Handling
Lesson 10
[Figure: client/server data flow through the security appliance, with some data blocked; HTTP inspection is added on TCP port 8080; application-layer traffic shown includes Kazaa, an over-long URL (http://www.example.com/long/URL/far2long) and an IM whiteboard session.]
ciscoasa(config)# regex name regular_expression
Creates a regular expression.
[Figure: a regular expression named ANYGIF is matched against "file.gif".]
NOTE: This regular expression matches “file.gif”. It does not match “.gif”.
© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—10-20
Testing a Regular Expression
ciscoasa(config)# test regex input_text regular_expression
Tests a regular expression.
[Figure: the input text New_P2P_Client1 is tested against the regular expression NEW_P2P and matches.]
[Figure: FTP server.]
asa1(config)# policy-map type inspect ftp MY_FTP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# ?
[Figure: an HTTP request with accept = audio/basic and the HTTP response with content-type = audio/x-wav.]
[Figure: Gator traffic to and from the Internet.]
ciscoasa(config-pmap)#
ciscoasa(config-cmap)# match [not] request method {method | regex {regex_name | class class_map_name}}
Matches an HTTP request method or extension method (predefined or custom).
– Only one match request method command is allowed in an inspection class map.
– Multiple match not request method commands are allowed in an inspection class map.
[Figure: HTTP body versus header check: the content-type header is compared with the leading bytes of the body (47 4b ff d8).]
[Figure: HTTP Server header check: Server = IIS versus Server = ServerX, with traffic to and from the Internet.]
[Figure: IM traffic (Yahoo Messenger) to and from the Internet.]
The specified action is taken only after the inspection policy map is applied to a
Layer 3 or 4 policy map and the Layer 3 or 4 policy map is activated.
Block IM Based on IP Address
ciscoasa(config-pmap)# match [not] ip-address ip-address netmask
Matches the source IP address of the IM message.
[Figure: Yahoo Messenger traffic to the Internet with source = 10.1.1.0 (network 10.1.1.0/24) and with source = 10.0.1.0 (network 10.0.1.0/24); Yahoo chat, MSN chat and MSN game traffic; mail server and mail client.]
[Figure: inbound SMTP command arriving from the Internet.]
ESMTP inspection:
– Allows only seven minimum SMTP commands: data, helo, mail, noop, quit, rcpt, and rset (RFC 821)
– Adds support for eight extended SMTP commands: auth, ehlo, etrn, help, saml, send, soml, and vrfy
– Defines ports on which to activate ESMTP inspection (default = 25)
If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed.
[Figure: mail client to mail server through the Internet; message body length > 32000.]
Prevent DoS Attacks with Command Rate Limiting
ciscoasa(config-pmap)# match [not] cmd {RCPT count gt recipients-number | line length gt characters | verb verb [verb]}
Configures a match condition related to the commands exchanged in an ESMTP transaction.
[Figure: mail client to mail server through the Internet; the etrn command is rate limited (10 per second).]
Block Spam by Blocking Specific MIME Encoding Types
ciscoasa(config-pmap)# match [not] mime {encoding encoding-type | filename length gt character-count | filetype regex {regular-expression | class class-map-name}}
Configures a match condition on the ESMTP MIME encoding type, MIME filename length, or MIME file type.
[Figure: mail client to mail server through the Internet; messages with MIME encoding quoted-printable are logged (LOG), messages with other MIME encodings are dropped.]
asa1(config)# policy-map type inspect esmtp MY_ESMTP_MAP
asa1(config-pmap)# match mime encoding quoted-printable
asa1(config-pmap-c)# log
. . .
asa1(config-pmap)# match mime encoding other
asa1(config-pmap-c)# drop-connection
Logs messages with quoted-printable encoding and drops messages with other encoding
Block Malicious Senders or Domains
ciscoasa(config-pmap)# match [not] sender-address {length gt character-count | regex {regular expression | class class-map-name}}
Configures a match condition on the ESMTP sender e-mail address.
[Figure: mail client sends to the mail server through the Internet with sender = joe@abc.com; domain = xyz.com.]
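The configuration below is an added worked example; it is not taken from the course slides. It ties together the commands shown above (regex and test regex, the HTTP match request method condition, and the ESMTP match cmd, match mime and match sender-address conditions) and then performs the step every slide note insists on: the inspection policy maps only take effect once they are referenced from a Layer 3/4 policy map that is activated with service-policy. All object names (ANYGIF, LONG_URL, BLOCKED_SENDERS, SUSPECT_URLS, MY_HTTP_MAP, MY_ESMTP_MAP, HTTP_PORTS, HTTP_CLASS, SMTP_CLASS, INSPECT_POLICY), the patterns and the thresholds are assumptions chosen for illustration; xyz.com is the example domain from the slide.

```cisco
! Added example, not from the course material. Object names, patterns and
! thresholds below are assumptions chosen for illustration.

! 1. Regular expressions (regex name regular_expression)
regex ANYGIF "\.[Gg][Ii][Ff]"
regex LONG_URL "/[A-Za-z0-9_./-]{64,}"
regex BLOCKED_SENDERS "@xyz\.com$"

! 2. Check a pattern before relying on it (test regex input_text regular_expression)
test regex "file.gif" "\.[Gg][Ii][Ff]"
test regex "joe@xyz.com" "@xyz\.com$"

! Group regexes so that one match statement can reference all of them
class-map type regex match-any SUSPECT_URLS
 match regex ANYGIF
 match regex LONG_URL

! 3. HTTP inspection policy map: protocol violations, the CONNECT method
!    and suspect URIs are each given their own action
policy-map type inspect http MY_HTTP_MAP
 parameters
  protocol-violation action drop-connection log
 match request method connect
  drop-connection log
 match request uri regex class SUSPECT_URLS
  reset log

! 4. ESMTP inspection policy map: command rate limiting, MIME checks and
!    sender-address checks from the slides above
policy-map type inspect esmtp MY_ESMTP_MAP
 parameters
  mask-banner
 match cmd RCPT count gt 100
  drop-connection log
 match cmd line length gt 998
  drop-connection log
 match cmd verb ETRN
  rate-limit 10
 match mime encoding quoted-printable
  log
 match mime filename length gt 255
  drop-connection log
 match sender-address length gt 320
  drop-connection log
 match sender-address regex BLOCKED_SENDERS
  drop-connection log

! 5. Layer 3/4 class maps: HTTP on its default port plus TCP 8080, SMTP on 25
access-list HTTP_PORTS extended permit tcp any any eq www
access-list HTTP_PORTS extended permit tcp any any eq 8080
class-map HTTP_CLASS
 match access-list HTTP_PORTS
class-map SMTP_CLASS
 match port tcp eq smtp

! 6. Layer 3/4 policy map that references the inspection policy maps
policy-map INSPECT_POLICY
 class HTTP_CLASS
  inspect http MY_HTTP_MAP
 class SMTP_CLASS
  inspect esmtp MY_ESMTP_MAP

! 7. Activate the policy; until this line none of the actions above take effect
service-policy INSPECT_POLICY interface inside
```

After activation, show service-policy confirms that the policy is attached to the interface and lists the inspections it applies; the test regex lines are the cheapest way to catch a pattern that would never match (the ANYGIF note above, where "file.gif" matches but ".gif" alone does not, is exactly the kind of surprise they expose).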
[Figure: DNS inspection example (ports 53 and 1050, request and response, steps 1–4). Inside host 10.0.0.5 and DNS server 10.0.0.10 on network 10.0.0.0; outside network 192.168.0.0 with addresses 192.168.0.17 and 192.168.0.20 and interfaces .1 and .2; the web client asks "Who is cisco.com?" and browses http://cisco.com on the web server cisco.com at 172.26.26.50. Request: Source 192.168.0.20, Destination 172.26.26.50. Response: Source 172.26.26.50, Destination 10.0.0.5.]
Protocol Application Inspection
[Figure: ICMP echo request from Insidehost and the matching echo reply passing through inspection.]
ICMP echo request (len 32 id 512 seq 26624) Insidehost > 172.26.26.50
ICMP echo reply (len 32 id 512 seq 26624) 172.26.26.50 > Insidehost
[Figure: SNMP v1 manager at 10.0.0.3 and the Internet.]
RTSP uses one TCP and two UDP channels.
Transport options:
– RTP
– RTCP
In standard RTP mode, RTP uses three channels:
– Control connection (TCP)
– RTP data (simplex UDP)
– RTCP reports (duplex UDP)
For outbound connections, the security appliance opens inbound ports for RTP data and RTCP reports.
For inbound connections, if an ACL exists, the security appliance handles standard RTP mode as follows:
– If outbound traffic is allowed, no special handling is required.
– If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.
RTSP-TCP-only mode does not require special handling by the security appliance.
Supported applications:
– RealNetworks:
[Figure: outbound and inbound RTSP sessions between client and server: TCP control connection on port 554 (Setup, transport = rtp/avp/udp), UDP RTP data and UDP RTCP reports; ports shown are 5000, 5001, 554, 2008, 3056 and 3057.]
[Figure: RTCP.]
Enables SIP
Default port = 5060
Enables security appliance to support any SIP VoIP gateways and VoIP proxies
– Signaling mechanism (SIP)
– Multimedia (RTP, RTCP)
[Figure: MGCP between a gateway and a call agent (addresses 192.168.1.115 and 10.0.1.7): gateway to call agent on port 2427, call agent to gateway on port 2727.]
With the inspect command, you can enable, disable, or enhance the use of a protocol inspection.
The security appliance uses special handling for some advanced protocols: FTP, HTTP, SNMP, and MGCP.
The security appliance handles such multimedia protocols as RTSP, RTP, SCCP, SIP, MGCP, and H.323.
You can change the port value for protocol inspection.
The class-map type inspect (optional), policy-map type inspect, class-map, policy-map, and service-policy commands are used to configure advanced protocol inspection.
The match command can be used in an inspection class map or an inspection policy map to identify the traffic on which you want the security appliance to perform an action.
Some match commands allow you to identify text in a packet using a regular expression, which is a pattern to match against an input string.
[Figure: lab topology with two pods, networks 10.0.P.0 and 10.0.Q.0, each containing hosts .10 and .100, a Web/FTP server, an RTS host and a Student PC.]