HTTP Inspection Engine
The HTTP Inspection Engine feature allows users to configure their Cisco IOS Firewall to detect and prohibit HTTP connections—such as tunneling over port 80, unauthorized request methods, and non-HTTP-compliant file transfers—that are not authorized within the scope of the security policy configuration. Tunneling unauthorized protocols through port 80 and over HTTP exposes a network to significant security risks.
The Cisco IOS Firewall can now be configured with a security policy that adheres to the following tasks:
• Allowing specific traffic targeted for port 80 to traverse the firewall. The traffic is inspected for protocol conformance and for the types of HTTP commands that are allowed or disallowed.
• Denying specific traffic targeted for port 80 that does not comply with HTTP traffic standards. The firewall is enabled to drop the packet, reset the connection, and send a syslog message, as appropriate.
Feature History for HTTP Inspection Engine
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Restrictions for HTTP Inspection Engine
• Information About HTTP Inspection Engine
• How to Define and Apply an HTTP Application Policy to a Firewall for Inspection
• Configuration Examples for Setting Up an HTTP Inspection Engine
Restrictions for HTTP Inspection Engine
The Cisco 831 router with 48M RAM does not have enough memory to support this feature.
Information About HTTP Inspection Engine
Before configuring an application firewall to detect and police specific traffic targeted for port 80, you should understand the following concepts:
• Cisco IOS HTTP Application Policy Overview
What Is a Security Policy?
The application firewall uses a security policy, which consists of a collection of static signatures, to detect security violations. A static signature is a collection of parameters that specify protocol conditions that must be met before an action is taken. (For example, a signature may specify that an HTTP data stream containing the POST method must reset the connection.) These protocol conditions and reactions are defined by the end user via the command-line interface (CLI) to form a security policy.
Cisco IOS HTTP Application Policy Overview
HTTP uses port 80 to transport Internet web services, which are commonly used on the network and rarely challenged with regard to their legitimacy and conformance to standards. Because port 80 traffic is typically allowed through the network without being challenged, many application developers are leveraging HTTP as an alternative transport protocol that lets their application travel through, or even bypass, the firewall.
Most firewalls provide only packet filtering capabilities that simply permit or deny port 80 traffic without inspecting the data stream; the Cisco IOS application firewall for HTTP performs packet inspection as follows:
• Detects HTTP connections that are not authorized within the scope of the security policy configuration.
• Detects users who are tunneling applications through port 80.
If the packet is not in compliance with the HTTP protocol, it will be dropped, the connection will be reset, and a syslog message will be generated, as appropriate.
How to Define and Apply an HTTP Application Policy to a Firewall for Inspection
This section contains the following procedures:
• Defining an HTTP Application Policy
• Applying an HTTP Application Policy to a Firewall for Inspection
Defining an HTTP Application Policy
Use this task to create an HTTP application firewall policy.
Restrictions
Although application firewall policies are defined in global configuration mode, only one global policy for a given protocol is allowed per interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. appfw policy-name policy-name
4. application protocol
5. strict-http action {reset | allow} [alarm]
6. content-length {min bytes max bytes | min bytes | max bytes} action {reset | allow} [alarm]
7. content-type-verification [match-req-resp] action {reset | allow} [alarm]
8. max-header-length request bytes response bytes action {reset | allow} [alarm]
9. max-uri-length bytes action {reset | allow} [alarm]
10. request-method {rfc rfc-method | extension extension-method} action {reset | allow} [alarm]
11. port-misuse {p2p | tunneling | im | default} action {reset | allow} [alarm]
12. transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]
13. timeout seconds
14. audit-trail {on | off}
15. exit
16. exit
DETAILED STEPS
What to Do Next
After you have successfully defined an application policy for HTTP traffic inspection, you must apply the policy to an inspection rule. Thereafter, the inspection rule must be applied to an interface. For information on completing this task, see the section "Applying an HTTP Application Policy to a Firewall for Inspection."
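The policy lines in steps 5 through 12 are easiest to understand as a set of per-request checks, each with its own action (reset or allow) and optional alarm. The following Python model is an added illustration, not Cisco IOS code: it parses one HTTP request, applies strict-http, content-length, content-type-verification, max-header-length, max-uri-length, request-method and transfer-encoding rules in the shape of the CLI syntax above, and returns the resulting action plus the alarms that would become syslog messages. port-misuse is left out because it depends on protocol signatures this task does not list. The policy dictionary layout, the alarm message format, the reading of match-req-resp as "response Content-Type must be acceptable to the request's Accept header", and all sample traffic are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Methods defined by the HTTP RFC; anything else is an "extension" method.
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


@dataclass(frozen=True)
class Rule:
    """One policy line: action 'reset' or 'allow', optionally with an alarm."""
    action: str
    alarm: bool = False


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser. Returns (method, uri, headers, body),
    or None when the stream is not well-formed HTTP (what strict-http catches)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
        method, uri, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not re.fullmatch(r"HTTP/\d\.\d", version):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def inspect(policy: dict, request: bytes, response_headers=None):
    """Apply the policy to one request (and, for match-req-resp, to the
    response headers). Returns (action, alarms): any 'reset' rule that fires
    resets the connection; 'allow alarm' rules only produce an alarm."""
    alarms, action = [], "allow"

    def fire(check, rule, detail):
        nonlocal action
        if rule.alarm:
            alarms.append(f"APPFW-4-HTTP_{check}: {detail}")  # constructed syslog stand-in
        if rule.action == "reset":
            action = "reset"

    parsed = parse_request(request)
    if parsed is None:
        if "strict-http" in policy:
            fire("STRICT_HTTP", policy["strict-http"], "stream is not RFC-conformant HTTP")
        return action, alarms
    method, uri, headers, body = parsed
    head_len = request.find(b"\r\n\r\n") + 4  # bytes of request line plus headers

    if "max-uri-length" in policy:
        limit, rule = policy["max-uri-length"]
        if len(uri) > limit:
            fire("MAX_URI_LENGTH", rule, f"uri length {len(uri)} > {limit}")
    if "max-header-length" in policy:
        req_limit, _resp_limit, rule = policy["max-header-length"]
        if head_len > req_limit:
            fire("MAX_HEADER_LENGTH", rule, f"request header {head_len} > {req_limit}")
    if "content-length" in policy:
        lo, hi, rule = policy["content-length"]
        try:
            size = int(headers.get("content-length", len(body)))
        except ValueError:
            size = len(body)
        if (lo is not None and size < lo) or (hi is not None and size > hi):
            fire("CONTENT_LENGTH", rule, f"content-length {size} outside [{lo}, {hi}]")
    if "request-method" in policy:
        group = "rfc" if method in RFC_METHODS else "extension"
        rules = policy["request-method"].get(group, {})
        rule = rules.get(method.lower(), rules.get("default"))  # 'default' covers the rest
        if rule is not None:
            fire("REQUEST_METHOD", rule, f"{group} method {method}")
    if "transfer-encoding" in policy and "transfer-encoding" in headers:
        enc = headers["transfer-encoding"].lower()
        rules = policy["transfer-encoding"]
        rule = rules.get(enc, rules.get("default"))
        if rule is not None:
            fire("TRANSFER_ENCODING", rule, f"transfer-encoding {enc}")
    if "content-type-verification" in policy:
        match_req_resp, rule = policy["content-type-verification"]
        if body and "content-type" not in headers:
            fire("CONTENT_TYPE", rule, "entity body without Content-Type header")
        elif match_req_resp and response_headers is not None:
            accept = [t.strip().split(";")[0] for t in headers.get("accept", "*/*").split(",")]
            ctype = response_headers.get("content-type", "").split(";")[0].strip()
            if "*/*" not in accept and ctype not in accept:
                fire("CONTENT_TYPE", rule, f"response {ctype!r} not in request Accept {accept}")
    return action, alarms


# Constructed policy: reset non-HTTP streams, oversized requests and extension
# methods; alarm on PUT; only chunked transfer-encoding is allowed silently.
SAMPLE_POLICY = {
    "strict-http": Rule("reset", alarm=True),
    "content-length": (0, 4096, Rule("reset", alarm=True)),
    "content-type-verification": (True, Rule("allow", alarm=True)),
    "max-header-length": (1024, 2048, Rule("reset", alarm=True)),
    "max-uri-length": (256, Rule("reset", alarm=True)),
    "request-method": {"rfc": {"put": Rule("allow", alarm=True)},
                       "extension": {"default": Rule("reset", alarm=True)}},
    "transfer-encoding": {"chunked": Rule("allow"), "default": Rule("reset", alarm=True)},
}

# Constructed sample traffic for the checks above.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
PUT_REQ = (b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello")
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"  # TLS record bytes arriving on port 80
EXT_METHOD = b"TUNNEL /proxy HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("put", PUT_REQ), ("not-http", NOT_HTTP), ("ext", EXT_METHOD)]:
        print(name, inspect(SAMPLE_POLICY, req))
    print("mismatch", inspect(SAMPLE_POLICY, GOOD, {"content-type": "application/octet-stream"}))
```

The first rule that fires with action reset decides the verdict, while allow rules only contribute alarms, which mirrors the reset/allow split in the CLI; the same model also shows the content-length semantics described later under the content-length command, where anything outside the configured range is subjected to the configured action.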
Applying an HTTP Application Policy to a Firewall for Inspection
Use this task to apply an HTTP application policy to an inspection rule, followed by applying the inspection rule to an interface.
Note
An application policy can coexist with other inspection protocols (for example, an HTTP policy and an FTP policy can coexist).
Prerequisites
You must have already defined an application policy (as shown in the section "Defining an HTTP Application Policy").
SUMMARY STEPS
1. enable
2. configure terminal
3. ip inspect name inspection-name appfw policy-name
4. ip inspect name inspection-name http [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
5. interface type number
6. ip inspect inspection-name {in | out}
7. exit
8. exit
9. show appfw configuration [name]
   or
   show ip inspect {name inspection-name | config | interfaces | session [detail] | statistics | all}
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot the application firewall configuration, issue the following application-firewall-specific debug command: debug appfw {application protocol | function-trace | object-creation | object-deletion | events | timers | detailed}.
The following sample configuration shows how to configure an HTTP policy with application firewall debugging enabled:
Router(config)# appfw policy-name myPolicy
APPFW FUNC:appfw_policy_find
APPFW FUNC:appfw_policy_find -- Policy myPolicy is not found
APPFW FUNC:appfw_policy_alloc
APPFW FUNC:appfw_policy_alloc -- policy_alloc 0x65727278
APPFW FUNC:appfw_policy_alloc -- Policy 0x65727278 is set to valid
APPFW FUNC:appfw_policy_alloc -- Policy myPolicy has been created
APPFW FUNC:appfw_policy_command -- memlock policy 0x65727278

! Debugging sample for application (HTTP) creation
Router(cfg-appfw-policy)# application http
APPFW FUNC:appfw_http_command
APPFW FUNC:appfw_http_appl_find
APPFW FUNC:appfw_http_appl_find -- Application not found
APPFW FUNC:appfw_http_appl_alloc
APPFW FUNC:appfw_http_appl_alloc -- appl_http 0x64D7A25C
APPFW FUNC:appfw_http_appl_alloc -- Application HTTP parser structure 64D7A25C created

! Debugging sample for HTTP-specific application inspection
Router(cfg-appfw-policy-http)#
Router(cfg-appfw-policy-http)# strict-http action reset alarm
APPFW FUNC:appfw_http_subcommand
APPFW FUNC:appfw_http_subcommand -- strict-http cmd turned on

Router# debug appfw detailed
APPFW Detailed Debug debugging is on
fw7-7206a#debug appfw object-creation
APPFW Object Creations debugging is on
fw7-7206a#debug appfw object-deletion
APPFW Object Deletions debugging is on

Configuration Examples for Setting Up an HTTP Inspection Engine
This section contains the following configuration example:
• Setting Up and Verifying an HTTP Inspection Engine: Example
Setting Up and Verifying an HTTP Inspection Engine: Example
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. This example also includes sample output from the show appfw configuration and show ip inspect config commands, which allow you to verify the configured settings for the application policy.
! Define the HTTP policy.
appfw policy-name mypolicy
application http
strict-http action allow alarm
content-length maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request 1 response 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc put action allow alarm
transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
ip inspect firewall in
!
!
! Issue the show appfw configuration command and the show ip inspect config command after the inspection rule "mypolicy" is applied to all incoming HTTP traffic on the FastEthernet0/0 interface.
!
Router# show appfw configuration
Application Firewall Rule configuration
Application Policy name mypolicy
Application http
strict-http action allow alarm
content-length minimum 0 maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request length 1 response length 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc put action allow alarm
transfer-encoding default action allow alarm

Router# show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name firewall
http alert is on audit-trail is off timeout 3600

Additional References
The following sections provide references related to the HTTP Inspection Engine feature.
Related Documents
Related Topic: Firewall commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Document Title: Cisco IOS Security Command Reference, Release 12.3T
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands.
New Commands
Global Configuration Commands
Application Firewall Policy HTTP (cfg-appfw-policy-http) Configuration Commands
Privileged Exec Commands
Modified Command
appfw policy-name
To define an application firewall policy and put the router in application firewall policy configuration mode, use the appfw policy-name command in global configuration mode. To remove a policy from the router configuration, use the no form of this command.
appfw policy-name policy-name
no appfw policy-name policy-name
Syntax Description
Defaults
If this command is not issued, an application firewall policy cannot be created.
Command Modes
Global configuration
Command History
Usage Guidelines
This command puts the router in application firewall policy (appfw-policy-protocol) configuration mode, which allows you to begin defining the application firewall policy that will later be applied to the Cisco IOS Firewall via the ip inspect name command.
What Is an Application Firewall Policy?
The application firewall uses static signatures to detect security violations. A static signature is a collection of parameters that specifies which protocol conditions must be met before an action is taken. (For example, a signature may specify that an HTTP data stream containing the POST method must reset the connection.) These protocol conditions and reactions are defined by the end user via a command-line interface (CLI) to form an application firewall policy (also known as a security policy).
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
application http
strict-http action allow alarm
content-length maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request 1 response 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc default action allow alarm
request-method extension default action allow alarm
transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
ip inspect firewall in
!
!
Related Commands
application
To put the router in appfw-policy-protocol configuration mode and begin configuring inspection parameters for a given protocol, use the application command in application firewall policy configuration mode. To remove protocol-specific rules, use the no form of this command.
application protocol
no application protocol
Syntax Description
protocol
Protocol-specific traffic will be inspected. Currently, the only supported protocol is HTTP (specified via the http keyword), which defines the web policy.
Defaults
You cannot set up protocol-specific inspection parameters.
Command Modes
Application firewall policy configuration
Command History
Usage Guidelines
This command puts the router in appfw-policy-protocol configuration mode, where "protocol" is dependent upon the specified protocol. Because HTTP is currently the only available protocol, the configuration mode is "appfw-policy-http."
HTTP-Specific Inspection Commands
After you issue the application command and enter the appfw-policy-http configuration mode, begin configuring inspection parameters for HTTP traffic by issuing any of the following commands:
• audit-trail
• content-length
• content-type-verification
• max-header-length
• max-uri-length
• port-misuse
• request-method
• strict-http
• timeout
• transfer-encoding
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
application http
strict-http action allow alarm
content-length maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request 1 response 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc default action allow alarm
request-method extension default action allow alarm
transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
ip inspect firewall in
!
!
Related Commands
Command: appfw policy-name
Description: Defines an application firewall policy and puts the router in application firewall policy configuration mode.
audit-trail
To turn audit trail messages on or off, use the audit-trail command in appfw-policy-http configuration mode. To return to the default value, use the no form of this command.
audit-trail {on | off}
no audit-trail {on | off}
Syntax Description
Defaults
If this command is not issued, the default value specified via the ip inspect audit-trail command will be used.
Command Modes
appfw-policy-http configuration
Command History
Usage Guidelines
The audit-trail command will override the ip inspect audit-trail global command.
Examples
The following example, which shows how to define the HTTP application firewall policy "mypolicy," enables audit trail messages for the given policy. This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
application http
audit-trail on
strict-http action allow alarm
content-length maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request 1 response 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc default action allow alarm
request-method extension default action allow alarm
transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
ip inspect firewall in
!
!
Related Commands
content-length
To permit or deny HTTP traffic through the firewall on the basis of message size, use the content-length command in appfw-policy-http configuration mode. To remove message-size limitations from your configuration, use the no form of this command.
content-length {min bytes max bytes | min bytes | max bytes} action {reset | allow} [alarm]
no content-length {min bytes max bytes | min bytes | max bytes} action {reset | allow} [alarm]
Syntax Description
Defaults
If this command is not enabled, message size is not considered when permitting or denying HTTP messages.
Command Modes
appfw-policy-http configuration
Command History
Usage Guidelines
All messages outside the specified content-length range will be subjected to the configured action (reset or allow).
Examples
The following example, which shows how to define the HTTP application firewall policy "mypolicy," will not permit HTTP messages longer than 1 byte. This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
application http
strict-http action allow alarm
content-length max 1 action allow alarm
content-type-verification match-req-resp action allow alarm
max-header-length request 1 response 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc default action allow alarm
request-method extension default action allow alarm
transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
ip inspect firewall in
!
!
content-type-verification
To permit or deny HTTP traffic through the firewall on the basis of content message type, use the content-type-verification command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
content-type-verification [match-req-resp] action {reset | allow} [alarm]
no content-type-verification [match-req-resp] action {reset | allow} [alarm]
Syntax Description

