cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
870
Views
0
Helpful
3
Replies

Best practices for using Normalizer in ASA and in AIP-SSM

ovt
Level 4
Level 4

Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.

The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on ASA and/or SSM? Is it better to use just SSM for traffic normalization? Does anybody has personal experience here?

Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"

"When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."

To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.

So, those who're using ASA with SSM, please share your experience.

Thx.

3 Replies 3

jshelmer
Level 1
Level 1

Can anyone provide more information here? I would like answers to the same questions.

ASA 5520 - 7.0(5)8

IPS - 5.1(2)S244

Thanks.

marcabal
Cisco Employee
Cisco Employee

A simple answer here when using an ASA with an AIP-SSM.

The ASA will automatically turn on it's IP Fragmentation and TCP Normalization features when sending packets to the AIP-SSM for analysis.

So the AIP-SSM Normalizer features are not used because the SSM relies on the ASA to do the normalization.

There is no option to turn OFF the normalizer feature on the ASA, and start using the Normalizer on the SSM.

Yes, this is almost correct ;)

TCP SRP (Stream Reassemly Processor) is turned OFF on the SSM and cannot be enabled, contrary to 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.

The testing of 7.2(1) shows the following:

When you configure "policy-map" to send packets to the SSM the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, the gaps in SEQs are not allowed anymore. When for example, the ASA receives a TCP segment which has a SEQ within the window, but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmition of the lost segment. As a result the sender retransmits both segments. Only after that the ASA forwards both segments to the SSM. This basically means that SSM always sees in-order TCP segments. That it is why SRP is not needed on the SSM.

There are at least two problems however.

The first problem is the performance impact.

ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP Option. This simply breakes SACK. Second, even if you turn randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.

The second problem is THE SECURITY HOLE.

By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that SSM module can easily be evaded. The hacker only needs to mix attacking traffic with the random TCP segments that have bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop TCP segments with the bad checksums and see only attacking traffic... This has been successfully verified in the lab.

Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely has performance impact.

The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.

I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.

Regards,

Oleg Tipisov,

REDCENTER,

Moscow

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: