FWSM Policing or Rate-Limiting

Unanswered Question
Feb 25th, 2010

Hello,

Has anyone had success implementing rate-limiting on the FWSM that does not impact firewall performance? I have heard that I can implement policing on the 6500, but policing does not support pps, it only supports bps, which does not help with a firewall. Please advise.

Thanks!!

Lee

Kureli Sankar Thu, 02/25/2010 - 16:26

Lee,

I don't think you can do much with the problem that you saw in your network today, besides restricting/limiting via the limit-resource.

On the ASA platform there is something called TD (Threat Detection) which may have helped shun this host opening too many connections through the firewall but it is not supported in multiple context.

Here is some info. on IPS to read:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmSigEng.html#wp1048257

-KS

lxcollin1 Thu, 02/25/2010 - 17:27

Hello. The problem is that I did limit the max conns and conn rate, but the host was still able to bring down the firewall. There has to be a way to prevent this from happening in the future. It's difficult to understand how a single host, within a single context, has the ability to bring down an entire FWSM. Any ideas to help resolve this problem?
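
The two controls named so far in the thread are the per-context resource class (`limit-resource`) and the per-flow connection limits. The fragment below is an added illustration, not configuration from the thread or from Cisco; it assumes ASA/FWSM multiple-context syntax, an illustrative context name `ctx-a`, an illustrative ACL `noisy-src`, and made-up numbers. The exact `set connection` keywords vary by FWSM release, so check them against the command reference for the installed version before use.

```cisco
! --- System execution space (added example, values illustrative) ---
! A resource class caps how much of the module's connection table and
! connection setup rate any member context may consume, so a flood inside
! one context cannot exhaust what the other contexts need.
class ctx-a-limits
  limit-resource conns 10%
  limit-resource rate conns 2000
context ctx-a
  member ctx-a-limits

! --- Inside context ctx-a (added example) ---
! Per-flow caps through MPF: total and embryonic connections for traffic
! matching the ACL, plus per-client limits so one source cannot take the
! whole allowance. noisy-src is an assumed ACL name.
access-list noisy-src extended permit ip 10.0.0.0 255.255.255.0 any
class-map conn-limits
  match access-list noisy-src
policy-map global_policy
  class conn-limits
    set connection conn-max 2000 embryonic-conn-max 500
    set connection per-client-max 100 per-client-embryonic-max 20
service-policy global_policy global
```

As the thread goes on to say, both controls are enforced by the FWSM's own network processors, so they bound the damage to one context rather than remove the load; the packets still have to be classified before they are dropped, which is why the later replies favour rate limiting or blocking the source before it reaches the module.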

Kureli Sankar Thu, 02/25/2010 - 19:36

One single host can certainly take a firewall down provided it sends the right packets at the right rate.

I will let the rest of them chime in.

Only other thing that I would like to say is that the FWSM is not an IDS device. As it sees packets it will try to process them, whether to deny or permit them. Time and again we see people who expect the firewall to act as an attack mitigation device as well.

Best thing to do is block this host down/up stream or apply rate limit before it hits the FWSM.

-KS

lxcollin1 Fri, 02/26/2010 - 15:17

Thanks PK. The problem with rate-limiting on the FWSM is that it is still processed by the np3 engine, which could bring the module to its knees if a host was attempting to initiate tens of thousands of connections. I'm really just looking for a method to help protect the module, and since this is a multiple-context firewall, I'm trying to protect my other contexts.

Thanks for your reply!

Panos Kampanakis Fri, 02/26/2010 - 15:32

True, I see your point.

Since one host is the guy that is overwhelming it I would feel more comfortable with the FWSM limiting, because the cpu load for conn limiting would not be that bad; the pc already has the conn table, so adding some check against it might not be that bad.

For a cleaner solution, I believe, like others have suggested, rate-limiting somewhere around it would be the best choice.

PK

lxcollin1 Fri, 02/26/2010 - 15:45

Thanks PK. Maybe I'll try to do a combination of both measures.
