HTTP

The Cisco ASA HTTP inspection engine checks whether an HTTP transaction is compliant with RFC 2616 by checking the HTTP request message. The following are the predefined HTTP commands:

The Cisco ASA checks for these HTTP commands; if the message does not have any of these, the Cisco ASA verifies that it is an HTTP extension method/command (such as MOVE, COPY, EDIT). A syslog message is generated if both checks fail and the packet can be dropped. The Cisco ASA also has the ability to detect double-encoding attacks. This method, known as HTTP de-obfuscation, is one where an HTTP message is encoded by normalizing encoded characters to ASCII-equivalent characters (sometimes also referred to as ASCII normalization). In a double-encoding attack, the attacker sends an encoded HTTP URI request that has been through two rounds of encoding. Traditionally, firewalls and intrusion detection devices detect the first round of encoding and normalize it. The attack still evades the firewall or IDS. The Cisco ASA HTTP inspection engine is able to detect double encoding and prevent this from happening.

The Cisco ASA also provides a feature to filter HTTP messages based on keywords. This is useful when looking for specific applications running over HTTP, such as online instant messenger (IM) applications, music sharing applications, and so on.

Enabling HTTP Inspection

Use the inspect http command to enable HTTP inspection. You can also enable enhanced HTTP inspection by creating an HTTP map and associating it to the inspect http command. To create an HTTP map, use the http-map command, as shown in Example 8-12.

Example 8-12. HTTP Inspection Using an HTTP Map

http-map myhttpmap request-method rfc default action allow request-method ext move action reset request-method ext copy action reset policy-map asa_global_fw_policy class inspection_default inspect http myhttpmap

In Example 8-12, an HTTP map named myhttpmap is configured. Request method inspection is enabled to allow all default RFC-compliant methods. The two extension methods, move and copy, are not allowed. If these two extensions are detected, the HTTP connection will be reset. The following HTTP extensions are supported by the Cisco ASA:

Several enhanced HTTP inspection options can be configured under the http-map subcommands. When you configure an HTTP map, you are placed into the http-map prompt. The following subcommands are available to configure the necessary rules for enhanced HTTP inspection:

strict-http

The strict-http command changes the default action taken when noncompliant HTTP traffic is detected. The following is the subcommand syntax:

strict-http action {allow | reset | drop} [log]

Table 8-5 describes the strict-http command options.

Table 8-5. strict-http Command Options

Option

Description

allow

Allows the message to be transferred through the Cisco ASA.

reset

Causes Cisco ASA to send a TCP-RST (reset) message to client and/or server.

drop

Drops the packet and closes the connection.

log

Generates a syslog message.

The strict-http command is enabled by default. The default action is to log and send a TCP reset.

content-length

The content-length command limits the HTTP traffic allowed through the Cisco ASA based on the content length of the HTTP message body. The following is the command syntax:

content-length {min bytes max bytes}action {allow | reset | drop} [log]

Table 8-6 describes the content-length command options.

Table 8-6. content-length Command Options

Option

Description

min

Minimum content length allowed, in bytes. The range is from 0 to 65,535 bytes.

max

Maximum content length allowed, in bytes. The range is from 0 to 50,000,000 bytes.

bytes

The length, in bytes

allow

Allows the message to be transferred through the Cisco ASA.

reset

Causes Cisco ASA to send a TCP-RST (reset) message to client and/or server.

drop

Drops the packet and closes the connection.

log

Generates a syslog message.

 

content-type-verification

When a web browser receives a document via HTTP, it must determine the document's encoding (sometimes referred to as charset). The browser must know this in order to display non-ASCII characters correctly. The content-type-verification command limits the content types in HTTP messages transferred through the Cisco ASA. The Cisco ASA verifies that the header content-type value is in the internal list of supported content types. Additionally, it checks that the header content type matches the actual content in the data or entity body portion of the message. Here are the currently supported HTTP content types:

The following is the content-type-verification command syntax:

content-type-verification [match-req-rsp] action {allow | reset | drop} [log]

The match-req-rsp keyword enables the Cisco ASA to verify that the content-type field in the HTTP response matches the accept field in the corresponding HTTP request message.

max-header-length

The max-header-length command limits the HTTP header length on traffic that passes through the Cisco ASA. Messages with a header length less than or equal to the configured value will be allowed; otherwise, the configured action will be taken. The following is the command syntax:

max-header-length {request bytes response bytes} action {allow | reset | drop} [log]

Table 8-7 describes the max-header-length command options.

Table 8-7. max-header-length Command Options

Option

Description

request

Used to specify the length of the request message header.

response

Used to specify the length of the response message header.

bytes

The length, in bytes. The range is 1 to 65,535.

allow

Allows the message to be transferred through the Cisco ASA.

reset

Causes Cisco ASA to send a TCP-RST (reset) message to client and/or server.

drop

Drops the packet and closes the connection.

log

Generates a syslog message.

 

max-uri-length

The max-uri-length command limits the length of the Universal Resource Identifier (URI) in a request message. The command syntax is as follows:

max-uri-length bytes action {allow | reset | drop} [log]

Table 8-8 describes the max-uri-length command options.

Table 8-8. max-uri-length Command Options

Option

Description

bytes

The length, in bytes. The range is 1 to 65,535.

allow

Allows the message to be transferred through the Cisco ASA.

reset

Causes Cisco ASA to send a TCP-RST (reset) message to client and/or server.

drop

Drops the packet and closes the connection.

log

Generates a syslog message.

 

port-misuse

The port-misuse command restricts applications, such as instant messengers, that use HTTP as a transport protocol. The following is the command syntax:

port-misuse {default | im | p2p | tunneling} action {allow | reset | drop} [log]

Table 8-9 describes the port-misuse command options.

Table 8-9. port-misuse Command Options

Option

Description

default

Allows inspection for all supported applications.

im

Enables IM application inspection (Yahoo Messenger).

p2p

Peer-to-peer application inspection. Applications include Kazaa and Gnutella.

tunneling

Enables tunneling application inspection. The following applications are inspected:

  • HTTPort/HTTHost

  • GNU Httptunnel

  • GotoMyPC

  • Firethru

  • Http-tunnel.com

allow

Allows the message to be transferred through the Cisco ASA.

reset

Causes Cisco ASA to send a TCP-RST (reset) message to client and/or server.

drop

Drops the packet and closes the connection.

log

Generates a syslog message.

Note

The port-misuse command is disabled by default.

 

request-method

The request-method command configures a specific action for each of the supported HTTP request methods. The following is the command syntax:

request-method rfc rfc _ method action {allow | reset | drop} [log] request-method ext ext_method action {allow | reset | drop} [log]

Table 8-10 describes the request-method command options.

Table 8-10. request-method Command Options

Option

Description

rfc

Used to specify methods defined in RFC 2616, "Hypertext Transfer Protocol".

ext

Used to specify extended methods.

rfc_method

The RFC 2616 supported methods are as follows:

  • connect

  • default

  • delete

  • get

  • head

  • options

  • post

  • put

  • trace

ext_method

The extended methods are as follows:

  • copy

  • default

  • edit

  • getattribute

  • getattribute

  • getproperties

  • index

  • lock

  • mkdir

  • move

  • revadd

  • revlabel

  • revlog

  • revnum

  • save

  • setattribute

  • startrev

  • stoprev

  • unedit

  • unlock

allow

Allows the message to be transferred through the Cisco ASA.

reset

Causes Cisco ASA to send a TCP-RST (reset) message to client and/or server.

drop

Drops the packet and closes the connection.

log

Generates a syslog message.

Note

The request-method command is disabled by default.

 

transfer-encoding type

The transfer-encoding type command configures a specific action for each of the supported HTTP transfer-encoding types passing through the Cisco ASA. The following is the command syntax:

transfer-encoding type encoding_types action {allow | reset | drop} [log]

Table 8-11 describes the transfer-encoding type command options.

Table 8-11. transfer-encoding type Command Options

Option

Description

encoding_types

Used to specify the encoding type. The following encoding types are supported:

  • default The default action. Enables all supported HTTP transfer-encoding types.

  • chunked Message body is transferred in chunks.

  • compress Unix file compression.

  • deflate Supports ZLIB format, as specified in RFC 1950, and deflate compression, defined in RFC 1951.

  • gzip GNU zip, as specified in RFC 1952.

  • identity Used as default encoding (no transfer encoding is done).

action

Action taken when a violation occurs.

allow

Allows the message to be transferred through the Cisco ASA.

reset

Causes Cisco ASA to send a TCP-RST (reset) message to client and/or server.

drop

Drops the packet and closes the connection.

log

Generates a syslog message.

Related

Категории