Application Layer Protocol Inspection

To define a set of inspection rules, enter the ip inspect name command for each protocol that you want the Cisco IOS classic firewall to inspect, using the same inspection name. Give each set of inspection rules a unique inspection name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface—you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application layer protocols, and for ICMP, TCP, and UDP, as desired. The TCP, UDP, and application layer protocol entries join together to form a single set of inspection rules with a unique name. (There are no application layer protocols associated with ICMP.) For HTTP inspection, you can also optionally configure Java applet blocking.

Cisco IOS classic firewall inspection rules can help protect hosts against certain DoS attacks involving fragmented IP packets. Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP traffic. Noninitial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Noninitial fragments received before the corresponding initial fragments are discarded.

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols.

© 2007 Cisco Systems, Inc. Adaptive Threat Defense 5-45

The syntax for the ip inspect name command is as follows:

ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Syntax Description

inspection-name

This argument names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection name as the existing set of rules.

The inspection name cannot exceed 16 characters; otherwise, the name will be truncated to the 16-character limit.

parameter max-sessions number

(Optional) This command limits the number of established firewall sessions that a firewall rule creates. The default is that there is no limit to the number of firewall sessions.

protocol

This is the protocol to inspect (listed in the "Application Layer Protocol Keyword Examples" table).

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set to on or off. If no option is selected, alerts are generated on the basis of the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, the audit-trail option can be set to on or off. If no option is selected, audit trail messages are generated based on the setting of the ip inspect audit-trail command.

timeout seconds

(Optional) To override the global TCP, UDP, or ICMP idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP, UDP, or ICMP timeouts but will not override the global DNS timeout.

In general, if you configure inspection for an application layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct ACL), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state.

Following are the protocol keywords for application-layer protocols.

Application Layer Protocol Keyword Examples

Keyword        Protocol
appfw          Application firewall
cuseeme        CUseeMe
smtp | esmtp   SMTP or ESMTP
ftp            FTP
imap           Internet Message Access Protocol (IMAP)
http           Java
h323           H.323
netshow        Microsoft NetShow
pop3           Post Office Protocol version 3 (POP3)
realaudio      RealAudio
rpc            RPC
sip            SIP
skinny         Skinny Client Control Protocol (SCCP)
streamworks    StreamWorks
sqlnet         SQL*Net
tftp           TFTP
rcmd           UNIX r commands (rlogin, rexec, rsh)
vdolive        VDOLive
user-10        Represents a user-defined application in the port-to-application mapping (PAM) table of the ip port-map command.

Note: All applications that appear under the show ip port-map command are supported.

5-46 Securing Networks with Cisco Routers and Switches (SNRS) v2.0 © 2007 Cisco Systems, Inc.

HTTP Inspection Syntax

Use this syntax for HTTP inspection configuration.

ip inspect name inspection-name http [java-list access-list] [urlfilter] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Syntax Description

http

Specifies the HTTP protocol for Java applet blocking

java-list access-list

(Optional) Specifies the numbered standard ACL to use to determine "friendly" sites

This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard ACLs.

urlfilter

(Optional) Associates URL filtering with HTTP inspection

SMTP and ESMTP Inspection Syntax

Use this syntax for SMTP and ESMTP inspection configuration.

ip inspect name inspection-name {smtp | esmtp} [alert {on | off}] [audit-trail {on | off}] [max-data number] [timeout seconds]

Syntax Description

smtp | esmtp

Specifies the protocol being used to inspect the traffic

max-data number

(Optional) Specifies the maximum number of bytes (data) that can be transferred in a single SMTP session

After the maximum value is exceeded, the firewall logs an alert message and closes the session. The default value is 20 MB.


Fragment Inspection Syntax

Use this syntax for fragment inspection.

ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds]

Syntax Description

fragment

This keyword specifies fragment inspection for the named rule.

max number

(Optional) This command specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS Software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10,000. The default is 256 state entries.

Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds (fragmentation)

(Optional) This command configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is 1 second.

If this number is set to a value greater than 1 second, it is automatically adjusted by the Cisco IOS Software when the number of free state structures goes below certain thresholds. When the number of free states is fewer than 32, the timeout is divided by 2. When the number of free states is fewer than 16, the timeout is set to 1 second.

Session Limiting Syntax

Use this syntax to limit the maximum number of firewall sessions.

ip inspect name inspection-name [parameter max-sessions number]

Syntax Description

parameter max-sessions number

(Optional) Limits the number of established firewall sessions that a firewall rule creates. The default is that there is no limit to the number of firewall sessions.

User-Defined Application Syntax

Use this syntax to point to a "user-defined" application in the PAM table.

ip inspect name inspection-name user-10 [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

Syntax Description

user-10

Represents a user-defined application in the Port-to-Application Mapping (PAM) table of the ip port-map command
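A constructed Cisco IOS configuration, added here and not taken from the SNRS course text, that puts the syntax from this section together: one inspection set, FW_OUT, covering the generic transports, HTTP with Java applet blocking, ESMTP with a data cap, fragment inspection, a session cap and a PAM user-defined application, then applied on an outside interface behind a deny-all inbound ACL. The interface name, ACL numbers, addresses, port and limits are assumptions, and the ip port-map and interface-level ip inspect commands come from outside this section.

```cisco
! Constructed example; names, ACL numbers, addresses and limits are assumptions.
! One inspection set, FW_OUT (well under the 16-character name limit), built
! one protocol per line, every line using the same inspection name.
!
! Standard numbered ACL 10 lists the "friendly" sites whose Java applets may
! pass; java-list accepts only a numbered standard ACL.
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Generic transports. ICMP has no application layer protocols of its own.
! max-sessions caps the sessions this rule set may create (default: no limit).
ip inspect name FW_OUT parameter max-sessions 5000 tcp
ip inspect name FW_OUT udp timeout 30
ip inspect name FW_OUT icmp
!
! Application layer protocols added to the same set. A per-protocol timeout
! overrides the global TCP/UDP/ICMP idle timeout for that protocol only.
ip inspect name FW_OUT http java-list 10 alert on audit-trail on timeout 300
ip inspect name FW_OUT esmtp max-data 10485760 alert on
ip inspect name FW_OUT ftp
ip inspect name FW_OUT sip
!
! Fragment inspection: up to 512 unassembled-fragment state entries, each held
! 2 s. Noninitial fragments with no permitted initial fragment are dropped.
ip inspect name FW_OUT fragment max 512 timeout 2
!
! user-10 names an application defined in the PAM table (ip port-map is a
! separate command; port 8080 is an assumed value).
ip port-map user-10 port 8080
ip inspect name FW_OUT user-10 alert on
!
! Outside interface (assumed name): the inbound ACL denies everything, and
! inspection in the outbound direction opens return paths only for sessions
! it has already seen leave, which is the behaviour described above.
access-list 101 deny ip any any log
interface FastEthernet0/1
 description Outside
 ip access-group 101 in
 ip inspect FW_OUT out
!
! Removing one protocol from the set, or the whole set, with the no form:
!   no ip inspect name FW_OUT sip
!   no ip inspect name
```

Inspect the resulting rule set with show ip inspect config and watch sessions being created with show ip inspect sessions.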

