
Protocols & Related Defenses

Application Layer

Check Point's Perimeter, Internal and Web security gateway solutions block many attacks and provide numerous attack prevention safeguards. This table lists some of these defenses and organizes them by protocol and OSI Model layer.

Note: Check Point continually expands the breadth of defenses provided. This table is a snapshot, not an exhaustive list.

Table columns: Application Layer protocol | Attack Prevention Safeguards | Attacks Blocked
HTTP Client (browser and other client machine components)
Attack Prevention Safeguards:
  • Limit maximum response header length
  • Prohibit binary characters in HTTP response headers
  • Validate HTTP response protocol compliance
  • Block user-defined URLs
  • URL filtering
  • Restrict download of user-defined files
  • Restrict peer-to-peer (P2P) connections
  • Restrict P2P connections on non-HTTP ports
  • Block Java code
  • Strip script tags
  • Strip applet tags
  • Strip FTP links
  • Strip port strings
  • Strip ActiveX tags
Attacks Blocked:
  • Code Red worm & Mutations
  • Nimda worm & Mutations
  • HTR Overflow Worm & Mutations
  • MDAC Buffer Overflow & Mutations
  • Malicious URLs
  • User-Defined worms & mutations
  • Cross-Site Scripting Attacks
HTTP Server
Attack Prevention Safeguards:
  • Limit maximum URL length
  • Limit maximum number of response headers allowed
  • Limit maximum request header length
  • Limit maximum response header length
  • Restrict header names and values by length and by regular expression
  • Reject HTTP headers that contain specific header names or values
  • Prohibit binary characters in HTTP response headers
  • Prohibit binary characters in HTTP requests
  • Block user-defined URLs
  • Restrict non-RFC HTTP methods
  • Enforce HTTP security on non-standard ports (ports other than 80)
  • Compare transmission to a user-approved SOAP schema/template
  • Restrict download of user-defined files
  • Distinguish between separate HTTP/1.1 requests sent over the same (keep-alive) connection
  • Restrict unsafe HTTP commands
  • Fingerprint scrambling (spoofing) to hide server information
  • SOAP schema validation
  • SSL v3 version enforcement
  • Restrict header values
  • Malicious Code Protector (blocks malicious executable code sent to web servers)
  • Restrict binary data in forms
  • Restrict HTTP methods
  • Block HTTP traffic with a negative Content-Length header
  • Block Trojan communication by identifying attempts to receive script traffic containing HTML tags
  • Block Content-Disposition in HTTP headers
  • Define specific network objects as Web servers
  • Perform strict HTTP protocol enforcement
  • Reject HTTP requests that contain an illegal SWAT header
  • Strip file extensions in Web traffic
  • Block network access to files with certain extensions (to prevent worm infection)
  • Block HTML tags in HTTP request headers
  • Block shell commands in HTTP request headers
  • Block POST requests containing scripting code
  • Block non-ASCII characters in HTTP request/response headers
  • LDAP injection protection
Attacks Blocked:
  • ASN.1 buffer overflow
  • SSL overflow attacks
  • SQL Injection
  • Command Injection
  • Encoding Attacks
  • User-Defined Worms & Mutations
  • Code Red Worm & Mutations
  • Nimda Worm & Mutations
  • HTR Overflow Worm & Mutations
  • Directory Traversal Attacks
  • MDAC Buffer Overflow & Mutations
  • Malicious URLs
  • Chunked Transfer Encoding Attacks
  • Cross-Site Scripting Attacks
  • HTTP-based attacks spanning multiple packets
  • WebDAV Attacks
  • PCT Worms & Mutations
  • HTTP header spoofing attacks
  • IIS Server Buffer Overflow
  • Santy worm & Mutations
  • Spyware and Adware Attacks
  • LDAP injection attacks
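The HTTP client and server entries above are mostly protocol-level checks on the request line and headers. The following is an added example, not Check Point's code or configuration, of how a handful of those checks look when written out: URL length, non-RFC and restricted methods, binary characters, directory traversal, HTML tags in headers, negative or non-numeric Content-Length, and the Content-Length/chunked Transfer-Encoding conflict behind chunked-encoding attacks. All limits, the method lists and the sample requests are assumptions made for the demo.

```python
"""Added example (not Check Point code): a small HTTP/1.x request inspector that
applies several of the safeguards listed for HTTP clients and servers.
All limits, method lists and sample requests are assumptions made for the demo."""
import re

MAX_URL_LEN = 2048            # assumed limit, not a vendor default
MAX_HEADER_COUNT = 50
MAX_HEADER_LINE_LEN = 8192
# Methods from RFC 7231/5789; anything else (e.g. WebDAV's SEARCH) is "non-RFC"
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}
RESTRICTED_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}   # assumed "unsafe" subset
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")    # RFC 7230 header-name token
# Literal or single-percent-encoded dot-dot segments; double encoding (%252e) is
# deliberately not handled here, a real gateway must decode before matching.
TRAVERSAL_RE = re.compile(rb"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)
HTML_TAG_RE = re.compile(rb"<\s*/?[A-Za-z!]")


def has_binary(data: bytes) -> bool:
    """True if any byte falls outside printable ASCII (HTAB is allowed in headers)."""
    return any((b < 0x20 and b != 0x09) or b >= 0x7F for b in data)


def inspect_request(raw: bytes) -> list:
    """Return the list of violated checks for one request (empty list = pass)."""
    violations = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request head"]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return ["malformed request line"]
    method, target = parts[0].decode("latin-1"), parts[1]
    if method not in RFC_METHODS:
        violations.append(f"non-RFC method {method}")
    elif method in RESTRICTED_METHODS:
        violations.append(f"restricted method {method}")
    if len(target) > MAX_URL_LEN:
        violations.append("URL exceeds maximum length")
    if has_binary(target):
        violations.append("binary characters in URL")
    if TRAVERSAL_RE.search(target):
        violations.append("directory traversal in URL")
    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        violations.append("too many headers")
    content_length = transfer_encoding = None
    for line in headers:
        if len(line) > MAX_HEADER_LINE_LEN:
            violations.append("header line exceeds maximum length")
        if has_binary(line):
            violations.append("binary characters in header")
        if HTML_TAG_RE.search(line):
            violations.append("HTML tag in header")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            violations.append("malformed header line")
            continue
        name, value = name.lower(), value.strip()
        if name == b"content-length":
            if not value.isdigit():          # rejects "-1", "+4", "1e3" and empty values
                violations.append(f"invalid Content-Length {value.decode('latin-1')!r}")
            elif content_length is not None and content_length != value:
                violations.append("conflicting Content-Length headers")
            content_length = value
        elif name == b"transfer-encoding":
            transfer_encoding = value.lower()
    # CL together with chunked TE is the framing ambiguity behind request smuggling
    if content_length is not None and transfer_encoding and b"chunked" in transfer_encoding:
        violations.append("both Content-Length and chunked Transfer-Encoding present")
    return violations


# Constructed sample requests (documentation domain, not captured traffic)
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
TRAVERSAL = (b"GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
             b"Host: www.example.com\r\n\r\n")
NEG_CL = b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: -1\r\n\r\n"
SMUGGLE = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
WEBDAV = (b"SEARCH / HTTP/1.1\r\nHost: www.example.com\r\n"
          b"X-Note: <script>alert(1)</script>\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("CLEAN", CLEAN), ("TRAVERSAL", TRAVERSAL), ("NEG_CL", NEG_CL),
                       ("SMUGGLE", SMUGGLE), ("WEBDAV", WEBDAV)]:
        print(label, inspect_request(req) or "pass")
```

The traversal pattern is the weak point of any such rule set: it catches the literal and single-encoded forms, but a gateway that matches before canonicalising the URL misses double encoding and overlong UTF-8, which is why "strict HTTP protocol enforcement" belongs before signature matching.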
SMTP
Attack Prevention Safeguards:
  • Block multiple "Content-Type" headers
  • Block multiple encoding headers
  • Camouflage default banner
  • Restrict unsafe SMTP commands
  • Header forwarding verification
  • Restrict unknown encoding
  • Restrict mail messages not containing sender/recipient domain name
  • Restrict MIME attachments of specified type
  • Strip file attachments with specified names
  • Strict enforcement of RFC 821 & 822
  • Monitor and enforce restrictions on ESMTP commands
  • Hide internal mail user names and addresses
  • Perform reverse DNS lookup
  • Strict enforcement of MAIL and RCPT syntax
  • Restrict mail from user-defined sender or domain
  • Restrict mail to user-defined recipients
  • Restrict mail to unknown domains
  • Enforce limits on the number of RCPT commands allowed per transaction
  • Restrict mail relay usage
  • Enforce ASN.1 standard
  • Strip script tags
  • Strip ActiveX tags
  • Block malicious filenames
  • Block the X-LINK2STATE SMTP extended verb
Attacks Blocked:
  • SMTP Mail Flooding
  • SMTP worm & Mutations
  • Extended Relay Attacks
  • message/partial MIME Attack
  • Spam Attack (large number of emails)
  • Command Verification Attack
  • SMTP Payload worm & Mutations
  • Worm Encoding
  • Firewall Traversal Attack
  • SMTP Error Denial-of-Service Attack
  • Mailbox Denial-of-Service Attack (excessive email size)
  • Address Spoofing
  • SMTP Buffer Overflow Attacks
  • MyDoom worm & Mutations
  • Bagle worm & Mutations
  • Sober worm & Mutations
  • Zafi worm & Mutations
  • Bagz.C worm and Mutations
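Several of the SMTP safeguards above act on the command channel (MAIL/RCPT syntax, the RCPT limit, relay restriction, blocked verbs such as X-LINK2STATE) and the rest on the message headers (multiple Content-Type or encoding headers, message/partial). The following is an added example, not Check Point's code, of both halves; the local domain list, the verb lists, the recipient limit and the sample session are assumptions for the demo.

```python
"""Added example (not Check Point code): command-level and header-level SMTP checks
mirroring several safeguards listed above. Domain list, limits, verb sets and the
sample session are assumptions for the demo."""
import re

LOCAL_DOMAINS = {"example.com"}        # assumed: domains this gateway accepts mail for
MAX_RCPT = 50                          # assumed per-transaction recipient limit
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS", "AUTH"}
BLOCKED_VERBS = {"X-LINK2STATE", "VRFY", "EXPN", "TURN"}    # assumed "unsafe" set
# Strict MAIL/RCPT grammar: verb, keyword, angle-bracketed path, optional ESMTP params
MAIL_RE = re.compile(r"^MAIL FROM:\s*(<[^>]*>)(\s+\S+)*$", re.IGNORECASE)
RCPT_RE = re.compile(r"^RCPT TO:\s*(<[^>]*>)$", re.IGNORECASE)
ADDR_RE = re.compile(r"^<(?:[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))?>$")


def inspect_smtp_commands(lines):
    """Walk the client side of a session; return the list of violations."""
    violations, sender_domain, rcpt_count = [], None, 0
    for raw in lines:
        line = raw.rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()
        if verb in BLOCKED_VERBS:
            violations.append(f"blocked verb {verb}")
            continue
        if verb not in ALLOWED_VERBS:
            violations.append(f"unknown verb {verb}")
            continue
        if verb == "MAIL":
            m = MAIL_RE.match(line)
            a = ADDR_RE.match(m.group(1)) if m else None
            if not a:
                violations.append(f"malformed MAIL command: {line}")
                continue
            sender_domain = (a.group(1) or "").lower()   # "" for the null reverse-path <>
            rcpt_count = 0
        elif verb == "RCPT":
            m = RCPT_RE.match(line)
            a = ADDR_RE.match(m.group(1)) if m else None
            if not a or not a.group(1):                 # <> is never a valid recipient
                violations.append(f"malformed RCPT command: {line}")
                continue
            rcpt_count += 1
            if rcpt_count > MAX_RCPT:
                violations.append("RCPT limit exceeded")
            rcpt_domain = a.group(1).lower()
            # Relay check: neither the sender nor the recipient belongs to us
            if rcpt_domain not in LOCAL_DOMAINS and sender_domain not in LOCAL_DOMAINS:
                violations.append(f"open relay attempt to {rcpt_domain}")
        elif verb == "RSET":
            sender_domain, rcpt_count = None, 0
    return violations


def inspect_message_headers(data: bytes):
    """Header-side checks on the DATA payload: duplicate Content-Type or
    Content-Transfer-Encoding headers and message/partial (fragmented MIME)."""
    violations, counts = [], {}
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):          # folded continuation of the previous header
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name.strip().lower()
        counts[name] = counts.get(name, 0) + 1
        if name == b"content-type" and b"message/partial" in value.lower():
            violations.append("message/partial MIME")
    for h in (b"content-type", b"content-transfer-encoding"):
        if counts.get(h, 0) > 1:
            violations.append(f"multiple {h.decode()} headers")
    return violations


# Constructed sample sessions and message (not captured traffic)
SESSION_OK = ["EHLO mx.partner.test", "MAIL FROM:<alice@partner.test> SIZE=1024",
              "RCPT TO:<bob@example.com>", "DATA"]
SESSION_BAD = ["EHLO mail.attacker.test", "MAIL FROM:<spammer@attacker.test>",
               "RCPT TO:<victim@other.test>", "X-LINK2STATE",
               "RCPT TO:victim2@other.test", "DATA"]
MSG_DUP = (b"From: alice@partner.test\r\nTo: bob@example.com\r\nContent-Type: text/plain\r\n"
           b"Content-Type: message/partial; id=\"x\"; number=1; total=2\r\n\r\nbody")

if __name__ == "__main__":
    print(inspect_smtp_commands(SESSION_OK))
    print(inspect_smtp_commands(SESSION_BAD))
    print(inspect_message_headers(MSG_DUP))
```

Two things the relay check deliberately does not do: it trusts nothing in the envelope beyond domain membership (an attacker can claim any MAIL FROM, which is why real gateways pair this with source-network rules or AUTH), and it ignores the 5xx/2xx replies from the server, so a RCPT the server itself rejected still counts toward the limit, which is the conservative choice against flooding.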

POP3

Attack Prevention Safeguards:
  • Restrict connections with passwords identical to user name
  • Enforce max characters in user name (buffer overflow protection)
  • Enforce max password length (buffer overflow protection)
  • Restrict binary characters in user name (buffer overflow protection)
  • Restrict binary characters in passwords (buffer overflow protection)
  • Restrict binary characters in POP3 commands (buffer overflow protection)
  • Limit number of NOOP commands, freeing POP3 daemon resources (DoS protection)
Attacks Blocked:
  • POP3 Buffer Overflow attacks

IMAP4

Attack Prevention Safeguards:
  • Restrict connections with passwords identical to user name
  • Enforce max characters in user name (buffer overflow protection)
  • Enforce max password length (buffer overflow protection)
  • Restrict binary characters in user name (buffer overflow protection)
  • Restrict binary characters in passwords (buffer overflow protection)
  • Restrict binary characters in IMAP4 commands (buffer overflow protection)
  • Limit number of NOOP commands, freeing IMAP4 daemon resources (DoS protection)
Attacks Blocked:
  • IMAP4 Buffer Overflow attacks
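The POP3 and IMAP4 entries list the same login-phase checks, so one inspector can serve both. The following is an added example, not Check Point's code, that tracks a session and applies the length, binary-character, password-equals-user-name and NOOP-budget rules to POP3 USER/PASS and to IMAP4 LOGIN. The limits are assumptions, and IMAP LOGIN arguments are handled only in their unquoted form.

```python
"""Added example (not Check Point code): the login-phase checks listed for POP3 and
IMAP4, applied by one inspector since both protocols share them. Limits are
assumptions; IMAP LOGIN arguments are handled in their unquoted form only."""

MAX_USER_LEN = 64      # assumed
MAX_PASS_LEN = 64      # assumed
MAX_NOOP = 20          # assumed per-session NOOP budget


def has_binary(data: bytes) -> bool:
    """True if any byte is outside printable ASCII."""
    return any(b < 0x20 or b >= 0x7F for b in data)


class MailLoginInspector:
    def __init__(self, protocol: str):
        assert protocol in ("pop3", "imap4")
        self.protocol = protocol
        self.user = None
        self.noops = 0

    def feed(self, line: bytes) -> list:
        """Inspect one client command line; return the violations it triggers."""
        v = []
        line = line.rstrip(b"\r\n")
        if has_binary(line):
            v.append("binary characters in command")
        words = line.split(b" ")
        if self.protocol == "imap4":
            words = words[1:]                 # drop the IMAP tag ("a1 LOGIN ...")
        verb = words[0].upper() if words else b""
        if verb == b"NOOP":
            self.noops += 1
            if self.noops > MAX_NOOP:          # keeps idle clients from pinning the daemon
                v.append("NOOP limit exceeded")
        elif self.protocol == "pop3" and verb == b"USER" and len(words) == 2:
            self.user = words[1]
            v += self._check_user(self.user)
        elif self.protocol == "pop3" and verb == b"PASS" and len(words) >= 2:
            v += self._check_pass(b" ".join(words[1:]))   # POP3 passwords may contain spaces
        elif self.protocol == "imap4" and verb == b"LOGIN" and len(words) == 3:
            self.user = words[1]
            v += self._check_user(words[1]) + self._check_pass(words[2])
        return v

    def _check_user(self, user: bytes) -> list:
        return ["user name exceeds maximum length"] if len(user) > MAX_USER_LEN else []

    def _check_pass(self, password: bytes) -> list:
        if len(password) > MAX_PASS_LEN:
            return ["password exceeds maximum length"]
        if self.user is not None and password == self.user:
            return ["password identical to user name"]
        return []


if __name__ == "__main__":
    pop = MailLoginInspector("pop3")
    for cmd in (b"USER alice\r\n", b"PASS alice\r\n", b"PASS " + b"A" * 65 + b"\r\n"):
        print(cmd[:16], pop.feed(cmd))
    imap = MailLoginInspector("imap4")
    print(imap.feed(b"a1 LOGIN bob bob\r\n"))
```

The length limits are the interesting part operationally: they are not about password policy but about keeping a USER or LOGIN argument below whatever fixed buffer an old daemon copies it into, which is why the page files them under buffer overflow protection rather than authentication.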

RSH

  • Auxiliary port monitoring
  • Restrict reverse injection
 

RTSP

  • Auxiliary port monitoring.
 

IIOP

  • Auxiliary port monitoring
 

FTP

Attack Prevention Safeguards:
  • Analyze and restrict hazardous FTP commands
  • Block custom file types
  • Camouflage default banner
  • Strip FTP references
Attacks Blocked:
  • FTP Bounce Attack
  • Passive FTP Attacks
  • Client and Server Bounce Attacks
  • FTP Port Injection Attacks
  • Directory Traversal Attack
  • Firewall Traversal Attack
  • TCP Segmentation Attack
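The bounce, port-injection and passive-mode items above all come down to one rule: the address a PORT command or a 227 reply asks the gateway to open a data channel for must belong to the endpoint that sent it. The following is an added example, not Check Point's code, that applies that rule on both directions of the control channel and adds the hazardous-command and traversal checks; the hazardous-command list and the sample addresses (documentation ranges) are assumptions.

```python
"""Added example (not Check Point code): checks for the FTP bounce / PORT injection,
passive-mode and traversal items above, on the client command channel and on the
server's PASV reply. Addresses are documentation ranges; the hazardous-command
list is an assumption."""
import re

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
                     re.IGNORECASE)
PASV_RE = re.compile(rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
TRAVERSAL_RE = re.compile(rb"(^|[/\\])\.\.([/\\]|$)")
HAZARDOUS = (b"SITE EXEC", b"SITE CHMOD")        # assumed list


def parse_hostport(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into ('a.b.c.d', port), or None if out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def inspect_client_command(line: bytes, client_ip: str) -> str:
    line = line.rstrip(b"\r\n")
    m = PORT_RE.match(line)
    if m:
        hp = parse_hostport(m.groups())
        if hp is None:
            return "drop: malformed PORT"
        ip, port = hp
        if ip != client_ip:                  # data channel to someone else: bounce attack
            return f"drop: PORT targets third-party host {ip} (bounce)"
        if port < 1024:                      # e.g. 25 or 80 on the client itself: port injection
            return f"drop: PORT targets privileged port {port}"
        return f"allow: active data connection to {ip}:{port}"
    upper = line.upper()
    for cmd in HAZARDOUS:
        if upper.startswith(cmd):
            return f"drop: hazardous command {cmd.decode()}"
    _verb, _, arg = line.partition(b" ")
    if TRAVERSAL_RE.search(arg):
        return "drop: directory traversal in argument"
    return "allow"


def inspect_server_reply(line: bytes, server_ip: str) -> str:
    line = line.rstrip(b"\r\n")
    m = PASV_RE.match(line)
    if not m:
        return "allow"                        # not a PASV reply; nothing to pin
    hp = parse_hostport(m.groups())
    if hp is None:
        return "drop: malformed 227 reply"
    ip, port = hp
    if ip != server_ip:                       # only open the pinhole toward the real server
        return f"drop: PASV reply points to third-party host {ip}"
    return f"allow: passive data connection to {ip}:{port}"


if __name__ == "__main__":
    # Constructed control-channel lines; 198.51.100.5:25 is the classic bounce to a mail server
    for cmd in (b"PORT 192,0,2,10,4,1", b"PORT 198,51,100,5,0,25", b"SITE EXEC /bin/sh", b"CWD ../../etc"):
        print(cmd, "->", inspect_client_command(cmd, "192.0.2.10"))
    print(inspect_server_reply(b"227 Entering Passive Mode (203,0,113,8,195,149)", "203.0.113.7"))
```

Matching the PORT address against the control-connection peer is only sound when the gateway sees the real client address; behind a NAT or proxy the comparison has to use the translated address, otherwise every legitimate active-mode transfer is flagged as a bounce.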
DNS
Attack Prevention Safeguards:
  • Restrict DNS zone transfers
  • Restrict usage of DNS server as a public server
  • Provide separate DNS service for private vs. public domains
  • Enforce DNS over TCP protocol
  • Restrict domains on "not allowed" list
  • Provide cache protection
  • Restrict inbound requests
  • Restrict mismatched replies
  • Enforce DNS query format
  • Enforce DNS response format
  • Protect against DNS cache poisoning attacks
Attacks Blocked:
  • DNS Query Malformed Packet Attacks
  • DNS Answer Malformed Packet Attacks
  • DNS Query-Length Buffer Overflow
  • DNS Query Buffer Overflow - Unknown Request/Response
  • Man-in-the-Middle Attack
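"Restrict mismatched replies" and "cache protection" describe a stateful guard: a reply is only forwarded to a client if a query with the same transaction ID, source port and question is outstanding. The following is an added example, not Check Point's code, that builds and parses minimal DNS messages with struct so it runs offline, keeps that state, and also enforces the single-question format rule and the zone-transfer restriction. Names, addresses and the authorized-transfer host are assumptions from documentation ranges.

```python
"""Added example (not Check Point code): a DNS reply guard implementing the
"restrict mismatched replies", "restrict zone transfers" and query/response
format checks listed above. Messages are built and parsed with struct so the demo
runs offline; names and addresses are from documentation ranges."""
import struct

QTYPE_A, QTYPE_AXFR = 1, 252


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(txid: int, name: str, qtype: int, ipv4: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR=1, RD, RA, one answer
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # answer: pointer to the question name, type A, class IN, TTL 300, 4-byte rdata
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:                      # pointers and extended labels are illegal in QNAME
            raise ValueError("illegal label in question name")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), off


def parse_message(msg: bytes) -> dict:
    """Header plus the single question section; anything else is a format violation."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("question count must be 1")
    qname, off = decode_name(msg, 12)
    try:
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    except struct.error:
        raise ValueError("truncated question") from None
    return {"id": txid, "qr": bool(flags & 0x8000), "qname": qname, "qtype": qtype, "ancount": an}


class DnsReplyGuard:
    def __init__(self, allow_axfr_from=()):
        self.allow_axfr_from = set(allow_axfr_from)   # secondaries allowed to pull the zone
        self.pending = {}                               # (client_port, txid) -> (qname, qtype)

    def outbound_query(self, client_ip: str, client_port: int, msg: bytes) -> str:
        try:
            q = parse_message(msg)
        except (ValueError, IndexError, UnicodeDecodeError) as e:
            return f"drop: malformed query ({e})"
        if q["qr"]:
            return "drop: response flag set on a query"
        if q["qtype"] == QTYPE_AXFR and client_ip not in self.allow_axfr_from:
            return "drop: zone transfer from unauthorized host"
        self.pending[(client_port, q["id"])] = (q["qname"], q["qtype"])
        return "allow"

    def inbound_reply(self, client_port: int, msg: bytes) -> str:
        try:
            r = parse_message(msg)
        except (ValueError, IndexError, UnicodeDecodeError) as e:
            return f"drop: malformed reply ({e})"
        if not r["qr"]:
            return "drop: query flag on a reply"
        key = (client_port, r["id"])
        expected = self.pending.get(key)
        if expected is None:                          # wrong id, wrong port, or a duplicate
            return "drop: unsolicited reply (no matching id/port)"
        if expected != (r["qname"], r["qtype"]):       # id collides but the question differs
            return "drop: reply question does not match query"
        del self.pending[key]                          # first good reply wins
        return "allow"


if __name__ == "__main__":
    g = DnsReplyGuard(allow_axfr_from={"192.0.2.53"})
    print(g.outbound_query("192.0.2.10", 40001, build_query(0x1234, "www.example.com", QTYPE_A)))
    print(g.inbound_reply(40001, build_reply(0x1235, "www.example.com", QTYPE_A, "198.51.100.1")))
    print(g.inbound_reply(40001, build_reply(0x1234, "www.example.com", QTYPE_A, "192.0.2.80")))
```

The guard raises the cost of a blind spoofing attack from guessing a 16-bit ID to guessing ID and source port together, and the "first good reply wins" rule means a flood of guesses that lands after the legitimate answer is dropped as unsolicited; it does not help against an on-path attacker who sees the query, which is the man-in-the-middle case the page lists separately.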
Microsoft Networking
Attack Prevention Safeguards:
  • CIFS filename filtering (protect against worms utilizing CIFS protocol)
  • Restrict remote access to registry
  • Restrict remote null sessions
  • Restrict pop-up messages
  • Enforce ASN.1 standard
Attacks Blocked:
  • Bugbear Worm
  • Nimda Worm
  • Liotan Worm
  • Sasser Worm
  • Opaserv Worm
  • MS05-003 Indexing Service
  • MS05-010 License Logging Service

SSH

Attack Prevention Safeguards:
  • Enforce SSH v2 protocol
Attacks Blocked:
  • SSH v1 Buffer Overflow Attack

SNMP

Attack Prevention Safeguards:
  • Restrict SNMP get/set commands
  • Restrict known dangerous communities
  • Enforce or require SNMPv3 protocol
Attacks Blocked:
  • SNMP Flooding Attack
  • Default Community Attacks
  • Brute Force Attacks
  • SNMP Set Attack (unauthorized SNMP writes)

MS SQL

Attack Prevention Safeguards:
  • Block remote command execution
  • Restrict potentially dangerous commands (Information Leakage)
  • Restrict usage of default system administrator password
Attacks Blocked:
  • SQL Resolver Buffer Overflow
  • SQL Slammer Worm
  • Buffer Overflow (various attack variations)
  • MS SQL networking DoS (various DoS attack variations)
  • Heap Overflow Attack

Oracle SQL

Attack Prevention Safeguards:
  • Verify dynamic port allocation and initiation
Attacks Blocked:
  • SQLNet v2 Man-in-the-Middle Attack

SSL

Attack Prevention Safeguards:
  • Enforce SSL V3 protocol
Attacks Blocked:
  • SSL V2 Buffer Overflow

H.323

Attack Prevention Safeguards:
  • Verify protocol fields and values
  • Identification and restriction of the PORT command
  • Enforce existence of mandatory fields
  • Enforce user registration
  • Prevent VoIP firewall holes
  • Disable H.323 audio and video transmissions
  • Enforce H.323 call duration limits
  • For H.323, allow only traffic associated with a specific call
  • For H.323, restrict blank source in calls
Attacks Blocked:
  • Buffer Overflow Attacks
  • Man-in-the-Middle Attack

MGCP

Attack Prevention Safeguards:
  • Verify protocol fields and values
  • Identification and restriction of the PORT command
  • Enforce existence of mandatory fields
  • Enforce user registration
  • Prevent VoIP firewall holes
  • Enforce MGCP protocol
  • Verify state of MGCP commands
  • Restrict unknown and unsafe MGCP commands
Attacks Blocked:
  • Buffer Overflow Attacks
  • Man-in-the-Middle Attack

SCCP (Cisco VoIP)

Attack Prevention Safeguards:
  • Enforce SCCP protocol
  • Secure SCCP dynamic ports
  • Verify state of SCCP commands
  • Verify protocol fields and values
  • Identification and restriction of the PORT command
  • Enforce existence of mandatory fields
  • Enforce user registration
  • Prevent VoIP firewall holes
Attacks Blocked:
  • Buffer Overflow Attacks
  • Man-in-the-Middle Attack

SIP

Attack Prevention Safeguards:
  • Limit number of INVITE commands (DoS protection)
  • Restrict SIP-based instant messaging
  • Verify protocol fields and values
  • Identification and restriction of the PORT command
  • Enforce existence of mandatory fields
  • Enforce user registration
  • Prevent VoIP firewall holes
  • Restrict MSN Messenger file transfers
  • Restrict MSN Messenger application sharing
  • Restrict MSN Messenger whiteboard sharing
  • Restrict MSN Messenger remote assistance
Attacks Blocked:
  • Buffer Overflow Attacks
  • Man-in-the-Middle Attack

X11

  • Restrict reverse injection
  • Block special clients

 

DHCP

  • Perform Strict DHCP options enforcement
  • Block BOOTP clients
  • Block non-Ethernet DHCP clients

 

Peer-to-Peer

  • Block IRC protocol on all TCP high ports
  • Restrict P2P connections
  • Restrict P2P connections on non-HTTP ports

 

SOCKS

  • Drop SOCKS versions other than Version 5
  • Block unauthenticated SOCKS connections

 

Routing Protocols

  • Enforce MD5 routing authentication on various routing protocols (OSPF, BGP, RIP)
  • Enforce the validity of IGMP packets

 

Content Protection

  • Block Malformed JPEG
  • Block Malformed ANI file
  • Block Malformed GIF

 

Instant Messengers

Attack Prevention Safeguards:
  • Block invalid MSN Messenger over MSNMS patterns (prevent worm infection)
  • Block file transfer in Instant Messages via MSN/Windows Messenger
  • Block the MSN_Messenger group
Attacks Blocked:
  • Bropia.E Worm
  • Kelvir.B Worm

 

Remote Control Applications

  • Block VNC connections on the VNC port and on other ports
  • Block Remote Administrator connection attempts made both on the Remote Administrator well-known port and on other ports
  • Enforce authentication scheme on Radmin connections