
Security Best Practice: Get Yourself Familiar with the Header Rejection Tool


Check Point Reference: SBP-2008-07
Date Published:
Severity:
Source: SmartDefense Research Center
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Who is Vulnerable?
HTTP Servers & Clients
Vulnerability Description
Web servers and applications parse not only the URL, but also the rest of the HTTP header data. Incorrect parsing can lead to buffer overruns and other vulnerabilities, and some exploits use the HTTP headers to cause damage. The exploit can be carried in standard headers (the Host header, for example) with custom values, or in custom headers. Such attacks can be blocked using signatures that are defined using regular expressions.

Web Intelligence can provide protection against many HTTP threats, including preventing attacks that run malicious code on web servers or clients. SmartDefense allows Administrators to configure signatures that will be detected and blocked by Gateways. The SmartDefense subscription service regularly updates signature patterns for common malware. In addition, an Administrator can define custom header rejection patterns.
Vulnerability Details
Web Intelligence's Header Rejection tool can:

  • Detect and block various programs and malware based on pre-defined header names.
  • Be updated for new patterns, manually or automatically (through the SmartDefense subscription service).

Protection Overview
When this protection is enabled, SmartDefense detects and rejects HTTP requests that contain specific headers and header values.

Please note that the Header Rejection tool can be used to block malware traffic. It cannot be used to remove an existing malware infection.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > Header Rejection.



2. In the Header Rejection configuration pane, under Header Rejection Settings > Mode, check Active.
3. Under Header Rejection, enable the protections of your choice.
4. Under Protection Scope, you can apply the protections either to all HTTP traffic or only to selected web servers. You can also choose to apply the protections to connections related to URI resources.



5. Install policy on all modules.

How to define a custom header rejection pattern:
1. In the Header Rejection configuration pane, under HTTP Headers, click on Edit. The Header Rejection Patterns pane opens. Click on Add.
2. The Header Detection Properties pane opens. Give the pattern a name (Application Name). This name appears in the log entry that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Choose a Header Name (for example: Host or User-Agent).
4. Under Header Value, choose "Specific" and enter the regular expression (case-sensitive) you want to block or detect. Click OK. The newly defined pattern now appears in the Header Rejection list.



5. Install policy on all modules.
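
Before installing a custom pattern, it helps to check it offline against sample requests. The script below is an added example, not Check Point code: it applies (Application Name, Header Name, Header Value regex) entries to constructed HTTP requests and reports misses and false positives. It assumes Python `re` syntax and match-anywhere semantics as a stand-in for the gateway's regular expression engine, which this page does not describe; all pattern and header names are hypothetical.

```python
import re

# Hypothetical pattern entries mirroring the dialog fields:
# (Application Name, Header Name, Header Value regex).
PATTERNS = [
    ("Example P2P client", "User-Agent", r"ExampleP2P/[0-9]+\.[0-9]+"),
    ("Example tunnel tool", "X-Example-Tunnel", r".+"),
]

def parse_headers(raw_request):
    """Return (name, value) pairs from the header block of a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def rejected_by(raw_request, patterns=PATTERNS):
    """Return Application Names whose pattern matches a header of the request."""
    hits = []
    for app, header_name, value_re in patterns:
        for name, value in parse_headers(raw_request):
            # HTTP header names are case-insensitive; the value regex is
            # case-sensitive (no re.I), as the page states.
            if name.lower() == header_name.lower() and re.search(value_re, value):
                hits.append(app)
                break
    return hits

def evaluate(samples, patterns=PATTERNS):
    """Compare expected verdicts with pattern results; return mismatches."""
    problems = []
    for label, raw, should_reject in samples:
        if bool(rejected_by(raw, patterns)) != should_reject:
            problems.append((label, "missed" if should_reject else "false positive"))
    return problems

# Constructed sample requests: (label, raw request, expected to be rejected?)
SAMPLES = [
    ("browser", "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n", False),
    ("p2p", "GET /x HTTP/1.1\r\nHost: a.example\r\nUser-Agent: ExampleP2P/2.1\r\n\r\n", True),
    ("p2p lowercase", "GET /x HTTP/1.1\r\nHost: a.example\r\nuser-agent: examplep2p/2.1\r\n\r\n", True),
    ("tunnel", "POST /t HTTP/1.1\r\nHost: b.example\r\nX-Example-Tunnel: 1\r\n\r\n", True),
]

if __name__ == "__main__":
    for label, verdict in evaluate(SAMPLES):
        print(f"{label}: {verdict}")
```

With the patterns as written, the "p2p lowercase" sample is reported as missed because the value regex is case-sensitive; writing the value with character classes such as `[Ee]xample[Pp]2[Pp]` closes that gap.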

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: Application's Name

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection.



2. In the Header Rejection configuration pane, under Header Rejection, enable the protections of your choice.
3. Under Protection Scope, you can apply the protections either to all HTTP traffic or only to selected web servers. You can also choose to apply the protections to connections related to URI resources.



4. Install policy on all modules.

How to define a custom header rejection pattern:
1. In the Header Rejection configuration pane, under Header Rejection, click on Add.
2. The Header Detection Properties pane opens. Give the pattern a name (Application Name). This name appears in the log entry that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Choose a Header Name (for example: Host or User-Agent).
4. Under Header Value, choose "Specific" and enter the regular expression (case-sensitive) you want to block or detect. Click OK. The newly defined pattern now appears in the Header Rejection list.



5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: Application's Name

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection and enable Peer to Peer.



2. In the Peer to Peer configuration pane, under Header Detection, enable the protections of your choice.
3. Install policy on all modules.

How to define a custom header rejection pattern:
1. In the Peer to Peer configuration pane, under Header Detection, click on Add.
2. The Header Detection Properties pane opens. Give the pattern a name (Application Name). This name appears in the log entry that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Choose a Header Name (for example: Host or User-Agent).
4. Under Header Value, choose "Specific" and enter the regular expression (case-sensitive) you want to block or detect. Click OK. The newly defined pattern now appears in the Header Detection list.



5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: Application's Name

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > Header Rejection.



2. In the Header Rejection configuration pane, under Header Rejection Settings > Mode, check Active.
3. Under Header Rejection, enable the protections of your choice.
4. Under Protection Scope, you can apply the protections either to all HTTP traffic or only to selected web servers. You can also choose to apply the protections to connections related to URI resources.



5. Install policy on all modules.

How to define a custom header rejection pattern:
1. In the Header Rejection configuration pane, under HTTP Headers, click on Edit. The Header Rejection Patterns pane opens. Click on Add.
2. The Header Detection Properties pane opens. Give the pattern a name (Application Name). This name appears in the log entry that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Choose a Header Name (for example: Host or User-Agent).
4. Under Header Value, choose "Specific" and enter the regular expression (case-sensitive) you want to block or detect. Click OK. The newly defined pattern now appears in the Header Rejection list.



5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: Application's Name

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection and enable Peer to Peer.
2. In the Peer to Peer configuration pane, under Header Detection, enable the protections of your choice.
3. Install policy on all modules.

How to define a custom header rejection pattern:
1. In the Peer to Peer configuration pane, under Header Detection, click on Add.
2. The Header Detection Properties pane opens. Give the pattern a name (Application Name). This name appears in the log entry that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Choose a Header Name (for example: Host or User-Agent).
4. Under Header Value, choose "Specific" and enter the regular expression (case-sensitive) you want to block or detect. Click OK. The newly defined pattern now appears in the Header Detection list.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: Application's Name

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection.



3. In the Header Rejection configuration pane, under Header Rejection, enable the protections of your choice.
4. Under the Protection Scope you can either choose to apply the protections to all HTTP traffic or only to defined web servers.
5. Install policy on all modules.

How to define a custom header rejection pattern:
1. In the Header Rejection configuration pane, under Header Rejection, click on Pattern Definitions. The Header Rejection Patterns pane opens. Click Add.
2. The Header Detection Properties pane opens. Give the pattern a name (Application Name). This name appears in the log entry that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Choose a Header Name (for example: Host or User-Agent).
4. Under Header Value, choose "Specific" and enter the regular expression (case-sensitive) you want to block or detect. Click OK. The newly defined pattern now appears in the Header Rejection list.



5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: Application's Name