Configuring The Fragment Size; Blocking Unwanted Connections - Cisco PIX 500 Series Configuration Manual

Chapter 23
Preventing Network Attacks
For outside traffic, for example, the security appliance can use the default route to satisfy the
Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known
to the routing table, the security appliance uses the default route to correctly identify the outside
interface as the source interface.
If traffic enters the outside interface from an address that is known to the routing table, but is associated
with the inside interface, then the security appliance drops the packet. Similarly, if traffic enters the
inside interface from an unknown source address, the security appliance drops the packet because the
matching route (the default route) indicates the outside interface.
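As an added example (not from the manual or Cisco), the following Python model applies the Unicast RPF rules just described to a constructed routing table: the route lookup on the source address must return the ingress interface, ICMP is checked packet by packet, and TCP/UDP is checked on the initial packet and afterwards against the recorded session state. The interface names, addresses and the 5-tuple session key are assumed for illustration.

```python
import ipaddress

# Constructed routing table in the shape the manual describes: a default
# route toward the outside interface and one connected inside network.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),   # default route
    (ipaddress.ip_network("10.1.1.0/24"), "inside"),  # inside network
]

# Session state for TCP/UDP (assumed 5-tuple key): records the interface
# on which the initial packet of the session arrived.
SESSIONS = {}


def route_lookup(addr):
    """Longest-prefix match on the source address; the default route
    guarantees a result, so an unknown address resolves to 'outside'."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def urpf_check(proto, src, sport, dst, dport, ingress, initial=True):
    """Return True if the packet passes Unicast RPF on interface `ingress`.

    ICMP has no session, so every packet gets a reverse route lookup.
    TCP/UDP: only the initial packet gets the lookup; its ingress interface
    is recorded, and later packets must arrive on that same interface.
    """
    key = (proto, src, sport, dst, dport)
    if proto in ("tcp", "udp") and not initial:
        # Non-initial packet: no lookup, compare against stored session state.
        return SESSIONS.get(key) == ingress
    passed = route_lookup(src) == ingress
    if passed and proto in ("tcp", "udp"):
        SESSIONS[key] = ingress
    return passed


if __name__ == "__main__":
    # Spoofed packet: an inside address arriving on the outside interface.
    print(urpf_check("icmp", "10.1.1.7", 0, "203.0.113.5", 0, "outside"))  # False
```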
Unicast RPF is implemented as follows:

- ICMP packets have no session, so each packet is checked.
- UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using an existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

To enable Unicast RPF, enter the following command:

hostname(config)# ip verify reverse-path interface interface_name

Configuring the Fragment Size

By default, the security appliance allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to allow fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the security appliance. Fragmented packets are often used in DoS attacks. To disallow fragments, enter the following command:

hostname(config)# fragment chain 1 [interface_name]

Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this command applies to all interfaces.

Blocking Unwanted Connections

If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address and other identifying parameters. No new connections can be made until you remove the shun.

Note: If you have an IPS that monitors traffic, such as an AIP SSM, then the IPS can shun connections automatically.

To shun a connection manually, perform the following steps:

Step 1  If necessary, view information about the connection by entering the following command:

hostname# show conn

The security appliance shows information about each connection, such as the following:

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
23-17
This manual is also suitable for: ASA 5500 series