Packet Inspection

With Cisco IOS classic firewall, you specify which protocols you want to be inspected, and you specify an interface and interface direction (in or out) where inspection originates. Only specified protocols will be inspected by Cisco IOS classic firewall.

Packets entering the firewall are inspected by Cisco IOS classic firewall only if they first pass the inbound ACL at the input interface or the outbound ACL at the output interface, or both. If a packet is denied by the ACL, the packet is simply dropped and not inspected by Cisco IOS classic firewall.

Cisco IOS classic firewall inspection tracks sequence numbers in all TCP packets, and drops those packets with sequence numbers that are not within expected ranges.

Cisco IOS classic firewall inspection recognizes application-specific commands (such as illegal SMTP commands) in the control channel, and detects and prevents certain application-level attacks.

© 2007 Cisco Systems, Inc. Adaptive Threat Defense 5-23

When Cisco IOS classic firewall suspects an attack, the DoS feature can take several actions:

■ Generate alert messages

■ Protect system resources whose exhaustion could impede performance

■ Block packets from suspected attackers

Cisco IOS classic firewall uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. Setting timeout values for network sessions helps prevent DoS attacks by freeing system resources, dropping sessions after a specified amount of time. Setting threshold values for network sessions helps prevent DoS attacks by controlling the number of half-opened sessions, which limits the amount of system resources applied to half-opened sessions. When a session is dropped, Cisco IOS classic firewall sends a reset message to the devices at both endpoints (source and destination) of the session. When the system under DoS attack receives a reset command, it releases, or frees, processes and resources related to that incomplete session.

Cisco IOS classic firewall provides three thresholds against DoS attacks:

■ The total number of half-opened TCP or UDP sessions

■ The number of half-opened sessions based on time

■ The number of half-opened TCP-only sessions per host

If a threshold is exceeded, Cisco IOS classic firewall has two options:

■ It can send a reset message to the endpoints of the oldest half-opened session, making resources available to service newly arriving synchronization (SYN) packets.

■ In the case of half-opened TCP-only sessions, Cisco IOS classic firewall blocks all SYN packets temporarily for the duration configured by the threshold value. When the router blocks a SYN packet, the TCP three-way handshake is never initiated, which prevents the router from using memory and processing resources needed for valid connections.

DoS detection and prevention requires that you create a Cisco IOS classic firewall inspection rule and apply that rule on an interface. The inspection rule must include the protocols that you want to monitor against DoS attacks. For example, if you have TCP inspection enabled on the inspection rule, Cisco IOS classic firewall can track all TCP connections to watch for DoS attacks. If the inspection rule includes FTP protocol inspection but not TCP inspection, Cisco IOS classic firewall tracks only FTP connections for DoS attacks.
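A classic firewall configuration that ties the elements above together (inspection rule, timeouts, the three half-open thresholds, ACL and interface placement), added here as an illustration and not taken from the course; the rule name FW_INSPECT, the ACL name OUTSIDE_IN, the interface names and all numeric values are assumptions.

```cisco
! Added example, not part of the SNRS course text. FW_INSPECT, OUTSIDE_IN,
! the interface names and every numeric value are assumptions.
!
! 1. Inspection rule: only listed protocols are inspected. Listing tcp
!    (not just ftp) lets the firewall track every TCP connection for
!    half-open sessions; ftp and smtp add control-channel command checks.
ip inspect name FW_INSPECT tcp
ip inspect name FW_INSPECT udp
ip inspect name FW_INSPECT ftp
ip inspect name FW_INSPECT smtp
!
! 2. Timeouts: sessions that never complete, or go idle, are dropped and
!    both endpoints are sent a reset, freeing router resources.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! 3. Threshold 1: total half-open TCP/UDP sessions. Above "high" the
!    firewall resets the oldest half-open sessions until below "low".
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
!
! 4. Threshold 2: new half-open sessions per minute (rate based).
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! 5. Threshold 3: half-open TCP sessions per destination host. When
!    exceeded, further SYNs to that host are blocked for block-time minutes
!    (block-time 0 would instead reset the oldest half-open session only).
ip inspect tcp max-incomplete host 50 block-time 2
!
! 6. ACL: a packet denied here is dropped before inspection. Return
!    traffic for inspected sessions passes through temporary openings
!    the firewall adds ahead of this ACL.
ip access-list extended OUTSIDE_IN
 permit icmp any any echo-reply
 deny   ip any any log
!
! 7. Apply: inspection originates inbound on the inside interface;
!    the restrictive ACL sits inbound on the outside interface.
interface FastEthernet0/0
 description Inside
 ip inspect FW_INSPECT in
!
interface FastEthernet0/1
 description Outside
 ip access-group OUTSIDE_IN in
```

Check the applied rule and thresholds with `show ip inspect config`, and watch half-open counts with `show ip inspect sessions`.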

Securing Networks with Cisco Routers and Switches (SNRS) v2.0

5-24
