SmartDefense Categories
Chapter 11: Using SmartDefense
In this field…    Do this…

Log Mode
  Specify upon which events logs should be issued, by selecting one of the following:
    None. Do not issue logs.
    Log per attack. Issue logs for each SYN attack. This is the default.
    Log individual unfinished handshakes. Issue logs for each incomplete handshake.
  This field is only relevant if the Track field is set to Log.

Maximum time for completing the handshake
  Type the maximum amount of time in seconds after which a TCP handshake is considered incomplete.
  The default value is 10 seconds.

Protect external interfaces only
  Specify whether SynDefender should be enabled for external (WAN) interfaces only, by selecting one of the following:
    Disabled. Enable SynDefender for all the firewall interfaces. This is the default.
    Enabled. Enable SynDefender for external interfaces only.
Check Point ZoneAlarm User Guide
Sequence Verifier
The ZoneAlarm router examines each TCP packet's sequence number and checks whether
it matches a TCP connection state. You can configure how the router handles packets that
match a TCP connection in terms of the TCP session but have incorrect sequence numbers.
Table 54: Strict TCP
In this field…    Do this…

Action
  Specify what action to take when TCP packets with incorrect sequence numbers arrive, by selecting one of the following:
    Block. Block the packets.
    None. No action. This is the default.

Track
  Specify whether to log TCP packets with incorrect sequence numbers, by selecting one of the following:
    Log. Log the packets. This is the default.
    None. Do not log the packets.
Flags
The URG flag is used to indicate that there is urgent data in the TCP stream, and that the
data should be delivered with high priority. Since handling of the URG flag is inconsistent
between different operating systems, an attacker can use the URG flag to conceal certain
attacks.
You can configure how the URG flag should be handled.
Table 55: Flags Fields
In this field…    Do this…

URG Flag
  Specify whether to clear or allow the URG flag, by selecting one of the following:
    Clear. Clear the URG flag on all incoming packets. This is the default.
    Allow. Allow the URG flag.
Port Scan
An attacker can perform a port scan to determine whether ports are open and vulnerable to
an attack. This is most commonly done by attempting to access a port and waiting for a
response. The response indicates whether or not the port is open.
This category includes the following types of port scans:
  Host Port Scan. The attacker scans a specific host's ports to determine which of the ports are open.
  Sweep Scan. The attacker scans various hosts to determine where a specific port is open.
You can configure how the ZoneAlarm router should react when a port scan is detected.
Table 56: Port Scan Fields
In this field…    Do this…

Number of ports accessed
  SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
  Type the minimum number of ports that must be accessed within the In a period of [seconds] period, in order for SmartDefense to detect the activity as a port scan.
  For example, if this value is 30, and 40 ports are accessed within a specified period of time, SmartDefense will detect the activity as a port scan.
  For Host Port Scan, the default value is 30. For Sweep Scan, the default value is 50.

In a period of [seconds]
  SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
  Type the maximum number of seconds that can elapse, during which the Number of ports accessed threshold is exceeded, in order for SmartDefense to detect the activity as a port scan.
  For example, if this value is 20, and the Number of ports accessed threshold is exceeded for 15 seconds, SmartDefense will detect the activity as a port scan. If the threshold is exceeded for 30 seconds, SmartDefense will not detect the activity as a port scan.
  The default value is 20 seconds.
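
The following added example (not part of the original guide, and not Check Point's implementation) shows how the two Table 56 thresholds interact, using the guide's default values over constructed connection records. The sliding-window logic, the event tuple layout, and the choice to count distinct hosts for Sweep Scan are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Defaults quoted in the guide; the detector logic itself is an assumption.
HOST_SCAN_PORTS, SWEEP_SCAN_PORTS, PERIOD_SECONDS = 30, 50, 20

def detect_scans(events, threshold, period, key, item):
    """Return the keys whose distinct item count exceeds `threshold`
    within any sliding window of `period` seconds.

    events: iterable of (timestamp, src_ip, dst_ip, dst_port), sorted by time.
    key:    groups events (who is being tracked against what).
    item:   what is counted as distinct inside the window.
    """
    windows = defaultdict(deque)   # key -> deque of (timestamp, item)
    flagged = set()
    for ev in events:
        ts = ev[0]
        win = windows[key(ev)]
        win.append((ts, item(ev)))
        # Drop accesses older than the configured period.
        while win and ts - win[0][0] > period:
            win.popleft()
        # "Must exceed" the value: strictly greater than the threshold.
        if len({i for _, i in win}) > threshold:
            flagged.add(key(ev))
    return flagged

def host_port_scans(events):
    # One source probing many ports on one destination host.
    return detect_scans(events, HOST_SCAN_PORTS, PERIOD_SECONDS,
                        key=lambda e: (e[1], e[2]), item=lambda e: e[3])

def sweep_scans(events):
    # One source probing the same port on many hosts (assumed: count hosts).
    return detect_scans(events, SWEEP_SCAN_PORTS, PERIOD_SECONDS,
                        key=lambda e: (e[1], e[3]), item=lambda e: e[2])

# Constructed sample traffic (documentation address ranges, not real logs).
fast = [(i * 0.5, "198.51.100.7", "192.0.2.10", 1000 + i) for i in range(40)]
slow = [(i * 2.0, "198.51.100.8", "192.0.2.10", 1000 + i) for i in range(40)]
sweep = [(i * 0.2, "198.51.100.9", f"192.0.2.{i + 1}", 22) for i in range(60)]
EVENTS = sorted(fast + slow + sweep)

if __name__ == "__main__":
    print("host port scans:", host_port_scans(EVENTS))
    print("sweep scans:", sweep_scans(EVENTS))
```

The "slow" source touches the same 40 ports as the "fast" one but never has more than 11 of them inside any 20-second window, so it stays under the threshold; a larger period or smaller port count catches slower scans at the cost of more false positives.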
