Check Point’s HTTP Inspection and Threat Prevention has multiple layers of defense that block the use of the SNIcat tool, and do not allow this attack vector to bypass our Security Gateway.
Yet, when there is already malicious software running inside the network, modifications of the SNIcat tool may be able to overcome some of the defenses. In order to avoid this, in addition to enabling all Threat Prevention blades and SSL inspection, Check Point also recommends:
- The use of Check Point Endpoint Security
- A hardened rule-base that includes blocking uncategorized destinations and HTTPS Inspection working in Hold mode.
In addition, Check Point has developed the following protections to catch the SNIcat tool:

SandBlast Agent
- SNIcat (Server Name Indication Concatenator)
- Part of the Anonymizer category
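The following is an added example, not Check Point's code or configuration, showing what the hardened rule-base recommended above looks like when applied to gateway connection logs: each TLS SNI is categorized, Anonymizer-category and uncategorized destinations are blocked, and a separate heuristic flags SNI labels that are unusually long or high-entropy. The category table, the log format, the field names and the thresholds (`MAX_LABEL_LEN`, `MAX_LABEL_ENTROPY`) are constructed assumptions; the label heuristic goes beyond what the advisory states and is included only as a detection signal for analysts to tune.

```python
import math
import re
from collections import Counter

# Constructed URL-category table standing in for a category lookup service
# (assumption: illustrative names only, not Check Point's category data).
CATEGORY_TABLE = {
    "www.example.com": "Business",
    "updates.example.org": "Software Updates",
    "proxy.anon-example.net": "Anonymizer",
}

# Constructed gateway connection log: timestamp, source address, TLS SNI.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=10.0.0.5 sni=www.example.com
2024-01-01T10:00:01Z src=10.0.0.5 sni=proxy.anon-example.net
2024-01-01T10:00:02Z src=10.0.0.7 sni=aGVsbG8gd29ybGQ.exfil-example.test
2024-01-01T10:00:03Z src=10.0.0.9 sni=updates.example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+)$")

# Hypothetical thresholds for the leftmost SNI label; tune to your environment.
MAX_LABEL_LEN = 12
MAX_LABEL_ENTROPY = 3.0


def parse_log(text):
    """Yield (timestamp, src, sni) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src"), m.group("sni").lower()


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def categorize(sni):
    """Look up the destination category; anything unknown is Uncategorized."""
    return CATEGORY_TABLE.get(sni, "Uncategorized")


def suspicious_label(sni):
    """Heuristic flag: an unusually long or high-entropy leftmost label."""
    label = sni.split(".")[0]
    return len(label) > MAX_LABEL_LEN or shannon_entropy(label) > MAX_LABEL_ENTROPY


def evaluate(sni):
    """Apply the hardened rule-base: block Anonymizer and uncategorized destinations."""
    category = categorize(sni)
    if category == "Anonymizer":
        return "block", "anonymizer category"
    if category == "Uncategorized":
        return "block", "uncategorized destination"
    return "allow", category


def review_log(text):
    """Return one record per log line with the rule-base decision and heuristic flag."""
    records = []
    for ts, src, sni in parse_log(text):
        decision, reason = evaluate(sni)
        records.append({
            "ts": ts,
            "src": src,
            "sni": sni,
            "decision": decision,
            "reason": reason,
            "suspicious_label": suspicious_label(sni),
        })
    return records


if __name__ == "__main__":
    for rec in review_log(SAMPLE_LOG):
        print(rec)
```

The rule-base decision and the label heuristic are kept separate on purpose: blocking uncategorized destinations is a policy choice enforced by the gateway, while the heuristic only produces a review flag, since legitimate CDN and cloud hostnames also carry long random-looking labels.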