Security Guide vA5(1.0), Cisco ACE Application Control Engine
Index

A

AAA

accounting configuration, displaying 2-50

accounting log information, displaying 2-50

accounting method, defining default 2-45

authentication configuration, displaying 2-53

groups, displaying 2-47

LDAP server, configuring for 2-33

LDAP server configuration, displaying 2-49

local and remote support 2-4

login authentication method, defining 2-43

overview 2-2

quick start 2-8

RADIUS server, configuring for 2-23

RADIUS server configuration, displaying 2-47

server, adding 2-22

server groups, configuring 2-36

status and statistics 2-46

TACACS+ server, configuring for 2-29

TACACS+ server configuration, displaying 2-48

user accounts, creating 2-21

accounting

configuration, displaying 2-50

default method, defining 2-45

log information, displaying 2-50

RADIUS server accounting settings, configuring 2-15

TACACS+ server accounting settings, configuring 2-11

ACLs

alternate address, ICMP message 1-17

BPDU 1-20

clearing statistics 1-50

comments in extended ACLs 1-19

configuration information, displaying 1-48

dynamic NAT 5-12

EtherType, configuring 1-20

EtherType examples 1-47

expanded 1-4

extended, configuring 1-7

extended examples 1-38

guidelines 1-3

ICMP 1-8, 1-9

implicit deny 1-4

inbound 1-40

IP extended ACL 1-7, 1-8

IPs with NAT 1-43

maximum entries 1-4

merged 1-2

object groups 1-22 to 1-35

order of entries 1-4

outbound 1-40

overview 1-2

quick start 1-5

resequencing entries 1-22

static NAT 5-32, 5-46

statistics, displaying 1-48

types 1-3

application protocol inspection

class map overview 3-6

configuration examples 3-128, 3-129, 3-131

DNS 3-9, 3-104

FTP 3-10, 3-104

HTTP 3-12, 3-105

ICMP 3-15, 3-105

ILS 3-5, 3-16, 3-103, 3-105

Layer 3 and 4 HTTP parameter map 3-110

Layer 3 and 4 quick start 3-29

Layer 3 and 4 traffic policy configuration 3-91

Layer 7 FTP command inspection class map 3-32

Layer 7 FTP command inspection configuration 3-31

Layer 7 FTP command inspection quick start 3-22

Layer 7 HTTP deep packet inspection class map 3-40

Layer 7 HTTP deep packet inspection configuration 3-39

Layer 7 HTTP deep packet inspection policy map 3-64

Layer 7 HTTP deep packet inspection quick start 3-25

limitations 3-4

NAT and PAT support 3-4

overview 3-2

policy map overview 3-6

process flow diagram 3-8

protocol inspection overview 3-2

RTSP 3-17, 3-105

SCCP 3-6, 3-19, 3-71, 3-98, 3-104, 3-106, 3-113

service policy, defining 3-126

service policy, displaying 3-132

SIP 3-6, 3-19, 3-75, 3-98, 3-103, 3-106, 3-118

standards 3-4

statistics 3-132

supported protocols 3-4

authentication

configuration, displaying 2-53

local and remote support 2-4

local database 2-5

login method, defining 2-43

overview 2-7

RADIUS server authentication settings, configuring 2-14

TACACS+ server authentication settings, configuring 2-10

B

bandwidth rate limiting 4-9

BPDU, in ACL 1-20

buffer size

for connection parameter map 4-10

receive or transmit data for each TCP connection 4-10

C

class map

associating with Layer 7 policy map 3-37

associating with policy map 3-68, 3-101

description, entering 3-108, 3-115, 3-119, 4-9

dynamic NAT 5-18

Layer 3 and 4 access list match criteria 3-96

Layer 3 and 4 class map, associating with policy map 4-33

Layer 3 and 4 class map, creating 3-94

Layer 3 and 4 description 3-96

Layer 3 and 4 port range criteria 3-97

Layer 4, creating 4-27

Layer 4 description 4-28

Layer 4 IP address criteria 4-29

Layer 4 port number criteria 4-30

Layer 7 FTP command inspection, configuring 3-32

Layer 7 FTP command inspection description 3-33

Layer 7 FTP request methods 3-34

Layer 7 HTTP deep packet inspection, configuring 3-40

Layer 7 HTTP deep packet inspection description 3-42

overview in application protocol inspection process 3-6

static NAT 5-38, 5-47

configurational examples

application protocol inspection 3-131

FTP 3-129

HTTP 3-128

TCP/IP normalization 4-55

connection parameter map

action for segment overrun 4-13

associating with policy map 4-34

buffer size setting 4-10

configuring for TCP/IP normalization 4-7

creating for TCP/IP, UDP, and ICMP 4-8

embryonic connection timeout 4-16

half-closed connection timeout 4-16

inactive connection timeout 4-17

Nagle's algorithm 4-14

random TCP sequence numbers 4-14

reserved bit handling 4-15

segment size setting 4-11

slow start algorithm 4-20

TCP options, handling 4-22

TCP SYN retries, limiting 4-13

TCP SYN segments with data, handling 4-21

type of service 4-26

urgent pointer policy 4-25

connections

clearing 4-78

embryonic, handling timeout of 4-16

half-closed, handling timeout of 4-16

inactive, handling timeout of 4-17

rate limiting 4-9

statistics, clearing 4-78

content type verification

HTTP message 3-68

D

DDoS 4-40

dead-time

RADIUS server group setting 2-39

RADIUS server setting 2-27

TACACS+ server group setting 2-39

TACACS+ server setting 2-32

denial of service. See DoS

destination NAT 5-2, 5-7, 5-38, 5-43, 5-50, 5-61

distributed denial of service. See DDoS

DNS 3-104

application protocol inspection, configuring 3-104

application protocol support 3-4

configuration example 3-131

inspection overview 3-9

Don't Fragment bit, handling 4-44

DoS protection, SYN cookie 4-40

dynamic NAT

See NAT

E

embryonic connection, handling timeout of 4-16

EtherType ACL

configuring 1-20

examples 1-47

extended ACL

comments in 1-19

configuring 1-7

examples 1-38

F

fixups

See application protocol inspection

fragment reassembly parameters

See IP fragment reassembly parameters

FTP

application protocol support 3-4

associating class map with policy map 3-37

class map 3-32

configuration examples 3-129

inline match commands in policy map 3-36

inspection overview 3-10

Layer 3 and 4 FTP application protocol inspection, configuring 3-104

Layer 7 FTP command inspection, configuring 3-31

passive with source NAT 5-19

policy actions 3-38

policy map 3-34, 3-35

request methods, defining for command inspection 3-34

strict 3-11, 3-104

G

global addresses, guidelines for NAT 5-8

H

header value string expressions 3-52

HTTP

application protocol support 3-4

associating class map with policy map 3-68

class map 3-40

configuration examples 3-128

content length, defining 3-44

content match criteria, defining 3-43

content type verification match criteria, defining 3-68

header for inspection 3-48

header value string expressions 3-52

HTTP/1.1 header fields, supported 3-49

inline match commands in policy map 3-66

inspection overview 3-12

internal compliance checks 3-68

Layer 3 and 4 HTTP application protocol inspection, configuring 3-105

Layer 7 HTTP deep packet inspection, configuring 3-39

Layer 7 HTTP deep packet inspection policy map 3-64

maximum header length for inspection 3-53

MIME type for inspection 3-54

parameter map 3-110

policy actions 3-70

policy map 3-65

request method for inspection 3-59

restricted category, defining (port misuse) 3-57

statistics from inspection 3-132

strict HTTP match criteria, defining 3-68

transfer encoding type for inspection 3-60

URL for inspection 3-62

URL length for inspection 3-63

HTTP/1.1 header fields, supported 3-49

I

ICMP

ACL 1-8, 1-9

application protocol inspection, configuring 3-105

application protocol support 3-5

conversion-error, ICMP message 1-17

echo, ICMP message 1-17

echo reply, ICMP message 1-17

information reply, ICMP message 1-17

information request, ICMP message 1-17

inspection overview 3-15

mask reply, ICMP message 1-17

mask request, ICMP message 1-17

mobile redirect, ICMP message 1-17

NAT of ICMP error messages 3-105

parameter-problem, ICMP message 1-17

redirect, ICMP message 1-17

router-advertisement, ICMP message 1-17

router-solicitation, ICMP message 1-17

security, disabling 4-38

source quench, ICMP message 1-17

time-exceeded, ICMP message 1-17

timestamp-reply, ICMP message 1-17

timestamp-request, ICMP message 1-17

traceroute, ICMP message 1-17

types 1-16, 1-17

unreachable, ICMP message 1-17

ILS inspection 3-5, 3-16, 3-103, 3-105

inbound ACLs 1-40

inline match commands

content type verification for HTTP inspection 3-68

in Layer 7 FTP command inspection policy map 3-36

in Layer 7 HTTP deep packet inspection policy map 3-66

strict HTTP for HTTP inspection 3-68

inspection engines

See application protocol inspection

Internet Locator Service. See ILS

IP

ACL 1-7, 1-8

address pool, for dynamic NAT 5-13, 5-32

for ACL with NAT 1-43

normalization, overview 4-3

options, handling 4-45

IP fragment reassembly parameters

configurational example 4-55

configuring 4-47

maximum fragment size setting 4-51

maximum fragments setting 4-50

MTU setting 4-49

quick start 4-48

reassembly timeout setting 4-52

L

Layer 3 and 4 application protocol inspection, configuring

associating class map with policy map 3-101

class map 3-94

policy actions 3-102

policy map 3-100

LDAP server

ACE configuration 2-33

configuration, displaying 2-49

configuration overview 2-18

directory server overview 2-6

parameters, setting 2-34

port, setting 2-35

search filter configuration 2-42

server group, creating 2-37

timeout, setting 2-36

user profile attribute type configuration 2-40

virtualization attributes, defining 2-12, 2-16, 2-19

local database authentication 2-5

login authentication method, defining 2-43

M

merged ACLs 1-2

MIME type, supported for HTTP inspection 3-54

MPLS, in ACL 1-20, 1-21

MTU

in IP fragment reassembly configuration 4-49

N

Nagle's algorithm 4-14

NAT

ACL configuration, dynamic 5-12

ACL configuration, static 5-32, 5-46

application protocol inspection support 3-4

as policy map action, dynamic 5-21

as policy map action, static 5-37, 5-48

class map configuration, dynamic 5-18

class map configuration, static 5-38, 5-47

destination 5-2, 5-7, 5-38, 5-43, 5-50, 5-61

dynamic NAT, overview 5-4

dynamic NAT and PAT, configuring 5-9

dynamic PAT, overview 5-5

global address guidelines 5-8

global IP address pool 5-13, 5-32

idle timeout, configuring 5-9

IPs in ACLs 1-43

maximum number of statements 5-8

overview 5-2

policy map configuration, dynamic 5-19

policy map configuration, static 5-39, 5-47

quick start, dynamic NAT and PAT 5-10

quick start, static NAT 5-27, 5-44

service policy, global dynamic 5-22, 5-23

service policy, local dynamic 5-22

service policy, static 5-40, 5-51

source 5-2, 5-4, 5-5, 5-9

static NAT, overview 5-7

static NAT and port redirection, configuring 5-43

static port redirection 5-7

network address translation

See NAT

normalization parameters

configuring 4-35

Don't Fragment bit, handling 4-44

ICMP security, disabling 4-38

IP options, handling 4-45

normalization send-reset, enabling 4-37

packet TTL setting 4-45

TCP normalization, disabling 4-36

unicast reverse-path forwarding, configuring 4-46

O

object groups

expanded 1-4

network 1-11

overview 1-23

service 1-16

order of ACL entries 1-4

outbound ACLs 1-40

P

packet TTL setting 4-45

parameter map

associating with Layer 3 and 4 policy map 3-110, 3-113, 3-117, 3-125

case sensitivity, disabling 3-111

configuring for Layer 3 and 4 HTTP inspection 3-110

maximum content bytes setting 3-112

maximum header bytes setting 3-112

passive FTP with source NAT 5-19

PAT

configuring 5-9

overview 5-5

policy map

actions, defining 3-38, 3-70, 3-102

associating with connection parameter map 4-34

dynamic NAT 5-19

dynamic NAT as policy map action 5-21

Layer 3 and 4, associating with class map 3-101

Layer 3 and 4, associating with parameter map 3-110, 3-113, 3-117, 3-125

Layer 3 and 4, associating with service policy 4-35

Layer 3 and 4, configuring HTTP parameter map 3-110

Layer 3 and 4, creating 3-100, 4-33

Layer 3 and 4, defining 3-100

Layer 3 and 4, description 3-101

Layer 3 and 4 policy map, associating with class map 4-33

Layer 7 FTP command inspection, adding description 3-36

Layer 7 FTP command inspection, associating with class map 3-37

Layer 7 FTP command inspection, creating 3-35

Layer 7 FTP command inspection, defining 3-34

Layer 7 FTP command inspection, inline match commands 3-36

Layer 7 HTTP deep packet inspection, adding description 3-66

Layer 7 HTTP deep packet inspection, associating with class map 3-68

Layer 7 HTTP deep packet inspection, creating 3-65

Layer 7 HTTP deep packet inspection, inline match commands 3-66

overview in application protocol inspection process 3-6

static NAT 5-39, 5-47

static NAT as policy map action 5-37, 5-48

port

for LDAP server 2-35

number or range for Layer 3 and 4 application protocol inspection 3-97

port redirection, configuring 5-43

port redirection

configuring 5-43

overview 5-7

preshared key

RADIUS, setting for 2-26

TACACS+, setting for 2-31

Q

quick start

AAA configuration 2-8

ACL configuration 1-5

dynamic NAT and PAT configuration 5-10

IP fragment reassembly configuration 4-48

Layer 3 and 4 application protocol inspection 3-29

Layer 7 FTP command inspection 3-22

Layer 7 HTTP deep packet inspection 3-25

static NAT configuration 5-27, 5-44

TCP/IP normalization 4-4

R

RADIUS server

ACE configuration 2-23

adding 2-22

authentication settings, configuring 2-14

configuration, displaying 2-47

dead-time setting 2-27

global preshared key setting 2-26

NAS-IP-Address attribute setting 2-25

number of retransmissions, setting 2-28

parameters, setting 2-23

server accounting settings, configuring 2-15

server group, creating 2-37

server group dead-time setting 2-39

server overview 2-6

timeout setting 2-29

rate limiting

bandwidth 4-9

connection 4-9

remarks in extended ACLs 1-19

reordering ACL entries 1-22

request methods

FTP command inspection, defining for 3-34

HTTP inspection, defining for 3-59

resequencing ACL entries 1-22

reserved bits, handling in connection parameter map 4-15

restricted category, defining for HTTP inspection (port misuse) 3-57

reverse-path forwarding, configuring 4-46

RTSP

application protocol inspection, configuring 3-105

application protocol support 3-6

inspection overview 3-17

restrictions 3-18

rules, maximum in ACL 1-4

S

SCCP

inspection 3-6, 3-19, 3-71, 3-98, 3-104, 3-106, 3-113

segment size

action for overrun 4-13

for connection parameter map 4-11

server groups

configuring 2-36

creating 2-37

LDAP 2-37

RADIUS 2-37

TACACS+ 2-37

service policy

applying to VLAN interfaces 3-126

associating with Layer 3 and 4 policy map 4-35

configuration information 3-133

dynamic NAT, global 5-22, 5-23

dynamic NAT, local 5-22

static NAT, local 5-40, 5-51

Session Initiation Protocol. See SIP

SIP

inspection 3-6, 3-19, 3-75, 3-98, 3-103, 3-106, 3-118

inspection, enabling logging of packets 3-124

Skinny Client Control Protocol. See SCCP

slow start algorithm, enabling in connection parameter map 4-20

source NAT 5-2, 5-4, 5-5, 5-9

static NAT

See NAT

statistics

AAA 2-46

ACL, clearing 1-50

ACL, displaying 1-48

connection, clearing 4-78

HTTP inspection 3-132

IP, clearing 4-79

IP fragmentation and reassembly, clearing 4-80

IP fragmentation and reassembly, displaying 4-68

IP traffic 4-63

service policy 4-72

TCP, clearing 4-79

TCP, displaying 4-70

TCP/IP and UDP connections 4-60

TCP/IP connections and IP reassembly, clearing 4-79

TCP/IP connections and IP reassembly, displaying 4-56

UDP, clearing 4-80

UDP, displaying 4-71

switch mode, configuring 4-53

SYN cookie

configurational and operational considerations 4-41

configuring on an interface 4-43

displaying statistics 4-76

overview 4-40

SYN flood attack 4-40

T

TACACS+ server

accounting settings, configuring 2-11

ACE configuration 2-29

adding 2-22

Cisco Secure Access Control Server (ACS) 2-10, 2-11

configuration, displaying 2-48

dead-time setting 2-32

global preshared key setting 2-31

parameters, setting 2-30

server authentication settings, configuring 2-10

server group, creating 2-37

server group dead-time setting 2-39

server overview 2-5

timeout setting 2-33

TCP

connection, receive or transmit buffer size 4-10

normalization, disabling 4-36

normalization, overview 4-2

normalization send-reset, enabling 4-37

options, handling in connection parameter map 4-22

port numbers and keywords 1-11

sequence numbers, randomizing 4-14

slow start algorithm, enabling in connection parameter map 4-20

SYN retries, limiting in connection parameter map 4-13

SYN segments with data, handling in connection parameter map 4-21

WAN optimization 4-18

TCP/IP and UDP configurations, displaying 4-57

TCP/IP normalization

clearing connections 4-78

configuration example 4-55

connection parameter map, configuring 4-7

IP fragment reassembly parameters, configuring 4-47

Layer 3 and 4 policy map, configuring 4-33

Layer 4 class map, configuring 4-27

normalization parameters, configuring 4-35

overview 4-2

quick start 4-4

statistics, clearing 4-79, 4-80

statistics, displaying 4-56

statistics, IP fragmentation and reassembly 4-68

statistics, IP traffic 4-63

statistics, service policy 4-72

statistics, TCP 4-70

statistics, TCP/IP connections 4-60

statistics, UDP 4-71

TCP/IP and UDP configurations, displaying 4-57

traffic policy, configuring 4-27

traffic class

See class map

traffic policies

TCP/IP normalization 4-27

transfer encoding, defining for HTTP inspection 3-60

TTL setting 4-45

type of service, setting in connection parameter map 4-26

U

UDP

port numbers and keywords 1-14

UDP and TCP/IP configurations, displaying 4-57

unicast reverse-path forwarding, configuring 4-46

urgent pointer policy, setting in connection parameter map 4-25

URL

defining for HTTP deep packet inspection 3-62

length, defining for HTTP deep packet inspection 3-63

regular expressions 3-62

URL request logging 3-105

W

WAN optimization 4-18