Cisco ASA 1000V ASDM Configuration Guide, 6.7
Configuring Inspection of Management Application Protocols

Configuring Inspection for Management Application Protocols

Table Of Contents

Configuring Inspection for Management Application Protocols

DCERPC Inspection

DCERPC Overview

Select DCERPC Map

DCERPC Inspect Map

Add/Edit DCERPC Policy Map

RADIUS Accounting Inspection

RADIUS Accounting Inspection Overview

Select RADIUS Accounting Map

Add RADIUS Accounting Policy Map

RADIUS Inspect Map

RADIUS Inspect Map Host

RADIUS Inspect Map Other

RSH Inspection

SNMP Inspection

SNMP Inspection Overview

Select SNMP Map

SNMP Inspect Map

Add/Edit SNMP Map

XDMCP Inspection


Configuring Inspection for Management Application Protocols


This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the ASA 1000V to do packet inspection instead of passing the packet through the fast path. As a result, inspection engines can affect overall throughput.

Several common inspection engines are enabled on the ASA 1000V by default, but you might need to enable others depending on your network.

This chapter includes the following sections:

DCERPC Inspection

RADIUS Accounting Inspection

RSH Inspection

SNMP Inspection

XDMCP Inspection

DCERPC Inspection

This section describes the DCERPC inspection engine. This section includes the following topics:

DCERPC Overview

"Select DCERPC Map" section

"DCERPC Inspect Map" section

"Add/Edit DCERPC Policy Map" section

DCERPC Overview

DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.

This typically involves a client querying a server called the Endpoint Mapper listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The ASA 1000V allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.

DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by the EPM, multiple uses of a pinhole are allowed, and pinholes have user-configurable timeouts.


Note DCERPC inspection only supports communication between the EPM and clients to open pinholes through the ASA 1000V. Clients using RPC communication that does not go through the EPM are not supported by DCERPC inspection.
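The pinhole behaviour described above (a pinhole opened from an EPM response, reusable by several secondary connections until its timeout expires, with the lookup timeout applying only when EPM lookup is enabled) is modelled in the following added example. It is constructed illustration code, not ASA software; the timeout and enable/disable values are the Security Level presets listed on this page, and the reading of "Enforce endpoint-mapper service" as "open a pinhole only for a client whose EPM bind was seen" is an assumption.

```python
"""Toy model of DCERPC/EPM pinhole handling using the security-level presets on this page.
Constructed illustration, not ASA code."""
from dataclasses import dataclass

# Presets as listed under Security Level (hh:mm:ss converted to seconds).
LEVELS = {
    "low":    {"pinhole_timeout": 120, "enforce_epm": False, "lookup_enabled": True,  "lookup_timeout": 300},
    "medium": {"pinhole_timeout": 60,  "enforce_epm": False, "lookup_enabled": False, "lookup_timeout": None},
    "high":   {"pinhole_timeout": 60,  "enforce_epm": True,  "lookup_enabled": False, "lookup_timeout": None},
}
EPM_PORT = 135  # well-known Endpoint Mapper port


@dataclass
class Pinhole:
    expires_at: float
    uses: int = 0


class DcerpcInspector:
    def __init__(self, level="medium"):
        self.cfg = LEVELS[level]
        self.pinholes = {}      # (client, server, port) -> Pinhole
        self.epm_binds = set()  # (client, server) pairs whose bind to port 135 was inspected

    def on_epm_bind(self, client, server, dport):
        """Client-to-server bind request aimed at the EPM (port 135)."""
        if dport == EPM_PORT:
            self.epm_binds.add((client, server))

    def on_epm_response(self, client, server, port, now, from_lookup=False):
        """EPM map/lookup response carrying the dynamic server port: open a pinhole."""
        # Assumption: enforcement means a pinhole is opened only after a seen EPM bind.
        if self.cfg["enforce_epm"] and (client, server) not in self.epm_binds:
            return False
        if from_lookup and self.cfg["lookup_enabled"]:
            ttl = self.cfg["lookup_timeout"]
        else:
            ttl = self.cfg["pinhole_timeout"]  # page: if lookup is disabled, the pinhole timeout is used
        self.pinholes[(client, server, port)] = Pinhole(expires_at=now + ttl)
        return True

    def allow_secondary(self, client, server, port, now):
        """Secondary connection attempt: allowed while a matching, unexpired pinhole exists."""
        for key in [k for k, p in self.pinholes.items() if p.expires_at <= now]:
            del self.pinholes[key]
        hole = self.pinholes.get((client, server, port))
        if hole is None:
            return False
        hole.uses += 1  # a pinhole may be reused by several connections
        return True


def demo(level):
    """Timeline: EPM map response (port 49152) and lookup response (port 49153) at t=0,
    then secondary connection attempts at t=10, 59, 130 and 310 seconds."""
    insp = DcerpcInspector(level)
    insp.on_epm_bind("10.1.1.10", "10.2.2.20", EPM_PORT)
    insp.on_epm_response("10.1.1.10", "10.2.2.20", 49152, now=0)
    insp.on_epm_response("10.1.1.10", "10.2.2.20", 49153, now=0, from_lookup=True)
    return {t: (insp.allow_secondary("10.1.1.10", "10.2.2.20", 49152, t),
                insp.allow_secondary("10.1.1.10", "10.2.2.20", 49153, t))
            for t in (10, 59, 130, 310)}


if __name__ == "__main__":
    for lvl in LEVELS:
        print(lvl, demo(lvl))
```

Running the demo at the Low level shows the lookup-derived pinhole surviving to t=130 (5-minute lookup timeout) while the map-derived one has expired at 2 minutes; at Medium and High both expire after 1 minute, and at High no pinhole is opened for a client whose EPM bind was not seen.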


Select DCERPC Map

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select DCERPC Map

The Select DCERPC Map dialog box lets you select or create a new DCERPC map. A DCERPC map lets you change the configuration values used for DCERPC application inspection. The Select DCERPC Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Use the default DCERPC inspection map—Specifies to use the default DCERPC map.

Select a DCERPC map for fine control over inspection—Lets you select a defined application inspection map or add a new one.

Add—Opens the Add Policy Map dialog box for the inspection.

DCERPC Inspect Map

Configuration > Global Objects > Inspect Maps > DCERPC

The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection.

DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.

This typically involves a client querying a server called the Endpoint Mapper (EPM) listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The ASA 1000V allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.

DCERPC inspect maps inspect for native TCP communication between the EPM and client on well known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by the EPM, multiple uses of a pinhole are allowed, and pinholes have user-configurable timeouts.

Fields

DCERPC Inspect Maps—Table that lists the defined DCERPC inspect maps.

Add—Configures a new DCERPC inspect map. To edit a DCERPC inspect map, choose the DCERPC entry in the DCERPC Inspect Maps table and click Customize.

Delete—Deletes the inspect map selected in the DCERPC Inspect Maps table.

Security Level—Select the security level (high, medium, or low).

Low

Pinhole timeout: 00:02:00

Endpoint mapper service: not enforced

Endpoint mapper service lookup: enabled

Endpoint mapper service lookup timeout: 00:05:00

Medium—Default.

Pinhole timeout: 00:01:00

Endpoint mapper service: not enforced

Endpoint mapper service lookup: disabled

High

Pinhole timeout: 00:01:00

Endpoint mapper service: enforced

Endpoint mapper service lookup: disabled

Customize—Opens the Add/Edit DCERPC Policy Map dialog box for additional settings.

Default Level—Sets the security level back to the default level of Medium.

Add/Edit DCERPC Policy Map

Configuration > Global Objects > Inspect Maps > DCERPC > DCERPC Inspect Map > Basic/Advanced View

The Add/Edit DCERPC Policy Map pane lets you configure the security level and parameters for DCERPC application inspection maps.

Fields

Name—When adding a DCERPC map, enter the name of the DCERPC map. When editing a DCERPC map, the name of the previously configured DCERPC map is shown.

Description—Enter the description of the DCERPC map, up to 200 characters in length.

Security Level—Select the security level (high, medium, or low).

Low

Pinhole timeout: 00:02:00

Endpoint mapper service: not enforced

Endpoint mapper service lookup: enabled

Endpoint mapper service lookup timeout: 00:05:00

Medium—Default.

Pinhole timeout: 00:01:00

Endpoint mapper service: not enforced

Endpoint mapper service lookup: disabled

High

Pinhole timeout: 00:01:00

Endpoint mapper service: enforced

Endpoint mapper service lookup: disabled

Default Level—Sets the security level back to the default level of Medium.

Details—Shows the Parameters to configure additional settings.

Pinhole Timeout—Sets the pinhole timeout. Because a client may use the server information returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.

Enforce endpoint-mapper service—Enforces endpoint mapper service during binding.

Enable endpoint-mapper service lookup—Enables the lookup operation of the endpoint mapper service. If disabled, the pinhole timeout is used.

Enforce Service Lookup Timeout—Enforces the service lookup timeout specified.

Service Lookup Timeout—Sets the timeout for pinholes from lookup operation.

RADIUS Accounting Inspection

This section describes the RADIUS accounting inspection engine. This section includes the following topics:

RADIUS Accounting Inspection Overview

Select RADIUS Accounting Map

Add RADIUS Accounting Policy Map

RADIUS Inspect Map

RADIUS Inspect Map Host

RADIUS Inspect Map Other

RADIUS Accounting Inspection Overview

One of the well known problems is the over-billing attack in GPRS networks. The over-billing attack causes consumers anger and frustration because they are billed for services that they have not used. In this case, a malicious attacker sets up a connection to a server and obtains an IP address from the SGSN. When the attacker ends the call, the malicious server still sends packets to it, which are dropped by the GGSN, but the connection from the server remains active. The IP address assigned to the malicious attacker is released and reassigned to a legitimate user, who is then billed for services that the attacker uses.

RADIUS accounting inspection prevents this type of attack by ensuring that the traffic seen by the GGSN is legitimate. With the RADIUS accounting feature properly configured, the ASA 1000V tears down a connection based on matching the Framed IP attribute in the RADIUS Accounting Request Start message with the RADIUS Accounting Request Stop message. When the Stop message is seen with the matching IP address in the Framed IP attribute, the ASA 1000V looks for all connections whose source matches that IP address.

You have the option to configure a secret pre-shared key with the RADIUS server so the ASA 1000V can validate the message. If the shared secret is not configured, the ASA 1000V does not need to validate the source of the message and will only check that the source IP address is one of the configured addresses allowed to send the RADIUS messages.


Note When using RADIUS accounting inspection with GPRS enabled, the ASA 1000V checks for the 3GPP-Session-Stop-Indicator in the Accounting Request STOP messages to properly handle secondary PDP contexts. Specifically, the ASA 1000V requires that the Accounting Request STOP messages include the 3GPP-SGSN-Address attribute before it will terminate the user sessions and all associated connections. Some third-party GGSNs might not send this attribute by default.
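The following added example models the RADIUS accounting inspection described above: it parses Accounting-Request packets, checks the Request Authenticator against a per-host shared secret (RFC 2866 section 3: MD5 over the header, sixteen zero octets, the attributes and the secret), records sessions on Start by Framed-IP-Address, and on Stop tears down every tracked connection whose source is that address. It also shows the "Attribute Number to validate when an Accounting Start is received" setting, read here as "the Start must carry that attribute" (an assumption). This is constructed illustration code, not ASA software; the sender addresses, secret and flows are constructed sample data, and the 3GPP-specific checks from the note are not implemented.

```python
"""RADIUS accounting inspection model: Start/Stop tracking by Framed-IP-Address,
Request Authenticator check with a per-host shared secret, required-attribute
validation on Start. Constructed illustration, not ASA code."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4          # RADIUS Code (RFC 2866)
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); strict on lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def request_authenticator_ok(packet, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


class RadiusAccountingInspector:
    def __init__(self, hosts, validate_attrs=()):
        self.hosts = dict(hosts)                   # allowed sender IP -> shared secret (bytes) or None
        self.validate_attrs = set(validate_attrs)  # attribute numbers a Start must carry (assumption)
        self.sessions = {}                         # Framed-IP-Address -> identifier of its Start

    def handle(self, src_ip, packet, connections):
        """connections: mutable set of (src_ip, dst_ip, dst_port) flows the firewall tracks."""
        if src_ip not in self.hosts:
            return "drop: sender not a configured RADIUS host"
        try:
            code, ident, _, attrs = parse_radius(packet)
        except ValueError as err:
            return f"drop: malformed ({err})"
        if code != ACCOUNTING_REQUEST:
            return "ignore: not an Accounting-Request"
        secret = self.hosts[src_ip]
        if secret is not None and not request_authenticator_ok(packet, secret):
            return "drop: Request Authenticator does not match shared secret"
        present = dict(attrs)
        if ATTR_ACCT_STATUS_TYPE not in present or ATTR_FRAMED_IP_ADDRESS not in present:
            return "ignore: no Acct-Status-Type or Framed-IP-Address"
        status = struct.unpack("!I", present[ATTR_ACCT_STATUS_TYPE])[0]
        framed = str(ipaddress.IPv4Address(present[ATTR_FRAMED_IP_ADDRESS]))
        if status == ACCT_START:
            missing = self.validate_attrs - set(present)
            if missing:
                return f"drop: Start missing attribute(s) {sorted(missing)}"
            self.sessions[framed] = ident
            return f"start: {framed}"
        if status == ACCT_STOP:
            self.sessions.pop(framed, None)
            torn = {c for c in connections if c[0] == framed}
            connections -= torn
            return f"stop: {framed}, tore down {len(torn)} connection(s)"
        return "ignore: other Acct-Status-Type"


def build_accounting_request(ident, attrs, secret=None):
    """Constructed test packet; with a secret the Request Authenticator is computed per RFC 2866."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest() if secret else bytes(16)
    return header + auth + body


def demo():
    """Constructed scenario: a valid Start, a Stop forged with the wrong secret,
    a Stop from an unconfigured sender, then the genuine Stop."""
    secret = b"constructed-shared-secret"
    insp = RadiusAccountingInspector({"10.0.0.5": secret}, validate_attrs=[ATTR_FRAMED_IP_ADDRESS])
    framed = ipaddress.IPv4Address("192.0.2.10").packed
    status = lambda s: (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", s))
    start = build_accounting_request(7, [status(ACCT_START), (ATTR_FRAMED_IP_ADDRESS, framed)], secret)
    stop = build_accounting_request(8, [status(ACCT_STOP), (ATTR_FRAMED_IP_ADDRESS, framed)], secret)
    forged = build_accounting_request(9, [status(ACCT_STOP), (ATTR_FRAMED_IP_ADDRESS, framed)], b"wrong")
    conns = {("192.0.2.10", "198.51.100.7", 80), ("192.0.2.11", "198.51.100.7", 443)}
    results = [insp.handle("10.0.0.5", start, conns),
               insp.handle("10.0.0.5", forged, conns),
               insp.handle("203.0.113.9", stop, conns),
               insp.handle("10.0.0.5", stop, conns)]
    return results, conns


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The forged Stop is the case the shared secret guards against: without a secret configured for the host, the inspector would accept any Stop from an allowed source address and tear down a legitimate user's connections on the attacker's say-so; with the secret, only a Stop whose authenticator was computed with that secret is acted on.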


Select RADIUS Accounting Map

The Select RADIUS Accounting Map dialog box lets you select a defined RADIUS accounting map or define a new one.

Fields

Add—Lets you add a new RADIUS accounting map.

Add RADIUS Accounting Policy Map

The Add RADIUS Accounting Policy Map dialog box lets you add the basic settings for the RADIUS accounting map.

Fields

Name—Enter the name of the previously configured RADIUS accounting map.

Description—Enter the description of the RADIUS accounting map, up to 100 characters in length.

Host Parameters tab:

Host IP Address—Specify the IP address of the host that is sending the RADIUS messages.

Key (optional)—Specify the key.

Add—Adds the host entry to the Host table.

Delete—Deletes the host entry from the Host table.

Other Parameters tab:

Attribute Number—Specify the attribute number to validate when an Accounting Start is received.

Add—Adds the entry to the Attribute table.

Delete—Deletes the entry from the Attribute table.

Send response to the originator of the RADIUS message—Sends a message back to the host from which the RADIUS message was sent.

Enforce timeout—Enables the timeout for users.

Users Timeout—Timeout for the users in the database (hh:mm:ss).

RADIUS Inspect Map

The RADIUS pane lets you view previously configured RADIUS application inspection maps. A RADIUS map lets you change the default configuration values used for RADIUS application inspection. You can use a RADIUS map to protect against an overbilling attack.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

RADIUS Inspect Maps—Table that lists the defined RADIUS inspect maps. The defined inspect maps are also listed in the RADIUS area of the Inspect Maps tree.

Add—Adds the new RADIUS inspect map to the defined list in the RADIUS Inspect Maps table and to the RADIUS area of the Inspect Maps tree. To configure the new RADIUS map, select the RADIUS entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the RADIUS Inspect Maps table and from the RADIUS area of the Inspect Maps tree.

RADIUS Inspect Map Host

The RADIUS Inspect Map Host Parameters pane lets you configure the host parameter settings for the inspect map.

Fields

Name—Shows the name of the previously configured RADIUS accounting map.

Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.

Host Parameters—Lets you configure host parameters.

Host IP Address—Specify the IP address of the host that is sending the RADIUS messages.

Key (optional)—Specify the key.

Add—Adds the host entry to the Host table.

Delete—Deletes the host entry from the Host table.

RADIUS Inspect Map Other

The RADIUS Inspect Map Other Parameters pane lets you configure additional parameter settings for the inspect map.

Fields

Name—Shows the name of the previously configured RADIUS accounting map.

Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.

Other Parameters—Lets you configure additional parameters.

Send response to the originator of the RADIUS message—Sends a message back to the host from which the RADIUS message was sent.

Enforce timeout—Enables the timeout for users.

Users Timeout—Timeout for the users in the database (hh:mm:ss).

Validate Attribute—Attribute information.

Attribute Number—Specify the attribute number to validate when an Accounting Start is received.

Add—Adds the entry to the Attribute table.

Delete—Deletes the entry from the Attribute table.

RSH Inspection

RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514. The client and server negotiate the TCP port number where the client listens for the STDERR output stream. RSH inspection supports NAT of the negotiated port number if necessary.

SNMP Inspection

This section describes the SNMP inspection engine. This section includes the following topics:

SNMP Inspection Overview

"Select SNMP Map" section

"SNMP Inspect Map" section

SNMP Inspection Overview

SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The ASA 1000V can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by creating an SNMP map.

You then apply the SNMP map when you enable SNMP inspection according to the "Configuring Application Layer Protocol Inspection" section.
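The version check that an SNMP map expresses is shown in the following added example: it decodes the version INTEGER from the BER header of an SNMP message and drops the versions the map denies, defaulting to drop for anything it cannot classify. This is constructed illustration code, not ASA software; the sample messages are constructed (a v1 and a v2c GetRequest, and a noAuthNoPriv v3 message with empty security parameters), and the example recognises only the community-based v1/v2c framing and v3, so any other framing is dropped as unknown.

```python
"""SNMP version filtering as an SNMP inspect map applies it: decode the message version
from the BER header and drop the versions the map denies. Constructed illustration,
not ASA code."""


def read_tlv(buf, pos=0):
    """Minimal BER reader (definite lengths up to 4 bytes): returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + 2 + nbytes > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    else:
        length, start = first, pos + 2
    end = start + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[start:end], end


# Version INTEGER values used by the community-based (v1, v2c) and v3 message formats.
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def snmp_version(packet):
    """Outer SEQUENCE whose first element is the version INTEGER; anything else is 'unknown'."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    vtag, vval, _ = read_tlv(body)
    if vtag != 0x02 or not 1 <= len(vval) <= 4:
        raise ValueError("first element is not a version INTEGER")
    return VERSION_NAMES.get(int.from_bytes(vval, "big", signed=True), "unknown")


class SnmpMap:
    """Set of denied versions, e.g. SnmpMap(deny={"v1", "v2c"}) permits only v3."""

    def __init__(self, deny):
        self.deny = set(deny)

    def verdict(self, packet):
        try:
            version = snmp_version(packet)
        except ValueError as err:
            return f"drop: malformed ({err})"
        if version == "unknown" or version in self.deny:
            return f"drop: {version}"
        return f"allow: {version}"


# --- constructed sample messages ------------------------------------------------
def ber(tag, value):
    """Short-form BER encoder (values under 128 bytes) for the samples below."""
    return bytes([tag, len(value)]) + value


# GetRequest-PDU: request-id 1, error-status 0, error-index 0, empty variable bindings.
GET_REQUEST_PDU = ber(0xA0, ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00") + ber(0x30, b""))


def community_message(version_int, community=b"public"):
    """SNMPv1/v2c framing: SEQUENCE { version INTEGER, community OCTET STRING, PDU }."""
    return ber(0x30, ber(0x02, bytes([version_int])) + ber(0x04, community) + GET_REQUEST_PDU)


def v3_message():
    """SNMPv3 framing (msgFlags noAuthNoPriv + reportable, empty security parameters)."""
    global_data = ber(0x30, ber(0x02, b"\x01") + ber(0x02, b"\x04\x00") + ber(0x04, b"\x04") + ber(0x02, b"\x03"))
    scoped_pdu = ber(0x30, ber(0x04, b"") + ber(0x04, b"") + GET_REQUEST_PDU)
    return ber(0x30, ber(0x02, b"\x03") + global_data + ber(0x04, b"") + scoped_pdu)


def demo():
    """Map that denies v1 and v2c, applied to v1, v2c, v3 and a truncated message."""
    v3_only = SnmpMap(deny={"v1", "v2c"})
    return [v3_only.verdict(community_message(0)),
            v3_only.verdict(community_message(1)),
            v3_only.verdict(v3_message()),
            v3_only.verdict(community_message(0)[:6])]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A map that denies only the community-based versions leaves v3 as the sole way through; the truncated message shows that a version decoder should fail closed on a header it cannot fully parse rather than guess.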

Select SNMP Map

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select SNMP Map

The Select SNMP Map dialog box lets you select or create a new SNMP map. An SNMP map lets you change the configuration values used for SNMP application inspection. The Select SNMP Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Use the default SNMP inspection map—Specifies to use the default SNMP map.

Select an SNMP map for fine control over inspection—Lets you select a defined application inspection map or add a new one.

Add—Opens the Add Policy Map dialog box for the inspection.

SNMP Inspect Map

Configuration > Global Objects > Inspect Maps > SNMP

The SNMP pane lets you view previously configured SNMP application inspection maps. An SNMP map lets you change the default configuration values used for SNMP application inspection.

Fields

Map Name—Lists previously configured application inspection maps. Select a map and click Edit to view or change an existing map.

Add—Configures a new SNMP inspect map.

Edit—Edits the selected SNMP entry in the SNMP Inspect Maps table.

Delete—Deletes the inspect map selected in the SNMP Inspect Maps table.

Add/Edit SNMP Map

Configuration > Global Objects > Inspect Maps > SNMP > Add/Edit SNMP Map (You can get to this dialog box through various paths.)

The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.

Fields

SNMP Map Name—Defines the name of the application inspection map.

SNMP version 1—Enables application inspection for SNMP version 1.

SNMP version 2 (party based)—Enables application inspection for SNMP version 2.

SNMP version 2c (community based)—Enables application inspection for SNMP version 2c.

SNMP version 3—Enables application inspection for SNMP version 3.

XDMCP Inspection

XDMCP inspection is enabled by default; however, the XDMCP inspection engine is dependent upon proper configuration of the established command.

XDMCP is a protocol that uses UDP port 177 to negotiate X sessions, which use TCP when established.

For successful negotiation and start of an XWindows session, the ASA 1000V must allow the TCP back connection from the Xhosted computer. To permit the back connection, use the established command on the ASA 1000V. Once XDMCP negotiates the port to send the display, the established command is consulted to verify whether this back connection should be permitted.

During the XWindows session, the manager talks to the display Xserver on the well-known port 6000 + n. Each display has a separate connection to the Xserver, as a result of the following terminal setting:

setenv DISPLAY Xserver:n

where n is the display number.

When XDMCP is used, the display is negotiated using IP addresses, which the ASA 1000V can NAT if needed. XDMCP inspection does not support PAT.