
Configuring connection limit on Cisco ASA and CheckPoint Firewall

[Image: DDoS attack diagram]


What is a DoS Attack?

DoS stands for Denial of Service: an attempt to make a machine or network resource unavailable to its legitimate users.

I have already written two articles on DoS attacks: Perform DOS attack with Hping command and How to perform DOS attack on a website (LOIC) tool. Today I am going to show you how you can protect your network with the connection limits of the Cisco ASA and Checkpoint Firewall-1.

On Cisco ASA :-

The Cisco ASA firewall offers strong protection against Denial of Service attacks such as SYN floods and excessive TCP connection attacks. Using the Modular Policy Framework, the ASA administrator can configure granular controls for TCP connection limits and timeouts. For example, we can limit the maximum number of simultaneous TCP and UDP connections allowed towards a specific host (or subnet), the maximum number of simultaneous embryonic (half-open) connections allowed (against SYN flood attacks), the per-client maximum number of connections allowed, and so on.

Configuration Example :-

STEP1: Identify the traffic to apply connection limits using a class map

ASA(config)# access-list CONNS-ACL extended permit ip any 10.1.1.1 255.255.255.255

ASA(config)# class-map CONNS-MAP

ASA(config-cmap)# match access-list CONNS-ACL

STEP2: Add a policy map to set the actions to take on the class map traffic

ASA(config)# policy-map CONNS-POLICY

ASA(config-pmap)# class CONNS-MAP

! The following sets connection number limits

ASA(config-pmap-c)# set connection {[conn-max n] [embryonic-conn-max n] [per-client-embryonic-max n] [per-client-max n] [random-sequence-number {enable | disable}]}

Here the conn-max n argument sets the maximum number of simultaneous TCP and/or UDP connections allowed, between 0 and 65535.

The embryonic-conn-max n argument sets the maximum number of simultaneous embryonic connections allowed, between 0 and 65535.

The per-client-embryonic-max n argument sets the maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535.

The per-client-max n argument sets the maximum number of simultaneous connections allowed per client, between 0 and 65535.

! The following sets connection timeouts

ASA(config-pmap-c)# set connection timeout {[embryonic hh:mm:ss] [tcp hh:mm:ss [reset]] [half-closed hh:mm:ss] [dcd hh:mm:ss [max_retries]]}

STEP3: Apply the policy on one or more interfaces or globally

ASA(config)# service-policy CONNS-POLICY {global | interface interface_name}
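As an added illustration (not code from the original post or from Cisco), the following Python model shows how the four counting limits from STEP2 admit or drop new connections toward the protected host. It is a simplified model of the firewall's connection table, not ASA behaviour in every detail, and the client addresses, limit values and event stream are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class ConnLimits:
    conn_max: int = 0                  # 0 means no limit, as on the ASA
    embryonic_conn_max: int = 0
    per_client_embryonic_max: int = 0
    per_client_max: int = 0
    def __post_init__(self):
        for name, value in vars(self).items():
            if not 0 <= value <= 65535:  # the range the page gives for each argument
                raise ValueError(f"{name} must be between 0 and 65535")

@dataclass
class ConnTable:
    limits: ConnLimits
    embryonic: Counter = field(default_factory=Counter)    # half-open, per client
    established: Counter = field(default_factory=Counter)  # completed, per client

    def syn(self, client):
        """New SYN toward the protected host: admitted only if no limit is reached."""
        lim, emb_total = self.limits, sum(self.embryonic.values())
        conn_total = emb_total + sum(self.established.values())
        checks = ((lim.conn_max, conn_total), (lim.embryonic_conn_max, emb_total),
                  (lim.per_client_max, self.embryonic[client] + self.established[client]),
                  (lim.per_client_embryonic_max, self.embryonic[client]))
        if any(limit and count >= limit for limit, count in checks):
            return False
        self.embryonic[client] += 1
        return True

    def complete(self, client):
        # Final ACK seen: the connection stops counting as embryonic.
        if self.embryonic[client]:
            self.embryonic[client] -= 1
            self.established[client] += 1

def simulate(events, limits):
    """Replay (kind, client) events; return admitted/dropped SYN counts per client."""
    table, stats = ConnTable(limits), defaultdict(Counter)
    for kind, client in events:
        if kind == "syn":
            stats[client]["admitted" if table.syn(client) else "dropped"] += 1
        elif kind == "complete":
            table.complete(client)
    return {client: dict(counts) for client, counts in stats.items()}

# Constructed sample: one source floods SYNs it never completes, then a legitimate client connects.
LIMITS = ConnLimits(conn_max=100, embryonic_conn_max=50, per_client_embryonic_max=5, per_client_max=20)
EVENTS = [("syn", "192.0.2.77")] * 20 + [("syn", "10.0.0.5"), ("complete", "10.0.0.5")]
```

Running `simulate(EVENTS, LIMITS)` shows the flooding source capped at 5 half-open connections while the legitimate client still gets through; with only a global embryonic-conn-max and no per-client limit, the flood fills the global budget and the legitimate SYN is dropped too.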

On Checkpoint Firewall-1 :-

Open Smart Dashboard -> Gateway Cluster Properties -> Capacity Optimization

[Screenshot: Capacity Optimization page, maximum concurrent connections setting]

You can configure the session timeout settings in Policy -> Global Properties from within Smart Dashboard.

[Screenshot: Global Properties, TCP session timeout setting]

WatchGuard Firewall :-

The default configuration of the WatchGuard device is to block flood attacks. To disable or re-enable this feature, or to change the maximum allowed number of packets each second:

  1. From Policy Manager, click the corresponding toolbar icon, or select Setup > Default Threat Protection > Default Packet Handling.
     The Default Packet Handling dialog box appears.

[Screenshot: Default Packet Handling dialog box]

  2. Select or clear the check boxes for the flood attacks you want to prevent.

I hope you like my post Configuring connection limit on Cisco ASA and CheckPoint Firewall; please share it with others.
