Chapter 7. SmartDefense

Introduction

SmartDefense is a compilation of technologies built into the Check Point enforcement point to add extra fortifications against attacks. The technologies include:

  • Network Security, which covers protection against Transmission Control Protocol/Internet Protocol (TCP/IP)-level attacks

  • Application Intelligence, which provides protection against Layer 7 attacks by inspecting the data segment of a packet

  • Web Intelligence, which offers protection to Web services from particular Hypertext Transfer Protocol (HTTP)-based attacks

This chapter covers best practices in terms of implementing and handling these features. You can disable SmartDefense or use it in a monitor-only mode if enhanced protection is not advantageous. A number of features, including buffer size, cannot be disabled but may be modified.

SmartDefense not only protects against a range of known attacks, varying from different classes of Microsoft networking worms to distributed denial of service (DDoS) attacks, but it also incorporates intelligent security technologies that protect against entire categories of emerging and unknown attacks.

SmartDefense is built on Check Point’s Stateful Inspection and Application Intelligence technologies. These enable an administrator to block specific attacks and entire classes of attacks while allowing legitimate traffic to pass. Application Intelligence is a collection of technologies that identify and thwart application-level attacks by integrating a deep understanding of application behavior into network security protections. The primary functions of Application Intelligence are to:

  • Validate compliance to standards

  • Corroborate expected usage of the network and associated protocols

  • Block malicious data

  • Control hazardous operations that occur in applications

Configuring SmartDefense

To configure SmartDefense follow these steps:

  1. In the SmartDashboard window, click the SmartDefense tab. The SmartDefense Settings window opens.

  2. In the SmartDefense Settings window, select the SmartDefense category on which you want to view information.

  3. To view details of a specific attack, click + to expand the subdivision and then select the desired attack.

  4. Determine from which attacks you need to protect your site, and select Settings to configure the various attack classes as well as the specific attacks.

  5. Install the security policy. You must reinstall the security policy for changes to the SmartDefense configuration to take effect.

Updating SmartDefense with the Latest Defenses

To receive updates of the most recent defenses from the SmartDefense Web site, select SmartDefense Settings | General and then click Update SmartDefense.

Network Security

In this section, we will discuss the best-practice network security provisions of SmartDefense. The Network Security and Application Intelligence technologies are included with SmartDefense at no charge; updates are issued by paid subscription. Check Point customers benefit from the SmartDefense subscription service, as it provides real-time updates and advisories with additional protection against new and emerging threats.

SmartDefense is a management component of Check Point FW-1 and VPN-1 that is designed to allow administrators to organize their network so that they can practically defend it from both known and unknown (zero-day) attacks. It gives administrators extensive network- and application-level protection against evolving Internet threats, including the Cisco IOS Malformed OSPF Denial of Service Attack, which left a vulnerable system unable to respond to ordinary requests.

Check Point SmartDefense is a collection of Active Defense products that actively protect organizations from known and unknown network attacks by using intelligent security technology. SmartDefense blocks attacks by type and class using Check Point’s patented Stateful Inspection technology and provides a single, centralized console to deliver real-time information regarding attacks as well as attack detection, blocking, logging, auditing, and alerting.

The following features are included in Check Point’s SmartDefense:

  • Centralized, type-based attack prevention designed to provide a single location for the control and blocking of both known and unknown attacks using a novel attack-type classification technology.

  • Online updates and Web worm prevention, which allow for online updates from Check Point’s SmartDefense attack center to thwart new classes of attacks such as Web worms.

  • Real-time attack information using Check Point’s online attack information center, which provides security administrators with updated information on each attack class.

  • DoS and DDoS attack protection for the most frequent and damaging classes of Internet attacks, which result from attempts to flood networks or servers with fake traffic in order to crowd out legitimate traffic. Check Point’s SmartDefense mitigates risk and loss from DoS and DDoS attacks through the following:

    • TCP Reservation, which allows a site’s network administrators to reserve a fraction of FW-1 capacity for TCP connections. This shields mission-critical TCP traffic from User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP)-based DoS attacks designed to flood the link.

    • Client Quotas, which allow administrators to define limits on the number of connections that originate from a single Internet Protocol (IP) address. This effectively detects suspicious traffic so that the administrator can act against a DoS attack prior to it escalating beyond control.

    • Server Quotas, which allow administrators to define quotas for each corresponding connection to a single system and respond if the quotas are reached. This enables a more thorough recognition and, hence, defense against DDoS attacks.

You can find additional information regarding SmartDefense at www.checkpoint.com/products/protect/smartdefense.html.

Denial of Service

A DoS attack is intended to interrupt the normal functioning of a system, site, or service. This disruption is typically achieved either by overwhelming the target with forged packets so that it can no longer answer legitimate requests, or by exploiting operating system, application, and system vulnerabilities to crash the system remotely. DoS attacks are commonly used to take hosts offline so that an attacker can start a man-in-the-middle (MITM) attack.

Check Point SmartDefense provides reinforcement capabilities that aid in defending against many common classes of DoS attacks.

Aggressive Aging

Aggressive Aging manages the connections table capacity and the memory consumption of the firewall to increase durability and stability. Aggressive Aging uses short timeouts that Check Point designates as “aggressive timeouts.” If an established connection is idle for longer than the aggressive timeout defined for its protocol, the inspection engine marks it as eligible for deletion from the state table. As soon as the connections table or memory consumption reaches a user-defined threshold (the high-water mark), Aggressive Aging is initiated. You can configure Aggressive Aging timeouts on a per-service basis.

When the threshold is surpassed, each new incoming connection triggers the deletion of 10 connections from the eligible-for-deletion list. A further 10 connections are deleted for each new connection until memory consumption or connections table usage drops below a predefined low-water mark.

If no connections are eligible for deletion, the firewall does not delete any. The list is checked again after every subsequent connection that arrives while usage is above the high-water mark. The timeout configuration is a primary aspect of memory consumption tuning: low timeout values cause connections to be removed from the table earlier, freeing the firewall to process more connections at the same time. When memory consumption surpasses the threshold, shorter timeouts preserve connectivity for the majority of the traffic passing through the firewall.

The chief advantage of Aggressive Aging is that it begins to function while the firewall still has free memory, before the connections table becomes completely full. This reduces the likelihood of connectivity issues arising from low-resource conditions.

Aggressive Aging allows the firewall gateway to process an increased volume of unanticipated network traffic as may occur during a DoS attack.
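The Aggressive Aging behavior just described, modelled as an added example (not Check Point's code): a connections table with per-service aggressive timeouts, a high-water mark that starts aging and a low-water mark that stops it. Capacity, the thresholds and the 30-second HTTP timeout are assumed values for the constructed scenario.

```python
from dataclasses import dataclass
from typing import Dict, List

DELETE_PER_NEW_CONN = 10  # the chapter's figure: ten purged per new connection


@dataclass
class Conn:
    key: str          # connection identifier, e.g. a 5-tuple rendered as a string
    service: str      # service name used to look up the aggressive timeout
    last_seen: float  # time of the last packet on this connection


class ConnTable:
    """Connections table with Aggressive Aging (model of the behaviour described above)."""

    def __init__(self, capacity: int, high_water: float, low_water: float,
                 aggressive_timeouts: Dict[str, float], default_timeout: float):
        self.capacity = capacity
        self.high_water = high_water                    # fraction of capacity that starts aging
        self.low_water = low_water                      # fraction below which aging stops
        self.aggressive_timeouts = aggressive_timeouts  # per-service idle timeout, seconds
        self.default_timeout = default_timeout
        self.conns: Dict[str, Conn] = {}
        self.aging_active = False
        self.purged: List[str] = []

    def fill(self) -> float:
        return len(self.conns) / self.capacity

    def eligible_for_deletion(self, now: float) -> List[Conn]:
        """Connections idle longer than their per-service aggressive timeout, oldest first."""
        idle = []
        for c in self.conns.values():
            timeout = self.aggressive_timeouts.get(c.service, self.default_timeout)
            if now - c.last_seen > timeout:
                idle.append(c)
        return sorted(idle, key=lambda c: c.last_seen)

    def new_connection(self, key: str, service: str, now: float) -> bool:
        """Admit a new connection. Returns False only when the table is full
        and nothing is eligible for deletion (the firewall deletes nothing)."""
        if not self.aging_active and self.fill() >= self.high_water:
            self.aging_active = True
        if self.aging_active:
            # each new connection purges up to ten eligible entries ...
            for c in self.eligible_for_deletion(now)[:DELETE_PER_NEW_CONN]:
                del self.conns[c.key]
                self.purged.append(c.key)
            # ... until usage drops below the low-water mark
            if self.fill() < self.low_water:
                self.aging_active = False
        if len(self.conns) >= self.capacity:
            return False
        self.conns[key] = Conn(key, service, now)
        return True


def simulate() -> dict:
    """Constructed scenario: 80 idle HTTP connections opened at t=0, then four
    new ones arriving at t=100 s against an assumed 30 s HTTP aggressive timeout."""
    table = ConnTable(capacity=100, high_water=0.8, low_water=0.5,
                      aggressive_timeouts={"http": 30.0}, default_timeout=300.0)
    for i in range(80):
        table.new_connection(f"c{i}", "http", now=0.0)
    for i in range(4):
        table.new_connection(f"n{i}", "http", now=100.0)
    return {"connections": len(table.conns), "purged": len(table.purged),
            "aging_active": table.aging_active}


if __name__ == "__main__":
    print(simulate())
```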

Teardrop Attacks

In implementing the TCP/IP protocol stack, a number of systems fail to correctly deal with the reassembly of overlapping IP fragments (see http://insecure.org/sploits/linux.fragmentation.teardrop.html for details).

Sending the target multiple IP fragments crafted with overlapping fragment offsets, where one fragment is completely enclosed within the offset range of the other, can cause the host to allocate memory incorrectly and crash remotely. Teardrop is a widely available attack tool that exploits this vulnerability. Teardrop is closely related to syndrop, a modified version that exploits a Microsoft SYN sequence bug.

SmartDefense blocks attacks that rely on overlapping IP fragment offsets by default and logs them as Virtual defragmentation error: Overlapping fragments. It also provides the administrator with the ability to configure alerts, e-mail notices, Simple Network Management Protocol (SNMP) traps, and user-defined actions when these attacks occur.

The Ping of Death

The Ping of Death is a malformed PING request that is sent as a series of fragmented packets which, when reassembled by the target, exceed the maximum IP packet size (65,535 octets). This can crash a vulnerable system (see http://insecure.org/sploits/ping-o-death.html for details).

SmartDefense blocks this type of attack by default. The firewall logs blocked attacks with Virtual defragmentation error: Packet too big. SmartDefense provides the administrator with the ability to construct alerts, e-mail notices, SNMP traps, and user-defined actions when these attacks occur.

LAND Attacks

In a LAND attack, the attacker sends the target a TCP SYN packet (a connection initiation) with both the source and destination addresses set to the target’s address, and with the same port on the target host as both the source and destination port. Land.c is an easily obtainable attack tool designed to exploit this vulnerability (see http://insecure.org/sploits/land.ip.DOS.html for further information).

Check Point SmartDefense blocks this attack by default and provides the administrator with the ability to construct alerts, e-mail notices, SNMP traps, and user-defined actions when these attacks occur.
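The three checks described above for Teardrop, the Ping of Death and LAND packets, as an added example of the detection logic (not Check Point's implementation). The fragment sets and SYN packets are constructed samples; the log strings follow the chapter's wording.

```python
from dataclasses import dataclass
from typing import List, Optional

IP_MAX_LEN = 65535   # largest IP datagram, in octets
IP_HDR_LEN = 20      # minimal IP header, counted once for the reassembled datagram


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP ID shared by all fragments of one datagram
    offset: int     # fragment offset in octets (the wire field times 8)
    length: int     # payload octets carried by this fragment
    more: bool      # More Fragments flag


@dataclass(frozen=True)
class TcpSyn:
    src: str
    dst: str
    sport: int
    dport: int


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return the log text for a malformed fragment set, or None if it is sane."""
    covered_to = 0                     # end of the span reassembled so far
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < covered_to:
            # this fragment starts inside data an earlier fragment already supplied
            return "Virtual defragmentation error: Overlapping fragments"
        covered_to = f.offset + f.length
        if IP_HDR_LEN + covered_to > IP_MAX_LEN:
            return "Virtual defragmentation error: Packet too big"
    return None


def check_land(pkt: TcpSyn) -> Optional[str]:
    """A SYN whose source and destination address and port are identical."""
    if pkt.src == pkt.dst and pkt.sport == pkt.dport:
        return "LAND attack: source equals destination"
    return None


# Constructed samples, not real captures.
TEARDROP = [Fragment(1, 0, 36, True), Fragment(1, 24, 4, False)]            # second lies inside the first
PING_OF_DEATH = [Fragment(2, 0, 1480, True), Fragment(2, 65520, 16, False)]  # reassembles to 20 + 65536 octets
NORMAL = [Fragment(3, 0, 1480, True), Fragment(3, 1480, 520, False)]
LAND = TcpSyn("192.0.2.10", "192.0.2.10", 139, 139)
ORDINARY_SYN = TcpSyn("198.51.100.5", "192.0.2.10", 51234, 80)

if __name__ == "__main__":
    for name, frags in (("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH), ("normal", NORMAL)):
        print(name, "->", check_fragments(frags))
    print("land ->", check_land(LAND), "| ordinary ->", check_land(ORDINARY_SYN))
```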

Non-TCP Flooding

An attacker sometimes directly targets security devices such as firewalls. In advanced firewalls, state information regarding connections is maintained in a state table. The state table includes connection-oriented TCP and connectionless non-TCP protocols. Attackers can send high volumes of non-TCP traffic in an effort to fill up a firewall’s state table. This results in a denial of service by preventing the firewall from accepting new connections. Unlike TCP, non-TCP traffic does not provide mechanisms to “reset” or clear a connection.

SmartDefense can restrict non-TCP traffic from occupying more than a predefined percentage of a Check Point enforcement point’s state table. This eliminates the possibility of this class of attack.

IP and ICMP

Check Point provides a wide-ranging series of tests to ensure the integrity of connections at the network layer. A Check Point enforcement point performs stateful inspection on IP and ICMP connections to identify distinct protocol types, ensuring that they are inspected, monitored, and managed according to the packet flow security definitions. Check Point enforcement points categorize IP and ICMP packets by protocol type before performing a protocol header analysis, which includes protocol flag analysis and verification.

Packet Sanity

The Packet Sanity option performs a number of Layer 3 and Layer 4 “sanity” checks. These include validating packet size, inspecting UDP and TCP header lengths, dropping IP options, and verifying the TCP flags to ensure that packets have not been deliberately crafted by a malicious user. This process also checks that all packet parameters are correctly defined according to the standards (such as the RFCs). This validation is always enforced; administrators can, however, configure whether logs and/or alerts are issued for packets that violate these requirements.

Max PING Size

PING (ICMP echo request) is a protocol that is commonly used to confirm whether a remote system is available. The client sends an echo request, and the server responds with an echo reply that carries back the data the client sent. A malicious user can issue an ICMP echo request to a target host with an oversized echo data field to compromise the security and availability of the target’s system, which could cause a buffer overflow. This is different from the Ping of Death, in which the PING request is malformed through a manipulation of IP fragments.

The Max PING Size check can restrict the maximum requested data echo size. The default maximum is 548 bytes as defined from the maximum size in the protocol definition. Administrators can also configure whether logs and/or alerts will be issued for offending packets.

IP Fragments

When an IP packet exceeds the allowed size transported on a particular network, it is divided into a number of smaller IP packets and transmitted as fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. Consequently, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g., that Time To Live [TTL] is the same for all fragments) so that security checks can be run against the complete packet contents.

The IP Fragments page allows an administrator to configure whether fragmented IP packets can traverse Check Point gateways. It is also possible to allow fragments while limiting the number of fragments permitted and setting a timeout period for holding unassembled fragments before discarding them. These measures help to protect against DoS attacks that seek to overwhelm the resources of perimeter security devices by flooding them with spurious packet fragments.

Network Quota

Network Quota enforces a limit on the number of connections that are allowed from the same source IP address. When a source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source or simply track the event. This capability is useful in protecting against DoS attacks, and it can help to limit worm propagation by recognizing an abnormal increase in traffic from an infected source.

The Network Quota protection thus enforces a per-source limit: when the number of connection requests from a given source exceeds the configured limit, Network Quota (the Client Quotas feature listed earlier) generates an alert and/or blocks all new connections from that source. This feature is particularly useful for preventing DDoS attacks from overwhelming a server.

TCP

The majority of traffic on the Internet today uses TCP as its protocol. Web applications rely on TCP for the reliable transmission of data. SmartDefense is able to inspect TCP segments and examine a packet to verify that it contains only the allowed options. To verify that TCP packets are legitimate, the following tests are conducted:

  • Protocol type verification

  • Protocol header analysis

  • Protocol flags analysis and verification

SYN Attack Configuration

TCP is a connection-oriented protocol with a defined “handshake” process. To begin a connection, a client sends a SYN (Synchronize) connection request to a target host. The host then replies with an ACK (Acknowledge) response. Finally, the client responds back with a SYN-ACK reply. This process is essential to TCP communications and is used to synchronize the two hosts before communications can begin.

SYN flood attacks consist of initiating a TCP handshake (SYN) and not sending the final reply (SYN-ACK) to the server’s response (ACK) in the handshaking sequence. This results in the server maintaining an open record in its pending connection queue. As a server’s pending connection queue is limited in size, it is relatively simple to completely fill the queue with a flood of fake SYNs. As a result, the server is unable to accept valid TCP connections, resulting in a denial of service.

SmartDefense protects against SYN flood attacks on both protected servers and the Check Point enforcement point. This control keeps attackers from overwhelming servers with false SYN requests. SmartDefense provides two varieties of defense modes against SYN attacks and routinely switches between them as needed:

  • Passive defense, which is the default behavior

  • SYN Relay Defense (logged as Active Defense), which automatically activates as soon as a SYN attack is detected

The Passive SYN Gateway control is the default action for SYN protection. Using this mode, the Check Point enforcement point monitors TCP handshake progression. All SYN requests are passed to the target server, and a timer is tracked for each request. If the requesting client does not reply to the target host’s ACK response inside the configured time frame, a TCP reset is delivered to the server, making it drop the connection from the server’s pending connection queue.

Because this timeout is shorter than the timeout the server applies to its own pending connection table, the number of pending TCP sessions is reduced. This mode provides increased SYN protection with optimized performance.

When SmartDefense detects a predefined number of unanswered SYN requests in a given time period, it switches to SYN Relay Defense. SYN Relay Defense counters the attack by ensuring that the three-way handshake is completed (i.e., that the connection is valid) before sending a SYN packet to the target host. SYN Relay Defense thus ensures that the protected server never receives invalid connection attempts, which is advantageous if the server has limited memory or often reaches an overloaded state. SYN Relay Defense is implemented as a high-performance kernel-level process that acts as a relay at the connection level.
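An added model (not Check Point's code) of the two SYN defense modes described above: in passive mode the gateway forwards every SYN and resets half-open entries whose handshake times out, and once unanswered handshakes per window exceed a threshold it switches to relaying, forwarding a SYN to the server only after the client has completed the handshake with the gateway. The timeout, threshold, window and client addresses are assumed values for the constructed scenario.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HalfOpen:
    client: str
    started: float


class SynDefense:
    """Gateway-side model of Passive SYN Gateway and SYN Relay Defense."""

    def __init__(self, handshake_timeout: float = 3.0,
                 attack_threshold: int = 200, window: float = 10.0):
        self.timeout = handshake_timeout     # assumed: seconds to wait for the client's final reply
        self.threshold = attack_threshold    # assumed: unanswered SYNs per window that mean "attack"
        self.window = window
        self.mode = "passive"
        self.pending: Dict[str, HalfOpen] = {}  # half-open handshakes by connection id
        self.unanswered: List[float] = []       # times at which handshakes timed out
        self.server_saw: List[str] = []         # segments delivered to the protected server

    def on_syn(self, conn: str, client: str, now: float) -> None:
        self._expire(now)
        if self.mode == "passive":
            self.server_saw.append(f"SYN {conn}")   # passed straight through, timer started
        self.pending[conn] = HalfOpen(client, now)  # in relay mode the gateway answers itself

    def on_handshake_complete(self, conn: str, now: float) -> None:
        """The client's final handshake reply arrived within the timeout."""
        self._expire(now)
        if conn in self.pending:
            del self.pending[conn]
            if self.mode == "relay":
                self.server_saw.append(f"SYN {conn}")  # only a proven client reaches the server

    def _expire(self, now: float) -> None:
        for conn, h in list(self.pending.items()):
            if now - h.started > self.timeout:
                del self.pending[conn]
                if self.mode == "passive":
                    self.server_saw.append(f"RST {conn}")  # clear the server's queue entry
                self.unanswered.append(now)
        self.unanswered = [t for t in self.unanswered if now - t <= self.window]
        if self.mode == "passive" and len(self.unanswered) >= self.threshold:
            self.mode = "relay"
        elif self.mode == "relay" and not self.unanswered:
            self.mode = "passive"  # attack subsided: back to the cheaper passive mode


def simulate_flood() -> dict:
    """Constructed scenario: one honest client, then six spoofed SYNs that never
    complete, then a second honest client after the timeouts have fired."""
    gw = SynDefense(handshake_timeout=3.0, attack_threshold=5, window=10.0)
    gw.on_syn("c1", "198.51.100.7", 0.0)
    gw.on_handshake_complete("c1", 0.1)
    for i in range(6):
        gw.on_syn(f"f{i}", "203.0.113.9", 1.0)
    gw.on_syn("c2", "198.51.100.8", 5.0)
    gw.on_handshake_complete("c2", 5.2)
    return {"mode": gw.mode, "server_saw": gw.server_saw,
            "resets_sent": sum(s.startswith("RST") for s in gw.server_saw)}


if __name__ == "__main__":
    print(simulate_flood())
```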

Small PMTU

The maximum transmission unit (MTU) of a given network link specifies the largest permissible size of an IP packet on that link. PMTU, or “path” MTU, refers to the smallest MTU in the path (i.e., all of the links) from one device to another.

In a small PMTU attack, the attacker deceives a server into transporting large quantities of data using very small packets by setting the PMTU to a very small value. As each packet has a relatively large related overhead in the IP and other headers, the target server can be filled to capacity. The Minimal MTU size configuration option sets a minimum permissible size for packets in a data stream, allowing FireWall-1 to deny connections that attempt to set this size unreasonably low. You should be careful when configuring this option because an exceedingly small value will not prevent an attack, whereas an unnecessarily large value might result in legitimate requests being dropped.

Sequence Verifier

The Sequence Verifier matches the current TCP packet’s sequence numbers against a state kept for that TCP connection. Packets that match the connection in terms of TCP session but have sequence numbers that do not make sense are either dropped or stripped of data.

Fingerprint Scrambling

Fingerprinting is a technique by which a remote host gathers information about a host or network by inspecting the unintentional side effects of benign communications. Techniques include active fingerprinting, in which the attacker sends slightly off-protocol packets and tries to gather information from the responses (or lack thereof), and passive fingerprinting, in which the attacker either generates no traffic at all (relying on passively received traffic) or generates no more than standard traffic. These controls deal chiefly with scrambling the passive fingerprints of hosts inside the firewall perimeter.

SmartDefense can scramble some of the fields generally used for fingerprinting, disguising the original characteristics of hosts behind the firewall. Completely preventing fingerprinting is nearly impossible, but this control makes it more difficult for the attacker. Note also that although this feature makes it more difficult to fingerprint the hosts protected by the firewall, it does little to hide the fact that a firewall is present (i.e., fingerprinting the firewall’s existence is still possible).

ISN Spoofing

The first thing that happens when a TCP connection is established is a synchronization of sequence numbers between the client and the server. This occurs in a process called the TCP three-way handshake. In this exchange, the client notifies the server of the sequence numbers for the client side of the connection, and the server notifies the client of the sequence numbers for the server side. The sequence number chosen during the three-way handshake is called the Initial Sequence Number (ISN).

Because each operating system uses its own algorithm to choose ISNs, the pattern of ISNs forms a unique fingerprint for every system. By sending successive SYN requests and checking the differences between the ISNs, a potential attacker can determine the operating system that the server is running. SmartDefense prevents this kind of reconnaissance by introducing a difference between the sequence numbers used by the server and the sequence numbers seen by the client.

TTL

Each IP packet has a field called Time To Live (TTL). Each router along the path decrements this value by one. When a router decrements this value to zero, it drops the packet and sends an ICMP notification (destination unreachable) to the source. Usually, when a host sends a packet, it sets the TTL to a value large enough for the packet to reach its destination under ordinary circumstances. Different operating systems use different default initial values for TTL. Because of this, an attacker can estimate the number of routers between itself and the sending machine by making an informed guess about the original TTL.

Further, knowledge of the initial TTLs used offers additional information about what operating system the host is running. SmartDefense can rewrite the TTL field of all packets (or only of outgoing packets) to a given number. With this approach it is not possible to know how many internal routers (hops) lie between the target and the listener, and the listener cannot use knowledge of default TTL values to guess the operating system of the source host.

IP ID

IP packets have a 16-bit field called the ID, which is used when an IP packet is fragmented. The ID allows the receiving machine to know which virtual packet the fragmented packets belong to. Although two IP packets must have two distinct IP IDs, there is no official specification as to how to assign the IP ID to each packet.

Different operating systems use different algorithms for assigning IP IDs to packets. Consequently, an attacker can use this information to understand what operating system generated a particular packet. SmartDefense can replace the original IP ID with one generated by the Check Point enforcement point, thus disguising the algorithm used by the original operating system and consequently disguising the operating system’s characteristics from prospective attackers.
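The TTL and IP ID scrambling described in the two preceding sections, as an added example (not Check Point's implementation): outgoing TTLs are set to one fixed value and IP IDs are replaced by gateway-chosen ones, with the replacement kept consistent across the fragments of one datagram so the receiver can still reassemble it. The fixed TTL of 64 and the header fields modelled are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class IpHeader:
    src: str
    dst: str
    proto: int
    ident: int            # 16-bit IP ID
    ttl: int
    more_fragments: bool  # MF flag
    frag_offset: int      # in 8-octet units, as carried on the wire


class Scrambler:
    """Rewrites TTL to a fixed value and replaces the IP ID (a model of the
    controls described above, not Check Point's implementation)."""

    def __init__(self, fixed_ttl: int = 64):   # assumed value; the real setting is configurable
        self.fixed_ttl = fixed_ttl
        # original datagram -> gateway-chosen ID, so every fragment of it gets the same new ID
        self.id_map: Dict[Tuple[str, str, int, int], int] = {}

    @staticmethod
    def fresh_id() -> int:
        # Random rather than sequential, so the gateway's own choice is not a
        # counter an observer can track. Uniqueness among in-flight datagrams of
        # the same (src, dst, proto) is not enforced in this model.
        return secrets.randbelow(1 << 16)

    def rewrite(self, hdr: IpHeader) -> IpHeader:
        key = (hdr.src, hdr.dst, hdr.proto, hdr.ident)
        if hdr.more_fragments or hdr.frag_offset > 0:
            if key not in self.id_map:
                self.id_map[key] = self.fresh_id()
            new_id = self.id_map[key]
            if not hdr.more_fragments:
                # Last fragment seen: drop the mapping. This assumes in-order
                # fragments; a gateway that reassembles before forwarding, as the
                # chapter says the enforcement point does, has no such issue.
                self.id_map.pop(key, None)
        else:
            new_id = self.fresh_id()
        return replace(hdr, ident=new_id, ttl=self.fixed_ttl)


if __name__ == "__main__":
    s = Scrambler()
    first = IpHeader("10.0.0.5", "198.51.100.1", 17, 4321, 128, True, 0)    # constructed
    last = IpHeader("10.0.0.5", "198.51.100.1", 17, 4321, 128, False, 185)  # constructed
    print(s.rewrite(first))
    print(s.rewrite(last))
```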

Successive Events

Successive Events Detection (formerly known as Malicious Activity Detection) provides a method for detecting malicious or suspicious events and alerting the security administrator.

Successive Events Detection runs on the SmartCenter Server and analyzes logs from Check Point enforcement points by correlating log entries to attack profiles. The security administrator can adjust attack detection parameters, turn detection on or off for particular attacks, or disable the Successive Events feature entirely. Logs that do not arrive at the SmartCenter Server are not analyzed. Local logs and logs sent to a customer log module (CLM), for instance, are not checked.

The classes of malicious activity that can trigger successive events alerts include:

  • Address spoofing

  • Local interface spoofing

  • Port scanning

  • Successive alerts (an excessive number of alerts generated by policies in the rulebase)

  • Successive multiple connections (an excessive number of connections opened to a specific destination IP address and port number from the same source IP address)

Successive Events Detection can look for port scanning; however, newer versions of SmartDefense include a dedicated Port Scanning control, which should be used in preference to Successive Events Detection. We discuss this feature here for backward compatibility.

For each, the administrator can configure the number of events needed in a given period to trigger an action, as well as configure the individual action.

DShield Storm Center

The SmartDefense Storm Center Module enables a two-way information flow between Storm Centers and the organizations requiring network security information. Storm Centers gather logging information about attacks, voluntarily provided by organizations across the globe, then collate it and present reports on real-time network security threats in an immediately useful manner.

One of the leading Storm Centers is the SANS Institute’s DShield.org. Check Point SmartDefense integrates with the SANS DShield.org Storm Center in two ways, as discussed in the following sections.

Retrieve and Block Malicious IPs

The DShield.org Storm Center produces a Block List report, which lists address ranges that merit blocking and is regularly updated. The SmartDefense Storm Center Module retrieves and adds this list to the Security Policy in a manner that makes every update instantly effective. SmartDefense enables the system administrator to decide whether to block all the malicious IP addresses received from DShield.org, or whether to block addresses for specific gateways. Additionally, SmartDefense provides the system administrator with the option of being informed using logs, alerts, e-mail messages, and so on when IP addresses from within the IP address ranges in the Block List attempt to contact the network.

Report to DShield

Logs can be sent to the Storm Center to help other organizations combat the threats that SmartDefense and Web Intelligence detect. Administrators can decide which Check Point log types to send to the Storm Center.

The logs submitted to the Storm Center contain the following information:

  • Connection parameters, including the source IP address, destination IP address, source port, destination port (i.e., the service), and IP protocol (such as UDP, TCP, or ICMP)

  • Rulebase parameters, including time and action

  • A detailed description of the log

  • The name of the attack and the detected URL pattern, which are sent for HTTP worm patterns detected by Web Intelligence

To protect a client’s privacy, SmartDefense can delete information from the destination IP address in the submitted log that could be used for identification. Administrators can configure a mask size that defines how much of an internal address to delete. This ensures the privacy of the organization while allowing the Storm Centers to correlate the attack data.

SmartDefense integrates with the SANS DShield.org Storm Center in the following manner (see Figure 7.1):

  1. The DShield.org Storm Center produces a Block List report, which is a frequently updated list of address ranges that are recommended for blocking. The SmartDefense Storm Center Module retrieves and adds this list to the security policy.

  2. Logs are sent to the Storm Center, which uses them to help other organizations combat threats that were directed at the network. To send logs, select the Security Rules and SmartDefense/Web Intelligence controls for which you want to send logs.

Figure 7.1. How SmartDefense Integrates with the DShield.org Network Storm Center

To manually configure the blocking of malicious IPs, follow these steps:

  1. In SmartDefense, select Network Security | DShield Storm Center.

  2. Clear the Retrieve and Block Malicious IPs option.

  3. Add the Block List rule (see Table 7.1) and do the following:

    1. Place the Block List rule as high as possible in the Security rulebase, but below all authentication rules and any other rules for trusted sources that should not be blocked.

    2. To retrieve and drop malicious IPs only at particular gateways, specify them in the Install On cell of the rule.

    3. If you are also submitting logs to DShield and want to report logs generated by blocking malicious IPs, ensure that the Track setting is identical to the Submit Logs of Type setting in the SmartDefense DShield Storm Center | Report to DShield section.

    Table 7.1. The Block List Rule for the DShield Storm Center

    Source Address   Destination Address   Service   Action   Install On      Track          Comment
    CPDShield        Any                   Any       Drop     Policy target   User-defined   Block List rule for DShield

  4. Install the Security Policy.

Port Scans

Port scans are reconnaissance attacks that attackers implement to learn information about a network in preparation for an attack. This helps the attacker find potential target hosts and the services running on those hosts. Attackers can then direct their efforts to exploits that take advantage of those services.

Host Port Scan

A host port scan is a reconnaissance attack directed at a specific host or network. A scan can determine which services a host offers. For instance, a host port scan could determine that a specified host has TCP ports 23, 25, and 110 open, denoting that it may offer the Telnet, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol 3 (POP3) services.

Sweep Scan

An IP sweep scan looks for a specific open port and determines which hosts are listening on that port. Network worms, for example, employ IP sweep scans when they try to find machines to which they can propagate: the Blaster worm looks for the Remote Procedure Call (RPC) service, searching the complete network for that single open service.

Dynamic Ports

A number of application protocols, including the File Transfer Protocol (FTP) and Session Initiation Protocol (SIP), set up connections by opening IP ports dynamically. These ports can sometimes be the same as those employed by a predefined service making use of a well-known port (i.e., lower than 1024). Various attacks take advantage of this fact and attempt to bypass security validation by appearing to be generated by an allowed application that’s opening a port dynamically.

SmartDefense allows you to configure which ports are “privileged ports” that will be protected when opening a connection dynamically (e.g., FTP data connections). These ports are a subset of the ports of the TCP and UDP services defined. When an attacker is trying to open a dynamic connection to such a protected port, the connection is dropped. In addition, it is possible to explicitly protect low ports (those lower than 1024).

Application Intelligence

Many of the most serious threats from the Internet come from attacks that attempt to exploit application vulnerabilities. Because application-driven attacks tend to be sophisticated in nature, effective defenses must be equally sophisticated and intelligent. Check Point’s Application Intelligence is a set of advanced capabilities which detect and prevent application-level attacks.

Mail

In a mail and recipient content attack, e-mail worms and viruses introduce malicious code that can reach your system and infect other users through harmful attachments. In addition, a number of viruses are transmitted through harmless-looking e-mail messages and can run automatically without the need for user intervention.

Initially defined as a text-based message exchange, e-mail today can be employed to exchange nontext file formats such as audio and video across the Internet. The Multipurpose Internet Mail Extension (MIME), RFCs 2045 and 2046, was created as an extension to the basic e-mail protocols to accommodate these other file types. SmartDefense can recognize MIME attachments and limit their potential to introduce malicious content. By default, SmartDefense does not allow multiple content-type headers. Although the security administrator has the option of allowing multiple content-type headers, the SmartDefense default suggests that such a decision can open the network to malicious behavior and as such recommends a limitation of content-type headers.

SmartDefense strips MIME attachments of the particular type from the message. For example, the message/partial MIME type is stripped to prevent fragmented and reassembled messages. The message/partial MIME type can be employed to bypass most of the security restrictions imposed on e-mail messages (as the messages get divided into smaller segments) so that virus scanners or other content-testing mechanisms cannot detect the malicious messages.

SMTP Content

The SMTP Security Server allows for the stringent validation of SMTP. It protects against malicious mail messages, provides SMTP-centered security, prevents attempts to bypass the rulebase making use of mail relays, and prevents DoS and spam mail attacks.

Usually, the SMTP Security Server is activated by specifying resources in the rulebase. However, selecting Configuration applies to all connections will forward all SMTP connections to the SMTP Security Server and will enforce the defined settings on all connections; selecting Configurations apply only to connections related to rule base defined objects means that these configurations will apply only to SMTP connections for which a resource is defined in the rulebase.

Note

The settings in the Mail and Recipient Content window apply only if an SMTP resource is defined, even if Configurations apply to all connections is checked. The SMTP Security Server provides content security that enables an administrator to do the following:

  • Provide mail address translation by hiding any outgoing e-mail’s “From” address behind a standard generic address that conceals internal network structure and real internal users

  • Perform e-mail filtering based on SMTP addresses and IP addresses

  • Strip MIME attachments of particular classes from e-mail

  • Strip the received information from outgoing e-mail, to conceal the internal network structure

  • Drop e-mail messages larger than a given size

  • Send many e-mail messages per single connection

  • Resolve the domain name system (DNS) address for e-mail recipients and their domain on outgoing connections (MX Resolving)

  • Control the load generated by the e-mail dequeue in two different ways: by controlling the number of connections per site, and by controlling the overall connections generated by the e-mail dequeuer

  • Provide a rulebase match on the Security Server mail dequeuer which enables an e-mail-user-based policy, better performance of different e-mail content action per recipient of a given e-mail, generation of different e-mail contents on a per-user basis, and application of content security features at the user level

  • Perform Content Vectoring Protocol (CVP) checking (e.g., for viruses) with a third-party solution

Mail and Recipient Content

The settings in this section apply only if an SMTP resource is defined, even if Configuration applies to all connections is checked in the SMTP Security Server window. The SMTP Security Server does not provide authentication, as there is no person at the system who can be challenged for authentication. It does provide content security that enables the security administrator to supply e-mail address translation by hiding “From” addresses behind a standard generic address that conceals internal network structure and actual internal users, to perform e-mail filtering based on SMTP addresses and IP addresses, and to strip MIME attachments of particular classes from e-mail.

Here is a summary of the settings on this page:

  • Allow multiple content-type headers: Unchecked by default; if checked, the SMTP server will allow multiple content-type headers.

  • Allow multiple “encoding” headers: Unchecked by default; if checked, the SMTP server will allow multiple “encoding” headers.

  • Allow non-plain “encoding” headers: Unchecked by default; if checked, the SMTP server will allow non-plain “encoding” headers.

  • Allow unknown encoding: Checked by default; if checked, the SMTP server will allow unknown encoding methods.

  • Force recipient to have a domain name: Checked by default; if checked, the SMTP server will force the recipient to have a domain name.

  • Perform aggressive MIME strip: Checked by default:

    • If checked, the complete e-mail body will be scanned for headers such as Content-Type: text/html; charset=utf-8 and the MIME strip will be performed accordingly.

    • If unchecked, only the e-mail headers section and the headers of each MIME part will be scanned (if a relevant header is located, the MIME strip will consequently be performed).
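The multiple-content-type rule and the message/partial stripping described in the Mail section and in the settings list above, as an added example written with Python's standard email parser (not Check Point code). The message is constructed for illustration; the defaults mirror the "unchecked by default" settings for multiple headers.

```python
import email
from email.message import Message

# Constructed sample message (not a real capture): two top-level Content-Type
# headers and a message/partial fragment, the pattern the text warns about.
SAMPLE_MESSAGE = """From: alice@example.test
To: bob@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"
Content-Type: text/plain

--b1
Content-Type: text/plain

hello
--b1
Content-Type: message/partial; id="abc@example.test"; number=1; total=2

From: sender@example.test
Subject: fragment one of two
--b1--
"""


def strip_parts(msg: Message, blocked_types: set) -> list:
    """Recursively remove MIME parts whose content type is in blocked_types.

    Only multipart/* containers are descended into. Returns the list of the
    content types that were removed.
    """
    removed = []
    if msg.get_content_maintype() == "multipart" and msg.is_multipart():
        kept = []
        for part in msg.get_payload():
            if part.get_content_type() in blocked_types:
                removed.append(part.get_content_type())
            else:
                removed.extend(strip_parts(part, blocked_types))
                kept.append(part)
        msg.set_payload(kept)
    return removed


def check_mail(raw: str, allow_multiple_content_type=False,
               allow_multiple_encoding=False,
               strip_types=("message/partial",)):
    """Apply the header-count rules and MIME stripping to one raw message.

    Returns (findings, msg): findings is a list of human-readable reasons and
    msg is the parsed message with blocked parts removed.
    """
    msg = email.message_from_string(raw)
    findings = []

    n_ct = len(msg.get_all("Content-Type") or [])
    if n_ct > 1 and not allow_multiple_content_type:
        findings.append(f"multiple Content-Type headers ({n_ct})")

    n_enc = len(msg.get_all("Content-Transfer-Encoding") or [])
    if n_enc > 1 and not allow_multiple_encoding:
        findings.append(f"multiple Content-Transfer-Encoding headers ({n_enc})")

    blocked = set(strip_types)
    if msg.get_content_type() in blocked:
        findings.append(f"top-level type {msg.get_content_type()} is blocked")
    for ctype in strip_parts(msg, blocked):
        findings.append(f"stripped part of type {ctype}")
    return findings, msg


if __name__ == "__main__":
    found, cleaned = check_mail(SAMPLE_MESSAGE)
    print("\n".join(found))
    print("remaining parts:", [p.get_content_type() for p in cleaned.get_payload()])
```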

POP3/IMAP Security

SmartDefense offers options that limit e-mail messages delivered to the network using POP3/IMAP. These options make it possible to recognize and stop malicious behavior. For example, SmartDefense can limit the length of a username and password: an attacker can send a long string of characters where one is not expected, which may result in a buffer overflow that crashes the machine. Additionally, SmartDefense can verify and restrict binary data enclosed in POP3/IMAP messages.

SmartDefense can test POP3/IMAP usernames and passwords against the user database defined in VPN-1/FireWall-1. Based on this information, administrators can configure SmartDefense to restrict connections when the username and password are identical. SmartDefense ensures that POP3 and IMAP traffic adheres to the established protocols and security best practices. SmartDefense monitors the communication state of connections and can, for example, drop a LIST command if the user was not first authenticated as required by the protocol. In addition, SmartDefense can limit the number of NOOP commands issued. The NOOP command (No Operation) is rarely employed by e-mail clients but is used in selected DoS attacks.

FTP

These sections allow administrators to configure various controls related to FTP.

FTP Bounce

When an FTP client issues the PORT command as part of the FTP control session, the originating host specifies an arbitrary destination address and port for the data connection. This behavior also means that an attacker can open a connection to a port of his or her choosing on a host that may not be the originating client.

Making this connection to an arbitrary host for unauthorized purposes is the FTP Bounce attack. SmartDefense protects against FTP Bounce attacks by allowing only FTP sessions in which the control and data session IP addresses match. Administrators can also configure preferred tracking options.

FTP Security Server

The FTP Security Server provides authentication services and content security based on FTP commands (PUT/GET); filename restrictions; and CVP checking (e.g., viruses and other malware). In addition, the FTP Security Server logs FTP GET and PUT commands, as well as associated filenames.

The FTP Security Server is characteristically enabled by specifying rules in the firewall security policy. If you select the Configuration applies to all connections option, the firewall will forward all FTP connections to the FTP Security Server.

Allowed FTP Commands

For security reasons, it is possible to limit the FTP commands allowed to pass through the firewall.

Prevent Known Ports Checking allows you to select whether to allow the FTP Security Server to connect to well-known ports. Thus, it provides a second layer of protection against selected bounce attacks. Even if the attacker manages to bounce a connection, the FTP Security Server will not let the bounce connect to any port running a known service. SmartDefense blocks attempts to issue FTP PORT commands to connect to well-known TCP or UDP port numbers (e.g., TCP port 23 for Telnet and TCP 80 for HTTP).

Preventing Port Overflow Checks

To conform to the FTP specifications, the PORT command lets the originating host specify an arbitrary destination address and port for the data connection. By using different representations of the same number, attackers can attempt to bypass restrictions on PORT connections. SmartDefense blocks connections that use multiple representations of the same number in an FTP PORT command.

Note

By default, SmartDefense is configured to perform PORT overflow checks for FTP connections; toggling the checkbox on disables this enforcement. In general, disabling this check is recommended only when the administrator needs to preserve connectivity for a specific application that cannot comply with the safeguard.
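The FTP checks above (bounce, allowed commands, known-port protection, PORT overflow) and the privileged-port rule from the Dynamic Ports section, as one added validator that is not Check Point code. The protected-port set, the allowed-command list and the sample session are assumptions constructed for this example.

```python
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

# Assumption: the privileged ports this firewall protects for dynamically
# opened connections, a subset of its defined TCP/UDP services.
PROTECTED_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 443}

# Assumption: the list an administrator configured under "Allowed FTP Commands".
ALLOWED_COMMANDS = {"USER", "PASS", "PORT", "PASV", "TYPE", "RETR", "STOR", "LIST", "QUIT"}


def check_port_command(line, control_client_ip, block_known_ports=True,
                       protect_low_ports=False, overflow_check=True):
    """Validate one FTP PORT command against the client IP of the control session.

    Returns (verdict, reason), verdict being "accept" or "drop". Checks, in order:
    syntax; PORT overflow (a field with a leading zero or a value above 255 is a
    second representation of the same byte); FTP bounce (data address differs
    from the control client); protected well-known ports; optionally all low ports.
    """
    m = PORT_RE.match(line)
    if not m:
        return "drop", "malformed PORT command"
    fields = m.groups()
    if overflow_check:
        for f in fields:
            if (len(f) > 1 and f[0] == "0") or int(f) > 255:
                return "drop", f"PORT overflow: field {f!r} is not a canonical byte"
    # With the overflow check off, model a server that truncates each field to a byte.
    h1, h2, h3, h4, p1, p2 = (int(f) & 0xFF for f in fields)
    data_ip = f"{h1}.{h2}.{h3}.{h4}"
    data_port = p1 * 256 + p2
    if data_ip != control_client_ip:
        return "drop", f"FTP bounce: data address {data_ip} differs from control client {control_client_ip}"
    if block_known_ports and data_port in PROTECTED_PORTS:
        return "drop", f"data port {data_port} is a protected well-known port"
    if protect_low_ports and data_port < 1024:
        return "drop", f"data port {data_port} is a low port"
    return "accept", f"data connection to {data_ip}:{data_port}"


def check_command(line):
    """Enforce the allowed-command list on any FTP control-channel line."""
    verb = line.split(None, 1)[0].upper() if line.strip() else ""
    if verb not in ALLOWED_COMMANDS:
        return "drop", f"FTP command {verb or '<empty>'} not allowed"
    return "accept", f"command {verb} allowed"


def inspect_session(lines, control_client_ip, **options):
    """Run each control line through the command filter, then PORT validation.

    Returns a list of (line, verdict, reason) in session order.
    """
    results = []
    for line in lines:
        verdict, reason = check_command(line)
        if verdict == "accept" and line.upper().startswith("PORT"):
            verdict, reason = check_port_command(line, control_client_ip, **options)
        results.append((line, verdict, reason))
    return results


# Constructed control-channel lines from a client at 10.0.0.5 (not a real capture).
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 10,0,0,5,8,10",      # legitimate: data connection to 10.0.0.5:2058
    "PORT 192,168,1,9,0,23",   # bounce attempt toward another host's Telnet port
    "PORT 10,0,0,5,0,80",      # same host, but a protected well-known port
    "PORT 10,0,0,5,0,336",     # overflow: 336 does not fit in a byte
    "PORT 10,0,0,5,8,010",     # overflow: leading zero, alternate spelling of 10
    "SITE EXEC ls",            # verb not on the allowed-command list
]

if __name__ == "__main__":
    for line, verdict, reason in inspect_session(SAMPLE_SESSION, "10.0.0.5"):
        print(f"{verdict:6} {line!r}: {reason}")
```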

Microsoft Networking

Clicking Configuration applies to all connections will enforce settings on all connections.

File and Print Sharing

CIFS, the Common Internet File System (sometimes called SMB for Server Message Block), is a protocol for sharing files and printers in a Microsoft environment. The protocol is widely implemented by Microsoft operating systems. CIFS has many known vulnerabilities, including Null Session exploits and Host Announcement flooding. In addition, many worms that have infected a host exploit CIFS as a means of propagation.

The SANS Institute has acknowledged that unprotected Windows networking shares are one of the top 20 critical threats to Internet security (www.sans.org/top20), mainly because of the frequency of exploits that target this vulnerability.

The File and Print Sharing control lets administrators configure worm signatures that can detect and block worm attacks at the Check Point enforcement point. This detection takes place in the kernel and does not require a security server.

Peer-to-Peer Applications

Peer-to-peer applications pose security concerns for organizations as they become increasingly popular and more intelligent in how they interconnect peer nodes. Historically, peer-to-peer applications were simple to block as they employed central servers to coordinate communications. Today, peer-to-peer applications are frequently complex to perceive for numerous reasons, including their capability to exploit proprietary protocols across any accessible port, their ability to masquerade as HTTP traffic across the characteristic TCP port 80 channel, and their inventive mechanisms for making use of reachable peers as a proxy to reach other peers blocked by a firewall. In these ways, peer-to-peer applications have emerged as a potential covert channel for transferring confidential information across the traditional security perimeter.

This control detects and blocks the most widely deployed peer-to-peer applications. Once configured, it can detect peer-to-peer applications running across all 64,535 possible ports. In addition, it inspects HTTP traffic to detect peer-to-peer applications masquerading as HTTP traffic across port 80. This control includes HTTP header value definitions for most common peer-to-peer applications and allows administrators to add additional headers if needed. In addition, the SmartDefense Service allows updates to these headers as they become available.

The Exclusion Settings options allow specific ports or hosts to be excluded from peer-to-peer checking. SmartDefense can monitor the following peer-to-peer applications and their variants.

Kazaa

Both iMesh and Grokster are identified in the SmartView Tracker as KaZaA.

Gnutella et al.

Gnutella, Bearshare, Shareaza, and Morpheus are identified in the SmartView Tracker as Gnutella. The following peer-to-peer applications are also detected:

  • eMule

  • Skype

  • BitTorrent

Yahoo!

SmartDefense recognizes Yahoo! Messenger when used for messaging, voice, video, and file transfer.

ICQ

SmartDefense recognizes ICQ when used for messaging, voice, video, and file transfer.

SmartDefense also defeats peer-to-peer firewall traversal. Most peer-to-peer applications include firewall traversal features, which look for open ports in the firewall. SmartDefense can detect peer-to-peer applications attempting to traverse any open port.

SmartDefense also prevents HTTP masquerading. Many peer-to-peer applications can hide by encapsulating their communications in HTTP. SmartDefense can detect and block these connections.

SmartDefense can defeat peer-to-peer proxies as well. In a number of peer-to-peer applications, peer nodes exchange location information in a manner comparable to dynamic routing protocols. This information allows an internal peer to initiate a connection from inside the network, traversing firewalls that consider any connection initiated from inside the network as safe. SmartDefense blocks these classes of connections.

Instant Messaging

Instant Messaging applications provide communication and collaboration among Internet users using various modes of communication, including the exchange of instant messages, voice and video, application sharing, white boards, file transfer, and remote assistance. The odds are that these applications are already in use within your organization; Check Point adds the ability to monitor and control these applications.

MSN over SIP

MSN Messenger uses SIP for real-time voice, video, and collaboration communication. Just like other network applications, an attacker can exploit MSN Messenger in an attack.

This control provides several security settings for MSN Messenger. SmartDefense can block all MSN Messenger traffic or restrict specific allowable actions, including file transfer, application sharing, white boards, and remote assistance. In addition, SmartDefense will apply the general SIP controls as configured in SmartDashboard.

DNS

DNS is the standard Internet protocol that maps human-readable names (e.g., www.syngress.com) to machine-readable IP addresses. To taint a network with malicious content, attackers attempt to alter the content of a DNS packet and make it enter the network undetected. When clients then ask an infected DNS server to resolve a name to an IP address, they may receive an IP address pointing them to the attacker’s site or to a nonexistent host.

SmartDefense is able to detect a DNS packet that has been altered. This capability enables SmartDefense to catch potentially harmful packets before they enter the network. DNS queries are generally transmitted over UDP, but in a number of cases they are exchanged over TCP, such as during zone transfers between DNS servers. SmartDefense enables a system administrator to enforce DNS over both TCP and UDP: controls are applied to all DNS port connections over UDP and TCP to prevent attackers from using DNS for an attack.

Protocol Enforcement

By selecting the UDP protocol enforcement option, administrators can configure VPN-1/FireWall-1 to monitor DNS traffic to ensure compliance with DNS RFCs, meaning that the DNS packets are correctly formatted and contain only DNS-related information. DNS RFCs include 1034, 1035, 1996, 2136, 2317, 2535, and 2671. SmartDefense will test several RFC-defined parameters, including lengths, counters, header flags, domain format, and resource record format, among others.

Domain Black Lists

A black list is a group of URL addresses that have been prohibited. SmartDefense contains a black list for the purpose of filtering out undesirable traffic. SmartDefense will not permit a user to access a domain address listed in the black list. You can update the domain black list manually or automatically as part of the SmartDefense Service.

Cache Poisoning

To reduce DNS traffic, name servers maintain a cache. Each DNS record includes a TTL value, which tells the DNS server how long the record can be stored in the cache before it expires. Cache poisoning occurs when a DNS server caches mapping information from a remote name server that was deliberately altered. The DNS server caches the incorrect information and serves it as the requested information. As a result, e-mail messages and URL requests can be redirected, and the information sent by a user can be captured and corrupted.

Scrambling

DNS performs limited authentication for DNS transactions, checking only source and destination IP addresses, port numbers, and query IDs. Query IDs are assigned by the host that initiates the DNS query. Attackers exploit a number of techniques to obtain a valid query ID, exploiting weaknesses in random number generators in DNS servers and employing advanced statistical analysis (e.g., the Birthday attack). Given the ID number and source port, an attacker can send a spoofed reply that contains counterfeit information on behalf of the name server to which the request was initially sent. This enables the redirection of the hosts to fake Web sites that can be used to collect private user information.

To guard the corporate DNS server from cache poisoning, SmartDefense has the capability to scramble the source port and query ID number of each DNS request. This control can be applied either to all traffic or to specific servers.

Dropping Inbound Requests

DNS is a distributed protocol whereby information is distributed all over the Internet instead of being hosted in a single site. DNS defines a process that lets clients find the correct DNS server with the information required. Each domain has one or more authoritative domain servers that are responsible for the maintenance and distribution of DNS information for that domain. Consequently, as these are considered the definitive repository of domain information, they are also an attractive target for an attacker. A compromised authoritative DNS server poses an issue for all users on the network trying to connect to an organization’s domain (potentially both internally and externally).

SmartDefense minimizes the risk faced by an authoritative domain server from attack. Because the server is authoritative for a predefined set of domains, inbound DNS queries for other domains would not be expected. SmartDefense can restrict inbound requests to a DNS server to only those related to the defined domains. Any inbound requests for domains not defined in SmartDefense are blocked.

Detecting Mismatched Replies

A mismatched reply occurs when a DNS query results in an answer that does not match the requested information. Mismatched replies indicate an attempt to perform DNS cache poisoning. When a large number of mismatched replies occur over a specific period, it can be assumed that the network has been corrupted.

To protect the network from cache poisoning, SmartDefense employs a threshold. The threshold detects mismatched replies when more than a specific number of mismatched replies occur over a specific amount of time. When
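The two cache-poisoning defenses described above, source-port/query-ID scrambling (Scrambling) and the mismatched-reply threshold (Detecting Mismatched Replies), as one added gateway-side model that is not Check Point code. The class name, the threshold of three in ten seconds and the client addresses are assumptions made for the example.

```python
import secrets
import time
from collections import deque


class DnsGuard:
    """Hypothetical gateway-side DNS guard (added example, not Check Point code).

    scramble(): replaces a client query's ID and source port with unpredictable
    values and remembers the mapping, so a spoofer cannot guess them.
    reply(): matches an inbound reply to a pending query. A reply whose
    (port, id) pair is unknown, or whose question name differs, is a mismatched
    reply; more than `threshold` mismatches inside `window_seconds` is an alert.
    """

    def __init__(self, threshold=5, window_seconds=60.0):
        # (scrambled_port, scrambled_id) -> (client, orig_port, orig_id, qname)
        self.pending = {}
        self.mismatches = deque()     # timestamps of recent mismatched replies
        self.threshold = threshold
        self.window = window_seconds

    def scramble(self, client, orig_port, orig_id, qname):
        """Pick a fresh (port, id) pair for the outbound query and record it."""
        while True:
            port = secrets.randbelow(65536 - 1024) + 1024   # ephemeral range (assumption)
            txid = secrets.randbelow(65536)
            if (port, txid) not in self.pending:
                break
        self.pending[(port, txid)] = (client, orig_port, orig_id, qname.lower())
        return port, txid

    def reply(self, dst_port, txid, qname, now=None):
        """Classify an inbound reply: forward to the client, drop, or alert."""
        now = time.time() if now is None else now
        entry = self.pending.get((dst_port, txid))
        if entry is None or entry[3] != qname.lower():
            return self._record_mismatch(now)
        del self.pending[(dst_port, txid)]
        client, orig_port, orig_id, _ = entry
        # The original ID and port are restored before the reply goes to the client.
        return ("forward", client, orig_port, orig_id)

    def _record_mismatch(self, now):
        self.mismatches.append(now)
        while self.mismatches and now - self.mismatches[0] > self.window:
            self.mismatches.popleft()
        if len(self.mismatches) > self.threshold:
            return ("alert", len(self.mismatches))
        return ("drop", "mismatched reply")


if __name__ == "__main__":
    guard = DnsGuard(threshold=3, window_seconds=10)
    port, txid = guard.scramble("10.0.0.5", 5353, 0x1234, "www.example.test")
    print("outbound query rewritten to port", port, "id", txid)
    # Constructed spoofed replies guessing neighbouring IDs trip the threshold.
    for k in range(1, 5):
        print(guard.reply(port, (txid + k) % 65536, "www.example.test", now=100.0 + k))
    print(guard.reply(port, txid, "www.example.test", now=105.0))
```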

Voice over IP (VoIP)

Voice and video traffic, like any other information on the corporate IP network, has to be protected as it enters and leaves the organization. Possible threats to this traffic include:

  • Call redirections, where calls intended for the receiver are redirected to someone else

  • Stealing calls, where the caller pretends to be someone else

  • Unauthorized, free toll calls

  • DoS attacks caused by hacking a VoIP device or spoofing a call termination message

  • Systems hacking, or making use of ports opened for VoIP connections

Important Capabilities

In addition to the controls and capabilities offered through firewall policies (these include VoIP domains, network address translator [NAT] traversal, and more), SmartDefense provides enhanced security capabilities for VoIP protocols. One of these is dynamic ports, which open firewall ports only when needed. For instance, FireWall-1 opens only the ports that have been negotiated during VoIP call setup, including those transmitted inside the protocol.

Flow enforcement monitors the state of communication between VoIP endpoints and ensures that they follow the flow defined by the individual RFCs. This helps to prevent hijackers from interjecting malicious traffic outside the regular call session process (e.g., sending fake call termination notices in an attempt to deceive a billing system).

H.323 Voice Protocol

H.323 is an International Telecommunication Union (ITU) standard that specifies the components, protocols, and procedures that provide multimedia communication services, as well as real-time audio, video, and data communications over packet networks, including IP-based networks.

SmartDefense supports H.323 Version 2, which includes H.225 Version 2 and H.245 Version 3. It performs the following application layer checks:

  • It provides strict validation of the protocol, including the order and direction of H.323 packets.

  • If the phone number sent is longer than 24 characters the packet is dropped, preventing buffer overruns in the server.

  • Dynamic ports will be opened only if the port is not in use by another service (e.g., if the Connect message specifies port 80 for H.245, it will not be opened, preventing well-known ports from being exploited illicitly).

SIP Voice Protocol

SIP is a VoIP protocol transported over UDP. SIP is one of the most widely accepted VoIP protocols with integration in many applications, including Microsoft Windows XP and MSN Messenger. SIP is an application-layer control protocol required for the creation, modification, and termination of sessions with one or more participants. SmartDefense Application Intelligence ensures that packets match the RFC 3261 for SIP over UDP/IP specifications (SIP over TCP is unsupported). It also inspects SIP-based Instant Messaging protocols, and it protects against DoS attacks as well as against penetration attempts such as connection hijacking and connection manipulation.

SmartDefense validates the expected usage of SIP. For example, if an end-of-call message is sent immediately after the start of the call, the call will be denied because this behavior is characteristic of a DoS attack. Application-level checks include:

  • Checks for binaries and illegal characters in packets

  • Strict RFC validation for header fields

  • Header field length restrictions

  • Removal of unknown media types

MGCP Voice Protocol

The Media Gateway Control Protocol (MGCP) is a protocol for controlling telephony gateways from external call control devices called call agents (also known as Media Gateway Controllers). MGCP is a client/server protocol, which means it assumes limited intelligence at the edge (endpoints) and intelligence at the core (call agent). In this it differs from SIP and H.323, which are peer-to-peer protocols.

SmartDefense provides full network-level security for MGCP. SmartDefense enforces stringent compliance with RFC 2705, RFC 3435 (Version 1.0), and ITU TGCP specification J.171.

Additionally, SmartDefense affords inspection of fragmented packets, anti-spoofing, and security against DoS attacks. SmartDefense restricts handover locations and controls signaling and data connections. NAT on MGCP is not supported. SmartDefense can perform additional content security checks for MGCP connections, thereby providing a greater level of protection. MGCP-specific Application Intelligence security is configured via SmartDefense. Three options are available with this control:

  • Define individual MGCP commands to accept or block.

  • Verify MGCP header content.

  • Allow multicast Real-time Transport Protocol (RTP) connections.

SCCP Voice Protocol

The Skinny Client Control Protocol (SCCP) controls telephony gateways from external call control devices (call agents, or Media Gateway Controllers). SCCP is a VoIP protocol used in many Cisco voice implementations.

SmartDefense provides full connectivity and network-level security for SCCP-based VoIP communication. All SCCP traffic is inspected, and authentic traffic is allowed to pass while attacks are blocked. All SmartDefense capabilities are supported by this control, including anti-spoofing and protection against DoS attacks. SmartDefense restricts handover locations, and controls signaling and data connections. Fragmented packets are examined and secured, making use of kernel-based streaming. NAT on SCCP devices is not supported.

SmartDefense tracks state and verifies that the state is valid for all SCCP messages. For a number of key messages, it also verifies the existence and correctness of the message parameters.

VoIP Enhancements

New SIP features to enhance VoIP include:

  • MGCP NAT support

  • MGCP on dynamic ports

  • SIP NAT support in a Back-to-Back User Agent (B2BUA) configuration

  • Static NAT for a SIP proxy in internal networks

  • Extended SIP state machine

  • Blocked/allowed SIP commands

  • Interoperability with Nortel, Broadsoft, Cisco, NEC, Polycom, Sylantro, Avaya, and others

SNMP

SNMP is part of the Internet protocol suite that provides a consistent framework for the management of various network devices. It is frequently implemented for managing network devices. The current version of SNMP is Version 3. In terms of security, SNMP versions 2 and 3 provide enhanced security over Version 1. SNMPv3 contains security features such as authentication, authorization, access control, data integrity, key management, and encryption options not available in previous SNMP versions.

Attackers exploit several issues related to SNMP. SNMP packets can be used to gain information about network devices, which was a particular concern in prior versions of SNMP that did not implement authentication or other security features. Additionally, default community strings are widely known for many vendors. Attackers can exploit this information to monitor or configure devices making use of the default strings.

SmartDefense provides several security features for SNMP. SmartDefense can be configured to permit only the more secure SNMPv3, rejecting SNMP versions 1 and 2. If SNMP versions 1 and 2 are required, SmartDefense can block SNMP packets that use particular community strings. Several well-known default community strings are preconfigured, but administrators can define their own set of strings to block. This allows continued use of the insecure SNMP versions 1 and 2 while increasing security by mitigating attacks that use well-known default community strings.
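The version and community-string filtering just described, as an added example that is not Check Point code. It parses only the outer BER structure of an SNMP message (version INTEGER, then the community OCTET STRING for v1/v2c); the blocked-community list and the sample packets are constructed for illustration.

```python
# Assumption: a short list of vendor default community strings, standing in for
# the preconfigured set an administrator would extend with their own.
DEFAULT_COMMUNITIES = {b"public", b"private"}

VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}   # wire values used by SNMP


def _read_tlv(buf, pos):
    """Parse one BER TLV at pos; return (tag, value, next_pos).

    Handles short and long definite lengths, which is all SNMP uses.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet):
    """Return (version, community); community is None for SNMPv3."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return 3, None          # v3 carries msgGlobalData here, not a community
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, bytes(community)


def filter_snmp(packet, v3_only=False, blocked_communities=DEFAULT_COMMUNITIES):
    """Decide whether a UDP/161 payload passes: ("accept"|"drop", reason)."""
    try:
        version, community = parse_snmp(packet)
    except (ValueError, IndexError) as exc:
        return "drop", f"malformed SNMP: {exc}"
    name = VERSION_NAMES.get(version, f"unknown({version})")
    if version == 3:
        return "accept", "SNMPv3"
    if v3_only:
        return "drop", f"SNMP{name} rejected; only v3 allowed"
    if community in blocked_communities:
        return "drop", f"SNMP{name} with blocked community string {community!r}"
    return "accept", f"SNMP{name} community {community!r}"


def _tlv(tag, value):
    """Encode one BER TLV with a short-form length (enough for these samples)."""
    if len(value) >= 128:
        raise ValueError("sample builder supports short lengths only")
    return bytes([tag, len(value)]) + value


def build_snmp_community(version, community):
    """Constructed SNMPv1/v2c get-request wrapper: version 0 = v1, 1 = v2c."""
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + pdu)


def build_snmp_v3():
    """Constructed minimal SNMPv3 header: version 3 followed by msgGlobalData."""
    global_data = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x7f\xff")
                       + _tlv(0x04, b"\x04") + _tlv(0x02, b"\x03"))
    return _tlv(0x30, _tlv(0x02, b"\x03") + global_data)


if __name__ == "__main__":
    print(filter_snmp(build_snmp_community(0, b"public")))
    print(filter_snmp(build_snmp_community(1, b"s3cret-ro")))
    print(filter_snmp(build_snmp_community(1, b"s3cret-ro"), v3_only=True))
    print(filter_snmp(build_snmp_v3()))
```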

VPN Protocols

Application Intelligence extends client-to-client communication by defining an Office Mode range of addresses for remote clients, and then including this range of addresses in the virtual private network (VPN) domain of the gateway that acts as the hub. Each remote client directs communication to the remote peer via the gateway; from the remote client’s perspective, its peer belongs to the VPN domain of the gateway.

Small IKE Phase II Proposals

Two properties control whether small proposals are used—one for pre-NG with Application Intelligence, and the other for NG with Application Intelligence:

  • phase2_proposal: Determines whether an old client (pre-NG with Application Intelligence) will try small proposals. The default is “false.”

  • phase2_proposal_size: Determines whether a new client (for NG with Application Intelligence) will try small proposals. The default is “true.” In Global Properties | Remote Access page | VPN - Advanced subpage | User Encryption Properties, select AES-128. This configures remote users to offer AES-128 as a small proposal.

VPN Attack Prevention

The VPN capabilities of the Application Intelligence feature allow the administrator to validate digital certificates used against the Certificate Revocation List and monitor for preshared secret vulnerability. This provides protection against:

  • Internet Key Exchange (IKE) brute force attacks

  • Hub-and-spoke topology attacks

  • IKE UDP DoS attacks

  • Windows 2000 IKE DoS attacks

  • VPN IP spoofing attacks

  • VPN MITM attacks

Content Protection

VPN-1 provides web content security via its OPSEC partners. This allows URL filtering and network virus protection making use of Check Point best-of-breed partners. VPN-1 also provides a number of integrated Web security capabilities that are configured via the Security rulebase. These include a number of URL-based protections, and the ability to secure XML Web Services (SOAP) on Web servers.

Web Intelligence allows the definition of an error page that can be sent back to the user whose browsing was blocked (see Figure 7.2). This control can be utilized in combination with SmartView Tracker to identify the exact cause of a connection being closed.

Figure 7.2. HTML Error Page Configuration

MS-RPC

MS-RPC is a protocol used by many applications in a networked environment. It allows client machines to access (call) a server for selected functions (procedures) as though the server were located on the client machine. Similar to FTP, clients and servers negotiate ports within the MS-RPC session. For firewalls that must open or close ports to provide access control, MS-RPC can pose unique challenges due to the dynamic nature of the protocol. To traverse a firewall, either a wide range of ports must be left open to allow MS-RPC, or the firewall must understand MS-RPC communications. As a consequence of being deployed in the majority of Microsoft applications, MS-RPC is often exploited by attackers in attacks such as the Blaster worm and Spike. These attacks are based on malformed MS-RPC traffic. SmartDefense understands the MS-RPC protocol and routinely applies several security features every time MS-RPC is permitted as part of the firewall security policy. No configuration is required. These controls are based on the understanding of MS-RPC formats, sessions, and defined flow.

Important Capabilities

SmartDefense includes some important capabilities. For example, with strict protocol enforcement, SmartDefense checks and verifies protocol fields. This prevents worms and other attacks from making use of malformed MS-RPC packets. In addition, with protocol flow enforcement, SmartDefense monitors communication sessions to ensure that the state and flow adhere to the protocol. For example, SmartDefense ensures that new MS-RPC sessions start with a call to the server’s EndPointMapper (commonly called the portmapper or rpcbind), which is defined as part of the MS-RPC protocol and is used to first establish the ports for the application session.

Dynamic port allocation means that SmartDefense opens ports only as they are negotiated during the MS-RPC session, minimizing both the number of ports and the length of time they are open on the firewall. Each application in an MS-RPC environment is identified by a globally unique identifier (GUID); applications such as Microsoft Outlook have an assigned GUID. SmartDefense recognizes GUIDs and restricts MS-RPC calls to only those applications permitted in the firewall policy.

MS-SQL

Application Intelligence provides the capability to block specific MS-SQL attacks. These include:

  • SQL resolver buffer overflows

  • The SQL Slammer worm

Routing Protocols

Application Intelligence provides additional fortification to IP routing. Dynamic routing protocols, of which the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP) are the most widely deployed, have been increasingly abused by malicious users over the past few years. In the absence of strong authentication validation verifying that routing information comes from the true peer router, a malicious user may spoof or modify valid routing protocol messages and corrupt or change a network’s routing tables. This may cause a redirection of network traffic, connectivity problems, excessive bandwidth consumption, and a potential denial of service to the router or, specifically, the routing protocol.

To block routing-protocol-based attacks, Check Point has added a control designed to verify that all traffic is Message Digest 5 (MD5)-authenticated (all protocols) and that all packet headers are valid (RIP, OSPF).

By applying this protection, SmartDefense will enforce the packet header validity advertised by OSPF and RIP, including protocol version, message type, and packet length. This control will also enforce MD5 routing authentication on all protocols and will detect and restrict other authentication mechanisms that are considered insecure (e.g., plain text password authentication).
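As an added example (not Check Point code), these Python functions implement the two routing-protocol checks described above for OSPFv2 and RIPv2: packet header validity (version, message type, length) and enforcement of MD5 authentication, with plain-text password authentication rejected as insecure. Field layouts follow RFC 2328 (OSPFv2), RFC 2453 (RIPv2) and RFC 2082 (RIPv2 MD5 authentication); the sample packets are constructed for the demonstration, not captured traffic.

```python
import struct

OSPF_TYPES = {1: "hello", 2: "dbd", 3: "lsr", 4: "lsu", 5: "lsack"}
OSPF_AU_NULL, OSPF_AU_SIMPLE, OSPF_AU_CRYPT = 0, 1, 2      # RFC 2328 AuType values
RIP_COMMANDS = {1: "request", 2: "response"}
RIP_AUTH_SIMPLE, RIP_AUTH_MD5 = 2, 3                      # RFC 2453 / RFC 2082
MD5_DIGEST_LEN = 16


def inspect_ospf(pkt: bytes):
    """Return (accept, reason) for one OSPFv2 packet (the IP protocol 89 payload)."""
    if len(pkt) < 24:
        return False, "ospf: truncated header"
    version, ptype, length, _rid, _area, _csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != 2:
        return False, f"ospf: bad version {version}"
    if ptype not in OSPF_TYPES:
        return False, f"ospf: unknown packet type {ptype}"
    if autype == OSPF_AU_SIMPLE:
        return False, "ospf: plain-text password authentication is insecure"
    if autype != OSPF_AU_CRYPT:
        return False, f"ospf: AuType {autype} is not cryptographic (MD5)"
    # With cryptographic auth the digest follows the packet and is excluded from
    # the length field; the 8-byte auth field carries key id, digest length, seq.
    _zero, _key_id, auth_len, _seq = struct.unpack("!HBBI", pkt[16:24])
    if auth_len != MD5_DIGEST_LEN or length + auth_len != len(pkt):
        return False, f"ospf: length {length}+{auth_len} != packet size {len(pkt)}"
    return True, f"ospf: {OSPF_TYPES[ptype]} MD5-authenticated"


def inspect_rip(dgram: bytes):
    """Return (accept, reason) for one RIP datagram (the UDP/520 payload)."""
    if len(dgram) < 24 or (len(dgram) - 4) % 20:
        return False, "rip: length is not 4 + n*20"
    command, version, zero = struct.unpack("!BBH", dgram[:4])
    if command not in RIP_COMMANDS:
        return False, f"rip: unknown command {command}"
    if version != 2 or zero != 0:
        return False, f"rip: version {version} cannot carry MD5 auth, or reserved field set"
    afi, auth_type = struct.unpack("!HH", dgram[4:8])
    if afi != 0xFFFF:
        return False, "rip: first entry is not an authentication entry"
    if auth_type == RIP_AUTH_SIMPLE:
        return False, "rip: plain-text password authentication is insecure"
    if auth_type != RIP_AUTH_MD5:
        return False, f"rip: auth type {auth_type} is not MD5"
    return True, f"rip: {RIP_COMMANDS[command]} MD5-authenticated"


# --- constructed sample packets (not captured traffic) ---
def _ospf_hello(autype: int) -> bytes:
    body = b"\x00" * 20                       # minimal hello body
    length = 24 + len(body)                   # the length field excludes the MD5 trailer
    hdr = struct.pack("!BBHIIHH", 2, 1, length, 0x0A000001, 0, 0, autype)
    if autype == OSPF_AU_CRYPT:
        auth = struct.pack("!HBBI", 0, 1, MD5_DIGEST_LEN, 1)
        return hdr + auth + body + b"\xAA" * MD5_DIGEST_LEN   # placeholder digest
    return hdr + b"secret\x00\x00" + body


OSPF_MD5 = _ospf_hello(OSPF_AU_CRYPT)
OSPF_PLAIN = _ospf_hello(OSPF_AU_SIMPLE)

# RIPv2 response: header, MD5 auth entry, one route, MD5 trailer entry
RIP_MD5 = (struct.pack("!BBH", 2, 2, 0)
           + struct.pack("!HHHBBI8x", 0xFFFF, RIP_AUTH_MD5, 44, 1, MD5_DIGEST_LEN, 7)
           + struct.pack("!HH4s4s4sI", 2, 0, b"\x0a\x01\x00\x00", b"\xff\xff\xff\x00", b"\x00" * 4, 1)
           + struct.pack("!HH", 0xFFFF, 1) + b"\xBB" * MD5_DIGEST_LEN)
RIP_PLAIN = (struct.pack("!BBH", 2, 2, 0)
             + struct.pack("!HH16s", 0xFFFF, RIP_AUTH_SIMPLE, b"secret"))

if __name__ == "__main__":
    for sample in (OSPF_MD5, OSPF_PLAIN):
        print(inspect_ospf(sample))
    for sample in (RIP_MD5, RIP_PLAIN):
        print(inspect_rip(sample))
```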

In addition to protecting dynamic routing protocols, IP controls also stop the following attacks:

  • IP record routes

  • IP source routes

  • Loose source routes

  • Strict source routes

  • IP spoofing

SUN-RPC

Application Intelligence provides the capability to restrict specific SUN-RPC attacks. These include:

  • ToolTalk attacks

  • snmpXdmid attacks

  • rstat attacks

  • mountd attacks

  • cmsd attacks

  • cachefsd attacks

DHCP

Application Intelligence provides validation of the Dynamic Host Configuration Protocol (DHCP) that offers the following features:

  • Performs stringent DHCP option enforcement, allowing only selected and approved DHCP options to be issued to the client

  • The capability to drop unauthorized BOOTP clients

  • The capability to drop non-Ethernet DHCP clients from the network

SOCKS

Proxy servers use the SOCKS protocol to handle requests from clients and forward these requests across the Internet. The risk to applications that use the protocol is that Trojan or backdoor programs can exploit the default SOCKS port (TCP/1080) to bypass firewalls, resulting in remote code execution and data theft.

The SOCKS protocol is increasingly exploited by worms with Trojan capabilities as a communication channel to gain remote control over systems. Some of these worms include:

  • The mass-mailing Win32.Mydoom, which opens and listens on TCP port 1080. The worm acts as a SOCKS proxy and can be used to redirect network traffic through the infected system.

  • Phatbot/Agobot, which can run a SOCKS proxy on demand and redirect SOCKS traffic.

  • Win32/Bagle, which acts as a backdoor Trojan and SOCKS proxy that allows unauthorized access to an affected host.

SOCKS controls may be configured to either drop SOCKS versions other than Version 5 or restrict unauthenticated SOCKS connections altogether. SOCKS versions prior to Version 5 do not deploy authentication. Version 5 may optionally use authentication.
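As an added example (not Check Point code), these Python functions implement the two SOCKS controls described above: drop anything other than Version 5, and, when unauthenticated connections are restricted, reject both a client that offers only the "no authentication" method and a server that selects it. Message layouts follow RFC 1928; the sample messages are constructed.

```python
SOCKS_V4, SOCKS_V5 = 0x04, 0x05
METHOD_NOAUTH, METHOD_GSSAPI, METHOD_USERPASS, METHOD_NONE = 0x00, 0x01, 0x02, 0xFF


def inspect_socks_client_hello(data: bytes, require_auth: bool):
    """Inspect the first client bytes of a SOCKS session.

    Returns (accept, reason). Versions other than 5 are dropped because they
    carry no authentication. With require_auth, a SOCKS5 client that offers
    only 'no authentication' is dropped up front, since the session could
    never become authenticated; a client that also offers an authenticated
    method passes here and the server's choice is checked afterwards."""
    if not data:
        return False, "empty hello"
    version = data[0]
    if version != SOCKS_V5:
        return False, f"socks version {version} is not 5 (no authentication support)"
    if len(data) < 2 or data[1] == 0 or len(data) != 2 + data[1]:
        return False, "malformed socks5 method negotiation"
    methods = set(data[2:])
    if require_auth and methods <= {METHOD_NOAUTH}:
        return False, "socks5 client offers no authenticated method"
    return True, "socks5 client offers " + ",".join(f"0x{m:02x}" for m in sorted(methods))


def inspect_socks_server_choice(data: bytes, require_auth: bool):
    """Inspect the server's 2-byte method selection reply (VER, METHOD)."""
    if len(data) != 2 or data[0] != SOCKS_V5:
        return False, "malformed socks5 method selection"
    method = data[1]
    if require_auth and method == METHOD_NOAUTH:
        return False, "server selected unauthenticated socks5 session"
    if method == METHOD_NONE:
        return False, "server rejected all methods"
    return True, f"server selected method 0x{method:02x}"


# Constructed sample messages
V4_CONNECT = b"\x04\x01\x00\x50\x0a\x00\x00\x01user\x00"   # SOCKS4 CONNECT to 10.0.0.1:80
V5_NOAUTH_ONLY = b"\x05\x01\x00"                          # SOCKS5, offers only no-auth
V5_WITH_USERPASS = b"\x05\x02\x00\x02"                    # SOCKS5, offers no-auth and user/pass

if __name__ == "__main__":
    for hello in (V4_CONNECT, V5_NOAUTH_ONLY, V5_WITH_USERPASS):
        print(inspect_socks_client_hello(hello, require_auth=True))
    print(inspect_socks_server_choice(b"\x05\x00", require_auth=True))
    print(inspect_socks_server_choice(b"\x05\x02", require_auth=True))
```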

Web Intelligence

Web Intelligence is based on Check Point’s Stateful Inspection, Application Intelligence, and Malicious Code Protector technologies, so it is possible to restrict not only specific attacks, but also complete categories of attacks, while allowing genuine traffic to pass. Web Intelligence offers the following features:

  • Malicious Code Protector: This feature blocks attackers from sending malicious code to target Web servers and applications. It can detect malicious executable code within Web communications by identifying not only the existence of executable code in a data stream, but also that code’s potential for malicious behavior. Malicious Code Protector is a kernel-based control delivering almost wire-speed performance.

  • Application Intelligence: This is a set of technologies that detect and prevent application-level attacks by integrating a deeper understanding of application behavior into network security defenses.

  • Stateful Inspection: This feature analyzes the information flow into and out of a network so that real-time security decisions are based on communication session information as well as on application information. It accomplishes this by tracking the state and context of all communications traversing the firewall gateway, even when the connection involves complex protocols.

All Web Intelligence defenses can be activated for specific Web servers. If the control is problematic on a particular Web server, it can be turned off for that Web server.

Web Intelligence provides a wide range of security features for Web servers. All Web Intelligence features are implemented in the Kernel Inspection Module, which means that users benefit from very high performance.

Connectivity Implications of Specific Protections

HTTP inspection settings that are too severe can affect connectivity to and from valid Web servers. For example:

  • HTTP format size protection restricts URL lengths, header lengths, or the number of headers. This is a good practice, as these elements can be used to perform a DoS attack on a Web server. However, these restrictions can also potentially block valid sites. Applying the control for specific Web servers can solve these connectivity problems.

  • ASCII-only Request Header protection can obstruct connectivity to Web pages that have non-ASCII characters in URLs. Applying the control for specific Web servers can solve these connectivity problems.

  • Some standard and non-standard HTTP methods are unsafe, as they can be used to exploit vulnerabilities on a Web server. Microsoft WebDAV methods (used for Outlook Express access to Hotmail), for example, have various security issues, but blocking them can prevent the operation of important applications. Applying the control for specific Web servers can solve the connectivity problems.
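As an added example (not Check Point code), the following Python inspector applies the three controls listed above to a raw HTTP request head (format sizes, ASCII-only request headers, HTTP methods) and shows the two remedies the chapter describes: a monitor-only mode that logs findings while letting the request pass, and a per-server profile so one Web server that needs WebDAV or non-ASCII URLs can be relaxed without loosening the default. The limits, host names and request are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HttpProfile:
    """Web Intelligence-style limits for one Web server (values are assumptions)."""
    max_url_len: int = 2048
    max_header_len: int = 1024       # bytes per "Name: value" line
    max_headers: int = 64
    ascii_only: bool = True          # ASCII-only Request Header protection
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    monitor_only: bool = False       # log findings but let the request through


DEFAULT_PROFILE = HttpProfile()

# Per-server overrides keyed by Host header (constructed names): one server
# needs WebDAV methods and non-ASCII URLs, another runs in monitor-only mode
# while the impact of the controls on it is evaluated.
PER_SERVER = {
    "dav.example.test": replace(
        DEFAULT_PROFILE,
        allowed_methods=frozenset({"GET", "HEAD", "POST", "OPTIONS", "PROPFIND"}),
        ascii_only=False),
    "legacy.example.test": replace(DEFAULT_PROFILE, monitor_only=True),
}


def parse_request_head(raw: bytes):
    """Split the request line and headers; raise ValueError on malformed input."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], headers


def inspect_http_request(raw: bytes, profiles=PER_SERVER, default=DEFAULT_PROFILE):
    """Return (verdict, findings): verdict is 'accept', 'drop' or 'monitor'."""
    try:
        method, url, headers = parse_request_head(raw)
    except ValueError as exc:
        return "drop", [f"protocol: {exc}"]
    host = next((v.decode("latin-1") for n, v in headers if n.lower() == b"host"), "")
    prof = profiles.get(host, default)
    findings = []
    if method.decode("latin-1") not in prof.allowed_methods:
        findings.append(f"method {method.decode('latin-1')} not allowed for {host or 'default'}")
    if len(url) > prof.max_url_len:
        findings.append(f"URL length {len(url)} exceeds {prof.max_url_len}")
    if len(headers) > prof.max_headers:
        findings.append(f"{len(headers)} headers exceeds {prof.max_headers}")
    for name, value in headers:
        if len(name) + len(value) + 2 > prof.max_header_len:
            findings.append(f"header {name.decode('latin-1')} exceeds {prof.max_header_len} bytes")
    if prof.ascii_only and not (url + b"".join(n + v for n, v in headers)).isascii():
        findings.append("non-ASCII byte in URL or request headers")
    if not findings:
        return "accept", []
    # Monitor-only servers get their traffic through but every finding is logged.
    return ("monitor" if prof.monitor_only else "drop"), findings


def request(method: str, path: bytes, host: str, extra: bytes = b"") -> bytes:
    """Build a constructed sample request head for the demonstration."""
    return (method.encode() + b" " + path + b" HTTP/1.1\r\nHost: " + host.encode()
            + b"\r\n" + extra + b"\r\n")


if __name__ == "__main__":
    print(inspect_http_request(request("PROPFIND", b"/docs/", "www.example.test")))
    print(inspect_http_request(request("PROPFIND", b"/docs/", "dav.example.test")))
    print(inspect_http_request(request("GET", b"/" + b"a" * 3000, "legacy.example.test")))
```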

Malicious Code

The Malicious Code controls aid in preventing attacks that attempt to run malicious code on Web servers.

Application Layer

The Application Layer class of control prevents attackers from introducing text, tags, commands, or other characters that a Web application will interpret as special instructions. Introducing such objects into forms or URLs can allow an attacker to steal private data, redirect a communication session to a malicious Web site, steal information from a database, gain unauthorized access, or execute restricted commands.

Information Disclosure

Information Disclosure controls thwart an attacker, stopping him or her from gathering information about a system or site. The objective of information disclosure is to obtain information from the Web server that can be used to tailor an attack.

HTTP Protocol Inspection

HTTP Protocol Inspection presents stringent validation of HTTP. This ensures that sessions act in accordance with the RFC standards and common security practices.

Monitor-Only Mode

All Web Intelligence controls have a monitor-only mode that enables you to evaluate what impact a control will have on a system’s connectivity: the traffic that Web Intelligence identifies as possibly unsafe is logged for review while it is still passed uninterrupted.

Protection for Specific Servers

It is possible to activate each Web Intelligence defense individually for a specific Web server. If a control causes problems on a particular Web server, it can be disabled (turned off) for that Web server.

Variable Security Levels

Advanced defenses such as Cross-Site Scripting, Command Injection, SQL Injection, and Malicious Code Protector include adjustable security-level settings. If a connectivity problem occurs on a particular Web server, the security level can be reduced individually for that Web server.

Web Intelligence License Enforcement

A gateway or gateway cluster requires a Web Intelligence license if it enforces one or more of the following safeguards:

  • Malicious Code Protector

  • LDAP Injection

  • SQL Injection

  • Command Injection

  • Directory Listing

  • Error Concealment

  • ASCII Only Request

  • Header Rejection

  • HTTP Methods

The licensing requirement depends on the number of Web servers that the gateway or gateway cluster protects. For gateway clusters, a single regular gateway license is required for one of the cluster members, and a cluster license is required for each of the other cluster members. Licensing is enforced by counting the number of Web servers protected by each gateway.

This quantity is calculated by means of the setting in the Protected by field of the Web Server page of the Web Server object in the Firewall policy. If All is selected, the number of calculated Web server licenses is augmented for all gateways that implement any Web Intelligence functionality. If the correct license is not installed, it is not possible to install a policy on any gateway.

Summary

SmartDefense not only protects against a variety of recognized attacks, ranging from different classes of Microsoft networking worms through to DDoS attacks, but also integrates advanced security technologies that increase a site’s protection against complete categories of emerging or unknown attacks.

SmartDefense is founded on Check Point’s Stateful Inspection and Application Intelligence technologies, which allow an administrator to drop not only precise attacks, but also complete categories of attacks while still allowing genuine traffic to pass. Application Intelligence is a collection of technologies that detect and prevent application-level attacks by integrating a deeper inspection of application profiles into network security defenses. The core functions of Application Intelligence include:

  • Validating compliance to standards and RFCs

  • Validating expected usage of protocols

  • Blocking malicious data

  • Controlling hazardous application operations

SmartDefense blocks attacks at a Check Point enforcement point which may be either a gateway or a single installation of SecureServer on a host. It does this by implementing Check Point’s Stateful Inspection and Application Intelligence technologies. A number of SmartDefense facilities are enforced as an incorporated element of the firewall security policy. These are distributed as an element of the enforcement points’ security policy. SmartDefense also provides further benefits from the stringent access control to network resources it provides through the deployment of Check Point enforcement points.

Solutions Fast Track

Configuring SmartDefense

  • SmartDefense is completely integrated with other Check Point products.

  • SmartDefense provides object and rule integration across products.

  • Ad hoc or dedicated real-time reports with SmartView Monitor.

  • Historical reports with SmartView Reporter.

Application Intelligence

  • Cross Site Scripting attack blocking

  • Worm pattern matching for CIFS

  • High-performance peer-to-peer support

  • HTTP encoding attack prevention

  • Network Quota and flow shaping for DoS protection

  • System Fingerprint Scrambling

  • VPN Denial of Service Protection

Web Intelligence

  • Interface failover is supported with VPN tunnels.

  • Support for redundant ISP links.

  • Ongoing connections are maintained on link failures.

Frequently Asked Questions

Q: What protocol is most often used to attack the network layer of the OSI stack, and how can Check Point help in stopping these attacks?

A: IP is used for attacks against the network layer. This includes IP fragmentation and DoS attacks. To prevent these attacks, FireWall-1 has an assortment of controls. These include blocking Java code; stripping script, applet, and ActiveX tags; camouflaging default banners; and filtering URLs. With SmartDefense, FireWall-1 is able to proactively determine and prevent possible exploits and DoS attacks.

Q: What does SmartDefense offer that a standard packet inspection firewall can’t?

A: A standard packet inspection firewall operates at the network layer, whereas the majority of modern attacks occur at the application level. FireWall-1 works at both OSI levels. Attackers try to exploit application vulnerabilities such as HTTP (TCP port 80) and HTTPS (TCP port 443), as these are open in most networks. Through a process of directly targeting the applications, an attacker can deny service to legitimate users via DoS attacks, gain access to the administrative system and backend information databases, and install Trojan horse software or sniffer software that captures user IDs and passwords. The application layer contains the majority of user data and supports most protocols, and is thus frequently targeted.

Q: What does Application Intelligence provide?

A: Check Point’s Application Intelligence feature provides a methodology to both detect and prevent application-level attacks. This is enacted through the following four defense strategies:

  • The inspection engine validates compliance to protocol standards such as the RFCs.

  • FireWall-1/VPN-1 validates protocols for expected use.

  • The engine limits the ability of an application to contain malicious packet data.

  • The engine controls application-layer operations by blocking file-sharing operations originating from unauthorized users or systems, restricting connections to particular filenames, and monitoring FTP commands such as PUT, GET, SITE, REST, and MACB.

Q: What is DoS attack resilience?

A: When the network and systems are experiencing a DoS attack, FireWall-1/VPN-1 gateways will aggressively ensure that legitimate active traffic is not disrupted by malicious traffic. This is achieved through a combination of traffic inspection and rate limiting, and by setting flow limits on selected systems and protocols.

Q: What support does Check Point offer for VoIP?

A: VoIP enhancements have been included with FireWall-1/VPN-1 NGX R65. Enhanced interoperability with Nortel, Broadsoft, Cisco, NEC, Polycom, Sylantro, Avaya, and others has been included to increase security for VoIP applications.

Protocol Summary

The following tables provide a summary of the defenses provided by Check Point’s SmartDefense organized by protocol and OSI layer.

Application Layer

HTTP Client (browser and other client host components)

Attack prevention safeguards:

  • Limit maximum response header length.

  • Prohibit binary characters in HTTP response headers.

  • Validate HTTP response protocol compliance.

  • Drop user-defined URLs.

  • URL filtering.

  • Restrict download of user-defined files.

  • Restrict peer-to-peer connections.

  • Restrict peer-to-peer connections for non-HTTP ports.

  • Drop Java code.

  • Strip script tags.

  • Strip applet tags.

  • Strip FTP links.

  • Strip port strings.

  • Strip ActiveX tags.

Attacks blocked:

  • Code Red worm and mutations

  • Nimda worm and mutations

  • HTR Overflow worm and mutations

  • MDAC buffer overflow and mutations

  • Malicious URLs

  • User-defined worms and mutations

  • Cross-Site Scripting attacks

HTTP Server

Attack prevention safeguards:

  • Limit maximum URL length.

  • Limit maximum number of response headers allowed.

  • Limit maximum request header length.

  • Limit maximum response header length.

  • Specify header length, using regular expressions for header name and value.

  • Reject HTTP headers that contain specific header names or values.

  • Prohibit binary characters in HTTP response headers.

  • Prohibit binary characters in HTTP requests.

  • Drop user-defined URLs.

  • Restrict non-RFC HTTP methods.

  • Enforce HTTP security on nonstandard ports (ports other than 80).

  • Compare transmission to a user-approved SOAP scheme/template.

  • Restrict download of user-defined files.

  • ASN.1 buffer overflow.

  • Distinguish between different HTTP v1.1 requests over the same connection.

  • Restrict unsafe HTTP commands.

  • Fingerprint scrambling (spoofing) to hide server information.

  • SOAP Scheme validation.

  • SSL overflow attacks.

  • SSLv3 enforcement.

  • Restrict header values.

  • Malicious Code Protector (prohibit malicious executable code against Web servers).

  • SQL injection.

  • Command injection.

  • Restrict binary data in forms.

  • Restrict HTTP methods.

  • Drop HTTP traffic featuring negative content-length HTTP headers.

  • Block Trojans by identifying attempts to receive SCRIPT traffic containing HTML tags.

  • Drop content disposition in HTTP header.

  • Define specific network objects as Web servers.

  • Perform stringent HTTP validation.

  • Reject HTTP requests that contain illegal SWAT headers.

  • Strip file extensions in Web traffic.

  • Drop network access to files with various extensions (to prevent worm infections).

  • Drop HTML tags from HTTP request headers.

  • Drop shell commands from HTTP request headers.

  • Drop HTTP requests containing scripting code using the POST command.

  • Drop non-ASCII characters in HTTP request/response headers.

  • LDAP injection protection.

Attacks blocked:

  • Encoding attacks

  • User-defined worms and mutations

  • Code Red worm and mutations

  • Nimda worm and mutations

  • HTR Overflow worm and mutations

  • Directory traversal attacks

  • MDAC buffer overflow and mutations

  • Malicious URLs

  • Chunked transfer encoding attacks

  • Cross-Site Scripting attacks

  • HTTP-based attacks spanning multiple packets

  • WebDAV attacks

  • PCT worms and mutations

  • HTTP header spoofing attacks

  • IIS server buffer overflows

  • Santy worm and mutations

  • Spyware and adware attacks

  • LDAP injection attacks

SMTP

Attack prevention safeguards:

  • Drop multiple “content-type” headers.

  • Drop multiple “encoding” headers.

  • Camouflage default banners.

  • Restrict unsafe SMTP commands.

  • Header forwarding verification.

  • Restrict unknown encoding.

  • Restrict mail messages not containing sender/recipient domain names.

  • Restrict MIME attachments of a particular type.

  • Strip file attachments with particular names.

  • Strict enforcement of RFCs 821 and 822.

  • Monitor and enforce restrictions on ESMTP commands.

  • Hide internal mail usernames and addresses.

  • Perform reverse DNS lookups.

  • Strict enforcement of MAIL and RCPT syntax.

  • Restrict mail from a user-defined sender or domain.

  • Restrict mail to user-defined recipients.

  • Restrict mail to unknown domains.

  • Enforce limits on the number of RCPT commands allowed per transaction.

  • Restrict mail relay usage.

  • Enforce the ASN.1 standard.

  • Strip script tags.

  • Strip ActiveX tags.

  • Drop malicious filenames.

  • Drop the X-LINK2STATE SMTP extended verb.

Attacks blocked:

  • SMTP mail flooding

  • SMTP worm and mutations

  • Extended Relay attacks

  • Message/partial MIME attacks

  • SPAM attacks (large number of e-mails)

  • Command verification attacks

  • SMTP Payload worm and mutations

  • Worm encoding

  • Firewall traversal attacks

  • SMTP Error DoS attacks

  • Mailbox DoS attacks (excessive e-mail size)

  • Address spoofing

  • SMTP buffer overflow attacks

  • MyDoom worm and mutations

  • Bagle worm and mutations

  • Sober worm and mutations

  • Zafi worm and mutations

  • Bagz.C worm and mutations

POP3

Attack prevention safeguards:

  • Restrict connections with passwords identical to the username.

  • Enforce the maximum number of characters in the username (buffer overflow protection).

  • Enforce the maximum password length (buffer overflow protection).

  • Restrict binary characters in the username (buffer overflow protection).

  • Restrict binary characters in passwords (buffer overflow protection).

  • Restrict binary characters in POP3 commands (buffer overflow protection).

  • Limit the number of NOOP commands, freeing POP3 daemon resources (DoS protection).

Attacks blocked:

  • POP3 buffer overflow attacks

IMAP4

Attack prevention safeguards:

  • Restrict connections with passwords identical to the username.

  • Enforce the maximum number of characters in the username (buffer overflow protection).

  • Enforce the maximum password length (buffer overflow protection).

  • Restrict binary characters in the username (buffer overflow protection).

  • Restrict binary characters in passwords (buffer overflow protection).

  • Restrict binary characters in POP3 commands (buffer overflow protection).

  • Limit the number of NOOP commands, freeing POP3 daemon resources (DoS protection).

Attacks blocked:

  • IMAP4 buffer overflow attacks

RSH

Attack prevention safeguards:

  • Auxiliary port monitoring.

  • Restrict reverse injection.

RTSP

Attack prevention safeguards:

  • Auxiliary port monitoring.

IIOP

Attack prevention safeguards:

  • Auxiliary port monitoring.

FTP

Attack prevention safeguards:

  • Analyze and restrict hazardous FTP commands.

  • Drop custom file types.

  • Camouflage default banners.

  • Strip FTP references.

Attacks blocked:

  • FTP bounce attacks

  • Passive FTP attacks

  • Client and server bounce attacks

  • FTP port injection attacks

  • Directory traversal attacks

  • Firewall traversal attacks

  • TCP segmentation attacks

DNS

Attack prevention safeguards:

  • Restrict DNS zone transfers.

  • Protect against DNS cache poisoning attacks.

  • Restrict usage of the DNS server as a public server.

  • Provide a separate DNS service for private versus public domains.

  • Enforce DNS over TCP.

  • Restrict domains on the “not allowed” list.

  • Provide cache protection.

  • Restrict inbound requests.

  • Restrict mismatched replies.

  • Enforce the DNS query format.

  • Enforce the DNS response format.

Attacks blocked:

  • DNS query malformed packet attacks

  • DNS answer malformed packet attacks

  • DNS query-length buffer overflow

  • DNS query buffer overflow (unknown request/response)

  • MITM attacks

Microsoft Networking

Attack prevention safeguards:

  • CIFS filename filtering (protect against worms utilizing the CIFS protocol).

  • Restrict remote access to the Registry.

  • Restrict remote null sessions.

  • Restrict pop-up messages.

  • Enforce the ASN.1 standard.

Attacks blocked:

  • Bugbear worm

  • Nimda worm

  • Liotan worm

  • Sasser worm

  • Opaserv worm

  • MS05-003 Indexing Service

  • MS05-010 License Logging Service

SSH

Attack prevention safeguards:

  • Enforce the SSH v2 protocol.

Attacks blocked:

  • SSH v1 buffer overflow attack

SNMP

Attack prevention safeguards:

  • Restrict SNMP GET/PUT commands.

  • Restrict known dangerous communities.

  • Enforce or require the SNMPv3 protocol.

Attacks blocked:

  • SNMP flooding attacks

  • Default community attacks

  • Brute force attacks

  • SNMP Put attacks

MS SQL

Attack prevention safeguards:

  • Drop remote command execution.

  • Restrict potentially dangerous commands (information leakage).

  • Restrict usage of the default system administrator password.

Attacks blocked:

  • SQL resolver buffer overflow

  • SQL Slammer worm

  • Buffer overflow (various attack variations)

  • MS SQL networking DoS (various DoS attack variations)

  • Heap overflow attacks

Oracle SQL

Attack prevention safeguards:

  • Verify dynamic port allocation and initiation.

Attacks blocked:

  • SQLNet v2 MITM attacks

SSL

Attack prevention safeguards:

  • Enforce the SSL v3 protocol.

Attacks blocked:

  • SSL v2 buffer overflow

H.323

Attack prevention safeguards:

  • Verify protocol fields and values.

  • Identify and restrict the PORT command.

  • Enforce the existence of mandatory fields.

  • Enforce user registration.

  • Prevent VoIP firewall holes.

  • Disable H.323 audio and video transmissions.

  • Enforce H.323 call duration limits.

  • For H.323, allow only traffic associated with a specific call.

  • For H.323, restrict blank source in calls.

Attacks blocked:

  • Buffer overflow attacks

  • MITM attacks

MGCP

Attack prevention safeguards:

  • Verify protocol fields and values.

  • Identify and restrict the PORT command.

  • Enforce the existence of mandatory fields.

  • Enforce user registration.

  • Prevent VoIP firewall holes.

  • Enforce MGCP.

  • Verify the state of MGCP commands.

  • Restrict unknown and unsafe MGCP commands.

Attacks blocked:

  • Buffer overflow attacks

  • MITM attacks

SCCP (Cisco VoIP)

Attack prevention safeguards:

  • Enforce SCCP.

  • Secure SCCP dynamic ports.

  • Verify the state of SCCP commands.

  • Verify protocol fields and values.

  • Identify and restrict the PORT command.

  • Enforce the existence of mandatory fields.

  • Enforce user registration.

  • Prevent VoIP firewall holes.

Attacks blocked:

  • Buffer overflow attacks

  • MITM attacks

SIP

Attack prevention safeguards:

  • Limit the number of invite commands (DoS protection).

  • Restrict SIP-based instant messaging.

  • Verify protocol fields and values.

  • Identify and restrict the PORT command.

  • Enforce the existence of mandatory fields.

  • Enforce user registration.

  • Prevent VoIP firewall holes.

  • Restrict MSN Messenger file transfers.

  • Restrict MSN Messenger application sharing.

  • Restrict MSN Messenger white board sharing.

  • Restrict MSN Messenger remote assistance.

Attacks blocked:

  • Buffer overflow attacks

  • MITM attacks

X11

Attack prevention safeguards:

  • Restrict reverse injection.

  • Drop special clients.

DHCP

Attack prevention safeguards:

  • Perform stringent DHCP option enforcement.

  • Drop BOOTP clients.

  • Drop non-Ethernet DHCP clients.

Peer-to-Peer

Attack prevention safeguards:

  • Drop the IRC protocol on all TCP high ports.

  • Restrict P2P connections.

  • Restrict P2P connections on non-HTTP ports.

SOCKS

Attack prevention safeguards:

  • Drop SOCKS versions other than Version 5.

  • Drop unauthenticated SOCKS connections.

Routing Protocols

Attack prevention safeguards:

  • Enforce MD5 routing authentication on various routing protocols (e.g., OSPF, BGP, and RIP).

  • Enforce the validity of IGMP packets.

Content Protection

Attack prevention safeguards:

  • Drop malformed JPEGs.

  • Drop malformed ANI files.

  • Drop malformed GIFs.

Instant Messengers

Attack prevention safeguards:

  • Drop invalid MSN Messenger over MSNMS patterns (prevent worm infection).

  • Drop file transfer in instant messages via MSN/Windows Messenger.

  • Drop the MSN_Messenger group.

Attacks blocked:

  • Bropia.E worm

  • Kelvir.B worm

Remote Control Applications

Attack prevention safeguards:

  • Drop VNC connections on the VNC port and on other ports.

  • Drop Remote Administrator connection attempts made both on the Remote Administrator well-known port and on other ports.

  • Enforce authentication scheme on Radmin connections.

Session Layer

RPC

Attack prevention safeguards:

  • Drop RPC portmapper exploits.

Attacks blocked:

  • ToolTalk attacks

  • snmpXdmid attacks

  • rstat attacks

  • mountd attacks

  • cmsd attacks

  • cachefsd attacks

DCE-RPC

Attack prevention safeguards:

  • Drop DCE-RPC portmapper exploits.

  • Allow endpoint mapper communications via the EPM port only.

  • Allow only authenticated DCOM.

Attacks blocked:

  • Blaster worm

  • Sasser worm

SUN-RPC

Attack prevention safeguards:

  • Drop SUN-RPC interface scanning.

  • Enforce RPC through inspection of packet lengths.

HTTP Proxy

Attack prevention safeguards:

  • HTTP Proxy enforcement: enforce HTTP session logic in proxy mode.

VPN

Attack prevention safeguards:

  • Validate digital certificates used against Certificate Revocation List.

  • Monitor for preshared secret vulnerability.

Attacks blocked:

  • IKE brute force attacks

  • Hub-and-spoke topology attacks

  • IKE UDP DoS attacks

  • Windows 2000 IKE DoS attacks

  • VPN IP spoofing attacks

  • VPN MITM attacks

  • IKE aggressive mode attacks

SSL

Attack prevention safeguards:

  • Protect against SSL null pointer attacks.

Attacks blocked:

  • Microsoft PCT worm

Transport Layer

TCP

Attack prevention safeguards:

  • Enforce correct usage of TCP flags.

  • Limit per-source sessions.

  • Enforce the minimum TCP header length.

  • Drop unknown protocols.

  • Restrict FIN packets with no ACK.

  • Enforce that the TCP header length indicated in the header is not longer than the packet size indicated by the header.

  • Drop out-of-state packets.

  • Verify that the first connection packet is SYN.

  • Enforce three-way handshake: between SYN and SYN-ACK, the client can send only RST or SYN.

  • Enforce three-way handshake: between SYN and connection establishment, the server can send only SYN-ACK or RST.

  • Drop SYN on an established connection before a FIN or RST packet is encountered.

  • Restrict server-to-client packets belonging to old connections.

  • Drop server-to-client packets belonging to old connections if the packets contain SYN or RST.

  • Drop TCP fragments.

  • Drop SYN fragments.

  • Scramble the OS fingerprint.

  • Verify the TCP packet sequence number for packets belonging to an existing session.

  • Enforce TCP session sequence verification (protect persistent unauthenticated network sessions).

  • Network Quota: enforce a limit on the number of connections allowed from the same source IP, to protect against DoS attacks.

  • Anomaly detection: used ports.

  • Drop ICMP error packets that belong to established TCP connections.

Attacks blocked:

  • ACK DoS attacks

  • SYN attacks

  • Land attacks

  • Teardrop attacks

  • Session hijacking attacks

  • Jolt attacks

  • Bloop attacks

  • Cpd attacks

  • Targa attacks

  • Twinge attacks

  • Small PMTU attacks

  • Session hijacking attacks (TCP sequence number manipulation)

  • TCP-based attacks spanning multiple packets

  • XMAS attacks

  • Port scans

  • Witty worm

  • Cisco IOS DoS

UDP

Attack prevention safeguards:

  • Verify the UDP length field.

  • Match UDP requests and responses.

  • Non-TCP flooding: limit the percentage of non-TCP connections to prevent DoS.

Attacks blocked:

  • Port scans

Network Layer

IP

Attack prevention safeguards:

  • Enforce minimum header length.

  • Restrict IP-UDP fragmentation.

  • Enforce that the header length indicated in the IP header is not longer than the packet size indicated by the header.

  • Enforce that the packet size indicated in the IP header is not longer than the actual packet size.

  • Scramble OS fingerprint.

  • Control IP options.

Attacks blocked:

  • IP address sweep scans

  • IP timestamp attacks

  • IP record route attacks

  • IP source route attacks

  • IP fragment DoS attacks

  • Loose source route attacks

  • Strict source route attacks

  • IP spoofing attacks

ICMP

Attack prevention safeguards:

  • Drop large ICMP packets.

  • Restrict ICMP fragments.

  • Match ICMP requests and responses.

Attacks blocked:

  • Ping-of-Death attacks

  • ICMP floods