-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
-
Automatic Signature Extraction
-
Cisco IOS Firewall Overview
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Stateful Failover
-
Cisco IOS Firewall Support for TRP
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Unicast Reverse Path Forwarding (uRPF)
- Threat Information Distribution Protocol (TIDP) and TMS
-
Table Of Contents
Application Firewall—Instant Message Traffic Enforcement
Restrictions for Application Firewall—Instant Message Traffic Enforcement
Information About Application Firewall—Instant Message Traffic Enforcement
What Is an Application Policy?
Instant Messenger Application Policy Overview
How to Define and Apply an Application Policy to a Firewall for Inspection
Defining an Application Policy to Permit or Deny Instant Messenger Traffic
Applying an Instant Messenger Traffic Application Policy to a Firewall for Inspection
Configuration Examples for Setting Up an Instant Messenger Traffic Inspection Engine
Instant Messenger Application Policy Configuration: Example
Application Firewall—Instant Message Traffic Enforcement
The Application Firewall—Instant Message Traffic Enforcement feature enables users to define and enforce a policy that specifies which instant messenger traffic types are allowed into the network. Thus, the following additional functionality can also be enforced:
•
Configuration of firewall inspection rules
•
History for the Application Firewall—Instant Message Traffic Enforcement Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
•
•
•
Restrictions for Application Firewall—Instant Message Traffic Enforcement
If an instant messenger traffic enforcement policy is configured on a Cisco IOS router with a server command, traffic destined to other services (such as Telnet, FTP, SMTP) that is running on the instant message server's IP address will also be treated as IM traffic by the Cisco IOS router. Thus, access to the other services is prevented through the Cisco IOS firewall; however, this limitation is not a problem for most IM application users who are connecting from a user's network.
Information About Application Firewall—Instant Message Traffic Enforcement
Before creating an application firewall policy for instant message traffic enforcement, you should understand the following concept:
•
•
What Is an Application Policy?
The application firewall uses an application policy, which consists of a collection of static signatures, to detect security violations. A static signature is a collection of parameters that specify protocol conditions that must be met before an action is taken. These protocol conditions and reactions are defined by the end user via the command-line interface (CLI) to form an application policy.
Instant Messenger Application Policy Overview
Cisco IOS application firewall has been enhanced to support instant native messenger application policies. Thus, the Cisco IOS firewall can now detect and prohibit user connections to instant messenger servers for the AOL Instant Messenger (AIM), Yahoo! Messenger, and MSN Messenger instant messaging services. This functionality controls all connections for supported servies, including text, voice, video, and file-transfer capabilities. The three applications can be individually denied or permitted. Each service may be individually controlled so that text-chat service is allowed, and voice, file transfer, video, and other services are restricted. This functionality augments existing Application Inspection capability to control IM application traffic that has been disguised as HTTP (web) traffic.
Note
How to Define and Apply an Application Policy to a Firewall for Inspection
This section contains the following procedures:
•
•
Defining an Application Policy to Permit or Deny Instant Messenger Traffic
Use this task to create an instant messenger application firewall policy.
Prerequisites
Before defining and enabling an application policy for instant messenger traffic, you must have already properly configured your router with a Domain Name System (DNS) server IP address via the ip domain lookup command and the ip name-server command.
The IP address of the DNS server configured on the Cisco IOS router must be the same as that configured on all PCs connecting to the IM servers from behind the Cisco IOS firewall.
Note
Restrictions
Although application firewall policies are defined in global configuration mode, only one global policy for a given protocol is allowed per interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Troubleshooting Tips
Resolved IP addresses are never "timed out" and not automatically removed from the DNS cache. Thus, if you find an obsolete IP address in the instant messenger database (DNS cache), you can issue the clear appfw dns cache command to remove the IP address and prevent the address from being interpreted by the router as that of an IM server.
Always allow a couple of minutes for the DNS cache to populate after configuring the server command (with the name string option) in an application firewall policy for IM applications.
If you do not want the DNS resolver to send periodic queries, do not use the server command (with the name string option); instead, use the server command (with the ip address option).
If you issue the server command (with the name string option), ensure that you specify the name of every DNS server for an IM application in your policy. Always be alert to new names.
What to Do Next
After you have successfully defined an application policy for instant message traffic inspection, you must apply the policy to an inspection rule. Thereafter, the inspection rule must be applied to an interface. For information on completing this task, see the section "Applying an Instant Messenger Traffic Application Policy to a Firewall for Inspection."
Applying an Instant Messenger Traffic Application Policy to a Firewall for Inspection
Use this task to apply an IM application policy to an inspection rule, followed by applying the inspection rule to an interface.
Prerequisites
You must have already defined an application policy (as shown in the section "Defining an Application Policy to Permit or Deny Instant Messenger Traffic").
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Configuration Examples for Setting Up an Instant Messenger Traffic Inspection Engine
This section contains the following configuration example:
•
Instant Messenger Application Policy Configuration: Example
The following example shows to configure application policy "my-im-policy," which allows text-chat for Yahoo! instant messenger users and blocks instant messenger traffic for all other users:
appfw policy-name my-im-policyapplication httpport-misuse im reset!application im yahooserver permit name scs.msg.yahoo.comserver permit name scsa.msg.yahoo.comserver permit name scsb.msg.yahoo.comserver permit name scsc.msg.yahoo.comservice text-chat action allowservice default action reset!application im aolserver deny name login.oscar.aol.com!application im msnserver deny name messenger.hotmail.com!ip inspect name test appfw my-im-policyinterface FastEthernet0/0description Inside interfaceip inspect test inThe port-misuse im command blocks all the three IM applications going through the HTTP protocol. It is always recommended that you block IM activity through HTTP and allow IM traffic to pass, if at all, through its native port.
The server permit commands help to identify all the servers for Yahoo! messenger services. A connection to any one of the specified servers will be recognized by the firewall as a Yahoo! IM session—even if the Yahoo! client uses port-hopping techniques (which can be accomplished by using server port-numbers such as 25 instead of the standard 5050.)
If a server permit command is not issued within the application im yahoo command, the Cisco IOS firewall will classify only the traffic going to server port 5050 as Yahoo! messenger traffic. Because the port classification scheme breaks if any of the Yahoo! clients are configured to use a port other than 5050, it is more reliable to have server permit command entries instead of relying on the port classification method.
The server deny commands under other IM applications deny connection to respective servers. This action operates at the network layer connection level—not at the application session level. When traffic is denied, the TCP connection to the server is denied, no data traffic is allowed, and all packets are dropped in the firewall.
Additional References
The following sections provide references related to the Application Firewall—Instant Message Traffic Enforcement feature.
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
•
•
•
•
•
CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
