Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Firewall Mode Overview

1-25

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter1 Introduction to the Cisco ASA 5500 Series

Firewall Functional Overview

Applying Connection Limits and TCP Normalization

You can limit TCP and UDP connections and embryonic connections. Limiting the number of

connections and embryonic connections protects you from a DoS attack. The ASA uses the embryonic

limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding

an interface with TCP SYN packets. An embryonic connection is a connection request that has not

finished the necessary handshake between source and destination.

TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets

that do not appear normal.

Enabling Threat Detection

You can configure scanning threat detection and basic threat detection, and also how to use statistics to

analyze threats.

Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and

automatically sends a system log message.

A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by

scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The

scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection

that is based on traffic signatures, the ASA scanning threat detection feature maintains an extensive

database that contains host statistics that can be analyzed for scanning activity.

The host database tracks suspicious activity such as connections with no return activity, access of closed

service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.

You can configure the ASA to send system log messages about an attacker or you can automatically shun

the host.

Enabling the Botnet Traffic Filter

Malware is malicious software that is installed on an unknowing host. Malware that attempts network

activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data)

can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP

address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic database

of known bad domain names and IP addresses (the blacklist), and then logs any suspicious activity. When

you see syslog messages about the malware activity, you can take steps to isolate and disinfect the host.

Configuring Cisco Unified Communications

The Cisco ASA 5500 series is a strategic platform to provide proxy functions for unified

communications deployments. The purpose of a proxy is to terminate and reoriginate connections

between a client and server. The proxy delivers a range of security functions such as traffic inspection,

protocol conformance, and policy control to ensure security for the internal network. An increasingly

popular function of a proxy is to terminate encrypted connections in order to apply security policies

while maintaining confidentiality of connections.

Firewall Mode Overview

The ASA runs in two different firewall modes:

•Routed

Cisco Systems Firewall Mode Overview

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505

Applying Connection Limits and TCP Normalization

Enabling Threat Detection

Enabling the Botnet Traffic Filter

Configuring Cisco Unified Communications