Cisco Asdm 7 User Guide
    27-9
    Cisco ASA Series Firewall ASDM Configuration Guide
    Chapter 27      Configuring Threat Detection
    Configuring Scanning Threat Detection
    Feature History for Scanning Threat Detection, page 27-11
    Information About Scanning Threat Detection
    A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by 
    scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The 
    scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection 
    that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive 
    database that contains host statistics that can be analyzed for scanning activity.
    The host database tracks suspicious activity such as connections with no return activity, access of closed 
    service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
    If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally 
    shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the 
    burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or 
    10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning 
    attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from 
    a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a 
    host, then that host is considered to be a target.
    Caution: The scanning threat detection feature can affect ASA performance and memory significantly while 
    it creates and gathers host- and subnet-based data structures and information.
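The two rate checks described above (average rate over the rate interval, burst rate over a burst interval of 1/30th of that, with a 10 second floor) can be made concrete with a small model. The following Python is an added example, not code from the Cisco guide and not the ASA's implementation: the RateTracker class, the host addresses and the event list are constructed for illustration, and the default rates of 5 and 10 events/sec over 600 seconds are taken from Table 27-4.

```python
from collections import deque

def burst_interval(rate_interval_s: int) -> int:
    """Burst interval = 1/30th of the average rate interval, or 10 s, whichever is larger."""
    return max(rate_interval_s // 30, 10)

class RateTracker:
    """Hypothetical per-host counter: keeps event timestamps for one average interval and
    evaluates both the average rate and the burst rate after every new event."""

    def __init__(self, avg_interval_s=600, avg_rate=5, burst_rate=10):
        self.avg_interval = avg_interval_s
        self.burst_int = burst_interval(avg_interval_s)
        self.avg_rate = avg_rate        # events/sec allowed over the whole average interval
        self.burst_rate = burst_rate    # events/sec allowed over the burst interval
        self.events = deque()           # timestamps inside the average window

    def record(self, ts):
        """Add one event at time ts; return True if either rate limit is exceeded."""
        self.events.append(ts)
        while self.events and self.events[0] <= ts - self.avg_interval:
            self.events.popleft()       # drop events that fell out of the average window
        in_avg = len(self.events)
        in_burst = sum(1 for t in self.events if t > ts - self.burst_int)
        return (in_avg / self.avg_interval > self.avg_rate
                or in_burst / self.burst_int > self.burst_rate)

def classify(events, avg_interval_s=600, avg_rate=5, burst_rate=10):
    """events: iterable of (timestamp, src, dst) for detected scan-type events
    (no-return connections, closed ports, ...). Returns (attackers, targets):
    hosts whose sent rate, respectively received rate, exceeded a limit."""
    senders, receivers = {}, {}
    attackers, targets = set(), set()
    for ts, src, dst in events:
        s = senders.setdefault(src, RateTracker(avg_interval_s, avg_rate, burst_rate))
        if s.record(ts):
            attackers.add(src)          # rate exceeded for traffic sent by src
        r = receivers.setdefault(dst, RateTracker(avg_interval_s, avg_rate, burst_rate))
        if r.record(ts):
            targets.add(dst)            # rate exceeded for traffic received by dst
    return attackers, targets

# Constructed sample: one host probes 250 addresses in 20 s, a normal host opens
# 3 connections, and 260 different hosts hit one address within 18 s.
SAMPLE_EVENTS = (
    [(i * 0.08, "10.0.0.9", "192.0.2.%d" % (i % 254 + 1)) for i in range(250)]
    + [(30.0 + i, "10.0.0.20", "192.0.2.10") for i in range(3)]
    + [(1000.0 + i * 0.07, "198.51.100.%d" % (i % 254 + 1), "192.0.2.77") for i in range(260)]
)

if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))      # ({'10.0.0.9'}, {'192.0.2.77'})
```

With the defaults, the scanning host trips the burst check (more than 10 events/sec over 20 seconds) long before the average check would; the 260 probing sources each produce only one or two events and are not flagged, but the address they all hit is reported as a target.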
    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature:
    Security Context Guidelines
    Supported in single mode only. Multiple mode is not supported.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    Types of Traffic Monitored
    Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
    Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is 
    allowed through the ASA and that creates a flow is affected by scanning threat detection. 
    Default Settings
    Table 27-4 lists the default rate limits for scanning threat detection.
    The burst rate is calculated as the average rate every N seconds, where N is the burst rate interval. The 
    burst rate interval is 1/30th of the rate interval or 10 seconds, whichever is larger.
    Configuring Scanning Threat Detection
    Detailed Steps
    Step 1  Choose the Configuration > Firewall > Threat Detection pane, and check the Enable Scanning 
    Threat Detection check box.
    Step 2  (Optional) To automatically terminate a host connection when the ASA identifies the host as an attacker, 
    check the Shun Hosts detected by scanning threat check box.
    Step 3  (Optional) To exempt host IP addresses from being shunned, enter an address in the Networks excluded 
    from shun field.
    You can enter multiple addresses or subnets separated by commas. To choose a network from the list of 
    IP address objects, click the ... button.
    Step 4  (Optional) To set the duration of a shun for an attacking host, check the Set Shun Duration check box 
    and enter a value between 10 and 2592000 seconds. The default length is 3600 seconds (1 hour). To 
    restore the default value, click Set Default.
    Table 27-4 Default Rate Limits for Scanning Threat Detection
    Average Rate                            | Burst Rate
    5 drops/sec over the last 600 seconds.  | 10 drops/sec over the last 20 second period.
    5 drops/sec over the last 3600 seconds. | 10 drops/sec over the last 120 second period.
    Feature History for Scanning Threat Detection
    Table 27-5 lists each feature change and the platform release in which it was implemented. ASDM is 
    backwards-compatible with multiple platform releases, so the specific ASDM release in which support 
    was added is not listed.
    Table 27-5 Feature History for Scanning Threat Detection
    Feature Name | Platform Releases | Feature Information
    Scanning threat detection | 8.0(2) | Scanning threat detection was introduced. The following screen was introduced: Configuration > Firewall > Threat Detection.
    Shun duration | 8.0(4)/8.1(2) | You can now set the shun duration. The following screen was modified: Configuration > Firewall > Threat Detection.
    Burst rate interval changed to 1/30th of the average rate | 8.2(1) | In earlier releases, the burst rate interval was 1/60th of the average rate. To maximize memory usage, the sampling interval was reduced to 30 times during the average rate.
    Improved memory usage | 8.3(1) | The memory usage for threat detection was improved.
    Chapter 28      Using Protection Tools
    This chapter describes some of the many tools available to protect your network and includes the 
    following sections:
    Preventing IP Spoofing, page 28-1
    Configuring the Fragment Size, page 28-2
    Configuring TCP Options, page 28-3
    Configuring IP Audit for Basic IPS Support, page 28-5
    Preventing IP Spoofing
    This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards 
    against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring 
    that all packets have a source IP address that matches the correct source interface according to the 
    routing table.
    Normally, the ASA only looks at the destination address when determining where to forward the packet. 
    Unicast RPF instructs the ASA to also look at the source address; this is why it is called Reverse Path 
    Forwarding. For any traffic that you want to allow through the ASA, the ASA routing table must include 
    a route back to the source address. See RFC 2267 for more information.
    For outside traffic, for example, the ASA can use the default route to satisfy the Unicast RPF protection. 
    If traffic enters from an outside interface, and the source address is not known to the routing table, the 
    ASA uses the default route to correctly identify the outside interface as the source interface.
    If traffic enters the outside interface from an address that is known to the routing table, but is associated 
    with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface 
    from an unknown source address, the ASA drops the packet because the matching route (the default 
    route) indicates the outside interface.
    Unicast RPF is implemented as follows:
    ICMP packets have no session, so each packet is checked.
    UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent 
    packets arriving during the session are checked using an existing state maintained as part of the 
    session. Non-initial packets are checked to ensure they arrived on the same interface used by the 
    initial packet.
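The reverse path check just described, as an added worked example that is not part of the Cisco guide and not the ASA's code: a longest-prefix route lookup over a constructed routing table (the inside, dmz and outside interfaces, the prefixes and the default route are all assumptions), applied per packet for ICMP and once per session for TCP and UDP, with later packets of a session compared against the interface remembered from the initial packet.

```python
import ipaddress

# Constructed routing table (not from the guide): (destination prefix, egress interface).
# 0.0.0.0/0 is the default route and points out the outside interface.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),
    (ipaddress.ip_network("10.1.0.0/16"), "inside"),
    (ipaddress.ip_network("10.1.5.0/24"), "dmz"),
]

def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface the device would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_ok(src, ingress, routes=ROUTES):
    """Reverse path check: the route back to src must point at the ingress interface."""
    return route_lookup(src, routes) == ingress

class UrpfInspector:
    """Hypothetical model of the behaviour described above: ICMP is checked per packet;
    TCP/UDP do a reverse route lookup on the initial packet and compare every later
    packet against the interface stored in the session."""

    def __init__(self, routes=ROUTES):
        self.routes = routes
        self.sessions = {}   # (proto, src, dst, sport, dport) -> ingress interface

    def inspect(self, proto, src, dst, sport, dport, ingress):
        """Return 'pass' or 'drop' for one packet arriving on interface `ingress`."""
        if proto == "icmp":                               # no session: check every packet
            return "pass" if urpf_ok(src, ingress, self.routes) else "drop"
        key = (proto, src, dst, sport, dport)
        if key not in self.sessions:                      # initial packet of a session
            if not urpf_ok(src, ingress, self.routes):
                return "drop"
            self.sessions[key] = ingress
            return "pass"
        return "pass" if self.sessions[key] == ingress else "drop"

if __name__ == "__main__":
    insp = UrpfInspector()
    # Unknown source arriving on outside: the default route satisfies the check.
    print(insp.inspect("icmp", "203.0.113.7", "10.1.2.3", 0, 0, "outside"))   # pass
    # An inside address arriving on outside: the route points elsewhere, dropped.
    print(insp.inspect("icmp", "10.1.2.3", "10.1.2.4", 0, 0, "outside"))      # drop
```

The two drop cases in the text map directly onto the lookup: a known inside address entering the outside interface fails because its route points at inside, and an unknown address entering the inside interface fails because the only matching route is the default route, which points at outside.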
    Configuration > Firewall > Advanced > Anti-Spoofing Fields
    Interface—Lists the interface names. 
    Anti-Spoofing Enabled—Shows whether an interface has Unicast RPF enabled, Yes or No.
    Enable—Enables Unicast RPF for the selected interface.
    Disable—Disables Unicast RPF for the selected interface.
    Configuring the Fragment Size
    By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting 
    reassembly. You might need to allow fragments on your network if you have an application that routinely 
    fragments packets, such as NFS over UDP. However, if you do not have an application that fragments 
    traffic, we recommend that you do not allow fragments through the ASA. Fragmented packets are often 
    used in DoS attacks.
    To modify the IP fragment database parameters of an interface, perform the following steps: 
    Step 1  Choose the Configuration > Firewall > Advanced > Fragment pane, choose the interface to change in 
    the Fragment table, and click Edit.
    The Edit Fragment dialog box appears.
    Step 2  In the Size field, set the maximum number of packets that can be in the IP reassembly database waiting 
    for reassembly. The default is 200.
    Step 3  In the Chain field, set the maximum number of packets into which a full IP packet can be fragmented. 
    The default is 24 packets.
    Step 4  In the Timeout field, set the maximum number of seconds to wait for an entire fragmented packet to 
    arrive.
    The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive 
    by the number of seconds specified, all fragments of the packet that were already received will be 
    discarded. The default is 5 seconds.
    Step 5  Click OK.
    Step 6  Click Apply.
    Step 7  To view the fragment statistics, click Show Fragment. See the “Show Fragment” section on page 28-2 
    for more information.
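How the three limits set in the steps above (Size, Chain, Timeout) bound the reassembly database can be seen in a small model. This Python is an added example, not part of the Cisco guide and not the ASA's implementation; the FragmentDB class, its counters (named after the Show Fragment statistics) and the fragment sequences are constructed for illustration, and the completeness rule (a contiguous run of offsets ending in a fragment with MF=0) is a simplification.

```python
from dataclasses import dataclass, field

@dataclass
class FragmentDB:
    """Hypothetical model of one interface's IP fragment database."""
    size: int = 200        # Size: max packets awaiting reassembly
    chain: int = 24        # Chain: max fragments per packet
    timeout: float = 5.0   # Timeout: seconds to wait for the whole packet
    # (src, dst, ip_id) -> {"first": arrival of first fragment, "frags": {offset: (length, MF)}}
    pending: dict = field(default_factory=dict)
    assembled: int = 0     # counters as shown in the Show Fragment pane
    fail: int = 0
    overflow: int = 0

    @property
    def queue(self):
        return len(self.pending)

    def expire(self, now):
        """Discard every partial packet whose first fragment is older than the timeout."""
        for key in [k for k, e in self.pending.items() if now - e["first"] > self.timeout]:
            del self.pending[key]
            self.fail += 1

    def add(self, now, key, offset, length, more_fragments):
        """Accept one fragment; return 'queued', 'assembled' or 'dropped'."""
        self.expire(now)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.size:      # database full: no new chain
                self.overflow += 1
                return "dropped"
            entry = self.pending[key] = {"first": now, "frags": {}}
        entry["frags"][offset] = (length, more_fragments)
        if len(entry["frags"]) > self.chain:        # more fragments than Chain allows
            del self.pending[key]
            self.fail += 1
            return "dropped"
        if self._complete(entry["frags"]):
            del self.pending[key]
            self.assembled += 1
            return "assembled"
        return "queued"

    @staticmethod
    def _complete(frags):
        """True when offsets form one contiguous run that ends in a fragment with MF=0."""
        expected = 0
        for off in sorted(frags):
            if off != expected:
                return False
            length, more = frags[off]
            if not more:
                return True
            expected = off + length
        return False

if __name__ == "__main__":
    # Constructed: a 3060-byte datagram split into three fragments, reassembled in order.
    db = FragmentDB()
    pkt = ("10.1.1.1", "10.2.2.2", 1)
    print(db.add(0.0, pkt, 0, 1480, True), db.add(0.1, pkt, 1480, 1480, True),
          db.add(0.2, pkt, 2960, 100, False), db.assembled)   # queued queued assembled 1
```

Lowering Size caps memory held by incomplete packets, Chain rejects packets split into implausibly many pieces, and Timeout releases partial chains that never complete; each of those events shows up in the Overflow or Fail statistics rather than silently consuming the database.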
    Show Fragment
    The Configuration > Properties > Fragment > Show Fragment pane displays the current IP fragment 
    database statistics for each interface.
    Fields
    Size—Display only. Displays the number of packets in the IP reassembly database waiting for 
    reassembly. The default is 200. 
    Chain—Display only. Displays the number of packets into which a full IP packet can be fragmented. 
    The default is 24 packets. 
    Timeout—Display only. Displays the number of seconds to wait for an entire fragmented packet to 
    arrive. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do 
    not arrive by the number of seconds displayed, all fragments of the packet that were already received 
    will be discarded. The default is 5 seconds.
    Threshold—Display only. Displays the IP packet threshold, or the limit after which no new chains 
    can be created in the reassembly module.
    Queue—Display only. Displays the number of IP packets waiting in the queue for reassembly.
    Assembled—Display only. Displays the number of IP packets successfully reassembled.
    Fail—Display only. Displays the number of failed reassembly attempts.
    Overflow—Display only. Displays the number of IP packets in the overflow queue.
    Configuring TCP Options
    The Configuration > Firewall > Advanced > TCP Options pane lets you set parameters for TCP 
    connections.
    Fields
    Inbound and Outbound Reset—Sets whether to reset denied TCP connections for inbound and 
    outbound traffic.
    –Interface—Shows the interface name.
    –Inbound Reset—Shows the interface reset setting for inbound TCP traffic, Yes or No. Enabling 
    this setting causes the ASA to send TCP resets for all inbound TCP sessions that attempt to 
    transit the ASA and are denied by the ASA based on ACLs or AAA settings. Traffic between 
    same security level interfaces is also affected. When this option is not enabled, the ASA silently 
    discards denied packets.
    –Outbound Reset—Shows the interface reset setting for outbound TCP traffic, Yes or No. 
    Enabling this setting causes the ASA to send TCP resets for all outbound TCP sessions that 
    attempt to transit the ASA and are denied by the ASA based on ACLs or AAA settings. Traffic 
    between same security level interfaces is also affected. When this option is not enabled, the 
    ASA silently discards denied packets.
    –Edit—Sets the inbound and outbound reset settings for the interface.
    Other Options—Sets additional TCP options.
    –Send Reset Reply for Denied Outside TCP Packets—Enables resets for TCP packets that 
    terminate at the least secure interface and are denied by the ASA based on ACLs or AAA 
    settings. When this option is not enabled, the ASA silently discards denied packets. If you 
    enable Inbound Resets for the least secure interface (see TCP Reset Settings), then you do not 
    also have to enable this setting; Inbound Resets handle to-the-ASA traffic as well as through the 
    ASA traffic.
    –Force Maximum Segment Size for TCP—Sets the maximum TCP segment size in bytes, 
    between 48 and any maximum number. The default value is 1380 bytes. You can disable this 
    feature by setting the bytes to 0. Both the host and the server can set the maximum segment size 
    when they first establish a connection. If either maximum exceeds the value you set here, then 
    the ASA overrides the maximum and inserts the value you set. For example, if you set a 
    maximum size of 1200 bytes, when a host requests a maximum size of 1300 bytes, then the ASA  
    alters the packet to request 1200 bytes. See the “Controlling Fragmentation with the Maximum 
    Transmission Unit and TCP Maximum Segment Size” section on page 11-8 for more 
    information.
    –Force Minimum Segment Size for TCP—Overrides the maximum segment size to be no less 
    than the number of bytes you set, between 48 and any maximum number. This feature is 
    disabled by default (set to 0). Both the host and the server can set the maximum segment size 
    when they first establish a connection. If either maximum is less than the value you set for the 
    Force Minimum Segment Size for TCP Proxy field, then the ASA overrides the maximum and 
    inserts the “minimum” value you set (the minimum value is actually the smallest maximum 
    allowed). For example, if you set a minimum size of 400 bytes, if a host requests a maximum 
    value of 300 bytes, then the ASA alters the packet to request 400 bytes.
    –Force TCP Connection to Linger in TIME_WAIT State for at Least 15 Seconds—Forces each 
    TCP connection to linger in a shortened TIME_WAIT state of at least 15 seconds after the final 
    normal TCP close-down sequence. You might want to use this feature if an end host application 
    default TCP terminating sequence is a simultaneous close. The default behavior of the ASA is 
    to track the shutdown sequence and release the connection after two FINs and the ACK of the 
    last FIN segment. This quick release heuristic enables the ASA to sustain a high connection rate, 
    based on the most common closing sequence, known as the normal close sequence. However, 
    in a simultaneous close, both ends of the transaction initiate the closing sequence, as opposed 
    to the normal close sequence where one end closes and the other end acknowledges prior to 
    initiating its own closing sequence (see RFC 793). Thus, in a simultaneous close, the quick 
    release forces one side of the connection to linger in the CLOSING state. Having many sockets 
    in the CLOSING state can degrade the performance of an end host. For example, some WinSock 
    mainframe clients are known to exhibit this behavior and degrade the performance of the 
    mainframe server. Using this feature creates a window for the simultaneous close down 
    sequence to complete.
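The Force Maximum Segment Size and Force Minimum Segment Size settings above rewrite the MSS option carried in a TCP SYN. The following Python is an added example, not code from the Cisco guide and not the ASA's implementation: it walks the TCP options field, validates option lengths, and clamps the MSS value (kind 2) to the configured bounds, where 0 disables a bound as the text describes. The SYN option layout built by syn_options is constructed for illustration.

```python
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2

def walk_tcp_options(opts):
    """Return [(offset, kind, length)] for every option in a TCP options field,
    validating lengths. EOL ends the list; NOP is a single byte without a length."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            out.append((i, kind, 1))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length at offset %d" % i)
        out.append((i, kind, length))
        i += length
    return out

def clamp_mss(opts, max_mss=1380, min_mss=0):
    """Rewrite the MSS option the way the two Force ... Segment Size settings do:
    a value above max_mss is lowered to it, a value below min_mss is raised to it
    (0 disables either bound). Returns (rewritten options, resulting MSS or None)."""
    out = bytearray(opts)
    result = None
    for off, kind, length in walk_tcp_options(opts):
        if kind != TCPOPT_MSS or length != 4:
            continue
        mss = struct.unpack_from("!H", out, off + 2)[0]
        if max_mss and mss > max_mss:
            mss = max_mss
        if min_mss and mss < min_mss:
            mss = min_mss
        struct.pack_into("!H", out, off + 2, mss)
        result = mss
    return bytes(out), result

def syn_options(mss):
    """Constructed SYN option field: MSS, SACK-permitted, timestamps, NOP,
    window scale 7, and EOL padding to a 4-byte boundary."""
    return (struct.pack("!BBH", TCPOPT_MSS, 4, mss) + b"\x04\x02"
            + b"\x08\x0a" + bytes(8) + b"\x01" + b"\x03\x03\x07" + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    # A host asking for 1460 leaves the device with the 1380-byte default.
    print(clamp_mss(syn_options(1460))[1])                          # 1380
    # The example from the text: 1300 requested, maximum set to 1200.
    print(clamp_mss(syn_options(1300), max_mss=1200)[1])            # 1200
    # The minimum example: 300 requested, minimum set to 400.
    print(clamp_mss(syn_options(300), max_mss=0, min_mss=400)[1])   # 400
```

Only the two MSS value bytes change; every other option, including its length bytes, is left as it was, and a malformed option list raises rather than being silently rewritten.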
    TCP Reset Settings
    The Configuration > Firewall > Advanced > TCP Options > TCP Reset Settings dialog box sets the 
    inbound and outbound reset settings for an interface.
    Fields
    Send Reset Reply for Denied Inbound TCP Packets—Sends TCP resets for all inbound TCP sessions 
    that attempt to transit the ASA and are denied by the ASA based on ACLs or AAA settings. Traffic 
    between same security level interfaces is also affected. When this option is not enabled, the ASA 
    silently discards denied packets.
    You might want to explicitly send resets for inbound traffic if you need to reset identity request 
    (IDENT) connections. When you send a TCP RST (reset flag in the TCP header) to the denied host, 
    the RST stops the incoming IDENT process so that you do not have to wait for IDENT to time out. 
    Waiting for IDENT to time out can cause traffic to slow because outside hosts keep retransmitting 
    the SYN until the IDENT times out, so the service resetinbound command might improve 
    performance.
    Send Reset Reply for Denied Outbound TCP Packets—Sends TCP resets for all outbound TCP 
    sessions that attempt to transit the ASA and are denied by the ASA based on ACLs or AAA settings. 
    Traffic between same security level interfaces is also affected. When this option is not enabled, the 
    ASA silently discards denied packets. This option is enabled by default. You might want to disable 
    outbound resets to reduce the CPU load during traffic storms, for example. 
    Configuring IP Audit for Basic IPS Support
    The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports 
    a basic list of signatures, and you can configure the ASA to perform one or more actions on traffic that 
    matches a signature.
    This section includes the following topics:
    IP Audit Policy, page 28-5
    Add/Edit IP Audit Policy Configuration, page 28-5
    IP Audit Signatures, page 28-6
    IP Audit Signature List, page 28-6
    IP Audit Policy
    The Configuration > Firewall > Advanced > IP Audit > IP Audit Policy pane lets you add audit policies 
    and assign them to interfaces. You can assign an attack policy and an informational policy to each 
    interface. The attack policy determines the action to take with packets that match an attack signature; 
    the packet might be part of an attack on your network, such as a DoS attack. The informational policy 
    determines the action to take with packets that match an informational signature; the packet is not 
    currently attacking your network, but could be part of an information-gathering activity, such as a port 
    sweep. For a complete list of signatures, see the IP Audit Signature List.
    Fields
    Name—Shows the names of the defined IP audit policies. Although the default actions for a named 
    policy are listed in this table (“--Default Action--”), they are not named policies that you can assign 
    to an interface. Default actions are used by named policies if you do not set an action for the policy. 
    You can modify the default actions by selecting them and clicking the Edit button.
    Type—Shows the policy type, either Attack or Info.
    Action—Shows the actions taken against packets that match the policy, Alarm, Drop, and/or Reset. 
    Multiple actions can be listed.
    Add—Adds a new IP audit policy.
    Edit—Edits an IP audit policy or the default actions.
    Delete—Deletes an IP audit policy. You cannot delete a default action.
    Policy-to-Interface Mappings—Assigns an attack and informational policy to each interface.
    –Interface—Shows the interface name.
    –Attack Policy—Lists the attack audit policy names available. Assign a policy to an interface by 
    clicking the name in the list.
    –Info Policy—Lists the informational audit policy names available. Assign a policy to an 
    interface by clicking the name in the list.
    Add/Edit IP Audit Policy Configuration
    The Configuration > Firewall > Advanced > IP Audit > IP Audit Policy > 
    Add/Edit IP Audit Policy Configuration dialog box lets you add or edit a named IP audit policy that you 
    can assign to interfaces, and lets you modify the default actions for each signature type. 
    Fields
    Policy Name—Sets the IP audit policy name. You cannot edit the name after you add it.
    Policy Type—Sets the policy type. You cannot edit the policy type after you add it.
    –Attack—Sets the policy type as attack.
    –Information—Sets the policy type as informational.
    Action—Sets one or more actions to take when a packet matches a signature. If you do not choose 
    an action, then the default policy is used.
    –Alarm—Generates a system message showing that a packet matched a signature. For a complete 
    list of signatures, see IP Audit Signature List.
    –Drop—Drops the packet.
    –Reset—Drops the packet and closes the connection.
    IP Audit Signatures
    The Configuration > Firewall > Advanced > IP Audit > IP Audit Signatures pane lets you disable audit 
    signatures. You might want to disable a signature if legitimate traffic continually matches a signature, 
    and you are willing to risk disabling the signature to avoid large numbers of alarms.
    For a complete list of signatures, see the “IP Audit Signature List” section on page 28-6.
    Fields
    Enabled—Lists the enabled signatures.
    Disabled—Lists the disabled signatures.
    Disable—Moves the selected signature to the Disabled pane.
    Enable—Moves the selected signature to the Enabled pane.
    IP Audit Signature List
    Table 28-1 lists supported signatures and system message numbers.
    Table 28-1 Signature IDs and System Message Numbers
    Signature ID | Message Number | Signature Title | Signature Type | Description
    1000 | 400000 | IP options-Bad Option List | Informational | Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks.
    1001 | 400001 | IP options-Record Packet Route | Informational | Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route).
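The two signatures in Table 28-1 both key on the IP option list, so a minimal checker for them is an IP options parser. The following Python is an added example, not part of the Cisco guide and not the ASA's signature engine: it extracts the options from an IPv4 header using the IHL field, flags an incomplete or malformed list as signature 1000 and the presence of option 7 (Record Route) as signature 1001, and maps each to the message number from the table. The sample header is constructed; the precise malformation checks the ASA applies are not described on the page and are assumptions here.

```python
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
SIG_BAD_OPTION_LIST, SIG_RECORD_ROUTE = 1000, 1001
SYSLOG_FOR_SIGNATURE = {SIG_BAD_OPTION_LIST: 400000, SIG_RECORD_ROUTE: 400001}  # Table 28-1

def ip_options_from_header(hdr):
    """Extract the option bytes from an IPv4 header: IHL*4 bytes total, the first 20 fixed."""
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (hdr[0] & 0x0F) * 4
    if ihl < 20 or len(hdr) < ihl:
        raise ValueError("IHL inconsistent with header length")
    return hdr[20:ihl]

def audit_ip_options(opts):
    """Return the signature IDs matched by an IP option list, in the order found.
    1000: list incomplete or malformed; 1001: option 7 (Record Route) present."""
    matches, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):                        # type byte without a length byte
            matches.append(SIG_BAD_OPTION_LIST)
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):      # length runs past the option list
            matches.append(SIG_BAD_OPTION_LIST)
            break
        if kind & 0x1F == IPOPT_RR:                   # option number is the low 5 bits
            if length < 3 or opts[i + 2] < 4:         # RR needs a pointer; smallest legal value is 4
                matches.append(SIG_BAD_OPTION_LIST)
                break
            matches.append(SIG_RECORD_ROUTE)
        i += length
    return matches

def audit_header(hdr):
    """Full check of one IPv4 header: list of (signature ID, syslog message number)."""
    return [(sig, SYSLOG_FOR_SIGNATURE[sig]) for sig in audit_ip_options(ip_options_from_header(hdr))]

# Constructed IPv4 header (IHL=8, 32 bytes, 10.0.0.1 -> 10.0.0.2, protocol ICMP) carrying a
# Record Route option: type 7, length 11, pointer 4, 8 bytes of route slots, one EOL byte of padding.
SAMPLE_RR_HEADER = (
    bytes([0x48, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
           10, 0, 0, 1, 10, 0, 0, 2])
    + bytes([IPOPT_RR, 11, 4]) + bytes(8) + bytes([IPOPT_EOL])
)

if __name__ == "__main__":
    print(audit_header(SAMPLE_RR_HEADER))   # [(1001, 400001)]
```

Both signatures are informational, so under a default informational policy a match produces an alarm (the listed message number) and the packet is otherwise unaffected unless the policy also selects Drop or Reset.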