Attack Prevention Safeguards and Attacks Blocked

Application Layer

FireWall-1 NG with Application Intelligence blocks many attacks and provides numerous attack prevention safeguards. This table lists some of these defenses and organizes them by protocol and OSI Model layer.

Note: Check Point continually expands the breadth of defenses provided. This table is a snapshot, not an exhaustive list.

Application Layer

Each protocol below is listed with its Attack Prevention Safeguards and the Attacks Blocked by those safeguards.

HTTP Client

  Attack Prevention Safeguards
  • Block Java code
  • Strip script tags
  • Strip applet tags
  • Strip FTP links
  • Strip port strings
  • Strip ActiveX tags
  • Camouflage default banner
  • URL filtering
  • Limit maximum URL length
  • Limit maximum number of response headers allowed
  • Limit maximum request header length
  • Limit maximum response header length
  • Prohibit binary characters in HTTP response headers
  • Prohibit binary characters in HTTP requests
  • Validate HTTP response protocol compliance
  • Block user-defined URLs
  • Enforce maximum GET and POST length
  • Restrict download of user-defined files

  Attacks Blocked
  • Code Red Worm & Mutations
  • Nimda Worm & Mutations
  • HTR Overflow Worm & Mutations
  • Directory Traversal Attacks
  • MDAC Buffer Overflow & Mutations
  • Cross-Site Scripting Attacks
  • Malicious URLs
  • User-Defined Worms & Mutations

HTTP Server

  Attack Prevention Safeguards
  • Limit maximum URL length
  • Distinguish between different HTTP v1.1 requests over the same connection
  • Limit maximum number of response headers allowed
  • Limit maximum request header length
  • Limit maximum response header length
  • Prohibit binary characters in HTTP response headers
  • Prohibit binary characters in HTTP requests
  • Block user-defined URLs
  • Restrict non-RFC HTTP methods
  • Enforce HTTP security on non-standard ports (ports other than 80)
  • Compare transmission to user-approved SOAP scheme/template
  • Restrict unsafe HTTP commands
  • Restrict download of user-defined files

  Attacks Blocked
  • Encoding Attacks
  • Cross-Site Scripting Attacks
  • HTTP-based attacks spanning multiple packets
  • WebDAV Attacks
  • User-Defined Worms & Mutations
  • Chunked Transfer Encoding Attacks

SMTP

  Attack Prevention Safeguards
  • Block multiple "content-type" headers
  • Block multiple "encoding" headers
  • Camouflage default banner
  • Restrict unsafe SMTP commands
  • Header forwarding verification
  • Restrict unknown encoding
  • Restrict mail messages not containing sender/recipient domain name
  • Restrict MIME attachments of specified type
  • Strip file attachments with specified names
  • Strict enforcement of RFC 821 & 822
  • Monitor and enforce restrictions on ESMTP commands
  • Hide internal mail user names and addresses
  • Perform reverse DNS lookup
  • Strict enforcement of MAIL and RCPT syntax
  • Restrict mail from user-defined sender or domain
  • Restrict mail to user-defined recipients
  • Restrict mail to unknown domains
  • Enforce limits on the number of RCPT commands allowed per transaction
  • Restrict mail relay usage

  Attacks Blocked
  • SMTP Mail Flooding
  • SMTP Worm & Mutations
  • Extended Relay Attacks
  • Message/Partial MIME Attack
  • SPAM Attack (large number of emails)
  • Command Verification Attack
  • SMTP Worm Payload & Mutations
  • Worm Encoding
  • Firewall Traversal Attack
  • SMTP Error Denial-of-Service Attack
  • Mailbox Denial-of-Service Attack (excessive email size)
  • Address Spoofing
  • SMTP Buffer Overflow Attacks

RSH

  Attack Prevention Safeguards
  • Auxiliary port monitoring
  • Restrict reverse injection

RTSP

  Attack Prevention Safeguards
  • Auxiliary port monitoring

IIOP

  Attack Prevention Safeguards
  • Auxiliary port monitoring

FTP

  Attack Prevention Safeguards
  • Analyze and restrict hazardous FTP commands
  • Block custom file types
  • Camouflage default banner
  • Strip FTP references

  Attacks Blocked
  • Passive FTP Attacks
  • FTP Bounce Attack
  • Client and Server Bounce Attacks
  • FTP Port Injection Attacks
  • Directory Traversal Attack
  • Firewall Traversal Attack
  • TCP Segmentation Attack

DNS

  Attack Prevention Safeguards
  • Restrict DNS zone transfers
  • Restrict usage of DNS server as a public server
  • Provide separate DNS service for private vs. public domains

  Attacks Blocked
  • DNS Query Malformed Packet Attacks
  • DNS Answer Malformed Packet Attacks
  • DNS Query-Length Buffer Overflow
  • DNS Query Buffer Overflow - Unknown Request/Response
  • Man-in-the-Middle Attack

Microsoft Networking

  Attack Prevention Safeguards
  • CIFS filename filtering (protect against worms utilizing the CIFS protocol)
  • Restrict remote access to registry
  • Restrict remote null sessions

  Attacks Blocked
  • Bugbear Worm
  • Nimda Worm
  • Liotan Worm
  • Opaserv Worm

SSH

  Attack Prevention Safeguards
  • Enforce SSH v2 protocol

  Attacks Blocked
  • SSH v1 Buffer Overflow Attack

SNMP

  Attack Prevention Safeguards
  • Restrict SNMP get/put commands

  Attacks Blocked
  • SNMP Flooding Attack
  • Default Community Attacks
  • Brute Force Attacks
  • SNMP Put Attack

MS SQL

  Attacks Blocked
  • SQL Resolver Buffer Overflow
  • SQL Slammer Worm

Oracle SQL

  Attack Prevention Safeguards
  • Verify dynamic port allocation and initiation

  Attacks Blocked
  • SQLNet v2 Man-in-the-Middle Attack

SSL

  Attack Prevention Safeguards
  • Enforce SSL V3 protocol

  Attacks Blocked
  • SSL V2 Buffer Overflow

VoIP

  Attack Prevention Safeguards
  • Verify protocol fields and values
  • Identification and restriction of the PORT command
  • Enforce existence of mandatory fields
  • Enforce user registration
  • Prevent VoIP firewall holes
  • Disable H.323 audio and video transmissions
  • Enforce H.323 call duration limits
  • For H.323, allow only traffic associated with a specific call

  Attacks Blocked
  • Buffer Overflow Attacks
  • Man-in-the-Middle Attack

X11

  Attack Prevention Safeguards
  • Restrict reverse injection
  • Block special clients