HTTP

The Cisco ASA HTTP inspection engine checks whether an HTTP transaction is compliant with RFC 2616 by checking the HTTP request message. The following are the predefined HTTP commands:
The Cisco ASA checks for these HTTP commands; if the message contains none of them, the Cisco ASA verifies that it is an HTTP extension method/command (such as MOVE, COPY, or EDIT). If both checks fail, a syslog message is generated and the packet can be dropped.

The Cisco ASA can also detect double-encoding attacks. HTTP de-obfuscation is the process of normalizing the encoded characters in an HTTP message to their ASCII-equivalent characters (sometimes also referred to as ASCII normalization). In a double-encoding attack, the attacker sends an encoded HTTP URI request that has been through two rounds of encoding. Traditionally, firewalls and intrusion detection devices detect and normalize only the first round of encoding, so the still-encoded request evades the firewall or IDS. The Cisco ASA HTTP inspection engine detects double encoding and prevents this evasion.

The Cisco ASA also provides a feature to filter HTTP messages based on keywords. This is useful when looking for specific applications running over HTTP, such as online instant messenger (IM) applications, music sharing applications, and so on.

Enabling HTTP Inspection

Use the inspect http command to enable HTTP inspection. You can also enable enhanced HTTP inspection by creating an HTTP map and associating it with the inspect http command. To create an HTTP map, use the http-map command, as shown in Example 8-12.

Example 8-12. HTTP Inspection Using an HTTP Map

    http-map myhttpmap
      request-method rfc default action allow
      request-method ext move action reset
      request-method ext copy action reset
    policy-map asa_global_fw_policy
      class inspection_default
        inspect http myhttpmap

In Example 8-12, an HTTP map named myhttpmap is configured. Request method inspection is enabled to allow all default RFC-compliant methods. The two extension methods, move and copy, are not allowed; if either of them is detected, the HTTP connection is reset.
The following HTTP extensions are supported by the Cisco ASA:
Several enhanced HTTP inspection options can be configured under the http-map subcommands. When you configure an HTTP map, you are placed into the http-map prompt. The following subcommands are available to configure the necessary rules for enhanced HTTP inspection:

strict-http

The strict-http command changes the default action taken when noncompliant HTTP traffic is detected. The following is the subcommand syntax:

    strict-http action {allow | reset | drop} [log]

Table 8-5 describes the strict-http command options.
The strict-http command is enabled by default. The default action is to log and send a TCP reset.

content-length

The content-length command limits the HTTP traffic allowed through the Cisco ASA based on the content length of the HTTP message body. The following is the command syntax:

    content-length {min bytes max bytes} action {allow | reset | drop} [log]

Table 8-6 describes the content-length command options.
content-type-verification

When a web browser receives a document via HTTP, it must determine the document's encoding (sometimes referred to as charset). The browser must know this in order to display non-ASCII characters correctly. The content-type-verification command limits the content types in HTTP messages transferred through the Cisco ASA. The Cisco ASA verifies that the Content-Type header value is in the internal list of supported content types. Additionally, it checks that the header content type matches the actual content in the data or entity body portion of the message. Here are the currently supported HTTP content types:
The following is the content-type-verification command syntax:

    content-type-verification [match-req-rsp] action {allow | reset | drop} [log]

The match-req-rsp keyword enables the Cisco ASA to verify that the Content-Type field in the HTTP response matches the Accept field in the corresponding HTTP request message.

max-header-length

The max-header-length command limits the HTTP header length on traffic that passes through the Cisco ASA. Messages with a header length less than or equal to the configured value are allowed; otherwise, the configured action is taken. The following is the command syntax:

    max-header-length {request bytes response bytes} action {allow | reset | drop} [log]

Table 8-7 describes the max-header-length command options.
max-uri-length

The max-uri-length command limits the length of the Universal Resource Identifier (URI) in a request message. The command syntax is as follows:

    max-uri-length bytes action {allow | reset | drop} [log]

Table 8-8 describes the max-uri-length command options.
port-misuse

The port-misuse command restricts applications, such as instant messengers, that use HTTP as a transport protocol. The following is the command syntax:

    port-misuse {default | im | p2p | tunneling} action {allow | reset | drop} [log]

Table 8-9 describes the port-misuse command options.
Note: The port-misuse command is disabled by default.

request-method

The request-method command configures a specific action for each of the supported HTTP request methods. The following is the command syntax:

    request-method rfc rfc_method action {allow | reset | drop} [log]
    request-method ext ext_method action {allow | reset | drop} [log]

Table 8-10 describes the request-method command options.
Note: The request-method command is disabled by default.

transfer-encoding type

The transfer-encoding type command configures a specific action for each of the supported HTTP transfer-encoding types passing through the Cisco ASA. The following is the command syntax:

    transfer-encoding type encoding_types action {allow | reset | drop} [log]

Table 8-11 describes the transfer-encoding type command options.
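The following HTTP map combines the subcommands described above into one policy; it is an added example, not configuration from the book or from Cisco. The map name web_inspect_map, the byte limits and the keyword default used as a catch-all for port-misuse, request-method ext and transfer-encoding type are assumptions for this example, as is the closing service-policy line, which this page does not show.

```cisco
! Added example (not from the book): an http-map exercising the enhanced
! inspection subcommands. Limits and the map name are illustrative choices.
http-map web_inspect_map
 ! Noncompliant HTTP: drop and log instead of the default log-and-reset.
 strict-http action drop log
 ! Message bodies outside the 1..1000000 byte range are reset and logged.
 content-length min 1 max 1000000 action reset log
 ! Check Content-Type against the supported list and the actual body, and
 ! check that the response Content-Type matches the request Accept field.
 content-type-verification match-req-rsp action reset log
 ! Cap request and response header sizes (illustrative limits).
 max-header-length request 2048 response 2048 action reset log
 ! Reject over-long request URIs (illustrative limit).
 max-uri-length 1024 action reset log
 ! Block IM, peer-to-peer and tunneling applications riding over HTTP;
 ! traffic not matched by those signatures is allowed.
 port-misuse im action drop log
 port-misuse p2p action drop log
 port-misuse tunneling action drop log
 port-misuse default action allow
 ! Allow the RFC 2616 methods; reset and log every extension method
 ! (stricter than Example 8-12, which only blocks move and copy).
 request-method rfc default action allow
 request-method ext default action reset log
 ! Permit chunked transfer encoding and reset any other encoding type.
 transfer-encoding type chunked action allow
 transfer-encoding type default action reset log
!
! Attach the map to the same policy map used in Example 8-12.
policy-map asa_global_fw_policy
 class inspection_default
  inspect http web_inspect_map
!
! Apply the policy on all interfaces (assumed; not shown on this page).
service-policy asa_global_fw_policy global
```

Each reset or drop action carries the log keyword so that syslog records which rule fired, which is what you will want when tuning the limits against real traffic.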