Cisco ASA 5505 Configuration Manual page 1049

Chapter 48 Configuring Connection Settings
Information About Connection Settings

Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

• If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.
• If you use eBGP multi-hop through the adaptive security appliance and the eBGP peers are using MD5; randomization breaks the MD5 checksum.
• If you use a WAAS device that requires the adaptive security appliance not to randomize the sequence numbers of connections.

TCP Normalization

The TCP normalization feature identifies abnormal packets that the adaptive security appliance can act on when they are detected; for example, the adaptive security appliance can allow, drop, or clear the packets. TCP normalization helps protect the adaptive security appliance from attacks. TCP normalization is always enabled, but you can customize how some features behave.

The TCP normalizer includes non-configurable actions and configurable actions. Typically, non-configurable actions that drop or clear connections apply to packets that are always bad. Configurable actions (as detailed in the "Customizing the TCP Normalizer with a TCP Map" section on page 48-6) might need to be customized depending on your network needs.

See the following guidelines for TCP normalization:

• The normalizer does not protect from SYN floods. The adaptive security appliance includes SYN flood protection in other ways.
• The normalizer always sees the SYN packet as the first packet in a flow unless the adaptive security appliance is in loose mode due to failover.

TCP State Bypass

By default, all traffic that goes through the adaptive security appliance is inspected using the Adaptive Security Algorithm and is either allowed through or dropped based on the security policy. The adaptive security appliance maximizes the firewall performance by checking the state of each packet (is this a new connection or an established connection?) and assigning it to either the session management path (a new connection SYN packet), the fast path (an established connection), or the control plane path (advanced inspection). See the "Stateful Inspection Overview" section on page 1-18 for more detailed information about the stateful firewall.

TCP packets that match existing connections in the fast path can pass through the adaptive security appliance without rechecking every aspect of the security policy. This feature maximizes performance. However, the method of establishing the session in the fast path using the SYN packet, and the checks that occur in the fast path (such as TCP sequence number), can stand in the way of asymmetrical routing solutions: both the outbound and inbound flow of a connection must pass through the same adaptive security appliance.

For example, a new connection goes to adaptive security appliance 1. The SYN packet goes through the session management path, and an entry for the connection is added to the fast path table. If subsequent packets of this connection go through adaptive security appliance 1, then the packets will match the entry in the fast path, and are passed through. But if subsequent packets go to adaptive security appliance 2, where there was not a SYN packet that went through the session management path, then there is no entry

Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
48-3
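The three connection settings this page describes, shown together as an added CLI example that is not taken from the manual: a tcp-map that relaxes two configurable normalizer actions, a class that disables ISN randomization only for eBGP peers using TCP MD5, and a class that applies TCP state bypass only to an asymmetrically routed subnet. The ACL, class-map, policy-map and tcp-map names, the addresses, and the interface name "inside" are placeholders chosen for this example.

```cisco
! Added example, not from the manual. Object names, addresses and the
! interface name are placeholders chosen for illustration.

! 1. Customize configurable TCP normalizer actions. The non-configurable
!    checks still run; this map only changes the configurable ones, here
!    allowing the SACK and timestamp TCP options instead of clearing them.
tcp-map NORMALIZER-MAP
 tcp-options selective-ack allow
 tcp-options timestamp allow

! 2. eBGP multi-hop peers using TCP MD5 (TCP port 179): ISN randomization
!    breaks the MD5 checksum, so turn it off for this peering only. Every
!    other flow keeps randomized sequence numbers.
access-list BGP-PEERS extended permit tcp host 192.0.2.10 host 198.51.100.10 eq 179
access-list BGP-PEERS extended permit tcp host 192.0.2.10 eq 179 host 198.51.100.10

class-map BGP-PEERS
 match access-list BGP-PEERS

! 3. Asymmetrically routed subnet: return packets may reach a second ASA
!    that never saw the SYN, so there is no fast-path entry and they are
!    dropped. State bypass skips those checks for this subnet only; both
!    directions are listed because either side may send the first packet.
access-list ASYM-ROUTED extended permit tcp 10.1.1.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list ASYM-ROUTED extended permit tcp 203.0.113.0 255.255.255.0 10.1.1.0 255.255.255.0

class-map ASYM-ROUTED
 match access-list ASYM-ROUTED

policy-map CONNECTION-POLICY
 class BGP-PEERS
  set connection random-sequence-number disable
 class ASYM-ROUTED
  set connection advanced-options tcp-state-bypass
 class class-default
  set connection advanced-options NORMALIZER-MAP

service-policy CONNECTION-POLICY interface inside
```

Keep the bypass and the randomization exception scoped to the narrowest ACL that matches the affected flows, since traffic in those classes loses the sequence number checks the rest of the page relies on.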
