IP Spoofing and IPS Protection With a Cisco ASA 5500 Firewall


Posted September 2, 2018 by Erin4344

The Cisco ASA firewall appliance delivers good security protection out of the box with its default configuration. That said, to raise the level of protection further, there are several configuration enhancements that can be used to enable additional security features. Two of those features are IP spoofing protection and basic Intrusion Prevention (IPS) support.

IP Spoofing Protection

IP spoofing attacks are those that alter the source IP address of packets to hide their true origin. IP spoofing protection on the ASA means that packets arriving on a given interface (e.g. inside) must carry a source IP address that the firewall's routing table associates with that same interface. Normally the firewall looks only at the destination address of a packet in order to forward it. When the IP spoofing protection mechanism is enabled, the firewall also checks the source address of each packet.

For example, if our inside interface connects to the internal network 192.168.1.0/24, packets arriving on the inside firewall interface must have a source address in the range 192.168.1.0/24; otherwise they are dropped (if IP spoofing protection is configured).

The IP spoofing protection feature uses the Unicast Reverse Path Forwarding (Unicast RPF) mechanism, which dictates that for any traffic you want to allow through the security appliance, the appliance's routing table must contain a route back to the source address via the interface on which the packet arrived. Do not enable it on interfaces that see asymmetric routing (where legitimate traffic arrives on a different interface than the one the routing table points to for its source), because those legitimate packets would be dropped as spoofed.

To enable IP spoofing protection, enter the following command:

CiscoASA5500(config)# ip verify reverse-path interface "interface_name"
For example, to enable IP spoofing protection on the inside interface, use the following command:
CiscoASA5500(config)# ip verify reverse-path interface inside
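The following is an added example, not part of the original article and not Cisco code: a small Python model of the strict Unicast RPF check that the command above turns on. It does a longest-prefix route lookup on the source address and accepts a packet only when the matched route points back out the ingress interface. The routing table, interface names other than "inside", and the sample packets are constructed for illustration; the default route is included because, on the ASA, the default route is what lets uRPF accept Internet sources arriving on the outside interface.

```python
import ipaddress

# Constructed routing table for a hypothetical ASA: (destination prefix, egress interface).
# These networks are illustrative only and are not taken from the article.
ROUTING_TABLE = [
    (ipaddress.ip_network("192.168.1.0/24"), "inside"),
    (ipaddress.ip_network("10.10.0.0/16"), "dmz"),
    (ipaddress.ip_network("0.0.0.0/0"), "outside"),  # default route
]


def lookup_route(address):
    """Longest-prefix match: return the interface the firewall would use to
    reach `address`, or None if no route (not even a default) covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for network, interface in ROUTING_TABLE:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, interface)
    return best[1] if best else None


def urpf_check(ingress_interface, src_address):
    """Strict Unicast RPF, as enabled per interface by
    `ip verify reverse-path interface <name>`: the packet is accepted only
    if the route back to its source address exits the interface it arrived on."""
    return lookup_route(src_address) == ingress_interface


def filter_packets(packets):
    """Apply uRPF to (ingress_interface, src, dst) tuples.
    Returns (accepted, dropped) lists in original order."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if urpf_check(pkt[0], pkt[1]) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    ("inside", "192.168.1.25", "8.8.8.8"),        # legitimate internal host
    ("inside", "203.0.113.7", "192.168.1.1"),     # spoofed: public source arriving on inside
    ("inside", "10.10.4.2", "192.168.1.1"),       # spoofed: dmz source arriving on inside
    ("outside", "203.0.113.7", "192.168.1.25"),   # Internet host, matched by the default route
    ("outside", "192.168.1.25", "192.168.1.1"),   # spoofed: internal source arriving on outside
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    for pkt in accepted:
        print("PASS", pkt)
    for pkt in dropped:
        print("DROP (uRPF)", pkt)
```

Running it passes the first and fourth packets and drops the other three. The third case is the one worth noticing: 10.10.4.2 is a perfectly routable address, yet it is dropped on inside because the route back to it points out dmz, which is exactly why uRPF must not be enabled where return paths are asymmetric.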

Basic IPS Protection

Although the ASA firewall supports full IPS functionality with an additional IPS hardware module (AIP-SSM), it also supports basic IPS protection that is built in by default, without using an extra hardware module. The built-in IPS function supports a basic set of signatures, and you can configure the security appliance to perform one or more actions on traffic that matches a signature. The command that implements the basic IPS function is "ip audit".

There are two signature groups embedded in the firewall software: "Informational" and "Attack" signatures. You can define an IP audit policy for each signature group as follows:

For informational signatures:

CiscoASA5500(config)# ip audit name "name" info [action [alarm] [drop] [reset]]
For attack signatures:
CiscoASA5500(config)# ip audit name "name" attack [action [alarm] [drop] [reset]]
The keywords [alarm], [drop] and [reset] define the actions to perform on a packet that matches one of the signatures: [alarm] generates a system log message reporting that a packet matched a signature, [drop] drops the packet, and [reset] drops the packet and closes the connection. Note that a named policy does nothing on its own; it takes effect only once it is applied to an interface with the ip audit interface command.
Last Updated September 2, 2018