Free Essay

Cisco Case Study

In:

Submitted By saj200000
Words 5299
Pages 22
ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 1 of 11

ASA/PIX 7.x and Later: Mitigating the Network Attacks
Document ID: 100830
Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Protecting Against SYN Attacks
TCP SYN Attack
Mitigation
Protecting Against IP Spoofing Attacks
IP Spoofing
Mitigation
Spoofing Identification Using Syslog Messages
Basic Threat Detection Feature in ASA 8.x
Syslog Message 733100
Cisco Support Community - Featured Conversations
Related Information

Introduction
This document describes how to mitigate the various network attacks, such as Denial-of-Services (DoS), using Cisco
Security Appliance (ASA/PIX).

Prerequisites
Requirements
There are no specific requirements for this document.

Components Used
The information in this document is based on the Cisco 5500 Series Adaptive Security Appliance (ASA) that runs software version 7.0 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Related Products
This document can also be used with Cisco 500 Series PIX that runs software version 7.0 and later.

Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.

Protecting Against SYN Attacks
How do you mitigate the Transmission Control Protocol (TCP) synchronize/start (SYN) attacks on the ASA/PIX?

TCP SYN Attack
TCP SYN attack is a type of DoS attack in which a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users.
When a normal TCP connection starts, a destination host receives a SYN packet from a source host and sends back a synchronize acknowledge (SYN ACK). The destination host must then hear an ACK of the SYN ACK before the connection is established. This is referred to as the TCP three-way handshake.
While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly because the ACK is expected to arrive a few milliseconds after the SYN ACK.
The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Because the SYN ACK is destined for an incorrect or non-existent host, the last part of the "three-way handshake" is never completed and the entry remains in the connection queue until a timer expires, typically for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as email, file transfer, or WWW) to legitimate users.
There is no easy way to trace the originator of the attack because the IP address of the source is forged.
The external manifestations of the problem include inability to get e-mail, inability to accept connections to WWW or
FTP services, or a large number of TCP connections on your host in the state SYN_RCVD.

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 2 of 11

Refer to Defenses Against TCP SYN Flooding Attacks for more information on TCP SYN attacks.

Mitigation
This section describes how to mitigate the SYN attacks by setting the maximum TCP and User Datagram Protocol
(UDP) connections, maximum embryonic connections, connection timeouts, and how to disable TCP sequence randomization. If the embryonic connection limit is reached, then the security appliance responds to every SYN packet sent to the server with a SYN+ACK, and does not pass the SYN packet to the internal server. If the external device responds with an ACK packet, then the security appliance knows it is a valid request (and not part of a potential SYN attack).
The security appliance then establishes a connection with the server and joins the connections together. If the security appliance does not get an ACK back from the server, it aggressively times out that embryonic connection.
Each TCP connection has two Initial Sequence Number (ISNs): one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:


If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.



If you use external BGP (eBGP) multi-hop through the security appliance, and the eBGP peers are using
MD5, randomization breaks the MD5 checksum.



You use a Wide Area Application Services (WAAS) device that requires the security appliance not to randomize the sequence numbers of connections.

Note: You can also configure maximum connections, maximum embryonic connections, and TCP sequence randomization in the NAT configuration. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 3 of 11

Complete these steps in order to set connection limits:
1. In order to identify the traffic, add a class map using the class-map command according to Using Modular
Policy Framework.
2. In order to add or edit a policy map that sets the actions to take with the class map traffic, enter this command: hostname(config)#policy-map name
3. In order to identify the class map (from step 1) to which you want to assign an action, enter this command:

hostname(config-pmap)#class class_map_name
4. In order to set the maximum connections (both TCP and UDP), maximum embryonic connections, per-clientembryonic-max, per-client-max or whether to disable TCP sequence randomization, enter this command:

hostname(config-pmap-c)#set connection {[conn-max number]
[embryonic-conn-max number] [per-client-embryonic-max number]
[per-client-max number][random-sequence-number {enable | disable}} Where number is an integer between 0 and 65535. The default is 0, which means no limit on connections.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined on one line in the running configuration.
5. In order to set the timeout for connections, embryonic connections (half-opened) and half-closed connections, enter this command:

hostname(config-pmap-c)#set connection {[embryonic hh[:mm[:ss]]]
[half-closed hh[:mm[:ss]]] [tcp hh[:mm[:ss]]]}
Where embryonic hh[:mm[:ss] is a time between 0:0:5 and 1192:59:59. The default is 0:0:30. You can also set this value to 0, which means the connection never times out.
The half-closed hh[:mm[:ss] and tcp hh[:mm[:ss] values are a time between 0:5:0 and 1192:59:59. The default for half-closed is 0:10:0 and the default for tcp is 1:0:0. You can also set these values to 0, which means the connection never times out.
You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined on one line in the running configuration.


Embryonic (Half-opened) connection—An embryonic connection is a TCP connection request that has not finished the necessary handshake between source and destination.



Half-closed connection—Half closed connection is when the connection is only closed in one direction by sending FIN. However, TCP session is still maintained by peer.



Per-client-embryonic-max—The maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections.



Per-client-max—The maximum number of simultaneous connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections.

6. In order to activate the policy map on one or more interfaces, enter this command:

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 4 of 11

hostname(config)#service-policy policymap_name {global | interface interface_name} Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
Example:

ciscoasa(config)#class-map tcp_syn ciscoasa(config-cmap)#match port tcp eq 80 ciscoasa(config-cmap)#exit ciscoasa(config)#policy-map tcpmap ciscoasa(config-pmap)#class tcp_syn ciscoasa(config-pmap-c)#set connection conn-max 100 ciscoasa(config-pmap-c)#set connection embryonic-conn-max 200 ciscoasa(config-pmap-c)#set connection per-client-embryonic-max 10 ciscoasa(config-pmap-c)#set connection per-client-max 5 ciscoasa(config-pmap-c)#set connection random-sequence-number enable ciscoasa(config-pmap-c)#set connection timeout embryonic 0:0:45 ciscoasa(config-pmap-c)#set connection timeout half-closed 0:25:0 ciscoasa(config-pmap-c)#set connection timeout tcp 2:0:0 ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#exit ciscoasa(config)#service-policy tcpmap global
Note: In order to verify the total number of half-open sessions for any particular host, use this command:

ASA-5510-8x# show local-host all
Interface
Interface
Interface
Interface

dmz: 0 active, 0 maximum active, 0 denied management: 0 active, 0 maximum active, 0 denied xx: 0 active, 0 maximum active, 0 denied inside: 7 active, 18 maximum active, 0 denied

local host: ,
TCP flow count/limit = 2/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Note: The line, TCP embryonic count to host, displays the number of half-open sessions.

Protecting Against IP Spoofing Attacks
Can the PIX/ASA block IP spoof attacks?

IP Spoofing
In order to gain access, intruders create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system. Examples are the rsh and rlogin services.
It is possible to route packets through filtering-router firewalls if they are not configured to filter incoming packets whose source address is in the local domain. It is important to note that the described attack is possible even if no reply packets can reach the attacker.
Examples of configurations that are potentially vulnerable include:


Proxy firewalls where the proxy applications use the source IP address for authentication



Routers to external networks that support multiple internal interfaces



Routers with two interfaces that support subnetting on the internal network

Mitigation
Unicast Reverse Path Forwarding (uRPF) guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table.

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 5 of 11

Normally, the security appliance only looks at the destination address when determining where to forward the packet.
Unicast RPF instructs the security appliance to also look at the source address. This is why it is called Reverse Path
Forwarding. For any traffic that you want to allow through the security appliance, the security appliance routing table must include a route back to the source address. See RFC 2267

for more information.

Note: The :- %PIX-1-106021: Deny protocol reverse path check from src_addr to dest_addr on interface int_name log message can be seen when the reverse path check is enabled. Disable the reverse path check with the no ip verify reverse-path interface (interface name) command in order to resolve this issue:

no ip verify reverse-path interface (interface name)
For outside traffic, for example, the security appliance can use the default route to satisfy the Unicast RPF protection.
If traffic enters from an outside interface, and the source address is not known to the routing table, the security appliance uses the default route to correctly identify the outside interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the security appliance drops the packet because the matching route (the default route) indicates the outside interface.
Unicast RPF is implemented as shown:


ICMP packets have no session, so each packet is checked.



UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

In order to enable Unicast RPF, enter this command:

hostname(config)#ip verify reverse-path interface interface_name

Example:
As shown this figure, the Attacker PC originates a request to the application server 10.1.1.10 by sending a packet with a forged source IP address 10.1.1.5/24, and the server sends a packet to the real IP address 10.1.1.5/24 in response to the request. This type of illegal packet will attack both the application server and legitimate user in the inside network.

Unicast RPF can prevent attacks based on source address spoofing. You need to configure the uRPF in the outside interface of the ASA as shown here:

ciscoasa(config)#ip verify reverse-path interface outside

Spoofing Identification Using Syslog Messages

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 6 of 11

The security appliance keeps receiving syslog error messages as shown. This indicates potential attacks using spoofed packets or that might trigger due to asymmetric routing.

%PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

1.

Explanation
This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by the security policy that is defined for the specified traffic type. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a
TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.
The tcp_flags are as follows:


ACK—The acknowledgment number was received.



FIN—Data was sent.



PSH—The receiver passed data to the application.



RST—The connection was reset.



SYN—Sequence numbers were synchronized to start a connection.



URG—The urgent pointer was declared valid.

There are many reasons for static translation to fail on the PIX/ASA. But, a common reason is if the demilitarized zone (DMZ) interface is configured with the same security level (0) as the outside interface.
In order to resolve this issue, assign a different security level to all interfaces
Refer to Configuring Interface Parameters for more information.
This error message also appears if an external device sends an IDENT packet to the internal client, which is dropped by the PIX Firewall. Refer to PIX Performance Issues Caused by IDENT Protocol for more information %PIX|ASA-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}

2.

Explanation
This is a connection-related message. This message is displayed if the specified connection fails because of an outbound deny command. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action: Use the show outbound command to check outbound lists.

%PIX|ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

3.

Explanation
The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

%PIX|ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

4.

Explanation
This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:


Loopback network (127.0.0.0)



Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)



The destination host (land.c)

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.
Recommended Action: Determine if an external user is trying to compromise the protected network. Check

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 7 of 11

for misconfigured clients.
5.

%PIX|ASA-2-106017: Deny IP due to Land Attack from IP_address to
IP_address
Explanation
The security appliance received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action: If this message persists, an attack might be in progress. The packet does not provide enough information to determine where the attack originates.

6.

%PIX|ASA-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
Explanation
An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection. Unicast
RPF, also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your security appliance.
This message appears when you have enabled Unicast RPF with the ip verify reverse-path command. This feature works on packets input to an interface. If it is configured on the outside, then the security appliance checks packets arriving from the outside.
The security appliance looks up a route based on the source address. If an entry is not found and a route is not defined, then this system log message appears and the connection is dropped.
If there is a route, the security appliance checks which interface it corresponds. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The security appliance does not support asymmetric routing.
If the security appliance is configured on an internal interface, it checks static route command statements or
RIP. If the source address is not found, then an internal user is spoofing their address.
Recommended Action: Even though an attack is in progress, if this feature is enabled, no user action is required. The security appliance repels the attack.
Note: The show asp drop command shows the packets or connections dropped by the accelerated security path (asp), which might help you troubleshoot a problem. It also indicates when the last time the asp drop counters were cleared. Use the show asp drop rpf-violated command in which the counter is incremented when ip verify reverse-path is configured on an interface and the security appliance receives a packet for which the route lookup of the source IP did not yield the same interface as the one on which the packet was received. ciscoasa#show asp drop frame rpf-violated
Reverse-path verify failed

2

Note: Recommendation: Trace the source of traffic based on the source IP printed in this next system message, and investigate why it is sending spoofed traffic.
Note: System log messages: 106021
7.

%PIX|ASA-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
Explanation
A packet matching a connection arrives on a different interface from the interface where the connection began. For example, if a user starts a connection on the inside interface, but the security appliance detects the same connection arriving on a perimeter interface, the security appliance has more than one path to a destination.
This is known as asymmetric routing and is not supported on the security appliance.
An attacker also might attempt to append packets from one connection to another as a way to break into the security appliance. In either case, the security appliance displays this message and drops the connection.
Recommendation Action: This message appears when the ip verify reverse-path command is not configured. Check that the routing is not asymmetric.

8.

%PIX|ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
Explanation

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 8 of 11

An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL.
Recommendation Action: If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.

%PIX|ASA-3-210011: Connection limit exceeded cnt/limit for dir packet from sip/sport to dip/dport on interface if_name.

9.

%ASA-4-419002: Received duplicate TCP SYN from in_interface:src_address/src_port to out_interface:dest_address/dest_port with different initial sequence number.

10.

Explanation
This system log message indicates that establishing a new connection through the firewall device will result in exceeding at least one of the configured maximum connection limits. The system log message applies both for connection limits configured using a static command, or to those configured using Cisco Modular Policy
Framework. The new connection will not be allowed through the firewall device until one of the existing connections are torn down, thereby bringing the current connection count below the configured maximum.


cnt—Current connection count



limit—Configured connection limit



dir—Direction of traffic, inbound or outbound



sip—Source IP address



sport—Source Port



dip—Destination IP address



dport—Destination Port



if_name—Name of the interface on which the traffic unit is received, either Primary or Secondary.

Recommendation Action: Because connection limits are configured for a good reason, this system log message could indicate a possible DoS attack, in which case the source of the traffic could likely be a spoofed
IP address. If the source IP address is not totally random, identifying the source and blocking it using an access-list might help. In other cases, getting sniffer traces and analyzing the source of the traffic would help in isolating unwanted traffic from legitimate traffic.

Basic Threat Detection Feature in ASA 8.x
Cisco Security Appliance ASA/PIX supports the feature called threat detection from software version 8.0 and later.
Using basic threat detection, the security appliance monitors the rate of dropped packets and security events due to these reasons:


Denial by access lists



Bad packet format (such as invalid-ip-header or invalid-tcp-hdr-length)



Connection limits exceeded (both system-wide resource limits, and limits set in the configuration)



DoS attack detected (such as an invalid SPI, Stateful Firewall check failure)



Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.)



Suspicious ICMP packets detected



Packets failed application inspection



Interface overload



Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a
SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection (refer to
Configuring Scanning Threat Detection for more information) takes this scanning attack rate information and acts on it by classifying hosts as attackers and automatically shunning them, for example.)



Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected.

When the security appliance detects a threat, it immediately sends a system log message (730100).
Basic threat detection affects performance only when there are drops or potential threats. Even in this scenario, the performance impact is insignificant.

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 9 of 11

The show threat-detection rate command is used in order to identify potential attacks when you are logged into the security appliance.

ciscoasa#show threat-detection rate
Average(eps)
10-min ACL drop:
0
1-hour ACL drop:
0
1-hour SYN attck:
5
10-min Scanning:
0
1-hour Scanning:
106
1-hour Bad pkts:
76
10-min Firewall:
0
1-hour Firewall:
76
10-min DoS attck:
0
1-hour DoS attck:
0
10-min Interface:
0
1-hour Interface:
88

Current(eps) Trigger
0
0
0
0
0
2
0
29
0
10
0
2
0
3
0
2
0
0
0
0
0
0
0
0

Total events
16
112
21438
193
384776
274690
22
274844
6
42
204
318225

Refer to Configuring Basic Threat Detection section of ASA 8.0 configuration guide for more information on the configuration part.

Syslog Message 733100
Error Message:

%ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is rate_val per second, max configured rate is rate_val;
Current average rate is rate_val per second, max configured rate is rate_val; Cumulative total count is total_cnt
The specified object in the system log message has exceeded the specified burst threshold rate or average threshold rate. The object can be drop activity of a host, TCP/UDP port, IP protocol, or various drops due to potential attacks. It indicates the system is under potential attack.
Note: These error messages with resolution are applicable only to ASA 8.0 and later.
1. Object—The general or particular source of a drop rate count, which might include these:


Firewall



Bad pkts



Rate limit



DoS attck



ACL drop



Conn limit



ICMP attk



Scanning



SYN attck



Inspect



Interface

2. rate_ID—The configured rate that is being exceeded. Most objects can be configured with up to three different rates for different intervals.
3. rate_val—A particular rate value.
4. total_cnt—The total count since the object was created or cleared.
These three examples show how these variables occur:


For an interface drop due to a CPU or bus limitation:

%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems



Page 10 of 11

For a scanning drop due to potential attacks:

ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second_ max configured rate is 10; Current average rate is 245 per second_ max configured rate is 5; Cumulative total count is 147409 (35 instances received)


For bad packets due to potential attacks:

%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 760 per second, max configured rate is 100; Cumulative total count is 1938933
Recommended Action:
Perform these steps according to the specified object type that appears in the message:
1. If the object in the syslog message is one of these:


Firewall



Bad pkts



Rate limit



DoS attack



ACL drop



Conn limit



ICMP attk



Scanning



SYN attck



Inspect



Interface

Check whether the drop rate is acceptable for the running environment.
2. Adjust the threshold rate of the particular drop to an appropriate value by running the threat-detection rate xxx command, where xxx is one of these:


acl-drop



bad-packet-drop



conn-limit-drop



dos-drop



fw-drop



icmp-drop



inspect-drop



interface-drop



scanning-threat



syn-attack

3. If the object in the syslog message is a TCP or UDP port, an IP protocol, or a host drop, check whether the drop rate is acceptable for the running environment.
4. Adjust the threshold rate of the particular drop to an appropriate value by running the threat-detection rate bad-packet-drop command. Refer to the Configuring Basic Threat Detection section of the ASA 8.0
Configuration Guide for more information.
Note: If you do not want the drop rate exceed warning to appear, you can disable it by running the no threatdetection basic-threat command.

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

ASA/PIX 7.x and Later: Mitigating the Network Attacks - Cisco Systems

Page 11 of 11

Cisco Support Community - Featured Conversations
Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your

peers. Below are just some of the most recent and relevant conversations happening right now.

Want to see more? Join us by clicking here help firewall capacity expansion for... castleju1 1 Reply 5 months, 3 weeks ago
ASA NAT exempt, TCP sequence Moxy82KAW 5 Replies 1 year, 3 months ago
How to establish a baseline for... mhcraig 0 Replies 2 years, 9 months ago
ASA/Pix 7.X Failover addressing jeffasher 1 Reply 5 years, 2 months ago
Pings thru ASA/PIX 7.x vikram_anumukonda 4 Replies 3 years, 6 months ago
IP Pools assigned from AAA server joseph.kukis_at_stevens.edu 3 Replies 5 months, 3 weeks ago ASA and OSPF svanguilder 2 Replies 2 years, 7 months ago
Restrict Network Bandwidth ray_stone 4 Replies 3 years, 6 months ago vpn authentication ofir_at_oscar 7 Replies 2 years, 8 months ago
VPN Backup Architecture gdelpanta 10 Replies 5 years, 6 months ago
Enable Raduis Attributes for Group Lock marcohernandez 4 Replies 8 months, 2 days ago
Start A New Discussion

Subscribe

Related Information







Cisco 5500 Series Adaptive Security Appliances Support Page
Cisco 500 Series PIX Support Page
Defenses Against TCP SYN Flooding Attacks
Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Denial of Service
Vulnerabilities in Content Switching Module
Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Multiple Vulnerabilities in Cisco PIX and ASA Appliances and Firewall Services Module
IP Spoofing

 Technical Support & Documentation - Cisco Systems

Updated: Sep 30, 2008

Document ID: 100830

http://kbase/paws/servlet/ViewFile/100830/asa-pix-netattacks.xml?convertPaths=1

11/4/2011

Similar Documents

Free Essay

Enterprise It at Cisco Case Study

...The problem bothered Cisco a lot in 2001 is an example of company doesn’t do anything about centralized monitoring. The decisions may different with company strategy, which may lead a waste of human resource and money. This case shows the importance of collaborating between all departments in business. After reading this case, bunch of questions jump out of my mind: would I approve the call center project if I were Boston? If yes, what kind of benefits will bring to company? If no, why? Admittedly, call center project was very important and valuable, but so were many others considered by BPOC. So the main questions for approving call center project are: would its benefits are much more than risk? Would it against other projects? Would it also benefit to other functional areas? How much will it cost- the percentage in total IT budget, people and training cost? To answer the question of if I will approve call center project, I need the answers of the questions I mentioned before. However, I can’t get perfect answers for these questions. Besides, the most urgent thing for Cisco now is to upgrade its ERP project. Even though Cisco had ERP system to store all the data, there was no common business logic allowed all the applications to read and interpret the raw data in a consistent manner. So it is more important to upgrade ERP system to capture more and accurate information about the customer. It would be better if Cisco do the ERP upgrade first, and then consider the call...

Words: 262 - Pages: 2

Premium Essay

Cisco Case Study

...CISCO CASE STUDY QUESTION 1 How is building a brand in a business-to-business context different from doing so in the consumer market? ANSWER First of all we must describe what is meant by business-to-business. Business-to-business is a transaction that occurs between a company and another company, as opposed to a transaction involving a consumer (R wright, 2004). R .Wright further elaborates it as a term that may refer to a situation where one business makes a commercial transaction with another. This can happen through a business sourcing materials for their production processes or a business re-sells goods and services manufactured by other companies. Creating a strong brand that is able to set a business apart from other companies is always an important job. However for this to succeed knowing who the intended clients are, will assist the company in determining how to build their brand. According to Nick Kendall (2015), he describes a brand as a product, service or concept that is publicly distinguished from other products, services or concepts so that it can be easily communicated. e.g.(sign, symbol, words or combination of these, employed in creating an image that identifies a product). Business-to business branding requires that the business be willing to accept the time to completely educate the professional buyers about the product, instead of mass marking and small advertisements. The reason to have professional buyers is because they are already well informed...

Words: 1183 - Pages: 5

Premium Essay

Cisco Case Study

...Cisco IT Case Study – August 2013 Big Data Analytics How Cisco IT Built Big Data Platform to Transform Data Management EXECUTIVE SUMMARY CHALLENGE ● Unlock the business value of large data sets, including structured and unstructured information ● Provide service-level agreements (SLAs) for internal customers using big data analytics services ● Support multiple internal users on same platform SOLUTION ● Implemented enterprise Hadoop platform on Cisco UCS CPA for Big Data - a complete infrastructure solution including compute, storage, connectivity and unified management ● Automated job scheduling and process orchestration using Cisco Tidal Enterprise Scheduler as alternative to Oozie RESULTS ● Analyzed service sales opportunities in one-tenth the time, at one-tenth the cost ● $40 million in incremental service bookings in the current fiscal year as a result of this initiative ● Implemented a multi-tenant enterprise platform while delivering immediate business value LESSONS LEARNED ● Cisco UCS can reduce complexity, improves agility, and radically improves cost of ownership for Hadoop based applications ● Library of Hive and Pig user-defined functions (UDF) increases developer productivity. ● Cisco TES simplifies job scheduling and process orchestration ● Build internal Hadoop skills ● Educate internal users about opportunities to use big data analytics to improve data processing and decision making NEXT STEPS ● Enable NoSQL Database and advanced...

Words: 3053 - Pages: 13

Premium Essay

Cisco Case Study

...text and in reading the Cisco case study, it seems that business-to-business marketing consists of a more direct approach through very specific channels of distribution. Business-to-business success is centered around more personal relationships between the partner companies. In the Cisco case this was demonstrated by Cisco's business to business relationships it developed with Matsushita, U.S. West, and Sony (Cisco). In comparison, consumer marketing is targeted at all the major demographic groups. Consumer marketing aims to capture sales through major retailers thus removing the personal connection that is inherent in the business-to-business relationship. In the Cisco case, it is obvious that throughout the 90's Cisco was extremely successful at working the business-to-business model and focused on technology companies and specific corporations to sale their internet based technologies too. This enabled them to become the largest company in the world in the 90's with over $500 billion in worth, however, they name brand through the consumer market was relatively unknown (Cisco). Cisco began making acquisitions in the 21st century of companies such as Linksys which began their efforts toward consumer marketing, away from business-to-business marketing. Cisco has continued to change its messaging, focus advertising on customers, and worked hard to make its brand image known throughout the world the same as its competitors Microsoft and Apple (Cisco). 2- Is Cisco's plan to...

Words: 472 - Pages: 2

Premium Essay

Cisco Case Study

...Cisco Case Study D. i. How did Cisco determine the allocation of the purchase price to specific tangible and intangible assets? (see business combinations in the summary of significant accounting policies in note 2.) Cisco allocates the fair value of the purchase consideration of its acquisitions to the tangible assets, liabilities, and intangible assets acquired. The excess fair value of the purchase consideration over the fair values of these identifiable assets and liabilities is recorded as goodwill. ii. What percentage of the total (gross) assets acquired in the NDS acquisition (excluding liabilities assumed) are comprised of goodwill and other intangibles? Cash and cash equivalents 98,000,000 A/R 199,000,000 Other tangible assets 268,000,000 Goodwill 3,444,000,000 Purchased intangible assets 1,746,000,000 Total 5,755,000,000 % of goodwill and other intangibles of the total (5,190,000,000 / 5,755,000,000) = 90.2% iii. Show the consolidation journal entry that Cisco made to record the purchase of NDS in 2013 Cash 98 A/R 199 Other intangibles 268 Goodwill 3444 Purchased intangible assets 1746 Deferred tax liability 378 Liabilities 372 Cash 5005 iv. 12 additional business acquisitions made by Cisco in 2013 for a total purchase price of $1,977 million. How does Cisco report the purchase transaction in Note 3 in the statement of cash flows in 2013? Why does the amount reported in the statement...

Words: 711 - Pages: 3

Premium Essay

Cisco Case Study

...Cisco Systems, Inc.: Implementing ERP Introduction Cisco Systems Inc. was founded in 1984 by two of Stanford University’s computer scientists. In 1990, a matter of just six years from the start-up date, Cisco became publically traded. With the massive growth of Internet Technologies, demand for Cisco products increased dramatically, resulting in Cisco dominating the marketplace. The contributing factor to Cisco’s dominating presence in the market is due to the company’s primary product, the “router”. This is a combination of hardware and software that acts as a traffic cop on the complex Transmission Control Protocol and Internet Protocol (TCP/IP) networks that make up the internet as well as corporate intranets. TCP and IP networks provided a robust standard for routing messages between LANs and created the potential to connect all computers on an ever-larger Wide Area Network (WAN). Financially, the company experienced consistent growth from July 30, 1995 up until July 25 1998. Using figures provided in Exhibit 1 of the case study, it can be calculated that Net Sales increased a whopping 279% from 1995-1998. The year 1997 proved to be a milestone for the company. It was the first year for the company to feature on the Fortune 500 list. Cisco was ranked among the top five companies in return on revenues and return on assets. Some industry pundits predicted Cisco would be third dominating company alongside Microsoft and Intel, to shape the digital revolution. The reasoning...

Words: 1220 - Pages: 5

Premium Essay

Cisco Case Study

...| Case Study on Cisco Systems, Inc | Continuous Assessment | Global Supply Chain Management | | | Table of Contents Table of Figures 3 Question 1. Using an appropriate operations framework outline the challenges/risks faced by Cisco in introducing a new product. 3 Question 2. What are the general operational / supply chain issues in using a Chinese supplier 6 Question 3. Identify and briefly explain the specific risks / rewards in selecting Foxconn as a key subcontractor. 9 Question 4. Recommend, detail and justify operational and supply chain strategies for Cisco. 11 Question 5. Research and reference Cisco's subsequent actions using publically available material and comment briefly 13 Appendices 16 Appendix A 16 Appendix B 17 Appendix C 18 References 20 Project Diary: 26 Table of Figures Figure 2.1 Chinese Traditional Values (Jin et al., 2013). 17 Figure 2.2 Global Rate, Labour and Freight (Kumar et al., 2009). 18 Figure 4.1 Competitive Advantages. (Christopher, M., & Peck, H, 2003)…………...….….....18 Question 1. Using an appropriate operations framework outline the challenges/risks faced by Cisco in introducing a new product. Erhun, Gonclaves and Hopman (2007) state that risk during new product introduction (NPI) process can stem from either an internal or external source, and more critically from either a supply or a demand prospective. The challenge for Cisco during the NPI phase is to utilise an operational framework...

Words: 5304 - Pages: 22

Premium Essay

Case Study for Cisco

...Cisco Case Study Cisco Systems, Inc. (NASDAQ: CSCO) is an American multinational corporation headquartered in San Jose, California, United States, that designs and sells consumer electronics, networking, voice, and communications technology and services. Founded by Len Bosack and Sandy Lerner, a married couple who worked as computer operations staff members at Stanford University, along with Nicholas Pham, founded Cisco Systems in 1984. For the first time in a decade Cisco experienced its first negative quarter in 2001. The loss of earnings was due to the economic down. Their sales declined by 30%, inventory surplus was written off as a loss to the tune of $2.2 billion, 8,500 workers were laid off and stock prices plummeted by almost 60%, as of April 6, 2001 stock prices were $13.63 per share, down from $82 per share 13 short months earlier. Cisco leaders blamed the economy for its decline; the economic downturn was only partly to blame for Cisco’s problem. To analyze and interpret the article What Went Wrong at Cisco in 2001, I will first explain what actually went wrong, second I will Show a SWOT analysis to identify Cisco’s strengths, weaknesses, and threats, third we will analyze and discuss the nature and problems of the Cisco’s business-level and corporate strategy, last I will present my solutions and recommendations for Cisco in the future. What Went Wrong at Cisco In 2001? Cisco’s problems were only magnified by the economic downturn but there had been signs of...

Words: 1391 - Pages: 6

Premium Essay

Cisco Case Study

...Cisco is the infamous routing and networking company that have used ingenious methods of both business-to-business and the consumer marketing. Cisco original product line was intended for sale to other business. Building a brand in a business-to-business context has some notable differences than doing so in the consumer market because it markets to different audience. Branding within business-to-business appears to be more centered on relationships of various companies. This is demonstrated when the company Cisco developed partnerships with Sony, Matsushita, and US West. Constructing a brand in a business-to-business also requires awareness or educational building activities. Cisco launched a television ad campaign to educate the consumer. In those ad campaign facts about the power of the internet where revealed to viewers in a series of questions. The target audience in a business-to-business is small and focused. In 2003, Cisco targeted corporate executives and IT decision makers to sell their products. Erecting a brand in a consumer market is more product-driven than relationship driven than the business-to-business marketing. When Cisco switched from business-to-business to the consumer market, they began producing several home entertainment products than covered a large target audience with various products for music, printing, video, and more. A new marketing brand was also necessary to tap into the emotional buying needs of the consumer market. Cisco began their ‘The...

Words: 495 - Pages: 2

Premium Essay

Cisco Case Study

...In the past ten to fifteen years, Cisco has changed its marketing channel strategy majorly. While in the past Cisco was only focused on the volume of their business, they reconfigured their strategy to focus in on the value of business. Previously business was transferred through Cisco’s partners and retailers, who worked with customers to make deals and fill orders. Under their newer value-based strategy, their VARs, or value-added channel resellers, work directly with customers to ensure they are receiving the best value products and latest technologies. These VARs were able to work with large accounts as well as small to mid size accounts by offering specializations and value in niche markets or specific regions. Using this method makes it impossible to structure the strategy based on volume, because it is unfeasible to rate resellers effectively based on volume of sales when the focus is so highly placed on quality and value of the sale. Resellers and channel members were rated based on the value that they brought to the table rather than the volume of sales, making it easier for lower-tiered members to gain high status based on the value that they brought to the table. For example, a member that previously did not generate nearly enough sales to be considered a top-tiered reseller would now be able to achieve a higher status if the value of their service and specializations were up to par. This creates a stronger relationship between the customer and the VAR, thus increasing...

Words: 607 - Pages: 3

Premium Essay

Cisco Case Study

...Cisco incorporated both aspects by buying companies that rendered services and products that they needed in order to expand to a broader marketing audience which resulted in their company becoming the most valuable company in the world in March 2000. Successful marketing requires capabilities such as understanding, creating, delivering, capturing while also sustaining value. Along with these needed additives, one must understand that business to business and business to consumer relate to each other. However, they must be handled or strategically attacked with separate or specific missions. With building a brand, one must develop a strong marketing strategy in order to generate profit. Business to business marketing is geared more to business buyers and sellers whereas business to consumer focuses on the individual consumers need or want. When it comes to the marketing aspect of the two, the marketing strategy, advertisement, internet marketing, and public relations will all have to be executed in specific ways in order to target the right audience. There are also similar but different aspects that should be considered when developing marketing strategies for business to business and business to consumer as well. Business to business markets tend to be more on a personal level to which companies focus on getting to know their customers in order to establish a working relationship. However, in the consumer market, mass communication and distribution tools are needed...

Words: 469 - Pages: 2

Premium Essay

Cisco Case Study

...A. I. An intangible asset is a non-physical asset having a useful life greater than one year. These assets are generally recognized as part of an acquisition, where the acquirer is allowed to assign some portion of the purchase price to acquired intangible assets. Examples: Patents, trademarks, copyrights, intellectual property etc. II. According to U.S. GAAP, intangible assets are only listed on the balance sheet if they are acquired assets and assets with an identifiable value and useful lifespan that can be amortized. Internally developed intangibles do not show up on the company’s balance sheet. Ex. Company logo: does not have a price that can be set a fair market value. When intangibles have an identifiable value and lifespan, they show up on the balance sheet as long-term assets. III. IAS 38: Main Differences between IFRS and U.S. GAAP: Revaluations other than impairment considerations: Subsequent to their initial recognition, intangible assets (other than goodwill) may be revalued to fair value as an accounting policy election. However, because adoption of this election requires that fair value be determined by reference to an active market, it is rarely used. Internally developed intangible assets: Costs in the research phase are expensed as incurred. Costs in the development phase are capitalized if the entity can demonstrate all of the following: The technical feasibility of completing the intangible asset The intention to complete the intangible asset ...

Words: 848 - Pages: 4

Premium Essay

Cisco Case Study

...Nicolas  de  Gonneville,  Jeremy  Lipszyc,  Rayan  Mekouar         Corporate Strategy   Cisco System: New millennium – new acquisition strategy? 1. What was unique in the way Cisco managed its acquisitions in the 90’s?   During the 90’s, Cisco has based its growth strategy mainly on acquisitions. From the first acquisition of the company called “Crescendo” in 1993, Cisco has bought more than 45 firms until 1999. Cisco can be considered as unique in its way of managing its acquisition deals because of the methodology that they have created and the kind of expertise that they have developed. The Cisco’s acquisition framework focuses on 2 main steps: targeting and integration. § Targeting: In order to enter in niches markets, to acquire a technology, to add a product to its range or to reinforce a specific process, Cisco’s strategy was based on the purchase of smaller and innovative companies. The selection process includes 6 main criteria: -­‐ size; focus mainly on small companies, -­‐ growth; fast growing companies, -­‐ strategy; Cisco is looking for focused companies with a strong expertise, -­‐ entrepreneurial spirit, -­‐ similarity in culture, -­‐ and geographical proximity especially for the largest targets. Cisco is looking for good fit, complementarity of visions, quick wins for shareholders and long terms wins for all stakeholders. § Integration According to Cisco’s management, post-acquisition integration...

Words: 478 - Pages: 2

Premium Essay

Csu -Cisco Case Study

...Cisco Case Study Columbia Southern University Business to business (B2B) is defined as commerce transactions between businesses and business to consumer (B2C) is defined as transactions of a business by serving consumers with their products or services. An example of B2B is “commerce transactions between businesses, such as between a manufacturer and a wholesaler or between a wholesaler and a retailer” (McCleave, 2010, para. 4). In addition, an example of B2C is Cisco offering “several home entertainment solutions, including wireless capabilities for music, printing, video, and more (Kotler & Keller, 2012, p. 57)”. There are a few difference between B2B and B2C as it relates to a corporation marketing and building their brand. For example in a B2B relationship a corporation can build a relationship with another business better than it can build a relationship with a consumer. Cisco build relationships with other corporations in order to increase the business knowledge of their products. Cisco benefitted from building these relationship because it help them to grow and become successful. “Cisco developed partnerships with Sony, Matsushita, and US West to co-brand its modems with the Cisco logo in hopes of building its name recognition and brand value” (Kotler & Keller, 2012, p. 57). A corporation brand awareness for a B2C relationship is to increase the consumer awareness of the products. Once awareness is increase the corporation is hoping more consumers will purchase...

Words: 736 - Pages: 3

Premium Essay

Cisco Case Study

...In the business to business branding the company will have to build a relationship with customers that is strong and personable. This will result in the brand becoming the got to source for customers. Business to business takes up a little more time to ensure other professional buyers about the brand. These buyers are needed because they are more informed about the needs of the purchase. This will allow them to achieve higher income with a lower cost than some of the other competitors. Typically this type of buyer is more concerned with the availability of the brand more than the cost of the brand. Cisco demonstrated this type of personal relationship with Matsushita, U.S. West and Sony. Cisco success in the 90s was the result of this business to business relationship with technology companies, allowing Cisco’s logo to be used which resulted in the brand value and recognition going up. In the business to consumer market it differs dramatically form the business to business marketing. The biggest difference is in business to consumer marketing is geared to the actual consumer, the person that not only is buying the product but also using the product. This means a company’s advertising mind state must change. The way a company advertises to other companies cannot and will not be the same as they do to consumers. Even though a customer may feel a true connection to a particular brand it does not make them have a personal relationship with that brand such as in a business...

Words: 453 - Pages: 2