Understanding Application Intelligence


The second section of SmartDefense, Application Intelligence, focuses on attack detection that is application specific. It covers applications such as HTTP, mail, FTP, Microsoft Networks, DNS, and VoIP. SmartDefense examines the properties and data within the packets that travel to and from these applications and looks for signs of attack that a plain port-and-protocol rule cannot see.

General HTTP Worm Catcher

The first type of HTTP protection offered is the HTTP Worm Catcher, shown in Figure 13.9.

Figure 13.9: General HTTP Worm Catcher

Recently a number of HTTP worms have been released on the Internet that have had a significant impact on the availability of many corporations' network resources. These worms typically exploit vulnerabilities in HTTP clients and servers, using those vulnerabilities both to infect the affected server or client and to spread themselves to other potential hosts.

The HTTP Worm Catcher, which runs in the kernel module of the gateway running VPN-1/FireWall-1, watches HTTP traffic for a configured list of patterns. If one of these patterns is detected in HTTP traffic flowing through the firewall, SmartDefense takes the action specified in the Track setting. Patterns can be added, removed, and edited manually, imported from a file, or updated automatically through the SmartDefense update mechanism. Because this is signature matching, it catches only worms whose patterns are in the list, so keeping the list current matters more than any other setting on this tab.

HTTP Protocol Inspection

A second layer of HTTP protection is available via HTTP protocol inspection, accessible under the HTTP Protocol Inspection tab, shown in Figure 13.10.

Figure 13.10: HTTP Protocol Inspection

When enabled, the two ASCII header options, one for requests and one for responses, reject any header that contains non-ASCII bytes. Since HTTP request and response headers should be plain ASCII text, there is normally no valid reason to allow anything else, and non-ASCII bytes in a header are a strong sign that it is carrying a binary payload for a buffer overflow against the HTTP server, whether to crash it (a DoS) or to run attacker code. In practice a few applications do send raw non-ASCII bytes in headers (for example in cookie values or file names), so watch the logs before switching the option from detect to drop.

The HTTP Format Sizes tab, shown in Figure 13.11, allows you to configure other aspects of what constitutes an acceptable HTTP request. Setting the maximum URL length, which defaults to 2048 bytes, blocks a malicious user from sending an extremely long and invalid URL in an attempt to cause the HTTP server to malfunction. Although all HTTP servers should have this class of vulnerability patched by now, it still cannot hurt to leave the option enabled; the only tuning you are likely to need is raising the limit for applications that legitimately use long query strings.

Figure 13.11: HTTP Format Sizes

Header restrictions, for length and number, defaulting to 1000 bytes and 500 headers respectively, prevent malicious users from transmitting an excessive number of HTTP headers to your HTTP server or from sending unreasonably large ones. Both attacks are launched in an attempt to cause a malfunction of your HTTP server, either to gain unauthorized access to it or simply to deny legitimate users access.

Note that if any of these limits is exceeded, VPN-1/FireWall-1 drops the connection, so the suspicious traffic never reaches the HTTP server.

Cross-Site Scripting

The Cross-Site Scripting tab, shown in Figure 13.12, allows you to configure the firewall to protect against attacks that are designed to steal users' confidential information. Malicious users employ two methods to do this: stealing the cookies that a user's browser holds for the Web site, and causing the user's browser to run attacker-supplied script, delivered through the Web server, that sends whatever the user enters directly to a third party.

Figure 13.12: Cross-Site Scripting

Both methods involve getting a script into content that the Web server returns to other users (for example by posting it to a guestbook or message board, or by embedding it in a link), so that the victim's browser passes its saved cookies to a third-party site or submits a form's contents to a third party. Although it is important to keep your Web server and applications patched and to validate their input, SmartDefense adds extra protection by denying HTTP POST requests and URLs that include scripts.

Configuration options for cross-site scripting include a setting to block script tags, HTML tags, or all tags for all defined Web servers, or, for additional granularity, you can choose the blocking level for each individual Web server.

Peer-to-Peer Blocking

The Peer to Peer tab, shown in Figure 13.13, allows you to control users' access to peer-to-peer and instant-messaging networks such as Kazaa, Gnutella, ICQ, and AIM. SmartDefense comes with the most common of these controls already configured, so all you need to do is enable or disable them according to your corporate policy on access to these services. You may also add more peer-to-peer networks, as long as you know the HTTP header name and value that SmartDefense should use to identify traffic bound for the service. Because identification rests on that header, a client that changes its headers will not be matched, so treat this as policy enforcement rather than a hard guarantee.

Figure 13.13: Peer-to-Peer Blocking

File and Print Sharing Worm Catcher

The File and Print Sharing Worm Catcher, located on the Microsoft Networks tab under File and Print Sharing (see Figure 13.14), extends SmartDefense's worm detection capability to Microsoft file shares. Just as with the HTTP Worm Catcher, SmartDefense comes preconfigured with a number of worm patterns that you may enable or disable, and you can add or import new patterns. Enabling this option protects Windows systems within your network from NetBIOS worms and from the Windows 2000 CIFS vulnerability, and the same caveat applies: it catches only what is in the pattern list.

Figure 13.14: File and Print Sharing



Check Point NG[s]AI
ISBN: 735623015
Year: 2004
Pages: 149