Application Layer Protocol Inspection
In addition to the stateful inspection discussed previously, the Adaptive Security Algorithm is augmented with powerful capabilities and is built with application-layer intelligence that assists in detecting and preventing protocol and application-layer attacks. It performs deep packet inspection of application-layer protocol traffic (such as HTTP) by checking both the packet IP header and the payload contents. Conventional firewalls maintain session information only up to Layer 4, whereas the Security Appliance adds another layer of security by extending its inspection into the data payload at Layer 7.
With application-layer awareness, the Security Appliance performs deep packet inspection of the data payload for any malicious activity. As shown in Figure 6-4, when the Security Appliance receives a packet belonging to a well-known application protocol (such as HTTP), it further examines the packet for the corresponding application operation, checking for adherence to RFC standards and for compliant operations, to ensure there is no malicious intent. If the packet is crafted maliciously with unauthorized, nonstandard actions and is found to be performing noncompliant operations (illegal commands), the packet is blocked. With conventional access-list filtering, this packet would be allowed, because only the Layer 3 and Layer 4 information in the packet would be checked.
Figure 6-4. Application Layer Intelligence
The Security Appliance, armed with application intelligence, provides protection from several types of network attacks that use embedding techniques to pass malicious traffic encapsulated in well-known application protocols.
Application inspection is enabled by default for most common well-known protocols on their specific TCP or UDP port numbers. See Table 6-2 for a complete list of supported protocols, with their corresponding standards compliance enforcement. The Security Appliance can be tuned to tell the inspection engine to listen on nonstandard ports. For example, the HTTP port can be changed from the standard TCP/80 to a nonstandard TCP/8080 port. Some protocols cannot be changed; Table 6-2 identifies which protocols can be modified to inspect on nonstandard ports. The Modular Policy Framework (MPF) command-line interface (CLI) is used to change the default settings of application inspection for any application layer inspection engine (discussed further in this chapter). The MPF is similar to the Cisco IOS Software technique called Modular QoS CLI (MQC).
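The HTTP-on-TCP/8080 case described above, worked through as an added MPF configuration. This is example configuration written for this section, not text from the Cisco guide cited under Table 6-2; the class-map name HTTP_8080 is assumed, while global_policy is the policy-map name present in the default ASA 7.0 configuration.

```text
! Added example: make the HTTP inspection engine listen on nonstandard TCP/8080.
! Assumed name: HTTP_8080. Default inspection on TCP/80 stays in place via the
! existing inspection_default class; this class is added alongside it.
!
! 1. Classify the traffic the inspection engine should examine.
class-map HTTP_8080
 match port tcp eq 8080
!
! 2. Bind the HTTP inspection engine to that class inside the global policy-map.
policy-map global_policy
 class HTTP_8080
  inspect http
!
! 3. Apply the policy to all interfaces (the default configuration already
!    does this; re-entering it is harmless).
service-policy global_policy global
!
! 4. Verify the engine is active and counting packets on the new class.
show service-policy inspect http
```

Without step 2, traffic on TCP/8080 is still permitted or denied by the access lists, but only its Layer 3 and Layer 4 headers are examined, so the RFC 2616 compliance checks listed in Table 6-2 are never applied to it.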
Table 6-2. Application Inspection Engines

| Application | PAT? | NAT (1-1)? | Ports Can Be Modified to Nonstandard? | Default Port | Standards Compliance |
|---|---|---|---|---|---|
| CTIQBE | Yes | Yes | Yes | TCP/2748 | — |
| DNS | Yes | Yes | No | UDP/53 | RFC 1123 |
| FTP | Yes | Yes | Yes | TCP/21 | RFC 959 |
| GTP | Yes | Yes | Yes | UDP/3386, UDP/2123 | — |
| H.323 | Yes | Yes | Yes | TCP/1720, UDP/1718, UDP (RAS) 1718-1719 | ITU-T H.323, H.245, H225.0, Q.931, Q.932 |
| HTTP | Yes | Yes | Yes | TCP/80 | RFC 2616 |
| ICMP | Yes | Yes | No | — | — |
| ICMP ERROR | Yes | Yes | No | — | — |
| ILS (LDAP) | Yes | Yes | Yes | — | — |
| MGCP | Yes | Yes | Yes | 2427, 2727 | RFC 2705bis-05 |
| NBDS / UDP | Yes | Yes | No | UDP/138 | — |
| NBNS / UDP | No | No | No | UDP/137 | — |
| NetBIOS over IP | No | No | No | — | — |
| PPTP | Yes | Yes | Yes | 1723 | RFC 2637 |
| RSH | Yes | Yes | Yes | TCP/514 | Berkeley UNIX |
| RTSP | No | No | Yes | TCP/554 | RFC 2326, RFC 2327, RFC 1889 |
| SIP | Yes | Yes | Yes | TCP/5060, UDP/5060 | RFC 2543 |
| SKINNY (SCCP) | Yes | Yes | Yes | TCP/2000 | — |
| SMTP/ESMTP | Yes | Yes | Yes | TCP/25 | RFC 821, 1123 |
| SQL*Net | Yes | Yes | Yes | TCP/1521 (v.1) | — |
| Sun RPC | No | Yes | No | UDP/111, TCP/111 | — |
| XDCMP | No | No | No | UDP/177 | — |
The information in Table 6-2 is taken from "Cisco Security Appliance Command Line Configuration Guide, Version 7.0" at http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html#wp1250375.