Cisco ASA Series 5: Configuring Threat Detection

Cisco ASA Series 5: Configuring Threat Detection

Cisco ASA is a security appliance that incorporates a firewall, antivirus software, intrusion detection, and a virtual private network (VPN). It allows for proactive threat defense, preventing attacks from propagating over the network.

Cisco ASA Basic Site 2 Site Topology
Fig 1.1- Cisco ASA Basic Site 2 Site Topology

To enable the security appliance to keep an eye on potentially dangerous packet flows, threat detection was included. In addition to alerting managers to potential attacks, this function is intelligent enough to automatically ban IP addresses or ranges that pose a concern (mostly through threat monitoring).

A technique for recognizing, comprehending, and thwarting threats before they affect the internal network architecture is called threat detection. It is dependent on several firewall triggers and data that are generated and computed when traffic flows through the ASA.

You can enable the threat detection functionality on any ASA running software version 8.0(2) or above, since it is supported starting with that version. Advanced Threat Detection TCP intercept data are only available in ASA 8.0(4) and above. Threat detection can be used to provide an extra layer of security to the fundamental security features of an ASA in situations when an IPS is unavailable, but it should not be confused with a dedicated IDS/IPS solution.

The threat detection function consists of three major components:

  • Basic Threat Detection (by default activated)
  • Advanced Threat Detection (by default, only ACL statistics are enabled)
  • Threat Detection via Scanning (you can block hosts that scan the protected network).
⭐Note : Here in this article we will only talk about the Basic Threat Detection and will talk advanced and scanning in another article 

⭐ Cisco ASA's Basic Threat Detection 🔐

By tracking the rates at which packets are discarded by the ASA as a whole for a variety of reasons, basic threat detection offers very rudimentary protection. Due to the lack of granularity to allow for very detailed monitoring, it offers basic capabilities as the name implies and is applied to the entire device. 

⭐Imp : The ASA promptly sends a system log message (733100) upon detecting a threat.

Basic threat detection calculates the average rate interval (ARI), which varies from 600 seconds to 30 days, by measuring the rates at which drops occur for each event throughout the specified time period. The ASA views events as dangerous if the quantity of events occurring inside the ARI above the specified rate criteria. 

To create the statistics, it often leverages the firewall's ASP-Drop engine. 

  • Packets that Access Lists (ACL Drop) reject.
  • Invalid packet format (e.g., invalid-tcp-hdr-length or invalid-ip-header).
  • Exceeded connection limitations (including configuration- and system-wide resource constraints).
  • Attack of DoS detected (e.g., Stateful Firewall check failure, incorrect SPI).
  • Basic firewall inspections were unsuccessful. (This option is a cumulative rate for all packet drops in this bulleted list that are due to firewalls). Drops unrelated to firewalls, such as interface overload, packets rejected during application inspection, and identified scanning attacks, are not included.)
  • Noticed suspicious ICMP packets.
  • Applications were not properly inspected, and there was an overflow of interfaces.
  • Attack detection using scanning The initial TCP packet is not a SYN packet, or the TCP connection failed the three-way handshake—these types of scanning attacks are monitored by this option. This scanning attack rate data is used by full scanning threat detection, which uses it to categorize hosts as attackers and automatically ban them, among other things.)
  • SYN Attack Recognition. Sessions with incomplete detection, such those with no data and/or TCP SYN attacks, are identified.
Two customizable thresholds—the average rate and the burst rate—determine when an event qualifies as a threat in basic threat detection. The average rate is only the mean quantity of drips per second within the designated ARI time frame. 

For instance, when the ARI is set to 600 seconds and the average rate threshold for ACL drops is set to 300, the ASA determines the average quantity of packets dropped by ACLs during the previous 600 seconds. Should this figure prove to be more than 300 per second, the ASA records a threat.

The ASA only creates the syslog message %ASA-4-733100 to notify the administrator that a possible danger has been discovered whenever a basic threat is detected. These alert messages can be set up to be sent via email by the ASA. If I'm an administrator and we want to be notified, the ASA will send us an email with this alert number so we may take appropriate action.

⭐ CLI Command configuration 📜

NDNA_CiscoASA(config)# threat-detection basic-threat

⭐ Web GUI configuration 💻

There is no performance effect from basic threat detection statistics, which are enabled by default. To enable or disable this capability, navigate to: 
Configuration →Firewall →Threat Detection in the ASDM.

The show threat-detection rate command displays the average, latest, and total number of incidents for each threat category. Basic threat detection does not take any action to block the offending traffic or stop subsequent attempts because it just operates on the firewall's overall drops. Simple threat detection may be used as a reporting or monitoring tool and is entirely informative.