Sunday, 21 February 2016

Hardening / threat mitigation with Cisco ASA

This post will briefly describe a number of techniques that can be used to harden / help mitigate attacks targeted against the ASA.

There are types of threat-detection that we can utilize - basic (which is enabled by default - applied system-wide) and advanced - which usually implies that you have more granular control e.g. specifying src/dst)

conn-limit: This variable allows you to set the maximum amount of connections to the device before it will start to drop connections:

threat-detection rate conn-limit-drop rate-interval 1000 average-rate 3 burst-rate 3

We can review the configuration with:

show threat-detection rate

We can also use policy maps to police connections on a more granular level i.e. a specific source / destination:

access-list CUSTOMER-TRAFFIC extended permit tcp any host CUSTOMER-WEBSITE-IP eq www

class-map CONNECTIONS
match access-list CUSTOMER-TRAFFIC
exit

policy-map CONNECTION-POLICY
class CONNECTIONS
set connection per-client-max 30 per-client-embryonic-max 10

service-policy CONNECTION-POLICY interface OUTSIDE

We can then review the policy with (allowing you to check for current connections and how many have been dropped):

show service-policy interface OUTSIDE

SMURF Attacks: This is when an attacker broadcasts a large amount of ICMP messages that have their source spoofed so that other hosts on the network all respond - hence generating a large amount of traffic directed towards the target.

This attack can be mitigated by using the following command:

no ip directed-broadcast

By default this directed broadcast is now turned of by default in IOS 12+.

SYN Flood Attacks: This kind of attack is where an attacker start the three-way handshake with the victim by sending a SYN packet - the victim then responds with a SYN-ACK - although the attacker then never responds (or spoofs the source) with an ACK - leaving the session open - doing this continually can use up all of the connection state table if not mitigated properly.

By default the basic threat detection defines the following:

threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160


0 comments:

Post a comment