Security Best Practice: Familiarize Yourself with the Packet Sanity Protection

Check Point Reference: SBP-2008-19
Date Published:
Severity:
Last Updated:
Source: IPS Research Center
Industry Reference(s): CVE-2002-1071
Protection Provided by:
Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
Who is Vulnerable?
Computers and Networks
Vulnerability Description
The Packet Sanity protection performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size and the UDP and TCP header lengths, dropping IP options, and verifying the TCP flags.

Numerous types of attacks may be hidden in fragmented packets.
Vulnerability Details
Even if Packet Sanity is set to Inactive or Detect Only, the following sanity verifications are still enforced; when applicable, the offending packets are dropped and the event is logged:
  • UDP packets with invalid UDP Length
  • TCP packets with a corrupt header
  • UDP and TCP packets with source and/or destination port 0
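The checks listed above, plus the "ICMP too short" entry from the log output, sketched as a validator for raw IPv4 packets. This is an added example, not Check Point's code: the function names, the exact thresholds (8-byte UDP and ICMP minimums, TCP data offset bounds), the two IPv4 error strings and the sample packets are assumptions, while the other finding strings are the log entries this page lists.

```python
import struct

# Finding names reuse the log entries listed on this page; thresholds are assumptions.
UDP_LEN = "UDP packets with invalid UDP Length"
TCP_HDR = "TCP packets with a corrupt header"
PORT_0 = "UDP and TCP packets with source and/or destination port 0"
ICMP_SHORT = "ICMP too short"

def sanity_check(pkt: bytes) -> list:
    """Return findings for one raw IPv4 packet; an empty list means it passed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not a complete IPv4 header"]        # hypothetical message
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["inconsistent IPv4 length fields"]   # hypothetical message
    if frag & 0x1FFF:            # non-first fragment carries no L4 header
        return []
    proto, l4 = pkt[9], pkt[ihl:total_len]
    findings = []
    if proto == 17:              # UDP: 8-byte header, length covers header + data
        if len(l4) < 8:
            return [UDP_LEN]
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        # With More Fragments set, a first fragment may hold fewer than ulen bytes.
        if ulen < 8 or (not (frag & 0x2000) and ulen > len(l4)):
            findings.append(UDP_LEN)
    elif proto == 6:             # TCP: data offset must cover the 20-byte base header
        if len(l4) < 20:
            return [TCP_HDR]
        sport, dport = struct.unpack("!HH", l4[:4])
        doff = (l4[12] >> 4) * 4
        if doff < 20 or doff > len(l4):
            findings.append(TCP_HDR)
    elif proto == 1:             # ICMP: type, code, checksum + 4 bytes rest-of-header
        return [ICMP_SHORT] if len(l4) < 8 else []
    else:
        return []
    if sport == 0 or dport == 0:
        findings.append(PORT_0)
    return findings

def ipv4(proto: int, l4: bytes, frag: int = 0) -> bytes:
    """Constructed test input: minimal IPv4 header (checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + l4

if __name__ == "__main__":
    print(sanity_check(ipv4(17, struct.pack("!HHHH", 5353, 0, 4, 0))))
```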

Protection Overview
This protection performs several Layer 3 and Layer 4 sanity checks.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Network Security > IP and ICMP.
2. In the right pane, double-click the Packet Sanity protection.
3. In the Protection Details window, click Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Packet Sanity
Attack Information:
ICMP too short
UDP packets with invalid UDP Length
TCP packets with a corrupt header
UDP and TCP packets with source and/or destination port 0

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Network Security > IP and ICMP.
2. Select the following protection: Packet Sanity
3. In the configuration pane, under Settings > Mode, check Active. Apply additional settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Packet Sanity
Attack Information:
ICMP too short
UDP packets with invalid UDP Length
TCP packets with a corrupt header
UDP and TCP packets with source and/or destination port 0