I'd like to check on the "fragment chain" command and when is it recommended to be used?
I know that using "fragment chain 1" for example will make my PIX drop any fragmented packets that arrive at the PIX interface, and this is a feature that helps me against DoS attacks. But how can I make a judgment on the number of fragments that I should accept in my environment, and how can this affect my applications? Any advice please?
The fragmentation chain is set to 12 as a default. That would allow for a 16k token ring frame to be fragmented into 1500 byte pieces to be correctly processed by the PIX.
Token Ring <--> Router <--> Serial Interface (768 mtu)
In practice, the default is excessive. Although fragmentation is a normal part of IP, it is, however, "uncommon". Unless you routinely communicate with remote sites that use token ring, FDDI or ATM (or maybe X.25), a chain of 2-4 is safer.
If, after changing the chain value, you cannot communicate with sites you could previously reach, monitor your syslog for the message below and increase the chain value as necessary.
209005 Error Message %PIX-4-209005: Discard IP fragment set with more than number elements:
src = IP_address, dest = IP_address, proto = protocol, id = number
Explanation Too many elements are in a fragment set. The firewall disallows any IP packet that is fragmented into more than 12 fragments. Refer to the fragment command in the Cisco PIX Firewall Command Reference for more information.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact the remote peer's administrator or upstream provider.
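The tuning loop described in the reply above (lower the chain value, then watch for %PIX-4-209005 and raise it only for peers that turn out to be legitimate) is easy to get wrong by hand when the log is busy. The following is an added example, not code from either poster or from Cisco: it parses the 209005 message in the format quoted above, groups discards by source, and applies a simple triage heuristic that I am assuming for illustration (a source whose fragment sets are discarded toward many different internal hosts looks like a flood; a source discarded toward one or two hosts is the "raise the chain value" case). The log lines are constructed, not captured from a real PIX.

```python
import re
from collections import defaultdict

# Pattern for the PIX 6.x syslog message quoted in the thread.
# The "more than N elements" value is the chain limit in force at the time.
MSG_RE = re.compile(
    r"%PIX-4-209005: Discard IP fragment set with more than (?P<limit>\d+) elements:\s*"
    r"src = (?P<src>[\d.]+), dest = (?P<dest>[\d.]+), "
    r"proto = (?P<proto>\w+), id = (?P<id>\d+)"
)

# Constructed sample log (not from a real device). One remote peer is dropped
# twice toward a single internal host; another source is dropped toward five
# different hosts in one second. A non-209005 line is included to show that
# unrelated messages are ignored.
SAMPLE_LOG = """\
Jun 12 10:01:03 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 192.0.2.10, dest = 198.51.100.5, proto = UDP, id = 4021
Jun 12 10:01:03 pix %PIX-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/3456 (192.0.2.10/3456) to inside:198.51.100.5/80 (203.0.113.1/80)
Jun 12 10:01:09 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 192.0.2.10, dest = 198.51.100.5, proto = UDP, id = 4022
Jun 12 10:02:00 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 198.51.100.5, proto = ICMP, id = 1
Jun 12 10:02:00 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 198.51.100.6, proto = ICMP, id = 2
Jun 12 10:02:00 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 198.51.100.7, proto = ICMP, id = 3
Jun 12 10:02:01 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 198.51.100.8, proto = ICMP, id = 4
Jun 12 10:02:01 pix %PIX-4-209005: Discard IP fragment set with more than 4 elements: src = 203.0.113.7, dest = 198.51.100.9, proto = ICMP, id = 5
"""


def parse_209005(lines):
    """Return one dict per 209005 message; every other syslog line is skipped."""
    events = []
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["limit"] = int(ev["limit"])
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events


def summarize(events, fanout_threshold=3):
    """Group discards by source address and attach a triage verdict.

    Heuristic (an assumption for this example, not from the PIX docs):
    discards toward >= fanout_threshold distinct destinations from one
    source are treated as a probable fragment flood, which is the case the
    chain limit exists for; anything narrower is flagged for the
    "raise the chain value for this peer" review step from the thread.
    """
    per_src = defaultdict(lambda: {"count": 0, "dests": set(), "protos": set(), "limit": None})
    for ev in events:
        s = per_src[ev["src"]]
        s["count"] += 1
        s["dests"].add(ev["dest"])
        s["protos"].add(ev["proto"])
        s["limit"] = ev["limit"]

    report = {}
    for src, s in per_src.items():
        if len(s["dests"]) >= fanout_threshold:
            verdict = "possible fragment flood"
        else:
            verdict = "review chain limit for this peer"
        report[src] = {
            "count": s["count"],
            "dests": sorted(s["dests"]),
            "protos": sorted(s["protos"]),
            "limit": s["limit"],
            "verdict": verdict,
        }
    return report


def report(log_text=SAMPLE_LOG):
    """Parse a syslog text blob and return the per-source summary."""
    return summarize(parse_209005(log_text.splitlines()))


if __name__ == "__main__":
    for src, s in report().items():
        print(f"{src}: {s['count']} discards at chain limit {s['limit']}, "
              f"dests={s['dests']} -> {s['verdict']}")
```

Feed it the syslog export from the collector the PIX logs to (e.g. `report(open('pix.log').read())`); the "review" verdicts give the list of peers to check against the advice above before deciding whether the chain value actually needs to go up.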
It seems you're talking here about the sysopt security fragguard command, while I meant the fragment chain 1 command, which allows 24 fragments by default and not 12. Please refer to http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1029667 for details about the fragment chain 1 command. Confusingly, I also read in the Cisco PIX Exam Cram guide that the guard allows 100 fragments per internal destination host per second.
To be honest, I'm a bit confused between the 2 commands and how, when applying them at the same time, the PIX will react (i.e. will it allow 12 fragments, 24 or 100). Is the fragment chain command a complementary one where I can control the number of chains to permit through my PIX FW?