Configuring Individual Protections

Some IPS protections require more in-depth customization to give a network the best security.

• SQL Injection - This protection runs a scan on traffic to a user-defined list of specified web servers. The protection is active only when the network objects for these servers are created correctly. Do not apply the protections for SQL injection to all HTTP traffic, as unnecessary false-positives can disrupt network traffic.
• Geo Protection - Control network traffic for specified countries. An IP-to-country database connects packet IP addresses to the countries. Configure one set of policies for each Profile to block or allow traffic for one or more countries. If your company has no business and network traffic with certain countries, you can use Geo Protection to block the traffic. When you block traffic, you increase overall security and are well protected against targeted and DDoS attacks. You can track traffic to or from other countries and after some time determine if you can also block the traffic.

  Note - If you track traffic for all countries, IPS generates too many logs.

• General HTTP/CIFS Worm Catcher and Header Rejection - These protections let you add and edit regular expressions so that the Firewall can block the specified HTTP requests. Check Point occasionally advises customers to add a pattern to these protections as an immediate pre-emptive action against a new threat. The IPS protections are updated when the new protections package is available from Check Point.
• SNORT Conversion - Gateways that are version R76 and higher can import and convert SNORT signatures to IPS protections. You can use public-domain and custom signatures to help protect the network. For more about how to use SNORT signatures for IPS, go to the IPS Administration Guide for your version.

Email Protections

Activate protections for the protocols that your environment uses for emails and add customized security to the mail servers.

Setting POP3/IMAP Scope

By default, when you configure the POP3/IMAP Security settings in Protections > By Protocol > IPS Software Blade > Application Intelligence > Mail, they apply to all hosts that are defined as mail servers based on the Action settings of each IPS profile. You can also limit the scope of this protection to only the specified mail servers.

To specify which hosts get the POP3/IMAP protection settings:

1. In the IPS tab, go to Protections > By Protocol > IPS Software Blade > Application Intelligence > Mail.
2. In the Look for field, enter POP3/IMAP Security.
3. In the search results that show, double-click POP3/IMAP Security.

   The Protection Details - POP3/IMAP Security configuration window opens.

4. Select the profile and click Edit.
5. In the Protection Scope area, click Apply to selected mail servers.
6. Click Customize.

   The Select Servers window opens, and all mail servers are selected by default.

7. Change selection of servers on which POP3 and IMAP protections should not be enforced:
   • To remove servers from the list - clear the servers
   • To add servers to this list - click Add, select the servers, and click OK
   • To edit server settings - select a server, click Edit, edit settings in the Host Node configuration window that opens, and click OK
8. Click OK.

The POP3/IMAP Security protection has a list of commands that IPS recognizes and inspects. The definitions of the POP3 commands apply to all IPS profiles. In the Protection Details - POP3/IMAP Security configuration window, you can edit the list of POP3 commands that apply to all profiles or edit the list of POP3 commands that apply to specific profiles.

To edit the list of POP3 commands that apply to all profiles:

1. In the Protection Details - POP3/IMAP Security configuration window, click Edit for the POP 3 Commands Definitions.

   The Add custom POP3 command window opens.

2. Edit the list as necessary:
   • To add a new command - click Add and enter the new command
   • To change an existing command - select the command, click Edit, and edit the command
   • To delete a command - select the command, click Remove, and in the window that opens, click Yes to confirm
3. Click OK.

To block or allow a POP3 command for a profile:

1. In the Protection Details - POP3/IMAP Security configuration window, select the profile for which you want to edit the settings.
2. Click Edit.

   The Protection Settings window opens.

3. In the list of Known POP3 commands, clear any command that you do not want blocked.

When you finish editing POP3/IMAP Security settings, click OK to save them and exit the Protection Details - POP3/IMAP Security configuration window.

Optimizing Web Security Protections

You can manage Web Intelligence to configure the Web server settings to maximize security and reduce the Security Gateway performance, or the opposite.

Improving Connectivity by Setting Scope

Some inspection settings that are too severe can have a negative impact on connectivity to and from valid Web servers.

• The HTTP Format sizes protection restricts URL lengths, header lengths or the number of headers. This is good practice because these elements can be used to perform a Denial of Service attack on a Web server.
• The ASCII Only Request protection can block connectivity to Web pages that have non-ASCII characters in URLs. This is good practice because non-ASCII headers or form fields open vulnerabilities to certain attacks, such as Code Injection.
• The HTTP Methods protection can block certain HTTP methods, known to be unsafe, because they can be used to exploit vulnerabilities on a Web server.

Applying these restrictions (activating these protections) is in general good practice, but they may block valid sites or important applications. Applying these protections to specific Web servers can solve the connectivity problems, and may enhance CPU performance. This exclusion of a Web server from a particular protection is global to all profiles.

To configure Web Protection scope:

1. Scroll down on a Web Intelligence protection page, to see the Protection Scope area.
2. To apply this protection only to a defined set of Web servers, select Apply to selected web servers.
3. Click Customize.
   • To exclude a Web server from the protection, clear the server checkbox.
   • To add a gateway object to the list of Web servers, click Add. From the Set Hosts as Web Servers window, select the hosts that you want and click OK.
4. To edit a Web server, select the Web server in the list and click Edit.

The Check Point Host window opens, displaying the Web Server category, which is added to a host that is defined as a Web server.

You can configure connectivity-security balance for each type of Web Intelligence protection in the Web Server > Protections window, but enforcement of these configurations always depends on whether they are activated by the Web server's IPS profile.