Embryonic connections

Franco_Pieressa
Level 1

Hello, I'm limiting the number of embryonic connections in my PIX v6.3(4) with the static command, and I have some doubts.

- How can I see the number of SYNs that the PIX is proxying when the threshold is reached? The "show local-host" command doesn't show me that info...

- What are the disadvantages of limiting the number of embryonic connections with a static command on a PIX? Is there any case where it must not be used?

Regards

FP

7 Replies

Patrick Iseli
Level 7

I am not sure, but it looks like it would be this command?

pixfirewall(config)# show IPAddress detail
local host: <10.1.1.15>,
TCP connection count/limit = 0/unlimited
TCP embryonic count = 0
...............

There is not really a disadvantage to doing that, just the risk that if you are too restrictive you may block sessions and no new session could be established.

emb_limit

Specifies the maximum number of embryonic connections per host. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Set a small value for slower systems, and a higher value for faster systems. The default is 0, which means unlimited embryonic connections.

The embryonic connection limit lets you prevent a type of attack where processes are started without being completed. When the embryonic limit is surpassed, the TCP intercept feature intercepts TCP synchronization (SYN) packets from clients to servers on a higher security level. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and combines the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The PIX firewall accomplishes TCP intercept functionality using SYN cookies.

Note: This option does not apply to outside NAT. The TCP intercept feature applies only to hosts or servers on a higher security level. If you set the embryonic limit for outside NAT, the embryonic limit is ignored.

Sincerely

Patrick
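
The TCP intercept / SYN cookie mechanism Patrick quotes above, modelled as an added example that is not part of this thread or of Cisco's PIX code. It shows why intercepted SYNs leave no per-connection state to count: the firewall encodes the client/server 4-tuple and a time slot into the SYN-ACK's sequence number with a keyed hash, and only a client that echoes that number plus one gets a real connection opened towards the server; a source that never received the SYN-ACK cannot produce it and is dropped. The cookie layout (HMAC-SHA256 truncated to 32 bits), the 64-second slot, the secret and the TEST-NET addresses are constructed for the example; real implementations use their own layouts.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]   # (IPv4 address, TCP port)

# A cookie is honoured for the slot it was issued in and the one after it, so a
# client has at least this many seconds to return the handshake's final ACK.
COOKIE_SLOT_SECONDS = 64
SECRET = b"constructed-demo-secret"   # constructed for the example; rotate in practice


def _cookie_for_slot(secret: bytes, client: Endpoint, server: Endpoint, slot: int) -> int:
    """Derive a 32-bit ISN from the 4-tuple and a time slot with a keyed hash, so the
    firewall can later recognise its own SYN-ACK without storing anything per SYN.
    The layout (HMAC-SHA256 truncated to 32 bits) is a hypothetical construction."""
    msg = struct.pack("!4sH4sHq", socket.inet_aton(client[0]), client[1],
                      socket.inet_aton(server[0]), server[1], slot)
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def make_syn_cookie(secret: bytes, client: Endpoint, server: Endpoint, now: float) -> int:
    return _cookie_for_slot(secret, client, server, int(now) // COOKIE_SLOT_SECONDS)


def verify_syn_cookie(secret: bytes, client: Endpoint, server: Endpoint,
                      ack_number: int, now: float) -> bool:
    """A genuine third packet carries ACK = ISN + 1. Accept it only if ISN is a cookie
    this firewall could have issued for this 4-tuple in the current or previous slot;
    a spoofed source never received the SYN-ACK and so cannot produce it."""
    claimed = struct.pack("!I", (ack_number - 1) & 0xFFFFFFFF)
    current = int(now) // COOKIE_SLOT_SECONDS
    return any(hmac.compare_digest(claimed, struct.pack("!I", _cookie_for_slot(secret, client, server, s)))
               for s in (current, current - 1))


class TcpIntercept:
    """Toy model of the behaviour the thread describes. Below emb_limit a SYN passes to
    the server and counts as embryonic; once the limit is reached the firewall answers
    the SYN-ACK itself with a cookie ISN, keeps no per-SYN state, and only opens the
    server-side connection after the client proves itself with a valid ACK."""

    def __init__(self, secret: bytes, server: Endpoint, emb_limit: int) -> None:
        self.secret = secret
        self.server = server
        self.emb_limit = emb_limit               # 0 means unlimited, as with the static command
        self.half_open: Set[Endpoint] = set()    # pass-through SYNs still awaiting their ACK
        self.established: Set[Endpoint] = set()
        self.syns_seen = 0
        self.syns_intercepted = 0

    def limit_reached(self) -> bool:
        return self.emb_limit != 0 and len(self.half_open) >= self.emb_limit

    def on_syn(self, client: Endpoint, now: float) -> Tuple[str, Optional[int]]:
        self.syns_seen += 1
        if not self.limit_reached():
            self.half_open.add(client)           # the server holds this half-open state
            return ("forward", None)
        self.syns_intercepted += 1               # nothing is stored for this SYN
        return ("syn-ack", make_syn_cookie(self.secret, client, self.server, now))

    def on_ack(self, client: Endpoint, ack_number: int, now: float) -> bool:
        if client in self.half_open:             # pass-through leg: the server checks the numbers
            self.half_open.discard(client)
            self.established.add(client)
            return True
        if verify_syn_cookie(self.secret, client, self.server, ack_number, now):
            self.established.add(client)         # now the firewall completes the server-side leg
            return True
        return False                             # stale or forged: dropped without a trace


def simulate_flood(flood_size: int = 200, emb_limit: int = 10, now: float = 1_000_000.0) -> Dict:
    """Constructed scenario: flood_size SYNs from spoofed sources that never answer,
    followed by one real client. Addresses come from the TEST-NET documentation ranges."""
    server = ("10.1.1.15", 80)                   # the host from the thread's sample output
    fw = TcpIntercept(SECRET, server, emb_limit)
    for i in range(flood_size):
        fw.on_syn((f"198.51.100.{i % 254 + 1}", 40000 + i), now)
    legit = ("203.0.113.7", 51000)
    action, isn = fw.on_syn(legit, now)
    # A real client echoes ISN + 1; on a pass-through leg the server validates the number.
    ack = (isn + 1) & 0xFFFFFFFF if isn is not None else 0
    accepted = fw.on_ack(legit, ack, now + 1)
    return {
        "syns_seen": fw.syns_seen,
        "intercepted": fw.syns_intercepted,
        "half_open": len(fw.half_open),          # what "TCP embryonic count" would reflect
        "established": sorted(fw.established),
        "legit_accepted": accepted,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

With the defaults, the first ten spoofed SYNs occupy the server's half-open slots and the remaining 190 are answered with cookies and forgotten; the one real client still completes its handshake. With emb_limit 0 nothing is ever intercepted, matching the "0 means unlimited" default quoted above.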

I think the PIX doesn't block connections when I configure an embryonic limit. What it does is intercept TCP SYN packets, allowing only legitimate connections between clients and servers.

So, what is the disadvantage of configuring an embryonic limit? A performance penalty, maybe?

Sincerely

FP

I think the PIX doesn't block connections when I configure an embryonic limit. What it does is intercept TCP SYN packets, allowing only legitimate connections between clients and servers.

That is correct. Once the embryonic limit is reached, the PIX uses SYN cookies to make sure the conns are legit. It then snaps the legit ones back to the server it is protecting and drops the non-legit ones.

So, what is the disadvantage of configuring an embryonic limit? A performance penalty, maybe?

Yes, this is also right. The disadvantage from the PIX standpoint is that it does require additional overhead. Other than that, there really is no reason *not* to set the emb limit, especially on important Internet-facing servers.

Hope this helps.

Scott

Scoclayton,

Are there some guidelines on how to set that up for different services, let's say web, ftp ...?

Sincerely

Patrick

So, do you think a value of 1 in the emb limit is a good value?

Another question: I made some tests with a PIX configured with a static emb limit, and found that the "TCP embryonic count" (in the output of the "show local-host" command) shows the number of embryonic connections the server behind the firewall has. But how can I see the number of SYNs the firewall is intercepting? How can I detect a SYN flood attack on a PIX with the emb limit protection configured?

Thanks

FP

I will try to answer my own question:

- The only problem with the use of embryonic limits, besides the firewall performance (security is its job :-), is the delay added to the establishment of new connections when the limit is surpassed.

- There isn't any command to view the number of connections the firewall is intercepting when the embryonic limit is surpassed, because it uses a SYN cookie method. No connections are created before the TCP 3-way handshake is completed with the PIX, so neither the "show conn" nor the "show logg" command shows them.

Thanks

FP

Hi Patrick:

I don't think there's a general guideline specifically on what you should set your max_conn and max_embryonic conns to for a particular service. However, what I normally do is to monitor the pattern of our network traffic for a while and decide what would be the best threshold we want to set for those services. As you pointed out, "show xlate" and "show local-host x.x.x.x" are pretty useful commands for that purpose.

Even though the PIX will experience some performance hit when TCP Intercept kicks in, we all probably agree that having Flood Defender in place is so much better from a security standpoint than not having it at all. Just my 2 cents.

Thanks,

Binh
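
FP's question about detecting a SYN flood when the intercepted SYNs themselves are invisible, his finding that "TCP embryonic count" reflects only the half-open connections the server actually holds, and Binh's advice to baseline "show local-host" output all point at the same monitoring approach. As an added example, not from this thread or from Cisco, the Python below parses constructed output in the format quoted earlier in the thread and raises two signals: a count sitting at the configured emb_limit means TCP intercept is engaged (on the assumption, consistent with FP's result, that intercepted SYNs add nothing to the count), and a count far above the host's observed baseline indicates SYN pressure even where no limit is set. The per-host limits, baselines and thresholds are hypothetical values chosen for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the "show local-host" excerpt quoted earlier in the
# thread; it is not output captured from a real PIX.
SAMPLE_OUTPUT = """\
local host: <10.1.1.15>,
    TCP connection count/limit = 37/unlimited
    TCP embryonic count = 50
local host: <10.1.1.20>,
    TCP connection count/limit = 3/200
    TCP embryonic count = 12
local host: <10.1.1.30>,
    TCP connection count/limit = 0/unlimited
    TCP embryonic count = 0
"""

# Hypothetical per-host settings: the emb_limit each static would carry (0 = unlimited)
# and the embryonic count observed as normal for that host while baselining traffic.
EMB_LIMITS = {"10.1.1.15": 50, "10.1.1.20": 0, "10.1.1.30": 0}
BASELINE = {"10.1.1.15": 5, "10.1.1.20": 2, "10.1.1.30": 0}
BASELINE_FACTOR = 3     # flag when the embryonic count exceeds 3x the baseline ...
MIN_EMBRYONIC = 10      # ... and is at least this high, to ignore noise on quiet hosts

HOST_RE = re.compile(r"local host:\s*<([\d.]+)>")
CONN_RE = re.compile(r"TCP connection count/limit\s*=\s*(\d+)/(\d+|unlimited)")
EMB_RE = re.compile(r"TCP embryonic count\s*=\s*(\d+)")

HostStats = Dict[str, Optional[int]]


def parse_local_hosts(text: str) -> Dict[str, HostStats]:
    """Turn the per-host blocks of show local-host output into a dict keyed by IP."""
    hosts: Dict[str, HostStats] = {}
    current = None
    for line in text.splitlines():
        if m := HOST_RE.search(line):
            current = m.group(1)
            hosts[current] = {"conns": 0, "conn_limit": None, "embryonic": 0}
        elif current is None:
            continue                      # text before the first host block
        elif m := CONN_RE.search(line):
            hosts[current]["conns"] = int(m.group(1))
            hosts[current]["conn_limit"] = None if m.group(2) == "unlimited" else int(m.group(2))
        elif m := EMB_RE.search(line):
            hosts[current]["embryonic"] = int(m.group(1))
    return hosts


def assess(hosts: Dict[str, HostStats], emb_limits: Dict[str, int],
           baseline: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Two signals. (1) With a limit set, intercepted SYNs never become half-open
    connections, so a count sitting at the limit is the condition under which TCP
    intercept is active even though the intercepted SYNs themselves cannot be listed.
    (2) A count well above the host's baseline is raw SYN pressure, limit or not."""
    findings = []
    for ip, st in hosts.items():
        emb = st["embryonic"]
        limit = emb_limits.get(ip, 0)
        if limit and emb >= limit:
            findings.append((ip, "intercept-engaged", emb))
        elif emb >= MIN_EMBRYONIC and emb > BASELINE_FACTOR * baseline.get(ip, 0):
            findings.append((ip, "embryonic-above-baseline", emb))
    return findings


if __name__ == "__main__":
    for ip, signal, count in assess(parse_local_hosts(SAMPLE_OUTPUT), EMB_LIMITS, BASELINE):
        print(f"{ip}: {signal} (TCP embryonic count = {count})")
```

Run periodically against the real command output, the first signal tells you when Flood Defender is actually doing work on a protected server, and the second tells you which unprotected hosts are accumulating half-open connections and may deserve a limit of their own.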