Application Inspection

Application inspection examines the application-layer protocol content of a packet to decide whether it is allowed to pass through the Cisco ASA. Application inspection is a three-step configuration process:

Step 1.

Set up the Application Inspection Map.

You set up application inspection under Configuration > Features > Building Blocks > Inspect Maps.

SecureMe is looking to enable inspection for the HTTP data packets at its Chicago location. SecureMe would like to do the following:

- Drop connections if they are not RFC 2616-compliant. RFC 2616 defines the HTTP 1.1 protocol specification.

- Allow connections after verifying the content-type field.

- Reset connections if the MAX URI exceeds 250 bytes.

- Drop connections for P2P applications such as Kazaa and Gnutella.

The RFC compliance and content-type verification are checked under the General tab, as shown in Figure 19-18, in which an HTTP map called web-traffic is set up. Select Drop Connection as the action under RFC Compliance. Because SecureMe is interested in looking at the logs whenever a noncompliant packet tries to traverse the Cisco ASA, also check the Generate Syslog option. To enable content-type verification, check Verify Content-Type Field Belongs to the Supported Internal Content-Type List, specify Allow Connection as the action, and check Generate Syslog to log this event.

Figure 19-18. RFC Compliance and Content-Type Verification

Figure 19-19 shows how to specify the maximum URL length when an HTTP packet traverses the Cisco ASA. It is set up under the Entity Length tab in the Add HTTP Map window. Check Inspect URI Length and specify the maximum length of 250 bytes.

Figure 19-19. Setting Maximum URI Length

Click the Application Category tab to set up inspection for specific application types that are included in an HTTP request. Choose P2P under Available Categories and select Drop Connection as the applied action. Enable Generate Syslog to log an entry if Cisco ASA drops the P2P HTTP packets. Click Add to move the entry with the selected action to the specified category table. Figure 19-20 illustrates how to set it up.

Figure 19-20. Application Inspection

Step 2.

Define a policy map.

After setting up the application map, the next step is to map it to a service policy so that Cisco ASA can start inspecting the traffic traversing through it. Create a new service policy map by navigating to Configuration > Features > Security Policy > Service Policy Rules and clicking Add. The application inspection can either be a part of the global policy or a separate interface policy. In Figure 19-21, an interface policy is being created called inside-policy that will be applied to the inside interface.

Figure 19-21. Adding a New Service Policy

The next configuration window prompts you to choose how to classify the traffic when it passes through the Cisco ASA. Because SecureMe is interested in inspecting the web traffic, choose TCP or UDP Destination Port as the traffic match criterion, as shown in Figure 19-22. The next window (not shown) prompts you to specify the Layer 4 port number on which to inspect the traffic. SecureMe uses port 80 for all of its web traffic, so the selected TCP destination port is 80.

Figure 19-22. Classifying Traffic

Step 3.

Link the inspection map to the service policy.

Click Configure and select the inspection map called web-traffic from the list, as shown in Figure 19-23. Click OK and then Finish to complete the setup of the service policy.

Figure 19-23. Inspection Map and Service Policy

Example 19-8 shows the complete configuration of an HTTP map and the service policy.

Example 19-8. HTTP Map Configuration Generated by ASDM

http-map web-traffic
 strict-http action drop log
 content-type-verification action allow log
 max-uri-length 250 action reset
 port-misuse p2p action drop log
class-map inside-class
 match port tcp eq 80
policy-map inside-policy
 class inside-class
  inspect http web-traffic
service-policy inside-policy interface inside
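As an added illustration that is not part of the book or of Cisco's code, the following Python model applies the four checks of the web-traffic map from Example 19-8 to constructed HTTP requests and reports which check fires, the configured action, and whether a syslog entry is generated. The check order, the supported content-type list, the User-Agent markers used to recognize the P2P category, and the request-line test for RFC 2616 compliance are all simplifying assumptions for illustration, not how the ASA implements the map.

```python
import re

# Assumed, simplified model of the "web-traffic" http-map in Example 19-8:
# check -> (action, generate_syslog). Not the ASA's own implementation.
HTTP_MAP = {
    "strict-http": ("drop", True),
    "content-type-verification": ("allow", True),
    "max-uri-length": ("reset", False),
    "port-misuse p2p": ("drop", True),
}
MAX_URI_LENGTH = 250
SUPPORTED_CONTENT_TYPES = {"text/html", "text/plain", "application/json"}  # assumed list
P2P_MARKERS = ("kazaa", "gnutella")  # assumed User-Agent markers for the P2P category
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/1\.[01]$")

def inspect_http(raw: str) -> tuple:
    """Return (check, action, log) for the first check that fires on one request."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:  # malformed request line -> treated as not RFC 2616 compliant
        return ("strict-http",) + HTTP_MAP["strict-http"]
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        if ":" not in line:  # malformed header -> treated as not RFC 2616 compliant
            return ("strict-http",) + HTTP_MAP["strict-http"]
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if len(m.group(2).encode()) > MAX_URI_LENGTH:  # URI length measured in bytes
        return ("max-uri-length",) + HTTP_MAP["max-uri-length"]
    if any(p in headers.get("user-agent", "").lower() for p in P2P_MARKERS):
        return ("port-misuse p2p",) + HTTP_MAP["port-misuse p2p"]
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype and ctype not in SUPPORTED_CONTENT_TYPES:  # map allows it, but logs
        return ("content-type-verification",) + HTTP_MAP["content-type-verification"]
    return ("none", "allow", False)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "ok": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long_uri": "GET /" + "a" * 300 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "not_http": "HELLO world\r\n\r\n",
    "p2p": "GET /search HTTP/1.1\r\nHost: x\r\nUser-Agent: Kazaa/2.0\r\n\r\n",
    "odd_ctype": "POST /u HTTP/1.1\r\nHost: x\r\nContent-Type: application/x-foo\r\n\r\n",
}
```

Calling inspect_http on each entry of SAMPLES returns allow for "ok", reset (no syslog) for "long_uri", drop with syslog for "not_http" and "p2p", and allow with syslog for "odd_ctype", matching the actions SecureMe configured for each check.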