Deployment Scenarios

This section covers how SecureMe deploys a Cisco ASA in its London branch to perform application inspection for the following protocols:

Figure 8-14 illustrates the topology of SecureMe's London office.

Figure 8-14. SecureMe London Office
There are three interfaces configured in the London Cisco ASA (inside, outside, and DMZ). The DMZ has a web server, an e-mail server, and an FTP server. The outside is connected to the Internet via an ISP router. The goal is to configure application inspection for the previously mentioned protocols as outlined in the next sections.

ESMTP

The security administrator wants to inspect all ESMTP traffic from inside and outside hosts to the e-mail server (192.168.118.25) in the DMZ. The following steps are completed to achieve this goal:
Each policy map is applied to the inside and outside interfaces, respectively. All TCP port 25 traffic that matches access list SMTPInspect is inspected on the inside and outside interfaces.

HTTP

SecureMe's security policies dictate that the following HTTP extensions should not be allowed by any connections originating from the inside or outside hosts to the web server (192.168.118.80) in the DMZ:
You follow these steps to achieve this goal:
Suppose that you receive several complaints from users a few days after you enter the commands in the Cisco ASA. The users are not able to successfully use several web-based applications to certain websites on the Internet. After further investigation, you notice that these applications use the HTTP extensions MOVE, COPY, and MKDIR for legitimate transactions. You proceed to modify the class map named httpclass to use an ACL so that only traffic going to the web server (192.168.118.80) in the DMZ is inspected, as shown in Example 8-16.

Example 8-16. Correcting the Class Map

London(config)# access-list HTTPInspect permit tcp any host 192.168.118.80 eq 80
London(config)# access-list HTTPInspect permit tcp any host 192.168.118.80 eq 443
London(config)# class-map httpclass
London(config-cmap)# match access-list HTTPInspect

The access list HTTPInspect matches all HTTP (TCP port 80) and HTTPS (TCP port 443) traffic destined to 192.168.118.80.

FTP

Suppose that now you need to configure the Cisco ASA to inspect all FTP connections originating from inside users to the FTP server (192.168.118.21) in the DMZ. The inside users must not be allowed to delete any files on the FTP server. Complete the following steps to achieve this goal.
Example 8-17 shows how an internal user (user1) logs in to the FTP server and is denied while trying to delete a file.

Example 8-17. FTP User Connection

bash$ ftp 192.168.118.21
Connected to 192.168.118.21
220 (vsFTPd 2.0.3)
Username: user1
331 Please specify the password.
Password: *****
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,254,102)
150 Here comes the directory listing.
drwxr-xr-x    2 500      500          4096 Jul 07 19:20 Desktop
-rw-rw-r--    1 500      500          1216 Jul 08 01:03 order
-rw-rw-r--    1 500      500           944 Jul 08 01:58 test
226 Directory send OK.
ftp> dele test
550 Delete operation failed.
ftp>

The internal user (user1) attempts to delete a file called test and is denied by the Cisco ASA, as shown in the highlighted lines in Example 8-18.
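As an added example (not one of the book's own Examples), the following shows one way to express both the corrected HTTP policy and the FTP no-delete policy for the inside interface in the ASA 7.0-style http-map and ftp-map syntax used in this chapter. Only the addresses and the names httpclass and HTTPInspect come from the text; httpmap, ftpmap, ftpclass, FTPInspect and inside-policy are assumed names, and the outside interface would need its own policy map built the same way.

```cisco
! Added example, not the book's own configuration. Assumes ASA 7.0-style
! http-map/ftp-map syntax; every name other than httpclass and HTTPInspect is made up.
!
! HTTP: inspect only flows to the DMZ web server (the fix from Example 8-16), so
! Internet-bound applications that legitimately use MOVE, COPY and MKDIR are left alone.
! The port 443 entry mirrors the book; the HTTP engine cannot read methods inside TLS,
! so request-method rules only take effect on the cleartext port 80 flows.
access-list HTTPInspect permit tcp any host 192.168.118.80 eq 80
access-list HTTPInspect permit tcp any host 192.168.118.80 eq 443
class-map httpclass
 match access-list HTTPInspect
http-map httpmap
 request-method ext move action drop log
 request-method ext copy action drop log
 request-method ext mkdir action drop log
!
! FTP: inspect control connections from any inside host to the DMZ FTP server and
! deny the DELE command, which produces the 550 seen by user1 in Example 8-17.
access-list FTPInspect permit tcp any host 192.168.118.21 eq 21
class-map ftpclass
 match access-list FTPInspect
ftp-map ftpmap
 request-command deny dele
!
! Only one service-policy can be bound to an interface, so the ESMTP class from the
! earlier section belongs in this same policy map rather than in a second one.
policy-map inside-policy
 class httpclass
  inspect http httpmap
 class ftpclass
  inspect ftp strict ftpmap
service-policy inside-policy interface inside
```

Because inspection is keyed on the ACL in each class map, a flow that does not match HTTPInspect or FTPInspect is forwarded without application-layer checks, which is exactly the scoping the complaint in the HTTP section called for.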