SmartDefense Categories
Chapter 11: Using SmartDefense
237
To allow a specific FTP command
1. In the Blocked Commands box, select the desired FTP command.
2. Click Accept.
   The FTP command appears in the Allowed Commands box.
3. Click Apply.
The FTP command will be allowed, regardless of whether FTP command blocking is enabled or disabled.
HTTP
This category allows you to configure various protections related to the HTTP protocol. It includes the following:
• Header Rejection on page 237
• Worm Catcher on page 238
Header Rejection
Some exploits are carried in standard HTTP headers with custom values (for example, in
the Host header), or in custom HTTP headers. You can protect against such exploits by
rejecting HTTP requests that contain specific headers and header values.
Check Point ZoneAlarm User Guide
Table 60: Header Rejection Fields
Action
  Specify what action to take when an HTTP header-based exploit is detected, by selecting one of the following:
  • Block. Block the attack.
  • None. No action. This is the default.
Track
  Specify whether to log HTTP header-based exploits, by selecting one of the following:
  • Log. Log the attack.
  • None. Do not log the attack. This is the default.
HTTP header values list
  Select the HTTP header values to detect.
Worm Catcher
A worm is self-replicating malware (malicious software) that propagates by actively
sending itself to new machines. Some worms propagate by exploiting security vulnerabilities in
the HTTP protocol.
You can specify how HTTP-based worm attacks should be handled.
Table 61: Worm Catcher Fields
Action
  Specify what action to take when an HTTP-based worm attack is detected, by selecting one of the following:
  • Block. Block the attack.
  • None. No action. This is the default.
Track
  Specify whether to log HTTP-based worm attacks, by selecting one of the following:
  • Log. Log the attack.
  • None. Do not log the attack. This is the default.
HTTP-based worm patterns list
  Select the worm patterns to detect.
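As an added illustration of how the Header Rejection and Worm Catcher settings combine (example code written for this page, not part of ZoneAlarm or SmartDefense), the following Python inspector applies header-value rules and worm patterns to a raw HTTP request, with each rule carrying the Action (Block/None) and Track (Log/None) choices from Tables 60 and 61. The Rule model, the RULES list, the SAMPLE request and the assumption that worm patterns are matched against the request line are all constructed here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical rule model mirroring the guide's Action (Block/None) and Track (Log/None) fields.
@dataclass
class Rule:
    name: str
    header: Optional[str]   # header to inspect; None means the rule applies to the request line
    pattern: str            # regular expression applied to the header value or the request line
    action: str = "Block"   # "Block" or "None"
    track: str = "Log"      # "Log" or "None"

@dataclass
class Verdict:
    blocked: bool = False
    matched: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

def parse_request(raw: bytes):
    """Split a raw HTTP request head into its request line and a lower-cased header dict."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in lines[1:])}
    return lines[0], headers

def inspect(raw: bytes, rules: List[Rule]) -> Verdict:
    """Evaluate every rule: Block sets the verdict, Log records a line, None does nothing."""
    request_line, headers = parse_request(raw)
    verdict = Verdict()
    for rule in rules:
        subject = request_line if rule.header is None else headers.get(rule.header.lower())
        if subject is None or not re.search(rule.pattern, subject):
            continue
        verdict.matched.append(rule.name)
        if rule.track == "Log":
            verdict.log.append(f"{rule.name} -> {rule.action}")
        if rule.action == "Block":
            verdict.blocked = True
    return verdict
# Constructed rules: an oversized Host value, a custom header, and a made-up worm URI pattern.
RULES = [
    Rule("Oversized Host header", "Host", r"^.{256,}$"),
    Rule("Custom exploit header", "X-Constructed-Exploit", r"."),
    Rule("Worm probe URI", None, r"/constructed-worm-probe", action="None", track="Log"),
]

# Constructed request that trips the Host rule (blocked) and the worm rule (logged only).
SAMPLE = (b"GET /constructed-worm-probe HTTP/1.1\r\nHost: " + b"A" * 300
          + b"\r\nUser-Agent: test\r\n\r\n")
```

A rule with Action set to None and Track set to Log, like the worm rule above, produces a log line without stopping the request, which is the monitoring-only posture the tables describe.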
Peer-to-Peer
SmartDefense can block peer-to-peer file-sharing traffic, by identifying the proprietary
protocols and preventing the initial connection to the peer-to-peer networks. This prevents
not only downloads, but also search operations.
This category includes the following nodes:
• BitTorrent
• eMule
• Gnutella
• KaZaA
• Winny
Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being used to initiate the session.
In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the following table.
Table 62: Peer to Peer Fields
Action
  Specify what action to take when a connection is attempted, by selecting one of the following:
  • Block. Block the connection.
  • None. No action. This is the default.
Track
  Specify whether to log peer-to-peer connections, by selecting one of the following:
  • Log. Log the connection.
  • None. Do not log the connection. This is the default.
Block proprietary protocols on all ports
  Specify whether proprietary protocols should be blocked on all ports, by selecting one of the following:
  • Block. Block the proprietary protocol on all ports. This in effect prevents all communication using this peer-to-peer application. This is the default.
  • None. Do not block the proprietary protocol on all ports.
Block masquerading over HTTP protocol
  Specify whether to block using the peer-to-peer application over HTTP, by selecting one of the following:
  • Block. Block using the application over HTTP. This is the default.
  • None. Do not block using the application over HTTP.
  This field is not relevant for eMule and Winny.
Microsoft Networks
This category includes File and Print Sharing.
Microsoft operating systems and Samba clients rely on Common Internet File System
(CIFS), a protocol for sharing files and printers. However, this protocol is also widely used
by worms as a means of propagation.
You can configure how CIFS worms should be handled.