Configuring http-map Inspection
PIXfirewall(config)# http-map http_office
PIXfirewall(config-http-map)# request-method rfc post action reset log
PIXfirewall(config-http-map)# request-method rfc put action reset log
PIXfirewall(config-http-map)# port-misuse p2p action reset log
PIXfirewall(config-http-map)# exit
PIXfirewall(config)# policy-map inbound
PIXfirewall(config-pmap)# class inbound_http_traffic
PIXfirewall(config-pmap-c)# inspect http http_office
PIXfirewall(config-pmap-c)# exit
PIXfirewall(config-pmap)# exit
In Example 19-6, port 80 traffic matched by the class inbound_http_traffic is inspected by the http-map http_office. Each request-method command names an HTTP method (here the RFC 2616 methods POST and PUT) and the action to take when a request uses it: the reset action tears down the TCP connection, and the trailing log keyword records a syslog message. The port-misuse p2p line applies the same treatment to peer-to-peer traffic tunneled over port 80. The other actions available for every http-map command are allow and drop; log can be appended to any of them.
To inspect the content length of an HTTP message, you must use the content-length
command in http-map configuration mode. You can set a minimum and/or maximum length
for the HTTP message body (the value carried in the Content-Length header) and assign the
action to take when a message falls outside those bounds:
content-length {min bytes [max bytes] | max bytes} action {allow | reset | drop} [log]
The content-type-verification command checks that the Content-Type header of an HTTP
message is one the inspection engine recognizes; with the optional match-req-rsp keyword it
also verifies that the Content-Type of a response matches the Accept field of the corresponding
HTTP request:
content-type-verification [match-req-rsp] action {allow | reset | drop} [log]
Several exploits against popular web servers have abused oversized HTTP headers. You can
limit the HTTP header size with the max-header-length command in http-map configuration
mode, separately for requests and responses. Messages whose header is within the limit pass
through the Security Appliance unchanged; messages that exceed it receive the configured
action. The maximum configurable header size is 65,535 bytes:
max-header-length {request bytes [response bytes] | response bytes} action {allow | reset | drop} [log]
In addition to limiting the length of HTTP message headers, you can limit the length of
the Uniform Resource Identifier (URI) in a request. Using the max-uri-length command in
http-map configuration mode, you can set a maximum of up to 65,535 bytes:
max-uri-length bytes action {allow | reset | drop} [log]
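The following is an added example, not part of Example 19-6 or of any Cisco documentation, that assembles the commands discussed above into one http-map and applies it to an interface. The byte limits, the interface name outside, and the map and class names are assumptions chosen for illustration; tune the limits to the applications behind the firewall before using reset on production traffic.

```cisco
! Added example: a complete http-map using the length, content-type and method checks
PIXfirewall(config)# http-map http_strict
! Message body larger than 1 MB (assumed limit) is reset and logged
PIXfirewall(config-http-map)# content-length max 1048576 action reset log
! Unknown Content-Type, or a response type not matching the request's Accept field
PIXfirewall(config-http-map)# content-type-verification match-req-rsp action reset log
! Request headers over 4096 bytes and response headers over 8192 bytes (assumed limits)
PIXfirewall(config-http-map)# max-header-length request 4096 response 8192 action reset log
! URIs longer than 2048 bytes (assumed limit)
PIXfirewall(config-http-map)# max-uri-length 2048 action reset log
! Block the RFC methods that modify server state, and every non-RFC extension method
PIXfirewall(config-http-map)# request-method rfc put action reset log
PIXfirewall(config-http-map)# request-method rfc delete action reset log
PIXfirewall(config-http-map)# request-method ext default action reset log
! Reset any recognized non-HTTP protocol tunneled over port 80
PIXfirewall(config-http-map)# port-misuse default action reset log
PIXfirewall(config-http-map)# exit
! Class selecting port 80 traffic, then the policy that ties the map to it
PIXfirewall(config)# class-map inbound_http_traffic
PIXfirewall(config-cmap)# match port tcp eq www
PIXfirewall(config-cmap)# exit
PIXfirewall(config)# policy-map inbound
PIXfirewall(config-pmap)# class inbound_http_traffic
PIXfirewall(config-pmap-c)# inspect http http_strict
PIXfirewall(config-pmap-c)# exit
PIXfirewall(config-pmap)# exit
! Nothing is inspected until the policy is bound to an interface (name assumed)
PIXfirewall(config)# service-policy inbound interface outside
```

Two caveats: the class above matches only TCP port 80, so HTTP on a non-standard port needs its own match line, and request-method ext default with action reset will break any WebDAV or other extension-method client, which is why each line carries log so that unexpected resets show up in syslog.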