Chapter 13: SmartDefense

Introduction

The basic principle of any firewall is to allow access to legitimate services while denying all other network access. Although in the past this level of security may have been sufficient, in today s world of increasingly sophisticated network-based applications comes the threat that malicious users may be able to exploit vulnerabilities in these applications. As a result, the simplistic permit or deny firewall model is no longer effective on its own as a successful network security defense mechanism.

SmartDefense, a key component of Check Point s VPN-1/FireWall-1 NG with Application Intelligence, is the solution to the problem permitting legitimate access to a network resource while protecting that resource from malicious attacks.

SmartDefense s underlying methodology is to monitor network traffic flowing through the firewall, comparing characteristics of the traffic to patterns known to be indicative of malicious activity. Suspicious activity is logged, and notifications may be sent so that the network administrator can choose to take action against the threat. SmartDefense supports the detection of five categories of attack: Denial of Service (DoS) attacks, Transmission Control Protocol/Internet Protocol (TCP/IP) attacks, application attacks, port and IP scanning, and worms.

With new attacks constantly being designed, it is not sufficient protection to have a static list of algorithms for SmartDefense to use to compare to network traffic. As a result, Check Point offers a subscription service, whereby SmartDefense can be kept constantly up to date on newly released attack algorithms. Updating SmartDefense is a simple, one-step procedure, with the intention that updates may be performed frequently, without tying up significant time or resources.