As part of studying for the CCNP Security 300-206 (SENSS), I have found interesting topics along the way, and this one caught my attention. So here is a quick high-level overview plus some configuration examples for IP TCP Intercept.
What is TCP Intercept looking to prevent?
This feature looks to prevent denial-of-service attacks by limiting the number of incomplete TCP connections to a host. A web server would be a good example of such a host.
TCP Intercept – Watch Mode
As the name implies, this mode monitors the traffic, but make no mistake, as per Cisco's implementation guide:
“If a connection fails to get established in a configured interval, the software intervenes and terminates the connection attempt”
TCP Intercept – Intercept Mode
Now, the intercept mode is a bit more interesting, and for me to try to explain it in better words than Cisco's documentation could be an atrocity 🙂
“In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with a SYN-ACK, then waits for an acknowledge (ACK) from the client. When the ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When the three-way handshake is complete, the two half connections are joined.”
Now, looking at that explanation, it seems to me that providing this service could add traffic overhead; I will just have to test that assumption.
To the Configuration – How to Configure TCP Intercept
Interestingly enough, there is a warning right at the beginning of the configuration section:
“Do not configure the TCP Intercept feature with either NAT and/or the zone-based firewall or Context-Based Access Control (CBAC) firewall.”
You have been warned.
Begin by creating your access list, which defines the traffic (here, everything destined to the server) that TCP Intercept will watch:
ip access-list extended tcp-intercept
permit ip any host 1.1.1.1
Then move on to create your TCP Intercept configuration:
! Apply TCP Intercept to the traffic matched by the access list
ip tcp intercept list tcp-intercept
! Timers, in seconds
ip tcp intercept connection-timeout 180
ip tcp intercept finrst-timeout 220
ip tcp intercept watch-timeout 200
! Aggressive-mode thresholds: number of incomplete (half-open) connections
ip tcp intercept max-incomplete low 3220
ip tcp intercept max-incomplete high 4550
! Aggressive-mode thresholds: connection requests in the last minute
ip tcp intercept one-minute low 234
ip tcp intercept one-minute high 456
! Which half-open connection to drop while in aggressive mode
ip tcp intercept drop-mode random
Note that the syntax of the commands where you set up low and high values may differ depending on the version you are using; in my case I'm using the following:
Cisco IOS XE Software, Version 03.16.05.S - Extended Support Release
Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S5, RELEASE SOFTWARE (fc2)
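To make the thresholds in that configuration concrete, here is an added Python model (written for this post, not Cisco's code) of how the max-incomplete and one-minute values drive aggressive mode: exceeding either high value turns it on, each new SYN then costs one half-open entry (random or oldest, per drop-mode), and only falling below both low values turns it off. The timers, the SYN-ACK proxying of intercept mode and the resets are left out.

```python
import random
from collections import deque

# Thresholds copied from the configuration above; the model is a constructed
# simplification written for this post, not Cisco's code.
MAX_INCOMPLETE_LOW, MAX_INCOMPLETE_HIGH = 3220, 4550  # half-open connections
ONE_MINUTE_LOW, ONE_MINUTE_HIGH = 234, 456            # SYNs in the last 60 s

class InterceptMonitor:
    """Tracks half-open connections and the aggressive-mode state."""
    def __init__(self, drop_mode="random"):
        self.drop_mode = drop_mode   # "random" (as configured) or "oldest"
        self.half_open = []          # connection ids, oldest first
        self.attempts = deque()      # SYN timestamps within the last minute
        self.aggressive, self.dropped = False, 0
        self.rng = random.Random(0)  # fixed seed so runs are reproducible

    def syn(self, conn_id, now):
        """A new SYN arrived; returns True if aggressive mode is active."""
        self.attempts.append(now)
        self.half_open.append(conn_id)
        while now - self.attempts[0] >= 60:  # keep only the last minute
            self.attempts.popleft()
        rate = len(self.attempts)
        # Exceeding EITHER high value enters aggressive mode; only falling
        # below BOTH low values leaves it again.
        if len(self.half_open) > MAX_INCOMPLETE_HIGH or rate > ONE_MINUTE_HIGH:
            self.aggressive = True
        elif len(self.half_open) < MAX_INCOMPLETE_LOW and rate < ONE_MINUTE_LOW:
            self.aggressive = False
        if self.aggressive:  # each arrival now costs one half-open entry
            idx = self.rng.randrange(len(self.half_open)) if self.drop_mode == "random" else 0
            self.half_open.pop(idx)
            self.dropped += 1
        return self.aggressive

    def ack(self, conn_id):  # handshake completed: no longer half-open
        if conn_id in self.half_open:
            self.half_open.remove(conn_id)

def simulate(n_syns, complete_handshake, drop_mode="random"):
    """Send n_syns SYNs within one second, optionally ACKing each at once."""
    mon = InterceptMonitor(drop_mode)
    for i in range(n_syns):
        mon.syn(i, now=0.0)
        if complete_handshake:
            mon.ack(i)
    return {"aggressive": mon.aggressive, "half_open": len(mon.half_open),
            "dropped": mon.dropped}
```

Note that the one-minute counter includes requests that complete the handshake normally, so a burst of legitimate traffic above the high value (456 here) also enters aggressive mode; size the thresholds to the server's real connection rate.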
My Analysis
From my position it is very difficult to determine how many tools Cisco offers to prevent attacks in a network. But what I'm very sure of is that there are many tools that help companies and enterprises stay protected. TCP Intercept is no exception, but I wonder whether it is something that is widely used by big or small companies.
Reference Link
For more information, and for the official document that I used to go over this topic, feel free to take a look at this link:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_dos_atprvn/configuration/15-mt/sec-data-dos-atprvn-15-mt-book/sec-cfg-tcp-intercpt.html
What to look forward to?
I promised I would document all the things that I keep finding useful, and this is one of them. It may look like it solves a particular issue, but with so many other features in place I'm not sure how this one fits into a corporate or enterprise network. It is definitely interesting to keep as an additional tool and worth taking a look at 🙂
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and hosted IPT service provider infrastructures.