Archive for March, 2008



DoS Protection for Cisco IP Networks

Monday 31 March 2008 @ 7:01 am

There are several mechanisms that can be used to protect a Cisco IP network from Denial of Service attacks. Especially for Service Provider networks, DoS attacks are the biggest threat network administrators face today. Worms, flooding attacks, Distributed Denial of Service by botnets etc. are some forms of DoS attack that can hit a Service Provider IP network. Two of the most effective features on Cisco routers for protecting the routers themselves, i.e. their control plane, against DoS attacks are the following:

Receive Access Control Lists (rACL)

The Receive ACL feature is applicable to the GSR model routers. It is used to increase security on the Cisco 12000 by protecting the router's gigabit route processor (GRP) from unnecessary and potentially malicious traffic. The rACL feature can be used in combination with Control Plane Policing and routing protocol protection (MD5 neighbour authentication, for example) to implement a successful defence-in-depth strategy for control plane protection in the core. This feature is supported in IOS version 12.0(24)S (and newer) on the GSR platform.

The traffic the rACL inspects is the traffic arriving on the GSR line cards (LC) that is punted to the LC CPU (e.g. ICMP and logging) or forwarded to the route processor (GRP): routing protocols, SSH, Telnet, SNMP, NTP and so on. Because the GRP has limited capacity to absorb excess traffic from the line cards, it is a natural target for a Denial-of-Service attack. A receive ACL explicitly permits or denies traffic destined to the GRP, while transit traffic in the forwarding (data) plane is not affected; the filtering happens on the ingress LC before the packet ever reaches the RP. Deploying rACLs has helped service providers mitigate several Cisco security advisories affecting their network infrastructure.
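As an added illustration (mine, not from the original post or from Cisco's documentation), the following is a minimal receive ACL for a GSR. The addresses are placeholders and assumptions: 192.0.2.1 is a BGP peer, 192.0.2.2 stands in for the router's own address, and 203.0.113.0/24 is the NOC. It follows the staged deployment Cisco recommends: a trailing permit at first, so nothing is dropped while hit counts are reviewed, then a closing deny once the legitimate traffic to the GRP is known.

```cisco
! Stage 1: classify what reaches the GRP without dropping anything yet.
! The rACL must be a numbered extended ACL (100-199 or 2000-2699).
access-list 110 remark --- routing protocol peers (placeholder addresses) ---
access-list 110 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
access-list 110 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
access-list 110 permit ospf 192.0.2.0 0.0.0.255 any
access-list 110 remark --- management, NOC only ---
access-list 110 permit tcp 203.0.113.0 0.0.0.255 host 192.0.2.2 eq 22
access-list 110 permit udp host 203.0.113.10 host 192.0.2.2 eq snmp
access-list 110 permit udp host 203.0.113.20 host 192.0.2.2 eq ntp
access-list 110 remark --- ICMP the operators actually need ---
access-list 110 permit icmp any host 192.0.2.2 echo
access-list 110 permit icmp any host 192.0.2.2 echo-reply
access-list 110 permit icmp any host 192.0.2.2 ttl-exceeded
access-list 110 permit icmp any host 192.0.2.2 packet-too-big
access-list 110 permit icmp any host 192.0.2.2 unreachable
access-list 110 remark --- stage 1 only: count, do not drop ---
access-list 110 permit ip any any
!
! Apply it; transit traffic is not evaluated against this list.
ip receive access-list 110
```

Watch `show access-lists 110` for a few days: once only the expected entries increment, replace the final `permit ip any any` with `deny ip any any` (stage 2). Two practical caveats: a real rACL must list every address the router owns (loopbacks and all interface addresses), not the single host used here for brevity; and avoid the `log` keyword on the deny, because logged denies are processed by the GRP, which is exactly the CPU you are protecting.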

Control Plane Policing (CoPP)

The Control Plane Policing mechanism is complementary to the rACL feature. The latter controls which protocols and traffic are allowed to flow towards the route processor, while CoPP controls how much of that traffic is allowed to flow. The feature is available on the GSR 12000 and the 7600, among other IOS platforms.
The Control Plane Policing feature treats the CP as a separate entity with its own ingress (input) and egress (output) ports, much like the ports of a router or switch. Because the CP is treated as a separate entity, a set of rules can be established and associated with its ingress and egress ports. These rules are applied only after a packet has been determined to have the CP as its destination, or when a packet exits the CP. You can then configure a service policy that stops unwanted packets once a specified rate limit has been reached; for example, an administrator can limit all TCP SYN packets destined for the CP to a maximum rate of 1 megabit per second. The rate for each class should be derived from a measured baseline of that traffic, since a limit set too low will drop legitimate routing or management traffic precisely when the router is under attack.




Cisco ASA 5505 Firewall License Restriction for DMZ

Friday 28 March 2008 @ 11:28 am

The Cisco ASA 5505 is the smallest model in the newest 5500 series of Cisco firewalls. It is a great product for small businesses (5-10 employees) or even for home network use. However, if you need a DMZ zone (in addition to your Inside and Outside zones) in order to host a publicly accessible server (e.g. a web or mail server), check the license first. The default Base license allows only three VLAN interfaces, and the third one is restricted: it must be configured with "no forward interface" towards one of the other two VLANs, so a Base-license DMZ can accept connections from inside and outside but cannot initiate connections towards the inside network. If that one-way restriction suits your server, the Base license may be enough; for an unrestricted DMZ you need to upgrade to the "Security Plus" license, which also raises other firewall limits (more firewall connections, more remote access VPN sessions, trunking with up to 20 VLANs, Active/Standby failover and dual ISP support).
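The configuration below is an added example (mine, not from the original post) showing the DMZ VLAN on an ASA 5505 in pre-8.3 syntax; the addresses, the switch-port assignments and the server at 192.168.3.10 are assumptions.

```cisco
! ASA 5505, pre-8.3 syntax. Addresses and interface assignments are assumptions.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Third VLAN. Under the Base license the "no forward" line must come before
! nameif (otherwise nameif is rejected), and the DMZ can then never initiate
! traffic towards Vlan1 (inside); inside and outside may still open
! connections into it. Under Security Plus, omit the "no forward interface"
! line for an unrestricted DMZ.
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
!
! Publish the DMZ web server on the outside address (interface PAT).
! The trailing "tcp 1000 100" caps total and embryonic (half-open) connections
! to this server, which is the per-static protection against SYN floods.
static (dmz,outside) tcp interface www 192.168.3.10 www netmask 255.255.255.255 tcp 1000 100
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
access-group OUTSIDE_IN in interface outside
```

`show version` lists the licensed limits (maximum VLANs, inside hosts, failover type), so it is the quickest way to confirm which of the bundles below a unit actually carries before you plan the DMZ.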

The licensing for the ASA 5505 is as follows:

Cisco ASA 5505 10 User Firewall Edition Bundle

Includes: 10 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, Triple Data Encryption Standard/Advanced Encryption Standard (3DES/AES) license.

Cisco ASA 5505 50 User Firewall Edition Bundle

Includes: 50 users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.

Cisco ASA 5505 Unlimited User Firewall Edition Bundle

Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 10 IPsec VPN peers, 2 SSL VPN peers, 3DES/AES license.

Cisco ASA 5505 Security Plus Firewall Edition Bundle

Includes: Unlimited users, 8-port Fast Ethernet switch with 2 Power over Ethernet ports, 25 IPsec VPN peers, 2 SSL VPN peers, DMZ support, Stateless Active/Standby high availability, Dual ISP support, 3DES/AES license.




Practice Questions for Exam 642-523 – Part 1

Sunday 23 March 2008 @ 4:53 pm

Which command both verifies that NAT is working properly and displays active NAT translations?
A. show nat translation
B. show running-config nat
C. show ip nat all
D. show xlate
Answer: D

Which three of these are Cisco ASA syslog message fields? (Choose three.)
A. syslog community string
B. message.text
C. triggering packet copy
D. logging device ip
E. default ASA gateway
F. logging level
Answer: B,D,F

An administrator wants to protect a DMZ web server from SYN flood attacks. Which three of these commands, used individually, would allow the administrator to place limits on the number of embryonic connections? (Choose three.)
A. http redirect
B. nat
C. http-proxy
D. static
E. set connection
F. access-list
Answer: B,D,E

Which of these commands displays the status of the CSC SSM on the Cisco ASA?
A. show module 1 CSC details
B. show hw 1 details
C. show module 1 details
D. show interface GigabitEthernet 1/0
Answer: C

The Cisco VPN Client supports which three of these tunneling protocols and methods? (Choose three.)
A. AH
B. LZS
C. IPSec over TCP
D. IPSec over UDP
E. SCEP
F. ESP
Answer: C,D,F

What does the nat 0 command do?
A. The nat 0 command, followed by an access list, specifies the addresses that are not to be translated
B. The nat 0 command, followed by a range of IP Addresses, specifies the addresses that are to be translated using network address translations
C. The nat 0 command, followed by a range of IP Addresses, specifies the addresses that are to be translated when used for IPSec
D. The nat 0 command, followed by an access list, specifies the addresses that are to be used in translations only once
Answer: A

What does the activation-key command in the Cisco ASA do?
A. Applies the activation key to the Cisco ASDM so the Cisco ASA can be managed using a web interface
B. Applies the activation key to the Cisco ASA operating system, so that the Cisco ASA is licensed and all features are available
C. Activates the SSM module in the Cisco ASA, providing intrusion protection and content filtering
D. Automatically activates the Cisco ASA, allowing it to be configured right out of the box
Answer: B




Firewall Technologies

Sunday 23 March 2008 @ 2:24 pm

Firewalls are used to protect computer networks from hostile intrusions. A hardware firewall separates trusted internal networks (e.g. an internal corporate LAN) from external untrusted networks (e.g. the Internet or an untrusted WAN). The primary objective of the firewall is to examine all inbound and outbound traffic and check it against specific criteria (the firewall policy rules). If the traffic complies with the firewall policy it is permitted, otherwise it is dropped.

Firewall operations are based on the following general firewall technologies:

  • Packet Filtering
  • Proxy Server Firewall
  • Stateful Packet Firewall

Packet Filtering

A firewall can use packet filtering to limit information that enters a network and information moving from one segment of a network to another. Packet filtering uses access control lists (ACLs), which allow a firewall to accept or deny access based on packet types and other variables.

This method is effective when a protected network receives a packet from an unprotected network. Any packet that is sent to the protected network and does not fit the criteria defined by the ACLs is dropped.

Problems with packet filtering are as follows:

  • Arbitrary packets can be crafted to fit the ACL criteria and therefore pass through the filter.
  • Packets can pass through the filter by being fragmented.
  • Complex ACLs are difficult to implement and maintain correctly.
  • Some services (for example those that negotiate dynamic ports) cannot be filtered effectively.

Packet Filtering is usually used on Cisco Routers using Access Control Lists. This filtering technology is good as a first line of defence on border gateway routers.
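The following is an added example (mine, not from the original post) of a border-router ingress ACL that shows the first two weaknesses listed above in real ACL lines and the mitigation available for each. The protected prefix 203.0.113.0/24, the server addresses and the interface name are placeholders.

```cisco
! Border router ingress ACL on the Internet-facing interface.
! 203.0.113.0/24 is a placeholder for the protected network.
ip access-list extended EDGE-IN
 ! Weakness 2: a non-initial fragment carries no TCP/UDP header, so the port
 ! part of an ACE cannot be checked; IOS lets non-initial fragments through a
 ! permit that carries L4 information. Denying them first closes that hole
 ! (legitimate fragmented traffic is rare for TCP; allow it explicitly if needed).
 ! This line must precede every L4 permit, including "established" below.
 deny ip any 203.0.113.0 0.0.0.255 fragments
 ! Anti-spoofing: nothing from the Internet should claim our own addresses.
 deny ip 203.0.113.0 0.0.0.255 any
 ! Weakness 1: "established" only checks that ACK or RST is set. A crafted
 ! ACK packet matches this line and passes; a stateless filter cannot know
 ! whether the session the packet claims to belong to exists.
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.53 eq domain
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip access-group EDGE-IN in
```

The `established` hole is the one a stateful firewall closes: it matches a returning packet against its connection table instead of a flag check, so a bare ACK with no matching connection is dropped. Keep `log` on the final deny only if the router can afford it; under a flood, logging every denied packet is itself a load on the CPU of the device doing the filtering.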

Proxy Server Firewall

A proxy server is a firewall device that examines packets at higher layers of the OSI model. This device hides valuable data by requiring users to communicate with a secure system by means of a proxy. Users gain access to the network by going through a process that establishes session state, user authentication, and authorization policy. This means that users connect to outside services via application programs (proxies) that are running on the gateway that is connected to the outside unprotected zone.

Problems with the proxy server are as follows:

  • The proxy server creates a single point of failure, which means that if the entrance to the network is compromised, then the entire network is compromised.
  • Adding new services to the firewall is difficult.
  • The proxy server performs more slowly under stress.

Stateful Packet Firewall

Stateful packet filtering is the method used by the Cisco security appliances. This technology maintains the complete session state of the traffic passing through the firewall. Each time a TCP or UDP connection is established, inbound or outbound, the information is recorded in a stateful session flow table.

The stateful session flow table, also known as the state table, contains the source and destination addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection that is associated with the particular session. This information creates a connection object, and consequently, all inbound and outbound packets are compared against session flows in the stateful session flow table. Data is permitted through the firewall only if an appropriate connection exists to validate its passage.

This method is effective for three reasons.

  • It works both on packets and on connections.
  • It operates at a higher performance level than packet filtering or using a proxy server.
  • It records data in a table for every connection and connectionless transaction. This table serves as a reference point for determining if packets belong to an existing connection or are from an unauthorized source.

Some examples of stateful firewalls are the Cisco PIX and ASA models.



