NOTE Cisco IP Phones need to reregister with the Cisco CallManager to establish calls
through the Security Appliance if the clear xlate command is entered. This is because the
xlates for the Cisco CallManager are permanently deleted.

Application Inspection

Hackers use several methods to disrupt network services, and denial of service (DoS) is
among the most common. The Cisco Security Appliance provides attack mitigation features
that help defend against the following classes of attack:
■ File Transfer Protocol (FTP) attacks
■ Hypertext Transfer Protocol (HTTP) attacks
■ Domain Name System (DNS) attacks
■ Simple Mail Transfer Protocol (SMTP)–based attacks
■ Internet Control Message Protocol (ICMP) flooding and spoofing attacks
■ Remote shell (rsh) connection hijacking
■ SQL*Net connection hijacking and attacks
The Security Appliance supports application inspection through the Adaptive Security
Algorithm (ASA). Using stateful inspection, the Security Appliance tracks each connection
traversing the firewall, verifies that it is valid, and records the state of the connection in a
state table. Filtering decisions are then based on administrator-defined rules together with
the context established by packets that previously passed through the firewall. Some
applications require handling that goes beyond plain stateful inspection: they embed IP
address and port information in the user data portion of the packet, or they require a second
communications channel to be opened dynamically (the FTP data connection, for example).
Protocol-specific inspect commands provide that additional handling. Application inspection
and the inspect command also work with NAT enabled: the inspection engine locates the
embedded addressing information, rewrites it to match the translation, and opens the
pinhole needed for the secondary channel.
By default, inspection is enabled for a standard set of protocols. Through the
inspection_default class map, the Security Appliance inspects the following protocols
by default:
■ ctiqbe
■ dns
■ ftp
■ gtp
■ h323-h225
■ h323-ras
■ http
■ icmp
■ ils
■ mgcp
■ netbios
■ rpc
■ rsh
■ rtsp
■ sip
■ skinny
■ smtp
■ sqlnet
■ tftp
■ xdmcp
The inspection_default class map is referenced by the global_policy policy map, which
is applied to every interface with the service-policy global_policy global command. The
class map matches with match default-inspection-traffic, which selects each inspected
protocol only on its standard port (TCP port 80 for HTTP, for example). At times a common
application must run over a nonstandard port, either because a specialized application
requires it or to hide the service from casual scanning (a port scan will still find it). To have
the inspect command monitor a different port, you must create a class map that matches
that traffic, as shown in Example 19-4, assign the class map to a policy map, and configure
the appropriate inspect command under that class. Note that unless you remove HTTP
inspection from the inspection_default class, inspect http continues to inspect port 80
traffic in addition to the new port assigned in Example 19-4.
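The following configuration is added here as an illustration and is not the book's Example 19-4. It shows the default inspection class next to an added class that extends HTTP inspection to a nonstandard port. The class-map name HTTP_8080, the port number 8080, and the abbreviated list of inspect lines under inspection_default are assumptions for this example.

```cisco
! Default inspection class: match default-inspection-traffic selects each
! inspected protocol only on its standard port (TCP 80 for HTTP, TCP 21 for FTP, ...)
class-map inspection_default
 match default-inspection-traffic
!
! Added class for HTTP served on a nonstandard port.
! The name HTTP_8080 and the port are assumptions for this example.
class-map HTTP_8080
 match port tcp eq 8080
!
policy-map global_policy
 class inspection_default
  inspect http
  inspect ftp
  inspect dns
  ! ...remaining default inspect lines left unchanged...
  ! To stop inspecting HTTP on port 80, enter "no inspect http" here.
 class HTTP_8080
  inspect http
!
! The global policy is applied to every interface.
service-policy global_policy global
!
! Verification: both classes should list HTTP inspection with packet counters,
! for example with "show service-policy global inspect http".
```

Because the policy map is evaluated top to bottom and the added class matches only port 8080, the two classes do not overlap; port 80 stays with inspection_default and port 8080 is picked up by HTTP_8080.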