-
Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
-
Automatic Signature Extraction
-
Cisco IOS Firewall Overview
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Stateful Failover
-
Cisco IOS Firewall Support for TRP
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
- Unicast Reverse Path Forwarding (uRPF)
- Threat Information Distribution Protocol (TIDP) and TMS
-
Table Of Contents
Prerequisites for Granular Inspection Protocol
Restrictions for Granular Inspection Protocol
Information About Granular Protocol Inspection
How to Configure Granular Protocol Inspection
Configuration Examples for Granular Protocol Inspection
Defining an Application for the PAM Table: Example
Setting Up an Inspection Rule: Example
Verifying the Configuration: Example
Feature Information for Granular Protocol Inspection
Granular Protocol Inspection
The Granular Protocol Inspection feature adds flexibility to the Cisco IOS Firewall by allowing it to perform a higher degree of inspection of TCP and User Data Protocol (UDP) traffic for most RFC 1700 application types.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Granular Protocol Inspection" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Granular Inspection Protocol
•
•
•
•
•
Prerequisites for Granular Inspection Protocol
•
•
Restrictions for Granular Inspection Protocol
Port ranges cannot be specified directly in the ip inspect name command; use the port-to-application mapping (PAM) table.
Information About Granular Protocol Inspection
To use the Granular Protocol Inspection feature, you need to understand the following concepts:
Cisco IOS Firewall
The Cisco IOS Firewall is a security-specific option that provides inspection firewall functionality and intrusion detection for every network perimeter. By delivering state-of-the-art security features such as stateful, application-based filtering; dynamic per-user authentication and authorization; and URL filtering, the Cisco IOS Firewall adds greater depth and flexibility to existing Cisco IOS security solutions including authentication, encryption, and failover.
A firewall is a physical software or hardware barrier between one part of an internal network used to control access to and from external networks. This barrier is unique because it allows predefined traffic to pass through the firewall while being monitored for protocol anomalies. The difficult part is determining the criteria by which the packets are granted or denied access through the device.
As mentioned, a firewall blocks traffic and permits other types of traffic to traverse. Firewalls are not just access control lists (ACLs); rather, they are a stateful inspection application.
Granular Protocol Inspection
The Cisco IOS Firewall performs inspections for TCP and UDP traffic. For example, TCP inspections include Telnet traffic (port 23, by default) as well as all other applications on TCP such as Hypertext Transfer Protocol (HTTP), e-mail, instant message (IM) chatter, and so on. Therefore, there is no easy way to inspect Telnet traffic alone and deny all other TCP traffic.
The Granular Protocol Inspection feature allows you to specify TCP or UDP ports using the PAM table. As a result, the Cisco IOS Firewall can restrict traffic inspections to specific applications, thereby permitting a higher degree of granularity in selecting which protocols are to be permitted and denied as shown in Figure 32.
Figure 32 Sample Topology
Benefits
•
•
•
•
How to Configure Granular Protocol Inspection
This section contains the following procedures:
•
•
•
Defining Applications
Perform the following task to define your applications in the PAM table by using the ip port-map command.
SUMMARY STEPS
1.
2.
3.
[list acl-num] [description description_string]4.
DETAILED STEPS
Setting Up Inspection Rules
Perform the following task to set up your inspection rules by using the ip inspect name command.
SUMMARY STEPS
1.
2.
3.
[timeout seconds]4.
DETAILED STEPS
Verifying the Configuration
Perform the following task to verify your applications and inspection rules.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuration Examples for Granular Protocol Inspection
This section contains the following configuration examples:
•
•
•
Defining an Application for the PAM Table: Example
In the following example from the ip port-map command, a user-defined application named user-10 is defined in the PAM table for five ports using the TCP protocol. Standard access list 77 is applied to define host-specific port mapping and "TEST STRING" is the description.
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip port-map user-10 port tcp 4000 5000 6000 7000 8000 list 77 description "TEST STRING"Router(config)# endSetting Up an Inspection Rule: Example
The following example from the ip inspect name command, lists user-10 as an application with the description "TEST STRING."
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip inspect name abc ?bootpc Bootstrap Protocol Clientbootps Bootstrap Protocol Servercisco-fna Cisco FNATIVEcisco-sys Cisco SYSMAINTcisco-tna Cisco TNATIVEcuseeme CUSeeMe Protocolecho Echo portesmtp Extended SMTPfinger Fingerfragment IP fragment inspectionftp File Transfer Protocolgopher Gophergtpv0 GPRS Tunneling Protocol Version 0gtpv1 GPRS Tunneling Protocol Version 1h323 H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)http HTTP Protocolicmp ICMP Protocolimap IMAP Protocolimap3 Interactive Mail Access Protocol 3kerberos Kerberosldap Lightweight Directory Access Protocolnetbios-dgm NETBIOS Datagram Servicenetshow Microsoft NetShow Protocolnntp Network News Transport Protocolparameter Specify inspection parameterspop3 POP3 Protocolpwdgen Password Generator Protocolrcmd R commands (r-exec, r-login, r-sh)realaudio Real Audio Protocolrpc Remote Prodedure Call Protocolrtsp Real Time Streaming Protocolsecure-http Secure Hypertext Transfer Protocolsip SIP Protocolskinny Skinny Client Control Protocolsmtp Simple Mail Transfer Protocolsnmp Simple Network Management Protocolsnmptrap SNMP Trapsqlnet SQL Net Protocolsqlsrv SQL Servicestreamworks StreamWorks Protocoltacacs Login Host Protocol (TACACS)tacacs-ds TACACS-Database Servicetcp Transmission Control Protocoltelnet Telnettftp TFTP Protocoludp User Datagram Protocolvdolive VDOLive Protocoluser-10 TEST STRING <----- !user-defined application!In the following example from the ip inspect name command, an inspection rule is established for user-10:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip inspect name abc user-10Router(config)# endVerifying the Configuration: Example
The following example verifies your port-map configuration:
Router# show running-config | include port-mapip port-map user-10 port tcp 4000 5000 6000 7000 8000 list 77 description "TEST STRING"The following example verifies your inspection rule configuration:
Router# show running-config | include inspectip inspect name abc user-10The following example displays information about the user-defined application called user-10.
Router# show ip port-map user-10Host specific: user-10 tcp port 4000...8000 in list 77 user definedThe following example displays detailed information about the user-defined application called user-10.
Router# show ip port-map user-10 detailIP port-map entry for application 'user-10':tcp 4000...8000 list 77 "TEST STRING" user definedAdditional References
The following sections provide references related to the Granular Protocol Inspection feature.
Related Documents
Security commands: complete command syntax, command mode, defaults, usage guidelines, and examples
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
Feature Information for Granular Protocol Inspection
Table 35 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 35 Feature Information for Granular Protocol Inspection
Granular Protocol Inspection
12.3(14)T
This feature was introduced.
Glossary
firewall—A router or access server, or several routers or access servers, designated as a buffer between any connected public networks and a private network. A firewall router uses access lists and other methods to ensure the security of the private network.
granular—Degree of componentization. Small, fine-grained components provide greater flexibility in assembling the right combination of functionality, but can be difficult to manage.
inspection rule—A rule that specifies what IP traffic (which application-layer protocols) will be inspected by CBAC at an interface.
PAM—port-to-application mapping. A flexible, per-application port mapping capability that allows the Cisco IOS Firewall to support applications running on nonstandard ports. This feature allows network administrators to customize access control for specific applications and services, in order to meet their distinct network needs.
traffic inspection—A way that CBAC inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network).
UDP—User Data Protocol. A connectionless service—there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, similar source/destination addresses and port numbers) and if the packet was detected soon after another similar UDP packet. "Soon" means within the configurable UDP idle timeout period.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007, 2008 Cisco Systems, Inc. All rights reserved
