SmartDefense DShield Storm Center: Share Malicious IP Addresses with Other Organizations
| Check Point Reference: | SBP-2006-09 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | SmartDefense Research Center | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? | ||
| Vulnerability Description Storm Centers collect logging information about attacks, provided voluntarily by organization from all around the world. Storm Centers compare and present reports on real-time threats to network security. The SmartDefense Storm Center Module enables information flow between the network Storm Centers, and the organizations requiring network security information. One of the leading Storm Centers is SANS Dshield.org. DShield.org gathers statistics and presents it as a series of reports at http://secure.dshield.org/reports.php. |
||
|
Vulnerability Details Check Point SmartDefense integrates with the SANS DShield.org Storm Center in two ways: 1. Retrieving and blocking malicious IPs - The DShield.org Storm Center produces a frequently updated Block List report, which is a list of address ranges that are worth blocking. The SmartDefense Storm Center retrieves and adds this list to the Security Policy. 2. Reporting to DShield - You can decide to send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network. You can decide which logs to send by selecting the rules for which you want to send logs. The logs that are submitted to the Storm Center contain information such as Connection parameters (Source IP Address, Destination IP Address, Source Port, Destination Port, IP protocol) and Rule Base Parameters (Time, action). Storm Centers have a special interest in receiving logging information about issues such as unwanted port 80 traffic reaching the organization and HTTP Worms caught by the SmartDefense General HTTP Worm Catcher. |
Protection Overview
The SmartDefense Storm Center Module is included in the standard FireWall-1 product installation. It enables you to send and receive a list of malicious IP addresses. The received IP ranges will be blocked by SmartDefense and the sent IP addresses will be included in DShield.org's Block List, enabling other clients to protect themselves from these malicious IP addresses.
To configure the defense, select your product from the list below and follow the related protection steps.
VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the SmartDefense tree, click Network Security > DShield Storm Center; the DShield Storm Center page opens.
Select Retrieve and block malicious IPs to retrieve and add the Block List to the Security Policy. You can receive the Block List without registering with DShield.
Select Report to DShield to send logs to the Storm Center in order to help other organizations. You can decide which logs to send by selecting the rules for which you want to send logs. Storm Center Login is the username and password you received from DShield. To submit logs to DShield, you must register at http://secure.dshield.org/cp/register.php .
2. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
If you click Retrieve and block malicious IPs the Storm Center Module will receive the Block List of malicious IP addresses from DShield.org via HTTPS.
SmartView Tracker will log the following entry:
Attack Information: IP Blocklist Updated
If you click Report to DShield, SmartView Tracker will Show the submission of logs to the Storm Center:
