The new service policy rules can actually fall into the category of perimeter protection or intrusion prevention. In the ASA/PIX Security Appliance, intrusion prevention is thought of in two ways:
The following list displays the network service policy enhancements in ASA/PIX version 7. In many cases, the features are Cisco proprietary and cannot be disclosed. The protocol inspections that aren't Cisco proprietary are described in the following sections:
ICMP Inspection
This new feature of ASA/PIX version 7 allows stateful return of ICMP packets. If an ICMP request is sourced from the inside network, the ASA/PIX keeps state for it (even though ICMP itself is stateless) and allows the matching ICMP reply traffic back into the inside network. In previous versions of the ASA/PIX Security Appliance, the reply traffic was blocked unless specifically allowed by an access list.

HTTP Deep Packet Inspection
This feature ensures that HTTP is being used as designed for web access and not for malicious applications or purposes such as illegal file sharing, spyware, adware, unencrypted instant messaging, URL buffer-overflow attempts, and the tunneling of confidential data. This new ASA/PIX version 7 enhancement allows very granular filtering based on the content of an HTTP request. ASA/PIX version 7 can drop or report packets depending on how you have configured the filtering option. Those choices include the following:
You configure all of these features through the ASDM panel, as follows:
FTP Command Filtering
This new ASA/PIX version 7 feature allows inspection of FTP protocol commands. The passing of these commands can be allowed or disallowed based on your configuration and requirements. Syslog messages can be generated to notify you if these commands are attempted after you have configured your security appliance to block them. This feature helps you to track down users or software with malicious intent.

Configurable Security Appliance Inspections
This enhanced ASA/PIX version 7 feature allows grouping of inspection commands. The group can then be applied to various rules within the ASA/PIX version 7 operating system.

ESMTP Command Filtering
The previous SMTP inspection is augmented to support Extended Simple Mail Transfer Protocol (ESMTP).

TCP Pools for URL Filtering
This ASA/PIX version 7 inspection enhancement controls the reuse of TCP connections for URL filtering requests and improves the overall handling efficiency of URL filtering requests.

SIP IM Inspection
This new ASA/PIX version 7 feature adds inspection support for instant messaging of the RTC client for Windows Messenger v4.7.0105.

SunRPC Inspection
This new ASA/PIX version 7 feature gives you granular control over which RPC services are allowed through SunRPC-style connections traversing the ASA/PIX Security Appliance.

MGCP Command Filtering
This enhanced ASA/PIX version 7 feature adds network address translation (NAT) support to the existing MGCP inspection. Original source addresses are embedded in the payload of the packet, which might otherwise break NAT. This inspection ensures that the appropriate addresses are written to the address headers of these packets.

Domain Name Services Command Filtering
This new ASA/PIX version 7 feature enables you to control certain aspects of the DNS protocol, such as the maximum length of a DNS packet, so that hackers can't exploit or overflow buffers on DNS servers using malformed or oversized packets.
Simple Network Management Protocol Command Filtering
This new ASA/PIX version 7 feature enables you to configure and control which SNMP versions you allow into your network. This feature helps you to keep attackers from using unauthorized versions of SNMP to exploit your network.
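The ASDM panels described above write ordinary CLI configuration to the appliance. The following is an added example (not from the book and not Cisco's reference configuration) of what a policy that turns on the ICMP, HTTP, FTP, DNS, SNMP, SunRPC, MGCP, ESMTP and SIP inspections from the preceding sections looks like in ASA/PIX 7.0 CLI syntax. The interface name `inside`, the map names, the addresses 192.0.2.10, 192.0.2.20 and 192.0.2.30, the MGCP group id 101 and the thresholds are assumed placeholder values; adjust them to your network.

```cisco
! Added example configuration, not from the book. Addresses, map names,
! group ids and thresholds are placeholders.
!
! FTP command filtering: deny uploads and renames and log attempts.
ftp-map FTP_POLICY
 request-command deny put stou appe rnfr rnto
!
! HTTP deep packet inspection: allow RFC methods, drop and log extension
! methods, cap the URI length (buffer-overflow attempts), and drop
! instant messaging, peer-to-peer and tunneling traffic misusing port 80.
http-map HTTP_POLICY
 request-method rfc default action allow
 request-method ext default action drop log
 max-uri-length 1024 action reset log
 port-misuse im action drop log
 port-misuse p2p action drop log
 port-misuse tunneling action drop log
!
! SNMP version control: only SNMPv3 is permitted through the appliance.
snmp-map SNMP_POLICY
 deny version 1
 deny version 2
 deny version 2c
!
! MGCP inspection with NAT support: the call agent and gateway that
! belong to one group (placeholder addresses and group id).
mgcp-map MGCP_POLICY
 call-agent 192.0.2.20 101
 gateway 192.0.2.30 101
!
! SunRPC: permit only the NFS program (100003) to one placeholder server.
sunrpc-server inside 192.0.2.10 255.255.255.255 service 100003 protocol udp port 2049 timeout 0:10:00
!
! Match the default inspection ports and apply the inspections globally.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  ! stateful ICMP: replies are admitted only for requests seen leaving
  inspect icmp
  inspect icmp error
  ! drop DNS messages larger than 512 bytes
  inspect dns maximum-length 512
  inspect ftp strict FTP_POLICY
  inspect http HTTP_POLICY
  inspect snmp SNMP_POLICY
  inspect mgcp MGCP_POLICY
  inspect esmtp
  inspect sip
  inspect sunrpc
!
service-policy global_policy global
```

After applying a policy like this, `show service-policy inspect http` (and the corresponding commands for the other protocols) reports per-inspection packet and drop counters, and the `log` keywords on the map actions produce the syslog messages the sections above refer to, so blocked commands and port misuse can be tracked to a source address.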