- ASA Threat Detection Feature Overview
- Threat Detection Default Settings
- ASA Threat Detection Configuration
- Scanning Threat Detection Configuration
Scanning Threat Detection Configuration
The scanning threat detection feature is disabled by default because it can affect the performance of the ASA. When enabling it, keep an eye on the load to ensure that services are not affected.
There are a couple of things that can be configured by using scanning threat detection; one of them is to configure the action that the ASA will take if the configured thresholds are exceeded. In these situations, the ASA provides two different options: flag the traffic (via a syslog message) and/or shun the offending host. The specific shun interval is an optional configurable setting.
The process of configuring scanning traffic detection and its parameters is shown in Table 5.
Table 5: ASA Scanning Threat Detection Configuration
1 |
Enter privileged EXEC mode. |
asa>enable |
2 |
Enter global configuration mode. |
asa#configure terminal |
3 |
Enable Scanning Threat Detection. Note: To exclude a number of IP hosts or networks, enter this command multiple times. |
asa(config)#threat-detection scanning-threat [shut [except {ip-address ip_address mask | object-group network_object_group_id}]] |
4 |
Configure the shun duration (optional). The default is 3600 seconds (60 minutes). |
asa(config)#threat-detection scanning-threat shun duration seconds |
5 |
Alter the default scanning threat detection settings (optional). Notes: The rate-interval, average-rate, and burst-rate parameters are entered in seconds. Up to three different rate intervals can be configured for each event type. |
asa(config)#threat-detection rate scanning-threat rate-interval rate_interval average-rate average_rate burst-rate burst_rate |
There are a couple of commands that are very handy to know when using this feature, including these:
- show threat-detection shunThis command displays a list of the current hosts that are shunned.
- show threat-detection scanning-threat [attacker | target]This command displays the hosts that the ASA decided are attackers and/or the hosts that are currently being targeted.
- clear threat-detection shun[ip-address [mask]] – Used to remove specific host entries from the scanning-threat shun list.
Summary
The ability to have a monitored list of the current or potential attackers of a network is very important information for the security engineer/administrator. They can use this information to further refine their methods of security and limit the short- and long-term effects of these attack types (from general or specific attackers).
Cisco chose to configure its default threat detection configurations rather conservatively and have left it up to the on-site engineers/administrators to strengthen the configuration based on the specific threats of their networks.
While it may be a good idea to utilize some of the more advanced (non-default) threat detection options, make sure to test them under loaded conditions before putting them into a production setting to avoid potential performance issues.