Set Global Timeouts and Thresholds

Sep 10,2009 by alperen


This section looks at configuring the following global timeouts and thresholds used by CBAC.

  • TCP SYN and FIN wait times

  • TCP, UDP, and DNS idle timers

  • TCP flooding thresholds (DoS indicators)

These are the global default settings CBAC uses to decide how long to keep state table entries and to recognize a possible DoS attack. Each command has a default value, so it only needs to be entered when the default should be changed to better implement a security policy.

TCP Session Establishment Timer

Use the Global Configuration Mode command ip inspect tcp synwait-time to define the number of seconds the software will wait for a TCP session to reach the established state before dropping the session. The session is considered to have reached the established state after the session’s first SYN bit is detected. Use the no form of this command to reset the timeout to the default of 30 seconds. The syntax is

Rtr1(config)#ip inspect tcp synwait-time seconds
Rtr1(config)#no ip inspect tcp synwait-time

This command was introduced in IOS 11.2 P. The default is 30 seconds.

The value specified for this timeout applies to all TCP sessions inspected by CBAC.

TCP Session Termination Timer

Use the Global Configuration Mode command ip inspect tcp finwait-time to define how many seconds a TCP session will still be managed after the firewall detects a FIN-exchange. The FIN-exchange occurs when the TCP session is ready to close. Use the no form of the command to reset the timeout to the default of five seconds. The syntax is

Rtr1(config)#ip inspect tcp finwait-time seconds
Rtr1(config)#no ip inspect tcp finwait-time

This command was introduced in IOS 11.2 P. The default is five seconds.

The timeout set with this command is referred to as the finwait timeout. It applies to all CBAC-inspected TCP sessions.

UDP Session Inactivity Timer

Use the Global Configuration Mode command ip inspect udp idle-time to specify the UDP idle timeout, the number of seconds a UDP “session” will still be managed after no activity. Use the no form of the command to reset the timeout to the default of 30 seconds. The syntax is

Rtr1(config)#ip inspect udp idle-time seconds
Rtr1(config)#no ip inspect udp idle-time

This command was introduced in IOS 11.2 P. The default is 30 seconds.

When CBAC detects a valid UDP packet that is the first in a session for a protocol CBAC is inspecting, the software creates a new state table entry for it. Because UDP is a connectionless service, no actual sessions exist as with TCP, so CBAC approximates sessions: it examines the packets and decides whether they are similar (source/destination addresses and ports) to other UDP packets and whether a packet was detected soon after another similar UDP packet. If no UDP packets for a particular session are detected for the time defined by the UDP idle timeout, the software drops that session's entries from the state table and the ACL.

This global value can be overridden for specific interfaces when you define a set of inspection rules with the Global Configuration Mode command ip inspect name. The global timeout set here applies only to new or existing inspection rules that don't have an explicitly defined timeout.

Maximum Incomplete Sessions High/Low Threshold

An unusually high number of half-open sessions can indicate a DoS attack is occurring. For TCP, half-open means that the session hasn’t reached the established state. For UDP, half-open means that the firewall has detected traffic from one direction only.

CBAC measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above the threshold set by the ip inspect max-incomplete high command, the software then deletes half-open sessions until the number of existing half-open sessions drops below the threshold set by the ip inspect max-incomplete low command.

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Use the Global Configuration Mode command ip inspect max-incomplete high to define the number of existing half-open sessions that will cause the software to start deleting half-open sessions. Use the no form of the command to reset the threshold to the default of 500. The syntax is

Rtr1(config)#ip inspect max-incomplete high number
Rtr1(config)#no ip inspect max-incomplete high

This command was introduced in IOS 11.2 P. The default is 500 half-open sessions.

Use the Global Configuration Mode command ip inspect max-incomplete low to define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. Use the no form of the command to reset the threshold to the default of 400 half-open sessions. The syntax is

Rtr1(config)#ip inspect max-incomplete low number
Rtr1(config)#no ip inspect max-incomplete low

This command was introduced in IOS 11.2 P. The default is 400 half-open sessions.

The following example causes the CBAC to start deleting half-open sessions when the number of half-open sessions rises above 800 and to stop when the number drops below 500.

Rtr1(config)#ip inspect max-incomplete high 800
Rtr1(config)#ip inspect max-incomplete low 500

One Minute Incomplete Sessions High/Low Threshold

This is an extension of the preceding threshold, accelerating the process to respond to a rapid increase in incomplete sessions. These rate thresholds are measured as the number of new session connection attempts detected in the last one-minute sample period.

The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC.

Use the Global Configuration Mode command ip inspect one-minute high to define the number of new unestablished sessions that will cause the software to start deleting half-open sessions. Use the no form of the command to reset the threshold to the default of 500. The syntax is

Rtr1(config)#ip inspect one-minute high number
Rtr1(config)#no ip inspect one-minute high

This command was introduced in IOS 11.2 P. The default is 500 half-open sessions.

Use the Global Configuration Mode command ip inspect one-minute low to define the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. Use the no form of this command to reset the threshold to the default of 400. The syntax is

Rtr1(config)#ip inspect one-minute low number
Rtr1(config)#no ip inspect one-minute low

This command was introduced in IOS 11.2 P. The default is 400 half-open sessions.

The following example causes the software to start deleting half-open sessions when more than 1,000 session establishment attempts are detected in the last minute and to stop when fewer than 750 sessions are detected in the last minute:

Rtr1(config)#ip inspect one-minute high 1000
Rtr1(config)#ip inspect one-minute low 750

Maximum Incomplete Sessions Per Destination Host Threshold

An unusually high number of half-open sessions with the same destination host address can indicate that a DoS attack is being launched against the host. Use the Global Configuration Mode command ip inspect tcp max-incomplete host to specify threshold and blocking time values for TCP host–specific DoS detection and prevention. Use the no form of the command to reset the threshold and blocking time to the default values. The syntax is

Rtr1(config)#ip inspect tcp max-incomplete host number block-time seconds
Rtr1(config)#no ip inspect tcp max-incomplete host

number: Specifies how many half-open TCP sessions with the same host destination address can exist at a time before the software starts deleting half-open sessions to the host. Use a number from 1 to 250.

block-time: Specifies blocking of connection initiation to a host.

seconds: Specifies how long the software will continue to delete new connection requests to the host.

This command was introduced in IOS 11.2 P. The default is 50 half-open sessions and 0 minutes.

When the number of half-open sessions with the same destination host address rises above this threshold, CBAC deletes half-open sessions, choosing a method based on the block-time seconds setting:

  • 0 (the default): CBAC deletes the oldest half-open session for the host for every new connection request to the host. This ensures the number of half-open sessions to a given host never exceeds the threshold.

  • Greater than 0: CBAC deletes all existing half-open sessions for the host, and then blocks all new connection requests to the host until the block-time expires.

The software also sends syslog messages whenever the max-incomplete host number is exceeded and when blocking of connection initiations to a host starts or ends.

The global values specified for the threshold and blocking time apply to all TCP connections inspected by CBAC.

The following example changes the max-incomplete host number to 70 half-open sessions and changes the block-time timeout to 90 seconds.

Rtr1(config)#ip inspect tcp max-incomplete host 70 block-time 90
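To make the two deletion behaviours concrete (the global max-incomplete high/low hysteresis and the per-host block-time 0 versus greater-than-0 handling), here is an added Python model of that logic. It is an illustrative simplification written for this page, not Cisco's code; the class name, the "aggressive" mode flag and the interpretation that one old session is deleted per new request while above the high threshold are assumptions.

```python
from collections import deque


class CbacHalfOpenModel:
    """Assumed simplified model of the CBAC half-open thresholds on this page
    (illustrative, not Cisco's code). Sessions are (seq, dst) in arrival order."""

    def __init__(self, max_high=500, max_low=400, host_max=50, block_time=0):
        self.max_high, self.max_low = max_high, max_low        # global count
        self.host_max, self.block_time = host_max, block_time  # per host
        self.half_open = deque()    # existing half-open sessions
        self.blocked_until = {}     # dst -> time (s) the host block expires
        self.aggressive = False     # True: delete oldest on each new attempt
        self.seq = 0

    def host_count(self, dst):
        return sum(1 for _, d in self.half_open if d == dst)

    def _update_mode(self):
        n = len(self.half_open)
        if n > self.max_high:
            self.aggressive = True      # rose above max-incomplete high
        elif n < self.max_low:
            self.aggressive = False     # dropped below max-incomplete low

    def close(self, dst):
        """Oldest half-open session to dst became established or timed out."""
        entry = next((e for e in self.half_open if e[1] == dst), None)
        if entry:
            self.half_open.remove(entry)
        self._update_mode()

    def new_attempt(self, now, dst):
        """New connection request (first SYN) to dst at time now (seconds).
        Returns True if a state entry is kept, False if dropped or blocked."""
        if now < self.blocked_until.get(dst, 0):
            return False                # block-time still running
        if self.aggressive and self.half_open:
            self.half_open.popleft()    # make room by deleting the oldest
        self.seq += 1
        self.half_open.append((self.seq, dst))
        # ip inspect tcp max-incomplete host <number> block-time <seconds>
        if self.host_count(dst) > self.host_max:
            if self.block_time == 0:    # default: drop the oldest to this host
                self.close(dst)
            else:                       # purge the host and block new requests
                self.half_open = deque(e for e in self.half_open if e[1] != dst)
                self.blocked_until[dst] = now + self.block_time
                self._update_mode()
                return False
        self._update_mode()
        return True
```

Feed it a burst of SYNs to one destination with host_max=70 and block_time=90, as in the example above, and the model shows the host being purged and blocked for 90 seconds rather than trimmed one session at a time.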
