Monday, June 6, 2016

Threat Detection on Cisco ASA Firewall


Threat Detection is a feature that you can enable on a Cisco ASA firewall; in this example we use an ASA5512-X.

Check the simple topology below:
Enabling threat detection can be done from the CLI with the following commands:


# threat-detection basic-threat   [ enables basic threat detection ]
# threat-detection scanning-threat shun except object-group NOT-ATTACKER
# threat-detection statistics   [ this command enables advanced threat detection ]
# threat-detection statistics tcp-intercept rate-interval 5 burst-rate 25 average-rate 25


On ASDM the same settings are under [ Configuration > Firewall > Threat Detection ].



NOT-ATTACKER is an object group that contains the IPs you do not want to end up in the shun list;
those hosts are excepted from the action the firewall takes when the other event triggers fire.


To check which features were enabled by the command #threat-detection statistics [ advanced ], use the command below:

# show running-config all threat-detection 
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except object-group NOT-ATTACKER
threat-detection statistics access-list
threat-detection statistics host number-of-rate 1
threat-detection statistics port number-of-rate 1
threat-detection statistics protocol number-of-rate 1
threat-detection statistics tcp-intercept rate-interval 5 burst-rate 25 average-rate 25





Note:
Since you probably have smartphones connecting to your network, you may see threats originating from inside your own network. It is better to add your inside subnets to the exception list, so that no host on your networks gets blocked.

ASA# show object-group id NOT-ATTACKER
object-group network NOT-ATTACKER
 description: this object group contains hosts excluded from shun
 network-object 10.211.0.0 255.255.0.0
 network-object 192.168.200.0 255.255.252.0
 network-object 172.16.16.0 255.255.255.0
 network-object 10.80.90.0 255.255.255.0
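As an added example (not part of the original post), here is a small Python check that parses the object-group output above and reports which inside subnets are not fully covered by a NOT-ATTACKER entry. The inside subnet list and the extra "host" entry are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of "show object-group id NOT-ATTACKER" output: the four entries from
# the post plus one "host" entry added to show that a single host does not cover a subnet.
OBJECT_GROUP = """\
object-group network NOT-ATTACKER
 description: this object group contains hosts excluded from shun
 network-object 10.211.0.0 255.255.0.0
 network-object 192.168.200.0 255.255.252.0
 network-object 172.16.16.0 255.255.255.0
 network-object 10.80.90.0 255.255.255.0
 network-object host 10.80.91.1
"""

# Constructed list of inside subnets that must never be shunned (assumption for the example).
INSIDE_SUBNETS = ["10.211.5.0/24", "192.168.201.0/24", "10.80.90.0/24",
                  "10.80.91.0/24", "10.20.30.0/24"]

def parse_object_group(text):
    """Return the networks listed in an ASA network object-group.
    Handles 'network-object A.B.C.D MASK' and 'network-object host A.B.C.D' lines."""
    nets = []
    for line in text.splitlines():
        m = re.match(r"\s*network-object\s+host\s+(\S+)\s*$", line)
        if m:
            nets.append(ipaddress.ip_network(m[1]))          # single host -> /32
            continue
        m = re.match(r"\s*network-object\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            # ipaddress accepts "address/netmask"; strict=False tolerates host bits set
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return nets

def uncovered_subnets(object_group_text, inside_subnets):
    """Return the inside subnets that no single object-group entry fully contains.
    A subnet split across several entries is reported too, which is the conservative choice."""
    covered = parse_object_group(object_group_text)
    return [s for s in inside_subnets
            if not any(ipaddress.ip_network(s).subnet_of(net) for net in covered)]
```

Run it against the real `show object-group id NOT-ATTACKER` output and your own subnet list before enabling the shun action.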





Check the statistics below, which show what has been done with the events that were considered threats:

ASA# show threat-detection rate
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                 43              42      14             26160
  1-hour ACL  drop:                 45              43       0            163347
  10-min ICMP attk:                  0               0       0                 5
  1-hour ICMP attk:                  0               0       0                29
  10-min SYN attck:                 41              38     471             25067
  1-hour SYN attck:                 42              38      79            151824
  10-min  Scanning:                120             114   52852             72070
  1-hour  Scanning:                123             115   34517            444929
  10-min Bad  pkts:                 34              33       0             20596
  1-hour Bad  pkts:                 35              33       0            128188
  10-min  Firewall:                 78              75       0             47003
  1-hour  Firewall:                 81              77       0            293105
  10-min DoS attck:                  0               0       0               242
  1-hour DoS attck:                  0               0       0              1541
  10-min Interface:                 80             237       2             48218
  1-hour Interface:                 83              79       0            301326
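Added example, not from the original post: a Python script that joins the rows of `show threat-detection rate` with the thresholds from `show running-config all threat-detection`, so each triggered category can be read next to its configured average-rate and burst-rate. The embedded excerpts are constructed from the outputs shown above, and the mapping from display labels to configuration rate names is an assumption of the example.

```python
import re

# Constructed excerpt of "show running-config all threat-detection" from the post.
RATE_CONFIG = """\
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
"""
# Constructed excerpt of "show threat-detection rate" output from the post.
RATE_OUTPUT = """\
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                 43              42      14             26160
  1-hour ACL  drop:                 45              43       0            163347
  10-min SYN attck:                 41              38     471             25067
  10-min  Scanning:                120             114   52852             72070
"""
# Display label in the statistics -> rate name used in the configuration (assumed mapping).
LABEL_TO_RATE = {"ACL drop": "acl-drop", "ICMP attk": "icmp-drop", "SYN attck": "syn-attack",
                 "Scanning": "scanning-threat", "Bad pkts": "bad-packet-drop",
                 "Firewall": "fw-drop", "DoS attck": "dos-drop", "Interface": "interface-drop"}
INTERVAL_SECONDS = {"10-min": 600, "1-hour": 3600}

def parse_thresholds(text):
    """Map (rate name, interval seconds) -> (average-rate, burst-rate) thresholds."""
    pat = re.compile(r"threat-detection rate (\S+) rate-interval (\d+) average-rate (\d+) burst-rate (\d+)")
    return {(m[1], int(m[2])): (int(m[3]), int(m[4]))
            for m in map(pat.match, text.splitlines()) if m}

def parse_rates(text):
    """Yield (interval seconds, rate name, average eps, current eps, trigger count, total events)."""
    pat = re.compile(r"\s*(10-min|1-hour)\s+(.+?):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
    for m in map(pat.match, text.splitlines()):
        if m:
            label = " ".join(m[2].split())  # "ACL  drop" -> "ACL drop"
            yield (INTERVAL_SECONDS[m[1]], LABEL_TO_RATE[label], *map(int, m.group(3, 4, 5, 6)))

def review(config_text, rate_text):
    """Join the observed rates with their thresholds and return the rows worth looking at:
    rows that have triggered at least once, or whose current rate is at or above burst-rate."""
    thresholds = parse_thresholds(config_text)
    findings = []
    for interval, name, avg, cur, trig, total in parse_rates(rate_text):
        avg_thr, burst_thr = thresholds.get((name, interval), (None, None))
        if trig > 0 or (burst_thr is not None and cur >= burst_thr):
            findings.append({"rate": name, "interval": interval, "average_eps": avg,
                             "current_eps": cur, "trigger": trig, "total": total,
                             "average_rate": avg_thr, "burst_rate": burst_thr})
    return findings
```

Rows whose rate name is missing from the config excerpt get `None` thresholds, so feed it the full `show running-config all threat-detection` output in practice.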




Samer R. Saleem
