Lesson 13 Flashcards
The ___________ feature of the ASA appliance monitors the dropped-packet rate and security events and, if it sees a threat, generates a log message.
Basic Threat Detection
It measures the rate at which drops occur over a configured period of time.
Basic Threat Detection is enabled by default.
It is enabled with the following command:
fw1(config)# threat-detection basic-threat
These settings can be seen on the appliance with the __________ command.
show run all threat-detection
Basic Threat Detection measures the rate at which drops occur over a configured period of time. This period of time is called the ________ and can range from ___ seconds to __ days.
average rate interval (ARI)
600 seconds to 30 days
The burst rate is very similar but looks at smaller periods of snapshot data, called the __________.
burst rate interval (BRI)
show run all threat-detection [rate]
Unlike Basic Threat Detection, Advanced Threat Detection can be used to track statistics for more granular objects.
fw1(config)# threat-detection statistics [{access-list | host | port | protocol}]
Without any options, all statistics are enabled.
show threat-detection statistics
show threat-detection statistics top
_____________ is used in order to keep track of suspected attackers who create connections to too many hosts in a subnet, or many ports on a host/subnet.
Scanning Threat Detection
threat-detection scanning-threat
Scanning Threat Detection can optionally react to an attack by ________ the attacker IP.
shunning
Once the set threshold for _________________ has been reached, the security appliance will intercept all TCP synchronizations and respond on behalf of the client.
TCP synchronizations (also known as SYN scan half-open connections, or embryonic connections)
You can limit the number of embryonic connections that can be built with the _______________ with the _____________ option using the Modular Policy Framework.
set connection command
embryonic-conn-max
The ASA AIP-SSM IPS module, on the other hand, can detect over 1,500 attacks. However, if you don't have this card, you can supplement the security of your appliance with the IPS software feature, commonly called ___________.
IP audit
The following signature classes are supported by Cisco Security Appliances:
Informational
Attack
To enable default IDS on a security appliance, use the commands:
fw1(config)#
ip audit info action alarm
ip audit attack action alarm
IDS attack trigger: the three possible actions
Alarm, Drop, Reset
To disable IP auditing you must use:
ip audit info action
When a ______ is activated, all existing connections from an attacker can be dropped and all future connections can be blocked.
shun
The two general operating modes for the IDS/IPS SSM module in an ASA
Inline
Promiscuous
By default, the appliance allows up to __ fragments to make up a complete IP packet, as well as up to ___ fragments waiting to be reassembled into complete packets.
24
200
If you do not expect fragments in your network, then you should have the appliance drop any fragments it receives. This is accomplished with the following command:
fw1(config)# fragment chain 1 outside
The chain parameter specifies the number of fragments that can make up a complete packet; by setting it to 1, you ensure that your appliance won't allow fragments through it, since fragments are commonly used in DoS attacks.
Virtual IP Reassembly
ASA provides IP fragment protection by performing full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the ASA.
Sets the maximum number of packets to track/hold in the database. Default is __
fragment size
200
Sets the maximum number of fragments per packet. Default is __
fragment chain
24
Sets the time to receive all fragments once the first has been received by the appliance. Default is _ seconds; the maximum is __ seconds
fragment timeout
5 seconds; maximum 30 seconds
The ____________ command is most useful in reducing the chances of internal hosts becoming parties to an attack and of outsiders spoofing a trusted inside address.
ip verify reverse-path interface
A default route must be configured.