
Protocols & Related Defenses

Transport Layer

Check Point's perimeter, internal and web security gateway solutions block many attacks and provide numerous attack prevention safeguards. This table lists some of these defenses and organizes them by protocol and OSI Model layer.

Note: Check Point continually expands the breadth of defenses provided. This table is a snapshot, not an exhaustive list.

Attack Prevention Safeguards
Attacks Blocked

TCP

Attack Prevention Safeguards:

  • Enforce correct usage of TCP flags
  • Limit per-source sessions
  • Enforce minimum TCP header length
  • Block unknown protocols
  • Restrict FIN packets with no ACK
  • Enforce that the TCP header length indicated in the header does not exceed the packet size indicated by the header
  • Block out-of-state packets
  • Verify that first connection packet is SYN
  • Enforce 3-way handshake: Between SYN and SYN-ACK, client can send only RST or SYN
  • Enforce 3-way handshake: Between SYN and connection establishment, server can send only SYN-ACK or RST
  • Block SYN on established connection before FIN or RST packet is encountered
  • Restrict server-to-client packets belonging to old connections
  • Drop server-to-client packets belonging to old connections if packets contain SYN or RST
  • Block TCP fragments
  • Block SYN fragments
  • Scramble OS fingerprint
  • Verify TCP packet sequence number for packets belonging to an existing session
  • Enforce TCP session sequence verification (Protect persistent unauthenticated network sessions)
  • Network Quota - enforcing a limit upon the number of connections that are allowed from the same source IP, to protect against Denial Of Service attacks
  • Anomaly detection - used ports
  • Drop ICMP error packets that belong to established TCP connections

Attacks Blocked:

  • ACK Denial-of-Service Attack
  • SYN Attack
  • Land Attack
  • Tear Drop Attack
  • Session Hijacking Attack
  • Jolt Attack
  • Bloop Attack
  • Cpd Attack
  • Targa Attack
  • Twinge Attack
  • Small PMTU Attack
  • Session Hijacking Attacks (TCP sequence number manipulation)
  • TCP-Based Attacks Spanning Multiple Packets
  • XMAS Attacks
  • Port Scan
  • Witty worm
  • Cisco IOS DOS
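
The stateless TCP safeguards listed above (minimum header length, header length not exceeding packet size, correct flag usage, FIN with no ACK) can be expressed as a small per-segment check. This is an added example, not Check Point code; the specific flag combinations treated as invalid (null, SYN with FIN or RST, FIN+PSH+URG) are assumptions chosen for illustration, and `check_tcp_segment` and `build_segment` are hypothetical names.

```python
import struct

# TCP flag bits as defined in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MIN_TCP_HEADER = 20  # bytes, i.e. a data offset of five 32-bit words
XMAS = FIN | PSH | URG


def check_tcp_segment(segment: bytes) -> list[str]:
    """Return the sanity rules violated by one raw TCP segment (empty list = pass)."""
    if len(segment) < MIN_TCP_HEADER:
        return ["segment shorter than minimum TCP header"]
    # Ports, sequence and ack numbers are unpacked but not used by these stateless checks.
    _sport, _dport, _seq, _ack, off_byte, flag_byte = struct.unpack(
        "!HHIIBB", segment[:14]
    )
    header_len = (off_byte >> 4) * 4  # data offset is counted in 32-bit words
    flags = flag_byte & 0x3F
    violations = []
    if header_len < MIN_TCP_HEADER:
        violations.append("header length below minimum")
    if header_len > len(segment):
        violations.append("header length exceeds packet size")
    # Flag combinations below are illustrative assumptions, not the vendor's rule set.
    if flags == 0:
        violations.append("no flags set (null packet)")
    if (flags & SYN) and (flags & (FIN | RST)):
        violations.append("SYN combined with FIN or RST")
    if (flags & FIN) and not (flags & ACK):
        violations.append("FIN without ACK")
    if (flags & XMAS) == XMAS:
        violations.append("FIN+PSH+URG set (XMAS pattern)")
    return violations


def build_segment(flags: int, data_offset: int = 5, payload: bytes = b"") -> bytes:
    """Build a constructed sample segment; ports, sequence number and window are arbitrary."""
    header = struct.pack(
        "!HHIIBBHHH", 40000, 80, 1000, 0, data_offset << 4, flags, 65535, 0, 0
    )
    return header + payload


if __name__ == "__main__":
    for name, seg in [("SYN", build_segment(SYN)), ("FIN only", build_segment(FIN)),
                      ("XMAS", build_segment(XMAS)), ("offset 8", build_segment(ACK, 8))]:
        print(f"{name:10} -> {check_tcp_segment(seg) or 'ok'}")
```

Stateful safeguards in the list, such as handshake enforcement and sequence verification, need a connection table and are outside what this per-segment check covers.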

UDP

Attack Prevention Safeguards:

  • Verify UDP length field
  • Match UDP requests and responses
  • Non-TCP Flooding - limit percentage of non-TCP connections to prevent DoS

Attacks Blocked:

  • Port Scan