Check Point ZoneAlarm User Guide, page 212
SmartDefense Categories
Packet Sanity
Packet Sanity performs several Layer 3 and Layer 4 sanity checks. These include verifying the packet size, verifying the UDP and TCP header lengths, dropping packets that carry IP options, and verifying that the TCP flags form a legal combination.
You can configure whether logs should be issued for offending packets.
Table 43: Packet Sanity Fields

In this field…    Do this…

Action
    Specify what action to take when a packet fails a sanity test, by selecting one of the following:
    Block. Block the packet. This is the default.
    None. No action.

Track
    Specify whether to issue logs for packets that fail the packet sanity tests, by selecting one of the following:
    Log. Issue logs. This is the default.
    None. Do not issue logs.
Chapter 11: Using SmartDefense
Disable relaxed UDP length verification
    The UDP length verification sanity check measures the length of the UDP datagram actually received (header plus data) and compares it with the value in the Length field of the UDP header. If the two values differ, the packet may be corrupted or deliberately malformed.
    However, since different implementations may fill in the UDP Length field differently, the ZoneAlarm router relaxes the UDP length verification sanity check by default: it performs the check but does not drop offending packets. This is called relaxed UDP length verification.
    Specify whether the ZoneAlarm router should relax the UDP length verification sanity check or not, by selecting one of the following:
    True. Disable relaxed UDP length verification. The ZoneAlarm router will drop packets that fail the UDP length verification check.
    False. Do not disable relaxed UDP length verification. The ZoneAlarm router will not drop packets that fail the UDP length verification check. This is the default.
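The checks described under Packet Sanity, worked as code. The following Python is an added example written for this page, not ZoneAlarm's implementation: it applies the Layer 3/4 checks listed above (packet size, IP options, TCP and UDP header lengths, TCP flag combinations) to raw IPv4 packets, and shows the difference between relaxed UDP length verification (a mismatch is recorded as a warning and the packet passes) and the strict mode selected by True (the packet is blocked). The packet builders and sample packets are constructed here, and the exact set of TCP flag combinations treated as illegal is the example's own assumption.

```python
import struct

MIN_IPV4_HEADER = 20   # bytes, header without options
MIN_TCP_HEADER = 20    # bytes, header without options
UDP_HEADER = 8         # bytes, fixed size

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def packet_sanity(pkt: bytes, relaxed_udp_length: bool = True) -> dict:
    """Run Layer 3/4 sanity checks on one raw IPv4 packet.

    Returns {"action": "block" | "none", "violations": [...], "warnings": [...]}.
    A violation blocks the packet; a warning is only reported (relaxed check).
    """
    violations, warnings = [], []

    # Layer 3: IPv4 header.
    if len(pkt) < MIN_IPV4_HEADER:
        return {"action": "block", "violations": ["ip: truncated header"], "warnings": []}
    ver_ihl, _tos, total_len, _ident, _ff, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        violations.append(f"ip: version {version} is not 4")
    if ihl < MIN_IPV4_HEADER:
        violations.append(f"ip: header length {ihl} below minimum {MIN_IPV4_HEADER}")
    elif ihl > MIN_IPV4_HEADER:
        # "Dropping IP options": any option bytes are a violation.
        violations.append(f"ip: {ihl - MIN_IPV4_HEADER} bytes of IP options present")
    if total_len < ihl or total_len > len(pkt):
        # Packet size check: the declared length must fit the bytes actually received.
        violations.append(f"ip: total length {total_len} inconsistent with {len(pkt)} bytes received")
    if violations:
        return {"action": "block", "violations": violations, "warnings": warnings}

    l4 = pkt[ihl:total_len]

    # Layer 4: TCP header length and flag combinations.
    if proto == 6:
        if len(l4) < MIN_TCP_HEADER:
            violations.append("tcp: truncated header")
        else:
            data_offset, flags = (l4[12] >> 4) * 4, l4[13]
            if data_offset < MIN_TCP_HEADER or data_offset > len(l4):
                violations.append(f"tcp: data offset {data_offset} invalid for a {len(l4)}-byte segment")
            if flags == 0:
                violations.append("tcp: no flags set (null scan)")
            elif flags & SYN and flags & (FIN | RST):
                violations.append("tcp: SYN combined with FIN or RST")
            elif flags & FIN and not flags & ACK:
                violations.append("tcp: FIN without ACK (FIN/XMAS scan)")

    # Layer 4: UDP header length, with the relaxed/strict choice.
    elif proto == 17:
        if len(l4) < UDP_HEADER:
            violations.append("udp: truncated header")
        else:
            udp_len = struct.unpack("!H", l4[4:6])[0]
            if udp_len < UDP_HEADER:
                violations.append(f"udp: length field {udp_len} smaller than the header")
            elif udp_len != len(l4):
                msg = f"udp: length field {udp_len} != {len(l4)} bytes carried"
                (warnings if relaxed_udp_length else violations).append(msg)

    return {"action": "block" if violations else "none", "violations": violations, "warnings": warnings}


# --- Constructed test packets (not captured traffic) ---
def build_ipv4(payload: bytes, proto: int, options: bytes = b"", total_len=None) -> bytes:
    """IPv4 header (checksum left zero) + optional options + payload."""
    ihl_words = (MIN_IPV4_HEADER + len(options)) // 4
    total = MIN_IPV4_HEADER + len(options) + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0x1234, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def build_tcp(flags: int) -> bytes:
    """20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(payload: bytes, length_field=None) -> bytes:
    """8-byte UDP header; length_field overrides the Length value to simulate a mismatch."""
    length = UDP_HEADER + len(payload) if length_field is None else length_field
    return struct.pack("!HHHH", 53, 53, length, 0) + payload


if __name__ == "__main__":
    cases = {
        "tcp syn": build_ipv4(build_tcp(SYN), 6),
        "tcp syn+fin": build_ipv4(build_tcp(SYN | FIN), 6),
        "ip options": build_ipv4(build_tcp(SYN | ACK), 6, options=b"\x01\x01\x01\x01"),
        "udp length mismatch": build_ipv4(build_udp(b"abcd", length_field=20), 17),
    }
    for name, pkt in cases.items():
        print(name, packet_sanity(pkt))            # relaxed UDP length verification (default)
    print("udp strict", packet_sanity(cases["udp length mismatch"], relaxed_udp_length=False))
```

The UDP mismatch packet is the case Table 43 describes: with the default (relaxed) setting it passes with a warning, with Disable relaxed UDP length verification set to True it is blocked.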
Max Ping Size
PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up. The client sends an echo request, and the server responds with an echo reply that repeats the client's data.
An attacker can answer the client with an echo carrying a large amount of data, causing a buffer overflow in a receiving IP stack that does not handle oversized ICMP messages correctly. You can protect against such attacks by limiting the allowed data size of ICMP echo packets.
Table 44: Max Ping Size Fields

In this field…    Do this…

Action
    Specify what action to take when an ICMP echo response exceeds the Max Ping Size threshold, by selecting one of the following:
    Block. Block the packet. This is the default.
    None. No action.

Track
    Specify whether to log ICMP echo responses that exceed the Max Ping Size threshold, by selecting one of the following:
    Log. Log the responses. This is the default.
    None. Do not log the responses.
Max Ping Size
    Type the maximum data size, in bytes, allowed for an ICMP echo response (the echo data, not counting the IP and ICMP headers).
    The default value is 1500.
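As an added example (written for this page, not ZoneAlarm's code), the following Python applies the Max Ping Size rule from Table 44 to a raw IPv4 packet: it locates the ICMP message, measures the echo data that follows the 8-byte echo header, and returns the Action and Track outcomes for the configured threshold. The packet builder, addresses and sizes are constructed for the example; the 1500-byte default is the one stated above.

```python
import struct

ICMP_PROTO = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_ECHO_HEADER = 8   # type, code, checksum, identifier, sequence number


def max_ping_size_check(pkt: bytes, max_ping_size: int = 1500,
                        action: str = "block", track: str = "log"):
    """Apply Max Ping Size to one raw IPv4 packet.

    Returns (verdict, log_line): verdict is "pass" or "block"; log_line is None
    unless the threshold was exceeded and track == "log". Non-echo traffic and
    malformed packets pass through here (Packet Sanity is responsible for those).
    """
    if len(pkt) < 20 or pkt[9] != ICMP_PROTO:
        return "pass", None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    if len(icmp) < ICMP_ECHO_HEADER or icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "pass", None
    data_len = len(icmp) - ICMP_ECHO_HEADER          # echo data only, headers excluded
    if data_len <= max_ping_size:
        return "pass", None
    verdict = "block" if action == "block" else "pass"
    log_line = None
    if track == "log":
        kind = "request" if icmp[0] == ICMP_ECHO_REQUEST else "reply"
        log_line = (f"Max Ping Size: ICMP echo {kind} carries {data_len} data bytes, "
                    f"limit {max_ping_size}; action={verdict}")
    return verdict, log_line


def build_echo(data: bytes, icmp_type: int = ICMP_ECHO_REPLY) -> bytes:
    """Constructed IPv4 + ICMP echo packet (checksums left zero) for the example."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ICMP_ECHO_HEADER + len(data), 1, 0, 64,
                         ICMP_PROTO, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return ip_hdr + struct.pack("!BBHHH", icmp_type, 0, 0, 0x4242, 1) + data


if __name__ == "__main__":
    print(max_ping_size_check(build_echo(b"\x00" * 56)))                    # ordinary 56-byte ping: pass
    print(max_ping_size_check(build_echo(b"\x00" * 1501)))                  # over the default: block + log
    print(max_ping_size_check(build_echo(b"\x00" * 1501), action="none"))   # Action = None: log only
```

The check runs on whole datagrams: because the router reassembles fragments before inspection (see IP Fragments below), an oversized echo that was split across several fragments on the wire is measured at its full size.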
IP Fragments
When an IP packet is too big to be transported by a network link, it is split into several
smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an
attacker might imitate this common behavior and break the data section of a single packet
into several fragmented packets. Without reassembling the fragments, it is not always
possible to detect such an attack. Therefore, the ZoneAlarm router always reassembles all
the fragments of a given IP packet, before inspecting it to make sure there are no attacks or
exploits in the packet.
You can configure how fragmented packets should be handled.
Table 45: IP Fragments Fields

In this field…    Do this…

Forbid IP Fragments
    Specify whether all fragmented packets should be dropped, by selecting one of the following:
    True. Drop all fragmented packets.
    False. No action. This is the default.
    Under normal circumstances, it is recommended to leave this field set to False. Setting this field to True may disrupt Internet connectivity, because it does not allow any fragmented packets.

Max Number of Incomplete Packets
    Type the maximum number of incomplete packets (packets whose fragments are still being collected for reassembly) that the ZoneAlarm router holds at one time. Fragments of further packets that arrive while this threshold is reached are dropped.
    The default value is 300.

Timeout for Discarding Incomplete Packets
    When the ZoneAlarm router receives packet fragments, it waits for additional fragments to arrive, so that it can reassemble the packet.
    Type the number of seconds to wait before discarding an incomplete packet, together with the fragments of it already received.
    The default value is 10.

Track
    Specify whether to log fragmented packets, by selecting one of the following:
    Log. Log all fragmented packets.
    None. Do not log fragmented packets. This is the default.
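The reassembly behaviour described above, with the three Table 45 settings (Forbid IP Fragments, Max Number of Incomplete Packets, Timeout for Discarding Incomplete Packets) and the Track option as parameters, worked as a small reassembly table. This is an added example written for this page, not the ZoneAlarm implementation; the fragment builder and the sample datagram are constructed, the defaults are the ones from Table 45, and treating overlapping fragments as a drop is the example's own choice (the page does not say how the router handles overlap).

```python
import struct
import time

MF_FLAG = 0x2000          # "more fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF      # fragment offset, in 8-byte units


class FragmentReassembler:
    """Reassembly table driven by the Table 45 settings."""

    def __init__(self, forbid_fragments=False, max_incomplete=300, timeout=10,
                 track="none", clock=time.monotonic):
        self.forbid_fragments = forbid_fragments
        self.max_incomplete = max_incomplete
        self.timeout = timeout           # seconds before an incomplete packet is discarded
        self.track = track               # "log" or "none"
        self.clock = clock
        self.table = {}                  # (src, dst, ident, proto) -> partially reassembled packet
        self.log = []

    def _log(self, msg):
        if self.track == "log":
            self.log.append(msg)

    def _discard_expired(self, now):
        for key in [k for k, e in self.table.items() if now - e["first"] > self.timeout]:
            del self.table[key]
            self._log(f"discarded incomplete packet id={key[2]} after {self.timeout}s")

    def submit(self, pkt, now=None):
        """Feed one IPv4 packet.

        Returns ("pass", pkt) for an unfragmented packet, ("hold", None) while
        fragments are still missing, ("reassembled", full_packet) once the
        datagram is complete, or ("drop", None).
        """
        now = self.clock() if now is None else now
        ihl = (pkt[0] & 0x0F) * 4
        total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
        more, offset = bool(flags_frag & MF_FLAG), (flags_frag & OFFSET_MASK) * 8
        if not more and offset == 0:
            return "pass", pkt
        if self.forbid_fragments:
            self._log(f"dropped fragment id={ident}: Forbid IP Fragments is True")
            return "drop", None
        self._discard_expired(now)

        key = (pkt[12:16], pkt[16:20], ident, pkt[9])
        entry = self.table.get(key)
        if entry is None:
            if len(self.table) >= self.max_incomplete:
                self._log(f"dropped fragment id={ident}: {self.max_incomplete} incomplete packets already held")
                return "drop", None
            entry = self.table[key] = {"first": now, "frags": {}, "total": None, "hdr": None}
        payload = pkt[ihl:total_len]
        entry["frags"][offset] = payload
        if offset == 0:
            entry["hdr"] = pkt[:ihl]                 # keep the first fragment's IP header
        if not more:
            entry["total"] = offset + len(payload)   # the last fragment fixes the datagram size
        self._log(f"fragment id={ident} offset={offset} len={len(payload)} more={more}")

        if entry["total"] is None or entry["hdr"] is None:
            return "hold", None
        data = bytearray()
        for off in sorted(entry["frags"]):
            if off < len(data):                      # overlap: the example's choice is to drop
                del self.table[key]
                self._log(f"dropped packet id={ident}: overlapping fragments")
                return "drop", None
            if off > len(data):                      # gap: a fragment is still missing
                return "hold", None
            data += entry["frags"][off]
        if len(data) != entry["total"]:
            return "hold", None
        del self.table[key]
        hdr = bytearray(entry["hdr"])
        struct.pack_into("!H", hdr, 2, len(hdr) + len(data))   # total length of the whole datagram
        struct.pack_into("!H", hdr, 6, 0)                      # clear the MF flag and offset
        return "reassembled", bytes(hdr) + bytes(data)


def fragment(ident, payload, chunk=16, proto=17):
    """Split a payload into IPv4 fragments (constructed test input; chunk must be a multiple of 8)."""
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        flags_frag = (MF_FLAG if more else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident, flags_frag, 64, proto, 0,
                          bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frags.append(hdr + piece)
    return frags


if __name__ == "__main__":
    r = FragmentReassembler(track="log")
    f0, f1, f2 = fragment(1, bytes(range(40)))
    # Fragments may arrive out of order; the datagram is only released when it is complete.
    print(r.submit(f2, now=0)[0], r.submit(f0, now=0)[0], r.submit(f1, now=0)[0])
    print(*r.log, sep="\n")
```

Passing `now` explicitly lets the timeout be exercised without waiting: an entry older than Timeout for Discarding Incomplete Packets is dropped the next time any fragment is submitted, which is also what frees a slot counted against Max Number of Incomplete Packets.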