Fragmentation Guard
Fragmented packets are a challenge to firewalls. For example, nothing in the current
Internet standards prevents a sender from fragmenting IP packets so finely that the
source and destination IP addresses and the TCP port information end up in
different fragments, or even in overlapping fragments. The firewall cannot
decide what to do with the packet until it has seen the entire TCP/IP header.
Some firewalls simply pass the fragments without trying to reassemble the
original packets, whereas others try to perform this reassembly. Reassembly can
be a dangerous process: for example, it is very easy to send fragments that will
cause the reassembled packet to be of illegal size, possibly overrunning internal buffers
of the IP stack implementation.
www.syngress.com
190 Chapter 4 • Advanced PIX Configurations
The PIX always reassembles fragmented packets before they are
checked against access lists, and it can impose some restrictions on the fragmented
traffic that passes through it. The FragGuard feature, when turned on, ensures that:
Each noninitial IP fragment is associated with an already seen initial
fragment (teardrop attack prevention).
The rate of IP fragments is limited to 100 fragments per second to each
internal host.
This feature probably breaks some rules for processing fragmented packets,
but the current state of the Internet is such that heavy fragmentation usually does
not occur naturally and is almost always the result of a malicious attacker trying to
circumvent firewall rules or flood an Internet host. Therefore, in general, it is
much better to have this feature on, unless you are connected via some unusual
link that genuinely carries a lot of fragmentation; but again, in this case there might
be something wrong with the link itself.
This feature is disabled by default and can only be turned on or off on all interfaces
simultaneously. The command for enabling it is:
sysopt security fragguard
The corresponding no command turns the feature off. The status of various
settings, including FragGuard, can be checked with the show sysopt command.
NOTE
The most important side effect of FragGuard is that you could lose
communication with hosts running some versions of Linux if they do
fragment IP packets. These versions do not always send the initial fragment
first, so the PIX firewall will drop the received sequence of fragments.
Although this rarely occurs, you should still watch out for it.
FragGuard settings can be too restrictive at times. It is possible to manually
tune the process of virtual reassembly with the fragment set of commands. Their
syntax is as follows:
fragment size <database-limit> [<interface>]
fragment chain <chain-limit> [<interface>]
fragment timeout <limit> [<interface>]
clear fragment
The first command sets the maximum number of blocks that can be used for
fragment reassembly. If an interface is not specified, the setting is global; otherwise,
the setting applies to the specified interface only. The default number of blocks is 200
and should never be greater than the total number of available blocks of 1550
bytes' size. In general, a bigger database makes the PIX more vulnerable to a DoS
attack that floods it with fragments and exhausts its memory.
The second command sets the maximum allowed number of fragments into
which one IP packet may be split. The default setting is 24 fragments; the maximum is
8200. Further fragments will be dropped and the packet will not be reassembled.
The timeout setting specifies the time frame within which all fragments of one IP
packet must be received. The default timeout is 5 seconds and can be raised to at most 30
seconds.
The last command, clear fragment, resets all three settings to their default
values. The state of the fragment database can be displayed with the show fragment
command:
pix(config)# show fragment outside
Interface: outside
Size: 200, Chain: 24, Timeout: 5
Queue: 150, Assemble: 300, Fail: 0, Overflow: 0
This output shows that the database has the default settings: a size of 200
blocks, 24 fragments per chain, and a 5-second timeout. There are 150 packets waiting
to be reassembled, 300 were already successfully reassembled, and there were no
failures or database overflows.
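To make the two FragGuard rules and the three fragment database limits concrete, here is a small model of virtual reassembly. This is an added example, not PIX code and not from the book: the Fragment record, the Reassembler class, the Guard counter and the constructed traffic in demo() are assumptions, while the limits it enforces (200 blocks, 24 fragments per chain, 5-second timeout, 100 fragments per second to each host, initial fragment first) are the values the text gives. It also rejects overlapping fragments and illegal reassembled sizes, the two reassembly hazards described at the top of the section.

```python
"""Toy model of PIX-style virtual fragment reassembly (added example, not PIX code)."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_IP_LEN = 65535  # a reassembled datagram larger than this is illegal


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification field shared by all fragments of one packet
    offset: int     # fragment offset in bytes
    length: int     # payload bytes carried by this fragment
    more: bool      # IP "more fragments" flag
    t: float        # arrival time in seconds


@dataclass
class Chain:
    first_seen: float
    frags: list = field(default_factory=list)


class Reassembler:
    def __init__(self, size=200, chain=24, timeout=5.0, fragguard=False, rate=100):
        self.size, self.chain_limit, self.timeout = size, chain, timeout
        self.fragguard, self.rate_limit = fragguard, rate
        self.chains = {}                   # (src, dst, ident) -> Chain awaiting pieces
        self.arrivals = defaultdict(list)  # dst host -> arrival times in the last second
        # "Guard" is an assumed extra counter for FragGuard drops; the rest mirror show fragment
        self.counters = {"Assemble": 0, "Fail": 0, "Overflow": 0, "Guard": 0}

    def status(self):
        """Counters in the shape of 'show fragment'; Queue is chains still waiting."""
        return dict(self.counters, Queue=len(self.chains))

    def _blocks_in_use(self):
        return sum(len(c.frags) for c in self.chains.values())

    def _expire(self, now):
        """Drop chains whose fragments did not all arrive within the timeout."""
        for k in [k for k, c in self.chains.items() if now - c.first_seen > self.timeout]:
            self._fail(k)

    def _fragguard(self, f, key):
        """FragGuard rules: per-host rate limit, and no noninitial fragment without its initial one."""
        recent = [t for t in self.arrivals[f.dst] if f.t - t < 1.0] + [f.t]
        self.arrivals[f.dst] = recent
        if len(recent) > self.rate_limit:
            return False
        if f.offset != 0 and key not in self.chains:
            return False
        return True

    def _fail(self, key):
        self.chains.pop(key, None)
        self.counters["Fail"] += 1

    def receive(self, f):
        """Feed one fragment; return (src, dst, ident, total_len) when a packet completes."""
        self._expire(f.t)
        key = (f.src, f.dst, f.ident)
        if self.fragguard and not self._fragguard(f, key):
            self.counters["Guard"] += 1
            return None
        if self._blocks_in_use() >= self.size:
            self.counters["Overflow"] += 1   # database full: fragment dropped
            return None
        chain = self.chains.setdefault(key, Chain(first_seen=f.t))
        if len(chain.frags) >= self.chain_limit:
            self._fail(key)                  # more pieces than the chain limit allows
            return None
        end = f.offset + f.length
        overlap = any(f.offset < g.offset + g.length and g.offset < end for g in chain.frags)
        if overlap or end > MAX_IP_LEN:
            self._fail(key)                  # teardrop-style overlap or illegal size
            return None
        chain.frags.append(f)
        return self._try_complete(key, chain)

    def _try_complete(self, key, chain):
        frags = sorted(chain.frags, key=lambda g: g.offset)
        expect = 0
        for g in frags:
            if g.offset != expect:
                return None                  # gap: keep waiting for more fragments
            expect = g.offset + g.length
        if frags[-1].more:
            return None                      # last fragment not yet seen
        del self.chains[key]
        self.counters["Assemble"] += 1
        return key + (expect,)


def demo():
    """Constructed traffic: one clean packet, one teardrop overlap, one orphan fragment."""
    r = Reassembler(fragguard=True)
    good = [Fragment("10.1.1.5", "192.168.1.10", 1, 0, 1480, True, 0.0),
            Fragment("10.1.1.5", "192.168.1.10", 1, 1480, 1480, True, 0.1),
            Fragment("10.1.1.5", "192.168.1.10", 1, 2960, 100, False, 0.2)]
    teardrop = [Fragment("10.1.1.6", "192.168.1.10", 2, 0, 40, True, 0.3),
                Fragment("10.1.1.6", "192.168.1.10", 2, 20, 40, False, 0.4)]
    orphan = Fragment("10.1.1.7", "192.168.1.10", 3, 800, 200, False, 0.5)
    results = [r.receive(f) for f in good + teardrop + [orphan]]
    return results, r.status()
```

In demo() the three-fragment packet completes on its last piece, the overlapping second fragment of the teardrop pair is failed, and the orphan (a noninitial fragment whose initial fragment was never seen) is dropped by the FragGuard rule; with fragguard=False the orphan would instead sit in the queue until the timeout expired it.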