What's the essential ACL I need on the outside interface to prevent scan & SYN attacks?

s_penn002
Level 1

I have an ASA 5515x and 200 users behind it accessing the internet for all of their services (i.e. I have no inside servers). What's the essential ACL I need on the outside interface to prevent scan and SYN attacks, which at present seem to fluctuate wildly?

Accepted Solution

If you don't have any servers that need to be accessed from the internet then there should be no ACL on the outside interface. Your outside interface should have a security level of 0 and the inside interface a number higher than 0. All traffic from a lower security level to a higher security level is denied by default.

If you are allowing traffic in for whatever reason then there is no ACL that will prevent scan and SYN attacks on the fly. For SYN attacks you can limit the embryonic connections:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_connlimits.html

As for preventing a port scan, this is not possible. You cannot prevent the scan itself, but you can prevent it from finding open ports in your firewall by not allowing traffic into the outside interface. This is done either by keeping the outside interface at a lower security level than the other interfaces, or, if you want to, you can add an ACL to the outside interface denying all traffic, but this is not needed as the ASA will drop all traffic from a lower security interface to a higher security interface by default. Also don't configure static NAT; this, combined with the ACL, will open a bidirectional opening in the firewall.

--

Please remember to select a correct answer and rate helpful posts
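Putting the accepted answer into an ASA configuration, as an added example that is not part of the original post: interface security levels with no inbound ACL and no static NAT, dynamic PAT for outbound-only users, and the embryonic connection limits from the linked connection-limits guide applied through the Modular Policy Framework. Interface names, addresses (RFC 5737 documentation ranges) and all numeric limits are assumptions to be tuned to the site's real traffic.

```cisco
! Added example (not from the original post). Interface names, addresses and
! numeric limits are assumptions; the addresses are documentation ranges.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! No access-group is bound to "outside": with security-level 0 on the outside
! and 100 on the inside, unsolicited inbound traffic is dropped by default and
! only return traffic for connections opened from "inside" is allowed.
!
! Outbound-only NAT: dynamic PAT to the outside interface address. No static
! NAT means no inside host is reachable from the internet (no bidirectional
! opening for a scanner to find).
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Embryonic (half-open) connection limits. Once embryonic-conn-max is reached
! the ASA completes the TCP handshake on behalf of the destination (TCP
! Intercept) and only passes the connection once the client answers, so a
! SYN flood cannot exhaust the host's half-open connection table.
class-map CONN_LIMITS
 match any
!
policy-map global_policy
 class CONN_LIMITS
  set connection conn-max 10000 embryonic-conn-max 2000
  set connection per-client-max 200 per-client-embryonic-max 50
  set connection timeout embryonic 0:00:30
!
service-policy global_policy global
```

Verify the limits are in effect with `show service-policy` and watch current half-open counts with `show conn`; the "Possible Scan & SYN attack" statistics ASDM graphs come from basic threat detection and can be inspected with `show threat-detection rate`.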

2 Replies


Thanks Marius,

That was my understanding, but the ASDM graphs of "Possible Scan & Syn attacks" had me paranoid, so I applied an anti-bogon ACL to the outside interface, but that didn't make any difference.

Thanks again for the clarification,

brgds

SteveP
