Understanding Application Inspection Improvements

One of the primary functions of the FWSM is application inspection: checking for protocol conformance, rewriting embedded IP addresses, and so on. Expanding this capability only adds to the value of the services you offer your customers.

Domain Name Service (DNS) guard is a feature that applies when a client sends a DNS query through the FWSM to one or more DNS servers. By default, the FWSM allows only a single reply to each query and drops any additional responses, which helps prevent DNS poisoning attacks. Although not recommended, because it exposes the host to possible exploitation, the FWSM can be configured to allow all responses with the following command:

FWSM/Context-A(config)# no dns-guard

As you may have noticed from the prompt in the preceding command, this command also works in multiple-context mode.
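The single-reply behavior described above, modeled as an added example (this is not code from the book or from Cisco; the state table, the per-query key of client, server and transaction ID, and the enabled flag standing in for "no dns-guard" are assumptions made here):

```python
# Added example, not from the book or Cisco: a minimal model of FWSM DNS guard.
# The guard records each query crossing the firewall, lets exactly one matching
# reply through, then removes the state so any further reply is dropped.
import struct
from dataclasses import dataclass, field

@dataclass
class DnsGuard:
    enabled: bool = True            # False models "no dns-guard": every reply passes
    pending: dict = field(default_factory=dict)   # (client, server, txid) -> True
    dropped: int = 0                # count of dropped replies, useful as a detection signal

    @staticmethod
    def _parse(packet: bytes):
        """Return (txid, is_response) from the 12-byte DNS header."""
        if len(packet) < 12:
            raise ValueError("short DNS packet")
        txid, flags = struct.unpack("!HH", packet[:4])
        return txid, bool(flags & 0x8000)      # QR bit set means response

    def process(self, src: str, dst: str, packet: bytes) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        txid, is_response = self._parse(packet)
        if not is_response:
            self.pending[(src, dst, txid)] = True  # client -> server query opens state
            return True
        if not self.enabled:                       # guard disabled: all replies allowed
            return True
        key = (dst, src, txid)                     # reply flows server -> client
        if self.pending.pop(key, None) is None:    # no open query: extra or unsolicited reply
            self.dropped += 1
            return False
        return True                                # first reply consumes the state

def dns_header(txid: int, response: bool) -> bytes:
    """Build a constructed 12-byte DNS header with no question or answer sections."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)

def demo():
    """Constructed exchange: one query, then three replies (one legitimate, two extra)."""
    g = DnsGuard()
    q, r = dns_header(0x1234, False), dns_header(0x1234, True)
    results = [
        g.process("10.0.0.5", "192.0.2.53", q),   # query: forwarded, state created
        g.process("192.0.2.53", "10.0.0.5", r),   # first reply: forwarded, state removed
        g.process("192.0.2.53", "10.0.0.5", r),   # duplicate reply: dropped
        g.process("192.0.2.53", "10.0.0.5", dns_header(0x9999, True)),  # unsolicited: dropped
    ]
    return results, g.dropped   # ([True, True, False, False], 2)
```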

Policy maps are covered in detail in Chapter 11, "Modular Policy," but release 4.01 adds support and enhancements for inspection policy maps and class maps for the following applications:

• Distributed Computing Environment Remote Procedure Call (DCERPC): A remote procedure call protocol used across multiple computers to distribute work. Policy-map inspection for this protocol is new in 4.01.

• Extended Simple Mail Transfer Protocol (ESMTP): Extensions to SMTP. The 4.01 code adds application support and the ability to define inspection policy maps that match traffic using regular expressions.

• HTTP: A protocol used generally to transfer information across the Internet.

• Session Initiation Protocol (SIP): A signaling protocol used for voice communications over IP.

The following actions are available in policy maps for the protocols listed above:

— drop: Drops all packets that match the defined pattern.

— drop-connection: Drops the packet and closes the connection.

— mask: Masks that portion of the packet that has been matched.

— rate-limit: Limits the rate of received messages.

— reset: Drops the packet; closes and resets the connection.

— send-protocol-error: Sends a protocol error message when the packet does not conform to the ESMTP protocol.

The policy-map capability added for DCERPC, ESMTP, HTTP, and SIP greatly extends inspection of these protocols. Being able to drop, drop-connection, log, mask, rate-limit, reset, or send-protocol-error on matched traffic, rather than simply permit or deny it, gives much finer control over what each of these protocols is allowed to do.
