Dead Connection Detection Overview; TCP Sequence Randomization Overview; Enabling Connection Limits - Cisco PIX 500 Series Configuration Manual

Chapter 23
Preventing Network Attacks

Dead Connection Detection Overview

Dead connection detection (DCD) detects a dead connection and allows it to expire, without expiring
connections that can still handle traffic. You configure DCD when you want idle but valid connections
to persist.
When you enable DCD, idle timeout behavior changes. With idle timeout, DCD probes are sent to each
of the two end-hosts to determine the validity of the connection. If an end-host fails to respond after
probes are sent at the configured intervals, the connection is freed, and reset values, if configured, are
sent to each of the end-hosts. If both end-hosts respond that the connection is valid, the activity timeout
is updated to the current time and the idle timeout is rescheduled accordingly.

TCP Sequence Randomization Overview

Each TCP connection has two initial sequence numbers (ISNs): one generated by the client and one
generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the
inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new
connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:

• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both
firewalls to be performing this action, even though this action does not affect the traffic.
• If you use eBGP multi-hop through the security appliance and the eBGP peers are using MD5,
because randomization breaks the MD5 checksum.
• If you use a WAAS device that requires the security appliance not to randomize the sequence numbers
of connections.

Enabling Connection Limits

To set connection limits, perform the following steps:

Step 1 To identify the traffic, add a class map using the class-map command. See the "Creating a Layer 3/4
Class Map for Through Traffic" section on page 21-3 or the "Creating a Layer 3/4 Class Map for
Management Traffic" section on page 21-5 for more information.

Step 2 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following
command:
hostname(config)# policy-map name

Step 3 To identify the class map from Step 1 to which you want to assign an action, enter the following
command:
hostname(config-pmap)# class class_map_name

Step 4 To set maximum connection limits or whether TCP sequence randomization is enabled, enter the
following command:
hostname(config-pmap-c)# set connection {[conn-max number] [embryonic-conn-max number]
[per-client-embryonic-max number] [per-client-max number] [random-sequence-number {enable
| disable}]}
where number is an integer between 0 and 65535. The default is 0, which means no limit on connections.

Configuring Connection Limits and Timeouts
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 23-15
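The four-step procedure above, carried through as one complete configuration. This is an added example, not a configuration from the Cisco guide: it assumes a DMZ web server that needs total and per-client connection caps (the embryonic limits bound half-open connections during a SYN flood), and an eBGP peering that uses TCP MD5, which is exempted from ISN randomization for the reason given in the list above. The interface name, ACL names, class and policy names and all addresses are assumed for illustration; the final service-policy command, which applies the policy to an interface, is not part of the page's Step 1 to Step 4 and is assumed here.

```cisco
! Added example, not from the Cisco guide. Names, addresses and limits are assumed.
!
! Step 1: class maps that select the traffic.
! Web server traffic from anywhere to the (assumed) DMZ host 192.0.2.10.
access-list WEB_SERVER_ACL extended permit tcp any host 192.0.2.10 eq www
class-map WEB_SERVER_CLASS
  match access-list WEB_SERVER_ACL
!
! eBGP sessions between two (assumed) peers that sign segments with TCP MD5.
access-list BGP_PEERS_ACL extended permit tcp host 203.0.113.1 host 198.51.100.1 eq bgp
access-list BGP_PEERS_ACL extended permit tcp host 198.51.100.1 host 203.0.113.1 eq bgp
class-map BGP_PEERS_CLASS
  match access-list BGP_PEERS_ACL
!
! Step 2: the policy map that holds the actions.
policy-map OUTSIDE_POLICY
  ! Step 3: select the web server class, then Step 4: set the limits.
  ! conn-max caps all connections to the server; embryonic-conn-max caps half-open
  ! connections; the per-client values keep one source from using the whole budget.
  class WEB_SERVER_CLASS
    set connection conn-max 5000 embryonic-conn-max 1000 per-client-max 200 per-client-embryonic-max 20
  ! Step 3 and 4 again for the BGP class: the peers sign each segment with MD5,
  ! and rewriting the ISN would break that signature, so randomization is disabled
  ! only for this traffic. Every other class keeps the default (enabled).
  class BGP_PEERS_CLASS
    set connection random-sequence-number disable
!
! Apply the policy to the (assumed) outside interface.
service-policy OUTSIDE_POLICY interface outside
```

After applying the policy, show service-policy confirms which classes are active on the interface, and show conn lets you watch the connection counts for the web server against the configured limits. Keep the randomization exemption scoped to the narrowest class that needs it: the ACL above matches only the two BGP peers on port 179, so the protection described in the randomization overview stays in place for everything else.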
