
Cisco Asdm 7 User Guide

    							 
    11-17
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 11      Configuring Inspection of Basic Internet Protocols
      FTP Inspection
    load on the ASA. For example, if the DNS server is on the outside interface, you should enable DNS 
    inspection with snooping for all UDP DNS traffic on the outside interface. See the “Enabling DNS 
    Snooping” section on page 26-9.
    Step 8 Click OK to return to the Protocol Inspections tab.
    Step 9 Click OK to finish editing the service policy.
    Step 10 Click Apply.
    FTP Inspection
    This section describes the FTP inspection engine. This section includes the following topics:
    FTP Inspection Overview, page 11-17
    Using Strict FTP, page 11-17
    Select FTP Map, page 11-18
    FTP Class Map, page 11-19
    Add/Edit FTP Traffic Class Map, page 11-19
    Add/Edit FTP Match Criterion, page 11-20
    FTP Inspect Map, page 11-21
    FTP Inspection Overview
    The FTP application inspection inspects the FTP sessions and performs four tasks:
    Prepares dynamic secondary data connection
    Tracks the FTP command-response sequence
    Generates an audit trail
    Translates the embedded IP address
    FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels 
    are negotiated through PORT or PASV commands. The channels are allocated in response to a file 
    upload, a file download, or a directory listing event.
    Note If you disable the FTP inspection engine with the no inspect ftp command, outbound users can start 
    connections only in passive mode, and all inbound FTP is disabled.
    Using Strict FTP
    Using strict FTP increases the security of protected networks by preventing web browsers from sending 
    embedded commands in FTP requests. To enable strict FTP, click the Configure button next to FTP on 
    the Configuration > Firewall > Service Policy Rules > Edit Service Policy Rule > Rule Actions > 
    Protocol Inspection tab.
    After you enable the strict option on an interface, FTP inspection enforces the following behavior: 
    						
    							 
    An FTP command must be acknowledged before the ASA allows a new command.
    The ASA drops connections that send embedded commands.
    The 227 and PORT commands are checked to ensure they do not appear in an error string.
    Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP 
    RFCs.
    If the strict option is enabled, each FTP command and response sequence is tracked for the following 
    anomalous activity:
    Truncated command—Number of commas in the PORT and PASV reply command is checked to see 
    if it is five. If it is not five, then the PORT command is assumed to be truncated and the TCP 
    connection is closed.
    Incorrect command—Checks the FTP command to see if it ends with <CR><LF> characters, as 
    required by the RFC. If it does not, the connection is closed.
    Size of RETR and STOR commands—These are checked against a fixed constant. If the size is 
    greater, then an error message is logged and the connection is closed.
    Command spoofing—The PORT command should always be sent from the client. The TCP 
    connection is denied if a PORT command is sent from the server. 
    Reply spoofing—PASV reply command (227) should always be sent from the server. The TCP 
    connection is denied if a PASV reply command is sent from the client. This prevents the security 
    hole when the user executes “227 xxxxx a1, a2, a3, a4, p1, p2.”
    TCP stream editing—The ASA closes the connection if it detects TCP stream editing.
    Invalid port negotiation—The negotiated dynamic port value is checked to see if it is less than 1024. 
    As port numbers in the range from 1 to 1024 are reserved for well-known connections, if the 
    negotiated port falls in this range, then the TCP connection is freed.
    Command pipelining—The number of characters present after the port numbers in the PORT and 
    PASV reply command is cross checked with a constant value of 8. If it is more than 8, then the TCP 
    connection is closed.
    The ASA replaces the FTP server response to the SYST command with a series of Xs to prevent the 
    server from revealing its system type to FTP clients. To override this default behavior, use the no 
    mask-syst-reply command in the FTP map.
    Select FTP Map 
    The Select FTP Map dialog box is accessible as follows:
    Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > 
    Select FTP Map
    The Select FTP Map dialog box lets you enable strict FTP application inspection, select an FTP map, or 
    create a new FTP map. An FTP map lets you change the configuration values used for FTP application 
    inspection. The Select FTP Map table provides a list of previously configured maps that you can select 
    for application inspection. 
    						
    							 
    Fields
    FTP Strict (prevent web browsers from sending embedded commands in FTP requests)—Enables 
    strict FTP application inspection, which causes the ASA to drop the connection when an embedded 
    command is included in an FTP request. 
    Use the default FTP inspection map—Specifies to use the default FTP map.
    Select an FTP map for fine control over inspection—Lets you select a defined application inspection 
    map or add a new one.
    Add—Opens the Add Policy Map dialog box for the inspection. 
    FTP Class Map
    The FTP Class Map dialog box is accessible as follows:
    Configuration > Global Objects > Class Maps > FTP
    The FTP Class Map pane lets you configure FTP class maps for FTP inspection.
    An inspection class map matches application traffic with criteria specific to the application. You then 
    identify the class map in the inspect map and enable actions. The difference between creating a class 
    map and defining the traffic match directly in the inspect map is that you can create more complex match 
    criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, 
    H.323, HTTP, IM, and SIP.
    Fields
    Name—Shows the FTP class map name.
    Match Conditions—Shows the type, match criterion, and value in the class map.
    –Match Type—Shows the match type, which can be a positive or negative match. 
    –Criterion—Shows the criterion of the FTP class map.
    –Value—Shows the value to match in the FTP class map.
    Description—Shows the description of the class map.
    Add—Adds an FTP class map.
    Edit—Edits an FTP class map.
    Delete—Deletes an FTP class map.
    Add/Edit FTP Traffic Class Map
    The Add/Edit FTP Traffic Class Map dialog box is accessible as follows:
    Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map
    The Add/Edit FTP Traffic Class Map dialog box lets you define an FTP class map.
    Fields
    Name—Enter the name of the FTP class map, up to 40 characters in length.
    Description—Enter the description of the FTP class map.
    Add—Adds an FTP class map.
    Edit—Edits an FTP class map. 
    						
    							 
    Delete—Deletes an FTP class map.
    Add/Edit FTP Match Criterion
    The Add/Edit FTP Match Criterion dialog box is accessible as follows:
    Configuration > Global Objects > Class Maps > FTP > Add/Edit FTP Traffic Class Map > 
    Add/Edit FTP Match Criterion
    The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP 
    class map.
    Fields
    Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic 
    that does not match the criterion. 
    For example, if No Match is selected on the string “example.com,” then any traffic that contains 
    “example.com” is excluded from the class map.
    Criterion—Specifies which criterion of FTP traffic to match.
    –Request-Command—Match an FTP request command.
    –File Name—Match a filename for FTP transfer.
    –File Type—Match a file type for FTP transfer.
    –Server—Match an FTP server.
    –User Name—Match an FTP user.
    Request-Command Criterion Values—Specifies the value details for the FTP request command 
    match.
    –Request Command—Lets you select one or more request commands to match.
    APPE—Append to a file.
    CDUP—Change to the parent of the current directory.
    DELE—Delete a file at the server site.
    GET—FTP client command for the retr (retrieve a file) command.
    HELP—Help information from the server.
    MKD—Create a directory.
    PUT—FTP client command for the stor (store a file) command.
    RMD—Remove a directory.
    RNFR—Rename from.
    RNTO—Rename to.
    SITE—Specify a server specific command.
    STOU—Store a file with a unique name.
    File Name Criterion Values—Specifies to match on the FTP transfer filename.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions. 
    						
    							 
    –Regular Expression Class—Lists the defined regular expression classes to match.
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    File Type Criterion Values—Specifies to match on the FTP transfer file type.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions.
    –Regular Expression Class—Lists the defined regular expression classes to match.
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    Server Criterion Values—Specifies to match on the FTP server.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions.
    –Regular Expression Class—Lists the defined regular expression classes to match.
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    User Name Criterion Values—Specifies to match on the FTP user.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions.
    –Regular Expression Class—Lists the defined regular expression classes to match.
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    FTP Inspect Map
    The FTP Inspect Map dialog box is accessible as follows:
    Configuration > Global Objects > Inspect Maps > FTP
    The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets 
    you change the default configuration values used for FTP application inspection. 
    FTP command filtering and security checks are provided using strict FTP inspection for improved 
    security and control. Protocol conformance includes packet length checks, delimiters and packet format 
    checks, command terminator checks, and command validation. 
    Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for 
    download, but restrict access to certain users. You can block FTP connections based on file type, server 
    name, and other attributes. System message logs are generated if an FTP connection is denied after 
    inspection.
    Fields
    FTP Inspect Maps—Table that lists the defined FTP inspect maps. 
    Add—Configures a new FTP inspect map. To edit an FTP inspect map, choose the FTP entry in the 
    FTP Inspect Maps table and click Customize. 
    						
    							 
    Delete—Deletes the inspect map selected in the FTP Inspect Maps table.
    Security Level—Select the security level (medium or low).
    –Low
    Mask Banner Disabled
    Mask Reply Disabled
    –Medium—Default.
    Mask Banner Enabled
    Mask Reply Enabled
    –File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
    –Customize—Opens the Add/Edit FTP Policy Map dialog box for additional settings.
    –Default Level—Sets the security level back to the default level of Medium.
    File Type Filtering
    The File Type Filtering dialog box is accessible as follows:
    Configuration > Global Objects > Inspect Maps > FTP > MIME File Type Filtering
    The File Type Filtering dialog box lets you configure the settings for a file type filter. 
    Fields
    Match Type—Shows the match type, which can be a positive or negative match. 
    Criterion—Shows the criterion of the inspection.
    Value—Shows the value to match in the inspection.
    Action—Shows the action if the match condition is met.
    Log—Shows the log state.
    Add—Opens the Add File Type Filter dialog box to add a file type filter.
    Edit—Opens the Edit File Type Filter dialog box to edit a file type filter.
    Delete—Deletes a file type filter.
    Move Up—Moves an entry up in the list.
    Move Down—Moves an entry down in the list.
    Add/Edit FTP Policy Map (Security Level)
    The Add/Edit FTP Policy Map dialog box is accessible as follows:
    Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Basic View
    The Add/Edit FTP Policy Map pane lets you configure the security level and additional settings for FTP 
    application inspection maps.
    Fields
    Name—When adding an FTP map, enter the name of the FTP map. When editing an FTP map, the 
    name of the previously configured FTP map is shown. 
    						
    							 
    Description—Enter the description of the FTP map, up to 200 characters in length.
    Security Level—Select the security level (medium or low).
    –Low
    Mask Banner Disabled
    Mask Reply Disabled
    –Medium—Default.
    Mask Banner Enabled
    Mask Reply Enabled
    –File Type Filtering—Opens the Type Filtering dialog box to configure file type filters.
    –Default Level—Sets the security level back to the default level of Medium.
    Details—Shows the Parameters and Inspections tabs to configure additional settings.
    Add/Edit FTP Policy Map (Details)
    The Add/Edit FTP Policy Map (Details) dialog box is accessible as follows:
    Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View
    The Add/Edit FTP Policy Map pane lets you configure the security level and additional settings for FTP 
    application inspection maps.
    Fields
    Name—When adding an FTP map, enter the name of the FTP map. When editing an FTP map, the 
    name of the previously configured FTP map is shown.
    Description—Enter the description of the FTP map, up to 200 characters in length.
    Security Level—Shows the security level and file type filtering settings to configure.
    Parameters—Tab that lets you configure the parameters for the FTP inspect map.
    –Mask greeting banner from the server—Masks the greeting banner from the FTP server to 
    prevent the client from discovering server information.
    –Mask reply to SYST command—Masks the reply to the syst command to prevent the client from 
    discovering server information.
    Inspections—Tab that shows you the FTP inspection configuration and lets you add or edit.
    –Match Type—Shows the match type, which can be a positive or negative match. 
    –Criterion—Shows the criterion of the FTP inspection.
    –Value—Shows the value to match in the FTP inspection.
    –Action—Shows the action if the match condition is met.
    –Log—Shows the log state.
    –Add—Opens the Add FTP Inspect dialog box to add an FTP inspection.
    –Edit—Opens the Edit FTP Inspect dialog box to edit an FTP inspection.
    –Delete—Deletes an FTP inspection.
    –Move Up—Moves an inspection up in the list.
    –Move Down—Moves an inspection down in the list. 
    						
    							 
    Add/Edit FTP Map
    The Add/Edit FTP Map dialog box is accessible as follows:
    Configuration > Global Objects > Inspect Maps > FTP > FTP Inspect Map > Advanced View > 
    Add/Edit FTP Inspect
    The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect 
    map.
    Fields
    Single Match—Specifies that the FTP inspect has only one match statement.
    Match Type—Specifies whether traffic should match or not match the values. 
    For example, if No Match is selected on the string “example.com,” then any traffic that contains 
    “example.com” is excluded from the class map.
    Criterion—Specifies which criterion of FTP traffic to match.
    –Request Command—Match an FTP request command.
    –File Name—Match a filename for FTP transfer.
    –File Type—Match a file type for FTP transfer.
    –Server—Match an FTP server.
    –User Name—Match an FTP user.
    Request Command Criterion Values—Specifies the value details for FTP request command match.
    –Request Command:
    APPE—Command that appends to a file.
    CDUP—Command that changes to the parent directory of the current working directory.
    DELE—Command that deletes a file.
    GET—Command that gets a file.
    HELP—Command that provides help information.
    MKD—Command that creates a directory.
    PUT—Command that sends a file.
    RMD—Command that deletes a directory.
    RNFR—Command that specifies rename-from filename.
    RNTO—Command that specifies rename-to filename.
    SITE—Commands that are specific to the server system. Usually used for remote 
    administration.
    STOU—Command that stores a file using a unique filename.
    File Name Criterion Values—Specifies the value details for FTP filename match.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions.
    –Regular Expression Class—Lists the defined regular expression classes to match. 
    						
    							 
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    File Type Criterion Values—Specifies the value details for FTP file type match.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions.
    –Regular Expression Class—Lists the defined regular expression classes to match.
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    Server Criterion Values—Specifies the value details for FTP server match.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions.
    –Regular Expression Class—Lists the defined regular expression classes to match.
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    User Name Criterion Values—Specifies the value details for FTP user name match.
    –Regular Expression—Lists the defined regular expressions to match.
    –Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular 
    expressions.
    –Regular Expression Class—Lists the defined regular expression classes to match.
    –Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure 
    regular expression class maps.
    Multiple Matches—Specifies multiple matches for the FTP inspection.
    –FTP Traffic Class—Specifies the FTP traffic class match.
    –Manage—Opens the Manage FTP Class Maps dialog box to add, edit, or delete FTP Class 
    Maps.
    Action—Reset.
    Log—Enable or disable.
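    How the Match / No Match criteria and the Reset action of the Add/Edit FTP Match Criterion and Add/Edit FTP Map dialogs combine, as an added Python model (not Cisco code, and not how the ASA implements it internally): rows are evaluated in list order and the first row that hits decides. The request records, the rule values and the log line format are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class FtpRequest:
    """One FTP request as the inspector sees it (constructed record, not a capture)."""
    command: str
    user: str = ""
    server: str = ""
    filename: str = ""
    file_type: str = ""          # type attributed to the transfer; used by the File Type criterion


@dataclass
class InspectRule:
    """One row of the FTP inspect map: criterion, value, Match/No Match, action, log."""
    criterion: str               # request-command, file-name, file-type, server or user-name
    value: str                   # regex for the regex criteria; space-separated verbs for request-command
    negate: bool = False         # True corresponds to "No Match" in the dialog
    action: str = "reset"        # the Add/Edit FTP Map dialog offers Reset
    log: bool = True

    def hits(self, req: FtpRequest) -> bool:
        if self.criterion == "request-command":
            found = req.command.upper() in self.value.upper().split()
        else:
            attr = {"file-name": req.filename, "file-type": req.file_type,
                    "server": req.server, "user-name": req.user}[self.criterion]
            found = re.search(self.value, attr) is not None
        return found != self.negate   # "No Match" selects everything the value does not describe


def apply_inspect_map(rules: list[InspectRule], req: FtpRequest) -> tuple[str, list[str]]:
    """Evaluate the rows in list order (the Move Up / Move Down order in ASDM); the
    first row that hits decides. Returns (verdict, log lines); 'allow' if none hits."""
    logs: list[str] = []
    for rule in rules:
        if rule.hits(req):
            if rule.log:
                kind = "No Match" if rule.negate else "Match"
                logs.append(f"FTP {req.command.upper()} by {req.user or '-'} on {req.server or '-'}: "
                            f"{rule.action} ({kind} {rule.criterion} {rule.value!r})")
            return rule.action, logs
    return "allow", logs


# Constructed example policy: only the example.com server is permitted (No Match on the
# server name resets everything else), SITE and STOU are refused, and .exe transfers
# are refused by filename.
EXAMPLE_RULES = [
    InspectRule("server", r"example\.com", negate=True),
    InspectRule("request-command", "SITE STOU"),
    InspectRule("file-name", r"\.exe$"),
]
```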
    Verifying and Monitoring FTP Inspection
    FTP application inspection generates the following log messages:
    An Audit record 303002 is generated for each file that is retrieved or uploaded. 
    The FTP command is checked to see if it is RETR or STOR and the retrieve and store commands 
    are logged. 
    The username is obtained by looking up the IP address in a table.
    The username, source IP address, destination IP address, NAT address, and the file operation are 
    logged.
    Audit record 201005 is generated if the secondary dynamic channel preparation failed due to 
    memory shortage. 
    						
    							 
    In conjunction with NAT, the FTP application inspection translates the IP address within the application 
    payload. This is described in detail in RFC 959.
    HTTP Inspection
    This section describes the HTTP inspection engine. This section includes the following topics:
    HTTP Inspection Overview, page 11-26
    Select HTTP Map, page 11-26
    HTTP Class Map, page 11-27
    Add/Edit HTTP Traffic Class Map, page 11-27
    Add/Edit HTTP Match Criterion, page 11-28
    HTTP Inspect Map, page 11-32
    URI Filtering, page 11-33
    Add/Edit HTTP Policy Map (Security Level), page 11-33
    Add/Edit HTTP Policy Map (Details), page 11-34
    Add/Edit HTTP Map, page 11-35
    HTTP Inspection Overview
    Use the HTTP inspection engine to protect against specific attacks and other threats that are associated 
    with HTTP traffic. HTTP inspection performs several functions:
    Enhanced HTTP inspection
    URL screening through N2H2 or Websense 
    See Information About URL Filtering, page 29-2 for information.
    Java and ActiveX filtering
    The latter two features are configured in conjunction with Filter rules.
    The enhanced HTTP inspection feature, which is also known as an application firewall and is available 
    when you configure an HTTP map, can help prevent attackers from using HTTP messages for 
    circumventing network security policy. It verifies the following for all HTTP messages:
    Conformance to RFC 2616
    Use of RFC-defined methods only.
    Compliance with the additional criteria.
    Select HTTP Map
    The Select HTTP Map dialog box is accessible as follows:
    Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > 
    Select HTTP Map 
    						