Wednesday, February 10, 2010

ZFW L7 in-depth packet analysis

Application inspection can be applied on HTTP traffic to control unwanted use of HTTP’s service port for other applications such as IM, P2P file sharing, and tunneling applications that can redirect otherwise firewalled applications through TCP 80. 

First of all, we need to define a class-map for in-depth analysis of the HTTP headers, for example:

! configure the actions that are not permitted
class-map type inspect http match-any http-aic-cmap
 match request port-misuse any
 match req-resp protocol-violation

Note the http keyword in the class-map definition. It specifies that this is not a regular class-map but an HTTP traffic inspection (Layer 7) class-map.
Then,

! define actions to be applied to unwanted traffic
policy-map type inspect http http-aic-pmap
 class type inspect http http-aic-cmap
  reset
  log

The part above is really important: without it we wouldn't be allowed to apply this class-map to a regular policy-map. It is this HTTP policy-map that we attach to the regular policy-map as a service-policy. Note that the http keyword appears in the policy-map definition as well.
Then, let's create a standard HTTP class-map:

! define class-map for stateful http inspection
class-map type inspect match-any http-cmap
 match protocol http

And after all of this, we can finally create our last policy-map:

! define policy-map, associate class-maps and actions
policy-map type inspect priv-pub-pmap
 class type inspect http-cmap
  inspect
  service-policy http http-aic-pmap

I would like to say it once again: if we didn't associate the first class-map with a policy-map (the ones specified with the http keyword), it would be impossible to attach that class-map to a regular policy-map at the end.

Working example:

class-map type inspect match-any Int2Pub
 match protocol https
 match protocol dns
 match protocol icmp
class-map type inspect match-any http-cmap
 match protocol http
class-map type inspect http match-any http-aic-cmap
 match request port-misuse any
 match req-resp protocol-violation
!
!
policy-map type inspect http http-aic-pmap
 class type inspect http http-aic-cmap
  reset
  log
 class class-default
policy-map type inspect priv-pub-pmap
 class type inspect Int2Pub
  inspect
 class type inspect http-cmap
  inspect
  service-policy http http-aic-pmap
 class class-default
!
zone security private
zone security public
zone-pair security Int2PubZone source private destination public
 service-policy type inspect priv-pub-pmap
!
interface FastEthernet0/0
 ip address 192.168.255.254 255.255.255.0
 zone-member security private
!
interface FastEthernet0/1
 ip address 192.168.137.100 255.255.255.0
 zone-member security public
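As an added check (not part of the post), here is a small Python script that reads this kind of ZFW config and flags the mistake the post warns about: an HTTP inspection class-map referenced directly from a regular policy-map instead of through a policy-map type inspect http bound with service-policy http. The sample configs are constructed from the working example above; the parser only understands the class-map / policy-map lines shown here.

```python
import re
# Constructed sample: the post's working config, cut down to the lines the check reads.
GOOD_CONFIG = """\
class-map type inspect match-any http-cmap
 match protocol http
class-map type inspect http match-any http-aic-cmap
 match request port-misuse any
 match req-resp protocol-violation
policy-map type inspect http http-aic-pmap
 class type inspect http http-aic-cmap
  reset
  log
policy-map type inspect priv-pub-pmap
 class type inspect http-cmap
  inspect
  service-policy http http-aic-pmap
"""
# Constructed counter-example: the L7 class-map is put straight into the
# regular policy-map, skipping the "policy-map type inspect http" layer.
BAD_CONFIG = GOOD_CONFIG.replace(" class type inspect http-cmap",
                                 " class type inspect http-aic-cmap")

def check_l7_nesting(config: str) -> list:
    """Return findings; an empty list means the L4/L7 hierarchy is consistent."""
    l4_cmaps, l7_cmaps, l7_pmaps, refs = set(), set(), set(), []
    ctx, ctx_l7 = None, False              # policy-map currently being parsed
    for line in config.splitlines():
        if m := re.match(r"class-map type inspect (http )?\S+ (\S+)", line):
            (l7_cmaps if m.group(1) else l4_cmaps).add(m.group(2))
        elif m := re.match(r"policy-map type inspect (http )?(\S+)", line):
            ctx, ctx_l7 = m.group(2), bool(m.group(1))
            if ctx_l7:
                l7_pmaps.add(ctx)
        elif m := re.match(r"\s+class type inspect (http )?(\S+)", line):
            refs.append(("class", bool(m.group(1)), m.group(2), ctx, ctx_l7))
        elif m := re.match(r"\s+service-policy http (\S+)", line):
            refs.append(("l7policy", False, m.group(1), ctx, ctx_l7))
    findings = []
    for kind, is_l7, name, where, in_l7 in refs:
        if kind == "class" and not is_l7 and name in l7_cmaps:
            findings.append(f"{where}: L7 class-map {name} attached directly; "
                            "reference it from a 'policy-map type inspect http'")
        elif kind == "class" and (is_l7 != in_l7 or
                                  name not in (l7_cmaps if is_l7 else l4_cmaps)):
            findings.append(f"{where}: class-map {name} missing or of the wrong type")
        elif kind == "l7policy" and (in_l7 or name not in l7_pmaps):
            findings.append(f"{where}: service-policy http {name} must bind an "
                            "L7 policy-map from within a regular policy-map")
    return findings
```

Running check_l7_nesting on GOOD_CONFIG returns an empty list, while BAD_CONFIG yields one finding naming http-aic-cmap.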