HTTP Analysis Engine
The HTTP analysis engine in the IOS Firewall has been enhanced with the addition of Advanced Application Inspection
and Control. For HTTP port 80 web traffic passing through conventional firewalls, there is a possibility that non-HTTP
traffic can be embedded or tunneled in the HTTP traffic (for example, Instant Messaging (IM) or any malicious traffic),
thereby bypassing the firewall. Using this embedding technique, malformed packets can be crafted to carry viruses, worms,
Trojans, or any other malicious activity. With deep packet inspection, IOS Firewall inspects the data streams to ensure that
traffic that is claimed to be HTTP is legitimate web browsing and not IM or illegitimate traffic that is trying to gain
unauthorized access through the firewall.
As shown in Figure 5-5, the HTTP Analysis Engine gives the IOS Firewall engine more granular control and the intelligence to
block non-HTTP traffic by checking its legitimacy and conformance to standards. The HTTP analysis performs packet
inspection to detect whether any applications are being tunneled through port 80.
Figure 5-5. HTTP Analysis Engine with Advanced Application Inspection
Packets not conforming to the standards in the HTTP protocol are dropped. A reset message is sent out, and a SYSLOG message
is generated accordingly.
This feature was introduced in IOS Version 12.3(14)T.
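The conformance check described above can be sketched as follows. This is an added example, not Cisco's implementation and not code from the original text; the function name `inspect_port80`, the allowed-method list, the verdict format, and the sample payloads are all assumptions made for illustration.

```python
import re

# Simplified grammar from the HTTP/1.1 message syntax (RFC 9112): token, request line, header field.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"(" + TOKEN + rb") [\x21-\x7e]+ HTTP/\d\.\d")
HEADER_LINE = re.compile(TOKEN + rb":[ \t]*[^\r\n\x00]*")
# Methods this sketch accepts (an assumption); a real policy would make the list configurable.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}

def _violation(reason):
    # Mirrors the behaviour described in the text: drop, send a reset, raise a syslog message.
    # The message text is constructed for this example and is not the IOS syslog format.
    return {"action": "drop", "reset": True, "syslog": "HTTP protocol violation: " + reason}

def inspect_port80(payload):
    """Classify the client's first bytes on a port-80 flow.

    Assumes the whole header block has already been reassembled into one buffer.
    """
    head, terminator, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.fullmatch(lines[0])
    if match is None:
        return _violation("first line is not an HTTP request line")
    if match.group(1) not in ALLOWED_METHODS:
        return _violation("method not allowed: " + match.group(1).decode("ascii"))
    if not terminator:
        return _violation("header block not terminated")
    for line in lines[1:]:
        if HEADER_LINE.fullmatch(line) is None:
            return _violation("malformed header line")
    return {"action": "allow", "reset": False, "syslog": None}

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n",
    "ssh_banner": b"SSH-2.0-ExampleServer\r\n",
    "tls_hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "binary_in_headers": b"GET / HTTP/1.1\r\nHost: example.com\r\n\x00\x01\x02payload\r\n\r\n",
    "custom_method": b"XMSG /chat HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_port80(data))
```

Only the first sample is allowed; the other four are dropped with a reset and a log message, each for a different conformance failure.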
Note
For a configuration template, visit
www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455927.html#wp1027188