EasyManuals Logo

Cisco ASA Series Configuration Guide

Cisco ASA Series
428 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #417 background imageLoading...
Page #417 background image
18-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18 Threat Detection
Guidelines for Threat Detection
Scanning Threat Detection
A typical scanning attack consists of a host that tests the accessibility of every IP address in a subnet (by
scanning through many hosts in the subnet or sweeping through many ports in a host or subnet). The
scanning threat detection feature determines when a host is performing a scan. Unlike IPS scan detection
that is based on traffic signatures, ASA threat detection scanning maintains an extensive database that
contains host statistics that can be analyzed for scanning activity.
The host database tracks suspicious activity such as connections with no return activity, access of closed
service ports, vulnerable TCP behaviors such as non-random IPID, and many more behaviors.
If the scanning threat rate is exceeded, then the ASA sends a syslog message (733101), and optionally
shuns the attacker. The ASA tracks two types of rates: the average event rate over an interval, and the
burst event rate over a shorter burst interval. The burst event rate is 1/30th of the average rate interval or
10 seconds, whichever is higher. For each event detected that is considered to be part of a scanning
attack, the ASA checks the average and burst rate limits. If either rate is exceeded for traffic sent from
a host, then that host is considered to be an attacker. If either rate is exceeded for traffic received by a
host, then that host is considered to be a target.
The following table lists the default rate limits for scanning threat detection.
Caution The scanning threat detection feature can affect the ASA performance and memory significantly while
it creates and gathers host- and subnet-based data structure and information.
Guidelines for Threat Detection
Security Context Guidelines
Except for advanced threat statistics, threat detection is supported in single mode only. In Multiple mode,
TCP Intercept statistics are the only statistic supported.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
Types of Traffic Monitored
• Only through-the-box traffic is monitored; to-the-box traffic is not included in threat detection.
• Traffic that is denied by an ACL does not trigger scanning threat detection; only traffic that is
allowed through the ASA and that creates a flow is affected by scanning threat detection.
Table 18-1 Default Rate Limits for Scanning Threat Detection
Average Rate Burst Rate
5 drops/sec over the last 600 seconds. 10 drops/sec over the last 20 second period.
5 drops/sec over the last 3600 seconds. 10 drops/sec over the last 120 second period.

Table of Contents

Other manuals for Cisco ASA Series

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco ASA Series and is the answer not in the manual?

Cisco ASA Series Specifications

General IconGeneral
ModelASA 5505
InterfacesVaries by model (Fast Ethernet, Gigabit Ethernet, 10 Gigabit Ethernet, etc.)
High AvailabilityActive/Standby or Active/Active (varies by model)
Power SupplyVaries by model
Form FactorVaries by model
Operating SystemCisco ASA Software
IPsec VPNSupported
SSL VPNSupported
IPS ThroughputVaries by model

Related product manuals