Security Guide vA2(1.0), Cisco ACE Application Control Engine Module
Index

A

AAA

accounting configuration, displaying 2-52

accounting log information, displaying 2-53

accounting method, defining default 2-48

authentication configuration, displaying 2-54

groups, displaying 2-49

LDAP server, configuring for 2-35

LDAP server configuration, displaying 2-52

local and remote support 2-4

login authentication method, defining 2-46

overview 2-2

quick start 2-8

RADIUS server, configuring for 2-25

RADIUS server configuration, displaying 2-49

server, adding 2-24

server groups, configuring 2-38

status and statistics 2-49

TACACS+ server, configuring for 2-31

TACACS+ server configuration, displaying 2-51

user accounts, creating 2-23

accounting

configuration, displaying 2-52

default method, defining 2-48

log information, displaying 2-53

RADIUS server accounting settings, configuring 2-16

TACACS+ server accounting settings, configuring 2-12

ACLs

alternate address, ICMP message 1-14

BPDU 1-17

clearing statistics 1-44

comments in extended ACLs 1-16

configuration information, displaying 1-42

dynamic NAT 5-12

EtherType, configuring 1-17

EtherType examples 1-41

expanded 1-4

extended, configuring 1-6

extended examples 1-32

guidelines 1-3

ICMP 1-7

implicit deny 1-4

inbound 1-34

IP extended ACL 1-7

IPs with NAT 1-37

maximum entries 1-4

merged 1-2

object groups 1-19 to 1-29

order of entries 1-3

outbound 1-34

overview 1-2

quick start 1-4

resequencing entries 1-18

static NAT 5-25, 5-36

statistics, displaying 1-42

types 1-3

application protocol inspection

class map overview 3-7

configuration examples 3-124, 3-125, 3-127

DNS 3-9, 3-102

FTP 3-10, 3-102

HTTP 3-12, 3-103

ICMP 3-12, 3-103

ILS 3-5, 3-14, 3-101, 3-103

Layer 3 and 4 HTTP parameter map 3-108

Layer 3 and 4 quick start 3-27

Layer 3 and 4 traffic policy configuration 3-90

Layer 7 FTP command inspection class map 3-30

Layer 7 FTP command inspection configuration 3-29

Layer 7 FTP command inspection quick start 3-20

Layer 7 HTTP deep packet inspection class map 3-38

Layer 7 HTTP deep packet inspection configuration 3-37

Layer 7 HTTP deep packet inspection policy map 3-62

Layer 7 HTTP deep packet inspection quick start 3-23

limitations 3-4

NAT and PAT support 3-4

overview 3-2

policy map overview 3-7

process flow diagram 3-8

protocol inspection overview 3-2

RTSP 3-15, 3-103

SCCP 3-6, 3-16, 3-69, 3-96, 3-102, 3-104, 3-111

service policy, defining 3-122

service policy, displaying 3-128

SIP 3-6, 3-17, 3-73, 3-96, 3-102, 3-104, 3-115

standards 3-4

statistics 3-128

supported protocols 3-3

authentication

configuration, displaying 2-54

local and remote support 2-4

local database 2-5

login method, defining 2-46

overview 2-7

RADIUS server authentication settings, configuring 2-15

TACACS+ server authentication settings, configuring 2-11

B

bandwidth rate limiting 4-8

BPDU, in ACL 1-17

buffer size

for connection parameter map 4-9

receive or transmit data for each TCP connection 4-9

C

class map

associating with Layer 7 policy map 3-35

associating with policy map 3-66, 3-99

dynamic NAT 5-15

Layer 3 and 4 access list match criteria 3-94

Layer 3 and 4 class map, associating with policy map 4-31

Layer 3 and 4 class map, creating 3-92

Layer 3 and 4 description 3-93

Layer 3 and 4 port range criteria 3-95

Layer 4, creating 4-26

Layer 4 description 4-27

Layer 4 IP address criteria 4-28

Layer 4 port number criteria 4-29

Layer 7 FTP command inspection, configuring 3-30

Layer 7 FTP command inspection description 3-31

Layer 7 FTP request methods 3-31

Layer 7 HTTP deep packet inspection, configuring 3-38

Layer 7 HTTP deep packet inspection description 3-40

overview in application protocol inspection process 3-7

static NAT 5-30, 5-36

configuration examples

application protocol inspection 3-127

FTP 3-125

HTTP 3-124

TCP/IP normalization 4-46

connection parameter map

action for segment overrun 4-12

associating with policy map 4-32

buffer size setting 4-9

configuring for TCP/IP normalization 4-6

creating for TCP/IP, UDP, and ICMP 4-7

embryonic connection timeout 4-14

half-closed connection timeout 4-15

inactive connection timeout 4-16

Nagle's algorithm 4-13

random TCP sequence numbers 4-13

reserved bit handling 4-14

segment size setting 4-10

slow start algorithm 4-19

TCP options, handling 4-20

TCP SYN retries, limiting 4-12

TCP SYN segments with data, handling 4-20

type of service 4-25

urgent pointer policy 4-24

connections

clearing 4-64

embryonic, handling timeout of 4-14

half-closed, handling timeout of 4-15

inactive, handling timeout of 4-16

rate limiting 4-8

statistics, clearing 4-65

content type verification

HTTP message 3-65

D

DDoS 4-36

dead-time

RADIUS server group setting 2-42

RADIUS server setting 2-29

TACACS+ server group setting 2-41

TACACS+ server setting 2-34

denial of service. See DoS

destination NAT 5-2, 5-7, 5-30, 5-33, 5-40, 5-50

distributed denial of service. See DDoS

DNS 3-102

application protocol inspection, configuring 3-102

application protocol support 3-4

configuration example 3-127

inspection overview 3-9

Don't Fragment bit, handling 4-39

DoS protection, SYN cookie 4-36

dynamic NAT

See NAT

E

embryonic connection, handling timeout of 4-14

EtherType ACL

configuring 1-17

examples 1-41

extended ACL

comments in 1-16

configuring 1-6

examples 1-32

F

fixups

See application protocol inspection

fragment reassembly parameters

See IP fragment reassembly parameters

FTP

application protocol support 3-4

associating class map with policy map 3-35

class map 3-30

configuration examples 3-125

inline match commands in policy map 3-34

inspection overview 3-10

Layer 3 and 4 FTP application protocol inspection, configuring 3-102

Layer 7 FTP command inspection, configuring 3-29

passive with source NAT 5-16

policy actions 3-36

policy map 3-32, 3-33

request methods, defining for command inspection 3-31

strict 3-11, 3-102

G

global addresses, guidelines for NAT 5-8

H

header value string expressions 3-50

HTTP

application protocol support 3-4

associating class map with policy map 3-66

class map 3-38

configuration examples 3-124

content length, defining 3-42

content match criteria, defining 3-41

content type verification match criteria, defining 3-65

header for inspection 3-47

header value string expressions 3-50

HTTP/1.1 header fields, supported 3-47

inline match commands in policy map 3-64

inspection overview 3-12

internal compliance checks 3-66

Layer 3 and 4 HTTP application protocol inspection, configuring 3-103

Layer 7 HTTP deep packet inspection, configuring 3-37

Layer 7 HTTP deep packet inspection policy map 3-62

maximum header length for inspection 3-51

MIME type for inspection 3-52

parameter map 3-108

policy actions 3-67

policy map 3-62

request method for inspection 3-57

restricted category, defining (port misuse) 3-55

statistics from inspection 3-128

strict HTTP match criteria, defining 3-66

transfer encoding type for inspection 3-58

URL for inspection 3-59

URL length for inspection 3-61

HTTP/1.1 header fields, supported 3-47

I

ICMP

ACL 1-7

application protocol inspection, configuring 3-103

application protocol support 3-4, 3-5

conversion-error, ICMP message 1-15

echo, ICMP message 1-14

echo reply, ICMP message 1-14

information reply, ICMP message 1-14

information request, ICMP message 1-14

inspection overview 3-12

mask reply, ICMP message 1-14

mask request, ICMP message 1-14

mobile redirect, ICMP message 1-15

NAT of ICMP error messages 3-103

parameter-problem, ICMP message 1-14

redirect, ICMP message 1-14

router-advertisement, ICMP message 1-14

router-solicitation, ICMP message 1-14

security, disabling 4-35

source quench, ICMP message 1-14

time-exceeded, ICMP message 1-14

timestamp-reply, ICMP message 1-14

timestamp-request, ICMP message 1-14

traceroute, ICMP message 1-14

types 1-14

unreachable, ICMP message 1-14

ILS inspection 3-5, 3-14, 3-101, 3-103

implicit PAT 5-2

inbound ACLs 1-34

inline match commands

content type verification for HTTP inspection 3-65

in Layer 7 FTP command inspection policy map 3-34

in Layer 7 HTTP deep packet inspection policy map 3-64

strict HTTP for HTTP inspection 3-66

inspection engines

See application protocol inspection

Internet Locator Service. See ILS

IP

ACL 1-7

address pool, for dynamic NAT 5-13, 5-25

for ACL with NAT 1-37

normalization, overview 4-3

options, handling 4-40

IP fragment reassembly parameters

configuration example 4-46

configuring 4-42

maximum fragment size setting 4-45

maximum fragments setting 4-44

MTU setting 4-44

quick start 4-42

reassembly timeout setting 4-45

L

Layer 3 and 4 application protocol inspection, configuring

associating class map with policy map 3-99

class map 3-92

policy actions 3-101

policy map 3-98

LDAP server

ACE configuration 2-35

configuration, displaying 2-52

configuration overview 2-19

directory server overview 2-6

parameters, setting 2-36

port, setting 2-37

search filter configuration 2-45

server group, creating 2-39

timeout, setting 2-38

user profile attribute type configuration 2-43

virtualization attributes, defining 2-13, 2-17, 2-20

local database authentication 2-5

login authentication method, defining 2-46

M

merged ACLs 1-2

MIME type, supported for HTTP inspection 3-52

MPLS, in ACL 1-17, 1-18

MTU

in IP fragment reassembly configuration 4-44

N

Nagle's algorithm 4-13

NAT

ACL configuration, dynamic 5-12

ACL configuration, static 5-25, 5-36

application protocol inspection support 3-4

as policy map action, dynamic 5-18

as policy map action, static 5-29, 5-38

class map configuration, dynamic 5-15

class map configuration, static 5-30, 5-36

creating over 8 K static configurations 5-41

destination 5-2, 5-7, 5-30, 5-33, 5-40, 5-50

dynamic NAT, overview 5-4

dynamic NAT and PAT, configuring 5-9

dynamic PAT, overview 5-5

global address guidelines 5-8

global IP address pool 5-13, 5-25

idle timeout, configuring 5-9

IPs in ACLs 1-37

maximum number of statements 5-8

overview 5-2

policy map configuration, dynamic 5-16

policy map configuration, static 5-31, 5-37

quick start, dynamic NAT and PAT 5-10

quick start, static NAT 5-21, 5-33

service policy, global dynamic 5-19

service policy, local dynamic 5-19

service policy, static 5-32, 5-40

source 5-2, 5-4, 5-5, 5-9

static NAT, overview 5-7

static NAT and port redirection, configuring 5-33

static port redirection 5-7

network address translation

See NAT

normalization parameters

configuring 4-34

Don't Fragment bit, handling 4-39

ICMP security, disabling 4-35

IP options, handling 4-40

packet TTL setting 4-40

TCP normalization, disabling 4-34

unicast reverse-path forwarding, configuring 4-41

O

object groups

expanded 1-4

network 1-9

overview 1-19

service 1-14

order of ACL entries 1-3

outbound ACLs 1-34

P

packet TTL setting 4-40

parameter map

associating with Layer 3 and 4 policy map 3-107, 3-110, 3-114, 3-121

case sensitivity, disabling 3-109

configuring for Layer 3 and 4 HTTP inspection 3-108

maximum content bytes setting 3-110

maximum header bytes setting 3-109

passive FTP with source NAT 5-16

PAT

configuring 5-9

implicit 5-2

overview 5-5

policy map

actions, defining 3-36, 3-67, 3-101

associating with connection parameter map 4-32

dynamic NAT 5-16, 5-18

Layer 3 and 4, associating with class map 3-99

Layer 3 and 4, associating with parameter map 3-107, 3-110, 3-114, 3-121

Layer 3 and 4, associating with service policy 4-33

Layer 3 and 4, configuring HTTP parameter map 3-108

Layer 3 and 4, creating 3-98, 4-31

Layer 3 and 4, defining 3-98

Layer 3 and 4, description 3-99

Layer 3 and 4 policy map, associating with class map 4-31

Layer 7 FTP command inspection, adding description 3-33

Layer 7 FTP command inspection, associating with class map 3-35

Layer 7 FTP command inspection, creating 3-33

Layer 7 FTP command inspection, defining 3-32

Layer 7 FTP command inspection, inline match commands 3-34

Layer 7 HTTP deep packet inspection, adding description 3-63

Layer 7 HTTP deep packet inspection, associating with class map 3-66

Layer 7 HTTP deep packet inspection, creating 3-62

Layer 7 HTTP deep packet inspection, inline match commands 3-64

overview in application protocol inspection process 3-7

static NAT 5-31, 5-37

static NAT as policy map action 5-29, 5-38

port

for LDAP server 2-37

number or range for Layer 3 and 4 application protocol inspection 3-95

port redirection, configuring 5-33

port redirection

configuring 5-33

overview 5-7

preshared key

RADIUS, setting for 2-28

TACACS+, setting for 2-33

Q

quick start

AAA configuration 2-8

ACL configuration 1-4

dynamic NAT and PAT configuration 5-10

IP fragment reassembly configuration 4-42

Layer 3 and 4 application protocol inspection 3-27

Layer 7 FTP command inspection 3-20

Layer 7 HTTP deep packet inspection 3-23

static NAT configuration 5-21, 5-33

TCP/IP normalization 4-3

R

RADIUS server

ACE configuration 2-25

adding 2-24

authentication settings, configuring 2-15

configuration, displaying 2-49

dead-time setting 2-29

global preshared key setting 2-28

NAS-IP-Address attribute setting 2-28

number of retransmissions, setting 2-30

parameters, setting 2-25

server accounting settings, configuring 2-16

server group, creating 2-39

server group dead-time setting 2-42

server overview 2-6

timeout setting 2-31

rate limiting

bandwidth 4-8

connection 4-8

remarks in extended ACLs 1-16

reordering ACL entries 1-18

request methods

FTP command inspection, defining for 3-31

HTTP inspection, defining for 3-57

resequencing ACL entries 1-18

reserved bits, handling in connection parameter map 4-14

restricted category, defining for HTTP inspection (port misuse) 3-55

reverse-path forwarding, configuring 4-41

RTSP

application protocol inspection, configuring 3-103

application protocol support 3-6

inspection overview 3-15

restrictions 3-15, 3-16

rules, maximum in ACL 1-4

S

SCCP

inspection 3-6, 3-16, 3-69, 3-96, 3-102, 3-104, 3-111

segment size

action for overrun 4-12

for connection parameter map 4-10

server groups

configuring 2-38

creating 2-39

LDAP 2-39

RADIUS 2-39

TACACS+ 2-39

service policy

applying to VLAN interfaces 3-122

associating with Layer 3 and 4 policy map 4-33

configuration information 3-129

dynamic NAT, global 5-19

dynamic NAT, local 5-19

static NAT, local 5-32, 5-40

Session Initiation Protocol. See SIP

SIP

inspection 3-6, 3-17, 3-73, 3-96, 3-102, 3-104, 3-115

Skinny Client Control Protocol. See SCCP

slow start algorithm, enabling in connection parameter map 4-19

source NAT 5-2, 5-4, 5-5, 5-9

static NAT

See NAT

statistics

AAA 2-49

ACL, clearing 1-44

ACL, displaying 1-42

connection, clearing 4-65

HTTP inspection 3-128

IP, clearing 4-65

IP fragmentation and reassembly, clearing 4-67

IP fragmentation and reassembly, displaying 4-58

IP traffic 4-55

service policy 4-61

TCP, clearing 4-66

TCP, displaying 4-59

TCP/IP and UDP connections 4-52

TCP/IP connections and IP reassembly, clearing 4-65

TCP/IP connections and IP reassembly, displaying 4-48

UDP, clearing 4-66

UDP, displaying 4-60

SYN cookie

configuration and operational considerations 4-38

configuring on an interface 4-38

displaying statistics 4-62

overview 4-36

SYN flood attack 4-36

T

TACACS+ server

accounting settings, configuring 2-12

ACE configuration 2-31

adding 2-24

Cisco Secure Access Control Server (ACS) 2-11, 2-12

configuration, displaying 2-51

dead-time setting 2-34

global preshared key setting 2-33

parameters, setting 2-32

server authentication settings, configuring 2-11

server group, creating 2-39

server group dead-time setting 2-41

server overview 2-5

timeout setting 2-35

TCP

connection, receive or transmit buffer size 4-9

normalization, disabling 4-34

normalization, overview 4-2

options, handling in connection parameter map 4-20

port numbers and key words 1-9

sequence numbers, randomizing 4-13

slow start algorithm, enabling in connection parameter map 4-19

SYN retries, limiting in connection parameter map 4-12

SYN segments with data, handling in connection parameter map 4-20

WAN optimization 4-16

TCP/IP and UDP configurations, displaying 4-48

TCP/IP normalization

clearing connections 4-64

configuration example 4-46

connection parameter map, configuring 4-6

IP fragment reassembly parameters, configuring 4-42

Layer 3 and 4 policy map, configuring 4-31

Layer 4 class map, configuring 4-26

normalization parameters, configuring 4-34

overview 4-2

quick start 4-3

statistics, clearing 4-65, 4-67

statistics, displaying 4-48

statistics, IP fragmentation and reassembly 4-58

statistics, IP traffic 4-55

statistics, service policy 4-61

statistics, TCP 4-59

statistics, TCP/IP connections 4-52

statistics, UDP 4-60

TCP/IP and UDP configurations, displaying 4-48

traffic policy, configuring 4-26

traffic class

See class map

traffic policies

TCP/IP normalization 4-26

transfer encoding, defining for HTTP inspection 3-58

TTL setting 4-40

type of service, setting in connection parameter map 4-25

U

UDP

port numbers and key words 1-12

UDP and TCP/IP configurations, displaying 4-48

unicast reverse-path forwarding, configuring 4-41

urgent pointer policy, setting in connection parameter map 4-24

URL

defining for HTTP deep packet inspection 3-59

length, defining for HTTP deep packet inspection 3-61

regular expressions 3-60

URL request logging 3-103

W

WAN optimization 4-16