Guest

Cisco IOS Software Releases 12.3 T

Granular Protocol Inspection

Table Of Contents

Granular Protocol Inspection

Contents

Prerequisites for Granular Inspection Protocol

Restrictions for Granular Inspection Protocol

Information About Granular Protocol Inspection

Cisco IOS Firewall

Granular Protocol Inspection

Benefits

How to Configure Granular Protocol Inspection

Defining Applications

Setting Up Inspection Rules

Verifying the Configuration

Configuration Examples for Granular Protocol Inspection

Defining an Application for the PAM Table: Example

Setting Up an Inspection Rule: Example

Verifying the Configuration: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

ip inspect name

ip port-map

show ip port-map

Glossary


Granular Protocol Inspection


The Granular Protocol Inspection feature adds flexibility to the Cisco IOS Firewall by allowing it to perform a higher degree of inspection of TCP and User Data Protocol (UDP) traffic for most RFC 1700 application types.

Feature History for Granular Protocol Inspection

Release
Modification

12.3(14)T

This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Granular Inspection Protocol

Restrictions for Granular Inspection Protocol

Information About Granular Protocol Inspection

How to Configure Granular Protocol Inspection

Configuration Examples for Granular Protocol Inspection

Additional References

Command Reference

Glossary

Prerequisites for Granular Inspection Protocol

Cisco IOS Firewall software must be installed in your network.

Access control lists (ACLs) must be applied to specified interfaces to enable the existing firewall software to function properly.

Restrictions for Granular Inspection Protocol

Port ranges cannot be specified directly in the ip inspect name command; use the port-to-application mapping (PAM) table.

Information About Granular Protocol Inspection

To use the Granular Protocol Inspection feature, you need to understand the following concepts:

Cisco IOS Firewall

Granular Protocol Inspection

Benefits

Cisco IOS Firewall

The Cisco IOS Firewall is a security-specific option that provides inspection firewall functionality and intrusion detection for every network perimeter. By delivering state-of-the-art security features such as stateful, application-based filtering; dynamic per-user authentication and authorization; and URL filtering, the Cisco IOS Firewall adds greater depth and flexibility to existing Cisco IOS security solutions including authentication, encryption, and failover.

A firewall is a physical software or hardware barrier between one part of an internal network used to control access to and from external networks. This barrier is unique because it allows predefined traffic to pass through the firewall while being monitored for protocol anomalies. The difficult part is determining the criteria by which the packets are granted or denied access through the device.

As mentioned, a firewall blocks traffic and permits other types of traffic to traverse. Firewalls are not just access control lists (ACLs); rather, they are a stateful inspection application.

Granular Protocol Inspection

The Cisco IOS Firewall performs inspections for TCP and UDP traffic. For example, TCP inspections include Telnet traffic (port 23, by default) as well as all other applications on TCP such as Hypertext Transfer Protocol (HTTP), e-mail, instant message (IM) chatter, and so on. Therefore, there is no easy way to inspect Telnet traffic alone and deny all other TCP traffic.

The Granular Protocol Inspection feature allows you to specify TCP or UDP ports using the PAM table. As a result, the Cisco IOS Firewall can restrict traffic inspections to specific applications, thereby permitting a higher degree of granularity in selecting which protocols are to be permitted and denied as shown in Figure 1.

Figure 1 Sample Topology

Benefits

The Granular Protocol Inspection feature provides the following benefits:

Greater flexibility by allowing more granularity in the selection of protocols to be inspected

Ease of use by providing for group inspection of multiple ports into a single, user-defined application keyword

Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges

Improved performance and reduced CPU load resulting from focused inspection selections

How to Configure Granular Protocol Inspection

This section contains the following procedures:

Defining Applications (required)

Setting Up Inspection Rules (required)

Verifying the Configuration (optional)

Defining Applications

Perform the following task to define your applications in the PAM table by using the ip port-map command.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip port-map appl-name port [tcp | udp] [port_num | from begin_port_num to end_port_num]
[list acl-num] [description description_string]

4. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip port-map appl-name port [tcp | udp] [port_num | from begin_port_num to end_port_num] [list acl-num] [description description_string]

Example:

Router(config)# ip port-map user-10 port udp from 3400 to 3433 list 22 description "test application"

Establishes PAM entries.

Note When defining a user application in the PAM table, you must enter the prefix user-; otherwise, the following error message appears: "Unable to add port-map entry. Names for user-defined applications must start with 'user-'."

Note Write the text string in the following format: "C description_string C," where "C" is a delimiting character.

Step 4 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Setting Up Inspection Rules

Perform the following task to set up your inspection rules by using the ip inspect name command.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}]
[
timeout seconds]

4. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}]
[timeout seconds]

Example:

Router(config)# ip inspect name abc user-10

Defines inspection rules.

Note Replace the protocol argument with the application (PAM entry) that you just defined in the previous step. In this example, it is user-10.

Step 4 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Verifying the Configuration

Perform the following task to verify your applications and inspection rules.

SUMMARY STEPS

1. enable

2. show ip port-map [appl-name | port port-num [detail]]

3. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show ip port-map [appl-name | port port-num [detail]]

Example:

Router# show ip port-map port 70 detail

Establishes PAM entries.

Step 3 

exit

Example:

Router# exit

(Optional) Exits privileged EXEC mode.

Configuration Examples for Granular Protocol Inspection

This section contains the following configuration examples:

Defining an Application for the PAM Table: Example

Setting Up an Inspection Rule: Example

Verifying the Configuration: Example

Defining an Application for the PAM Table: Example

In the following example from the ip port-map command, a user-defined application named user-10 is defined in the PAM table for five ports using the TCP protocol. Standard access list 77 is applied to define host-specific port mapping and "TEST STRING" is the description.

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip port-map user-10 port tcp 4000 5000 6000 7000 8000 list 77 description 
"TEST STRING"

Router(config)# end

Setting Up an Inspection Rule: Example

The following example from the ip inspect name command, lists user-10 as an application with the description "TEST STRING."

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip inspect name abc ?

  bootpc       Bootstrap Protocol Client
  bootps       Bootstrap Protocol Server
  cisco-fna    Cisco FNATIVE
  cisco-sys    Cisco SYSMAINT
  cisco-tna    Cisco TNATIVE
  cuseeme      CUSeeMe Protocol
  echo         Echo port
  esmtp        Extended SMTP
  finger       Finger
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  gopher       Gopher
  gtpv0        GPRS Tunneling Protocol Version 0
  gtpv1        GPRS Tunneling Protocol Version 1
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  icmp         ICMP Protocol
  imap         IMAP Protocol
  imap3        Interactive Mail Access Protocol 3
  kerberos     Kerberos
  ldap         Lightweight Directory Access Protocol
  netbios-dgm  NETBIOS Datagram Service
  netshow      Microsoft NetShow Protocol
  nntp         Network News Transport Protocol
  parameter    Specify inspection parameters
  pop3         POP3 Protocol
  pwdgen       Password  Generator Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Prodedure Call Protocol
  rtsp         Real Time Streaming Protocol
  secure-http  Secure Hypertext Transfer Protocol
  sip          SIP Protocol
  skinny       Skinny Client Control Protocol
  smtp         Simple Mail Transfer Protocol
  snmp         Simple Network Management Protocol
  snmptrap     SNMP Trap
  sqlnet       SQL Net Protocol
  sqlsrv       SQL Service
  streamworks  StreamWorks Protocol
  tacacs       Login Host Protocol (TACACS)
  tacacs-ds    TACACS-Database Service
  tcp          Transmission Control Protocol
  telnet       Telnet
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
  user-10      TEST STRING		<----- !user-defined application!

In the following example from the ip inspect name command, an inspection rule is established for user-10:

Router# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip inspect name abc user-10 

Router(config)# end

Verifying the Configuration: Example

The following example verifies your port-map configuration:

Router# show running-config  | include port-map

ip port-map user-10 port tcp 4000 5000 6000 7000 8000 list 77 description "TEST STRING" 

The following example verifies your inspection rule configuration:

Router# show running-config | include inspect

ip inspect name abc user-10

The following example displays information about the user-defined application called user-10.

Router# show ip port-map user-10

Host specific:    user-10              tcp port 4000...8000    in list 77    user defined

The following example displays detailed information about the user-defined application called user-10.

Router# show ip port-map user-10 detail

IP port-map entry for application 'user-10':
     tcp 4000...8000                   list 77 "TEST STRING"                  user defined

Additional References

The following sections provide references related to the Granular Protocol Inspection feature.

Related Documents

Related Topic
Document Title

Security commands: complete command syntax, command mode, defaults, usage guidelines, and examples

Cisco IOS Security Command Reference, Release 12.3 T

Security features including firewalls and authentication

Cisco IOS Security Configuration Guide, Release 12.3


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport


Command Reference

This section documents modified commands.

ip inspect name

ip port-map

show ip port-map

ip inspect name

To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command.

ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

HTTP Inspection Syntax

ip inspect name inspection-name http [urlfilter] [java-list access-list] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

SMTP and ESMTP Inspection Syntax

ip inspect name inspection-name {smtp | esmtp} [alert {on | off}] [audit-trail {on | off}] [max-data number] [timeout seconds]

remote-procedure call (RPC) Inspection Syntax

ip inspect name inspection-name [parameter max-sessions number] rpc program-number number [wait-time minutes] [alert {on | off}] [audit-trail {on | off}] [timeout seconds]

no ip inspect name inspection-name protocol

POP3/IMAP Inspection Syntax

ip inspect name inspection-name imap [alert {on | off}] [audit-trail {on | off}] [reset] [secure-login] [timeout number]

ip inspect name inspection-name pop3 [alert {on | off}] [audit-trail {on | off}] [reset] [secure-login] [timeout number]

Fragment Inspection Syntax

ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds]

no ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds]

Application Firewall Provisioning Syntax

ip inspect name inspection-name [parameter max-sessions number] appfw policy-name

no ip inspect name inspection-name [parameter max-sessions number] appfw policy-name

User-Defined Application Syntax

ip inspect name inspection-name user-10 [alert {on | off}] [audit-trail {on | off}] [timeout seconds}

no ip inspect name inspection-name user-10 [alert {on | off}] [audit-trail {on | off}] [timeout seconds}

Session Limiting Syntax

no ip inspect name inspection-name [parameter max-sessions number]

Syntax Description

inspection-name

Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules.

Note The inspection-name cannot exceed 16 characters; otherwise, the name will be truncated to the 16-character limit.

parameter
max-sessions number

(Optional) Limits the number of established firewall sessions that a firewall rule creates. The default is that there is no limit to the number of firewall sessions.

protocol

A protocol keyword listed in Table 1 or Table 2.

alert {on | off}

(Optional) For each inspected protocol, the generation of alert messages can be set be on or off. If no option is selected, alerts are generated on the basis of the setting of the ip inspect alert-off command.

audit-trail {on | off}

(Optional) For each inspected protocol, audit trail can be set on or off. If no option is selected, an audit trail message are generated on the basis of the setting of the ip inspect audit-trail command.

timeout seconds

(Optional) To override the global TCP or User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout.

This timeout overrides the global TCP, UDP, or ICMP timeouts but will not override the global Domain Name System (DNS) timeout.

http

Specifies the HTTP protocol for Java applet blocking.

urlfilter

(Optional) Associates URL filtering with HTTP inspection.

java-list access-list

(Optional) Specifies the numbered standard access list to use to determine "friendly" sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard access lists.

smtp | esmtp

Specifies the protocol being used to inspect the traffic.

max-data number

(Optional) Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transport Protocol (SMTP) session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. Default value: 20 MB

rpc program-number number

Specifies the program number to permit. This keyword is available only for the remote-procedure call protocol.

wait-time minutes

(Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the remote-procedure call (RPC) protocol.

reset

(Optional) Resets the TCP connection if the client enters a non-protocol command before authentication is complete.

secure-login

(Optional) Causes a user at a non-secure location to use encryption for authentication.

imap

Specifies that the Internet Message Access Protocol (IMAP) is being used.

pop3

Specifies that the Post Office Protocol, Version 3 (POP3) is being used.

fragment

Specifies fragment inspection for the named rule.

max number

(Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through 10000. The default is 256 state entries.

Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

timeout seconds
(fragmentation)

(Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is 1 second.

If this number is set to a value greater that 1 second, it is automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is fewer than 32, the timeout is divided by 2. When the number of free states is fewer than 16, the timeout is set to 1 second.

appfw

Specifies application firewall provisioning.

policy-name

Application firewall policy name.

Note This name must match the name specified via the appfw policy-name command.

appname

Specifies a user- or a system-defined application; for example, user-payroll-sap and user-sametime. Application names can contain hyphens and underscores; however, a user-defined application must have the prefix user- in its title.

port

Specifies the port range for an application.

tcp | udp

Specifies the protocol being used to inspect the traffic.

from begin_port_num to end_port_num | port_num1 ...

Specifies the starting and ending port numbers or a range of ports from 1 to 5. You must use the from and to keywords together.

list acl_list_num

(Optional) Specifies an access control list number. Only standard ACLs are supported.

description description_string

(Optional) Specifies a description of up to 40 characters.

user-10

Represents a user-defined application in the port-to-application mapping (PAM) table of the ip port-map command.

router-traffic

(Optional) Enables inspection of traffic destined to or originated from a router. Applicable only for H.323, TCP, and UDP protocols. For the command format, see the Note after Table 1.


Defaults

No inspection rules are defined until you define them using this command.

no ip inspect-name protocol removes the inspection rule for the specified protocol.

no ip inspect name removes the entire set of inspection rules.

Command Modes

Global configuration

Command History

Release
Modification

11.2 P

This command was introduced.

12.0(5)T

Introduced configurable alert and audit trail, IP fragmentation checking, and NetShow protocol support.

12.2(11)YU

Support was added for ICMP and SIP protocols and the urlfilter keyword was added to the HTTP inspection syntax.

12.2(15)T

Support was added for ICMP, SIP protocols, and the urlfilter keyword was integrated into Cisco IOS Release 12.2(15)T.

12.3(1)

Skinny protocol support was added.

12.3(7)T

Extended Simple Mail Transfer Protocol (ESMTP) protocol support was added.

12.3(14)T

The appfw keyword and the policy-name argument were added to support application firewall provisioning. The parameter max-sessions, secure-login, reset, and router-traffic keywords were added.

Support for a larger list of protocols including user-defined applications was added.


Usage Guidelines

To define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface—you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic.

To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for ICMP, TCP, and UDP, or as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name. (There are no application-layer protocols associated with ICMP.)

To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols.

In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained.

Table 1 Protocol Keywords—Transport-Layer and Network-Layer Protocols 

Protocol
Keyword

ICMP

icmp

TCP

tcp

UDP

udp


Note The TCP, UDP, and H.323 protocols support the router-traffic keyword, which enables inspection of traffic destined to or originated from a router. The command format is as follows:

ip inspect name inspection-name {TCP | UDP | H323} [alert {on | off}] [audit-trail {on | off}][router-traffic][timeout seconds]

TCP and UDP Inspection

You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number from the previous exiting packet.

Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant.

With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source or destination addresses and source or destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface.

Granular protocol inspection allows you to specify TCP or UDP ports by using the PAM table. This eliminates having to inspect all applications running under TCP or UDP and the need for multiple access control lists (ACLs) to filter the traffic.

Using the PAM table, you simply pick an existing application or define a new one for inspection thereby simplifying ACL configuration.

ICMP Inspection

An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic access control lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wildcard address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination.

Application-Layer Protocol Inspection

In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state.

Java, H.323, RPC, SIP, and SMTP inspection have additional information, described in the next five sections. Table 2 lists the supported application-layer protocols.

Table 2 Protocol Keywords—Application-Layer Protocols 

Protocol
Keyword

Application Firewall

appfw

CU-SeeMe

cuseeme

ESMTP

smtp

FTP

ftp

IMAP

imap

Java

http

H.323

h323

Microsoft NetShow

netshow

POP3

pop3

RealAudio

realaudio

RPC

rpc

SIP

sip

Simple Mail Transfer Protocol (SMTP)

smtp

Skinny Client Control Protocol (SCCP)

skinny

StreamWorks

streamworks

Structured Query Language*Net (SQL*Net)

sqlnet

TFTP

tftp

UNIX R commands (rlogin, rexec, rsh)

rcmd

VDOLive

vdolive

WORD

user-defined application name; use prefix -user

Note All applications that appear under the show ip port-map command are supported.


Java Inspection

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as "friendly." If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except sites specifically designated as "hostile."


Note Before you configure Java inspection, you must configure a numbered standard access list that defines "friendly" and "hostile" external sites. You configure this numbered standard access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure a numbered standard access list, but use a "placeholder" access list in the ip inspect name inspection-name http command, all Java applets will be blocked.



Note Java blocking forces a strict order on TCP packets. To properly verify that Java applets are not in the response, a firewall will drop any TCP packet that is out of order. Because the network—not the firewall—determines how packets are routed, the firewall cannot control the order of the packets; the firewall can only drop and retransmit all TCP packets that are not in order.



Caution Context-Based Access Control (CBAC) does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in .zip or .jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port.

H.323 Inspection

If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter "Configuring Context-Based Access Control" in the Cisco IOS Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification.

RPC Inspection

RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall.

SIP Inspection

You can configure SIP inspection to permit media sessions associated with SIP-signaled calls to traverse the firewall. Because SIP is frequently used to signal both incoming and outgoing calls, it is often necessary to configure SIP inspection in both directions on a firewall (both from the protected internal network and from the external network). Because inspection of traffic from the external network is not done with most protocols, it may be necessary to create an additional inspection rule to cause only SIP inspection to be performed on traffic coming from the external network.

SMTP Inspection

SMTP inspection causes SMTP commands to be inspected for illegal commands. Packets with illegal commands are modified to a "xxxx" pattern and forwarded to the server. This process causes the server to send a negative reply, forcing the client to issue a valid command. An illegal SMTP command is any command except the following:

DATA

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SEND

SOML

VRFY

ESMTP Inspection

Like SMTP, ESMTP inspection also causes the commands to be inspected for illegal commands. Packets with illegal commands are modified to a "xxxx" pattern and forwarded to the server. This process causes the server to send a negative reply, forcing the client to issue a valid command. An illegal ESMTP command is any command except the following:

AUTH

DATA

EHLO

ETRN

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SEND

SOML

VRFY

In addition to inspecting commands, the ESMTP firewall also inspects the following extensions via deeper command inspection:

Message Size Declaration (SIZE)

Remote Queue Processing Declaration (ETRN)

Binary MIME (BINARYMIME)

Command Pipelining

Authentication

Delivery Status Notification (DSN)

Enhanced Status Code (ENHANCEDSTATUSCODE)

8bit-MIMEtransport (8BITMIME)


Note SMTP and ESMTP cannot exist simultaneously. An attempt to configure both protocols will result in an error message.


Use of the urlfilter Keyword

If you specify the urlfilter keyword, the Cisco IOS Firewall will interact with a URL filtering software to control web traffic for a given host or user on the basis of a specified security policy.


Note Enabling HTTP inspection with or without any option triggers the Java applet scanner, which is CPU intensive. The only way to stop the Java applet scanner is to specify the java-list access-list option. Configuring URL filtering without enabling the java-list access-list option will severely impact performance.


Use of the timeout Keyword

If you specify a timeout for any of the transport-layer or application-layer protocols, the timeout will override the global idle timeout for the interface to which the set of inspection rules is applied.

If the protocol is TCP or a TCP application-layer protocol, the timeout will override the global TCP idle timeout. If the protocol is UDP or a UDP application-layer protocol, the timeout will override the global UDP idle timeout.

If you do not specify a timeout for a protocol, the timeout value applied to a new session of that protocol will be taken from the corresponding TCP or UDP global timeout value valid at the time of session creation.

The default ICMP timeout is deliberately short (10 seconds) due to the security hole that is opened by allowing ICMP packets with a wild-carded source address back into the inside network. The timeout will occur 10 seconds after the last outgoing packet from the originating host. For example, if you send a set of 10 ping packets spaced one second apart, the timeout will expire in 20 seconds or 10 seconds after the last outgoing packet. However, the timeout is not extended for return packets. If a return packet is not seen within the timeout window, the hole will be closed and the return packet will not be allowed in. Although the default timeout can be made longer if desired, it is recommended that this value be kept relatively short.

IP Fragmentation Inspection

CBAC inspection rules can help protect hosts against certain denial-of-service attacks involving fragmented IP packets. Even though the firewall keeps an attacker from making actual connections to a given host, the attacker may still be able to disrupt services provided by that host. This is done by sending many noninitial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets.

Using fragmentation inspection, the firewall maintains an interfragment state (structure) for IP traffic. Noninitial fragments are discarded unless the corresponding initial fragment was permitted to pass through the firewall. Noninitial fragments received before the corresponding initial fragments are discarded.


Note Fragmentation inspection can have undesirable effects in certain cases, because it can result in the firewall discarding any packet whose fragments arrive out of order. There are many circumstances that can cause out-of-order delivery of legitimate fragments. Apply fragmentation inspection in situations where legitimate fragments, which are likely to arrive out of order, might have a severe performance impact.


Because routers running Cisco IOS software are used in a very large variety of networks, and because the CBAC feature is often used to isolate parts of internal networks from one another, the fragmentation inspection feature is not enabled by default. Fragmentation detection must be explicitly enabled for an inspection rule using the ip inspect name command. Unfragmented traffic is never discarded because it lacks a fragment state. Even when the system is under heavy attack with fragmented packets, legitimate fragmented traffic, if any, will still get some fraction of the firewall's fragment state resources, and legitimate, unfragmented traffic can flow through the firewall unimpeded.

Application Firewall Provisioning

Application firewall provisioning allows you to configure your Cisco IOS Firewall to detect and prohibit a specific protocol type of traffic.

Most firewalls provide only packet filtering capabilities that simply permit or deny traffic without inspecting the data stream; the Cisco IOS application firewall can detect whether or not a packet is in compliance with given HTTP protocol. If the packet is determined to be unauthorized, it will be dropped, the connection will be reset, and a syslog message will be generated, as appropriate.

User-Defined Applications

You can define your own applications and enter them into the port-to-application mapping (PAM) table using the ip port-map command. Then you set up your inspection rules by inserting your user-defined application as a value for the protocol argument in the ip inspect name command.

Session Limiting

Users can limit the number of established firewall sessions that a firewall rule creates by setting the "max-sessions" threshold. A session counter is maintained for each firewall interface. When a session count exceeds the specified threshold, an alert FW-4-SESSION_THRESHOLD_EXCEEDED message is logged to the syslog server and no new sessions can be created.

Examples

The following example causes the software to inspect TCP sessions and UDP sessions, and to specifically allow CU-SeeMe, FTP, and RPC traffic back through the firewall for existing sessions only. For UDP traffic, audit-trail is on. For FTP traffic, the idle timeout is set to override the global TCP idle timeout. For RPC traffic, program numbers 100003, 100005, and 100021 are permitted.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021

The following example adds fragment checking to software inspection of TCP and UDP sessions for the rule named "myrules." In this example, the firewall software will allocate 100 state structures, and the timeout value for dropping unassembled packets is set to 4 seconds. If 100 initial fragments for 100 different packets are sent through the router, all of the state structures will be used up. The initial fragment for packet 101 will be dropped. Additionally, if the number of free state structures (structures available for use by unassembled packets) drops below the threshold values, 32 or 16, the timeout value is automatically reduced to 2 or 1, respectively. Changing the timeout value frees up packet state structures more quickly.

ip inspect name myrules tcp
ip inspect name myrules udp audit-trail on
ip inspect name myrules cuseeme
ip inspect name myrules ftp timeout 120
ip inspect name myrules rpc program-number 100003
ip inspect name myrules rpc program-number 100005
ip inspect name myrules rpc program-number 100021
ip inspect name myrules fragment max 100 timeout 4

The following firewall and SIP example shows how to allow outside-initiated calls and internal calls. For outside-initiated calls, an ACL needs to be punched to allow for the traffic from the initial signaling packet from outside. Subsequent signaling and media channels will be allowed by the inspection module.

ip inspect name voip sip 
interface FastEthernet0/0
 ip inspect voip in
!
!
interface FastEthernet0/1
 ip inspect voip in
 ip access-group 100 in
!
!
access-list 100 permit udp host <gw ip> any eq 5060
access-list 100 permit udp host <proxy ip> any eq 5060
access-list deny ip any any

The following example shows two configured inspections named fw_only and fw_urlf; URL filtering will work only on the traffic that is inspected by fw_urlf. Note that the java-list access-list option has been enabled, which disables java scanning.

ip inspect name fw_only http java-list 51 timeout 30
interface e0
 ip inspect fw_only in
!
ip inspect name fw_urlf  http urlfilter java-list 51 timeout 30
interface e1
 ip inspect fw_urlf in

The following example shows how to define the HTTP application firewall policy mypolicy. This policy includes all supported HTTP policy rules. This example also includes sample output from the show appfw configuration and show ip inspect config commands, which allow you to verify the configured setting for the application policy.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!
! Issue the show appfw configuration command and the show ip inspect config command after 
the inspection rule "mypolicy" is applied to all incoming HTTP traffic on the 
FastEthernet0/0 interface.
!
Router# show appfw configuration 

Application Firewall Rule configuration
  Application Policy name mypolicy
    Application http
      strict-http action allow alarm
      content-length minimum 0 maximum 1 action allow alarm
      content-type-verification match-req-rsp action allow alarm
      max-header-length request length 1 response length 1 action allow alarm
      max-uri-length 1 action allow alarm
      port-misuse default action allow alarm
      request-method rfc default action allow alarm
      request-method extension default action allow alarm
      transfer-encoding default action allow alarm

Router# show ip inspect config 

Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name firewall
http alert is on audit-trail is off timeout 3600

Related Commands