Transport Layer Attack Prevention Safeguards and Attacks Blocked

Attack Prevention Safeguards and Attacks Blocked

Transport Layer

FireWall-1 NG with Application Intelligence blocks many attacks and provides numerous attack prevention safeguards. This table lists some of these defenses and organizes them by protocol and OSI Model layer.

Note: Check Point continually expands the breadth of defenses provided. This table is a snapshot not an exhaustive list.

Application Layer |

Session Layer |

Transport Layer |

Network Layer |

Transport Layer
Attack Prevention Safeguards	Attacks Blocked
TCP
Enforce correct usage of TCP flags Limit per-source sessions Enforce minimum TCP header length Block unknown protocols Restrict FIN packets with no ACK Enforce that TCP header length as indicated in header is not longer than packet size indicated by header Block out-of-state packets Verify that first connection packet is SYN Enforce 3-way handshake: Between SYN and SYN-ACK, client can send only RST or SYN Enforce 3-way handshake enforcement: Between SYN and connection establishment, server can send only SYN-ACK or RST Block SYN on established connection before FIN or RST packet is encountered Restrict server-to-client packets belonging to old connections Drop server-to-client packets belonging to old connections if packets contain SYN or RST Enforce minimum TCP header length Block TCP fragments Block SYN fragments Scramble OS fingerprint Verify TCP packet sequence number for packets belonging to an existing session		ACK Denial-of-Service Attack SYN Attack Land Attack Tear Drop Attack Session Hijacking Attack Jolt Attack Bloop Attack Cpd Attack Targa Attack Twinge Attack Small PMTU Attack Session Hijacking Attacks (TCP sequence number manipulation) TCP-Based Attacks Spanning Multiple Packets XMAS Attacks Port Scan
UDP
Verify UDP length field Match UDP requests and responses		UDP Flood Attacks Port Scan