DNS Inspection
This section describes DNS application inspection. This section includes the following topics:
Information About DNS Inspection
General Information About DNS
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently. Because the app_id expires independently, a legitimate DNS response can only pass through the ASA within a limited period of time and there is no resource build-up.
DNS Inspection Actions
DNS inspection is enabled by default. You can customize DNS inspection to perform many tasks:
-
Translate the DNS record based on the NAT configuration. For more information, see the “DNS and NAT” section.
-
Enforce message length, domain-name length, and label length.
-
Verify the integrity of the domain-name referred to by the pointer if compression pointers are encountered in the DNS message.
-
Check to see if a compression pointer loop exists.
-
Inspect packets based on the DNS header, type, class and more.
Default Settings for DNS Inspection
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
-
The maximum DNS message length is 512 bytes.
-
The maximum client DNS message length is automatically set to match the Resource Record.
-
DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
-
Translation of the DNS record based on the NAT configuration is enabled.
-
Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
(Optional) Configuring a DNS Inspection Policy Map and Class Map
To match DNS packets with certain characteristics and perform special actions, create a DNS inspection policy map. You can also configure a DNS inspection class map to group multiple match criteria for reference within the inspection policy map. You can then apply the inspection policy map when you enable DNS inspection.
Prerequisites
If you want to match a DNS message domain name list, then create a regular expression using one of the methods below:
Detailed Steps
Step 1 Choose
Configuration
>
Firewall
>
Objects
>
Inspect Maps
>
DNS
.
The Configure DNS Maps pane appears.
Step 2 Click
Add
.
The Add IPv6 Inspection Map dialog box appears.
Step 3 In the Name field, name the inspection policy map.
Step 4 (Optional) In the Description field, add a description.
Step 5 Do one of the following:
-
To use one of the preset security levels (Low, Medium, or High), drag the Security Level knob, then click
OK
to add the inspection policy map. You can skip the rest of this procedure.
-
To customize each parameter and/or to configure packet matching inspection, click
Details
.
Detailed Steps—Protocol Conformance
Step 1 Configure the following Protocol Conformance parameters:
Step 2
Enable DNS guard function
—Enables DNS Guard. The ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
Step 3
Enable NAT re-write function
—Translates the DNS record based on the NAT configuration.
Step 4
Enable protocol enforcement
—Enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
Step 5
Randomize the DNS identifier for DNS query
—Randomizes the DNS identifier for a DNS query.
Step 6
Enforce TSIG resource record to be present in DNS message
—Requires a TSIG resource record to be present. Actions include:
-
Action:
Drop packet
or
Log
—Drop or log a non-conforming packet.
-
Log:
Enable
or
Disable
—If you selected Drop packet, you can also enable logging.
Detailed Steps—Filtering
Step 1 Click the
Filtering
tab.
Step 2 Global Settings:
Drop packets that exceed specified maximum length (global)
—Sets the maximum DNS message length, from 512 to 65535 bytes.
Step 3 Server Settings:
Drop packets that exceed specified maximum length
and
Drop packets sent to server that exceed length indicated by the RR
—Sets the maximum server DNS message length, from 512 to 65535 bytes, or sets the maximum length to the value in the Resource Record. If you enable both settings, the lower value is used.
Step 4 Client Settings:
Drop packets that exceed specified maximum length
and
Drop packets sent to server that exceed length indicated by the RR
—Sets the maximum client DNS message length, from 512 to 65535 bytes, or sets the maximum length to the value in the Resource Record. If you enable both settings, the lower value is used.
Detailed Steps—Mismatch Rate
Step 1 Click the
Mismatch Rate
tab.
Step 2
Enable logging when DNS ID mismatch rate exceeds specified rate
—Enables logging for excessive DNS ID mismatches, where the Mismatch Instance Threshold and Time Interval fields specify the maximum number of mismatch instances per
x
seconds before a system message log is sent.
Detailed Steps—Inspections
Step 1 Click the
Inspections
tab.
Step 2 Click
Add
.
The Add DNS Inspect dialog box appears.
Step 3 You can configure DNS inspections using the following methods:
-
Single Match
—Match a single criterion, and identify the action for the match.
-
Multiple matches
—Match multiple criteria by creating an inspection class map.
The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps. If you want different actions for each criteria, use the single match option; you can only set one action for the entire class map.
You can add multiple class maps and single matches in the same policy map.
Actions for each Single Match, or for a Multiple match class map include:
– Mask
– Drop Packet
– Drop Connection
– None
– Enable
– Disable
-
Enforce TSIG: Requires a TSIG resource record to be present.
– Do not enforce
– Drop packet
– Log
– Drop packet and log
Not all combinations are valid for all matching criteria. For example, you can configure both Mask and Enforce TSIG together only for the Criterion: Header Flag option.
Step 4 For Multiple matches, if you predefined a class map on the Configuration > Firewall > Objects > Class Maps > DNS pane, you can select it from the drop-down list, set the Actions, and click
OK
.
To add a new class map:
a. Click
Manage
.
The Manage DNS Class Maps dialog box appears
b. Click
Add
.
The Add DNS Traffic Class Map dialog box appears.
c. Click
Add
.
The Add DNS Match Criterion dialog box appears.
The match criteria are the same for a class map or for single matches; the following steps apply to both methods. The only difference is that you do not set an Action for each criterion in a class map.
Step 5 From the Criterion drop-down list, choose one of the following criteria:
Set the following Value parameters:
– Match Option:
Equals
or
Contains
. If you choose Header Flag Name, and check multiple flags, you can set the ASA to match a packet only if all flags are present (Equals) or if any one of the flags is present (Contains).
– Match Value:
Header Flag Name
or
Header Flag Value
. If you click
Header Flag Name
, you can check one or more well-known flag values. If you want to specify a hex value, click the
Header Flag Value
radio button, and enter the hex value in the field.
Set the following Value parameters:
–
DNS Type Field Name
—Lists the DNS types to select.
A
—IPv4 address
AXFR
—Full (zone) transfer
CNAME
—Canonical name
IXFR
—Incremental (zone) transfer
NS
—Authoritative name server
SOA
—Start of a zone of authority
TSIG
—Transaction signature
–
DNS Type Field Value:
Value
—Lets you enter a value between 0 and 65535 to match.
Range
—Lets you enter a range match. Both values between 0 and 65535.
Set the following Value parameters:
–
DNS Class Field Name: Internet
—Internet is the only option.
–
DNS Class Field Value
:
Value
—Lets you enter a value between 0 and 65535.
Range
—Lets you enter a range match. Both values between 0 and 65535.
-
Question
: Matches a DNS question.
Set the following Value parameters:
– Resource Record:
additional
—DNS additional resource record
answer
—DNS answer resource record
authority
—DNS authority resource record
Set the following Value parameters:
–
Regular Expression
—Choose an existing regular expression from the drop-down menu, or click
Manage
to add a new one. See the “Creating a Regular Expression” section in the general operations configuration guide.
–
Regular Expression Class
—Choose an existing regular expression class map from the drop-down menu, or click
Manage
to add a new one. See the “Creating a Regular Expression Class Map” section in the general operations configuration guide.
Step 6 For a class map:
a. Click
OK
to add the match to the map.
b. Add more matches as desired.
c. Click
OK
to finish the class map.
d. Click
OK
to return to the Add DNS Inspect Map dialog box.
Step 7 Set the action for the Single Match, or for the Multiple matches class map; see Step 3 for actions.
Step 8 Click
OK
to return to the Add DNS Inspect dialog box.
Step 9 In some cases when you have more than one match in the inspection policy map, you can order the matches using the Move Up and Move Down buttons. Generally, the order is determined by internal ASA rules, so these buttons are not available for most entries. However, if you have a direct match and a class map that have the same match, then the order in the configuration determines which match is used, so these buttons are enabled. See the “Guidelines and Limitations” section for more information.
Step 10 Click
OK
to save the DNS inspect map.
Step 11 Click
Apply
.
Configuring DNS Inspection
The default ASA configuration includes many default inspections on default ports applied globally on all interfaces. A common method for customizing the inspection configuration is to customize the default global policy. The steps in this section show how to edit the default global policy, but you can alternatively create a new service policy as desired, for example, an interface-specific policy.
Detailed Steps
Step 1 Configure a service policy on the Configuration > Firewall > Service Policy Rules pane according to Chapter1, “Configuring a Service Policy”
You can configure DNS inspection as part of a new service policy rule, or you can edit an existing service policy.
Step 2 On the Rule Actions dialog box, click the
Protocol Inspections
tab.
Step 3 (To change an in-use policy) If you are editing any in-use policy to use a different DNS inspection policy map, you must disable the DNS inspection, and then re-enable it with the new DNS inspection policy map name:
a. Uncheck the
DNS
check box.
b. Click
OK
.
c. Click
Apply
.
d. Repeat these steps to return to the Protocol Inspections tab.
Step 4 Check the
DNS
check box.
Step 5 Click
Configure
.
The Select DNS Inspect Map dialog appears.
Step 6 Choose the inspection map:
Step 7 If you use the Botnet Traffic Filter, click
Enable Botnet traffic filter DNS snooping
. Botnet Traffic Filter snooping compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address. We suggest that you enable DNS snooping only on interfaces where external DNS requests are going. Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary load on the ASA. For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface. See the “Enabling DNS Snooping” section.
Step 8 Click
OK
to return to the Protocol Inspections tab.
Step 9 Click
OK
to finish editing the service policy.
Step 10 Click
Apply
.
FTP Inspection
This section describes the FTP inspection engine. This section includes the following topics:
FTP Inspection Overview
The FTP application inspection inspects the FTP sessions and performs four tasks:
-
Prepares dynamic secondary data connection
-
Tracks the FTP command-response sequence
-
Generates an audit trail
-
Translates the embedded IP address
FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels are negotiated through PORT or PASV commands. The channels are allocated in response to a file upload, a file download, or a directory listing event.
Note If you disable FTP inspection engines with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
Using Strict FTP
Using strict FTP increases the security of protected networks by preventing web browsers from sending embedded commands in FTP requests. To enable strict FTP, click the
Configure
button next to FTP on the Configuration > Firewall > Service Policy Rules > Edit Service Policy Rule > Rule Actions > Protocol Inspection tab.
After you enable the
strict
option on an interface, FTP inspection enforces the following behavior:
-
An FTP command must be acknowledged before the ASA allows a new command.
-
The ASA drops connections that send embedded commands.
-
The 227 and PORT commands are checked to ensure they do not appear in an error string.
Caution Using the
strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.
If the
strict
option is enabled, each FTP command and response sequence is tracked for the following anomalous activity:
-
Truncated command—Number of commas in the PORT and PASV reply command is checked to see if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP connection is closed.
-
Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as required by the RFC. If it does not, the connection is closed.
-
Size of RETR and STOR commands—These are checked against a fixed constant. If the size is greater, then an error message is logged and the connection is closed.
-
Command spoofing—The PORT command should always be sent from the client. The TCP connection is denied if a PORT command is sent from the server.
-
Reply spoofing—PASV reply command (227) should always be sent from the server. The TCP connection is denied if a PASV reply command is sent from the client. This prevents the security hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”
-
TCP stream editing—The ASA closes the connection if it detects TCP stream editing.
-
Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024. As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the negotiated port falls in this range, then the TCP connection is freed.
-
Command pipelining—The number of characters present after the port numbers in the PORT and PASV reply command is cross checked with a constant value of 8. If it is more than 8, then the TCP connection is closed.
-
The ASA replaces the FTP server response to the SYST command with a series of Xs. to prevent the server from revealing its system type to FTP clients. To override this default behavior, use the
no mask-syst-reply
command in the FTP map.
Select FTP Map
The Select FTP Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select FTP Map
The Select FTP Map dialog box lets you enable strict FTP application inspection, select an FTP map, or create a new FTP map. An FTP map lets you change the configuration values used for FTP application inspection.The Select FTP Map
table provides a list of previously configured maps that you can select for application inspection.
Fields
-
FTP Strict (prevent web browsers from sending embedded commands in FTP requests)
—
Enables strict FTP application inspection, which causes the ASA to drop the connection when an embedded command is included in an FTP request.
-
Use the default FTP inspection map—Specifies to use the default FTP map.
-
Select an FTP map for fine control over inspection
—
Lets you select a defined application inspection map or add a new one.
-
Add—Opens the Add Policy Map dialog box for the inspection.
FTP Class Map
The FTP Class Map dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > FTP
The FTP Class Map pane lets you configure FTP class maps for FTP inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
-
Name—Shows the FTP class map name.
-
Match Conditions—Shows the type, match criterion, and value in the class map.
– Match Type—Shows the match type, which can be a positive or negative match.
– Criterion—Shows the criterion of the FTP class map.
– Value—Shows the value to match in the FTP class map.
-
Description—Shows the description of the class map.
-
Add—Adds an FTP class map.
-
Edit—Edits an FTP class map.
-
Delete—Deletes an FTP class map.
Add/Edit FTP Traffic Class Map
The Add/Edit FTP Traffic Class Map dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map
The Add/Edit FTP Traffic Class Map dialog box lets you define a FTP class map.
Fields
-
Name—Enter the name of the FTP class map, up to 40 characters in length.
-
Description—Enter the description of the FTP class map.
-
Add—Adds an FTP class map.
-
Edit—Edits an FTP class map.
-
Delete—Deletes an FTP class map.
Add/Edit FTP Match Criterion
The Add/Edit FTP Match Criterion dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map > Add/Edit FTP Match Criterion
The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.
Fields
-
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
-
Criterion—Specifies which criterion of FTP traffic to match.
– Request-Command—Match an FTP request command.
– File Name—Match a filename for FTP transfer.
– File Type—Match a file type for FTP transfer.
– Server—Match an FTP server.
– User Name—Match an FTP user.
-
Request-Command Criterion Values—Specifies the value details for the FTP request command match.
– Request Command—Lets you select one or more request commands to match.
APPE—Append to a file.
CDUP—Change to the parent of the current directory.
DELE—Delete a file at the server site.
GET—FTP client command for the retr (retrieve a file) command.
HELP—Help information from the server.
MKD—Create a directory.
PUT—FTP client command for the stor (store a file) command.
RMD—Remove a directory.
RNFR—Rename from.
RNTO—Rename to.
SITE—Specify a server specific command.
STOU—Store a file with a unique name.
-
File Name Criterion Values—Specifies to match on the FTP transfer filename.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
File Type Criterion Values—Specifies to match on the FTP transfer file type.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
Server Criterion Values—Specifies to match on the FTP server.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
User Name Criterion Values—Specifies to match on the FTP user.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
FTP Inspect Map
The FTP Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > FTP
The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection.
FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation.
Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for download, but restrict access to certain users. You can block FTP connections based on file type, server name, and other attributes. System message logs are generated if an FTP connection is denied after inspection.
Fields
-
FTP Inspect Maps—Table that lists the defined FTP inspect maps.
-
Add—Configures a new FTP inspect map. To edit an FTP inspect map, choose the FTP entry in the FTP Inspect Maps table and click
Customize
.
-
Delete—Deletes the inspect map selected in the FTP Inspect Maps table.
-
Security Level—Select the security level (medium or low).
– Low
Mask Banner Disabled
Mask Reply Disabled
– Medium—Default.
Mask Banner Enabled
Mask Reply Enabled
– File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
– Customize—Opens the Add/Edit FTP Policy Map dialog box for additional settings.
– Default Level—Sets the security level back to the default level of Medium.
File Type Filtering
The File Type Filtering dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > FTP > MIME File Type Filtering
The File Type Filtering dialog box lets you configure the settings for a file type filter.
Fields
-
Match Type—Shows the match type, which can be a positive or negative match.
-
Criterion—Shows the criterion of the inspection.
-
Value—Shows the value to match in the inspection.
-
Action—Shows the action if the match condition is met.
-
Log—Shows the log state.
-
Add—Opens the Add File Type Filter dialog box to add a file type filter.
-
Edit—Opens the Edit File Type Filter dialog box to edit a file type filter.
-
Delete—Deletes a file type filter.
-
Move Up—Moves an entry up in the list.
-
Move Down—Moves an entry down in the list.
Add/Edit FTP Policy Map (Security Level)
The Add/Edit FTP Policy Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Basic View
The Add/Edit FTP Policy Map pane lets you configure the security level and additional settings for FTP application inspection maps.
Fields
-
Name—When adding an FTP map, enter the name of the FTP map. When editing an FTP map, the name of the previously configured FTP map is shown.
-
Description—Enter the description of the FTP map, up to 200 characters in length.
-
Security Level—Select the security level (medium or low).
– Low
Mask Banner Disabled
Mask Reply Disabled
– Medium—Default.
Mask Banner Enabled
Mask Reply Enabled
– File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
– Default Level—Sets the security level back to the default level of Medium.
-
Details—Shows the Parameters and Inspections tabs to configure additional settings.
Add/Edit FTP Policy Map (Details)
The Add/Edit FTP Policy Map (Details) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View
The Add/Edit FTP Policy Map pane lets you configure the security level and additional settings for FTP application inspection maps.
Fields
-
Name—When adding an FTP map, enter the name of the FTP map. When editing an FTP map, the name of the previously configured FTP map is shown.
-
Description—Enter the description of the FTP map, up to 200 characters in length.
-
Security Level—Shows the security level and file type filtering settings to configure.
-
Parameters—Tab that lets you configure the parameters for the FTP inspect map.
– Mask greeting banner from the server—Masks the greeting banner from the FTP server to prevent the client from discovering server information.
– Mask reply to SYST command—Masks the reply to the syst command to prevent the client from discovering server information.
-
Inspections—Tab that shows you the FTP inspection configuration and lets you add or edit.
– Match Type—Shows the match type, which can be a positive or negative match.
– Criterion—Shows the criterion of the FTP inspection.
– Value—Shows the value to match in the FTP inspection.
– Action—Shows the action if the match condition is met.
– Log—Shows the log state.
– Add—Opens the Add FTP Inspect dialog box to add an FTP inspection.
– Edit—Opens the Edit FTP Inspect dialog box to edit an FTP inspection.
– Delete—Deletes an FTP inspection.
– Move Up—Moves an inspection up in the list.
– Move Down—Moves an inspection down in the list.
Add/Edit FTP Map
The Add/Edit FTP Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View > Add/Edit FTP Inspect
The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.
Fields
-
Single Match—Specifies that the FTP inspect has only one match statement.
-
Match Type—Specifies whether traffic should match or not match the values.
For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
-
Criterion—Specifies which criterion of FTP traffic to match.
– Request Command—Match an FTP request command.
– File Name—Match a filename for FTP transfer.
– File Type—Match a file type for FTP transfer.
– Server—Match an FTP server.
– User Name—Match an FTP user.
-
Request Command Criterion Values—Specifies the value details for FTP request command match.
– Request Command:
APPE—Command that appends to a file.
CDUP—Command that changes to the parent directory of the current working directory.
DELE—Command that deletes a file.
GET—Command that gets a file.
HELP—Command that provides help information.
MKD—Command that creates a directory.
PUT—Command that sends a file.
RMD—Command that deletes a directory.
RNFR—Command that specifies rename-from filename.
RNTO—Command that specifies rename-to filename.
SITE—Commands that are specific to the server system. Usually used for remote administration.
STOU—Command that stores a file using a unique filename.
-
File Name Criterion Values—Specifies the value details for FTP filename match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
File Type Criterion Values—Specifies the value details for FTP file type match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
Server Criterion Values—Specifies the value details for FTP server match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
User Name Criterion Values—Specifies the value details for FTP user name match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
Multiple Matches—Specifies multiple matches for the FTP inspection.
– FTP Traffic Class—Specifies the FTP traffic class match.
– Manage—Opens the Manage FTP Class Maps dialog box to add, edit, or delete FTP Class Maps.
-
Action—Reset.
-
Log—Enable or disable.
Verifying and Monitoring FTP Inspection
FTP application inspection generates the following log messages:
-
An Audit record 303002 is generated for each file that is retrieved or uploaded.
-
The FTP command is checked to see if it is RETR or STOR and the retrieve and store commands are logged.
-
The username is obtained by looking up a table providing the IP address.
-
The username, source IP address, destination IP address, NAT address, and the file operation are logged.
-
Audit record 201005 is generated if the secondary dynamic channel preparation failed due to memory shortage.
In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
HTTP Inspection
This section describes the HTTP inspection engine. This section includes the following topics:
HTTP Inspection Overview
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated with HTTP traffic. HTTP inspection performs several functions:
-
Enhanced HTTP inspection
-
URL screening through N2H2 or Websense
See Information About URL Filtering for information.
-
Java and ActiveX filtering
The latter two features are configured in conjunction with Filter rules.
The enhanced HTTP inspection feature, which is also known as an application firewall and is available when you configure an HTTP map, can help prevent attackers from using HTTP messages for circumventing network security policy. It verifies the following for all HTTP messages:
-
Conformance to RFC 2616
-
Use of RFC-defined methods only.
-
Compliance with the additional criteria.
Select HTTP Map
The Select HTTP Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select HTTP Map
The Select HTTP Map dialog box lets you select or create a new HTTP map. An HTTP map lets you change the configuration values used for HTTP application inspection. The Select HTTP Map table provides a list of previously configured maps that you can select for application inspection.
Fields
-
Use the default HTTP inspection map—Specifies to use the default HTTP map.
-
Select an HTTP map for fine control over inspection
—
Lets you select a defined application inspection map or add a new one.
-
Add—Opens the Add Policy Map dialog box for the inspection.
HTTP Class Map
The HTTP Class Map dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > HTTP
The HTTP Class Map pane lets you configure HTTP class maps for HTTP inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
-
Name—Shows the HTTP class map name.
-
Match Conditions—Shows the type, match criterion, and value in the class map.
– Match Type—Shows the match type, which can be a positive or negative match.
– Criterion—Shows the criterion of the HTTP class map.
– Value—Shows the value to match in the HTTP class map.
-
Description—Shows the description of the class map.
-
Add—Adds an HTTP class map.
-
Edit—Edits an HTTP class map.
-
Delete—Deletes an HTTP class map.
Add/Edit HTTP Traffic Class Map
The Add/Edit HTTP Traffic Class Map dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > HTTP > Add/Edit HTTP Traffic Class Map
The Add/Edit HTTP Traffic Class Map dialog box lets you define a HTTP class map.
Fields
-
Name—Enter the name of the HTTP class map, up to 40 characters in length.
-
Description—Enter the description of the HTTP class map.
-
Add—Adds an HTTP class map.
-
Edit—Edits an HTTP class map.
-
Delete—Deletes an HTTP class map.
Add/Edit HTTP Match Criterion
The Add/Edit HTTP Match Criterion dialog box is accessible as follows:
Configuration > Global Objects > Class Maps > HTTP > Add/Edit HTTP Traffic Class Map > Add/Edit HTTP Match Criterion
The Add/Edit HTTP Match Criterion dialog box lets you define the match criterion and value for the HTTP class map.
Fields
-
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
-
Criterion—Specifies which criterion of HTTP traffic to match.
– Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.
– Request Arguments—Applies the regular expression match to the arguments of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified.
Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.
– Request Body—Applies the regular expression match to the body of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields.
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the maximum number of header fields.
– Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified.
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.
– Request Header Field—Applies the regular expression match to the header of the request.
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers.
Greater Than Count—Enter the maximum number of headers.
– Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified.
Greater Than Length—Enter a header length value in bytes.
– Request Header non-ASCII—Matches non-ASCII characters in the header of the request.
– Request Method—Applies the regular expression match to the method of the request.
Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
Regular Expression—Specifies to match on a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified.
Greater Than Length—Enter a URI length value in bytes.
– Request URI—Applies the regular expression match to the URI of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Response Body—Applies the regex match to the body of the response.
ActiveX—Specifies to match on ActiveX.
Java Applet—Specifies to match on a Java Applet.
Regular Expression—Specifies to match on a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified.
Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.
– Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the maximum number of header fields.
– Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.
– Response Header Field—Applies the regular expression match to the header of the response.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers.
Greater Than Count—Enter the maximum number of headers.
– Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified.
Greater Than Length—Enter a header length value in bytes.
– Response Header non-ASCII—Matches non-ASCII characters in the header of the response.
– Response Status Line—Applies the regular expression match to the status line.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
HTTP Inspect Map
The HTTP Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > HTTP
The HTTP pane lets you view previously configured HTTP application inspection maps. An HTTP map lets you change the default configuration values used for HTTP application inspection.
HTTP application inspection scans HTTP headers and body, and performs various checks on the data. These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols from traversing the security appliance.
HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP requests and responses, preventing malicious content from reaching the web server. Size limiting of various elements in HTTP request and response headers, URL blocking, and HTTP server header type spoofing are also supported.
Fields
-
HTTP Inspect Maps—Table that lists the defined HTTP inspect maps.
-
Add—Configures a new HTTP inspect map. To edit an HTTP inspect map, choose the HTTP entry in the HTTP Inspect Maps table and click
Customize
.
-
Delete—Deletes the inspect map selected in the HTTP Inspect Maps table.
-
Security Level—Select the security level (low, medium, or high).
– Low—Default.
Protocol violation action: Drop connection
Drop connections for unsafe methods: Disabled
Drop connections for requests with non-ASCII headers: Disabled
URI filtering: Not configured
Advanced inspections: Not configured
– Medium
Protocol violation action: Drop connection
Drop connections for unsafe methods: Allow only GET, HEAD, and POST
Drop connections for requests with non-ASCII headers: Disabled
URI filtering: Not configured
Advanced inspections: Not configured
– High
Protocol violation action: Drop connection and log
Drop connections for unsafe methods: Allow only GET and HEAD.
Drop connections for requests with non-ASCII headers: Enabled
URI filtering: Not configured
Advanced inspections: Not configured
– URI Filtering—Opens the URI Filtering dialog box to configure URI filters.
– Customize—Opens the Edit HTTP Policy Map dialog box for additional settings.
– Default Level—Sets the security level back to the default level of Medium.
URI Filtering
The URI Filtering dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > HTTP > URI Filtering
The URI Filtering dialog box lets you configure the settings for an URI filter.
Fields
-
Match Type—Shows the match type, which can be a positive or negative match.
-
Criterion—Shows the criterion of the inspection.
-
Value—Shows the value to match in the inspection.
-
Action—Shows the action if the match condition is met.
-
Log—Shows the log state.
-
Add—Opens the Add URI Filtering dialog box to add a URI filter.
-
Edit—Opens the Edit URI Filtering dialog box to edit a URI filter.
-
Delete—Deletes an URI filter.
-
Move Up—Moves an entry up in the list.
-
Move Down—Moves an entry down in the list.
Add/Edit HTTP Policy Map (Security Level)
The Add/Edit HTTP Policy Map (Security Level) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Basic View
The Add/Edit HTTP Policy Map pane lets you configure the security level and additional settings for HTTP application inspection maps.
Fields
-
Name—When adding an HTTP map, enter the name of the HTTP map. When editing an HTTP map, the name of the previously configured HTTP map is shown.
-
Description—Enter the description of the HTTP map, up to 200 characters in length.
-
Security Level—Select the security level (low, medium, or high).
– Low—Default.
Protocol violation action: Drop connection
Drop connections for unsafe methods: Disabled
Drop connections for requests with non-ASCII headers: Disabled
URI filtering: Not configured
Advanced inspections: Not configured
– Medium
Protocol violation action: Drop connection
Drop connections for unsafe methods: Allow only GET, HEAD, and POST
Drop connections for requests with non-ASCII headers: Disabled
URI filtering: Not configured
Advanced inspections: Not configured
– High
Protocol violation action: Drop connection and log
Drop connections for unsafe methods: Allow only GET and HEAD.
Drop connections for requests with non-ASCII headers: Enabled
URI filtering: Not configured
Advanced inspections: Not configured
– URI Filtering—Opens the URI Filtering dialog box which lets you configure the settings for an URI filter.
– Default Level—Sets the security level back to the default.
-
Details—Shows the Parameters and Inspections tabs to configure additional settings.
Add/Edit HTTP Policy Map (Details)
The Add/Edit HTTP Policy Map (Details) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Advanced View
The Add/Edit HTTP Policy Map pane lets you configure the security level and additional settings for HTTP application inspection maps.
Fields
-
Name—When adding an HTTP map, enter the name of the HTTP map. When editing an HTTP map, the name of the previously configured HTTP map is shown.
-
Description—Enter the description of the HTTP map, up to 200 characters in length.
-
Security Level—Shows the security level and URI filtering settings to configure.
-
Parameters—Tab that lets you configure the parameters for the HTTP inspect map.
– Check for protocol violations—Checks for HTTP protocol violations.
Action—Drop Connection, Reset, Log.
Log—Enable or disable.
– Spoof server string—Replaces the server HTTP header value with the specified string.
Spoof String—Enter a string to substitute for the server header field. Maximum is 82 characters.
– Body Match Maximum—The maximum number of characters in the body of an HTTP message that should be searched in a body match. Default is 200 bytes. A large number will have a significant impact on performance.
-
Inspections—Tab that shows you the HTTP inspection configuration and lets you add or edit.
– Match Type—Shows the match type, which can be a positive or negative match.
– Criterion—Shows the criterion of the HTTP inspection.
– Value—Shows the value to match in the HTTP inspection.
– Action—Shows the action if the match condition is met.
– Log—Shows the log state.
– Add—Opens the Add HTTP Inspect dialog box to add an HTTP inspection.
– Edit—Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection.
– Delete—Deletes an HTTP inspection.
– Move Up—Moves an inspection up in the list.
– Move Down—Moves an inspection down in the list.
Add/Edit HTTP Map
The Add/Edit HTTP Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Advanced View > Add/Edit HTTP Inspect
The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map.
Fields
-
Single Match—Specifies that the HTTP inspect has only one match statement.
-
Match Type—Specifies whether traffic should match or not match the values.
For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
-
Criterion—Specifies which criterion of HTTP traffic to match.
– Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.
– Request Arguments—Applies the regular expression match to the arguments of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified.
Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.
– Request Body—Applies the regular expression match to the body of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields.
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the maximum number of header fields.
– Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified.
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.
– Request Header Field—Applies the regular expression match to the header of the request.
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers.
Greater Than Count—Enter the maximum number of headers.
– Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified.
Greater Than Length—Enter a header length value in bytes.
– Request Header non-ASCII—Matches non-ASCII characters in the header of the request.
– Request Method—Applies the regular expression match to the method of the request.
Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
Regular Expression—Specifies to match on a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified.
Greater Than Length—Enter a URI length value in bytes.
– Request URI—Applies the regular expression match to the URI of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Response Body—Applies the regex match to the body of the response.
ActiveX—Specifies to match on ActiveX.
Java Applet—Specifies to match on a Java Applet.
Regular Expression—Specifies to match on a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified.
Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.
– Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the maximum number of header fields.
– Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.
– Response Header Field—Applies the regular expression match to the header of the response.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers.
Greater Than Count—Enter the maximum number of headers.
– Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified.
Greater Than Length—Enter a header length value in bytes.
– Response Header non-ASCII—Matches non-ASCII characters in the header of the response.
– Response Status Line—Applies the regular expression match to the status line.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
-
Multiple Matches—Specifies multiple matches for the HTTP inspection.
– H323 Traffic Class—Specifies the HTTP traffic class match.
– Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps.
-
Action—Drop connection, reset, or log.
-
Log—Enable or disable.
SMTP and Extended SMTP Inspection
This section describes the IM inspection engine. This section includes the following topics:
SMTP and ESMTP Inspection Overview
ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA and by adding monitoring capabilities.
ESMTP is an enhancement to the SMTP protocol and is similar is most respects to SMTP. For convenience, the term SMTP is used in this document to refer to both SMTP and ESMTP. The application inspection process for extended SMTP is similar to SMTP application inspection and includes support for SMTP sessions. Most commands used in an extended SMTP session are the same as those used in an SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.
Extended SMTP application inspection adds support for these extended SMTP commands, including AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, STARTTLS, and VRFY. Along with the support for seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET), the ASA supports a total of fifteen SMTP commands.
Other extended SMTP commands, such as ATRN, ONEX, VERB, CHUNKING, and private extensions and are not supported. Unsupported commands are translated into Xs, which are rejected by the internal server. This results in a message such as “500 Command unknown: 'XXX'.” Incomplete commands are discarded.
The ESMTP inspection engine changes the characters in the server SMTP banner to asterisks except for the “2”, “0”, “0” characters. Carriage return (CR) and linefeed (LF) characters are ignored.
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following rules are not observed: SMTP commands must be at least four characters in length; must be terminated with carriage return and line feed; and must wait for a response before issuing the next reply.
An SMTP server responds to client requests with numeric reply codes and optional human-readable strings. SMTP application inspection controls and reduces the commands that the user can use as well as the messages that the server returns. SMTP inspection performs three primary tasks:
-
Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
-
Monitors the SMTP command-response sequence.
-
Generates an audit trail—Audit record 108002 is generated when invalid character embedded in the mail address is replaced. For more information, see RFC 821.
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
-
Truncated commands.
-
Incorrect command termination (not terminated with <CR><LR>).
-
The MAIL and RCPT commands specify who are the sender and the receiver of the mail. Mail addresses are scanned for strange characters. The pipeline character (|) is deleted (changed to a blank space) and “<” ‚”>” are only allowed if they are used to define a mail address (“>” must be preceded by “<”).
-
Unexpected transition by the SMTP server.
-
For unknown commands, the ASA changes all the characters in the packet to X. In this case, the server generates an error code to the client. Because of the change in the packed, the TCP checksum has to be recalculated or adjusted.
-
TCP stream editing.
-
Command pipelining.
Select ESMTP Map
The Select ESMTP Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >Select ESMTP Map
The Select ESMTP Map dialog box lets you select or create a new ESMTP map. An ESMTP map lets you change the configuration values used for ESMTP application inspection. The Select ESMTP Map
table provides a list of previously configured maps that you can select for application inspection.
Fields
-
Use the default ESMTP inspection map—Specifies to use the default ESMTP map.
-
Select an ESMTP map for fine control over inspection
—
Lets you select a defined application inspection map or add a new one.
-
Add—Opens the Add Policy Map dialog box for the inspection.
ESMTP Inspect Map
The ESMTP Inspect Map dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP
The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection.
Since ESMTP traffic can be a main source of attack from spam, phising, malformed messages, buffer overflows, and buffer underflows, detailed packet inspection and control of ESMTP traffic are supported. Application security and protocol conformance enforce the sanity of the ESMTP message as well as detect several attacks, block senders and receivers, and block mail relay.
Fields
-
ESMTP Inspect Maps—Table that lists the defined ESMTP inspect maps.
-
Add—Configures a new ESMTP inspect map. To edit an ESMTP inspect map, choose the ESMTP entry in the ESMTP Inspect Maps table and click
Customize
.
-
Delete—Deletes the inspect map selected in the ESMTP Inspect Maps table.
-
Security Level—Select the security level (high, medium, or low).
– Low—Default.
Log if command line length is greater than 512
Log if command recipient count is greater than 100
Log if body line length is greater than 1000
Log if sender address length is greater than 320
Log if MIME file name length is greater than 255
– Medium
Obfuscate Server Banner
Drop Connections if command line length is greater than 512
Drop Connections if command recipient count is greater than 100
Drop Connections if body line length is greater than 1000
Drop Connections if sender address length is greater than 320
Drop Connections if MIME file name length is greater than 255
– High
Obfuscate Server Banner
Drop Connections if command line length is greater than 512
Drop Connections if command recipient count is greater than 100
Drop Connections if body line length is greater than 1000
Drop Connections and log if sender address length is greater than 320
Drop Connections and log if MIME file name length is greater than 255
– MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.
– Customize—Opens the Add/Edit ESMTP Policy Map dialog box for additional settings.
– Default Level—Sets the security level back to the default level of Low.
MIME File Type Filtering
The MIME File Type Filtering dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > MIME File Type Filtering
The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.
Fields
-
Match Type—Shows the match type, which can be a positive or negative match.
-
Criterion—Shows the criterion of the inspection.
-
Value—Shows the value to match in the inspection.
-
Action—Shows the action if the match condition is met.
-
Log—Shows the log state.
-
Add—Opens the Add MIME File Type Filter dialog box to add a MIME file type filter.
-
Edit—Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter.
-
Delete—Deletes a MIME file type filter.
-
Move Up—Moves an entry up in the list.
-
Move Down—Moves an entry down in the list.
Add/Edit ESMTP Policy Map (Security Level)
The Add/Edit ESMTP Policy Map (Security Level) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Basic View
The Add/Edit ESMTP Policy Map pane lets you configure the security level and additional settings for ESMTP application inspection maps.
Fields
-
Name—When adding an ESMTP map, enter the name of the ESMTP map. When editing an ESMTP map, the name of the previously configured ESMTPS map is shown.
-
Description—Enter the description of the ESMTP map, up to 200 characters in length.
-
Security Level—Select the security level (high, medium, or low).
– Low—Default.
Log if command line length is greater than 512
Log if command recipient count is greater than 100
Log if body line length is greater than 1000
Log if sender address length is greater than 320
Log if MIME file name length is greater than 255
– Medium
Obfuscate Server Banner
Drop Connections if command line length is greater than 512
Drop Connections if command recipient count is greater than 100
Drop Connections if body line length is greater than 1000
Drop Connections if sender address length is greater than 320
Drop Connections if MIME file name length is greater than 255
– High
Obfuscate Server Banner
Drop Connections if command line length is greater than 512
Drop Connections if command recipient count is greater than 100
Drop Connections if body line length is greater than 1000
Drop Connections and log if sender address length is greater than 320
Drop Connections and log if MIME file name length is greater than 255
– MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.
– Default Level—Sets the security level back to the default level of Low.
-
Details—Shows the Parameters and Inspections tabs to configure additional settings.
Add/Edit ESMTP Policy Map (Details)
The Add/Edit ESMTP Policy Map (Details) dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View
The Add/Edit ESMTP Policy Map pane lets you configure the security level and additional settings for ESMTP application inspection maps.
Fields
-
Name—When adding an ESMTP map, enter the name of the ESMTP map. When editing an ESMTP map, the name of the previously configured ESMTP map is shown.
-
Description—Enter the description of the ESMTP map, up to 200 characters in length.
-
Security Level—Shows the security level and mime file type filtering settings to configure.
-
Parameters—Tab that lets you configure the parameters for the ESMTP inspect map.
– Mask server banner—Enforces banner obfuscation.
– Configure Mail Relay—Enables ESMTP mail relay.
Domain Name—Specifies a local domain.
Action—Drop connection or log.
Log—Enable or disable.
-
Inspections—Tab that shows you the ESMTP inspection configuration and lets you add or edit.
– Match Type—Shows the match type, which can be a positive or negative match.
– Criterion—Shows the criterion of the ESMTP inspection.
– Value—Shows the value to match in the ESMTP inspection.
– Action—Shows the action if the match condition is met.
– Log—Shows the log state.
– Add—Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection.
– Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection.
– Delete—Deletes an ESMTP inspection.
– Move Up—Moves an inspection up in the list.
– Move Down—Moves an inspection down in the list.
Add/Edit ESMTP Inspect
The Add/Edit ESMTP Inspect dialog box is accessible as follows:
Configuration > Global Objects > Inspect Maps > ESMTP > ESMTP Inspect Map > Advanced View > Add/Edit ESMTP Inspect
The Add/Edit ESMTP Inspect dialog box lets you define the match criterion and value for the ESMTP inspect map.
Fields
-
Match Type—Specifies whether traffic should match or not match the values.
For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map.
-
Criterion—Specifies which criterion of ESMTP traffic to match.
– Body Length—Match body length at specified length in bytes.
– Body Line Length—Match body line length matching at specified length in bytes.
– Commands—Match commands exchanged in the ESMTP protocol.
– Command Recipient Count—Match command recipient count greater than number specified.
– Command Line Length—Match command line length greater than length specified in bytes.
– EHLO Reply Parameters—Match an ESMTP ehlo reply parameter.
– Header Length—Match header length at length specified in bytes.
– Header To Fields Count—Match header To fields count greater than number specified.
– Invalid Recipients Count—Match invalid recipients count greater than number specified.
– MIME File Type—Match MIME file type.
– MIME Filename Length—Match MIME filename.
– MIME Encoding—Match MIME encoding.
– Sender Address—Match sender email address.
– Sender Address Length—Match sender email address length.
-
Body Length Criterion Values—Specifies the value details for body length match.
– Greater Than Length—Body length in bytes.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
-
Body Line Length Criterion Values—Specifies the value details for body line length match.
– Greater Than Length—Body line length in bytes.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
-
Commands Criterion Values—Specifies the value details for command match.
– Available Commands Table:
AUTH
DATA
EHLO
ETRN
HELO
HELP
MAIL
NOOP
QUIT
RCPT
RSET
SAML
SOML
VRFY
– Add—Adds the selected command from the Available Commands table to the Selected Commands table.
– Remove—Removes the selected command from the Selected Commands table.
– Primary Action—Mask, Reset, Drop Connection, None, Limit Rate (pps).
– Log—Enable or disable.
– Rate Limit—Do not limit rate, Limit Rate (pps).
-
Command Recipient Count Criterion Values—Specifies the value details for command recipient count match.
– Greater Than Count—Specify command recipient count.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
-
Command Line Length Criterion Values—Specifies the value details for command line length.
– Greater Than Length—Command line length in bytes.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
-
EHLO Reply Parameters Criterion Values—Specifies the value details for EHLO reply parameters match.
– Available Parameters Table:
8bitmime
auth
binarymime
checkpoint
dsn
ecode
etrn
others
pipelining
size
vrfy
– Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table.
– Remove—Removes the selected command from the Selected Commands table.
– Action—Reset, Drop Connection, Mask, Log.
– Log—Enable or disable.
-
Header Length Criterion Values—Specifies the value details for header length match.
– Greater Than Length—Header length in bytes.
– Action—Reset, Drop Connection, Mask, Log.
– Log—Enable or disable.
-
Header To Fields Count Criterion Values—Specifies the value details for header To fields count match.
– Greater Than Count—Specify command recipient count.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
-
Invalid Recipients Count Criterion Values—Specifies the value details for invalid recipients count match.
– Greater Than Count—Specify command recipient count.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
-
MIME File Type Criterion Values—Specifies the value details for MIME file type match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Action—Reset, drop connection, log.
– Log—Enable or disable.
-
MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match.
– Greater Than Length—MIME filename length in bytes.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.
-
MIME Encoding Criterion Values—Specifies the value details for MIME encoding match.
– Available Encodings table
7bit
8bit
base64
binary
others
quoted-printable
– Add—Adds the selected parameter from the Available Encodings table to the Selected Encodings table.
– Remove—Removes the selected command from the Selected Commands table.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.
-
Sender Address Criterion Values—Specifies the value details for sender address match.
– Regular Expression—Lists the defined regular expressions to match.
– Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
– Regular Expression Class—Lists the defined regular expression classes to match.
– Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.
-
Sender Address Length Criterion Values—Specifies the value details for sender address length match.
– Greater Than Length—Sender address length in bytes.
– Action—Reset, Drop Connection, Log.
– Log—Enable or disable.