Monday, September 27, 2010

ASA – Network Attack Prevention


Threat Detection

  • Basic threat detection (low performance impact; enabled by default)
    Monitors dropped-packet rates and security events. When a rate threshold is exceeded, the appliance generates a syslog message with ID 733100. The security events and drop rates it monitors include:
    • Matches on deny statements in ACLs.
    • Malformed packets (for example, invalid IP header values or an incorrect header length).
    • Packets that fail application-layer inspection policies defined with the Modular Policy Framework (MPF), or that are dropped by the application inspection process itself (for example, an HTTP connection reset because a URL named in a policy was seen, or an SMTP/ESMTP connection on which a WIZ command was executed).
    • Exceeded connection limits, including the global system limits as well as limits you have defined with MPF or the static/nat commands.
    • Unusual ICMP packets or connections.
    • The combined rate of all the security-related packet drops in this list.
    • An overloaded interface dropping packets.
    • A scanning attack (for example, the first packet of a TCP connection was not a SYN; see the "Scanning Threat Detection" section later in the chapter).
    • An incomplete connection (for example, the TCP three-way handshake failed, or UDP traffic was seen in only one direction of a connection).
  • Scanning threat detection (high performance impact)
    • Disabled by default.
    • Detects hosts scanning many ports or hosts, and can optionally shun the attacker automatically.
    • A shun can also be applied manually and unconditionally with the shun command. A shun takes precedence over every other policy control (ACLs, inspection, even the connection table: existing connections from the shunned host are torn down).
  • Threat detection statistics (high performance impact)
    • Disabled by default, except for access-list statistics.
    • Collects per-host, per-port, per-protocol and per-ACL counters that you view with show threat-detection statistics; host statistics are the expensive ones on a busy appliance.
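A configuration putting the three threat-detection modes and a manual shun together, added here as an illustration rather than taken from the original notes or the book. The interface names and addresses (10.1.1.0/24 as a management subnet, 192.0.2.45 as an attacker) are assumed; the rate values are examples, not Cisco defaults.

```cisco
! Basic threat detection is on by default; this only re-tunes the ACL-drop rate.
! Syntax: threat-detection rate <event> rate-interval <sec> average-rate <n/sec> burst-rate <n/sec>
threat-detection basic-threat
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800

! Scanning threat detection (off by default): enable it, shun attackers
! automatically for one hour, but never shun the (assumed) management subnet.
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection rate scanning-threat rate-interval 600 average-rate 10 burst-rate 20

! Threat statistics: per-ACL (default) plus per-host counters.
threat-detection statistics access-list
threat-detection statistics host

! Manual, unconditional shun of a single attacker (assumed address). It bypasses
! ACLs and inspection and tears down the host's existing connections.
shun 192.0.2.45

! Verification
show threat-detection rate
show threat-detection scanning-threat attacker
show threat-detection shun
show threat-detection statistics top access-list
show shun

! Release the manual shun when the incident is closed
no shun 192.0.2.45
```

Automatic shuns expire after the configured duration; a manual shun entered at the exec prompt is not saved in the running configuration and is lost on reload, so record it elsewhere during an incident.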

IP Audit

  • Software-based IPS built into the appliance.
  • Signatures fall into two classes, informational and attack; each class gets its own policy (ip audit name) with an action of alarm, drop and/or reset, bound to an interface.
  • 50+ signatures to detect attacks; individual signatures can be disabled if they are noisy.
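An IP audit configuration as an added example (not from the original notes): one policy per signature class bound to the outside interface, with one signature disabled. The policy names are assumed; signature 2000 (ICMP Echo Reply) is a real, informational-class signature.

```cisco
! Informational signatures: log only
ip audit name OUTSIDE-INFO info action alarm
! Attack signatures: log, drop the packet and reset the TCP connection
ip audit name OUTSIDE-ATTACK attack action alarm drop reset

! Bind both policies to the outside interface
ip audit interface outside OUTSIDE-INFO
ip audit interface outside OUTSIDE-ATTACK

! Silence a noisy informational signature (2000 = ICMP Echo Reply)
ip audit signature 2000 disable

! Verification: per-signature match counters, globally and per interface
show ip audit count global
show ip audit count interface outside
show running-config | include ip audit
```

Start with alarm only on the attack class and review the counters before enabling drop/reset, since the signature set is small and several signatures match legitimate traffic.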

TCP Normalization

  • Drops, or cleans up, TCP segments with abnormal or unusual header values (reserved bits, bad options, data on a SYN, segments past the window, and so on).
  • Implemented as an extension of MPF.
  • Create a TCP map (tcp-map) to define what counts as abnormal, then apply it to a traffic class with set connection advanced-options.
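A worked TCP normalization policy, added here as an example (not from the original notes or the book). The map, class and policy names are assumed; the settings are deliberately stricter than the defaults so the effect is visible.

```cisco
! 1. Define what is abnormal and what to do about it
tcp-map TCP-NORMALIZE
  reserved-bits clear
  urgent-flag clear
  exceed-mss drop
  syn-data drop
  tcp-options range 6 7 clear
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow
  ttl-evasion-protection
  check-retransmission
  checksum-verification
  invalid-ack drop
  seq-past-window drop
  window-variation drop
  queue-limit 10

! 2. Apply it with MPF: class the traffic, attach the map as an advanced connection option
class-map TCP-FROM-OUTSIDE
  match any
policy-map OUTSIDE-POLICY
  class TCP-FROM-OUTSIDE
    set connection advanced-options TCP-NORMALIZE
service-policy OUTSIDE-POLICY interface outside

! 3. Verify the map is attached and watch the counters
show service-policy interface outside set connection detail
```

Note: `clear` rewrites the offending field and forwards the segment, `drop` discards it; `check-retransmission` and `queue-limit` make the appliance buffer out-of-order segments so inspection sees the same stream the endpoint does, which costs memory on a busy interface.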

RPF - Reverse Path Forwarding

  • RFC 2267 (since obsoleted by RFC 2827, BCP 38).
  • Prevents IP spoofing attacks (unicast RPF).
  • Compares the source address of an incoming packet with the routing table to verify that the packet arrived on the interface the appliance would use to reach that source.
  • Drops the packet if the source network is not reachable through the interface it arrived on. Only the first packet of a TCP or UDP session is checked; every ICMP packet is checked.
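An added example (not from the original notes) of enabling the reverse-path check on both interfaces, with the static routes it consults. The addresses and interface names are assumed.

```cisco
! Routes the check consults: 10.0.0.0/8 lives behind inside, everything else via outside
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Enable uRPF per interface. A packet arriving on inside with a source outside
! 10.0.0.0/8 is dropped; a packet arriving on outside with a 10.x source is dropped.
ip verify reverse-path interface inside
ip verify reverse-path interface outside

! Drop counters for the check, per interface
show ip verify statistics
clear ip verify statistics
```

Caveat: the check is only as good as the routing table. With asymmetric routing (a source reachable through a different interface than the one its traffic arrives on) legitimate traffic is dropped, so confirm the routes before enabling it on a transit interface.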

Fragmentation Limits

  • Use the fragment command, per interface, to control how many fragments may make up one packet (chain), how many fragments the reassembly database holds (size), and how long partial packets are kept before being discarded (timeout).
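An added example (not from the original notes) of tightening the fragment limits on one interface and refusing fragments entirely on another. The interface names are assumed; the default values per interface are chain 24, size 200 and timeout 5 seconds.

```cisco
! outside: at most 4 fragments per packet, 100 fragments buffered, 3-second reassembly timeout
fragment chain 4 outside
fragment size 100 outside
fragment timeout 3 outside

! dmz: chain of 1 means only unfragmented packets are accepted on this interface
fragment chain 1 dmz

! Current limits and counters (fragments received, reassembled, dropped)
show fragment outside
show fragment dmz
```

Lowering chain and timeout limits the memory an attacker can tie up with incomplete fragment sets; before setting chain to 1, check the counters for legitimate fragmented traffic such as large UDP datagrams (NFS, IPsec) that would be dropped.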

http://www.amazon.com/Cisco-Configuration-Networking-Professionals-Library/dp/0071622691/ref=sr_1_2?ie=UTF8&s=books&qid=1285924140&sr=8-2-spell
