I am doing an audit for a telecommunication company, and during the audit of the external network segment we faced this issue:
The company is using a Cisco PIX 525 firewall, version 6.3(4), with six interface cards. During our audit we observed that the configuration of "TCP, UDP and embryonic connection" is set to "Unlimited". In addition, "Reverse Path Forward Verification" is disabled.
We understand that it is not recommended to set "TCP, UDP and embryonic connection" to "Unlimited", as these settings could expose the firewall to a variety of "packet flooding" attacks, making it more liable to crash and rendering it less effective in protecting the network. We have recommended that to our customer.
So I would like to know the following:
1. Is there any standard "limit" that should be applied for configuring the "TCP, UDP and embryonic connection"?
2. What factors are to be considered in identifying the appropriate limit in the configuration of "TCP, UDP and embryonic connection"?
3. Is there any implication (positive or negative) that should be considered
a. in setting the "TCP, UDP and embryonic connection" configuration?
In regards to the TCP, UDP and embryonic connections, I would say it depends on your environment; one setting can't be applied to all scenarios. You really need to customize these values.
In regards to the reverse forwarding check, please see below, and pay special attention to the recommendation part.
"Error Message: %PIX-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
Explanation: Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.
Recommended Action: This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the firewall checks packets arriving from the outside.
The firewall looks up a route based on the source_address. If an entry is not found and a route is not defined, then this syslog message appears and the connection is dropped.
If there is a route, the firewall checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The firewall does not support asymmetric routing.
If configured on an internal interface, the firewall checks static route command statements or RIP, and if the source_address is not found, then an internal user is spoofing their address.
An attack is in progress. With this feature enabled, no user action is required. The firewall repels the attack."
NOTE: Before using this command, add static route command statements for every network that can be accessed on the interfaces you want to protect. Enable this command only if routing is fully specified. Otherwise, the Cisco PIX Firewall stops traffic on the
Hi, you need to have an idea of how many concurrent TCP and UDP connections are expected to be INITIATED from a higher-security interface (i.e. inside) to a lower-security one (i.e. outside) at any given time.
In regards to the embryonic limit, this is normally used to protect devices that are being accessed from the Internet (check the static command). It depends on whether the host is fast enough to respond to simultaneous connection requests. If it is, then a higher limit is advisable; if it is not, then a lower limit is advisable. The TCP intercept feature of the firewall will be used for the 3-way handshake on behalf of the host once the embryonic limit is reached. Once again, you need to have an idea of what is an acceptable limit in your environment.
max_conns: Specifies the maximum number of simultaneous TCP and UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn
Note: This option does not apply to outside NAT. The firewall only tracks connections from a higher security interface to a lower security interface. If you set max_conns as well as the outside option, the max_conns option
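To show where the two settings discussed in this thread actually live, here is an added PIX 6.3-style configuration fragment (written for this page, not taken from the thread or from Cisco documentation). Interface names, addresses (RFC 5737 and RFC 1918 ranges) and the limit values are assumed for illustration only; as the replies above say, the right limits come from a baseline of your own traffic, not from a standard number.

```text
! Added illustration, not a recommended template. Addresses and limits are placeholders.

! Routing must be complete BEFORE reverse-path checks are enabled, otherwise the
! PIX drops legitimate traffic from any network it has no route for.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside  10.1.0.0 255.255.0.0 10.1.1.1 1
route dmz     10.2.0.0 255.255.0.0 10.2.1.1 1

! Unicast RPF on each interface to protect. Do not enable this where the
! firewall sits in an asymmetric routing path (unsupported, per the syslog text above).
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz

! Outbound PAT for inside hosts. Trailing values are max_conns then emb_limit
! (nat (if_name) nat_id local_ip netmask [max_conns [emb_limit]]).
nat (inside) 1 10.1.0.0 255.255.0.0 2000 500
global (outside) 1 interface

! Inbound static for a published web server: 1000 concurrent connections,
! 200 embryonic (half-open). Beyond 200, TCP intercept completes the
! three-way handshake on the server's behalf instead of passing raw SYNs through.
static (dmz,outside) 203.0.113.10 10.2.1.10 netmask 255.255.255.255 1000 200
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside

! Tuning checks: "show conn" for current usage against the limits, and watch
! syslog for %PIX-1-106021 after enabling RPF; a burst of 106021 from real
! networks means the route table, not the traffic, is incomplete.
```

Start with limits well above the observed peak from "show conn" and lower them over time; a limit hit by legitimate users shows up as failed connections, which is the negative implication the question asks about.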