- Basic threat detection (performance impact low)
monitor dropped packet rates and security events. If it sees a threat, the appliance generates a log message with a log identifier number of 730100. The kinds of security events or dropped packet rates that the appliance monitors include:
- Matches on deny statements in ACLs.
- Malformed packets (for example, invalid IP header values or an incorrect header length).
- Packets that fail application layer inspection policies defined by the Modular Policy Framework (MPF) or that inherit in the application inspection process itself. (For example, if a specified URL in a policy was seen, causing an HTTP connection to be reset, or if a wiz command was executed on an SMTP/ESMTP connection respectively.)
- Defined connection limits that have been exceeded, which includes global system values as well as limits you’ve defined with MPF or the static/nat commands.
- Seeing unusual ICMP packets or connections.
- Examining the combined rate of all security-related packet drops in this bulleted list.
- An interface became overloaded, causing packet drops.
- A scanning attack was detected. (For example, the TCP three-way handshake failed, or the first packet in a TCP connection was not a SYN—this is discussed in the “Scanning Threat Detection” section later in the chapter.)
- An incomplete connection was detected. (For example, the TCP three-way handshake failed, or UDP traffic is only seen in one direction of a connection.)
- Scanning threat detection (performance impact high)
- disabled by default
- detect scan attacks and optionally shun the attacker.
- shunning can also be made manually & unconditionally which take precedence over any policy control (acl , inspection, even conn table checking)
- Threat detection statistic (performance impact high)
-disabled by default
-monitor the appliance threat statistics
- Software based IPS
- Information and Attack
- 50+ signatures to detect attacks.
- Prevent abnormal or unusual TCP packets.
- Extension of MPF.
- Create TCP map to define abnormal criteria.
RPF - Reverse Path Forwarding
- RFC 2267
- Prevent IP spoofing attacks
- Compare the src in packet with routing table to verifiy where it is coming from.
- Drop if packet is coming from a network that is not associated with the source interface.
- Use fragment to control how many fragments make up a packet.