Application Layer Inspection


Interesting TCP enhancements that fall "in between" packet filtering and application inspection are TCP normalization and SYN-cookies. Cisco Security Appliances use TCP normalization to drop packets that do not appear normal. Additionally, SYN cookies are initial TCP sequence numbers that encode a sender's IP address to enable the receiver to know which packets are from valid senders during a SYN-flood. These TCP enhancements prove to be beneficial for securing most applications. SYN-cookies are discussed in Chapter 11.

Application layer inspection is available with the Cisco PIX Firewall, Cisco Security Appliance, and the CBAC IOS firewall feature. To ensure the correct behavior of known applications, the Cisco PIX Firewall and the CBAC IOS firewall feature store application layer session information alongside the transport layer connection information in the state table. The firewall drops the application layer session if the application's behavior is not RFC-compliant, even when the application session spans multiple TCP connections. Examples of RFC compliance are

  • Users attempt valid application commands over the connection.

  • Commands occur in the correct sequence during the connection. For example, an HTTP response without an HTTP request violates the RFC 2626 definition of the HTTP request-response sequence.

To enable application inspection on the PIX firewall, use the ip protocol fixup command for each of the protocols that you would like to inspect. The PIX firewall will ensure that the protocol you configure obeys the common operation of the application protocol.

Note

The PIX firewall also supports HTTP method and URL filtering. Additionally, the Cisco Application Velocity System (AVS) platform supports HTTP-specific application security features, such as cookie encryption, resource cloaking, and filtering based on HTTP encoding types.


To configure CBAC, you configure the applications you want to inspect using the ip inspect global configuration command. In Example 4-2, the CBAC list "inspectapps" gives the applications that the IOS firewall will inspect.

Example 4-2. Configuring CBAC

! Inspection rules: one entry per application protocol, with an idle timeout
ip inspect name inspectapps rtsp timeout 30
ip inspect name inspectapps ftp timeout 30
ip inspect name inspectapps realaudio timeout 30
!
! Inbound ACL denies everything; outbound inspection opens temporary
! entries for the return traffic of inspected sessions
interface FastEthernet 0/1
 ip access-group insession in
 ip inspect inspectapps out
!
ip access-list extended insession
 deny ip any any

Common applications that you can inspect using CBAC or the PIX firewall are:

  • HTTP

  • Real-Time Session Protocol (RTSP)

  • H.323

  • FTP

  • Internet Control Management Protocol (ICMP)

  • Simple Mail Transfer Protocol (SMTP)

  • TFTP

Note

Network Based Application Recognition (NBAR) also inspects application traffic to classify packets for QoS policies. To learn more about NBAR, see Chapter 6, "Ensuring Content Delivery with Quality of Service."


Although CBAC and the PIX provide application layer inspection in addition to packet filtering capabilities, intrusion prevention systems (IPS) were developed by Cisco specifically to provide application layer inspection. IPSs are standalone appliances that protect your network by detecting, classifying, and blocking spyware, worms, adware, network viruses, and application abuse by inspecting information at Layers 2-7. IPSs evolved from intrusion detection systems (IDS) to include a more robust set of threat identification methods that minimize false-positive alerts, such as:

  • Pattern recognition: Detects code vulnerabilities by matching against text patterns (or "signatures") in the application payload, and thereby protects against Internet worms such as Code Red and Nimda.

  • Protocol analysis: Inspects known applications for deviations from RFC-compliant behavior.

  • Traffic-level anomaly detection: Notices abnormal changes in application traffic levels. For example, an IPS detects ICMP floods if the number of ICMP packets exceeds a threshold over a given amount of time.
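The two checks this chapter describes, an HTTP response arriving on a connection with no outstanding request (the sequencing violation from the RFC-compliance list above) and an ICMP packet count exceeding a threshold within a time window, as an added Python sketch that is not Cisco's code: AppInspector, VALID_METHODS, the verdict strings and the sample events are all constructed for this example.

```python
from collections import defaultdict, deque

# RFC 2616 request methods; any other start line is not a valid application command.
VALID_METHODS = {b"OPTIONS", b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"TRACE", b"CONNECT"}

class AppInspector:
    # Hypothetical stateful inspector: per-flow HTTP sequencing plus an ICMP rate check.
    def __init__(self, icmp_threshold=10, window_s=1.0):
        self.outstanding = defaultdict(int)  # flow -> HTTP requests awaiting a response
        self.icmp_times = deque()            # timestamps of ICMP packets inside the window
        self.icmp_threshold = icmp_threshold
        self.window_s = window_s

    def inspect_http(self, flow, payload):
        # Only the start line matters here; direction is assumed to be implied by the flow id.
        first_line = payload.split(b"\r\n", 1)[0]
        if first_line.startswith(b"HTTP/"):                # a response
            if self.outstanding[flow] == 0:
                return "drop: response without request"   # request-response sequence violation
            self.outstanding[flow] -= 1
            return "permit"
        if first_line.split(b" ", 1)[0] in VALID_METHODS:  # a request with a valid command
            self.outstanding[flow] += 1
            return "permit"
        return "drop: invalid method"

    def inspect_icmp(self, t):
        # Sliding window: how many ICMP packets arrived in the last window_s seconds?
        self.icmp_times.append(t)
        while t - self.icmp_times[0] > self.window_s:
            self.icmp_times.popleft()
        return "alert: ICMP flood" if len(self.icmp_times) > self.icmp_threshold else "permit"

# Constructed sample traffic: (time_s, proto, flow_id, payload) for two HTTP flows and 12 ICMP packets.
SAMPLE_EVENTS = [
    (0.00, "http", "10.0.0.5:40001<->203.0.113.10:80", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    (0.01, "http", "10.0.0.5:40001<->203.0.113.10:80", b"HTTP/1.1 200 OK\r\n\r\n"),
    (0.02, "http", "10.0.0.9:40002<->203.0.113.10:80", b"HTTP/1.1 200 OK\r\n\r\n"),
    (0.03, "http", "10.0.0.5:40001<->203.0.113.10:80", b"FOO / HTTP/1.1\r\n\r\n"),
] + [(0.1 + i * 0.001, "icmp", "10.0.0.7<->203.0.113.10", None) for i in range(12)]

def run(events, **kwargs):
    # Return the inspector's verdict for each event, in order.
    inspector = AppInspector(**kwargs)
    verdicts = []
    for t, proto, flow, payload in events:
        verdicts.append(inspector.inspect_icmp(t) if proto == "icmp"
                        else inspector.inspect_http(flow, payload))
    return verdicts
```

Calling run(SAMPLE_EVENTS) permits the first request-response pair, drops the orphan response and the bogus method, and raises the flood alert once the eleventh ICMP packet lands inside the one-second window.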

Note

The Cisco Traffic Anomaly Detector device is also available for distributed denial of service (DDoS) anomaly detection (via technology obtained from the Riverhead acquisition).




Content Networking Fundamentals
ISBN: 1587052407