Web servers are vulnerable to numerous attacks, ranging from application-based attacks such as cross-site scripting, command injection and directory traversal, through information-gathering attacks such as header spoofing, to abuse of non-RFC-compliant HTTP protocol sessions. If successfully exploited, these attacks may allow an attacker to steal sensitive user information, gain unauthorized access, execute restricted commands and more.
Web Intelligence protections are designed specifically for Web-based attacks. These protections can be applied to any Check Point gateway or host object that has been defined as a Web server.
Severity:
Details:
Web Intelligence protections are organized into a number of protection classes:
Malicious Code - These protections prevent attacks that run malicious code on Web servers or clients. This is done without requiring a signature for the attack, which is normally available only after the attack has been analyzed. See CPSA-2004-06.
Application Layer - This class of protections prevents attackers from introducing text, tags, commands, or other characters that a Web application will interpret as special instructions. Advanced defenses in this class include Cross-Site Scripting (CPSA-2005-03), SQL Injection (CPSA-2005-02) and Command Injection (CPSA-2004-07).
Information Disclosure - This class of protections prevents an attacker from getting the Web server to reveal information that can be used to launch an attack. One such protection is Error Concealment (CPSA-2005-09), which conceals error messages returned by the server that may reveal sensitive information.
HTTP Protocol Inspection - This class of protections provides strict enforcement of the HTTP protocol, including limits on URL length, header length, number of headers and more. For more information, refer to CPSA-2005-09, CPAI-2005-31 and CPAI-2004-41.
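The following Python is an added illustration of what two of these protection classes enforce on the wire; it is not Check Point code. It models HTTP Protocol Inspection format-size checks (URL length, header length, header count) on a raw request head, and Information Disclosure error concealment on a server response. The limit values, the generic error page and the set of concealed status codes are assumptions chosen for the example; the real gateway values are set in each protection's settings.

```python
"""Toy model of two Web Intelligence protection classes described above:
HTTP Protocol Inspection (format sizes) and Information Disclosure (error
concealment). Added illustration, not Check Point code; the limit values
and the generic error page are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FormatLimits:
    # Assumed values; the real gateway limits are configured per protection.
    max_url_len: int = 2048
    max_header_len: int = 8192
    max_header_count: int = 64


def inspect_request(raw: bytes, limits: Optional[FormatLimits] = None) -> List[str]:
    """Check the head of a raw HTTP/1.x request against size limits.

    Returns a list of violations; an empty list means the request passes.
    Only the request head (up to the first blank line) is inspected.
    """
    limits = limits or FormatLimits()
    violations: List[str] = []
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")

    # Request line must be exactly METHOD SP URL SP HTTP/x.y
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["malformed request line"]
    url = parts[1]
    if len(url) > limits.max_url_len:
        violations.append(f"URL length {len(url)} exceeds {limits.max_url_len}")

    headers = [h for h in lines[1:] if h]  # drop empty trailing elements
    if len(headers) > limits.max_header_count:
        violations.append(f"header count {len(headers)} exceeds {limits.max_header_count}")
    for h in headers:
        if len(h) > limits.max_header_len:
            violations.append(f"header length {len(h)} exceeds {limits.max_header_len}")
        if b":" not in h:
            violations.append(f"header without ':' separator: {h[:32]!r}")
    return violations


GENERIC_ERROR_PAGE = b"<html><body>An error has occurred.</body></html>"  # assumed page


def conceal_error(status: int, body: bytes,
                  conceal_codes: Tuple[int, ...] = (404, 500)) -> Tuple[int, bytes, bool]:
    """Replace the body of selected error responses with a generic page.

    The original body may leak file-system paths, stack traces or server
    version strings. The status code is kept; whether the gateway also
    rewrites it is not stated in the advisory, so this toy does not.
    Returns (status, body, concealed).
    """
    if status in conceal_codes:
        return status, GENERIC_ERROR_PAGE, True
    return status, body, False
```

A request that trips a limit is reported rather than silently normalized, which mirrors the point of the protection class: a 3000-byte URL or a 70-header request is not something a legitimate client of a small Web application sends, so the gateway can reject it before the server parses it. Error concealment works on the other direction of the same session.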
Attack Detection:
Users of VPN-1 NG with Application Intelligence R55W, VPN-1 NGX R60 and Connectra can identify Web-based attacks by the following log entries (each Web Intelligence protection produces its own log format). Examples from two of the Web Intelligence categories:
Information Disclosure (Error Concealment):
Attack Name: Error Concealment
Attack Information: reason: WSE0160001 Concealed HTTP response status code: '404'
HTTP Protocol Inspection:
Attack Name: HTTP Format Sizes
Attack Information: WSE0020004 URL length exceeded allowed maximum length in request
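As an added example of consuming these entries (not Check Point code, and not a description of any Check Point log export), the Python below parses log lines of the shape shown above, extracts the attack name, the WSE reason code and the concealed status code where present, and tags each entry with its protection class. The sample lines are constructed from the two entries quoted in this advisory; the attack-name-to-class table covers only the names the advisory lists and should be extended for other protections.

```python
"""Normalize Web Intelligence log entries of the shape shown under Attack
Detection and tag each with its protection class. Added example, not Check
Point code. The sample lines are constructed from the advisory's two
examples; the category table covers only the attack names the advisory lists."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Attack Name -> protection class, taken from the advisory's examples.
CATEGORY_BY_ATTACK = {
    "Error Concealment": "Information Disclosure",
    "HTTP Format Sizes": "HTTP Protocol Inspection",
}

ENTRY_RE = re.compile(
    r"Attack Name:\s*(?P<name>.+?)\s+(?:Attack\s+)?Information:\s*(?P<info>.+)$"
)
WSE_RE = re.compile(r"\b(WSE\d+)\b")
STATUS_RE = re.compile(r"status code:\s*'(\d{3})'")


def parse_entry(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Extract attack name, WSE reason code, concealed status (if any) and category."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    name = m.group("name").strip()
    info = m.group("info").strip()
    wse = WSE_RE.search(info)
    status = STATUS_RE.search(info)
    return {
        "attack_name": name,
        "category": CATEGORY_BY_ATTACK.get(name, "Unknown"),
        "wse_code": wse.group(1) if wse else None,
        "concealed_status": status.group(1) if status else None,
        "info": info,
    }


def count_by_category(lines: Iterable[str]) -> Counter:
    """Tally parsed entries per protection class; unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry:
            counts[entry["category"]] += 1
    return counts


# Constructed sample log, modelled on the two entries quoted in the advisory.
SAMPLE_LOG = [
    "Attack Name: Error Concealment Attack Information: reason: WSE0160001 "
    "Concealed HTTP response status code: '404'",
    "Attack Name: HTTP Format Sizes Attack Information: WSE0020004 URL length "
    "exceeded allowed maximum length in request",
    "Attack Name: Error Concealment Attack Information: reason: WSE0160001 "
    "Concealed HTTP response status code: '500'",
    "Jun  1 12:00:00 gw kernel: unrelated line",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_entry(line))
    print(count_by_category(SAMPLE_LOG))
```

Keying on the WSE reason code rather than on the free-text message is the more robust choice for alerting rules, since the message wording may vary between releases while the code identifies the specific check that fired.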
Solution:
Web Intelligence focuses on protecting Web servers against attacks. Web server objects are therefore defined first, and protections are then applied either to all Web servers or to selected Web servers.
To define a gateway or host object as a web server:
1. From the Network Objects tree in SmartDashboard, right-click the Nodes icon.
2. From the Nodes menu, select New Node > Host.
3. Give the server a name and IP address; click Configure Servers and select the Web Server option; click OK.
4. Click the Web Server tab; if the server listens on ports in addition to the standard TCP port 80, check Server uses additional ports and enter the selected port(s).
5. Click OK.
6. Select the Web Intelligence protection you wish to enable; in the protection screen (e.g. Command Injection), click Apply to selected Web servers and add the host you have configured.
7. Install the security policy on all modules.
Industry Reference:
Additional Information:
CPAI-2005-122, CPAI-2005-128: Examples of how to configure a Web server on a non-standard port (e.g. 3443, 21700)