Configuring SmartDefense
202
Check Point ZoneAlarm User Guide
Table 37: SmartDefense Security Levels
This level…   Does this…
Minimal       Disables all SmartDefense protections, except those that cannot be disabled.
Normal        Enables the following:
              • Teardrop
              • Ping of Death
              • LAND
              • Packet Sanity
              • Max Ping Size (set to 1500)
              • Welchia
              • Cisco IOS
              • Null Payload
              • IGMP
              • Small PMTU (Log Only)
              This level blocks the most common attacks.
High          Enables the same protections as Normal level, as well as the following:
              • Host Port Scan
              • Sweep Scan
              • HTTP Header Rejection
              • Strict TCP (Log Only)
Extra Strict  Enables the same protections as High level, as well as the following:
              • Strict TCP (Log + Block)
              • Small PMTU (Log + Block)
              • Max Ping Size (set to 512)
              • Network Quota
Chapter 11: Using SmartDefense
Using the SmartDefense Tree
For convenience, SmartDefense is organized as a tree, in which each branch represents a category of settings.
When a category is expanded, the settings it contains appear as nodes. For information on each category and the nodes it contains, see SmartDefense Categories on page 205.
Each node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks. To control how SmartDefense handles a specific attack, you must configure the relevant node's settings.
To configure a SmartDefense node
1. Click Security in the main menu, and click the SmartDefense tab.
The SmartDefense page appears.
The left pane displays a tree containing SmartDefense categories.
• To expand a category, click the icon next to it.
• To collapse a category, click the icon next to it.
2. Expand the relevant category, and click on the desired node.
The right pane displays a description of the node, followed by fields.
3. To modify the node's current settings, do the following:
a) Complete the fields using the relevant information in SmartDefense Categories on page 205.
b) Click Apply.
4. To reset the node to its default values:
a) Click Default.
A confirmation message appears.
b) Click OK.
The fields are reset to their default values, and your changes are saved.
SmartDefense Categories
SmartDefense includes the following categories:
• Denial of Service on page 205
• FTP on page 232
• HTTP on page 237
• IGMP on page 243
• Instant Messaging Traffic on page 244
• IP and ICMP on page 211
• Microsoft Networks on page 241
• Peer-to-Peer on page 239
• Port Scan on page 230
• TCP on page 223
Denial of Service
Denial of Service (DoS) attacks are aimed at overwhelming the target with spurious data, to the point where it is no longer able to respond to legitimate service requests.
This category includes the following attacks:
• DDoS Attack on page 210
• LAND on page 208
• Non-TCP Flooding on page 209
• Ping of Death on page 207
• Teardrop on page 206
Teardrop
In a Teardrop attack, the attacker sends two IP fragments, the latter entirely contained
within the former. This causes some computers to allocate too much memory and crash.
You can configure how Teardrop attacks should be handled.
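As an added illustration of the fragment relationship this protection checks for (example code, not from the ZoneAlarm product or this guide), the following Python parses two IPv4 fragment headers and flags the Teardrop case described above: a later fragment whose payload range lies entirely inside an earlier fragment of the same datagram. The sample headers are constructed inside the block for testing; only bare 20-byte headers are built, never sent.

```python
import struct
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int   # IPv4 Identification field: fragments of one datagram share it
    start: int   # first payload byte this fragment covers in the reassembled datagram
    end: int     # one past the last payload byte it covers


def parse_fragment(header: bytes) -> Fragment:
    """Read the IPv4 header fields that locate a fragment's payload."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    start = (flags_off & 0x1FFF) * 8      # Fragment Offset is counted in 8-byte units
    payload_len = total_len - ihl
    if payload_len < 0:
        raise ValueError("Total Length smaller than header length")
    return Fragment(ident, start, start + payload_len)


def is_teardrop(first: bytes, second: bytes) -> bool:
    """True when the second fragment lies entirely within the first (same datagram)."""
    a, b = parse_fragment(first), parse_fragment(second)
    return a.ident == b.ident and b.start >= a.start and b.end <= a.end


def sample_header(ident: int, offset_units: int, payload_len: int, more: bool) -> bytes:
    """Constructed test data: a bare 20-byte IPv4 header carrying the given fragment fields."""
    flags_off = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


# Constructed sample: fragment 1 covers bytes [0, 64); fragment 2 covers [24, 40) -> Teardrop.
TEARDROP_FIRST = sample_header(0x1234, 0, 64, True)
TEARDROP_SECOND = sample_header(0x1234, 3, 16, False)

# Constructed sample: a normal continuation; fragment 2 covers [64, 80) -> not contained.
NORMAL_FIRST = sample_header(0x1234, 0, 64, True)
NORMAL_SECOND = sample_header(0x1234, 8, 16, False)

if __name__ == "__main__":
    print("teardrop pair:", is_teardrop(TEARDROP_FIRST, TEARDROP_SECOND))   # True
    print("normal pair:", is_teardrop(NORMAL_FIRST, NORMAL_SECOND))         # False
```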
Table 38: Teardrop Fields
In this field…   Do this…
Action           Specify what action to take when a Teardrop attack occurs, by selecting one of the following:
                 • Block. Block the attack. This is the default.
                 • None. No action.
Track            Specify whether to log Teardrop attacks, by selecting one of the following:
                 • Log. Log the attack. This is the default.
                 • None. Do not log the attack.