
ASA Static NAT 0 0

When configuring static NAT on the ASA, we normally put 0 0 at the end of the line:

static (inside, outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255 0 0

When we type a question mark (?) for the options, it always shows:

The maximum number of simultaneous tcp connections the local IP
hosts are to allow, default is 0 which means unlimited
connections. Idle connections are closed after the time
specified by the timeout conn command

I did Google it, though, and then I found out the real meaning of these two zeros.

The two 0 values at the end of the command are the Max Connections and the Embryonic Limit; when they are set to 0 they mean unlimited.

Max Connections is the limit on TCP connections. The Embryonic Limit is the number of connections that are not completely open, i.e. that have not gone through the full 3-way handshake; it exists to help stop a DDoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

Gratuitous ARP

Gratuitous ARP can mean either a gratuitous ARP request or a gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but can be used in some cases. A gratuitous ARP request is an Address Resolution Protocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.

Gratuitous ARPs are useful for four reasons:

  • They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
  • They assist in the updating of other machines’ ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another.
  • They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
  • Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts.
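An added example (not part of the original post) that applies these definitions to raw frames: it parses an Ethernet/ARP frame, labels gratuitous requests and replies, and performs the IP-conflict check from the first bullet. The frames are constructed inline and the MAC and IP values are made up; the single-frame rule for a gratuitous reply (sender IP equals target IP) is an assumption, since a capture of one packet cannot show whether a request preceded it.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_frame(op, sha, spa, tha, tpa, dst=BROADCAST):
    """Constructed test frame: Ethernet II + ARP for Ethernet/IPv4 (htype 1, ptype 0x0800)."""
    eth = ETH.pack(mac_bytes(dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame as a dict, or None if it is not an ARP frame."""
    if len(frame) < ETH.size + ARP.size:
        return None
    dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"dst": fmt_mac(dst), "op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}

def classify(arp):
    """Label one ARP packet: a gratuitous request has sender IP == target IP and goes to the
    broadcast MAC; a reply announcing the sender's own IP is treated as gratuitous (assumption)."""
    if arp["spa"] == arp["tpa"]:
        if arp["op"] == ARP_REQUEST and arp["dst"] == BROADCAST:
            return "gratuitous-request"
        if arp["op"] == ARP_REPLY:
            return "gratuitous-reply"
    return "normal"

def ip_conflict(arp, my_ip, my_mac):
    """Conflict check from the first bullet: a request whose sender IP is ours, from another MAC."""
    return arp["op"] == ARP_REQUEST and arp["spa"] == my_ip and arp["sha"] != my_mac
```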

Understanding Cisco IDS Signature Series

It is important to understand what a signature is and what exactly a signature does. A signature is a known type of activity: it has already been detected in the wild, and someone has captured the personality or traffic pattern of the attack or intrusive activity and documented it. In many ways, a signature is akin to a fingerprint. A fingerprint is unique to a person, just as a signature is unique to a certain attack or type of activity. A Cisco IDS sensor compares traffic against the signatures it has configured and matches up this activity when it appears on your network. The parameters you set for the signature tell the sensor how to respond to the threat: the sensor can send an alarm to your IDS management device, log the event, send e-mail alerts, or even block the suspect traffic at the router, switch, or firewall.

Now we are going to discuss each of the signature series. I have taken the time to separate them into numbered series; the signatures range from 1000 all the way into the 11000s. Besides grouping signatures numerically, the series number represents another type of grouping: it helps the administrator narrow down what type of attack is generating the alarms. Is it atomic? Is the attack a string, a sweep, or a web site exploit? Although the numbers do cover multiple signature types, they help the administrator narrow down the search.

The following list gives a brief description of each signature series.

  • The 1000 series covers the signatures that analyze the content of IP headers.
  • The 2000 series focuses on ICMP signatures.
  • The 3000 series is all about TCP-based signatures.
  • The 4000 series is all about UDP connections and ports on the network.
  • The 5000 series is probably the largest. It covers web (HTTP) traffic.
  • The 6000 series focuses on multiprotocol signatures.
  • The 7000 series has the ARP signatures.
  • The 8000 series is string-matching signatures.
  • The 9000 series covers Back Doors.
  • The 10000 series has signatures that focus on policy enforcement.

The detailed article is here.