Has anyone had success implementing rate-limiting on the FWSM that does not impact firewall performance? I have heard that I can implement policing on the 6500, but policing does not support pps, it only supports bps, which does not help with a firewall. Please advise.
Hello. The problem is that I did limit the max conns and conn rate, but the host was still able to bring down the firewall. There has to be a way to prevent this from happening in the future. It's difficult to understand how a single host, within a single context, has the ability to bring down an entire FWSM. Any ideas to help resolve this problem?
One single host can certainly take a firewall down, provided it sends the right packets at the right rate.
I will let the rest of them chime in.
The only other thing that I would like to say is that the FWSM is not an IDS device. As it sees packets it will try to process them, whether to deny or permit them. Time and again we see people who expect the firewall to act as an attack mitigation device as well.
Best thing to do is block this host down/up stream or apply rate limit before it hits the FWSM.
Thanks PK. The problem with rate-limiting on the FWSM is that it is still processed by the NP3 engine, which could bring the module to its knees if a host was attempting to initiate tens of thousands of connections. I'm really just looking for a method to help protect the module, and since this is a multiple-context firewall, I'm trying to protect my other contexts.
Since one host is the guy that is overwhelming it, I would feel more comfortable with the FWSM limiting, because the CPU load for conn limiting would not be that bad; the PC already has the conn table, so adding some check against it might not be that bad.
For a cleaner solution, I believe, like others have suggested, rate-limiting somewhere around it would be the best choice.
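The two approaches discussed in this thread, as an added configuration example that is not part of any post above: a per-client connection limit applied on the FWSM with Modular Policy Framework, and a bps policer applied on the 6500 SVI facing the host so that excess traffic is dropped before it reaches the module. The host address 10.1.1.50, the VLAN number, the context name and every numeric threshold are assumed for illustration; the `per-client-max` / `per-client-embryonic-max` keywords assume an FWSM release that supports them (the 3.x train), and the MQC policer assumes a PFC-based Supervisor, since the thread notes that policing on the 6500 is bps-based rather than pps-based.

```cisco
! ---- Part 1: FWSM, inside the affected context ----
! Identify the noisy host (assumed address) and cap what it may open.
access-list NOISY-HOST extended permit ip host 10.1.1.50 any
class-map NOISY-HOST
 match access-list NOISY-HOST
!
policy-map global_policy
 class NOISY-HOST
  ! Total and half-open limits for the class, plus per-source-IP limits.
  ! Embryonic limits matter most: a SYN flood is made of half-open conns.
  set connection conn-max 2000 embryonic-conn-max 200
  set connection per-client-max 200 per-client-embryonic-max 20
  ! Age out idle and half-open conns faster so the table drains.
  set connection timeout embryonic 0:00:20 tcp 0:05:00
!
service-policy global_policy global
!
! ---- Part 2: Catalyst 6500, upstream of the FWSM ----
! Police the host before its traffic is switched to the module.
! The policer is rate-based (bps); 1 Mbit/s with an 8000-byte burst is assumed.
ip access-list extended NOISY-HOST
 permit ip host 10.1.1.50 any
!
class-map match-all NOISY-HOST
 match access-group name NOISY-HOST
!
policy-map POLICE-NOISY-HOST
 class NOISY-HOST
  police 1000000 8000 conform-action transmit exceed-action drop
!
interface Vlan100
 description Host-facing VLAN in front of the FWSM context
 service-policy input POLICE-NOISY-HOST
```

Verification after applying: `show service-policy` on the FWSM context shows the per-class conn counters and drops, and `show policy-map interface vlan 100` on the 6500 shows conformed versus exceeded packets for the policer. Part 1 still costs the FWSM the work of inspecting each packet, which is the concern raised earlier in the thread; only Part 2 keeps excess traffic off the module altogether, so the two are complementary rather than alternatives.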