Threat-Detection Tuning - How do you tune yours?

scott.hartlaub
Level 1

I am very interested in tuning my ASA Threat-Detection configuration.  I desire for the device to shun addresses quicker for ACL failures and IP scanning.  Any advice would be most appreciated.

7 Replies

Julio Carvajal
VIP Alumni

Hello Scott,

As I have understood, if you want to be able to shun hosts based on threat-detection analysis you will need to use the scanning threat detection, as the other two (basic and advanced threat detection) will only generate log messages.

Configuration for the scanning:

- threat-detection scanning-threat

- threat-detection scanning-threat shun duration xxx (how long the host will be shunned)

- threat-detection rate scanning-threat rate-interval 600 (time where the ASA will inspect traffic looking for a scan or sweep) average-rate 30 (times the ASA encounters a scan or sweep) burst-rate 10 (times per second the scan happens)

As I told you, the following command will generate a log, just that; it will not shun the host.

- threat-detection rate acl-drop rate-interval 600 (time where the ACL drop will be inspected) average-rate 30 (times the ACL will drop the packet) burst (denies per second) 10

Let me know if I was clear enough

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I have the following configuration and it does shun properly, I just want to tune it to shun faster.

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
no threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate syn-attack rate-interval 600 average-rate 20 burst-rate 30
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.0.0 255.255.0.0
threat-detection scanning-threat shun duration 36000
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200 threat-detection rate dos-drop

Hello,

So you will need to focus on this for the shunning purposes:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

You are already using the minimum amount of time for the scanning threat, so the only thing you can change is to try to use a lower burst-rate.

Rate if this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
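To see why lowering the burst-rate is the knob that shortens time-to-shun, here is a small Python model of the sliding-window rate check, added as an example and not taken from the thread or from Cisco. It assumes the burst window is 1/30 of the rate-interval with a 10-second floor (as described in the ASA configuration guide) and runs the thread's scanning-threat line against a constructed scan of 20 dropped probes per second; the function names and the sample data are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regex for the 'threat-detection rate ...' lines quoted in the thread.
RATE_RE = re.compile(
    r"^(?P<neg>no )?threat-detection rate (?P<event>\S+) rate-interval (?P<ri>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$")

@dataclass
class RateConfig:
    event: str
    rate_interval: int   # seconds over which the average rate is measured
    average_rate: int    # drops per second averaged over rate_interval
    burst_rate: int      # drops per second averaged over the burst interval

def parse_rate_line(line: str) -> Optional[RateConfig]:
    """Parse one rate line; a 'no ...' line disables the rule and yields None."""
    m = RATE_RE.match(line.strip())
    if not m or m.group("neg"):
        return None
    return RateConfig(m.group("event"), int(m.group("ri")),
                      int(m.group("avg")), int(m.group("burst")))

def burst_interval(rate_interval: int) -> int:
    # Assumption taken from the ASA configuration guide: the burst window is
    # 1/30 of the rate interval, but never shorter than 10 seconds.
    return max(rate_interval // 30, 10)

def first_trigger(cfg: RateConfig, drops_ms: List[int]) -> Optional[Tuple[float, str]]:
    """Return (seconds, 'burst' or 'average') for the first threshold crossing."""
    windows = (("burst", burst_interval(cfg.rate_interval), cfg.burst_rate),
               ("average", cfg.rate_interval, cfg.average_rate))
    times = sorted(drops_ms)
    start = {name: 0 for name, _, _ in windows}   # sliding-window start index
    for i, t in enumerate(times):
        for name, win_s, threshold in windows:
            # keep only drops whose timestamps fall in (t - window, t]
            while times[start[name]] <= t - win_s * 1000:
                start[name] += 1
            if (i - start[name] + 1) / win_s > threshold:
                return (t / 1000, name)
    return None

# Constructed sample: one dropped probe every 50 ms (20/s) for three minutes.
SCAN_DROPS_MS = list(range(0, 180_000, 50))
THREAD_LINE = "threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10"
TUNED_LINE = "threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 8"
```

With the thread's line the burst threshold is crossed 10 seconds into the scan; with burst-rate 8 it is crossed at 8 seconds, while the 600-second average-rate would not trip until 150 seconds in either case.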

That was it!  Thanks Julio!

Hello Scott,

My pleasure,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Is there a significant performance hit when using 'scanning threat detection' and the shun feature as opposed to using only 'basic threat detection'?

I have a pair of ASA 5520s with ~100 users with a fair amount of traffic. My CPU usage is between 10 and 30% on average. I've been advised by some security experts to turn on the feature but I'm afraid to overload the ASAs.

Thanks.

Hello Blue,

It will increase a lot, as all traffic will need to be deeply inspected. They will gather more information from all the statistics and they could even perform shunning, but you can monitor how much CPU it takes with the following command:

sh processes cpu-usage sorted non-zero

Any other question? Sure. Just remember to rate all the helpful posts.


Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC