Network_M
Collaborator

How can I protect my web site?

Recently, I have noticed that the IPS blade started to detect some kind of WebServiceViolation, WebEnforcementViolations to my web site.

I can see source IP addresses where they came from in SmartView.

IP addresses may change every time.

How can I protect my web site according to signature or something else?

How can I write access list against those WebSiteViolations?

Thank you.

PS: 

I have 1 line in Policy in Threat Prevention:

Protected Scope: Any, Protection/Site/File/Blade is N/A, Action Strict

2 Replies
Danny
Champion

Check Point offers various ways to protect web servers. As a first step I would create a host object representing my web server and mark it accordingly.

Then I would check which IPS protections regarding web security are relevant to me.

For example prevention of directory traversal etc. might be interesting. Also check these:

  • The HTTP Format sizes protection restricts URL lengths, header lengths or the number of headers. This is good practice because these elements can be used to perform a Denial of Service attack on a Web server.
  • The ASCII Only Request protection can block connectivity to Web pages that have non-ASCII characters in URLs. This is good practice because non-ASCII headers or form fields open vulnerabilities to certain attacks, such as code injection.
  • The HTTP Methods protection can block certain HTTP methods, known to be unsafe, because they can be used to exploit vulnerabilities on a Web server.
  • SQL Injection: This protection runs a scan on traffic to a user-defined list of specified web servers. The protection is active only when the network objects for these servers are created correctly. Do not apply the protections for SQL injection to all HTTP traffic or unnecessary false-positives will disrupt network traffic.
  • General HTTP/CIFS Worm Catcher and Header Rejection: These protections let you add and edit regular expressions so that the Firewall can block the specified HTTP requests. Check Point advises customers to add a pattern to these protections as an immediate pre-emptive action against a new threat.

To be continued..
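
The three HTTP-level checks listed above (format sizes, ASCII-only requests, allowed methods), sketched as an added example that is not part of the original thread and not Check Point's implementation. The limits, the method allow-list and the function name `check_request` are assumptions chosen for illustration.

```python
# Illustrative request checker modelled on the protections described above.
# Limits and the method allow-list are assumed values, not Check Point defaults.
MAX_URL_LEN = 2048
MAX_HEADER_LEN = 1000
MAX_HEADERS = 50
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def check_request(raw: bytes) -> list[str]:
    """Return the list of violated checks for one raw HTTP/1.x request head."""
    violations = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, url, _version = parts
    headers = [ln for ln in lines[1:] if ln]

    # HTTP Methods: only explicitly allowed methods pass.
    if method.decode("ascii", "replace") not in ALLOWED_METHODS:
        violations.append("method not allowed")
    # HTTP Format Sizes: cap URL length, header length and header count.
    if len(url) > MAX_URL_LEN:
        violations.append("URL too long")
    if any(len(h) > MAX_HEADER_LEN for h in headers):
        violations.append("header too long")
    if len(headers) > MAX_HEADERS:
        violations.append("too many headers")
    # ASCII Only Request: reject any byte above 0x7F in the URL or headers.
    if any(b > 0x7F for b in url + b"".join(headers)):
        violations.append("non-ASCII bytes in request")
    return violations


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_url": b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "utf8_url": "GET /caf\u00e9 HTTP/1.1\r\nHost: www.example.com\r\n\r\n".encode("utf-8"),
    "many_headers": b"GET / HTTP/1.1\r\n" + b"X-Pad: 1\r\n" * 60 + b"\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:13} -> {check_request(req) or 'ok'}")
```
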

Network_M
Collaborator

As a first step I would create a host object representing my web server and mark it accordingly

My web server is created as a host object, but was not marked as a web server. How important is it to mark it as a web server? What will differ? If I mark it as a web server, will it affect something?

Then I would check which IPS protections regarding web security are relevant to me.

For example prevention of directory traversal etc. might be interesting

I checked my IPS protections, it says that all protections are enabled in Threat Prevention Policy. Is it ok?

Thank you!
