from the enforcement module
Cisco routers will be protected.
Table 2-19
Default Flag Settings:         Off
Log Generated by Protection:   Cisco IOS Enforcement Violation
NGX Performance Impact:        None (ICMP is not accelerated).

Table 2-20
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Same
R55W            Same                                Same

Block Null Payload ICMP
When this protection is enabled, SmartDefense will identify and drop the null
payload ping packets.
Using SmartView Tracker, VPN-1 NG AI R55 will identify Drop log entries against
rule number 99501.
Table 2-21
Default Flag Settings:         Off
Log Generated by Protection:   Null Payload Echo Request
NGX Performance Impact:        None (ICMP is not accelerated).

Table 2-22
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Same
R55W            Same                                Same

TCP
The protections in this section allow you to configure a comprehensive set of TCP
tests.

SYN Attack Configuration
This protection allows you to configure how a SYN attack is detected and how to
protect your network from it. With this protection you can select whether to
activate the SYN attack protection configuration in one place (that is, via
SmartDefense) and specify the protection parameters for all modules (that is,
gateways), or activate the previous SYNDefender configurations for all current
gateway versions.
The SYN attack protection can be configured for each module separately. This page
allows you to override the modules' specific configuration.
Table 2-23
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        Disables acceleration for TCP sessions (disables templates).
                               In relay mode, all session handshakes are forwarded to the FW.

Table 2-24
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Enforced
R55W            Same                                Same

Small PMTU
In this protection the configuration option "Minimal MTU size" controls the allowed
packet size. An exceedingly small value will not prevent an attack, while an
unnecessarily large value might result in legitimate requests being dropped, causing
"black hole" effects and degrading performance.
Table 2-25
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None (Accelerated).

Table 2-26
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Enforced
R55W            Same                                Same

Spoofed Reset Protection
This protection enforces a threshold on the number of RST packets allowed per
connection during a pre-defined period of time.
It is possible to exclude specific services from this protection. Services such as
HTTP that are characterized by relatively short sessions are not affected by this
attack. It is therefore advisable for performance reasons to exclude those services
from the protection.
Table 2-27
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        Forwards RST packets to the Firewall.

Table 2-28
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Not Enforced                        Not Enforced
R55W            Not Enforced                        Not Enforced

Sequence Verifier
Sequence Verifier is a mechanism matching the current TCP packet's sequence
number against a TCP connection state. Packets that match the connection in
terms of the TCP session but have incorrect sequence numbers are either dropped
when the packet's sequence may compromise security, or stripped of data.
With this protection you can select the appropriate tracking option and define the
type of out-of-sequence packets to be tracked.
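Added example, not Check Point code: a per-connection sequence verifier that classifies each segment as in-window, a harmless retransmission (data stripped), or a segment to drop, and records the out-of-sequence events for tracking. The window size and the exact strip/drop boundary are assumptions of this example.

```python
"""Added example (not Check Point code): a TCP sequence verifier that checks each
segment against the connection state the gateway keeps and either passes it,
strips its data, or drops it."""
from typing import Dict, List, Tuple

MOD32 = 1 << 32
SYN, FIN = 0x02, 0x01


class SequenceVerifier:
    """Tracks the next expected sequence number in each direction of one connection.

    Verdicts: 'pass' (segment lies in the receive window), 'strip' (a full
    retransmission of data already accepted: header forwarded, payload removed),
    'drop' (data that partially overlaps accepted data with new bytes, or lies
    beyond the window, either of which could desynchronize the gateway's view of
    the stream). The window size and the strip/drop boundary are assumptions.
    """

    def __init__(self, client_isn: int, server_isn: int, window: int = 65535):
        # Next expected sequence number per direction; the SYN itself consumes one.
        self.next: Dict[str, int] = {"c2s": client_isn % MOD32, "s2c": server_isn % MOD32}
        self.window = window
        self.tracked: List[Tuple[str, str, int, int]] = []  # (direction, verdict, seq, len)

    def check(self, direction: str, seq: int, length: int, flags: int = 0) -> str:
        expected = self.next[direction]
        consumed = length + (1 if flags & SYN else 0) + (1 if flags & FIN else 0)
        end = (seq + consumed) % MOD32
        ahead = (seq - expected) % MOD32          # how far seq is in front of expected
        if ahead < self.window:                   # in window, possibly leaving a gap
            if (end - self.next[direction]) % MOD32 < self.window:
                self.next[direction] = end        # advance the right edge we have seen
            return "pass"
        behind = (expected - seq) % MOD32         # segment starts before expected
        if behind <= 0x7FFFFFFF and (expected - end) % MOD32 <= behind:
            # ends at or before expected: every byte in it was already accepted
            verdict = "strip" if consumed > 0 else "pass"
        else:
            verdict = "drop"
        if verdict != "pass":
            self.tracked.append((direction, verdict, seq, length))
        return verdict
```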
Table 2-29
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-30
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Not Enforced

Fingerprint Scrambling
SmartDefense can scramble some of the fields commonly used for fingerprinting,
masking the original identity of hosts behind the firewall. Please note, however,
that totally preventing fingerprinting is next to impossible. Also note that while this
feature makes fingerprinting the hosts protected by the firewall harder, it does little
to hide the fact that there is a firewall here (i.e. - fingerprinting the firewall's
existence is still possible).
With this protection you can choose whether to spoof fingerprints for unencrypted
(plain) connections, for encrypted connection (for example, a VPN connection, or
an HTTPS connection), or both.

ISN Spoofing
The ISN scrambler counters ISN spoofing by creating a difference between the
sequence numbers used by the server and the sequence numbers perceived by the
client. This difference is generated with cryptographic functions and has high
entropy, which effectively makes it impossible to guess the server's ISN. If the
real server's ISN has higher entropy than the entropy selected for the ISN
scrambler, the higher entropy passes through to the client.
Table 2-31
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        Disables acceleration on TCP traffic.

Table 2-32
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Not Enforced

TTL
With this protection you can enable or disable the use of TTL scrambling, and define
how to identify a packet as a TTL packet.
You can change the TTL field of all packets (or of all outgoing packets) to a given
number. This achieves two goals: a listener cannot determine how many routers (hops)
away the host is, and it cannot learn the original TTL value.
Table 2-33
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        Disables acceleration on TCP traffic.

Table 2-34
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Not Enforced

IP ID
With this protection you can override the original IP ID with an ID generated by the
firewall. This masks the algorithm used by the original operating system, and with it
the operating system's identity. The three algorithms used by the various operating
systems are: Random, Incremental, and Incremental LE (little endian).
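Added example, not Check Point code: the three transforms described in the ISN Spoofing, TTL and IP ID sections above, as one Python module applied to the header fields of a server-to-client packet. The HMAC-based per-connection offset, the fixed TTL of 64 and the byte-swapped "Incremental LE" counter are assumptions of the example; the guide only states what each transform hides.

```python
"""Added example (not Check Point code): ISN offsetting, TTL rewriting and IP ID
regeneration, the three fingerprint-scrambling transforms the guide describes."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict

MOD32 = 1 << 32


@dataclass(frozen=True)
class FlowKey:
    client: str
    client_port: int
    server: str
    server_port: int


class IsnScrambler:
    """Adds a keyed, per-connection offset to the server's sequence space.

    The client only ever sees server_isn + offset. Because the offset is added
    modulo 2^32, any entropy the real server already put into its ISN is kept,
    which is the pass-through behavior the ISN Spoofing section describes.
    """

    def __init__(self, key: bytes, entropy_bits: int = 32):
        self.key = key
        self.mask = (1 << entropy_bits) - 1   # how many random bits to inject

    def offset(self, flow: FlowKey) -> int:
        msg = f"{flow.client}:{flow.client_port}>{flow.server}:{flow.server_port}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()   # assumed PRF
        return struct.unpack("!I", digest[:4])[0] & self.mask

    def to_client(self, flow: FlowKey, server_seq: int) -> int:
        """Rewrite the SEQ field of a server-to-client segment."""
        return (server_seq + self.offset(flow)) % MOD32

    def to_server(self, flow: FlowKey, client_ack: int) -> int:
        """Rewrite the ACK field of a client-to-server segment back to the server's space."""
        return (client_ack - self.offset(flow)) % MOD32


class IpIdGenerator:
    """Regenerates the IP ID with one of the three OS-style algorithms the guide lists."""

    def __init__(self, algorithm: str):
        if algorithm not in ("random", "incremental", "incremental_le"):
            raise ValueError(f"unknown IP ID algorithm: {algorithm}")
        self.algorithm = algorithm
        self.counter = 0

    def next_id(self) -> int:
        if self.algorithm == "random":
            return secrets.randbelow(1 << 16)
        self.counter = (self.counter + 1) & 0xFFFF
        if self.algorithm == "incremental":
            return self.counter
        # incremental_le: the counter is stored little-endian, so the on-wire
        # (big-endian) value is the byte-swapped counter
        return ((self.counter & 0xFF) << 8) | (self.counter >> 8)


def scramble_outgoing(flow: FlowKey, hdr: Dict[str, int], isn: IsnScrambler,
                      ipid: IpIdGenerator, fixed_ttl: int = 64) -> Dict[str, int]:
    """Apply all three transforms to a server-to-client packet's header fields.

    hdr carries the fields the gateway rewrites: 'seq', 'ttl' and 'ip_id'.
    The fixed TTL value is an assumption; the guide says only 'a given number'.
    """
    out = dict(hdr)
    out["seq"] = isn.to_client(flow, hdr["seq"])
    out["ttl"] = fixed_ttl          # hop count and original TTL no longer visible
    out["ip_id"] = ipid.next_id()   # original OS IP ID pattern no longer visible
    return out
```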
Table 2-35
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        Disables acceleration on TCP traffic.

Table 2-36
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Not Enforced

Successive Events
The protections in this section allow you to configure different kinds of Check Point
Malicious Activity Detections, including some general attributes.
All of these detections depend on logs generated by SmartDefense. By default,
Check Point Malicious Activity Detections do not block the detected attacks but
rather generate an Alert. It is possible to configure that other actions will be taken,
for example User Defined Alerts.

Address Spoofing
This protection allows you to define parameters that are specific to the defense
against Address Spoofing attempts. An attack is detected (defined) as Address
Spoofing when more than a specific number of events are detected over a period of
a specific number of seconds.
Table 2-37
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-38
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Enforced
R55W            Same                                Enforced

Denial of Service
To protect the network from DoS attacks, SmartDefense employs a threshold: a DoS
event is detected when more than a specific number of events occurs over a
specific amount of time.
When the threshold is reached, the DoS events are logged and an alert is issued.
With this protection you can define the frequency of events that will be treated as
a DoS attack, and the Action to be taken when such an attack is detected.
Table 2-39
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-40
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Enforced
R55W            Same                                Enforced

Local Interface Spoofing
With this protection you can define parameters that are specific to the defense
against Local Interface Spoofing attempts. An attack is detected (defined) as Local
Interface Spoofing when more than a specific number of events are detected over a
period of a specific number of seconds.
Table 2-41
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-42
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Enforced
R55W            Same                                Enforced

Successive Alerts
With this protection you can define parameters that are specific to the defense
against Successive Alerts attempts. An attack is detected (defined) as Successive
Alerts when more than a specific number of events are detected over a period of a
specific number of seconds.
Table 2-43
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-44
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Enforced
R55W            Same                                Enforced

Successive Multiple Connections
This protection allows you to define parameters that are specific to the defense
against Successive Multiple Connections attempts. An attack is detected (defined)
as Successive Multiple Connections when more than a specific number of events
are detected over a period of a specific number of seconds.
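Added example, not Check Point code: the count-over-period rule that the Successive Events protections above (Address Spoofing, Denial of Service, Local Interface Spoofing, Successive Alerts and Successive Multiple Connections) share, run over constructed log lines with the default Alert action and an optional user-defined action. The log line format, the thresholds and the action strings are constructed for the example.

```python
"""Added example (not Check Point code): the "more than N events in T seconds"
rule behind the Successive Events protections, fed with constructed log lines."""
import re
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed log format for this example: "<epoch seconds> <source ip> <event name>"
LOG_RE = re.compile(r"^(\d+) (\S+) (.+)$")

Action = Callable[[str, str], str]


def alert(event: str, source: str) -> str:
    """Default action: generate an Alert (nothing is blocked), as the guide describes."""
    return f"ALERT {event} from {source}"


class SuccessiveEventsDetector:
    """Fires an action when more than max_events of one kind arrive from one source
    within period_seconds; a user-defined action may be supplied per event kind."""

    def __init__(self, rules: Dict[str, Tuple[int, int]],
                 actions: Optional[Dict[str, Action]] = None):
        self.rules = rules                      # event name -> (max_events, period_seconds)
        self.actions = actions or {}
        self.windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.fired: List[str] = []

    def feed(self, line: str) -> Optional[str]:
        m = LOG_RE.match(line)
        if not m:
            return None
        ts, source, event = int(m.group(1)), m.group(2), m.group(3)
        if event not in self.rules:
            return None
        max_events, period = self.rules[event]
        window = self.windows[(event, source)]
        window.append(ts)
        while window and ts - window[0] >= period:   # slide: forget events outside the period
            window.popleft()
        if len(window) > max_events:                  # "more than a specific number"
            window.clear()                            # one action per burst, then recount
            result = self.actions.get(event, alert)(event, source)
            self.fired.append(result)
            return result
        return None


def run(lines: List[str], detector: SuccessiveEventsDetector) -> List[str]:
    """Feed every line and return the actions that fired, in order."""
    for line in lines:
        detector.feed(line)
    return detector.fired


SAMPLE_LOG = [  # constructed sample: four spoofing drops in 3 seconds from one source
    "1000 203.0.113.7 Address Spoofing",
    "1001 203.0.113.7 Address Spoofing",
    "1002 203.0.113.7 Address Spoofing",
    "1003 203.0.113.7 Address Spoofing",
    "1050 203.0.113.7 Address Spoofing",   # well outside the period: a new count starts
    "1000 198.51.100.4 Successive Multiple Connections",
    "1001 198.51.100.4 Successive Multiple Connections",
]
```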
Table 2-45
Default Flag Settings:         Off
Log Generated by Protection:   Successive Multiple Connections
NGX Performance Impact:        None.

Table 2-46
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Enforced
R55W            Same                                Enforced

DShield Storm Center
Storm Centers gather logging information about attacks. This information is
voluntarily provided by organizations from across the world for the benefit of all.
Storm Centers collate and present reports on real-time threats to network security
in a way that is immediately useful.
The SmartDefense Storm Center Module enables a two way information flow
between the network Storm Centers, and the organizations requiring network
security information.
With the protections in this section you can retrieve a list of malicious IPs from the
DShield Storm Center and block those IPs. You can also submit logs to DShield.

Retrieve and Block Malicious IPs
With this protection you can decide whether to block all the malicious IP addresses
received from DShield.org (one of the leading Storm Centers) or whether to block
them for specific gateways.
Table 2-47
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-48
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Not Enforced

Report to DShield
With this protection you can send logs to the Storm Center in order to help other
organizations combat the threats that were directed at your own network.
Table 2-49
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-50
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Not Enforced

Port Scan
The protections in this section allow you to discover incidences of intelligence
gathering so that the information in question cannot be used to attack vulnerable
computers.
Port Scanning is a method of collecting information about open TCP and UDP ports
in a network. Gathering information is not in itself an attack, but the information
can be used later to target and attack vulnerable computers.
Port scanning can be performed either by a hacker using a scanning utility such as
nmap, or by a worm trying to spread itself to other computers. Port Scanning is
most commonly done by trying to access a port and waiting for a response. The
response indicates whether or not the port is open.

Host Port Scan
SmartDefense has three levels of port scan detection sensitivity. Each level
represents the amount of inactive ports scanned during a certain amount of time.
When port scan is detected a log or alert is issued.
Table 2-51
Default Flag Settings:         Off
Log Generated by Protection:   Port Scan
NGX Performance Impact:        None.

Table 2-52
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Not Enforced                        Not Enforced
R55W            Same                                N/A

Sweep Scan
SmartDefense has three levels of port scan detection sensitivity. Each level
represents the amount of inactive ports scanned during a certain amount of time.
When port scan is detected a log or alert is issued.
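Added example, not Check Point code: host port scan and sweep scan detection as described in the two sections above, counting the distinct inactive ports probed on one host (host port scan) or the distinct hosts probed on one port (sweep scan) by a single source within a time window, with three sensitivity levels. The thresholds behind the levels and the log wording after "Port Scan" are assumptions; the guide does not publish them.

```python
"""Added example (not Check Point code): host port scan and sweep scan detection
based on how many inactive ports (or hosts) one source probes in a time window."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# Sensitivity level -> (distinct inactive targets, seconds). Assumed values for this
# example; the guide does not state the numbers behind its three levels.
SENSITIVITY = {"low": (50, 60), "medium": (25, 60), "high": (10, 20)}


class PortScanDetector:
    def __init__(self, level: str = "medium",
                 open_ports: Optional[Dict[str, Set[int]]] = None):
        self.threshold, self.period = SENSITIVITY[level]
        self.open_ports = open_ports or {}   # host -> ports known to be active
        # per source: recent probes of inactive ports as (timestamp, host, port)
        self.probes: Dict[str, Deque[Tuple[int, str, int]]] = defaultdict(deque)
        self.logs: List[str] = []

    def is_inactive(self, host: str, port: int) -> bool:
        return port not in self.open_ports.get(host, set())

    def observe(self, ts: int, source: str, host: str, port: int) -> Optional[str]:
        """Feed one connection attempt; return the log text if a scan is detected."""
        if not self.is_inactive(host, port):
            return None                      # connections to live services are not probes
        window = self.probes[source]
        window.append((ts, host, port))
        while window and ts - window[0][0] >= self.period:   # slide the time window
            window.popleft()
        ports_per_host: Dict[str, Set[int]] = defaultdict(set)
        hosts_per_port: Dict[int, Set[str]] = defaultdict(set)
        for _, h, p in window:
            ports_per_host[h].add(p)
            hosts_per_port[p].add(h)
        # Host Port Scan: many inactive ports on a single host
        for h, ports in ports_per_host.items():
            if len(ports) >= self.threshold:
                return self._log(f"Port Scan: host port scan of {h} from {source}", window)
        # Sweep Scan: the same inactive port across many hosts
        for p, hosts in hosts_per_port.items():
            if len(hosts) >= self.threshold:
                return self._log(f"Port Scan: sweep scan of port {p} from {source}", window)
        return None

    def _log(self, text: str, window: Deque[Tuple[int, str, int]]) -> str:
        window.clear()                       # one log per detected scan, then start over
        self.logs.append(text)
        return text
```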
Table 2-53
Default Flag Settings:         Off
Log Generated by Protection:   Port Scan
NGX Performance Impact:        None.

Table 2-54
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Not Enforced                        Not Enforced
R55W            Same                                N/A

Dynamic Ports
If this protection is enabled, the connection is dropped when a client tries to open
a dynamic connection to a protected port.

Block Data Connections to Low Ports
Block data connections to low ports specifies whether or not dynamically opened
ports below 1024 are permitted. The low port range is used by many standard
services, so you will not normally permit low ports.
Table 2-55
Default Flag Settings:         On
Log Generated by Protection:
NGX Performance Impact:        None.

Table 2-56
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Same

Chapter 3
Application Intelligence

In This Chapter
Introduction            page 54
Mail                    page 55
FTP                     page 58
Microsoft Networks      page 60
Peer to Peer            page 66
Instant Messengers      page 69
DNS                     page 75
VoIP                    page 80
SNMP                    page 88
VPN Protocols           page 90
Content Protection      page 96
MS-RPC                  page 98
MS-SQL                  page 100
Routing Protocols       page 102
SUN-RPC                 page 106
DHCP                    page 107
SOCKS                   page 108

Introduction
A growing number of attacks attempt to exploit vulnerabilities in network
applications rather than target the firewall directly. Check Point Application
Intelligence is a set of advanced capabilities, integrated into Firewall and
SmartDefense, which detects and prevents application-level attacks. Based on
INSPECT intelligent inspection technology, Check Point Application Intelligence
gives SmartDefense the ability to protect against application attacks and hazards.
Figure 3-1   OSI (Open Systems Interconnection) Reference Model

Note - The OSI Reference Model is a framework, or guideline, for describing how data is
transmitted between devices on a network.
The Application Layer is not the actual end-user software application, but a set of services that allows
the software application to communicate via the network. Distinctions between layers 5, 6, and 7 are
not always clear, and some competing models combine these layers, as does this user guide.

Application Intelligence protections allow you to configure various protections at
the application layer, using SmartDefense's Application Intelligence capabilities.

Mail
The protections in this section allow you to select what types of enforcement will
be applied to Mail traffic.

POP3 / IMAP Security
With this protection you enable limitations on email messages delivered to the
network using the POP3/IMAP protocols. These options make it possible to recognize
and stop malicious behavior. For example, SmartDefense can limit the length of a
username and password (overly long values are used in a Buffer Overrun attack),
which prevents the use of a long string of characters that could crash the machine.
SmartDefense can also prevent a situation in which the use of network resources is
deliberately disrupted. It can limit the number of NOOP commands (that is,
no-operation commands), which may be used in a Denial of Service attack.
Table 3-57
Default Flag Settings:         Off
Log Generated by Protection:
NGX Performance Impact:        Disables POP3/IMAP acceleration and enables Security servers.

Table 3-58
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Not Enforced                        Not Enforced
R55W            Same                                Same

Chapter 3   Application Intelligence

Mail Security Server

With this protection you can select what types of enforcement will be applied to
SMTP connections passing through the security server.
The SMTP security server allows strict enforcement of the SMTP protocol. Usually
the security server is activated by specifying resources or authentication rules in
the standard security policy.
Table 3-59
Default Flag Settings:         On - only for connections related to resources used in the rule base.
Log Generated by Protection:
NGX Performance Impact:        Disables SMTP acceleration and enables Security servers.

Table 3-60
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same                                Not Enforced
R55W            Same                                Not Enforced

Block ASN.1 Bitstring Encoding Attack over SMTP
SmartDefense provides protection against this vulnerability by analyzing the
communication, looking for ASN.1 encoding within GSSAPI structures in SMTP
authentication.
Note that SMTP Security Servers already block the GSSAPI authentication method.
Table 3-61
Default Flag Settings:         Off
Log Generated by Protection:   MS-ASN.1 Enforcement Violation
NGX Performance Impact:        Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-62
Version         Behavior when protection is on      Behavior in Monitor-Only mode
                (NGX R60 Management)                (NGX R60 Management)
NG FP3 to R55   Same (R55 Only)                     Same (R55 Only)
R55W            Same                                Same

FTP
The protections in this section allow you to configure various protections related to
the FTP protocol.

FTP Bounce
With this protection you can neutralize an FTP bounce attack aimed at the firewall.
SmartDefense neutralizes the attack by performing tests in the kernel.
SmartDefense performs a mandatory protection against the FTP bounce attack,
verifying the destination of the FTP PORT command. In addition, SmartDefense
blocks connections to Dynamic Ports, as defined in the Dynamic Ports tab, under
Network Security.
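As an added example (not Check Point's code), the PORT-command check described above in Python: the data-connection address requested by the client must equal the client address of the control connection, and ports in a constructed stand-in for the Dynamic Ports list are refused.

```python
import re

# Constructed stand-in for the Dynamic Ports tab under Network Security:
# data connections to these ports are refused even when the address matches.
DYNAMIC_PORTS = {135, 139, 445, 1433}

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four IPv4 octets and a 16-bit port
# split into its high and low bytes.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Decode a PORT command into (ip, port); return None if malformed."""
    match = PORT_RE.match(line.strip())
    if match is None:
        return None
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


def check_port_command(line, client_ip, dynamic_ports=DYNAMIC_PORTS):
    """Decide whether the data connection requested by a PORT command may be
    opened.  client_ip is the source address of the FTP control connection;
    a bounce attempt names some other host (or a reserved port) instead."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != client_ip:
        return False, "PORT address %s differs from control connection %s" % (ip, client_ip)
    if port in dynamic_ports:
        return False, "PORT targets reserved dynamic port %d" % port
    return True, "ok"


def filter_control_channel(client_ip, lines, dynamic_ports=DYNAMIC_PORTS):
    """Walk the client side of an FTP control session and return
    (command, allowed, reason) for every PORT command; other commands
    are not inspected."""
    verdicts = []
    for line in lines:
        if line.upper().startswith("PORT"):
            verdicts.append((line.strip(),) + check_port_command(line, client_ip, dynamic_ports))
    return verdicts


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 10.0.0.5.
    session = [
        "USER anonymous\r\n",
        "PORT 10,0,0,5,4,1\r\n",        # back to the client itself: allowed
        "PORT 192,168,1,20,0,25\r\n",   # a third host: refused
        "PORT 10,0,0,5,0,139\r\n",      # client address but a reserved dynamic port
    ]
    for verdict in filter_control_channel("10.0.0.5", session):
        print(verdict)
```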
Table 3-63
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         None.

Table 3-64  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same               Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

FTP Security Server

With this protection you can access Authentication services and Content Security
based on FTP commands (PUT/GET), file name restrictions, and CVP checking (for
example, for viruses). In addition, the FTP Security Server logs FTP get and put
commands, as well as the associated file names, if the rule's Track is Log.
Usually the Security Servers are enabled by specifying rules in the security policy.
Table 3-65
  Default Flag Settings:          On - only for connections related to resources used in the rule base.
  Log Generated by Protection:
  NGX Performance Impact:         Disables FTP acceleration and enables Security servers.

Table 3-66  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same               Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Not Enforced


Microsoft Networks
The protections in this section allow you to select what types of enforcement will
be applied to Microsoft networking protocols.

File and Print Sharing


This protection allows you to configure worm signatures that will be detected and
blocked by the CIFS Worm Defender.
Table 3-67
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables acceleration of Microsoft Network Protocols.

Table 3-68  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same               Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

Block Null CIFS Sessions

When this protection is enabled, SmartDefense will block null session attempts.
Table 3-69
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables session rate acceleration for the CIFS protocol.

Table 3-70  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       *Enforced          Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same


Block Popup Messages

When this protection is enabled, any attempt to send a Windows popup message
will be blocked.
Table 3-71
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables acceleration of Microsoft Network Protocols.

Table 3-72  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       *Enforced          Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

Block ASN.1 Bitstring Encoding Attack

SmartDefense provides protection against this vulnerability by analyzing the
communication, looking for ASN.1 BER encoding within GSS-API structures, in
different protocols.
Table 3-73
  Default Flag Settings:          Off
  Log Generated by Protection:    MS-ASN.1 Enforcement Violation
  NGX Performance Impact:         Disables acceleration of the relevant protocols for which the protection is turned on.

Table 3-74  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same (R55 Only)    Same
  protection in Monitor-Only mode in NGX R60 Management     Same (R55 Only)    Same


Block WINS Replication Attack

With this protection SmartDefense is able to recognize an illegal WINS packet. This
ability enables SmartDefense to catch potentially harmful packets before they enter
the network.
Table 3-75
  Default Flag Settings:          Off
  Log Generated by Protection:    MS WINS Replication Protocol Enforcement Violation
  NGX Performance Impact:         Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-76  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same (R55 Only)    Same
  protection in Monitor-Only mode in NGX R60 Management     Same (R55 Only)    Same

Block WINS Name Validation Attack

With this protection SmartDefense is able to recognize an illegal NBNS packet.
This enables SmartDefense to catch potentially harmful packets before they enter
the network.
Table 3-77
  Default Flag Settings:          Off
  Log Generated by Protection:    MS WINS Name Validation Enforcement Violation
  NGX Performance Impact:         Disables acceleration of Microsoft WINS traffic on the client to server connection.

Table 3-78  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same (R55 Only)    Same
  protection in Monitor-Only mode in NGX R60 Management     Same (R55 Only)    Same


Peer to Peer
The protections in this section enable you to block Peer To Peer traffic.
In this section the protections allow you to prevent the use of peer to peer
applications used for message transfer and file sharing (for example, Kazaa and
Gnutella). For Peer to Peer applications that masquerade as HTTP you can define
HTTP patterns that you wish to block.
By identifying fingerprints and HTTP headers, SmartDefense detects peer to peer
sessions regardless of the TCP port being used.

Excluded Services/Network Objects


Since R55W it has been possible to create a white list of hosts and ports that will
not be scanned for peer to peer protocols. However, because this capability does not
exist on pre-R55 modules, installing the protections on older modules will cause the
protections to be active even on the excluded objects.
Table 3-79
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         None.

Table 3-80  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

All Protocols through Port 80

With these protections you can block one of the supported peer to peer
applications:

KaZaA

Gnutella

eMule

BitTorrent

SoulSeek

IRC

Table 3-81
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables session rate acceleration on Port 80.

Table 3-82  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same


All Protocols
With these protections you can block one of the supported peer to peer
applications:

KaZaA

Gnutella

eMule

BitTorrent

SoulSeek

IRC

For older versions (FP3 to R55) if you turn on Header Rejection, HTTP will be
protected.
Table 3-83
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables session rate acceleration.

Table 3-84  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

Instant Messengers
The protections in this section allow you to block Instant Messaging applications
that use Instant Messaging protocols. Instant Messaging applications have many
capabilities, including voice calls, message transfer, and file sharing.

Excluded Services/Network Objects


Since R55W it has been possible to create a white list of hosts and ports that will
not be scanned for peer to peer protocols. However, because this capability does not
exist on pre-R55 modules, installing the protections on older modules will cause the
protections to be active even on the excluded objects.
Table 3-85
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:

Table 3-86  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same


MSN Messenger over SIP

With this protection you can block everything sent from SIP-based MSN Messenger,
or specific MSN Messenger applications: file-transfer, application-sharing,
white-boarding, and remote-assistant.
SmartDefense verifies compliance with Session Initiation Protocol (SIP) RFC 3261.
MSN messenger can be either blocked completely, or its applications can be
selectively blocked (file-transfer, application sharing, white-boarding, and remote
assistant).
If "block sip based instant messaging" in SmartDefense > Application Intelligence
> VoIP > SIP is selected, all MSN over SIP applications will be blocked
automatically.
Table 3-87
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         SIP traffic is not accelerated.

Table 3-88  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       N/A

MSN Messenger over MSNMS

With this protection you can block specific MSN Messenger applications: video,
audio, file-transfer, application-sharing, white-boarding, and remote-assistant.
MSN messenger can be either blocked completely, or its applications can be
selectively blocked (audio, video, file-transfer, application sharing, white-boarding,
and remote assistant).
To completely block MSN Messenger over MSNMS, no configuration is needed,
because a security rule is required to allow it.
To selectively block SIP-based instant messenger applications, you must define a
security rule with the MSNMS service (TCP 1863) that allows them, and then
configure SmartDefense.
Table 3-89
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         VPN-1 - Disables session rate acceleration
                                  Interspect - None

Table 3-90  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Not Enforced
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Not Enforced


Skype
SmartDefense can block Skype traffic by identifying Skype fingerprints and HTTP
headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP
port being used to initiate the peer to peer session. Skype uses UDP or TCP port
1024 and higher or HTTP for peer to peer telephony.
Since Skype uses a session similar to SSL to bypass firewalls, it is now required to
either completely block SSL ports or activate the "Block SSL null-pointer
assignment" protection, under the VPN Protocols branch.
SmartDefense inspects Peer to Peer connections over HTTP requests and
responses.
Table 3-91
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         VPN-1 - Disables session rate acceleration
                                  Interspect - None

Table 3-92  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

Yahoo! Messenger
SmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and
HTTP headers. SmartDefense is able to detect peer to peer traffic regardless of the
TCP port that is being used to initiate the peer to peer session.
Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100
for video, TCP port 5000 for voice and TCP port 5010 for file transfer.
SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-93
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         VPN-1 - Disables session rate acceleration
                                  Interspect - None

Table 3-94  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same


ICQ
SmartDefense can block ICQ traffic by identifying ICQ's fingerprints and HTTP
headers. SmartDefense is able to detect peer to peer traffic regardless of the TCP
port that is being used to initiate the peer to peer session.
ICQ uses TCP port 5190 to connect. File transfer and sharing are done through TCP
ports 3574/7320.
SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-95
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         VPN-1 - Disables session rate acceleration
                                  Interspect - None

Table 3-96  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

DNS
With the protection in this section you can prevent various DNS related
vulnerabilities and prevent protocol violations by performing DNS protocol
enforcement and validation (TCP and UDP).

Protocol Enforcement - TCP


SmartDefense is able to recognize a DNS packet that has been altered. This ability
enables SmartDefense to catch potentially harmful packets before they enter the
network.
With this protection you can enforce the DNS protocol over TCP. Only pure DNS
packets sent over TCP will be able to enter the network. In this case, all DNS port
connections over TCP will be monitored to verify that every DNS packet attempting
to enter the network has not been altered.
With the enforcement of the TCP protocol the potential for maliciously altered DNS
packets to enter the system is decreased.
Table 3-97
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         Disables DNS/TCP acceleration.

Table 3-98  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       N/A


Protocol Enforcement - UDP

SmartDefense is able to recognize a DNS packet that has been altered. This ability
enables SmartDefense to catch potentially harmful packets before they enter the
network.
With this protection you can enforce the DNS protocol over UDP. Only pure DNS
packets sent over UDP will be able to enter the network. In this case, all DNS port
connections over UDP will be monitored to verify that every DNS packet attempting
to enter the network has not been altered.
With the enforcement of the UDP protocol the potential for maliciously altered DNS
packets to enter the system is decreased.
Table 3-99
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         Disables DNS/UDP acceleration.

Table 3-100  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same               Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       N/A

Domain Block List

With this protection you can create a Block List for the purpose of filtering out
undesirable traffic.
SmartDefense contains a Block list for the purpose of filtering out undesirable
traffic. SmartDefense will not allow a user to access a domain address specified in
the Block list. The domain Block list is updated manually.
Table 3-101
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables DNS acceleration.

Table 3-102  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same


Cache Poisoning Protections

The Cache Poisoning protections enable you to configure Cache Poisoning
protection.
To reduce DNS traffic, name servers maintain a cache. The DNS cache is updated
according to the TTL of each zone. Cache Poisoning occurs when a DNS cache
receives, from a remote name server, mapping information that was deliberately
altered. The DNS server caches the incorrect information and sends it out as the
requested information. As a result, email messages and URL addresses can be
redirected, and the information sent by a user can be captured and corrupted.
Table 3-103
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables DNS acceleration.

Table 3-104  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       N/A

Resource Records Enforcements

This protection allows you to set the maximum number of allowed Answer, Authority
and Additional Resource Records within a reply to a DNS query sent over TCP.
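An added Python example, not from the guide, covering both the DNS/TCP protocol enforcement described under Protocol Enforcement - TCP (the 2-byte length prefix must match the message that follows) and the Resource Records limits described here; the limits MAX_ANCOUNT/MAX_NSCOUNT/MAX_ARCOUNT and the header-only reply frames are constructed for the demonstration.

```python
import struct

DNS_HEADER_LEN = 12

# Constructed limits standing in for the Answer / Authority / Additional
# maxima configured in the Resource Records Enforcement protection.
MAX_ANCOUNT = 10
MAX_NSCOUNT = 5
MAX_ARCOUNT = 5


def parse_tcp_dns_frame(data):
    """Check that a DNS-over-TCP frame is a pure DNS message and return the
    decoded header.  Raises ValueError on any protocol violation."""
    if len(data) < 2:
        raise ValueError("frame shorter than the 2-byte length prefix")
    (declared,) = struct.unpack("!H", data[:2])
    message = data[2:]
    if len(message) != declared:
        raise ValueError("length prefix %d does not match payload length %d"
                         % (declared, len(message)))
    if declared < DNS_HEADER_LEN:
        raise ValueError("message shorter than the DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:DNS_HEADER_LEN])
    return {
        "id": ident,
        "qr": flags >> 15,            # 0 = query, 1 = reply
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "body": message[DNS_HEADER_LEN:],
    }


def check_resource_record_counts(header, max_an=MAX_ANCOUNT,
                                 max_ns=MAX_NSCOUNT, max_ar=MAX_ARCOUNT):
    """Apply the per-section record limits to a reply header."""
    if header["qr"] == 0:
        return True, "query: record limits apply to replies only"
    over = []
    for section, count, limit in (("Answer", header["ancount"], max_an),
                                  ("Authority", header["nscount"], max_ns),
                                  ("Additional", header["arcount"], max_ar)):
        if count > limit:
            over.append("%s %d > %d" % (section, count, limit))
    if over:
        return False, "DNS Enforcement Violation: " + ", ".join(over)
    return True, "ok"


def inspect_frame(data, **limits):
    """Combined verdict: protocol enforcement first, then record limits."""
    try:
        header = parse_tcp_dns_frame(data)
    except ValueError as exc:
        return False, "DNS/TCP protocol violation: %s" % exc
    return check_resource_record_counts(header, **limits)


def build_reply(ident, ancount, nscount, arcount):
    """Construct a TCP-framed DNS reply consisting of the header only
    (a real reply carries the question and the records after it)."""
    flags = 0x8180  # QR=1, opcode 0, RD=1, RA=1, rcode NOERROR
    message = struct.pack("!HHHHHH", ident, flags, 1, ancount, nscount, arcount)
    return struct.pack("!H", len(message)) + message


if __name__ == "__main__":
    print(inspect_frame(build_reply(0x1234, 3, 1, 1)))       # within limits
    print(inspect_frame(build_reply(0x1234, 50, 0, 0)))      # Answer limit exceeded
    print(inspect_frame(build_reply(0x1234, 1, 0, 0)[:-3]))  # truncated frame
```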
Table 3-105
  Default Flag Settings:          Off
  Log Generated by Protection:    DNS Enforcement Violation
  NGX Performance Impact:         Disables DNS acceleration.

Table 3-106  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same (R55 Only)    Same
  protection in Monitor-Only mode in NGX R60 Management     Same (R55 Only)    Same


VoIP
With the protections in this section you can enable protection against DoS attacks
directed against VoIP networks. In the VoIP pages you can configure protections for
VoIP protocols.
SmartDefense validates the addresses of the caller and receiver, and ensures that
the caller and receiver are allowed to make and receive VoIP calls. In addition,
SmartDefense examines the contents of the packets passing through every allowed
port, to make sure they contain proper information. Full stateful inspection on
H.323, SIP, MGCP and SCCP commands ensures that all VoIP packets are
structurally valid, and that they arrive in a valid sequence according to RFC
standards.

DOS Protection
A rogue IP phone could make Denial of Service attacks by flooding the network
with calls, thereby interfering with proper use of the phone network.
This protection allows you to protect against Denial of Service attacks by limiting
the number of call attempts per minute that the VPN-1 Power Gateway will allow
from any given IP address. Calls from handover devices are not counted, because
they make a large number of calls.
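An added Python example (not the gateway's implementation) of the per-address call-attempt limit described here, with handover devices exempted from counting; the limit, the handover address list and the timestamps are constructed.

```python
from collections import defaultdict, deque


class CallRateLimiter:
    """Limit call attempts per source IP over a sliding time window.

    A sliding window is used rather than a fixed per-minute counter: a fixed
    counter would let one source place twice the limit across a minute
    boundary, which a rate-based DoS protection should not allow.
    """

    def __init__(self, max_calls_per_minute, handover_devices=(), window_seconds=60):
        self.limit = max_calls_per_minute
        self.window = window_seconds
        # Constructed: addresses of handover devices, which legitimately
        # place many calls and are therefore not counted.
        self.handover = set(handover_devices)
        self._attempts = defaultdict(deque)   # src_ip -> timestamps in window

    def call_attempt(self, src_ip, now):
        """Record a call attempt from src_ip at time now (seconds).
        Return (allowed, reason)."""
        if src_ip in self.handover:
            return True, "handover device, not counted"
        recent = self._attempts[src_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()              # expire attempts outside the window
        if len(recent) >= self.limit:
            # Dropped attempts are not recorded, so a blocked source recovers
            # as soon as its earlier attempts age out of the window.
            return False, "%s exceeded %d call attempts in %d s" % (
                src_ip, self.limit, self.window)
        recent.append(now)
        return True, "ok"


def replay(limiter, attempts):
    """Feed (timestamp, src_ip) pairs through the limiter in order and return
    a list of (timestamp, src_ip, allowed)."""
    return [(t, ip, limiter.call_attempt(ip, t)[0]) for t, ip in attempts]


if __name__ == "__main__":
    # Constructed call-setup log: one phone bursts, one handover device is exempt.
    limiter = CallRateLimiter(3, handover_devices={"10.0.0.100"})
    log = [(0.0, "10.0.0.7"), (1.0, "10.0.0.7"), (2.0, "10.0.0.7"),
           (3.0, "10.0.0.7"), (3.5, "10.0.0.100"), (61.0, "10.0.0.7")]
    for entry in replay(limiter, log):
        print(entry)
```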
Table 3-107
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-108  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Not Enforced
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Not Enforced

H323
In this window you can perform the following application layer checks:

Strict enforcement of the protocol, including the order and direction of H.323
packets.

If the phone number sent is longer than 24 characters the packet is dropped.
This prevents buffer overruns in the server.

Dynamic ports will only be opened if the port is not used by another service.
For example: If the Connect message sends port 80 for the H.245 it will not be
opened. This prevents well-known ports being used illegally.

Table 3-109
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-110  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Same               Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Not Enforced


SIP
With this protection you can verify content in the SIP header. If this option is
selected and there are explicit SIP rules in the Rule Base, SmartDefense will
validate the SIP headers and look for invalid characters inside them.
Table 3-111
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-112  Feature behavior by module version
  NG FP3 to R55, protection on in NGX R60 Management:
      Same, except: block specific applications (video, audio, instant messaging)
      and default registration timeout, which are not enforced
  NG FP3 to R55, protection in Monitor-Only mode in NGX R60 Management:
      Not Enforced
  R55W, protection on in NGX R60 Management:
      Same ("Block SIP calls that use " and "Drop unknown SIP message" are not enforced)
  R55W, protection in Monitor-Only mode in NGX R60 Management:
      Not Enforced

Block SIP Calls that Use Two Different Voice Connections (RTP) for Incoming Audio and Outgoing Audio
Table 3-113
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-114  Feature behavior when protection is on
  R55            R55W           R60
  Enforced       Enforced       Enforced

Verify SIP Header Content


Table 3-115
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-116  Feature behavior when protection is on
  R55            R55W           R60
  Enforced       Enforced       Enforced


Block SIP-based Video/Audio


Table 3-117
  Default Flag Settings:          Off for all versions prior to R60 / On for R60
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-118  Feature behavior when protection is on
  R55            R55W           R60
  Not Enforced   Enforced       Enforced

Block SIP-based Instant Messaging


Table 3-119
  Default Flag Settings:          Off for all versions prior to R60 / On for R60
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-120  Feature behavior when protection is on
  R55            R55W           R60
  Enforced       Enforced       Enforced

Drop Unknown SIP Messages


Table 3-121
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-122  Feature behavior when protection is on
  R55            R55W           R60
  Not Enforced   Not Enforced   Enforced

Default Proxy Registration Expiration Time Period


Table 3-123
  Default Flag Settings:          600 seconds
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-124  Feature behavior when protection is on
  R55            R55W           R60
  Not Enforced   Not Enforced   Enforced


Block the Destination from Re-inviting Calls


Table 3-125
  Default Flag Settings:          Off for all versions prior to R60 / On for R60
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-126  Feature behavior when protection is on
  R55            R55W           R60
  Enforced       Enforced       Enforced

MGCP (allowed commands)


SmartDefense provides full network level security for MGCP. SmartDefense enforces
strict compliance with RFC-2705, RFC-3435 (version 1.0) and ITU TGCP
specification J.171. In addition, all SmartDefense capabilities are supported, such
as inspection of fragmented packets, anti-spoofing and protection against Denial of
Service attacks. Note however that NAT on MGCP is not supported.
In addition, SmartDefense restricts handover locations and controls signalling and
data connections.
Table 3-127
  Default Flag Settings:          Allowed
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-128  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       N/A

SCCP (Skinny)
SCCP (Skinny Client Control Protocol) controls telephony gateways from external
call control devices called Call Agents (also known as Media Gateway Controllers).
SmartDefense provides full connectivity and network level security for SCCP
based VoIP communication. All SCCP traffic is inspected, and legitimate traffic is
allowed to pass while attacks are blocked. All SmartDefense capabilities are
supported, such as anti-spoofing and protection against Denial of Service attacks.
Fragmented packets are examined and secured using kernel based streaming.
However, NAT on SCCP devices is not supported.
In addition, SmartDefense restricts handover locations, and controls signalling and
data connections.
SmartDefense tracks state and verifies that the state is valid for all SCCP messages.
For a number of key messages, it also verifies the existence and correctness of the
message parameters.
SmartDefense can perform additional content security checks for SCCP
connections, thereby providing a greater level of protection.
Table 3-129
  Default Flag Settings:          On
  Log Generated by Protection:
  NGX Performance Impact:         VoIP traffic is not accelerated.

Table 3-130  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       N/A


SNMP
With the protections in this section you can protect against SNMP vulnerabilities by
providing the option of enforcing SNMPv3 (the latest SNMP version) while rejecting
previous versions. In addition, in this window you can allow all SNMP versions
while dropping requests with SNMPv1 and SNMPv2 default community strings.

Allow Only SNMPv3 Traffic


This protection prevents the use of previous SNMP versions. By forcing the network
to work with SNMPv3, SmartDefense employs authentication features that are not
available with previous SNMP versions (that is, SNMPv1 and SNMPv2).
Table 3-131
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables acceleration of SNMP traffic.

Table 3-132  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same

Drop Requests to Default Community Strings

Dropping requests with default community strings for SNMPv1 and SNMPv2 prevents
unencrypted text associated with SNMPv1 and SNMPv2 from being sent over the
network.
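An added Python example, not Check Point code, covering both the Allow Only SNMPv3 Traffic protection above and this one: it decodes the outer SNMP message (BER SEQUENCE, version INTEGER and, for v1/v2c, the community OCTET STRING) and drops messages by version or by default community string; the sample messages and the default-community list are constructed.

```python
# Constructed list of default community strings shipped with many agents,
# standing in for the list SmartDefense matches against.
DEFAULT_COMMUNITIES = {b"public", b"private"}

SNMP_VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_message(data):
    """Return (version, community) from the outer SNMP message.
    community is None for SNMPv3, whose header carries no community string."""
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    if end != len(data):
        raise ValueError("trailing bytes after the SNMP message")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02 or not raw_version:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(raw_version, "big", signed=True)
    community = None
    if version in (0, 1):                      # v1 / v2c: plaintext community follows
        tag, community, pos = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("missing community OCTET STRING")
    return version, community


def inspect_snmp(data, only_v3=False, drop_default_communities=False,
                 defaults=DEFAULT_COMMUNITIES):
    """Apply the two SNMP protections to one message; return (allowed, reason)."""
    try:
        version, community = parse_snmp_message(data)
    except ValueError as exc:
        return False, "malformed SNMP: %s" % exc
    name = SNMP_VERSION_NAMES.get(version, "version %d" % version)
    if only_v3 and version != 3:
        return False, "%s rejected: only SNMPv3 is allowed" % name
    if drop_default_communities and community in defaults:
        return False, "%s request with default community %r dropped" % (name, community)
    return True, "ok"


def build_v1_get(community):
    """Construct a minimal SNMPv1 GetRequest (request-id 1, empty varbind list)."""
    pdu = bytes.fromhex("a00b020101020100020100" "3000")
    body = bytes([0x02, 0x01, 0x00]) + bytes([0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body


# Constructed SNMPv3 message prefix carrying only the version INTEGER 3;
# msgGlobalData and the security parameters are omitted because the
# version check does not need them.
SNMPV3_STUB = bytes.fromhex("3003020103")


if __name__ == "__main__":
    print(inspect_snmp(build_v1_get(b"public"), drop_default_communities=True))
    print(inspect_snmp(build_v1_get(b"s3cret"), only_v3=True))
    print(inspect_snmp(SNMPV3_STUB, only_v3=True))
```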
Table 3-133
  Default Flag Settings:          Off
  Log Generated by Protection:
  NGX Performance Impact:         Disables acceleration of SNMP traffic.

Table 3-134  Feature behavior by module version
                                                            NG FP3 to R55      R55W
  protection on in NGX R60 Management                       Not Enforced       Same
  protection in Monitor-Only mode in NGX R60 Management     Not Enforced       Same


VPN Protocols
The protections in this section allow you to select what types of enforcement will
be applied to VPN (Virtual Private Network) protocols.

PPTP Enforcement
This protection enforces the PPTP protocol. PPTP sessions are forced to comply
with the RFC standard, including message type and packet length. If the PPTP
control connection terminates unexpectedly, the GRE tunnel is terminated
automatically. In addition, enabling this protection allows Hide NAT as well as
Static NAT to be performed on PPTP connections.

Table 3-135
Default Flag Settings: On
Log Generated by Protection:
NGX Performance Impact: Disables acceleration of PPTP traffic.

Table 3-136 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced

SSL Enforcement
When this protection is enabled, SmartDefense will identify and drop malformed
SSL Client Hello packets.

Table 3-137
Default Flag Settings: Off
Log Generated by Protection: Invalid SSL Packet
NGX Performance Impact: Disables acceleration of SSL traffic passing through the gateway.

Table 3-138 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
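The malformed Client Hello check described above, as an added example in Python (not Check Point's code): it validates SSLv3/TLS record and handshake framing and every length field inside the ClientHello, and returns the defect it found. The sample record is constructed; an SSLv2-style hello would need a separate check.

```python
"""Structural validation of an SSL/TLS ClientHello record, modelling the
"identify and drop malformed SSL Client Hello packets" behaviour above.  Added
example, not Check Point code; it covers the SSLv3/TLS record framing only."""

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01


def _need(buf, pos, n, what):
    """Ensure n bytes are available at pos; return the position after them."""
    if pos + n > len(buf):
        raise ValueError("truncated %s" % what)
    return pos + n


def check_client_hello(data):
    """Return a parsed summary or raise ValueError naming the first structural defect."""
    _need(data, 0, 5, "record header")
    ctype, rec_len = data[0], int.from_bytes(data[3:5], "big")
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError("record type 0x%02x is not handshake" % ctype)
    if data[1] != 0x03:
        raise ValueError("record version major 0x%02x is not 3" % data[1])
    if rec_len == 0 or 5 + rec_len != len(data):
        raise ValueError("record length %d disagrees with %d bytes" % (rec_len, len(data) - 5))
    body = data[5:]
    _need(body, 0, 4, "handshake header")
    if body[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("handshake type 0x%02x is not ClientHello" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    if 4 + hs_len != len(body):
        raise ValueError("handshake length %d disagrees with record" % hs_len)
    hello = body[4:]
    _need(hello, 0, 2 + 32 + 1, "client_version/random/session_id length")
    sid_len = hello[34]
    if sid_len > 32:
        raise ValueError("session_id length %d > 32" % sid_len)
    p = _need(hello, 35, sid_len, "session_id")
    q = _need(hello, p, 2, "cipher_suites length")
    cs_len = int.from_bytes(hello[p:q], "big")
    if cs_len == 0 or cs_len % 2:
        raise ValueError("cipher_suites length %d invalid" % cs_len)
    p = _need(hello, q, cs_len, "cipher_suites")
    q = _need(hello, p, 1, "compression_methods length")
    cm_len = hello[p]
    if cm_len == 0:
        raise ValueError("no compression methods")
    p = _need(hello, q, cm_len, "compression_methods")
    if p != len(hello):                                   # optional extensions block
        q = _need(hello, p, 2, "extensions length")
        ext_len = int.from_bytes(hello[p:q], "big")
        if q + ext_len != len(hello):
            raise ValueError("extensions length %d does not fill the remaining %d bytes"
                             % (ext_len, len(hello) - q))
    return {"version": (hello[0], hello[1]), "cipher_suites": cs_len // 2,
            "session_id_len": sid_len}


def verdict(data):
    """'accept' or 'drop: <defect>' (the guide logs the latter as 'Invalid SSL Packet')."""
    try:
        check_client_hello(data)
        return "accept"
    except ValueError as exc:
        return "drop: %s" % exc


def build_client_hello(cipher_suites=(0x002F, 0x0035), session_id=b"", version=(3, 1)):
    """Construct a well-formed TLS 1.0 ClientHello record (sample data, not a capture)."""
    suites = b"".join(cs.to_bytes(2, "big") for cs in cipher_suites)
    hello = (bytes(version) + bytes(32)                  # client_version, 32-byte random (zeroed)
             + bytes([len(session_id)]) + session_id
             + len(suites).to_bytes(2, "big") + suites
             + b"\x01\x00")                              # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake


GOOD_HELLO = build_client_hello()
```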


Block IKE Aggressive Exchange
When this protection is enabled, SmartDefense will identify and drop IKE
aggressive exchanges.

Table 3-139
Default Flag Settings: Off
Log Generated by Protection: IKE Aggressive Packet Detected
NGX Performance Impact: Disables acceleration of IKE traffic on the client to server direction passing through the gateway. Server to client is still accelerated.

Table 3-140 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same

IKE Enforcement
This protection enforces compliance of the IKE protocol with RFC 2409 in terms
of payload type and length, maximal payload number, and packet length. By
enabling "IKE payload enforcement", SmartDefense performs additional checks on
the IKE Security Association payload. A monitor-only mode makes it possible to
track IKE protocol violations without blocking the connection.

Table 3-141
Default Flag Settings: Off
Log Generated by Protection: IKE Enforcement Violation
NGX Performance Impact: Disables acceleration of IKE traffic on the client to server direction passing through the gateway. Server to client is still accelerated.

Table 3-142 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
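Both IKE protections above (the aggressive-exchange block and the RFC 2409 framing enforcement), as one added example in Python; this is not Check Point's code. MAX_PAYLOADS and the IPSEC-DOI-only check on the SA payload are assumed values where the guide gives none, and the sample messages are constructed.

```python
"""Model of the ISAKMP/IKE (RFC 2408, RFC 2409) framing checks behind the two
protections above: the aggressive-exchange block and the header, payload-type,
payload-length, payload-count and SA-payload enforcement.  Added example, not
Check Point code; MAX_PAYLOADS and the IPSEC-DOI-only SA check are assumptions."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next payload, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")         # next payload, reserved, payload length (incl. header)

EXCHANGE_AGGRESSIVE = 4                     # RFC 2409: Aggressive Mode exchange type
FLAG_ENCRYPTION = 0x01
KNOWN_PAYLOADS = set(range(1, 14))          # SA, P, T, KE, ID, CERT, CR, HASH, SIG, NONCE, N, D, VID
PAYLOAD_SA = 1
IPSEC_DOI = 1
MAX_PAYLOADS = 16                           # assumed cap; the guide states no number


def _check_sa(body):
    """SA payload must carry DOI and Situation and use the IPSEC DOI (assumed strictness)."""
    if len(body) < 8:
        raise ValueError("SA payload shorter than DOI+Situation")
    doi = struct.unpack_from("!I", body)[0]
    if doi != IPSEC_DOI:
        raise ValueError("SA payload DOI %d is not IPSEC" % doi)


def parse_ike(pkt):
    """Validate framing; return (exchange_type, [payload types]) or raise ValueError."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("shorter than ISAKMP header")
    _, _, cur, version, xchg, flags, _, length = ISAKMP_HDR.unpack_from(pkt)
    if version >> 4 != 1:
        raise ValueError("major version %d is not 1" % (version >> 4))
    if length != len(pkt):
        raise ValueError("header length %d != %d bytes on the wire" % (length, len(pkt)))
    payloads, pos = [], ISAKMP_HDR.size
    if flags & FLAG_ENCRYPTION:             # chain is ciphertext; only the header is checkable
        return xchg, payloads
    while cur != 0:
        if len(payloads) >= MAX_PAYLOADS:
            raise ValueError("more than %d payloads" % MAX_PAYLOADS)
        if cur not in KNOWN_PAYLOADS:
            raise ValueError("unknown payload type %d" % cur)
        if pos + PAYLOAD_HDR.size > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _, plen = PAYLOAD_HDR.unpack_from(pkt, pos)
        if plen < PAYLOAD_HDR.size or pos + plen > len(pkt):
            raise ValueError("payload %d length %d out of bounds" % (cur, plen))
        if cur == PAYLOAD_SA:
            _check_sa(pkt[pos + PAYLOAD_HDR.size:pos + plen])
        payloads.append(cur)
        pos, cur = pos + plen, nxt
    if pos != len(pkt):
        raise ValueError("%d trailing bytes after last payload" % (len(pkt) - pos))
    return xchg, payloads


def inspect_ike(pkt, block_aggressive=True, enforce=True):
    """'accept' or 'drop: <log text>', using the two log strings named in the guide."""
    try:
        xchg, _ = parse_ike(pkt)
    except ValueError as exc:
        if enforce:
            return "drop: IKE Enforcement Violation (%s)" % exc
        xchg = pkt[18] if len(pkt) > 18 else None      # exchange type byte, best effort
    if block_aggressive and xchg == EXCHANGE_AGGRESSIVE:
        return "drop: IKE Aggressive Packet Detected"
    return "accept"


# --- constructed samples -----------------------------------------------------
def build_ike(exchange, payloads, flags=0, length_override=None):
    """Assemble a cleartext ISAKMP message from (payload type, body) pairs."""
    chain = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    total = ISAKMP_HDR.size + len(chain)
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), first, 0x10, exchange, flags, 0,
                          total if length_override is None else length_override)
    return hdr + chain


SA_BODY = struct.pack("!II", IPSEC_DOI, 1)              # DOI=IPSEC, SIT_IDENTITY_ONLY; proposals omitted
MAIN_MODE = build_ike(2, [(PAYLOAD_SA, SA_BODY), (13, b"\xab" * 16)])
AGGRESSIVE = build_ike(EXCHANGE_AGGRESSIVE, [(PAYLOAD_SA, SA_BODY), (4, bytes(128)),
                                             (10, bytes(16)), (5, bytes(8))])
```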


SSH - Detect SSH over Non-Standard Ports
SSH versions 1 and 2 are typically used over TCP port 22. This protection provides
two possible actions (Block All SSH Versions and Run SSH Enforcement).

When you select Block All SSH Versions, SSH traffic (associated with any SSH
version) on all possible TCP ports is blocked.

When you select Run SSH Enforcement, the SSH Enforcement protection is
applied on all non-standard ports in addition to TCP port 22.

Table 3-143
Default Flag Settings: Off
Log Generated by Protection: SSH Connection on a Non-Standard Port
NGX Performance Impact: Disables session rate acceleration on all traffic.

Table 3-144 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same

SSH Enforcement
SSH Enforcement protection applies to SSH traffic on TCP port 22. SSH
Enforcement enables you to select and deselect specific defense attributes. By
selecting Block SSH v1, only SSH version 2 will be enabled over TCP port 22.

Table 3-145
Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables session rate acceleration on SSH traffic.

Table 3-146 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same


Content Protection
The protections in this section allow you to block malicious content over multiple
protocols.

Malformed JPEG
By enabling this protection, SmartDefense blocks malformed JPEG files on all
services with Protocol Type 'HTTP'.
Enabling "Perform strict enforcement" enables JPEG file detection based on the
file's content.

Table 3-147
Default Flag Settings: Off
Log Generated by Protection: JPEG Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.

Table 3-148 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same

Malformed ANI File
By enabling this protection, SmartDefense blocks malformed ANI files on all
services with Protocol Type 'HTTP'.

Table 3-149
Default Flag Settings: Off
Log Generated by Protection: ANI Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.

Table 3-150 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same


MS-RPC

DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135
This protection allows specific MS-RPC interfaces, such as the DCOM interface, if
they are allowed in the rule base. You can use the DCE-RPC services to create them
and apply the protections in this page.
SmartDefense unconditionally blocks the "Blaster" worm and its variants, while
allowing legitimate DCOM traffic.

Table 3-151
Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables acceleration of RPC traffic.

Table 3-152 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: *Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same

Drop Unauthenticated DCOM

Table 3-153
Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables acceleration of RPC traffic.

Table 3-154 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: *Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same

MS-RPC Program Lookup
This protection blocks Lookup operation requests and prevents the exploitation of
this vulnerability.

Table 3-155
Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables acceleration of RPC traffic.

Table 3-156 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced


MS-SQL
The protections in this section allow you to configure various protections related to
the MS SQL Server protocols.

MS-SQL Monitor Protocol
With this protection you can configure different protections to be applied to the MS
SQL Monitor protocol (running on port 1434/UDP).

Table 3-157
Default Flag Settings: Off
Log Generated by Protection: MS-SQL Monitor Protocol Enforcement Violation
NGX Performance Impact: Disables acceleration of MS-SQL traffic.

Table 3-158 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same

MS-SQL Server Protocol
With this protection you can configure several protections for the MS SQL Server
protocol (running on TCP port 1433).

Table 3-159
Default Flag Settings: Off
Log Generated by Protection: MS-SQL Server Protocol Enforcement Violation
NGX Performance Impact: Disables acceleration of MS-SQL traffic.

Table 3-160 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same


Routing Protocols
The protections in this section allow you to select what types of enforcement will
be applied to routing protocols.

OSPF
By enabling this protection, SmartDefense will enforce the validity of the OSPF
packet header, including protocol version, message type and packet length. In
addition, SmartDefense is able to detect and block OSPF traffic that is non-MD5
authenticated, which is considered insecure.

Table 3-161
Default Flag Settings: Off
Log Generated by Protection: OSPF enforcement violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.

Table 3-162 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same

BGP (block non-MD5 authenticated BGP connections)
By enabling this protection, SmartDefense will detect and block BGP traffic that is
non-MD5 authenticated, which is considered insecure.

Table 3-163
Default Flag Settings: Off
Log Generated by Protection: BGP Enforcement Violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.

Table 3-164 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same


RIP
By enabling this protection, SmartDefense will enforce the validity of the RIP
packet header. In addition, SmartDefense is able to detect and block RIP traffic
that is non-MD5 authenticated, which is considered insecure.

Table 3-165
Default Flag Settings: Off
Log Generated by Protection: RIP Enforcement Violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.

Table 3-166 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
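The non-MD5 detections for OSPF, BGP and RIP described above, as one added example in Python (not Check Point's code): the OSPF AuType field, the RIP keyed-MD5 authentication entry, and the TCP MD5 signature option (RFC 2385) that protects a BGP session. The sample packets are constructed; IGMP is not modelled.

```python
"""Checks modelling the OSPF, BGP and RIP "non-MD5 authenticated" detections
described above.  Added example, not Check Point code.  Each function returns
None when the packet passes, or a string describing the violation."""
import struct

OSPF_HDR = struct.Struct("!BBHIIHH8s")      # version, type, length, router id, area id, checksum, autype, auth
OSPF_AUTYPE_CRYPTO = 2                      # RFC 2328 appendix D: cryptographic (MD5) authentication
RIP_AFI_AUTH = 0xFFFF
RIP_AUTH_KEYED_MD5 = 3                      # RFC 2082 keyed message digest
TCP_OPT_MD5SIG = 19                         # RFC 2385 TCP MD5 signature option
TCP_OPT_MD5SIG_LEN = 18


def check_ospf(pkt, require_md5=True):
    if len(pkt) < OSPF_HDR.size:
        return "OSPF header truncated"
    version, ptype, length, _, _, _, autype, _ = OSPF_HDR.unpack_from(pkt)
    if version != 2:
        return "OSPF version %d" % version
    if not 1 <= ptype <= 5:                  # Hello, DBD, LSR, LSU, LSAck
        return "OSPF packet type %d" % ptype
    if length != len(pkt):
        return "OSPF length field %d != %d" % (length, len(pkt))
    if require_md5 and autype != OSPF_AUTYPE_CRYPTO:
        return "OSPF AuType %d is not cryptographic" % autype
    return None


def check_rip(pkt, require_md5=True):
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        return "RIP length %d is not 4 + n*20" % len(pkt)
    command, version = pkt[0], pkt[1]
    if command not in (1, 2) or version not in (1, 2):
        return "RIP command %d / version %d" % (command, version)
    if require_md5:
        if version != 2 or len(pkt) < 24:
            return "RIP packet carries no authentication entry"
        afi, auth_type = struct.unpack_from("!HH", pkt, 4)   # auth entry must come first
        if afi != RIP_AFI_AUTH or auth_type != RIP_AUTH_KEYED_MD5:
            return "RIP first entry is not a keyed-MD5 authentication entry"
    return None


def check_bgp_tcp(tcp_segment, require_md5=True):
    """BGP MD5 (RFC 2385) lives in the TCP header, so inspect the TCP options."""
    if len(tcp_segment) < 20:
        return "TCP header truncated"
    data_offset = (tcp_segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_segment):
        return "TCP data offset %d invalid" % data_offset
    opts, pos, found = tcp_segment[20:data_offset], 0, False
    while pos < len(opts):
        kind = opts[pos]
        if kind == 0:                         # End of option list
            break
        if kind == 1:                         # NOP
            pos += 1
            continue
        if pos + 1 >= len(opts) or opts[pos + 1] < 2 or pos + opts[pos + 1] > len(opts):
            return "malformed TCP option %d" % kind
        if kind == TCP_OPT_MD5SIG and opts[pos + 1] == TCP_OPT_MD5SIG_LEN:
            found = True
        pos += opts[pos + 1]
    if require_md5 and not found:
        return "BGP session without TCP MD5 signature option"
    return None


# --- constructed samples -------------------------------------------------
def ospf_hello(autype):
    body = bytes(20)                          # Hello fields zeroed; only the header matters here
    return OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(body), 0x0A000001, 0, 0, autype, bytes(8)) + body


def rip_response(with_md5):
    route = struct.pack("!HHIIII", 2, 0, 0x0A000000, 0xFF000000, 0, 1)   # 10.0.0.0/8, metric 1
    if not with_md5:
        return b"\x02\x02\x00\x00" + route
    auth = struct.pack("!HHHBBIII", RIP_AFI_AUTH, RIP_AUTH_KEYED_MD5, 44, 1, 16, 1, 0, 0)
    trailer = struct.pack("!HH", RIP_AFI_AUTH, 1) + bytes(16)          # digest placeholder
    return b"\x02\x02\x00\x00" + auth + route + trailer


def bgp_syn(with_md5):
    opts = bytes([TCP_OPT_MD5SIG, TCP_OPT_MD5SIG_LEN]) + bytes(16) + b"\x01\x01" if with_md5 else b""
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return hdr + opts
```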

IGMP
By enabling this protection, SmartDefense will enforce the validity of the IGMP
packet header. In addition, SmartDefense is able to detect and block IGMP traffic
that is non-MD5 authenticated, which is considered insecure.

Table 3-167
Default Flag Settings: Off
Log Generated by Protection: IGMP protocol Enforcement Violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia - Disables acceleration of these protocols.

Table 3-168 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same


SUN-RPC
The protections in this section allow you to select what types of enforcement will
be applied to SUN-RPC (Remote Procedure Calls) protocols.

SUN-RPC Program Lookup
This protection, available for NG with Application Intelligence (R55) and above,
will block SUN-RPC interface scanning.

Table 3-169
Default Flag Settings: Off
Log Generated by Protection: SUN-RPC Enforcement Violation
NGX Performance Impact: Disables acceleration of SUN-RPC traffic.

Table 3-170 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same

DHCP
By enabling this protection, SmartDefense will enforce the validity of the DHCP
packet header and options.

Table 3-171
Default Flag Settings: Off
Log Generated by Protection: DHCP Protocol Enforcement Violation
NGX Performance Impact: None.

Table 3-172 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
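The DHCP header and option validation described above, as an added example in Python (not Check Point's code): it checks the fixed RFC 2131 header, the magic cookie, every option's length against the packet, and the presence of a valid message-type option. The sample DISCOVER is constructed.

```python
"""Structural validation of a DHCP message (RFC 2131 fixed header, RFC 2132
options), modelling the "DHCP Protocol Enforcement Violation" check described
above.  Added example, not Check Point code."""
import struct

FIXED_HDR = struct.Struct("!BBBBIHHIIII16s64s128s")   # 236 bytes: op .. file
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MSG_TYPES = range(1, 9)                                # DISCOVER(1) .. INFORM(8)


def parse_dhcp(pkt):
    """Return {option code: value} for a well-formed message, else raise ValueError."""
    if len(pkt) < FIXED_HDR.size + len(MAGIC_COOKIE):
        raise ValueError("shorter than fixed header plus magic cookie")
    op, htype, hlen = pkt[0], pkt[1], pkt[2]
    if op not in (1, 2):
        raise ValueError("op %d is neither BOOTREQUEST nor BOOTREPLY" % op)
    if hlen > 16 or (htype == 1 and hlen != 6):
        raise ValueError("hlen %d inconsistent with htype %d" % (hlen, htype))
    if pkt[FIXED_HDR.size:FIXED_HDR.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, pos = {}, FIXED_HDR.size + 4
    while True:
        if pos >= len(pkt):
            raise ValueError("options run off the end without END")
        code = pkt[pos]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 2 > len(pkt):
            raise ValueError("option %d truncated" % code)
        length = pkt[pos + 1]
        if pos + 2 + length > len(pkt):
            raise ValueError("option %d length %d overruns packet" % (code, length))
        # RFC 3396: a code that appears more than once is concatenated
        opts[code] = opts.get(code, b"") + pkt[pos + 2:pos + 2 + length]
        pos += 2 + length
    mtype = opts.get(OPT_MSG_TYPE)
    if mtype is None or len(mtype) != 1 or mtype[0] not in MSG_TYPES:
        raise ValueError("message type option missing or invalid: %r" % mtype)
    return opts


def verdict(pkt):
    """'accept' or the drop reason in the guide's log wording."""
    try:
        parse_dhcp(pkt)
        return "accept"
    except ValueError as exc:
        return "drop: DHCP Protocol Enforcement Violation (%s)" % exc


def build_dhcp(options, op=1, cookie=MAGIC_COOKIE, end=True):
    """Assemble a message from (code, value) pairs (constructed sample, not a capture)."""
    chaddr = b"\x00\x0c\x29\xaa\xbb\xcc" + bytes(10)      # constructed MAC, padded to 16 bytes
    hdr = FIXED_HDR.pack(op, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0,
                         chaddr, bytes(64), bytes(128))
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return hdr + cookie + body + (bytes([OPT_END]) if end else b"")


DISCOVER = build_dhcp([(OPT_MSG_TYPE, b"\x01"), (55, bytes([1, 3, 6]))])   # 55: parameter request list
```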


SOCKS
This protection provides enforcement of the SOCKS protocol. Non-SOCKS protocol
communication over the SOCKS protocol port (1080 by default) is blocked.
You may also block SOCKS version 4 only, or any unauthenticated SOCKS
communication (often used by trojans to tunnel information).

Table 3-173
Default Flag Settings: Off
Log Generated by Protection: SOCKS Enforcement Violation
NGX Performance Impact: None.

Table 3-174 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same (R55 Only)
NG FP3 to R55, Monitor-Only mode: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
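The three SOCKS behaviours above (non-SOCKS data on the SOCKS port, SOCKS version 4, unauthenticated SOCKS), as an added example in Python that is not Check Point's code. Treating a SOCKS5 greeting that offers only "no authentication", and any SOCKS4 request, as unauthenticated is an assumption of this model; the sample first messages are constructed.

```python
"""Classification of the first client message on the SOCKS port, modelling the
three behaviours described above.  Added example, not Check Point code."""

SOCKS_PORT = 1080
METHOD_NO_AUTH = 0x00           # RFC 1928 "NO AUTHENTICATION REQUIRED"


def classify_socks(first_msg):
    """Return ('socks4', info), ('socks5', info) or ('non-socks', reason)."""
    if len(first_msg) < 2:
        return "non-socks", "too short for any SOCKS greeting"
    ver = first_msg[0]
    if ver == 4:
        # VN CD DSTPORT(2) DSTIP(4) USERID... NUL  (SOCKS4 CONNECT=1 / BIND=2 request)
        if len(first_msg) < 9 or first_msg[1] not in (1, 2):
            return "non-socks", "bad SOCKS4 request"
        nul = first_msg.find(b"\x00", 8)
        if nul < 0:
            return "non-socks", "SOCKS4 USERID not NUL-terminated"
        port = int.from_bytes(first_msg[2:4], "big")
        ip = ".".join(str(b) for b in first_msg[4:8])
        return "socks4", {"cmd": first_msg[1], "dst": (ip, port), "userid": first_msg[8:nul]}
    if ver == 5:
        # VER NMETHODS METHODS[NMETHODS]  (RFC 1928 method negotiation)
        nmethods = first_msg[1]
        if nmethods == 0 or len(first_msg) != 2 + nmethods:
            return "non-socks", "SOCKS5 method list length mismatch"
        return "socks5", {"methods": list(first_msg[2:])}
    return "non-socks", "version byte 0x%02x" % ver


def inspect_socks(first_msg, dst_port=SOCKS_PORT, block_v4=False, block_unauthenticated=False):
    """'accept' or 'drop: SOCKS Enforcement Violation (<reason>)'."""
    if dst_port != SOCKS_PORT:
        return "accept"                                  # protection applies to the SOCKS port only
    kind, info = classify_socks(first_msg)
    if kind == "non-socks":
        return "drop: SOCKS Enforcement Violation (non-SOCKS data on port %d: %s)" % (dst_port, info)
    if kind == "socks4" and block_v4:
        return "drop: SOCKS Enforcement Violation (SOCKS version 4)"
    if block_unauthenticated:
        # Assumption of this model: a SOCKS4 request (USERID only, no credential check) and a
        # SOCKS5 greeting that offers only NO AUTHENTICATION are both "unauthenticated".
        if kind == "socks4" or set(info["methods"]) <= {METHOD_NO_AUTH}:
            return "drop: SOCKS Enforcement Violation (unauthenticated SOCKS)"
    return "accept"


# constructed first-message samples
SOCKS4_CONNECT = b"\x04\x01" + (80).to_bytes(2, "big") + bytes([10, 0, 0, 5]) + b"alice\x00"
SOCKS5_NOAUTH = b"\x05\x01\x00"
SOCKS5_USERPASS = b"\x05\x02\x00\x02"
HTTP_GET = b"GET / HTTP/1.0\r\n\r\n"
```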

Chapter 4
Web Intelligence

In This Chapter
Introduction: page 110
Malicious Code: page 111
Application Layer: page 113
Information Disclosure: page 118
HTTP Protocol Inspection: page 121

Introduction
Web Intelligence is based on Check Point's Stateful Inspection, Application
Intelligence, and Malicious Code Protector technologies, so that it is possible to
block not only specific attacks, but also entire categories of attacks, while allowing
legitimate traffic to pass.

Malicious Code Protector is a Check Point patent-pending technology that blocks
hackers from sending malicious code to target web servers and applications. It
can detect malicious executable code within web communications by identifying
not only the existence of executable code in a data stream but its potential for
malicious behavior. Malicious Code Protector is a kernel-based protection
delivering almost wire-speed performance.

Application Intelligence is a set of technologies that detect and prevent
application-level attacks by integrating a deeper understanding of application
behavior into network security defenses.

Stateful Inspection analyzes information flow into and out of a network so that
real-time security decisions can be based on communication session information
as well as on application information. It accomplishes this by tracking the state
and context of all communications traversing the firewall gateway, even when the
connection involves complex protocols.

Web Intelligence is an add-on for VPN-1 Power. Customers who purchase the
SmartDefense Subscription service can automatically update both SmartDefense
and Web Intelligence with a single click. Updates are released frequently, and are
obtained from the Check Point SmartDefense site:
http://www.checkpoint.com/techsupport/documentation/smartdefense/index.html
Customers with a valid subscription license also receive special SmartDefense
Advisories that provide updated SmartDefense and Web Intelligence attack
protections, as well as information, tools and best practice methods to mitigate
different attacks.
Tip - It is recommended to keep your gateway version up-to-date, as the newest defenses are
incorporated into the latest version of Check Point software.


Malicious Code
The protections in this section allow you to prevent attacks that run malicious code
on web servers or clients.

General HTTP Worm Catcher
With this protection you can configure worm signatures that will be detected and
blocked based on pre-defined patterns. This detection takes place in the kernel, and
so is performed very quickly. It does not require a security server.
This protection can be applied either to all traffic or to specific web servers. When
the attack is blocked, users can be informed via a customizable web page.

Table 4-175
Default Flag Settings: On for defined web servers
Log Generated by Protection: Worm catcher pattern found. cmd.exe
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-176 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same


Malicious Code Protector
This protection analyzes URLs, HTTP request headers and HTTP request bodies by
disassembling machine code. It assesses the danger, and allows or rejects
connections accordingly. Because it analyzes assembler code dynamically, it is able
to protect against most future vulnerabilities without the need for patterns or
updates.
To provide good protection with a minimum number of false positives, three levels
of protection are available. They make it possible to choose the appropriate
trade-off between a high detection rate on the one hand and a low level of false
positives on the other. The protection level can be changed at any time to suit the
environment. For details, see the online help.
This protection is available for Web Servers running on the platforms specified in
the online help.

Table 4-177
Default Flag Settings: Off
Log Generated by Protection: Malicious code detected in URL
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-178 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same (except for Solaris)
R55W, Monitor-Only mode: Same

Application Layer
The protections in this section prevent hackers from introducing text, tags,
commands, or other characters that a web application will interpret as special
instructions. Introducing these characters in forms or URLs can allow a hacker to
steal private data, redirect a communication session to a malicious web site, steal
information from a database, gain unauthorized access, or execute restricted
commands.

Cross Site Scripting
To protect against Cross-Site Scripting attacks, HTTP requests sent using the POST
command that contain scripting code are rejected. This protection also
understands the encoded data sent as part of the URL, which is an alternative way
of submitting information. The scripting code is not stripped from the request;
rather, the whole request is rejected.
To provide good protection with a minimum number of false positives, three levels
of protection are available. They make it possible to choose the appropriate
trade-off between a high detection rate on the one hand and a low level of false
positives on the other. The protection level can be changed at any time to suit the
environment. For details, see the online help.

Table 4-179
Default Flag Settings: On for defined web servers
Log Generated by Protection: Cross Site Scripting detected in URL: 'script'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-180 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same


LDAP Injection
This protection protects LDAP servers by identifying attempted misuse of LDAP
queries in forms and URLs submitted to Web applications. If an attack is detected,
the connection is rejected.
To provide good protection with the optimum detection sensitivity, three levels of
protection are available. For details, see the online help.
The list of LDAP fields that is examined can be customized, which makes it
possible to control the use of customized LDAP fields, as well as standard ones.

Table 4-181
Default Flag Settings: On for defined web servers
Log Generated by Protection: LDAP Injection detected in URL: 'uid'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-182 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced

SQL Injection
Web Intelligence looks for SQL commands in forms and in URLs. If it finds them,
the connection is rejected.
To provide good protection with a minimum number of false positives, three levels
of protection are available. They make it possible to choose the appropriate
trade-off between a high detection rate on the one hand and a low level of false
positives on the other. The protection level can be changed at any time to suit the
environment. For details, see the online help.

Table 4-183
Default Flag Settings: On for defined web servers
Log Generated by Protection: SQL Injection detected in URL: 'select'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-184 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same


Command Injection
This protection looks for system commands in forms and in URLs. If it finds them,
the connection is rejected.
To provide good protection with a minimum number of false positives, three levels
of protection are available. They make it possible to choose the appropriate
trade-off between a high detection rate on the one hand and a low level of false
positives on the other. The protection level can be changed at any time to suit the
environment. For details, see the online help.

Table 4-185
Default Flag Settings: On for defined web servers
Log Generated by Protection: Command Injection detected in URL: 'chown'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-186 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same

Directory Traversal
This protection verifies that the URL does not contain an illegal combination of
directory traversal characters. Requests in which the URL contains an illegal
directory request are blocked.

Table 4-187
Default Flag Settings: On for defined web servers
Log Generated by Protection: directory traversal overflow http://1.2.3.4/../../
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-188 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same


Information Disclosure
One of the first steps an attacker may take before attacking a web site is to gather
information about the site. The goal of the hacker is to get the web server to reveal
information that the hacker can use to tailor an attack. This is known as
"fingerprinting".
The protections in this section allow you to prevent the web server from revealing
information that is not required by users.

Header Spoofing
This protection allows you to remove or change a specific header (that can appear
either in the HTTP Request or Response) by giving a regular expression to identify
the header name and header value. For example, a typical server header will
contain the web server name and version number. Use this protection to spoof out
the version information.
Note - Activating this protection decreases performance for Web traffic to which this
protection is applied.

Table 4-189
Default Flag Settings: Off
Log Generated by Protection: Header Spoofing, replacing header, new header is 'IIS'
NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-190 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same

Directory Listing
This protection identifies web pages containing directory listings and blocks them.
To provide good protection with the optimum detection sensitivity, three levels of
protection are available. For details, see the online help.

Table 4-191
Default Flag Settings: Off
Log Generated by Protection: Directory Listing detected
NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-192 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced


Error Concealment
This protection looks for web server error messages in HTTP responses, and if it
finds them, prevents the web page from reaching the user.
Error messages are detected and concealed in two ways.
The first way conceals HTTP Responses containing those 4XX and 5XX error status
codes that reveal unnecessary information. It is possible to choose the status codes
that will be concealed.
The second way hides error messages generated by the web application engine.
This approach is needed when the application engine does not tell the web server
it has an error, in which case the web server displays error information that it
should not. It is possible to configure patterns that identify messages from
particular application engines. If these patterns are detected, the pages are blocked.

Table 4-193
Default Flag Settings: Off
Log Generated by Protection: Concealed HTTP response status code: '413'
NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-194 (feature behavior in NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced
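Header Spoofing and Error Concealment, as described above, combined in one added response-side filter in Python; this is not Check Point's code. The Server header rule, the concealed status-code set and the application-engine error patterns are assumed sample configuration, and the responses are constructed.

```python
"""Response-side filter combining the Header Spoofing and Error Concealment
behaviours described above.  Added example, not Check Point code; the Server
header rule, the concealed status-code set and the application-engine error
patterns are assumed sample configuration, not values from the guide."""
import re

# Header Spoofing rule: (header name regex, header value regex, replacement value)
SPOOF_RULES = [(re.compile(r"^Server$", re.I), re.compile(r".*"), "IIS")]
# Error Concealment, first way: status codes to conceal (the guide's log shows '413')
CONCEALED_STATUS = {401, 403, 404, 413, 500, 501, 502, 503}
# Error Concealment, second way: patterns identifying a particular application engine's errors
ENGINE_ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"ODBC Error Code", r"Microsoft OLE DB Provider", r"Fatal error: .* on line \d+")]


def parse_response(raw):
    """Split a raw HTTP response into (version, status, reason, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response head not terminated")
    lines = head.decode("latin-1").split("\r\n")
    version, status, *reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("header line without colon: %r" % line)
        headers.append((name.strip(), value.strip()))
    return version, int(status), " ".join(reason), headers, body


def filter_response(raw, conceal_codes=CONCEALED_STATUS):
    """Return (action, response bytes or None, [log lines in the guide's wording])."""
    version, status, reason, headers, body = parse_response(raw)
    if status in conceal_codes:
        return "conceal", None, ["Concealed HTTP response status code: '%d'" % status]
    text = body.decode("latin-1")
    for pattern in ENGINE_ERROR_PATTERNS:
        if pattern.search(text):
            return "conceal", None, ["Concealed application engine error matching '%s'" % pattern.pattern]
    out, logs = [], []
    for name, value in headers:
        for name_re, value_re, replacement in SPOOF_RULES:
            if name_re.search(name) and value_re.search(value):
                logs.append("Header Spoofing, replacing header, new header is '%s'" % replacement)
                value = replacement
        out.append("%s: %s" % (name, value))
    head = "\r\n".join(["%s %d %s" % (version, status, reason)] + out)
    return "pass", head.encode("latin-1") + b"\r\n\r\n" + body, logs


# constructed sample responses (not captured traffic)
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.55 (Unix)\r\n"
               b"Content-Type: text/html\r\n\r\n<html>hi</html>")
NOT_FOUND = b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.0.55 (Unix)\r\n\r\n<html>nope</html>"
ENGINE_ERROR = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                b"Fatal error: Call to undefined function foo() in /var/www/x.php on line 12")
```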

HTTP Protocol Inspection
HTTP Protocol Inspection provides strict enforcement of the HTTP protocol,
ensuring these sessions comply with RFC standards and common security
practices.
Web Intelligence performs high performance kernel-level inspection of all
connections passing through enforcement modules of version NG with Application
Intelligence (R55W) or higher.
For enforcement modules of version NG with Application Intelligence (R55) or
lower, there is a choice. It is possible to choose whether to perform HTTP protocol
inspection using the kernel for optimized performance, or using the HTTP Security
Server for strict protocol enforcement. A third option applies the options only to
connections related to resources used in the Rule Base, and enforces the options
using the Security Server.

HTTP Format Sizes

It is good security practice to limit the sizes of the different elements of an
HTTP request and response. This reduces the chance of buffer overruns on the
server and limits the amount of code that can be inserted into a header.
This protection allows you to configure upper bounds for the different elements
of the HTTP request and response. You can also impose limits on specific
headers, using a regular expression to describe the header name. If the
inspected HTTP connection contains more than one request, the limits are
imposed on each request separately.
Table 4-195
Default Flag Settings: On

Maximum Request Body Size:

Table 4-196
Default Flag Settings: Off
Log Generated by Protection: Request body length exceeded allowed maximum length of 49152 bytes
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-197 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Not Enforced    Not Enforced
R55W                 Same            Same

Maximum URL Length:

Table 4-198
Default Flag Settings: On for defined web servers
Log Generated by Protection: URL length exceeded allowed maximum length of 2048 bytes
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-199 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Same            Enforced
R55W                 Same            Same

Maximum Header Value Length:

Table 4-200
Default Flag Settings: On for defined web servers
Log Generated by Protection: 'host' header length exceeded maximum allowed length
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-201 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Same            Enforced
R55W                 Same            Same

Maximum Number of Headers:

Table 4-202
Default Flag Settings: On for defined web servers
Log Generated by Protection: Number of HTTP headers exceeded allowed maximum of 500
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-203 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Same            Enforced
R55W                 Same            Same

ASCII Only Request

This protection makes it possible to selectively block non-ASCII characters in
HTTP requests. It can be applied to HTTP request headers and to form fields.
When a user submits a web form, the form data is carried either in the query
part of the URL or in the body of the HTTP request, so the form-field check
covers both locations.
Table 4-204
Default Flag Settings: On for defined web servers
Log Generated by Protection: Invalid character detected in request URL: '0xff'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated)

Table 4-205 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Same            Enforced
R55W                 Same            Same

ASCII Only Response Headers

This protection drops responses whose headers contain non-ASCII values.
Note - Activating this protection decreases performance for the web traffic to
which it is applied.

With this page you can force all HTTP response headers to be ASCII only. This
prevents some malicious content from passing in the HTTP protocol headers.
Table 4-206
Default Flag Settings: Off
Log Generated by Protection: Invalid character detected in response headers: '0xff'
NGX Performance Impact: Disables acceleration on all HTTP traffic.

Table 4-207 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Same            Enforced
R55W                 Same            Enforced
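The following Python script is an added example, not Check Point code, that models the server-to-client checks described in the Error Concealment and ASCII Only Response Headers sections above: it conceals a response whose status code is in a configured set, conceals a success response whose body matches an application-engine error pattern (the case where the engine never told the web server it failed), and drops a response whose headers carry a non-ASCII byte. The concealed status-code set, the engine patterns, the replacement page, the constructed sample responses and the log wording for the pattern match are assumptions; the other log lines follow the wording quoted in this guide.

```python
import re

# Added example, not Check Point code. The concealed status-code set, the
# application-engine error patterns, the replacement page and the sample
# responses are assumed; the log lines follow the wording quoted in this guide,
# except the pattern-match log, whose wording is also assumed.
CONCEALED_STATUS = {400, 401, 403, 404, 405, 413, 500, 501, 502, 503}
ENGINE_ERROR_PATTERNS = [
    re.compile(rb"<b>(Warning|Fatal error)</b>:.*?on line \d+", re.S),  # PHP, html_errors on
    re.compile(rb"Microsoft OLE DB Provider for [\w ]+ error"),          # classic ASP / ADO
    re.compile(rb"java\.lang\.\w+Exception"),                              # Java stack trace
]
GENERIC_ERROR_PAGE = (b"HTTP/1.1 500 Internal Server Error\r\n"
                      b"Content-Type: text/html\r\nContent-Length: 18\r\n\r\n"
                      b"<html>Error</html>")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ")[1].decode("ascii"))
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def inspect_response(raw, conceal_codes=CONCEALED_STATUS, ascii_only_headers=True):
    """Return (verdict, log): verdict is 'pass', 'conceal' (replace with the
    generic page) or 'drop'; log is the line the protection would write, or ''."""
    status, headers, body = parse_response(raw)
    # First way: the status code itself is one the administrator chose to conceal.
    if status in conceal_codes:
        return "conceal", "Concealed HTTP response status code: '%d'" % status
    # Second way: the engine did not signal an error (status is 2xx), but the
    # page it produced matches a known application-engine error message.
    for pattern in ENGINE_ERROR_PATTERNS:
        if pattern.search(body):
            return "conceal", "Error message pattern found in response body"
    # ASCII Only Response Headers: any byte above 0x7F in a header drops the response.
    if ascii_only_headers:
        for name, value in headers:
            for byte in name + value:
                if byte > 0x7F:
                    return "drop", "Invalid character detected in response headers: '0x%02x'" % byte
    return "pass", ""


def filter_response(raw):
    """Bytes to forward to the client: the original, the generic page, or None (dropped)."""
    verdict, _ = inspect_response(raw)
    if verdict == "pass":
        return raw
    return GENERIC_ERROR_PAGE if verdict == "conceal" else None


SAMPLES = {  # constructed server responses
    "too_large": b"HTTP/1.1 413 Request Entity Too Large\r\nContent-Length: 0\r\n\r\n",
    "php_leak": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<b>Warning</b>: mysql_connect(): Access denied for user 'app'@'localhost' "
                 b"in /var/www/db.php on line 12"),
    "bad_header": b"HTTP/1.1 200 OK\r\nX-Powered-By: caf\xe9\r\n\r\nok",
    "clean": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-10s %s" % (label, inspect_response(raw)))
```

The order of the checks matters: a concealed error is replaced with a page that leaks nothing about the origin server, whereas a header-encoding violation is dropped outright, so the status-code and body-pattern checks run first and the ASCII check is only reached for responses that would otherwise be forwarded. Passing an empty set as conceal_codes shows the 413 response going through untouched, which is the behavior when no status codes are selected.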


Header Rejection

This protection allows you to reject HTTP requests that contain specific headers
and header values.
The HTTP header name and value are defined using case-sensitive regular
expressions.
Table 4-208
Default Flag Settings: Off
Log Generated by Protection: Header Rejection pattern found in request
NGX Performance Impact: None (works only on C2S traffic, which is accelerated).

Table 4-209 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Same *          Enforced
R55W                 Same            Same
* previously referred to as Peer to Peer

HTTP Methods

This protection controls which HTTP methods may be used in HTTP requests.
Web Intelligence divides the HTTP methods into three groups: standard safe (GET,
HEAD and POST), standard unsafe (the other standard HTTP methods), and
WebDAV. By default, all methods other than the standard safe methods are
blocked. To give users access to popular applications such as Microsoft
Hotmail, Outlook Web Access and FrontPage, the WebDAV HTTP methods, which are
not part of the HTTP RFC, can be allowed.
It is possible to choose exactly which methods to block. For example, if only
the GET and POST methods are allowed and all others are blocked, the following
HTTP request, which uses a WebDAV method, is rejected: MKCOL / HTTP/1.0.
Table 4-210
Default Flag Settings: On for defined web servers
Log Generated by Protection: Blocked Method: 'PUT'
NGX Performance Impact: None (works only on C2S traffic, which is accelerated).

Table 4-211 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Not Enforced    Not Enforced
R55W                 Same            Same


Block HTTP on Non-Standard Port

SmartDefense can detect and block HTTP traffic on any TCP port that the security
administrator has not configured as an allowed port for HTTP.
For details on how to allow HTTP traffic on non-standard ports, refer to the
Check Point advisory CPSA-2005-01 referenced earlier in this guide.
Table 4-212
Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables session rate acceleration.

Table 4-213 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On   Monitor-Only mode
NG FP3 to R55        Not Enforced    Not Enforced
R55W                 Not Enforced    Not Enforced

Block Malicious HTTP Encodings

NULL encoding in URIs is mostly used when trying to bypass URI-based
restrictions, or to take advantage of the fact that some web servers ignore the
parameters that follow a NULL character.
This protection allows you to block HTTP requests that contain NULL encoding in
the path part of the URI.
Table 4-214
Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables session rate acceleration.

Table 4-215 (feature behavior on older enforcement modules when the protection
is on, or in Monitor-Only mode, in NGX R60 Management)
Enforcement module   Protection On                               Monitor-Only mode
NG FP3 to R55        Not Enforced (R54, FP3); Same (R55 only)    Not Enforced (R54, FP3); Same (R55 only)
R55W                 Same                                        Same
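The following Python script is an added example, not Check Point code, that applies the client-to-server checks described in the HTTP Format Sizes, ASCII Only Request, Header Rejection, HTTP Methods, Block HTTP on Non-Standard Port and Block Malicious HTTP Encodings sections above to a constructed stream of pipelined requests, emitting log lines in the wording this guide quotes. The request parser, the three method groups and the size defaults follow the text; the per-header value limit and its header-name regex, the rejection pattern, the set of ports allowed for HTTP, the sample requests, and the log wording for the NULL-encoding and non-ASCII-header cases are assumptions.

```python
import re

# Added example, not Check Point code. The numeric limits mirror the defaults
# quoted in this guide's log lines (49152-byte body, 2048-byte URL, 500 headers).
# The per-header value limit keyed by a header-name regex, the rejection pattern,
# the allowed-port set, the sample stream and the NULL-encoding log wording are assumptions.
MAX_BODY, MAX_URL, MAX_HEADERS = 49152, 2048, 500
HEADER_VALUE_LIMITS = [(re.compile(r"^host$", re.I), 255)]          # (header-name regex, max bytes)
HEADER_REJECTIONS = [(re.compile(r"^X-Debug$"), re.compile(r".*"))]  # case-sensitive (name, value) regexes
SAFE_METHODS = {"GET", "HEAD", "POST"}                               # "standard safe" group
UNSAFE_METHODS = {"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}    # remaining RFC 2616 methods
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
HTTP_ALLOWED_PORTS = {80, 8080}                                      # ports configured for HTTP
REQUEST_LINE_RE = re.compile(rb"^[A-Z]{3,16} \S+ HTTP/1\.[01]\r\n")


def split_requests(stream):
    """Split a client-to-server byte stream into (request_line, headers, body)
    tuples, framing each body by Content-Length, so that a keep-alive connection
    carrying several requests has the limits applied to each request separately."""
    requests = []
    while True:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            return requests
        lines = head.split(b"\r\n")
        headers = []
        for raw in lines[1:]:
            name, _, value = raw.partition(b":")
            headers.append((name.strip(), value.strip()))
        length = 0
        for name, value in headers:
            if name.lower() == b"content-length":
                length = int(value.decode("ascii"))
        requests.append((lines[0], headers, rest[:length]))
        stream = rest[length:]


def first_non_ascii(data):
    """First byte above 0x7F as '0xNN', or None if the data is pure ASCII."""
    for byte in data:
        if byte > 0x7F:
            return "0x%02x" % byte
    return None


def inspect_request(request_line, headers, body, allowed_methods=SAFE_METHODS):
    """Return the log lines one request generates; an empty list means it passes."""
    logs = []
    parts = request_line.split(b" ")
    method = parts[0].decode("latin-1")
    url = parts[1] if len(parts) > 1 else b""
    # HTTP Methods: only the allowed set passes; by default that is the safe group.
    if method not in allowed_methods:
        logs.append("Blocked Method: '%s'" % method)
    # HTTP Format Sizes: URL, body, header count, and regex-selected header values.
    if len(url) > MAX_URL:
        logs.append("URL length exceeded allowed maximum length of %d bytes" % MAX_URL)
    if len(body) > MAX_BODY:
        logs.append("Request body length exceeded allowed maximum length of %d bytes" % MAX_BODY)
    if len(headers) > MAX_HEADERS:
        logs.append("Number of HTTP headers exceeded allowed maximum of %d" % MAX_HEADERS)
    for name, value in headers:
        text_name, text_value = name.decode("latin-1"), value.decode("latin-1")
        for name_re, max_len in HEADER_VALUE_LIMITS:
            if name_re.match(text_name) and len(value) > max_len:
                logs.append("'%s' header length exceeded maximum allowed length" % text_name.lower())
        # Header Rejection: the name regex and the value regex must both match.
        for name_re, value_re in HEADER_REJECTIONS:
            if name_re.search(text_name) and value_re.search(text_value):
                logs.append("Header Rejection pattern found in request")
        bad = first_non_ascii(value)                     # ASCII Only Request: headers
        if bad:
            logs.append("Invalid character detected in request header '%s': '%s'" % (text_name, bad))
    for label, data in (("URL", url), ("body", body)):  # ASCII Only Request: form fields
        bad = first_non_ascii(data)
        if bad:
            logs.append("Invalid character detected in request %s: '%s'" % (label, bad))
    # Block Malicious HTTP Encodings: a NULL, raw or percent-encoded, in the path part.
    path = url.split(b"?", 1)[0]
    if b"\x00" in path or b"%00" in path:
        logs.append("NULL encoding detected in request URL path")
    return logs


def inspect_stream(stream, allowed_methods=SAFE_METHODS):
    """One log list per request carried on the connection."""
    return [inspect_request(*req, allowed_methods=allowed_methods) for req in split_requests(stream)]


def http_on_nonstandard_port(dst_port, payload):
    """Block HTTP on Non-Standard Port: HTTP request syntax on a port not configured for HTTP."""
    return dst_port not in HTTP_ALLOWED_PORTS and REQUEST_LINE_RE.match(payload) is not None


SAMPLE_STREAM = (  # constructed: four pipelined requests on one connection
    b"GET /index.html?q=hello HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    b"MKCOL /newdir HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nuser=\xffabc"
    b"GET /cgi-bin/view%00.txt HTTP/1.1\r\nHost: www.example.com\r\nX-Debug: 1\r\n\r\n"
)

if __name__ == "__main__":
    for number, logs in enumerate(inspect_stream(SAMPLE_STREAM), 1):
        print("request %d: %s" % (number, logs or "passed"))
```

Running the script prints a verdict for each of the four sample requests: the plain GET passes, the MKCOL request is blocked as a WebDAV method, the POST is flagged for the 0xff byte in its form body, and the last GET trips both the Header Rejection pattern and the NULL-encoding check. Calling inspect_stream with allowed_methods=SAFE_METHODS | WEBDAV_METHODS is the equivalent of allowing the WebDAV group for applications such as Outlook Web Access, and http_on_nonstandard_port applied to the first bytes of a connection on a port outside HTTP_ALLOWED_PORTS is the non-standard-port check.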


THIRD PARTY TRADEMARKS AND COPYRIGHTS


Entrust is a registered trademark of Entrust Technologies, Inc. in the United
States and other countries. Entrust's logos and Entrust product and service
names are also trademarks of Entrust Technologies, Inc. Entrust
Technologies Limited is a wholly owned subsidiary of Entrust Technologies,
Inc. FireWall-1 and SecuRemote incorporate certificate management
technology from Entrust.
Verisign is a trademark of Verisign Inc.
The following statements refer to those portions of the software copyrighted
by University of Michigan. Portions of the software copyright 1992-1996
Regents of the University of Michigan. All rights reserved. Redistribution and
use in source and binary forms are permitted provided that this notice is
preserved and that due credit is given to the University of Michigan at Ann
Arbor. The name of the University may not be used to endorse or promote
products derived from this software without specific prior written permission.
This software is provided as is without express or implied warranty.
Copyright Sax Software (terminal emulation only).
The following statements refer to those portions of the software copyrighted
by Carnegie Mellon University.
Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation, and that the name of CMU not be used in advertising or
publicity pertaining to distribution of the software without specific, written
prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO
THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE
FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH
THE USE OR PERFORMANCE OF THIS SOFTWARE.
The following statements refer to those portions of the software copyrighted
by The Open Group.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN
GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
OR OTHER DEALINGS IN THE SOFTWARE.
The following statements refer to those portions of the software copyrighted
by The OpenSSL Project. This product includes software developed by the
OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND
ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
The following statements refer to those portions of the software copyrighted
by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS''
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE. Copyright 1998 The Open Group.
The following statements refer to those portions of the software copyrighted
by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly
and Mark Adler. This software is provided 'as-is', without any express or
implied warranty. In no event will the authors be held liable for any damages
arising from the use of this software. Permission is granted to anyone to use
this software for any purpose, including commercial applications, and to alter
it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim
that you wrote the original software. If you use this software in a product, an
acknowledgment in the product documentation would be appreciated but is
not required.
2. Altered source versions must be plainly marked as such, and must not be
misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
The following statements refer to those portions of the software copyrighted
by the Gnu Public License. This program is free software; you can
redistribute it and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version. This program is distributed in
the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more
details. You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA.
The following statements refer to those portions of the software copyrighted
by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c)
2001, 2002 Expat maintainers. Permission is hereby granted, free of charge,
to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without
restriction, including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to the
following conditions: The above copyright notice and this permission notice
shall be included in all copies or substantial portions of the Software. THE
SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com
International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

GDChart is free for use in your applications and for chart generation. YOU
MAY NOT re-distribute or represent the code as your own. Any redistributions of the code MUST reference the author, and include any and all
original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000,
2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41RR02188 by the National Institutes of Health. Portions copyright 1996,
1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating
to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions
relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions
relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson
(ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John
Ellson (ellson@graphviz.org). Portions relating to JPEG and to color
quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C)
1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane.
This software is based in part on the work of the Independent JPEG Group.
See the file README-JPEG.TXT for more information. Portions relating to
WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den
Brande. Permission has been granted to copy, distribute and modify gd in
any context without fee, including a commercial application, provided that
this notice is present in user-accessible supporting documentation. This
does not affect your ownership of the derived work itself, and the intent is to
assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. "Derived works" includes all
programs that utilize the library. Credit must be given in user-accessible
documentation. This software is provided "AS IS." The copyright holders
disclaim all warranties, either express or implied, including but not limited to
implied warranties of merchantability and fitness for a particular purpose,
with respect to this code and accompanying documentation. Although their
code does not appear in gd 2.0.4, the authors wish to thank David Koblas,
David Rowley, and Hutchison Avenue Software Corporation for their prior
contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain a
copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights
reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO
EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not
be used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
3. The name "PHP" must not be used to endorse or promote products
derived from this software without prior written permission. For written
permission, please contact group@php.net.
4. Products derived from this software may not be called "PHP", nor may
"PHP" appear in their name, without prior written permission from
group@php.net. You may indicate that your software works in conjunction
with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"
5. The PHP Group may publish revised and/or new versions of the license
from time to time. Each version will be given a distinguishing version
number. Once covered code has been published under a particular version
of the license, you may always continue to use it under the terms of that
version. You may also choose to use such covered code under the terms of
any subsequent version of the license published by the PHP Group. No one
other than the PHP Group has the right to modify the terms applicable to
covered code created under this License.
6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"This product includes PHP, freely available from <http://www.php.net/>".
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS
IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals
on behalf of the PHP Group. The PHP Group can be contacted via Email at
group@php.net.
For more information on the PHP Group and the PHP project, please see
<http://www.php.net>. This product includes the Zend Engine, freely
available at <http://www.zend.com>.
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Copyright (c) 2003, Itai Tzur <itzur@actcom.co.il>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
Redistribution of source code must retain the above copyright notice, this list
of conditions and the following disclaimer.
Neither the name of Itai Tzur nor the names of other contributors may be
used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.

U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software
and accompanying documentation are provided to the U.S. government
("Government") in a transaction subject to the Federal Acquisition
Regulations with Restricted Rights. The Government's rights to use, modify,
reproduce, release, perform, display or disclose are
restricted by paragraph (b)(3) of the Rights in Noncommercial Computer
Software and Noncommercial Computer Software Documentation clause at
DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in
paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14,
Alternative III (Jun 87) and paragraph (c)(2) of the Commercial
Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to
do so, subject to the following conditions: The above copyright notice and this
permission notice shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this
document may be copied, reproduced, distributed, republished,
downloaded, displayed, posted or transmitted in any form or by any means,
including, but not limited to, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of NextHop
Technologies, Inc. Permission is granted to display, copy, distribute and
download the materials in this document for personal, non-commercial use
only, provided you do not modify the materials and that you retain all
copyright and other proprietary notices contained in the materials unless
otherwise stated. No material contained in this document may be "mirrored"
on any server without written permission of NextHop. Any unauthorized use
of any material contained in this document may violate copyright laws,
trademark laws, the laws of privacy and publicity, and communications
regulations and statutes. Permission terminates automatically if any of these
terms or conditions are breached. Upon termination, any downloaded and
printed materials must be immediately destroyed.

Use of the material in this document by the Government constitutes
acknowledgment of NextHop's proprietary rights in them, or that of the
original creator. The Contractor/Licensor is NextHop located at 1911
Landings Drive, Mountain View, California 94043. Use, duplication, or
disclosure by the Government is subject to restrictions as set forth in
applicable laws and regulations.
Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT
WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE
FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW,
NEXTHOP DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS.
NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF
MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY
REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR
RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE
RESPECTING, THE MATERIAL IN THIS DOCUMENT.
Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY
DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT,
ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN
THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED
REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS
IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT
OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR
CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION
MAY NOT FULLY APPLY TO YOU.

Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

Trademark Notice
The trademarks, service marks, and logos (the "Trademarks") used and
displayed in this document are registered and unregistered Trademarks of
NextHop in the US and/or other countries. The names of actual companies
and products mentioned herein may be Trademarks of their respective
owners. Nothing in this document should be construed as granting, by
implication, estoppel, or otherwise, any license or right to use any Trademark
displayed in the document. The owners aggressively enforce their intellectual
property rights to the fullest extent of the law. The Trademarks may not be
used in any way, including in advertising or publicity pertaining to distribution
of, or access to, materials in
this document, including use, without prior, written permission. Use of
Trademarks as a "hot" link to any website is prohibited unless establishment
of such a link is approved in advance in writing. Any questions concerning
the use of these Trademarks should be referred to NextHop at U.S. +1 734
222 1600.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc.
("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
PCRE LICENCE
PCRE is a library of functions to support regular expressions whose syntax
and semantics are as close as possible to those of the Perl 5 language.
Release 5 of PCRE is distributed under the terms of the "BSD" licence, as
specified below. The documentation for PCRE, supplied in the "doc"
directory, is distributed under the same terms as the software itself.
Written by: Philip Hazel <ph10@cam.ac.uk>
University of Cambridge Computing Service, Cambridge, England. Phone:
+44 1223 334714.


Copyright (c) 1997-2004 University of Cambridge All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation and/
or other materials provided with the distribution.
* Neither the name of the University of Cambridge nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

Index

A
Address Spoofing 43
Allow Only SNMPv3 Traffic 88
Allowed 22
Always On 22
Application Intelligence 110
Application Layer 113
ASCII Only Request 124
ASCII Only Response Headers 125

B
BGP 103
Block ASN.1 Bitstring Encoding Attack 63
Block ASN.1 Bitstring Encoding Attack over SMTP 57
Block CISCO IOS DOS 34
Block Data Connections to Low Ports 52
Block HTTP on Non-Standard Port 128
Block IKE Aggressive Exchange 92, 93
Block Malicious HTTP Encodings 129
Block Null CIFS Sessions 61
Block Null Payload ICMP 35
Block Popup Messages 62
Block SSL Null-Pointer Assignment 91
Block Welchia ICMP 33
Block WINS Name Validation Attack 65
Block WINS Replication Attack 64

C
Cache Poisoning Protections 78
Command Injection 116
Content Protection 96
Cross Site Scripting 113

D
DCOM 98
Denial Of Service 25
Denial of Service 44
DHCP 107
Directory Listing 119
Directory Traversal 117
DNS 75
Domain Block List 77
DOS Protection 80
Drop Requests to Default Community Strings 89
Drop Unauthenticated DCOM 99
DShield Storm Center 48
Dynamic Ports 52

E
Enforced 22
Error Concealment 120

F
File and Print Sharing 60
Fingerprint Scrambling 40
FTP 58
FTP Bounce 58
FTP Security Server 59

G
General HTTP Worm Catcher 111

H
H323 81
Header Rejection 126
Header Spoofing 118
Host Port Scan 50
HTTP Format Sizes 121
HTTP Methods 127
HTTP Protocol Inspection 121

I
ICQ 74
IGMP 105
Information Disclosure 118
Instant Messengers 69
IP and ICMP 29
IP Fragments 31
IP ID 42
ISN Spoofing 40

L
LAND 27
LDAP Injection 114
Local Interface Spoofing 45

M
Mail 55
Mail Security Server 56
Malformed ANI File 97
Malformed JPEG 96
Malicious Code 111
Malicious Code Protector 110, 112
Max Ping Size 30
Maximum Header Value Length 123
Maximum Number of Headers 123
Maximum Request Body Size 83, 122
Maximum URL Length 122
MGCP (allowed commands) 86
Microsoft Networks 60
MSN Messenger over MSNMS 71
MSN Messenger over SIP 70
MS-RPC 98
MS-RPC Program Lookup 99
MS-SQL 100
MS-SQL Monitor Protocol 100
MS-SQL Server Protocol 101

N
N/A 22
Network Quota 32
NG FP3 18
NG R55W 18
NG With Application Intelligence R54 18
NG With Application Intelligence R55 18
Non TCP Flooding 28
Not Enforced 22

O
Off 22
On 22
OSPF 102

P
Packet Sanity 29
Peer to Peer 66
Ping of Death 26
POP3 / IMAP Security 55
Port Scan 50
PPTP Enforcement 90
Protocol Enforcement - TCP 75
Protocol enforcement - UDP 76

R
Report to DShield 49
Resource Records Enforcements 79
Retrieve and Block Malicious IPs 48
RIP 104
Routing Protocols 102

S
Same 22
SCCP (Skinny) 87
Sequence Verifier 39
SIP 82
Skype 72
Small PMTU 37
SmartDefense 18
SNMP 88
SOCKS 108
Spoofed Reset Protection 38
SQL Injection 115
SSH - Detect SSH over NonStandard Ports 94
SSH Enforcement 95
Stateful Inspection 110
Successive Alerts 46
Successive Events 43
Successive Multiple Connections 47
SUN-RPC 106
SUN-RPC Program Lookup 106
Sweep Scan 51
SYN Attack Configuration 36

T
TCP 36
Teardrop 25
TTL 41

V
VoIP 80
VPN Protocols 90

W
Web Intelligence 19

Y
Yahoo! Messenger 73

August 2006
