Page 246 / 428
Scroll up to view Page 241 - 245
SmartDefense Categories
232
Check Point ZoneAlarm User Guide
In this field…
Do this…
Track
Specify whether to issue logs for scans, by selecting one of the following:
•
Log.
Issue logs. This is the default.
•
None.
Do not issue logs. This is the default.
Detect scans
from Internet only
Specify whether to detect only scans originating from the Internet, by
selecting one of the following:
•
False.
Do not detect only scans from the Internet. This is the
default.
•
True.
Detect only scans from the Internet.
FTP
This category allows you to configure various protections related to the FTP protocol. It
includes the following:
•
Block Known Ports
on page 234
•
Block Port Overflow
on page 235
•
Blocked FTP Commands
on page 236
•
FTP Bounce
on page 233
Page 247 / 428
SmartDefense Categories
Chapter 11: Using SmartDefense
233
FTP Bounce
When connecting to an FTP server, the client sends a PORT command specifying the IP
address and port to which the FTP server should connect and send data. An FTP Bounce
attack is when an attacker sends a PORT command specifying the IP address of a third
party instead of the attacker's own IP address. The FTP server then sends data to the victim
machine.
You can configure how FTP bounce attacks should be handled.
Table 57: FTP Bounce Fields
In this field…
Do this…
Action
Specify what action to take when an FTP Bounce attack occurs, by selecting
one of the following:
•
Block.
Block the attack. This is the default.
•
None.
No action.
Track
Specify whether to log FTP Bounce attacks, by selecting one of the
following:
•
Log.
Log the attack. This is the default.
•
None.
Do not log the attack.
Page 248 / 428
SmartDefense Categories
234
Check Point ZoneAlarm User Guide
Block Known Ports
You can choose to block the FTP server from connecting to well-known ports.
Note:
Known ports are published ports associated with services (for example, SMTP
is port 25).
This provides a second layer of protection against FTP bounce attacks, by preventing such
attacks from reaching well-known ports.
Table 58: Block Known Ports Fields
In this field…
Do this…
Action
Specify what action to take when the FTP server attempts to connect to a
well-known port, by selecting one of the following:
•
Block.
Block the connection.
•
None.
No action. This is the default.
Page 249 / 428
SmartDefense Categories
Chapter 11: Using SmartDefense
235
Block Port Overflow
FTP clients send PORT commands when connecting to the FTP sever. A PORT command
consists of a series of numbers between 0 and 255, separated by commas.
To enforce compliance to the FTP standard and prevent potential attacks against the FTP
server, you can block PORT commands that contain a number greater than 255.
Table 59: Block Port Overflow
In this field…
Do this…
Action
Specify what action to take for PORT commands containing a number
greater than 255, by selecting one of the following:
•
Block.
Block the PORT command. This is the default.
•
None.
No action.
Page 250 / 428
SmartDefense Categories
236
Check Point ZoneAlarm User Guide
Blocked FTP Commands
Some seldom-used FTP commands may compromise FTP server security and integrity.
You can specify which FTP commands should be allowed to pass through the security
server, and which should be blocked.
To enable FTP command blocking
•
In the
Action
drop-down list, select
Block
.
The FTP commands listed in the
Blocked Commands
box will be blocked.
FTP command blocking is enabled by default.
To disable FTP command blocking
•
In the
Action
drop-down list, select
None
.
All FTP commands are allowed, including those in the
Blocked Commands
box.
To block a specific FTP command
1.
In the
Allowed Commands
box, select the desired FTP command.
2.
Click
Block
.
The FTP command appears in the
Blocked Commands
box.
3.
Click
Apply
.
When FTP command blocking is enabled, the FTP command will be blocked.
19216811.live