Customizing Protocol Inspections


ASDM enables you to add your own customized service policies. Because the ASA/PIX ships with such a strong security posture by default, no customizations are "required" to ensure additional security. This section does, however, cover how to create a customized service policy should you decide that it's important for your deployment.

The example used is the creation of a service policy that checks the length of a URL and drops the packet if the length is too long. This policy could be effective for preventing hackers both from attempting to guess a URL that could cause a buffer overflow and from passing URLs that contain SQL commands in an attempt to gain access to a back-end SQL database.

This policy is only one example of what you can do with custom service policies. You will notice when you browse these panels that ASDM gives you a wide range of options to drop or log suspect traffic traversing your security appliance.

You can customize protocol checking using the Service Policy panel as follows:

Step 1.

Navigate to the Configuration > Features > Security Policy panel.

Step 2.

Click the Service Policy Rules option button.

Step 3.

Click Add to launch a wizard to step you through the process. (See Figure 8-3.)

Figure 8-3. Service Policy Wizard


Step 4.

On the first panel, click the Interface option button. Then, choose the Inside interface from the pull-down list to create a policy for traffic going to the inside interface. Click Next to continue.

Step 5.

On the next panel (Figure 8-4), check the box next to TCP or UDP Destination Port.

Figure 8-4. Traffic Classification


Step 6.

On the next panel (Figure 8-5), enter 80 in the Port Number box and ensure that TCP is enabled. The TCP option button applies this policy to your web traffic only.

Figure 8-5. Destination Port


Step 7.

On the next panel, Protocol Inspection, click HTTP and then click the Configure button to the right of the HTTP selection. Doing so displays a dialog box to select an HTTP map. Click the New button to display the Add HTTP Map dialog box. (See Figure 8-6.)

Figure 8-6. Add HTTP Map


Step 8.

Enter the text URLength in the HTTP Map Name box. The map name cannot contain spaces.

Step 9.

In the RFC Compliance section, ensure that Reset Connection is chosen.

Step 10.

Check the Generate Syslog box to the right of the action box.

Step 11.

Click the Entity Length tab. The panel shown in Figure 8-7 will display.

Figure 8-7. Entity Length


Step 12.

Check the Inspect URI Length check box.

Enter 128 for the maximum number of bytes. The value of 128 is just an example. If you were deploying this in production, you would determine the longest legitimate URL served by your web server and use that value.

Step 13.

Choose the action Reset Connection.

Step 14.

Check the Generate Syslog check box.

Step 15.

Click OK. A panel will display with the existing HTTP maps. Choose the map you just created and click OK.

Step 16.

Click Finish in the last wizard panel.

Step 17.

Click Apply to write this configuration to the ASA/PIX Security Appliance.

You have now created a rule that will inspect HTTP traffic. If a packet is found with a URL longer than 128 bytes, the ASA/PIX will reset the connection and report the policy violation to a syslog server. Appendix A, "Deploying Effective Security Management," explains how to configure a syslog server.
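For reference, the same policy expressed in the security appliance CLI (useful for checking what ASDM wrote with show running-config). This is an added example, not configuration from the book or output generated by ASDM; the class-map name http-inside, the policy-map name inside-policy and the interface name inside are assumptions, and the syntax is that of the PIX/ASA 7.0 http-map command that the HTTP Map dialog configures.

```cisco
! HTTP map: the RFC Compliance check (strict-http) and the URI length
! check, both resetting the connection and generating a syslog message,
! as chosen in the Add HTTP Map dialog.
http-map URLength
  strict-http action reset log
  max-uri-length 128 action reset log
!
! Classify traffic to TCP destination port 80 (assumed class-map name).
class-map http-inside
  match port tcp eq 80
!
! Run HTTP inspection with the URLength map on that class
! (assumed policy-map name).
policy-map inside-policy
  class http-inside
    inspect http URLength
!
! Apply the policy to the inside interface, as selected in the wizard.
service-policy inside-policy interface inside
!
! Verify that the policy is attached and is matching packets:
! show service-policy interface inside
```

On ASA 7.2 and later releases the http-map command was superseded by policy-map type inspect http, so the commands ASDM generates there differ from the ones shown.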



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
