
Table Of Contents

Inspection Rules

Global Timeouts and Thresholds

Inspection Rule Editor

HTTP Protocol Java List Option

Fragment Options

RPC Protocol Options


Inspection Rules


Use this window to examine, add, edit, or delete inspection rules. Inspection rules allow the router to examine the protocol type and session information in outgoing packets. If an outgoing packet matches the criteria in the inspection rule, return traffic of the same type will be permitted into the network if it is associated with a session started within the firewall. Without inspection rules, access rules might deny return traffic associated with sessions initiated inside the firewall.

The upper portion of the window contains a table with the following columns:

Rule Name

The name of the inspection rule. If it is a Cisco Router and Security Device Manager (SDM) default inspection rule, the name will be Default100.

Type

One of the following:

Running Configuration.

Used By

The interface or module with which that rule is associated.

Protocol

The protocol that will be inspected by this rule entry.

Alert

Indicates whether this rule entry will generate alerts when traffic of this type is encountered.

Audit Trail

Indicates whether an audit trail has been enabled for this rule entry.

What do you want to do?

If you want to:
Do this:

Configure the global timeouts and thresholds for all inspection rules.

Click Settings, and specify values in the Global Timeouts and Thresholds window.

Add an inspection rule.

Click Add, and specify settings in the Inspection Rule Information window.

Edit an inspection rule.

Select the inspection rule, click Edit, and edit the rule in the Inspection Rule Information window.

Associate an inspection rule with an interface.

See How Do I Associate a Rule with an Interface?

Delete an inspection rule that has not been associated with an interface.

Select the inspection rule, and click Delete.

Delete a rule that has been associated with an interface

SDM does not permit you to delete a rule that has been associated with an interface. In order to delete the rule, you must first disassociate it from the interface. See How Do I Delete a Rule That Is Associated with an Interface?

Create an access rule for a Java list.

See the procedure How Do I Create an Access Rule for a Java List?


Global Timeouts and Thresholds

This screen lets you set Context-Based Access Control (CBAC) global timeouts and thresholds. CBAC uses timeouts and thresholds to determine how long to manage state information for a session and to determine when to drop sessions that do not become fully established. These timeouts and thresholds apply to all sessions.

Global Timer values can be specified in seconds, minutes, or hours.

TCP Connection Timeout Value

The amount of time to wait for a TCP connection to be established. The default value is 30 seconds.

TCP FIN Wait Timeout Value

The amount of time that a TCP session will still be managed after the firewall detects a FIN exchange. The default value is 4 seconds.

TCP Idle Timeout Value

The amount of time that a TCP session will still be managed after no activity has been detected. The default value is 3600 seconds.

UDP Idle Timeout Value

The amount of time that a User Datagram Protocol (UDP) session will still be managed after no activity has been detected. The default value is 30 seconds.

DNS Timeout Value

The amount of time that a Domain Name System (DNS) name lookup session will be managed after no activity has been detected. The default value is 5 seconds.

SYN Flooding DoS Attack Thresholds

An unusually high number of half-open sessions may indicate that a Denial of Service (DoS) attack is under way. DoS attack thresholds allow the router to start deleting half-open sessions after the total number of them has reached a maximum threshold. By defining thresholds, you can specify when the router should start deleting half-open sessions and when it can stop deleting them.

One-minute session thresholds. These fields let you specify the threshold values for new connection attempts.

Low

Stop deleting new connections after the number of new connections drops below this value. The default value is 400 sessions.

High

Start deleting new connections when the number of new connections exceeds this value. The default value is 500 sessions.

Maximum incomplete session thresholds. These fields let you specify the threshold values for the total number of existing half-open sessions.

Low

Stop deleting new connections after the number of new connections drops below this value. The default value is 400 sessions.

High

Start deleting new connections when the number of new connections exceeds this value. The default value is 500 sessions.


TCP Maximum Incomplete Sessions per Host

The router starts deleting half-open sessions for the same host when the total number for that host exceeds this number. The default number of sessions is 50. If you check the Blocking Time field and enter a value, the router will continue to block new connections to that host for the number of minutes that you specify.

Enable audit globally

Check this box if you want to turn on CBAC audit trail messages for all types of traffic.

Enable alert globally

Check this box if you want to turn on CBAC alert messages for all types of traffic.
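The fields in this window map onto the Cisco IOS CBAC global `ip inspect` commands. The following configuration is an added example, not part of the SDM help page: it shows the CLI equivalent of each field using the default values the page lists. Which lines SDM actually writes to a given router's running configuration is an assumption here; compare against `show ip inspect config` on the device.

```cisco
! Added example (not from the SDM help page): IOS CBAC global timeout and
! threshold commands corresponding to the Global Timeouts and Thresholds
! window. Values are the page's stated defaults; exact SDM output is assumed.
!
! TCP Connection Timeout Value (seconds to wait for the three-way handshake)
ip inspect tcp synwait-time 30
! TCP FIN Wait Timeout Value (seconds a session is kept after a FIN exchange)
ip inspect tcp finwait-time 4
! TCP Idle Timeout Value (seconds)
ip inspect tcp idle-time 3600
! UDP Idle Timeout Value (seconds)
ip inspect udp idle-time 30
! DNS Timeout Value (seconds)
ip inspect dns-timeout 5
!
! One-minute session thresholds: aggressive deletion of half-open sessions
! starts when the per-minute rate of new connection attempts exceeds "high"
! and stops once it drops below "low". The gap between the two values is a
! hysteresis band that keeps the router from flapping in and out of
! aggressive mode.
ip inspect one-minute low 400
ip inspect one-minute high 500
!
! Maximum incomplete session thresholds (total existing half-open sessions)
ip inspect max-incomplete low 400
ip inspect max-incomplete high 500
!
! TCP Maximum Incomplete Sessions per Host, with the optional Blocking Time
! in minutes (0 = delete the oldest half-open session for that host on each
! new attempt rather than blocking new connections to the host)
ip inspect tcp max-incomplete host 50 block-time 0
!
! Enable audit globally
ip inspect audit-trail
!
! Alerts are on by default. Leaving "Enable alert globally" unchecked
! corresponds to this command being present in the configuration:
! ip inspect alert-off
```

After applying settings from SDM, `show ip inspect config` lists the effective timeouts and thresholds, and `show ip inspect statistics` shows the current half-open session counts that these thresholds are compared against.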

Inspection Rule Editor

Edit or create an inspection rule in this window.

Inspection Rule Name

Enter or edit the inspection rule name in this field. The name must be at least 1 character long, and it must be no longer than 16 characters. The following characters cannot be used: the space character, the exclamation point (!), the question mark (?), the backslash (\), and the semicolon (;).

Protocol

Check the box next to the protocol if you want that protocol inspected. If you do not want the protocol inspected, leave the box unchecked. For more information on the protocols listed in this window, refer to Services and Ports.

Alert

If you want an alert generated when this protocol is detected, click On. If you do not want the alert generated, click Off.

Audit Trail

If you want the router to maintain an audit trail for this protocol, click On. If you do not want the audit trail maintained, click Off. The default is Off.

Timeout

Enter the number of seconds that you want the router to wait before blocking return traffic for this protocol. The router will allow return traffic for this protocol for the number of seconds entered in this field. By default, the fields in this column contain the TCP idle timeout value entered in the Global Timeouts and Thresholds window. You can edit the value if the protocol has been checked.

Fragment Entry

A Fragment entry allows you to specify the maximum number of unreassembled packets. Check the box next to Fragment if you want to include a fragment entry, and complete the Fragment Options dialog box that is displayed.

Insert additional RPC protocol entries

Click this button if you want to add remote-procedure call (RPC) protocol entries by program number, and enter a program number in the dialog box displayed. If you want to add an additional RPC protocol entry, click Insert more RPC protocol entries.

HTTP Protocol Java List Option

Users may inadvertently download destructive Java applets into the network. You can use inspection rules to filter Java applets at the interface the rules are applied to; this allows users to download only applets residing within the firewall and trusted applets from outside the firewall.

Java List Number (1-99)

Click the ... button, and specify whether you want to select an existing rule or create a new rule, and complete the configuration in the windows displayed.

The Java list number is the number of a standard access rule that permits traffic from trusted addresses. If you have already created the access rule, you can enter its number in this field, or click the ... button and choose Create a new rule (ACL) and select to create one.

To learn how to create an access rule to use in a Java list, see How Do I Create an Access Rule for a Java List?

Fragment Options

In this window, you can set the maximum number of unreassembled packets the router should accept before dropping them. Enter a value between 50 and 10000.

RPC Protocol Options

You can inspect RPC programs, specifying them by number. Create a separate entry for each RPC program that you want to inspect. If a program number is not specified, all traffic for that program will be blocked.

Program Number

Enter a single program number in this field.

Wait Time

You can optionally specify how many minutes to allow subsequent RPC connections from the same source to be made to the same destination address and port. The default wait time is zero minutes.
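The Inspection Rule Editor, HTTP Protocol Java List, Fragment Options and RPC Protocol Options windows together produce one named CBAC inspection rule. The configuration below is an added example, not the page's own or SDM-generated output: it shows such a rule in IOS CLI form, applied to an interface alongside the inbound access rule whose return-traffic problem the Inspection Rules section describes. The rule name EXAMPLE_INSPECT, access-list numbers 10 and 101, the 10.1.0.0/16 network, the interface name and the RPC program number are placeholders chosen for this example.

```cisco
! Added example (not from the SDM help page): one inspection rule using the
! per-protocol, Java list, fragment and RPC options described above.
! Names, numbers, addresses and interface are constructed placeholders.
!
! Standard access rule used as the Java list (Java List Number 1-99):
! applets are accepted only from these trusted source addresses.
access-list 10 remark Trusted Java applet sources (example network)
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 deny   any
!
! Per-protocol entries: protocol, Alert on/off, Audit Trail on/off, and
! Timeout in seconds (when omitted, the global TCP idle timeout applies).
! Rule name: 1-16 characters, no space ! ? \ or ;
ip inspect name EXAMPLE_INSPECT tcp alert on audit-trail on timeout 3600
ip inspect name EXAMPLE_INSPECT udp alert on audit-trail off timeout 30
ip inspect name EXAMPLE_INSPECT ftp alert on audit-trail on
! HTTP entry with the Java list option pointing at access-list 10
ip inspect name EXAMPLE_INSPECT http java-list 10 alert on audit-trail on
! Fragment entry: maximum unreassembled packets (50-10000) and the
! reassembly timeout in seconds
ip inspect name EXAMPLE_INSPECT fragment max 256 timeout 1
! RPC entry by program number (100003 is used here as an example) with
! the Wait Time in minutes for follow-on connections from the same source
ip inspect name EXAMPLE_INSPECT rpc program-number 100003 wait-time 0
!
! Inbound access rule on the outside interface. On its own it would also
! drop return traffic for sessions started inside; CBAC inserts temporary
! permits for inspected sessions ahead of this deny.
access-list 101 remark Outside inbound (example)
access-list 101 deny   ip any any log
!
! Apply the inspection rule outbound on the outside interface, paired
! with the inbound access rule
interface FastEthernet0/1
 description Outside (example)
 ip access-group 101 in
 ip inspect EXAMPLE_INSPECT out
!
! Verification commands
! show ip inspect config
! show ip inspect interfaces
! show ip inspect sessions
```

With audit-trail on, each inspected session start and stop is logged with the byte counts, which is the record a defender relies on when reconstructing what left and re-entered the network; the alert setting controls whether CBAC also reports protocol anomalies and threshold events for that protocol.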



Posted: Fri Oct 7 13:27:19 PDT 2005
All contents are Copyright © 1992-2005 Cisco Systems, Inc. All rights reserved.