
Attack Prevention Safeguards and Attacks Blocked

Transport Layer

FireWall-1 NG with Application Intelligence defends against a large number of attacks and provides safeguards against them. The table below summarizes some of these defenses, listed by protocol and by OSI model layer.

Note: Check Point continues to expand the scope of its defenses. This table is a snapshot as of the present time and is not exhaustive.

Download the list of defenses [PDF]

TCP

Attack Prevention Safeguards:
  • Enforce correct usage of TCP flags
  • Limit per-source sessions
  • Enforce minimum TCP header length
  • Block unknown protocols
  • Restrict FIN packets with no ACK
  • Enforce that the TCP header length indicated in the header is not longer than the packet size indicated by the header
  • Block out-of-state packets
  • Verify that the first connection packet is a SYN
  • Enforce 3-way handshake: between SYN and SYN-ACK, the client can send only RST or SYN
  • Enforce 3-way handshake: between SYN and connection establishment, the server can send only SYN-ACK or RST
  • Block SYN on an established connection before a FIN or RST packet is encountered
  • Restrict server-to-client packets belonging to old connections
  • Drop server-to-client packets belonging to old connections if the packets contain SYN or RST
  • Block TCP fragments
  • Block SYN fragments
  • Scramble OS fingerprint
  • Verify the TCP packet sequence number for packets belonging to an existing session
  • Enforce TCP session sequence verification (protect persistent unauthenticated network sessions)
  • Network Quota: enforce a limit on the number of connections allowed from the same source IP, to protect against Denial of Service attacks
  • Anomaly detection: used ports
  • Drop ICMP error packets that belong to established TCP connections

Attacks Blocked:
  • ACK Denial-of-Service Attack
  • SYN Attack
  • Land Attack
  • Tear Drop Attack
  • Session Hijacking Attack
  • Jolt Attack
  • Bloop Attack
  • Cpd Attack
  • Targa Attack
  • Twinge Attack
  • Small PMTU Attack
  • Session Hijacking Attacks (TCP sequence number manipulation)
  • TCP-Based Attacks Spanning Multiple Packets
  • XMAS Attacks
  • Port Scan
  • Witty worm
  • Cisco IOS DOS

UDP

Attack Prevention Safeguards:
  • Verify UDP length field
  • Match UDP requests and responses
  • Non-TCP Flooding: limit the percentage of non-TCP connections to prevent DoS

Attacks Blocked:
  • Port Scan
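As an added illustration, not Check Point's code, the following Python checker applies several of the TCP safeguards listed above to constructed segments: minimum header length, header length versus segment size, invalid flag combinations (null, all flags, SYN with FIN/RST, XMAS), FIN without ACK, first packet must be SYN, and SYN on an established connection. The build_tcp helper, the flow-state names and the simplification that connection direction is not tracked are this example's own.

```python
import struct

# TCP flag bits in the low 6 bits of the offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MIN_HDR = 20

def build_tcp(sport, dport, flags, hlen_words=5, payload=b""):
    """Constructed test segment: fixed seq/ack/window, checksum left zero."""
    off_flags = (hlen_words << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, off_flags, 65535, 0, 0) + payload

def check_segment(segment, flows, src, dst):
    """Return 'accept' or 'drop: <reason>' for one segment.
    flows maps a direction-independent 4-tuple key to 'handshake' or 'established'.
    Direction is not tracked (simplification), so the client/server handshake rules
    collapse into: only SYN, SYN-ACK or RST may appear before establishment."""
    if len(segment) < MIN_HDR:
        return "drop: segment below minimum TCP header length"
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    hlen, flags = (off_flags >> 12) * 4, off_flags & 0x3F
    if hlen < MIN_HDR:
        return "drop: header length field below minimum"
    if hlen > len(segment):
        return "drop: header length exceeds segment size"
    if flags in (0, 0x3F):
        return "drop: null or all-flags segment"
    if flags & SYN and flags & (FIN | RST):
        return "drop: SYN combined with FIN or RST"
    if flags & FIN and flags & PSH and flags & URG:
        return "drop: XMAS flag pattern"
    if flags & FIN and not flags & ACK:
        return "drop: FIN without ACK"
    key = tuple(sorted([(src, sport), (dst, dport)]))
    state = flows.get(key)
    if state is None:
        if flags != SYN:
            return "drop: out-of-state (first packet must be SYN)"
        flows[key] = "handshake"
    elif state == "handshake":
        if flags == SYN | ACK:
            flows[key] = "established"   # final ACK handled as established traffic
        elif flags & RST:
            del flows[key]
        elif flags != SYN:               # SYN retransmit is allowed
            return "drop: only SYN, SYN-ACK or RST allowed during handshake"
    else:
        if flags & SYN:
            return "drop: SYN on established connection"
        if flags & (FIN | RST):
            del flows[key]               # connection torn down
    return "accept"
```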