SmartDefense Protections Reference Guide

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at:
http://support.checkpoint.com/kb/

See the latest version of this document in the User Center at:
http://www.checkpoint.com/support/technical/documents/docs_r60.html

June 2006


© 2003-2005 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
©2003-2005 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided "as is" without express or implied warranty.

Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

GDChart is free for use in your applications and for chart generation. YOU MAY NOT redistribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999,

Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com
International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com


U.S. Government Restricted Rights
The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Warranty Disclaimer
THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability
UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.
BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))
Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release


Table Of Contents

Chapter 1 Introduction
  Overview and Purpose 13
    SmartDefense 14
    Web Intelligence 14
  Obtaining the Latest Version of the Documentation 15
  Structure of the Guide 15
  How to Read this Document 16

Chapter 2 Network Security
  Introduction 17
  Denial Of Service 18
    Teardrop 19
    Ping of Death 20
    LAND 21
    Non TCP Flooding 22
  IP and ICMP 23
    Packet Sanity 23
    Max Ping Size 25
    IP Fragments 26
    Network Quota 27
    Block Welchia ICMP 28
    Block CISCO IOS DOS 29
    Block Null Payload ICMP 30
  TCP 31
    SYN Attack Configuration 31
    Small PMTU 33
    Spoofed Reset Protection 34
    Sequence Verifier 35
  Fingerprint Scrambling 36
    ISN Spoofing 37
    TTL 38
    IP ID 39
  Successive Events 40
    Address Spoofing 40
    Denial of Service 41
    Local Interface Spoofing 42
    Successive Alerts 43
    Successive Multiple Connections 44
  DShield Storm Center 45
    Retrieve and Block Malicious IPs 46
    Report to DShield 47
  Port Scan 48
    Host Port Scan 48
    Sweep Scan 49
  Dynamic Ports 50
    Block Data Connections to Low Ports 50

Chapter 3 Application Intelligence
  Introduction 52
  Mail 53
    POP3 / IMAP Security 53
    SMTP Worm Catcher 54
    SMTP Format Restrictions 55
    SMTP Malicious Code 57
    Mail Security Server 59
    Block ASN.1 Bitstring Encoding Attack over SMTP 60
  NNTP 61
  FTP 62
    FTP Bounce 62
    FTP Security Server 63
    Oracle XDB Overflow 64
  Microsoft Networks 65
    File and Print Sharing 65
    Block Null CIFS Sessions 66
    Block Popup Messages 67
    Block ASN.1 Bitstring Encoding Attack 68
    Block WINS Replication Attack 69
    Block WINS Name Validation Attack 70
    Block Long CIFS Password 71
    Block SMB Server Buffer Overflow 72
    Block Message Queuing Buffer Overflow 73
    Block Repetitive SMB Login Attempts 74
  Peer to Peer 75
    Excluded Services/Network Objects 75
    All Protocols through Port 80 76
    IRC 77
    All Protocols 78
  Instant Messengers 79
    Excluded Services/Network Objects 79
    MSN Messenger over SIP 80
    MSN Messenger over MSNMS 81
    All Protocols through Port 80 82
    All Protocols 83
  DNS 84
    Protocol Enforcement - TCP 84
    Protocol Enforcement - UDP 86
    Domain Block List 87
    Cache Poisoning Protections 88
    Operations Enforcement 89
    Type Enforcement 90
    DNS Traffic to Non-DNS Server 91
    Resource Records Enforcements 92
  VoIP 93
    DOS Protection 93
    H323 94
    SIP 95
    MGCP (allowed commands) 100
    SCCP (Skinny) 101
  SNMP 102
    Allow Only SNMPv3 Traffic 102
    Drop Requests to Default Community Strings 103
  VPN Protocols 104
    PPTP Enforcement 104
    SSL Enforcement 105
    Block IKE Aggressive Exchange 106
    IKE Enforcement 107
  SSH - Detect SSH over Non-Standard Ports 108
    SSH Enforcement 109
  Content Protection 110
    Malformed JPEG 110
    Malformed ANI File 111
    Malformed GIF 112
    Malformed TIFF 113
    Malformed AVI 114
    Malformed PNG 115
    Block EOT Files 116
    Blocked WMF/EMF 117
    Malformed BMP File 118
  MS-RPC 119
    DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135 119
    Drop Unauthenticated DCOM 120
    MS-RPC Program Lookup 121
    Block Fragmented Bind Request 122
    Block Multiple Context Bind 123
    Block uPnP Vulnerability MS05-039 124
    Block uPnP Vulnerability MS05-047 125
    Block Client Service for Netware Vulnerabilities (MS05-046) 126
    Block DTC Vulnerability (MS05-051) 127
    Block Print Spooler Vulnerability (MS05-043) 128
    Block LSASS Vulnerability (MS05-011) 129
    Block Web Client Vulnerability (MS05-011) 130
  MS-SQL 131
    MS-SQL Monitor Protocol 131
    MS-SQL Server Protocol 132
    Restricted Stored Procedures 133
    Restricted Commands 134
    Restricted Tabs 135
    Malicious Code Protector 136
    Weak Passwords 137
    Block Null Passwords 138
    Block RPC Service 139
    Block Bulk Data 140
    MS-SQL Over Non-Standard Ports 141
  Routing Protocols 142
    OSPF 142
    BGP (block non-MD5 authenticated BGP connections) 143
    RIP 144
    IGMP 145
  SUN-RPC 146
    SUN-RPC Program Lookup 146
    NFS / Block Illegal Mount Request 147
  DHCP 148
  SOCKS 149
  TFTP 150
    Excluded Network Objects 150
    Restrictions and Error Concealment 151
    Block Over Non-Standard Ports 152
  Citrix 153
    Citrix Protocol Settings 153
    Citrix Protections 154
  Remote Control Applications 155
    RDP Enforcement 155
    GoToMyPC 156
    VNC 157
  Remote Administration 158
    Authentication Enforcement 158
    Detect Over Non-Standard 159
  Tunneling 160
    SSL Tunnels 160
  Telnet 162
    Environment Disclosure Protection 162
  Veritas Backup Exec Protections 163
    Backup Exec Remote Registration Protection 163
    Backup Exec Agent 164
  CA BrightStore Backup 165
    MS-SQL Agent Protection 165

Chapter 4 Web Intelligence
  Introduction 167
  Malicious Code 168
    General HTTP Worm Catcher 169
    Malicious Code Protector 170
  Application Layer 172
    Cross Site Scripting 172
    LDAP Injection 174
    SQL Injection 175
    Command Injection 176
    Directory Traversal 177
  Information Disclosure 178
    Header Spoofing 179
    Directory Listing 180
    Error Concealment 181
  HTTP Protocol Inspection 182
    HTTP Format Sizes 183
    ASCII Only Request 187
    ASCII Only Response Headers 188
    Header Rejection 189
    HTTP Methods 190
    Block HTTP on Non-Standard Port 191
    Block Malicious HTTP Encodings 192
  Microsoft Internet Explorer 193


CHAPTER 1
Introduction

In This Chapter
Overview and Purpose page 13
Obtaining the Latest Version of the Documentation page 15
Structure of the Guide page 15
How to Read this Document page 16

Overview and Purpose
This guide is divided into a number of sections and chapters that provide an overview of how NGX R60 SmartDefense and Web Intelligence protections work with the following previous versions:
• NG FP3
• NG With Application Intelligence R54
• NG With Application Intelligence R55 (including R55P)
• NG With Application Intelligence R55W
• InterSpect NGX R60

The intention of this guide is to provide system administrators with an understanding of the implications of each protection when installing a policy on previous releases (in other words, backwards compatibility, performance implications, logs etc.).

To fully understand SmartDefense and Web Intelligence protections it is recommended that you familiarize yourself with NGX R60 behavior. To do this, refer to the NGX R60 Firewall and SmartDefense Guide.


SmartDefense
Check Point SmartDefense provides a unified security framework for various components that identify, alert and prevent attacks. SmartDefense actively defends your network, even when the protection is not explicitly defined in the Security Rule Base. It unobtrusively analyzes activity across your network, tracking potentially threatening events and optionally sending notifications. It protects organizations from all known, and most unknown, network attacks using intelligent security technologies and engines.

Keeping up-to-date with the latest defenses does not require up-to-the-minute technical knowledge. A single click updates SmartDefense with all the latest defenses from the SmartDefense website.

SmartDefense provides a console that can be used to:
• Choose the attacks that you wish to defend against, and read detailed information about the attack.
• Easily configure parameters for each attack, including logging options.
• Receive real-time information on attacks, and update SmartDefense with new capabilities.

Web Intelligence
Check Point Web Intelligence enables customers to configure, enforce and update attack protections for web servers and applications. Web Intelligence protections are designed specifically for web-based attacks, and complement the network and application level protections offered by SmartDefense. In addition, Web Intelligence Advisories published online by Check Point provide information and add new attack defenses.

Web Intelligence not only protects against a range of known attacks, varying from attacks on the web server itself to databases used by web applications, but also incorporates intelligent security technologies that protect against entire categories of emerging, or unknown, attacks.

Web Intelligence provides proactive attack protections. It ensures that communications between clients and web servers comply with published standards and security best practices, restricts hackers from executing irrelevant system commands, and inspects traffic passing to web servers to ensure that it does not contain dangerous malicious code. Web Intelligence allows organizations to permit access to their web servers and applications without sacrificing either security or performance.


Obtaining the Latest Version of the Documentation
SmartDefense and Web Intelligence protections are continuously updated. For this reason, see the latest available online version of this document in the User Center at http://www.checkpoint.com/support/technical/documents/docs_r60.html. For additional information contact your Check Point partner.

Structure of the Guide
This guide is divided into a number of chapters:

Chapter 2, “Network Security” gives an overview of Network Security protections, which enable protection against attacks on the network and transport level.

Chapter 3, “Application Intelligence” gives an overview of Application Intelligence protections, which enable the configuration of various protections at the application layer, using SmartDefense's Application Intelligence capabilities.

Chapter 4, “Web Intelligence” describes the Web Intelligence protections, which provide high performance attack protection for web servers and applications: proactive attack protection by looking for malicious code and ensuring adherence to protocols and security best practice.


How to Read this Document
In this guide the condition of each protection in a specific scenario is represented by a status. The following are all of the possible statuses:
• On indicates that the protection is on by default. However, options within the protection may be off or on by default.
• Off indicates that the protection is off by default.
• Same indicates that the protection's behavior is the same as in NGX R60.
• Always On indicates that the protection cannot be turned off on modules from this release, even though it is configured as Off in NGX R60 Management.
• Enforced indicates that the protection is active.
• *Enforced indicates that the protection is active, but that it did not exist when R55 was released. Before this protection can be active it requires a SmartDashboard update.
• Not Enforced indicates that the protection is not active.
• Allowed indicates all commands are allowed.
• N/A indicates not applicable.


CHAPTER 2
Network Security

In This Chapter
Introduction page 17
Denial Of Service page 18
IP and ICMP page 23
TCP page 31
Fingerprint Scrambling page 36
Successive Events page 40
DShield Storm Center page 45
Port Scan page 48
Dynamic Ports page 50

Introduction
Application Intelligence is primarily associated with application level defenses. However, in practice many attacks aimed at network applications actually target the network and transport layers.

Hackers target these lower layers as a means to access the application layer, and ultimately the application and data itself. Also, by targeting lower layers, attacks can interrupt or deny service to legitimate users and applications (e.g., DoS attacks). For these reasons, SmartDefense addresses not only the application layer, but also the network and transport layers.

Preventing malicious manipulation of network-layer protocols (e.g., IP, ICMP) is a crucial requirement for multi-level security gateways. The most common vehicle for attacks against the network layer is the Internet Protocol (IP), whose set of services resides within this layer. As with the network layer, the transport layer and its common protocols (TCP, UDP) provide popular access points for attacks on applications and their data.

The pages to follow contain information that will help you configure various SmartDefense protections against attacks on the network and transport level from versions prior to NGX R60. These pages allow you to configure protection against attacks which attempt to target network components or the firewall directly. The effect of such attacks, on the IP, TCP, UDP or ICMP network protocols, ranges from simple identification of the operating systems used in your organization, to denial of service attacks on hosts and servers on the network.

Denial Of Service
Denial of Service (DoS) attacks are aimed at disrupting normal operations of a service. The attacks in this section exploit bugs in operating systems to remotely crash the machines.

The detections in this protection depend on logs generated by SmartDefense. These logs can be configured per attack.


Teardrop
When tracking a Teardrop attack you will be notified of any attempt to exploit the fragmentation of large packets with erroneous offset values in the second or later fragment. Selecting this protection will block an attempted Teardrop attack.

This attack will be blocked even if the checkbox is not selected, and logged as "Virtual defragmentation error: Overlapping fragments".

Default Flag Settings: On
Log Generated by Protection: Tear drop attack detected
NGX Performance Impact: Does not impact performance
InterSpect NGX - Impact on Acceleration: Does not impact performance
InterSpect NGX - Impact on Performance: Does not impact performance

Feature behavior on earlier releases (protection On / Monitor-Only mode in NGX R60 Management):
NG FP3 to R55: Same / N/A
R55W: Same / N/A


Ping of Death
When tracking this type of attack you will be notified of any attempt in which an IP packet larger than 64KB has been sent to your network. Selecting this protection will block an attempted Ping of Death attack.

This attack will be blocked even if the checkbox is not selected, and logged as "Virtual defragmentation error: Packet too big".

Default Flag Settings: On
Log Generated by Protection: Ping of Death
NGX Performance Impact: Does not impact performance
InterSpect NGX - Impact on Acceleration: Does not impact performance
InterSpect NGX - Impact on Performance: Does not impact performance

Feature behavior on earlier releases (protection On / Monitor-Only mode in NGX R60 Management):
NG FP3 to R55: Same / N/A
R55W: Same / N/A


LAND
With this protection you can block LAND crafted packets. When tracking this type of attack you will be notified of any attempt in which a packet is sent to your machine with the same source host/port as its destination. Selecting this protection will block an attempted LAND attack; LAND crafted packets are blocked when this protection is activated.

Default Flag Settings: On
Log Generated by Protection: Land Attack
NGX Performance Impact: Does not impact performance
InterSpect NGX - Impact on Acceleration: Does not impact performance
InterSpect NGX - Impact on Performance: Does not impact performance

Feature behavior on earlier releases (protection On / Monitor-Only mode in NGX R60 Management):
NG FP3 to R55: Same / Not Enforced
R55W: Same / Same


Non TCP Flooding
With this protection you can protect against non-TCP Flooding attacks by limiting the percentage of open non-TCP connections. By setting this threshold, SmartDefense prevents more than a specific percentage of the bandwidth being used for non-TCP connections.

In addition, you can track non-TCP connections which exceed the threshold.

Default Flag Settings: Off
Log Generated by Protection: Non TCP flooding; Non TCP quota reached; Data connection exceeds non TCP quota
NGX Performance Impact: The feature is fully accelerated
InterSpect NGX - Impact on Acceleration: The feature is fully accelerated
InterSpect NGX - Impact on Performance: The feature is fully accelerated

Feature behavior on earlier releases (protection On / Monitor-Only mode in NGX R60 Management):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / N/A


Packet SanityIP and ICMPThe protections in this section allow you to enable a comprehensive sequence of layer 3checks (IP and ICMP protocols) and some layer 4 verifications (UDP, TCP and IPoptions sanity checks).Packet SanityThis protection performs several Layer 3 and Layer 4 sanity checks. These includeverifying packet size, UDP and TCP header lengths, dropping IP options and verifyingthe TCP flags.With this protection you can configure whether logs will be issued for offendingpackets.A Monitor Only mode makes it possible to track unauthorized traffic without blockingit. However, setting this protection to Monitor Only means that badly fragmentedpackets pass unfiltered. Any type of attack may be hidden in fragmented packets. Thissetting exposes the network to attack.The following is recommended:• UDP• Verify that header length matches the physical length (IP header + UDPheader).• Verify that UDP packet length is correct.• Verify that port 0 on the packet is not used (source or destination). Port 0 canbe allowed, configurable with global parameter fw_allow_udp_port0.• TCP• Make sure header length matches the physical length (IP header + TCP header).• Make sure TCP flags are "making sense".• Accept/reject SYN-RST packet, according to configuration(fw_accept_syn_rst).• Port 0 on the packet is not used.• ICMP• Make sure packet length does not exceed the maximum allowed Ping size.• Make sure packet length matches the physical length.• Make sure that if this is an ICMP error, it has at least the minimal IP header ofthe original IP packet that generated the error, plus 8 bytes.Chapter 2 Network Security 23


• GRE
  • Verify that the GRE packet is not too short and is long enough to contain the header.
  • Verify that the PPP packet's length is not too short.

Although Packet Sanity is turned off in Monitor Only mode, the following sanity verifications are still enforced, and when applicable these packets are dropped:
- UDP packets with invalid UDP Length
- TCP packets with a corrupt header
In each of the above cases, SmartDefense logs will be generated.

Default Flag Settings: On
Log Generated by Protection: Attack name: Malformed Packet
NGX Performance Impact: Protection accelerated
InterSpect NGX - Impact on Acceleration: Protection accelerated
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Always On; Monitor-Only mode: Enforced
R55W - protection on: Always On; Monitor-Only mode: Always On
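The recommended checks listed above, as an added example that is not Check Point code: a standard-library IPv4 parser that applies the UDP, TCP and ICMP verifications to constructed packets and returns the reasons a packet would be dropped. Treating IP options as a drop, the ICMP error-type set, the 1500-byte default ping limit and the two keyword switches named after fw_allow_udp_port0 and fw_accept_syn_rst are assumptions; the GRE checks are omitted.

```python
"""Packet Sanity checks from the list above (added example, not Check Point code).
Parses raw IPv4 with the standard library and returns the violations found.
IP-options-as-drop, the ICMP error-type set, the 1500-byte default ping limit
and the switches named after fw_allow_udp_port0 / fw_accept_syn_rst are
assumptions; every sample packet is constructed, not captured."""
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ICMP_ECHO_REQUEST = 8
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # unreachable, quench, redirect, time exceeded, param problem
FIN, SYN, RST = 0x01, 0x02, 0x04


def packet_sanity(pkt, allow_udp_port0=False, accept_syn_rst=False, max_ping_size=1500):
    """Return [] if the packet passes, otherwise every violation found."""
    if len(pkt) < 20:
        return ["IP header truncated"]
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if version != 4 or ihl < 20:
        return ["bad IP version or IHL"]
    if total_len != len(pkt) or ihl > len(pkt):   # IP length vs physical length
        return ["IP length does not match physical length"]
    issues = ["IP options present"] if ihl > 20 else []   # page: IP options are dropped
    l4 = pkt[ihl:]
    if proto == PROTO_UDP:
        issues += _check_udp(l4, allow_udp_port0)
    elif proto == PROTO_TCP:
        issues += _check_tcp(l4, accept_syn_rst)
    elif proto == PROTO_ICMP:
        issues += _check_icmp(l4, max_ping_size)
    return issues


def _check_udp(seg, allow_port0):
    if len(seg) < 8:
        return ["UDP header shorter than 8 bytes"]
    sport, dport, ulen = struct.unpack("!HHH", seg[:6])
    issues = []
    if ulen != len(seg):                    # UDP length field vs physical length
        issues.append("UDP length field does not match physical length")
    if not allow_port0 and 0 in (sport, dport):
        issues.append("UDP port 0 used")
    return issues


def _check_tcp(seg, accept_syn_rst):
    if len(seg) < 20:
        return ["TCP header shorter than 20 bytes"]
    sport, dport = struct.unpack("!HH", seg[:4])
    doff, flags = (seg[12] >> 4) * 4, seg[13]
    issues = []
    if doff < 20 or doff > len(seg):        # data offset vs physical length
        issues.append("TCP data offset does not match physical length")
    if flags == 0:                          # a 'null' segment makes no sense
        issues.append("TCP flags make no sense: none set")
    if flags & SYN and flags & FIN:         # open and close in one segment
        issues.append("TCP flags make no sense: SYN+FIN")
    if flags & SYN and flags & RST and not accept_syn_rst:
        issues.append("SYN-RST rejected (accept_syn_rst is off)")
    if 0 in (sport, dport):
        issues.append("TCP port 0 used")
    return issues


def _check_icmp(msg, max_ping_size):
    if len(msg) < 8:
        return ["ICMP header shorter than 8 bytes"]
    issues = []
    if msg[0] == ICMP_ECHO_REQUEST and len(msg) - 8 > max_ping_size:
        issues.append("echo request too big")
    if msg[0] in ICMP_ERROR_TYPES and len(msg) - 8 < 28:   # original IP header (20) + 8 bytes
        issues.append("ICMP error lacks original IP header + 8 bytes")
    return issues


# Builders for the constructed sample packets (checksums left at zero).
def ipv4(proto, payload, options=b""):
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload

def udp(sport, dport, data, length=None):   # 'length' lets a sample lie about its size
    return struct.pack("!HHHH", sport, dport, 8 + len(data) if length is None else length, 0) + data

def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

def icmp(icmp_type, data):
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + data

SAMPLES = {
    "dns_ok": ipv4(PROTO_UDP, udp(53000, 53, b"\x00" * 30)),
    "udp_bad_len": ipv4(PROTO_UDP, udp(53000, 53, b"\x00" * 30, length=200)),
    "udp_port0": ipv4(PROTO_UDP, udp(0, 53, b"x")),
    "tcp_syn": ipv4(PROTO_TCP, tcp(40000, 80, SYN)),
    "tcp_syn_fin": ipv4(PROTO_TCP, tcp(40000, 80, SYN | FIN)),
    "tcp_syn_rst": ipv4(PROTO_TCP, tcp(40000, 80, SYN | RST)),
    "ping_ok": ipv4(PROTO_ICMP, icmp(ICMP_ECHO_REQUEST, b"\x00" * 56)),
    "ping_big": ipv4(PROTO_ICMP, icmp(ICMP_ECHO_REQUEST, b"\x00" * 2000)),
    "icmp_error_short": ipv4(PROTO_ICMP, icmp(3, b"\x00" * 10)),
    "ip_options": ipv4(PROTO_TCP, tcp(40000, 80, SYN), options=b"\x01\x01\x01\x01"),  # four NOPs
}
```

Running `packet_sanity` over `SAMPLES` accepts `dns_ok`, `tcp_syn` and `ping_ok` and reports one reason for each of the others; a packet truncated below its IP total length fails before any layer 4 check.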


Max Ping Size

This protection allows you to limit the maximum allowed data size for an ICMP echo request. This should not be confused with "Ping of Death", in which the request is malformed.

Default Flag Settings: On
Log Generated by Protection: Attack name: Large ping; Attack Information: Echo request too big
NGX Performance Impact: Does not impact performance
InterSpect NGX - Impact on Acceleration: Does not impact performance
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Same


IP Fragments

This protection allows you to configure whether fragmented IP packets can pass SmartDefense gateways. It is possible to set a limit upon the number of fragmented packets (incomplete packets) that are allowed. It is also possible to define a timeout for holding unassembled packets before discarding them.

Default Flag Settings: Allowed
Log Generated by Protection: (not specified)
NGX Performance Impact: Fragments handling is not accelerated. Non-fragmented traffic is not impacted.
InterSpect NGX - Impact on Acceleration: Fragments passed to the FW. Non-fragmented traffic is not impacted.
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: N/A
R55W - protection on: Same; Monitor-Only mode: N/A


Network Quota

Network Quota enforces a limit upon the number of connections that are allowed from the same source IP, to protect against Denial Of Service attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source or track the event.

Default Flag Settings: Off
Log Generated by Protection: Network Quota
NGX Performance Impact: Disables templates
InterSpect NGX - Impact on Acceleration: Accelerated
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Same
R55W - protection on: Same; Monitor-Only mode: Same (called "only track the event")

Note - In the R55W Network Quota protection, Monitor Only was referred to as Only track the event.


Block Welchia ICMP

When this protection is enabled, SmartDefense will identify and drop the Welchia worm specific ping packets.

Default Flag Settings: Off
Log Generated by Protection: Welchia/Nachi Worm ICMP Packet Detected
NGX Performance Impact: None (ICMP is not accelerated)
InterSpect NGX - Impact on Acceleration: None (ICMP is not accelerated)
InterSpect NGX - Impact on Performance: None (ICMP is not accelerated)
SmartDefense Update Version: Default in NGX R60

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Same
R55W - protection on: Same; Monitor-Only mode: Same


Block CISCO IOS DOS

This protection allows you to configure which protocols should be protected against this attack. You can also define how many hops away from the enforcement module Cisco routers will be protected.

Default Flag Settings: Off
Log Generated by Protection: Cisco IOS Enforcement Violation
NGX Performance Impact: None (ICMP is not accelerated)
InterSpect NGX - Impact on Acceleration: None (ICMP is not accelerated)
InterSpect NGX - Impact on Performance: None (ICMP is not accelerated)
SmartDefense Update Version: Default in NGX R60

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Same
R55W - protection on: Same; Monitor-Only mode: Same


Block Null Payload ICMP

When this protection is enabled, SmartDefense will identify and drop the null payload ping packets.

Using SmartView Tracker, VPN-1 NG AI R55 will identify Drop log entries against rule number 99501.

Default Flag Settings: Off
Log Generated by Protection: Null Payload Echo Request
NGX Performance Impact: None (ICMP is not accelerated)
InterSpect NGX - Impact on Acceleration: None (ICMP is not accelerated)
InterSpect NGX - Impact on Performance: None (ICMP is not accelerated)
SmartDefense Update Version: Default in NGX R60

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Same
R55W - protection on: Same; Monitor-Only mode: Same


TCP

The protections in this section allow you to configure a comprehensive set of TCP tests.

SYN Attack Configuration

This protection allows you to configure how a SYN attack is detected and how to protect your network from this attack. With this protection you can select whether to activate the SYN attack protection configuration in one place (that is, via SmartDefense) and specify the protection parameters for all modules (that is, gateways), or whether to activate previous SYNDefender configuration versions for all current gateway versions.


The SYN attack protection can be configured for each module separately. This page allows you to override the modules' specific configuration.

Default Flag Settings: Off
Log Generated by Protection: Attack name: SYN Attack; Attack information: Under SYN attack - Switching to active protection (relay/cookie mode). Note that "relay" or "cookie" appears only from Enfield on; in earlier versions the string states "Switching to active protection". When the attack is over, another log is issued, with attack information: SYN attack abated - Switching to passive protection
NGX Performance Impact: Passive mode: all session handshake is forwarded to the firewall. In relay mode all session handshake is forwarded to the FW.
InterSpect NGX - Impact on Acceleration: Passive Mode - accelerated. Relay mode - Session Handshake is not accelerated
InterSpect NGX - Impact on Performance: Relay Mode - High
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Enforced
R55W - protection on: Same; Monitor-Only mode: Same


Small PMTU

In this protection the configuration option "Minimal MTU size" controls the allowed packet size. An exceedingly small value will not prevent an attack, while an unnecessarily large value might result in legitimate requests being dropped, causing "black hole" effects and degrading performance.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: None (Accelerated)
InterSpect NGX - Impact on Acceleration: None (Accelerated)
InterSpect NGX - Impact on Performance: None (Accelerated)
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Enforced
R55W - protection on: Same; Monitor-Only mode: Same


Spoofed Reset Protection

This protection enforces a threshold on the number of RST packets allowed per connection during a pre-defined period of time.

It is possible to exclude specific services from this protection. Services such as HTTP that are characterized by relatively short sessions are not affected by this attack. It is therefore advisable for performance reasons to exclude those services from the protection.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: The handling of TCP reset (RST) is not accelerated.
InterSpect NGX - Impact on Acceleration: The handling of TCP reset (RST) is not accelerated.
InterSpect NGX - Impact on Performance: (not specified)
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Not Enforced; Monitor-Only mode: Not Enforced
R55W - protection on: Not Enforced; Monitor-Only mode: Not Enforced


Sequence Verifier

Sequence Verifier is a mechanism matching the current TCP packet's sequence number against a TCP connection state. Packets that match the connection in terms of the TCP session but have incorrect sequence numbers are either dropped, when the packet's sequence may compromise security, or stripped of data.

With this protection you can select the appropriate tracking option and define the type of out-of-sequence packets to be tracked.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Not Enforced


Fingerprint Scrambling

SmartDefense can scramble some of the fields commonly used for fingerprinting, masking the original identity of hosts behind the firewall. Please note, however, that totally preventing fingerprinting is next to impossible. Also note that while this feature makes fingerprinting the hosts protected by the firewall harder, it does little to hide the fact that there is a firewall here (i.e. fingerprinting the firewall's existence is still possible).

With this protection you can choose whether to spoof fingerprints for unencrypted (plain) connections, for encrypted connections (for example, a VPN connection or an HTTPS connection), or both.


ISN Spoofing

The ISN scrambler counters this attack by creating a difference between the sequence numbers used by the server and the sequence numbers perceived by the client. This difference has high entropy, using cryptographic functions, and effectively makes it impossible to guess the server's ISN. If the real server has a higher entropy than the entropy selected for the ISN scrambler, the higher entropy will pass through to the client.

Default Flag Settings: Off
Log Generated by Protection: This feature does not issue a log.
NGX Performance Impact: Disables session rate acceleration on TCP traffic.
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Not Enforced
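How a per-connection scrambling difference can be derived from a cryptographic function and applied in both directions, as an added example that is not Check Point's implementation: the offset is the first 32 bits of an HMAC-SHA256 over the connection 4-tuple under a gateway secret, so it is unpredictable to the client yet needs no per-flow state on the gateway. The secret, the addresses and the server ISNs in the demo are constructed.

```python
"""ISN scrambling as a keyed per-connection offset (added example, not Check
Point's implementation).  Offset = first 32 bits of HMAC-SHA256(secret,
4-tuple): high entropy for the client, stateless for the gateway.  The
secret, addresses and the weak server ISNs below are constructed."""
import hashlib
import hmac
import struct

MOD32 = 1 << 32


class IsnScrambler:
    def __init__(self, secret: bytes):
        self._secret = secret

    def offset(self, client, server):
        """32-bit offset for one connection; client and server are (ip, port)."""
        material = f"{client[0]}:{client[1]}->{server[0]}:{server[1]}".encode()
        digest = hmac.new(self._secret, material, hashlib.sha256).digest()
        return struct.unpack("!I", digest[:4])[0]

    def to_client(self, client, server, seq):
        """Shift the sequence number on a segment leaving the server (mod 2^32)."""
        return (seq + self.offset(client, server)) % MOD32

    def from_client(self, client, server, ack):
        """Undo the shift on an acknowledgement number arriving from the client."""
        return (ack - self.offset(client, server)) % MOD32


def handshake_view(scrambler, client, server, server_isn):
    """Return (ISN the client sees, ACK the client sends, ACK the server receives)."""
    seen = scrambler.to_client(client, server, server_isn)
    client_ack = (seen + 1) % MOD32           # the client ACKs the SYN-ACK it saw
    return seen, client_ack, scrambler.from_client(client, server, client_ack)


SECRET = b"constructed-gateway-secret"     # constructed; a real gateway draws this randomly
SERVER = ("192.0.2.10", 80)

if __name__ == "__main__":
    s = IsnScrambler(SECRET)
    # A server with a weak, incrementing ISN: two connections only 64 apart.
    for port, isn in ((50001, 1000), (50002, 1064)):
        seen, ack, back = handshake_view(s, ("198.51.100.7", port), SERVER, isn)
        print(f"real ISN {isn:>5} -> client sees {seen:>10}; ACK {ack} maps back to {back}")
```

The two connections differ by 64 on the server side but by an unrelated 32-bit value as seen by the client, and every ACK still maps back to the server's own numbering.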


TTL

With this protection you can enable or disable the use of TTL, and define how to identify a packet as a traceroute packet.

You can change the TTL field of all packets (or all outgoing packets) to a given number. This achieves two goals: it is no longer possible to know how many routers (hops) the host is from the listener, and the listener cannot know the original TTL value.

Default Flag Settings: Off
Log Generated by Protection: This feature does not issue a log.
NGX Performance Impact: Disables acceleration on all traffic.
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Not Enforced


IP ID

With this protection you can override the original IP ID with an ID generated by the firewall, thus masking the algorithm used by the original operating system and, with it, the operating system's identity. The three available algorithms used by the various operating systems are: Random, Incremental, and Incremental LE (little endian).

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables acceleration on all traffic.
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Not Enforced


Successive Events

The protections in this section allow you to configure different kinds of Check Point Malicious Activity Detections, including some general attributes.

All of these detections depend on logs generated by SmartDefense. By default, Check Point Malicious Activity Detections do not block the detected attacks but rather generate an Alert. It is possible to configure that other actions will be taken, for example User Defined Alerts.

Address Spoofing

This protection allows you to define parameters that are specific to the defense against Address Spoofing attempts. An attack is detected (defined) as Address Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Enforced
R55W - protection on: Same; Monitor-Only mode: Enforced


Denial of Service

To protect the network from DOS attacks, SmartDefense employs a threshold. The threshold detects DOS events when more than a specific amount occurs over a specific amount of time. When the threshold limit is reached, the incidents of DOS events are logged and an alert is issued.

With this protection you can define the frequency of events that will be treated as a DoS attack, and the Action to be taken when one of these attacks is detected.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Enforced
R55W - protection on: Same; Monitor-Only mode: Enforced


Local Interface Spoofing

With this protection you can define parameters that are specific to the defense against Local Interface Spoofing attempts. An attack is detected (defined) as Local Interface Spoofing when more than a specific number of events are detected over a period of a specific number of seconds.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Enforced
R55W - protection on: Same; Monitor-Only mode: Enforced


Successive Alerts

With this protection you can define parameters that are specific to the defense against Successive Alerts attempts. An attack is detected (defined) as Successive Alerts when more than a specific number of events are detected over a period of a specific number of seconds.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Enforced
R55W - protection on: Same; Monitor-Only mode: Enforced


Successive Multiple Connections

This protection allows you to define parameters that are specific to the defense against Successive Multiple Connections attempts. An attack is detected (defined) as Successive Multiple Connections when more than a specific number of events are detected over a period of a specific number of seconds.

Default Flag Settings: Off
Log Generated by Protection: Successive Multiple Connections
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Enforced
R55W - protection on: Same; Monitor-Only mode: Enforced
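The "more than a specific number of events over a specific number of seconds" rule shared by every protection in this section, as an added example that is not Check Point code: a per-source sliding window replayed over constructed SmartDefense-style log records, alerting once per source and attack kind. The record format and the threshold values are constructed, not the product's.

```python
"""Sliding-window threshold for the Successive Events protections above
(added example, not Check Point code).  An alert fires when more than
`max_events` records of one attack kind from one source fall inside any
`window` seconds.  Record format and thresholds are constructed."""
from collections import defaultdict, deque

# constructed thresholds: attack name -> (max events, window in seconds)
THRESHOLDS = {
    "Address Spoofing": (3, 10),
    "Denial of Service": (2, 5),
    "Local Interface Spoofing": (3, 10),
    "Successive Alerts": (5, 30),
    "Successive Multiple Connections": (10, 60),
}


def parse_record(line):
    """'time=6; src=10.0.0.5; attack=Address Spoofing' -> dict with numeric time."""
    fields = dict(kv.split("=", 1) for kv in line.split("; "))
    fields["time"] = float(fields["time"])
    return fields


class SuccessiveEventDetector:
    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self._recent = defaultdict(deque)   # (attack, src) -> timestamps inside the window
        self._alerted = set()               # alert once per (attack, src)

    def feed(self, rec):
        """Consume one parsed record in time order; return an alert string or None."""
        attack, key = rec["attack"], (rec["attack"], rec["src"])
        if attack not in self.thresholds:
            return None
        max_events, window = self.thresholds[attack]
        times = self._recent[key]
        times.append(rec["time"])
        while rec["time"] - times[0] > window:   # expire events older than the window
            times.popleft()
        if len(times) > max_events and key not in self._alerted:
            self._alerted.add(key)
            return f"{attack} from {rec['src']}: {len(times)} events in {window}s (> {max_events})"
        return None


def scan(lines, thresholds=THRESHOLDS):
    """Run the detector over log lines and return the alerts in the order raised."""
    det = SuccessiveEventDetector(thresholds)
    return [alert for alert in (det.feed(parse_record(line)) for line in lines) if alert]


SAMPLE_LOG = [  # constructed SmartDefense-style records, already in time order
    "time=0; src=10.0.0.5; attack=Address Spoofing",
    "time=1; src=10.0.0.7; attack=Denial of Service",
    "time=2; src=10.0.0.5; attack=Address Spoofing",
    "time=2; src=10.0.0.7; attack=Denial of Service",
    "time=3; src=10.0.0.7; attack=Denial of Service",
    "time=4; src=10.0.0.5; attack=Address Spoofing",
    "time=6; src=10.0.0.5; attack=Address Spoofing",
    "time=8; src=10.0.0.9; attack=Address Spoofing",
    "time=30; src=10.0.0.9; attack=Address Spoofing",
    "time=60; src=10.0.0.9; attack=Address Spoofing",
    "time=90; src=10.0.0.9; attack=Address Spoofing",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Source 10.0.0.9 also produces four Address Spoofing records, but spread over 90 seconds, so it never crosses the window and raises no alert.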


DShield Storm Center

DShield Storm Center provides a platform for users of firewalls to share intrusion information. DShield Storm Center gathers logging information about attacks. This information is voluntarily provided by organizations from across the world for the benefit of all. Storm Center collates and presents reports on real-time threats to network security in a way that is immediately useful for the users.

Information flows in two ways between the Storm Center and the organizations requiring network security information. The SmartDefense Storm Center Module enables both:

• Retrieve a list of malicious IPs from the DShield Storm Center and block those IPs.
• Voluntarily submit logs to DShield.


Retrieve and Block Malicious IPs

With this protection you can decide whether to block all the malicious IP addresses received from DShield.org (one of the leading Storm Centers) on all gateways or whether to block them for specific gateways.

Default Flag Settings: Off
Log Generated by Protection:
The SmartDefense Storm Center Module (=daemon) logs:
  StormAgentName: daemon; StormAgentAction: Agent is up.
  StormAgentName: daemon; StormAgentAction: Going down.
  StormAgentName: daemon; StormAgentAction: Going down, Termination due to an error.
  StormAgentName: daemon; StormAgentAction: Going down, Failed on startup.
Connectivity to DShield storm center site:
  StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: ip list.
  StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: Initialization failed.
  StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: List is too old. Not updating.
  StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: Failed to update dynamic object.
  StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: Failed to access URL.
  StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: Data has expired. Clearing defined ranges
  StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: Certificate validation failed for URL:url.
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Not Enforced

Report to DShield

With this protection you can send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network.

Default Flag Settings: Off
Log Generated by Protection:
The SmartDefense Storm Center Module (=daemon) logs:
  StormAgentName: daemon; StormAgentAction: Agent is up.
  StormAgentName: daemon; StormAgentAction: Going down.
  StormAgentName: daemon; StormAgentAction: Going down, Termination due to an error.
  StormAgentName: daemon; StormAgentAction: Going down, Failed on startup.
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Not Enforced
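A health check over the Storm Center Module log records listed for both protections above, as an added example that is not Check Point code: it parses the StormAgentName / StormAgentAction / StormAgentMsg format and tells an operator whether the DShield blocklist is still being enforced, which matters most for the "Data has expired. Clearing defined ranges" case, where blocking silently stops. Treating the message "ip list." as a successful retrieval is an assumption; the sample records are constructed from the messages the page lists.

```python
"""Health monitor for the Storm Center Module log lines listed above (added
example, not Check Point code).  Replays StormAgentName/Action/Msg records
and reports whether the DShield blocklist on the gateway is still enforced.
Reading 'ip list.' as a successful retrieval is an assumption; the sample
records are constructed from the messages the page lists."""

# CPDShield retrieval messages from the page -> what each means for enforcement
FAILURE_MEANING = {
    "Initialization failed.": "retrieval could not initialise",
    "List is too old. Not updating.": "stale list kept, no update applied",
    "Failed to update dynamic object.": "gateway dynamic object not updated",
    "Failed to access URL.": "download failed",
    "Data has expired. Clearing defined ranges": "blocklist cleared: no IPs are being blocked",
    "Certificate validation failed for URL:url.": "TLS certificate of the blocklist URL rejected",
}


def parse_storm_log(line):
    """Split one record into fields; only the first ':' of each part separates key and value."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def blocklist_health(lines):
    """Replay records in order; summarise agent state, blocklist freshness and problems."""
    state = {"agent_up": False, "blocklist_ok": False, "problems": []}
    for line in lines:
        rec = parse_storm_log(line)
        name, action = rec.get("StormAgentName"), rec.get("StormAgentAction", "")
        msg = rec.get("StormAgentMsg", "")
        if name == "daemon":
            state["agent_up"] = action == "Agent is up."
            if action.startswith("Going down,"):          # the abnormal shutdown variants
                state["problems"].append(action)
        elif name == "CPDShield" and action == "Retrieve blocklist":
            if msg == "ip list.":                         # assumption: successful fetch
                state["blocklist_ok"] = True
            elif msg in FAILURE_MEANING:
                state["problems"].append(FAILURE_MEANING[msg])
                if msg.startswith("Data has expired"):    # ranges cleared: nothing blocked now
                    state["blocklist_ok"] = False
    return state


SAMPLE_LOG = [  # constructed, in the order a gateway might emit them
    "StormAgentName: daemon; StormAgentAction: Agent is up.",
    "StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: ip list.",
    "StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; StormAgentMsg: Failed to access URL.",
    "StormAgentName: CPDShield; StormAgentAction: Retrieve blocklist; "
    "StormAgentMsg: Data has expired. Clearing defined ranges",
]

if __name__ == "__main__":
    health = blocklist_health(SAMPLE_LOG)
    print("agent up:", health["agent_up"], "| blocklist enforced:", health["blocklist_ok"])
    for problem in health["problems"]:
        print("problem:", problem)
```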


Port Scan

Port Scan protections allow you to discover incidences of intelligence gathering so that the information in question cannot be used to attack vulnerable computers.

Port Scanning is a method of collecting information about open TCP and UDP ports in a network. Gathering information is not in itself an attack, but the information can be used later to target and attack vulnerable computers.

Port scanning can be performed either by a hacker using a scanning utility such as nmap, or by a worm trying to spread itself to other computers. Port Scanning is most commonly done by trying to access a port and waiting for a response. The response indicates whether or not the port is open.

Host Port Scan

SmartDefense has three levels of port scan detection sensitivity. Each level represents the amount of inactive ports scanned during a certain amount of time. When a port scan is detected a log or alert is issued.

Default Flag Settings: Off
Log Generated by Protection: Port Scan
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Not Enforced; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: N/A


Sweep Scan

SmartDefense has three levels of port scan detection sensitivity. Each level represents the amount of inactive ports scanned during a certain amount of time. When a port scan is detected a log or alert is issued.

Default Flag Settings: Off
Log Generated by Protection: Port Scan
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Not Enforced; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: N/A


Dynamic Ports

If this protection is enabled, when a client tries to open a dynamic connection to such a protected port, the connection is dropped.

Block Data Connections to Low Ports

Block data connections to low ports specifies whether or not dynamically opened ports below 1024 are permitted. The low port range is used by many standard services, so you will not normally permit low ports.

Default Flag Settings: On
Log Generated by Protection: Port Scan
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Same; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Same


CHAPTER 3 Application Intelligence

In This Chapter
Introduction page 52
Mail page 53
FTP page 62
Microsoft Networks page 65
Block Long CIFS Password page 71
Instant Messengers page 79
DNS page 84
VoIP page 93
SNMP page 102
VPN Protocols page 104
Content Protection page 110
MS-RPC page 119
MS-SQL page 131
Routing Protocols page 142
SUN-RPC page 146
DHCP page 148
SOCKS page 149
TFTP page 150
Citrix page 153
Remote Control Applications page 155
Remote Administration page 158
Tunneling page 160
Telnet page 162
Veritas Backup Exec Protections page 163
CA BrightStore Backup page 165

Introduction

A growing number of attacks attempt to exploit vulnerabilities in network applications rather than target the firewall directly. Check Point Application Intelligence is a set of advanced capabilities, integrated into Firewall and SmartDefense, which detects and prevents application-level attacks. Based on INSPECT intelligent inspection technology, Check Point Application Intelligence gives SmartDefense the ability to protect against application attacks and hazards.

FIGURE 3-1 OSI (Open Systems Interconnection) Reference Model

Note - The OSI Reference Model is a framework, or guideline, for describing how data is transmitted between devices on a network. The Application Layer is not the actual end-user software application, but a set of services that allows the software application to communicate via the network. Distinctions between layers 5, 6, and 7 are not always clear, and some competing models combine these layers, as does this user guide.

Application Intelligence protections allow you to configure various protections at the application layer, using SmartDefense's Application Intelligence capabilities.


Mail

The protections in this section allow you to select what types of enforcement will be applied to Mail traffic.

POP3 / IMAP Security

With this protection you enable limitations on email messages delivered to the network using the POP3/IMAP protocols. These options make it possible to recognize and stop malicious behavior. For example, SmartDefense can enforce the length of a username and password (as used in a Buffer Overrun attack), which prevents the use of a long string of characters that can potentially crash the machine.

SmartDefense can also prevent a situation in which the use of network resources is deliberately discontinued. It can limit the number of NOOP commands (that is, a no-operation command) that may be used in a Denial of Service attack.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables POP3/IMAP acceleration and enables Security servers.
InterSpect NGX - Impact on Acceleration: Disables POP3/IMAP acceleration.
InterSpect NGX - Impact on Performance: Protection is streamed client to server.
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Not Enforced; Monitor-Only mode: Not Enforced
R55W - protection on: Same; Monitor-Only mode: Same


SMTP Worm Catcher

With this protection one can define worm patterns in the SMTP command arguments (other than mail data) that will be detected and blocked. These patterns are described by means of a regular expression. In the online help, search for "Regular Expressions" for an explanation of the syntax and usage of regular expressions.

Updated patterns can be obtained via the SmartDefense update mechanism.

This protection can be enforced on specific SMTP servers by defining them in the Mail Servers View. When this protection is triggered the originating source can be quarantined for a configurable period of time. Packet streams that triggered this protection can be captured and stored, and then examined using an internal packet viewer or any third party protocol analyzer.

A monitor-only mode can be used for logging unauthorized traffic without enforcing the protection.

Note - Do not apply this protection to MS Exchange Server SMTP Connectors.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables POP3/IMAP acceleration.
InterSpect NGX - Impact on Performance: CPU Intensive - active control and inspection of a TCP stream.
SmartDefense Update Version: (not specified)

Feature behavior on earlier gateway versions under NGX R60 Management:
NG FP3 to R55 - protection on: Not Enforced; Monitor-Only mode: Not Enforced
R55W - protection on: Not Enforced; Monitor-Only mode: Not Enforced


SMTP Format Restrictions

This protection preempts possible buffer overrun and Denial of Service attacks by placing restrictions on the SMTP command arguments that can pass.

Field Length restrictions allow you to configure upper bounds for different elements in the SMTP message. This can preempt buffer overrun attacks.

Command Restrictions prevent Denial of Service attacks. Clients can be prevented from sending an excessive number of commands per connection, and the number of NOOP commands can be limited.

Max unknown commands is the maximum number of unknown commands allowed per connection. It can prevent the SMTP mail protocol from being maliciously exploited. The following are the known commands: DATA, EHLO, EXPN, HELO, HELP, MAIL From, NOOP, QUIT, RCPT To, RSET, VRFY. All other commands are treated as unknown. Unchecking a command in the "Blocked Commands" list does not make it a known command.

Blocked commands is a list of blockable SMTP commands. Some commands (such as EXPN and VRFY) are blocked by default because they are frequently used in attacks. Some known commands are not in the list because blocking them would prevent the SMTP connection. Commands can be manually added to the list.

This protection can be enforced on specific servers by defining them in the Mail Servers View. When this protection is triggered the originating source can be quarantined for a configurable period of time. Packet streams that triggered this protection can be captured and stored, and then examined using an internal packet viewer or any third party protocol analyzer.


A monitor-only mode can be used for logging unauthorized traffic without enforcing the protection.

Note - Do not apply this protection to MS Exchange Server SMTP Connectors.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables POP3/IMAP acceleration.
InterSpect NGX - Impact on Performance: CPU Intensive - active control and inspection of a TCP stream.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Not Enforced
  Monitor-Only mode     Not Enforced       Not Enforced
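The restrictions described for SMTP Format Restrictions (field length bounds, per-connection command and NOOP limits, the unknown-command limit and the blocked-command list), together with the regular-expression worm patterns of SMTP Worm Catcher and the username/password length and NOOP limits of POP3 / IMAP Security, all reduce to one inspector over the client command stream. The following is an added example of such an inspector, written for this guide; it is not Check Point code, and the limits, the worm pattern and the sample session are constructed for illustration.

```python
"""Inspector for an SMTP client command stream, modelled on the restrictions
described above: field-length bounds, per-connection command and NOOP limits,
an unknown-command limit, a blocked-command list and regular-expression worm
patterns over command arguments.  Added example, not Check Point code; all
limits and patterns are constructed for illustration."""
import re
from dataclasses import dataclass

# Commands the text lists as "known"; every other verb counts as unknown.
# MAIL From and RCPT To are keyed on their first word.
KNOWN_COMMANDS = frozenset({"DATA", "EHLO", "EXPN", "HELO", "HELP", "MAIL",
                            "NOOP", "QUIT", "RCPT", "RSET", "VRFY"})


@dataclass
class SmtpPolicy:
    max_arg_len: int = 256      # field-length bound on any command argument (constructed)
    max_commands: int = 100     # commands allowed per connection (constructed)
    max_noop: int = 5           # NOOP commands allowed per connection (constructed)
    max_unknown: int = 3        # unknown commands allowed per connection (constructed)
    # EXPN and VRFY are blocked by default, as the text describes.
    blocked: frozenset = frozenset({"EXPN", "VRFY"})
    # Constructed worm pattern (not the vendor's update feed): an executable
    # file name smuggled into an address argument.
    worm_patterns: tuple = (re.compile(r"<[^>]*\.(?:exe|scr|pif)\b", re.I),)


@dataclass
class ConnectionState:
    commands: int = 0
    noops: int = 0
    unknown: int = 0


def inspect_command(line: str, state: ConnectionState, policy: SmtpPolicy):
    """Apply the policy to one client line. Returns None when the command
    passes, otherwise a short reason string suitable for a log entry."""
    parts = line.rstrip("\r\n").split(None, 1)
    verb = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""

    state.commands += 1
    if state.commands > policy.max_commands:
        return "too many commands per connection"
    # The blocked list is checked first: unchecking a command in that list
    # does not make it a known command, so the two sets are independent.
    if verb in policy.blocked:
        return f"blocked command {verb}"
    if verb not in KNOWN_COMMANDS:
        state.unknown += 1
        if state.unknown > policy.max_unknown:
            return "too many unknown commands"
    elif verb == "NOOP":
        state.noops += 1
        if state.noops > policy.max_noop:
            return "too many NOOP commands"
    # Field-length and pattern checks apply to the argument of any command.
    if len(arg) > policy.max_arg_len:
        return f"{verb} argument exceeds {policy.max_arg_len} bytes"
    for pattern in policy.worm_patterns:
        if pattern.search(arg):
            return f"worm pattern matched in {verb} argument"
    return None


def inspect_session(lines, policy=None):
    """Inspect a whole client command stream; returns one (line, verdict)
    pair per command, verdict being None or the reason string."""
    policy = policy or SmtpPolicy()
    state = ConnectionState()
    return [(line, inspect_command(line, state, policy)) for line in lines]


# Constructed client session exercising each restriction.
SAMPLE_SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "VRFY bob",                                    # blocked by default
    "NOOP", "NOOP", "NOOP", "NOOP", "NOOP",        # five NOOPs are tolerated
    "NOOP",                                        # the sixth is not
    "XEXCH50 1", "XSIZE", "XFOO",                  # three unknown commands pass
    "XBAR",                                        # the fourth trips the limit
    "MAIL FROM:<" + "A" * 300 + "@example.test>",  # oversized field
    "RCPT TO:<invoice.exe@example.test>",          # worm pattern
]

if __name__ == "__main__":
    for line, verdict in inspect_session(SAMPLE_SESSION):
        print(f"{'PASS' if verdict is None else 'DROP'} {line[:40]:40} {verdict or ''}")
```

The verdict strings stand in for the log text; a real deployment would also apply the quarantine and packet-capture actions the text describes once a verdict is returned.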


SMTP Malicious Code

This protection analyzes SMTP command arguments (other than mail data). It assesses the danger, and allows or rejects connections accordingly. Because it analyzes command arguments dynamically, it is able to protect against most future vulnerabilities without the need for patterns or updates.

Security Level makes it possible to choose the appropriate trade-off between security and performance.

LOW: Only 8-bit encoded SMTP command arguments are inspected for malicious code. Most attacks are likely to be carried by 8-bit encoded command arguments, rather than in 7-bit (textual) command arguments. This option gives better performance.

HIGH: All SMTP command arguments are inspected for malicious code. This option uses more InterSpect resources, but is more secure.

This protection can be enforced on specific servers by defining them in the Mail Servers View. When this protection is triggered the originating source can be quarantined for a configurable period of time. Packet streams that triggered this protection can be captured and stored, and then examined using an internal packet viewer or any third party protocol analyzer.


A monitor-only mode can be used for logging unauthorized traffic without enforcing the protection.

Note - Do not apply this protection to MS Exchange Server SMTP Connectors.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables POP3/IMAP acceleration.
InterSpect NGX - Impact on Performance: CPU Intensive - active control and inspection of a TCP stream.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Not Enforced
  Monitor-Only mode     Not Enforced       Not Enforced


Mail Security Server

With this protection you can select what types of enforcement will be applied to SMTP connections passing through the security server.

The SMTP security server allows strict enforcement of the SMTP protocol. Usually the security server is activated by specifying resources or authentication rules in the standard security policy.

Default Flag Settings: On - only for connections related to resources used in the rule base.
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables SMTP acceleration and enables Security servers.
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same               Same
  Monitor-Only mode     Not Enforced       Not Enforced


Block ASN.1 Bitstring Encoding Attack over SMTP

SmartDefense provides protection against this vulnerability by analyzing the communication, looking for ASN.1 encoding within GSSAPI structures in SMTP authentication.

Note that SMTP Security Servers already block the GSSAPI authentication method.

Default Flag Settings: Off
Log Generated by Protection: MS-ASN.1 Enforcement Violation
NGX Performance Impact: Disables acceleration of the relevant protocols for which the protection is turned on.
InterSpect NGX - Impact on Acceleration: Disables acceleration of the relevant protocols for which the protection is turned on.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same


NNTP

This protection checks the validity of response messages to the potentially malicious LIST and UPDATE LIST commands.

This protection addresses Buffer Overflow vulnerabilities. That is, with this protection you can protect a client from a malicious server that sends a list of articles that causes a Buffer Overflow, and a server from a malicious client that uses a search command that causes a Buffer Overflow.

A monitor-only mode makes it possible to track NNTP protocol violations without blocking the connection.

Default Flag Settings: Off
Log Generated by Protection: NNTP Malformed Message / NNTP Buffer Overflow
NGX Performance Impact: Disables NNTP acceleration.
InterSpect NGX - Impact on Acceleration: Disables NNTP acceleration.
InterSpect NGX - Impact on Performance: The Outlook Express vulnerability is streamed from the server to the client. The XPAT vulnerability is streamed from the client to the server. Low memory consumption.
SmartDefense Update Version: 591050706

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Not Enforced
  Monitor-Only mode     Not Enforced       Not Enforced


FTP

The protections in this section allow you to configure various protections related to the FTP protocol.

FTP Bounce

With this protection you can neutralize an FTP bounce attack aimed at the firewall. SmartDefense neutralizes the attack by performing tests in the kernel.

SmartDefense performs a mandatory protection against the FTP bounce attack, verifying the destination of the FTP PORT command. In addition, SmartDefense blocks connections to Dynamic Ports, as defined in the Dynamic Ports tab, under Network Security.

Default Flag Settings: On
Log Generated by Protection: IP address mismatch in port/227 command - header IP different from command IP
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: Disables FTP acceleration.
InterSpect NGX - Impact on Performance: Low memory consumption inspection on a packet basis.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same               Same
  Monitor-Only mode     Not Enforced       Same
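The check the FTP Bounce protection performs, as an added example that is not Check Point code: the address carried in a PORT command must equal the address of the client that sent it (the "header IP"), the address in a 227 PASV reply must equal the server's, and data connections to configured dynamic ports are refused. The dynamic-port set, the addresses and the command lines are constructed; the log reason strings follow the wording on this page and the FTP Security Server page.

```python
"""Checks for the FTP PORT command and the PASV (227) reply in the spirit of
the bounce protection described above: the address embedded in the command
must equal the address of the peer that sent it, and data connections to
configured dynamic ports are refused.  Added example, not Check Point code;
the dynamic-port list and all addresses are constructed."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.I)
PASV_RE = re.compile(r"^227\s[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

MISMATCH = ("IP address mismatch in port/227 command - "
            "header IP different from command IP")


def parse_hostport(spec):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    nums = [int(x) for x in spec.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed host-port specification")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def check_port_command(line, client_ip, dynamic_ports=frozenset()):
    """Inspect a client PORT command. client_ip is the source address from
    the packet header. Returns None if allowed, else a log reason."""
    m = PORT_RE.match(line.strip())
    if not m:
        return "Invalid arguments for Port command"
    try:
        ip, port = parse_hostport(m.group(1))
    except ValueError:
        return "Invalid arguments for Port command"
    if ip != ipaddress.IPv4Address(client_ip):
        return MISMATCH          # bounce: data connection aimed at a third host
    if port in dynamic_ports:    # constructed stand-in for the Dynamic Ports tab
        return f"bad PORT command: port {port} is a blocked dynamic port"
    return None


def check_pasv_reply(line, server_ip):
    """Inspect a server 227 reply; server_ip is the source address of the
    reply. Returns None if allowed, else a log reason."""
    m = PASV_RE.match(line.strip())
    if not m:
        return "Invalid arguments for PASV reply"
    try:
        ip, _port = parse_hostport(m.group(1))
    except ValueError:
        return "Invalid arguments for PASV reply"
    if ip != ipaddress.IPv4Address(server_ip):
        return MISMATCH
    return None


if __name__ == "__main__":
    # Constructed exchange: client 10.0.0.5 talking to server 10.0.0.9.
    print(check_port_command("PORT 10,0,0,5,4,1", "10.0.0.5"))
    print(check_port_command("PORT 192,168,1,20,0,25", "10.0.0.5"))
    print(check_pasv_reply("227 Entering Passive Mode (10,0,0,9,19,137)", "10.0.0.9"))
```

Both functions are pure and take the header address as a parameter, so the same code can be run against a packet capture to confirm what the protection would have logged.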


FTP Security Server

With this protection you can access Authentication services and Content Security based on FTP commands (PUT/GET), file name restrictions, and CVP checking (for example, for viruses). In addition, the FTP Security Server logs FTP get and put commands, as well as the associated file names, if the rule's Track is Log.

Usually the Security Servers are enabled by specifying rules in the security policy.

Default Flag Settings: On - only for connections related to resources used in the rule base.
Log Generated by Protection: This feature does not contain a specific log; instead it produces various logs. For example:
  Blocked FTP Commands:   reason: command: was blocked
  Block Known Ports:      reason: bad PORT command:
  Block Port Overflow:    reason: Invalid arguments for Port command
                          reason: Invalid arguments for PASV reply
NGX Performance Impact: Disables FTP acceleration and enables Security servers.
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same               Same
  Monitor-Only mode     Not Enforced       Not Enforced


Oracle XDB Overflow

This protection blocks a routine in the XDB FTP UNLOCK command that can potentially allow remote code execution in the Oracle XDB service.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection:
  Attack Name: Oracle FTP Service Protection Violation
  Attack Information: Oracle XDB FTP command blocked
NGX Performance Impact: Disables FTP acceleration.
InterSpect NGX - Impact on Acceleration: Disables acceleration of port 2100 TCP.
InterSpect NGX - Impact on Performance: Protection is over streaming.
SmartDefense Update Version: 591060212

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       Not Enforced


Microsoft Networks

The protections in this section allow you to select what types of enforcement will be applied to Microsoft networking protocols.

File and Print Sharing

This protection allows you to configure worm signatures that will be detected and blocked by the CIFS Worm Defender.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables acceleration of Microsoft Network Protocols.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration of the CIFS protocol.
InterSpect NGX - Impact on Performance: Minor impact (the protection employs a TCP engine on server to client traffic).
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same               Same
  Monitor-Only mode     Not Enforced       Same


Block Null CIFS Sessions

When this protection is enabled, SmartDefense will block null session attempts.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables session rate acceleration for the CIFS protocol.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration for the CIFS protocol.
InterSpect NGX - Impact on Performance: Minor impact (the protection employs a TCP engine on server to client traffic).
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         *Enforced          Same
  Monitor-Only mode     Not Enforced       Same


Block Popup Messages

When this protection is enabled, any attempt to send a Windows popup message will be blocked.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables session rate acceleration for the CIFS protocol.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration for the CIFS protocol.
InterSpect NGX - Impact on Performance: Minor impact (the protection employs a TCP engine on server to client traffic).
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         *Enforced          Same
  Monitor-Only mode     Not Enforced       Same


Block ASN.1 Bitstring Encoding Attack

SmartDefense provides protection against this vulnerability by analyzing the communication, looking for ASN.1 BER encoding within GSS-API structures, in different protocols.

Default Flag Settings: Off
Log Generated by Protection: MS-ASN.1 Enforcement Violation
NGX Performance Impact: Disables acceleration of the relevant protocols for which the protection is turned on.
InterSpect NGX - Impact on Acceleration: Disables acceleration of the relevant protocols for which the protection is turned on.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same


Block WINS Replication Attack

With this protection SmartDefense is able to recognize an illegal WINS packet. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.

Default Flag Settings: Off
Log Generated by Protection: MS WINS Replication Protocol Enforcement Violation
NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.
InterSpect NGX - Impact on Acceleration: Disables acceleration of the relevant protocols for which the protection is turned on.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same


Block WINS Name Validation Attack

With this protection SmartDefense is able to recognize an illegal NBNS packet. This enables SmartDefense to catch potentially harmful packets before they enter the network.

Default Flag Settings: Off
Log Generated by Protection: MS WINS Name Validation Enforcement Violation
NGX Performance Impact: Disables acceleration of Microsoft WINS traffic on the client to server connection.
InterSpect NGX - Impact on Acceleration: Disables acceleration of the relevant protocols for which the protection is turned on.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same


Block Long CIFS Password

Some versions of the SAMBA server are vulnerable to a buffer overrun when using a very long login password.

When enabled, this protection will block attempts to use an overly long password, which might crash some SAMBA servers.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables session rate acceleration for the CIFS protocol.
InterSpect NGX - Impact on Acceleration: (not specified)
InterSpect NGX - Impact on Performance: Minor impact (the protection employs a TCP engine on server to client traffic).
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same


Block SMB Server Buffer Overflow

A vulnerability exists in the Microsoft SMB implementation. A remote attacker could exploit this vulnerability by sending a series of specially crafted messages to an affected system. This allows a remote attacker to take complete control of the affected system.

By enabling this protection, SmartDefense will block any attempt to exploit this buffer overflow.

A monitor-only mode makes it possible to track attempts to exploit the buffer overflow vulnerability.

Default Flag Settings: Off
Log Generated by Protection:
  Attack Name: Windows SMB Protection Violation
  Attack Information: Buffer Overflow Attempt
NGX Performance Impact: (not specified)
InterSpect NGX - Impact on Acceleration: Disables acceleration on SMB traffic.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: 591050801

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same


Block Message Queuing Buffer Overflow

A vulnerability exists in the way an MSMQ server parses messages received by RPC. By constructing a malicious message it is possible to cause a buffer overflow in the vulnerable component. This condition may be remotely exploited to execute arbitrary code on the target machine within the system security context.

By enabling this protection, SmartDefense will block any attempt to exploit this buffer overflow and attempts to conceal the attack with multi-context bind calls.

A monitor-only mode makes it possible to track attempts to exploit the buffer overflow vulnerability.

Default Flag Settings: Off
Log Generated by Protection:
  Attack Name: MS Message Queuing Protection Violation
  Attack Information: Buffer Overflow Attempt
NGX Performance Impact: Disables acceleration of Microsoft MSMQ traffic on the client to server connection.
InterSpect NGX - Impact on Acceleration: Disables acceleration of Microsoft MSMQ traffic on the client to server connection.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: 591050801

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same


Block Repetitive SMB Login Attempts

By repeatedly attempting to authenticate to an SMB server using different passwords, it is possible to crack user accounts on the remote target or compromise the target.

SmartDefense can block repeated login attempts from the same client during a certain period of time.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection:
  Attack Name: Windows SMB Protection Violation
  Attack Information: Too many login attempts
NGX Performance Impact: Disables acceleration of Microsoft SMB traffic on the client to server connection.
InterSpect NGX - Impact on Acceleration: Disables acceleration of Microsoft SMB traffic on the client to server connection.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: 591060122

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Same (R55 Only)    Same
  Monitor-Only mode     Same (R55 Only)    Same
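The condition this protection acts on, "repeated login attempts from the same client during a certain period of time", is a sliding-window count keyed on the client address. The following added example (not Check Point code) runs that count over constructed session-setup log lines and emits the Attack Name / Attack Information text listed above whenever the threshold is exceeded; the log line format, the threshold of five attempts and the 60-second window are assumptions.

```python
"""Detector for repeated SMB login attempts from one client inside a time
window, the behaviour the protection above blocks. It runs over constructed
session-setup log lines; added example, not Check Point code. The line
format, threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

ALERT_TEXT = "Windows SMB Protection Violation: Too many login attempts"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) smb_session_setup "
    r"user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_event(line):
    """Return (timestamp, client, user, result), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["client"], m["user"], m["result"])


def detect_repetitive_logins(lines, max_attempts=5, window_seconds=60):
    """Sliding-window count of session-setup attempts per client. Every
    attempt beyond max_attempts within window_seconds yields an alert
    (iso_timestamp, client, ALERT_TEXT). Successful and failed attempts
    both count: the protection keys on repetition, not on the outcome."""
    recent = defaultdict(deque)
    alerts = []
    events = [e for e in map(parse_event, lines) if e]
    for ts, client, _user, _result in sorted(events):
        window = recent[client]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()            # drop attempts older than the window
        window.append(ts)
        if len(window) > max_attempts:
            alerts.append((ts.isoformat(), client, ALERT_TEXT))
    return alerts


# Constructed log lines: 10.0.0.7 cycles through accounts every five seconds,
# 10.0.0.8 makes three well-spaced attempts, and 10.0.0.7 returns after the
# window has expired.
SAMPLE_LINES = [
    "2006-06-01T10:00:00 client=10.0.0.7 smb_session_setup user=admin result=failure",
    "2006-06-01T10:00:02 client=10.0.0.8 smb_session_setup user=alice result=success",
    "2006-06-01T10:00:05 client=10.0.0.7 smb_session_setup user=backup result=failure",
    "2006-06-01T10:00:10 client=10.0.0.7 smb_session_setup user=guest result=failure",
    "2006-06-01T10:00:15 client=10.0.0.7 smb_session_setup user=sql result=failure",
    "2006-06-01T10:00:20 client=10.0.0.7 smb_session_setup user=test result=failure",
    "2006-06-01T10:00:25 client=10.0.0.7 smb_session_setup user=user result=failure",
    "2006-06-01T10:00:30 client=10.0.0.7 smb_session_setup user=web result=failure",
    "2006-06-01T10:01:40 client=10.0.0.8 smb_session_setup user=alice result=failure",
    "2006-06-01T10:03:20 client=10.0.0.8 smb_session_setup user=alice result=success",
    "2006-06-01T10:03:30 client=10.0.0.7 smb_session_setup user=alice result=success",
    "unrelated log line that the parser ignores",
]

if __name__ == "__main__":
    for alert in detect_repetitive_logins(SAMPLE_LINES):
        print(*alert)
```

Because the window is evaluated per client, a busy but legitimate server with many distinct clients does not accumulate into a false alert, while one source that keeps retrying is caught on its sixth attempt.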


Peer to Peer

This protection class enables you to block peer-to-peer traffic.

The protections in this section allow you to prevent the use of peer-to-peer applications used for message transfer and file sharing (for example, Kazaa and Gnutella). For peer-to-peer applications that masquerade as HTTP you can define HTTP patterns that you wish to block.

By identifying fingerprints and HTTP headers, SmartDefense detects peer-to-peer sessions regardless of the TCP port they are using.

Excluded Services/Network Objects

Since R55W it has been possible to create a white list of hosts and ports that will not be scanned for peer-to-peer protocols. However, because this capability does not exist on pre-R55 modules, installing the protections on older modules will cause the protections to be active even on the excluded objects.

Default Flag Settings: Off
Log Generated by Protection: This feature does not contain a log.
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: No Impact
InterSpect NGX - Impact on Performance: No Impact
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       Same


All Protocols through Port 80

With these protections you can block one of the supported peer-to-peer applications:

• KaZaA
• DirectConnect
• Gnutella
• eMule
• BitTorrent
• SoulSeek

Default Flag Settings: Off
Log Generated by Protection:
  KaZaA protocol detected on connection.
  DirectConnect protocol detected on connection.
  Gnutella protocol detected on connection.
  eMule protocol detected on connection.
  BitTorrent protocol detected on connection.
  SoulSeek protocol detected on connection.
NGX Performance Impact: Disables session rate acceleration on port 80.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration on port 80, client to server.
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       Same


IRC

Some worms have backdoor and Trojan capabilities: they connect to an IRC server on TCP high ports and, once they join a channel on that server, wait for instructions from the remote attacker. In addition, some worms use IRC to spread.

SmartDefense can block IRC traffic by identifying the IRC protocol fingerprint. SmartDefense is able to detect and block IRC traffic regardless of the TCP port being used to initiate the session.

This protection is applicable for InterSpect and R55W modules only.

Default Flag Settings: Off
Log Generated by Protection: IRC protocol detected on connection.
NGX Performance Impact: Disables acceleration on popular IRC ports (TCP). If "Block on all TCP high ports" is selected, acceleration is disabled on all TCP high ports.
InterSpect NGX - Impact on Acceleration: Disables acceleration on popular IRC ports (TCP). If "Block on all TCP high ports" is selected, acceleration is disabled on all TCP high ports.
InterSpect NGX - Impact on Performance: Low memory consumption inspection on a packet basis. Has acceleration patterns, so that not all high ports lose acceleration.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       Same


All Protocols

With these protections you can block one of the supported peer-to-peer applications:

• KaZaA
• DirectConnect
• Gnutella
• eMule
• BitTorrent
• SoulSeek

For older versions (FP3 to R55), if you turn on Header Rejection, HTTP will be protected.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration of P2P traffic.
InterSpect NGX - Impact on Performance: Low memory consumption inspection on a packet basis. Has acceleration patterns, so that not all high ports lose acceleration.
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       Same
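The Peer to Peer and IRC protections share one mechanism: a protocol fingerprint on the first bytes a client sends, applied regardless of TCP port, plus HTTP header patterns for clients that masquerade as web traffic, with an exclusion list (Excluded Services/Network Objects) of hosts and ports that are not scanned. The following is an added example of that mechanism, not Check Point code and not the vendor's pattern set. The BitTorrent handshake prefix, the Gnutella connect line, the IRC NICK/USER registration and the X-Kazaa-* request headers are documented protocol traits; the sample flows, the exclusion list, the User-Agent rule and the hypothetical `identify` / `scan_flows` functions are constructed for this example.

```python
"""Port-independent identification of the peer-to-peer and IRC protocols the
two protection groups above block, driven by fingerprints on the first bytes a
client sends, plus HTTP header patterns for P2P clients that masquerade as web
traffic and an exclusion list in the spirit of Excluded Services/Network
Objects. Added example, not Check Point code; the sample flows, the exclusion
list and the HTTP patterns are constructed."""
import re

# Fingerprints on the opening client bytes. The BitTorrent handshake begins
# with the byte 19 followed by "BitTorrent protocol"; Gnutella starts with
# "GNUTELLA CONNECT/"; an IRC client registers with NICK and USER lines.
FINGERPRINTS = (
    ("BitTorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("Gnutella",   lambda p: p.startswith(b"GNUTELLA CONNECT/")),
    ("IRC",        lambda p: re.search(rb"(?:^|\r\n)NICK [^\r\n]{1,30}\r\n", p) is not None
                             and re.search(rb"(?:^|\r\n)USER ", p) is not None),
)

# Header patterns for P2P clients that speak HTTP. X-Kazaa-* request headers
# are the KaZaA case; the User-Agent rule is a constructed example of a
# user-defined HTTP pattern.
HTTP_BLOCK_PATTERNS = (
    ("KaZaA", re.compile(rb"^X-Kazaa-", re.I | re.M)),
    ("KaZaA", re.compile(rb"^User-Agent:.*KazaaClient", re.I | re.M)),
)

HTTP_REQUEST_RE = re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


def identify(payload):
    """Return the protocol name matched by the first bytes of a flow, or None."""
    for name, test in FINGERPRINTS:
        if test(payload):
            return name
    if HTTP_REQUEST_RE.match(payload):
        headers = payload.split(b"\r\n\r\n", 1)[0]
        for name, pattern in HTTP_BLOCK_PATTERNS:
            if pattern.search(headers):
                return name
    return None


def scan_flows(flows, excluded_hosts=frozenset(), excluded_ports=frozenset()):
    """flows: iterable of (client_ip, server_ip, server_port, first_payload).
    Returns (client_ip, server_port, protocol) for every flow detected;
    flows touching an excluded host or port are not scanned at all."""
    detections = []
    for client, server, port, payload in flows:
        if client in excluded_hosts or server in excluded_hosts or port in excluded_ports:
            continue
        name = identify(payload)
        if name:
            detections.append((client, port, name))
    return detections


# Constructed flows: note the BitTorrent handshake on port 80 and the IRC
# registration on a high port, both caught without reference to the port.
SAMPLE_FLOWS = [
    ("10.0.0.7", "198.51.100.9", 80,
     b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-AB1234-" + b"P" * 12),
    ("10.0.0.8", "198.51.100.10", 6346,
     b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n"),
    ("10.0.0.9", "198.51.100.11", 80,
     b"GET /.files HTTP/1.1\r\nHost: 198.51.100.11\r\nX-Kazaa-Username: u\r\n\r\n"),
    ("10.0.0.10", "198.51.100.12", 31337,
     b"NICK bot4711\r\nUSER bot4711 0 * :bot\r\nJOIN #c\r\n"),
    ("10.0.0.11", "198.51.100.13", 80,
     b"GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.12", "198.51.100.14", 6346,
     b"GNUTELLA CONNECT/0.6\r\n\r\n"),          # host placed on the exclusion list below
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS, excluded_hosts={"10.0.0.12"}):
        print(*hit)
```

The exclusion check runs before any fingerprint is tried, which is the behaviour the text describes for R55W; on a module without that capability the same flows would be scanned regardless of the list, which is exactly the caveat given under Excluded Services/Network Objects.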


Instant Messengers

The protections in this section allow you to block Instant Messaging applications that use Instant Messaging protocols. Instant Messaging applications have many capabilities, including voice calls, message transfer, and file sharing.

Excluded Services/Network Objects

Since R55W it has been possible to create a white list of hosts and ports that will not be scanned for peer to peer protocols. However, because this capability does not exist on pre-R55 modules, installing the protections on older modules will cause the protections to be active even on the excluded objects.

Default Flag Settings: Off
Log Generated by Protection: This feature is an exclusion list that does not contain a log.
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       Same


MSN Messenger over SIP

With this protection you can block everything sent from SIP-based MSN Messenger, or specific MSN Messenger applications: file-transfer, application-sharing, white-boarding, and remote-assistant.

SmartDefense verifies compliance with the Session Initiation Protocol (SIP), RFC 3261. MSN Messenger can be either blocked completely, or its applications can be selectively blocked (file-transfer, application sharing, white-boarding, and remote assistant).

If "block sip based instant messaging" in SmartDefense > Application Intelligence > VoIP > SIP is selected, all MSN over SIP applications will be blocked automatically.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: SIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration: N/A
InterSpect NGX - Impact on Performance: N/A
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       N/A


MSN Messenger over MSNMS

With this protection you can block specific MSN Messenger applications: video, audio, file-transfer, application-sharing, white-boarding, and remote-assistant.

MSN Messenger can be either blocked completely, or its applications can be selectively blocked (audio, video, file-transfer, application sharing, white-boarding, and remote assistant).

To completely block MSN Messenger over MSNMS, no configuration is needed, because a security rule is required to allow it.

To selectively block SIP-based instant messenger applications, you must define a security rule with the MSNMS service (TCP 1863) that allows them, and then configure SmartDefense.

Default Flag Settings: Off
Log Generated by Protection: (not specified)
NGX Performance Impact: VPN-1 - Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration on all ports.
InterSpect NGX - Impact on Performance: Protection may be CPU intensive (that is, active control and inspection of a TCP stream).
SmartDefense Update Version: (not specified)

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Not Enforced
  Monitor-Only mode     Not Enforced       Not Enforced


All Protocols through Port 80

With these protections you can block one of the supported Instant Messenger applications:

• Skype
• Yahoo
• ICQ
• Google Talk

Default Flag Settings: Off
Log Generated by Protection: Instant Messengers Pattern - instant messengers pattern found
NGX Performance Impact: Disables session rate acceleration on port 80.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration on port 80, client to server.
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client.
SmartDefense Update Version: 591050906

Feature behavior in NGX R60 Management, by module version:
                        NG FP3 to R55      R55W
  Protection on         Not Enforced       Same
  Monitor-Only mode     Not Enforced       Same


All Protocols

With these protections you can block one of the supported Instant Messenger applications:
• Skype
• Yahoo
• ICQ
• Google Talk

Default Flag Settings: Off
Log Generated by Protection:
  Skype protocol detected on connection
  Yahoo protocol detected on connection
  ICQ protocol detected on connection
  Google Talk protocol detected on connection

NGX Performance Impact:                    VPN-1 - Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration:   Disables session rate acceleration of IM traffic.
InterSpect NGX - Impact on Performance:    Low memory consumption; traffic is not streamed. Has acceleration patterns, so that not all high ports lose acceleration.
SmartDefense Update Version:               591050906

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same


DNS

With the protections in this section you can prevent various DNS related vulnerabilities and prevent protocol violations by performing DNS protocol enforcement and validation (TCP and UDP).

Protocol Enforcement - TCP

SmartDefense is able to recognize a DNS packet that has been altered. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.

With this protection you can enforce the DNS protocol over TCP. Only pure DNS packets sent over TCP will be able to enter the network. In this case, all DNS port connections over TCP will be monitored to verify that every DNS packet attempting to enter the network has not been altered.


With the enforcement of the TCP protocol the potential for maliciously altered DNS packets to enter the system is decreased.

Default Flag Settings: On
Log Generated by Protection: DNS Enforcement Violation, Attack Name: Invalid DNS

Enabling Protocol Enforcement - TCP will generate numerous DNS logs with the common Attack Name "Invalid DNS".

NGX Performance Impact:                    Disables DNS over TCP acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS over TCP acceleration.
InterSpect NGX - Impact on Performance:    Minor impact (TCP Streaming). Most traffic is UDP based.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             N/A


Protocol Enforcement - UDP

SmartDefense is able to recognize a DNS packet that has been altered. This ability enables SmartDefense to catch potentially harmful packets before they enter the network.

In this window you can enforce the DNS protocol over UDP. Only pure DNS packets sent over UDP will be able to enter the network. In this case, all DNS port connections over UDP will be monitored to verify that every DNS packet attempting to enter the network has not been altered.

With the enforcement of the UDP protocol the potential for maliciously altered DNS packets to enter the system is decreased.

Default Flag Settings: On
Log Generated by Protection: DNS Enforcement Violation, Attack Name: Invalid DNS

Enabling Protocol Enforcement - UDP will generate numerous DNS logs with the common Attack Name "Invalid DNS".

NGX Performance Impact:                    Disables DNS over UDP acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS over UDP acceleration.
InterSpect NGX - Impact on Performance:
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             N/A


Domain Block List

With this protection you can create a Block List for the purpose of filtering out undesirable traffic.

SmartDefense contains a Block list for the purpose of filtering out undesirable traffic. SmartDefense will not allow a user to access a domain address specified in the Block list. The domain Block list is updated manually.

Default Flag Settings: Off
Log Generated by Protection: DNS Enforcement Violation, Attack Name: Invalid DNS, Attack Information: Domain found in block list

NGX Performance Impact:                    Disables DNS acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS acceleration.
InterSpect NGX - Impact on Performance:    Minor impact (TCP Streaming). Most traffic is UDP based.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same


Cache Poisoning Protections

The Cache Poisoning protections enable you to configure Cache Poisoning protection.

To reduce DNS traffic, name servers maintain a cache. The DNS cache is updated according to the TTL of each zone. Cache Poisoning occurs when DNS caches receive mapping information that was deliberately altered from a remote name server. The DNS server caches the incorrect information and sends it out as the requested information. As a result, email messages and URL addresses can be redirected and the information sent by a user can be captured and corrupted.

Default Flag Settings: Off
Log Generated by Protection: DNS Enforcement Violation
  Drop Inbound Requests - Attack Name: Invalid DNS, Attack Information: Unauthorized domain request
  Mismatched Replies - Attack Name: Invalid DNS, Attack Information: Mismatched Replies

NGX Performance Impact:                    Disables DNS acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS acceleration.
InterSpect NGX - Impact on Performance:    Minor impact (TCP Streaming). Most traffic is UDP based.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             N/A


Operations Enforcement

This SmartDefense protection can block the DNS operations Query, Update and Notify. When this protection is triggered the originating source can be quarantined for a configurable period of time. Packet streams that triggered this protection can be captured and stored, and then examined using an internal packet viewer or any third party protocol analyzer. A monitor-only mode can be used for logging unauthorized traffic without enforcing the protection.

To activate this protection, the Protocol Enforcement page must be configured in the following manner: at least one protocol enforcement (TCP or UDP) enabled, and monitor-only mode disabled.

Default Flag Settings: Off
Log Generated by Protection: DNS Enforcement Violation, Attack Name: Invalid DNS, Attack Information: Unallowed Opcode in query

NGX Performance Impact:                    Disables DNS acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS acceleration.
InterSpect NGX - Impact on Performance:    Minor impact (TCP Streaming). Most traffic is UDP based.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Not Enforced
  R55W, Monitor-Only mode:             Not Enforced


Type Enforcement

This protection provides granular control over DNS queries by blocking specific query types, and over DNS responses by blocking specific resource record types. (Note that they are separated into two lists.) Resource record and query types which are unnecessary to network functionality should be blocked in order to prevent unauthorized use.

When this protection is triggered, the originating source can be quarantined for a configurable period of time. Packet streams that triggered this protection can be captured and stored, and then examined using an internal packet viewer or any third party protocol analyzer. A monitor-only mode can be used for logging unauthorized traffic without enforcing the protection.

To activate this protection, the Protocol Enforcement page must be configured in the following manner: at least one protocol enforcement (TCP or UDP) enabled, and monitor-only mode disabled.

Default Flag Settings: Off
Log Generated by Protection: DNS Enforcement Violation
  Attack Name: Invalid DNS, Attack Information: Bad query format, unallowed type
  Attack Name: Invalid DNS, Attack Information: Bad Resource Record format, unallowed type

NGX Performance Impact:                    Disables DNS acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS acceleration.
InterSpect NGX - Impact on Performance:    Minor impact (TCP Streaming). Most traffic is UDP based.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Not Enforced
  R55W, Monitor-Only mode:             Not Enforced


DNS Traffic to Non-DNS Server

By enabling this protection, SmartDefense blocks DNS traffic to network objects that are not designated as DNS servers. To see the list of DNS servers, refer to the DNS Servers View.

When this protection is triggered, the originating source can be quarantined for a configurable period of time. Packet streams that triggered this protection can be captured and stored, and then examined using an internal packet viewer or any third party protocol analyzer. A monitor-only mode can be used for logging unauthorized traffic without enforcing the protection.

To activate this protection, the Protocol Enforcement page must be configured in the following manner: at least one protocol enforcement (TCP or UDP) enabled, and monitor-only mode disabled.

Default Flag Settings: Off
Log Generated by Protection: DNS Enforcement Violation, Attack Name: Invalid DNS, Attack Information: DNS request to an undefined DNS server

NGX Performance Impact:                    Disables DNS acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS acceleration.
InterSpect NGX - Impact on Performance:    Minor impact (TCP Streaming). Most traffic is UDP based.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Not Enforced
  R55W, Monitor-Only mode:             Not Enforced


Resource Records Enforcements

This protection allows you to set the maximum number of allowed Answer, Authority and Additional Resource Records within a reply to a DNS query sent over TCP.

Default Flag Settings: Off
Log Generated by Protection: DNS Enforcement Violation
  Attack Information: Resource Records Enforcement - Excessive number of Resource Records detected in reply
  Attack Information: Resource Records Enforcement - Excessive number of Authority Resource Records detected in reply
  Attack Information: Resource Records Enforcement - Excessive number of Additional Resource Records detected in reply

NGX Performance Impact:                    Disables DNS acceleration.
InterSpect NGX - Impact on Acceleration:   Disables DNS acceleration.
InterSpect NGX - Impact on Performance:    Minor impact (TCP Streaming). Most traffic is UDP based.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same (R55 Only)
  NG FP3 to R55, Monitor-Only mode:    Same (R55 Only)
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same
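The following Python program is added here as an illustration of the checks the DNS pages above describe (Protocol Enforcement over TCP and UDP, Mismatched Replies under Cache Poisoning, Operations Enforcement, Type Enforcement and Resource Records Enforcements); it is not Check Point code and not part of this guide. It parses a DNS message strictly enough to reject altered packets, then applies an opcode allow-list, a query-type and RR-type block-list, per-section record limits, and an ID/question match against the outstanding query. The limits, the default block-lists and the sample messages are constructed assumptions; the violation texts follow the log strings quoted on the pages above.

```python
import struct

# Opcodes named on the Operations Enforcement page (RFC 1035, RFC 1996, RFC 2136).
OPCODES = {0: "Query", 4: "Notify", 5: "Update"}


def read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, offset after it).

    Raises ValueError on truncation, over-long labels or a compression-pointer loop.
    """
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if not jumped:
                end = off + 2                     # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), (end if jumped else off)


def parse(msg):
    """Parse header, questions and the skeleton of every RR; raise ValueError if altered."""
    if len(msg) < 12:
        raise ValueError("shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions = 12, []
    sections = {"an": [], "ns": [], "ar": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for key, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated resource record")
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("RDATA runs past end of message")
            sections[key].append((name, rtype))
    if off != len(msg):
        raise ValueError("trailing bytes after last record")
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "questions": questions, **sections}


def strip_tcp_length(data):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    if len(data) < 2 or struct.unpack("!H", data[:2])[0] != len(data) - 2:
        raise ValueError("TCP length prefix does not match payload")
    return data[2:]


def check(msg, allowed_opcodes=(0,), blocked_qtypes=(252, 255), blocked_rrtypes=(),
          max_rrs=(10, 10, 10), expected=None):
    """Return the list of violations (an empty list means the message passes).

    Defaults are assumptions: only Query allowed, AXFR (252) and ANY (255) blocked,
    at most 10 records per section. expected = (id, (name, qtype, qclass)) of the
    outstanding query when a reply is being checked.
    """
    try:
        m = parse(msg)
    except ValueError as e:
        return ["Invalid DNS: %s" % e]
    v = []
    if m["opcode"] not in allowed_opcodes:
        v.append("Unallowed Opcode in query: %s" % OPCODES.get(m["opcode"], m["opcode"]))
    v += ["Bad query format, unallowed type %d" % q[1] for q in m["questions"] if q[1] in blocked_qtypes]
    if m["qr"]:
        for key, label, limit in zip(("an", "ns", "ar"), ("Answer", "Authority", "Additional"), max_rrs):
            if len(m[key]) > limit:
                v.append("Excessive number of %s Resource Records detected in reply" % label)
            v += ["Bad Resource Record format, unallowed type %d" % r[1] for r in m[key] if r[1] in blocked_rrtypes]
        if expected is not None and (m["id"], m["questions"][:1]) != (expected[0], [expected[1]]):
            v.append("Mismatched Replies")
    return v


def build(ident, qr, opcode, name, qtype, answers=()):
    """Construct a minimal uncompressed message (sample input, not captured traffic)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    out = struct.pack("!6H", ident, (qr << 15) | (opcode << 11), 1, len(answers), 0, 0)
    out += wire + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        out += wire + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return out
```

The same parse step serves both transports: for UDP the datagram is passed to check() directly, for TCP it is first passed through strip_tcp_length(). Any structural defect is reported as "Invalid DNS", which is why the pages above warn that enabling Protocol Enforcement produces many logs under that one Attack Name.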


VoIP

With the protections in this section you can enable protection against DoS attacks directed against VoIP networks. In the VoIP pages you can configure protections for VoIP protocols.

SmartDefense validates the addresses of the caller and receiver, and ensures that the caller and receiver are allowed to make and receive VoIP calls. In addition, SmartDefense examines the contents of the packets passing through every allowed port, to make sure they contain proper information. Full stateful inspection on H.323, SIP, MGCP and SCCP commands ensures that all VoIP packets are structurally valid, and that they arrive in a valid sequence according to RFC standards.

DOS Protection

A rogue IP phone could make Denial of Service attacks by flooding the network with calls, thereby interfering with proper use of the phone network.

This protection allows you to protect against Denial of Service attacks by limiting the number of call attempts per minute that the VPN-1 Pro Gateway will allow from any given IP address. Calls from handover devices are not counted, because they make a large number of calls.

Default Flag Settings: Off
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Not Enforced
  R55W, Monitor-Only mode:             Not Enforced
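The following Python class is added as an illustration of the call-rate limit the DOS Protection page describes: a per-source sliding window of call attempts per minute, sources listed as handover devices exempted, and a monitor-only mode that logs without dropping. It is not Check Point code; the 60-second window, the handover list and the monitor-only switch are assumptions modelled on the page, and the sample IP addresses are constructed.

```python
from collections import defaultdict, deque


class CallRateLimiter:
    """Limit VoIP call attempts per source address per minute (added example)."""

    WINDOW = 60.0   # seconds; "per minute" as on the DOS Protection page

    def __init__(self, max_calls_per_minute, handover_devices=(), monitor_only=False):
        self.limit = max_calls_per_minute
        self.handover = set(handover_devices)      # assumption: exempt by address
        self.monitor_only = monitor_only
        self.attempts = defaultdict(deque)         # source IP -> timestamps in window
        self.log = []                              # (time, source, message) records

    def call_attempt(self, src_ip, now):
        """Register one call attempt at time `now`; return True if it may proceed."""
        if src_ip in self.handover:                # handover devices make many calls by design
            return True
        window = self.attempts[src_ip]
        while window and now - window[0] >= self.WINDOW:
            window.popleft()                       # drop attempts older than one minute
        window.append(now)
        if len(window) <= self.limit:
            return True
        self.log.append((now, src_ip, "VoIP DoS: call rate limit exceeded"))
        return self.monitor_only                   # log only, or log and drop


def simulate(limiter, attempts):
    """Feed (src_ip, time) pairs in order; return the list of allow/drop decisions."""
    return [limiter.call_attempt(ip, t) for ip, t in attempts]
```

Because only attempts inside the last 60 seconds are kept, a source that is blocked recovers automatically once its earlier attempts age out; the log list is what a monitor-only deployment would review before switching the protection to enforce.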


H323

In this window you can perform the following application layer checks:
• Strict enforcement of the protocol, including the order and direction of H.323 packets.
• If the phone number sent is longer than 24 characters the packet is dropped. This prevents buffer overruns in the server.
• Dynamic ports will only be opened if the port is not used by another service. For example: if the Connect message sends port 80 for the H.245 channel, it will not be opened. This prevents well-known ports being used illegally.

Default Flag Settings: On
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Not Enforced


SIP

With this protection you can verify content in the SIP header. If this option is selected and there are explicit SIP rules in the Rule Base, SmartDefense will validate the SIP headers and look for invalid characters inside them.

Default Flag Settings: On
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same, except: block specific applications (video, audio, instant messaging) and default registration timeout, which are not enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same ("Block SIP calls that use …" and "Drop unknown SIP message" are not enforced)
  R55W, Monitor-Only mode:             Not Enforced


sip_allow_two_media_conns

Default Flag Settings: Off
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior when protection is on:
  R55:    Enforced
  R55W:   Enforced
  R60:    Enforced

Verify SIP Header Content

Default Flag Settings: On
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior when protection is on:
  R55:    Enforced
  R55W:   Enforced
  R60:    Enforced


Block SIP-based Video/Audio

Default Flag Settings: Off for all versions prior to R60 / On for R60
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior when protection is on:
  R55:    Not Enforced
  R55W:   Enforced
  R60:    Enforced

Block SIP-based Instant Messaging

Default Flag Settings: Off for all versions prior to R60 / On for R60
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior when protection is on:
  R55:    Enforced
  R55W:   Enforced
  R60:    Enforced


Drop Unknown SIP Messages

Default Flag Settings: On
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior when protection is on:
  R55:    Not Enforced
  R55W:   Not Enforced
  R60:    Enforced

Default Proxy Registration Expiration Time Period

Default Flag Settings: 600 seconds
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior when protection is on:
  R55:    Not Enforced
  R55W:   Not Enforced
  R60:    Enforced
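The following Python function is added as an illustration of the two SIP checks described above, "Verify SIP Header Content" (invalid characters in SIP headers) and "Drop Unknown SIP Messages"; it is not Check Point code. It validates the request line, rejects header names that are not RFC 3261 tokens, rejects control characters in header values, checks the CSeq format, and reports missing mandatory headers. The method list, the required-header list and the sample INVITE are constructed assumptions taken from RFC 3261, not from this guide.

```python
import re

TOKEN = re.compile(r"^[A-Za-z0-9\-.!%*_+`'~]+$")          # "token" in RFC 3261 section 25.1
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "PRACK",
                 "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE"}
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")   # RFC 3261 8.1.1
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "e": "content-encoding",
           "s": "subject", "k": "supported"}                        # RFC 3261 7.3.3


def validate_sip_request(raw, known_methods=KNOWN_METHODS):
    """Return the list of problems found in a SIP request's start line and headers."""
    problems = []
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    if m.group(1) not in known_methods:
        problems.append("unknown SIP method %s" % m.group(1))
    seen = set()
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):                  # folded continuation of previous header
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            problems.append("invalid header name %r" % name)
            continue
        key = COMPACT.get(name.lower(), name.lower())
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):   # CTLs are never valid here
            problems.append("control character in %s header" % name)
        if key == "cseq" and not re.match(r"^\s*\d+ [A-Z]+\s*$", value):
            problems.append("malformed CSeq header")
        seen.add(key)
    problems += ["missing %s header" % h for h in REQUIRED if h.lower() not in seen]
    return problems


# Constructed sample request (addresses and identifiers are made up for the example).
SAMPLE_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
                 "Max-Forwards: 70\r\n"
                 "To: Bob <sip:bob@example.com>\r\n"
                 "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
                 "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
                 "CSeq: 314159 INVITE\r\n"
                 "Content-Length: 0\r\n\r\n")
```

A gateway that only has a rule for SIP/UDP 5060 would run this kind of check on every request before it reaches the proxy; the problems list maps naturally onto a drop-with-log decision, or a log-only decision in monitor mode.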


Block the Destination from Re-inviting Calls

Default Flag Settings: Off for all versions prior to R60 / On for R60
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior when protection is on:
  R55:    Enforced
  R55W:   Enforced
  R60:    Enforced


MGCP (allowed commands)

SmartDefense provides full network level security for MGCP. SmartDefense enforces strict compliance with RFC 2705, RFC 3435 (version 1.0) and the ITU TGCP specification J.171. In addition, all SmartDefense capabilities are supported, such as inspection of fragmented packets, anti-spoofing, and protection against Denial of Service attacks. Note however that NAT on MGCP is not supported.

In addition, SmartDefense restricts handover locations and controls signalling and data connections.

Default Flag Settings: Allowed
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             N/A


SCCP (Skinny)

SCCP (Skinny Client Control Protocol) controls telephony gateways from external call control devices called Call Agents (also known as Media Gateway Controllers).

SmartDefense provides full connectivity and network level security for SCCP based VoIP communication. All SCCP traffic is inspected, and legitimate traffic is allowed to pass while attacks are blocked. All SmartDefense capabilities are supported, such as anti-spoofing and protection against Denial of Service attacks. Fragmented packets are examined and secured using kernel based streaming. However, NAT on SCCP devices is not supported.

In addition, SmartDefense restricts handover locations, and controls signalling and data connections.

SmartDefense tracks state and verifies that the state is valid for all SCCP messages. For a number of key messages, it also verifies the existence and correctness of the message parameters.

SmartDefense can perform additional content security checks for SCCP connections, thereby providing a greater level of protection.

Default Flag Settings: On
Log Generated by Protection:

NGX Performance Impact:                    VoIP traffic is not accelerated.
InterSpect NGX - Impact on Acceleration:   N/A
InterSpect NGX - Impact on Performance:    N/A
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             N/A


SNMP

With the protections in this section you can protect against SNMP vulnerabilities by providing the option of enforcing SNMPv3 (the latest SNMP version) while rejecting previous versions. In addition, in this window you can allow all SNMP versions while dropping requests with SNMPv1 and SNMPv2 default community strings.

Allow Only SNMPv3 Traffic

This protection prevents the use of previous SNMP versions. By forcing the network to work with SNMPv3, SmartDefense employs authentication features that are not available with previous SNMP versions (that is, SNMPv1 and SNMPv2).

Default Flag Settings: Off
Log Generated by Protection: SNMP Enforcement Violation - Version earlier than version 3 was detected

NGX Performance Impact:                    Disables acceleration of SNMP traffic.
InterSpect NGX - Impact on Acceleration:   Disables acceleration of SNMP traffic.
InterSpect NGX - Impact on Performance:    Low memory consumption inspection on a packet basis.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same


Drop Requests to Default Community Strings

Dropping requests with default community strings for SNMPv1 and SNMPv2 prevents unencrypted text associated with SNMPv1 and SNMPv2 from being sent over the network.

Default Flag Settings: Off
Log Generated by Protection: SNMP Enforcement Violation - Bad community was detected

NGX Performance Impact:                    Disables acceleration of SNMP traffic.
InterSpect NGX - Impact on Acceleration:   Disables acceleration of SNMP traffic.
InterSpect NGX - Impact on Performance:    Low memory consumption inspection on a packet basis.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same
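The following Python program is added as an illustration of the two SNMP protections above, "Allow Only SNMPv3 Traffic" and "Drop Requests to Default Community Strings"; it is not Check Point code. It decodes just enough of the BER-encoded SNMP message to read the version field and, for SNMPv1 and SNMPv2c, the community string, and returns a drop decision with the log text quoted on the pages above. The set of default community strings and the sample messages are constructed assumptions.

```python
# Assumption: community strings that count as "default" for this example.
DEFAULT_COMMUNITIES = {b"public", b"private"}


def _tlv(data, off):
    """Decode one BER tag-length-value at `off`; return (tag, value, next offset)."""
    if off + 2 > len(data):
        raise ValueError("truncated TLV")
    tag, length = data[off], data[off + 1]
    off += 2
    if length & 0x80:                              # long-form length (up to 4 bytes here)
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(data):
            raise ValueError("bad length encoding")
        length = int.from_bytes(data[off:off + n], "big")
        off += n
    if off + length > len(data):
        raise ValueError("TLV runs past end of message")
    return tag, data[off:off + length], off + length


def snmp_version_and_community(pkt):
    """Return (version, community) for v1/v2c, or (3, None) for an SNMPv3 message."""
    tag, body, end = _tlv(pkt, 0)
    if tag != 0x30 or end != len(pkt):
        raise ValueError("not an SNMP message SEQUENCE")
    tag, ver, off = _tlv(body, 0)
    if tag != 0x02 or len(ver) != 1 or ver[0] not in (0, 1, 3):   # 0 = v1, 1 = v2c, 3 = v3
        raise ValueError("bad version field")
    tag, second, _ = _tlv(body, off)
    if ver[0] == 3:
        if tag != 0x30:                            # msgGlobalData SEQUENCE (RFC 3412)
            raise ValueError("SNMPv3 message lacks msgGlobalData")
        return 3, None
    if tag != 0x04:                                # community OCTET STRING (RFC 1157 / 1901)
        raise ValueError("missing community string")
    return ver[0], second


def snmp_decision(pkt, v3_only=False, block_default_communities=True):
    """Return ("accept", None) or ("drop", reason) mirroring the two SNMP protections."""
    try:
        version, community = snmp_version_and_community(pkt)
    except ValueError as e:
        return "drop", "SNMP Enforcement Violation - %s" % e
    if v3_only and version != 3:
        return "drop", "SNMP Enforcement Violation - Version earlier than version 3 was detected"
    if block_default_communities and community in DEFAULT_COMMUNITIES:
        return "drop", "SNMP Enforcement Violation - Bad community was detected"
    return "accept", None


def _enc(tag, content):
    """Short-form BER encoding, sufficient for the constructed samples below."""
    if len(content) >= 128:
        raise ValueError("sample builder supports short-form lengths only")
    return bytes([tag, len(content)]) + content


def build_get_request(version, community):
    """Constructed v1/v2c GetRequest for sysDescr.0 (sample input, not captured traffic)."""
    oid = bytes.fromhex("2b06010201010100")                          # 1.3.6.1.2.1.1.1.0
    varbind = _enc(0x30, _enc(0x06, oid) + _enc(0x05, b""))
    pdu = _enc(0xA0, _enc(0x02, b"\x00\x00\x00\x01") + _enc(0x02, b"\x00")
               + _enc(0x02, b"\x00") + _enc(0x30, varbind))
    return _enc(0x30, _enc(0x02, bytes([version])) + _enc(0x04, community) + pdu)


def build_v3_sample():
    """Constructed SNMPv3 message head: version 3 followed by msgGlobalData."""
    global_data = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x02, b"\x00\xff\xe3")
                       + _enc(0x04, b"\x04") + _enc(0x02, b"\x03"))
    return _enc(0x30, _enc(0x02, b"\x03") + global_data + _enc(0x04, b"") + _enc(0x30, b""))
```

The community string of SNMPv1 and SNMPv2c travels in clear text, which is the "unencrypted text" the second protection refers to; SNMPv3 carries no community field at all, so a v3-only policy removes the problem rather than filtering it.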


VPN Protocols

The protections in this section allow you to select what types of enforcement will be applied to VPN (Virtual Private Network) protocols.

PPTP Enforcement

This protection enforces the PPTP protocol. PPTP sessions are forced to comply with the RFC standard, including message type and packet length. In case the PPTP control connection unexpectedly terminates, the GRE tunnel will be terminated automatically. In addition, enabling this protection will allow Hide NAT as well as Static NAT to be performed on PPTP connections.

Default Flag Settings: On
Log Generated by Protection:

NGX Performance Impact:                    Disables acceleration of PPTP traffic.
InterSpect NGX - Impact on Acceleration:   Disables acceleration of PPTP traffic.
InterSpect NGX - Impact on Performance:    Low memory consumption inspection on a packet basis.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Not Enforced
  R55W, Monitor-Only mode:             Not Enforced
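The following Python program is added as an illustration of the PPTP Enforcement page: it checks the control-message header fields and lengths that RFC 2637 fixes (message type, magic cookie, control message type, and the fixed length of each control message), and it tracks which GRE call IDs belong to a control connection so that they can be torn down when that connection ends. It is not Check Point code; the tracker class, the sample addresses and the sample messages are constructed assumptions.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
# Control message types and their fixed lengths in bytes (RFC 2637 section 2).
CONTROL_MESSAGES = {
    1: ("Start-Control-Connection-Request", 156), 2: ("Start-Control-Connection-Reply", 156),
    3: ("Stop-Control-Connection-Request", 16),   4: ("Stop-Control-Connection-Reply", 16),
    5: ("Echo-Request", 16),                       6: ("Echo-Reply", 20),
    7: ("Outgoing-Call-Request", 168),             8: ("Outgoing-Call-Reply", 32),
    9: ("Incoming-Call-Request", 220),             10: ("Incoming-Call-Reply", 168),
    11: ("Incoming-Call-Connected", 28),           12: ("Call-Clear-Request", 16),
    13: ("Call-Disconnect-Notify", 148),           14: ("WAN-Error-Notify", 40),
    15: ("Set-Link-Info", 24),
}


def check_pptp_control(pkt):
    """Return None if the control message header is valid, otherwise the defect found."""
    if len(pkt) < 12:
        return "shorter than PPTP control message header"
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", pkt[:12])
    if magic != PPTP_MAGIC:
        return "bad magic cookie"
    if msg_type != 1:                               # 1 = control message, 2 = management
        return "not a control message (PPTP message type %d)" % msg_type
    if ctrl_type not in CONTROL_MESSAGES:
        return "unknown control message type %d" % ctrl_type
    name, fixed = CONTROL_MESSAGES[ctrl_type]
    if length != fixed or length != len(pkt):
        return "length %d invalid for %s (%d bytes received)" % (length, name, len(pkt))
    return None


class PptpTunnelTracker:
    """Map each control connection to the GRE call IDs it set up (added example)."""

    def __init__(self):
        self.calls = {}                             # (client, server) -> set of call IDs

    def observe(self, client, server, pkt):
        """Learn call IDs from Outgoing-Call-Reply; return call IDs to tear down."""
        if check_pptp_control(pkt) is not None:
            return set()                            # enforcement drops it; nothing to learn
        ctrl_type = struct.unpack("!H", pkt[8:10])[0]
        key = (client, server)
        if ctrl_type == 8:                          # Call ID is the first field after the header
            self.calls.setdefault(key, set()).add(struct.unpack("!H", pkt[12:14])[0])
        elif ctrl_type in (3, 4):                   # orderly Stop-Control-Connection
            return self.calls.pop(key, set())
        return set()

    def control_connection_closed(self, client, server):
        """TCP 1723 connection ended unexpectedly: return the GRE sessions to terminate."""
        return self.calls.pop((client, server), set())


def _header(ctrl_type, length):
    return struct.pack("!HHIHH", length, 1, PPTP_MAGIC, ctrl_type, 0)


# Constructed samples (not captured traffic).
ECHO_REQUEST = _header(5, 16) + struct.pack("!I", 1)
OUTGOING_CALL_REPLY = _header(8, 32) + struct.pack("!HHBBHIHHI", 0x1234, 0x0001, 1, 0, 0,
                                                   64000, 16, 0, 0)
```

The length table is what makes "packet length" enforcement possible: every PPTP control message has a fixed size, so a mismatch between the header's length field, the table and the bytes actually received is a protocol violation rather than a parsing ambiguity.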


SSL Enforcement

When this protection is enabled, SmartDefense will identify and drop malformed SSL handshakes.

Default Flag Settings: Off
Log Generated by Protection: Invalid SSL Packet

NGX Performance Impact:                    Disables acceleration of SSL traffic passing through the gateway.
InterSpect NGX - Impact on Acceleration:   Disables session rate acceleration only during the session handshake; the rest of the session is accelerated.
InterSpect NGX - Impact on Performance:    Protection has low CPU intensity. Protection is streamed on both sides and forwarded to the Firewall with medium memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same (R55 Only)
  NG FP3 to R55, Monitor-Only mode:    Same (R55 Only)
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same


Block IKE Aggressive Exchange

When this protection is enabled, SmartDefense will identify and drop IKE aggressive exchanges.

Default Flag Settings: Off
Log Generated by Protection: IKE Aggressive Packet Detected

NGX Performance Impact:                    Disables acceleration of IKE traffic in the client to server direction passing through the gateway. Server to client is still accelerated.
InterSpect NGX - Impact on Acceleration:   Disables session rate acceleration (templates) on client to server IKE traffic (server to client is still accelerated).
InterSpect NGX - Impact on Performance:    Protection is not CPU intensive and has low memory consumption inspection on a packet basis.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same (R55 Only)
  NG FP3 to R55, Monitor-Only mode:    Same (R55 Only)
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same


IKE Enforcement

This protection enforces the compliance of the IKE protocol to RFC 2409 in terms of payload type and length, maximal payload number, and packet length. By enabling "IKE payload enforcement", SmartDefense will perform additional checks on the IKE Security Association payload. A monitor-only mode makes it possible to track IKE protocol violations without blocking the connection.

Default Flag Settings: Off
Log Generated by Protection: IKE Enforcement Violation

NGX Performance Impact:                    Disables acceleration of IKE traffic (in both directions).
InterSpect NGX - Impact on Acceleration:   Disables session rate acceleration (templates) on IKE traffic.
InterSpect NGX - Impact on Performance:    Protection is not CPU intensive and has low memory consumption inspection on a packet basis.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same (R55 Only)
  NG FP3 to R55, Monitor-Only mode:    Same (R55 Only)
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same
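The following Python program is added as an illustration of the two IKE pages above, "Block IKE Aggressive Exchange" and "IKE Enforcement"; it is not Check Point code. It parses the ISAKMP header (RFC 2408), identifies the exchange type so that Aggressive Mode can be dropped, and walks the payload chain checking payload types, payload lengths, the total packet length, the number of payloads, and the minimum size of a Security Association payload. Encrypted exchanges (the E flag) are passed through the header checks only, since their payloads cannot be parsed. The payload limit and the sample messages are constructed assumptions.

```python
import struct

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


def parse_isakmp(pkt, max_payloads=32):
    """Return the exchange type and payload list; raise ValueError on a protocol violation."""
    if len(pkt) < 28:
        raise ValueError("shorter than ISAKMP header")
    _, _, nxt, ver, xchg, flags, _, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if ver >> 4 != 1:
        raise ValueError("unsupported major version %d" % (ver >> 4))
    if length != len(pkt):
        raise ValueError("header length %d != packet length %d" % (length, len(pkt)))
    if xchg not in EXCHANGE_TYPES:
        raise ValueError("unknown exchange type %d" % xchg)
    result = {"exchange": EXCHANGE_TYPES[xchg], "encrypted": bool(flags & 1), "payloads": []}
    if result["encrypted"]:
        return result                              # payloads are ciphertext; header only
    off = 28
    while nxt != 0:
        if nxt not in PAYLOAD_TYPES:
            raise ValueError("unknown payload type %d" % nxt)
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt2, _, plen = struct.unpack("!BBH", pkt[off:off + 4])   # generic payload header
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad %s payload length %d" % (PAYLOAD_TYPES[nxt], plen))
        if nxt == 1 and plen < 12:                 # SA payload carries DOI + Situation
            raise ValueError("SA payload too short for DOI and Situation")
        result["payloads"].append((PAYLOAD_TYPES[nxt], pkt[off + 4:off + plen]))
        if len(result["payloads"]) > max_payloads:
            raise ValueError("more than %d payloads" % max_payloads)
        off, nxt = off + plen, nxt2
    if off != len(pkt):
        raise ValueError("trailing bytes after last payload")
    return result


def ike_decision(pkt, block_aggressive=True):
    """Combine both protections: ("accept", None) or ("drop", log text)."""
    try:
        m = parse_isakmp(pkt)
    except ValueError as e:
        return "drop", "IKE Enforcement Violation: %s" % e
    if block_aggressive and m["exchange"] == "Aggressive":
        return "drop", "IKE Aggressive Packet Detected"
    return "accept", None


def build_isakmp(exchange, payloads, flags=0):
    """Constructed ISAKMP message from (payload type, body) pairs (not captured traffic)."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, first, 0x10,
                         exchange, flags, 0, 28 + len(out))
    return header + out


# Constructed sample SA payload body: DOI = IPsec (1), Situation = SIT_IDENTITY_ONLY (1),
# followed by placeholder proposal bytes.
SAMPLE_SA = struct.pack("!II", 1, 1) + bytes(12)
```

Aggressive Mode is identified from the header alone (exchange type 4), which is why the first protection is cheap; the payload walk is what the second protection adds, and it is the part that must stop at the E flag.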


SSH - Detect SSH over Non-Standard Ports

SSH versions 1 and 2 are typically used over TCP port 22. This protection provides two possible actions (Block All SSH Versions and Run SSH Enforcement).
• When you select Block All SSH Versions, SSH traffic (associated with any SSH version) on all possible TCP ports will be blocked.
• When you select Run SSH Enforcement, the SSH Enforcement protection will be applied to all non-standard ports including TCP port 22.

Default Flag Settings: Off
Log Generated by Protection: SSH Connection on a Non-Standard Port

NGX Performance Impact:                    Disables session rate acceleration on all traffic.
InterSpect NGX - Impact on Acceleration:   Disables session rate acceleration on all traffic.
InterSpect NGX - Impact on Performance:    Low memory consumption inspection on a packet basis, with acceleration patterns.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same


SSH Enforcement

The SSH Enforcement protection applies to SSH traffic on TCP port 22. SSH Enforcement enables you to select and deselect specific defense attributes. By selecting Block SSH v1, only SSH version 2 will be enabled over TCP port 22.

Default Flag Settings: Off
Log Generated by Protection:

NGX Performance Impact:                    Disables session rate acceleration on SSH traffic.
InterSpect NGX - Impact on Acceleration:   Disables session rate acceleration on SSH traffic.
InterSpect NGX - Impact on Performance:    Low memory consumption inspection on a packet basis.
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Not Enforced
  NG FP3 to R55, Monitor-Only mode:    Not Enforced
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same
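The following Python program is added as an illustration of the two SSH pages above, "Detect SSH over Non-Standard Ports" and "SSH Enforcement"; it is not Check Point code. It recognises an SSH stream from its identification line (RFC 4253 section 4.2), which is how SSH can be spotted on any TCP port, then applies the chosen action for non-standard ports and the Block SSH v1 attribute. Treating "1.99" (a version 2 implementation that also accepts version 1) as permitted is an assumption of this example; the sample banners are constructed.

```python
import re

# "SSH-protoversion-softwareversion SP comments CR LF" (RFC 4253 4.2).
ID_LINE = re.compile(rb"^SSH-(\d+\.\d+)-([^\s]+)(?: ([^\r\n]*))?\r?\n")


def parse_ssh_identification(data):
    """Return (protoversion, softwareversion, line length) if `data` starts with an
    SSH identification line, otherwise None."""
    m = ID_LINE.match(data)
    if not m:
        return None
    return m.group(1).decode("ascii", "replace"), m.group(2).decode("ascii", "replace"), m.end()


def ssh_decision(data, dst_port, non_standard_action="enforce", block_v1=True):
    """Mirror the two SSH protections on the first bytes sent by a peer.

    non_standard_action: "block" = Block All SSH Versions, "enforce" = Run SSH Enforcement.
    Returns ("accept", None) or ("drop", log text).
    """
    ident = parse_ssh_identification(data)
    if ident is None:
        return "accept", None                      # not the start of an SSH stream
    proto, _, line_length = ident
    if dst_port != 22 and non_standard_action == "block":
        return "drop", "SSH Connection on a Non-Standard Port"
    # Port 22, or a non-standard port with Run SSH Enforcement: apply SSH Enforcement.
    if line_length > 255:                          # RFC 4253 4.2 maximum including CR LF
        return "drop", "SSH Enforcement: identification line longer than 255 characters"
    if block_v1 and proto not in ("2.0", "1.99"):  # assumption: 1.99 counts as version 2
        return "drop", "SSH Enforcement: SSH version %s blocked" % proto
    return "accept", None


def classify_streams(streams, **policy):
    """Apply ssh_decision to (first bytes, destination port) pairs; return decisions."""
    return [ssh_decision(data, port, **policy)[0] for data, port in streams]
```

The detection keys on content rather than on the port, so an SSH server moved to port 2222 or 443 is still seen; what happens next is the administrator's choice between blocking it outright and holding it to the same version policy as port 22.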


Content Protection

The protections in this section allow you to block malicious content over multiple protocols.

Malformed JPEG

By enabling this protection, SmartDefense will block malformed JPEG files on all services with Protocol Type 'HTTP'.

Enabling "Perform strict enforcement" enables JPEG file detection based on its content.

Default Flag Settings: Off
Log Generated by Protection: JPEG Content Protection Violation

NGX Performance Impact:                    Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration:   Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance:    High
SmartDefense Update Version:

Feature behavior in NGX R60 Management:
  NG FP3 to R55, protection on:        Same (R55 Only)
  NG FP3 to R55, Monitor-Only mode:    Same (R55 Only)
  R55W, protection on:                 Same
  R55W, Monitor-Only mode:             Same


Malformed ANI File

By enabling this protection, SmartDefense will block malformed ANI files on all services with Protocol Type 'HTTP'.

Default Flag Settings: Off
Log Generated by Protection: ANI Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Malformed GIF

Specially crafted GIF files may be used to create a DoS condition and, in some cases, arbitrary code execution when parsed by Mozilla or Firefox browsers.
By enabling this protection, SmartDefense will block malformed GIF files on all services with Protocol Type 'HTTP'.
A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: GIF Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Malformed TIFF

Specially crafted GIF files may be used to create a DoS condition and, in some cases, arbitrary code execution when parsed by Mozilla or Firefox browsers.
By enabling this protection, SmartDefense will block malformed TIFF files on all services with Protocol Type 'HTTP'.
A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: "TIFF Content Protection Violation: Malformed TIFF" (or rule 99805 in R55)
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Malformed AVI

Specially crafted AVI files may be used to create a DoS condition and, in some cases, arbitrary code execution.
By enabling this protection, SmartDefense will block malformed AVI files on all services with Protocol Type 'HTTP'.
This defense is employed on the server-to-client response, which may involve inspection of large data transfers.
A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: AVI Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version: 591050926

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Malformed PNG

Specially crafted PNG files may be used to create a DoS condition and, in some cases, arbitrary code execution.
By enabling this protection, SmartDefense will block malformed PNG files on all services with Protocol Type 'HTTP'.
This defense is employed on the server-to-client response, which may involve inspection of large data transfers.
A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: PNG Content Protection Violation
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version: 591050816

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Block EOT Files

A vulnerability in Embedded Web Fonts could allow remote code execution.
SmartDefense can block embedded Web font files that could potentially allow remote code execution if a user visited a malicious Web site.
This defense is employed on the server-to-client response, which may involve inspection of large data transfers.
A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: EOT Files are blocked
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version: 591060212

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Blocked WMF/EMF

A vulnerability in Microsoft Windows Meta Files (WMF) and Enhanced Meta Files (EMF) could allow remote code execution.
SmartDefense can block WMF/EMF files that could potentially allow remote code execution if a user visited a malicious Web site.
This defense is employed on the server-to-client response, which may involve inspection of large data transfers.
A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: WMF File Detected / EMF File Detected
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version: 591060302

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Malformed BMP File

A vulnerability in the way Microsoft Windows Media Player handles Bitmap images could allow remote code execution (MS06-005).
SmartDefense can block malformed bitmap files that could potentially allow remote code execution if downloaded by the user.
The Perform Strict Enforcement feature will identify malicious BMP files and check them for the MS06-005 vulnerability even when the file has not been entirely identified as a BMP file. This will block possible additional variations of this attack, but may result in a certain amount of false positives, depending on the traffic.
A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: Malformed BMP File
NGX Performance Impact: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Acceleration: Disables acceleration altogether for HTTP.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version: 591060326

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same
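The Content Protection pages above (Malformed JPEG through Malformed BMP File) rest on two mechanisms: deciding what a server-to-client HTTP body really is from its bytes rather than from the declared Content-Type (what "Perform strict enforcement" turns on), and then walking the file's structure to find length, ordering or checksum violations. The following is an added example, not Check Point's code or its detection logic: it sniffs the formats named on these pages by their published signatures, performs a full structural walk for PNG (chunk lengths, CRCs, IHDR first, IEND last, sane dimensions), and blocks WMF/EMF on detection as the Blocked WMF/EMF page describes. The Content-Type map, the sample file and the verdict strings are constructed for illustration.

```python
"""Identify HTTP response bodies by content and validate PNG structure.

Added example, not Check Point's code. It illustrates content-based file
identification ("Perform strict enforcement") and the rejection of a
structurally malformed image. Magic numbers are from the public format
specifications; only PNG gets a structural walk here. DECLARED, the sample
file and the verdict strings are constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Content-Type -> kind map used when strict enforcement is off (constructed).
DECLARED = {"image/jpeg": "jpeg", "image/gif": "gif", "image/png": "png", "image/bmp": "bmp"}


def sniff(body: bytes):
    """Classify a body by its leading bytes; None when no known signature matches."""
    if body.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if body[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if body.startswith(PNG_SIG):
        return "png"
    if body.startswith(b"BM"):
        return "bmp"
    if body[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff"
    if body[:4] == b"RIFF" and body[8:12] == b"AVI ":
        return "avi"
    if body[:4] == b"RIFF" and body[8:12] == b"ACON":
        return "ani"
    if body.startswith(b"\xd7\xcd\xc6\x9a"):                              # placeable (APM) WMF header
        return "wmf"
    if body[:4] == b"\x01\x00\x00\x00" and body[40:44] == b" EMF":          # EMR_HEADER type + signature
        return "emf"
    return None


class MalformedPNG(ValueError):
    pass


def validate_png(data: bytes) -> dict:
    """Walk the chunk list and raise MalformedPNG on any structural violation."""
    if not data.startswith(PNG_SIG):
        raise MalformedPNG("bad signature")
    off, chunks, width, height = 8, [], None, None
    while off < len(data):
        if off + 8 > len(data):
            raise MalformedPNG("truncated chunk header")
        length, ctype = struct.unpack_from(">I4s", data, off)
        if length > 0x7FFFFFFF:                                 # PNG spec: length <= 2^31 - 1
            raise MalformedPNG(f"chunk {ctype!r} length {length} exceeds limit")
        end = off + 8 + length + 4
        if end > len(data):
            raise MalformedPNG(f"chunk {ctype!r} runs past end of file")
        body = data[off + 8:off + 8 + length]
        if struct.unpack_from(">I", data, off + 8 + length)[0] != zlib.crc32(ctype + body):
            raise MalformedPNG(f"CRC mismatch in {ctype!r}")
        if not chunks and ctype != b"IHDR":
            raise MalformedPNG("first chunk is not IHDR")
        if ctype == b"IHDR":
            if length != 13:
                raise MalformedPNG("IHDR length is not 13")
            width, height = struct.unpack_from(">II", body, 0)
            if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
                raise MalformedPNG("IHDR dimensions out of range")
        chunks.append(ctype)
        off = end
        if ctype == b"IEND":
            break
    if not chunks or chunks[-1] != b"IEND" or b"IDAT" not in chunks:
        raise MalformedPNG("missing IDAT or IEND")
    return {"width": width, "height": height, "chunks": chunks}


def png_error(data: bytes):
    """Validation error message, or None when the PNG is well-formed."""
    try:
        validate_png(data)
        return None
    except MalformedPNG as exc:
        return str(exc)


def inspect_http_body(body: bytes, content_type: str, strict: bool):
    """Return ("allow" | "block", reason) for one server-to-client HTTP body."""
    kind = sniff(body) if strict else DECLARED.get(content_type)
    if kind in ("wmf", "emf"):
        return ("block", f"{kind.upper()} File Detected")
    if kind == "png":
        err = png_error(body)
        return ("block", f"PNG Content Protection Violation: {err}") if err else ("allow", "well-formed PNG")
    return ("allow", f"{kind or 'unknown'}: no structural check in this example")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG (filter byte 0 + one pixel, zlib-compressed)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
```

Note the trade-off the BMP page calls out: with strict mode off, a PNG served as application/octet-stream is never parsed, while with strict mode on everything that carries a PNG signature is, which catches more variants at the cost of more false positives on bodies that only resemble an image.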


MS-RPC

DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135

This protection will allow specific MS-RPC interfaces, such as the DCOM interface, if they are allowed in the rule base. You can use the DCE-RPC services to create them and apply the protections in this page.
SmartDefense unconditionally blocks the "Blaster" worm and its variants, while allowing legitimate DCOM traffic.

Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides. Low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Enforced / Not Enforced
  R55W: Same / Same


Drop Unauthenticated DCOM

Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides. Low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Enforced / Not Enforced
  R55W*: Same / Same


MS-RPC Program Lookup

This protection blocks Lookup operation requests and prevents the exploitation of this vulnerability.

Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides. Low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Enforced (R55 and above) / Not Enforced
  R55W: Enforced / Not Enforced


Block Fragmented Bind Request

Users of VPN-1 R55W and above and InterSpect will identify fragmented Bind requests with Attack Information 'MS-RPC over CIFS - Fragmented Bind detected' on the SmartView Tracker screen. Users of VPN-1 R55 will identify fragmented Bind requests in the log with rule no. 99444.

Default Flag Settings: Off
Log Generated by Protection:
  Attack Name: MS-RPC over CIFS Enforcement Violation
  Attack Information: MS-RPC over CIFS - Fragmented Bind detected
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Enforced (R55 and above) / Not Enforced
  R55W: Enforced / Not Enforced


Block Multiple Context Bind

Users of VPN-1 R55W and above and InterSpect will identify fragmented Bind requests with Attack Information 'MS-RPC over CIFS - Fragmented Bind detected' on the SmartView Tracker screen. Users of VPN-1 R55 will identify fragmented Bind requests in the log with rule no. 99444.

Default Flag Settings: Off
Log Generated by Protection:
  Attack Name: DCE-RPC Enforcement Violation
  Attack Information: Unallowed number of context items in Bind/Alter context request.
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Enforced (R55 and above) / Not Enforced
  R55W: Enforced / Not Enforced
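Three of the MS-RPC protections above (DCOM - Allow DCE-RPC interfaces other than End-Point Mapper on Port 135, Block Fragmented Bind Request and Block Multiple Context Bind) are all decisions about the same object, the DCE/RPC bind PDU: which interface UUIDs its presentation contexts request, whether the PDU carries both the first- and last-fragment flags, and how many context items it lists. The following is an added example, not Check Point's code or its enforcement logic: it parses a connection-oriented bind or alter_context PDU per the DCE 1.1 RPC specification (C706) and reports the findings each protection would log. The Endpoint Mapper and NDR UUIDs are the well-known ones; SOME_IFACE and the PDUs from build_bind() are constructed for the test.

```python
"""Parse DCE/RPC bind PDUs and apply the MS-RPC bind checks.

Added example, not Check Point's code. The PDU layout follows the DCE 1.1
RPC connection-oriented protocol (C706); sample PDUs are constructed by
build_bind() and SOME_IFACE is a placeholder UUID, not a real interface.
"""
import struct
import uuid

PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02

EPM_IFACE = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")    # Endpoint Mapper, v3.0
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # NDR transfer syntax, v2.0
SOME_IFACE = uuid.UUID("12345678-1234-5678-9abc-def012345678")   # placeholder for the test


class RpcParseError(ValueError):
    pass


def parse_bind(pdu: bytes) -> dict:
    """Parse a bind / alter_context PDU: common header, bind fixed part, presentation contexts."""
    if len(pdu) < 28:
        raise RpcParseError("PDU shorter than the bind fixed part")
    vers, _vers_minor, ptype, flags = struct.unpack_from("<BBBB", pdu, 0)
    if vers != 5:
        raise RpcParseError(f"unsupported rpc_vers {vers}")
    if ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise RpcParseError(f"ptype {ptype} is not bind/alter_context")
    e = "<" if (pdu[4] >> 4) == 1 else ">"      # packed_drep[0] high nibble: 1 = little-endian
    frag_length, _auth_length, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if frag_length != len(pdu):
        raise RpcParseError("frag_length does not match PDU size")
    n_ctx = pdu[24]                              # follows max_xmit_frag, max_recv_frag, assoc_group_id
    off, contexts = 28, []
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise RpcParseError("context list truncated")
        cont_id, n_ts = struct.unpack_from(e + "HB", pdu, off)
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if e == "<" else uuid.UUID(bytes=raw)
        major, minor = struct.unpack_from(e + "HH", pdu, off + 20)
        off += 24 + 20 * n_ts                    # each transfer syntax: 16-byte UUID + 4-byte version
        if off > len(pdu):
            raise RpcParseError("transfer syntax list truncated")
        contexts.append({"id": cont_id, "iface": iface, "version": f"{major}.{minor}"})
    return {"ptype": ptype, "flags": flags, "call_id": call_id, "contexts": contexts}


def inspect_bind(pdu: bytes, dst_port: int, allow_non_epm_on_135: bool = False) -> list:
    """Return the protection violations one bind PDU would raise; [] means it passes."""
    b = parse_bind(pdu)
    findings = []
    both = PFC_FIRST_FRAG | PFC_LAST_FRAG
    if (b["flags"] & both) != both:              # bind split across fragments
        findings.append("MS-RPC over CIFS - Fragmented Bind detected")
    if len(b["contexts"]) > 1:
        findings.append("Unallowed number of context items in Bind/Alter context request")
    if dst_port == 135 and not allow_non_epm_on_135:
        for c in b["contexts"]:
            if c["iface"] != EPM_IFACE:
                findings.append(f"non-End-Point Mapper interface {c['iface']} on port 135")
    return findings


def build_bind(ifaces, flags=PFC_FIRST_FRAG | PFC_LAST_FRAG, call_id=1) -> bytes:
    """Constructed sample: little-endian bind PDU with one NDR transfer syntax per context."""
    body = b""
    for i, iface in enumerate(ifaces):
        version = 3 if iface == EPM_IFACE else 1
        body += struct.pack("<HBB", i, 1, 0) + iface.bytes_le + struct.pack("<HH", version, 0)
        body += NDR_SYNTAX.bytes_le + struct.pack("<HH", 2, 0)
    fixed = struct.pack("<HHIBBH", 5840, 5840, 0, len(ifaces), 0, 0)
    total = 16 + len(fixed) + len(body)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, flags, b"\x10\x00\x00\x00", total, 0, call_id)
    return header + fixed + body
```

Parsing honours the data-representation byte, so a big-endian bind is decoded correctly rather than being misread as malformed; a UUID in a little-endian PDU has its first three fields byte-swapped, which `uuid.UUID(bytes_le=...)` undoes.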


Block uPnP Vulnerability MS05-039

A vulnerability was detected in the Plug and Play (PnP) service for several Microsoft Windows operating systems that can allow remote attackers to execute arbitrary code via a crafted PnP packet.
By enabling the protection, SmartDefense will block the Plug and Play (PnP) interface over the MS-RPC Common Internet File Sharing (CIFS) protocol.
A monitor-only mode makes it possible to track unauthorized access attempts without blocking them.
Please note that when monitor-only is enabled with the Microsoft Networks > File and Print Sharing protection, the MS-RPC over CIFS protection is also activated in monitor-only mode.

Default Flag Settings: Off
Log Generated by Protection: MS-RPC over CIFS - Detected Microsoft uPnP Vulnerability (MS05-039)
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 and above) / Same
  R55W: Same / Same


Block uPnP Vulnerability MS05-047

A vulnerability was detected in the PnP service for several Microsoft Windows operating systems that can allow remote attackers to execute arbitrary code via a crafted PnP packet.
By enabling the protection, SmartDefense will block the specific vulnerable operation in the PnP MS-RPC interface over the Common Internet File Sharing (CIFS) protocol.
A monitor-only mode makes it possible to track unauthorized access attempts without blocking them.

Default Flag Settings: Off
Log Generated by Protection: MS-RPC over CIFS - Detected Microsoft uPnP Vulnerability (MS05-047)
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version: 591051011

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 and above) / Same
  R55W: Same / Same


Block Client Service for Netware Vulnerabilities (MS05-046)

A vulnerability was detected in the PnP service for several Microsoft Windows operating systems that can allow remote attackers to execute arbitrary code via a crafted PnP packet.
By enabling the protection, SmartDefense will block the specific vulnerable operation in the PnP MS-RPC interface over the Common Internet File Sharing (CIFS) protocol.
A monitor-only mode makes it possible to track unauthorized access attempts without blocking them.

Default Flag Settings: Off
Log Generated by Protection: MS-RPC over CIFS - Detected Microsoft client for netware vulnerabilities (MS05-046)
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version: 591051011

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 and above) / Same
  R55W: Same / Same


Block DTC Vulnerability (MS05-051)

A vulnerability was detected in the PnP service for several Microsoft Windows operating systems that can allow remote attackers to execute arbitrary code via a crafted PnP packet.
By enabling the protection, SmartDefense will block the specific vulnerable operation in the PnP MS-RPC interface over the Common Internet File Sharing (CIFS) protocol.
A monitor-only mode makes it possible to track unauthorized access attempts without blocking them.

Default Flag Settings: Off
Log Generated by Protection: MS-RPC over CIFS - Detected Microsoft DTC Vulnerability (MS05-051)
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version: 591051011

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 and above) / Same
  R55W: Same / Same


Block Print Spooler Vulnerability (MS05-043)

A vulnerability was detected in the PnP service for several Microsoft Windows operating systems that can allow remote attackers to execute arbitrary code via a crafted PnP packet.
By enabling the protection, SmartDefense will block the specific vulnerable operation in the PnP MS-RPC interface over the Common Internet File Sharing (CIFS) protocol.
A monitor-only mode makes it possible to track unauthorized access attempts without blocking them.

Default Flag Settings: Off
Log Generated by Protection: MS-RPC over CIFS - Detected Microsoft Print Spooler Vulnerability (MS05-043)
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version: 591050816

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 and above) / Same
  R55W: Same / Same


Block LSASS Vulnerability (MS05-011)

A vulnerability was detected in the PnP service for several Microsoft Windows operating systems that can allow remote attackers to execute arbitrary code via a crafted PnP packet.
By enabling the protection, SmartDefense will block the specific vulnerable operation in the PnP MS-RPC interface over the Common Internet File Sharing (CIFS) protocol.
A monitor-only mode makes it possible to track unauthorized access attempts without blocking them.

Default Flag Settings: Off
Log Generated by Protection: MS-RPC over CIFS - Detected Microsoft LSASSr Vulnerability (MS05-011)
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version: 591051011

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 and above) / Same
  R55W: Same / Same


Block Web Client Vulnerability (MS05-011)

A remote code execution vulnerability exists in the way that Windows processes Web Client requests, which could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
By enabling the protection, SmartDefense will block the WebDAV MS-RPC interface over the Common Internet File Sharing (CIFS) protocol.
A monitor-only mode makes it possible to track unauthorized access attempts without blocking them.

Default Flag Settings: Off
Log Generated by Protection: MS-RPC over CIFS - Detected Microsoft Web client Vulnerability (MS06-008)
NGX Performance Impact: Disables acceleration of RPC traffic. Protection is based on streaming in NGX R60. One streaming handler for all MS-RPC over CIFS protections.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RPC traffic.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides and has low memory consumption.
SmartDefense Update Version: 591060301

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 and above) / Same
  R55W: Same / Same


MS-SQL

The protections in this section allow you to configure various protections related to the MS SQL Server protocols.

MS-SQL Monitor Protocol

With this protection you can configure different protections to be applied to the MS SQL Monitor protocol (running on port 1434/UDP).

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Monitor Protocol Enforcement Violation
NGX Performance Impact: Disables acceleration of MS-SQL traffic.
InterSpect NGX - Impact on Acceleration: Enforcement is different, see below.
InterSpect NGX - Impact on Performance: Enforcement is different, see below.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


MS-SQL Server Protocol

With this protection you can configure several protections for the MS SQL Server protocol (running on tcp/1433).

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Server Protocol Enforcement Violation
NGX Performance Impact: Disables acceleration of MS-SQL traffic.
InterSpect NGX - Impact on Acceleration: Same
InterSpect NGX - Impact on Performance: Same
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
  R55W: Same / Same


Restricted Stored Procedures

This protection allows you to disable stored procedures in the SQL query that are vulnerable and enable access. The user can add his/her own stored procedures.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Restricted Stored Procedures
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


Restricted Commands

This protection allows you to disable specific SQL commands within the SQL query. This protection contains a default list, but the user can add his/her own.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Restricted Commands
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


Restricted Tabs

This protection allows you to disable specific access to tables in the SQL query. This protection contains a default list, but the user can add his/her own.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Restricted Tabs
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


Malicious Code Protector

This protection runs on SQL queries and looks for malicious code embedded in the query. This protection has two levels:
• High - runs on each query
• Low - only runs on a query that contains non-printable characters.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Malicious Code Protector
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is CPU intensive. Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


Weak Passwords

This protection allows you to disable entry attempts with passwords that are shorter than the length set by the administrator.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Weak Password Detector
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


Block Null Passwords

This protection disables entry attempts without a password.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Null Password Attack
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


Block RPC Service

This protection enables you to disable RPC commands.
MS-SQL uses the TDS protocol, which allows you to send a Remote Procedure Call (RPC) instead of a query. With RPC you can bypass other protections. For this reason, RPC abilities are enabled.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL RPC
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


Block Bulk Data

This protection enables you to disable Bulk Data commands.
MS-SQL uses the TDS protocol, which allows you to send Bulk Data messages. This protection also blocks a query using the BULK DATA command.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL Bulk Data Access
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: Disables MS-SQL acceleration
InterSpect NGX - Impact on Performance: Protection is streamed client to server and has low memory consumption.
SmartDefense Update Version:

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
  NG FP3 to R55: Not Enforced / Not Enforced
  R55W: Not Enforced / Not Enforced


MS-SQL Over Non-Standard Ports

All other MS-SQL server protocol protections work on the ports set in the MS-SQL services. This protection checks all other ports for MS-SQL traffic and blocks it when found.

Default Flag Settings: Off
Log Generated by Protection: MS-SQL On Non-Standard Ports
NGX Performance Impact: Not Enforced
InterSpect NGX - Impact on Acceleration: MS-SQL over non-standard ports disables all acceleration (except for MS-SQL). MS-SQL over CIFS disables acceleration for SMB (CIFS) traffic.
InterSpect NGX - Impact on Performance: Low memory consumption.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Not Enforced / Not Enforced


Routing Protocols

The protections in this section allow you to select what types of enforcement will be applied to routing protocols.

OSPF

By enabling this protection, SmartDefense will enforce the validity of the OSPF packet header, including protocol version, message type and packet length. In addition, SmartDefense is able to detect and block OSPF traffic that is non-MD5 authenticated, which is considered insecure.

Default Flag Settings: Off
Log Generated by Protection: OSPF enforcement violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia disables acceleration of these protocols.
InterSpect NGX - Impact on Acceleration: None - protocol is not accelerated.
InterSpect NGX - Impact on Performance: Low Impact, not TCP and therefore inspection on a packet basis.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same
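As an added illustration of the header checks this protection describes (example code written for this guide, not Check Point's implementation), the following Python validates the OSPF version, message type and packet length fields, verifies the standard checksum for null/simple authentication, and flags anything that is not MD5 authenticated. The Hello packets are constructed samples; the MD5 digest is a placeholder, since verifying it would need the shared key.

```python
import struct

OSPF_HEADER_LEN = 24            # RFC 2328, A.3.1
OSPF_VERSION = 2
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2   # AuType values
MD5_DIGEST_LEN = 16


def ospf_checksum(pkt: bytes) -> int:
    """Standard OSPF checksum (AuType 0 and 1): one's complement sum of the
    packet with the 64-bit authentication field (bytes 16..23) excluded.
    Over a packet whose checksum field is already filled in, it returns 0."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ospf(pkt: bytes, require_md5: bool = True):
    """Header enforcement in the spirit of the OSPF protection: validate the
    version, message type and packet length, then the authentication type.
    Returns ("accept" | "block", reason)."""
    if len(pkt) < OSPF_HEADER_LEN:
        return "block", "truncated OSPF header (%d bytes)" % len(pkt)
    version, msg_type, length, _rid, _area, _csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != OSPF_VERSION:
        return "block", "unsupported OSPF version %d" % version
    if msg_type not in OSPF_TYPES:
        return "block", "unknown OSPF message type %d" % msg_type
    if length < OSPF_HEADER_LEN or length > len(pkt):
        return "block", "length field %d inconsistent with %d bytes on the wire" % (length, len(pkt))
    if autype == AUTH_MD5:
        # RFC 2328 D.3: 0x0000, key id, auth data length, cryptographic sequence number.
        # The 16-byte digest follows the packet proper and is not counted in `length`.
        zero, key_id, auth_len, seq = struct.unpack("!HBBI", pkt[16:24])
        if zero != 0 or auth_len != MD5_DIGEST_LEN:
            return "block", "malformed MD5 authentication field"
        if len(pkt) < length + MD5_DIGEST_LEN:
            return "block", "MD5 digest missing"
        return "accept", "%s, MD5 key id %d, seq %d" % (OSPF_TYPES[msg_type], key_id, seq)
    # Null or simple-password authentication: the standard checksum must verify ...
    if ospf_checksum(pkt[:length]) != 0:
        return "block", "bad OSPF checksum"
    # ... and the protection treats non-MD5 authentication itself as insecure.
    if require_md5:
        return "block", "non-MD5 authentication (AuType %d)" % autype
    return "accept", "%s, AuType %d" % (OSPF_TYPES[msg_type], autype)


def build_hello(autype: int, auth: bytes, version: int = OSPF_VERSION) -> bytes:
    """Constructed sample packet: a minimal Hello (20-byte body) from router
    10.0.0.1 in area 0, with the given 8-byte authentication field."""
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    length = OSPF_HEADER_LEN + len(body)
    pkt = struct.pack("!BBHIIHH", version, 1, length, 0x0A000001, 0, 0, autype) + auth + body
    if autype == AUTH_MD5:
        # A real digest is MD5(packet || key); a constructed placeholder is appended here.
        return pkt + b"\x11" * MD5_DIGEST_LEN
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


if __name__ == "__main__":
    md5_auth = struct.pack("!HBBI", 0, 1, MD5_DIGEST_LEN, 1)
    for label, pkt in [("md5", build_hello(AUTH_MD5, md5_auth)),
                       ("simple", build_hello(AUTH_SIMPLE, b"secret\x00\x00")),
                       ("v3", build_hello(AUTH_NULL, b"\x00" * 8, version=3))]:
        print(label, check_ospf(pkt))
```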


BGP (block non-MD5 authenticated BGP connections)

By enabling this protection, SmartDefense will detect and block BGP traffic that is non-MD5 authenticated, which is considered insecure.

Default Flag Settings: Off
Log Generated by Protection: BGP Enforcement Violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia disables acceleration of these protocols.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration (templates) on BGP port (179 by default).
InterSpect NGX - Impact on Performance: Low Impact, inspection on a packet basis.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


RIP

By enabling this protection, SmartDefense will enforce the validity of the RIP packet header. In addition, SmartDefense is able to detect and block RIP traffic that is non-MD5 authenticated, which is considered insecure.

Default Flag Settings: Off
Log Generated by Protection: RIP Enforcement Violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia disables acceleration of these protocols.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration (templates) on RIP port (udp 520 by default).
InterSpect NGX - Impact on Performance: Low Impact, not TCP and therefore inspection on a packet basis.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


IGMP

By enabling this protection, SmartDefense will enforce the validity of the IGMP packet header. In addition, SmartDefense is able to detect and block IGMP traffic that is non-MD5 authenticated, which is considered insecure.

Default Flag Settings: Off
Log Generated by Protection: IGMP protocol Enforcement Violation
NGX Performance Impact: Performance Pack - None. It is not accelerated. Nokia disables acceleration of these protocols.
InterSpect NGX - Impact on Acceleration: None - protocol is not accelerated.
InterSpect NGX - Impact on Performance: Low Impact, not TCP and therefore inspection on a packet basis.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


SUN-RPC

The protections in this section allow you to select what types of enforcement will be applied to SUN-RPC (Remote Procedure Call) protocols.

SUN-RPC Program Lookup

This protection, available for NG with Application Intelligence (R55) and above, will block SUN-RPC interface scanning.

Default Flag Settings: Off
Log Generated by Protection: SUN-RPC Enforcement Violation
NGX Performance Impact: Disables acceleration of SUN-RPC traffic.
InterSpect NGX - Impact on Acceleration: Disables acceleration of SUN-RPC traffic - with services going through the port mapper.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


NFS / Block Illegal Mount Request

Specially crafted NFS requests may be used to cause FreeBSD systems to reboot.

By enabling this protection, SmartDefense will block the malformed NFS requests, as well as similar requests for other RPC over TCP services.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: Illegal Mount Request
NGX Performance Impact: Disables acceleration of SUN-RPC traffic.
InterSpect NGX - Impact on Acceleration: Disables acceleration of SUN-RPC traffic - with services going through the port mapper.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: 591060326

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


DHCP

By enabling this protection, SmartDefense will enforce the validity of the DHCP packet header and options.

Default Flag Settings: Off
Log Generated by Protection: DHCP Protocol Enforcement Violation
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: (none listed)
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


SOCKS

This protection provides enforcement of the SOCKS protocol. Non-SOCKS communication over the SOCKS protocol port (1080 by default) will be blocked. You may also block SOCKS version 4 only, or any unauthenticated SOCKS communication (often used by trojans to tunnel information).

Default Flag Settings: Off
Log Generated by Protection: SOCKS Enforcement Violation
NGX Performance Impact: None
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: Low memory consumption, not TCP - inspection on a packet basis.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


TFTP

With these protections you can block TFTP (Trivial File Transfer Protocol) traffic. TFTP uses UDP port 69, but with these protections you can also define additional UDP ports on which to enforce this protection.

These protections will ensure TFTP traffic is compliant with RFC 1350 and RFC 2347.

Excluded Network Objects

With this protection you can create a white list of clients that are excluded from this inspection.

Default Flag Settings: Off
Log Generated by Protection: N/A
NGX Performance Impact: N/A
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: N/A / N/A
R55W: N/A / N/A


Restrictions and Error Concealment

With this protection you can block the GET or the PUT commands (or both). You can also select the file types you want to block and add new file types.

You can also block:
• files without a name extension
• files with a double file name extension
• directory traversal in file names (such as '../../../a.txt')

This protection also hides the TFTP error codes returned by a server, replacing them with error code 0, and so prevents the error codes from revealing server information.

Default Flag Settings: Off
Log Generated by Protection: TFTP Enforcement Violation
NGX Performance Impact: N/A
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration (templates) on service 69 (udp).
InterSpect NGX - Impact on Performance: Low memory consumption, not TCP - inspection on a packet basis.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: N/A / N/A
R55W: N/A / N/A
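The following Python is an added example (written for this guide, not Check Point's code) of the restrictions listed above applied to TFTP read/write requests as RFC 1350 and RFC 2347 lay them out, plus the error-code concealment: a policy object whose settings (block_get, block_put, blocked_extensions and so on) are assumptions of the example, and a rewrite of server ERROR packets to error code 0. The request packets are constructed samples.

```python
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR, OP_OACK = 1, 2, 3, 4, 5, 6
VALID_MODES = {"netascii", "octet", "mail"}     # RFC 1350 transfer modes
CONCEALED_ERROR_CODE = 0                        # RFC 1350: "Not defined, see error message"


class TftpPolicy:
    """Request restrictions in the spirit of the TFTP protection described above.
    Every setting is an assumption of this example, not a Check Point parameter."""

    def __init__(self, block_get=False, block_put=False, blocked_extensions=(),
                 block_no_extension=False, block_double_extension=False,
                 block_traversal=True):
        self.block_get = block_get
        self.block_put = block_put
        self.blocked_extensions = {e.lower().lstrip(".") for e in blocked_extensions}
        self.block_no_extension = block_no_extension
        self.block_double_extension = block_double_extension
        self.block_traversal = block_traversal

    def check_request(self, pkt: bytes):
        """Return ("accept" | "block" | "pass", reason) for one UDP payload.
        "pass" means the packet is not a read/write request and is not judged here."""
        if len(pkt) < 4:
            return "block", "packet too short for a TFTP header"
        opcode = struct.unpack("!H", pkt[:2])[0]
        if opcode not in (OP_RRQ, OP_WRQ):
            return "pass", "opcode %d is not a request" % opcode
        verb = "GET" if opcode == OP_RRQ else "PUT"
        # RFC 1350: filename and mode, each NUL-terminated; RFC 2347 allows
        # NUL-terminated option/value pairs after the mode.
        fields = pkt[2:].split(b"\x00")
        if len(fields) < 3 or fields[-1] != b"":
            return "block", "malformed request: missing NUL terminator"
        if len(fields[2:-1]) % 2:
            return "block", "malformed request: RFC 2347 option without a value"
        filename = fields[0].decode("ascii", "replace")
        mode = fields[1].decode("ascii", "replace").lower()
        if not filename:
            return "block", "empty file name"
        if mode not in VALID_MODES:
            return "block", "invalid transfer mode %r" % mode
        if (opcode == OP_RRQ and self.block_get) or (opcode == OP_WRQ and self.block_put):
            return "block", "%s command blocked by policy" % verb
        parts = filename.replace("\\", "/").split("/")
        if self.block_traversal and ".." in parts:
            return "block", "directory traversal in file name %r" % filename
        exts = parts[-1].split(".")[1:]          # "a.tar.gz" -> ["tar", "gz"]; "README" -> []
        if not exts and self.block_no_extension:
            return "block", "file without name extension"
        if len(exts) > 1 and self.block_double_extension:
            return "block", "double file name extension %r" % parts[-1]
        if exts and exts[-1].lower() in self.blocked_extensions:
            return "block", "blocked file type .%s" % exts[-1]
        return "accept", "%s %s (%s)" % (verb, filename, mode)


def conceal_error(pkt: bytes) -> bytes:
    """Error concealment: rewrite the error code of a server ERROR packet to 0
    so the code no longer reveals server-side detail. Other packets pass unchanged."""
    if len(pkt) >= 4 and struct.unpack("!H", pkt[:2])[0] == OP_ERROR:
        return pkt[:2] + struct.pack("!H", CONCEALED_ERROR_CODE) + pkt[4:]
    return pkt


def request(opcode: int, filename: bytes, mode: bytes = b"octet", *options: bytes) -> bytes:
    """Constructed sample: build an RRQ/WRQ payload for the checks above."""
    return struct.pack("!H", opcode) + b"\x00".join((filename, mode) + options) + b"\x00"


if __name__ == "__main__":
    policy = TftpPolicy(block_put=True, blocked_extensions={"exe"},
                        block_no_extension=True, block_double_extension=True)
    for pkt in (request(OP_RRQ, b"boot.cfg"), request(OP_WRQ, b"boot.cfg"),
                request(OP_RRQ, b"../../../a.txt"), request(OP_RRQ, b"tool.exe"),
                request(OP_RRQ, b"boot.cfg", b"octet", b"blksize", b"1428")):
        print(policy.check_request(pkt))
    print(conceal_error(struct.pack("!HH", OP_ERROR, 1) + b"File not found\x00"))
```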


Block Over Non-Standard Ports

This protection detects and blocks TFTP traffic on any UDP port that is not configured in the TFTP protocol settings as an allowed port.

Default Flag Settings: Off
Log Generated by Protection: TFTP traffic detected on non-standard port.
NGX Performance Impact: N/A
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration (templates) on udp services.
InterSpect NGX - Impact on Performance: Low memory consumption, not TCP - inspection on a packet basis.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: N/A / N/A
R55W: N/A / N/A


Citrix

SmartDefense can protect against various Citrix ICA related vulnerabilities and prevent protocol violations.

By default, the Citrix ICA protections are not enforced.

Note: Citrix ICA protections do not support Session Reliability, which is available from Citrix MPS 3.0 and above.

Citrix Protocol Settings

Inspected Services

With this protection you can specify services that undergo Citrix inspection and enforcement. By default, Citrix ICA works over TCP port 1494. Other services can be added if Citrix is used on a non-default port.

Excluded Network Objects

With this protection you can specify Citrix ICA clients that are excluded from inspection. The Citrix ICA protections do not apply to hosts in this list.

Default Flag Settings: Off
Log Generated by Protection: N/A
NGX Performance Impact: N/A
InterSpect NGX - Impact on Acceleration: None
InterSpect NGX - Impact on Performance: None
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: N/A / N/A
R55W: N/A / N/A


Citrix Protections

With this protection you can define different settings of the Citrix protection:
• Perform Strict Protocol Enforcement - Validate the negotiation of the protocol.
• Block Session Sharing (seamless window) - Blocks the option of opening multiple applications on the same connection.
• Block Unauthorized Applications - Block Citrix-delivered applications that are not explicitly allowed in the Authorized applications list. You can edit this list to add or remove applications that will be allowed.

Default Flag Settings: Off
Log Generated by Protection: Citrix Enforcement Violations
NGX Performance Impact: N/A
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration on Citrix ports.
InterSpect NGX - Impact on Performance: Protection is streamed on both sides (passive streaming).
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: N/A / N/A
R55W: N/A / N/A


Remote Control Applications

These protections allow you to select what types of enforcement will be applied to remote control applications.

RDP Enforcement

Remote Desktop Protocol (RDP) lets users create a virtual session on their desktop computers, allowing them to access all the data and applications on their computers. The vulnerability is due to a failure of the RDP protocol driver to properly handle malformed Remote Desktop Protocol requests.

By enabling this protection, SmartDefense will block the MS05-038 RDP protocol vulnerability.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: RDP Buffer Overflow
NGX Performance Impact: Disables session rate acceleration (templates) on client to server RDP traffic.
InterSpect NGX - Impact on Acceleration: Disables acceleration of RDP traffic (c2s, port 3389).
InterSpect NGX - Impact on Performance: Protection is not CPU intensive and has low memory consumption; inspection on a packet basis.
SmartDefense Update Version: 591050906

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


GoToMyPC

GoToMyPC is a remote control protocol that uses the TCP protocol. The use of GoToMyPC may circumvent the organizational security policy.

SmartDefense is able to detect and block GoToMyPC protocol connection attempts.

Default Flag Settings: Off
Log Generated by Protection: GoToMyPC Enforcement Violation
NGX Performance Impact: Disables session rate acceleration of client to server traffic on HTTP port 80, SSL port 443, port 8080, and port 8200.
InterSpect NGX - Impact on Acceleration: Disables acceleration of client to server traffic on HTTP port 80, SSL port 443, port 8080, and port 8200. (+pattern: Only connections whose first packet starts with 'GET ' are not accelerated)
InterSpect NGX - Impact on Performance: Protection has low-medium CPU intensity and low memory consumption; inspection on a packet basis.
SmartDefense Update Version: 591050926

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


VNC

Some trojans use the VNC protocol in order to allow remote control of the infected computer by an attacker.

SmartDefense is able to detect and block VNC protocol connection attempts, on any port.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


Remote Administration

Authentication Enforcement

Some trojans use the Remote Administrator protocol in order to allow remote control of the infected computer by an attacker.

SmartDefense is able to detect and block Remote Administrator protocol connection attempts, on any port.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


Detect Over Non-Standard

Some trojans use the Remote Administrator protocol in order to allow remote control of the infected computer by an attacker.

SmartDefense is able to detect and block Remote Administrator protocol connection attempts, on any port.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


Tunneling

These protections detect and block encrypted connections from clients in an internal network.

SSL Tunnels

SSL encrypted communication between internal clients and servers outside the organization can leave the client that initiates the encrypted connection vulnerable to attacks sent through the encrypted tunnel. The client machine could potentially infect other machines, so that the internal network is at risk. Peer to Peer applications are examples of applications that can use SSL encryption.

This protection detects and blocks SSL encrypted client to server communication originating at internal clients. Clients are prevented from opening encrypted connections on non-standard ports. This protection supports the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It is possible to specify ports for which encrypted connections are allowed.


A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: SSL Tunneling
NGX Performance Impact: Disables acceleration of all traffic (excluding SSL traffic on dport 443 and other user-excluded ports).
InterSpect NGX - Impact on Acceleration: Disables acceleration of all traffic (excluding SSL traffic on dport 443 and other services defined by the user on the exclusion list).
InterSpect NGX - Impact on Performance: Protection is not CPU intensive and has low memory consumption; inspection on a packet basis.
SmartDefense Update Version: 591051214

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same
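As an added example of the detection the SSL Tunnels protection performs (example code for this guide, not Check Point's implementation), the Python below recognises an SSLv2, SSLv3 or TLS ClientHello in the first client-to-server bytes of a connection and applies the allowed-port list and monitor-only switch described above; it also labels TLS 1.1/1.2 record versions, which go beyond the versions the page lists. The allowed-port default and the sample handshakes are constructed assumptions of the example.

```python
import struct

DEFAULT_ALLOWED_PORTS = frozenset({443})
# Record-layer minor versions: 3.0 = SSLv3, 3.1 = TLS 1.0 (the page's "TLS v1"); later ones labelled too.
RECORD_VERSIONS = {0: "SSLv3", 1: "TLSv1", 2: "TLSv1.1", 3: "TLSv1.2"}
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def classify_client_hello(data: bytes):
    """Return a protocol label if the first bytes a client sends look like an
    SSL/TLS ClientHello, else None. Only client-to-server bytes are examined."""
    if len(data) < 6:
        return None
    # SSLv3 / TLS: record header = type(1) version(2) length(2), then handshake type(1).
    if data[0] == HANDSHAKE and data[1] == 3 and data[2] in RECORD_VERSIONS:
        rec_len = struct.unpack("!H", data[3:5])[0]
        if rec_len >= 4 and data[5] == CLIENT_HELLO:
            return RECORD_VERSIONS[data[2]]
        return None
    # SSLv2: 2-byte record header with the high bit set (15-bit length), then
    # message type 1 = CLIENT-HELLO and the version the client offers.
    if data[0] & 0x80:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] == CLIENT_HELLO and rec_len >= 9:
            version = struct.unpack("!H", data[3:5])[0]
            if version in (0x0002, 0x0300, 0x0301):   # an SSLv2 hello may advertise SSLv3/TLS
                return "SSLv2"
    return None


def ssl_tunnel_verdict(dst_port: int, client_bytes: bytes,
                       allowed_ports=DEFAULT_ALLOWED_PORTS, monitor_only: bool = False):
    """Policy decision for one internal-client connection: encrypted handshakes are
    allowed on the configured ports and blocked (or only logged) on any other port."""
    proto = classify_client_hello(client_bytes)
    if proto is None:
        return "accept", "no SSL/TLS handshake detected"
    if dst_port in allowed_ports:
        return "accept", "%s on allowed port %d" % (proto, dst_port)
    action = "detect" if monitor_only else "block"
    return action, "%s ClientHello on non-standard port %d" % (proto, dst_port)


# Constructed samples (not captures): a minimal TLS 1.0 ClientHello offering two cipher
# suites, an SSLv2 CLIENT-HELLO offering two cipher specs, and a plain HTTP request.
TLS_HELLO = (bytes.fromhex("16030100 2f 01 00002b 0301") + b"\x00" * 32 + b"\x00"
             + b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00")
SSLV2_HELLO = (b"\x80\x1f\x01\x03\x01\x00\x06\x00\x00\x00\x10"
               + b"\x01\x00\x80\x03\x00\x80" + b"\x00" * 16)
HTTP_GET = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    for port, payload in [(443, TLS_HELLO), (8443, TLS_HELLO), (6881, SSLV2_HELLO), (6881, HTTP_GET)]:
        print(port, ssl_tunnel_verdict(port, payload))
```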


Telnet

These protections allow you to configure various protections related to the Telnet protocol.

Environment Disclosure Protection

Remote exploitation of an input validation error in multiple Telnet clients could allow an attacker to gain sensitive information regarding the victim's machine.

By enabling this protection, SmartDefense will block the potentially malicious NEW-ENVIRON command on all Telnet connections from the server side.

A monitor-only mode makes it possible to track unauthorized traffic without blocking it.

Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables acceleration of telnet traffic.
InterSpect NGX - Impact on Acceleration: Disables acceleration of telnet traffic.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: 591050629

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


Veritas Backup Exec Protections

These protections allow you to configure various protections related to the Veritas Backup Exec software suite.

Backup Exec Remote Registration Protection

Remote exploitation of an access validation vulnerability may grant an attacker administrative privileges over the vulnerable machine's registry.

By enabling this protection, SmartDefense will block any attempt of unauthorized remote registry access to a host with Backup Exec installed.

A monitor-only mode makes it possible to track unauthorized remote registry access attempts without blocking them.

Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables acceleration of Backup Exec traffic.
InterSpect NGX - Impact on Acceleration: Disables acceleration of Backup Exec traffic.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: 591050816

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


Backup Exec Agent

Two vulnerabilities exist in the Backup Exec agent:
• A buffer overflow condition in the CONNECT_CLIENT_AUTH request, which may lead to arbitrary remote code execution.
• A null pointer dereference caused by a maliciously crafted packet, which causes DoS.

By enabling the CONNECT_CLIENT_AUTH protection, SmartDefense will verify the validity of the authentication requests exchanged between the Backup Exec server and its agents. The Block Backup Agent DoS protection will block specially crafted packets that lead to a DoS condition. Both protections are enforced on port 10000/TCP.

A monitor-only mode makes it possible to track exploitation attempts of these vulnerabilities without blocking them.

Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables acceleration of Backup Exec agent traffic.
InterSpect NGX - Impact on Acceleration: Disables acceleration of Backup Exec agent traffic.
InterSpect NGX - Impact on Performance: Inspection on a per packet basis and not accelerated.
SmartDefense Update Version: 591050816

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 Only) / Same (R55 Only)
R55W: Same / Same


CA BrightStore Backup

These protections allow you to configure various protections related to the Computer Associates BrightStore ARCserve Backup system.

MS-SQL Agent Protection

The Computer Associates BrightStore ARCserve Backup system contains a buffer overflow vulnerability that may allow remote attackers to execute arbitrary code or cause a denial of service condition.

By enabling this protection, SmartDefense will block an attempt to exploit this vulnerability in order to cause denial-of-service or execute arbitrary code on the target system.

A monitor-only mode makes it possible to track an attack without blocking any network traffic.

Default Flag Settings: Off
Log Generated by Protection: (none listed)
NGX Performance Impact: Disables acceleration on CA BrightStore traffic (Port 6070 TCP).
InterSpect NGX - Impact on Acceleration: Disables acceleration on CA BrightStore traffic (Port 6070 TCP).
InterSpect NGX - Impact on Performance: This protection is over streaming.
SmartDefense Update Version: 591050906

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Not Enforced / Not Enforced




CHAPTER 4
Web Intelligence

In This Chapter
Introduction page 167
Malicious Code page 168
Application Layer page 172
Information Disclosure page 178
HTTP Protocol Inspection page 182

Introduction

Web Intelligence is based on Check Point's Stateful Inspection, Application Intelligence, and Malicious Code Protector technologies, so that it is possible to block not only specific attacks, but also entire categories of attacks, while allowing legitimate traffic to pass.

• Malicious Code Protector is a Check Point patent-pending technology that blocks hackers from sending malicious code to target web servers and applications. It can detect malicious executable code within web communications by identifying not only the existence of executable code in a data stream but its potential for malicious behavior. Malicious Code Protector is a kernel-based protection delivering almost wire-speed performance.
• Application Intelligence is a set of technologies that detect and prevent application-level attacks by integrating a deeper understanding of application behavior into network security defenses.
• Stateful Inspection analyzes information flow into and out of a network so that real-time security decisions can be based on communication session information as well as on application information. It accomplishes this by tracking the state and context of all communications traversing the firewall gateway, even when the connection involves complex protocols.


Web Intelligence is an add-on for VPN-1 Pro. Customers who purchase the SmartDefense Subscription service can automatically update both SmartDefense and Web Intelligence with a single click. Updates are released frequently, and are obtained from the Check Point SmartDefense site:
http://www.checkpoint.com/techsupport/documentation/smartdefense/index.html

Customers with a valid subscription license also receive special SmartDefense Advisories that provide updated SmartDefense and Web Intelligence attack protections, as well as information, tools and best practice methods to mitigate different attacks.

Tip - It is recommended to keep your gateway version up-to-date, as the newest defenses are incorporated into the latest version of Check Point software.

Malicious Code

The protections in this section allow you to prevent attacks that run malicious code on web servers or clients.


General HTTP Worm Catcher

With this protection you can configure worm signatures that will be detected and blocked based on pre-defined patterns. This detection takes place in the kernel, and so is performed very quickly. It does not require a security server.

This protection can be applied either to all traffic or to specific web servers. When the attack is blocked, users can be informed via a customizable web page.

Default Flag Settings: On for defined web servers
Log Generated by Protection: Worm catcher pattern found. cmd.exe
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version: (none listed)

Feature behavior in NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same / Enforced
R55W: Same / Same

Chapter 4 Web Intelligence 169


Malicious Code Protector

This protection analyzes URLs, HTTP request headers and HTTP request bodies by disassembling machine code. It assesses the danger, and allows or rejects connections accordingly. Because it analyzes assembler code dynamically, it is able to protect against most future vulnerabilities without the need for patterns or updates.

To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.


This protection is available for Web Servers running on the platforms specified in the online help.

Default Flag Settings: Off
Log Generated by Protection: Malicious code detected in URL
NGX Performance Impact: Some (works only on client to server traffic, which is not accelerated; the impact depends on the configured level. On low the impact is around 10%).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Some (works only on client to server traffic, which is not accelerated; the impact depends on the configured level. On low the impact is around 10%).
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same (except with web servers that support Solaris - which was is supported) / Same


Application Layer
The protections in this section prevent hackers from introducing text, tags, commands, or other characters that a web application will interpret as special instructions. Introducing these characters in forms or URLs can allow a hacker to steal private data, redirect a communication session to a malicious web site, steal information from a database, gain unauthorized access, or execute restricted commands.

Cross Site Scripting
To protect against Cross-Site Scripting attacks, HTTP requests sent using the POST command that contain scripting code are rejected. This protection also understands the encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request; rather, the whole request is rejected.


To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.

Default Flag Settings: On for defined web servers
Log Generated by Protection: Cross Site Scripting detected in URL: 'script'
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same / Enforced
R55W: Same / Same


LDAP Injection
This protection protects LDAP servers by identifying attempted misuse of LDAP queries in forms and URLs submitted to Web applications. If an attack is detected, the connection is rejected.
To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help.
The list of LDAP fields that is examined can be customized, which makes it possible to control the use of customized LDAP fields as well as standard ones.

Default Flag Settings:
Log Generated by Protection: LDAP Injection detected in URL: 'uid'
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Not Enforced / Not Enforced


SQL Injection
Web Intelligence looks for SQL commands in forms and in URLs. If it finds them, the connection is rejected.
To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.

Default Flag Settings: On for defined web servers
Log Generated by Protection: SQL Injection detected in URL: 'select'
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


Command Injection
This protection looks for system commands in forms and in URLs. If it finds them, the connection is rejected.
To provide good protection with a minimum number of false positives, three levels of protection are available. They make it possible to choose the appropriate trade-off between a high detection rate on the one hand and a low level of false positives on the other. The protection level can be changed at any time to suit the environment. For details, see the online help.

Default Flag Settings: On for defined web servers
Log Generated by Protection: Command Injection detected in URL: 'chown'
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


Directory Traversal
This protection verifies that the URL does not contain an illegal combination of directory traversal characters. Requests in which the URL contains an illegal directory request are blocked.

Default Flag Settings: On for defined web servers
Log Generated by Protection: directory traversal overflow http://1.2.3.4/../../
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


Information Disclosure
One of the first steps an attacker may take before attacking a web site is to gather information about the site. The goal of the hacker is to get the web server to reveal information that the hacker can use to tailor an attack. This is known as "fingerprinting".
The protections in this section allow you to prevent the web server from revealing information that is not required by users.


Header Spoofing
This protection allows you to remove or change a specific header (that can appear either in the HTTP Request or Response) by giving a regular expression to identify the header name and header value. For example, a typical server header will contain the web server name and version number. Use this protection to spoof out the version information.
Note - Activating this protection decreases performance for Web traffic to which this protection is applied.

Default Flag Settings: Off
Log Generated by Protection: Header Spoofing, replacing header, new header is 'IIS'
NGX Performance Impact: Disables acceleration on all HTTP traffic - active control and inspection of a TCP stream.
InterSpect NGX - Impact on Acceleration: Disables acceleration on all HTTP traffic - active control and inspection of a TCP stream.
InterSpect NGX - Impact on Performance: Heavy impact - active control and inspection of a TCP stream.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same


Directory Listing
This protection identifies web pages containing directory listings and blocks them.
To provide good protection with the optimum detection sensitivity, three levels of protection are available. For details, see the online help.

Default Flag Settings: Off
Log Generated by Protection: Directory Listing detected
NGX Performance Impact: Disables acceleration on all HTTP traffic - active control and inspection of a TCP stream.
InterSpect NGX - Impact on Acceleration: Disables acceleration on all HTTP traffic - active control and inspection of a TCP stream.
InterSpect NGX - Impact on Performance: Heavy impact - active control and inspection of a TCP stream.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Not Enforced / Not Enforced


Error Concealment
This protection looks for web server error messages in HTTP responses, and if it finds them, prevents the web page from reaching the user.
Error messages are detected and concealed in two ways.
The first way conceals HTTP Responses containing those 4XX and 5XX error status codes that reveal unnecessary information. It is possible to choose the status codes that will be concealed.
The second way hides error messages generated by the web application engine. This approach is needed when the application engine does not tell the web server it has an error, in which case the web server displays error information that it should not. It is possible to configure patterns that identify messages from particular application engines. If these patterns are detected the pages are blocked.

Default Flag Settings: Off
Log Generated by Protection: Concealed HTTP response status code: '413'
NGX Performance Impact: Disables acceleration on all HTTP traffic - active control and inspection of a TCP stream.
InterSpect NGX - Impact on Acceleration: Disables acceleration on all HTTP traffic - active control and inspection of a TCP stream.
InterSpect NGX - Impact on Performance: Heavy Impact - active control and inspection of a TCP stream.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Not Enforced / Not Enforced
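The response-side logic that Header Spoofing and Error Concealment describe (regular expressions on header name and value, a chosen set of 4XX/5XX status codes, and patterns for application-engine errors that arrive with a 200 status), as an added example that is not Check Point's code: the rule lists, the Oracle and PHP patterns, the sample responses and the log text for the application-engine case are all constructed for this example, while the two log formats quoted on this page are reused as given.

```python
import re

# Constructed configuration for this example (the product's rule format is
# not shown on this page). Header Spoofing rules: a regular expression on
# the header name, one on the header value, and the replacement value, or
# None to remove the header entirely.
HEADER_RULES = [
    (re.compile(r"^Server$", re.I), re.compile(r"^Apache/[\d.]+"), "IIS"),
    (re.compile(r"^X-Powered-By$", re.I), re.compile(r".*"), None),
]
# Error Concealment, first way: 4XX/5XX status codes chosen for concealment.
CONCEALED_STATUS_CODES = {403, 404, 413, 500, 502, 503}
# Error Concealment, second way: patterns identifying application-engine
# error text that may arrive with a 200 status (constructed examples).
ENGINE_ERROR_PATTERNS = [
    re.compile(rb"ORA-\d{5}"),                      # Oracle driver error codes
    re.compile(rb"<b>Warning</b>:.*?on line \d+"),  # PHP warning markup
]


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0]
    status_code = int(status_line.split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, status_code, headers, body


def spoof_headers(headers):
    """Rewrite or drop headers matching a HEADER_RULES entry; return (headers, logs)."""
    kept, logs = [], []
    for name, value in headers:
        for name_re, value_re, replacement in HEADER_RULES:
            if name_re.match(name) and value_re.search(value):
                if replacement is None:
                    logs.append(f"Header Spoofing, removing header '{name}'")
                else:
                    kept.append((name, replacement))
                    logs.append(
                        f"Header Spoofing, replacing header, new header is '{replacement}'")
                break
        else:
            kept.append((name, value))      # no rule matched: pass through unchanged
    return kept, logs


def concealment_reason(status_code, body):
    """Return the log line if the response must be concealed, else None."""
    if status_code in CONCEALED_STATUS_CODES:
        return f"Concealed HTTP response status code: '{status_code}'"
    for pattern in ENGINE_ERROR_PATTERNS:
        match = pattern.search(body)
        if match:
            snippet = match.group(0)[:20].decode("latin-1")
            # constructed log text; the page gives none for this case
            return f"Concealed application engine error: '{snippet}'"
    return None


def inspect_response(raw: bytes):
    """Apply Error Concealment first, then Header Spoofing to responses that pass."""
    status_line, status_code, headers, body = parse_response(raw)
    reason = concealment_reason(status_code, body)
    if reason:
        return {"action": "block", "logs": [reason]}
    headers, logs = spoof_headers(headers)
    head = "\r\n".join([status_line] + [f"{n}: {v}" for n, v in headers])
    return {"action": "allow", "logs": logs,
            "response": head.encode("latin-1") + b"\r\n\r\n" + body}


# Constructed sample responses.
SAMPLE_OK = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.54 (Unix)\r\n"
             b"X-Powered-By: PHP/4.4.0\r\nContent-Type: text/html\r\n\r\n<html>hi</html>")
SAMPLE_413 = b"HTTP/1.1 413 Request Entity Too Large\r\nServer: Apache/2.0.54\r\n\r\n"
SAMPLE_ENGINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html>ORA-01017: invalid username/password</html>")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_413, SAMPLE_ENGINE):
        print(inspect_response(sample)["logs"])
```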


HTTP Protocol Inspection
HTTP Protocol Inspection provides strict enforcement of the HTTP protocol, ensuring these sessions comply with RFC standards and common security practices.
Web Intelligence performs high performance kernel-level inspection of all connections passing through enforcement modules of version NG with Application Intelligence (R55W) or higher.
For enforcement modules of version NG with Application Intelligence (R55) or lower, there is a choice. It is possible to choose whether to perform HTTP protocol inspection using the kernel for optimized performance, or using the HTTP Security Server for strict protocol enforcement. A third option applies the options only to connections related to resources used in the Rule Base, and enforces the options using the Security Server.


HTTP Format Sizes
It is good security practice to limit the sizes of different elements in HTTP requests and responses. This reduces the chance of buffer overruns and limits the size of code that can be inserted into the header.
This protection allows you to configure upper bounds for different elements in the HTTP request and response. You can also impose limits on specific headers using a regular expression to describe the header name. If the inspected HTTP connection contains more than one request, the limits are imposed on each request separately.

Default Flag Settings: On

Maximum Request Body Size:
Default Flag Settings: Off
Log Generated by Protection: Request body length exceeded allowed maximum length of 49152 bytes
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same (although the defense is not present in the GUI) / Same


Maximum URL Length:
Default Flag Settings: On for defined web servers
Log Generated by Protection: URL length exceeded allowed maximum length of 2048 bytes.
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same / Enforced
R55W: Same / Same


Maximum Header Value Length:
Default Flag Settings: On for defined web servers
Log Generated by Protection: 'host' header length exceeded maximum allowed length.
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same / Enforced
R55W: Same / Same


Maximum Number of Headers:
Default Flag Settings: On for defined web servers
Log Generated by Protection: Number of HTTP headers exceeded allowed maximum of 500.
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same / Enforced
R55W: Same / Same
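The four HTTP Format Sizes limits applied per request on a pipelined connection, as an added example that is not Check Point's code: the numeric limits and log texts are the ones quoted in the log lines above, while the general header-value limit of 1024, the per-header regular-expression overrides for Host and Cookie, and the sample stream are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Limits as quoted in this page's log messages. The general header-value
# limit and the per-header override list are assumptions for this example.
MAX_URL_LENGTH = 2048
MAX_HEADER_COUNT = 500
MAX_BODY_SIZE = 49152
MAX_HEADER_VALUE_LENGTH = 1024           # assumed general limit
HEADER_VALUE_LIMITS = [                  # (header-name regex, limit), assumed
    (re.compile(r"^host$", re.I), 255),
    (re.compile(r"^cookie$", re.I), 4096),
]


@dataclass
class Request:
    method: str
    url: str
    headers: list          # (name, value) tuples in wire order
    body: bytes


def header_value_limit(name: str) -> int:
    """Per-header limit selected by regular expression, else the general limit."""
    for name_re, limit in HEADER_VALUE_LIMITS:
        if name_re.match(name):
            return limit
    return MAX_HEADER_VALUE_LENGTH


def check_request(req: Request):
    """Return one log line per limit that this single request exceeds."""
    logs = []
    if len(req.url) > MAX_URL_LENGTH:
        logs.append(f"URL length exceeded allowed maximum length of {MAX_URL_LENGTH} bytes.")
    if len(req.headers) > MAX_HEADER_COUNT:
        logs.append(f"Number of HTTP headers exceeded allowed maximum of {MAX_HEADER_COUNT}.")
    for name, value in req.headers:
        if len(value) > header_value_limit(name):
            logs.append(f"'{name.lower()}' header length exceeded maximum allowed length.")
    if len(req.body) > MAX_BODY_SIZE:
        logs.append(f"Request body length exceeded allowed maximum length of {MAX_BODY_SIZE} bytes")
    return logs


def split_requests(stream: bytes):
    """Split a client-to-server byte stream into Requests. Bodies are delimited
    by Content-Length; chunked transfer encoding is not handled here."""
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                    # incomplete request head
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        method, url = parts[0], (parts[1] if len(parts) > 1 else "")
        headers, length = [], 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            headers.append((name, value))
            if name.lower() == "content-length" and value.isdigit():
                length = int(value)
        body_start = end + 4
        requests.append(Request(method, url, headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


def inspect_stream(stream: bytes):
    """Limits are imposed on each request separately: returns (index, logs) pairs."""
    return [(i, check_request(r)) for i, r in enumerate(split_requests(stream))]


# Constructed sample: two pipelined requests on one connection. The first is
# within every limit; the second exceeds the URL, Host header and body limits.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    + b"POST /" + b"a" * 2100 + b" HTTP/1.1\r\n"
    + b"Host: " + b"h" * 300 + b"\r\n"
    + b"Content-Length: 50000\r\n\r\n" + b"x" * 50000
)

if __name__ == "__main__":
    for index, logs in inspect_stream(SAMPLE_STREAM):
        print(index, logs)
```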


ASCII Only Request
This protection makes it possible to selectively block non-ASCII characters in HTTP requests. It is possible to block HTTP request headers and Form fields. When a user submits a web form, the data can be carried in the query section of the URL or in the body of the HTTP request.

Default Flag Settings: On for defined web servers
Log Generated by Protection: Invalid character detected in request URL: '0xff'.
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same / Enforced
R55W: Same / Same


ASCII Only Response Headers
This protection drops responses which contain non-ASCII values.
Note - Activating this protection decreases performance for Web traffic to which this protection is applied.
With this page you can force all HTTP headers to be ASCII only. This will prevent some malicious content from passing in the HTTP protocol headers.

Default Flag Settings: Off
Log Generated by Protection: Invalid character detected in response headers: '0xff'
NGX Performance Impact: Disables acceleration on all HTTP traffic.
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same / Enforced
R55W: Same / Enforced


Header Rejection
This protection allows you to reject HTTP requests that contain specific headers and header values.
The HTTP header name and value are defined using case-sensitive regular expressions.

Default Flag Settings: Off
Log Generated by Protection: Header Rejection pattern found in request.
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (previously referred to as Peer to Peer) / Enforced
R55W: Same / Same


HTTP Methods
This protection can be used to control which HTTP methods can be used in HTTP requests.
Web Intelligence divides the HTTP methods into three groups: standard safe (GET, HEAD and POST), standard unsafe (the other standard HTTP methods), and WebDAV. By default, all methods are blocked other than the standard safe methods.
To allow users access to popular applications such as Microsoft Hotmail, Outlook Web Access, and FrontPage, the non-RFC compliant WebDAV HTTP methods can be allowed.
It is possible to choose exactly which methods to block. For example, if only GET and POST methods are allowed, and all others are blocked, the following HTTP request using a WebDAV method will be rejected: MKCOL / HTTP/1.0.

Default Flag Settings: On for defined web servers
Log Generated by Protection: Blocked Method: 'PUT'
NGX Performance Impact: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Acceleration: None (works only on client to server traffic, which is not accelerated).
InterSpect NGX - Impact on Performance: Accelerated TCP streaming on server to client only.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Same / Same
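The three-group method model above, with a per-method override so that a policy such as "only GET and POST" can be expressed, as an added example that is not Check Point's code: the standard unsafe list is the remaining RFC 2616 methods, the WebDAV list is a constructed subset (RFC 2518 methods plus a few Microsoft extensions) rather than the product's list, and the "Blocked Method" log format is the one quoted on this page.

```python
# Method groups as this page describes them. Membership lists are assumptions
# for this example; method names are case-sensitive in HTTP, so "get" is not GET.
STANDARD_SAFE = {"GET", "HEAD", "POST"}
STANDARD_UNSAFE = {"OPTIONS", "PUT", "DELETE", "TRACE", "CONNECT"}
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
          "SEARCH", "BPROPFIND", "BMOVE", "BCOPY", "BDELETE", "POLL", "SUBSCRIBE"}


def classify(method: str) -> str:
    """Name the group a method belongs to; anything unrecognised is 'unknown'."""
    if method in STANDARD_SAFE:
        return "standard safe"
    if method in STANDARD_UNSAFE:
        return "standard unsafe"
    if method in WEBDAV:
        return "webdav"
    return "unknown"


class MethodPolicy:
    """Allow whole groups, then refine with explicit per-method block/allow sets.

    Defaults mirror the page: only the standard safe group is allowed, and an
    unknown method is never allowed by a group setting."""

    def __init__(self, allow_safe=True, allow_unsafe=False, allow_webdav=False,
                 block=(), allow=()):
        self.allowed_groups = set()
        if allow_safe:
            self.allowed_groups.add("standard safe")
        if allow_unsafe:
            self.allowed_groups.add("standard unsafe")
        if allow_webdav:
            self.allowed_groups.add("webdav")
        self.block = set(block)     # explicit blocks win over everything
        self.allow = set(allow)     # explicit allows win over group settings

    def is_allowed(self, method: str) -> bool:
        if method in self.block:
            return False
        if method in self.allow:
            return True
        return classify(method) in self.allowed_groups

    def inspect(self, request_line: str):
        """Return ("allow", None) or ("block", log line) for one request line."""
        method = request_line.split(" ", 1)[0]
        if self.is_allowed(method):
            return ("allow", None)
        return ("block", f"Blocked Method: '{method}'")


# Constructed policies: the page's default, one that admits WebDAV for
# applications such as Outlook Web Access, and the page's "only GET and POST".
DEFAULT_POLICY = MethodPolicy()
WEBDAV_POLICY = MethodPolicy(allow_webdav=True)
GET_POST_ONLY = MethodPolicy(allow_safe=False, allow=("GET", "POST"))

if __name__ == "__main__":
    for line in ("GET / HTTP/1.1", "MKCOL / HTTP/1.0", "PUT /x HTTP/1.1"):
        print(line, "->", DEFAULT_POLICY.inspect(line))
```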


Block HTTP on Non-Standard Port
SmartDefense is able to detect and block HTTP traffic on any TCP port not configured by the security administrator as an allowed port for the use of HTTP.
For more details on how to allow HTTP traffic on non-standard ports, please refer to the above CPSA-2005-01 advisory.

Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration.
InterSpect NGX - Impact on Performance: No accelerated TCP streaming acceleration.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced / Not Enforced
R55W: Not Enforced / Not Enforced


Block Malicious HTTP Encodings
NULL encoding in URIs is mostly used when trying to bypass URI-based restrictions, or to take advantage of the fact that some web servers ignore parameters after a NULL character.
This protection allows you to block HTTP requests which contain NULL encoding in the path part of the URI.

Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables session rate acceleration.
InterSpect NGX - Impact on Acceleration: Disables session rate acceleration.
InterSpect NGX - Impact on Performance: No accelerated TCP streaming acceleration.
SmartDefense Update Version:

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Not Enforced (R54, FP3); Same (R55 only) / Not Enforced (R54, FP3); Same (R55 only)
R55W: Same / Same
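The two URI path checks described by Directory Traversal and Block Malicious HTTP Encodings, as one added example that is not Check Point's code: it isolates the path part of the request URI (so a %00 in the query is not flagged), percent-decodes it once and twice, looks for a NUL byte, and counts ".." segments against the directories entered so far to detect a climb above the document root. The "directory traversal overflow" log format is the one quoted on this page; the NULL-encoding log text and the sample URIs are constructed for the example.

```python
from urllib.parse import unquote_to_bytes


def request_path(uri: str) -> str:
    """Return only the path part of a request URI: absolute-form URIs lose
    scheme and host, and everything from '?' onwards (the query) is excluded."""
    if "://" in uri:
        uri = uri[uri.find("://") + 3:]
        slash = uri.find("/")
        uri = uri[slash:] if slash >= 0 else "/"
    return uri.partition("?")[0]


def decoded_forms(path: str):
    """The path after one and after two percent-decoding passes: some servers
    decode twice, so the second pass can reveal characters hidden as %25xx."""
    once = unquote_to_bytes(path)
    return once, unquote_to_bytes(once)


def has_null_encoding(path: str) -> bool:
    """True if either decoding pass yields a NUL byte (%00 or %2500)."""
    return any(b"\x00" in form for form in decoded_forms(path))


def climbs_above_root(decoded: bytes) -> bool:
    """Walk the segments of a decoded path, treating backslash as a separator
    too; a '..' with nothing left to pop means the request left the root."""
    depth = 0
    for segment in decoded.replace(b"\\", b"/").split(b"/"):
        if segment == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in (b"", b"."):
            depth += 1
    return False


def is_directory_traversal(path: str) -> bool:
    return any(climbs_above_root(form) for form in decoded_forms(path))


def inspect_uri(uri: str):
    """Return log lines for the URI; an empty list means it passes both checks."""
    path = request_path(uri)
    logs = []
    if has_null_encoding(path):
        # constructed log text; the page lists none for this protection
        logs.append(f"NULL encoding detected in URI path: '{path}'")
    if is_directory_traversal(path):
        logs.append(f"directory traversal overflow {uri}")   # log format from this page
    return logs


# Constructed sample URIs, including the one from the page's log line.
SAMPLE_URIS = [
    "/index.html?q=%00",             # NUL only in the query: allowed
    "/images/../index.html",         # '..' that stays inside the root: allowed
    "http://1.2.3.4/../../",         # the page's own example
    "/%2e%2e/%2e%2e/",               # percent-encoded dots
    "/docs/..%5c..%5cx",             # backslash separators
    "/cgi-bin/script.pl%00.html",    # NUL in the path
]

if __name__ == "__main__":
    for sample in SAMPLE_URIS:
        print(sample, "->", inspect_uri(sample))
```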


Microsoft Internet Explorer
By enabling this protection, SmartDefense will block an attempt to exploit this vulnerability in order to cause denial-of-service or execute arbitrary code on the target system.
A monitor-only mode makes it possible to track an attack without blocking any network traffic.

Default Flag Settings: Off
Log Generated by Protection:
NGX Performance Impact: Disables http acceleration.
InterSpect NGX - Impact on Acceleration: Disables http acceleration.
InterSpect NGX - Impact on Performance: High
SmartDefense Update Version: 591051214

Feature behavior under NGX R60 Management (protection on / Monitor-Only mode):
NG FP3 to R55: Same (R55 only) / Same (R55 only)
R55W: Same / Same




Index

Numerics
55 120

A
Address Spoofing 40
Allow Only SNMPv3 Traffic 102
Allowed 16
Always On 16
Application Intelligence 167
Application Layer 172
ASCII Only Request 187
ASCII Only Response Headers 188

B
BGP 143
Block ASN.1 Bitstring Encoding Attack 68
Block ASN.1 Bitstring Encoding Attack over SMTP 60
Block CISCO IOS DOS 29
Block Data Connections to Low Ports 50
Block HTTP on Non-Standard Port 191
Block IKE Aggressive Exchange 106, 107
Block Malicious HTTP Encodings 192
Block Null CIFS Sessions 66
Block Null Payload ICMP 30
Block Popup Messages 67
Block SSL Null-Pointer Assignment 105
Block Welchia ICMP 28
Block WINS Name Validation Attack 70, 71, 72, 73, 74
Block WINS Replication Attack 69

C
Cache Poisoning Protections 88
Command Injection 176
Content Protection 110
Cross Site Scripting 172

D
DCOM 119
Denial Of Service 18
Denial of Service 41
DHCP 148
Directory Listing 180
Directory Traversal 177
DNS 84
Domain Block List 87
DOS Protection 93
Drop Requests to Default Community Strings 103
Drop Unauthenticated DCOM 120
DShield Storm Center 45
Dynamic Ports 50

E
Enforced 16
Error Concealment 181

F
File and Print Sharing 65
Fingerprint Scrambling 36
FTP 62
FTP Bounce 62
FTP Security Server 63

G
General HTTP Worm Catcher 169

H
H323 94
Header Rejection 189
Header Spoofing 179
Host Port Scan 48
HTTP Format Sizes 183
HTTP Methods 190
HTTP Protocol Inspection 182

I
IGMP 145
Information Disclosure 178
Instant Messengers 79
InterSpect NGX R60 13
IP and ICMP 23
IP Fragments 26
IP ID 39
ISN Spoofing 37

L
LAND 21
LDAP Injection 174
Local Interface Spoofing 42

M
Mail 53
Mail Security Server 59
Malformed ANI File 111, 112, 113, 114, 115, 118
Malformed JPEG 110
Malicious Code 168
195


Malicious Code Protector 167, 170
Max Ping Size 25
Maximum Header Value Length 185
Maximum Number of Headers 186
Maximum Request Body Size 96, 183
Maximum URL Length 184
MGCP (allowed commands) 100
Microsoft Networks 65
MSN Messenger over MSNMS 81
MSN Messenger over SIP 80
MS-RPC 119
MS-RPC Program Lookup 121
MS-SQL 131
MS-SQL Monitor Protocol 131
MS-SQL Server Protocol 132

N
N/A 16
Network Quota 27
NG FP3 13
NG R55W 13
NG With Application Intelligence R54 13
NG With Application Intelligence R55 13
Non TCP Flooding 22
Not Enforced 16

O
Off 16
On 16
OSPF 142

P
Packet Sanity 23
Peer to Peer 75
Ping of Death 20
POP3 / IMAP Security 53
Port Scan 48
PPTP Enforcement 104
Protocol Enforcement - TCP 84
Protocol enforcement - UDP 86

R
Report to DShield 47
Resource Records Enforcements 92
Retrieve and Block Malicious IPs 46
RIP 144
Routing Protocols 142

S
Same 16
SCCP (Skinny) 101
Sequence Verifier 35
SIP 95
Small PMTU 33
SmartDefense 14
SNMP 102
SOCKS 149
Spoofed Reset Protection 34
SQL Injection 175
SSH - Detect SSH over Non-Standard Ports 108
SSH Enforcement 109
Stateful Inspection 167
Successive Alerts 43
Successive Events 40
Successive Multiple Connections 44
SUN-RPC 146
SUN-RPC Program Lookup 146
Sweep Scan 49
SYN Attack Configuration 31

T
TCP 31
Teardrop 19
TTL 38

V
VoIP 93
VPN Protocols 104

W
Web Intelligence 14
196
