After a device comes under attack from SYN floods, TCP Intercept will transition to a mode known as aggressive mode. Aggressive mode is triggered if the number of incomplete connections exceeds 1,100 or the number of connections arriving in one minute exceeds 1,100; after aggressive mode has triggered, each new arriving connection causes the oldest half− open connection to be deleted. TCP Intercept will also lower its initial retransmission timeout of 1 second by half, to 0.5 seconds. This allows the router to cut in half the time allotted to establish a connection.

When TCP Intercept is in aggressive mode, the following occurs:

∙Each newest connection request causes the oldest half−open connection to be deleted.

∙The initial retransmission timeout is reduced by half, to 0.5 seconds.

∙If TCP Intercept is configured for watch mode, the watch timeout is reduced by half.

Network Address Translation

IP address depletion is one of the key problems that faces the Internet today. To address the IP address depletion problem Cisco has implemented a feature known as Network Address Translation (NAT). NAT, described in RFC 1631, provides a way to use IP addresses in multiple Internetworks by replacing the original source or destination IP address in an IP packet. The functionality of NAT allows privately addressed networks to connect to public networks such as the Internet. When the host on the private inside network sends a packet through the NAT router, the private addresses are converted to registered globally routable IP addresses.

NAT helps to solve other problems aside from the rapid depletion of global network address space and provides an enterprise with many advantages, some of which are listed here:

∙NAT reduces the instances in which addressing schemes overlap. If an IP scheme was originally set up within a private network and the network was connected to the public network, such as the Internet, or merges with another company that may use the same address, space communication could not take place because of overlapping IP address schemes. Without NAT, overlapping of address schemes could potentially take place on a global scale.

∙Implementing NAT automatically creates a makeshift firewall between the internal trusted network and the outside untrusted networks or the Internet. NAT allows only connections that originate inside the trusted network. Essentially, this means that a computer on an external untrusted network cannot connect to a computer on the inside trusted network unless the inside computer has initiated the contact.

∙NAT increases the flexibility of connecting to a public network and provides network designers with greater flexibility when designing an organization's addressing plan. This flexibility allows for multiple pools and loadsharing/balancing features. NAT also saves on the cost of renumbering a private network address space with a unique global address space.

Although most networking devices support NAT because of its many beneficial features, NAT does have a few disadvantages that should be weighed against the benefits when determining if it is a viable solution for the enterprise:

∙NAT increases the overall switching delay of the packet, which is caused by the translation that must take place, but also because NAT is performed using process switching. The router must examine every packet to determine if a header rewrite is required.

∙NAT causes the loss of end−to−end traceability and forces some applications that use IP addressing to stop functioning because of NAT's inherent functionality of hiding IP

89

addresses.

At a high level, NAT has two types of networks: internal and external. Internal networks, also referred to as stub domains, are networks that have been assigned IP addresses that are considered to be private or not routable. Likewise, external networks are networks that are considered to be public and routable. NAT also has its own terminology for types of IP addresses:

∙Inside local IP address—The IP address assigned to a host on the inside trusted network. These addresses are typically allocated from the private IP address ranges.

∙Inside global IP address—A legitimate IP address that represents one or more inside local addresses to the outside network(s). These are the IP addresses that the inside local IP addresses are translated to. They are advertised outside the inside local address space.

∙Outside global IP address—The IP address that is assigned to a host on the outside network by its owner. These addresses are allocated from legitimate globally routable address space.

∙Outside local IP address—The IP address of an outside host as it appears to the inside network. This address is allocated from IP address space that is routable on the inside network.

NAT creates two types of address translations: simple and extended. A simple translation entry is an entry that simply maps one IP address to another IP address. An extended translation entry is a translation entry that maps one IP address and port pair information to another IP address and port pair.

Port Address Translation (PAT) is a variant of Network Address Translation (NAT). NAT creates a one−to−one address translation at the network layer and does not maintain port parameters per translation. PAT, on the other hand, creates a many−to−one address translation and maintains port parameters per translation. PAT allows many inside local IP address packets to be translated to one outside global address. It allows enterprises to conserve public IP addresses by translating the source of all inside addresses or all inside addresses matched by an access list to one global public IP address. When PAT is enabled on a perimeter router, the translation process chooses a unique source port number for each outbound connection request.

PAT can allow for translation of one IP address for up to 64,000 hosts. However, in most cases, a more realistic number of translations is in the vicinity of 4,000 hosts. PAT does not use well−known port numbers in its address translation, nor are any destination fields translated— only source information is translated.

Committed Access Rate

Committed Access Rate (CAR) is a software feature that implements both classification of services and policing of traffic through rate−limiting, which, in effect, limits the input or output transmission rate of an interface based on a configurable set of criteria. Network administrators can use CAR to designate traffic−handling policies when traffic either conforms to or exceeds a specified rate limit. CAR's rate−limiting feature manages the bandwidth policy for a network by ensuring that traffic falling within the specified rate parameters is sent while dropping packets that exceed the acceptable amount of traffic. CAR also specifies an exceed action, which can be set to drop packets.

CAR uses a token bucket measuring system. Tokens are inserted into the bucket at the committed rate, and the number of tokens in the bucket is limited by the configured burst size. Traffic arriving at the bucket when tokens are available is traffic that matches a configured conform action. If tokens

90

are available when the traffic arrives, the appropriate number of tokens are removed from the bucket and the specified conform action is executed. If there is not an adequate number of tokens available, the traffic matches a configured exceed action. The token bucket is a culmination of three components: a Mean Rate (CIR), a Burst Size (Bc), and a Time Interval (Tc). Each of these components is further detailed in the following list:

∙Mean Rate (CIR)—The average rate at which you would like to transmit. The rate is averaged over an increment of time (Tc), and traffic that is under this rate will always conform. This is measured in bits/second.

∙Burst Size (Bc)—The amount of data sent per time interval (Tc). When used with CAR, this is measured in bytes per burst interval.

∙Time Interval (Tc)—A measurement of Bc/CIR.

The token bucket formula for determining the Mean Rate of transfer is as follows:

Mean Rate (CIR) = Burst Size (Bc) / Time Interval (Tc)

The equation solves for Mean Rate (CIR) by dividing the Time Interval (Tc) by the Burst Size (Bc)eqn0 One other formula that relates to the token bucket measuring system solves for the Time Interval (Tc):

Time Interval (Tc) = Burst Size (Bc) / Mean Rate (Cir)

Each action, conform and exceed, can be configured to provide another action based on the available tokens:

∙Transmit—The packet is forwarded accordingly.

∙Drop—The packet is dropped and no further processing takes place on it.

∙Set precedence then transmit—The IP Precedence bit in the packet is rewritten. The packet is then transmitted.

∙Continue—The packet is compared to the next policy that is configured in the list of rate limits. If no other policy is configured, the packet is sent.

∙Set precedence and continue—The IP Precedence bits are rewritten to a specified value, and the packet is then compared to the next policy configured in the list of rate limits.

A security administrator can use CAR's rate−limiting feature to control the maximum rate at which traffic is sent or received during times the router is receiving a stream of DoS attack packets. To define a rate limit, three values must be specified:

∙Average rate—The average rate at which you want to transmit. All traffic that is transmitted at or below the average rate meets the conform action. Traffic that is transmitted above the average rate meets the exceed action, depending on the values configured for normal burst and excess burst. This value is specified in bits per second.

∙Normal burst—The amount of traffic, specified in bytes per second, that is allowed to burst before partial amounts of traffic are subjected to the excess burst action.

∙Excess burst—The amount of traffic, specified in bytes per second, that is allowed in a burst before all traffic is subjected to the excess burst action. Setting this value to zero disables bursting.

91

When CAR rate−limiting is applied to a packet, CAR removes from the bucket tokens that are equivalent in number to the byte size of the packet. If a packet arrives and its byte size is greater than the number of tokens available in the standard token bucket, extended burst capability is engaged if it is configured. Extended burst is configured by setting the extended burst so it's greater than the normal burst value. Setting the extended burst value equal to the normal burst value, in effect, disables extended burst.

Logging

Routers are a mainstay of most network−connected organizations. Over the past few years, they have become increasingly sophisticated and moved beyond the realm of simply connecting different subnets. Although routers provide a high degree of network security, it can sometimes be challenging to security administrators to answer questions such as the following:

∙Who's on my network and where are they spending their time?

∙Are my network security and usage policies being adhered to?

∙Is my router secure?

∙Have there been any attempts to breach it?

∙Are there any system failures or configuration issues to attend to?

Logging of events that take place on the perimeter routers provides a security administrator with a clear audit trail of each and every bit of information that traverses the router. This information is needed in order to assess network activity and find out if security and network usage policies are functioning as designed. Accomplishing complete network security is an investigative process that requires ongoing analysis of network device activity. Because of this investigative process, security administrators should log every event that takes place on the perimeter router to a syslog server daemon to aid in analyzing attacks that take place from a trusted or untrusted network.

Cisco routers define certain levels of message logging, and each level is based upon the severity of the event. Table 3.1 lists each event error message and its corresponding severity level.

Table 3.1: Logging messages and severity level.

92