Preventing DoS attacks and using encryption

net buzz
Level 1

Hi!

I have setup the network as per the attached topology. All remote sites are able to access the Main site Application Server.

My issues are as follows:

  • How can DoS attacks on the server be prevented? Is there some configuration that can be done on the routers or the firewall (rate limiting, ACL)?

  • All the routers (Cisco 3825 and 2811) are equipped with the ADVENTERPRISEK9-M IOS and therefore contain cryptographic features.

       Are the routers already encrypting the data which is being transmitted?

       If yes, how is the encryption/decryption processes performed?

       If no, is there some configuration that needs to be done on the routers to turn encryption on?

Please see attached topology.

Thanks,

Alvin

Accepted Solutions

Hi,

To prevent DoS on an ASA level you can do some things (I found the following making a quick search in CSC):

For DDOS / DOS attacks see below a reference for configuring threat detection

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

If you want to provide protection against spam, spyware, viruses, phishing, etc. that enters your network via email, HTTP, or FTP traffic, then you would use a CSC module. See the link below

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html

See below a Q&A for the product

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e.html

An IPS module provides protection by blocking threats such as distributed denial of service attacks, reconnaissance attacks, and attacks against operating system and application vulnerabilities. See below

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps6120_Products_Data_Sheet.html

See below a Q&A for the product

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/qa_c67-458612_ps6120_Products_Q_and_A_Item.html

The 5510 & 5520's only have one expansion slot for security services modules, so you can install only one of these devices.

For the other question... the fact that the routers have an advanced services image means they can encrypt the data and provide additional security features.

The routers are NOT encrypting the data by default.

They CAN be configured to encrypt data before sending packets out (as you would normally have when configuring an IPsec tunnel).

Hope it helps.


Federico.

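As an added illustration of the IPsec tunnel Federico refers to (example configuration written for this thread, not taken from his post or from Cisco documentation), here is a minimal IKEv1/IPsec site-to-site setup on a remote-site IOS router. The WAN interface name, subnets, peer address and pre-shared key are constructed placeholders that must be replaced with the values from the actual topology.

```cisco
! Remote-site router (e.g. a 2811); the main-site 3825 gets the mirror image.
! Addresses, interface and key below are constructed placeholders.
!
! IKE phase 1: how the two routers authenticate and protect the negotiation
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key bound to the main-site peer address (use a long random key)
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.1
!
! IKE phase 2: how user traffic is encrypted and authenticated (ESP)
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! "Interesting" traffic: remote LAN to the main-site server subnet.
! Only packets matching this list are encrypted; anything else crosses in the clear.
ip access-list extended VPN-TO-MAIN
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map CM-MAIN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 set pfs group14
 match address VPN-TO-MAIN
!
interface Serial0/0/0
 description WAN link to main site
 crypto map CM-MAIN
!
! On the main-site router: same policy and transform set, the remote router
! as peer, and the access list with source and destination swapped.
!
! Verification once traffic flows:
!   show crypto isakmp sa   -> state QM_IDLE means phase 1 is established
!   show crypto ipsec sa    -> encaps/decaps counters should increase
```

Without a matching crypto map on the main-site router the tunnel will not come up, and traffic that does not match the access list is still forwarded unencrypted.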

Hello Alvin,

Just to add a little more to what Federico has shared, on IOS we can use the TCP intercept feature available in the advipservicesk9 image.

Here are a few links for your better understanding & reference:

Hope this helps. Please reply if you need further assistance.

Regards,
Chirag

P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
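As an added example of the TCP intercept feature Chirag mentions (constructed for this thread, not from his post or the linked documents), this protects the main-site application server from SYN floods on the router in front of it. The server address and thresholds are assumed placeholders.

```cisco
! Main-site router in front of the application server (10.0.0.10 is a
! constructed placeholder). Needs an image that includes TCP intercept,
! such as the advipservicesk9 image named above.
!
! Only protect the server: this list selects which TCP connections are intercepted
access-list 120 permit tcp any host 10.0.0.10
!
ip tcp intercept list 120
! intercept mode: the router completes the three-way handshake with the client
! itself and only opens a connection to the server once the client has answered,
! so half-open SYNs never accumulate on the server. "watch" mode instead lets
! the SYN through and resets connections that do not complete in time.
ip tcp intercept mode intercept
!
! Thresholds: when half-open connections exceed "high", aggressive mode starts
! (retransmission and watch timeouts are halved and half-open entries are
! dropped for each new SYN) until the count falls below "low".
! Tune these to the server's normal connection rate.
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
ip tcp intercept one-minute high 800
ip tcp intercept one-minute low 600
! Drop the oldest half-open connection first while in aggressive mode
ip tcp intercept drop-mode oldest
!
! Verification / monitoring:
!   show tcp intercept connections   -> incomplete vs. established entries
!   show tcp intercept statistics    -> intercepted and dropped attempt counts
```

Watch the statistics under normal load before lowering the thresholds, since values set below the legitimate connection rate will put the router into aggressive mode during ordinary peaks.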
