Saturday, February 28, 2009

Application Inspection Policies in Cisco PIX/ASA 7.x


Cisco service policies, which replace the PIX 6.x fixup protocol commands, give granular, application-aware control over common services. For example, application inspection tracks the FTP control channel so the firewall can open the dynamically negotiated data port, and it can enforce connection limits or maximum header lengths for HTTP. Service policies also provide protocol sanity checks for specific services, but only on traffic the firewall has been told to treat as that protocol. If, for example, a proxy server is listening on port 8080 for HTTP, a service policy is needed to classify traffic to that port as HTTP; otherwise the HTTP checks are never applied and the firewall handles the traffic as ordinary stateful TCP, inspected only at layer 3/4.

For a new connection the firewall evaluates the interface access list and the NAT rules first; application inspection then runs on the permitted, translated flow. Traffic that violates an inspection policy (an FTP command denied by a strict ftp-map, an HTTP header longer than the configured maximum) is dropped or reset according to the configured action, even though the access list permitted it. Several inspection engines also rewrite addresses embedded in the payload (the FTP PORT command, for instance) so that NAT works for those protocols.

Building a service policy involves three required steps and one optional step; together they are called the Modular Policy Framework (MPF):
1. Define a class-map – this holds the “match” conditions. In other words, it specifies which traffic is selected for this policy.
2. Create a policy-map – apply actions to the matched traffic: inspect it, set connection limits or timeouts, send it to the IPS module, set priority, etc. In other words, specify what the firewall will do with the “matched” traffic.
3. Modify the inspection map (optional) – an ftp-map, http-map or similar changes the defaults enforced by the inspection engine for that service. For example, this is where you would change the default HTTP header length, or list the FTP commands that may be run. The map takes effect only when an inspect command in the policy-map references it by name.
4. Apply a service-policy – this binds a policy-map to an interface, or globally to all interfaces.
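A complete worked example of the four steps, added here and not part of the original post, implementing the proxy-on-port-8080 case mentioned above. The proxy address 192.168.128.50, the interface name inside and the class, map and policy names are assumptions:

```cisco
! Added example (not from the original post): inspect HTTP on a proxy's
! nonstandard port 8080. The proxy at 192.168.128.50 behind the "inside"
! interface, and every name below, are assumptions.
!
! Step 1: class-map - which traffic is matched
access-list proxy_http extended permit tcp any host 192.168.128.50 eq 8080
class-map PROXY_HTTP_CLASS
 match access-list proxy_http
!
! Step 3 (optional, but it must exist before the policy-map references it):
! what the HTTP inspection engine enforces on this traffic
http-map PROXY_HTTP_MAP
 strict-http action reset log
 port-misuse p2p action drop log
 port-misuse tunneling action drop log
 port-misuse default action allow
!
! Step 2: policy-map - what to do with the matched traffic
policy-map inside_policy
 class PROXY_HTTP_CLASS
  inspect http PROXY_HTTP_MAP
!
! Step 4: service-policy - bind the policy-map to the interface the
! clients arrive on
service-policy inside_policy interface inside
!
! Verify that the class is matching and packets are being inspected
show service-policy interface inside
show running-config policy-map
```

Without the inspect http line in step 2 the http-map is defined but never applied, and traffic to 8080 is still treated as plain TCP; the show service-policy counters are the quickest way to confirm the class is actually seeing packets.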

When defining what traffic will be matched, defining actions, or modifying inspection settings, “?” is your friend. For example, if you would like to restrict the commands that can be run over FTP, you can get a list of the available keywords by typing “?” after request-command deny:

ftp-map FTP-Inspection
request-command deny ?

ftp-map mode commands/options:
appe Append
cdup Change to parent of current directory
dele Delete a file
get FTP client command for retr command-retrieve
help Get Help information
mkd Create a directory
put Store a file
rmd Remove a directory
rnfr Rename from
rnto Rename to
site Specify server specific command
stou Store a unique file.


Also refer to the ASA 7.0 configuration guide for more information on application inspection.

Examples:

Sets maximum request header and URI lengths and drops P2P traffic that is using port 80:

class-map inspection_default_http
match port tcp eq www
this class matches all traffic to TCP port 80 (www)

http-map inbound_http
http-map is the MPF inspection map type for HTTP; inbound_http is our own map
max-header-length request 100 action reset log
max-uri-length 100 action reset log
100 bytes is well below a normal browser request header, so these values will reset most legitimate sessions; size them from observed traffic before using the reset action
port-misuse p2p action drop
port-misuse default action allow

policy-map inbound_policy
this policy map will be called inbound_policy
class inspection_default_http
matches the inspection_default_http class
inspect http inbound_http
without this line the http-map is defined but never applied

service-policy inbound_policy interface outside
binds the policy map to the outside interface

Allows only downloads (GET, i.e. RETR) and cdup on the FTP server at 192.168.128.21; every other command in the list is denied:
access-list ftp_server extended permit tcp any host 192.168.128.21 eq ftp
define the acl that selects control connections to the server
ftp-map ALLOW_GET_ONLY
create a new ftp-map
request-command deny appe help rnfr rnto put stou site dele mkd rmd
specify the commands that are denied (get and cdup are the only keywords not listed, so they remain allowed)
class-map FTP_SERVER_CLASS
create the class-map
match access-list ftp_server
match the class-map to the acl
policy-map global_policy
edit the default global policy-map (it already exists on a 7.x box)
class FTP_SERVER_CLASS
the specific class must come before inspection_default: for a given feature type a packet is handed to only the first class it matches
inspect ftp strict ALLOW_GET_ONLY
specify the ftp-map to be used; strict additionally enforces RFC compliance on the control channel and blocks embedded commands
class inspection_default
allow all other ftp traffic to use the default inspection
inspect ftp
service-policy global_policy global
the default global policy is normally bound already, in which case this line is a no-op

This policy is applied globally.


Service policy that sets the TCP embryonic (half-open) connection timeout:
This service policy will match all TCP traffic defined in an ACL, therefore step #1 is to define the ACL.

access-list tcp_inspect extended permit tcp any any
matches all TCP traffic
access-list tcp_inspect extended deny ip any any
explicit deny; a deny entry in a class-map ACL means “do not match” (the implicit deny at the end of the ACL would do the same)

Next we define the class-map (match). This class-map matches the above ACL.

class-map tcp_inspect_class
we called this class-map “tcp_inspect_class”
match access-list tcp_inspect

Next we create a policy-map that sets the embryonic connection timeout to 10 seconds (the default is 30 seconds):

policy-map global_tcp_timeout
class tcp_inspect_class
set connection timeout embryonic 0:00:10

Finally we bind the policy-map to all interfaces:

service-policy global_tcp_timeout global

Note that the ASA allows only one global service policy. On a box that already has global_policy bound globally (the default, and what the FTP example above relies on), this command is refused; add the tcp_inspect_class class to the existing global_policy instead.
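The FTP example above already binds global_policy globally, and binding a second policy-map the same way is refused. As an added example (mine, not from the original post), the following single global policy carries the default inspection class, the post's tcp_inspect_class, and per-class connection limits; the numeric limits are assumptions and should be sized from the traffic the firewall actually carries:

```cisco
! Added example, not from the original post: one global policy carrying
! both inspection and connection-setting classes. The conn-max and
! embryonic-conn-max values are assumptions; start from "show conn count"
! and the box's real peak load before choosing them.
access-list tcp_inspect extended permit tcp any any
class-map tcp_inspect_class
 match access-list tcp_inspect
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect dns maximum-length 512
  ! (the other default inspections stay as shipped and are omitted here)
 class tcp_inspect_class
  ! connection settings are a different feature type from inspection, so
  ! a packet can match this class as well as inspection_default
  set connection timeout embryonic 0:00:10
  ! once half-open connections to any host in this class exceed 200 the
  ! ASA starts TCP intercept (proxying the handshake) for new SYNs
  set connection embryonic-conn-max 200
  ! hard cap on established connections matched by this class
  set connection conn-max 2000
!
! the one and only global binding
service-policy global_policy global
!
! verify which policy is bound globally and that both classes see traffic
show service-policy global
show running-config service-policy
```

Keeping the limits in a class of their own, rather than on inspection_default, means they can be tightened for a single server later by adding a narrower class above tcp_inspect_class without touching the inspection configuration.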

Classifies DNS traffic on UDP port 8053 and inspects it with a maximum message length of 1500 bytes (the default global policy inspects only port 53, with a 512-byte maximum):

class-map dns_port
match port udp eq 8053

policy-map dns_policy
class dns_port
inspect dns maximum-length 1500

service-policy dns_policy interface outside
