Cisco FirePOWER Appliance 8360
FireSIGHT System User Guide, page 26-12
Chapter 26 Using Transport & Network Layer Preprocessors
Defragmenting IP Packets
the packets incorrectly, thus allowing an exploit to pass through undetected. To mitigate this kind of attack, you can configure the defragmentation preprocessor to use the appropriate method of defragmenting packets for each host on your network. See Target-Based Defragmentation Policies, below, for more information.
Note that you can also use adaptive profiles to dynamically select target-based policies for the IP defragmentation preprocessor, using host operating system information for the target host in a packet. For more information, see .
Target-Based Defragmentation Policies
License: Protection
A host's operating system uses three criteria to decide which packet fragments to favor when reassembling a packet: the order in which the fragments were received, each fragment's offset (its distance, in bytes, from the beginning of the original packet), and where each fragment begins and ends relative to the fragments it overlaps. Although every operating system uses these criteria, different operating systems favor different fragments when the fragments overlap. Two hosts with different operating systems on your network can therefore reassemble the same overlapping fragments into entirely different packets.
An attacker who knows the operating system of one of your hosts could attempt to evade detection and exploit that host by hiding malicious content in overlapping packet fragments. Reassembled one way and inspected, the packet seems innocuous; reassembled by the target host, it contains the exploit. If you configure the IP defragmentation preprocessor to be aware of the operating systems running on your monitored network segment, it reassembles the fragments the same way the target host does, so it can identify the attack.
You can configure the IP defragmentation preprocessor to use one of seven defragmentation policies, depending on the operating system of the target host. The following table lists the seven policies and the operating systems that use each one. The First and Last policy names reflect whether those policies favor the original or the subsequent of two overlapping fragments.
Table 26-2    Target-Based Defragmentation Policies

Policy       Operating Systems
BSD          AIX, FreeBSD, IRIX, VAX/VMS
BSD-right    HP JetDirect
First        Mac OS, HP-UX
Linux        Linux, OpenBSD
Last         Cisco IOS
Solaris      SunOS
Windows      Windows
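The evasion described above and the policy differences listed in Table 26-2, as an added example that is not part of the FireSIGHT guide: a small Python model of per-host fragment reassembly that feeds one set of overlapping fragments through several policies and compares what a sensor and a target host would each see. First and Last are implemented exactly as the guide describes them. The BSD and Linux rules are an assumption modelled on the overlap handling in the 4.4BSD and Linux kernels' reassembly code, not something this page states; BSD-right, Solaris and Windows are left out because the cases that distinguish them are not described here. The fragment sets, the HTTP-like payloads and the /etc/passwd signature are constructed for the illustration, not captured traffic.

```python
"""Simplified model of target-based IP fragment reassembly (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte distance from the start of the original datagram's payload
    data: bytes

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


# Each policy answers one question for a byte covered by two fragments: does the
# fragment received first (the original) keep it, or does the later (subsequent)
# fragment overwrite it?  The decision may use both fragments' offsets.
# First and Last follow the guide's description.  The BSD and Linux rules are an
# assumption modelled on 4.4BSD ip_reass() and Linux ip_frag_queue(): both let an
# original that starts earlier keep the overlap and let the subsequent fragment
# take bytes from an original that starts later; they differ only when the two
# fragments start at the same offset (BSD keeps the original, Linux the new one).
POLICIES = {
    "First": lambda orig_off, new_off: True,
    "Last": lambda orig_off, new_off: False,
    "BSD": lambda orig_off, new_off: orig_off <= new_off,
    "Linux": lambda orig_off, new_off: orig_off < new_off,
}


def reassemble(fragments, policy_name):
    """Rebuild a payload from fragments listed in arrival order.

    Per-byte model: each byte records the offset of the fragment that owns it;
    an arriving fragment claims a byte only if the policy says the existing
    owner loses.  Real kernels trim and drop whole fragments instead, but for
    the inputs below the result is the same.
    """
    favors_original = POLICIES[policy_name]
    owner = {}  # byte position -> (offset of owning fragment, byte value)
    for frag in fragments:
        for i, value in enumerate(frag.data):
            pos = frag.offset + i
            if pos not in owner or not favors_original(owner[pos][0], frag.offset):
                owner[pos] = (frag.offset, value)
    length = max(owner) + 1 if owner else 0
    holes = [pos for pos in range(length) if pos not in owner]
    if holes:  # a real host would keep waiting (then time out), not deliver this
        raise ValueError(f"incomplete datagram, missing bytes at {holes[:4]}")
    return bytes(owner[pos][1] for pos in range(length))


# Constructed fragment sets (not captured traffic).  Each carries a benign request
# and a malicious one in overlapping fragments; IP fragments carry payload in
# 8-byte units, so offsets are multiples of 8.
SAME_OFFSET = [            # malicious copies re-sent at identical offsets
    Fragment(0, b"GET /ind"), Fragment(8, b"ex.html "),
    Fragment(0, b"GET /etc"), Fragment(8, b"/passwd "),
    Fragment(16, b"HTTP/1.0"),
]
STRADDLING = [             # one 16-byte fragment straddling two earlier ones
    Fragment(0, b"GET /ind"), Fragment(8, b"ex.html "),
    Fragment(0, b"GET /etc/passwd "),
    Fragment(16, b"HTTP/1.0"),
]


def reassemble_all(fragments):
    """The same fragments as seen by hosts following each policy."""
    return {name: reassemble(fragments, name) for name in POLICIES}


def evades(fragments, sensor_policy, target_policy, signature=b"/etc/passwd"):
    """True if a sensor using sensor_policy passes traffic that the target,
    using target_policy, reassembles into a payload matching the signature."""
    seen_by_sensor = reassemble(fragments, sensor_policy)
    seen_by_target = reassemble(fragments, target_policy)
    return signature not in seen_by_sensor and signature in seen_by_target


if __name__ == "__main__":
    for label, frags in (("same offset", SAME_OFFSET), ("straddling", STRADDLING)):
        print(label)
        for policy, payload in reassemble_all(frags).items():
            print(f"  {policy:6} -> {payload!r}")
    # A sensor that reassembles like BSD misses the attack on a Linux target.
    print("BSD sensor, Linux target, evaded:", evades(SAME_OFFSET, "BSD", "Linux"))
```

Running the block prints the four reassemblies for each fragment set. For the same-offset set, First and BSD deliver the benign request while Last and Linux deliver the malicious one, so a sensor reassembling with the BSD policy in front of a Linux host reports nothing. The straddling set shows a second failure mode: under BSD the host receives a hybrid ("GET /ind/passwd ") that matches neither the benign request nor the signature, which is why the preprocessor has to follow the target's policy exactly rather than pick the most permissive one.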