Filter
Top Products
B-38
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix B Signature Engines
Normalizer Engine
Caution For signature 3050 Half Open SYN Attack, if you choose modify-packet-inline as the action, you can
see as much as 20 to 30% performance degradation while the protection is active. The protection is only
active during an actual SYN flood.
IP Fragmentation Normalization
Intentional or unintentional fragmentation of IP datagrams can hide exploits making them difficult or
impossible to detect. Fragmentation can also be used to circumvent access control policies like those
found on firewalls and routers. And different operating systems use different methods to queue and
dispatch fragmented datagrams. If the sensor has to check for all possible ways that the end host can
reassemble the datagrams, the sensor becomes vulnerable to DoS attacks. Reassembling all fragmented
datagrams inline and only forwarding completed datagrams and refragmenting the datagram if
necessary, prevents this. The IP Fragmentation Normalization unit performs this function.
TCP Normalization
Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To
make sure policy enforcement can occur with no false positives and false negatives, the state of the two
TCP endpoints must be tracked and only the data that is actually processed by the real host endpoints
should be passed on. Overlaps in a TCP stream can occur, but are extremely rare except for TCP segment
retransmits. Overwrites in the TCP session should not occur. If overwrites do occur, someone is
intentionally trying to elude the security policy or the TCP stack implementation is broken. Maintaining
full information about the state of both endpoints is not possible unless the sensor acts as a TCP proxy.
Instead of the sensor acting as a TCP proxy, the segments are ordered properly and the Normalizer
engine looks for any abnormal packets associated with evasion and attacks.
IPv6 Fragments
The Normalizer engine can reassemble IPv6 fragments and forward the reassembled buffer for
inspection and actions by other engines and processors. The following differences exist between IPv4
and IPv6:
• modify-packet-inline for Normalizer engine signatures has no effect on IPv6 datagrams.
• Signature 1206 (IP Fragment Too Small) does not fire for IPv6 datagrams. Signature 1741 in the
Atomic IP Advanced engine fires for IPv6 fragments that are too small.
• Signature 1202 allows 48 additional bytes beyond the max-datagram-size for IPv6 because of the
longer IPv6 header fields.
TCP Normalizer Signature Warning
You receive the following warning if you disable a default-enabled TCP Normalizer signature or remove
a default-enabled modify packet inline, deny packet inline, or deny connection inline action:
Use caution when disabling, retiring, or changing the event action settings of a <Sig ID>
TCP Normalizer signature for a sensor operating in IPS mode. The TCP Normalizer signature
default values are essential for proper operation of the sensor.
If the sensor is seeing duplicate packets, consider assigning the traffic to multiple
virtual sensors. If you are having problems with asymmetric or out-of-order TCP packets,
consider changing the normalizer mode from strict evasion protection to asymmetric mode
protection. Contact Cisco TAC if you require further assistance.
ASA IPS Modules and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5500 AIP SSM,
ASA 5500-X IPS SSP, or ASA 5585-X IPS SSP, because the ASA itself handles the normalization.
Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles