The Cisco ASA firewall appliance provides strong security protection out of the box with its default configuration. However, to raise the level of protection even further, there are several configuration enhancements that implement additional security features. Two of these features are IP Spoofing protection and basic Intrusion Prevention (IPS) support.

IP Spoofing Protection

IP spoofing attacks are those that change the actual source IP address of packets to obscure their true origin. With IP spoofing protection enabled, packets arriving at a particular interface (e.g. inside) must have a valid source IP address that belongs behind that interface according to the firewall routing table. Normally the firewall only looks at the destination address of a packet in order to forward it. If you enable the IP spoofing protection mechanism, the firewall also checks the source address of the packets.

If, for example, our inside interface connects to the internal network 192.168.1.0/24, then packets arriving at the inside firewall interface must have a source address in the range 192.168.1.0/24 (or in another network that the routing table reaches through the inside interface); otherwise they will be dropped, provided IP spoofing protection is configured on that interface.

The IP spoofing protection feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic that you want to allow through the security appliance, the routing table of the security appliance must include a route back to the source address, and that route must point out of the interface on which the packet arrived.

To enable IP spoofing protection, enter the following command:

CiscoASA5500(config)# ip verify reverse-path interface "interface_name"

For example, to enable IP spoofing protection on the inside interface, use the following command:

CiscoASA5500(config)# ip verify reverse-path interface inside

Basic IPS Protection

Although the ASA firewall supports full IPS functionality with an extra IPS hardware module (AIP-SSM), it also supports basic IPS protection which is built into the software by default, without an extra hardware module. The built-in IPS feature supports a basic list of signatures, and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS feature is "ip audit".

There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as follows:

For informational signatures:

CiscoASA5500(config)# ip audit name "name" info [action [alarm] [drop] [reset]]

For attack signatures:

CiscoASA5500(config)# ip audit name "name" attack [action [alarm] [drop] [reset]]

The keywords [alarm], [drop] and [reset] define the actions to perform on a packet that matches one of the signatures, and more than one action can be combined. [alarm] generates a system message showing that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection it belongs to.

After defining an IP audit policy (IPS policy) as shown above, we need to attach the policy to a specific interface:

CiscoASA5500(config)# ip audit interface "interface_name" "policy_name"

Let's see an actual example, which drops every packet matching an attack signature on the outside interface:

CiscoASA5500(config)# ip audit name dropattacks attack action drop
CiscoASA5500(config)# ip audit interface outside dropattacks
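To make the reverse-path rule in the IP Spoofing Protection section concrete, here is an added example (not code from the original page or from Cisco) that models strict Unicast RPF in Python over a constructed routing table: each packet's source address is looked up with longest-prefix match, and the packet passes only if the matching route exits through the interface the packet arrived on, which is the check "ip verify reverse-path interface" applies. The route entries, interface names and sample packets are assumptions chosen to fit the 192.168.1.0/24 example above; the model covers only the per-packet lookup and ignores the appliance's connection-state handling.

```python
import ipaddress

# Constructed routing table (assumption: what "show route" might list on the
# appliance in the article's scenario). Inside LAN 192.168.1.0/24, a second
# internal subnet reached via a router on the inside, a directly connected
# outside subnet, and a default route out the outside interface.
ROUTES = [
    ("192.168.1.0/24", "inside"),
    ("10.10.0.0/16", "inside"),     # reachable via a router on the inside LAN
    ("203.0.113.0/24", "outside"),  # directly connected outside subnet
    ("0.0.0.0/0", "outside"),       # default route towards the Internet
]


def lookup(routes, addr):
    """Longest-prefix-match lookup of addr; returns the egress interface,
    or None when no route (not even a default) covers the address."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reverse_path_ok(routes, ingress_iface, src):
    """Strict uRPF: the route back to the source must leave through the
    interface the packet arrived on. A source with no route fails too."""
    return lookup(routes, src) == ingress_iface


def filter_packets(routes, packets, protected_ifaces):
    """Apply the reverse-path check only on interfaces where it is enabled
    (one "ip verify reverse-path interface <name>" per protected interface).
    Returns (ingress, src, dst, verdict) tuples."""
    results = []
    for ingress, src, dst in packets:
        if ingress in protected_ifaces and not reverse_path_ok(routes, ingress, src):
            results.append((ingress, src, dst, "DROP"))
        else:
            results.append((ingress, src, dst, "PASS"))
    return results


# Constructed sample packets: (ingress interface, source, destination).
PACKETS = [
    ("inside", "192.168.1.25", "198.51.100.7"),   # legitimate inside host
    ("inside", "10.10.4.9", "198.51.100.7"),      # legitimate, via inside router
    ("inside", "198.51.100.7", "192.168.1.25"),   # spoofed: route back is via outside
    ("outside", "192.168.1.25", "203.0.113.1"),   # spoofed internal address from the Internet
    ("outside", "8.8.8.8", "203.0.113.1"),        # ordinary Internet source, default route
]

if __name__ == "__main__":
    for ingress, src, dst, verdict in filter_packets(ROUTES, PACKETS, {"inside", "outside"}):
        print(f"{ingress:8} {src:>15} -> {dst:<15} {verdict}")
```

Running the block drops the two spoofed packets and still passes the ordinary Internet source arriving on outside, because the default route points out of that interface; this is why the check is safe to enable on the outside interface as well, and why a source that matches no route at all is always dropped. On the appliance itself, "show ip verify statistics" reports how many packets the reverse-path check has dropped per interface, and "show ip audit count" reports per-signature matches for the ip audit policies described in the Basic IPS Protection section.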