Cisco PIX 500 Series Configuration Manual page 442
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Configuring TCP Normalization
•
Set the maximum number of out-of-order packets that can be queued for a TCP connection:
hostname(config-tcp-map)# queue-limit pkt_num
Where pkt_num specifies the maximum number of out-of-order packets. The range is 0 to 250 and
the default is 0.
•
Clear reserved bits in the TCP header, or drop packets with reserved bits set. The default is to allow
reserved bits, so use this command to clear them or drop the packets.
hostname(config-tcp-map)# reserved-bits {allow | clear | drop}
Where allow allows packets with the reserved bits in the TCP header. clear clears the reserved bits
in the TCP header and allows the packet. drop drops the packet with the reserved bits in the TCP
header.
•
Drop SYN packets with data. The default is to allow SYN packets with data, so use this command
to drop the packets.
hostname(config-tcp-map)# syn-data {allow | drop}
•
Clears the selective-ack, timestamps, or window-scale TCP options, or drops a range of TCP options
by number. The default is to allow packets with specified options, or to clear the options within the
range, so use this command to clear, allow, or drop them.
hostname(config-tcp-map)# tcp-options {selective-ack | timestamp | window-scale}
{allow | clear}
Or:
hostname(config-tcp-map)# tcp-options range lower upper {allow | clear | drop}
Where allow allows packets with the specified option. clear clears the option and allows the packet.
drop drops the packet.
The selective-ack keyword allows or clears the SACK option. The default is to allow the SACK
option.
The timestamp keyword allows or clears the timestamp option. Clearing the timestamp option
disables PAWS and RTT. The default is to allow the timestamp option.
The widow-scale keyword allows or clears the window scale mechanism option. The default is to
allow the window scale mechanism option.
The range keyword specifies a range of options.
The lower argument sets the lower end of the range as 6, 7, or 9 through 255.
The upper argument sets the upper end of the range as 6, 7, or 9 through 255.
•
Disable the TTL evasion protection:
hostname(config-tcp-map)# ttl-evasion-protection
Do not enter this command it you want to prevent attacks that attempt to evade security policy.
For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL
goes to zero, a router between the security appliance and the endpoint drops the packet. It is at this
point that the attacker can send a malicious packet with a long TTL that appears to the security
appliance to be a retransmission and is passed. To the endpoint host, however, it is the first packet
that has been received by the attacker. In this case, an attacker is able to succeed without security
preventing the attack.
Cisco Security Appliance Command Line Configuration Guide
23-12
Chapter 23
Preventing Network Attacks
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
