Cisco Firewalls > Additional Protection Mechanisms > Filtering on the TTL Value

Table of Contents

Download Safari Books Online apps: Apple iOS | Android

Entire Site

Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Search

Table of Contents

About the Author

About the Technical Reviewers

Acknowledgments

Icons Used in This Book

Command Syntax Conventions

Foreword

Introduction

Ch. 1. Firewalls and Network Security

Ch. 2. Cisco Firewall Families Overview

Ch. 3. Configuration Fundamentals

Ch. 4. Learn the Tools. Know the Firewall

Ch. 5. Firewalls in the Network Topology

Ch. 6. Virtualization in the Firewall World

Ch. 7. Through ASA Without NAT

Ch. 8. Through ASA Using NAT

Ch. 9. Classic IOS Firewall Overview

Ch. 10. IOS Zone Policy Firewall Overview

Ch. 11. Additional Protection Mechanisms

Antispoofing

TCP Flags Filtering

Filtering on the TTL Value

Handling IP Options

Dealing with IP Fragmentation

Flexible Packet Matching

Time-Based ACLs

Connection Limits on ASA

TCP Normalization on ASA

Threat Detection on ASA

Summary

Filtering on the TTL Value

IP extended ACLs (named and numbered) can be employed to filter based upon the TTL value of packets. Although any Time-To-Live (TTL) value in the range 0 to 255 might be filtered, special handling is necessary when the TTL field assumes a value of 0 or 1.

Packets whose TTL value is 0 or 1 are sent to the process level because, according to basic IP definitions, they will never leave the device. The process level must check if a given packet is destined for the device itself and whether an ICMP TTL Expire message needs to be sent back.

You are currently reading a PREVIEW of this book.

Get instant access to over
$1 million worth of books and videos.

Start a Free Trial

Download Safari Books Online apps: Apple iOS | Android

This Book

Search

Contents

Chapter 11. Additional Protection Mechanisms > Filtering on the TTL Value

Filtering on the TTL Value