July 2006
Contents

Preface

Chapter 1: Introduction
  Overview and Purpose
    SmartDefense
    Web Intelligence
  Obtaining the Latest Version of the Documentation
  Structure of the Guide
  How to Read this Document

Chapter 2: Network Security
  Introduction
  Denial Of Service
    Teardrop
    Ping of Death
    LAND
    Non TCP Flooding
  IP and ICMP
    Packet Sanity
    Max Ping Size
    IP Fragments
    Network Quota
    Block Welchia ICMP
    Block CISCO IOS DOS
    Block Null Payload ICMP
  TCP
    SYN Attack Configuration
    Small PMTU
    Spoofed Reset Protection
    Sequence Verifier
  Fingerprint Scrambling
    ISN Spoofing
    TTL
    IP ID
  Successive Events
    Address Spoofing
    Denial of Service
    Local Interface Spoofing
    Successive Alerts

Chapter 3: Application Intelligence
  Introduction
  Mail
    POP3 / IMAP Security
    Mail Security Server
    Block ASN.1 Bitstring Encoding Attack over SMTP
  FTP
    FTP Bounce
    FTP Security Server
  Microsoft Networks
    File and Print Sharing
    Block Null CIFS Sessions
    Block Popup Messages
    Block ASN.1 Bitstring Encoding Attack
    Block WINS Replication Attack
    Block WINS Name Validation Attack
  Peer to Peer
    Excluded Services/Network Objects
    All Protocols through Port 80
    All Protocols
  Instant Messengers
    Excluded Services/Network Objects
    MSN Messenger over SIP
    MSN Messenger over MSNMS
    Skype
    Yahoo! Messenger
    ICQ
  DNS
    Protocol Enforcement - TCP
    Protocol Enforcement - UDP
    Domain Block List
    Cache Poisoning Protections
    Resource Records Enforcements
  VoIP
    DOS Protection
    H323
    SIP
    MGCP (allowed commands)

Chapter 4: Web Intelligence
  Introduction
  Malicious Code
    General HTTP Worm Catcher
    Malicious Code Protector
  Application Layer
    Cross Site Scripting
    LDAP Injection
    SQL Injection
    Command Injection
    Directory Traversal
  Information Disclosure
    Header Spoofing
    Directory Listing
    Error Concealment
  HTTP Protocol Inspection
    HTTP Format Sizes
Preface

In This Chapter
  Who Should Use This Guide
  Summary of Contents
  Related Documentation
  More Information

Who Should Use This Guide
System administration.
Summary of Contents
This guide contains the following chapters:
  Chapter 1, Introduction
  Chapter 2, Network Security
  Chapter 3, Application Intelligence
  Chapter 4, Web Intelligence
Related Documentation
The NGX R62 release includes the following documentation:

TABLE P-1
  Upgrade Guide
  SmartCenter Guide
  Firewall and SmartDefense Guide
  Eventia Reporter
  SmartView Tracker Guide
  SecurePlatform Guide
  Provider-1 Guide

TABLE P-2
  Integrity Advanced Server Installation Guide
  Integrity Advanced Server Administrator Console Reference
  Integrity Advanced Server Administrator Guide
  Integrity Advanced Server Gateway Integration Guide
  Integrity Advanced Server System Requirements
  Integrity Client Management Guide
More Information
For additional technical information about Check Point products, consult Check
Point's SecureKnowledge at https://secureknowledge.checkpoint.com/.
Chapter 1
Introduction

In This Chapter
  Overview and Purpose
  Obtaining the Latest Version of the Documentation
  Structure of the Guide
  How to Read this Document
SmartDefense
Check Point SmartDefense provides a unified security framework for the various
components that identify and prevent attacks. SmartDefense actively defends your
network even when a protection is not explicitly defined in the Security Rule
Base. It unobtrusively analyzes activity across your network, tracks potentially
threatening events and optionally sends notifications. It protects organizations
from all known, and most unknown, network attacks using intelligent security
technology.
Keeping up to date with the latest defenses does not require up-to-the-minute
technical knowledge. A single click updates SmartDefense with all the latest
defenses from the SmartDefense website.
SmartDefense provides a console that can be used to:
- Choose the attacks that you wish to defend against, and read detailed
information about each attack.
Web Intelligence
Check Point Web Intelligence enables customers to configure, enforce and update
attack protections for web servers and applications. Web Intelligence protections
are designed specifically for web-based attacks and complement the network- and
application-level protections offered by SmartDefense. In addition, Web Intelligence
Advisories published online by Check Point provide information and add new attack
defenses.
Web Intelligence not only protects against a range of known attacks, from attacks
on the web server itself to attacks on the databases used by web applications, but
also incorporates intelligent security technologies that protect against entire
categories of emerging, or unknown, attacks.
Unlike web firewalls and traditional intrusion protection systems, Web Intelligence
provides proactive attack protections. It ensures that communications between
clients and web servers comply with published standards and security best
practices, restricts hackers from executing irrelevant system commands, and
inspects traffic passing to web servers to ensure that it does not contain
malicious code. Web Intelligence allows organizations to permit access to their web
servers and applications without sacrificing either security or performance.
How to Read this Document
The tables in the following chapters use these terms:

On
  indicates that the protection is on by default. However, individual options within
  the protection may be on or off by default.
Off
  indicates that the protection is off by default.
Same
  indicates that the protection's behavior is the same as in NGX R60.
Always On
  indicates that the protection cannot be turned off on modules from this release,
  even though it is configured as Off in NGX R60 Management.
Enforced
  indicates that the protection is active.
*Enforced
  indicates that the protection is active, but that it did not exist when R55 was
  released. Before this protection can be active it requires a SmartDashboard
  update.
Not Enforced
  indicates that the protection is not active.
Allowed
  indicates that all commands are allowed.
N/A
  indicates not applicable.
Chapter 2
Network Security

In This Chapter
  Introduction
  Denial Of Service
  IP and ICMP
  TCP
  Fingerprint Scrambling
  Successive Events
  Port Scan
  Dynamic Ports
Introduction
Application Intelligence is primarily associated with application-level defenses.
In practice, however, many attacks aimed at network applications actually target the
network and transport layers.
Hackers target these lower layers as a means to reach the application layer, and
ultimately the application and its data. By targeting lower layers, attacks can
also interrupt or deny service to legitimate users and applications (e.g., DoS
attacks). For these reasons, SmartDefense addresses not only the application layer
but also the network and transport layers.
Preventing malicious manipulation of network-layer protocols (e.g., IP, ICMP) is a
crucial requirement for multi-level security gateways. The most common vehicle for
attacks against the network layer is the Internet Protocol (IP), whose set of services
resides within this layer.
As with the network layer, the transport layer and its common protocols (TCP, UDP)
provide popular access points for attacks on applications and their data.
The pages that follow contain information that will help you configure the various
SmartDefense protections against network- and transport-level attacks for gateway
versions prior to NGX R60. These pages allow you to configure protection against
attacks that target network components or the firewall directly.
The effects of such attacks on the IP, TCP, UDP or ICMP protocols range from simple
identification of the operating systems used in your organization to denial of
service attacks on hosts and servers on the network.
Denial Of Service
Denial of Service (DoS) attacks aim to disrupt the normal operation of a service.
The attacks in this section exploit bugs in operating systems to remotely crash
machines.
The detections in this protection depend on logs generated by SmartDefense. These
logs can be configured per attack.
Teardrop
When tracking a Teardrop attack you will be notified of any attempt to exploit the
fragmentation of large packets using erroneous offset values in the second or a
later fragment. Selecting this protection blocks an attempted Teardrop attack.
This attack is blocked even if the checkbox is not selected, and logged as
"Virtual defragmentation error: Overlapping fragments".
Table 2-1: On (default).
Table 2-2 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     N/A               N/A
Ping of Death
When tracking this type of attack you will be notified of any attempt in which an IP
packet larger than 64KB has been sent to your network.
Selecting this protection blocks an attempted Ping of Death attack.
This attack is blocked even if the checkbox is not selected, and logged as
"Virtual defragmentation error: Packet too big".
Table 2-3: On (default); Ping of Death.
Table 2-4 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     N/A               N/A
LAND
With this protection you can block LAND-crafted packets. When tracking this type
of attack you will be notified of any attempt in which a packet is sent to your
machine whose source host/port is the same as its destination host/port.
Selecting this protection blocks an attempted LAND attack: LAND-crafted packets
are dropped when the protection is activated.
Table 2-5: On (default); Land Attack.
Table 2-6 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Not Enforced      Same
Non TCP Flooding
Default: Off.
Table 2-8 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Not Enforced      Same
  Monitor-Only mode     Not Enforced      N/A
IP and ICMP
The protections in this section allow you to enable a comprehensive sequence of
layer 3 checks (IP and ICMP protocols) and some layer 4 verifications (UDP, TCP
and IP options sanity checks).
Packet Sanity
This protection performs several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths, dropping IP options and
verifying the TCP flags.
With this protection you can configure whether logs will be issued for offending
packets.
A Monitor Only mode makes it possible to track unauthorized traffic without
blocking it. However, setting this protection to Monitor Only means that badly
fragmented packets pass unfiltered. Any type of attack may be hidden in
fragmented packets. This setting exposes the network to attack.
Although Packet Sanity is turned off in Monitor Only mode, the following sanity
verifications are still enforced and when applicable these packets are dropped:
- UDP packets with invalid UDP Length
- TCP packets with a corrupt header
In each of the above cases, SmartDefense logs will be generated.
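As an added example written for this page (not Check Point code), the following Python performs the kind of Layer 3/4 checks described above on raw IPv4 packets: header and total length, presence of IP options, UDP length, TCP data offset and flag combinations, plus the source-equals-destination test from the LAND section. The packet builders, addresses and sample packets are constructed for the demonstration.

```python
"""Layer 3/4 packet sanity checks of the kind described under Packet Sanity.

Hypothetical example, not Check Point code. check_packet() returns a list of
findings so a caller can decide whether to log (Monitor Only) or drop.
"""
import struct
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def check_packet(pkt: bytes) -> List[str]:
    """Return the sanity violations found in a raw IPv4 packet (empty list = clean)."""
    findings: List[str] = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["ip: truncated or not IPv4"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    if ihl < 20 or ihl > len(pkt):
        return ["ip: bad header length"]
    if total_len < ihl or total_len > len(pkt):
        return ["ip: total length does not match packet"]
    if ihl > 20:
        findings.append("ip: options present")  # Packet Sanity drops IP options
    l4 = pkt[ihl:total_len]
    if proto == IPPROTO_UDP:
        if len(l4) < 8:
            return findings + ["udp: header truncated"]
        sport, dport, udp_len = struct.unpack("!HHH", l4[:6])
        if udp_len < 8 or udp_len != len(l4):
            findings.append("udp: invalid UDP length")  # enforced even in Monitor Only
    elif proto == IPPROTO_TCP:
        if len(l4) < 20:
            return findings + ["tcp: header truncated"]
        sport, dport = struct.unpack("!HH", l4[:4])
        data_off, flags = (l4[12] >> 4) * 4, l4[13]
        if data_off < 20 or data_off > len(l4):
            findings.append("tcp: corrupt header")  # enforced even in Monitor Only
        if flags & TCP_SYN and flags & TCP_FIN:
            findings.append("tcp: SYN and FIN both set")
        if flags & TCP_SYN and flags & TCP_RST:
            findings.append("tcp: SYN and RST both set")
        if not flags & (TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK):
            findings.append("tcp: no FIN/SYN/RST/ACK flag")
    else:
        return findings
    if src == dst and sport == dport:  # LAND: packet addressed to itself
        findings.append("land: source equals destination")
    return findings


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero; not needed for these checks)."""
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0, src, dst)
    return hdr + options + payload


def build_tcp(sport: int, dport: int, flags: int, data: bytes = b"") -> bytes:
    """Constructed 20-byte TCP header with the given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


def build_udp(sport: int, dport: int, data: bytes = b"", length: Optional[int] = None) -> bytes:
    """Constructed UDP header; 'length' overrides the length field to make a bad packet."""
    udp_len = 8 + len(data) if length is None else length
    return struct.pack("!HHHH", sport, dport, udp_len, 0) + data


# Constructed sample addresses and packets
HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLES = {
    "clean syn": build_ipv4(HOST_A, HOST_B, IPPROTO_TCP, build_tcp(40000, 80, TCP_SYN)),
    "syn+fin": build_ipv4(HOST_A, HOST_B, IPPROTO_TCP, build_tcp(40000, 80, TCP_SYN | TCP_FIN)),
    "land": build_ipv4(HOST_A, HOST_A, IPPROTO_TCP, build_tcp(139, 139, TCP_SYN)),
    "bad udp len": build_ipv4(HOST_A, HOST_B, IPPROTO_UDP, build_udp(53, 53, b"abc", length=3)),
    "ip options": build_ipv4(HOST_A, HOST_B, IPPROTO_TCP, build_tcp(40000, 80, TCP_ACK), b"\x01" * 4),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} -> {check_packet(pkt) or ['ok']}")
```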
Table 2-9: On (default); Protection accelerated.
Table 2-10 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Always On         Always On
  Monitor-Only mode     Enforced          Always On
Max Ping Size
Default: On.
Table 2-12 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Not Enforced      Same
IP Fragments
This protection allows you to configure whether fragmented IP packets can pass
through SmartDefense gateways. It is possible to set a limit on the number of
fragmented (incomplete) packets that are held at any one time.
It is also possible to define a timeout for holding unassembled packets before
discarding them.
Table 2-13: Allowed (default).
Table 2-14 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     N/A               N/A
Network Quota
Network Quota enforces a limit on the number of connections that are allowed
from the same source IP, to protect against Denial of Service attacks.
When a source exceeds the number of allowed connections, Network Quota
can either block all new connection attempts from that source or track the event.
Table 2-15: Off (default); Network Quota; Disables templates.
Table 2-16 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Same              Same
Note - In the R55W Network Quota protection, Monitor Only was referred to as "Only
track the event".
Block Welchia ICMP
Default: Off.
Table 2-18 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Same              Same
Block CISCO IOS DOS
Default: Off.
Table 2-20 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Same              Same
Block Null Payload ICMP
Default: Off.
Table 2-22 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Same              Same
TCP
The protections in this section allow you to configure a comprehensive set of TCP
tests.
SYN Attack Configuration
Default: Off.
Table 2-24 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Enforced          Same
Small PMTU
In this protection the configuration option "Minimal MTU size" controls the smallest
allowed packet size. An exceedingly small value will not prevent an attack, while an
unnecessarily large value might cause legitimate requests to be dropped, producing
"black hole" effects and degrading performance.
Table 2-25: Off (default); None (Accelerated).
Table 2-26 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Enforced          Same
Spoofed Reset Protection
Default: Off.
Table 2-28 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Not Enforced      Not Enforced
  Monitor-Only mode     Not Enforced      Not Enforced
Sequence Verifier
Sequence Verifier is a mechanism that matches the current TCP packet's sequence
number against the TCP connection state. Packets that belong to the connection in
terms of the TCP session but carry incorrect sequence numbers are either dropped,
when the packet's sequence may compromise security, or stripped of their data.
With this protection you can select the appropriate tracking option and define the
type of out-of-sequence packets to be tracked.
Table 2-29: Off (default); None.
Table 2-30 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Not Enforced      Not Enforced
Fingerprint Scrambling
SmartDefense can scramble some of the fields commonly used for fingerprinting,
masking the original identity of hosts behind the firewall. Please note, however,
that totally preventing fingerprinting is next to impossible. Also note that while this
feature makes fingerprinting the hosts protected by the firewall harder, it does little
to hide the fact that there is a firewall present (i.e., fingerprinting the firewall's
existence is still possible).
With this protection you can choose whether to spoof fingerprints for unencrypted
(plain) connections, for encrypted connections (for example, a VPN connection or
an HTTPS connection), or both.
ISN Spoofing
The ISN scrambler counters ISN guessing by creating a difference between the
sequence numbers used by the server and the sequence numbers perceived by the
client. This difference has high entropy, derived from cryptographic functions, and
effectively makes it impossible to guess the server's ISN. If the real server's ISN has
higher entropy than the entropy selected for the ISN scrambler, the higher entropy
is passed through to the client.
Table 2-31: Off (default).
Table 2-32 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Not Enforced      Not Enforced
TTL
With this protection you can enable or disable the use of TTL, and define how to
identify a packet as a TTL packet.
You can change the TTL field of all packets (or of all outgoing packets) to a given
number. This achieves two goals: an observer cannot tell how many routers (hops)
away the host is, and the observer cannot learn the original TTL value.
Table 2-33: Off (default).
Table 2-34 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Not Enforced      Not Enforced
IP ID
With this protection you can override the original IP ID with an ID generated by the
firewall, masking the algorithm used by the original operating system and therefore
the operating system's identity. The three algorithms used by the various
operating systems are: Random, Incremental, and Incremental LE (little endian).
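As an added example written for this page (not Check Point code), the following Python rewrites the TTL and IP ID of IPv4 packets the way the TTL and IP ID protections describe, recomputing the header checksum, and includes a small classifier for the three IP ID algorithms named above so the rewritten stream can be checked to no longer reveal the host's algorithm. The scrambler class, sample addresses and packets are constructed for the demonstration.

```python
"""TTL normalisation and IP ID rewriting for the Fingerprint Scrambling section.

Hypothetical example, not Check Point code. FingerprintScrambler rewrites the
fields; classify_ip_ids() checks which algorithm a sequence of IDs looks like.
"""
import secrets
import struct
from typing import List


def ip_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over an IPv4 header (0 means a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class FingerprintScrambler:
    """Sets every packet's TTL to a fixed value and replaces its IP ID."""

    def __init__(self, ttl: int = 64, ip_id_mode: str = "Random", seed: int = 0):
        self.ttl, self.mode, self.counter = ttl, ip_id_mode, seed

    def next_id(self) -> int:
        if self.mode == "Random":
            return secrets.randbelow(0x10000)
        self.counter = (self.counter + 1) & 0xFFFF
        if self.mode == "Incremental LE":  # counter written little-endian on the wire
            return ((self.counter & 0xFF) << 8) | (self.counter >> 8)
        return self.counter  # "Incremental"

    def scramble(self, pkt: bytes) -> bytes:
        ihl = (pkt[0] & 0x0F) * 4
        hdr = bytearray(pkt[:ihl])
        struct.pack_into("!H", hdr, 4, self.next_id())  # IP ID field
        hdr[8] = self.ttl                                 # TTL field
        struct.pack_into("!H", hdr, 10, 0)               # zero the checksum, then recompute it
        struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
        return bytes(hdr) + pkt[ihl:]


def classify_ip_ids(ids: List[int]) -> str:
    """Label a sequence of observed IP IDs as Incremental, Incremental LE or Random."""
    if len(ids) < 4:
        return "Unknown"

    def small_steps(seq: List[int]) -> bool:  # every step a small positive increment
        return all(1 <= (b - a) & 0xFFFF <= 16 for a, b in zip(seq, seq[1:]))

    if small_steps(ids):
        return "Incremental"
    if small_steps([((i & 0xFF) << 8) | (i >> 8) for i in ids]):  # undo byte swap
        return "Incremental LE"
    return "Random"


def build_ipv4(src: bytes, dst: bytes, ip_id: int, ttl: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP packet with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, ttl, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def observed_ids(packets: List[bytes]) -> List[int]:
    return [struct.unpack("!H", p[4:6])[0] for p in packets]


# Constructed sample: a host using Incremental IP IDs (1000, 1001, ...) and TTL 128
HOST, PEER = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1])
ORIGINAL = [build_ipv4(HOST, PEER, 1000 + i, 128) for i in range(8)]


def demo():
    """Return (classification before, classification after, rewritten packets)."""
    scrambler = FingerprintScrambler(ttl=64, ip_id_mode="Random")
    rewritten = [scrambler.scramble(p) for p in ORIGINAL]
    return classify_ip_ids(observed_ids(ORIGINAL)), classify_ip_ids(observed_ids(rewritten)), rewritten


if __name__ == "__main__":
    before, after, _ = demo()
    print(f"IP ID pattern before: {before}, after scrambling: {after}")
```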
Table 2-35: Off (default).
Table 2-36 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Not Enforced      Not Enforced
Successive Events
The protections in this section allow you to configure the different kinds of Check
Point Malicious Activity Detections, including some general attributes.
All of these detections depend on logs generated by SmartDefense. By default,
Check Point Malicious Activity Detections do not block the detected attacks but
rather generate an Alert. Other actions, for example User Defined Alerts, can be
configured instead.
Address Spoofing
This protection allows you to define parameters that are specific to the defense
against Address Spoofing attempts. An attack is detected (defined) as Address
Spoofing when more than a specific number of events are detected over a period of
a specific number of seconds.
Table 2-37: Off (default); None.
Table 2-38 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Enforced          Enforced
Denial of Service
To protect the network from DoS attacks, SmartDefense employs a threshold. The
threshold detects a DoS attack when more than a specific number of DoS events occur
over a specific period of time.
When the threshold is reached, the DoS events are logged and an alert is issued.
With this protection you can define the frequency of events that will be treated as
a DoS attack, and the Action to be taken when such an attack is detected.
Table 2-39: Off (default); None.
Table 2-40 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Enforced          Enforced
Local Interface Spoofing
Default: Off; None.
Table 2-42 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Enforced          Enforced
Successive Alerts
With this protection you can define parameters that are specific to the defense
against Successive Alerts. An attack is detected (defined) as Successive Alerts
when more than a specific number of events are detected over a period of a
specific number of seconds.
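The "more than N events over M seconds" rule shared by Address Spoofing, Denial of Service and Successive Alerts, and the per-source connection limit of Network Quota, as an added example written for this page (not Check Point code): a sliding-window detector run over constructed SmartDefense-style log lines. The log line format, the event names, the thresholds and the modelling of Network Quota as a rate over a one-second window are assumptions made for the demonstration.

```python
"""Sliding-window threshold detection for the Successive Events protections.

Hypothetical example, not Check Point code. The log format, thresholds and
actions below are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed log format: "<unix time> <attack name>; src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<attack>[^;]+); src=(?P<src>\S+)$")


@dataclass(frozen=True)
class Threshold:
    attack: str
    events: int            # act when MORE than this many events ...
    seconds: int           # ... fall inside a window of this many seconds
    action: str = "alert"  # "alert" (the default for Successive Events) or "block"


class SuccessiveEventsDetector:
    """Keeps one time window per (attack, source) and fires when it overflows."""

    def __init__(self, thresholds: Iterable[Threshold]):
        self.thresholds: Dict[str, Threshold] = {t.attack: t for t in thresholds}
        self.windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def feed(self, line: str) -> Optional[str]:
        """Consume one log line; return the action to take when a threshold is crossed."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts, attack, src = int(m["ts"]), m["attack"], m["src"]
        t = self.thresholds.get(attack)
        if t is None:
            return None  # no threshold configured for this event type
        window = self.windows[(attack, src)]
        window.append(ts)
        while ts - window[0] >= t.seconds:  # expire events that fell out of the window
            window.popleft()
        if len(window) == t.events + 1:     # fire once, at the moment of crossing
            return f"{t.action}: {attack} from {src}: {len(window)} events in {t.seconds}s"
        return None


def run(lines: Iterable[str], thresholds: Iterable[Threshold]) -> List[str]:
    """Run the detector over log lines and collect the actions it produces."""
    detector = SuccessiveEventsDetector(thresholds)
    return [action for action in (detector.feed(line) for line in lines) if action]


THRESHOLDS = [
    Threshold("Address Spoofing", events=3, seconds=10),
    Threshold("Denial of Service", events=5, seconds=60),
    Threshold("connection", events=3, seconds=1, action="block"),  # Network Quota style
]

# Constructed sample log: one spoofing burst, one source opening too many connections
SAMPLE_LOG = """\
100 Address Spoofing; src=203.0.113.7
101 Address Spoofing; src=203.0.113.7
102 Address Spoofing; src=203.0.113.7
103 Address Spoofing; src=203.0.113.7
140 Address Spoofing; src=203.0.113.7
100 connection; src=198.51.100.9
100 connection; src=198.51.100.9
100 connection; src=198.51.100.9
100 connection; src=198.51.100.9
100 connection; src=198.51.100.10
105 Denial of Service; src=192.0.2.5
"""

if __name__ == "__main__":
    for action in run(SAMPLE_LOG.splitlines(), THRESHOLDS):
        print(action)
```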
Table 2-43: Off (default); None.
Table 2-44 (feature behavior when managed from NGX R60 Management)
                        NG FP3 to R55     R55W
  Protection on         Same              Same
  Monitor-Only mode     Enforced          Enforced
Default: Off. Settings: None.
Table 2-46 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Enforced
Default: Off. Settings: None.
Table 2-48 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Not Enforced
Report to DShield
With this protection you can send logs to the DShield Storm Center so that other
organizations can defend themselves against the threats that were directed at your
network.
Table 2-49 Default: Off. Settings: None.
Table 2-50 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Not Enforced
Port Scan
The protections in this section allow you to discover incidents of intelligence
gathering, so that the information collected cannot later be used to attack vulnerable
computers.
Port scanning is a method of collecting information about open TCP and UDP ports in a
network. Gathering information is not in itself an attack, but the information can be
used later to target and attack vulnerable computers.
Port scanning can be performed either by an attacker using a scanning utility such as
nmap, or by a worm trying to spread itself to other computers. It is most commonly done
by trying to access a port and waiting for the response, which indicates whether or not
the port is open.
Default: Off. Port Scan. Settings: None.
Table 2-52 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
Sweep Scan
SmartDefense has three levels of port scan detection sensitivity. Each level represents
the number of inactive ports that must be scanned within a certain amount of time before
a port scan is declared. When a port scan is detected, a log or alert is issued.
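The following is an added example, not part of this guide and not Check Point code: a small Python model of the two "successive events" checks described above, Successive Alerts (more than a given number of events from one source within a given number of seconds) and port scan detection with three sensitivity levels (more than a given number of distinct inactive ports probed within a given time). The sensitivity numbers, the set of inactive ports and the sample records are assumptions made up for the example; SmartDefense's own thresholds are not published here.

```python
"""Sliding-window detectors for Successive Alerts and port-scan detection.

Added example, not Check Point code. Thresholds, the sensitivity table and
the sample records below are constructed assumptions for illustration.
"""
from collections import defaultdict, deque

# Assumed sensitivity levels: (distinct inactive ports, window in seconds).
SCAN_SENSITIVITY = {
    "low": (50, 60),
    "medium": (25, 60),
    "high": (10, 60),
}


class WindowCounter:
    """Counts events per key inside a trailing time window.

    Events are timestamps (float seconds). Old events are evicted lazily
    whenever a new event for the same key arrives."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.events = defaultdict(deque)

    def add(self, key, ts):
        """Record an event and return how many events for `key` remain in the window."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q)


def detect_successive_alerts(alerts, threshold, window_seconds):
    """alerts: iterable of (timestamp, source_ip), in time order.
    Returns the set of sources that raised more than `threshold` alerts
    within `window_seconds`."""
    counter = WindowCounter(window_seconds)
    offenders = set()
    for ts, src in alerts:
        if counter.add(src, ts) > threshold:
            offenders.add(src)
    return offenders


def detect_port_scans(connections, inactive_ports, level="medium"):
    """connections: iterable of (timestamp, source_ip, dest_port), in time order.
    Only probes to ports that are not in use (inactive_ports) are counted,
    which is what separates a scanner from a busy legitimate client.
    Returns {source_ip: timestamp at which the scan was first declared}."""
    limit, window = SCAN_SENSITIVITY[level]
    seen = defaultdict(dict)          # src -> {port: last probe timestamp}
    declared = {}
    for ts, src, port in connections:
        if port not in inactive_ports:
            continue
        ports = seen[src]
        ports[port] = ts
        for p in [p for p, t in ports.items() if ts - t > window]:
            del ports[p]              # probe fell out of the window
        if len(ports) > limit and src not in declared:
            declared[src] = ts
    return declared


# Constructed sample data (not real traffic).
ALERTS = [(float(i), "10.0.0.5") for i in range(12)] + [(3.0, "10.0.0.9")]
INACTIVE = set(range(1000, 1100))   # assumed closed ports on the target
SCAN = [(0.1 * i, "192.0.2.77", 1000 + i) for i in range(40)]   # scanner
SCAN += [(1.0, "10.0.0.5", 80), (2.0, "10.0.0.5", 1001)]        # normal host

if __name__ == "__main__":
    print(detect_successive_alerts(ALERTS, threshold=10, window_seconds=60))
    for lvl in SCAN_SENSITIVITY:
        print(lvl, detect_port_scans(SCAN, INACTIVE, level=lvl))
```

With the assumed numbers the scanner is declared at "medium" and "high" sensitivity but not at "low" (it only touches 40 inactive ports), and the host that hits one closed port is never flagged; that is the trade-off the three levels encode.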
Table 2-53 Default: Off. Port Scan. Settings: None.
Table 2-54 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
Dynamic Ports
If this protection is enabled, any attempt by a client to open a dynamic connection to
one of the protected ports is dropped.
Default: On. Settings: None.
Table 2-56 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Chapter 3
Application Intelligence
In This Chapter
Introduction, page 54
Mail, page 55
FTP, page 58
Microsoft Networks, page 60
Peer to Peer, page 66
Instant Messengers, page 69
DNS, page 75
VoIP, page 80
SNMP, page 88
VPN Protocols, page 90
Content Protection, page 96
MS-RPC, page 98
MS-SQL, page 100
Routing Protocols, page 102
SUN-RPC, page 106
DHCP, page 107
SOCKS, page 108
Introduction
A growing number of attacks attempt to exploit vulnerabilities in network applications
rather than target the firewall directly. Check Point Application Intelligence is a set
of advanced capabilities, integrated into the Firewall and SmartDefense, that detects and
prevents application-level attacks. Based on INSPECT inspection technology, Application
Intelligence gives SmartDefense the ability to protect against application-layer attacks
and hazards.
Figure 3-1
Note - The OSI Reference Model is a framework, or guideline, for describing how data is
transmitted between devices on a network.
The Application Layer is not the actual end-user software application, but a set of services that allows
the software application to communicate via the network. Distinctions between layers 5, 6, and 7 are
not always clear, and some competing models combine these layers, as does this user guide.
Mail
The protections in this section allow you to select what types of enforcement will
be applied to Mail traffic.
Default: Off.
Table 3-58 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Table 3-60 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Not Enforced
Default: Off.
Table 3-62 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
FTP
The protections in this section allow you to configure various protections related to
the FTP protocol.
FTP Bounce
With this protection you can neutralize an FTP bounce attack, in which an FTP client
sends a PORT command naming an address other than its own, so that the FTP server (and
a firewall that opens data connections on the strength of that command) connects to a
third party on the attacker's behalf. SmartDefense neutralizes the attack by performing
tests in the kernel.
SmartDefense performs mandatory protection against the FTP bounce attack by verifying
the destination of the FTP PORT command. In addition, SmartDefense blocks connections
to Dynamic Ports, as defined in the Dynamic Ports tab under Network Security.
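Added example, not part of this guide and not Check Point code: the check an FTP-aware firewall has to make on a PORT command before it opens the data connection the command asks for. The address in the command must match the client's own address on the control connection (anything else is a bounce attempt), and the requested port must be neither privileged nor on a reserved dynamic-port list. The protected-port list and the sample commands are assumptions for illustration.

```python
"""Validate an FTP PORT command against the control-connection client.

Added example, not Check Point code. PROTECTED_DYNAMIC_PORTS and SAMPLES
are constructed assumptions for illustration.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

# Assumed "Dynamic Ports" list: ports the firewall refuses to open dynamically
# even when an application protocol asks for them.
PROTECTED_DYNAMIC_PORTS = {1080, 3128, 8080}


def parse_port_command(line):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2' or raise ValueError."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range")
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line, client_ip):
    """Return (allowed, reason). `client_ip` is the source address of the
    FTP control connection as seen by the firewall."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as e:
        return False, f"malformed PORT command: {e}"
    if ip != ipaddress.IPv4Address(client_ip):
        # The server would open a connection to a third party: classic bounce.
        return False, f"bounce attempt: PORT names {ip}, client is {client_ip}"
    if port < 1024:
        return False, f"refusing privileged data port {port}"
    if port in PROTECTED_DYNAMIC_PORTS:
        return False, f"port {port} is on the Dynamic Ports block list"
    return True, f"data connection to {ip}:{port} permitted"


# Constructed sample commands from a client at 198.51.100.10.
SAMPLES = [
    "PORT 198,51,100,10,7,209",      # 7*256+209 = 2001, legitimate
    "PORT 192,0,2,25,0,25",          # third-party address, port 25: bounce
    "PORT 198,51,100,10,0,22",       # own address but privileged port 22
    "PORT 198,51,100,10,31,144",     # 31*256+144 = 8080, protected port
    "PORT 198,51,100,10,999,1",      # octet > 255: malformed
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd, "->", check_port_command(cmd, "198.51.100.10"))
```

The address comparison is the bounce check proper; the port checks are the Dynamic Ports rule the text refers to, applied at the moment the firewall would otherwise punch the hole.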
Table 3-63 Default: On. Settings: None.
Table 3-64 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Table 3-66 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Not Enforced
Microsoft Networks
The protections in this section allow you to select what types of enforcement will be
applied to Microsoft networking protocols.
Default: Off.
Table 3-68 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-70 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: *Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-72 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: *Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-74 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-76 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-78 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Peer to Peer
The protections in this section enable you to block Peer to Peer traffic: you can
prevent the use of peer to peer applications for message transfer and file sharing (for
example, KaZaA and Gnutella). For Peer to Peer applications that masquerade as HTTP you
can define the HTTP patterns you wish to block.
By identifying fingerprints and HTTP headers, SmartDefense detects peer to peer sessions
regardless of the TCP port they use.
Default: Off. Settings: None.
Table 3-80 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Table 3-81 Supported peer to peer applications
KaZaA
Gnutella
eMule
BitTorrent
SoulSeek
IRC
Default: Off.
Table 3-82 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
All Protocols
With these protections you can block any of the supported peer to peer applications:
KaZaA
Gnutella
eMule
BitTorrent
SoulSeek
IRC
For older versions (NG FP3 to R55), if you turn on Header Rejection, HTTP will be
protected.
Table 3-83 Default: Off.
Table 3-84 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Instant Messengers
The protections in this section allow you to block Instant Messaging applications and
the protocols they use. Instant Messaging applications have many capabilities,
including voice calls, message transfer and file sharing.
Default: Off.
Feature behavior of earlier gateway versions under NGX R60 Management
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-88 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
Default: Off.
Table 3-90 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced
Skype
SmartDefense can block Skype traffic by identifying Skype fingerprints and HTTP headers,
and detects the peer to peer traffic regardless of the TCP port used to initiate the
session. Skype uses UDP or TCP ports 1024 and higher, or HTTP, for peer to peer
telephony.
Because Skype uses a session that resembles SSL in order to bypass firewalls, it is now
necessary either to block the SSL ports completely or to activate the "Block SSL
null-pointer assignment" protection under the VPN Protocols branch.
SmartDefense inspects Peer to Peer connections over HTTP requests and responses.
Table 3-91 Default: Off.
Table 3-92 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Yahoo! Messenger
SmartDefense can block Yahoo! Messenger traffic by identifying its fingerprints and HTTP
headers, and detects the peer to peer traffic regardless of the TCP port used to
initiate the session.
Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for
video, TCP port 5000 for voice and TCP port 5010 for file transfer.
SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-93 Default: Off.
Table 3-94 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
ICQ
SmartDefense can block ICQ traffic by identifying ICQ's fingerprints and HTTP headers,
and detects the peer to peer traffic regardless of the TCP port used to initiate the
session.
ICQ uses TCP port 5190 to connect. File transfer and sharing is done through TCP ports
3574 and 7320.
SmartDefense inspects Peer to Peer request and response connections over HTTP.
Table 3-95 Default: Off.
Table 3-96 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
DNS
With the protections in this section you can prevent various DNS related
vulnerabilities and protocol violations by performing DNS protocol enforcement and
validation over both TCP and UDP.
Default: On.
Table 3-98 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
Default: On.
Table 3-100 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
Default: Off.
Table 3-102 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-104 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
Default: Off.
Table 3-106 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
VoIP
With the protections in this section you can enable protection against DoS attacks
directed at VoIP networks. On the VoIP pages you can configure protections for the
individual VoIP protocols.
SmartDefense validates the addresses of the caller and receiver, and ensures that the
caller and receiver are allowed to make and receive VoIP calls. In addition,
SmartDefense examines the contents of the packets passing through every allowed port,
to make sure they contain proper information. Full stateful inspection of H.323, SIP,
MGCP and SCCP commands ensures that all VoIP packets are structurally valid, and that
they arrive in a valid sequence according to the RFC standards.
DOS Protection
A rogue IP phone could mount a Denial of Service attack by flooding the network with
calls, thereby interfering with proper use of the phone network.
This protection allows you to protect against such Denial of Service attacks by
limiting the number of call attempts per minute that the VPN-1 Power Gateway will allow
from any given IP address. Calls from handover devices are not counted, because they
make a large number of calls.
Table 3-107 Default: Off.
Table 3-108 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced
H323
In this window you can enable the following application layer checks:
Strict enforcement of the protocol, including the order and direction of H.323 packets.
If the phone number sent is longer than 24 characters, the packet is dropped. This
prevents buffer overruns in the server.
Dynamic ports are only opened if the port is not used by another service. For example,
if the Connect message announces port 80 for the H.245 channel, that port will not be
opened. This prevents well-known ports being used illegally.
Table 3-109 Default: On.
Table 3-110 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Not Enforced
SIP
With this protection you can verify the content of the SIP header. If this option is
selected and there are explicit SIP rules in the Rule Base, SmartDefense validates the
SIP headers and looks for invalid characters inside them.
Table 3-111 Default: On.
Table 3-112 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Same, except that "block specific applications (video, audio, instant messaging)" and "default registration timeout" are not enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same ("Block SIP calls that use " and "Drop unknown SIP message" are not enforced)
R55W, Monitor-Only mode: Not Enforced
Default: Off.
Table 3-114: Enforced, Enforced, Enforced
Default: On.
Table 3-116: Enforced, Enforced, Enforced
Table 3-118: Not Enforced, Enforced, Enforced
Table 3-120: Enforced, Enforced, Enforced
Default: On.
Table 3-122: Not Enforced, Not Enforced, Enforced
Default: 600 seconds.
Table 3-124: Not Enforced, Not Enforced, Enforced
Table 3-126: Enforced, Enforced, Enforced
Default: Allowed.
Table 3-128 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
SCCP (Skinny)
SCCP (Skinny Client Control Protocol) is Cisco's proprietary signalling protocol
between Cisco IP phones and the Cisco CallManager that controls them.
SmartDefense provides full connectivity and network-level security for SCCP based VoIP
communication. All SCCP traffic is inspected; legitimate traffic is allowed to pass
while attacks are blocked. All SmartDefense capabilities are supported, such as
anti-spoofing and protection against Denial of Service attacks. Fragmented packets are
examined and secured using kernel based streaming. However, NAT on SCCP devices is not
supported.
In addition, SmartDefense restricts handover locations, and controls signalling and data
connections.
SmartDefense tracks state and verifies that the state is valid for all SCCP messages.
For a number of key messages, it also verifies the existence and correctness of the
message parameters.
SmartDefense can perform additional content security checks for SCCP connections,
thereby providing a greater level of protection.
Table 3-129 Default: On.
Table 3-130 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: N/A
SNMP
With the protections in this section you can protect against SNMP vulnerabilities by
enforcing SNMPv3 (the latest SNMP version) while rejecting previous versions.
Alternatively, in this window you can allow all SNMP versions while dropping requests
that use SNMPv1 and SNMPv2 default community strings.
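Added example, not part of this guide and not Check Point code: both SNMP policies above implemented over the first two fields of an SNMP message, which is all a filter needs to read. An SNMP message is a BER SEQUENCE whose first element is the version INTEGER (0 = v1, 1 = v2c, 3 = v3) and whose second element is the community OCTET STRING for v1/v2c (for v3 it is a SEQUENCE instead, so there is no community to check). The default-community list, the packet builder and the v3 sample are assumptions constructed for the example.

```python
"""Classify SNMP packets by version and community for a filtering decision.

Added example, not Check Point code. DEFAULT_COMMUNITIES, the sample packet
builder and V3_SAMPLE are constructed assumptions.
"""

DEFAULT_COMMUNITIES = {b"public", b"private"}   # assumed default-string list
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Return (version, community) for v1/v2c, or (3, None) for SNMPv3."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or not ver:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return version, None                # msgGlobalData follows, no community
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, bytes(community)


def snmp_verdict(packet, enforce_v3_only=False):
    """Return 'allow' or a 'drop: ...' reason for one SNMP packet."""
    try:
        version, community = parse_snmp_header(packet)
    except ValueError as e:
        return f"drop: malformed SNMP ({e})"
    if version not in VERSION_NAMES:
        return f"drop: unknown SNMP version {version}"
    name = VERSION_NAMES[version]
    if enforce_v3_only and version != 3:
        return f"drop: SNMP{name} rejected, only SNMPv3 allowed"
    if community is not None and community in DEFAULT_COMMUNITIES:
        return f"drop: SNMP{name} with default community {community!r}"
    return "allow"


def build_community_get(community, version=0):
    """Construct a minimal SNMPv1 (version=0) or SNMPv2c (version=1)
    GetRequest for sysDescr.0; used here only as sample input."""
    oid = bytes([0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbind = b"\x30" + bytes([len(oid) + 2]) + oid + b"\x05\x00"   # OID, NULL
    varbinds = b"\x30" + bytes([len(varbind)]) + varbind
    pdu_body = (b"\x02\x01\x01"          # request-id 1
                b"\x02\x01\x00"          # error-status 0
                b"\x02\x01\x00"          # error-index 0
                + varbinds)
    pdu = b"\xA0" + bytes([len(pdu_body)]) + pdu_body               # GetRequest
    comm = b"\x04" + bytes([len(community)]) + community
    msg = b"\x02\x01" + bytes([version]) + comm + pdu
    return b"\x30" + bytes([len(msg)]) + msg


# Constructed start of an SNMPv3 message: version 3, then msgGlobalData
# (msgID 2, msgMaxSize 1024, msgFlags 04, msgSecurityModel 3); the rest is omitted.
V3_SAMPLE = bytes.fromhex("3012020103300d02010202020400040104020103")

if __name__ == "__main__":
    for pkt in (build_community_get(b"public"),
                build_community_get(b"s3cret-ro", version=1),
                V3_SAMPLE):
        print(snmp_verdict(pkt), "|", snmp_verdict(pkt, enforce_v3_only=True))
```

Note that the community check can only ever see plaintext v1/v2c requests; with v3 the decision has to move to the agent's user-based security model, which is the reason the "reject previous versions" option exists.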
Default: Off.
Table 3-132 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-134 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
VPN Protocols
The protections in this section allow you to select what types of enforcement will be
applied to VPN (Virtual Private Network) protocols.
PPTP Enforcement
This protection enforces the PPTP protocol. PPTP sessions are forced to comply with the
RFC standard (RFC 2637), including message type and packet length. If the PPTP control
connection terminates unexpectedly, the GRE tunnel is terminated automatically. In
addition, enabling this protection allows Hide NAT as well as Static NAT to be performed
on PPTP connections.
Table 3-135 Default: On.
Table 3-136 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced
SSL Enforcement
When this protection is enabled, SmartDefense identifies and drops malformed SSL Client
Hello packets.
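Added example, not part of this guide and not Check Point code: the structural validation of a ClientHello that an enforcement of this kind performs. The parser walks the record header, the handshake header and each length-prefixed field of the ClientHello (session id, cipher suites, compression methods, extensions) and rejects the message as soon as a declared length does not fit inside its container. The sample records, including the malformed variants, are constructed for the example.

```python
"""Structural checks on an SSL/TLS ClientHello record.

Added example, not Check Point code. build_client_hello() produces the
constructed sample input; the malformed variants are derived from it.
"""
import struct


def _need(buf, pos, n, what):
    if pos + n > len(buf):
        raise ValueError(f"{what}: need {n} bytes at offset {pos}, have {len(buf) - pos}")


def check_client_hello(data):
    """Return None if `data` is a well-formed TLS record carrying a
    ClientHello, otherwise a string naming the first defect found."""
    try:
        _need(data, 0, 5, "record header")
        ctype, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
        if ctype != 22:
            raise ValueError(f"record type {ctype} is not handshake (22)")
        if ver_major != 3 or ver_minor > 4:
            raise ValueError(f"unsupported record version {ver_major}.{ver_minor}")
        if rec_len == 0 or rec_len > 16384:
            raise ValueError(f"record length {rec_len} outside 1..16384")
        _need(data, 5, rec_len, "record body")
        body = data[5:5 + rec_len]

        _need(body, 0, 4, "handshake header")
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        if hs_type != 1:
            raise ValueError(f"handshake type {hs_type} is not ClientHello (1)")
        if 4 + hs_len != len(body):
            raise ValueError(f"handshake length {hs_len} does not match record payload {len(body) - 4}")
        hello = body[4:]

        pos = 0
        _need(hello, pos, 2 + 32, "client version and random")
        pos += 2 + 32
        _need(hello, pos, 1, "session id length")
        sid_len = hello[pos]
        pos += 1
        if sid_len > 32:
            raise ValueError(f"session id length {sid_len} > 32")
        _need(hello, pos, sid_len, "session id")
        pos += sid_len

        _need(hello, pos, 2, "cipher suites length")
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if cs_len == 0 or cs_len % 2:
            raise ValueError(f"cipher suites length {cs_len} must be even and non-zero")
        _need(hello, pos, cs_len, "cipher suites")
        pos += cs_len

        _need(hello, pos, 1, "compression methods length")
        cm_len = hello[pos]
        pos += 1
        if cm_len == 0:
            raise ValueError("compression methods list is empty")
        _need(hello, pos, cm_len, "compression methods")
        pos += cm_len

        if pos == len(hello):
            return None                     # no extensions: legal in TLS 1.0/1.1
        _need(hello, pos, 2, "extensions length")
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if pos + ext_len != len(hello):
            raise ValueError(f"extensions length {ext_len} does not match remaining {len(hello) - pos}")
        end = pos + ext_len
        while pos < end:                    # each extension: type(2) length(2) body
            _need(hello, pos, 4, "extension header")
            _, e_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            _need(hello, pos, e_len, "extension body")
            pos += e_len
        return None
    except ValueError as e:
        return str(e)


def build_client_hello(cipher_suites=b"\x00\x2f\x00\x35", extensions=b""):
    """Assemble a minimal, valid TLS 1.0 ClientHello record (constructed sample)."""
    hello = (b"\x03\x01" + b"\x11" * 32 + b"\x00"            # version, random, empty session id
             + struct.pack("!H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00")                                  # one compression method: null
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    good = build_client_hello()
    bad_sid = bytearray(good)
    bad_sid[5 + 4 + 2 + 32] = 0xFF          # session id length byte -> 255
    for name, rec in [("good", good), ("truncated", good[:-3]),
                      ("odd suites", build_client_hello(cipher_suites=b"\x00\x2f\x00")),
                      ("session id", bytes(bad_sid))]:
        print(name, "->", check_client_hello(rec))
```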
Table 3-137 Default: Off.
Table 3-138 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-140 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
IKE Enforcement
This protection enforces compliance of the IKE protocol with RFC 2409 in terms of
payload type and length, maximum number of payloads, and packet length. By enabling
"IKE payload enforcement", SmartDefense performs additional checks on the IKE Security
Association payload. A monitor-only mode makes it possible to track IKE protocol
violations without blocking the connection.
Table 3-141 Default: Off.
Table 3-142 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
When you select Block All SSH Versions, SSH traffic of any SSH version, on all possible
TCP ports, is blocked.
When you select Run SSH Enforcement, the SSH Enforcement protection is applied to SSH
traffic on non-standard ports in addition to TCP port 22.
Table 3-143 Default: Off.
Table 3-144 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
SSH Enforcement
The SSH Enforcement protection applies to SSH traffic on TCP port 22. SSH Enforcement
lets you select and deselect specific defense attributes. By selecting Block SSH v1,
only SSH version 2 is allowed over TCP port 22.
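Added example, not part of this guide and not Check Point code: the decision the two SSH protections above make on the first line of a TCP stream. SSH identifies itself with the string "SSH-protoversion-softwareversion" (RFC 4253), so the version can be read before any key exchange; a server advertising 1.99 accepts version 1 clients and must be treated as v1 when v1 is blocked, and the same banner check works on any port, which is what "Run SSH Enforcement" on non-standard ports relies on. The sample banners are constructed.

```python
"""Banner-based SSH version enforcement.

Added example, not Check Point code. SAMPLES are constructed banners.
Identification string format (RFC 4253):
    SSH-protoversion-softwareversion [SP comments] CR LF
"""
import re

BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-([\x21-\x7e]+)(?: [^\r\n]*)?\r?\n")


def parse_ssh_banner(first_bytes):
    """Return (protoversion, softwareversion) or None if this is not SSH."""
    m = BANNER_RE.match(first_bytes)
    if not m:
        return None
    return m.group(1).decode(), m.group(2).decode()


def ssh_verdict(first_bytes, dst_port, block_v1=True, enforce_on_nonstandard=True):
    """Return 'allow', 'drop: ...' or 'pass: not ssh' for one stream."""
    parsed = parse_ssh_banner(first_bytes)
    if parsed is None:
        return "pass: not ssh"
    proto, software = parsed
    if dst_port != 22 and not enforce_on_nonstandard:
        return "allow"                        # enforcement limited to port 22
    if block_v1 and proto != "2.0":           # 1.5 = v1 only, 1.99 = v1 still accepted
        return f"drop: SSH protocol {proto} on port {dst_port} ({software})"
    return "allow"


# Constructed banners: (first line of the stream, destination port).
SAMPLES = [
    (b"SSH-2.0-OpenSSH_4.3\r\n", 22),
    (b"SSH-1.99-OpenSSH_3.9p1\r\n", 22),
    (b"SSH-1.5-Cisco-1.25\r\n", 22),
    (b"SSH-2.0-dropbear_0.48\r\n", 2222),
    (b"SSH-1.99-OpenSSH_3.9p1\r\n", 2222),
    (b"GET / HTTP/1.0\r\n", 80),
]

if __name__ == "__main__":
    for banner, port in SAMPLES:
        print(port, banner.strip(), "->", ssh_verdict(banner, port))
```

The check is on the peer's banner, so it catches a v1-capable server as well as a v1 client; an enforcement that only looked at the client's line would let a downgrade to 1.5 through when the client advertised 1.99.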
Table 3-145 Default: Off.
Table 3-146 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Content Protection
The protections in this section allow you to block malicious content carried over
multiple protocols.
Malformed JPEG
By enabling this protection, SmartDefense blocks malformed JPEG files on all services
with Protocol Type 'HTTP'.
Enabling "Perform strict enforcement" makes SmartDefense identify JPEG files by their
content.
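Added example, not part of this guide and not Check Point code: content-based JPEG detection followed by a structural walk of the file's marker segments, the two things a strict "malformed JPEG" check has to do on an HTTP body whatever Content-Type it was served with. A JPEG is a sequence of segments "FF marker [length payload]" whose 16-bit length counts itself, so a declared length below 2 or one that runs past the end of the data is a defect a decoder must never be handed. The sample files are constructed byte strings.

```python
"""Content-based JPEG detection and marker-segment validation.

Added example, not Check Point code. GOOD, BAD_COM, BAD_OVERRUN and
NOT_JPEG are constructed sample inputs.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}   # markers with no length field


def looks_like_jpeg(data):
    """Magic-number detection, independent of the declared content type."""
    return len(data) >= 3 and data[:3] == b"\xff\xd8\xff"


def check_jpeg(data):
    """Walk the marker segments up to SOS or EOI. Return None if the header
    structure is sound, otherwise a string naming the first defect."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return "missing SOI marker"
    pos = 2
    while True:
        if pos + 2 > len(data):
            return f"file ends at offset {pos} before SOS/EOI"
        if data[pos] != 0xFF:
            return f"expected marker prefix FF at offset {pos}, found {data[pos]:02X}"
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte, skip it
            pos += 1
            continue
        if marker == 0x00:
            return f"invalid marker FF00 at offset {pos}"
        pos += 2
        if marker in STANDALONE:
            if marker == EOI:
                return None
            if marker == SOI:
                return f"second SOI at offset {pos - 2}"
            continue
        if pos + 2 > len(data):
            return f"segment {marker:02X} at offset {pos - 2} has no length field"
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2:                    # length counts its own two bytes
            return f"segment {marker:02X} declares length {seg_len} < 2"
        if pos + seg_len > len(data):
            return f"segment {marker:02X} length {seg_len} overruns file by {pos + seg_len - len(data)} bytes"
        pos += seg_len
        if marker == SOS:
            return None                    # entropy-coded data follows; headers were sound


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG header: SOI, APP0 (JFIF), COM, SOS.
GOOD = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
        + _segment(0xFE, b"comment") + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00"))
# COM segment declaring length 1: below the 2-byte minimum, a decoder-underflow trigger.
BAD_COM = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"comment"
# APP0 segment whose length points far past the end of the data.
BAD_OVERRUN = b"\xff\xd8" + b"\xff\xe0\x7f\xff" + b"JFIF\x00"
NOT_JPEG = b"GIF89a"

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("bad_com", BAD_COM),
                       ("overrun", BAD_OVERRUN), ("gif", NOT_JPEG)]:
        print(name, looks_like_jpeg(blob), check_jpeg(blob))
```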
Table 3-147 Default: Off.
Table 3-148 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-150 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
MS-RPC
DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135
This protection allows specific MS-RPC interfaces, such as the DCOM interface, if they
are allowed in the Rule Base. You can use the DCE-RPC services to create them and apply
the protections on this page.
SmartDefense unconditionally blocks the "Blaster" worm and its variants, while allowing
legitimate DCOM traffic.
Table 3-151 Default: Off.
Table 3-152 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: *Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-154 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: *Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-156 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55, protection on: Not Enforced
NG FP3 to R55, Monitor-Only mode: Not Enforced
R55W, protection on: Not Enforced
R55W, Monitor-Only mode: Not Enforced
MS-SQL
The protections in this section allow you to configure various protections related to
the MS SQL Server protocols.
Default: Off.
Table 3-158 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Default: Off.
Table 3-160 (feature behavior of earlier gateway versions under NGX R60 Management)
NG FP3 to R55: Same (R55 Only)
R55W, protection on: Same
R55W, Monitor-Only mode: Same
Routing Protocols
The protections in this section allow you to select what types of enforcement will be
applied to routing protocols.
OSPF
By enabling this protection, SmartDefense enforces the validity of the OSPF packet
header, including protocol version, message type and packet length. In addition,
SmartDefense can detect and block OSPF traffic that is not MD5 authenticated, which is
considered insecure.
Table 3-161 (surviving cell: Off).
Table 3-162: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (R55 Only), Same, Same.
[Table residue; surviving cell: Off]
Table 3-164: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (R55 Only), Same, Same.
RIP
By enabling this protection, SmartDefense will enforce the validity of the RIP
packet header. In addition, SmartDefense is able to detect and block RIP traffic
that is non-MD5 authenticated, which is considered insecure.
Table 3-165 (surviving cell: Off).
Table 3-166: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (R55 Only), Same, Same.
IGMP
By enabling this protection, SmartDefense will enforce the validity of the IGMP
packet header. In addition, SmartDefense is able to detect and block IGMP traffic
that is non-MD5 authenticated, which is considered insecure.
Table 3-167 (surviving cell: Off).
Table 3-168: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (R55 Only), Same, Same.
SUN-RPC
The protections in this section allow you to select what types of enforcement will
be applied to SUN-RPC (Remote Procedure Calls) protocols.
[Table residue; surviving cell: Off]
Table 3-170: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (R55 Only), Same, Same.
DHCP
By enabling this protection, SmartDefense will enforce the validity of the DHCP
packet header and options.
Table 3-171 (surviving cells: Off; None.).
Table 3-172: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (R55 Only), Same, Same.
SOCKS
This protection provides enforcement of the SOCKS protocol. Non-SOCKS
communication over the SOCKS protocol port (1080 by default) is blocked.
You may also block SOCKS version 4 only, or any unauthenticated SOCKS
communication (often used by trojans to tunnel information).
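An added example, not code from Check Point: classifying the first bytes a client sends on the SOCKS port and applying the three options described above (block non-SOCKS traffic, block version 4, block unauthenticated SOCKS). The classifier decides on the client greeting alone and the sample greetings are constructed; both are assumptions of the example.

```python
SOCKS_PORT = 1080   # default SOCKS port named above


def classify_socks_greeting(data: bytes) -> str:
    """Classify the first bytes a client sends on the SOCKS port.

    Returns 'socks4', 'socks5-noauth-only' (client offers only method 0x00,
    'no authentication required'), 'socks5-auth-offered' (at least one real
    authentication method such as 0x02 username/password is offered),
    'not-socks', or 'incomplete' when more bytes are needed to decide.
    A full gateway would also inspect the server's method-selection reply;
    this example decides on the client greeting only (assumption).
    """
    if len(data) < 2:
        return "incomplete"
    version, second = data[0], data[1]
    if version == 4:
        # SOCKS4 request: VN=4, CD (1 = CONNECT, 2 = BIND), DSTPORT, DSTIP, USERID, NUL.
        # SOCKS4 carries only an unverified user id, so it is never authenticated.
        return "socks4" if second in (1, 2) else "not-socks"
    if version == 5:
        # SOCKS5 greeting: VER=5, NMETHODS, METHODS[NMETHODS]
        nmethods = second
        if nmethods == 0:
            return "not-socks"
        if len(data) < 2 + nmethods:
            return "incomplete"
        methods = set(data[2:2 + nmethods])
        return "socks5-noauth-only" if methods == {0x00} else "socks5-auth-offered"
    return "not-socks"


def socks_policy_decision(data: bytes, block_v4: bool = False,
                          block_unauthenticated: bool = False) -> tuple:
    """Apply the three options described above to a client greeting.

    Non-SOCKS traffic on the SOCKS port is always blocked; SOCKS version 4
    and unauthenticated SOCKS are blocked only when the matching flag is set.
    Returns (decision, classification) with decision in {allow, block, hold}.
    """
    kind = classify_socks_greeting(data)
    if kind == "incomplete":
        return "hold", kind
    if kind == "not-socks":
        return "block", kind
    if block_v4 and kind == "socks4":
        return "block", kind
    if block_unauthenticated and kind in ("socks4", "socks5-noauth-only"):
        return "block", kind
    return "allow", kind


# Constructed client greetings (not captures).
SAMPLE_GREETINGS = {
    "socks5, no-auth only":    b"\x05\x01\x00",
    "socks5, offers userpass": b"\x05\x02\x00\x02",
    "socks4 CONNECT":          b"\x04\x01\x00\x50\x0a\x00\x00\x01user\x00",
    "http on port 1080":       b"GET / HTTP/1.0\r\n",
    "partial greeting":        b"\x05\x03\x00",
}

if __name__ == "__main__":
    for label, greeting in SAMPLE_GREETINGS.items():
        decision = socks_policy_decision(greeting, block_v4=True, block_unauthenticated=True)
        print(f"{label:24s} -> {decision}")
```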
Table 3-173 (surviving cells: Off; None.).
Table 3-174: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (R55 Only), Same, Same.
Chapter 4
Web Intelligence
In This Chapter
Introduction page 110
Malicious Code page 111
Application Layer page 113
Information Disclosure page 118
page 121
Introduction
Web Intelligence is based on Check Point's Stateful Inspection, Application
Intelligence, and Malicious Code Protector technologies, so that it is possible to
block not only specific attacks, but also entire categories of attacks, while allowing
legitimate traffic to pass.
Stateful Inspection analyzes information flow into and out of a network so that
real-time security decisions can be based on communication session
information as well as on application information. It accomplishes this by
tracking the state and context of all communications traversing the firewall
gateway, even when the connection involves complex protocols.
Web Intelligence is an add-on for VPN-1 Power. Customers who purchase the
SmartDefense Subscription service can automatically update both SmartDefense
and Web Intelligence with a single click. Updates are released frequently, and are
obtained from the Check Point SmartDefense site:
http://www.checkpoint.com/techsupport/documentation/smartdefense/index.html
Customers with a valid subscription license also receive special SmartDefense
Advisories that provide updated SmartDefense and Web Intelligence attack
protections, as well as information, tools and best practice methods to mitigate
different attacks.
Tip - It is recommended to keep your gateway version up-to-date, as the newest defenses are
incorporated into the latest version of Check Point software.
Malicious Code
The protections in this section allow you to prevent attacks that run malicious code
on web servers or clients.
Table 4-176: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same, Enforced, Same, Same.
[Table residue; surviving cell: Off]
Table 4-178: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Same (except for Solaris), Same.
Application Layer
The protections in this section prevent hackers from introducing text, tags,
commands, or other characters that a web application will interpret as special
instructions. Introducing these characters in forms or URLs can allow a hacker to
steal private data, redirect a communication session to a malicious web site, steal
information from a database, gain unauthorized access, or execute restricted
commands.
Table 4-180: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same, Enforced, Same, Same.
LDAP Injection
This protection defends LDAP servers by identifying attempted misuse of LDAP
queries in forms and URLs submitted to web applications. If an attack is detected,
the connection is rejected.
To provide good protection with the optimum detection sensitivity, three levels of
protection are available. For details, see the online help.
The list of LDAP fields that is examined can be customized, which makes it
possible to control the use of customized LDAP fields, as well as standard ones.
Table 4-181 (contents lost in extraction).
Table 4-182: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Not Enforced, Not Enforced.
SQL Injection
Web Intelligence looks for SQL commands in forms and in URLs. If it finds them,
the connection is rejected.
To provide good protection with a minimum number of false positives, three levels
of protection are available. They make it possible to choose the appropriate
trade-off between a high detection rate on the one hand and a low level of false
positives on the other. The protection level can be changed at any time to suit the
environment. For details, see the online help.
Table 4-183 (contents lost in extraction).
Table 4-184: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Same, Same.
Command Injection
This protection looks for system commands in forms and in URLs. If it finds them,
the connection is rejected.
To provide good protection with a minimum number of false positives, three levels
of protection are available. They make it possible to choose the appropriate
trade-off between a high detection rate on the one hand and a low level of false
positives on the other. The protection level can be changed at any time to suit the
environment. For details, see the online help.
Table 4-185 (contents lost in extraction).
Table 4-186: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Same, Same.
Directory Traversal
This protection verifies that the URL does not contain an illegal combination of
directory traversal characters. Requests whose URL contains an illegal
directory request are blocked.
Table 4-187 (contents lost in extraction).
Table 4-188: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Same, Same.
Information Disclosure
One of the first steps an attacker may take before attacking a web site is to gather
information about the site. The goal of the hacker is to get the web server to reveal
information that the hacker can use to tailor an attack. This is known as
"fingerprinting".
The protections in this section allow you to prevent the web server from revealing
information that users do not require.
Header Spoofing
This protection allows you to remove or change a specific header (that can appear
either in the HTTP Request or Response) by giving a regular expression to identify
the header name and header value. For example, a typical server header will
contain the web server name and version number. Use this protection to spoof out
the version information.
Note - Activating this protection decreases performance for Web traffic to which this
protection is applied.
Table 4-189 (surviving cell: Off).
Table 4-190: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Same, Same.
Directory Listing
This protection identifies web pages containing directory listings and blocks them.
To provide good protection with the optimum detection sensitivity, three levels of
protection are available. For details, see the online help.
Table 4-191 (surviving cell: Off).
Table 4-192: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Not Enforced, Not Enforced.
Error Concealment
This protection looks for web server error messages in HTTP responses and, if it
finds them, prevents the web page from reaching the user.
Error messages are detected and concealed in two ways.
The first way conceals HTTP Responses containing those 4XX and 5XX error status
codes that reveal unnecessary information. It is possible to choose the status codes
that will be concealed.
The second way hides error messages generated by the web application engine.
This approach is needed when the application engine does not tell the web server
it has an error, in which case the web server displays error information that it
should not. It is possible to configure patterns that identify messages from
particular application engines. If these patterns are detected the pages are blocked.
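An added example (not Check Point's code) of the two concealment methods above: a status-code list, plus body patterns for application-engine errors that surface inside a 200 OK page. The status list, patterns, generic replacement page and sample responses are constructed for the example.

```python
import re

# Constructed configuration for the example (an assumption, not Check Point's
# defaults): the status codes to conceal, and patterns that identify error
# text leaking from an application engine inside an otherwise normal page.
CONCEALED_STATUS = {403, 404, 500, 501, 502, 503}
ENGINE_ERROR_PATTERNS = [re.compile(p) for p in (
    r"(?i)\bstack trace\b",
    r"(?i)\bunhandled exception\b",
    r"(?i)\bODBC\b[^\n]*\berror\b",
)]
GENERIC_BODY = "<html><body><h1>The request could not be completed.</h1></body></html>"


def inspect_response(status: int, body: str, concealed_status=CONCEALED_STATUS,
                     patterns=ENGINE_ERROR_PATTERNS) -> tuple:
    """Return (conceal, reason) using the two detection methods described above.

    First the status line: any code on the concealment list is hidden.
    Then the body: an application engine that reports its failure inside a
    200 OK page is caught by the configured patterns.
    """
    if status in concealed_status:
        return True, f"status {status} is on the concealment list"
    for pattern in patterns:
        match = pattern.search(body)
        if match:
            return True, f"application engine error pattern matched: {match.group(0)!r}"
    return False, ""


def filter_response(status: int, body: str, **options) -> tuple:
    """Return (status, body, reason) as the client would receive it.

    Assumption for the example: a listed status code keeps its code but gets
    the generic body, so the client learns 'not found' and nothing else; a
    200 page carrying engine error text is replaced by a bare 500.
    """
    conceal, reason = inspect_response(status, body, **options)
    if not conceal:
        return status, body, reason
    listed = options.get("concealed_status", CONCEALED_STATUS)
    return (status if status in listed else 500), GENERIC_BODY, reason


# Constructed sample responses (not captures).
SAMPLE_RESPONSES = [
    (200, "<html><body>Welcome to the portal</body></html>"),
    (404, "<html><body>Not Found: /admin/ on Apache/2.0.52 (Unix) PHP/4.3.9</body></html>"),
    (200, "<html><body>Server Error in '/' Application.<br>Stack Trace: at Portal.Page_Load()</body></html>"),
    (302, "<html><body>Moved</body></html>"),
]

if __name__ == "__main__":
    for status, body in SAMPLE_RESPONSES:
        new_status, new_body, reason = filter_response(status, body)
        print(f"{status} -> {new_status}: {reason or 'passed unchanged'}")
```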
Table 4-193 (surviving cell: Off).
Table 4-194: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Not Enforced, Not Enforced.
[Table residue; surviving cells: On, Off]
Table 4-197: version-compatibility table (same columns as Table 4-194). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Same, Same.
Table 4-199: version-compatibility table (same columns). Row labels lost in extraction; surviving cells: Same, Enforced, Same, Same.
Table 4-201: version-compatibility table (same columns). Row labels lost in extraction; surviving cells: Same, Enforced, Same, Same.
Table 4-203: version-compatibility table (same columns). Row labels lost in extraction; surviving cells: Same, Enforced, Same, Same.
Table 4-205: version-compatibility table (same columns). Row labels lost in extraction; surviving cells: Same, Enforced, Same, Same.
With this page you can force all HTTP headers to be ASCII only. This will prevent
some malicious content from passing in the HTTP protocol headers.
Table 4-206 (surviving cell: Off).
Table 4-207: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same, Enforced, Same, Enforced.
Header Rejection
This protection allows you to reject HTTP requests that contain specific headers
and header values.
The HTTP header name and value are defined using case-sensitive regular
expressions.
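An added example, not Check Point's code, of the header protections described in the Header Spoofing section above and in this section, plus the ASCII-only header check, as regex rules over parsed HTTP headers. The rules and sample messages are constructed; the X-Debug-Mode header and the badbot string are hypothetical.

```python
import re

# Constructed rules for the example (assumptions, not Check Point's defaults).
# Header Spoofing: (name regex, value regex, replacement); None removes the header.
SPOOF_RULES = [
    (r"^Server$", r"^(\S+)/[\d.]+.*$", r"\1"),   # "Apache/2.0.52 (Unix)" -> "Apache"
    (r"^X-Powered-By$", r".*", None),           # drop the header entirely
]
# Header Rejection: (name regex, value regex); both case-sensitive, as the text says.
REJECT_RULES = [
    (r"^X-Debug-Mode$", r".*"),                  # hypothetical debug toggle header
    (r"^User-Agent$", r"badbot"),                # hypothetical blocked client string
]


def parse_header_block(raw: str) -> tuple:
    """Split a raw HTTP head (start line + headers) into (start line, [(name, value)])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def spoof_headers(headers, rules=SPOOF_RULES) -> list:
    """Rewrite or remove headers whose name and value match a rule (request or response)."""
    out = []
    for name, value in headers:
        for name_re, value_re, replacement in rules:
            if re.search(name_re, name) and re.search(value_re, value):
                if replacement is not None:
                    out.append((name, re.sub(value_re, replacement, value)))
                break               # first matching rule wins; None drops the header
        else:
            out.append((name, value))
    return out


def reject_request(headers, rules=REJECT_RULES):
    """Return the first (name, value) that matches a rejection rule, or None."""
    for name, value in headers:
        for name_re, value_re in rules:
            if re.search(name_re, name) and re.search(value_re, value):
                return name, value
    return None


def non_ascii_headers(headers) -> list:
    """Names of headers whose name or value is not pure ASCII (the ASCII-only check)."""
    return [name for name, value in headers if not (name.isascii() and value.isascii())]


# Constructed sample messages (not captures).
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
                  "User-Agent: Mozilla/5.0\r\nX-Debug-Mode: 1\r\nX-Note: caf\u00e9\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Unix)\r\n"
                   "X-Powered-By: PHP/4.3.9\r\nContent-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    _, req = parse_header_block(SAMPLE_REQUEST)
    print("reject request on:", reject_request(req))
    print("non-ASCII headers:", non_ascii_headers(req))
    _, resp = parse_header_block(SAMPLE_RESPONSE)
    print("spoofed response headers:", spoof_headers(resp))
```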
Table 4-208 (surviving cell: Off).
Table 4-209: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Same (previously referred to as Peer to Peer), Enforced, Same, Same.
HTTP Methods
This protection can be used to control which HTTP methods can be used in HTTP
requests.
Web Intelligence divides the HTTP methods into three groups: Standard safe (GET,
HEAD and POST), standard unsafe (the other standard HTTP methods), and
WebDAV. By default, all methods are blocked other than the standard safe methods.
To allow users access to popular applications such as Microsoft Hotmail, Outlook
Web Access, and FrontPage, the non-RFC compliant WebDAV HTTP methods can
be allowed.
It is possible to choose exactly which methods to block. For example, if only the GET
and POST methods are allowed and all others are blocked, the following HTTP
request using a WebDAV method will be rejected: MKCOL / HTTP/1.0.
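An added example (not Check Point's code) of the method grouping and blocking policy just described, including the document's MKCOL / HTTP/1.0 case under a GET-and-POST-only policy. The policy class and request lines are constructed for the example.

```python
# Method groups as the text divides them. Method names are case-sensitive in HTTP,
# so "get" is not the same method as "GET" and falls through to "unknown".
STANDARD_SAFE = frozenset({"GET", "HEAD", "POST"})
STANDARD_UNSAFE = frozenset({"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"})
WEBDAV = frozenset({"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"})


def method_group(method: str) -> str:
    if method in STANDARD_SAFE:
        return "standard safe"
    if method in STANDARD_UNSAFE:
        return "standard unsafe"
    if method in WEBDAV:
        return "WebDAV"
    return "unknown"


class MethodPolicy:
    """Which methods pass: whole groups, plus per-method allow/block overrides.

    The default mirrors the text: only the standard safe group is allowed.
    """

    def __init__(self, allowed_groups=("standard safe",), allowed_methods=(),
                 blocked_methods=()):
        self.allowed_groups = set(allowed_groups)
        self.allowed_methods = set(allowed_methods)
        self.blocked_methods = set(blocked_methods)

    def allows(self, method: str) -> bool:
        if method in self.blocked_methods:
            return False
        if method in self.allowed_methods:
            return True
        return method_group(method) in self.allowed_groups


def check_request_line(request_line: str, policy: MethodPolicy) -> tuple:
    """Return ('allow', method) or ('reject', reason) for one HTTP request line."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "reject", "malformed request line"
    method = parts[0]
    if policy.allows(method):
        return "allow", method
    return "reject", f"{method} ({method_group(method)}) not allowed"


if __name__ == "__main__":
    # The document's own case: only GET and POST allowed, everything else blocked.
    get_post_only = MethodPolicy(allowed_groups=(), allowed_methods={"GET", "POST"})
    # The default policy, and one that also opens WebDAV for Outlook Web Access-style clients.
    default = MethodPolicy()
    with_webdav = MethodPolicy(allowed_groups=("standard safe", "WebDAV"))
    for line in ("MKCOL / HTTP/1.0", "GET /inbox HTTP/1.1", "PUT /x HTTP/1.1", "PROPFIND / HTTP/1.1"):
        print(f"{line:22s} get/post-only={check_request_line(line, get_post_only)} "
              f"default={check_request_line(line, default)} "
              f"webdav={check_request_line(line, with_webdav)}")
```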
Table 4-210 (contents lost in extraction).
Table 4-211: version-compatibility table (columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Same, Same.
[Table residue; surviving cell: Off]
Version-compatibility table (table number lost; columns: NG FP3 to R55; R55W; feature behavior when protection is on in NGX R60 Management; feature behavior when protection is in Monitor-Only mode in NGX R60 Management). Row labels lost in extraction; surviving cells: Not Enforced, Not Enforced, Not Enforced, Not Enforced.
[Table residue; surviving cell: Off]
Version-compatibility table (table number lost; same columns). Row labels lost in extraction; surviving cells: Same, Same.
MAY NOT re-distribute or represent the code as your own. Any redistributions of the code MUST reference the author, and include any and all
original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000,
2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000,
2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41RR02188 by the National Institutes of Health. Portions copyright 1996,
1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating
to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions
relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions
relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson
(ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John
Ellson (ellson@graphviz.org). Portions relating to JPEG and to color
quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C)
1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane.
This software is based in part on the work of the Independent JPEG Group.
See the file README-JPEG.TXT for more information. Portions relating to
WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den
Brande. Permission has been granted to copy, distribute and modify gd in
any context without fee, including a commercial application, provided that
this notice is present in user-accessible supporting documentation. This
does not affect your ownership of the derived work itself, and the intent is to
assure proper credit for the authors of gd, not to interfere with your
productive use of gd. If you have questions, ask. "Derived works" includes all
programs that utilize the library. Credit must be given in user-accessible
documentation. This software is provided "AS IS." The copyright holders
disclaim all warranties, either express or implied, including but not limited to
implied warranties of merchantability and fitness for a particular purpose,
with respect to this code and accompanying documentation. Although their
code does not appear in gd 2.0.4, the authors wish to thank David Koblas,
David Rowley, and Hutchison Avenue Software Corporation for their prior
contributions.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain a
copy of the License at http://www.apache.org/licenses/LICENSE-2.0
The curl license
COPYRIGHT AND PERMISSION NOTICE
Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights
reserved.
Permission to use, copy, modify, and distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright
notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO
EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR
ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
Except as contained in this notice, the name of a copyright holder shall not
be used in advertising or otherwise to promote the sale, use or other dealings
in this Software without prior written authorization of the copyright holder.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, is permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd
Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to
do so, subject to the following conditions: The above copyright notice and this
permission notice shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved.
Confidential Copyright Notice
Except as stated herein, none of the material provided as a part of this
document may be copied, reproduced, distributed, republished,
downloaded, displayed, posted or transmitted in any form or by any means,
including, but not limited to, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of NextHop
Technologies, Inc. Permission is granted to display, copy, distribute and
download the materials in this document for personal, non-commercial use
only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless
otherwise stated. No material contained in this document may be "mirrored"
on any server without written permission of NextHop. Any unauthorized use
of any material contained in this document may violate copyright laws,
trademark laws, the laws of privacy and publicity, and communications
regulations and statutes. Permission terminates automatically if any of these
terms or conditions are breached. Upon termination, any downloaded and
printed materials must be immediately destroyed.
Trademark Notice
Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.
The trademarks, service marks, and logos (the "Trademarks") used and
displayed in this document are registered and unregistered Trademarks of
NextHop in the US and/or other countries. The names of actual companies
and products mentioned herein may be Trademarks of their respective
owners. Nothing in this document should be construed as granting, by
implication, estoppel, or otherwise, any license or right to use any Trademark
displayed in the document. The owners aggressively enforce their intellectual
property rights to the fullest extent of the law. The Trademarks may not be
used in any way, including in advertising or publicity pertaining to distribution
of, or access to, materials in
this document, including use, without prior, written permission. Use of
Trademarks as a "hot" link to any website is prohibited unless establishment
of such a link is approved in advance in writing. Any questions concerning
the use of these Trademarks should be referred to NextHop at U.S. +1 734
222 1600.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc.
("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release
PCRE LICENCE
PCRE is a library of functions to support regular expressions whose syntax
and semantics are as close as possible to those of the Perl 5 language.
Release 5 of PCRE is distributed under the terms of the "BSD" licence, as
specified below. The documentation for PCRE, supplied in the "doc"
directory, is distributed under the same terms as the software itself.
Written by: Philip Hazel <ph10@cam.ac.uk>
University of Cambridge Computing Service, Cambridge, England. Phone:
Index
A
Address Spoofing 43
Allow Only SNMPv3 Traffic 88
Allowed 22
Always On 22
Application Intelligence 110
Application Layer 113
ASCII Only Request 124
ASCII Only Response Headers 125
B
BGP 103
Block ASN.1 Bitstring Encoding Attack 63
Block ASN.1 Bitstring Encoding Attack over SMTP 57
Block CISCO IOS DOS 34
Block Data Connections to Low Ports 52
Block HTTP on Non-Standard Port 128
Block IKE Aggressive Exchange 92, 93
Block Malicious HTTP Encodings 129
Block Null CIFS Sessions 61
Block Null Payload ICMP 35
Block Popup Messages 62
Block SSL Null-Pointer Assignment 91
Block Welchia ICMP 33
Block WINS Name Validation Attack 65
Block WINS Replication Attack 64
D
DCOM 98
Denial Of Service 25
Denial of Service 44
DHCP 107
Directory Listing 119
Directory Traversal 117
DNS 75
Domain Block List 77
DOS Protection 80
Drop Requests to Default Community Strings 89
Drop Unauthenticated DCOM 99
DShield Storm Center 48
Dynamic Ports 52
E
Enforced 22
Error Concealment 120
H
H323 81
Header Rejection 126
Header Spoofing 118
Host Port Scan 50
HTTP Format Sizes 121
HTTP Methods 127
HTTP Protocol Inspection 121
I
ICQ 74
IGMP 105
Information Disclosure 118
Instant Messengers 69
IP and ICMP 29
IP Fragments 31
IP ID 42
ISN Spoofing 40
L
LAND 27
LDAP Injection 114
Local Interface Spoofing 45
M
Mail 55
Mail Security Server 56
Malformed ANI File 97
Malformed JPEG 96
Malicious Code 111
Malicious Code Protector 110, 112
Max Ping Size 30
Maximum Header Value Length 123
Maximum Number of Headers 123
Maximum Request Body Size 83, 122
Maximum URL Length 122
MGCP (allowed commands) 86
Microsoft Networks 60
MSN Messenger over MSNMS 71
MSN Messenger over SIP 70
MS-RPC 98
MS-RPC Program Lookup 99
MS-SQL 100
MS-SQL Monitor Protocol 100
MS-SQL Server Protocol 101
N
N/A 22
Network Quota 32
NG FP3 18
NG R55W 18
NG With Application Intelligence R54 18
NG With Application Intelligence R55 18
Non TCP Flooding 28
Not Enforced 22
O
Off 22
On 22
OSPF 102
P
Packet Sanity 29
Peer to Peer 66
Ping of Death 26
POP3 / IMAP Security 55
Port Scan 50
PPTP Enforcement 90
Protocol Enforcement - TCP 75
Protocol enforcement - UDP 76
R
Report to DShield 49
Resource Records Enforcements 79
Retrieve and Block Malicious IPs 48
RIP 104
Routing Protocols 102
S
Same 22
SCCP (Skinny) 87
Sequence Verifier 39
SIP 82
Skype 72
Small PMTU 37
SmartDefense 18
SNMP 88
SOCKS 108
Spoofed Reset Protection 38
SQL Injection 115
SSH - Detect SSH over NonStandard Ports 94
SSH Enforcement 95
Stateful Inspection 110
Successive Alerts 46
Successive Events 43
Successive Multiple Connections 47
SUN-RPC 106
SUN-RPC Program Lookup 106
Sweep Scan 51
SYN Attack Configuration 36
T
TCP 36
Teardrop 25
TTL 41
V
VoIP 80
VPN Protocols 90
W
Web Intelligence 19
Y
Yahoo! Messenger 73
August 2006