| All ASA/PIX Security Appliances include intrusion protection features, specifically IP Audit, which contains 51 signatures of well-known Internet attacks, and IPS. IPS and IP Audit are capable of looking into packets that come into the ASA/PIX Security Appliance, matching the contents of the packets to an attack signature, and then either reporting or stopping the attack. In addition to signature-based IP Audit protection, the ASA/PIX Security Appliance supports HTTP application inspection, user-definable protocol configurations, instant messaging and peer-to-peer protection, and customized application inspection. Table 9-1 describes the features supported by the ASA/SSM solution. Table 9-1. ASA/SSM IPS FeaturesASA/SSM IPS Feature | Feature Description |
|---|
Multiple packet-drop actions | The ASA SSM is capable of dropping a single packet, an entire TCP flow, or all traffic from a possible attacking source. | SNMP support | ASA SSM users can define alarms or events to be sent as traps to SNMP management servers. The SSM module also supports an SNMP MIB and will respond to SNMP polling, which allows the sensor to respond to and participate with SNMP-compliant network management products. | Traffic normalization | Traffic normalization is a new term for Inline mode, where the SSM enforces order upon the packets traversing the network. It removes ambiguous packets from the network. For example, if two packets are seen on the network with the same headers but different data (shouldn't happen), only one of these packets is allowed through to the end host. The other is dropped. This action prevents a hacker from injecting two packets into a stream trying to confuse an IPS device as to which packet the end host actually accepts. | VoIP Inspection Engine | Added signatures for the evaluation of H.323 and H.225 VoIP traffic. | Meta Event Generator | An on-box correlation technology that enables the user to define multiple alarms as one event, which helps to simplify alarms. | Risk rating | A set of parameters that customers can configure to define the criticality of an event as well as what actions the sensor will take based upon the event. |
Why Use IPS and IP Audit? Up to this point, you have applied all the security preprocessing you can on your traffic by deploying authentication and perimeter security. You are now seeing only valid traffic traversing your security appliance. With the security deployed at this point, your ASA/PIX Security Appliance is looking only into the first few headers of a packet. IPS and IP Audit look further into the data portion of a packet to determine whether an attack is in process. What Are the ASA/PIX IPS and IP Audit Signatures? The ASA/PIX has 51 signatures of well-known, easily identifiable network and host attacks; the ASA/SSM combination has more than 1500 signatures that provide a comprehensive suite of IPS protection. The IP Audit signatures built in to the ASA/PIX are the following: 1000 IP options-Bad Option List 1001 IP options-Record Packet Route 1002 IP options-Timestamp 1003 IP options-Provide s, c, h, tcc 1004 IP options-Loose Source Route 1005 IP options-SATNET ID 1006 IP options-Strict Source Route 1100 IP Fragment Attack 1102 Impossible IP Packet 1103 Teardrop 2000 ICMP Echo Reply 2001 ICMP Host Unreachable 2002 ICMP Source Quench 2003 ICMP Redirect 2004 ICMP Echo Request 2005 ICMP Time Exceeded for a Datagram 2006 ICMP Parameter Problem on Datagram 2007 ICMP Timestamp Request 2008 ICMP Timestamp Reply 2009 ICMP Information Request 2010 ICMP Information Reply 2011 ICMP Address Mask Request 2012 ICMP Address Mask Reply 2150 Fragmented ICMP Traffic 2151 Large ICMP Traffic 2154 Ping of Death Attack 3040 TCP - No Bits Set in Flags 3041 TCP - SYN and FIN Bits Set 3042 TCP - FIN Bit with No ACK Bit in Flags 3153 FTP Improper Address Specified 3154 FTP Improper Port Specified 4050 UDP Bomb 4051 Snork 4052 Chargen 6050 DNS Host Info 6051 DNS Zone Transfer 6052 DNS Zone Transfer High Port 6053 DNS All Records 6100 RPC Port Registration 6101 RPC Port Unregistration 6102 RPC Dump 6103 Proxied RPC Request 6150 ypserv Portmap Request 6151 ypbind Portmap Request 6152 yppasswdd Portmap Request 6153 ypupdated Portmap Request 6154 ypxfrd Portmap Request 6155 mountd Portmap Request 6175 rexd Portmap Request 6180 rexd Attempt 6190 statd Buffer Overflow
NOTE For a more in-depth description of these signatures, refer to http://www.cisco.com/go/pix and browse to Software Center and Documentation.
The important message that should be received from looking at this list of signatures is that the ASA/PIX is capable of stopping several of the popular attacks that plague the Internet today. If you add the ASA/SSM into the mix of protection, you increase the number of signatures to more than 1500, and you add a high level of confidence that false positives will not affect your production network. Any attacks that cannot be stopped with IPS or IP Audit on the security appliance will be stopped on the desktop with host intrusion prevention software (Cisco Security Agent). |
