PIX / ASA – Threat Detection

From software release 8.0 onwards, the Cisco PIX and Cisco ASA firewalls support a feature called Threat Detection. In the default configuration, Basic Threat Detection is enabled on the security appliance.

Using Threat Detection, the appliance monitors the rate of dropped packets and security events caused by the following (Source):

  • Denial by access lists;
  • Bad packet format (such as invalid-ip-header or invalid tcp-hdr-length);
  • Connection limits exceeded (both system-wide resource limits, and limits set in the configuration);
  • DoS attack detected (such as an invalid SPI, Stateful Firewall check failure);
  • Basic firewall checks failed (This option is a combined rate that includes all firewall-related packet drops in this bulleted list. It does not include non-firewall-related drops such as interface overload, packets failed at application inspection, and scanning attack detected.);
  • Suspicious ICMP packets detected;
  • Packets failed application inspection;
  • Interface overload;
  • Scanning attack detected;
  • Incomplete session detection such as TCP SYN attack detected or no data UDP session attack detected;

When the security appliance detects a threat, a syslog message is sent. These syslog messages have the following format:

%ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is rate_val per second, max configured rate is rate_val; Current average rate is rate_val per second, max configured rate is rate_val; Cumulative total count is total_cnt
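To show what you can do with these messages on the logging side, here is an added Python example (my own, not code from Cisco or from the configuration guide) that picks %ASA-4-733100 lines out of a constructed syslog sample, extracts the burst and average figures, and reports per drop category which of the two configured limits was hit. The hostnames, addresses and counters in the sample are constructed; the bracketed object form ("[ Scanning]") and the "rate-1" spelling are what I have seen real appliances emit and are treated here as an assumption, so the pattern also accepts the bare placeholder form quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pattern for the %ASA-4-733100 message format quoted above. Assumption: real
# appliances print the object in brackets ("[ Scanning]") and the rate ID as
# "rate-1"; the pattern accepts both that form and the bare placeholder form.
THREAT_MSG_RE = re.compile(
    r"%ASA-4-733100: \[?\s*(?P<obj>.+?)\s*\]? drop rate[- ]?(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


@dataclass
class ThreatEvent:
    obj: str          # drop category, e.g. "Scanning" or "ACL drop"
    rate_id: int      # which configured rate tripped (1 = first interval, 2 = second, ...)
    burst: int        # current burst rate (events per second)
    burst_max: int    # configured burst-rate limit
    avg: int          # current average rate (events per second)
    avg_max: int      # configured average-rate limit
    total: int        # cumulative drop count reported by the appliance

    @property
    def exceeded(self) -> List[str]:
        """Which of the two configured limits this message reports as exceeded."""
        reasons = []
        if self.burst > self.burst_max:
            reasons.append("burst")
        if self.avg > self.avg_max:
            reasons.append("average")
        return reasons


def parse_line(line: str) -> Optional[ThreatEvent]:
    """Parse one syslog line; returns None for anything that is not a 733100 message."""
    m = THREAT_MSG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return ThreatEvent(obj=g["obj"], rate_id=int(g["rate_id"]),
                       burst=int(g["burst"]), burst_max=int(g["burst_max"]),
                       avg=int(g["avg"]), avg_max=int(g["avg_max"]),
                       total=int(g["total"]))


def parse_log(text: str) -> List[ThreatEvent]:
    """Parse a block of syslog text, skipping lines that are not threat-detection messages."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def summarize(events: List[ThreatEvent]) -> Dict[str, dict]:
    """Per drop category: message count, worst burst rate, last cumulative total, limits hit."""
    summary: Dict[str, dict] = {}
    for ev in events:
        s = summary.setdefault(ev.obj, {"count": 0, "max_burst": 0, "last_total": 0, "reasons": set()})
        s["count"] += 1
        s["max_burst"] = max(s["max_burst"], ev.burst)
        s["last_total"] = ev.total
        s["reasons"].update(ev.exceeded)
    return summary


# Constructed sample log (hostname, addresses and counters are made up for this example).
SAMPLE_SYSLOG = """\
Jan 12 2009 08:15:01 fw-edge %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 120 per second, max configured rate is 10; Current average rate is 2 per second, max configured rate is 5; Cumulative total count is 721
Jan 12 2009 08:15:31 fw-edge %ASA-4-733100: [ ACL drop] drop rate-2 exceeded. Current burst rate is 9 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 7556
Jan 12 2009 08:16:02 fw-edge %ASA-6-302013: Built inbound TCP connection 4711 for outside:192.0.2.10/40000 (192.0.2.10/40000) to inside:10.0.0.5/80 (10.0.0.5/80)
Jan 12 2009 08:16:40 fw-edge %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; Cumulative total count is 1320
"""

if __name__ == "__main__":
    for obj, s in summarize(parse_log(SAMPLE_SYSLOG)).items():
        print(f"{obj:10s} messages={s['count']} max_burst={s['max_burst']} "
              f"last_total={s['last_total']} limits_hit={sorted(s['reasons'])}")
```

Feeding a day of firewall syslog through parse_log and summarize is a quick way to answer the customer question "is something wrong?": a category whose only hit is the burst limit with a small cumulative total is a short spike, while a category that keeps hitting the average limit deserves a look at the actual ACL drops.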

Basic Threat Detection affects the performance of the security appliance only when there are drops or potential threats. I have monitored the CPU with Basic Threat Detection enabled and disabled in an environment with many deny hits on the outside interface, resulting from port scans and (D)DoS attacks. The performance impact on the security appliance is insignificant.

The security appliance also has the option to actively scan all traffic and shun connections when threat rates are exceeded. The security appliance tracks two types of rates:

  1. the average event rate over an interval;
  2. the burst event rate over a shorter burst interval;
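An added example (my own Python, not code from this post or from Cisco) that models these two rates: drop events are counted over the long average interval and over a short burst interval, and each measured rate is compared with its own limit. The burst interval being 1/30 of the average interval with a 10-second minimum is my recollection of the ASA configuration guide and is an assumption here; the event timestamps are constructed. It shows why a short port sweep trips the burst limit but not the average limit, while a steady trickle of drops does the opposite.

```python
from typing import Dict, List, Optional


def burst_interval_for(rate_interval: int) -> int:
    """Burst interval derived from the average-rate interval (seconds).

    Assumption (from memory of the ASA configuration guide, not from the post):
    the burst interval is 1/30 of the average interval, but never below 10 seconds.
    """
    return max(10, rate_interval // 30)


def event_rates(event_times: List[float], now: float, rate_interval: int,
                burst_interval: Optional[int] = None) -> Dict[str, float]:
    """Events per second over the long (average) window and the short (burst) window."""
    if burst_interval is None:
        burst_interval = burst_interval_for(rate_interval)
    in_avg_window = sum(1 for t in event_times if now - rate_interval < t <= now)
    in_burst_window = sum(1 for t in event_times if now - burst_interval < t <= now)
    return {"average": in_avg_window / rate_interval,
            "burst": in_burst_window / burst_interval}


def check_thresholds(event_times: List[float], now: float, rate_interval: int,
                     average_rate: float, burst_rate: float) -> Dict[str, object]:
    """Compare both measured rates against their configured limits."""
    rates = event_rates(event_times, now, rate_interval)
    return {
        "average": rates["average"],
        "burst": rates["burst"],
        "average_exceeded": rates["average"] > average_rate,
        "burst_exceeded": rates["burst"] > burst_rate,
    }


def constructed_events(now: float, seconds: int, per_second: int) -> List[float]:
    """Constructed timestamps: `per_second` drops every second for the last `seconds` seconds."""
    return [now - s - k / per_second for s in range(seconds) for k in range(per_second)]


if __name__ == "__main__":
    NOW = 1000.0
    # 20 seconds of 15 drops/s (a quick sweep), then nothing else in the 10-minute window.
    sweep = constructed_events(NOW, seconds=20, per_second=15)
    # 6 drops/s sustained for the entire 10-minute window.
    steady = constructed_events(NOW, seconds=600, per_second=6)
    for name, times in (("short sweep", sweep), ("steady drops", steady)):
        r = check_thresholds(times, NOW, rate_interval=600, average_rate=5, burst_rate=10)
        print(f"{name:13s} avg={r['average']:.2f} eps burst={r['burst']:.2f} eps "
              f"average_exceeded={r['average_exceeded']} burst_exceeded={r['burst_exceeded']}")
```

With a 10-minute interval the burst window is 20 seconds, so the sweep measures 15 eps burst against 0.5 eps average and the steady drops measure 6 eps on both, which is exactly the pair of figures the 733100 message reports.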

More information about configuring Threat Detection can be found in the Cisco Security Appliance Command Line Configuration Guide, 8.0, more specifically in the chapter Preventing Network Attacks.

In my own experience with Cisco PIX and Cisco ASA firewalls running software release 8.0 and later, I normally disable Basic Threat Detection. Often I receive questions from customers about the syslog messages generated by Basic Threat Detection. Customers always think that something is terribly wrong with the security appliance. For some customers I enabled Basic Threat Detection in conjunction with the Scanning Threat Statistics. Enabling the statistics gives you more detailed information about the discovered threat rates. The statistics can be viewed via the Firewall Dashboard when using ASDM or with various show commands using the CLI. Below is the output of the command show threat-detection rate.

                        Average(eps)    Current(eps) Trigger    Total events
10-min ACL  drop:                  1               0       0            119
21-hour ACL  drop:                  2               1       0          7556
10-min SYN attck:                  0               0       0            436
1-hour SYN attck:                  0               0       0           2863
10-min  Scanning:                 12               9   31963            721
31-hour  Scanning:                 20              11   21622         74264
10-min Bad  pkts:                  0               0       0            107
1-hour Bad  pkts:                  0               0       0            682
10-min  Firewall:                  2               1       0           1299
1-hour  Firewall:                  2               1       0           8238
10-min Interface:                 10               0       0           6314
1-hour Interface:                 10              10       0          37220

Enabling the use of statistics could have a bad influence on the performance of the PIX / ASA. In particular, the memory usage can increase enormously. With Basic Threat Detection, there is also an option for actively scanning all traffic and shunning the traffic when certain thresholds are reached. Shunning the traffic is accomplished by adding a policy rule to the configuration. This rule is added to the configuration automatically and stays even after a reboot.

I talked with a Cisco engineer about this feature and he advised me not to use Basic Threat Detection with the scanning feature. The feature is rather new and needs a lot of tweaking, because this functionality can basically be compared with an Intrusion Detection and Intrusion Prevention System. The engineer also stated that the gathering of statistics can have an influence on the memory usage of the box. Therefore he also advised to only use the statistics feature in certain environments and circumstances.