Attack Guards

Attack Guards

The PIX Firewall offers a family of features to defend the device and protected networks from attack. The PIX application-inspection capabilities and IDS features work together to provide services similar to those covered in Chapters 6 (IDS) and 7 (CBAC). Attack guards refer to the PIX Firewall application-layer inspection capabilities that have been programmed to prevent specific kinds of common attacks. This section looks at the following attack guards.

  • DNS Control

  • Flood Defender

  • FragGuard and Virtual Reassembly

  • TCP Intercept

  • Unicast Reverse Path Forwarding

  • ActiveX Blocking, Java Filtering, and URL Filtering

DNS Control

To defend against the growing threat of DNS attacks, Cisco introduced an always-on feature called DNS Guard. Because DNS Guard can neither be turned off nor configured, DNS has no fixup protocol command.

Generic UDP handling of DNS queries leaves connections open longer than is prudent. Instead, the PIX Firewall identifies each outbound DNS resolve request, and then tears down the connection as soon as a single reply is received. While a host might query several servers for a response in case the first server is down or congested, only the first answer to that request is allowed. Additional responses are dropped. This prevents a hacker from following a legitimate DNS reply with a modified version directing traffic to another site.

PIX Firewall version 6.2 supports NAT and PAT of DNS messages originating from both inside (more secure) and outside (less secure) interfaces. The embedded addresses in both the query and reply message are now translated, and names resolution works as expected.

Flood Defender

The Flood Defender feature is used to reclaim PIX Firewall resources if the user authentication subsystem runs out of resources. If an inbound or an outbound authentication connection is being attacked or overused, the PIX Firewall actively reclaims TCP user resources. The feature is enabled by default. The Flood Defender feature is enabled/disabled with the floodguard command using the following syntax:

Pix(config)# floodguard enable
Pix(config)# floodguard disable
Pix(config)# no floodguard Pix(config)# clear floodguard

The show floodguard, show running-config, and write terminal commands will all display the flood-defender status.

As resource depletion gets more serious, the PIX Firewall starts reclaiming TCP user resources in the following order, depending on urgency of the shortage:

  1. Timewait

  2. FinWait

  3. Embryonic

  4. Idle

FragGuard and Virtual Reassembly

FragGuard and Virtual Reassembly are default features that provide IP fragment protection for traffic passing through the PIX Firewall. FragGuard fully reassembles all ICMP error messages and performs virtual reassembly of all other IP fragments.

Syslog messages are generated by any fragment overlapping and small fragment offset anomalies, common to variations of the teardrop attack. Teardrop attacks work by sending deliberately constructed IP fragments, which are reassembled into an invalid UDP datagram. Overlapping offsets work by causing additional fragments to overwrite data in the middle of the UDP header. This is contained in the first fragment in such a way that the datagrams are left incomplete.

The configuration mode fragment command provides additional management of packet fragmentation and improves compatibility with NFS. The syntax is as follows:

Pix(config)# fragment {size|chain|timeout} limit [int_name]
Pix(config)# clear fragment Pix(config)# show fragment [int_name]

size database-limit

Maximum number of packets in the fragment database. Default is 200. Maximum is 1,000,000.

chain chain-limit

Maximum number of packets a full IP packet can be fragmented to. Default is 24. Maximum is 8,200.

timeout seconds

Maximum total seconds after the first fragment is received that fragments can wait to be reassembled, after which the fragments are discarded. Default is five seconds. Maximum is 30 seconds.

The clear fragment command clears the fragment databases and resets all defaults. Any fragments waiting for reassembly are discarded.

The show fragment [int_name] command displays the settings and statistics of the fragment database for the specified interface. If int_name isn’t specified, the command applies to all interfaces. The following output shows a sample with the default settings:

Pix(config)# show fragment
Interface: outside
 ?? Size: 200, Chain: 24, Timeout: 5
 ? ?Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: inside
 ?? Size: 200, Chain: 24, Timeout: 5
 ? ?Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: dmz
 ???Size: 200, Chain: 24, Timeout: 5
 ???Queue: 0, Assemble: 0, Fail: 0, Overflow: 0

The PIX Firewall, by default, accepts up to 24 fragments to reassemble a full IP packet. To increase network security, consistent with the security policy, configure the firewall not to accept fragmented packets with the Fragment Size 1 command option. Using a limit of one means only whole packets will be accepted.

The following output shows increasing the fragment size and timeout on all interfaces, plus eliminating fragments on the less-secure interfaces.

Pix(config)# fragment size 500
Pix(config)# fragment chain 1 outside
Pix(config)# fragment chain 1 dmz
Pix(config)# fragment timeout 10
Pix(config)# show fragment
Interface: outside
 ? ?Size: 500, Chain: 1, Timeout: 10
 ?? Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: inside
 ?? Size: 500, Chain: 24, Timeout: 10
 ?? Queue: 0, Assemble: 0, Fail: 0, Overflow: 0
Interface: dmz
 ?? Size: 500, Chain: 1, Timeout: 10
 ???Queue: 0, Assemble: 0, Fail: 0, Overflow: 0

The sysopt security fragguard Command

The sysopt commands are used to modify about a dozen PIX Firewall system options. Our interest at this point is specifically the sysopt security fragguard command. Although it’s disabled by default, once this feature is enabled, it enforces two addition security checks beyond those recommended by RFC 1858 (IP fragment–style attacks, such as teardrop, land, and so forth).

  • Each noninitial IP fragment must be associated with a known valid initial IP fragment.

  • IP fragments are limited to 100 per second to each internal host.

The feature operates on all PIX Firewall interfaces and can’t be selectively enabled or disabled by interface. No Security FragGuard options exist. The syntax is as follows:

Pix(config)# sysopt security fragguard
Pix(config)# no sysopt security fragguard

The clear sysopt command resets all sysopt commands to default settings.


While the sysopt security fragguard command deviates from the standard for handling IP fragments, it opts on the side of security by greatly reducing the possibility of IP fragmentation attacks.

TCP Intercept

The TCP Intercept feature protects inside systems (servers) from a common type of denial of service (DoS) attack, which is perpetrated by flooding an interface with TCP SYN packets that create half-open TCP (embryonic) connections. The feature is enabled by setting the maximum Embryonic (em_limit) Connections option on the nat and static commands. Both features were covered in Chapter 19. The syntax is the following:

Pix(config)# static [(hi_interface, lo_interface)] global_ip local_ip [netmask mask] [norandomseq] [max_conn [em_limit]] Pix(config)# nat (if_name) nat_id ip_address [netmask] [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit] [em_limit]


The embryonic or half-open TCP connection limit. Default is 0, which allows unlimited connections.

Once the embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, the firewall intercepts additional SYN packets. The PIX Firewall works as a proxy and responds on behalf of the server, with a SYN/ACK reply turning the session over to the server if it’s successfully established.

Unicast Reverse Path Forwarding

Spoofing IP source addresses in the IP protocol is a common tool for evil doers to attempt to conceal their identities. Unicast Reverse Path Forwarding (Unicast RPF), or reverse route lookup, provides inbound and outbound filtering to help prevent IP address spoofing. The feature verifies that source addresses of inbound packets are verifiable by routes in the local PIX routing table. Realistically, the ip verify reverse-path interface command is most useful in reducing the chances of internal hosts becoming parties to an attack and outsiders spoofing a trusted inside address. The syntax is

Pix(config)# ip verify reverse-path interface int_name
Pix(config)# no ip verify reverse-path interface int_name

Because Unicast RPF is limited to verifying addresses against those in the local route table, the following two conditions are critical:

  • A default route statement ( must be configured for the outside interface.

  • Static route commands must exist for every network on the protected interfaces.

The following example defines IP addresses for three interfaces, creates a default route to the outside, defines the four networks expected on the other side of an inside router, and assumes all DMZ hosts will be connected locally to the network.

Pix(config)# ip address outside
Pix(config)# ip address inside
Pix(config)# ip address dmz
Pix(config)# route outside 1
Pix(config)# route inside 1
Pix(config)# route inside 1
Pix(config)# route inside 1
Pix(config)# route inside 1
Pix(config)# ip verify reverse-path interface outside
Pix(config)# ip verify reverse-path interface inside
Pix(config)# ip verify reverse-path interface dmz

The ip verify reverse-path interface outside command ensures no packets arrive from the outside with sources addresses defined for the inside or DMZ networks. The ip verify reverse-path interface inside command prevents any packets coming from the inside with source addresses that aren’t defined to that interface. The final command limits packets coming in from the DMZ to source addresses in the network.

The following output shows using the show ip verify command to confirm configuration and the show ip verify statistics command to show activity.

Pix(config)# show ip verify
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
Pix(config)# show ip verify statistics
interface outside: 2 unicast rpf drops
interface inside: 0 unicast rpf drops
interface dmz: 0 unicast rpf drops

ActiveX Blocking, Java Filtering, and URL Filtering

These three features were covered in Chapter 19 as content filtering using the filter command. All three are made possible because of the fixup protocol http [port] command. They are included here as attack guards.

ActiveX Blocking

ActiveX controls (formerly OLE or OCX controls) are embedded web page components that can introduce potential problems to network clients.

Java Filtering

Java applets are executable programs that can enable certain methods of attacking a protected network.

URL Filtering

Uses products like Websense or N2H2 servers to prevent outbound access to specific configurable web sites deemed inappropriate for the user(s).

Part III: Virtual Private Networks (VPNs)