FragGuard and Virtual Reassembly is a PIX Security Appliance feature that provides IP fragment protection. Virtual reassembly is the process of gathering a set of IP fragments, verifying their integrity and completeness, and tagging each fragment in the set with the transport header, without combining the fragments into a full IP packet. Virtual reassembly provides the benefits of full reassembly by verifying the integrity of each fragment set and tagging it with the transport header, while minimizing the buffer space that must be reserved for packet reassembly. Full reassembly of packets is expensive in terms of the buffer space that must be reserved for collecting and combining the fragments. Because virtual reassembly does not combine fragments, no buffer preallocation is needed.
FragGuard and Virtual Reassembly perform full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Security Appliance. They use syslog to log any fragment-overlap and small-fragment-offset anomalies, especially those caused by a Teardrop.c attack.
By default, the PIX
Security Appliance accepts up to 24 fragments to reconstruct a full IP packet.
Based on the network security policy, an administrator should consider
configuring the PIX to prevent fragmented packets from traversing the PIX by
entering the fragment chain 1 interface command on each
interface. Setting the limit to 1 means that all packets must be
unfragmented.
Note the following regarding fragment configuration:
- The default values will limit DoS attacks caused by fragment flooding.
- If an interface is not specified, the command applies to all
interfaces.
The fragment command provides management of packet fragmentation and improves the compatibility of the PIX Security Appliance with the Network File System (NFS). NFS is a client-server application that enables a computer user to view and optionally store and update files on a remote computer as though they were on the user's own computer. In general, the default values of the fragment command should be used. However, if a large percentage of the network traffic through the PIX is NFS, additional tuning may be necessary to avoid database overflow.
The fragment size command can be used to set the maximum number of packets in the fragment database. Use the fragment chain command to specify the maximum number of packets into which a packet can be fragmented, and use the fragment timeout command to specify the maximum number of seconds the PIX Security Appliance waits after the first fragment is received before discarding a fragment waiting for reassembly. The example in Figure uses the fragment size and fragment chain commands to disallow all fragments through the PIX.
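To make the bookkeeping concrete, here is an added Python model of the virtual-reassembly checks described above: the size, chain and timeout limits, plus the overlap and small-offset anomaly logging. It is illustrative code written for this page, not Cisco's PIX implementation, and it assumes a 20-byte minimum transport header (HDR) and that the IP identification field alone keys a fragment set.

```python
from dataclasses import dataclass

HDR = 20  # assumed minimum transport header size the first fragment must carry (TCP, no options)

@dataclass
class Fragment:
    ip_id: int    # IP identification field; keys the set (src/dst/proto omitted for brevity)
    offset: int   # byte offset of this fragment within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # the IP "more fragments" flag
    ts: float     # arrival time in seconds

class VirtualReassembler:
    def __init__(self, size: int = 200, chain: int = 24, timeout: float = 5.0):
        self.size, self.chain, self.timeout = size, chain, timeout  # the fragment command options
        self.db: dict[int, list[Fragment]] = {}   # only offsets/lengths are kept, never payloads
        self.started: dict[int, float] = {}       # arrival time of the first fragment of each set
        self.syslog: list[str] = []               # stands in for the syslog messages the PIX emits

    def _expire(self, now: float) -> None:
        for key in [k for k, t in self.started.items() if now - t > self.timeout]:
            self.syslog.append(f"id={key}: reassembly timeout, set discarded")
            del self.db[key], self.started[key]

    def accept(self, f: Fragment) -> bool:
        """Return True if the fragment may pass, False if it is dropped; anomalies are logged."""
        self._expire(f.ts)
        if f.ip_id not in self.db:
            if sum(len(s) for s in self.db.values()) >= self.size:  # database-limit reached
                self.syslog.append(f"id={f.ip_id}: fragment database full, dropped")
                return False
            self.db[f.ip_id], self.started[f.ip_id] = [], f.ts
        frags = self.db[f.ip_id]
        if len(frags) >= self.chain:  # more pieces than the chain limit allows
            self.syslog.append(f"id={f.ip_id}: chain limit {self.chain} exceeded, dropped")
            return False
        if (f.offset == 0 and f.length < HDR) or 0 < f.offset < HDR:  # transport header split
            self.syslog.append(f"id={f.ip_id}: small fragment offset anomaly, dropped")
            return False
        for g in frags:  # overlap: the new byte range intersects one already accepted
            if f.offset < g.offset + g.length and g.offset < f.offset + f.length:
                self.syslog.append(f"id={f.ip_id}: fragment overlap at offset {f.offset}, dropped")
                return False
        frags.append(f)
        s = sorted(frags, key=lambda x: x.offset)  # complete when contiguous from 0 to a last piece
        if s[0].offset == 0 and not s[-1].more and all(
                a.offset + a.length == b.offset for a, b in zip(s, s[1:])):
            del self.db[f.ip_id], self.started[f.ip_id]  # set verified; nothing buffered to free
        return True
```

Setting chain to 1 in this model reproduces the fragment chain 1 behaviour: any set with a second fragment is dropped, so only unfragmented packets pass.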
In an environment
where the maximum transmission unit (MTU) between the NFS server and client is
small, such as a WAN interface, the chain option may
require additional tuning. In this case, NFS over TCP is highly recommended to
improve efficiency.
Setting the database-limit of the size option to a large value can make the PIX Security Appliance more vulnerable to a DoS attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks in the PIX 1550-byte or 16384-byte block memory pool. See the show blocks command for more details.
The show fragment command displays the states of the fragment databases. If the interface name is specified, only the database residing at the specified interface is displayed.
Use the clear fragment
command to reset the fragment databases and defaults. This causes the PIX
Security Appliance to discard all fragments currently waiting for reassembly,
and reset the size, chain, and timeout options to their default values.