-
- IP Access List Features Roadmap
- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values
- Refining an IP Access List
- Displaying and Clearing IP Access List Data Using ACL Manageability
- Controlling Access to a Virtual Terminal Line
- Access List-Based RBSCP
- ACL IP Options Selective Drop
- ACL Authentication of Incoming rsh and rcp Requests
- Configuring Lock-and-Key Security for Dynamic Access Lists
- Configuring IP Session Filtering of Reflexive Access Lists
- Configuring TCP Intercept and Preventing Denial-of-Service Attacks
-
- Configuring Context-based Access Control
- Application Firewall - Instant Message Traffic Enforcement
- Cisco IOS Firewall MIB
- Cisco IOS Firewall Performance Improvements
- Cisco IOS Firewall Stateful Failover
- Cisco IOS Firewall Support for TRP
- Email Inspection Engine
- ESMTP Support for Cisco IOS Firewall
- Firewall ACL Bypass
- Firewall N2H2 Support
- Firewall Stateful Inspection of ICMP
- Firewall Support for SIP
- Firewall Support of Skinny Client Control Protocol
- Firewall Websense URL Filtering
- Granular Protocol Inspection
- HTTP Inspection Engine
- Inspection of Router-Generated Traffic
- TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
- Transparent Cisco IOS Firewall
- Virtual Fragmentation Reassembly
- VRF Aware Cisco IOS Firewall
- Configuring Port to Application Mapping
- Configuring Cisco IOS Intrusion Prevention System (IPS)
- Configuring IP Security Options
- Finding Feature Information
- Contents
- Restrictions for HTTP Inspection Engine
- Information About HTTP Inspection Engine
- How to Define and Apply an HTTP Application Policy to a Firewall for Inspection
HTTP Inspection Engine
The HTTP Inspection Engine feature allows users to configure their Cisco IOS Firewall to detect and prohibit HTTP connections—such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers—that are not authorized within the scope of the security policy configuration. Tunneling unauthorized protocols through port 80 and over HTTP exposes a network to significant security risks.
The Cisco IOS Firewall can now be configured with a security policy that adheres to the following tasks:
•
Allowing specific traffic targeted for port 80 to traverse the firewall. The traffic is inspected for protocol conformance and for the types of HTTP commands that are allowed or disallowed.
•Denying specific traffic targeted for port 80 that does not comply to HTTP traffic standards. The firewall is enabled to drop the packet, reset the connection, and send a syslog message, as appropriate.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Setting Up an HTTP Inspection Engine" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Restrictions for HTTP Inspection Engine
•Information About HTTP Inspection Engine
•How to Define and Apply an HTTP Application Policy to a Firewall for Inspection
•Configuration Examples for Setting Up an HTTP Inspection Engine
•Feature Information for Setting Up an HTTP Inspection Engine
Restrictions for HTTP Inspection Engine
The Cisco 831 router with 48M RAM does not have enough memory to support this feature.
Information About HTTP Inspection Engine
Before configuring an application firewall to detect and police specific traffic targeted for port 80, you should understand the following concepts:
•Cisco IOS HTTP Application Policy Overview
What Is a Security Policy
The application firewall uses a security policy, which consists of a collection of static signatures, to detect security violations. A static signature is a collection of parameters that specify protocol conditions that must be met before an action is taken. (For example, a signature may specify that an HTTP data stream containing the POST method must reset the connection.) These protocol conditions and reactions are defined by the end user via the command-line interface (CLI) to form a security policy.
Cisco IOS HTTP Application Policy Overview
HTTP uses port 80 to transport Internet web services, which are commonly used on the network and rarely challenged with regards to their legitimacy and conformance to standards. Because port 80 traffic is typically allowed through the network without being challenged, many application developers are leveraging HTTP traffic as an alternative transport protocol in which to enable their application to travel through or even bypass the firewall.
Most firewalls provide only packet filtering capabilities that simply permit or deny port 80 traffic without inspecting the data stream; the Cisco IOS application firewall for HTTP performs packet inspection as follows:
•Detects HTTP connections that are not authorized within the scope of the security policy configuration.
•Detects users who are tunneling applications through port 80.
If the packet is not in compliance with the HTTP protocol, it will be dropped, the connection will be reset, and a syslog message will be generated, as appropriate.
How to Define and Apply an HTTP Application Policy to a Firewall for Inspection
•Defining an HTTP Application Policy
•Applying an HTTP Application Policy to a Firewall for Inspection
Defining an HTTP Application Policy
Use this task to create an HTTP application firewall policy.
Restrictions
Although application firewall policies are defined in global configuration mode, only one global policy for a given protocol is allowed per interface.
SUMMARY STEPS
1. enable
2. configure terminal
3. appfw policy-name policy-name
4. application protocol
5. strict-http action {reset | allow} [alarm]
6. content-length {min bytes max bytes | min bytes | max bytes} action {reset | allow} [alarm]
7. content-type-verification [match-req-resp] action {reset | allow} [alarm]
8. max-header-length {request bytes response bytes} action {reset | allow} [alarm]
9. max-uri-length bytes action {reset | allow} [alarm]
10. request-method {rfc rfc-method | extension extension-method} action {reset | allow} [alarm]
11. port-misuse {p2p | tunneling | im | default} action {reset | allow} [alarm
12. transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]
13. timeout seconds
14. audit-trail {on | off}
15. exit
16. exit
DETAILED STEPS
What to Do Next
After you have successfully defined an application policy for HTTP traffic inspection, you must apply the policy to an inspection rule. Thereafter, the inspection rule must be applied to an interface. For information on completing this task, see the section "Applying an HTTP Application Policy to a Firewall for Inspection."
Applying an HTTP Application Policy to a Firewall for Inspection
Use this task to apply an HTTP application policy to an inspection rule, followed by applying the inspection rule to an interface.
Note An application policy can coexist with other inspection protocols (for example, an HTTP policy and an FTP policy can coexist).
Prerequisites
You must have already defined an application policy (as shown in the section "Defining an HTTP Application Policy").
SUMMARY STEPS
1. enable
2. configure terminal
3. ip inspect name inspection-name appfw policy-name
4. ip inspect name inspection-name http [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
5. interface type number
6. ip inspect inspection-name {in | out}
7. exit
8. exit
9. show appfw configuration [name]
or
show ip inspect {name inspection-name | config | interfaces | session [detail] | statistics | all}
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot the application firewall configuration, issue the following application-firewall specific debug command: debug appfw {application protocol | function-trace | object-creation | object-deletion | events | timers | detailed}.
The following sample configuration shows how to configure an HTTP policy with application firewall debugging enabled:
Router(config)# appfw policy-name myPolicyAPPFW FUNC:appfw_policy_find
APPFW FUNC:appfw_policy_find -- Policy myPolicy is not found
APPFW FUNC:appfw_policy_alloc
APPFW FUNC:appfw_policy_alloc -- policy_alloc 0x65727278
APPFW FUNC:appfw_policy_alloc -- Policy 0x65727278 is set to valid
APPFW FUNC:appfw_policy_alloc -- Policy myPolicy has been created
APPFW FUNC:appfw_policy_command -- memlock policy 0x65727278
! Debugging sample for application (HTTP) creation
Router(cfg-appfw-policy)# application httpAPPFW FUNC:appfw_http_command
APPFW FUNC:appfw_http_appl_find
APPFW FUNC:appfw_http_appl_find -- Application not found
APPFW FUNC:appfw_http_appl_alloc
APPFW FUNC:appfw_http_appl_alloc -- appl_http 0x64D7A25C
APPFW FUNC:appfw_http_appl_alloc -- Application HTTP parser structure 64D7A25C created
! Debugging sample for HTTP-specific application inspection
Router(cfg-appfw-policy-http)#
Router(cfg-appfw-policy-http)# strict-http action reset alarm
APPFW FUNC:appfw_http_subcommand
APPFW FUNC:appfw_http_subcommand -- strict-http cmd turned on
Router# debug appfw detailed
APPFW Detailed Debug debugging is on
fw7-7206a#debug appfw object-creation
APPFW Object Creations debugging is on
fw7-7206a#debug appfw object-deletion
APPFW Object Deletions debugging is on
Configuration Examples for Setting Up an HTTP Inspection Engine
•Example: Setting Up and Verifying an HTTP Inspection Engine
Example: Setting Up and Verifying an HTTP Inspection Engine
The following example show how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. This example also includes sample output from the show appfw configuration and show ip inspect config commands, which allow you to verify the configured setting for the application policy.
! Define the HTTP policy.
appfw policy-name mypolicy
application http
strict-http action allow alarm
content-length maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request 1 response 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc put action allow alarm
transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
ip inspect firewall in
!
!
! Issue the show appfw configuration command and the show ip inspect config command after
the inspection rule "mypolicy" is applied to all incoming HTTP traffic on the
FastEthernet0/0 interface.
!
Router# show appfw configuration
Application Firewall Rule configuration
Application Policy name mypolicy
Application http
strict-http action allow alarm
content-length minimum 0 maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request length 1 response length 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc put action allow alarm
transfer-encoding default action allow alarm
Router# show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name firewall
http alert is on audit-trail is off timeout 3600
Additional References
Related Documents
|
|
|
|---|---|
Cisco IOS commands |
|
Firewall commands: complete command syntax, command mode, defaults, usage guidelines, and examples |
Standards
|
|
|
|---|---|
No new or modified standards are supported by this feature. |
— |
MIBs
RFCs
|
|
|
|---|---|
RFC 2616 |
Technical Assistance
Feature Information for Setting Up an HTTP Inspection Engine
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
Feedback