CCSE Lab Manual

Checkpoint: Mistake in CCSE and CCSM lab guide

Checkpoint: Mistake in the CCSE lab guide, R77.30 edition, Lab 9 (Understanding IPS Protections). The same mistake is present in the CCSM lab guide.

Lab Overview

Checkpoint is used to protect a Windows server.
The Checkpoint IPS demonstration tool is used to show how IPS works.
Almost all signatures are used. Page 311: clear all options in the Protections to Deactivate section.
Application Intelligence is turned on. Page 316: click the Configure Servers button and select all options.

IPS demonstration tool

*The tool crashes when it tries to configure the interface IP address. The instructor will tell you how to bypass this problem.

First attack - SUN RPC

Steps (pages: 324 - 327):
2) Application Intelligence category
1) SUN RPC category
0) Run all items in this category
(This includes: SUN RPC Programs lookup, FreeBSD nfsd NFS Mount Request Denial of Service, Kerberos kadmin RPC Library Uninitialized Poi and Unix Authentication)
Launch attack

In SmartView Tracker there is only one IPS log (page 328), but it is not related to SUN RPC. It is Null Payload Echo Request!

Nobody noticed that there are a lot of connections from the IPS demonstration tool to A-GUI (the Windows target) on port 65000. If you take a closer look, you will notice that they were closed by the Windows station (reset) because port 65000 is closed.

Attack using SUN RPC category was not launched at all!

Second attack - ICMP

IP and ICMP category - everything looks fine here.
In logs you will find:
- IP Fragments
- Ping of Death
- IGMP protocol Enforcement violation
- Null Payload Echo Request

Third attack - MS RPC

Steps (pages 345 - 346):
2) Application Intelligence category
2) MS-RPC category
Launch attack

In the IPS Demonstration Toolkit you will notice (page 346):

-t 15 -m -c -p 139 -f cap/MSRPC-Block_Webclient_Vulnerability_MS06_008.replay -s 65000 failed to connect ( Connection refused
trying again (2 more...) failed to connect ( Connection refused
trying again (1 more...) failed to connect ( Connection refused

The manual presents the log in SmartView Tracker as Ping of Death (page 347).

Attack using MS RPC category was not launched at all!
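The same problem hits both the SUN RPC and the MS-RPC step: the replay never connects, and the only IPS logs belong to the IP and ICMP category. Below is an added check, not part of the lab guide or of the IPS demonstration tool, that parses the toolkit output and the SmartView Tracker entries and reports whether the replay actually reached the target and whether any logged protection belongs to the launched category. The sample output and log entries are constructed from what this page shows.

```python
import re

# Constructed sample of the toolkit output (mirrors page 346 of the guide).
TOOL_OUTPUT = """\
-t 15 -m -c -p 139 -f cap/MSRPC-Block_Webclient_Vulnerability_MS06_008.replay -s 65000 failed to connect ( Connection refused
trying again (2 more...) failed to connect ( Connection refused
trying again (1 more...) failed to connect ( Connection refused
"""

# Constructed SmartView Tracker entries as (protection name, IPS category).
IPS_LOGS = [
    ("Null Payload Echo Request", "IP and ICMP"),
    ("Ping of Death", "IP and ICMP"),
]

# "failed to connect ( Connection refused" is how the toolkit reports a refused TCP connect.
REFUSED = re.compile(r"failed to connect \(\s*Connection refused")
REPLAY_FILE = re.compile(r"-f\s+(\S+)")


def replay_file(output: str):
    """Return the .replay file named in the toolkit command line, or None."""
    m = REPLAY_FILE.search(output)
    return m.group(1) if m else None


def refused_attempts(output: str) -> int:
    """Count connection attempts the target refused (one per reported line)."""
    return len(REFUSED.findall(output))


def replay_connected(output: str) -> bool:
    """True only if some non-empty attempt line does not end in a refused connect."""
    lines = [l for l in output.splitlines() if l.strip()]
    return any(not REFUSED.search(l) for l in lines)


def attack_verified(output: str, logs, expected_category: str) -> dict:
    """Lab check: the replay must have connected AND a log from the launched
    category must exist; unrelated logs (e.g. ICMP) do not count as evidence."""
    matching = [name for name, cat in logs if cat == expected_category]
    connected = replay_connected(output)
    return {
        "replay": replay_file(output),
        "refused_attempts": refused_attempts(output),
        "connected": connected,
        "matching_logs": matching,
        "verified": connected and bool(matching),
    }


if __name__ == "__main__":
    print(attack_verified(TOOL_OUTPUT, IPS_LOGS, "MS-RPC"))
```

Run against the page's lines, the check reports three refused attempts, no MS-RPC log, and verified=False, which is exactly the situation the lab guide overlooks.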