B-37
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Appendix B Signature Engines
Normalizer Engine
The Normalizer engine deals with IP fragment reassembly and TCP stream reassembly. With the
Normalizer engine you can set limits on system resource usage, for example, the maximum number of
fragments the sensor tries to track at the same time. Sensors in promiscuous mode report alerts on
violations. Sensors in inline mode perform the action specified in the event action parameter, such as
produce-alert, deny-packet-inline, and modify-packet-inline.
Caution
For signature 3050 Half Open SYN Attack, if you choose modify-packet-inline as the action, you can
see as much as 20 to 30% performance degradation while the protection is active. The protection is only
active during an actual SYN flood.
IP Fragmentation Normalization
Intentional or unintentional fragmentation of IP datagrams can hide exploits making them difficult or
impossible to detect. Fragmentation can also be used to circumvent access control policies like those
found on firewalls and routers. And different operating systems use different methods to queue and
dispatch fragmented datagrams. If the sensor has to check for all possible ways that the end host can
reassemble the datagrams, the sensor becomes vulnerable to DoS attacks. Reassembling all fragmented
datagrams inline, forwarding only completed datagrams, and refragmenting the datagram if
necessary prevents this. The IP Fragmentation Normalization unit performs this function.
TCP Normalization
Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To
make sure policy enforcement can occur with no false positives and false negatives, the state of the two
TCP endpoints must be tracked and only the data that is actually processed by the real host endpoints
should be passed on. Overlaps in a TCP stream can occur, but are extremely rare except for TCP segment
retransmits. Overwrites in the TCP session should not occur. If overwrites do occur, someone is
intentionally trying to elude the security policy or the TCP stack implementation is broken. Maintaining
full information about the state of both endpoints is not possible unless the sensor acts as a TCP proxy.
Instead of the sensor acting as a TCP proxy, the segments are ordered properly and the Normalizer
engine looks for any abnormal packets associated with evasion and attacks.
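The distinction the TCP Normalization section draws between a benign overlap (a retransmit carrying the same bytes) and an overwrite (the same sequence range carrying different bytes) is easiest to see in code. The following is an added, illustrative example, not Cisco's Normalizer engine code: it orders the segments of one direction of a TCP stream, forwards only contiguous data for inspection, passes identical retransmits silently, and refuses to forward data that conflicts with bytes already seen. Class and alert names are assumptions made for this example.

```python
from typing import Dict, List, Tuple


class TcpStreamNormalizer:
    """One direction of a TCP stream (constructed example, not Cisco code).

    Segments are keyed by absolute sequence number. Bytes already seen are kept
    so that a later segment covering the same range can be compared against them:
    identical bytes are a retransmit (benign, rare), differing bytes are an
    overwrite, which the page attributes to evasion or a broken TCP stack.
    A real sensor bounds this buffer; the example keeps it for clarity.
    """

    def __init__(self, isn: int) -> None:
        self.next_seq = isn                   # next byte the receiver would consume
        self.bytes_seen: Dict[int, int] = {}  # absolute seq -> byte value
        self.alerts: List[Tuple[str, int]] = []

    def feed(self, seq: int, data: bytes) -> bytes:
        """Accept one segment; return the bytes newly ready for inspection."""
        overlap = conflict = False
        for i, b in enumerate(data):
            s = seq + i
            if s in self.bytes_seen:
                overlap = True
                if self.bytes_seen[s] != b:
                    conflict = True
        if conflict:
            # Overwrite: same sequence range, different payload. Do not pass it on.
            self.alerts.append(("tcp-overwrite", seq))
            return b""
        if overlap:
            # Retransmit with identical bytes: benign, noted only for visibility.
            self.alerts.append(("tcp-retransmit", seq))
        for i, b in enumerate(data):
            self.bytes_seen[seq + i] = b
        # Release everything contiguous from the expected sequence number;
        # out-of-order segments stay held until the gap before them is filled.
        out = bytearray()
        while self.next_seq in self.bytes_seen:
            out.append(self.bytes_seen[self.next_seq])
            self.next_seq += 1
        return bytes(out)


def demo() -> Tuple[List[bytes], List[Tuple[str, int]]]:
    """Feed a constructed segment sequence and return what was forwarded."""
    n = TcpStreamNormalizer(1000)
    forwarded = [
        n.feed(1000, b"GET "),   # in order: forwarded immediately
        n.feed(1006, b"HTTP"),   # out of order: held, gap at 1004..1005
        n.feed(1004, b"/ "),     # fills the gap: releases "/ " and the held "HTTP"
        n.feed(1004, b"/ "),     # identical retransmit: nothing new to forward
        n.feed(1000, b"POST"),   # overwrite of already-seen bytes: dropped, alerted
    ]
    return forwarded, n.alerts


if __name__ == "__main__":
    print(demo())
```

The same object would be instantiated once per direction of a connection, keyed on the four-tuple, which is how the sensor tracks "the state of the two TCP endpoints" without acting as a full proxy.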
IPv6 Fragments
The Normalizer engine can reassemble IPv6 fragments and forward the reassembled buffer for
inspection and actions by other engines and processors. The following differences exist between IPv4
and IPv6:
• modify-packet-inline for Normalizer engine signatures has no effect on IPv6 datagrams.
• Signature 1206 (IP Fragment Too Small) does not fire for IPv6 datagrams. Signature 1741 in the
Atomic IP Advanced engine fires for IPv6 fragments that are too small.
• Signature 1202 allows 48 additional bytes beyond the max-datagram-size for IPv6 because of the
longer IPv6 header fields.
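The IP Fragmentation Normalization section and the IPv6 differences above describe one mechanism: buffer fragments up to a resource limit, forward a datagram only once it is complete, refragment it if needed, and flag too-small fragments and oversized datagrams. The following is an added, illustrative model of that mechanism, not Cisco's Normalizer engine code. The threshold constants (tracked-fragment limit, max-datagram-size, minimum fragment payload) are assumptions chosen for the example; the 48-byte IPv6 allowance and the rule that the too-small check applies to IPv4 only come from the page. The too-small check for IPv6, which the page assigns to signature 1741 in a different engine, is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed values for this example; on a sensor these are signature parameters.
MAX_TRACKED_FRAGMENTS = 8     # "maximum number of fragments the sensor tries to track"
MAX_DATAGRAM_SIZE = 1500      # stands in for max-datagram-size
IPV6_EXTRA_ALLOWANCE = 48     # page: 48 additional bytes allowed for IPv6
MIN_FRAGMENT_PAYLOAD = 16     # assumed "too small" threshold for non-final fragments

DatagramKey = Tuple[str, str, int]   # (src, dst, identification)


@dataclass
class Fragment:
    key: DatagramKey
    offset: int        # byte offset of this payload within the datagram
    more: bool         # more-fragments flag
    data: bytes
    ipv6: bool = False


class IpFragmentNormalizer:
    """Constructed example of inline fragment normalization (not Cisco code)."""

    def __init__(self) -> None:
        self.pending: Dict[DatagramKey, List[Fragment]] = {}
        self.alerts: List[Tuple[str, DatagramKey]] = []

    def tracked(self) -> int:
        return sum(len(v) for v in self.pending.values())

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled datagram when complete, otherwise None."""
        # Too-small non-final fragment: IPv4 only, as the page states for 1206.
        if frag.more and not frag.ipv6 and len(frag.data) < MIN_FRAGMENT_PAYLOAD:
            self.alerts.append(("fragment-too-small", frag.key))
            return None
        # Resource limit: refuse to track more fragments than the budget allows,
        # so a flood of incomplete datagrams cannot exhaust the sensor.
        if self.tracked() >= MAX_TRACKED_FRAGMENTS:
            self.alerts.append(("fragment-limit", frag.key))
            return None
        self.pending.setdefault(frag.key, []).append(frag)
        return self._try_reassemble(frag.key)

    def _try_reassemble(self, key: DatagramKey) -> Optional[bytes]:
        frags = sorted(self.pending[key], key=lambda f: f.offset)
        final = [f for f in frags if not f.more]
        if not final:
            return None                       # last fragment not yet seen
        expected_len = final[0].offset + len(final[0].data)
        buf = bytearray()
        for f in frags:
            if f.offset > len(buf):
                return None                   # gap: keep waiting
            if f.offset < len(buf):
                # Overlapping fragments: hosts disagree on how to resolve these,
                # so the normalizer does not guess; it drops the datagram state.
                self.alerts.append(("fragment-overlap", key))
                del self.pending[key]
                return None
            buf += f.data
        del self.pending[key]                 # complete: release tracking state
        if len(buf) != expected_len:
            self.alerts.append(("fragment-beyond-end", key))
            return None
        limit = MAX_DATAGRAM_SIZE + (IPV6_EXTRA_ALLOWANCE if frags[0].ipv6 else 0)
        if len(buf) > limit:
            self.alerts.append(("datagram-too-large", key))
            return None
        return bytes(buf)


def refragment(key: DatagramKey, datagram: bytes, mtu: int, ipv6: bool = False) -> List[Fragment]:
    """Split a reassembled datagram back into fragments of at most mtu payload bytes."""
    out: List[Fragment] = []
    for off in range(0, len(datagram), mtu):
        chunk = datagram[off:off + mtu]
        out.append(Fragment(key, off, off + len(chunk) < len(datagram), chunk, ipv6))
    return out


if __name__ == "__main__":
    n = IpFragmentNormalizer()
    k = ("10.0.0.1", "10.0.0.2", 7)          # constructed sample key
    n.feed(Fragment(k, 0, True, b"A" * 32))
    print(n.feed(Fragment(k, 32, False, b"B" * 8)), n.alerts)
```

Only the output of `feed` reaches the inspection engines; `refragment` is what an inline sensor would apply before forwarding a reassembled datagram that exceeds the egress MTU.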
TCP Normalizer Signature Warning
You receive the following warning if you disable a default-enabled TCP Normalizer signature or remove
a default-enabled modify-packet-inline, deny-packet-inline, or deny-connection-inline action:
Use caution when disabling, retiring, or changing the event action settings of a <Sig ID>
TCP Normalizer signature for a sensor operating in IPS mode. The TCP Normalizer signature
default values are essential for proper operation of the sensor.
If the sensor is seeing duplicate packets, consider assigning the traffic to multiple
virtual sensors. If you are having problems with asymmetric or out-of-order TCP packets,
consider changing the normalizer mode from strict evasion protection to asymmetric mode
protection. Contact Cisco TAC if you require further assistance.