https://community.cisco.com/t5/network-security/strict-tcp-enforcement-in-sourcefire/m-p/3070829#M43096 <P>Hi Cisco Support Community team</P> <P>Currently thinking as a scenario the&nbsp;Sourcefire NIPS are working in <U>Blocking mode (Drop when Inline) option</U> is enabled in the 'Intrusion Policy'</P> <P>Can you please let me know<STRONG> 'Strict TCP Enforcement' feature </STRONG>in <STRONG>Sourcefire NIPS </STRONG>can it be implemented<STRONG> Yes <U>or </U>No , along with its Pros/Cons.</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>Do let me know&nbsp;your Recommendations&nbsp; is it worth to implement this Strict TCP Enforcement at Sourcefire NIPS 'or' Cisco ASA firewall 'or' at a DDOS Vendor these days Volumetric attacks come from attackers from Internet.</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>&nbsp;</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>Reference url</STRONG> :&nbsp; &nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/IPS-Devices.html" target="_blank"><U>http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/IPS-Devices.html</U></A>&nbsp;&nbsp;&nbsp;</P> <P style="margin: 0cm 0cm 0pt;"><STRONG></STRONG>&nbsp;</P> <P style="margin: 0cm 0cm 0pt;"><STRONG>Strict TCP Enforcement</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>------------------------------------</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><SPAN style="color: red;">To maximize TCP security, you can enable strict enforcement, which "Blocks Connections where the Three-Way Handshake was not completed". </SPAN><U><SPAN style="color: black;">Strict enforcement also blocks:</SPAN></U></P> <UL> <LI style="margin: 0cm 0cm 0pt;"><STRONG>non-SYN TCP packets</STRONG> <U>for connections</U> <STRONG>where the three-way handshake was not completed</STRONG></LI> <LI style="margin: 0cm 0cm 0pt;"><STRONG>non-SYN/RST packets</STRONG> <U>from the initiator on a</U> <STRONG>TCP connection before the responder sends the SYN-ACK</STRONG></LI> <LI style="margin: 0cm 0cm 0pt;"><STRONG>non-SYN-ACK/RST packets</STRONG> <U>from the responder on a</U> <STRONG>TCP connection after the SYN but before the session is established</STRONG></LI> <LI style="margin: 0cm 0cm 0pt;"><STRONG>SYN packets</STRONG> <U>on an established</U> <STRONG>TCP connection from either the initiator or the responder</STRONG></LI> </UL> <P style="margin: 0cm 0cm 0pt;">Regards</P> <P style="margin: 0cm 0cm 0pt;">Chidambara</P> Sun, 10 Mar 2019 13:47:10 GMT chidambarakodandaraju 2019-03-10T13:47:10Z https://community.cisco.com/t5/network-security/strict-tcp-enforcement-in-sourcefire/m-p/3070829#M43096 <P>Hi Cisco Support Community team</P> <P>Currently thinking as a scenario the&nbsp;Sourcefire NIPS are working in <U>Blocking mode (Drop when Inline) option</U> is enabled in the 'Intrusion Policy'</P> <P>Can you please let me know<STRONG> 'Strict TCP Enforcement' feature </STRONG>in <STRONG>Sourcefire NIPS </STRONG>can it be implemented<STRONG> Yes <U>or </U>No , along with its Pros/Cons.</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>Do let me know&nbsp;your Recommendations&nbsp; is it worth to implement this Strict TCP Enforcement at Sourcefire NIPS 'or' Cisco ASA firewall 'or' at a DDOS Vendor these days Volumetric attacks come from attackers from Internet.</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>&nbsp;</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>Reference url</STRONG> :&nbsp; &nbsp;<A href="http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/IPS-Devices.html" target="_blank"><U>http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/IPS-Devices.html</U></A>&nbsp;&nbsp;&nbsp;</P> <P style="margin: 0cm 0cm 0pt;"><STRONG></STRONG>&nbsp;</P> <P style="margin: 0cm 0cm 0pt;"><STRONG>Strict TCP Enforcement</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><STRONG>------------------------------------</STRONG></P> <P style="margin: 0cm 0cm 0pt;"><SPAN style="color: red;">To maximize TCP security, you can enable strict enforcement, which "Blocks Connections where the Three-Way Handshake was not completed". </SPAN><U><SPAN style="color: black;">Strict enforcement also blocks:</SPAN></U></P> <UL> <LI style="margin: 0cm 0cm 0pt;"><STRONG>non-SYN TCP packets</STRONG> <U>for connections</U> <STRONG>where the three-way handshake was not completed</STRONG></LI> <LI style="margin: 0cm 0cm 0pt;"><STRONG>non-SYN/RST packets</STRONG> <U>from the initiator on a</U> <STRONG>TCP connection before the responder sends the SYN-ACK</STRONG></LI> <LI style="margin: 0cm 0cm 0pt;"><STRONG>non-SYN-ACK/RST packets</STRONG> <U>from the responder on a</U> <STRONG>TCP connection after the SYN but before the session is established</STRONG></LI> <LI style="margin: 0cm 0cm 0pt;"><STRONG>SYN packets</STRONG> <U>on an established</U> <STRONG>TCP connection from either the initiator or the responder</STRONG></LI> </UL> <P style="margin: 0cm 0cm 0pt;">Regards</P> <P style="margin: 0cm 0cm 0pt;">Chidambara</P> Sun, 10 Mar 2019 13:47:10 GMT https://community.cisco.com/t5/network-security/strict-tcp-enforcement-in-sourcefire/m-p/3070829#M43096 chidambarakodandaraju 2019-03-10T13:47:10Z