17-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Inspection Rules
Inspection helps to protect against DoS attacks in other ways. Inspection looks at packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets. You can also configure inspection to drop half-open connections, which require firewall processing and memory resources to maintain. Additionally, inspection can detect unusually high rates of new connections and issue alert messages.
For IOS devices, you can configure several inspection setting parameters to fine-tune your defenses against SYN flooding and half-open connections. Configure the Firewall > Settings > Inspection policy. For details about each setting, see Configuring Settings for Inspection Rules for IOS Devices, page 17-88.
Inspection can also help by protecting against certain DoS attacks involving fragmented IP packets. Even though the firewall prevents an attacker from making actual connections to a given host, the attacker can disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets. To fine-tune fragment inspection, configure an inspection rule for the fragment protocol and configure the maximum number of fragments you want to allow and a timeout value.
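The IOS settings this section describes (half-open connection thresholds, new-connection rate alerts, SYN wait time and fragment inspection) correspond to the classic IOS `ip inspect` commands shown below. This is an added example of that CLI, not configuration generated by Security Manager or taken from this guide; the rule name INSPECT_OUT, the interface name and all numeric values are assumed for illustration, so verify the syntax against your IOS release.

```text
! Half-open (embryonic) session limits: when the number of half-open sessions
! exceeds the high mark, the firewall deletes half-open sessions until the
! count falls back to the low mark (values assumed for illustration).
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
! The same high/low pair applied to the rate of new connection attempts per
! minute; crossing the high mark also triggers an alert message.
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-host limit on half-open TCP sessions to a single destination. block-time 0
! means only the oldest half-open session is dropped, with no blocking period.
ip inspect tcp max-incomplete host 50 block-time 0
! Seconds to wait for a TCP three-way handshake to finish before dropping it.
ip inspect tcp synwait-time 30
! Inspection rule: track TCP and UDP sessions and inspect IP fragments,
! keeping state for at most 256 unassembled packets with a 1 second timeout.
ip inspect name INSPECT_OUT tcp
ip inspect name INSPECT_OUT udp
ip inspect name INSPECT_OUT fragment maximum 256 timeout 1
! Apply the rule to traffic entering the inside interface (assumed name).
interface GigabitEthernet0/0
 ip inspect INSPECT_OUT in
```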
Related Topics
• Understanding Inspection Rules, page 17-1
• Selecting Which Protocols To Inspect, page 17-3
• Configuring Protocols and Maps for Inspection, page 17-21
• Configuring Inspection Rules, page 17-5
Configuring Inspection Rules
Inspection rule policies identify the traffic that will be inspected through an interface. Inspection tracks permitted sessions and opens temporary holes in your access rules to allow return traffic.
Inspection rules are processed after access rules, so any traffic dropped by an access rule is not inspected. You can also use deny rules to selectively exclude certain types of traffic from inspection. For example, you might create a deny inspection rule to prevent a specific class of DNS traffic from being inspected, while all other DNS traffic is inspected. The basic procedure is:
• Add a new deny rule before the default inspection rule for the specific protocol. For the Match Traffic By option, select Source and Destination Address and Port. Next, define the specific type of traffic by providing Source and Destination Network IP addresses, and selecting the desired Service type (for example, DNS-TCP). Finally, in the third screen of the inspection-rule wizard, select the appropriate protocol (for example, DNS).
• Now edit the default inspection rule (below your new deny rule in the table). Again select Source and Destination Address and Port for the Match Traffic By option. Be sure this is a Permit rule, provide an all-addresses option as the source and destination addresses, and enter IP as the Service type. In the third screen, keep the selected protocol; configure or remove the related map, as necessary.
See Inspection Rules Page, page 17-7 and Add or Edit Inspect/Application FW Rule Wizard, page 17-10 for additional information about this process.
See the following topics for more information about things you should consider when creating inspection rules:
• Understanding Inspection Rules, page 17-1