Sending traffic to the ips module, Applying qos policies, Applying connection limits and tcp normalization – Cisco ASA 5505 User Manual

1-26

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

Firewall Functional Overview

Sending Traffic to the IPS Module

If your model supports the IPS module for intrusion prevention, then you can send traffic to the module
for inspection. The IPS module monitors and performs real-time analysis of network traffic by looking
for anomalies and misuse based on an extensive, embedded signature library. When the system detects
unauthorized activity, it can terminate the specific connection, permanently block the attacking host, log
the incident, and send an alert to the device manager. Other legitimate connections continue to operate
independently without interruption. For more information, see the documentation for your IPS module.

Sending Traffic to the Content Security and Control Module

If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you
configure the ASA to send to it.

Applying QoS Policies

Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a
network to provide better service to selected network traffic.

Applying Connection Limits and TCP Normalization

You can limit TCP and UDP connections and embryonic connections. Limiting the number of
connections and embryonic connections protects you from a DoS attack. The ASA uses the embryonic
limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding
an interface with TCP SYN packets. An embryonic connection is a connection request that has not
finished the necessary handshake between source and destination.

TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets
that do not appear normal.

Enabling Threat Detection

You can configure scanning threat detection and basic threat detection, and also how to use statistics to
analyze threats.

Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and
automatically sends a system log message.

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive
database that contains host statistics that can be analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.

You can configure the ASA to send system log messages about an attacker or you can automatically shun
the host.