Thursday, May 29, 2014

TCP normalization & tricks for cisco ASA

The cisco ASA  firewall has a few tricks that you can do for the normalizing of tcp data.

1st let's look at  some tcp-options.  These are defined by iana & available here.

1st  What is tcp normalization?

Normalization,  aka "scrubbing",  ensure that tcp-session conform to the correct standards or expect parameters.  This could be something as simple with clamping the  tcp-MSS values or the removal of certain tcp options like Window Scaling or Selective ACKs, or  dropping  SYN, SYN-ACK packets that  have data.

In a few cases, we normalize tcp datagrams to combat bad programs or application that misbehave with certain type of tcp parameters. This intermin fix  is typically used until the application is corrected, or the OS is updated.

examples of normalizations usages

  • In the past, I've  worked in the DDoS sector, and we used tcp-mss to clamp maximum tcp-segments  before entering a GRE tunnel.
  • In the finanicial sector, we had mis-behavin applications that couldn't be correct in the tcp/ip-stack, so we use a mix of tcp-normalization methods to remove certain options from the tcp SYN datagram    ( i.e SACK,WSCALE,TimeStp,etc....).  We ended up disable "SACK" for just one of the many services hosted on the server platform, without modifying the rest of the services.
  • Another example, we had a upstream external IPS that freaked out on certain tcp traffic. This particular IPS was aggressive and we really couldn't write exemptions rules to cover all possibilities. So we instead normalize the traffic b4 reaching the IPS sensor.

On the cisco ASA , you will have to define a tcp-map and reference  a class-map for the traffic we want to  normalized.

This usually requires the following;
  •  acl
  •  class-map 
  •  tcp-map
  •  policy-map

Here's a few samples with tcpdump screenshot of the cleanup tcp-datagram

( the dropping of TCP options SACKS using a defined ACL )

A TCP dump of my SYN and SYN-ACK shows;

( the dropping of the TCP options "WSCALE" using a defined ACL )

Tcpdump shows that the  WSCALEing option is now gone!

More Examples

 ( the dropping of the multiple TCP options using a defined ACL )

 TCpdump shows the SYN & tcp-option are now gone!

NOTE: if you  don't need  specific src/dst  matching ACL you can use a port-match  to accomplish the same. The ACL approach allows for fine control of the src/dst

NOTE:  The dropping SYN or SYN/ACK that  has data , is  very simple &  a tcp conversation should  never  start with data to begin with.

Ken Felix
Network & Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   -   - )=
      /     \

No comments:

Post a Comment