Tcp Normalization Overview - Cisco 4700M Configuration Manual

TCP Normalization Overview

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, Chapter 4
This section describes how the ACE uses TCP normalization to protect itself and
the data center from a variety of network-based attacks.
TCP normalization is a Layer 4 feature that consists of a series of checks that the
ACE performs at various stages of a flow, from the initial connection setup to the
closing of a connection. You can control many of the segment checks by
configuring one or more advanced TCP connection settings. The ACE uses these
TCP connection settings to decide which checks to perform and whether to
discard a TCP segment based on the results of the checks. The ACE discards
segments that appear to be abnormal or malformed.
With TCP normalization, the ACE checks for segments that have invalid or
suspect conditions (for example, a SYN sent to the client from the server or a
SYNACK sent to the server from the client) and takes actions based on the
configured parameter settings. The ACE uses TCP normalization to block certain
types of network attacks (for example, insertion attacks and evasion attacks).
Insertion attacks occur when the inspection module accepts a packet that the end
system rejects. Evasion attacks occur when the inspection module rejects a packet
while the end system accepts it.
The ACE always discards segments when the following conditions exist:
- Bad segment checksum
- Bad TCP header or payload length
- Suspect TCP flags (for example, NULL, SYN/FIN, or FIN/URG)
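The checks described above, as an added illustration that is not code from the guide or from the ACE itself: a small Python normalizer that applies the three always-on discard conditions (checksum, header/payload length, suspect flag combinations) and the two direction checks (a SYN from the server, a SYN/ACK from the client) to a raw TCP segment. The `build_segment` helper and the `from_server` flag are assumptions made for the example.

```python
import struct

# TCP flag bits (RFC 793). CWR/ECE are ignored for the NULL check below.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_checksum(src_ip, dst_ip, segment):
    """Ones-complement checksum over the IPv4 pseudo-header plus TCP segment.
    On a segment whose checksum field is already filled in, a valid result is 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_segment(src_ip, dst_ip, segment, from_server):
    """Return None if the segment passes, otherwise the reason it is discarded.
    from_server=True means the segment travels server -> client (assumed flag)."""
    if len(segment) < 20:
        return "bad TCP header or payload length"
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        return "bad TCP header or payload length"
    flags = segment[13]
    if flags & (FIN | SYN | RST | PSH | ACK | URG) == 0:
        return "suspect TCP flags: NULL"
    if flags & SYN and flags & FIN:
        return "suspect TCP flags: SYN/FIN"
    if flags & FIN and flags & URG:
        return "suspect TCP flags: FIN/URG"
    if tcp_checksum(src_ip, dst_ip, segment) != 0:
        return "bad segment checksum"
    if from_server and flags & SYN and not flags & ACK:
        return "SYN sent from server to client"
    if not from_server and flags & SYN and flags & ACK:
        return "SYN/ACK sent from client to server"
    return None

def build_segment(src_ip, dst_ip, flags, payload=b""):
    """Constructed helper: 20-byte TCP header (no options) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload
```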
TCP normalization is enabled by default. If you are migrating to, or replacing
legacy products with, the ACE, disable normalization using the no normalization
command in interface configuration mode until you are sure that everything is
working properly. Then, reenable normalization using the normalization
command in interface configuration mode.
To configure TCP normalization on the ACE, you assemble various TCP
commands into a parameter map. After you create the connection parameter map,
you associate it with a multi-match policy map, and activate the traffic policy
globally across all interfaces in the context using a service policy. For details
about configuring traffic policies, see the "Configuring a Traffic Policy for
TCP/IP Normalization and Termination" section in this chapter, "Configuring
TCP/IP Normalization and IP Reassembly Parameters".
OL-16202-01
