Application inspection can look at the application protocol content of a packet to ensure that it is allowed to pass through the security Cisco ASA. Application inspection is a three step configuration process:
Set up the Application Inspection Map.
- Drop connections if they are not RFC 2616 compliant. RFC 2616 defines the HTTP 1.1 protocol specification.
- Allow connections after verifying the content-type field.
- Reset connections if the MAX URI exceeds 250 bytes.
- Drop connections for P2P applications such as Kazaa and Gnutella.The RFC compliance and content-type verification are checked under the General tab, as shown in Figure 19-18, in which an HTTP map called web-traffic is set up. Select Drop Connection as the action under RFC Compliance. Because SecureMe is interested in looking at the logs whenever a noncompliant packet tries to traverse through Cisco ASA, also check the Generate Syslog option. To enable content-type verification, check Verify Content-Type Field Belongs to the Supported Internal Content-Type List and specify Allow Connection as the action and check Generate Syslog to log this event.
Figure 19-18. RFC Compliance and Content-Type Verification
Figure 19-19 shows how to specify the maximum URL length when an HTTP packet traverses through the security Cisco ASA. It is set up under the Entity Length tab in the Add HTTP Map window. Check Inspect URI Length and specify the maximum length of 250 bytes.
Figure 19-19. Setting Maximum URI Length
Click the Application Category tab to set up inspection for specific application types that are included in an HTTP request. Choose P2P under Available Categories and select Drop Connection as the applied action. Enable Generate Syslog to log an entry if Cisco ASA drops the P2P HTTP packets. Click Add to move the entry with the selected action to the specified category table. Figure 19-20 illustrates how to set it up.
Figure 19-20. Application Inspection
Define a policy map.
Figure 19-21. Adding a New Service Policy
The next configuration window prompts you to choose how to classify the traffic when it passes through Cisco ASA. Because SecureMe is interested in inspecting the web traffic, choose as the traffic match criteria TCP or UDP Destination Port, as shown in Figure 19-22. The next window (not shown) prompts you to specify at which Layer 4 port number to inspect the traffic. SecureMe uses port 80 for all of its web traffic, and consequently the selected TCP destination port is 80.
Figure 19-22. Classifying Traffic
Link the inspection map to the service policy.
Figure 19-23. Inspection Map and Service Policy
Example 19-8 shows the complete configuration of an HTTP map and the service policy.
Example 19-8. HTTP Map Configuration Generated by ASDM
http-map web-traffic strict-http action drop log content-type-verification action allow log max-uri-length 250 action reset port-misuse p2p action drop log class-map inside-class match port tcp eq 80 policy-map inside-policy class inside-class inspect http web-traffic service-policy inside-policy interface inside
Part I: Product Overview
Introduction to Network Security
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
Authentication, Authorization, and Accounting (AAA)
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM