
Configuring Specific Protections

In This Section:

SNORT Signature Support

Configuring Network Security Settings

Configuring Application Intelligence

Configuring Web Intelligence

Managing Application Controls

Configuring Geo Protections

Configuring IPS Pattern Granularity

Configuring Implied IPS Exceptions

IPS contains a large array of protections that prevent attacks, protect against vulnerabilities in network protocols, and close unnecessary entry points into the network. In SmartDashboard, each protection is accompanied by a description of the protection as well as other useful information.

This section gives instructions for configuring some of the more commonly used protections.

Included Protections:

Streaming Engine Settings

Anti-Spoofing Configuration Status

Aggressive Aging Configurations

IP Fragments

DShield Storm Center

Receiving Block List

Email Protections

FTP

Microsoft Networks

Peer-to-Peer

Instant Messengers

SNMP

VPN Protocols

Citrix ICA

Remote Control Applications

MS-RPC

Configuring Web Intelligence Protections

Customizable Error Page

Optimizing Web Security Protections

SNORT Signature Support

SNORT is a popular, open source, Network Intrusion Detection System (NIDS). You can import SNORT rules (plain text files with .rules extension) that you downloaded or that you created yourself. If you download, make sure to use trusted sources. See snort.org for more information.

Snort Protections get these levels automatically:

  • Severity - High
  • Confidence Level - Medium-Low
  • Performance Impact - High

The name of the imported Snort protection is the value of the msg field in the original SNORT rule.

  • If several SNORT rules in the same import have the same msg value, they are aggregated into one IPS Snort protection.
  • If rules imported at different times have the same msg value, the new import overrides the old protection.

Importing SNORT Rules to Security Management Server

The IPS SnortConvertor tool converts SNORT rules to Check Point IPS protections. The new IPS protections are in the IPS tree: Protections > By Protocol > IPS Software Blade > Application Intelligence > SNORT Imported

Make sure you have the SNORT rule file. It holds SNORT rules and usually has the extension: .rules.

To import and convert SNORT rules:

  1. Make sure no SmartDashboard is connected to the Security Management Server.
  2. Copy the rules file to the Security Management Server.

    Best practice: put the file in /home/admin.

  3. Run: SnortConvertor update -f <filename>

    The tool converts the rules to Check Point syntax and updates the protections database.

  4. Make sure that Snort protections are activated in the IPS profile.
  5. Install policy.

Example:

[Expert@cpmodule]# SnortConvertor update -f snort.rules
39/39 rules were successfully converted, total of 38 IPS protections were found.
38/38 IPS protections were updated
Updating database...
Database updated successfully
Please note that for the new configuration to take effect, you need to make sure
that the new protections are activated and then to install policy.
[Expert@cpmodule] #

Importing SNORT Rules to Multi-Domain Server

In a Multi-Domain Security Management environment, import Snort rules to the Multi-Domain Server. Then reassign the global policy, with its IPS Global Profile, to the Domain Management Servers. This downloads the new IPS Snort protections to the Domain Management Servers.

To import Snort rules to the Multi-Domain Server:

  1. Copy a Snort Rules file to the Multi-Domain Server.
  2. Run: SnortConvertor update -f <filename>
  3. Make sure that Snort Protections are activated in the Global IPS Profile.
  4. Click Global Policies.
  5. Right-click the Multi-Domain Server object and select Reassign Global Policy and IPS to all assigned Domains.

Testing SNORT Rule Conversion

You can test the conversion before you update the IPS database.

To test the conversion:

SnortConvertor update -f <inputFile> --dry-run

Deleting SNORT Protections

After you convert and import a SNORT rule, it is a part of the IPS database. You cannot delete it from the SmartDashboard. You must delete it with the SnortConvertor tool, to make sure that the database is updated.

To delete a Snort protection:

  1. Run: SnortConvertor list
  2. From the output, copy the name of the protection to delete.
  3. Run: SnortConvertor delete -n <protection_name>

To delete selected protections:

  1. Get or make a text file with names of protections to delete.
  2. Run: SnortConvertor delete -f <filename>

To delete all Snort protections:

  1. Make sure no SmartDashboard is connected to the Security Management Server.
  2. Run: SnortConvertor delete -a

To delete the Snort protections in Multi-Domain Security Management:

  1. Run: SnortConvertor delete -a
  2. In SmartDomain Manager, click Global Policies.
  3. Right-click the Multi-Domain Server object and select Reassign Global Policy and IPS to all assigned Domains

Example of List:

[Expert@cpmodule]# SnortConvertor list 
GPL EXPLOIT .cmd executable file parsing attack
GPL EXPLOIT .cnf access
GPL EXPLOIT .htr access
GPL EXPLOIT /etc/shadow access
GPL EXPLOIT Oracle Web Cache PUT overflow attempt
GPL EXPLOIT Oracle Web Cache TRACE overflow attempt
GPL EXPLOIT WEB-MISC JBoss web-console access
GPL EXPLOIT WEBDAV exploit attempt
GPL EXPLOIT administrators.pwd access
GPL EXPLOIT cmd32.exe access
GPL EXPLOIT ctnd? access
GPL EXPLOIT echo command attempt
GPL EXPLOIT evaluate.cfm access
GPL EXPLOIT formmail access
GPL EXPLOIT fpcount access
GPL EXPLOIT iisadmpwd attempt
GPL EXPLOIT iissamples access
GPL EXPLOIT kadmind buffer overflow attempt
GPL EXPLOIT php.cgi access
GPL EXPLOIT unicode directory traversal attempt
Please note that the configuration is up to date, therefore no changes were made
[Expert@cpmodule] 

Example of Delete All:

[Expert@cpmodule]# SnortConvertor delete -a
Are you sure you want to delete all user defined protections? (y/n)
y
Updating database...
Database updated successfully
Please note that for the new configuration to take effect, you have to install policy.
[Expert@cpmodule]

Creating SNORT Rule Files

You can write your own SNORT rules and then import them to be protections. SNORT rules use signatures to define attacks. A SNORT rule has a rule header and rule options. For more about SNORT, see snort.org.

Check Point supports Snort rule syntax of version 2.9 and lower.

SNORT Rule Header:

< Action > < Protocol > < Address > < Port > < Direction > < Address > < Port >

SNORT Rule Options:

<keyword>:"<option>"

Example:

alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|";)

Where:

  • Action = alert
  • Protocol = tcp
  • Address = any
  • Port = any
  • Direction = ->
  • Address = any
  • Port = any
  • Keyword = content
  • Option = |90|
  • Name of protection in IPS = Possible exploit

Supported Snort syntax:

In general, these are the supported syntax components. There are some limitations.

  • Supported Snort Keywords: "data", "content", "length", "test", "re", "jump", "pcre", "flowbits", "byte_test", "byte_jump", "isdataat", "stateop_global", "stateop", "no_match", "inspect"
  • Supported Content Keyword Modifiers: "nocase", "rawbytes", "depth", "offset", "distance", "within", "urilen"
  • Supported Threshold Rule Types: Threshold, Both (Limit is not supported.)
  • Supported Macros: HTTP_PORTS (interpreted as ports 80 and 8080)

    Note - Make sure that SNORT Rules with the same flowbits flag have the same content in the msg field. Otherwise, they will not be under the same protection.

Debugging:

$FWDIR/log/SnortConvertor.elg is updated with the debug messages from the last SnortConvertor run.

To find failed rule debugs in the SnortConvertor.elg file, search for: Failed to convert rule

Unsupported SNORT Syntax

This syntax is not supported and will not convert:

  • pcre modifiers: ‘G’, ‘O’, ‘A’, ‘C’,‘K’
  • pcre regular expression with lookahead assertion: ?!
  • Using byte_test keyword with operator not in: <,>,=,&,^
  • Content modifiers: http_cookie, http_raw_cookie
  • http_method is not supported if it is the only http modifier type in the Snort Rule
  • Protocols: icmp and ip (the protocol value all is interpreted as tcp and udp only)
  • Snort Rule without content keyword
  • All PORT macros, except HTTP_PORTS
  • Specification of source port (only any is supported)

The conversion will change the behavior of these macros and syntax.

  • Specification of IP Addresses – Enforced on all IP Addresses.
  • HOME_NET macro - Interpreted as any IP Addresses.
  • EXTERNAL_NET macro - Interpreted as any IP Addresses.
  • HTTP_SERVERS macro - Interpreted as any IP Addresses.

These combinations of keywords and modifiers are implemented differently in the IPS blade as Snort protections than in SNORT Rules. We recommend you test them before activating them in a production environment.

  • rawbytes content, or B pcre modifiers with http_uri content or U pcre modifiers
  • With http content or pcre modifiers:
    • http_raw_uri content or I pcre modifiers
    • http_stat_msg content or Y pcre modifiers
    • http_stat_code content or S pcre modifiers
  • Without http content or pcre modifiers:
    • Two or more uses of http_header content or H pcre modifiers
    • Two or more uses of http_raw_header content or D pcre modifiers
  • With depth or offset content and http content that is one of these on the same content keyword, or ^ (caret) in pcre with one of these http pcre modifiers on the same pcre keyword:
    • http_header content or H pcre modifiers
    • http_raw_header content or D pcre modifiers
    • http_stat_msg content or Y pcre modifiers
    • http_stat_code content or S pcre modifiers
    • http_uri content or U pcre modifiers
  • Use of depth or offset content, or ^ (caret) in pcre, without any http content, and with destination ports that are not the HTTP_PORTS macro
  • http_client_body content or P pcre modifier
  • A pcre keyword with {} (curly braces) quantifier
  • Use of both content and byte_test keywords
  • http_header content modifiers or H pcre modifiers enforced only on raw http data (not decoded and normalized header data)
  • Use of the urilen keyword, except in a SNORT Rule that has only http_uri and U pcre modifiers, or http_raw_uri content modifier and I pcre modifiers.
    • If the SNORT Rule has only http_uri content or U pcre modifiers, the size will be of the decoded and normalized buffer.
    • If the SNORT Rule has only http_raw_uri content or I pcre modifiers, the size will be of the raw uri buffer.
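The rule anatomy shown under "Creating SNORT Rule Files" and the conversion limits listed above can be checked before you run SnortConvertor at all. The following pre-import checker is an added example written for this page; it is not Check Point's SnortConvertor and it reimplements only the limits documented here (icmp/ip protocol, a source port other than any, no content keyword, a port macro other than HTTP_PORTS, http_cookie/http_raw_cookie, http_method as the only http modifier, unsupported pcre modifiers or a (?!) lookahead, an unsupported byte_test operator). It also predicts the number of IPS protections an import would create, since rules sharing a msg value are aggregated into one protection. The sample rules are constructed for the example.

```python
"""Pre-import checker for a SNORT .rules file (added example, not SnortConvertor)."""
import re
from collections import OrderedDict

# Rule header: action proto src sport dir dst dport, followed by (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$'
)
UNSUPPORTED_PCRE_MODS = set('GOACK')            # documented as not converting
SUPPORTED_BYTE_TEST_OPS = {'<', '>', '=', '&', '^'}


def split_options(opts):
    """Split 'k:v; k2; ...' into (keyword, value) pairs, keeping ';' inside quotes."""
    items, buf, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == '\\' and in_quote and i + 1 < len(opts):   # keep escapes such as \;
            buf.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            item = ''.join(buf).strip()
            if item:
                key, _, value = item.partition(':')
                items.append((key.strip(), value.strip().strip('"')))
            buf = []
        else:
            buf.append(c)
        i += 1
    return items


def parse_rule(line):
    """Return (header dict, [(keyword, value), ...]) or None if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    hdr = m.groupdict()
    return hdr, split_options(hdr.pop('opts'))


def check_rule(hdr, opts):
    """Return the documented reasons the converter would reject this rule (empty = convertible)."""
    reasons = []
    keys = [k for k, _ in opts]
    if hdr['proto'] in ('icmp', 'ip'):
        reasons.append('protocol %s is not supported' % hdr['proto'])
    if hdr['sport'] != 'any':
        reasons.append('source port must be any')
    if hdr['dport'].startswith('$') and hdr['dport'] != '$HTTP_PORTS':
        reasons.append('port macro %s is not supported' % hdr['dport'])
    if 'content' not in keys:
        reasons.append('rule has no content keyword')
    if 'http_cookie' in keys or 'http_raw_cookie' in keys:
        reasons.append('http_cookie/http_raw_cookie are not supported')
    http_mods = {k for k in keys if k.startswith('http_')}
    if http_mods == {'http_method'}:
        reasons.append('http_method as the only http modifier is not supported')
    for key, value in opts:
        if key == 'pcre':                         # value looks like /regex/modifiers
            body, _, mods = value.rpartition('/')
            bad = UNSUPPORTED_PCRE_MODS & set(mods)
            if bad:
                reasons.append('pcre modifiers %s are not supported' % ''.join(sorted(bad)))
            if '?!' in body:
                reasons.append('pcre lookahead assertion (?!) is not supported')
        elif key == 'byte_test':                  # value: bytes, operator, value, offset[, ...]
            parts = [p.strip() for p in value.split(',')]
            if len(parts) > 1 and parts[1] not in SUPPORTED_BYTE_TEST_OPS:
                reasons.append('byte_test operator %s is not supported' % parts[1])
    return reasons


def check_file(text):
    """Check every rule; return (converted line numbers, [(line, reasons)], {msg: [lines]})."""
    converted, rejected, protections = [], [], OrderedDict()
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            rejected.append((n, ['malformed rule header']))
            continue
        hdr, opts = parsed
        reasons = check_rule(hdr, opts)
        if reasons:
            rejected.append((n, reasons))
            continue
        msg = dict(opts).get('msg', '')
        protections.setdefault(msg, []).append(n)   # same msg => one IPS protection
        converted.append(n)
    return converted, rejected, protections


SAMPLE_RULES = r'''
# constructed sample rules for the example (not from any real ruleset)
alert tcp any any -> any $HTTP_PORTS (msg:"Possible exploit"; content:"|90|"; sid:1000001;)
alert tcp any any -> any $HTTP_PORTS (msg:"Possible exploit"; content:"|90 90|"; sid:1000002;)
alert tcp any any -> any $HTTP_PORTS (msg:"Shadow file access"; content:"/etc/shadow"; http_uri; nocase; sid:1000003;)
alert icmp any any -> any any (msg:"ICMP probe"; content:"|00|"; sid:1000004;)
alert tcp any 1024: -> any 80 (msg:"Source port rule"; content:"GET"; sid:1000005;)
alert tcp any any -> any 80 (msg:"No content"; pcre:"/^GET/"; sid:1000006;)
alert tcp any any -> any $HTTP_PORTS (msg:"Lookahead"; content:"cmd"; pcre:"/cmd(?!\.exe)/U"; sid:1000007;)
alert tcp any any -> $HOME_NET $SMTP_PORTS (msg:"Port macro"; content:"MAIL"; sid:1000008;)
'''

if __name__ == '__main__':
    converted, rejected, protections = check_file(SAMPLE_RULES)
    total = len(converted) + len(rejected)
    print('%d/%d rules would convert into %d IPS protections'
          % (len(converted), total, len(protections)))
    for line_no, reasons in rejected:
        print('line %d: %s' % (line_no, '; '.join(reasons)))
```

Run it against a downloaded .rules file before copying the file to the Security Management Server; the rules it reports are the ones to look for under "Failed to convert rule" in $FWDIR/log/SnortConvertor.elg after the real import. The checker deliberately does not try to judge the "implemented differently" combinations listed last, since those convert but need testing in a lab profile rather than rejection.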

Configuring Network Security Settings

These pages allow you to configure protection against attacks which attempt to target network components or the firewall directly.

Some of the Network Security protections apply to the firewall in general, providing quick access to specific firewall features. The following sections will help you become familiar with these protections.

Streaming Engine Settings

The Streaming Engine Settings protect against improper use of the TCP or UDP protocols. IPS analyzes the TCP and UDP packets to verify that they conform to proper communication conventions.

Changing the default settings will enable crafted traffic to bypass IPS protections and is not recommended.

Receiving Block List

The security administrator configures the IPS Block List option by selecting Network Security > DShield Storm Center > Retrieve and Block Malicious IPs. Malicious IP addresses can be blocked for all gateways or for specific gateways.

An agent (daemon) on each enforcing gateway for which malicious IP addresses are to be blocked receives the Block List of malicious IP addresses from http://secure.dshield.org/block_list_info.html. After every refresh interval (by default, three hours), the agent takes the Block List and updates the security policy with the IP address ranges in the Block List. This process is logged in SmartView Tracker.

Anti-Spoofing Configuration Status

Anti-Spoofing is an integral protection of Check Point hosts. The Network Security > Anti-Spoofing Configuration Status page shows on which Check Point hosts this feature is not enabled, and provides direct access to enabling it.

To enable Anti-Spoofing:

  1. In the IPS tab, open Protections > By Protocol > Network Security > Anti-Spoofing Configuration Status.
  2. Select a gateway in the list and click Edit.
  3. In Check Point Gateway > Interface Properties > Topology, select any option other than Internal > Not Defined.

    Thus, to enable Anti-Spoofing, you must first be able to define or estimate the topology of the selected gateway.

  4. Select Perform Anti-Spoofing based on interface topology, and any of the relevant Anti-Spoofing features.
  5. Click OK.

    The gateway is immediately removed from the Anti-Spoofing Configuration Status list.

Aggressive Aging Configurations

Within the Denial of Service category is Aggressive Aging, a protection page whose configurations affect protections of various categories. Aggressive Aging manages the connections table capacity and the memory consumption of the firewall to increase durability and stability. It allows a gateway to handle large amounts of unexpected traffic, especially during a DoS attack.

Normally, sessions have a regular timeout, defined in the Stateful Inspection page of Global Properties (see Policy menu > Global Properties > Stateful Inspection). When a connection is idle for longer than its defined timeout, it is marked as Eligible for Deletion.

With this protection you can:

  • Set faster timeouts, aggressive timeouts, ensuring that sessions are dropped faster during times of heavy load, maintaining overall connectivity
  • Set the connections table and memory consumption thresholds that determine when the aggressive timeouts are used rather than the normal timeouts

Configuring Aggressive Timeouts

You configure the aggressive timeouts for all profiles. Each timeout value is for a different type of session.

To configure aggressive timeouts:

  1. Open Protections > By Protocol > Network Security > Denial of Service > Aggressive Aging.
  2. Select the aggressive timeouts that you want to be enforced, and change the default values as needed.

    The Aggressive Aging value must be lower than the default session timeouts. As the regular values can also be changed, it is recommended that you review them before changing the aggressive timeout values.
    To see regular timeouts: click Policy menu > Global Properties > Stateful Inspection.

    These settings are global to all profiles and all gateways.

Aggressive Aging Timeouts

IP Protocol/State         Aggressive Timeout (sec)   Regular Timeout (sec)
TCP Start Session         5                          25
TCP Session               600                        3600
TCP End Session           3                          20
UDP virtual session       15                         40
ICMP virtual session      3                          30

Note - If you want to set an aggressive timeout on another protocol, you can select Other IP Protocols Virtual Session. The default for the Stateful Inspection timeout is 60 seconds. If you select this option in the Aggressive Timeout page, the default aggressive timeout is 15 seconds.

Configuring Thresholds

Now that you have the two different sets of timeouts, when is Aggressive Aging enforced over the regular timeouts?

The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. Thus, it reduces the chances of connectivity problems that might have occurred under low-resource conditions.

Aggressive Aging is activated according to thresholds to the memory consumption or the connections capacity that you configure. If a defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the Eligible for Deletion list. An additional ten connections are deleted with every new connection until the threshold falls below the enforcement limit. If there are no Eligible for Deletion connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold.

To configure Aggressive Aging thresholds:

  1. Select the profile for which you want to edit the settings and click Edit.
  2. Activate the Aggressive Aging protection.
  3. Configure the limits for the Connections table and Memory consumption.

    Default is 80%, with connections from the Eligible for Deletion list being deleted if either the Connections table or Memory consumption passes this limit. You can change this default by selecting one or the other:

    • Connections table exceeds __% of its limit
    • Memory consumption exceeds __% of the gateway's capacity

    The limits for the Connections table and Memory consumption are set for each profile, so may be different for different gateways.

    Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic.

    Note - If a SecureXL device does not support Aggressive Aging, the feature is disabled. When this happens, the action is logged and a console message is generated.
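To make the interaction between the two timeout sets and the threshold concrete, the following simulation is an added example written for this page; it is not Check Point code. The table capacity, the 80% threshold and the traffic are constructed, and normal expiry is modelled simply as deletion once a session is idle past its regular timeout. Above the threshold, each new connection removes up to ten connections that are idle beyond the aggressive timeout (the Eligible for Deletion list), which is what stops a flood of half-open sessions from filling the table while the regular 25-second TCP Start timeout would still be holding them.

```python
"""Simulation of Aggressive Aging on a connections table (added example, not Check Point code)."""

# Timeouts in seconds, taken from the Aggressive Aging Timeouts table above.
REGULAR_TIMEOUT = {'tcp_start': 25, 'tcp': 3600, 'tcp_end': 20, 'udp': 40, 'icmp': 30}
AGGRESSIVE_TIMEOUT = {'tcp_start': 5, 'tcp': 600, 'tcp_end': 3, 'udp': 15, 'icmp': 3}
DELETIONS_PER_NEW_CONNECTION = 10


class ConnectionsTable:
    def __init__(self, capacity, threshold_pct=80, aggressive_aging=True):
        self.capacity = capacity
        self.threshold = capacity * threshold_pct / 100.0   # "Connections table exceeds __%"
        self.aggressive_aging = aggressive_aging
        self.conns = {}          # connection id -> (state, time of last activity)
        self.next_id = 0
        self.aged_out = 0        # connections deleted by aggressive aging
        self.refused = 0         # new connections that found the table full

    def _idle_beyond(self, now, timeouts):
        """Ids of connections idle longer than their timeout, oldest first."""
        idle = [cid for cid, (state, seen) in self.conns.items()
                if now - seen > timeouts[state]]
        return sorted(idle, key=lambda cid: self.conns[cid][1])

    def new_connection(self, now, state):
        # Normal aging: sessions past the regular timeout are removed (simplified).
        for cid in self._idle_beyond(now, REGULAR_TIMEOUT):
            del self.conns[cid]
        # Aggressive aging: above the threshold, every new connection deletes up
        # to ten connections from the Eligible for Deletion list.
        if self.aggressive_aging and len(self.conns) > self.threshold:
            for cid in self._idle_beyond(now, AGGRESSIVE_TIMEOUT)[:DELETIONS_PER_NEW_CONNECTION]:
                del self.conns[cid]
                self.aged_out += 1
        if len(self.conns) >= self.capacity:
            self.refused += 1
            return None
        cid = self.next_id
        self.next_id += 1
        self.conns[cid] = (state, now)
        return cid


def run_half_open_flood(aggressive_aging, capacity=1000, per_second=100, seconds=20):
    """Constructed burst: half-open TCP sessions (SYN without a completed handshake) at a steady rate."""
    table = ConnectionsTable(capacity, aggressive_aging=aggressive_aging)
    for i in range(per_second * seconds):
        table.new_connection(i / float(per_second), 'tcp_start')
    return table


if __name__ == '__main__':
    for flag in (False, True):
        t = run_half_open_flood(flag)
        print('aggressive aging %s: %d in table, %d refused, %d aged out'
              % ('on ' if flag else 'off', len(t.conns), t.refused, t.aged_out))
```

With aggressive aging off, the 25-second regular timeout never fires during the 20-second burst, the table reaches its capacity of 1000 and every later connection is refused. With it on, the table crosses the 80% threshold at 800 entries and then hovers just above it, because each new connection evicts ten sessions that have been half-open for more than 5 seconds. This is the behaviour the note above about operating "when the machine still has available memory" describes.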

IP Fragments

IP packets may legitimately be fragmented. For example, a connection might cross a network whose MTU is smaller than the packet size. A router on that path then breaks larger packets into IP fragments, and the destination reassembles the fragments into packets.

A security threat exists, with the possibility of an attacker deliberately breaking a packet into fragments and inserting malicious data, or holding back some fragments to cause a Denial of Service attack by consuming the resources needed to store the fragments until the packets can be re-assembled.

IPS provides optional protections against IP fragment threats.

  • Forbid IP Fragments: the most secure option, but it may block legitimate traffic.
  • Configure IP Fragment limits: set the maximum number of packets that the gateway will hold, with a timeout, to release resources and prevent DoS attacks.
  • Capture Packets: track IP fragments and capture the data for observation and troubleshooting (see Working with Packet Information).

Configuring IP Fragments Thresholds

The IP Fragment protection is configured for each profile, so different gateways may be configured differently.

To configure an IPS profile to handle IP fragments:

  1. Open the Network Security > IP and ICMP > IP Fragments protection.
  2. Select the profile for which you want to edit the settings and click Edit.
  3. Select Allow IP Fragments.
  4. Set the value for Maximum number of incomplete packets.

    If this threshold is exceeded, the oldest fragments are dropped (default is 200).

  5. Set the value for Discard incomplete packets after __ seconds.

    If fragments of a packet are held after this threshold, waiting for the missing fragments, they are all dropped (default is one second).
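The two limits above bound what an attacker who withholds fragments can cost the gateway. The following simulation is an added example written for this page, not Check Point code, with constructed packets: incomplete packets are kept keyed by (source, destination, IP ID); a new incomplete packet arriving when the table already holds the configured maximum evicts the oldest one, and packets whose fragments have waited longer than the discard timeout are dropped. A flood of first-fragments that never complete is therefore held in bounded memory while legitimate fragmented packets still reassemble. Offsets are given in bytes here rather than the 8-byte units of the IP header.

```python
"""Simulation of the IP Fragments limits: max incomplete packets and discard timeout (added example)."""
from collections import OrderedDict


class FragmentTable:
    def __init__(self, max_incomplete=200, timeout=1.0):
        self.max_incomplete = max_incomplete      # "Maximum number of incomplete packets"
        self.timeout = timeout                    # "Discard incomplete packets after __ seconds"
        self.incomplete = OrderedDict()           # (src, dst, ip_id) -> state, oldest first
        self.dropped_overflow = 0
        self.dropped_timeout = 0
        self.reassembled = 0

    def _expire(self, now):
        """Drop every packet whose first fragment has waited longer than the timeout."""
        stale = [k for k, p in self.incomplete.items() if now - p['first'] > self.timeout]
        for k in stale:
            del self.incomplete[k]
            self.dropped_timeout += 1

    @staticmethod
    def _complete(p):
        """True when the fragments cover [0, total) with no gaps and the last fragment was seen."""
        covered = 0
        for off in sorted(p['frags']):
            if off > covered:
                return False
            covered = max(covered, off + p['frags'][off])
        return p['total'] is not None and covered == p['total']

    def fragment(self, now, src, dst, ip_id, offset, length, more_fragments):
        """Feed one fragment; return True if its packet is now fully reassembled."""
        self._expire(now)
        key = (src, dst, ip_id)
        if key not in self.incomplete:
            if len(self.incomplete) >= self.max_incomplete:
                self.incomplete.popitem(last=False)   # threshold exceeded: oldest packet is dropped
                self.dropped_overflow += 1
            self.incomplete[key] = {'first': now, 'frags': {}, 'total': None}
        p = self.incomplete[key]
        p['frags'][offset] = length
        if not more_fragments:                        # MF clear: this fragment fixes the total length
            p['total'] = offset + length
        if self._complete(p):
            del self.incomplete[key]
            self.reassembled += 1
            return True
        return False


def run_fragment_flood(flood_packets=1000, max_incomplete=200, timeout=1.0):
    """Constructed scenario: a flood of never-completed first fragments, then two legitimate packets."""
    table = FragmentTable(max_incomplete, timeout)
    for i in range(flood_packets):        # attacker sends only the first fragment, MF set, and withholds the rest
        table.fragment(i * 0.0005, '198.51.100.7', '192.0.2.10', 40000 + i, 0, 1480, True)
    results = []
    for t, ip_id in ((0.6, 501), (2.0, 502)):     # 1580-byte packets split at 1480 bytes
        first = table.fragment(t, '203.0.113.5', '192.0.2.10', ip_id, 0, 1480, True)
        second = table.fragment(t, '203.0.113.5', '192.0.2.10', ip_id, 1480, 100, False)
        results.append((first, second))
    return table, results


if __name__ == '__main__':
    table, results = run_fragment_flood()
    print('reassembled %d, dropped %d (overflow) %d (timeout), %d still incomplete'
          % (table.reassembled, table.dropped_overflow, table.dropped_timeout, len(table.incomplete)))
```

The attacker's 1000 first-fragments only ever occupy 200 slots; the legitimate packet at 0.6 s evicts one more stale entry and reassembles, and by 2.0 s the remaining attacker entries have passed the one-second timeout and are gone. Raising the maximum or the timeout on a profile buys tolerance for slow or lossy paths at the cost of memory an attacker can deliberately consume.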

Blocking IP Fragments

To configure an IPS profile to block all IP fragments:

  1. Open the Network Security > IP and ICMP > IP Fragments page.
  2. Select Forbid IP Fragments.

    All IP fragments will be blocked; fragmented packets will be dropped.

DShield Storm Center

The range and sophistication of the techniques used by hackers to penetrate private networks is ever increasing. However, few organizations are able to maintain up-to-date protection against the latest attacks. Network Storm Centers are collaborative initiatives that were set up to help security administrators maintain the most up-to-date solutions to security threats to their networks. Storm Centers achieve this by gathering logging information about attacks and sharing it with other organizations from around the world. Storm Centers collate and present reports on threats to network security in a timely and effective manner.

The IPS Storm Center module is included in the Check Point Security Gateway. It enables communication between the Network Storm Centers and the organizations requiring network security information.

One of the leading Storm Centers is SANS DShield.org, located at: http://www.dshield.org/. DShield.org gathers statistics and presents it as a series of reports at http://www.dshield.org/reports.html.

IPS integrates with the SANS DShield.org Storm Center. The DShield.org Storm Center produces a Block List report which is a frequently updated list of address ranges that are recommended for blocking. The IPS Storm Center module retrieves and adds this list to the security policy.

Retrieving and Blocking Malicious IPs

To retrieve and block malicious IPs:

  1. In the Firewall Rule Base, define appropriate rules as necessary. Security Gateways and Security Management Servers must be able to connect to the Storm Center using HTTPS.
  2. In the IPS tab, select Network Security > DShield Storm Center > Malicious IPs.
  3. Select the profile for which you want to edit the settings and click Edit.

    Note - Ensure that the Block List is enforced on perimeter gateways ONLY.

  4. Install the security policy.

Manually Configuring the Blocking of Malicious IPs

When configured through IPS, the DShield Block List is enforced before the Rule Base. Because DShield uses statistical analysis and the Block List is made up of /24 (Class C) networks, not all of those IP addresses are necessarily malicious. Therefore, in order to prevent reputable IP addresses from being blocked, you can manually add a Block List rule in the Firewall Rule Base.

To manually configure blocking malicious IPs:

  1. In IPS, select Network Security > DShield Storm Center.
  2. Clear the Retrieve and Block Malicious IPs option.
  3. Add the Block List rule:

Source      Destination   Service   Action   Install On       Track          Comment
CPDShield   Any           Any       Drop     Policy Targets   User Defined   Block List Rule

  4. Place the Block List rule as high as possible in the Firewall Rule Base, but below all authentication rules and any other rules for trusted sources that should not be blocked.
  5. To retrieve and block malicious IPs only at particular gateways, specify them in the Install On cell of the rule.

    Note - Ensure that the Block List is enforced on perimeter gateways ONLY.

  6. Install the security policy.

Authenticity is Assured

The Block List is securely transferred and authenticated through SSL. The Certificate of the Storm Center Certificate Authority, which comes with the Storm Center module, is stored locally and serves to verify the authenticity of the origin of the received Block List.

The Certificate Authority of SANS DShield.org is Equifax. equifax.cer is the file name of the locally stored certificate, which is stored in the conf directory of the Storm Center module installation.

Log Size and Effect on Gateway Performance

Receiving the Block List does not affect gateway performance because only a very small amount of data is received.

Configuring Application Intelligence

A growing number of attacks attempt to exploit vulnerabilities in network applications rather than targeting the firewall directly. Application Intelligence is a set of advanced capabilities that detects and prevents application layer attacks. Based on the INSPECT intelligent inspection technology, Application Intelligence gives IPS the ability to protect against application attacks and hazards.

Email Protections

Activate protections for the protocols that your environment uses for emails and add customized security to the mail servers.

Setting POP3/IMAP Scope

By default, when you configure the POP3/IMAP Security settings in Protections > By Protocol > IPS Software Blade > Application Intelligence > Mail, they apply to all hosts that are defined as mail servers according to the Action settings of each IPS profile. You can also limit the scope of this protection to only the specified mail servers.

To specify which hosts get the POP3/IMAP protection settings:

  1. In the IPS tab, go to Protections > By Protocol > IPS Software Blade > Application Intelligence > Mail.
  2. In the Look for field, enter POP3/IMAP Security.
  3. In the search results that show, double-click POP3/IMAP Security.

    The Protection Details - POP3/IMAP Security configuration window opens.

  4. Select the profile and click Edit.
  5. In the Protection Scope area, click Apply to selected mail servers.
  6. Click Customize.

    The Select Servers window opens, and all mail servers are selected by default.

  7. Change the selection of servers on which the POP3 and IMAP protections are enforced:
    • To remove servers from the list - clear the servers
    • To add servers to this list - click Add, select the servers, and click OK
    • To edit server settings - select a server, click Edit, edit settings in the Host Node configuration window that opens, and click OK
  8. Click OK.

The POP3/IMAP Security protection has a list of commands that IPS recognizes and inspects. The definitions of the POP3 commands apply to all IPS profiles. In the Protection Details - POP3/IMAP Security configuration window, you can edit the list of POP3 commands that apply to all profiles or edit the list of POP3 commands that apply to specific profiles.

To edit the list of POP3 commands that apply to all profiles:

  1. In the Protection Details - POP3/IMAP Security configuration window, click Edit for the POP3 Commands Definitions.

    The Add custom POP3 command window opens.

  2. Edit the list as necessary:
    • To add a new command - click Add and enter the new command
    • To change an existing command - select the command, click Edit, and edit the command
    • To delete a command - select the command, click Remove, and in the window that opens, click Yes to confirm
  3. Click OK.

To block or allow a POP3 command for a profile:

  1. In the Protection Details - POP3/IMAP Security configuration window, select the profile for which you want to edit the settings.
  2. Click Edit.

    The Protection Settings window opens.

  3. In the list of Known POP3 commands, clear any command that you do not want blocked.

When you finish editing POP3/IMAP Security settings, click OK to save them and exit the Protection Details - POP3/IMAP Security configuration window.

FTP

You can configure various protections related to the FTP protocol. For example, activating the Block Port Overflow protection in Prevent mode checks for, and prevents, any attempt to use an FTP server as an agent for a malicious operation.

You can create a Black List of FTP commands that will be blocked, by moving commands to the Blocked Commands list on the Blocked FTP Commands page.

Microsoft Networks

The protections in this category refer to the CIFS protocol and protection against File and Print Sharing worms.

IPS uses pattern matching to recognize and block worms. You can add or edit to the pattern lists in the File and Print Sharing protection against worms. These definitions apply to all profiles.

To define patterns to be blocked:

  1. In the IPS tab, open Application Intelligence > Microsoft Networks > File and Print Sharing.
  2. In the Block File and Print Sharing Worms list, make sure that the worms that you want to block are selected.
  3. At the top of the page, click Edit.
  4. Click Add to add a new worm pattern, or select an existing worm name and click Edit.
  5. Provide a name for the known worm pattern.
  6. Provide the pattern string, or click Paste from clipboard, if the string has been copied to the clipboard.
  7. Click Recalculate to get the real Checksum.
  8. Click OK.

The new or changed worm name appears immediately in the Block File and Print Sharing Worms list.

Peer-to-Peer

IPS can block peer-to-peer traffic by identifying the proprietary protocols, even if the application switches ports, and by preventing the initial connection to the peer-to-peer networks. This prevents not only downloads but also search operations. The pages in this category are all Application Control: activate them to enforce company policy against peer-to-peer applications; they do not protect against malicious behavior.

Peer to Peer General Exclusion Settings

Note - The Peer to Peer General Exclusion Settings option is replaced with Network Exceptions for R70 gateways and above. It still applies to gateways of pre-R70 versions.

General Exclusion Settings allow you to exclude services or network objects from IPS detection and blocking; to allow specific services or gateways to pass without inspection.

To exclude services or objects from peer-to-peer application control:

  1. In the IPS tab, open Application Intelligence > Peer to Peer - Global Exclusion Settings.
  2. Choose the exclusion settings that you want:
    • Exclude specific services from <application type> detection: allow certain services to pass without detection or blocking.
    • Exclude network objects from <application type> detection: allow certain machines to use the application services.
  3. For each setting selected, click Configure.
  4. In the window that opens, select each service or object that you want to exclude from these application blocking controls and click Add.

Defining Peer to Peer HTTP Headers

Each protection under Peer to Peer has a Masquerading over HTTP Protocol section. In this section you can add patterns or regular expressions to match in the HTTP header of the Request or Response.

To configure peer to peer pattern matching:

  1. Open a protection page under Application Intelligence > Peer to Peer.

    The blocked patterns are shown in the list at the bottom of the page.

  2. Click Edit Patterns at the top of the protection page.
  3. Click Add or select an existing pattern and click Edit.
  4. In Header Name, provide the header name of the HTTP Request/Response to match.
  5. In Header Value, provide a regular expression that the header value of the HTTP Request/Response must match.

    For more information, see Regular Expressions.

  6. Click OK.

The new or changed header pattern is added immediately to the list on the bottom of the page.

Instant Messengers

You can block Instant Messaging applications, or any of the features. For example, you could allow MSN Messenger Chat, but block Video.

Instant Messengers General Exclusion Settings

Note - The Instant Messengers General Exclusion Settings option has been replaced with Network Exceptions for R70 gateways and above. It still applies to gateways of pre-R70 versions.

General Exclusion Settings allow you to exclude services or network objects from IPS detection and blocking; to allow specific services or gateways to pass without inspection.

To exclude services or objects from instant messenger application control:

  1. In the IPS tab, open Application Intelligence > Instant Messengers - Global Exclusion Settings.
  2. Choose the exclusion settings that you want:
    • Exclude specific services from <application type> detection: allow certain services to pass without detection or blocking.
    • Exclude network objects from <application type> detection: allow certain machines to use the application services.
  3. For each setting selected, click Configure.
  4. In the window that opens, select each service or object that you want to exclude from these application blocking controls and click Add.

VoIP

It is important to protect voice and video traffic as it enters and leaves a network. Potential threats to voice and video traffic are:

  • Call redirections whereby calls intended for one recipient are redirected to another.
  • Stealing calls, where the caller pretends to be someone else.
  • System hacking using ports opened for VoIP connections.

VoIP calls involve a series of complex protocols, each of which can carry potentially threatening information through many ports.

IPS ensures that caller and recipient addresses are valid and that the caller and recipient can make and receive VoIP calls. IPS also examines the contents of the packets passing through every allowed port to ensure that they contain the proper information. Full stateful inspection on H.323, SIP, MGCP and SCCP commands ensures that all VoIP packets are structurally valid and that they arrive in a valid sequence.

For more on VoIP, see the R77 VoIP Administration Guide.

SNMP

IPS enables you to protect against SNMP vulnerabilities by providing the option of enforcing SNMPv3 (the latest SNMP version) while rejecting previous versions. In addition, IPS can allow all SNMP versions while dropping requests with SNMPv1 and SNMPv2 default community strings.
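The two SNMP policies described above, as an added example that is not Check Point code: a minimal BER reader pulls the version INTEGER and the community OCTET STRING out of an SNMPv1/v2c message, and snmp_verdict() applies either "SNMPv3 only" or "drop default community strings". The set of default community strings and the hand-built sample messages are assumptions for the example, not captures.

```python
"""Decode the SNMP version and community string of a message (added example)."""
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
# Factory-default community strings (our assumption of what "default" covers).
DEFAULT_COMMUNITIES = {b"public", b"private"}


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV starting at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length: 0x8n then n bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(msg: bytes):
    """Return (version, community); community is None for SNMPv3 (no community field)."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or not ver:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return version, None                  # v3 carries msgGlobalData here instead
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return version, bytes(community)


def snmp_verdict(msg: bytes, enforce_v3_only: bool) -> str:
    """Return "allow" or a "drop: <reason>" string for one message."""
    try:
        version, community = parse_snmp_header(msg)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    name = VERSION_NAMES.get(version, str(version))
    if enforce_v3_only:
        return "allow" if version == 3 else f"drop: SNMP{name} not allowed"
    if community is not None and community in DEFAULT_COMMUNITIES:
        return f"drop: default community {community.decode()!r}"
    return "allow"


def ber(tag: int, value: bytes) -> bytes:
    """Encode a short-form BER TLV (value shorter than 128 bytes) for the samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def sample_v1v2c(version: int, community: bytes) -> bytes:
    """Constructed SNMPv1/v2c GetRequest (request-id 1, empty varbind list)."""
    pdu = ber(0xA0, ber(2, b"\x01") + ber(2, b"\x00") + ber(2, b"\x00") + ber(0x30, b""))
    return ber(0x30, ber(2, bytes([version])) + ber(4, community) + pdu)


def sample_v3() -> bytes:
    """Constructed SNMPv3 message header: version 3 then msgGlobalData (no community)."""
    global_data = ber(0x30, ber(2, b"\x01") + ber(2, b"\x7F") + ber(4, b"\x04") + ber(2, b"\x03"))
    return ber(0x30, ber(2, b"\x03") + global_data + ber(4, b"") + ber(0x30, b""))


if __name__ == "__main__":
    for label, msg in [("v1 public", sample_v1v2c(0, b"public")),
                       ("v2c custom", sample_v1v2c(1, b"s3cret")),
                       ("v3", sample_v3())]:
        print(f"{label:12} v3-only: {snmp_verdict(msg, True):28} "
              f"defaults: {snmp_verdict(msg, False)}")
```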

VPN Protocols

IPS enables you to configure enforcement of RFC 2637: Point-to-Point Tunneling Protocol on Virtual Private Networks.

Citrix ICA

The Independent Computing Architecture (ICA) protocol specifies platform-independent data transfer between server and clients over the Internet and intranets. Applications built on ICA are numerous: browsers, Microsoft Accessories, mail clients, and more. IPS can protect against various ICA-related vulnerabilities and can enforce protocol compliance.

Defining Allowed Applications

When this protection is activated in Prevent mode, Citrix ICA applications are blocked. You can define which of these applications to allow.

To define the Authorized Applications list:

  1. In the IPS tab, open Application Intelligence > Citrix ICA > Citrix ICA Unauthorized Application.

    The Authorized Applications list shows applications that have already been entered into the list.

    To block an authorized application, select a profile and then deselect the application in the Authorized Applications list.

  2. To configure the Authorized Applications list, click Configure.
  3. To add an application to the list, click Add.

    In the new entry that is created, provide the application name. Double-click the Identifier entry and provide the application identifier.

  4. To edit an application in the list, click Edit.

    Change the application name as needed, and then double-click the identifier and change it as needed.

  5. Click OK.

    The new or changed application names appear immediately in the Authorized Applications list.

Remote Control Applications

IPS can block many different remote control applications which allow remote control over a host. Most remote control applications have the capacity to tunnel into an organization through an outbound connection initiated by the client to a "broker" over HTTP. This enables remote control applications to gain access to internal hosts from the internet enabling attackers to, for example, take over hosts in the network or open a hole for data leakage.

Standard firewall rules cannot sufficiently protect against remote control applications. IPS uses specialized protections to combat these attacks.

MS-RPC

IPS contains a variety of protections which prevent attacks that use the MS-RPC protocol. This group of protections primarily checks that the MS-RPC packets meet the protocol's standards, but also prevents the use of MS-RPC operations that can be used to gain access to internal information.

The MS-RPC protection group also protects against improper use of DCOM.

Note - By default, DCOM is blocked. To allow DCOM traffic, navigate to the DCOM - General Settings protection and select the Allow DCE-RPC interfaces other than End-Point Mapper (such as DCOM) on Port 135 checkbox.

Additionally, IPS includes protections specifically for MS-RPC over CIFS which block certain functions of MS-RPC interfaces that may be misused.

Configuring Web Intelligence

Web Intelligence focuses on protecting Web servers and Web clients against attacks. After you define a gateway or host object as a Web server/client object, Web Intelligence protections are applied to all Web traffic unless you configure the protection to inspect connections with specific Web servers.

Web Intelligence not only protects against a range of known attacks, but also incorporates intelligent security technologies that protect against entire categories of emerging or unknown attacks. Unlike Web firewalls and traditional intrusion protection systems, Web Intelligence provides proactive attack protections. This ensures that communication between clients and Web servers complies with published standards and security best practices, restricts hackers from executing irrelevant system commands, and inspects traffic passing to Web servers to ensure that it does not contain malicious code. Web Intelligence allows organizations to permit access to their Web servers and applications without sacrificing either security or performance.

Web Intelligence uses the Check Point Stateful Inspection technology. Stateful Inspection analyzes the information flow into and out of a network so that real-time security decisions are based on communication session information as well as on application information. It accomplishes this by tracking the state and context of all communications traversing the firewall gateway, even when the connection involves complex protocols.

Configuring Web Intelligence Protections

This section tells you about Web Intelligence protections.

Malicious Code

Malicious Code Protector is a Check Point patent-pending technology that blocks hackers from sending malicious code to target Web servers and applications. It can detect malicious executable code within Web communications by identifying not only the existence of executable code in a data stream but its potential for malicious behavior. Malicious Code Protector is a kernel-based protection delivering almost wire-speed performance.

These protections prevent attacks that attempt to run malicious code on Web servers.

Defining HTTP Worm Patterns

IPS uses pattern matching to recognize worms and to block them. You can add to or edit the pattern lists. These definitions apply to all profiles.

To define patterns to be blocked:

  1. In the IPS tab, open Protections > By Protocol > Web Intelligence > Malicious Code > General HTTP Worm Catcher.
  2. In the Block HTTP Worms list, leave the checkboxes of the worms that you want to block as selected.
  3. At the top of the page, click Edit.
  4. Click Add to add a new worm pattern, or select an existing worm name and click Edit.
  5. Provide a name for the known worm pattern.
  6. Provide the pattern string, or click Paste from clipboard, if the string has been copied to the clipboard.

    See Regular Expressions for pattern syntax.

  7. Click Recalculate to get the real Checksum.
  8. Click OK.

    The Block HTTP Worms list is updated immediately.

Malicious Code: Connectivity Versus Security

The Malicious Code Protector protection has security level settings. If a connectivity problem arises on a specific Web server, the security level can be lowered for that Web server.

To configure connectivity-security levels for Malicious Code Protector:

  1. In the IPS tab, open Malicious Code Protector and scroll down to the Malicious Code Protection Configuration area.
  2. Click Configure.
  3. Choose a preference between Memory Consumption and Speed.
  4. Choose a preference between security and performance, in the Search Method options.
  5. Click OK.

Application Layer

This class of protection prevents hackers from introducing text, tags, commands, or other characters that a Web application will interpret as special instructions.

Introducing such objects into forms or URLs can allow a hacker to steal private data, redirect a communication session to a malicious website, steal information from a database, gain unauthorized access, or execute restricted commands.

Defining Commands and Distinguished Names

The Web Intelligence > Application Layer category includes the Cross-Site Scripting, LDAP Injection, SQL Injection, and Command Injection protections. These protections have lists of commands or Distinguished Names for IPS to recognize.

Define commands or DNs to:

  • Allow a command (exclude it from inspection and blocking) for a profile: select a profile, scroll down to the list of commands, and clear the command checkbox.
  • Add a command to the blocked list (inclusive to all profiles).
  • Edit a blocked command (inclusive to all profiles).

To edit a blocked command/DN list:

  1. In the IPS tab, open a protection in Protections > By Protocol > Web Intelligence > Application Layer, such as:
    • Cross-Site Scripting
    • LDAP Injection
    • SQL Injection
    • Command Injection
  2. Click Edit (in the upper part of the page).
  3. Do one of the following:
    • To add a new command or DN, click Add. A new item in the list is created. Provide the command or DN that you want to add and then click OK.
    • To change an existing command or DN, select the command and click Edit. Change the command or DN as needed and then click OK.

    The block list is updated immediately.

Information Disclosure

Application Intelligence is a set of technologies that detect and prevent application-level attacks by integrating a deeper understanding of application behavior into network security defenses.

These protections prevent an attacker from gathering information about a website. The goal of information disclosure is to obtain information from the Web server that can be used to tailor an attack.

HTTP Protocol Inspection

HTTP Protocol Inspection provides strict enforcement of the HTTP protocol, ensuring that sessions comply with RFC standards and common security practices.

Improving Security for Specific HTTP Formats

If you configure HTTP Format Sizes for specific traffic, IPS can apply best-practice security and inspection without adversely affecting connectivity.

To set specific header lengths:

  1. Open Protections > By Protocol > Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
  2. In the Specific Headers Lengths area, click Add.
  3. Provide the actual name of the header that IPS is to recognize.
  4. Provide the maximum length of the header.
  5. Click OK.

Customizable Error Page

Many Web Intelligence protections allow the administrator to define an error page that can be sent back to the user whose browsing was blocked. This page can be used (in conjunction with SmartView Tracker) to pinpoint the reason that caused the connection to be closed. Also, if users see the Customized Error Page, they can call Help Desk and offer real help in protecting their environment.

Although many Web Intelligence protections have an option to configure an Error Page, there is only one Error Page: any configuration change made from one protection applies to all Web Intelligence protections.

To configure a Web Error Page:

  1. Open an activated Web Intelligence protection with the Send error page option in the Action area.
  2. Select the Send error page checkbox.
  3. Click OK to continue.
  4. Click Configure.
  5. Decide whether to configure an Error Page here or redirect to a URL that shows an error page:
    • Send a pre-defined HTML error page: sends the page that you configure here. You can have the page show your company logo, error code, Reject ID (detailed status code), and any text you choose (Description). Click Page Preview to see how the page will appear in client browsers.
    • Redirect to other URL: sends the browser to the URL that you configure here. If you select the Send error code checkbox, the reject ID and error code are sent to the client browser as parameters in the redirect response to the new location.
  6. Click OK.

Reject ID

The Reject ID that appears on the error page, or is sent after a redirect, delivers information to the administrator without exposing it to a potential attacker.

The Reject ID is unique for each rejected connection. The Reject ID also appears in the SmartView Tracker and allows the administrator to correlate between an error and a log record of a specific connection. The log record contains attack information, such as "Cross site scripting detected".

Note - Sometimes an Error Description ID may also be sent. It is used to identify attacks detected by specific protections. It appears in the SmartView Tracker log and corresponds to a SecureKnowledge solution about the attack: a SecureKnowledge search for the ID will give you information about the attack.

Optimizing Web Security Protections

You can manage Web Intelligence to configure the Web server settings so that they maximize security at the cost of Security Gateway performance, or the opposite.

Improving Connectivity by Setting Scope

Inspection settings that are too strict can have a negative impact on connectivity to and from valid Web servers.

  • The HTTP Format sizes protection restricts URL lengths, header lengths or the number of headers. This is good practice because these elements can be used to perform a Denial of Service attack on a Web server.
  • The ASCII Only Request protection can block connectivity to Web pages that have non-ASCII characters in URLs. This is good practice because non-ASCII headers or form fields open vulnerabilities to certain attacks, such as Code Injection.
  • The HTTP Methods protection can block certain HTTP methods, known to be unsafe, because they can be used to exploit vulnerabilities on a Web server.
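The limits described in the three items above and in the Specific Headers Lengths procedure under Improving Security for Specific HTTP Formats, as an added example that is not Check Point code: a URL length limit, a default header length with per-header overrides, a header-count limit, an ASCII-only URL check and a blocked-method list, applied to a request head. Every limit value, the blocked methods and the sample requests are assumptions constructed for the example.

```python
"""Check an HTTP request head against format-size and method limits (added example)."""
from dataclasses import dataclass, field


@dataclass
class FormatPolicy:
    max_url_len: int = 2048
    max_header_len: int = 1024                 # default limit for any header line
    specific_header_len: dict = field(default_factory=dict)  # lower-case name -> max
    max_header_count: int = 50
    ascii_only: bool = True
    blocked_methods: frozenset = frozenset({"TRACE", "CONNECT"})


def inspect_request(raw: bytes, policy: FormatPolicy) -> list:
    """Return the list of violations; an empty list means the head passes.

    Only the request line and header lines are inspected; the body is ignored.
    """
    violations = []
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["malformed request line"]
    method, url, _ = parts
    method_name = method.decode("ascii", "replace").upper()
    if method_name in policy.blocked_methods:
        violations.append(f"method {method_name} blocked")
    if len(url) > policy.max_url_len:
        violations.append(f"URL length {len(url)} > {policy.max_url_len}")
    if policy.ascii_only and any(b >= 0x80 or b < 0x20 for b in url):
        violations.append("non-ASCII or control byte in URL")
    headers = lines[1:]
    if len(headers) > policy.max_header_count:
        violations.append(f"{len(headers)} headers > {policy.max_header_count}")
    for line in headers:
        name, sep, _ = line.partition(b":")
        if not sep:
            violations.append("header line without ':'")
            continue
        key = name.strip().lower().decode("ascii", "replace")
        # A header listed under Specific Headers Lengths gets its own limit.
        limit = policy.specific_header_len.get(key, policy.max_header_len)
        if len(line) > limit:
            violations.append(f"header {key} length {len(line)} > {limit}")
    return violations


def build_request(method: bytes, url: bytes, headers: list) -> bytes:
    """Assemble a constructed sample request head (not a capture)."""
    return b"\r\n".join([method + b" " + url + b" HTTP/1.1"] + headers) + b"\r\n\r\n"


# Example policy: a tight default header limit, but this application's session
# cookie is known to be long, so the Cookie header gets its own larger limit.
POLICY = FormatPolicy(max_header_len=512, specific_header_len={"cookie": 4096})
LONG_COOKIE = b"Cookie: session=" + b"a" * 700


if __name__ == "__main__":
    samples = {
        "long cookie (override)": build_request(b"GET", b"/index.html",
                                                [b"Host: www.example.com", LONG_COOKIE]),
        "long other header": build_request(b"GET", b"/index.html",
                                           [b"Host: www.example.com", b"X-Debug: " + b"a" * 700]),
        "blocked method": build_request(b"TRACE", b"/", [b"Host: www.example.com"]),
        "non-ASCII URL": build_request(b"GET", "/caf\u00e9".encode("utf-8"),
                                       [b"Host: www.example.com"]),
    }
    for label, req in samples.items():
        print(f"{label:24} {inspect_request(req, POLICY) or 'pass'}")
```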

Although applying these restrictions (activating these protections) is in general good practice, they may potentially block valid sites or important applications. Applying these protections to specific Web servers can solve the connectivity problems, and may enhance CPU performance. This exclusion of a Web server from a particular protection is global to all profiles.

To configure Web Protection scope:

  1. Scroll down on a Web Intelligence protection page, to see the Protection Scope area.
  2. To apply this protection only to a defined set of Web servers, select Apply to selected web servers.
  3. Click Customize.
    • To exclude a Web server from the protection, clear the server checkbox.
    • To add a gateway object to the list of Web servers, click Add. From the Set Hosts as Web Servers window, select the hosts that you want and click OK.
  4. To edit a Web server, select the Web server in the list and click Edit.

The Check Point Host window opens, displaying the Web Server category, which is added to a host that is defined as a Web server.

You can configure connectivity-security balance for each type of Web Intelligence protection in the Web Server > Protections window, but enforcement of these configurations always depends on whether they are activated by the Web server's IPS profile.

Protections Implemented in Kernel Versus Security Server

Web Intelligence features are implemented in the kernel Inspection Module, providing significantly higher performance than inspection in Security Servers.

The Check Point Security Gateway provides a number of Web security capabilities that do not require the Web Intelligence feature. These capabilities make use of the HTTP Security server. The performance provided by the HTTP Security server is not as high as that provided by the kernel. These capabilities are available by defining a URI Resource and using it in the Firewall Rule Base.

Adjusting Allowed Concurrent HTTP Connections

You can adjust the resources available for HTTP connections to the gateway. If the traffic volume is greater than 1000 concurrent connections, you can increase the allowed maximum number of concurrent HTTP connections. Conversely, if there is a problem installing the security policy due to a lack of memory, you can decrease the allowed maximum number of concurrent connections.

To configure number of allowed concurrent HTTP connections:

  1. From the SmartDashboard main menu, click Policy > Global Properties.
  2. Click the SmartDashboard Customization category.
  3. Click Configure.
  4. Open the FireWall-1 > Web Security > Tuning category.
  5. Adjust the value of the http_max_concurrent_connections parameter. The default value is 1000.

Managing Application Controls

IPS provides administrators with the ability to track the installation and usage of specified applications, and to choose to block these applications.

For example, you can choose to block Peer-to-Peer applications, such as Kazaa and Gnutella. You can choose to configure the block as an automated event, or to receive notification whenever a client attempts to use an unauthorized application.

To see the applications that are supported by IPS, in the IPS tree select Protections > By Type > Application Control.

From this view, if you are familiar with the applications you want to control, you can select the protection in the table and then click Protection Actions > Prevent on all Profiles, Detect on all Profiles, or Deactivate on all Profiles as needed.

To see the description and further information on each application, technical details on how IPS controls it, or why it may be a threat, click View > Show Description. The description of each protection is displayed in the bottom pane as you browse through the displayed list.

A number of the Application Control protections have further options, providing more detailed control. To see these options of a selected protection, click Protection Actions > See Details. Then, select a profile and click Edit. The settings are applied to the selected profile only.

Configuring Geo Protections

Geo Protection allows you to control traffic by country. You can define a policy to block or allow traffic to or from specific countries, and a policy that applies to all other countries.

Note - If Geo Protection is set to block traffic to a country and Mobile Access is set to allow an application or site in that country, the traffic will be allowed.

Country information is derived from IP addresses in the packet by means of an IP-to-country database. Private IP addresses are always allowed unless the other side of the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management Server) are always allowed, regardless of the Geo Protection policy.

To operate Geo Protection, you are required to have:

  • A valid IPS contract.
  • A Software Blade license for each Security Gateway that enforces Geo Protection, and for the Security Management Server.

Controlling Traffic by Country

You can define a policy to block or allow traffic to or from specific countries, and a policy that applies to all other countries.

Before configuring Geo Protection:

Confirm that you have

  • A valid IPS contract.
  • A Software Blade license for each Security Gateway that enforces Geo Protection, and for the Security Management Server.

Note - This protection is enforced only by Gateways of version R70.20 and above.

To block, allow or monitor traffic by country:

  1. In the SmartDashboard IPS tab, select Geo Protection from the navigation tree.
  2. In the Geo Protection page, choose an IPS Profile.

    Note - Geo Protection settings are per-profile. You must configure this protection on the profile used by the Gateways.

  3. Set the Action for this protection: Prevent, Detect, or Inactive. When the protection is in Detect mode, all traffic is allowed (even for rules where the Action is set to Block), but traffic that matches the rules is logged. Use Detect to try out the protection, or for troubleshooting. When the protection is in Prevent mode, the rules are applied as configured.
  4. Define a Policy for Specific Countries. To configure a policy for a specific country that is different than the Policy for Other Countries:
    1. Click Add.

      The Geo Protection window opens.

    2. In the Geo Protection window, select a Country. To quickly find the country, start typing the name in the search box.
    3. Choose:
      • Direction: Either From Country to the Gateway, or To Country from the Gateway, or From and to Country. If From Country or To Country is selected, connections in the other direction are handled according to the Policy for Other Countries.
      • Action: Either Allow or Block.
      • Track: Any setting other than None generates a log for every connection that is tracked by this protection. If a connection matches two rules, the first rule is logged.
    4. Click OK.
  5. Configure a Policy for Other Countries. These settings apply to all countries and IP addresses that are not included in the Policy for Specific Countries. Configure whether to Allow or Block, and a Track setting.
  6. If necessary, define Exceptions. Exceptions are applied before any other defined rule.

After you have configured the protection:

  1. Examine the Policy Preview map. Red countries are blocked and green countries are allowed.
  2. Let the protection operate for a while and then review the logs.

To view Geo Protection logs:

In the Geo Protection page of IPS, click View Logs. The logs are for both the Policy for Specific Countries and for the Policy for Other Countries.
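The evaluation order described in this section and in Configuring Geo Protections above, as an added example that is not Check Point code: control connections and the Inactive mode pass; Exceptions are checked before any rule; the first matching rule of the Policy for Specific Countries wins (and is the one logged); otherwise the Policy for Other Countries applies; private (RFC 1918) addresses pass unless the other side is explicitly blocked by a specific rule; Detect mode logs but allows. The IP-to-country table, the country codes and the rule set are constructed for the example.

```python
"""Evaluate a connection against a Geo Protection policy (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed IP-to-country table (prefix -> country code), not a real database.
IP_TO_COUNTRY = [
    (ipaddress.ip_network("203.0.113.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def country_of(ip: str):
    """Country code for ip, or None when the table has no entry (an "other" address)."""
    addr = ipaddress.ip_address(ip)
    return next((code for net, code in IP_TO_COUNTRY if addr in net), None)


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class CountryRule:
    country: str
    direction: str       # "from" (country -> gateway), "to" (gateway -> country), or "both"
    action: str          # "allow" or "block"
    track: str = "log"   # any value other than "none" produces a log entry


@dataclass
class GeoPolicy:
    mode: str                           # "prevent", "detect" or "inactive"
    specific: list                      # CountryRule objects, evaluated in order
    other_action: str = "allow"         # Policy for Other Countries
    other_track: str = "log"
    exceptions: frozenset = frozenset() # addresses excluded before any rule


def evaluate(policy: GeoPolicy, src: str, dst: str, control_connection: bool = False):
    """Return (verdict, log): verdict is "allow" or "block", log is None or a dict."""
    if policy.mode == "inactive" or control_connection:
        return "allow", None
    if src in policy.exceptions or dst in policy.exceptions:
        return "allow", None
    src_country, dst_country = country_of(src), country_of(dst)
    matched = None
    for rule in policy.specific:                 # first match is the one logged
        if ((rule.direction in ("from", "both") and src_country == rule.country)
                or (rule.direction in ("to", "both") and dst_country == rule.country)):
            matched = rule
            break
    if matched is not None:
        action, track = matched.action, matched.track
        desc = f"{matched.country}/{matched.direction}"
    else:
        action, track, desc = policy.other_action, policy.other_track, "other countries"
        if action == "block" and (is_private(src) or is_private(dst)):
            action = "allow"                     # private side, other side not explicitly blocked
    log = None
    if track != "none":
        log = {"src": src, "dst": dst, "rule": desc, "action": action}
    if policy.mode == "detect":
        return "allow", log                      # logged as if enforced, never blocked
    return action, log


def sample_policy(mode: str = "prevent") -> GeoPolicy:
    """Constructed rule set: block inbound from AA, allow BB without logging, block the rest."""
    return GeoPolicy(
        mode=mode,
        specific=[CountryRule("AA", "from", "block"),
                  CountryRule("BB", "both", "allow", track="none")],
        other_action="block",
        exceptions=frozenset({"203.0.113.250"}),
    )


if __name__ == "__main__":
    policy = sample_policy()
    for src, dst in [("203.0.113.5", "192.0.2.10"), ("10.1.1.1", "192.0.2.10"),
                     ("203.0.113.5", "10.1.1.1"), ("203.0.113.250", "192.0.2.10")]:
        print(src, "->", dst, evaluate(policy, src, dst))
```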

The IP Address to Country Database

Country information is derived from IP addresses in the packet by means of an IP-to-country database. To ensure that the information in the IP-to-country database is up-to-date, the database is regularly and automatically downloaded to the Security Gateway from a Check Point data center.

Note - To ensure that the most recent IP-to-country database is being used, the Security Gateway must be connected to the Internet. If the Gateway cannot access the Internet, the database may not be completely accurate.

If the Security Gateway needs to access the Internet via a proxy, you need to define the proxy in SmartDashboard.

To define a proxy for the Security Gateway:

  1. In SmartDashboard, edit the Security Gateway.
  2. Select the Topology > Proxy page.
  3. Configure the required settings.

Log Aggregation by Country

Geo Protection logs are aggregated by default. This means that a single log is generated every aggregation interval, for every country that is part of the Policy for Specific Countries. Logs that relate to other countries are aggregated to a single log.

It is possible to turn off log aggregation by country. In that case, a log is created for every connection that is tracked by this protection. Turning off log aggregation by country may result in a significant increase in the number of generated logs, and in increased CPU utilization on the Security Gateway.

Configuring IPS Pattern Granularity

After the first update of IPS protections, all patterns of Header rejection, Http worm catcher, and Cifs worm catcher protections are converted into new protections (dated to January 1, 2007). The three protections and the patterns under them are kept for NGX R65 and user-defined pattern support.

Activating New Protections

The activation mode of the new protections is set according to the IPS policy of the associated profile (the Severity and Confidence levels). You can change the settings as for other IPS protections. For example, you can change the action from Detect to Prevent.

Only the settings of patterns that were manually modified before upgrade are assigned to their converted protections. Those protections are marked as Override and do not get updates.

You cannot change the signature of the new protections. After upgrade, the previous patterns under the three protections are enforced only on NGX R65 gateways. The user-defined patterns are enforced on all gateways, including R7x and above, because they are not converted to protections.

Network Exceptions for the New Protections

If you added Network Exceptions to the Header rejection, Http worm catcher, or Cifs worm catcher protections before upgrade to R77, then after the upgrade, they are valid only for user-defined patterns. To apply the Network Exceptions to a pattern, add them to the new protection converted from the relevant pattern.

Handling Multiple Matches of a Pattern

If you changed the value of a pattern before upgrade, the pattern shows under the previous pattern list (Header rejection, Http worm catcher, Cifs worm catcher), as user-defined patterns. The pattern is also included as a new protection, marked for Follow Up. Sometimes, this causes multiple matches. To avoid this, turn off the modified patterns, or turn off the new protections.

Configuring Implied IPS Exceptions

Check Point components can use non-standard HTTP and SSL ports to communicate. Implied exceptions exclude this traffic from IPS inspection.

To view the implied exceptions:

  • In the View menu, select IPS Implied Exceptions.

    You can see the implied exceptions in the Network Exceptions page of the IPS tab.

We do not recommend that you disable the implied exceptions. But, you can disable them from the IPS page of the Global Properties (Policy > Global Properties > IPS). To disable the implied exceptions, clear the Enable implied exceptions in my environment option.

Note - If you disable the implied exceptions and you do not add exceptions for the non-standard HTTP and SSL traffic manually, it is possible that some Check Point products will not work.

©2015 Check Point Software Technologies Ltd. All rights reserved.