Interesting TCP enhancements that fall "in between" packet filtering and application inspection are TCP normalization and SYN cookies. Cisco Security Appliances use TCP normalization to drop packets that do not appear normal. SYN cookies are initial TCP sequence numbers that encode the sender's IP address, so that during a SYN flood the receiver can tell which packets come from valid senders. These TCP enhancements are beneficial for securing most applications. SYN cookies are discussed in Chapter 11.
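The following is an added illustration of the SYN-cookie idea described above; it is not code from the book or from the Cisco Security Appliance. It uses a simplified layout modelled on the classic Bernstein scheme (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) with a constructed server secret, and shows how the receiver validates the final ACK of the handshake without having stored state for the SYN.

```python
"""Simplified SYN-cookie generation and validation (illustrative, not Cisco's code).
The ISN sent in the SYN-ACK is derived from the connection 4-tuple, a coarse
time counter and a server secret, so no per-connection state is kept while a
SYN flood is in progress. A returned ACK is valid only if ack-1 reproduces a
cookie this server could have issued recently."""
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-server-secret"   # per-server secret (constructed value)
MSS_TABLE = (536, 1220, 1440, 1460)     # MSS values encodable in 3 bits (index 0..3)
COUNTER_PERIOD = 64                     # seconds per time-counter tick


def _mac(src_ip, dst_ip, src_port, dst_port, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      src_port, dst_port, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, dst_ip, src_port, dst_port, mss, now):
    """Build the ISN for the SYN-ACK; nothing about this SYN is stored."""
    counter = (now // COUNTER_PERIOD) & 0x1F
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    mac = _mac(src_ip, dst_ip, src_port, dst_port, counter)
    return (counter << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, dst_ip, src_port, dst_port, ack, now):
    """Validate the handshake ACK: ack-1 must be a cookie issued within the
    last two counter ticks for this 4-tuple. Returns the encoded MSS or None."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None                      # index outside the table: not ours
    age = (((now // COUNTER_PERIOD) & 0x1F) - counter) & 0x1F
    if age > 1:
        return None                      # expired cookie or forged counter bits
    if mac != _mac(src_ip, dst_ip, src_port, dst_port, counter):
        return None                      # ACK was not derived from our SYN-ACK
    return MSS_TABLE[mss_idx]
```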
Application layer inspection is available with the Cisco PIX Firewall, Cisco Security Appliance, and the CBAC IOS firewall feature. To ensure the correct behavior of known applications, the Cisco PIX Firewall and the CBAC IOS firewall feature store application layer session information along with the transport layer connection information in the state table. The firewall drops the application layer session if the application's behavior is not RFC-compliant, even when the application session spans multiple TCP connections. Examples of RFC-compliance are
To enable application inspection on the PIX firewall, use the ip protocol fixup command for each of the protocols that you would like to inspect. The PIX firewall will ensure that the protocol you configure obeys the common operation of the application protocol.
The PIX firewall also supports HTTP method and URL filtering. Additionally, the Cisco Application Velocity System (AVS) platform supports HTTP-specific application security features, such as cookie encryption, resource cloaking, and filtering based on HTTP encoding types.
To configure CBAC, you configure the applications you want to inspect using the ip inspect global configuration command. In Example 4-2, the CBAC list "inspectapps" gives the applications that the IOS firewall will inspect.
Example 4-2. Configuring CBAC
Common applications that you can inspect using CBAC or the PIX firewall are:
Network Based Application Recognition (NBAR) also inspects application traffic to classify packets for QoS policies. To learn more about NBAR, see Chapter 6, "Ensuring Content Delivery with Quality of Service."
Although CBAC and the PIX provide application layer inspection in addition to packet filtering capabilities, intrusion prevention systems (IPS) were developed by Cisco specifically to provide application layer inspection. IPSs are standalone appliances that protect your network by detecting, classifying, and blocking spyware, worms, adware, network viruses, and application abuse by inspecting information at Layers 2 through 7. IPSs evolved from intrusion detection systems (IDS) to include a more robust set of threat identification methods that minimize false-positive alerts, such as:
The Cisco Traffic Anomaly Detector device is also available for distributed denial of service (DDoS) anomaly detection (via technology obtained from the Riverhead acquisition).