The NGX platform delivers hundreds of important new features, improvements, and enhancements to over twenty Check Point products, offering stronger security enforcement, VPN, and management capabilities - addressing your most challenging security problems.
Learn more about the specific features and benefits of upgrading your Check Point products to the NGX platform below and start planning your upgrade today.
See what's new by product
SmartDefense
SmartDefense Services tab
- SmartDashboard now has a new tab called SmartDefense Services. This tab enables universal updatability, meaning the ability to update all available products from a centralized location.
The new tab contains the following views:
- Download Updates
- Advisories
- Security Best Practices
Expanded security and protection against malicious threats
- New web protections have been added to prevent:
- Directory Listing
- LDAP Injection
- Display of web server error messages in the browser, a feature known as Error Concealment
- Specific behavioral patterns to be blocked by the Cross-Site Scripting, SQL Injection and Command Injection defenses in Web Intelligence can now be defined by the user.
- Malicious code protector is now supported on SPARC processors.
- It is now possible to run all protections on specific web servers in monitor-only mode, while on other servers the protections remain active.
- Different HTTP method schemes can now be set for each web server.
- Server-based Security Policy configuration is enhanced, and completely integrated into SmartDefense. The result is an easy and granular defense configuration that retains the global view that is present in SmartDefense.
Multiple SmartDefense Profiles, Centrally-Managed
- Define multiple SmartDefense profiles and associate them with Check Point gateways.
- Each gateway can have different defense settings and SmartDefense attributes.
- Centrally manage all profiles on all gateways through the SmartDashboard.
Download Updates
- In this view you can review information regarding available versus downloaded updates for all kinds of products. Each entry in the table describes an update package as follows:
VPN-1 NGX R61: describes SmartDefense and Web Intelligence updates for the following network objects:
- VPN-1 Power (VPN-1 Pro) / VPN-1 UTM (Check Point Express / Express CI) gateways
- VPN-1 Power (VPN-1 Pro) / VPN-1 UTM (Check Point Express / Express CI) clusters
- UTM-1 Edge/Embedded gateways
- VPN-1 VSX gateways
- VPN-1 VSX Clusters
InterSpect 1.x and 2.0: describes SmartDefense and Web Intelligence updates for centrally managed InterSpect gateways of versions 1.0, 1.1, 1.5 and 2.0. This entry will appear only if the aforementioned gateways are defined in SmartDashboard.
InterSpect NGX: describes SmartDefense and Web Intelligence updates for centrally managed InterSpect gateways of version NGX. This entry will appear only if the aforementioned gateways are defined in SmartDashboard.
Connectra 2.0: describes SmartDefense and Web Intelligence updates for centrally managed Connectra gateways of version 2.0. This entry will appear only if the aforementioned gateways are defined in SmartDashboard.
Connectra NGX: describes SmartDefense and Web Intelligence updates for centrally managed Connectra gateways of version NGX. This entry will appear only if the aforementioned gateways are defined in SmartDashboard.
VPN-1 UTM (Check Point Express / Express CI): describes manual signature updates for gateways that have AntiVirus installed. To implement this, make sure that AntiVirus is checked in the Check Point Products list on the General page. This entry will appear only if the aforementioned gateways are defined in SmartDashboard.
UTM-1 Edge: describes manual signature updates for UTM-1 Edge gateways that have AntiVirus installed; these are defined on the Content Filtering tab of the Gateway Properties window. This entry will appear only if the aforementioned gateways are defined in SmartDashboard.
For each of the aforementioned entries, the following information applies:
- Last downloaded update column: this reflects the update that is currently downloaded in SmartCenter. Clicking the link displays the highlights of the currently installed update. (For the CI entries such information does not exist.)
- Available new update column: this reflects the latest available update on the download center. Clicking the link displays the highlights of the newest update. (For the CI entries such information does not exist.)
- Deployment Status column: this shows which update version is installed on each gateway, as well as the gateway status:
- Up to date - the gateway has the latest available update installed.
- Out of date - the gateway does not have the latest update installed.
- Not available - there is no update currently installed on the gateway.
Advisories
- In this view you can see detailed descriptions and step-by-step instructions on how to activate and configure the relevant defenses provided by Check Point products and SmartDefense Updates. The view has two states:
- When the user is not logged in to the UserCenter: clicking an entry in the Check Point Reference column displays a description of the vulnerability.
- When the user is logged in to the UserCenter (via the Log in to UserCenter link located at the top of the page): a full step-by-step solution to the described attacks is provided.
Security Best Practices
- In this view you can see the latest security recommendations briefs from Check Point. This view also has two versions as described in “Advisories”.
Web Intelligence
Monitor-only Mode
- Many of the new features have a monitor-only mode where features are activated in a mode that issues logs but does not block traffic. This usability element is helpful in the transition phase, when features are applied for the first time at a customer's site, and will be helpful in discovering configuration problems in the deployment stage. Monitor-only mode also supports audit-only deployments.
SQL Injection
- VPN-1 Power (VPN-1 Pro) rejects HTTP requests containing SQL commands inside the URL or body. An attacker can use flaws in the web application to inject malicious commands that will be run directly in the application database and cause damage or information disclosure. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.
Shell Command Injection
- VPN-1 Power (VPN-1 Pro) rejects HTTP requests containing shell commands inside the URL or body. An attacker can use flaws in the scripting engine to inject malicious commands that will be run directly on the host. This defense has three levels of protection: low, medium and high. The definitions for these three levels are conveniently displayed as you slide the change bar to select a different mode in SmartDashboard.
Cross-Site Scripting
- VPN-1 Power (VPN-1 Pro) rejects HTTP requests sent using the POST command that contain scripting code. Attackers can use scripting commands inside URLs and forms to steal an innocent user's identity. This form of stealing is particularly insidious because the administrator and the user do not know they are being tricked. VPN-1 Power (VPN-1 Pro) also understands the encoded data sent as part of the URL, which is an alternative way of submitting information. The scripting code is not stripped from the request, but rather the whole request is rejected. The defense has three levels of protection: low, medium and high.
Directory Traversal Attacks
- Directory traversal attacks allow hackers to access files and directories that should be out of their reach. In many attacks, this leads to running executable code on the web server with one simple URL. Most of the attacks are based on the ".." notation within a file system. VPN-1 Power (VPN-1 Pro) blocks requests in which the URL contains an illegal directory request. For example, http://www.server.com/first/second/../../.. is illegal because it goes deeper than the root directory, whereas http://www.server.com/first/second/../ is legal because it is equivalent to http://www.server.com/first/. VPN-1 Power (VPN-1 Pro) supports the same capability for URLs that are encoded with Unicode and % encoding.
HTTP Format Sizes
- The sizes of the different elements in an HTTP request/response are not limited by the protocol; this can be used to perform a DoS attack on a web server. In addition, many buffer-overflow attacks require a considerably large buffer to be sent to the web server. It is good security practice to limit these buffers. This reduces the chance of buffer overruns and limits the size of code that can be inserted using the overflow. This defense provides the ability to impose a limit on the following elements:
- Maximum URL length
- Maximum Header length
- Maximum number of headers
- Specific header length, by giving a regular expression to describe the header name and value
The maximum allowed length is adjustable using SmartDefense.
Blocking Non-ASCII Characters Request
- VPN-1 Power (VPN-1 Pro) blocks characters outside the ASCII range (32-127) in the HTTP request/response headers. Other than the fact that the HTTP RFC does not allow binary characters anywhere in the HTTP headers, blocking them is good security practice because executables and buffer-overrun exploits usually need binary characters. The defense can be turned on using SmartDefense, in the Request\Response Headers section of the ASCII Only Request window.
Allowed HTTP Methods
- The HTTP RFC allows a restricted set of standard HTTP methods (GET, PUT, HEAD, POST). Many of the non-standard methods have a very bad security record and so, by default, they are blocked. WebDAV methods are blocked by default but can be added either as a group or individually. Other methods that are blocked by default can also be added individually.
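The three header-level defenses described above (HTTP format sizes, ASCII-only headers, allowed methods) all operate on the same parsed request head, so one added example covers them. It is illustration code written for this page, not Check Point's product code: the `Limits` values, the regex-keyed per-header limit, the violation strings and the sample requests are all constructed. The byte range 32-127 is taken from the text; note that it also rejects the horizontal tab that the RFC permits inside folded header values.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Limits:
    """Constructed policy; the real values are adjustable in SmartDefense."""
    max_url_length: int = 2048
    max_header_length: int = 1024
    max_header_count: int = 50
    # (regex describing the header name, maximum length of its value)
    header_limits: list = field(default_factory=list)
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST", "PUT"})
    ascii_only: bool = True


def inspect_request(raw: bytes, limits: Limits) -> list:
    """Return the list of policy violations for one raw HTTP request.
    An empty list means the request passes every check."""
    violations = []
    head = raw.split(b"\r\n\r\n", 1)[0]          # headers only; body not inspected here
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, url, _version = (p.decode("latin-1") for p in parts)

    # Allowed HTTP Methods: anything outside the configured set is blocked.
    if method not in limits.allowed_methods:
        violations.append(f"method {method} not allowed")

    # HTTP Format Sizes: URL length, header count, header line length.
    if len(url) > limits.max_url_length:
        violations.append(f"URL length {len(url)} exceeds {limits.max_url_length}")
    headers = lines[1:]
    if len(headers) > limits.max_header_count:
        violations.append(f"{len(headers)} headers exceed {limits.max_header_count}")

    for line in headers:
        if len(line) > limits.max_header_length:
            violations.append(
                f"header line of {len(line)} bytes exceeds {limits.max_header_length}")
        # ASCII-only headers: any byte outside 32-127 (the range from the text).
        if limits.ascii_only and any(b < 32 or b > 127 for b in line):
            violations.append(f"non-ASCII byte in header line {line[:20]!r}")
        # Specific header length, keyed by a regular expression on the name.
        name, _, value = line.decode("latin-1").partition(":")
        name, value = name.strip(), value.strip()
        for name_regex, max_len in limits.header_limits:
            if re.fullmatch(name_regex, name, re.IGNORECASE) and len(value) > max_len:
                violations.append(f"{name} value of {len(value)} chars exceeds {max_len}")
    return violations


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: test\r\n\r\n")
TRACE_REQUEST = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BINARY_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Pad: \xff\xfe\r\n\r\n"
LONG_URL_REQUEST = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BIG_COOKIE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nCookie: "
                      + b"a" * 20 + b"\r\n\r\n")

if __name__ == "__main__":
    policy = Limits(header_limits=[("cookie", 16)])
    for req in (GOOD_REQUEST, TRACE_REQUEST, BINARY_REQUEST,
                LONG_URL_REQUEST, BIG_COOKIE_REQUEST):
        print(req.split(b"\r\n", 1)[0][:40], "->", inspect_request(req, policy) or "pass")
```

Returning a list of violations rather than a single boolean is what makes a monitor-only deployment possible: the same result can be logged without dropping the request while a new policy is being tuned.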
Header Rejection
- A web server or application parses not only the URL, but also the rest of the HTTP header data. Incorrect parsing can lead to buffer overrun attacks and other vulnerabilities. Such attacks, while RFC compliant, can be blocked using signatures that are defined as regular expressions.
HTTP Header Spoofing
- One of the first steps an attacker takes before attacking a website is to fingerprint it. The attacker analyzes the web server's response in order to gather as much information as possible about it. Some information in the response is redundant; this defense removes such information by either removing the relevant header or changing its value. The relevant headers are selected using regular expressions for name and value, and each matched header can be stripped (removed) or replaced, as configured in SmartDefense.
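The header rewriting just described, combined with the monitor-only mode introduced under Web Intelligence above, as an added example for this page (not Check Point's own code): each rule carries a regular expression for the header name and one for its value, and an action of strip or replace. In monitor-only mode a match is only logged and the response is passed through unchanged. The `HeaderRule` / `apply_rules` names and the sample response headers are constructed for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class HeaderRule:
    name_pattern: str             # regex matched against the header name (case-insensitive)
    value_pattern: str = ".*"     # regex matched against the header value
    action: str = "strip"         # "strip" removes the header, "replace" rewrites its value
    replacement: str = ""


def apply_rules(headers, rules, monitor_only=False):
    """Apply the first matching rule to each (name, value) response header.

    Returns (new_headers, log). In monitor-only mode the log records every
    match but new_headers is identical to the input."""
    out, log = [], []
    for name, value in headers:
        kept = (name, value)
        for rule in rules:
            if (re.fullmatch(rule.name_pattern, name, re.IGNORECASE)
                    and re.fullmatch(rule.value_pattern, value)):
                log.append(f"{rule.action} {name}: {value}")
                if not monitor_only:
                    kept = None if rule.action == "strip" else (name, rule.replacement)
                break
        if kept is not None:
            out.append(kept)
    return out, log


# Constructed sample response headers and rules (illustrative values only).
SAMPLE_HEADERS = [
    ("Server", "Apache/2.2.3 (Unix)"),
    ("X-Powered-By", "PHP/5.2.1"),
    ("Content-Type", "text/html"),
]
RULES = [
    HeaderRule("Server", r"Apache.*", action="replace", replacement="web"),
    HeaderRule("X-Powered-By"),                     # strip regardless of value
]

if __name__ == "__main__":
    enforced, log = apply_rules(SAMPLE_HEADERS, RULES)
    print("enforced:", enforced)
    audited, log = apply_rules(SAMPLE_HEADERS, RULES, monitor_only=True)
    print("monitor-only:", audited)
    print("log:", log)
```

Running the rule set in monitor-only mode first shows exactly which headers would be touched, so a rule whose value regex is too broad can be corrected before it starts rewriting production responses.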
Additional Information
SmartDefense Services Product Page
Take advantage of these important new features and hundreds of others available only with the NGX platform by ordering your NGX Upgrade Kit today.