Attack Guards

DNS Control

To defend against the growing threat of DNS attacks, Cisco introduced an always-on feature called DNS Guard. Because DNS Guard can neither be turned off nor configured, DNS has no fixup protocol command.

Generic UDP handling of DNS queries leaves connections open longer than is prudent. Instead, the PIX Firewall identifies each outbound DNS resolve request, and then tears down the connection as soon as a single reply is received. While a host might query several servers for a response in case the first server is down or congested, only the first answer to that request is allowed. Additional responses are dropped. This prevents a hacker from following a legitimate DNS reply with a modified version directing traffic to another site.

PIX Firewall version 6.2 supports NAT and PAT of DNS messages originating from both inside (more secure) and outside (less secure) interfaces. The embedded addresses in both the query and reply message are now translated, and names resolution works as expected.

Flood Defender

The Flood Defender feature is used to reclaim PIX Firewall resources if the user authentication subsystem runs out of resources. If an inbound or an outbound authentication connection is being attacked or overused, the PIX Firewall actively reclaims TCP user resources. The feature is enabled by default. The Flood Defender feature is enabled/disabled with the floodguard command using the following syntax:

Pix(config)# floodguard enable
Pix(config)# floodguard disable
Pix(config)# no floodguard Pix(config)# clear floodguard

The show floodguard, show running-config, and write terminal commands will all display the flood-defender status.

As resource depletion gets more serious, the PIX Firewall starts reclaiming TCP user resources in the following order, depending on urgency of the shortage:

1. Timewait

2. FinWait

3. Embryonic

4. Idle

FragGuard and Virtual Reassembly

FragGuard and Virtual Reassembly are default features that provide IP fragment protection for traffic passing through the PIX Firewall. FragGuard fully reassembles all ICMP error messages and performs virtual reassembly of all other IP fragments.

Syslog messages are generated by any fragment overlapping and small fragment offset anomalies, common to variations of the teardrop attack. Teardrop attacks work by sending deliberately constructed IP fragments, which are reassembled into an invalid UDP datagram. Overlapping offsets work by causing additional fragments to overwrite data in the middle of the UDP header. This is contained in the first fragment in such a way that the datagrams are left incomplete.

The configuration mode fragment command provides additional management of packet fragmentation and improves compatibility with NFS. The syntax is as follows:

Pix(config)# fragment {size|chain|timeout} limit [int_name]
Pix(config)# clear fragment Pix(config)# show fragment [int_name]

The clear fragment command clears the fragment databases and resets all defaults. Any fragments waiting for reassembly are discarded.

The show fragment [int_name] command displays the settings and statistics of the fragment database for the specified interface. If int_name isn’t specified, the command applies to all interfaces. The following output shows a sample with the default settings:

Pix(config)# show fragment
Interface: outside
 ?? Size: 200, Chain: 24, Timeout: 5
 ? ?Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: inside
 ?? Size: 200, Chain: 24, Timeout: 5
 ? ?Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: dmz
 ???Size: 200, Chain: 24, Timeout: 5
 ???Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Pix(config)#

The PIX Firewall, by default, accepts up to 24 fragments to reassemble a full IP packet. To increase network security, consistent with the security policy, configure the firewall not to accept fragmented packets with the Fragment Size 1 command option. Using a limit of one means only whole packets will be accepted.

The following output shows increasing the fragment size and timeout on all interfaces, plus eliminating fragments on the less-secure interfaces.

Pix(config)# fragment size 500
Pix(config)# fragment chain 1 outside
Pix(config)# fragment chain 1 dmz
Pix(config)# fragment timeout 10
Pix(config)# show fragment
Interface: outside
 ? ?Size: 500, Chain: 1, Timeout: 10
 ?? Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: inside
 ?? Size: 500, Chain: 24, Timeout: 10
 ?? Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: dmz
 ?? Size: 500, Chain: 1, Timeout: 10
 ???Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Pix(config)#

TCP Intercept

The TCP Intercept feature protects inside systems (servers) from a common type of denial of service (DoS) attack, which is perpetrated by flooding an interface with TCP SYN packets that create half-open TCP (embryonic) connections. The feature is enabled by setting the maximum Embryonic (em_limit) Connections option on the nat and static commands. Both features were covered in Chapter 19. The syntax is the following:

Pix(config)# static [(hi_interface, lo_interface)] global_ip local_ip [netmask mask] [norandomseq] [max_conn [em_limit]] Pix(config)# nat (if_name) nat_id ip_address [netmask] [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit] [em_limit]

Once the embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, the firewall intercepts additional SYN packets. The PIX Firewall works as a proxy and responds on behalf of the server, with a SYN/ACK reply turning the session over to the server if it’s successfully established.

Unicast Reverse Path Forwarding

Spoofing IP source addresses in the IP protocol is a common tool for evil doers to attempt to conceal their identities. Unicast Reverse Path Forwarding (Unicast RPF), or reverse route lookup, provides inbound and outbound filtering to help prevent IP address spoofing. The feature verifies that source addresses of inbound packets are verifiable by routes in the local PIX routing table. Realistically, the ip verify reverse-path interface command is most useful in reducing the chances of internal hosts becoming parties to an attack and outsiders spoofing a trusted inside address. The syntax is

Pix(config)# ip verify reverse-path interface int_name
Pix(config)# no ip verify reverse-path interface int_name

Because Unicast RPF is limited to verifying addresses against those in the local route table, the following two conditions are critical:

• A default route statement (0.0.0.0 0.0.0.0) must be configured for the outside interface.

• Static route commands must exist for every network on the protected interfaces.

The following example defines IP addresses for three interfaces, creates a default route to the outside, defines the four networks expected on the other side of an inside router, and assumes all DMZ hosts will be connected locally to the 192.168.128.0 network.

Pix(config)# ip address outside 1.1.1.1 255.255.255.0
Pix(config)# ip address inside 192.168.1.1 255.255.255.0
Pix(config)# ip address dmz 192.168.128.1 255.255.255.0
Pix(config)# route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
Pix(config)# route inside 192.168.4.0 255.255.255.0 192.168.1.2 1
Pix(config)# route inside 192.168.5.0 255.255.255.0 192.168.1.2 1
Pix(config)# route inside 192.168.6.0 255.255.255.0 192.168.1.2 1
Pix(config)# route inside 192.168.7.0 255.255.255.0 192.168.1.2 1
Pix(config)# ip verify reverse-path interface outside
Pix(config)# ip verify reverse-path interface inside
Pix(config)# ip verify reverse-path interface dmz

The ip verify reverse-path interface outside command ensures no packets arrive from the outside with sources addresses defined for the inside or DMZ networks. The ip verify reverse-path interface inside command prevents any packets coming from the inside with source addresses that aren’t defined to that interface. The final command limits packets coming in from the DMZ to source addresses in the 192.168.128.0 network.

The following output shows using the show ip verify command to confirm configuration and the show ip verify statistics command to show activity.

Pix(config)# show ip verify
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
Pix(config)# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 0 unicast rpf drops
interface dmz: 0 unicast rpf drops
Pix(config)#

ActiveX Blocking, Java Filtering, and URL Filtering

These three features were covered in Chapter 19 as content filtering using the filter command. All three are made possible because of the fixup protocol http [port] command. They are included here as attack guards.