Reconnaissance Protection
Prevent attackers from probing your network for vulnerabilities
while preserving the option to perform internal reconnaissance testing.
Similar to the military definition of reconnaissance,
the network security definition of reconnaissance is when attackers
attempt to gain information about your network’s vulnerabilities
by secretly probing the network to find weaknesses. Reconnaissance
activities are often preludes to a network attack. Enable Reconnaissance
Protection on all zones to defend against port scans and host
sweeps:
Port scans discover open ports on a network. A port scanning tool sends client requests to a range of port numbers on a host, with the goal of locating an active port to exploit in an attack. Zone Protection profiles defend against TCP and UDP port scans.

Host sweeps examine multiple hosts to determine if a specific port is open and vulnerable.

IP protocol scans cycle through IP protocol numbers to determine the IP protocols, and thus the services, supported by target machines.
You can use reconnaissance tools for legitimate purposes such
as pen testing of network security or the strength of a firewall.
You can specify up to 20 IP addresses or netmask address objects
to exclude from Reconnaissance Protection so that your internal
IT department can conduct pen tests to find and fix network vulnerabilities.
When you configure Reconnaissance Protection, you can set the action to take when reconnaissance traffic (excluding pen testing traffic) exceeds the configured threshold. Retain the default Interval and Threshold so that the firewall logs a few packets for analysis before blocking the reconnaissance operation.
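As an added illustration of the logic described above (this is not Palo Alto Networks code and does not reflect the firewall's implementation), the following Python model counts distinct targets per source inside a sliding interval for each of the three scan types, skips sources on a pen-test exclusion list capped at 20 entries, and records an alert once the threshold is crossed. The interval, threshold, addresses and traffic are constructed values, not the product defaults.

```python
import ipaddress
from collections import defaultdict

INTERVAL = 2.0       # window length in seconds (assumed value, not a product default)
THRESHOLD = 5        # distinct targets per window that raise an alert (assumed value)
MAX_EXCLUSIONS = 20  # the page's limit on excluded addresses / netmask objects

# Constructed sample traffic: (timestamp, src, dst, protocol, dst_port)
PACKETS = (
    # external host probes six TCP ports on one target within two seconds
    [(0.25 * i, "203.0.113.5", "192.0.2.10", "tcp", 20 + i) for i in range(6)]
    # internal pen tester does the same, but is on the exclusion list
    + [(0.25 * i, "10.0.0.7", "192.0.2.10", "tcp", 20 + i) for i in range(6)]
    # host sweep: one port (445) against six different hosts
    + [(1.0 + 0.25 * i, "203.0.113.6", f"192.0.2.{i}", "tcp", 445) for i in range(1, 7)]
    # slow probe: six UDP ports, one every three seconds, never fills the window
    + [(3.0 * i, "203.0.113.7", "192.0.2.10", "udp", 160 + i) for i in range(6)]
)

def build_exclusions(entries):
    """Parse the pen-test exclusion list; the page caps it at 20 entries."""
    if len(entries) > MAX_EXCLUSIONS:
        raise ValueError(f"at most {MAX_EXCLUSIONS} exclusions are allowed")
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def scan_keys(dst, proto, port):
    """Map one packet to the (scan type, group, target) tuples it contributes to."""
    keys = [("ip-protocol-scan", dst, proto)]             # distinct protocols per host
    if proto in ("tcp", "udp") and port is not None:
        keys.append((f"{proto}-port-scan", dst, port))    # distinct ports per host
        keys.append(("host-sweep", port, dst))            # distinct hosts per port
    return keys

def detect(packets, exclusions, interval=INTERVAL, threshold=THRESHOLD):
    """Return {(src, scan type): timestamp} for sources that exceed the threshold."""
    windows = defaultdict(list)   # (src, kind, group) -> [(ts, target), ...]
    alerts = {}
    for ts, src, dst, proto, port in sorted(packets, key=lambda p: p[0]):
        if any(ipaddress.ip_address(src) in net for net in exclusions):
            continue                                      # pen-test traffic is not counted
        for kind, group, target in scan_keys(dst, proto, port):
            events = windows[(src, kind, group)]
            events.append((ts, target))
            while ts - events[0][0] > interval:           # expire events outside the window
                events.pop(0)
            if len({t for _, t in events}) >= threshold:
                alerts.setdefault((src, kind), ts)        # first crossing is the alert time
    return alerts
```

Calling detect(PACKETS, build_exclusions(["10.0.0.0/24"])) reports the external port scan and the host sweep, while the excluded pen tester and the slow probe produce no alert.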