
Security Best Practice: Protect Yourself from Port Scans


Check Point Reference: SBP-2008-17
Date Published:
Severity:
Last Updated:
Source: IPS Research Center
Protection Provided by:
  • Security Gateway R70
  • VPN-1 NGX R65
  • VSX NGX R65
Who is Vulnerable?
Hosts and Networks
Vulnerability Description
A port scanner is a software application designed to probe a network host for open ports. Administrators use it to verify that their network security policy is actually enforced; attackers use it to identify the services running on a host with a view to compromising them.
Vulnerability Details
IPS/SmartDefense offers the following protections:

Host Port Scan - A host port scan is directed at a specific host (or at each host in a network) and determines which services that host offers. For example, a host port scan could find that TCP ports 23, 25 and 110 are open on a host, meaning it offers the Telnet, SMTP and POP3 services, respectively. Attackers can then direct their efforts against those services on that machine.

Sweep Scan - An IP sweep scan looks for a single open port across many hosts and determines where it is available. IP sweep scans are typically used by network worms looking for machines on which to propagate. The Blaster worm, for example, sweeps the entire network for the Windows RPC (DCOM) service on TCP port 135 and attacks every host on which it finds that port open.

Protection Overview
IPS/SmartDefense collects statistics on how many inactive ports each client accessed during a given time. For example, if a single client makes twenty attempts to access inactive ports within a 30-second time frame, IPS/SmartDefense recognizes this behavior as a port scan attack. It then logs the event or, if configured, notifies you.
 
Information regarding the SmartView Tracker logs for port scans:

  • Distinct: one dominant source was found scanning several ports on one host (above the threshold), or several hosts.
  • Distributed: many sources are scanning your network, with no single source dominating.
  • Ambiguous: several sources were found scanning your network, but it is inconclusive which one is leading the attack.
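The following is an added example, not Check Point's IPS/SmartDefense code: a sliding-window detector that mirrors the heuristic described above (twenty hits on inactive ports inside 30 seconds) and tags each alert as Host Port Scan or Sweep Scan with the Distinct, Distributed or Ambiguous label. The log format, the share cut-offs used to pick a label (75% from one source is "Distinct", no source above 25% is "Distributed") and the traffic it runs over are all constructed for illustration.

```python
"""Added example: sliding-window port-scan detector (not Check Point code).
Thresholds, label cut-offs and the log format below are assumptions."""
from collections import Counter, defaultdict, deque

THRESHOLD = 20    # distinct inactive ports (or hosts) hit inside one window
WINDOW = 30.0     # seconds
DOMINANT = 0.75   # assumed: one source with >= 75% of the hits -> "Distinct"
SPREAD = 0.25     # assumed: no source above 25% of the hits   -> "Distributed"


class ScanDetector:
    """Two views of the same traffic: per target host (Host Port Scan, many
    ports on one host) and per destination port (Sweep Scan, one port on
    many hosts).  Only attempts against inactive ports are counted."""

    def __init__(self):
        self.host_win = defaultdict(deque)   # dst_ip   -> (ts, src, dst_port)
        self.sweep_win = defaultdict(deque)  # dst_port -> (ts, src, dst_ip)
        self.alerts = []

    def feed(self, ts, src, dst, port, accepted):
        """One connection attempt.  accepted=False means no listener on the
        port (RST or drop): that is the 'inactive port' the heuristic counts."""
        if accepted:
            return
        self._check("Host Port Scan", self.host_win[dst], ts, src, port, dst)
        self._check("Sweep Scan", self.sweep_win[port], ts, src, dst, port)

    def _check(self, attack, win, ts, src, unit, target):
        win.append((ts, src, unit))
        while ts - win[0][0] > WINDOW:          # expire hits outside the window
            win.popleft()
        if len({u for _, _, u in win}) < THRESHOLD:
            return
        by_src = Counter(s for _, s, _ in win)
        top_src, top_hits = by_src.most_common(1)[0]
        share = top_hits / len(win)
        if share >= DOMINANT:
            info, attacker = "Distinct", top_src
        elif share <= SPREAD:
            info, attacker = "Distributed", None
        else:
            info, attacker = "Ambiguous", None
        self.alerts.append({"attack": attack, "info": info, "target": target,
                            "attacker": attacker, "sources": len(by_src)})
        win.clear()   # one alert per scan, not one per further packet


def constructed_log():
    """Constructed firewall log: (ts, src_ip, dst_ip, dst_port, accepted)."""
    log = []
    # 1. host port scan: one source walks TCP 1-25 on one host in ~10 s
    for i in range(25):
        log.append((0.4 * i, "203.0.113.7", "192.0.2.10", 1 + i, False))
    # 2. sweep scan: one source tries TCP 135 on 25 hosts (Blaster-style)
    for i in range(25):
        log.append((100 + 0.5 * i, "203.0.113.8", f"192.0.2.{20 + i}", 135, False))
    # 3. benign: a mail client reaches SMTP, then hits a closed POP3 port once
    log.append((200.0, "198.51.100.5", "192.0.2.10", 25, True))
    log.append((201.0, "198.51.100.5", "192.0.2.10", 110, False))
    # 4. distributed: 25 different sources each probe one port on one host
    for i in range(25):
        log.append((300 + 0.5 * i, f"203.0.113.{100 + i}", "192.0.2.30", 1000 + i, False))
    # 5. ambiguous: two sources split ports 1-20 on one host between them
    for i in range(20):
        src = "203.0.113.9" if i % 2 == 0 else "203.0.113.10"
        log.append((400 + 0.5 * i, src, "192.0.2.40", 1 + i, False))
    return sorted(log)


def run(log=None):
    """Feed a time-ordered log through the detector and return its alerts."""
    det = ScanDetector()
    for entry in (log if log is not None else constructed_log()):
        det.feed(*entry)
    return det.alerts


if __name__ == "__main__":
    for a in run():
        print(f"Attack Name: {a['attack']:15} Attack Information: {a['info']:12} "
              f"target={a['target']} attacker={a['attacker']} sources={a['sources']}")
```

Running it yields four alerts in order: a Distinct Host Port Scan from 203.0.113.7 against 192.0.2.10, a Distinct Sweep Scan on port 135 from 203.0.113.8, a Distributed Host Port Scan against 192.0.2.30 (twenty sources, none dominant) and an Ambiguous one against 192.0.2.40 (two sources with equal shares); the benign mail client never reaches the threshold. The caveat any window-based heuristic carries is visible in the code: a scanner that spaces probes more than WINDOW apart (nmap's slow timing templates do exactly this) never accumulates twenty hits in one window and is not flagged, so this protection should be tuned, not relied on alone.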

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Network Security > Port Scan.
2. In the right pane, double-click the following protections:

Host Port Scan
Sweep Scan

3. In the Protection Details window, click Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect) and apply any Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Host Port Scan
Attack Name: Host Port Scan
Attack Information:
Distinct
Distributed
Ambiguous

Sweep Scan
Attack Name: Sweep Scan
Attack Information:
Distinct
Distributed
Ambiguous

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Network Security > Port Scan.
2. Select the following protections:

Host Port Scan
Sweep Scan

3. In the configuration pane, under Settings > Mode, check Active and apply any additional settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Host Port Scan
Attack Name: Host Port Scan
Attack Information:
Distinct
Distributed
Ambiguous

Sweep Scan
Attack Name: Sweep Scan
Attack Information:
Distinct
Distributed
Ambiguous