Cisco ASDM User Guide
OL-16647-01
Chapter 27 Configuring Advanced Firewall Protection
Drop SYN Packets with data—Drops SYN packets with data.
Drop SYNACK Packets with data—Drops TCP SYNACK packets that contain data.
Drop packets with invalid ACK—Drops packets with an invalid ACK. You might see invalid ACKs in the following instances:
  In the TCP connection SYN-ACK-received state, if the ACK number of a received TCP packet is not exactly the same as the sequence number of the next TCP packet to be sent out, it is an invalid ACK.
  Whenever the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet to be sent out, it is an invalid ACK.
Note TCP packets with an invalid ACK are automatically allowed for WAAS connections.
Enable TTL Evasion Protection—Enables the TTL evasion protection offered by the security appliance. Do not enable this option if you want to prevent attacks that attempt to evade security policy.
For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL reaches zero, a router between the security appliance and the endpoint drops the packet. At this point the attacker can send a malicious packet with a long TTL that appears to the security appliance to be a retransmission and is passed. To the endpoint host, however, it is the first packet that has been received from the attacker. In this case, the attacker succeeds without the security appliance preventing the attack.
Verify TCP Checksum—Enables checksum verification.
f. To set TCP options, check any of the following options:
Clear Selective Ack—Lists whether the selective-ack TCP option is allowed or cleared.
Clear TCP Timestamp—Lists whether the TCP timestamp option is allowed or cleared.
Clear Window Scale—Lists whether the window scale option is allowed or cleared.
Range—Lists the valid TCP options ranges, which should fall within 6-7 and 9-255. The lower bound should be less than or equal to the upper bound.
g. Click OK.
Step 7 To set the time to live, check Decrement time to live for a connection.
Step 8 Click OK or Finish.
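The invalid-ACK rules and the SYN/SYNACK-with-data checks above, modelled as a small normalizer. This is an added illustration, not Cisco code; the ConnState and Segment types, the normalize function and the 32-bit wraparound comparison (the text only says "greater than") are assumptions made for the example.

```python
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence and ACK numbers are 32-bit and wrap around


def seq_after(a: int, b: int) -> bool:
    """True if a comes after b in 32-bit sequence space (handles wraparound;
    this modular comparison is an assumption, the page only says 'greater than')."""
    return a != b and ((a - b) % MOD) < (MOD // 2)


@dataclass
class ConnState:
    """Per-connection state the normalizer needs (hypothetical model)."""
    synack_received: bool  # SYN-ACK sent, final handshake ACK still awaited
    snd_nxt: int           # sequence number of the next packet to be sent out
    waas: bool = False     # WAAS-optimized connection: invalid ACKs are allowed


@dataclass
class Segment:
    """Fields of one received TCP segment relevant to these checks."""
    syn: bool
    ack_flag: bool
    ack: int
    payload_len: int


def normalize(conn: ConnState, seg: Segment, drop_syn_data: bool = True,
              drop_synack_data: bool = True, drop_invalid_ack: bool = True):
    """Return ('drop', reason) or ('allow', None) for one inbound segment."""
    if drop_syn_data and seg.syn and not seg.ack_flag and seg.payload_len > 0:
        return "drop", "SYN packet with data"
    if drop_synack_data and seg.syn and seg.ack_flag and seg.payload_len > 0:
        return "drop", "SYNACK packet with data"
    if drop_invalid_ack and seg.ack_flag and not conn.waas:
        # Instance 1: in SYN-ACK-received state the ACK must match exactly.
        if conn.synack_received and seg.ack != conn.snd_nxt:
            return "drop", "invalid ACK: does not match next sequence number"
        # Instance 2: an ACK ahead of anything sent so far is always invalid.
        if seq_after(seg.ack, conn.snd_nxt):
            return "drop", "invalid ACK: greater than next sequence number"
    return "allow", None
```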
Configuring IP Audit
The IP audit feature provides basic IPS functionality; for advanced IPS functionality on supported platforms, you can install an AIP SSM.
This feature lets you create a named audit policy that identifies the actions to take when a packet matches a predefined attack signature or informational signature. Signatures are activities that match known attack patterns. For example, there are signatures that match DoS attacks. You can configure the security appliance to drop the packet, generate an alarm, or reset the connection.