For any security engineer or administrator, one of the things that they can't get enough of is information. On many security appliances, this is provided via an internal logging buffer and other configurable logging servers (Syslog, SNMP).
Once they are set up, the question becomes this: What is the appliance filling the log with? With too much raw information, the data is just ignored or issues can be lost within the data; with too little information, the logging itself becomes secondary and limited in its usefulness.
One of the ways that Cisco attempts to address this issue on its Adaptive Security Appliances (ASA) is by providing a threat-detection capability. This feature watches the traffic that passes through the appliance and flags (via log entries) a number of different attack types as they happen. This information is then collected and maintained within the ASA as a detailed set of attack statistics.
This article takes a look at the threat detection feature and how it can be configured to operate within a network.
ASA Threat Detection Feature Overview
The easiest way to look at the threat detection feature is by thinking of it as a statistical tool that can be used to look at a snapshot of the current threats that the ASA is facing. Based on this information, the security engineer/administrator can take protective measures by configuring additional rules on the system to protect the internal network(s).
The ASA supports two different levels of threat detection: basic (which is enabled by default) and advanced (which can affect performance). Basic threat detection provides statistics for the system as a whole while the advanced threat detection can be configured to support statistics (all or a limited portion) down to the object level (including specific hosts, networks, ports, protocols or a group of these as defined by an ACL).
When using basic threat detection, the ASA will monitor the rate of dropped packets and security events that are caused by the following:
- ACL Denial
- Bad Packet Format
- Exceeded Connection Limits
- Denial of Service (DoS) Detection
- Basic Firewall Check Failure
- Suspicious ICMP Packets
- Application Inspection Packet Failure
- Interface Overload
- Scanning Attack Detection
- Incomplete Session Detection
When one of these threats is detected, a syslog message is generated on the device (and sent to external syslog servers, if configured). Two different detection rates are monitored: the first is an average event rate, and the second is a burst rate. The burst rate interval is typically 1/30th of the average rate interval OR 10 seconds, whichever is higher.
Each time one of these limits is exceeded, a syslog message is generated. Two separate syslog messages may be generated if both the average and burst thresholds are exceeded.
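As an added example (not code from the article or from Cisco), the following Python implements the burst-interval rule above and parses basic threat-detection syslog lines into fields so that a log reviewer can see which threshold (burst, average, or both) each message reports. It assumes the layout of Cisco's %ASA-4-733100 message and uses constructed sample lines.

```python
import re
from typing import Dict, List, Optional

# Burst-interval rule from the text: 1/30 of the average-rate interval or
# 10 seconds, whichever is higher.
def burst_interval(average_interval_s: int) -> int:
    return max(average_interval_s // 30, 10)

# Assumed layout of Cisco's %ASA-4-733100 basic threat-detection message.
_TD_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<obj>[^\]]+?)\s*\] drop rate-(?P<rate_id>\d+) exceeded\. "
    r"Current burst rate is (?P<burst_cur>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg_cur>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)

def parse_threat_syslog(line: str) -> Optional[Dict[str, object]]:
    """Fields of a 733100 line as a dict (counters as int); None for any other syslog line."""
    m = _TD_RE.search(line)
    if m is None:
        return None
    ev = {k: int(v) for k, v in m.groupdict().items() if k != "obj"}
    ev["obj"] = m["obj"]  # event category, e.g. "Scanning" or "ACL drop"
    return ev

def exceeded(ev: Dict[str, object]) -> List[str]:
    """Thresholds one message reports as crossed: the burst rate, the average rate, or both."""
    hits = []
    if ev["burst_cur"] > ev["burst_max"]:
        hits.append("burst")
    if ev["avg_cur"] > ev["avg_max"]:
        hits.append("average")
    return hits

def triage(lines: List[str]) -> List[tuple]:
    """(category, rate id, thresholds crossed) for every threat-detection line in a log."""
    return [(e["obj"], e["rate_id"], exceeded(e)) for e in map(parse_threat_syslog, lines) if e]

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOG = [
    "%ASA-4-733100: [ Scanning ] drop rate-1 exceeded. Current burst rate is 0 per second, max "
    "configured rate is 10; Current average rate is 15 per second, max configured rate is 5; Cumulative total count is 9198",
    "%ASA-4-733100: [ ACL drop ] drop rate-2 exceeded. Current burst rate is 700 per second, max "
    "configured rate is 400; Current average rate is 120 per second, max configured rate is 100; Cumulative total count is 432000",
    "%ASA-6-302013: Built inbound TCP connection 7 for outside:192.0.2.10/40000 (192.0.2.10/40000) to inside:198.51.100.5/80 (198.51.100.5/80)",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The first sample shows the case from the text where only one threshold (the average) is crossed, while the second crosses both and would correspond to a pair of messages on a real device.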
Another type of threat detection that the ASA provides is Scanning Threat Detection, which occurs when an attacker attempts to test the accessibility of hosts on a subnet by sweeping through a range of addresses and host ports.