
Services Module

FW Services Module
Attack Prevention DNS Guard
[Figure: FWSM in front of a DNS server pool; a DNS request goes out and several DNS replies come back]

Identifies an outbound DNS resolve request and allows only a single DNS response. A host may query several servers for a response (in case the first server is slow to respond), but only the first answer to that specific question is allowed through. All additional answers from other servers are dropped. No configuration is necessary.
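A model of the DNS Guard behaviour just described, added here as an example (it is not FWSM code): the firewall records each outbound query and lets exactly one matching reply back in. The packet fields, addresses and transaction ID are constructed for the scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    src: str         # source IP
    dst: str         # destination IP
    sport: int       # UDP source port
    dport: int       # UDP destination port
    txid: int        # DNS transaction ID
    qname: str       # question name
    is_reply: bool


class DnsGuard:
    """Outstanding outbound queries keyed by (client, client port, txid, qname)."""

    def __init__(self):
        self.pending = {}    # key -> set of servers the client asked

    @staticmethod
    def _key(p):
        # For a reply the client is the destination; for a query it is the source.
        client, cport = (p.dst, p.dport) if p.is_reply else (p.src, p.sport)
        return (client, cport, p.txid, p.qname.lower())

    def process(self, p):
        """Return 'PASS' or 'DROP' for one packet."""
        key = self._key(p)
        if not p.is_reply:
            # Outbound query: remember it. The same client may ask several servers.
            self.pending.setdefault(key, set()).add(p.dst)
            return "PASS"
        servers = self.pending.get(key)
        if servers is None or p.src not in servers:
            return "DROP"    # unsolicited, or the question was already answered
        # The first matching answer wins: close the hole for every server asked.
        del self.pending[key]
        return "PASS"


def run_scenario():
    """Constructed traffic: one client asks two servers, both answer, then a stray reply arrives."""
    g = DnsGuard()
    q = "www.example.com"
    pkts = [
        DnsPacket("10.1.1.5", "198.51.100.1", 40001, 53, 0x1A2B, q, False),  # query to server 1
        DnsPacket("10.1.1.5", "198.51.100.2", 40001, 53, 0x1A2B, q, False),  # retry to server 2
        DnsPacket("198.51.100.2", "10.1.1.5", 53, 40001, 0x1A2B, q, True),   # first answer
        DnsPacket("198.51.100.1", "10.1.1.5", 53, 40001, 0x1A2B, q, True),   # late answer
        DnsPacket("203.0.113.9", "10.1.1.5", 53, 40001, 0x1A2B, q, True),    # never asked
    ]
    return [g.process(p) for p in pkts]
```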

FW Services Module
Attack Prevention Flood Defender
[Figure: TCP SYN flood against the server pool; a reduced SYN request rate reaches the servers behind the FWSM]

Protects inside systems from TCP SYN flood attacks. Enable it by setting the maximum connections option on the nat and static commands. This allows servers within the inside network to be protected from one style of denial of service attack.

FW Services Module
Flood Defender Configuration
[Figure: TCP SYN flood; reduced SYN request rate behind the FWSM]

Flood Defender enabled by default

FW Services Module
Attack Prevention TCP Intercept
[Figure: server pool with the embryonic connection limit reached]

When the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted.

FW Services Module
TCP Intercept Configuration
[Figure: server pool with the embryonic connection limit reached]

nat [(if_name)] nat_id local_ip [netmask [max_conns [em_limit]]] [norandomseq]

TCP Intercept kicks in when the embryonic session limit is reached.
An embryonic connection is one that someone attempted but that has not completed and has not yet seen data.
Every connection is embryonic until it sets up.
The embryonic limit is specified as part of the NAT configuration.
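The embryonic accounting behind Flood Defender and TCP Intercept, written out as an added example rather than FWSM code: max_conns and em_limit are the two options from the nat syntax above, and the server and client addresses are constructed.

```python
class InterceptModel:
    """Embryonic (half-open) connection accounting for one protected server."""

    def __init__(self, max_conns=0, em_limit=0):
        self.max_conns = max_conns    # 0 = unlimited, as in the nat/static syntax
        self.em_limit = em_limit      # 0 = no embryonic limit
        self.embryonic = {}           # server -> set of half-open clients
        self.established = {}         # server -> set of completed clients

    def syn(self, server, client):
        """A SYN from client bound for server: PASS, INTERCEPT or DROP."""
        emb = self.embryonic.setdefault(server, set())
        est = self.established.setdefault(server, set())
        if self.max_conns and len(emb) + len(est) >= self.max_conns:
            return "DROP"             # maximum connections already reached
        if self.em_limit and len(emb) >= self.em_limit:
            # Limit reached: the FWSM answers the SYN itself and only opens a
            # connection to the real server once the client completes the handshake.
            return "INTERCEPT"
        emb.add(client)
        return "PASS"

    def handshake_done(self, server, client):
        """Final ACK seen: the connection stops counting as embryonic."""
        self.embryonic.setdefault(server, set()).discard(client)
        self.established.setdefault(server, set()).add(client)

    def closed(self, server, client):
        """Connection torn down: free its slot."""
        self.embryonic.setdefault(server, set()).discard(client)
        self.established.setdefault(server, set()).discard(client)


def flood_scenario():
    """Constructed: em_limit 3. Three half-open SYNs fill the limit and the fourth is
    intercepted; once one client finishes its handshake, the next SYN passes again."""
    m = InterceptModel(max_conns=0, em_limit=3)
    srv = "10.1.1.20:80"
    clients = [("203.0.113.%d" % i, 1000 + i) for i in range(1, 6)]
    verdicts = [m.syn(srv, c) for c in clients[:4]]
    m.handshake_done(srv, clients[0])
    verdicts.append(m.syn(srv, clients[4]))
    return verdicts
```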

FW Services Module
Attack Prevention Unicast RPF

[Figure: an attacker spoofs a user session in an attempt to kill it; the firewall denies the attempted access]

Also known as "reverse route lookups", Unicast RPF prevents IP source address spoofing. It provides ingress and egress filtering: it checks inbound packets for IP source address integrity, and verifies that packets destined for hosts outside the managed domain have IP source addresses that can be verified against routes in the enforcing entity's local routing table.

FW Services Module
Attack Prevention Unicast RPF


FWSM(config)# ip verify reverse-path interface interface_name
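A reverse-path check modelled on the Unicast RPF behaviour described above, added as an example (not FWSM code): a packet passes only if the best route back to its source address leaves through the interface it arrived on. The routing table and packets are constructed.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface)
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("10.1.0.0/16", "inside"),
    ("10.1.5.0/24", "dmz"),
    ("192.168.0.0/16", "inside"),
]


def best_route(ip, routes=ROUTES):
    """Longest-prefix match; returns the interface the route points to, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_permits(src_ip, ingress_iface, routes=ROUTES):
    """Reverse-path check: the route back to the source must use the ingress interface."""
    return best_route(src_ip, routes) == ingress_iface


def check_packets():
    """Constructed packets as (source address, ingress interface) with the verdict appended."""
    packets = [
        ("10.1.2.7", "inside"),       # legitimate inside host
        ("10.1.5.9", "inside"),       # dmz address arriving on inside: spoofed
        ("10.1.2.7", "outside"),      # inside address arriving from outside: spoofed
        ("198.51.100.4", "outside"),  # ordinary external source via the default route
    ]
    return [(src, ifc, urpf_permits(src, ifc)) for src, ifc in packets]
```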

FW Services Module
Attack Prevention FRAG Guard
[Figure: 1. Receive fragmented packets (Frag1, Frag2, Frag3, Frag4) 2. Reassemble packet 3. Check packet for threat 4. Send fragmented packets if no threat]

IP fragment protection that performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the FWSM.

FW Services Module
Attack Prevention Mail Guard
[Figure: SMTP attacker on the outside; SMTP servers behind the FWSM]

Allows mail servers to be deployed within the internal network without them being exposed to known security problems with some SMTP server implementations.

FW Services Module
Mail Guard Configuration
[Figure: SMTP attacker]

Mail Guard is enabled in the FWSM using the inspect command:

FWSM(config)# policy-map global_policy
FWSM(config-pmap)# class inspection_default
FWSM(config-pmap-c)# inspect smtp

FW Services Module
Address Translation NAT

Data

Data

Outside World

Source=A

Dest=X

Data

Source=B

Dest=X

Data

Provides a way to translate an inside secure address to a public domain address, hiding the source address from outside users and allowing the inside network to utilise private addresses.

FW Services Module
Address Translation PAT
Note: the translated source address is the same for both flows; the port number uniquely identifies each flow.

[Figure: Source=A Dest=X Port=80 is translated to Source=C Dest=X Port=2001; Source=B Dest=X Port=80 is translated to Source=C Dest=X Port=2002]

Port re-mapping allows a single valid IP address to be translated to 64,000 active XLATE objects. PAT minimizes the number of globally valid IP addresses required to support private or invalid internal addressing schemes.
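A model of the PAT translation (xlate) table described above, added as an example (it is not FWSM code): one global address, a fresh port per inside flow, the 64,000 active-xlate ceiling from the slide, and the reverse lookup used for replies. Addresses and ports are constructed; the global address 195.1.1.1 mirrors the PAT configuration later on this page.

```python
MAX_XLATES = 64000    # active-xlate ceiling quoted on the slide


class PatTable:
    """Maps (inside IP, inside port) to a port on one global address and back."""

    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self.next_port = first_port   # ports are handed out sequentially in this model
        self.by_inside = {}           # (inside_ip, inside_port) -> global port
        self.by_global = {}           # global port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Translate an outbound flow; returns (global_ip, global_port) or None when full."""
        key = (src_ip, src_port)
        if key not in self.by_inside:
            if len(self.by_inside) >= MAX_XLATES or self.next_port > 65535:
                return None           # no free xlate: the packet cannot be translated
            gport = self.next_port
            self.next_port += 1
            self.by_inside[key] = gport
            self.by_global[gport] = key
        return (self.global_ip, self.by_inside[key])

    def inbound(self, global_port):
        """Map a reply to the inside host, or None if no xlate exists for that port."""
        return self.by_global.get(global_port)

    def expire(self, src_ip, src_port):
        """Remove a finished flow's xlate."""
        gport = self.by_inside.pop((src_ip, src_port), None)
        if gport is not None:
            del self.by_global[gport]


def scenario():
    """Constructed: hosts A and B use the same source port; PAT keeps their flows apart."""
    pat = PatTable("195.1.1.1", first_port=2001)   # start at 2001 to mirror the slide
    a = pat.outbound("10.1.1.10", 1234)            # host A -> 195.1.1.1:2001
    b = pat.outbound("10.1.1.11", 1234)            # host B -> 195.1.1.1:2002
    a_again = pat.outbound("10.1.1.10", 1234)      # same flow reuses its xlate
    reply_b = pat.inbound(2002)                    # 195.1.1.1:2002 -> host B
    stray = pat.inbound(2003)                      # no xlate: nothing to deliver to
    return a, b, a_again, reply_b, stray
```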

FW Services Module
NAT/PAT Configuration
[Figure: packets Source=A Dest=X and Source=B Dest=X]

Defines that addresses from 10.1.1.0/24 will be translated:

FWSM(config)# nat (inside) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 195.1.1.1-195.1.1.254 255.255.255.0

Defines host 10.1.1.15 to bypass NAT:

FWSM(config)# access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3
FWSM(config)# nat (inside) 0 access-list no-nat

Defines a PAT translation (a single global address):

FWSM(config)# nat (inside) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 195.1.1.1-195.1.1.1 255.255.255.0

FW Services Module
Protocol Support NETBIOS over IP
Problem: NETBIOS incorporates the IP address in its datagram, so when NAT is applied to a NETBIOS packet that has to be routed, NAT translates the IP header but not the IP address inside the datagram. BZZZZ!!! This causes a problem for the destination host.

[Figure: IP header (NAT changes this address) followed by the NETBIOS datagram carrying its own IP address (NAT does NOT change this one)]

No Configuration Necessary

NETBIOS over IP support in the FWSM recognises NETBIOS packets and translates both the IP header and the IP address inside the datagram.

FW Services Module
Syslog
Provides a means to view network events and assists with troubleshooting.

Syslog Message Types

Level  Type           Description
0      Emergencies    System unusable messages
1      Alerts         Take immediate action
2      Critical       Critical condition
3      Errors         Error messages
4      Warnings       Warning message
5      Notifications  Normal but significant condition
6      Informational  Informational message
7      Debugging      Debug and log messages

FWSM(config)# logging buffered level

FW Services Module
Syslog sending messages to a server
SYSLOG messages can be sent to a syslog server, for example:

%FWSM-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25 : www.example.com

Identify the syslog host:

FWSM(config)# logging host dmz_1 192.168.1.1

Set the logging level:

FWSM(config)# logging trap debugging

Turn logging on:

FWSM(config)# logging on
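A parser for the %FWSM-severity-messageid line format shown above, with the "logging trap level" threshold applied, added as an example (not FWSM code). The first sample line is the one on the slide; the other sample lines and their six-digit message ids are constructed for this example and are not real FWSM message numbers.

```python
import re

# Severity 0..7 as listed in the Syslog Message Types table
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]

# %FWSM-<severity>-<message id>: <text>
PATTERN = re.compile(r"^%FWSM-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


def parse(line):
    """Split one FWSM syslog line into its fields, or return None if it is not one."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "level": LEVELS[sev],
            "msgid": m.group("msgid"), "text": m.group("text")}


def trap_threshold(level):
    """The 'logging trap' argument: a level name or a number 0..7."""
    return LEVELS.index(level) if isinstance(level, str) else int(level)


def forwarded(lines, trap_level):
    """Message ids a syslog server receives: everything at the trap level or more severe
    (a lower severity number is more severe)."""
    threshold = trap_threshold(trap_level)
    return [r["msgid"] for r in map(parse, lines) if r and r["severity"] <= threshold]


# Constructed sample log. Only the first line comes from the slide; the message ids
# 900001-900003 are placeholders, not real FWSM message numbers.
SAMPLE = [
    "%FWSM-5-304001: user 192.168.69.71 Accessed URL 10.133.219.25 : www.example.com",
    "%FWSM-6-900001: constructed informational message",
    "%FWSM-3-900002: constructed error message",
    "%FWSM-7-900003: constructed debug message",
    "not a syslog line at all",
]
```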
