56-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
Configuring TCP Maps
Table 56-7 Add and Edit TCP Map Dialog Boxes (Continued)
Element Description

Enable TTL Evasion Protection
Enables the TTL evasion protection offered by the security appliance. Do not enable this option if you want to prevent attacks that attempt to evade security policy.
For example, an attacker can send a packet that passes policy with a very short TTL. When the TTL goes to zero, a router between the security appliance and the endpoint drops the packet. It is at this point that the attacker can send a malicious packet with a long TTL that appears to the security appliance to be a retransmission and is passed. To the endpoint host, however, it is the first packet that has been received. In this case, an attacker is able to succeed without security preventing the attack.

Reserved Bits
Specify how to handle TCP packets with the reserved bits set in the TCP header. The six reserved bits in the TCP header are for future use and usually have a value of 0.
Clear and Allow—Clears the reserved bits in the TCP header and allows the packet.
Allow only—Permits packets with the reserved bits set in the TCP header.
Drop—Drops packets with the reserved bits set in the TCP header.

TCP Range Options table
The TCP Range Options table lists TCP options ranges defined for the TCP map, and the action to take for those options. The typical range numbers are 6-7 and 9-255; the lower bound must be less than or equal to the upper bound.
To add a range, click the Add button to open the Add TCP Option Range dialog box (see Add and Edit TCP Option Range Dialog Boxes, page 56-22).
To edit a range, select it and click the Edit button.
To delete a range, select it and click the Delete button.

Category
The category assigned to the map object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.

Add and Edit TCP Option Range Dialog Boxes
Use the Add and Edit TCP Option Range dialog boxes to define or edit a range of TCP options for use with a TCP normalization map; these are TCP options not explicitly supported on the device. This feature lets you allow or discard packets with the specified TCP options set. The typical range numbers are 6-7 and 9-255.

Navigation Path
In the Add and Edit TCP Map dialog boxes, right-click inside the TCP Range Options table and choose Add Row, or right-click an existing row and choose Edit Row. See Configuring TCP Maps, page 56-20.
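The Reserved Bits setting and the TCP Range Options table in Table 56-7 describe checks a TCP normalizer applies to every segment. The following Python model is added here as an illustration; it is not code from Cisco Security Manager or from the security appliance. It parses a raw TCP header, applies a Reserved Bits choice (Clear and Allow, Allow only, Drop), applies the per-range allow or discard actions, and enforces the rule from the Add TCP Option Range dialog that the lower bound must not exceed the upper bound. The names TcpMap, OptionRange, normalize and build_segment and the sample segments are constructed for this example; dropping a malformed option list is an assumption of the model, not a setting on the page, and TTL evasion protection and checksum recomputation are not modelled.

```python
"""Toy model of the TCP-map checks in Table 56-7: reserved-bits handling
and TCP option range actions applied to a raw TCP segment (example code)."""
import struct
from dataclasses import dataclass, field

# Action names follow the choices offered in the TCP Map dialog boxes.
CLEAR_AND_ALLOW = "clear-and-allow"
ALLOW = "allow"
DROP = "drop"


@dataclass
class OptionRange:
    """One row of the TCP Range Options table: option kinds lower..upper."""
    lower: int
    upper: int
    action: str  # ALLOW or DROP (the page says allow or discard)

    def __post_init__(self):
        # The dialog requires lower <= upper; TCP option kinds are one byte.
        if not (0 <= self.lower <= self.upper <= 255):
            raise ValueError("lower bound must be <= upper bound, both in 0..255")
        if self.action not in (ALLOW, DROP):
            raise ValueError("option range action must be allow or drop")


@dataclass
class TcpMap:
    """Subset of a TCP map: the Reserved Bits choice plus option ranges."""
    reserved_bits: str = DROP
    option_ranges: list = field(default_factory=list)


def reserved_bits(segment: bytes) -> int:
    """Six reserved bits (RFC 793 layout): low nibble of byte 12 plus the
    top two bits of byte 13."""
    return ((segment[12] & 0x0F) << 2) | (segment[13] >> 6)


def option_kinds(opts: bytes):
    """Yield the option kind numbers present in a TCP options field."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            return
        yield kind
        if kind == 1:            # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        i += length


def normalize(tcp_map: TcpMap, segment: bytes):
    """Apply the map to one segment. Returns (action, segment); the segment
    is rewritten when reserved bits are cleared and is None on drop."""
    if len(segment) < 20:
        return DROP, None
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return DROP, None
    out = bytearray(segment)
    if reserved_bits(segment):
        if tcp_map.reserved_bits == DROP:
            return DROP, None
        if tcp_map.reserved_bits == CLEAR_AND_ALLOW:
            out[12] &= 0xF0      # keep data offset, clear reserved bits
            out[13] &= 0x3F      # keep flags, clear reserved bits
            # A real appliance recomputes the TCP checksum here; that needs
            # the IP pseudo-header, which this toy omits.
    try:
        for kind in option_kinds(segment[20:data_offset]):
            for rng in tcp_map.option_ranges:
                if rng.lower <= kind <= rng.upper:
                    if rng.action == DROP:
                        return DROP, None
                    break        # first matching range decides
    except ValueError:
        return DROP, None        # malformed option list: assumption, not a page setting
    return ALLOW, bytes(out)


def build_segment(reserved: int = 0, options: bytes = b"") -> bytes:
    """Constructed SYN segment (sample input; ports and seq are arbitrary)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    byte12 = (data_offset << 4) | ((reserved >> 2) & 0x0F)
    byte13 = ((reserved & 0x03) << 6) | 0x02     # SYN flag set
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       byte12, byte13, 65535, 0, 0) + options


# Map mirroring the dialog: clear reserved bits, discard the typical
# "not explicitly supported" option ranges 6-7 and 9-255.
POLICY = TcpMap(reserved_bits=CLEAR_AND_ALLOW,
                option_ranges=[OptionRange(6, 7, DROP), OptionRange(9, 255, DROP)])

if __name__ == "__main__":
    mss = b"\x02\x04\x05\xb4"                      # kind 2 (MSS), length 4
    print(normalize(POLICY, build_segment(options=mss))[0])                   # allow
    print(normalize(POLICY, build_segment(reserved=63, options=mss))[0])      # allow, bits cleared
    print(normalize(POLICY, build_segment(options=b"\x1e\x04\x00\x00"))[0])   # drop, kind 30
```

The first matching range decides the action, so overlapping ranges should be avoided when you fill in the TCP Range Options table; the model also shows why Clear and Allow is a rewrite rather than a pass-through, which is the point at which a real device must recompute the checksum.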