FWSM Policing or Rate-Limiting

lxcollin1
Level 1

Hello,

Has anyone had success implementing rate-limiting on the FWSM that does not impact firewall performance? I have heard that I can implement policing on the 6500, but policing does not support pps, it only supports bps, which does not help with a firewall. Please advise.

Thanks!!

Lee

7 Replies

Kureli Sankar
Cisco Employee

Lee,

I don't think you can do much with the problem that you saw in your network today, besides restricting/limiting via the limit-resource.

On the ASA platform there is something called TD (Threat Detection) which may have helped shun this host opening too many connections through the firewall but it is not supported in multiple context.

Here is some info. on IPS to read:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmSigEng.html#wp1048257

-KS

Hello. The problem is that I did limit the max conns and conn rate, but the host was still able to bring down the firewall. There has to be a way to prevent this from happening in the future. It's difficult to understand how a single host, within a single context, has the ability to bring down an entire FWSM. Any ideas to help resolve this problem?

One single host can certainly take a firewall down, provided it sends the right packets at the right rate.

I will let the rest of them chime in.

The only other thing that I would like to say is that the FWSM is not an IDS device. As it sees packets, it will try to process them, whether to deny or permit them. Time and again we see people who expect the firewall to act as an attack mitigation device as well.

Best thing to do is block this host down/up stream or apply rate limit before it hits the FWSM.

-KS

You can limit the connections from specific hosts by connection rate and maximum number: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/protct_f.html#wp1065885

So you cannot really throttle down the traffic rate, but you can do a couple of things with connections from one host.

I hope it helps a little.

PK
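As an added illustration of the two knobs mentioned in this thread (the `limit-resource` class KS refers to and the per-host connection limits PK links to), the snippet below is not configuration from the original posts or from Cisco's documentation. It shows a resource class applied to one context from the system execution space, then a per-client connection limit inside that context. The class name `gold`, the context name `ctx1`, the access-list and policy names, the subnet, and every numeric limit are assumed placeholders that would have to be sized for a real deployment.

```cisco
! --- System execution space (multiple-context mode) ---
! Cap what a single context may consume so that one context
! exhausting connections or connection rate does not starve the others.
! Resource names and the "rate" keyword follow FWSM 4.x syntax; the
! numbers are assumed placeholders.
class gold
  limit-resource conns 20000
  limit-resource rate conns 2000
  limit-resource rate syslogs 500
!
context ctx1
  member gold
!
! --- Inside context ctx1 ---
! Match the hosts whose connections should be bounded (assumed subnet).
access-list host-limits extended permit ip 10.1.1.0 255.255.255.0 any
!
class-map per-host-limits
  match access-list host-limits
!
! per-client-max bounds established connections per source host;
! per-client-embryonic-max bounds half-open (SYN-only) connections per
! source host, which is what a single host opening tens of thousands of
! connections would otherwise run up.
policy-map global_policy
  class per-host-limits
    set connection per-client-max 200 per-client-embryonic-max 50
!
service-policy global_policy global
```

The two layers address different failure modes: the resource class keeps one context from consuming the module's shared connection budget, and the per-client limit keeps one host from consuming its own context's budget. Neither changes the point raised later in the thread: the module still has to receive and inspect each packet before a limit can reject it, so these settings complement, rather than replace, blocking or rate-limiting the offending host upstream of the FWSM.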

Thanks PK. The problem with rate-limiting on the FWSM is that it is still processed by the np3 engine, which could bring the module to its knees if a host was attempting to initiate tens of thousands of connections. I'm really just looking for a method to help protect the module, and since this is a multiple-context firewall, I'm trying to protect my other contexts.

Thanks for your reply!

True, I see your point.

Since one host is the guy that is overwhelming it, I would feel more comfortable with the FWSM limiting, because the CPU load for conn limiting would not be that bad; the PC already has the conn table, so adding some check against it might not be that bad.

For a cleaner solution, I believe, like others have suggested, rate-limiting somewhere around it would be the best choice.

PK

Thanks PK. Maybe I'll try to do a combination of both measures.
