17-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Understanding Inspection Rules
Understanding Access Rule Requirements for Inspection Rules, page 17-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4
Configuring Inspection Rules, page 17-5
Understanding Access Rule Requirements for Inspection Rules
Access rules are applied before inspection rules. Therefore, you must ensure that your access rules do
not prohibit traffic that you want inspected. Use the following guidelines:
Permit inspected traffic to leave the network through the firewall.
All access rules that evaluate traffic leaving the protected network should permit traffic that will be
inspected. For example, if Telnet will be inspected, then Telnet traffic should be permitted on all
access rules that apply to traffic leaving the network.
Deny inspected return traffic entering the network through the firewall.
So that inspection can create temporary openings in an access list, the access list itself should deny
inspected return traffic; the inspection engine opens temporary holes in the access lists for this traffic
as sessions are established. (Traffic entering your network should normally be blocked.)
Permit or deny traffic that cannot be inspected, or that you do not want to inspect, as required by
your network.
For example, if you do not want to inspect ICMP traffic, but you want to allow some ICMP traffic,
configure your access rules to allow the traffic in both directions. Consider permitting at least these
ICMP message types: echo reply (for ping commands), time-exceeded (for trace route),
packet-too-big (for path MTU discovery), traceroute (for trace route), and unreachable (to notify
that a host cannot be found).
Add an access rule entry denying any network traffic from a source address matching an address on
the protected network.
This is known as anti-spoofing protection because it prevents traffic from an unprotected network
from assuming the identity of a device on the protected network.
Add an entry denying broadcast messages with a source address of 255.255.255.255.
This entry helps to prevent broadcast attacks.
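The following Python model is an added example, not code from the Cisco Security Manager guide or from IOS: it models the ordering the guidelines above describe (static access rules evaluated first, with inspection adding a temporary, session-specific opening for return traffic) so that the five guidelines can be checked against constructed packets. The rule syntax, the packet fields, the session table keyed on the 5-tuple, the 10.1.0.0/16 protected network and the choice of Telnet as the inspected protocol are all simplifying assumptions made for the example.

```python
"""Model of an access list plus inspection-created temporary openings.

Added illustration (not from the guide). Assumptions: ACLs are ordered
permit/deny rules with an implicit deny at the end; inspection tracks the
5-tuple of permitted outbound sessions and lets only the matching return
traffic through the inbound ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTECTED_NET = "10.1.0.0/16"   # constructed protected (inside) network
INSPECTED_TCP_PORTS = {23}      # Telnet is the inspected protocol in this example


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0
    icmp_type: str = ""         # e.g. "echo-reply", only used when proto == "icmp"


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"      # source network in CIDR form
    dst: str = "0.0.0.0/0"      # destination network in CIDR form
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate_acl(rules, p: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class InspectingFirewall:
    def __init__(self, outbound_acl, inbound_acl, inspected_ports):
        self.outbound_acl = outbound_acl
        self.inbound_acl = inbound_acl
        self.inspected_ports = inspected_ports
        self.sessions = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, p: Packet) -> str:
        # Access rules are applied before inspection rules: if the outbound
        # ACL blocks the packet, inspection never sees it.
        if evaluate_acl(self.outbound_acl, p) != "permit":
            return "deny"
        if p.proto == "tcp" and p.dport in self.inspected_ports:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "permit"

    def inbound(self, p: Packet) -> str:
        # A temporary opening exists only for the exact return 5-tuple of a
        # tracked session; everything else falls through to the static ACL.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.sessions:
            return "permit (inspection opening)"
        return evaluate_acl(self.inbound_acl, p)


# Guideline 1: permit the traffic that will be inspected when it leaves the network.
OUTBOUND_ACL = [
    Rule("permit", "tcp", src=PROTECTED_NET, dport=23),
    Rule("permit", "icmp", src=PROTECTED_NET),
]

# Guidelines 2-5 on the inbound side. Inspected return traffic (Telnet) is
# deliberately not permitted here; inspection opens the hole for it.
INBOUND_ACL = [
    Rule("deny", src=PROTECTED_NET),                     # anti-spoofing
    Rule("deny", src="255.255.255.255/32"),              # broadcast source address
    Rule("permit", "icmp", icmp_type="echo-reply"),      # ping replies
    Rule("permit", "icmp", icmp_type="time-exceeded"),   # traceroute
    Rule("permit", "icmp", icmp_type="packet-too-big"),  # path MTU discovery
    Rule("permit", "icmp", icmp_type="traceroute"),
    Rule("permit", "icmp", icmp_type="unreachable"),
]


def demo() -> dict:
    """Run constructed packets through the model and return the verdicts."""
    fw = InspectingFirewall(OUTBOUND_ACL, INBOUND_ACL, INSPECTED_TCP_PORTS)
    return {
        "telnet_out": fw.outbound(Packet("tcp", "10.1.2.3", "198.51.100.7", dport=23, sport=40000)),
        "telnet_return": fw.inbound(Packet("tcp", "198.51.100.7", "10.1.2.3", dport=40000, sport=23)),
        "unsolicited_telnet": fw.inbound(Packet("tcp", "198.51.100.9", "10.1.2.3", dport=23, sport=5555)),
        "spoofed_inside_src": fw.inbound(Packet("tcp", "10.1.9.9", "10.1.2.3", dport=40000, sport=23)),
        "broadcast_src": fw.inbound(Packet("udp", "255.255.255.255", "10.1.2.3", dport=53)),
        "ping_reply": fw.inbound(Packet("icmp", "198.51.100.7", "10.1.2.3", icmp_type="echo-reply")),
        "echo_request_in": fw.inbound(Packet("icmp", "198.51.100.7", "10.1.2.3", icmp_type="echo-request")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The point of the model is the ordering: the Telnet reply is accepted only because the outbound ACL permitted the request and inspection recorded the session, while the same reply arriving unsolicited, or with a spoofed inside source, is stopped by the static inbound ACL. Removing the anti-spoofing rule or adding a blanket `permit tcp` inbound would make the last two cases pass and would defeat the purpose of inspection.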
Related Topics
Understanding Access Rules, page 16-1
Choosing the Interfaces for Inspection Rules, page 17-2
Selecting Which Protocols To Inspect, page 17-3
Configuring Inspection Rules, page 17-5
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices
Inspecting packets at the application layer, and maintaining TCP and UDP session information, provides
a device with the ability to detect and prevent certain types of network attacks such as SYN-flooding. A
SYN-flood attack occurs when a network attacker floods a server with a barrage of requests for
connection and does not complete the connection. The resulting volume of half-open connections can
overwhelm the server, causing it to deny service to valid requests. Network attacks that deny access to a
network device are called denial-of-service (DoS) attacks.
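To make the half-open-connection idea concrete, here is an added Python tracker that is not part of the guide and does not reproduce the IOS inspection engine: it keeps per-server counts of TCP handshakes that have started but not completed and raises an alert when a server's count passes a limit. The event format, the limit of 5 and the constructed addresses are assumptions for the example; on a real device the corresponding thresholds are set through the inspection rule's own settings.

```python
"""Half-open TCP session tracker (added illustration, not IOS code).

Assumed event format: (src_ip, dst_ip, flags) where flags is "S" for a
client SYN, "A" for the client's handshake-completing ACK, and "R" for a
reset. The server's SYN-ACK does not change the state, so it is ignored.
"""
from collections import defaultdict

HALF_OPEN_LIMIT = 5   # assumed per-server limit for this example


class HalfOpenTracker:
    def __init__(self, limit: int = HALF_OPEN_LIMIT):
        self.limit = limit
        self.half_open = set()              # (client, server) pairs awaiting the final ACK
        self.per_server = defaultdict(int)  # server -> number of half-open connections
        self.alerts = []                    # servers whose count exceeded the limit

    def observe(self, src: str, dst: str, flags: str) -> None:
        key = (src, dst)
        if flags == "S":
            # A new SYN opens a half-open entry; repeated SYNs from the same
            # client to the same server are counted once.
            if key not in self.half_open:
                self.half_open.add(key)
                self.per_server[dst] += 1
                if self.per_server[dst] > self.limit and dst not in self.alerts:
                    self.alerts.append(dst)
        elif flags in ("A", "R") and key in self.half_open:
            # The handshake completed (or was reset): the entry is no longer half open.
            self.half_open.discard(key)
            self.per_server[dst] -= 1


def replay(events, limit: int = HALF_OPEN_LIMIT) -> dict:
    """Feed a sequence of events to a tracker and return its final state."""
    tracker = HalfOpenTracker(limit)
    for src, dst, flags in events:
        tracker.observe(src, dst, flags)
    return {"half_open": dict(tracker.per_server), "alerts": list(tracker.alerts)}


# Constructed sample: one client completes its handshake with the server at
# 10.1.2.10, then eight sources send SYNs and never finish the handshake.
SAMPLE_EVENTS = [
    ("10.1.2.3", "10.1.2.10", "S"),
    ("10.1.2.3", "10.1.2.10", "A"),
] + [(f"203.0.113.{i}", "10.1.2.10", "S") for i in range(1, 9)]


if __name__ == "__main__":
    state = replay(SAMPLE_EVENTS)
    print("half-open per server:", state["half_open"])
    print("servers over limit:  ", state["alerts"])
```

The completed handshake is removed from the count, so only the eight unfinished ones remain against the server and the limit of 5 is crossed. This is the information an inspecting device has that a stateless access list does not: it can tell a flood of unfinished connections from a burst of legitimate ones, and act on the half-open count rather than on raw packet volume.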