318 Chapter 15: Attack Guards and Multimedia Support
command is disabled by default. To enable the IP fragmentation guard on the PIX, enter the following:
sysopt security fragguard
The fragguard feature enforces the checks recommended by RFC 1858, with two additional security checks protecting against many IP fragment-style attacks, such as teardrop:
•The checks ensure that each noninitial IP fragment has an associated valid initial IP fragment.
•IP fragments of more than 12 elements cannot pass through the PIX. IP fragments are rated 100 full fragmented packets per second to each internal host. This means that the PIX can process 1200 packet fragments a second.
Virtual reassembly is enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies. Here is an example of such a message:
%PIX-2-106020: Deny IP teardrop fragment (size=num, offset=num)from IP_addr to
IP_addr
Domain Name System (DNS) Guard
To understand the DNS attack protection provided by the Cisco PIX Firewall, it helps to understand how DNS can be exploited to cause a DoS attack. DNS queries are sent from the attacker to each of the DNS servers. These queries contain the target’s spoofed address. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity.
The port assignment for DNS cannot be configured on the Cisco PIX Firewall. DNS requires application inspection so that DNS queries will not be subject to generic UDP handling based on activity timeouts. The PIX allows only a single DNS response for outgoing DNS requests. The UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query is received, dropping all other responses and averting a DoS attack. This functionality is called DNS Guard. DNS Guard is enabled by default.
DNS inspection performs two tasks:
•It monitors the message exchange to ensure that the DNS reply’s ID matches the DNS query’s ID.
•It translates the DNS A-record on behalf of the alias command.
Only forward lookups are translated via NAT, so pointer (PTR) records are not touched. Alarms can also be set off in the Intrusion Detection System (IDS) module for DNS zone transfers.
NOTE |
A pointer record is also called a reverse record. A PTR record associates an IP address with |
|
a canonical name. |
|
|
Attack Guards 319
Cisco PIX Firewall version 6.2 introduces full support for NAT and PAT of DNS messages originating from either inside (more-secure) or outside (less-secure) interfaces. This means that if a client on an inside network requests DNS resolution of an inside address from a DNS server on an outside interface, the DNS A-record is translated correctly. This also means that the use of the alias command is now unnecessary.
Mail Guard
An SMTP server responds to client requests with numeric reply codes and optional humanreadable strings. SMTP application inspection controls and reduces the commands that the user can use, as well as the messages the server returns. SMTP inspection performs three primary tasks:
•SMTP requests are restricted to seven commands—HELO, MAIL, RCPT, DATA,
RSET, NOOP, and QUIT.
•It monitors the SMTP command-response sequence.
•It generates an audit trail—audit record 108002—when an invalid character embedded in the mail address is replaced. For more information, see RFC 821.
By default, the Cisco PIX Firewall inspects port 25 connections for SMTP traffic. SMTP inspection monitors the command-response sequence for the following anomalous signatures:
•Truncated commands.
•Incorrect command termination (those not terminated with <CR><LR>).
•The MAIL and RCPT commands specify the mail’s sender and recipient. Mail addresses are scanned for strange characters. The pipe character (|) is deleted (changed to a blank space), and < and > are allowed only if they are used to define a mail address (> must be preceded by <).
•An unexpected transition by the SMTP server.
•For unknown commands, the PIX changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packet, the TCP checksum has to be recalculated or adjusted.
The fixup command is used to change the default port assignment for SMTP. The command syntax is as follows:
fixup protocol smtp [port[-port]]
The fixup protocol smtp command enables the Mail Guard feature. This restricts mail servers to receiving only the seven commands defined in RFC 821, section 4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT). All other commands are rejected.
The strict implementation of RFC 821, section 4.5.1 sometimes causes problems for mail servers that do not adhere to the standard. For example, Microsoft Exchange Server does not strictly comply with RFC 821 section 4.5.1, using extended SMTP commands such as HELO. The Cisco PIX Firewall converts any such commands into NOOP commands,
320 Chapter 15: Attack Guards and Multimedia Support
which, as specified by the RFC, forces SMTP servers to fall back to using minimal SMTP commands only. This might cause Microsoft Outlook clients and Exchange servers to function unpredictably when their connection passes through the PIX.
Mail Guard, however, is not the magic bullet for all mail server-related attacks. It protects your mail server only from known attacks.
Flood Defender
The Flood Defender feature of the PIX protects inside systems from a DoS attack that floods an interface with half-open TCP (embryonic) connections, otherwise known as SYN flooding. Creating a threshold for the number of embryonic connections or limiting the number of connections to the host mitigates such attacks. When the configured embryonic limit is reached, the PIX intercepts the SYN bound for the host and responds with a SYN/ ACK on the host’s behalf.
You enable this feature by setting the emb_limit (maximum embryonic connections) option or max_conn (maximum connection) option on the nat and static commands. For example:
static (inside,outside) 192.168.10.10 10.10.10.10 netmask 255.255.255.255 max_conn 300 emb_limit 500000
This example sets the maximum connection to host 10.10.10.10 to 300 and sets the embryonic connection limit to 500,000.
If you set max_conn too low, you deny legitimate user access, creating a denial of service for yourself. There is no magic number for the max_conn and emb_limit arguments, because every network has a unique environment. The best number is a number that does not negatively affect the network. You can observe the number of connections and embryonic connections to your host, preand post- max_conn and emb_limit implementation, using the show local-host host_ip command.
The static command with the maximum connection or embryonic connection mitigates inbound DoS. The nat command with the same arguments can prevent the users in your network from committing TCP SYN attacks on someone else.
AAA Floodguard
The Cisco PIX Firewall has a Floodguard feature that helps it monitor and recover resources tied up in the user authentication (auth) subsystem. As with DNS, the service of authentication is maliciously exploited to create a DoS attack. Authentication attacks are done on the premise that each authentication request has to be processed. Sending an enormous number of authentication requests bogs down the target’s finite resources, forcing a shutdown in the worst case.