Best practices for using Normalizer in ASA and in AIP-SSM
Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on ASA and/or SSM? Is it better to use just SSM for traffic normalization? Does anybody have personal experience here?
Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
"When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
So, those who're using ASA with SSM, please share your experience.
This doesn't hold true. The IPS doesn't perform reassembly/refragmentation. It does virtual reassembly, like the PIX does.
What the above doc. says about the TCP normalization:
"Instead of the sensor acting as a TCP proxy, the segments will be ordered properly and the normalizer will look for any abnormal packets associated with evasion and attacks."
Yes, this is correct. But, how does it perform reordering? What does it do if some TCP segments are dropped by the router in the path? I've found out that IPS acts almost like a proxy in this case. For example, it can ACK TCP segments on behalf of the target host to force retransmissions... After receiving previously lost TCP segments it reorders them and passes them to the target host. And IPS timers are very very aggressive in this case. I saw how it drops a TCP session when some TCP segment is lost and is not retransmitted within 5 seconds!!! The timeout is not configurable! How will this work in real networks? Now I'm wondering if the PIX OS 7 behaves the same way... It seems that they share the same code for normalization.
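The two behaviours the thread describes, a bounded out-of-order queue on the ASA (where the bug report's "out of order packets" count equals the "no buffer drops" count, even with a queue-limit) and a fixed hole-fill timeout on the IPS that tears a session down when a lost segment is not retransmitted within 5 seconds, can be illustrated with a small model. The code below is an added example written for this thread; it is not Cisco's ASA or IPS code and is not from any of the posters. The 5-second value and the queue-limit semantics come from the thread; the class names, verdict strings, the consistent-retransmission check and the rule that the timer starts at the first queued segment are assumptions, and the segments and timestamps are constructed.

```python
"""Toy model of one direction of a TCP flow passing through an inline normalizer.

Assumed simplifications: segments never partially overlap, so each arriving
segment is exactly in order, a full retransmission of delivered data, or wholly
ahead of the expected sequence number. Not Cisco code; an illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes
    t: float        # arrival time in seconds (constructed timestamps)


class Normalizer:
    def __init__(self, isn: int, queue_limit: int = 0, hole_timeout: float = 5.0):
        self.base_seq = isn            # sequence number of stream[0]
        self.next_seq = isn            # next byte expected in order
        self.queue_limit = queue_limit  # how many out-of-order segments may be held
        self.hole_timeout = hole_timeout  # seconds a hole may stay unfilled (thread: 5 s, fixed)
        self.queue: Dict[int, Segment] = {}   # out-of-order segments held until the hole fills
        self.hole_since: Optional[float] = None  # arrival time of the first queued segment
        self.stream = bytearray()      # bytes passed on to the target host, in order
        self.ooo_count = 0             # "out of order packets" counter
        self.nobuf_drops = 0           # "no buffer drops" counter
        self.session_dropped = False

    def receive(self, seg: Segment) -> str:
        if self.session_dropped:
            return "session-dropped"
        # Hole-fill timer: if a gap has been open longer than the timeout, tear the session down.
        if self.hole_since is not None and seg.t - self.hole_since > self.hole_timeout:
            self.session_dropped = True
            self.queue.clear()
            return "session-dropped"
        if seg.seq < self.next_seq:
            # Retransmission of data already delivered: the payload must match what was
            # passed on earlier (the "check inconsistent retransmissions" idea).
            off = seg.seq - self.base_seq
            if off < 0:
                return "drop-before-isn"
            if bytes(self.stream[off:off + len(seg.payload)]) != seg.payload:
                return "inconsistent-retransmission-drop"
            return "retransmission"
        if seg.seq == self.next_seq:
            self._deliver(seg)
            self._drain()
            return "delivered"
        # Segment is ahead of the expected sequence number: out of order.
        self.ooo_count += 1
        if len(self.queue) >= self.queue_limit:
            self.nobuf_drops += 1      # with queue-limit 0 every OOO segment lands here
            return "no-buffer-drop"
        self.queue[seg.seq] = seg
        if self.hole_since is None:
            self.hole_since = seg.t
        return "queued"

    def _deliver(self, seg: Segment) -> None:
        self.stream += seg.payload
        self.next_seq += len(seg.payload)

    def _drain(self) -> None:
        # Release queued segments that now continue the stream; clear the timer if no hole remains.
        while self.next_seq in self.queue:
            self._deliver(self.queue.pop(self.next_seq))
        if not self.queue:
            self.hole_since = None


def run(isn: int, segments: List[Segment], queue_limit: int,
        hole_timeout: float = 5.0) -> Tuple[List[str], Normalizer]:
    n = Normalizer(isn, queue_limit, hole_timeout)
    return [n.receive(s) for s in segments], n


# Constructed three-segment stream; B is "lost" on its first pass in each scenario.
A = Segment(1000, b"AAAA", 0.00)
C = Segment(1008, b"CCCC", 0.10)


def scenario_no_queue():
    """queue-limit 0: the OOO counter and the no-buffer-drop counter move in lock step."""
    return run(1000, [A, C, Segment(1004, b"BBBB", 0.20), Segment(1008, b"CCCC", 1.0)], queue_limit=0)


def scenario_reorder():
    """A non-zero queue-limit lets C wait for B and the stream is reassembled in order."""
    return run(1000, [A, C, Segment(1004, b"BBBB", 0.20)], queue_limit=10)


def scenario_late_retransmit():
    """B is retransmitted after the hole-fill timeout: the session is dropped."""
    return run(1000, [A, C, Segment(1004, b"BBBB", 6.0)], queue_limit=10, hole_timeout=5.0)


def scenario_inconsistent_retransmit():
    """A consistent retransmission passes; one carrying different data is dropped."""
    return run(1000, [A, Segment(1000, b"AAAA", 0.3), Segment(1000, b"XXXX", 0.4)], queue_limit=10)


if __name__ == "__main__":
    for name, fn in [("no_queue", scenario_no_queue), ("reorder", scenario_reorder),
                     ("late_retransmit", scenario_late_retransmit),
                     ("inconsistent", scenario_inconsistent_retransmit)]:
        verdicts, n = fn()
        print(f"{name:16} {verdicts} ooo={n.ooo_count} nobuf={n.nobuf_drops} "
              f"dropped={n.session_dropped} stream={bytes(n.stream)!r}")
```

The first scenario reproduces the symptom in the bug report: with no room to hold out-of-order segments, every reordered segment is counted as a no-buffer drop and the sender must retransmit it, which is where the reported slowness comes from. The third scenario shows why a short, fixed hole-fill timeout is a problem on lossy paths: a retransmission that arrives after the timer has expired meets a session that has already been torn down.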