1-17
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 1      Introduction to the Cisco ASA 5500 Series Adaptive Security Appliance
  Firewall Functional Overview
manager. Other legitimate connections continue to operate independently without interruption. For more 
information, see Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line 
Interface.
Sending Traffic to the Content Security and Control Security Services Module
If your model supports it, the CSC SSM provides protection against viruses, spyware, spam, and other 
unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you 
configure the adaptive adaptive security appliance to send to it.
Applying QoS Policies
Some network traffic, such as voice and streaming video, cannot tolerate long latency times. QoS is a 
network feature that lets you give priority to these types of traffic. QoS refers to the capability of a 
network to provide better service to selected network traffic.
Applying Connection Limits and TCP Normalization
You can limit TCP and UDP connections and embryonic connections. Limiting the number of 
connections and embryonic connections protects you from a DoS attack. The adaptive security appliance 
uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack 
perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection 
request that has not finished the necessary handshake between source and destination.
TCP normalization is a feature consisting of advanced TCP connection settings designed to drop packets 
that do not appear normal.
Enabling Threat Detection
You can configure scanning threat detection and basic threat detection, and also how to use statistics to 
analyze threats.
Basic threat detection detects activity that might be related to an attack, such as a DoS attack, and 
automatically sends a system log message.
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by 
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The 
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection 
that is based on traffic signatures, the adaptive security appliance scanning threat detection feature 
maintains an extensive database that contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed 
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
You can configure the adaptive security appliance to send system log messages about an attacker or you 
can automatically shun the host.
Enabling the Botnet Traffic Filter
Malware is malicious software that is installed on an unknowing host. Malware that attempts network 
activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary data) 
can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP