Figure 19-6 ASDM IPS Add Service Policy Rule Window
PIX Firewall version 6.3 and later supports application inspection of the major protocols and
applications that provide VoIP services, including the following:
■ CTIQBE
■ H.323
■ MGCP
■ SCCP
■ SIP
The Cisco Security Appliance ships with preconfigured application inspection engines (enabled
with the inspect commands in its default global policy) that help it mitigate many known
protocol-level attacks:
■ FTP Inspection—Protects the inside systems from hijacked connections and allows
dynamic port assignments when using FTP passive transfer mode. Attaching an FTP map
gives greater control over what can be done through the inspected FTP session by denying
specific FTP request commands.
■ HTTP Inspection—Protects the inside systems from HTTP messages that fail to meet the
RFC 2616 standard. Additionally, with the use of an HTTP map, HTTP inspection can
restrict the HTTP request methods that are allowed through the connection.
HTTP inspection can also detect port misuse, such as peer-to-peer applications and
instant messaging traffic carried over the HTTP port.
■ rsh Inspection—Protects the inside systems from hijacked rsh connections and allows
for dynamic port assignments for the standard error channel.
■ DNS Inspection—The connection for a DNS query is torn down as soon as the first reply
to that query is received; any further responses to the same query are dropped, averting
DNS response flooding and spoofing attacks. Replies are matched to the outstanding query
by the DNS transaction ID.
■ Mail Inspection—The inspect esmtp command enables the Mail Guard feature, which
restricts mail servers to receiving only the seven commands defined in RFC 821 section
4.5.1 (HELO, MAIL, RCPT, DATA, RSET, NOOP, and QUIT) plus eight ESMTP extension
commands (AUTH, EHLO, ETRN, HELP, SAML, SEND, SOML, and VRFY). All other
commands are rejected.

■ ICMP Inspection—Gives ICMP traffic a stateful session so that it can be inspected like
TCP and UDP: only one reply is permitted for each request, the reply's ICMP identifier
and sequence number must match the request, and unsolicited or modified ICMP packets,
such as those used to flood the inside network in a DoS attack, are dropped.
■ SQL*Net Inspection—Protects the inside systems from hijacked SQL*Net connections
and allows for dynamic port assignments for the reassigned communications channel.
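As an added example (not taken from the book or from Cisco's own sample configurations), the following PIX/ASA 7.0 configuration enables the inspection engines listed above, including the VoIP protocols from the earlier list, and attaches an FTP map and an HTTP map to the FTP and HTTP inspections. The map names FTP_RESTRICT and HTTP_STRICT, and the particular FTP commands denied, are illustrative choices (assumptions); the ftp-map and http-map syntax is the 7.0 syntax, which 7.2 and later replace with policy-map type inspect maps.

```cisco
! FTP map: deny uploads and deletions through inspected FTP sessions.
! FTP_RESTRICT and the denied command set are illustrative (assumption).
ftp-map FTP_RESTRICT
  request-command deny put stou appe dele
!
! HTTP map: drop and log traffic that violates RFC 2616, port misuse by
! peer-to-peer and instant-messaging clients, and the CONNECT method.
! HTTP_STRICT is an illustrative name (assumption).
http-map HTTP_STRICT
  strict-http action drop log
  port-misuse p2p action drop log
  port-misuse im action drop log
  request-method rfc connect action drop log
!
! Match the default ports of the protocols the inspection engines understand.
class-map inspection_default
  match default-inspection-traffic
!
policy-map global_policy
  class inspection_default
    ! "strict" rejects FTP sessions that do not follow RFC 959 exactly;
    ! the map then filters commands inside compliant sessions.
    inspect ftp strict FTP_RESTRICT
    inspect http HTTP_STRICT
    ! Mail Guard: only the 7 RFC 821 commands plus 8 ESMTP extensions pass.
    inspect esmtp
    ! Tear down the DNS connection after the first reply; cap message size.
    inspect dns maximum-length 512
    ! Stateful ICMP: one matching reply per request, unsolicited ICMP dropped.
    inspect icmp
    inspect rsh
    inspect sqlnet
    ! VoIP engines from the list above (SCCP is "skinny" on the CLI).
    inspect ctiqbe
    inspect h323 h225
    inspect h323 ras
    inspect mgcp
    inspect sip
    inspect skinny
!
! Apply the policy on every interface.
service-policy global_policy global
```

After applying it, show service-policy reports per-inspection packet counters, which is the quickest way to confirm that traffic is actually being matched by inspection_default rather than passing through an ACL-only path.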
The Cisco Security Appliance also includes an intrusion prevention feature. The Security
Appliance supports both inbound and outbound auditing through the Advanced Inspection and
Prevention Security Services Module (AIP-SSM). The AIP-SSM can analyze traffic flows in
promiscuous mode (it receives a copy of each packet and cannot block it) or inline mode (the
packets pass through the module, which can drop them). The AIP-SSM can also be set to
fail-open (traffic continues to flow uninspected) or fail-closed (traffic is dropped) when the
module goes offline. Through the use of a service policy, the Security Appliance redirects the
matching traffic flows to the AIP-SSM for auditing by the IPS feature. When an attack is
detected, the AIP-SSM can send an alarm, drop the packet (inline mode only), or reset the
TCP connection.
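The service policy that performs the redirection, as an added example that is not the book's own configuration: the class and policy names IPS_TRAFFIC and IPS_POLICY, the choice of the outside interface, and the use of match any are illustrative assumptions. The commented-out line shows the weaker promiscuous/fail-open combination beside the inline/fail-close setting that actually enforces.

```cisco
! Select the traffic to hand to the AIP-SSM. "match any" sends every flow
! on the interface; a "match access-list" could narrow this (assumption:
! the class and policy names are illustrative).
class-map IPS_TRAFFIC
  match any
!
policy-map IPS_POLICY
  class IPS_TRAFFIC
    ! Weak choice: the module only sees a copy of the traffic, so it can
    ! alarm or send TCP resets but cannot drop packets, and when it goes
    ! offline the traffic keeps flowing uninspected.
    ! ips promiscuous fail-open
    !
    ! Hardened choice: inline lets the module drop attack packets, and
    ! fail-close stops traffic instead of bypassing inspection while the
    ! module is down. This trades availability for enforcement.
    ips inline fail-close
!
! Attach the policy to the outside interface. Only one service policy can
! be applied per interface, and only one global policy.
service-policy IPS_POLICY interface outside
```

Before relying on fail-close, check the module state with show module 1: an AIP-SSM that is still initializing or in an unresponsive state will take the interface down with it, so the fail-open/fail-close decision should be made with the expected module uptime and the maintenance procedure (session 1 to reach the sensor CLI) in mind.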