How does the Layer 4 Traffic Monitor block traffic if it is only receiving mirrored traffic?
Environment:
Layer 4 Traffic Monitor - L4TM configured to block suspicious traffic
Solution:
The Cisco Web Security Appliance (WSA) has a built-in Layer 4 Traffic Monitor (L4TM) service that can block suspicious sessions across all network ports (TCP/UDP 0-65535).
To be able to monitor or block these sessions traffic must be redirected to the WSA, either by using a TAP (Test Access Port) device, or by configuring a mirror port on network devices (SPAN ports on Cisco devices). L4TM in-line mode is not supported yet.
Even though traffic is only mirrored (copied) from the original sessions to the appliance, the WSA can still block suspicious traffic by either resting a TCP session or sending ICMP "host unreachable" messages for UDP sessions.
For TCP sessions
When the WSA L4TM receives a packet to or from a server and the traffic matches a Block Action, L4TM will send a TCP RST (reset) datagram to the client or server depending on the scenario. A TCP RST datagram is just a regular packet with the TCP RST flag set to 1.
The receiver of a RST first validates it, then changes state. If the receiver was in the LISTEN state, it ignores it. If the receiver was in SYN-RECEIVED state and had previously been in the LISTEN state, then the receiver returns to the LISTEN state, otherwise the receiver aborts the connection and goes to the CLOSED state. If the receiver was in any other state, it aborts the connection and advises the user and goes to the CLOSED state.
There are two cases to consider (in both cases users/clients are behind a firewall):
For UDP sessions
A similar behavior is performed by WSA when the suspicious traffic is from a UDP session, but instead of sending TCP RST , the L4TM will send ICMP host unreachable messages (ICMP type 3 code 1) to either the client or the server. However , there's not IP spoofing in these cases as the ICMP message states that the host is unreachable so it can not be sending packets. Source IP in this case will be WSA's IP.
These RSTs and ICMP packets are sent from the WSA using the data routing table, via either M1, P1, or P2, depending on the deployment.
Revision | Publish Date | Comments |
---|---|---|
1.0 |
16-Jul-2014 |
Initial Release |