New Member

FWSM Policing or Rate-Limiting

Hello,

Has anyone had success implementing rate-limiting on the FWSM that does not impact firewall performance? I have heard that I can implement policing on the 6500, but policing does not support pps, it only supports bps, which does not help with a firewall. Please advise.

Thanks!!

Lee

7 REPLIES
Cisco Employee

Re: FWSM Policing or Rate-Limiting

Lee,

I don't think you can do much with the problem that you saw in your network today, besides restricting/limiting via the limit-resource.

On the ASA platform there is something called TD (Threat Detection) which may have helped shun this host opening too many connections through the firewall but it is not supported in multiple context.

Here is some info on IPS to read:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmSigEng.html#wp1048257

-KS

New Member

Re: FWSM Policing or Rate-Limiting

Hello. The problem is that I did limit the max conns and conn rate, but the host was still able to bring down the firewall. There has to be a way to prevent this from happening in the future. It's difficult to understand how a single host, within a single context, has the ability to bring down an entire FWSM. Any ideas to help resolve this problem?

Cisco Employee

Re: FWSM Policing or Rate-Limiting

One single host can certainly take a firewall down provided it sends the right packets at the right rate.

I will let the rest of them chime in.

Only other thing that I would like to say is that the FWSM is not an IDS device. As it sees packets it will try to process them, whether to deny or permit them. Time and again we see people who expect the firewall to act as an attack mitigation device as well.

Best thing to do is block this host down/up stream or apply rate limit before it hits the FWSM.

-KS

Cisco Employee

Re: FWSM Policing or Rate-Limiting

You can limit the connections from specific hosts to connection rate and maximum number http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/protct_f.html#wp1065885

So you cannot really throttle down the traffic rate, but you can do a couple of things with connections from one host.

I hope it helps a little.

PK
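
As an added illustration of the two knobs mentioned in this thread (per-context resource limits via limit-resource, and per-host connection limits via Modular Policy Framework), here is a constructed FWSM configuration fragment. It is not from the thread or from Cisco; the class names, context name, ACL name, host address and all numeric values are assumptions chosen for the example.

```cisco
! --- System execution space: cap what any one context may consume
! Resource class with a ceiling on concurrent connections and on the
! rate of new connections; every context that is a member shares it.
! (Constructed example; names and numbers are placeholders.)
class limited-contexts
  limit-resource conns 20%
  limit-resource rate conns 2000
!
context customer-a
  member limited-contexts
!
! --- Inside the customer-a context: per-host connection limits via MPF
! The ACL selects the source host(s) to constrain (address is a placeholder).
access-list CONN_LIMIT extended permit ip host 192.0.2.10 any
!
class-map conn-limit-class
  match access-list CONN_LIMIT
!
policy-map global_policy
  class conn-limit-class
    ! Bound total and half-open (embryonic) connections per source client.
    set connection per-client-max 200 per-client-embryonic-max 50
!
service-policy global_policy global
```

The resource class keeps one context from exhausting the connection table shared by the whole module, while the per-client limits reject further connections from a single source once its quota is reached. Both checks are still performed by the FWSM itself, so excess packets from the offending host are still received and evaluated; they protect the connection table, not the packet-processing path, which is why the later replies recommend rate-limiting upstream of the module as the cleaner fix.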

New Member

Re: FWSM Policing or Rate-Limiting

Thanks PK. The problem with rate-limiting on the FWSM is that it is still processed by the np3 engine, which could bring the module to its knees if a host was attempting to initiate tens of thousands of connections. I'm really just looking for a method to help protect the module, and since this is a multiple-context firewall, I'm trying to protect my other contexts.

Thanks for your reply!

Cisco Employee

Re: FWSM Policing or Rate-Limiting

True, I see your point.

Since one host is the guy that is overwhelming it, I would feel more comfortable with the FWSM limiting, because the CPU load for conn limiting would not be that bad; the PC already has the conn table, so adding some check against it might not be that bad.

For a cleaner solution, I believe, like others have suggested, rate-limiting somewhere around it would be the best choice.

PK

New Member

Re: FWSM Policing or Rate-Limiting

Thanks PK. Maybe I'll try to do a combination of both measures.
