The Cisco ASA offers a wealth of access control features, many of which are underutilized in modern networks. In this session, we will discuss the methods and best practices for extension of classic firewalling policies to include proper configuration of low-level inspection routines, custom network and application-layer access controls, and anomaly-based access controls available in the latest Cisco ASA release.
Session ID BRKCRT-201
Effective Deployment of Cisco ASA Access Control
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialPresentation_ID 2
Cisco Live & Networkers Virtual Special Offer – Save $100. Cisco Live has a well-deserved reputation as one of the industry’s best educational values. With hundreds of sessions spanning four educational programs (Networkers, Developer Networker, Service Provider, IT Management), you can build a custom curriculum that can make you a more valuable asset to your workplace and advance your career goals. Cisco Live and Networkers Virtual immerses you in all facets of Cisco Live, from participating in live keynotes and Super Session events to accessing session content to networking with your peers. Visit www.ciscolivevirtual.com and register for Cisco Live and Networkers Virtual. To get $100 USD off the Premier pass, which provides access to hundreds of technical sessions, enter “slideshareFY11”.
Agenda and Prerequisites

Agenda
- Definition of Access Control Effectiveness
- Tune Basic OSI Layer 3-4 Inspection
- Configure and Verify the Cisco ASA TCP Normalizer and Advanced Connection Options
- Configure Application-layer Inspection

Prerequisites
- Understanding of the TCP/IP protocol suite and application protocols
- Familiarity with common classes of network attacks
- Familiarity with basic network firewall concepts
- Basic-to-intermediate level of familiarity with Cisco ASA configuration concepts
Definition of Access Control Effectiveness
Access Control Effectiveness: Levels of Access Control
- Firewall components can operate on different OSI layers:
  - Application layer (Layers 5-7) access control: controls payload and content inside permitted connections
  - Network layer (Layers 2-4) access control: minimizes connectivity between hosts and their applications

Access Control Effectiveness: Ability to Prevent Current and Future Attacks
- Firewall components can operate in different access control modes:
  - Restrictive access control: everything not explicitly allowed is prohibited
  - Permissive access control: everything not explicitly prohibited is allowed

Access Control Effectiveness: Effectiveness Criteria

| Criterion | Description |
|---|---|
| Coverage | The control provides protection against a wide variety of attacks |
| Accuracy | The control produces a manageable rate of false positives and false negatives |
| Granularity | The control is able to inspect activity at the desired depth |
| Integration ability | The control can support most applications and local infrastructure quirks |
| Implementation simplicity | The control is manageable to implement and operate |
Tune Cisco ASA Basic OSI Layer 3-4 Inspection
Basic Stateful Inspection Tuning Overview
- The ASA enforces a strict traffic filtering policy that may interfere with unexpected or unusual application requirements or network designs
  - There are many tools in the ASA to create exceptions for such situations
  - It is strongly recommended to plan for known exceptions in advance

Basic Stateful Inspection Tuning Overview: Input Parameters

| Input | Description |
|---|---|
| Potentially problematic TCP/IP stacks in the network, and applications with special TCP requirements | Required to plan for TCP normalizer exceptions |
| IP fragmentation issues in the network | Required to tune fragmentation handling |
| Asymmetric routing in the network | Required to possibly bypass stateful algorithms |
| Applications with long idle session periods | Required to adjust connection table timers |
| Dynamic applications used in the network | Required to enable the relevant dynamic application inspectors |
| Dynamic applications using non-standard ports | Required to enable the relevant dynamic application inspectors on those ports |
| Non-standard dynamic applications | Required to describe such applications to the ASA |

Basic Stateful Inspection Tuning Overview: Deployment Tasks
1. Tune basic OSI Layer 3-4 inspection
2. Tune the ASA TCP normalizer
3. Configure support for dynamic protocols

Basic Stateful Inspection Tuning Overview: Guidelines
- Consider the following overall guidelines:
  - When creating exceptions, make only the minimal required changes to the ASA traffic handling policy
  - Consider the possible adverse effects of your changes on access control reliability and performance
Tune Basic OSI Layer 3-4 Inspection: ASA Default Layer 3-4 Stateful Tracking
- The ASA will by default statefully track TCP, UDP, and GRE flows
  - ICMP (ping) tracking is disabled by default, and may be enabled with ICMP inspection

Connection table, example entries:
TCP  10.1.1.2:1474 > 192.168.1.6:22, inseq 346234, outseq 712136
UDP  192.168.1.3:58255 > 172.16.2.1:53, DNS id=457348956
TCP  10.1.1.2:4685 > 172.16.1.7:80, inseq 49758234, outseq 8345723
ICMP ECHO 10.1.1.7 > 172.16.9.1, ICMP ID=48572349
...
Tune Basic OSI Layer 3-4 Inspection: ASA Session Timers
- Sessions are normally deleted from the connection table based on TCP connection close events (FIN, RST) or idle timeouts (UDP, GRE, PING)
  - The connection table performs periodic garbage collection for TCP connections based on additional timeouts
  - These timeouts may be too aggressive for specific applications, and then need to be tuned

| TCP Timer | Default | Description |
|---|---|---|
| Embryonic connection timeout | 30 seconds | Defines the time the ASA will wait for a SYN/ACK reply to a SYN before it drops the half-open connection |
| Half-closed connection timeout | 10 minutes | Defines the time a TCP connection can remain FIN-closed in one direction only |
| Connection timeout | 1 hour | Defines the time a TCP connection can be idle (no traffic passed over it) |
Tune Basic OSI Layer 3-4 Inspection: ASA IP Fragment Handling
- The ASA performs virtual IP reassembly:
  - Buffers the fragments of a packet until all have been received
  - Verifies that the fragment set is well-formed
  - Reassembles the IP fragments internally, to perform TCP normalization and application inspection
  - Forwards the fragments as they were received

(Figure: incoming IP fragments are reassembled into a packet inside the ASA for inspection; the outgoing IP fragments leave unchanged)

Tune Basic OSI Layer 3-4 Inspection: Configuration Steps
1. (Optionally) Tune inspection timers and Dead Connection Detection (DCD)
2. (Optionally) Tune fragment management
Tune Basic OSI Layer 3-4 Inspection: Configuration Scenario

(Figure: hosts in 10.0.0.0/8 reach host 10.10.1.9 through the ASA)
- For telnet sessions to the host 10.10.1.9, set the idle timer to 4 hours and enable DCD
- Buffer up to 1000 IP fragments on all interfaces
Tune Basic OSI Layer 3-4 Inspection: Step 1: (Optionally) Tune Inspection Timers and DCD
Configuration > Firewall > Service Policy Rules
- Create a new ACL-based class that matches the specific telnet traffic
- Specify the idle timeout
- Enable DCD with default parameters
- You can reset the connection on forced close

Tune Basic OSI Layer 3-4 Inspection: Step 2: (Optionally) Tune Fragment Management
Configuration > Firewall > Service Policy Rules
- Edit the virtual reassembly policy for each interface
- Adjust the fragment database parameters
Tune Basic OSI Layer 3-4 Inspection: CLI Configuration

! Step 1: 4-hour idle timeout with DCD for telnet to 10.10.1.9, reset on forced close
access-list TELNET-TO-HOST-ACL permit tcp 10.0.0.0 255.0.0.0 host 10.10.1.9 eq 23
!
class-map TELNET-TO-HOST
 match access-list TELNET-TO-HOST-ACL
!
policy-map global_policy
 class TELNET-TO-HOST
  set connection timeout idle 4:00:00 reset dcd
!
! Step 2: buffer up to 1000 fragments per interface
fragment size 1000 inside
fragment size 1000 outside
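The virtual reassembly the slides describe (buffer, verify, reassemble internally, forward the original fragments) is easy to misread as "the ASA rewrites fragments". The following Python model is an added example, not Cisco code: it keeps one fragment database with a `fragment size`-style limit, rejects misaligned, oversized or overlapping fragment sets, hands the reassembled payload to the caller for inspection, and releases the fragments exactly as they arrived. Offsets are in bytes rather than 8-byte units, and all traffic in it is constructed; the default limit of 200 mirrors the ASA default quoted in this model as an assumption.

```python
"""Model of ASA virtual IP reassembly (added example, not Cisco code).

Fragments of one datagram are buffered until the set is complete and checked
for malformed or overlapping pieces; the payload is reassembled for inspection
and the original fragments are released unchanged.  The buffer limit plays the
role of `fragment size N <interface>`.  Offsets are in bytes, traffic is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_IP_DATAGRAM = 65535


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int        # IP identification field shared by all fragments of one datagram
    offset: int       # fragment offset in bytes (header field multiplied by 8)
    more: bool        # MF flag: True for every fragment except the last
    payload: bytes

    @property
    def key(self):
        return (self.src, self.dst, self.ident)

    @property
    def end(self):
        return self.offset + len(self.payload)


@dataclass
class _Pending:
    frags: list = field(default_factory=list)   # kept in arrival order
    total_len: Optional[int] = None             # known once the last fragment arrives


class FragmentDatabase:
    """One reassembly database, e.g. the one behind `fragment size 1000 inside`."""

    def __init__(self, size=200):
        self.size = size        # maximum fragments buffered at once (assumed ASA default: 200)
        self.pending = {}
        self.buffered = 0
        self.dropped = 0

    def _discard(self, key):
        entry = self.pending.pop(key, None)
        if entry:
            self.buffered -= len(entry.frags)

    def accept(self, frag):
        """Return ("drop", reason), ("buffer", None) or ("forward", (fragments, reassembled))."""
        if frag.offset % 8 or (frag.more and len(frag.payload) % 8):
            return ("drop", "fragment not aligned to 8 bytes")
        if frag.end > MAX_IP_DATAGRAM:
            return ("drop", "fragment exceeds maximum IP datagram")
        if self.buffered >= self.size:
            self.dropped += 1
            return ("drop", "fragment database full")
        entry = self.pending.setdefault(frag.key, _Pending())
        if any(frag.offset < f.end and f.offset < frag.end for f in entry.frags):
            self._discard(frag.key)          # overlapping pieces: throw the whole set away
            return ("drop", "overlapping fragment")
        if not frag.more:
            if entry.total_len is not None:
                self._discard(frag.key)
                return ("drop", "second last fragment")
            entry.total_len = frag.end
        entry.frags.append(frag)
        self.buffered += 1
        if entry.total_len is None or sum(len(f.payload) for f in entry.frags) < entry.total_len:
            return ("buffer", None)
        # Complete by byte count: valid only if the pieces cover 0..total_len exactly.
        pos = 0
        for f in sorted(entry.frags, key=lambda f: f.offset):
            if f.offset != pos:
                self._discard(frag.key)
                return ("drop", "fragments do not cover the datagram")
            pos = f.end
        frags = list(entry.frags)            # arrival order: forwarded as received
        reassembled = b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))
        self._discard(frag.key)
        return ("forward", (frags, reassembled))


if __name__ == "__main__":
    db = FragmentDatabase(size=1000)     # fragment size 1000 inside
    parts = [Fragment("10.1.1.2", "10.10.1.9", 42, 0, True, b"\x00" * 1480),
             Fragment("10.1.1.2", "10.10.1.9", 42, 1480, False, b"\x00" * 20)]
    for part in parts:
        print(db.accept(part)[0])        # buffer, then forward
```

The overlap check is the security-relevant part: a later fragment that rewrites bytes already buffered (the classic teardrop/insertion trick) invalidates the whole set instead of being merged, so inspectors never see a different byte stream than the receiving host.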
Tune Basic OSI Layer 3-4 Inspection: Guidelines
- Consider the following implementation guidelines:
  - Only tune connection timers when required by specific applications, for a minimal set of required hosts; use DCD with long-lived connections to avoid resource exhaustion
  - Fragmentation management does not normally require tuning; first try to eliminate the root cause of the fragmentation before tuning the ASA
Tune the Cisco ASA TCP Normalizer
Tune the ASA TCP Normalizer: TCP Normalizer Overview
- The ASA TCP normalizer feature
  - Verifies adherence to the TCP protocol and prevents evasion attacks
  - Disables some TCP features by default
  - Performs TCP sequence number randomization for protected hosts
  - Provides the reassembled byte stream to upper-layer inspectors

(Figure: incoming TCP segments are reassembled into a stream for inspection and leave as normalized TCP segments)
Tune the ASA TCP Normalizer: TCP Normalizer Configurable Parameters

| Parameter (default) | Description |
|---|---|
| Verify contents of retransmissions (disabled) | Enables or disables the retransmit data checks |
| Verify TCP checksum of all packets (disabled) | Enables or disables checksum verification |
| Analyze TCP MSS of flows (allow) | Allows or drops packets that exceed the MSS |
| Analyze TCP reserved flags (allow) | Sets the reserved flags policy |
| SYN packet analysis (allow) | Allows or drops SYN packets with data |
| Analyze unusual TCP options (clear) | Allows or clears TCP options |
| Analyze IP TTL of flows (enabled) | Enables or disables the TTL evasion protection |
| URG flag check (allow) | Allows or clears the URG pointer |
| Analyze TCP windowing (drop) | Drops a connection that has changed its window size unexpectedly |
Tune the ASA TCP Normalizer: TCP State Bypass
- You can bypass the ASA stateful inspection algorithms for some flows
  - Configurable through MPF traffic classes
  - Causes the ASA to treat these flows similarly to Cisco IOS Software stateless ACLs
  - Also disables AIC, SSCs, cut-through proxy, and the TCP normalizer for these flows
  - Use only for trusted flows

(Figure: without state bypass the ASA denies a unidirectional TCP flow, as seen with asymmetric routing)

Tune the ASA TCP Normalizer: Configuration Steps
1. (Optionally) Tune TCP normalization
2. (Optionally) Tune TCP ISN randomization
3. (Optionally) Configure TCP state bypass
Tune the ASA TCP Normalizer: Configuration Scenario

(Figure: a BGP session crosses the ASA; the networks 10.1.1.0/24 and 10.2.2.0/24 sit on either side of it)
- Support an authenticated BGP session through the ASA
- Statelessly handle traffic between the 10.1.1.0/24 and 10.2.2.0/24 networks
Tune the ASA TCP Normalizer: Step 1: (Optionally) Tune TCP Normalization
Configuration > Firewall > Objects > TCP Maps
- Create a new TCP map that defines the TCP normalizer parameters
- Allow TCP option 19 (the TCP MD5 signature option used for BGP authentication), which the normalizer clears by default

Tune the ASA TCP Normalizer: Step 2: (Optionally) Tune TCP ISN Randomization
Configuration > Firewall > Service Policy Rules
- Create a new ACL-based class that matches the specific BGP traffic
- Specify the configured TCP map
- Disable ISN randomization (the MD5 signature covers the TCP header, so rewriting sequence numbers would invalidate it)

Tune the ASA TCP Normalizer: Step 3: (Optionally) Configure TCP State Bypass
Configuration > Firewall > Service Policy Rules
- Create a new ACL-based class that matches the specific networks
- Disable stateful checks for this class
Tune the ASA TCP Normalizer: CLI Configuration

! Step 1: TCP map that allows option 19 (TCP MD5 signature)
tcp-map TCP-BGP-AUTH-MAP
 tcp-options range 19 19 allow
!
! Step 2: class for the BGP peering; apply the map and disable ISN randomization
access-list BGP-PEERING-ACL permit tcp host 10.3.3.3 host 10.4.4.4 eq 179
access-list BGP-PEERING-ACL permit tcp host 10.4.4.4 host 10.3.3.3 eq 179
!
class-map BGP-PEERING
 match access-list BGP-PEERING-ACL
!
! Step 3: class for the networks handled statelessly
access-list STATE-BYPASS-ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list STATE-BYPASS-ACL permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
class-map STATE-BYPASS
 match access-list STATE-BYPASS-ACL
!
policy-map global_policy
 class BGP-PEERING
  set connection advanced-options TCP-BGP-AUTH-MAP
  set connection random-sequence-number disable
 class STATE-BYPASS
  set connection advanced-options tcp-state-bypass
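Why the BGP scenario needs `tcp-options range 19 19 allow` is clearer when the option policy is run over real header bytes. The following Python model is an added example, not Cisco code: it parses a raw TCP options field and applies a tcp-map's `tcp-options` policy to each option, with the defaults the slide states (SACK, timestamp and window scale allowed, other options cleared). Two assumptions of the model: clearing an option is implemented as overwriting it with NOPs so the data offset stays valid, and the range validation (6-7 or 9-255, option 8 excluded) follows the CLI's documented limits. The BGP SYN option bytes and the digest are constructed.

```python
"""Model of the tcp-map `tcp-options` policy applied to a raw TCP options field
(added example, not Cisco code).  Defaults follow the slide: SACK, timestamp and
window scale are allowed, any other option is cleared unless a `tcp-options range`
entry says otherwise.  Assumption: clearing overwrites the option with NOPs so the
TCP data offset is unchanged.  The BGP SYN options below are constructed."""
from dataclasses import dataclass, field

EOL, NOP, MSS = 0, 1, 2
DEFAULT_ALLOWED = {3, 4, 5, 8}      # window scale, SACK-permitted, SACK, timestamp
TCP_MD5_SIGNATURE = 19              # RFC 2385 option carried by authenticated BGP sessions


@dataclass
class TcpMap:
    name: str
    ranges: list = field(default_factory=list)   # (lower, upper, action) from `tcp-options range`

    def tcp_options_range(self, lower, upper, action):
        # Assumed CLI limits: ranges lie within 6-7 or 9-255; option 8 has its own keyword.
        if not (6 <= lower <= upper <= 255) or lower <= 8 <= upper:
            raise ValueError("range must lie within 6-7 or 9-255")
        if action not in ("allow", "clear", "drop"):
            raise ValueError("action must be allow, clear or drop")
        self.ranges.append((lower, upper, action))
        return self

    def verdict(self, kind):
        if kind in (EOL, NOP, MSS) or kind in DEFAULT_ALLOWED:
            return "allow"
        for lower, upper, action in self.ranges:
            if lower <= kind <= upper:
                return action
        return "clear"                           # the slide's default for unusual options


def parse_options(raw):
    """Split a TCP options field into (kind, raw_option_bytes) pairs."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:                          # EOL ends the list; keep it and any padding
            opts.append((EOL, raw[i:]))
            break
        if kind == NOP:
            opts.append((NOP, raw[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length = raw[i + 1]
        opts.append((kind, raw[i:i + length]))
        i += length
    return opts


def normalize(raw, tcp_map):
    """Return ("drop", b"") or ("forward", rewritten_options_field)."""
    out = bytearray()
    for kind, opt in parse_options(raw):
        action = tcp_map.verdict(kind)
        if action == "drop":
            return ("drop", b"")
        out += bytes([NOP]) * len(opt) if action == "clear" else opt
    return ("forward", bytes(out))


# Constructed SYN options of an MD5-authenticated BGP session: 40 bytes, the maximum.
FAKE_MD5_DIGEST = bytes(range(16))               # placeholder digest, not a real signature
BGP_SYN_OPTIONS = (
    bytes([MSS, 4, 0x05, 0xB4])                              # MSS 1460
    + bytes([4, 2])                                          # SACK permitted
    + bytes([8, 10]) + (1234).to_bytes(4, "big") + bytes(4)  # timestamp
    + bytes([NOP])
    + bytes([3, 3, 7])                                       # window scale 7
    + bytes([TCP_MD5_SIGNATURE, 18]) + FAKE_MD5_DIGEST       # MD5 signature
    + bytes([EOL, EOL])
)

if __name__ == "__main__":
    print(normalize(BGP_SYN_OPTIONS, TcpMap("default")))                                  # signature NOP-ed out
    print(normalize(BGP_SYN_OPTIONS, TcpMap("TCP-BGP-AUTH-MAP").tcp_options_range(19, 19, "allow")))
```

With the default map the peer receives a SYN whose signature has been replaced by NOPs and rejects it; with `TCP-BGP-AUTH-MAP` the segment passes unchanged. The same model shows why the deck warns about relaxing the normalizer: a `range 9 255 allow` entry would wave through every unusual option, not just option 19.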
Tune the ASA TCP Normalizer: Guidelines
- Consider the following implementation guidelines:
  - Exercise extreme care if you are relaxing TCP normalizer parameters; this may cause unreliable application-layer filtering
  - For application-layer inspection, add TCP checksum verification and retransmission checks to your flow policy, at the expense of lower performance
  - Make only the minimal required changes, between specific hosts or networks
  - Use TCP state bypass only when absolutely necessary (to support trusted asymmetric flows, or TCP stack quirks of critical hosts)
Configure Support for Dynamic Protocols
Configure Support for Dynamic Protocols: Dynamic Protocols and Stateful Filtering
- Dynamic protocols are those that negotiate additional sessions on negotiated transport-layer ports
  - The ASA will by default snoop on many dynamic protocols to automatically permit these sessions
  - In ACLs, you only need to permit the initial session

Configure Support for Dynamic Protocols: Default Ports in the Default Inspection Class
- The ASA assigns a set of well-known ports used by dynamic applications to the default inspection class
  - Not all ports are inspected by default
  - Additional ports are present for NAT and application-layer inspection
Configure Support for Dynamic Protocols: Default Inspectors in the Default Inspection Class

| Inspector | Function |
|---|---|
| FTP | Allows FTP data connections |
| H.323 (H.225) | Allows negotiated RTP flows |
| H.323 (RAS) | Allows negotiated RTP flows |
| RSH | Allows RSH stderr connections |
| RTSP | Allows negotiated RTP flows |
| SCCP | Allows negotiated RTP flows |
| SIP | Allows negotiated RTP flows |
| Oracle SQL*Net (TNS) | Allows dynamic database connections |
| UNIX RPC (SUNRPC) | Allows all available UNIX RPC applications via the RPC portmapper |
| TFTP | Allows TFTP data connections |
| XDMCP | Allows dynamic X Window display sessions |

Configure Support for Dynamic Protocols: Inactive Inspectors in the Default Inspection Class

| Inspector | Function |
|---|---|
| CTIQBE | Allows negotiated RTP flows |
| DCERPC | Allows dynamic Microsoft DCOM and DCE RPC connections |
| MMP | Allows negotiated RTP flows |
| MGCP | Allows negotiated RTP flows |
Configure Support for Dynamic Protocols: WAAS Inspector
- The ASA also supports a non-default WAAS inspector
  - WAAS is not a dynamic application, but it changes TCP behavior
  - Enabling the inspector allows WAAS-optimized sessions to work through the ASA

(Figure: WAAS-optimized TCP sessions between two WAAS-enabled ISRs cross a WAAS-aware ASA)

Configure Support for Dynamic Protocols: Configuration Steps
1. (Optionally) Configure support for non-default dynamic applications
2. (Optionally) Configure support for dynamic applications on non-standard ports
3. (Optionally) Configure support for custom dynamic applications
Configure Support for Dynamic Protocols: Configuration Scenario

(Figure: a custom dynamic application opens a TCP 3000 control connection and then a UDP 7777 data connection through the ASA)
- Enable support for FTP on TCP port 2121
- Enable the non-default CTIQBE and DCERPC inspectors
- Support the custom dynamic application (TCP 3000 control connection, UDP 7777 data connection)
Configure Support for Dynamic Protocols: Step 1: (Optionally) Configure Support for Non-Default Dynamic Applications
Configuration > Firewall > Service Policy Rules
- Modify the default inspection class
- Enable the additional dynamic protocol inspectors

Configure Support for Dynamic Protocols: Step 2: (Optionally) Configure Support for Dynamic Applications on Non-Standard Ports
Configuration > Firewall > Service Policy Rules
- Create a new destination-port-based class
- Specify the static ports or port ranges of the dynamic application
- Enable the dynamic application inspector for this class
Configure Support for Dynamic Protocols: Step 3: (Optionally) Configure Support for Custom Dynamic Applications
- The established command allows you to describe a dynamic application to the ASA
- Based on an established, authorized connection, it allows additional connections between the same two hosts
- This is a better approach than permanently permitting these dynamic sessions using ACLs

Syntax:
ASA(config)# established protocol dest_port [source_port] [permitto protocol port[-port]] [permitfrom protocol port[-port]]

Scenario configuration (once a TCP 3000 connection exists between two hosts, the UDP 7777 return connection between the same hosts is permitted):
established tcp 3000 permitto udp 7777
!
access-list INSIDE permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.0.0 eq 3000
!
access-group INSIDE in interface inside
Configure Support for Dynamic Protocols: CLI Configuration

! Step 2: class for FTP on a non-standard port
class-map NON-STANDARD-FTP
 match port tcp eq 2121
!
! Step 1: enable the non-default inspectors in the default inspection class
policy-map global_policy
 class inspection_default
  inspect ctiqbe
  inspect dcerpc
! Step 2: FTP inspection for the non-standard port class
 class NON-STANDARD-FTP
  inspect ftp
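The deck's claim that `established` beats a static ACL is a least-privilege argument, and it is easiest to see on a small model of the two alternatives. The following Python is an added example, not Cisco code: it models per-interface ACLs, a connection table and the `established tcp 3000 permitto udp 7777` rule, then contrasts it with a standing outside ACL for UDP 7777. The `Asa` class, its method names and all hosts and flows are constructed for this illustration; the `established` semantics modelled are only those the slide states (the return connection is allowed between the same two hosts while the authorized connection exists).

```python
"""Model of the ASA `established` command beside a static ACL (added example,
not Cisco code).  `established tcp 3000 permitto udp 7777` lets the outside
peer open UDP 7777 back to an inside host only while that host holds an
authorized TCP 3000 connection to it; a static ACL opens the port for every
host all the time.  Class and method names, hosts and flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int


class Asa:
    def __init__(self):
        self.acls = {"inside": [], "outside": []}   # per ingress interface: (proto, src_net, dst_net, dport)
        self.established = []                       # (est_proto, est_dport, permitto_proto, permitto_port)
        self.conns = set()                          # connection table

    def access_list(self, interface, proto, src, dst, dport):
        """Model of `access-list ... permit <proto> <src> <dst> eq <dport>` applied inbound on <interface>."""
        self.acls[interface].append((proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport))

    def established_cmd(self, est_proto, est_dport, permitto_proto, permitto_port):
        """Model of `established <est_proto> <est_dport> permitto <permitto_proto> <permitto_port>`."""
        self.established.append((est_proto, est_dport, permitto_proto, permitto_port))

    def _acl_permits(self, interface, flow):
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        return any(proto == flow.proto and src in sn and dst in dn and flow.dport == dport
                   for proto, sn, dn, dport in self.acls[interface])

    def _established_permits(self, flow):
        # The return connection is allowed only while the two hosts share an
        # authorized connection of the kind named in the established command,
        # opened by the host that is now the destination.
        for est_proto, est_dport, ret_proto, ret_port in self.established:
            if (flow.proto, flow.dport) != (ret_proto, ret_port):
                continue
            if any(c.proto == est_proto and c.dport == est_dport
                   and c.src == flow.dst and c.dst == flow.src for c in self.conns):
                return True
        return False

    def new_connection(self, flow, ingress):
        """First packet of a new connection arrives on <ingress>; True if it is permitted."""
        permitted = self._acl_permits(ingress, flow) or (
            ingress == "outside" and self._established_permits(flow))
        if permitted:
            self.conns.add(flow)
        return permitted

    def close(self, flow):
        self.conns.discard(flow)


def least_privilege_asa():
    """The deck's approach: permit the control connection, pinhole the data connection."""
    asa = Asa()
    asa.access_list("inside", "tcp", "10.0.0.0/8", "172.16.0.0/16", 3000)
    asa.established_cmd("tcp", 3000, "udp", 7777)
    return asa


def static_acl_asa():
    """The alternative the deck argues against: a permanent hole for UDP 7777."""
    asa = Asa()
    asa.access_list("inside", "tcp", "10.0.0.0/8", "172.16.0.0/16", 3000)
    asa.access_list("outside", "udp", "172.16.0.0/16", "10.0.0.0/8", 7777)
    return asa


if __name__ == "__main__":
    ctrl = Flow("tcp", "10.1.1.5", "172.16.2.9", 3000)
    data = Flow("udp", "172.16.2.9", "10.1.1.5", 7777)
    asa = least_privilege_asa()
    print(asa.new_connection(data, "outside"))   # False: no control connection yet
    print(asa.new_connection(ctrl, "inside"))    # True
    print(asa.new_connection(data, "outside"))   # True: same two hosts, control connection exists
```

The difference shows up on the stray flow: with the static ACL any 172.16.0.0/16 host can send UDP 7777 to any 10.0.0.0/8 host at any time, while with `established` the same packet is dropped unless that exact pair already has the TCP 3000 session open.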
Configure Support for Dynamic Protocols: Guidelines
- Consider the following implementation guidelines:
  - If you do not use a particular dynamic protocol, it is generally better to globally disable its inspection function inside the default class
  - Use the established command instead of static ACLs to support minimal connectivity for custom dynamic applications
Configuring Application-Layer Policies
Application-Layer Access Control Overview
- Application-layer access control can
  - Provide defense in depth by protecting exposed client and server applications
  - Prevent malicious content from being delivered to endpoints
  - Prevent covert tunneling

(Figure: the ASA protects the client application on one side and the server application, such as a CRM system, on the other)
Application-Layer Access Control Overview: Application-layer Controls

| Control | Description |
|---|---|
| Protocol minimization | Allows a minimal required set of protocol features through the ASA; increases protection by hiding unnecessary features; can prevent both known and unknown attacks |
| Payload minimization | Allows transport of the minimally required payloads over the application session; increases protection by only allowing expected content types and values; can prevent both known and unknown attacks |
| Application-layer signatures | Detect and drop known malicious payloads in application-layer sessions; can generally only prevent known attacks; can be manually configured in ASA native AIC, or you can use the full IPS functionality of the AIP SSM or SSC |
| Protocol verification | Detects and/or drops anomalous application-layer protocol units; can prevent both known and unknown attacks; can prevent covert tunneling |
Application-Layer Access Control Overview: Input Parameters

| Input | Description |
|---|---|
| Application protocols used | Required to determine the level of AIC support on the ASA |
| Applications used | Required to determine basic application behavior |
| Local application customization | Required to determine detailed application behavior |
| Hardening and patching policies; known application vulnerabilities | Required to determine application vulnerability and the need for network protection |
| Cryptographic protection used | Required to determine implementation feasibility and the possible need for decryption |

Application-Layer Access Control Overview: Guidelines
- Consider the following general deployment guidelines:
  - Deploy application-layer access control as the primary line of defense if your applications are known to be vulnerable to application-layer attacks
  - Otherwise, consider application-layer access control for defense in depth
  - Analyze application behavior in detail, and cooperate with endpoint and application administrators, before attempting to create network application-layer access controls
  - Decrypt application-layer traffic before inspecting it (and possibly re-encrypt it afterwards)
Configure Cisco ASA HTTP Inspection
Configure HTTP Inspection: HTTP Inspector Overview
- The ASA HTTP inspector can granularly parse HTTP requests and responses and allows specific-value and regular-expression matching inside these containers
- Additionally, the inspector can verify adherence to the HTTP protocol, and log accessed URIs

(Figure: an HTTP request and its response pass through the ASA)

GET /go/asa HTTP/1.1
Accept: image/jpeg, image/gif, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; ...

HTTP/1.1 200 OK
Date: Mon, 22 Mar 2010 12:30:50 GMT
Server: Apache/2.2
Last-Modified: Sat, 20 Mar 2010 00:39:56 GMT
...
<!DOCTYPE html PUBLIC ...
Configure HTTP Inspection: HTTP Request and Response

Request headers:
GET /go/asa HTTP/1.1
Accept: image/jpeg, image/gif, application/x-shockwave-flash, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Host: www.cisco.com
Connection: Keep-Alive
Cookie: CP_...

Response headers:
HTTP/1.1 200 OK
Date: Mon, 22 Mar 2010 12:30:50 GMT
Server: Apache/2.2
Last-Modified: Sat, 20 Mar 2010 00:39:56 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 24316
Connection: keep-alive

Data:
<!DOCTYPE html PUBLIC ...
Configure HTTP Inspection: HTTP Request and Response Details

GET /scripts/myapp?username=joe&sessionid=12 HTTP/1.1
  GET: HTTP method
  /scripts/myapp: HTTP URI
  username=joe&sessionid=12: HTTP arguments
  HTTP/1.1: HTTP version
Host: www.cisco.com
  Virtual server hostname
Content-Type: text/html
  Type of returned content (HTML content)
Configure HTTP Inspection: Request Inspection Options

| HTTP Request Field | Type of match |
|---|---|
| Request Method | Specific values |
| Request URI | Regular expression(s) |
| Request Length | Numeric (greater than) |
| Request Arguments | Regular expression(s) |
| Request Header Field (names and values) | Specific values or regular expression(s) |
| Request Header Field Count | Numeric (greater than) |
| Request Header Field Length | Numeric (greater than) |
| Request Header Count | Numeric (greater than) |
| Request Header Length | Numeric (greater than) |
| Request Header Non-ASCII | Boolean (true or false) |
Configure HTTP Inspection: Response Inspection Options

| HTTP Response Field | Type of match |
|---|---|
| Response Status Line | Regular expression(s) |
| Response Body | Regular expression(s) |
| Response Body Length | Numeric (greater than) |
| Response Header Field (names and values) | Specific values or regular expression(s) |
| Response Header Field Count | Numeric (greater than) |
| Response Header Field Length | Numeric (greater than) |
| Response Header Count | Numeric (greater than) |
| Response Header Length | Numeric (greater than) |
| Response Header Non-ASCII | Boolean (true or false) |
Configure HTTP Inspection: Configuration Steps
1. Create an HTTP inspection policy map
2. (Optionally) Configure HTTP protocol minimization
3. (Optionally) Configure HTTP payload minimization
4. (Optionally) Configure HTTP signatures
5. (Optionally) Configure HTTP protocol verification
6. Apply the HTTP inspection policy map
Configure HTTP Inspection: Configuration Scenario

(Figure: clients reach the web server 10.10.10.1 over HTTP through the ASA)
- Drop requests that contain basic SQL injection (“SELECT ... FROM”) in the HTTP arguments
- Only allow the HTTP GET method
- Only allow URIs starting with “/myapp”
- Verify adherence to the HTTP protocol
Configure HTTP Inspection: Step 1: Create an HTTP Inspection Policy Map
Configuration > Firewall > Objects > Inspect Maps > HTTP
- Choose a pre-configured policy, or
- Use the “Details” view to create custom inspections

Configure HTTP Inspection: Step 1: Create an HTTP Inspection Policy Map (Cont.)
Configuration > Firewall > Objects > Inspect Maps > HTTP
- You can add multiple inspections; any matching inspection will trigger an action
- In each inspection, you can match on a single condition or on multiple conditions

Configure HTTP Inspection: Step 2: (Optionally) Configure HTTP Protocol Minimization
Configuration > Firewall > Objects > Inspect Maps > HTTP
- To minimize protocol features, use the “No Match” criterion and specify all valid protocol features
- Specify the actions taken when a protocol feature is not on the “white list”

Configure HTTP Inspection: Step 3: (Optionally) Configure HTTP Payload Minimization
Configuration > Firewall > Objects > Inspect Maps > HTTP
- To minimize payloads, use the “No Match” criterion and specify all valid payloads
- Specify the actions taken when a payload is not on the “white list”
- Specify valid payloads using a regex or specific values
- Create and test a regex in the ASDM interface

Configure HTTP Inspection: Step 4: (Optionally) Configure HTTP Signatures
Configuration > Firewall > Objects > Inspect Maps > HTTP
- To create signatures, use the “Match” criterion and specify individual malicious payloads
- Specify the actions taken when a payload is on the “blacklist”
- Specify malicious payloads using a regex or specific values

Configure HTTP Inspection: Step 5: (Optionally) Configure HTTP Protocol Verification
Configuration > Firewall > Objects > Inspect Maps > HTTP
- Enable protocol verification
- Specify the actions taken for non-compliant sessions

Configure HTTP Inspection: Step 6: Apply the HTTP Inspection Policy Map
Configuration > Firewall > Service Policy Rules
- Create a new ACL-based class that matches the specific web traffic
- Enable HTTP inspection and apply the custom HTTP inspect map
Configure HTTP Inspection: CLI Configuration

! Regexes: the signature (step 4) and the URI prefix (step 3)
regex BASIC-SQL-INJECTION "[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]"
regex MY-URI "^\/myapp"
!
! Step 1: HTTP inspection policy map
policy-map type inspect http MY-HTTP-POLICY
 parameters
! Step 5: protocol verification
  protocol-violation action drop-connection log
! Step 2: protocol minimization (only GET is allowed)
 match not request method get
  drop-connection log
! Step 3: payload minimization (only URIs starting with /myapp are allowed)
 match not request uri regex MY-URI
  drop-connection log
! Step 4: signature (basic SQL injection in the arguments)
 match request args regex BASIC-SQL-INJECTION
  drop-connection log
!
! Step 6: apply the policy map to traffic to the web server
access-list WEB-SERVER-ACL permit tcp any host 10.10.10.1 eq http
!
class-map WEB-SERVER-PROTECTION
 match access-list WEB-SERVER-ACL
!
policy-map global_policy
 class WEB-SERVER-PROTECTION
  inspect http MY-HTTP-POLICY
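The six steps above combine an allow-list (`match not`), a signature (`match`) and protocol verification in one policy map, and the order in which they fire matters. The following Python is an added example, not Cisco code: it models MY-HTTP-POLICY rule for rule with the deck's own regexes and evaluates constructed requests against it. Assumptions of the model: `request uri` is the path and `request args` the query string, as the deck's annotated request shows; protocol verification is reduced to a few HTTP/1.x well-formedness checks; the first rule whose condition is met decides the action; the sample requests and the server 10.10.10.1 are taken from the scenario and constructed.

```python
"""Model of the HTTP inspection policy map from the slides (added example, not
Cisco code).  Applies `match` / `match not` rules in order against a parsed
request.  Assumption: `request uri` is the path, `request args` the query string;
protocol verification is a few HTTP/1.x well-formedness checks.  Requests are constructed."""
import re
from dataclasses import dataclass

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token


def parse_request(raw):
    """Return method, uri, args, headers and body, or raise ValueError for a malformed request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated")
    lines = head.decode("ascii").split("\r\n")   # non-ASCII raises UnicodeDecodeError, a ValueError
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    method, target, version = m.groups()
    uri, _, args = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not HEADER_NAME.match(name):
            raise ValueError("malformed header field")
        headers[name.lower()] = value.strip()
    if version == "1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method, "uri": uri, "args": args, "headers": headers, "body": body}


@dataclass(frozen=True)
class Rule:
    field: str       # "method", "uri" or "args"
    pattern: str     # method name, or an ASA-style regex for uri/args
    negate: bool     # True models `match not ...` (allow-list), False models `match ...` (signature)
    action: str      # "drop-connection", "reset" or "log"


class HttpInspectPolicy:
    def __init__(self, protocol_violation="drop-connection"):
        self.rules = []
        self.protocol_violation = protocol_violation    # `protocol-violation action ...`

    def match(self, field, pattern, action, negate=False):
        self.rules.append(Rule(field, pattern, negate, action))
        return self

    @staticmethod
    def _hit(rule, req):
        if rule.field == "method":
            return req["method"].lower() == rule.pattern.lower()
        return re.search(rule.pattern, req[rule.field]) is not None

    def inspect(self, raw):
        """Return (action, reason); the first rule whose condition is met decides."""
        try:
            req = parse_request(raw)
        except ValueError:
            return (self.protocol_violation, "protocol-violation")
        for rule in self.rules:
            if self._hit(rule, req) != rule.negate:      # hit on `match`, miss on `match not`
                return (rule.action, f"match {'not ' if rule.negate else ''}request {rule.field}")
        return ("allow", None)


def my_http_policy():
    """MY-HTTP-POLICY from the slides, rule for rule."""
    return (HttpInspectPolicy(protocol_violation="drop-connection")
            .match("method", "get", "drop-connection", negate=True)
            .match("uri", r"^\/myapp", "drop-connection", negate=True)
            .match("args", r"[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]", "drop-connection"))


# Constructed requests to the protected server 10.10.10.1.
GOOD = b"GET /myapp/report?user=joe HTTP/1.1\r\nHost: 10.10.10.1\r\n\r\n"
SQLI = (b"GET /myapp/report?user=joe'%20UNION%20select%20password%20from%20users-- HTTP/1.1\r\n"
        b"Host: 10.10.10.1\r\n\r\n")
POST = b"POST /myapp/login HTTP/1.1\r\nHost: 10.10.10.1\r\nContent-Length: 0\r\n\r\n"
OTHER_URI = b"GET /admin HTTP/1.1\r\nHost: 10.10.10.1\r\n\r\n"
MALFORMED = b"GET /myapp HTTP/1.1\r\nHost 10.10.10.1\r\n\r\n"      # header field without a colon

if __name__ == "__main__":
    policy = my_http_policy()
    for name, req in [("GOOD", GOOD), ("SQLI", SQLI), ("POST", POST), ("OTHER_URI", OTHER_URI), ("MALFORMED", MALFORMED)]:
        print(name, policy.inspect(req))
```

The model also shows a limit of the signature rule that the deck's guidelines hint at: the regex is case-insensitive through its character classes but is applied to the raw query string, so an encoded keyword such as `SEL%45CT` does not match it, whereas the method and URI allow-lists still hold. That is the practical reason to lead with minimization and length limits and treat signatures as the last layer.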
Configure HTTP Inspection: Verify the Policy Map
Configuration > Firewall > Objects > Inspect Maps > HTTP
- Verify that all needed inspections are configured in the HTTP inspect map

Configure HTTP Inspection: Guidelines
- Consider the following implementation guidelines:
  - Analyze application behavior well (using traffic captures and detection-only policies) before implementing aggressive actions
  - The ASA regular expression engine does not support the $ (end-of-line) metacharacter, so you can only anchor a match at the start of the field and effectively match on prefixes
  - Consider implementing length-based restrictions in addition to pattern-based filtering
  - Using minimization (i.e. “least privilege”) is often more effective than signatures, but is almost always much more challenging to implement
Summary
- Exercise extreme care when configuring the lower inspection layers, to ensure the reliability of more advanced inspection
- Consider improving your own controls based on the effectiveness criteria outlined in this session
- Use the various ASA configuration tools to ensure that your policy is accurately implemented
- Deploying application-layer inspection is challenging, but can provide excellent defense in depth