CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1
Using Protection Tools
Downloads: This chapterpdf (PDF - 120.0KB) The complete bookPDF (PDF - 10.51MB) | The complete bookePub (ePub - 3.57MB) | The complete bookMobi (Mobi - 3.47MB) | Feedback

Table of Contents

Using Protection Tools

Preventing IP Spoofing

Configuring the Fragment Size

Blocking Unwanted Connections

Configuring IP Audit for Basic IPS Support

Configuring IP Audit

IP Audit Signature List

Using Protection Tools

This chapter describes some of the many tools available to protect your network and includes the following sections:

Preventing IP Spoofing

This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

Normally, the ASA only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the ASA to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the ASA, the ASA routing table must include a route back to the source address. See RFC 2267 for more information.

For outside traffic, for example, the ASA can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the ASA uses the default route to correctly identify the outside interface as the source interface.

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the ASA drops the packet because the matching route (the default route) indicates the outside interface.

Unicast RPF is implemented as follows:

  • ICMP packets have no session, so each packet is checked.
  • UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

To enable Unicast RPF, enter the following command:

ciscoasa(config)# ip verify reverse-path interface interface_name
 

Configuring the Fragment Size

By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to let fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the ASA. Fragmented packets are often used as DoS attacks.

To set disallow fragments, enter the following command:

ciscoasa(config)# fragment chain 1 [interface_name]
 

Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this command applies to all interfaces.

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address. All existing connections and new connections are blocked until you remove the shun.


NoteIf you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections automatically.


To shun a connection manually, perform the following steps:


Step 1 If necessary, view information about the connection by entering the following command:

ciscoasa# show conn
 

The ASA shows information about each connection, such as the following:

TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO
 

Step 2 To shun connections from the source IP address, enter the following command:

ciscoasa(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]
 

If you enter only the source IP address, then all future connections are shunned; existing connections remain active.

To drop an existing connection, as well as blocking future connections from the source IP address, enter the destination IP address, source and destination ports, and the protocol. By default, the protocol is 0 for IP. Note that specifying the additional parameters is a convenient way to also drop a specific current connection; the shun, however, remains in place for all future connections from the source IP address, regardless of destination parameters.

For multiple context mode, you can enter this command in the admin context, and by specifying a VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other contexts.

Step 3 To remove the shun, enter the following command:

ciscoasa(config)# no shun src_ip [vlan vlan_id]
 


 

Configuring IP Audit for Basic IPS Support

The IP audit feature provides basic IPS support for the ASA that does not have an AIP SSM. It supports a basic list of signatures, and you can configure the ASA to perform one or more actions on traffic that matches a signature.

This section includes the following topics:

Configuring IP Audit

To enable IP audit, perform the following steps:


Step 1 To define an IP audit policy for informational signatures, enter the following command:

ciscoasa(config)# ip audit name name info [action [alarm] [drop] [reset]]
 

Where alarm generates a system message showing that a packet matched a signature, drop drops the packet, and reset drops the packet and closes the connection. If you do not define an action, then the default action is to generate an alarm.

Step 2 To define an IP audit policy for attack signatures, enter the following command:

ciscoasa(config)# ip audit name name attack [action [alarm] [drop] [reset]]
 

Where alarm generates a system message showing that a packet matched a signature, drop drops the packet, and reset drops the packet and closes the connection. If you do not define an action, then the default action is to generate an alarm.

Step 3 To assign the policy to an interface, enter the following command:

ip audit interface interface_name policy_name
 

Step 4 To disable signatures, or for more information about signatures, see the ip audit signature command in the command reference.


 

IP Audit Signature List

Table 28-1 lists supported signatures and system message numbers.

 

Table 28-1 Signature IDs and System Message Numbers

Signature ID
Message Number
Signature Title
Signature Type
Description

1000

400000

IP options-Bad Option List

Informational

Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks.

1001

400001

IP options-Record Packet Route

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route).

1002

400002

IP options-Timestamp

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).

1003

400003

IP options-Security

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options).

1004

400004

IP options-Loose Source Route

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route).

1005

400005

IP options-SATNET ID

Informational

Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier).

1006

400006

IP options-Strict Source Route

Informational

Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 9(Strict Source Routing).

1100

400007

IP Fragment Attack

Attack

Triggers when any IP datagram is received with an offset value less than 5 but greater than 0 indicated in the offset field.

1102

400008

IP Impossible Packet

Attack

Triggers when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land Attack.

1103

400009

IP Overlapping Fragments (Teardrop)

Attack

Triggers when two fragments contained within the same IP datagram have offsets that indicate that they share positioning within the datagram. This could mean that fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments, which is how the Teardrop attack works to create a DoS.

2000

400010

ICMP Echo Reply

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 0 (Echo Reply).

2001

400011

ICMP Host Unreachable

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 3 (Host Unreachable).

2002

400012

ICMP Source Quench

Informational

Triggers when an IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 4 (Source Quench).

2003

400013

ICMP Redirect

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 5 (Redirect).

2004

400014

ICMP Echo Request

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 8 (Echo Request).

2005

400015

ICMP Time Exceeded for a Datagram

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 11(Time Exceeded for a Datagram).

2006

400016

ICMP Parameter Problem on Datagram

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 12 (Parameter Problem on Datagram).

2007

400017

ICMP Timestamp Request

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 13 (Timestamp Request).

2008

400018

ICMP Timestamp Reply

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 14 (Timestamp Reply).

2009

400019

ICMP Information Request

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 15 (Information Request).

2010

400020

ICMP Information Reply

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 16 (ICMP Information Reply).

2011

400021

ICMP Address Mask Request

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 17 (Address Mask Request).

2012

400022

ICMP Address Mask Reply

Informational

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and the type field in the ICMP header set to 18 (Address Mask Reply).

2150

400023

Fragmented ICMP Traffic

Attack

Triggers when a IP datagram is received with the protocol field of the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field.

2151

400024

Large ICMP Traffic

Attack

Triggers when a IP datagram is received with the protocol field of the IP header set to 1(ICMP) and the IP length > 1024.

2154

400025

Ping of Death Attack

Attack

Triggers when a IP datagram is received with the protocol field of the IP header set to 1(ICMP), the Last Fragment bit is set, and (IP offset * 8) + (IP data length) > 65535 that is to say, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8 byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

3040

400026

TCP NULL flags

Attack

Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host.

3041

400027

TCP SYN+FIN flags

Attack

Triggers when a single TCP packet with the SYN and FIN flags are set and is sent to a specific host.

3042

400028

TCP FIN only flags

Attack

Triggers when a single orphaned TCP FIN packet is sent to a privileged port (having port number less than 1024) on a specific host.

3153

400029

FTP Improper Address Specified

Informational

Triggers if a port command is issued with an address that is not the same as the requesting host.

3154

400030

FTP Improper Port Specified

Informational

Triggers if a port command is issued with a data port specified that is <1024 or >65535.

4050

400031

UDP Bomb attack

Attack

Triggers when the UDP length specified is less than the IP length specified. This malformed packet type is associated with a denial of service attempt.

4051

400032

UDP Snork attack

Attack

Triggers when a UDP packet with a source port of either 135, 7, or 19 and a destination port of 135 is detected.

4052

400033

UDP Chargen DoS attack

Attack

This signature triggers when a UDP packet is detected with a source port of 7 and a destination port of 19.

6050

400034

DNS HINFO Request

Informational

Triggers on an attempt to access HINFO records from a DNS server.

6051

400035

DNS Zone Transfer

Informational

Triggers on normal DNS zone transfers, in which the source port is 53.

6052

400036

DNS Zone Transfer from High Port

Informational

Triggers on an illegitimate DNS zone transfer, in which the source port is not equal to 53.

6053

400037

DNS Request for All Records

Informational

Triggers on a DNS request for all records.

6100

400038

RPC Port Registration

Informational

Triggers when attempts are made to register new RPC services on a target host.

6101

400039

RPC Port Unregistration

Informational

Triggers when attempts are made to unregister existing RPC services on a target host.

6102

400040

RPC Dump

Informational

Triggers when an RPC dump request is issued to a target host.

6103

400041

Proxied RPC Request

Attack

Triggers when a proxied RPC request is sent to the portmapper of a target host.

6150

400042

ypserv (YP server daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port.

6151

400043

ypbind (YP bind daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port.

6152

400044

yppasswdd (YP password daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.

6153

400045

ypupdated (YP update daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port.

6154

400046

ypxfrd (YP transfer daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.

6155

400047

mountd (mount daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the mount daemon (mountd) port.

6175

400048

rexd (remote execution daemon) Portmap Request

Informational

Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port.

6180

400049

rexd (remote execution daemon) Attempt

Informational

Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources.

6190

400050

statd Buffer Overflow

Attack

Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.