Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
By Jazib Frahim, CCIE No. 5459, and Omar Santos
Publisher: Cisco Press Pub Date: October 21, 2005 ISBN: 1-58705-209-1
Pages: 840
The definitive insider's guide to planning, installing, configuring, and maintaining the new Cisco Adaptive Security Appliance
Delivers expert guidance from Cisco TAC engineers for securing small and medium business networks with the newly released Cisco all-in-one network security solution
Covers the latest PIX Version 7 OS
Incorporates detailed configuration examples with screenshots and command-line references
Covers unified firewall, IPS, and VPN management
Achieving maximum network security has been a challenge for many organizations, especially those that cannot afford to purchase, master, and maintain a separate security device such as a PIX or IPS system for each and every security need. To better meet the needs of these customers, Cisco Systems recently launched an all-in-one security solution called ASA that aims to offer a more affordable and simplified security solution. Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance introduces this new suite of converged security appliances and provides a complete configuration and troubleshooting guide from the Technical Assistance Center (TAC) experts at Cisco Systems. This book brings together expert guidance for virtually every challenge the reader will face, from building basic network security policies to advanced VPN and IPS implementations. This book has five parts, which contain three technology-based sections: Firewall, IPS, and VPN. Each section is comprised of many sample configurations, accompanied by in-depth analysis of design scenarios. Your learning is further enhanced by a discussion of a set of debugs included in each section. Ground-breaking features like WebVPN, virtual and Layer-2 firewalls are discussed extensively.
Defining an Authentication Server
Configuring Authentication of Administrative Sessions
Authenticating Firewall Sessions (Cut-Through Proxy Feature)
Configuring Authorization
Computer Telephony Interface Quick Buffer Encoding Inspection
Domain Name System
Summary
Part III: Intrusion Prevention System (IPS) Solution
Chapter 13 Intrusion Prevention System Integration
Adaptive Inspection Prevention Security Services Module (AIP-SSM) Overview
Directing Traffic to the AIP-SSM
Summary
Part V: Adaptive Security Device Manager
Chapter 18 Introduction to ASDM
Case Study 3: Data Center Security with Cisco ASA
Summary
Index
should not be regarded as affecting the validity of any trademark or service
Warning and Disclaimer
This book is designed to provide information about Cisco ASA. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
Corporate and Government Sales
Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales.
Readers' feedback is a natural continuation of this process. If you have any
Copyright © 2003 Cisco Systems, Inc. All rights reserved. CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, iQ Net Readiness Scorecard, Networking Academy, and ScriptShare are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, The Fastest Way to Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, iQ Expertise, the iQ logo, LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, TransPath, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R)
Printed in the USA
Dedications
I would like to dedicate this book to my parents, Frahim and Perveen, who support and encourage me on all of my endeavors. I would also like to dedicate it to my siblings, including my brother Shazib and my sisters Erum and Sana, my sister-in-law Asiya, and my cute nephew Shayan for their patience and understanding during the development of this book.
Jazib Frahim
I would like to dedicate this book to my lovely wife Jeannette, who has always stood by me and supported me throughout the development of this book. I also dedicate this book to my two beautiful children, Hannah and Derek.
Omar Santos
Jazib Frahim, CCIE No. 5459, has been with Cisco Systems for more than 6 years. Having a bachelor's degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers as a team leader in resolving complicated security and VPN technologies. He is currently working as a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus in network security. He holds two CCIEs, one in Routing and Switching and the other in Security. He has written numerous Cisco online technical documents and has been an active member on Cisco's online forum, NetPro. He has presented at Networkers on multiple occasions and has taught many onsite and online courses to Cisco customers, partners, and employees. He is also pursuing a master of business administration (MBA) degree from North Carolina State University.
Omar Santos is a Senior Network Security Engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He has more than 12 years of experience in secure data communications. Omar has designed, implemented, and supported numerous secure networks for Fortune 500 companies and the U.S. government, including the United States Marine Corps (USMC) and Department of Defense (DoD). He is also the author of many Cisco online technical documents and configuration guidelines. Prior to his current role, he was a technical leader of Cisco's Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within the organization. He is an active member of the InfraGard organization. InfraGard is a cooperative undertaking between the Federal Bureau of Investigation and an association of businesses, academic institutions, state and local law enforcement agencies, and other participants that is dedicated to increasing the security of the critical infrastructures of the United States of America. Omar has also delivered numerous technical presentations to Cisco customers, partners, and other organizations.
David White, Jr., CCIE No. 12021, has more than 9 years of networking experience with a focus in network security. He is currently a Technical Leader in the Cisco TAC, where he has been for over 5 years. In his role at Cisco, he is involved in new product design and implementation and is an active participant in producing Cisco documentation, both online and in print. David holds a CCIE in Security, and is also NSA IAM certified. Prior to joining Cisco, David worked for the U.S. government, where he helped secure its worldwide communications network. He was born and raised in St. Petersburg, Florida and received his bachelor's degree in computer engineering from the Georgia Institute of
He graduated from St. Petersburg State Technical University in 1997. Andrew's networking experience started around 1992, when he commenced work for a systems integration company in St. Petersburg. In parallel with the job, which varied from fiber cable installations to custom Perl programming, he obtained Novell CNE certification for NetWare 4.1. He became a CCIE in Routing and Switching in 1999 and in Security in 2002.
Wen Zhang, CCIE No. 4302, is a senior engineer in the Cisco TAC Escalation Team, with a focus in network security and VPN technologies. In this role, he is responsible for handling difficult and complex escalation issues, working on critical software defects, and participating in the new product design and implementation process. He earned his B.S. and M.S. degrees in electrical engineering from Clemson University.
We would like to thank the technical editors (David White, Andrew Yourtchenko, and Wen Zhang) for their time and technical expertise. They verified our work and corrected us in all the major and minor mistakes that were hard to find.
Special thanks go to Jay Biersbach and James Cline for reviewing the manuscript and making this a better-looking book.
We would like to thank the Cisco Press team, especially Brett Bartow, Sheri Cain, Dayna Isley, Michelle Grandin and Marc Fowler for their patience, guidance, and consideration. Their efforts are greatly appreciated.
Many thanks to our managers, William Beach and Joe Dallatore, for their continuous support. They highly encouraged us throughout this project.
Kudos to the Cisco ASA product development team for delivering such a great product. Their support is also greatly appreciated during the development of this book.
Network security is at a critical juncture where no single technology can solve the problem in silos. Hundreds of millions of dollars are being spent in reactively solving the virus, worms, malware problem and the rapid propagation of these vile threats. Recognizing this, Cisco has modeled the Self-Defending Network (SDN) similar to the way our bodies protect us and deal with diseases.
The SDN has several protective and integrated layers: VPNs, firewalls, intrusion prevention, and anomaly mitigation. When combined with advanced
thoughtful security practices and designs for Cisco. I have found this book really highlights the practical aspects needed for building real-world security. It offers the insider's guidance needed to plan, implement, configure, and troubleshoot the Cisco ASA in customer environments and demonstrates the potential and power of SDNs. I hope you enjoy the insights of this book as much as I and come to appreciate the ground-breaking security pioneered by Cisco over the past few years.
Senior Vice President, Security Technology Group
October 2005
Network security has always been a challenge for many organizations that cannot deploy separate devices to provide firewall, intrusion prevention, and virtual private network (VPN) services. Cisco ASA is a high-performance, multifunction security appliance that offers firewall, IPS, network anti-virus, and VPN services. Cisco ASA delivers these features through improved network integration, resiliency, and scalability.
This book is an insider's guide to planning, implementing, configuring, and troubleshooting Cisco ASA. It delivers expert guidance from senior Cisco network security consulting engineers. It demonstrates how adaptive identification and mitigation services on Cisco ASA provide a sophisticated network security solution to small, medium, and large organizations. This book brings together expert guidance for virtually every challenge you will face, from building basic network security policies to advanced VPN and IPS implementations.
This book serves as a guide for any network professional who manages network security or installs and configures firewalls, VPN devices, or intrusion detection/prevention systems. It encompasses topics from an introductory level to advanced topics on security and VPNs. The requirements of the reader include a basic knowledge of TCP/IP and networking.
This book has five parts, which provide a Cisco ASA product overview and then focus on firewalls, intrusion prevention, VPNs, and Adaptive Security Device Manager (ASDM). Each part comprises many sample configurations, accompanied by in-depth analyses of design scenarios. Your learning is further enhanced by a discussion of a set of debugs included in each technology. Ground-breaking features, such as WebVPN and virtual and Layer 2 firewalls, are discussed extensively.
Part I, "Product Overview," includes the following chapters:
- Chapter 1, "Introduction to Network Security": This chapter provides an overview of different technologies that are supported by Cisco ASA and widely used by today's network security professionals.
- Chapter 2, "Product History": Historically, Cisco PIX security appliances, the Cisco IOS Advanced Security Feature Set, and the security services modules for Cisco Catalyst 6500 Series Switches have provided integrated security solutions to small and large organizations. As described in this chapter, Cisco ASA incorporates features from each of these products, integrating comprehensive
Part II, "Firewall Solution," includes the following chapters:
- Chapter 4, "Initial Setup and System Maintenance": A comprehensive list of initial setup tasks and system maintenance
- Chapter 5, "Network Access Control": Cisco ASA can protect one or more networks from intruders. Connections between these networks can be carefully controlled by advanced firewall capabilities, enabling you to ensure that all traffic from and to the protected networks passes only through the firewall based on the organization's security policy. This chapter shows you how to implement your organization's security policy using the features that Cisco ASA provides.
- Chapter 6, "IP Routing": This chapter covers the different routing capabilities of Cisco ASA.
- Chapter 7, "Authentication, Authorization, and Accounting (AAA)": Cisco ASA supports a wide range of AAA features. This chapter provides guidelines on how to configure AAA services by defining a list of authentication methods applied to various
to configure and troubleshoot each of these security contexts.
- Chapter 10, "Transparent Firewalls": This chapter introduces the transparent (Layer 2) firewall model within Cisco ASA. It explains how users can configure Cisco ASA in transparent single mode and multiple mode while accommodating their security needs.
- Chapter 11, "Failover and Redundancy": This chapter discusses
- Chapter 12, "Quality of Service": QoS is a network feature that lets you give priority to certain types of traffic. This chapter covers how to configure and troubleshoot QoS in Cisco ASA.
Part III, "Intrusion Prevention System (IPS) Solution," includes the following chapters:
- Chapter 13, "Intrusion Prevention System Integration": Intrusion detection and prevention systems provide a level of protection beyond the firewall by securing the network against internal and external attacks and threats. This chapter describes the integration of Intrusion Prevention System (IPS) features within Cisco ASA.
- Chapter 14, "Configuring and Troubleshooting Cisco IPS Software via the CLI": This chapter provides expert guidance on how to configure the AIP-SSM IPS software via its command-line interface (CLI). Troubleshooting scenarios are also included to enhance learning.
Part IV, "Virtual Private Network (VPN) Solution," includes the following chapters:
- Chapter 15, "Site-to-Site IPSec VPNs": Cisco ASA supports IPSec VPN features that allow you to connect networks in different geographic locations. This chapter provides configuration and troubleshooting guidelines to successfully deploy site-to-site IPSec VPNs.
- Chapter 16, "Remote Access VPNs": This chapter discusses many different remote-access VPN solutions that are supported on Cisco ASA. A large number of sample configurations and troubleshooting
- Chapter 17, "Public Key Infrastructure (PKI)": This chapter starts by introducing PKI concepts. It then covers the configuration and troubleshooting of PKI in Cisco ASA.
- Chapter 20, "IPS Management Using ASDM": This chapter shows you how to configure and manage IPS features using ASDM.
- Chapter 21, "VPN Management Using ASDM": The configuration and management of remote-access and site-to-site VPNs using ASDM are covered in this chapter.
- Chapter 22, "Case Studies": In this chapter, you gain greater insight into how the implementation of Cisco ASA advanced features can benefit your organization. Several sample configurations and deployment scenarios are covered in detail.
Chapter 1 Introduction to Network Security
Chapter 2 Product History
Chapter 3 Hardware Overview
Security threats vary from distributed denial-of-service (DDoS) attacks to viruses, worms, Trojan horses, and theft of information. These threats can easily destroy or corrupt vital data, requiring difficult and expensive remediation tasks to restore business continuity.
This chapter introduces the essentials of network security technologies and provides the necessary foundation for technologies involved in the Cisco Adaptive Security Appliance's security features and solutions.
A detailed understanding of how firewalls and their related technologies work is extremely important for all network security professionals. This knowledge will help them to configure and manage the security of their networks accurately and effectively. The word firewall commonly describes systems or devices that are placed between a trusted and an untrusted network.
Several network firewall solutions offer user and application policy enforcement that provides multivector attack protection for different types of security threats. They often provide logging capabilities that allow the security administrators to identify, investigate, validate, and mitigate such threats.
Additionally, several software applications can run on a system to protect only that host. These types of applications are known as personal firewalls. This section includes an overview of network and personal firewalls and their related technologies.
Network Firewalls
It is important to recognize the value of perimeter security in today's networking world. Network-based firewalls provide key features used for perimeter security. The primary task of a network firewall is to deny or permit traffic that attempts to enter the network based on explicit preconfigured policies and rules. The processes that are used to allow or block traffic may include the following:
- Simple packet-filtering techniques
- Multifaceted application proxies
- Stateful inspection systems
Packet-Filtering Techniques
The purpose of packet filters is simply to control access to specific network segments by defining which traffic can pass through them. They usually inspect incoming traffic at the transport layer of the Open System Interconnection (OSI) model. For example, packet filters can analyze TCP or UDP packets and judge them against a set of predetermined rules called access control lists (ACLs). They inspect the following elements within a packet:
RealAudio, QuickTime, and other streaming audio and video applications. Packet filters do not understand the underlying upper-layer protocols used by this type of application, and providing support for this type of application is difficult because the ACLs need to be manually configured in packet-filtering firewalls.
Application Proxies
Application proxies, or proxy servers, are devices that operate as intermediary agents on behalf of clients that are on a private or protected network. Clients on the protected network send connection requests to the application proxy in order to transfer data to the unprotected network or the Internet. Consequently, the application proxy sends the request on behalf of the internal client. The majority of proxy firewalls work at the application layer of the OSI model. Few proxy firewalls have the ability to cache information to accelerate their transactions. This is a great tool for networks that have numerous servers that experience considerably high usage. A disadvantage of application proxies is their inability to scale. This makes them difficult to deploy in large environments.
Network Address Translation
Several Layer 3 devices can provide Network Address Translation (NAT) services. The application proxy translates the internal hosts' IP addresses to a publicly routable address. NAT is often used by firewalls; however, other devices such as wireless access points provide support for NAT. By using NAT, the firewall exposes its own network address or public address range to an unprotected network. This enables a network professional to use any IP address space as the internal network. A best practice is to use the address spaces that are reserved for private use (see RFC 1918, "Address Allocation for Private Internets"). Table 1-1 lists the private address ranges specified in RFC 1918.

Table 1-1 RFC 1918 Private Address Ranges

Network Address Range              Network/Mask
10.0.0.0 to 10.255.255.255         10.0.0.0/8
172.16.0.0 to 172.31.255.255       172.16.0.0/12
192.168.0.0 to 192.168.255.255     192.168.0.0/16
It is important to think about the different private address spaces when you plan your network (for example, the number of hosts and subnets that can be configured). Careful planning and preparation will lead to substantial time savings if changes are encountered down the road.
Port Address Translation
Normally, application proxies perform a technique called Port Address Translation (PAT). This feature allows many devices on the internal protected network to share one IP address by inspecting the Layer 4 information on the packet. This address is usually the firewall's public address. Figure 1-1 shows how PAT works.
Figure 1-1 PAT Example
translating the 10.10.10.x addresses into its own address (209.165.200.228). In this example, Host A sends a TCP port 80 packet to the web server located in the "outside" unprotected network. The application proxy translates the request from the original 10.10.10.8 IP address of Host A to its own address. It does this by randomly selecting a different Layer 4 source port when forwarding the request to the web server.
Static Translation
A different methodology is used when hosts in the unprotected network need to contact specific hosts behind the NAT device. This is done by creating a static mapping of the public IP address and the address of the internal protected device. For example, static NAT can be configured when a web server has a private IP address but needs to be contacted by hosts located in the unprotected network or the Internet. Figure 1-2 demonstrates how static translation works.
In Figure 1-2, the web server address (10.10.10.230) is statically translated to an address in the outside network (209.165.200.240, in this case). This allows the outside host to initiate a connection to the web server by directing the traffic to 209.165.200.240. The device performing NAT then translates and sends the request to the web server on the inside network.
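The two translations just described, worked as an added example that is not code from the book: a small NAT model that applies the static mapping from Figure 1-2 (10.10.10.230 to 209.165.200.240) to the listed host and PAT behind the firewall's own address from Figure 1-1 (209.165.200.228) to every other inside host. The inside port numbers are constructed, and keying the PAT table only on the inside host's address and port is a simplification of a real translation slot.

```python
import random
from typing import Dict, Optional, Tuple

# Constructed from Figures 1-1 and 1-2: the firewall's own public address used for PAT and
# the static one-to-one mapping that exposes the inside web server.
PAT_ADDRESS = "209.165.200.228"
STATIC_MAP = {"10.10.10.230": "209.165.200.240"}   # inside IP -> public IP


class NatDevice:
    """Static NAT for listed hosts; PAT (one shared public address) for everything else."""

    def __init__(self, pat_address: str, static_map: Dict[str, str],
                 rng: Optional[random.Random] = None):
        self.pat_address = pat_address
        self.inside_to_public = dict(static_map)
        self.public_to_inside = {pub: ins for ins, pub in static_map.items()}
        # PAT state keyed on the inside host's Layer 4 source port (simplified: a real
        # translation slot would also record the destination address and port).
        self.pat_table: Dict[Tuple[str, int], int] = {}    # (inside_ip, inside_port) -> PAT port
        self.pat_reverse: Dict[int, Tuple[str, int]] = {}  # PAT port -> (inside_ip, inside_port)
        self.rng = rng or random.Random()

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite an inside -> outside packet's source; returns what the outside will see."""
        if src_ip in self.inside_to_public:
            return self.inside_to_public[src_ip], src_port  # static NAT keeps the port
        key = (src_ip, src_port)
        if key not in self.pat_table:
            port = self.rng.randrange(1024, 65536)          # random, not yet used, high port
            while port in self.pat_reverse:
                port = self.rng.randrange(1024, 65536)
            self.pat_table[key] = port
            self.pat_reverse[port] = key
        return self.pat_address, self.pat_table[key]

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Rewrite an outside -> inside packet's destination; None means no slot (dropped)."""
        if dst_ip in self.public_to_inside:
            return self.public_to_inside[dst_ip], dst_port   # statically exposed server
        if dst_ip == self.pat_address and dst_port in self.pat_reverse:
            return self.pat_reverse[dst_port]                # reply to an existing PAT session
        return None


def demo():
    nat = NatDevice(PAT_ADDRESS, STATIC_MAP, random.Random(7))   # seeded for repeatability
    # Figure 1-1: Host A and a second inside host both reach a web server from source port 1025.
    host_a = nat.outbound("10.10.10.8", 1025)
    host_b = nat.outbound("10.10.10.9", 1025)       # same inside port, must get its own PAT port
    reply_to_a = nat.inbound(host_a[0], host_a[1])  # the web server's answer returns to Host A
    # Figure 1-2: an outside host opens a connection to the web server's static public address.
    to_web = nat.inbound("209.165.200.240", 80)
    unsolicited = nat.inbound(PAT_ADDRESS, 80)      # no translation slot -> dropped
    return host_a, host_b, reply_to_a, to_web, unsolicited


if __name__ == "__main__":
    print(demo())
```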
Address translation is not limited to firewalls. Nowadays, devices from simple small office, home office (SOHO) routers to very sophisticated stateful inspection firewalls are able to perform different types of NAT techniques.
Stateful Inspection Firewalls
Stateful inspection firewalls provide enhanced benefits when compared to the simple packet-filtering firewalls. They track every connection passing through their interfaces by assuring that they are valid connections. They examine not only the packet header contents, but also the application layer information within
of the connection and maintains a database with this information. This database is usually called the state table. The state of the connection details whether such a connection has been established, closed, reset, or is being negotiated. These mechanisms offer protection for different types of network attacks.
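An added example, not code from the book, that models both the packet-filtering ACLs described earlier and the state table described here: an ACL evaluated the way a packet filter does (first match wins, implicit deny) decides which new connections may open, and a state table follows each TCP flow from SYN through SYN-ACK to FIN so that only replies to tracked connections get back in. The inside network 10.10.10.0/24 and Host A (10.10.10.8) come from Figure 1-1; the outside addresses, the port numbers and the simplified state machine are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed packet model: the Layer 3/4 fields a packet filter inspects, plus TCP flags.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()   # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str = "out"           # "out": inside -> outside, "in": outside -> inside


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # CIDR prefix or "any"
    dst: str                        # CIDR prefix or "any"
    dst_port: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        def in_net(ip: str, net: str) -> bool:
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
        return (in_net(pkt.src_ip, self.src) and in_net(pkt.dst_ip, self.dst)
                and (self.dst_port is None or pkt.dst_port == self.dst_port))


def acl_permits(acl: List[Rule], pkt: Packet) -> bool:
    """Plain packet filtering: the first matching ACL entry wins, implicit deny at the end."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action == "permit"
    return False


class StatefulFirewall:
    """ACL for new connections plus a state table keyed by the initiator's 4-tuple."""

    def __init__(self, acl_out: List[Rule], acl_in: List[Rule]):
        self.acl = {"out": acl_out, "in": acl_in}
        self.state_table: Dict[Tuple[str, int, str, int], str] = {}

    def _lookup(self, pkt: Packet):
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.state_table:
            return fwd, "initiator"
        if rev in self.state_table:
            return rev, "responder"
        return None, None

    def process(self, pkt: Packet) -> str:
        key, sender = self._lookup(pkt)
        if key is None:
            # Untracked: only a bare SYN that the ACL for its direction permits may open a flow.
            if pkt.flags != {"SYN"} or not acl_permits(self.acl[pkt.direction], pkt):
                return "deny"
            self.state_table[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = "SYN_SENT"
            return "permit"
        state = self.state_table[key]
        if "RST" in pkt.flags:
            del self.state_table[key]                       # abort: forget the connection
        elif state == "SYN_SENT":
            if sender == "responder" and pkt.flags == {"SYN", "ACK"}:
                self.state_table[key] = "ESTABLISHED"       # handshake reply seen
            elif not (sender == "initiator" and pkt.flags == {"SYN"}):
                return "deny"                               # anything but a SYN retransmit
        elif "FIN" in pkt.flags:
            if state == "ESTABLISHED":
                self.state_table[key] = "CLOSING_" + sender  # first FIN
            elif state != "CLOSING_" + sender:
                del self.state_table[key]                   # second FIN, from the other side
        return "permit"


def demo():
    """Host A opens a web connection; unsolicited and off-policy packets are refused."""
    inside = "10.10.10.0/24"
    fw = StatefulFirewall(acl_out=[Rule("permit", inside, "any", 80), Rule("permit", inside, "any", 443)],
                          acl_in=[])                        # nothing may be initiated from outside
    web = "209.165.201.5"                                   # constructed outside web server
    syn = Packet("10.10.10.8", 34567, web, 80, frozenset({"SYN"}), "out")
    synack = Packet(web, 80, "10.10.10.8", 34567, frozenset({"SYN", "ACK"}), "in")
    ack = Packet("10.10.10.8", 34567, web, 80, frozenset({"ACK"}), "out")
    # A stateless filter needs a broad "permit tcp any eq 80 any" entry for replies, and that
    # entry would also pass these two unsolicited packets. The state table rejects both.
    rogue = Packet("209.165.201.9", 80, "10.10.10.8", 34567, frozenset({"SYN"}), "in")
    spoof = Packet(web, 80, "10.10.10.8", 40000, frozenset({"ACK"}), "in")
    telnet = Packet("10.10.10.8", 34568, web, 23, frozenset({"SYN"}), "out")  # not in the policy
    verdicts = [fw.process(p) for p in (syn, synack, ack, rogue, spoof, telnet)]
    return verdicts, dict(fw.state_table)


if __name__ == "__main__":
    print(demo())
```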
Numerous firewalls have the capability to configure a network (or zone) where you can place devices to allow outside or Internet hosts to access them. These areas or network segments are usually called demilitarized zones (DMZs). These zones provide security to the systems that reside within them, but with a
by hosts on the Internet.
Personal Firewalls
Personal firewalls use similar methods as network-based firewalls. They provide filtering techniques and stateful inspection of connections directed to the specific host. Conversely, they abridge the operation of the application to meet the needs of a less technically inclined consumer. Personal firewall applications can restrict access to services and applications installed within a single host. This is commonly deployed to telecommuters and remote mobile users. Several personal firewalls generally protect the host from inbound connections and attacks; however, they allow all outbound connections.
There are many differences between personal firewalls and network-based firewalls. One of the major differences is the deployment model and the security services each of them provides.
Technologies
In the security world, intrusion detection systems (IDSs) are devices that detect attempts from an attacker to gain unauthorized access to a network or a host, to create performance degradation, or to steal information. They also detect DDoS attacks, worms, and virus outbreaks. The number and complexity of security threats have skyrocketed over recent years. Achieving efficient network intrusion security is vital to maintaining a high level of protection. Cautious protection ensures business continuity and minimizes the effects of costly interruption of services. Like firewalls, there are two different types of intrusion detection systems:
- Pattern matching and stateful pattern-matching recognition
- Protocol analysis
- Heuristic-based analysis
- Anomaly-based analysis
Pattern matching is a methodology in which the intrusion detection device searches for a fixed sequence of bytes within the packets traversing the network. Generally, the pattern is aligned with a packet that is related to a respective service or, in particular, associated with a source and destination port. This approach reduces the amount of inspection made on every packet. However, it is limited to services and protocols that are associated with well-defined ports. Protocols that do not use any Layer 4 port information will not be categorized.
This tactic uses the concept of signatures. A signature is a set of conditions that point out some type of intrusion occurrence. For example, if a specific TCP packet has a destination port of 1234 and its payload contains the string "ff11ff22," an alert will be triggered to detect such a string.
Alternatively, the signature could include an explicit starting point and endpoint for inspection within the specific packet.
false negatives.
To address some of these limitations, a more refined method was created. This methodology is called stateful pattern-matching recognition. This process dictates that systems performing this type of signature analysis must consider the chronological order of packets in a TCP stream. In particular, they should judge and maintain a stateful inspection of such packets and flows.
restrictions of the simple pattern-matching methodology, which was discussed previously, including an uncertain rate of false positives and a possibility of some false negatives.
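The stateful pattern-matching point above, as an added example that is not the book's code: the signature from the text (destination port 1234, payload containing "ff11ff22") is applied once per packet and once against the TCP stream reassembled in sequence order, so that a pattern split across two segments, delivered out of order, is missed by the first method and caught by the second. The endpoint addresses and segment contents are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """Constructed TCP segment: only the fields the two matchers need."""
    src_ip: str
    dst_ip: str
    dst_port: int
    seq: int          # sequence number of the first payload byte
    payload: bytes


# The signature from the text: destination port 1234 and the string "ff11ff22" in the payload.
SIGNATURE = {"dst_port": 1234, "pattern": b"ff11ff22"}


def stateless_match(segments: List[Segment], sig=SIGNATURE) -> List[int]:
    """Simple pattern matching: every packet is inspected on its own. Returns hit indexes."""
    return [i for i, seg in enumerate(segments)
            if seg.dst_port == sig["dst_port"] and sig["pattern"] in seg.payload]


class StreamMatcher:
    """Stateful pattern matching: keep per-flow segments, reassemble in sequence order, search."""

    def __init__(self, sig=SIGNATURE):
        self.sig = sig
        # flow 3-tuple -> {seq: payload}; unbounded here, a real sensor evicts idle flows
        self.flows: Dict[Tuple[str, str, int], Dict[int, bytes]] = {}

    @staticmethod
    def reassemble(flow: Dict[int, bytes]) -> bytes:
        """Concatenate contiguous segments from the lowest sequence seen; stop at a gap."""
        data = b""
        expected = min(flow)
        for seq in sorted(flow):              # chronological order of the stream, not of arrival
            if seq != expected:
                break                         # missing bytes: do not search across the hole
            data += flow[seq]
            expected = seq + len(flow[seq])
        return data

    def feed(self, seg: Segment) -> bool:
        """Return True once the reassembled flow contains the signature."""
        if seg.dst_port != self.sig["dst_port"]:
            return False
        flow = self.flows.setdefault((seg.src_ip, seg.dst_ip, seg.dst_port), {})
        flow[seg.seq] = seg.payload           # a retransmission simply replaces the same seq
        return self.sig["pattern"] in self.reassemble(flow)


def demo():
    attacker, victim = "209.165.201.9", "10.10.10.230"   # constructed endpoints
    # The pattern is split so neither segment holds it whole, and the second segment
    # arrives before the first (out of order on the wire).
    first = Segment(attacker, victim, 1234, 1000, b"GET ff11")
    second = Segment(attacker, victim, 1234, 1008, b"ff22 HTTP/1.0\r\n")
    arrival_order = [second, first]
    stateless = stateless_match(arrival_order)            # misses: no single packet matches
    matcher = StreamMatcher()
    stateful = [matcher.feed(s) for s in arrival_order]   # fires once the stream is whole
    return stateless, stateful


if __name__ == "__main__":
    print(demo())
```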
Protocol Analysis
Protocol analysis (or protocol decode-based signatures) is often referred to as the extension to stateful pattern recognition. A NIDS accomplishes protocol analysis by decoding all protocol or client-server conversations. The NIDS identifies the elements of the protocol and analyzes them while looking for an infringement. Some intrusion detection systems look at explicit protocol fields within the inspected packets. Others require more sophisticated techniques, such as examination of the length of a field within the protocol or the number of arguments. For example, in SMTP, the device may look at specific commands and fields such as HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT. This technique diminishes the possibility of encountering false positives if the protocol being analyzed is properly defined and enforced. On the other hand, the system can alert numerous false positives if the protocol definition is ambiguous or tolerates flexibility in its implementation.
Heuristic-Based Analysis
A different approach to network intrusion detection is to perform heuristic-based analysis. Heuristic scanning uses algorithmic logic from statistical analysis of the traffic passing through the network. Its tasks are CPU and resource intensive.
This is an important consideration while planning your deployment. Heuristic-
minimize the possibility of false positives. For example, a system signature can generate an alarm if a range of ports is scanned on a particular host or network. The signature can also be orchestrated to restrict itself from specific types of packets (for example, TCP SYN packets). Heuristic-based signatures call for more tuning and modification to better respond to their distinctive network
classified as heuristic-based systems.
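The port-scan signature just described, as an added example that is not code from the book: a heuristic that counts the distinct destination ports one source probes on one host inside a sliding time window, restricted to bare TCP SYN packets. The traffic, the threshold of 10 ports and the 5-second window are constructed assumptions; the slow scanner in the sample shows the tuning trade-off the text mentions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed packet summary, as a sensor would log it: (seconds, src_ip, dst_ip, dst_port, flags)
PacketSummary = Tuple[float, str, str, int, str]


class PortScanHeuristic:
    """Alarm when one source sends bare SYNs to `threshold` distinct ports on one host within `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold = threshold
        self.window = window
        self.probes: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
        self.alarmed: Set[Tuple[str, str]] = set()    # one alarm per (src, dst) pair

    def observe(self, pkt: PacketSummary) -> Optional[str]:
        t, src, dst, dport, flags = pkt
        if flags != "S":                              # restrict the signature to TCP SYN only
            return None
        q = self.probes[(src, dst)]
        q.append((t, dport))
        while q and t - q[0][0] > self.window:        # drop probes that fell out of the window
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= self.threshold and (src, dst) not in self.alarmed:
            self.alarmed.add((src, dst))
            return f"port scan: {src} -> {dst}, {len(distinct)} ports within {self.window}s"
        return None


def constructed_traffic() -> List[PacketSummary]:
    web = "10.10.10.230"
    traffic: List[PacketSummary] = []
    # Normal client: repeated connections to ports 80 and 443 only.
    for i in range(20):
        traffic.append((i * 0.5, "10.10.10.8", web, 80 if i % 2 else 443, "S"))
    # Fast scanner: 12 ports in under two seconds, plus SYN-ACK replies that must not count.
    for p in range(1, 13):
        traffic.append((3.0 + p * 0.15, "209.165.201.9", web, p, "S"))
        traffic.append((3.0 + p * 0.16, web, "209.165.201.9", p, "SA"))
    # Slow scanner: one port every 6 s stays under a 5 s window (a known blind spot of the tuning).
    for p in range(1, 6):
        traffic.append((20.0 + p * 6.0, "209.165.201.7", web, p, "S"))
    return sorted(traffic)


def demo() -> List[str]:
    detector = PortScanHeuristic(threshold=10, window=5.0)
    return [alarm for alarm in (detector.observe(p) for p in constructed_traffic()) if alarm]


if __name__ == "__main__":
    print(demo())
```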
However, sometimes it is challenging to classify a specific behavior as normal or abnormal based on different factors. These factors include negotiated protocols and ports, specific application changes, and changes in the architecture of the network.
A variation of this type of analysis is profile-based detection. This allows systems to orchestrate their alarms on alterations in the way that other systems or end users interrelate on the network.
Another kind of anomaly-based detection is protocol-based detection. This scheme is related to, but not to be confused with, the protocol-decode method. The protocol-based detection technique depends on well-defined protocols, because it detects as an anomaly any unpredicted value or configuration within a field in the respective protocol.
Devices doing protocol decoding can look at information within the packets that will look similar to a possible buffer-overflow pattern.
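An added example of protocol analysis on the SMTP commands named earlier, not code from the book: it decodes the client side of a session, checks each command's argument count and field length, and reports unknown commands and over-long fields of the kind the text associates with buffer-overflow patterns. The session is constructed, the 256-octet path limit is taken from RFC 5321, and the `strict` switch shows the ambiguity the text warns about, since "MAIL FROM: <addr>" with a space after the colon is common in practice but is not RFC syntax.

```python
from typing import List, Optional, Tuple

# The SMTP commands the text names, with the argument counts a decoder expects
# (None = no upper bound, since MAIL and RCPT may carry ESMTP parameters).
SMTP_COMMANDS = {
    "HELO": (1, 1), "MAIL": (1, None), "RCPT": (1, None),
    "DATA": (0, 0), "RSET": (0, 0), "NOOP": (0, None), "QUIT": (0, 0),
}
MAX_PATH_LEN = 256   # RFC 5321 limit for a reverse-path or forward-path, in octets


def analyze_smtp_client(lines: List[bytes], strict: bool = False) -> List[Tuple[int, str]]:
    """Decode client command lines; return (line number, reason) for every protocol infringement."""
    alerts: List[Tuple[int, str]] = []
    in_data = False                              # after DATA, lines are message body until "."
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip(b"\r\n")
        if in_data:
            in_data = line != b"."
            continue
        if not raw.endswith(b"\r\n"):
            alerts.append((n, "command line not terminated by CRLF"))
        parts = line.split()
        if not parts:
            alerts.append((n, "empty command line"))
            continue
        cmd = parts[0].upper().decode("ascii", "replace")
        args = parts[1:]
        if cmd not in SMTP_COMMANDS:
            alerts.append((n, f"unknown command {cmd!r}"))
            continue
        # "MAIL FROM: <addr>" with a space is tolerated by most servers but is not RFC syntax.
        # A strict decoder flags it; a tolerant one joins the tokens. This is the ambiguity
        # that turns into false positives.
        if cmd in ("MAIL", "RCPT") and len(args) >= 2 and args[0].upper() in (b"FROM:", b"TO:"):
            if strict:
                alerts.append((n, f"{cmd}: space after colon is not RFC 5321 syntax"))
            args = [args[0] + args[1]] + args[2:]
        lo, hi = SMTP_COMMANDS[cmd]
        if len(args) < lo or (hi is not None and len(args) > hi):
            upper = "n" if hi is None else str(hi)
            alerts.append((n, f"{cmd}: {len(args)} argument(s), expected {lo}..{upper}"))
        expected_kw: Optional[bytes] = {"MAIL": b"FROM:", "RCPT": b"TO:"}.get(cmd)
        if expected_kw and args and not args[0].upper().startswith(expected_kw):
            alerts.append((n, f"{cmd}: missing {expected_kw.decode()} keyword"))
        for arg in args:
            if len(arg) > MAX_PATH_LEN:
                alerts.append((n, f"{cmd}: {len(arg)}-byte field, possible buffer overflow"))
            if any(b < 0x20 or b > 0x7E for b in arg):
                alerts.append((n, f"{cmd}: non-printable bytes in field"))
        if cmd == "DATA":
            in_data = True
    return alerts


# Constructed client side of a session: three legitimate commands, an unknown command, an
# RCPT whose path is far over the RFC limit, then a message body that must not be decoded.
SAMPLE_SESSION = [
    b"HELO mail.example.com\r\n",
    b"MAIL FROM:<alice@example.com>\r\n",
    b"RCPT TO:<bob@example.net>\r\n",
    b"XEXCH50 2 2\r\n",
    b"RCPT TO:<" + b"A" * 600 + b"@example.net>\r\n",
    b"DATA\r\n",
    b"Subject: hello\r\n",
    b".\r\n",
    b"QUIT\r\n",
]


def demo() -> List[Tuple[int, str]]:
    return analyze_smtp_client(SAMPLE_SESSION)


if __name__ == "__main__":
    for line_no, reason in demo():
        print(line_no, reason)
```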
Note