Cisco FirePOWER Appliance 8370
FireSIGHT System User Guide
Chapter 26
Using Transport & Network Layer Preprocessors
Cisco provides preprocessors that detect exploits at the network and transport layers. These
preprocessors detect attacks that exploit IP fragmentation, checksum validation, and TCP and UDP
session preprocessing. Before packets are sent to preprocessors, the packet decoder converts packet
headers and payloads into a format that can be easily used by the preprocessors and the rules engine and
detects various anomalous behaviors in packet headers. After packet decoding and before sending
packets to other preprocessors, the inline normalization preprocessor normalizes traffic for inline
deployments.
Verifying Checksums
License: Protection
The system can verify all protocol-level checksums to ensure that complete IP, TCP, UDP, and ICMP
transmissions are received and that, at a basic level, packets have not been tampered with or accidentally
altered in transit. A checksum uses an algorithm to verify the integrity of a protocol in the packet. The
packet is considered to be unchanged if the system computes the same value that is written in the packet
by the end host.
Disabling checksum verification may leave your network susceptible to insertion attacks. Note that the
system does not generate checksum verification events. In an inline deployment, you can configure the
system to drop packets with invalid checksums.
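The following added example (not part of the Cisco guide) shows the check described above: the RFC 1071 Internet checksum applied to an IPv4 header and a TCP segment, and how a sensor that skips verification reassembles a segment that the end host would discard. The addresses, ports, payloads and the simplified in-order reassembly in `sensor_view` are constructed for illustration.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(payload: bytes, corrupt_tcp: bool = False) -> bytes:
    """Constructed IPv4/TCP packet between documentation addresses."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000,
                      5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    csum = internet_checksum(pseudo + tcp)
    if corrupt_tcp:
        csum ^= 0x0001                       # value the end host will reject
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp),
                     1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + tcp

def verify(packet: bytes) -> dict:
    """Recompute both checksums; a valid field makes the sum fold to zero."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    tcp = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, packet[9], len(tcp))
    return {"ip": internet_checksum(packet[:ihl]) == 0,
            "tcp": internet_checksum(pseudo + tcp) == 0}

def sensor_view(packets, verify_checksums: bool) -> bytes:
    """Payload a sensor reassembles (simplified: in arrival order)."""
    out = b""
    for p in packets:
        if verify_checksums and not all(verify(p).values()):
            continue                         # same decision the end host makes
        ihl = (p[0] & 0x0F) * 4
        out += p[ihl + 20:]                  # skip the 20-byte TCP header
    return out

if __name__ == "__main__":
    stream = [build_packet(b"alpha"), build_packet(b"NOISE", corrupt_tcp=True),
              build_packet(b"beta")]
    print("verification on :", sensor_view(stream, True))
    print("verification off:", sensor_view(stream, False))
```

With verification on, the sensor's stream matches what the end host accepts; with it off, the two diverge, which is the condition the guide's warning refers to.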
To configure checksum verifications:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.