
Application Layer Protocol Inspection

In addition to the stateful inspection discussed previously, the Adaptive Security Algorithm is built with application-layer intelligence that helps detect and prevent protocol and application-layer attacks. It performs deep packet inspection of application-layer protocol traffic (such as HTTP) by examining both the packet IP header and the payload contents. Conventional firewalls maintain session information only up to Layer 4, whereas the Security Appliance adds another tier of security by extending its inspection into the data payload at Layer 7.

With this application-layer awareness, the Security Appliance inspects the data payload for malicious activity. As shown in Figure 6-4, when the Security Appliance receives a packet belonging to a well-known application protocol (such as HTTP), it further examines the application operation the packet carries, checking it for adherence to the relevant RFC standards and for compliant operations to ensure there is no malicious intent. If the packet is maliciously crafted with unauthorized, nonstandard activity and is found to perform noncompliant operations (illegal commands), the packet is blocked. With conventional access-list filtering alone, this packet would be allowed, because only the Layer 3 and Layer 4 information in the packet is checked.

Figure 6-4. Application Layer Intelligence


Armed with this application intelligence, the Security Appliance protects against several types of network attacks that pass malicious traffic by embedding it in well-known application protocols.

Application inspection is enabled by default for most standard well-known protocols on their specific TCP or UDP port numbers. See Table 6-2 for a complete list of supported protocols and the standards compliance each one enforces. The Security Appliance can be tuned so that the inspection engine listens on nonstandard ports. For example, the HTTP port can be changed from the standard TCP/80 to a nonstandard TCP/8080 port. Some protocols cannot be changed; Table 6-2 identifies which protocols can be modified to inspect nonstandard ports. The Modular Policy Framework (MPF) command-line interface (CLI) is used to change the default settings of any application-layer inspection (discussed further in this chapter). The MPF is similar to the Cisco IOS Software technique called Modular QoS CLI (MQC).

Table 6-2. Application Inspection Engines

| Application | PAT? | NAT (1-1)? | Ports Can Be Modified to Nonstandard? | Default Port | Standards Compliance |
|---|---|---|---|---|---|
| CTIQBE | Yes | Yes | Yes | TCP/2748 | |
| DNS | Yes | Yes | No | UDP/53 | RFC 1123 |
| FTP | Yes | Yes | Yes | TCP/21 | RFC 959 |
| GTP | Yes | Yes | Yes | UDP/3386, UDP/2123 | |
| H.323 | Yes | Yes | Yes | TCP/1720, UDP/1718, UDP (RAS) 1718-1719 | ITU-T H.323, H.245, H225.0, Q.931, Q.932 |
| HTTP | Yes | Yes | Yes | TCP/80 | RFC 2616 |
| ICMP | Yes | Yes | No | | |
| ICMP ERROR | Yes | Yes | No | | |
| ILS (LDAP) | Yes | Yes | Yes | | |
| MGCP | Yes | Yes | Yes | 2427, 2727 | RFC 2705bis-05 |
| NBDS / UDP | Yes | Yes | No | UDP/138 | |
| NBNS / UDP | No | No | No | UDP/137 | |
| NetBIOS over IP | No | No | No | | |
| PPTP | Yes | Yes | Yes | 1723 | RFC 2637 |
| RSH | Yes | Yes | Yes | TCP/514 | Berkeley UNIX |
| RTSP | No | No | Yes | TCP/554 | RFC 2326, RFC 2327, RFC 1889 |
| SIP | Yes | Yes | Yes | TCP/5060, UDP/5060 | RFC 2543 |
| SKINNY (SCCP) | Yes | Yes | Yes | TCP/2000 | |
| SMTP/ESMTP | Yes | Yes | Yes | TCP/25 | RFC 821, 1123 |
| SQL*Net | Yes | Yes | Yes | TCP/1521 (v.1) | |
| Sun RPC | No | Yes | No | UDP/111, TCP/111 | |
| XDCMP | No | No | No | UDP/177 | |
The information in Table 6-2 is taken from "Cisco Security Appliance Command Line Configuration Guide, Version 7.0" at http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html#wp1250375.
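The following configuration fragment is an added illustration (not from the book or the Cisco guide) of the TCP/8080 case described above: an extended access list alone admits any TCP/8080 payload, so the MPF is used to bind the HTTP inspection engine to that nonstandard port. The class-map and policy-map names, the documentation address 192.0.2.10 and the interface name are constructed for the example; global_policy is the appliance's default policy map.

```text
! Layer 3/4 filtering only: permits TCP/8080 to the web server regardless of
! whether the payload is RFC 2616-compliant HTTP (constructed example)
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 8080
access-group OUTSIDE_IN in interface outside
!
! MPF step 1: classify traffic destined to the nonstandard port TCP/8080
class-map HTTP-8080
 match port tcp eq 8080
!
! MPF step 2: attach the HTTP inspection engine to that class in the default
! global policy (the default inspection_default class already covers TCP/80)
policy-map global_policy
 class HTTP-8080
  inspect http
!
! global_policy is applied to all interfaces by default; shown for completeness
service-policy global_policy global
!
! Verify that the HTTP engine is now inspecting the TCP/8080 class
show service-policy inspect http
```

The show output lists the HTTP inspection counters per class; a TCP/8080 class with increasing packet counts confirms that Layer 7 checks, not just the access list, are applied to that port.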

