Intrusion Prevention Enhancements


The new service policy rules fall into the category of perimeter protection or intrusion prevention. In the ASA/PIX Security Appliance, intrusion prevention is thought of in two ways:

  • Signature protection: Protection based on signature matches, with an associated action such as drop, alarm, or reset.

  • Application firewall: Protection based on protocol compliance and, optionally, user configuration. Protocol compliance stops malicious software that tries to use HTTP as a tunneling protocol to pass data other than web traffic through your security device. You are also given the option to write your own custom rules to enforce security features such as blocking file attachments and oversized URIs.

The following list displays the network service policy enhancements in ASA/PIX version 7. In many cases, the features are Cisco proprietary and cannot be disclosed. The protocol inspections that aren't Cisco proprietary are described in the following sections:

  • ICMP inspection

  • HTTP deep packet inspection

  • FTP command filtering

  • Configurable firewall inspections

  • ESMTP command filtering

  • H.323 T.38 inspection

  • H.323 GKRCS inspection

  • TCP pools for URL filtering

  • SIP IM support inspection

  • GTP inspection

  • SunRPC inspection

  • MGCP command filtering

  • CTIQBE inspection

  • Domain Name Services inspection and command filtering

  • ILS inspection

  • NetBIOS inspection

  • Point-to-point Tunneling Protocol inspection

  • Remote Shell inspection

  • RTSP inspection

  • SKINNY inspection

  • Simple Network Management Protocol (SNMP) command filtering

  • SQLNet inspection

  • Trivial File Transfer Protocol inspection

  • X-Display Management Protocol inspection

ICMP Inspection

This new feature of ASA/PIX version 7 allows stateful return of ICMP packets. If an ICMP request (for example, an echo request) is sourced from the inside network, the ASA/PIX tracks it as a connection (even though ICMP itself is connectionless) and allows only the matching ICMP reply back into the inside network. In previous versions of the ASA/PIX Security Appliance, the reply traffic was blocked unless specifically allowed by an access list, which meant either breaking ping and traceroute or opening a hole for all ICMP replies.

HTTP Deep Packet Inspection

This feature ensures that HTTP is being used as designed, for web access, and not for malicious applications or intent such as illegal file sharing, spyware, adware, unencrypted instant messaging, URL buffer-overflow attempts, and the tunneling of confidential data.

This new ASA/PIX version 7 enhancement allows very granular filtering based on the content of an HTTP request. Depending on how you configure each filtering option, ASA/PIX version 7 can allow the packet, drop it, or reset the connection, and optionally log the violation. Those choices include the following:

  • Enforce RFC compliance for HTTP

  • Enforce permitted MIME types

  • Configure the minimum and maximum size of different fields of the HTTP message (for example, the message body length)

  • Enforce that the Content-Type of the response matches what the request's Accept header permits

  • Filter HTTP messages on request method, distinguishing RFC-defined methods from extension methods

  • Enforce maximum header lengths and URI lengths

You configure all of these features through the ASDM panel, as follows:

Configuration > Features > Security Policies > Service Policy Rules > Add

Configuration > Features > Security Policies > Service Policy Rules > Edit
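The ASDM panel above generates ordinary CLI, and it is worth knowing what that CLI looks like because it is what you will see in a running config and what you will diff during an audit. The following is an added example (not from the book or from Cisco documentation) of the ASA/PIX 7.0/7.1 syntax for both the ICMP inspection of the previous section and an HTTP deep-packet-inspection map covering the options listed above. The map and policy names (inside_http_map, global_policy) and the size limits are assumptions to be tuned to your own traffic; later releases (7.2 and up) replace the http-map command with policy-map type inspect http, so check the command reference for your release.

```cisco
! Added example, not the book's configuration. Names and limits are assumed.
! HTTP deep packet inspection map: one check per option in the section above.
http-map inside_http_map
  ! RFC compliance: reset and log connections that are not well-formed HTTP
  strict-http action reset log
  ! Request methods: allow RFC-defined methods, but block CONNECT (proxy tunneling)
  ! and every extension method (WebDAV-style verbs) unless you need them
  request-method rfc default action allow
  request-method rfc connect action reset log
  request-method ext default action reset log
  ! MIME types: verify Content-Type is a known type and that the response
  ! Content-Type matches what the request's Accept header allowed
  content-type-verification match-req-rsp action reset log
  ! Field sizes: message body between 1 byte and 5 MB (assumed limits)
  content-length min 1 max 5000000 action reset log
  ! Header and URI lengths: defeat oversized-URL buffer-overflow attempts
  max-header-length request 1024 response 2048 action reset log
  max-uri-length 2048 action reset log
  ! Port misuse: IM, peer-to-peer and tunneling applications riding on port 80
  port-misuse default action reset log
!
! Traffic class: the built-in default inspection ports (tcp/80 for HTTP, ICMP, ...)
class-map inspection_default
  match default-inspection-traffic
!
! Group the inspections into one policy ...
policy-map global_policy
  class inspection_default
    inspect icmp
    inspect http inside_http_map
!
! ... and apply it on all interfaces
service-policy global_policy global
```

Start with the action set to allow with log on a busy network and review the syslog output before switching to reset; legitimate applications (WebDAV, some REST APIs, large uploads) will show up as violations of the extension-method and content-length rules, and you want to discover that before you start resetting their connections.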

FTP Command Filtering

This new ASA/PIX version 7 feature allows inspection of FTP protocol commands. Each command can be allowed or denied based on your configuration and requirements. After you have configured your security appliance to block a command, syslog messages can be generated whenever that command is attempted, which helps you to track down users or software with malicious intent.
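As an added example (not the book's own configuration), the ASA/PIX 7.0/7.1 CLI for FTP command filtering: an ftp-map listing the commands to deny, attached to the strict FTP inspection. The map name (deny_upload_ftp_map) and the choice of commands are assumptions; the scenario assumed is an FTP server that external users may download from but must never write to. Later releases replace ftp-map with policy-map type inspect ftp.

```cisco
! Added example, not the book's configuration. Names and command set are assumed.
! Deny the commands that write to the server: PUT (STOR), STOU, APPE, and the
! filesystem-changing verbs. GET (RETR) is still allowed.
ftp-map deny_upload_ftp_map
  request-command deny put stou appe mkd rmd dele rnfr rnto site
  ! Hide the server's SYST reply so clients cannot fingerprint the OS
  mask-syst-reply
!
class-map inspection_default
  match default-inspection-traffic
!
! "strict" is what enables command checking and RFC enforcement on the
! control channel; without it the ftp-map is not consulted.
policy-map global_policy
  class inspection_default
    inspect ftp strict deny_upload_ftp_map
!
service-policy global_policy global
```

A denied command causes the appliance to reset the control connection and emit a syslog message naming the command and the policy, so ship syslog at level 3 (errors) or lower to your collector and alert on repeated hits from one source address: one blocked PUT is a user mistake, a burst of them is a script or malware probing for a writable server.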

Configurable Security Appliance Inspections

This ASA/PIX version 7 enhancement allows inspection commands to be grouped into a named policy. The group can then be applied to multiple rules and interfaces within the ASA/PIX version 7 operating system, instead of repeating the individual inspection commands for each one.

ESMTP Command Filtering

The SMTP inspection of previous versions is extended to cover the Extended Simple Mail Transfer Protocol (ESMTP), so that ESMTP commands are inspected and filtered in the same way as the basic SMTP command set.

TCP Pools for URL Filtering

This ASA/PIX version 7 inspection enhancement controls the reuse of TCP connections for URL filtering requests to the external URL-filtering server, instead of opening a new connection per request, which improves the overall efficiency of URL filtering.

SIP IM Inspection

This new ASA/PIX version 7 feature adds inspection support for instant messaging of the RTC client for Windows Messenger v4.7.0105.

SunRPC Inspection

This new ASA/PIX version 7 feature gives you granular control over which RPC services (by program number) are allowed through SunRPC-style connections traversing the ASA/PIX Security Appliance.

MGCP Command Filtering

This enhanced ASA/PIX version 7 feature adds support for network address translation (NAT) to the existing MGCP inspection. MGCP embeds the original source IP addresses in the packet payload, where ordinary NAT does not see them, which would otherwise break the call. The inspection rewrites those embedded addresses so that they are consistent with the translated addresses in the IP header.

Domain Name Services Command Filtering

This new ASA/PIX version 7 feature enables you to control certain aspects of the DNS protocol, such as the maximum length of a DNS packet, so that attackers cannot use malformed or oversized packets to overflow buffers on DNS servers.

Simple Network Management Protocol Command Filtering

This new ASA/PIX version 7 feature enables you to configure and control which SNMP versions you allow into your network. This helps you to keep attackers from using unauthorized (typically older, community-string based) versions of SNMP to query or reconfigure your devices.
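The DNS and SNMP filters of the two sections above are each a single line in the ASA/PIX 7.0/7.1 CLI, so here they are together as one added example (not the book's configuration). It assumes that your management stations already speak SNMPv3 and that nothing on the network needs DNS messages larger than the classic 512-byte UDP limit; the map name (snmp_v3_only) is assumed as well. In 7.2 and later the DNS length check moves into policy-map type inspect dns.

```cisco
! Added example, not the book's configuration. Names and limits are assumed.
! Deny the community-string based SNMP versions; only SNMPv3 passes.
snmp-map snmp_v3_only
  deny version 1
  deny version 2
  deny version 2c
!
class-map inspection_default
  match default-inspection-traffic
!
policy-map global_policy
  class inspection_default
    ! Drop DNS messages over 512 bytes (the traditional UDP DNS limit)
    inspect dns maximum-length 512
    ! Attach the SNMP version filter to the SNMP inspection
    inspect snmp snmp_v3_only
!
service-policy global_policy global
```

Before enforcing the 512-byte DNS limit, check whether any of your resolvers use EDNS0 or DNSSEC, which legitimately produce larger UDP responses; if they do, raise the limit rather than dropping the check altogether. Likewise, confirm that monitoring tools have been migrated to SNMPv3 before denying version 2c, or the first thing the filter blocks will be your own NMS polling.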



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
