Configuring Connection Limits And Timeouts - Cisco FirePOWER ASA 5500 series Configuration Manual

Configuring Connection Limits and Timeouts
This section describes how to set maximum TCP and UDP connections, maximum embryonic
connections, maximum per-client connections, connection timeouts, dead connection detection, and how
to disable TCP sequence randomization.
Limiting the number of connections and embryonic connections protects you from a DoS attack. The
security appliance uses the per-client limits and the embryonic connection limit to trigger TCP Intercept,
which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN
packets. An embryonic connection is a connection request that has not finished the necessary handshake
between source and destination.
Dead connection detection (DCD) detects a dead connection and allows it to expire, without expiring
connections that can still handle traffic. If DCD timeout is configured for the class, DCD is enabled for
traffic matching that class. If DCD timeout is not configured, DCD is disabled for the traffic matching
that class. You configure DCD when you want idle, but valid connections to persist.
When you enable DCD, idle timeout behavior changes. With idle timeout, DCD probes are sent to each
of the two end-hosts to determine the validity of the connection. If an end-host fails to respond after
probes are sent at the configured intervals, the connection is freed, and reset values, if configured, are
sent to each of the end-hosts. If both end-hosts respond that the connection is valid, the activity timeout
is updated to the current time and the idle timeout is rescheduled accordingly.
TCP sequence randomization should only be disabled if another in-line firewall is also randomizing
sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence
Numbers (ISNs): one generated by the client and one generated by the server. The security appliance
randomizes the ISN generated by both the client and the host/server. At least one of the ISNs must be
randomly generated so that attackers cannot predict the next ISN and potentially hijack the session.
Note
You can also configure maximum connections, maximum embryonic connections, and TCP sequence
randomization in the NAT configuration. If you configure these settings for the same traffic using both
methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is
disabled using either method, then the security appliance disables TCP sequence randomization.
To set connection limits, perform the following steps:
Step 1
To identify the traffic, add a class map using the class-map command. See the "Identifying Traffic Using
a Layer 3/4 Class Map" section on page 21-2 for more information.
Step 2
To add or edit a policy map that sets the actions to take with the class map traffic, enter the following
command:
hostname(config)# policy-map name
Step 3
To identify the class map from Step 1 to which you want to assign an action, enter the following
command:
hostname(config-pmap)# class class_map_name
Step 4
To set maximum connection limits or whether TCP sequence randomization is enabled, enter the
following command:
hostname(config-pmap-c)# set connection {conn-max number | embryonic-conn-max number |
per-client-embryonic-max number | per-client-max number | random-sequence-number {enable |
disable}}. . .
where number is an integer between 0 and 65535. The default is 0, which means no limit on connections.
Cisco Security Appliance Command Line Configuration Guide, Chapter 23 Preventing Network Attacks, OL-10088-01, page 23-4
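As an added example (not part of the Cisco guide), the following Python script reads a constructed ASA running-config fragment and reports, per policy-map class, the set connection limits described in Step 4, whether a DCD timeout is configured, and whether sequence randomization has been disabled; it then flags classes where every embryonic limit is still 0 (no limit, so TCP Intercept has nothing to trigger on) or randomization is off. The policy and class names are hypothetical, and the set connection timeout dcd line assumes the DCD timeout command form, which this page does not show.

```python
import re

# Constructed sample running-config fragment (hypothetical names, not from the guide).
SAMPLE_CONFIG = """\
class-map web-servers
 match access-list web-acl
class-map legacy-app
 match access-list legacy-acl
policy-map inside-policy
 class web-servers
  set connection conn-max 10000 embryonic-conn-max 1000 per-client-embryonic-max 50
  set connection timeout dcd 0:00:15 5
 class legacy-app
  set connection random-sequence-number disable
"""

LIMIT_KEYS = ("conn-max", "embryonic-conn-max", "per-client-embryonic-max", "per-client-max")
SETTING_RE = re.compile(r"(%s|random-sequence-number) (\S+)" % "|".join(LIMIT_KEYS))

def parse_policy_maps(config):
    # Returns {policy_map: {class_name: settings}}; class-map definitions themselves are skipped.
    policies, policy, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            policy, cls = line.split()[1], None
            policies[policy] = {}
        elif line.startswith("class ") and policy:
            cls = line.split()[1]
            # Appliance defaults: every limit is 0 (no limit), randomization enabled, DCD off until a timeout is set.
            policies[policy][cls] = {**dict.fromkeys(LIMIT_KEYS, 0), "random-sequence-number": "enable", "dcd-timeout": False}
        elif line.startswith("set connection timeout dcd") and cls:
            policies[policy][cls]["dcd-timeout"] = True
        elif line.startswith("set connection ") and cls:
            for key, val in SETTING_RE.findall(line):
                policies[policy][cls][key] = val if key == "random-sequence-number" else int(val)
    return policies

def audit(policies):
    # Flag classes with nothing for TCP Intercept to trigger on, and classes that turn off ISN randomization.
    findings = []
    for pname, classes in policies.items():
        for cname, s in classes.items():
            if s["embryonic-conn-max"] == 0 and s["per-client-embryonic-max"] == 0:
                findings.append(f"{pname}/{cname}: no embryonic limit, TCP Intercept never triggers")
            if s["random-sequence-number"] == "disable":
                findings.append(f"{pname}/{cname}: TCP sequence randomization disabled")
    return findings
```

Running audit(parse_policy_maps(SAMPLE_CONFIG)) reports only the legacy-app class, since web-servers has an embryonic limit and keeps randomization enabled.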
