One of the key strengths of the Cisco ASA is the control it gives us over applications passing through the device, so that they cannot be used to do us harm. This is implemented, of course, with Application Inspection, which lets the ASA examine not only the packet header but also the packet contents, right up to Layer 7.
Another benefit is that the ASA knows how to deal with applications that require special handling: protocols that embed IP addressing information in the data payload (which must be rewritten when the traffic is NATed) or that open secondary channels on dynamically assigned ports (which a static access list cannot anticipate, so the inspection engine opens a pinhole only for the negotiated connection).
The list of applications supported is impressive and continues to grow. Here are just some:
- HTTP
- FTP
- IM
- H.323
- TFTP
- SIP
- DNS
Application Inspection is enabled and tuned through the Modular Policy Framework (MPF). Remember, this follows the general structure of a traffic class to identify traffic (class-map), actions assigned with a policy (policy-map), and then the service policy activated on an interface or globally (service-policy).
Remember, the ASA is set up for some Application Inspection right out of the box. You can see this with the default class-map inspection_default, the policy-map global_policy, and the service-policy applied globally.
Here is a look at these default structures. Note this shows you which specific protocols are inspected by default on all interfaces (only on their standard ports, since that is what default-inspection-traffic matches) and that HTTP is not among them:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
At your fingertips is your own manipulation of Application Inspection on the ASA. In this example of HTTP inspection, we selectively inspect HTTP traffic to our Web server, rewrite the Server header so the box claims to be an Apache server (banner masking only; it patches nothing), reset connections whose request header exceeds 4096 bytes, and cap the connection counts to guard against DoS attacks. Note that OUT_IN is the interface access list that actually permits the traffic; AHTTP only classifies it for the policy. The conn-max and embryonic-conn-max values here are deliberately tiny for demonstration; on a real Web server they must be sized for the expected load, or the limit becomes a denial of service of your own making:
access-list OUT_IN extended permit tcp any host 192.168.65.3 eq www
access-group OUT_IN in interface outside
access-list AHTTP permit tcp any host 192.168.65.3 eq www
class-map CHTTP
 match access-list AHTTP
policy-map type inspect http PDHTTP
 parameters
  spoof-server "Apache Server"
 match request header length gt 4096
  reset
policy-map POUTSIDE
 class CHTTP
  inspect http PDHTTP
  set connection conn-max 2 embryonic-conn-max 1
service-policy POUTSIDE interface outside
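The default global policy and the interface policy for the Web server now coexist on the outside interface, and with several policies in play it is easy to misjudge which one actually inspects a given flow. The following Python script is an added example, not code from the original page and not anything shipped by Cisco: it parses the MPF objects (class-map, policy-map, policy-map type inspect, service-policy) out of a saved configuration, reports which inspection engine handles a protocol on a given interface (the interface service policy is evaluated first and, for a feature such as inspection, wins over the global policy for the flows it matches), and flags references to objects missing from the text. SAMPLE_CONFIG is constructed from the two snippets on this page with the default inspection list abbreviated; the names parse_mpf, parse_inspect, policies_for, find_inspection and lint are the script's own.

```python
"""Audit a Cisco ASA MPF configuration (added example, not ASA or vendor code):
which inspection engine sees a protocol on an interface, and do references resolve?"""

def parse_mpf(text):
    """Line-based parse of the MPF objects; sub-mode depth is the leading-space count."""
    cfg = {"class": {}, "inspect": {}, "policy": {}, "global": None, "iface": {}}
    ctx = cur_class = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        indent, line = len(raw) - len(raw.lstrip(" ")), " ".join(words)
        if indent == 0:                                    # a new top-level object
            ctx = cur_class = None
            if words[0] == "class-map":                    # the name is the last word
                cfg["class"][words[-1]] = []
                ctx = ("class", words[-1])
            elif words[:3] == ["policy-map", "type", "inspect"]:   # ... PROTO NAME
                cfg["inspect"][words[4]] = (words[3], [])
                ctx = ("inspect", words[4])
            elif words[0] == "policy-map":
                cfg["policy"][words[1]] = {}
                ctx = ("policy", words[1])
            elif words[0] == "service-policy":             # NAME global | NAME interface IFACE
                if words[2] == "global":
                    cfg["global"] = words[1]
                else:
                    cfg["iface"][words[3]] = words[1]
        elif ctx and ctx[0] in ("class", "inspect"):       # match / parameters lines
            (cfg["class"][ctx[1]] if ctx[0] == "class" else cfg["inspect"][ctx[1]][1]).append(line)
        elif ctx and indent == 1 and words[0] == "class":  # policy-map: a new class block
            cur_class = words[1]
            cfg["policy"][ctx[1]].setdefault(cur_class, [])
        elif ctx and cur_class and indent > 1:             # actions under that class
            cfg["policy"][ctx[1]][cur_class].append(line)
    return cfg

def parse_inspect(action):
    """'inspect http PDHTTP' -> ('http', 'PDHTTP'); 'inspect h323 ras' -> ('h323 ras', None)."""
    w = action.split()[1:]
    if w[0] == "h323" and len(w) > 1:                      # h323 takes a sub-engine keyword first
        w = ["h323 " + w[1]] + w[2:]
    return w[0], (w[1] if len(w) > 1 else None)

def policies_for(cfg, iface):
    """(scope, policy, class, actions) in evaluation order: interface policy first.
    For one feature such as inspection a flow takes the action from the first
    policy whose class it matches; the global policy only fills in the rest."""
    order = [("interface", cfg["iface"][iface])] if iface in cfg["iface"] else []
    order += [("global", cfg["global"])] if cfg["global"] else []
    return [(s, p, c, a) for s, p in order for c, a in cfg["policy"].get(p, {}).items()]

def find_inspection(cfg, iface, proto):
    """(scope, policy, class, inspect-map) that handles `proto` on `iface`, or None."""
    for scope, pol, cls, actions in policies_for(cfg, iface):
        for act in (parse_inspect(a) for a in actions if a.startswith("inspect ")):
            if act[0] == proto:
                return scope, pol, cls, act[1]
    return None

def lint(cfg):
    """References that do not resolve in the audited text (e.g. a fragment pasted without its class-map)."""
    bad = []
    for pol, classes in cfg["policy"].items():
        for cls, actions in classes.items():
            if cls != "class-default" and cls not in cfg["class"]:
                bad.append(f"policy-map {pol}: class {cls} has no class-map")
            for proto, imap in (parse_inspect(a) for a in actions if a.startswith("inspect ")):
                if imap and imap not in cfg["inspect"]:
                    bad.append(f"policy-map {pol}: inspect {proto} uses undefined map {imap}")
    used = ([cfg["global"]] if cfg["global"] else []) + list(cfg["iface"].values())
    bad += [f"service-policy references undefined policy-map {p}" for p in used if p not in cfg["policy"]]
    return bad

# Constructed sample: the page's default global policy (inspection list abbreviated)
# plus the page's HTTP policy for the Web server on the outside interface.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
class-map CHTTP
 match access-list AHTTP
policy-map type inspect http PDHTTP
 parameters
  spoof-server "Apache Server"
 match request header length gt 4096
  reset
policy-map POUTSIDE
 class CHTTP
  inspect http PDHTTP
  set connection conn-max 2 embryonic-conn-max 1
service-policy POUTSIDE interface outside
"""
```

Calling find_inspection(parse_mpf(SAMPLE_CONFIG), "outside", "http") returns the POUTSIDE/CHTTP/PDHTTP entry, while the same call for "inside" returns None, because the default global policy does not include HTTP. Feed the script the output of show running-config to audit a real box, and remember that it reads the policy text only: class-maps that match on ports or access lists are reported, not evaluated against live traffic.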