CCSE Lab Manual


Checkpoint: Mistake in CCSE lab guide R77.30 edition. LAB 9. Understanding IPS Protections


Lab Overview

Checkpoint is used to protect a Windows server.
The Checkpoint IPS demonstration tool will be used to show how IPS works.
Almost all signatures are used. Page 311: Clear all options in the Protections to Deactivate section.
Application Intelligence is turned on. Page 316: Click the Configure Servers button, and select all options.



IPS demonstration tool

*The tool crashes when it tries to configure the interface IP address. You will be informed by the instructor how to bypass this problem.


First attack - SUN RPC

Steps (pages: 324 - 327):
2) Application Intelligence category
1) SUN RPC category
0) Run all items in this category
(This includes: SUN RPC Programs lookup, FreeBSD nfsd NFS Mount Request Denial of Service, Kerberos kadmin RPC Library Uninitialized Poi and Unix Authentication)
Launch attack

In SmartView Tracker there is only one IPS log (page 328), but it is not related to SUN RPC. It is Null Payload Echo Request!

Nobody noticed that there are a lot of connections from the IPS demonstration tool to A-GUI (the Windows target) on port 65000. If you take a closer look, you will notice that they were closed by the Windows station (reset) because port 65000 is closed.

The attack using the SUN RPC category was not launched at all!

Second attack - ICMP

IP and ICMP category - everything looks fine here.
In logs you will find:
- IP Fragments
- Ping of Death
- IGMP protocol Enforcement violation
- Null Payload Echo Request

Third attack - MS RPC

Steps (pages 345 - 346)
2) Application Intelligence category
2) MS-RPC category
1) MS-RPC Over CIFS
Launch attack

In IPS Demonstration Toolkit you will notice (page 346):

replay-client.pl -t 15 -m -c 10.1.1.201 -p 139 -f cap/MSRPC-Block_Webclient_Vulnerability_MS06_008.replay -s 65000

replay.pl failed to connect (10.1.1.201:65000): Connection refused
trying again (2 more...)
replay.pl failed to connect (10.1.1.201:65000): Connection refused
trying again (1 more...)
replay.pl failed to connect (10.1.1.201:65000): Connection refused


The manual presents a log in SmartView Tracker: Ping of Death (page 347)

The attack using the MS RPC category was not launched at all!
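
A way to catch this before trusting the SmartView Tracker logs, as an added example that is not part of the lab guide or the toolkit: audit the toolkit output for replays that gave up connecting, and preflight the listener port on the target. The function names are hypothetical, and reading -f as the capture file is an assumption taken from the command line quoted above.

```python
import re
import socket

# Constructed sample: the toolkit transcript quoted on this page (guide page 346).
SAMPLE = """\
replay-client.pl -t 15 -m -c 10.1.1.201 -p 139 -f cap/MSRPC-Block_Webclient_Vulnerability_MS06_008.replay -s 65000
replay.pl failed to connect (10.1.1.201:65000): Connection refused
trying again (2 more...)
replay.pl failed to connect (10.1.1.201:65000): Connection refused
trying again (1 more...)
replay.pl failed to connect (10.1.1.201:65000): Connection refused
"""

CMD = re.compile(r"^replay-client\.pl\b.*?-f\s+(\S+)")  # assumption: -f = capture file
FAIL = re.compile(r"failed to connect \(([\d.]+):(\d+)\): (.+)$")


def audit_transcript(text):
    """One record per replay command: capture file, failed connects, verdict."""
    runs = []
    for line in text.splitlines():
        cmd = CMD.search(line)
        if cmd:
            runs.append({"capture": cmd.group(1), "failures": [], "launched": True})
            continue
        if not runs:
            continue
        fail = FAIL.search(line)
        if fail:
            host, port, reason = fail.groups()
            runs[-1]["failures"].append((host, int(port), reason))
            runs[-1]["launched"] = False  # a failure with no retry after it: gave up
        elif line.startswith("trying again"):
            runs[-1]["launched"] = None   # retry pending, outcome not yet known
    return runs


def listener_reachable(host, port, timeout=3.0):
    """Preflight: True only if a TCP connect to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused (reset), timed out, or unreachable
        return False


if __name__ == "__main__":
    for run in audit_transcript(SAMPLE):
        state = {True: "launched", False: "NOT launched", None: "unknown"}[run["launched"]]
        print(f"{run['capture']}: {state}, {len(run['failures'])} failed connects")
```

Running listener_reachable("10.1.1.201", 65000) from the attacking host before each category shows whether the replay can start at all.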