Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 3.1
Preventing Network Attacks
Preventing Network Attacks


This chapter describes how to prevent network attacks and includes the following sections:

Configuring Connection Limits and Timeouts

Preventing IP Spoofing

Configuring the Fragment Size

Blocking Unwanted Connections

Configuring Connection Limits and Timeouts

This section describes how to set maximum TCP and UDP connections, connection timeouts, and how to disable TCP sequence randomization.

Each TCP connection has two ISNs: one generated by the client and one generated by the server. The FWSM randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

If you use eBGP multi-hop through the FWSM and the eBGP peers are using MD5, randomization breaks the MD5 checksum.

You use a WAAS device that requires the FWSM not to randomize the sequence numbers of connections.


Note You can also configure maximum connections and TCP sequence randomization in the NAT configuration. If you configure these settings for the same traffic using both methods, then the FWSM uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the FWSM disables TCP sequence randomization.

NAT also lets you configure embryonic connection limits, which triggers TCP Intercept to prevent a DoS attack. To configure connection limits, TCP randomization, and embryonic limits, see "Configuring Connection Limits for Transparent Firewall Mode and Non-NAT Configurations" section and Chapter 12 "Configuring NAT."


To set connection limits and timeouts, perform the following steps:


Step 1 To identify the traffic, add a class map using the class-map command. See the "Identifying Traffic Using a Class Map" section for more information.

For example, you can match all traffic using the following commands:

hostname(config)# class-map CONNS
hostname(config-cmap)# match any

To match specific traffic, you can match an access list:

hostname(config)# access-list CONNS extended permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map CONNS
hostname(config-cmap)# match access-list CONNS

Note When you identify a match access-list command for the class map, then the set connection actions are performed separately for each ACE in the access list and not for the access list as a whole. For example, you match an access list with 2 ACEs such as the following, and apply a connection limit of 2 connections:

access-list testACL extended permit tcp host 10.2.1.1 any eq 21
access-list testACL extended permit tcp host 10.2.1.1 any eq 23

class-map testclass
   match access-list testACL

policy-map testpolicy
   class testclass
      set connection conn-max 2

The FWSM allows the creation of 2 connections for FTP sessions (ACE 1, port 21) and 2 connections for Telnet sessions (ACE 2, port 23), rather than 2 connections in total.


Step 2 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following commands:

hostname(config)# policy-map name
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

where the class_map_name is the class map from Step 1.

For example:

hostname(config)# policy-map CONNS
hostname(config-pmap)# class CONNS
hostname(config-pmap-c)#

Step 3 To set maximum connection limits or whether TCP sequence randomization is enabled, enter the following command:

hostname(config-pmap-c)# set connection {[conn-max n] [random-sequence-number {enable | disable}]}

where the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections that are allowed, between 0 and 65535. The default is 0, which allows unlimited connections.

The random-sequence-number {enable | disable} keyword enables or disables TCP sequence number randomization.

You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The FWSM combines the command into one line in the running configuration.

Step 4 To set connection timeouts, enter the following command:

hostname(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [half-closed hh:mm:ss] [tcp hh:mm:0]}

where the embryonic hh:mm:ss keyword sets the timeout period until a TCP embryonic (half-open) connection is closed, between 0:0:1 and 0:4:15. The default is 0:0:20. You can also set this value to 0, which means the connection never times out.

The half-closed hh:mm:ss keyword sets the idle timeout between 0:0:1 and 0:4:15. The default is 0:0:20. You can also set this value to 0, which means the connection never times out. The FWSM does not send a reset when taking down half-closed connections.

The tcp hh:mm:0 keyword sets the idle timeout between 0:5:0 and 1092:15:0. The default is 0:60:0. You can also set this value to 0, which means the connection never times out.


Note The tcp keyword ignores the value you set for seconds; you can only specify the hours and minutes. Therefore, you should set the seconds to be 0.


You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined onto one line in the running configuration.


Note This command does not affect secondary connections created by an inspection engine. For example, you cannot change the connection settings for secondary flows like SQL*Net, FTP data flows, and so on using the set connection timeout command. For these connections, use the global timeout conn command to change the idle time. Note that the timeout conn command affects all traffic flows unless you otherwise use the set connection timeout command for eligible traffic.


Step 5 To activate the policy map on one or more interfaces, enter the following command:

hostname(config)# service-policy policy_map_name {global | interface interface_name}

where policy_map_name is the policy map you configured in Step 2. To apply the policy map to traffic on all the interfaces, use the global keyword. To apply the policy map to traffic on a specific interface, use the interface interface_name option, where interface_name is the name assigned to the interface with the nameif command.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.


The following example sets the maximum TCP and UDP connections to 5000, and sets the maximum embryonic timeout to 40 seconds, the half-closed timeout to 20 minutes, and the TCP timeout to 2 hours for traffic going to 10.1.1.1:

hostname(config)# access-list CONNS permit ip any host 10.1.1.1

hostname(config)# class-map conns
hostname(config-cmap)# match access-list CONNS

hostname(config-cmap)# policy-map conns
hostname(config-pmap)# class conns
hostname(config-pmap-c)# set connection conn-max 5000
hostname(config-pmap-c)# set connection timeout embryonic 0:0:40 half-closed 0:20:0 tcp 2:0:0

hostname(config-pmap-c)# service-policy conns interface outside

You can enter set connection commands with multiple parameters or you can enter each parameter as a separate command. The FWSM combines the commands into one line in the running configuration. For example, if you entered the following two commands in class configuration mode:

hostname(config-pmap-c)# set connection timeout embryonic 0:0:40
hostname(config-pmap-c)# set connection timeout half-closed 0:20:0

the output of the show running-config policy-map command would display the result of the two commands in a single, combined command:

set connection timeout embryonic 0:0:40 half-closed 0:20:0

Preventing IP Spoofing

This section lets you enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

Normally, the FWSM only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the FWSM to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the FWSM, the FWSM routing table must include a route back to the source address. See RFC 2267 for more information.

For outside traffic, for example, the FWSM can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the FWSM uses the default route to correctly identify the outside interface as the source interface.

If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the FWSM drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the FWSM drops the packet because the matching route (the default route) indicates the outside interface.

Unicast RPF is implemented as follows:

ICMP packets have no session, so each packet is checked.

UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

To enable Unicast RPF, enter the following command:

hostname(config)# ip verify reverse-path interface interface_name

Configuring the Fragment Size

By default, the FWSM allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to allow fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the FWSM. Fragmented packets are often used in DoS attacks. To disallow fragments, enter the following command:

hostname(config)# fragment chain 1 [interface_name]

Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this command applies to all interfaces.

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun.


Note If you have an IPS that monitors traffic, then the IPS can shun connections automatically.


To shun a connection manually, perform the following steps:


Step 1 If necessary, view information about the connection by entering the following command:

hostname# show conn

The FWSM shows information about each connection, such as the following:

TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO

Step 2 To shun connections from the source IP address, enter the following command:

hostname(config)# shun src_ip [dst_ip src_port dest_port [protocol]] [vlan vlan_id]

This command drops the existing connection and blocks future connections. By default, the protocol is 0 for IP.

For multiple context mode, you can enter this command in the admin context, and by specifying a VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other contexts.

Step 3 To remove the shun, enter the following command:

hostname(config)# no shun src_ip [vlan vlan_id]
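As an added example (not code from the Cisco guide), the Python below parses show conn lines in the format quoted in Step 1, builds the matching shun command from the parsed fields, and models the shun table's effect on new connections until no shun removes the entry. It assumes the "out" address on the show conn line is the attacking source (so it becomes src_ip) and the "in" address is the destination; the IP protocol numbers 6 (TCP) and 17 (UDP) are standard values, not from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the show conn line format quoted in the text, e.g.
# "TCP out 64.101.68.161:4300 in 10.86.194.60:23 idle 0:00:00 bytes 1297 flags UIO"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})\s+bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?$"
)
PROTO_NUM = {"TCP": 6, "UDP": 17}  # IP protocol numbers for the shun command


@dataclass
class Conn:
    proto: str
    out_ip: str
    out_port: int
    in_ip: str
    in_port: int
    idle: str
    bytes: int
    flags: str


def parse_conn(line: str) -> Optional[Conn]:
    """Parse one show conn line; return None if it does not match the format."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Conn(g["proto"], g["out_ip"], int(g["out_port"]), g["in_ip"],
                int(g["in_port"]), g["idle"], int(g["bytes"]), g["flags"] or "")


def shun_command(c: Conn, vlan: Optional[int] = None) -> str:
    """Build 'shun src_ip dst_ip src_port dest_port protocol [vlan id]'.
    Assumption: the 'out' host is the attacking source, 'in' the destination."""
    cmd = f"shun {c.out_ip} {c.in_ip} {c.out_port} {c.in_port} {PROTO_NUM[c.proto]}"
    return cmd + (f" vlan {vlan}" if vlan is not None else "")


class ShunTable:
    """Shuns are keyed on source IP: no new connection from a shunned source
    is accepted until 'no shun src_ip' removes the entry."""
    def __init__(self):
        self.shunned = set()
    def shun(self, src_ip: str) -> None: self.shunned.add(src_ip)
    def no_shun(self, src_ip: str) -> None: self.shunned.discard(src_ip)
    def allows_new_conn(self, src_ip: str) -> bool: return src_ip not in self.shunned
```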