Cisco PIX 500 Series Configuration Manual page 443

Chapter 23
Preventing Network Attacks
Allow the URG pointer:

hostname(config-tcp-map)# urgent-flag {allow | clear}

The URG flag is used to indicate that the packet contains information that is of higher priority than other data within the stream. The TCP RFC is vague about the exact interpretation of the URG flag; therefore end systems handle urgent offsets in different ways, which may make the end system vulnerable to attacks. The default behavior is to clear the URG flag and offset. Use this command to allow the URG flag.

Drop a connection that has changed its window size unexpectedly. The default is to allow connections, so use this command to drop them:

hostname(config-tcp-map)# window-variation {allow | drop}

The window size mechanism allows TCP to advertise a large window and to subsequently advertise a much smaller window without having accepted too much data. From the TCP specification, "shrinking the window" is strongly discouraged. When this condition is detected, the connection can be dropped.
Step 3 To identify the traffic to which you want to apply TCP normalization, add a class map using the class-map command. See the "Identifying Traffic Using a Layer 3/4 Class Map" section on page 21-2 for more information.

Step 4 To add or edit a policy map that sets the actions to take with the class map traffic, enter the following command:

hostname(config)# policy-map name

Step 5 To identify the class map from Step 3 to which you want to assign an action, enter the following command:

hostname(config-pmap)# class class_map_name

Step 6 Apply the TCP map to the class map by entering the following command:

hostname(config-pmap-c)# set connection advanced-options tcp-map-name

Step 7 To activate the policy map on one or more interfaces, enter the following command:

hostname(config)# service-policy policymap_name {global | interface interface_name}

Where global applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

For example, to allow urgent flag and urgent offset packets for all traffic sent to the range of TCP ports between the well known FTP data port and the Telnet port, enter the following commands:

hostname(config)# tcp-map tmap
hostname(config-tcp-map)# urgent-flag allow
hostname(config-tcp-map)# class-map urg-class
hostname(config-cmap)# match port tcp range ftp-data telnet
hostname(config-cmap)# policy-map pmap
hostname(config-pmap)# class urg-class
hostname(config-pmap-c)# set connection advanced-options tmap
hostname(config-pmap-c)# service-policy pmap global

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Configuring TCP Normalization
23-13
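As an added example (not code from the Cisco manual), the following Python helper parses a constructed running-config fragment and follows the service-policy -> policy-map -> class -> tcp-map chain from Steps 3 through 7, reporting the effective urgent-flag and window-variation settings per attachment so an auditor can see which interfaces run with the URG flag allowed. The interface name "inside", the tcp-map "strict" and the policy-map "inside-policy" are assumed names; only tmap, urg-class and pmap come from the manual's example.

```python
"""Added audit helper (not Cisco's code): report the tcp-map settings each service-policy applies."""
import re

# Defaults stated in the manual: URG flag cleared, window variation allowed.
TCP_MAP_DEFAULTS = {"urgent-flag": "clear", "window-variation": "allow"}

# Constructed sample config: the manual's example plus a stricter map attached
# to a hypothetical interface named "inside".
SAMPLE_CONFIG = """\
tcp-map tmap
 urgent-flag allow
tcp-map strict
 window-variation drop
class-map urg-class
 match port tcp range ftp-data telnet
policy-map pmap
 class urg-class
  set connection advanced-options tmap
policy-map inside-policy
 class class-default
  set connection advanced-options strict
service-policy pmap global
service-policy inside-policy interface inside
"""

def audit_tcp_normalization(config):
    """One finding per (service-policy attachment, class) that carries a tcp-map."""
    tcp_maps, policy_maps, attachments = {}, {}, []
    block = klass = None  # (section type, name) of the block being parsed
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"tcp-map (\S+)", line):
            block, tcp_maps[m[1]] = ("tcp-map", m[1]), dict(TCP_MAP_DEFAULTS)
        elif m := re.fullmatch(r"policy-map (\S+)", line):
            block, klass, policy_maps[m[1]] = ("policy-map", m[1]), None, {}
        elif m := re.fullmatch(r"service-policy (\S+) (global|interface \S+)", line):
            attachments.append((m[1], m[2]))
        elif block and block[0] == "tcp-map":
            if m := re.fullmatch(r"(urgent-flag|window-variation) (allow|clear|drop)", line):
                tcp_maps[block[1]][m[1]] = m[2]
        elif block and block[0] == "policy-map":
            if m := re.fullmatch(r"class (\S+)", line):
                klass = m[1]
            elif klass and (m := re.fullmatch(r"set connection advanced-options (\S+)", line)):
                policy_maps[block[1]][klass] = m[1]
    findings = []
    for policy, scope in attachments:
        for klass, tmap in policy_maps.get(policy, {}).items():
            settings = tcp_maps.get(tmap, dict.fromkeys(TCP_MAP_DEFAULTS, "undefined"))
            findings.append({"scope": scope, "policy": policy, "class": klass, "tcp_map": tmap, **settings})
    return findings
```

A tcp-map referenced by a policy-map but never defined is reported with both settings as "undefined", which is worth flagging separately from a map that merely keeps the defaults.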