FireWall-1 FAQ: Protecting against Nimda and Code Red
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
“Smart Defense” (a patch to NG FP2 and available in NG FP3 and later) provide a mechanism to block HTTP worms of all types, including NIMDA and Code Red. This is done in the kernel module and it does not involve the security servers, so performance should be less of a concern.
If you are using NG FP2 without Smart Defense or a previous version, there are two solutions, one listed in the 4.1 SP5 release notes that does not involve the HTTP Security Server (only for Code Red, though), and the other listed below, which will work on any version of FireWall-1. Please note that this “workaround” should only be applied until you can patch the appropriate web servers since it involves using the HTTP Security Server, which is not known for it’s high performance.
Create a URI resource of type wildcard with the following settings in the match tab:
scheme: http
method: get
host:*
path:{*cmd.exe,*root.exe,*admin.dll,*readme.exe,*default.ida}
query: *
To prevent access to your Web Server, create a rule similar to the following:
Source | Destination | Service | Action |
---|---|---|---|
Any | Web_Servers | HTTP->code_red_resource | Drop |
This rule needs to be listed before the rule that permits HTTP to the Web_Servers, which will allow all non-code_red traffic.
To prevent already infected machines on your network to infect other machines on the Internet, create a rule that similar to the following:
Source | Destination | Service | Action |
---|---|---|---|
Internal-Network | Any | HTTP->code_red_resource | Drop |
This rule needs to be listed before the rule that permits outbound HTTP traffic from your internal network.