XSR Firewall Feature Set Functionality
16-16 Configuring Security on the XSR
against the routing table. If a packet is received from an interface with a source IP address that is
not routable through this interface, it is considered spoofed and dropped.
A high priority log is generated when DoS attacks are detected. These DoS attacks are covered:
– Anti-Spoofing - In response to a spoof attack, the firewall drops all packets with a source address belonging to an internal network when received from an external interface. Packets from an internal interface with a source address not in that internal network are also dropped.
– ICMP Flood - In response to ICMP echo requests received from different source addresses at a very high rate, the firewall sets a rate limit on the number of ICMP echo requests processed per second.
– Ping of Death - In response, fragmented echo requests are dropped.
– Smurf attack - In response to a smurf attack, where ICMP echo requests have a directed broadcast address as the destination and any host as the source, the firewall filters echo requests to directed broadcasts, or all directed broadcast packets.
– SYN Flood - In response to a continuous stream of TCP open packets (SYN bit set) targeting an address, the firewall limits the number of half-open TCP connections and sets a maximum rate of new TCP connections.
– Teardrop - In response to receiving IP fragments that overlap, the firewall tracks the fragments received for every session, detects bad offsets and drops the entire packet (all fragments).
– Christmas Tree - When a TCP packet is received with all flags set, TCP packets with any two of the SYN, FIN or RST bits set are dropped.
– LAND - In response to receiving a TCP SYN packet with the same source and destination address, the firewall drops any packet with the same source and destination address.
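The checks listed above can be expressed as a small packet inspector. The following is an added example written for this page; it is not XSR firmware code and does not reproduce the XSR's actual algorithms. It assumes a constructed two-interface routing table (internal 10.1.0.0/16 on eth0, default route on eth1), a half-open connection limit of 3, and simplified packet records; the ICMP flood and Smurf rate checks are left out because they need timing data the records below do not carry.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed routing table (assumption): prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): "eth0",   # internal LAN
    ipaddress.ip_network("0.0.0.0/0"): "eth1",     # default route, external side
}


def route_interface(ip):
    """Longest-prefix match: the interface a packet to `ip` would leave by."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


@dataclass
class Packet:
    iface: str                       # interface the packet arrived on
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp-echo"
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    frag_id: int = 0                 # IP identification field
    frag_offset: int = 0             # fragment offset in bytes
    frag_len: int = 0                # fragment payload length; 0 = not fragmented


@dataclass
class Inspector:
    max_half_open: int = 3
    half_open: dict = field(default_factory=lambda: defaultdict(int))
    fragments: dict = field(default_factory=lambda: defaultdict(list))

    def check(self, pkt):
        """Return the name of the attack the packet matches, or None if it is clean."""
        # LAND: same source and destination address, regardless of interface.
        if pkt.src == pkt.dst:
            return "land"
        # Anti-spoofing (reverse-path check): the source must be routable back
        # through the interface the packet arrived on.
        if route_interface(pkt.src) != pkt.iface:
            return "anti-spoofing"
        if pkt.proto == "tcp":
            # Christmas tree: any two of SYN, FIN, RST set together.
            if len(pkt.flags & {"SYN", "FIN", "RST"}) >= 2:
                return "christmas-tree"
            # SYN flood: bound the half-open connections per destination.
            if pkt.flags == {"SYN"}:
                self.half_open[pkt.dst] += 1
                if self.half_open[pkt.dst] > self.max_half_open:
                    return "syn-flood"
            elif "ACK" in pkt.flags and self.half_open[pkt.dst] > 0:
                self.half_open[pkt.dst] -= 1   # handshake completed (simplified)
        if pkt.proto == "icmp-echo" and pkt.frag_len:
            # Ping of death: fragmented echo requests are dropped outright.
            return "ping-of-death"
        if pkt.frag_len:
            # Teardrop: a fragment overlapping one already seen for this datagram.
            key = (pkt.src, pkt.dst, pkt.frag_id)
            start, end = pkt.frag_offset, pkt.frag_offset + pkt.frag_len
            for seen_start, seen_end in self.fragments[key]:
                if start < seen_end and seen_start < end:
                    return "teardrop"
            self.fragments[key].append((start, end))
        return None


def inspect_all(packets):
    """Run a fresh inspector over a packet list; returns one verdict per packet."""
    insp = Inspector()
    return [insp.check(p) for p in packets]


# Constructed sample traffic (all addresses are documentation/private ranges).
SAMPLE_PACKETS = [
    Packet("eth0", "10.1.0.5", "203.0.113.9", "tcp", frozenset({"SYN"})),          # clean
    Packet("eth1", "10.1.0.7", "10.1.0.5", "tcp", frozenset({"SYN"})),             # internal src from outside
    Packet("eth1", "203.0.113.9", "203.0.113.9", "tcp", frozenset({"SYN"})),       # src == dst
    Packet("eth1", "198.51.100.1", "10.1.0.5", "tcp",
           frozenset({"SYN", "FIN", "RST", "PSH", "URG"})),                        # all flags set
    Packet("eth1", "198.51.100.10", "10.1.0.5", "tcp", frozenset({"SYN"})),        # half-open 1
    Packet("eth1", "198.51.100.11", "10.1.0.5", "tcp", frozenset({"SYN"})),        # half-open 2
    Packet("eth1", "198.51.100.12", "10.1.0.5", "tcp", frozenset({"SYN"})),        # half-open 3
    Packet("eth1", "198.51.100.13", "10.1.0.5", "tcp", frozenset({"SYN"})),        # exceeds limit
    Packet("eth1", "198.51.100.2", "10.1.0.5", "icmp-echo", frag_id=7, frag_len=1480),
    Packet("eth1", "198.51.100.3", "10.1.0.5", "udp", frag_id=9, frag_offset=0, frag_len=1000),
    Packet("eth1", "198.51.100.3", "10.1.0.5", "udp", frag_id=9, frag_offset=800, frag_len=600),
    Packet("eth1", "198.51.100.3", "10.1.0.5", "udp", frag_id=9, frag_offset=1000, frag_len=480),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, inspect_all(SAMPLE_PACKETS)):
        print(f"{pkt.iface} {pkt.src} -> {pkt.dst} {pkt.proto}: {verdict or 'ok'}")
```

Each verdict corresponds to one of the high priority log events described above; a real device would also need timers to age out half-open entries and fragment state, which this example omits.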
Alarm Logging
The XSR supports Console and Syslog logging and provides session usage data using the allow-log/log options. If you want to enable persistent logging, which preserves logs after a system reboot, you must install a CompactFlash memory card in the XSR. Logs stored in Flash are purged during a system reboot unless the XSR senses the presence of CompactFlash.
Alarms
The XSR generates firewall alarms in the following categories:
– TCP and UDP packets
    – Permitted connect and disconnect
    – Blocked connects and disconnects
    – Blocked data packet
    – Individual packet logging per user configured firewall policy (by stipulating allow_log or log)
– IP option Permit or Deny logs
– Other Protocols Permit or Deny logs
    – OSPF, ESP, RIP, GRE
    – ICMP
    – Broadcast, multicast
– Specific FTP, HTTP and SMTP request logs