The Cisco ASA HTTP inspection engine checks whether an HTTP transaction is compliant with RFC 2616 by checking the HTTP request message. The following are the predefined HTTP commands:
The Cisco ASA checks for these HTTP commands; if the message does not contain any of them, the Cisco ASA verifies that it is an HTTP extension method (such as MOVE, COPY, or EDIT). If both checks fail, a syslog message is generated and the packet can be dropped. The Cisco ASA can also detect double-encoding attacks. This detection relies on HTTP de-obfuscation (sometimes also referred to as ASCII normalization), in which encoded characters in an HTTP message are normalized to their ASCII-equivalent characters before inspection. In a double-encoding attack, the attacker sends a URI in an HTTP request that has been through two rounds of encoding. Traditionally, firewalls and intrusion detection devices detect only the first round of encoding and normalize it, so the attack still evades the firewall or IDS. The Cisco ASA HTTP inspection engine is able to detect double encoding and prevent this from happening.
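The following Python example, added here and not taken from the book or from Cisco's implementation, illustrates the normalization behaviour just described: a single-pass normalizer decodes one layer of percent-encoding and misses a token hidden behind a second layer, while a de-obfuscating inspector decodes until the text stops changing and counts how many layers were present. The sample URI and the "forbidden" token are constructed for the example; the decode-round threshold is an assumption, not the ASA's actual rule.

```python
from typing import Tuple
from urllib.parse import unquote

MAX_ROUNDS = 3  # stop chasing pathological inputs after this many decode passes


def normalize(uri: str, max_rounds: int = MAX_ROUNDS) -> Tuple[str, int]:
    """Percent-decode repeatedly until the text stops changing.
    Returns (normalized_uri, rounds_removed), where rounds_removed is the
    number of encoding layers that were actually present (0 for a plain URI)."""
    current, rounds = uri, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def single_pass_contains(uri: str, token: str) -> bool:
    """What a one-round normalizer sees: decode once, then search."""
    return token in unquote(uri)


def deep_contains(uri: str, token: str) -> bool:
    """What a de-obfuscating inspector sees: fully normalize, then search."""
    return token in normalize(uri)[0]


def inspect_uri(uri: str) -> str:
    """Flag a request whose URI needed more than one decode round (assumed policy)."""
    _normalized, rounds = normalize(uri)
    return "drop" if rounds > 1 else "allow"


if __name__ == "__main__":
    # Constructed sample: "%25" decodes to "%", so "%2566" becomes "%66" and then "f".
    sample = "/app?x=%2566orbidden"
    print(normalize(sample))                          # ('/app?x=forbidden', 2)
    print(single_pass_contains(sample, "forbidden"))  # False: one round is not enough
    print(deep_contains(sample, "forbidden"))         # True
    print(inspect_uri(sample))                        # drop
```

One caveat a practitioner should keep in mind: a legitimate URI that carries a literal percent sign followed by two hex digits (for example a query value encoded as `%2520`) also decodes a second time, so a round-count check like `inspect_uri` trades some false positives for catching nested encoding; logging before dropping is the safer way to tune it.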
The Cisco ASA also provides a feature to filter HTTP messages based on keywords. This is useful when looking for specific applications running over HTTP, such as online instant messenger (IM) applications, music sharing applications, and so on.
Enabling HTTP Inspection
Use the inspect http command to enable HTTP inspection. You can also enable enhanced HTTP inspection by creating an HTTP map and associating it to the inspect http command. To create an HTTP map, use the http-map command, as shown in Example 8-12.
Example 8-12. HTTP Inspection Using an HTTP Map
http-map myhttpmap
 request-method rfc default action allow
 request-method ext move action reset
 request-method ext copy action reset
policy-map asa_global_fw_policy
 class inspection_default
  inspect http myhttpmap
In Example 8-12, an HTTP map named myhttpmap is configured. Request-method inspection is enabled to allow all default RFC-compliant methods. The two extension methods, move and copy, are not allowed; if either of them is detected, the HTTP connection is reset. The following HTTP extensions are supported by the Cisco ASA:
Several enhanced HTTP inspection options can be configured under the http-map subcommands. When you configure an HTTP map, you are placed into the http-map prompt. The following subcommands are available to configure the necessary rules for enhanced HTTP inspection:
strict-http
The strict-http command changes the default action taken when noncompliant HTTP traffic is detected. The following is the subcommand syntax:
strict-http action {allow | reset | drop} [log]
Table 8-5 describes the strict-http command options.
Option | Description
---|---
allow | Allows the message to be transferred through the Cisco ASA.
reset | Causes the Cisco ASA to send a TCP-RST (reset) message to the client and/or server.
drop | Drops the packet and closes the connection.
log | Generates a syslog message.
The strict-http command is enabled by default. The default action is to log and send a TCP reset.
content-length
The content-length command limits the HTTP traffic allowed through the Cisco ASA based on the content length of the HTTP message body. The following is the command syntax:
content-length {min bytes max bytes} action {allow | reset | drop} [log]
Table 8-6 describes the content-length command options.
Option | Description
---|---
min | Minimum content length allowed, in bytes. The range is from 0 to 65,535 bytes.
max | Maximum content length allowed, in bytes. The range is from 0 to 50,000,000 bytes.
bytes | The length, in bytes.
allow | Allows the message to be transferred through the Cisco ASA.
reset | Causes the Cisco ASA to send a TCP-RST (reset) message to the client and/or server.
drop | Drops the packet and closes the connection.
log | Generates a syslog message.
content-type-verification
When a web browser receives a document via HTTP, it must determine the document's encoding (sometimes referred to as charset). The browser must know this in order to display non-ASCII characters correctly. The content-type-verification command limits the content types in HTTP messages transferred through the Cisco ASA. The Cisco ASA verifies that the header content-type value is in the internal list of supported content types. Additionally, it checks that the header content type matches the actual content in the data or entity body portion of the message. Here are the currently supported HTTP content types:
The following is the content-type-verification command syntax:
content-type-verification [match-req-rsp] action {allow | reset | drop} [log]
The match-req-rsp keyword enables the Cisco ASA to verify that the content-type field in the HTTP response matches the accept field in the corresponding HTTP request message.
max-header-length
The max-header-length command limits the HTTP header length on traffic that passes through the Cisco ASA. Messages with a header length less than or equal to the configured value will be allowed; otherwise, the configured action will be taken. The following is the command syntax:
max-header-length {request bytes response bytes} action {allow | reset | drop} [log]
Table 8-7 describes the max-header-length command options.
Option | Description
---|---
request | Used to specify the length of the request message header.
response | Used to specify the length of the response message header.
bytes | The length, in bytes. The range is 1 to 65,535.
allow | Allows the message to be transferred through the Cisco ASA.
reset | Causes the Cisco ASA to send a TCP-RST (reset) message to the client and/or server.
drop | Drops the packet and closes the connection.
log | Generates a syslog message.
max-uri-length
The max-uri-length command limits the length of the Uniform Resource Identifier (URI) in a request message. The command syntax is as follows:
max-uri-length bytes action {allow | reset | drop} [log]
Table 8-8 describes the max-uri-length command options.
Option | Description
---|---
bytes | The length, in bytes. The range is 1 to 65,535.
allow | Allows the message to be transferred through the Cisco ASA.
reset | Causes the Cisco ASA to send a TCP-RST (reset) message to the client and/or server.
drop | Drops the packet and closes the connection.
log | Generates a syslog message.
port-misuse
The port-misuse command restricts applications, such as instant messengers, that use HTTP as a transport protocol. The following is the command syntax:
port-misuse {default | im | p2p | tunneling} action {allow | reset | drop} [log]
Table 8-9 describes the port-misuse command options.
Option | Description
---|---
default | Allows inspection for all supported applications.
im | Enables IM application inspection (Yahoo Messenger).
p2p | Enables peer-to-peer application inspection. Applications include Kazaa and Gnutella.
tunneling | Enables tunneling application inspection. The following applications are inspected:
allow | Allows the message to be transferred through the Cisco ASA.
reset | Causes the Cisco ASA to send a TCP-RST (reset) message to the client and/or server.
drop | Drops the packet and closes the connection.
log | Generates a syslog message.
Note
The port-misuse command is disabled by default.
request-method
The request-method command configures a specific action for each of the supported HTTP request methods. The following is the command syntax:
request-method rfc rfc_method action {allow | reset | drop} [log]
request-method ext ext_method action {allow | reset | drop} [log]
Table 8-10 describes the request-method command options.
Option | Description
---|---
rfc | Used to specify methods defined in RFC 2616, "Hypertext Transfer Protocol".
ext | Used to specify extended methods.
rfc_method | The RFC 2616 supported methods are as follows:
ext_method | The extended methods are as follows:
allow | Allows the message to be transferred through the Cisco ASA.
reset | Causes the Cisco ASA to send a TCP-RST (reset) message to the client and/or server.
drop | Drops the packet and closes the connection.
log | Generates a syslog message.
Note
The request-method command is disabled by default.
transfer-encoding type
The transfer-encoding type command configures a specific action for each of the supported HTTP transfer-encoding types passing through the Cisco ASA. The following is the command syntax:
transfer-encoding type encoding_types action {allow | reset | drop} [log]
Table 8-11 describes the transfer-encoding type command options.
Option | Description
---|---
encoding_types | Used to specify the encoding type. The following encoding types are supported:
action | Action taken when a violation occurs.
allow | Allows the message to be transferred through the Cisco ASA.
reset | Causes the Cisco ASA to send a TCP-RST (reset) message to the client and/or server.
drop | Drops the packet and closes the connection.
log | Generates a syslog message.
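To make the interaction of the http-map subcommands concrete, the following Python example, added here and not Cisco's code, models a subset of them (strict-http, request-method rfc/ext, max-uri-length, max-header-length request, and content-length) as an in-memory policy and evaluates constructed raw requests against it, returning the action that would be taken and the reason a syslog message would carry. The `HttpMap` and `Verdict` classes, the extension-method set (only MOVE, COPY and EDIT, which the chapter names), the rule order, and the decision to measure header length as the bytes of the request line plus header fields are all assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Methods defined in RFC 2616 (the "rfc" keyword of request-method).
RFC_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
# Extension methods: the chapter names MOVE, COPY and EDIT; the full ASA list
# is not reproduced here, so this set is an assumption for the example.
EXT_METHODS = {"MOVE", "COPY", "EDIT"}


@dataclass
class HttpMap:
    """Hypothetical in-memory model of the http-map subcommands discussed above.
    None means the corresponding subcommand is not configured."""
    strict_http_action: str = "reset"         # strict-http default: log + TCP reset
    content_length_min: Optional[int] = None
    content_length_max: Optional[int] = None
    content_length_action: str = "drop"
    max_request_header: Optional[int] = None  # max-header-length request <bytes>
    max_header_action: str = "drop"
    max_uri: Optional[int] = None             # max-uri-length <bytes>
    max_uri_action: str = "drop"
    rfc_action: str = "allow"                 # request-method rfc default
    ext_actions: Dict[str, str] = field(default_factory=dict)  # request-method ext <m>
    ext_default_action: str = "allow"


@dataclass
class Verdict:
    action: str   # allow | reset | drop
    reason: str   # what a syslog message would say


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str], int]]:
    """Split a raw request into (method, uri, headers, header_bytes).
    Returns None when the request line or a header field is malformed.
    header_bytes counts the request line and header fields, excluding the
    blank line (an assumption about how header length is measured)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    method = parts[0].decode("ascii", "replace")
    uri = parts[1].decode("ascii", "replace")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return method, uri, headers, len(head)


def evaluate(raw: bytes, hmap: HttpMap) -> Verdict:
    """Apply the modelled http-map rules in order; return the first non-allow verdict."""
    parsed = parse_request(raw)
    if parsed is None:
        return Verdict(hmap.strict_http_action, "request not RFC 2616 compliant")
    method, uri, headers, header_bytes = parsed

    # request-method: RFC methods first, then known extension methods;
    # anything else is non-compliant and falls under strict-http.
    if method in RFC_METHODS:
        if hmap.rfc_action != "allow":
            return Verdict(hmap.rfc_action, f"rfc method {method} not permitted")
    elif method in EXT_METHODS:
        action = hmap.ext_actions.get(method, hmap.ext_default_action)
        if action != "allow":
            return Verdict(action, f"extension method {method} not permitted")
    else:
        return Verdict(hmap.strict_http_action, f"unknown method {method}")

    # max-uri-length
    if hmap.max_uri is not None and len(uri) > hmap.max_uri:
        return Verdict(hmap.max_uri_action, f"URI length {len(uri)} exceeds {hmap.max_uri}")

    # max-header-length request: header_bytes <= limit is allowed
    if hmap.max_request_header is not None and header_bytes > hmap.max_request_header:
        return Verdict(hmap.max_header_action, f"header length {header_bytes} exceeds {hmap.max_request_header}")

    # content-length: only meaningful when the request declares a body length
    declared = headers.get("content-length")
    if declared is not None:
        if not declared.isdigit():
            return Verdict(hmap.strict_http_action, "malformed Content-Length")
        length = int(declared)
        if hmap.content_length_min is not None and length < hmap.content_length_min:
            return Verdict(hmap.content_length_action, f"body {length} below minimum")
        if hmap.content_length_max is not None and length > hmap.content_length_max:
            return Verdict(hmap.content_length_action, f"body {length} above maximum")

    return Verdict("allow", "compliant")


# Constructed sample map mirroring Example 8-12 plus a few length limits.
SAMPLE_MAP = HttpMap(max_uri=64, max_request_header=512, content_length_max=1024,
                     ext_actions={"MOVE": "reset", "COPY": "reset"})

if __name__ == "__main__":
    req = b"MOVE /docs/a HTTP/1.1\r\nHost: example.test\r\nDestination: /docs/b\r\n\r\n"
    print(evaluate(req, SAMPLE_MAP))  # Verdict(action='reset', reason='extension method MOVE not permitted')
```

The rule order here is a design choice for readability, not a statement about the ASA's internal evaluation order; what matters for tuning a real http-map is that each subcommand carries its own action, so a map can, for instance, log oversized URIs while resetting connections that use disallowed extension methods.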