Default ASA threat-detection and basic IPS

[snootalope]

Anyone know, is the default setup on an asa 8.0 with threat-detection enabled and basic IPS turned on acceptable as it is? Or, do you think it's nessacary to go in and modify some of the threat-detection rate's?

What about TCP normalization, is it acceptable as is by default?

Will the defaults detect and stop a DoS attack?

 

[NetworkGhost]

DoS attacks can come in many forms. Usually you see it in a high amount of half connections. Throttling connection limits can help this. When it comes in forms of fragments or built in the data of a packet targeted at a service the firewall may not be the best resource. There are some default signatures but these can become quickly outdated. If you dont have any host based security and your are truly worried about Intrusion attempts than I would recommend getting a full IPS solution. You can view some of the signatures that the ASA comes with at the following link:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1728128

http://www.wr-mem.com