Cisco Systems OL-16647-01 Network Router User Manual
Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Configuring Connection Settings
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
Step 6 To configure TCP normalization, check Use TCP Map.
Choose an existing TCP map from the drop-down list (if available), or add a new one by clicking New. The Add TCP Map dialog box appears.
a. In the TCP Map Name field, enter a name.
b. In the Queue Limit field, enter the maximum number of out-of-order packets, between 0 and 250 packets.
The Queue Limit sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection. The default is 0, which means this setting is disabled and the default system queue limit is used depending on the type of traffic:
Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3 packets. If the security appliance receives a TCP packet with a different window size, then the queue limit is dynamically changed to match the advertised setting.
For other TCP connections, out-of-order packets are passed through untouched.
If you set the Queue Limit to be 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission traffic, any advertised settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.
c. In the Timeout field, set the maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds.
If they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set the limit to be 1 or above for the Timeout to take effect.
d. In the Reserved Bits area, click Clear and allow, Allow only, or Drop.
Allow only allows packets with the reserved bits set in the TCP header.
Clear and allow clears the reserved bits in the TCP header and allows the packet.
Drop drops packets with the reserved bits set in the TCP header.
e. Check any of the following options:
Clear urgent flag—Clears the URG flag through the security appliance. The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag, therefore end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks.
Drop connection on window variation—Drops a connection that has changed its window size unexpectedly. The window size mechanism allows TCP to advertise a large window and to subsequently advertise a much smaller window without having accepted too much data. From the TCP specification, “shrinking the window” is strongly discouraged. When this condition is detected, the connection can be dropped.
Drop packets that exceed maximum segment size—Drops packets that exceed the MSS set by the peer.
Check if transmitted data is the same as original—Enables the retransmit data checks.
Drop packets which have past-window sequence—Drops packets that have past-window sequence numbers, namely the sequence number of a received TCP packet is greater than the right edge of the TCP receiving window. If you do not check this option, then the Queue Limit must be set to 0 (disabled).
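To make the behaviour of these TCP map settings concrete, the following Python model walks a constructed stream of segments through the checks described in Step 6: the out-of-order queue limit and its timeout, reserved-bits handling, URG clearing, the MSS check, the retransmission data check, the past-window sequence check, and the window-shrink detection on the receiver's ACKs. This is an added illustration written for this page, not Cisco code or the security appliance's actual implementation; the class names (TcpMap, Segment, Normalizer), the simplified single-direction model, and the sample sequence numbers are all assumptions made for the example.

```python
"""Toy model of the TCP normalizer options from the ASDM Add TCP Map dialog.
Illustrative only (not Cisco code): one data direction is modelled, and the
receiver's advertised window is fed in separately via receiver_ack()."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TcpMap:
    queue_limit: int = 0             # 0 = disabled: out-of-order packets pass through untouched
    timeout: float = 4.0             # seconds an out-of-order packet may wait in the buffer
    reserved_bits: str = "allow"     # "allow" | "clear" | "drop"
    clear_urgent: bool = False       # clear the URG flag
    drop_on_window_variation: bool = False
    drop_exceed_mss: bool = False
    check_retransmission: bool = False
    drop_past_window: bool = False

    def __post_init__(self) -> None:
        # The dialog requires Queue Limit = 0 unless past-window packets are dropped.
        if self.queue_limit > 0 and not self.drop_past_window:
            raise ValueError("queue_limit must be 0 unless drop_past_window is set")


@dataclass
class Segment:
    seq: int
    payload: bytes
    flags: set = field(default_factory=set)
    reserved: int = 0                # value of the reserved bits in the TCP header


@dataclass
class Normalizer:
    tmap: TcpMap
    rcv_next: int                    # next in-order sequence number expected from the sender
    right_edge: int                  # right edge of the receiver's advertised window
    peer_mss: int = 1460
    queue: Dict[int, Tuple[Segment, float]] = field(default_factory=dict)  # seq -> (seg, arrival)
    seen: Dict[int, bytes] = field(default_factory=dict)  # accepted payloads, for retransmit check
    dropped_by_timeout: int = 0

    def receiver_ack(self, ack: int, window: int) -> str:
        """Update the window right edge from the receiver's ACK; detect shrinking."""
        new_edge = ack + window
        if new_edge < self.right_edge and self.tmap.drop_on_window_variation:
            return "drop-connection"
        self.right_edge = new_edge
        return "ok"

    def process(self, seg: Segment, now: float) -> Tuple[str, List[int]]:
        """Return (action for this segment, seqs released from the buffer in order)."""
        self.dropped_by_timeout += self._expire(now)
        if seg.reserved:
            if self.tmap.reserved_bits == "drop":
                return "drop", []
            if self.tmap.reserved_bits == "clear":
                seg.reserved = 0
        if self.tmap.clear_urgent:
            seg.flags.discard("URG")
        if self.tmap.drop_exceed_mss and len(seg.payload) > self.peer_mss:
            return "drop", []
        if seg.seq + len(seg.payload) > self.right_edge and self.tmap.drop_past_window:
            return "drop", []                       # past-window sequence number
        if seg.seq < self.rcv_next:                 # retransmission of data already seen
            original = self.seen.get(seg.seq)
            if self.tmap.check_retransmission and original not in (None, seg.payload):
                return "drop", []                   # retransmitted data differs from original
            return "forward", []
        if seg.seq == self.rcv_next:                # in order: accept and drain the buffer
            return "forward", self._accept(seg)
        if self.tmap.queue_limit == 0:              # disabled: pass through untouched
            return "forward", []
        if len(self.queue) >= self.tmap.queue_limit:
            return "drop", []                       # buffer full
        self.queue[seg.seq] = (seg, now)
        return "buffer", []

    def _accept(self, seg: Segment) -> List[int]:
        self.seen[seg.seq] = seg.payload
        self.rcv_next = seg.seq + len(seg.payload)
        released = []
        while self.rcv_next in self.queue:          # put buffered segments back in order
            nxt, _ = self.queue.pop(self.rcv_next)
            self.seen[nxt.seq] = nxt.payload
            self.rcv_next += len(nxt.payload)
            released.append(nxt.seq)
        return released

    def _expire(self, now: float) -> int:
        stale = [s for s, (_, t) in self.queue.items() if now - t > self.tmap.timeout]
        for s in stale:
            del self.queue[s]
        return len(stale)


def demo() -> List[Tuple[str, List[int]]]:
    """Constructed scenario exercising each option; returns the per-segment results."""
    tmap = TcpMap(queue_limit=2, timeout=4.0, reserved_bits="clear", clear_urgent=True,
                  drop_on_window_variation=True, drop_exceed_mss=True,
                  check_retransmission=True, drop_past_window=True)
    n = Normalizer(tmap, rcv_next=1000, right_edge=1000 + 8192, peer_mss=100)
    stream = [  # (seq, payload, reserved, arrival time), constructed sample data
        (1000, b"A" * 10, 0, 0.0), (1020, b"C" * 10, 0, 0.5), (1030, b"D" * 10, 0, 1.0),
        (1040, b"E" * 10, 0, 1.5), (1010, b"B" * 10, 0, 2.0), (1040, b"E" * 10, 3, 2.5),
        (1050, b"X" * 200, 0, 3.0), (1000, b"Z" * 10, 0, 3.5), (1000, b"A" * 10, 0, 4.0),
        (1100, b"F" * 10, 0, 4.5), (1200, b"G" * 10, 0, 9.0), (10000, b"H" * 10, 0, 9.5),
    ]
    results = [n.process(Segment(seq, data, reserved=r), t) for seq, data, r, t in stream]
    results.append((n.receiver_ack(1050, 4096), []))  # receiver shrinks its window
    return results


if __name__ == "__main__":
    for action, released in demo():
        print(action, released)
```

Reading the scenario: the two segments that arrive ahead of 1010 are buffered and then released together once 1010 fills the gap; a third out-of-order segment is dropped because the queue limit of 2 is full; the 200-byte segment exceeds the configured peer MSS; the retransmission of 1000 with different data is dropped while the identical one is forwarded; the segment buffered at 4.5 s is dropped by the 4-second timeout when the next packet arrives; the segment beyond the right edge is dropped as past-window; and the receiver's smaller window triggers the drop-connection action.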