HTTP Inspection

Example 19-5 Configuring FTP Request Command Inspection
PIXfirewall(config)# ftp-map in_ftp1
PIXfirewall(config-ftp-map)# request-cmd deny dele rnfr rnto appe put rmd
PIXfirewall(config-ftp-map)# exit
PIXfirewall(config)# class-map ftp_port
PIXfirewall(config-cmap)# match port 1024
PIXfirewall(config-cmap)# exit
PIXfirewall(config)# policy-map inbound
PIXfirewall(config-pmap)# class ftp_port
PIXfirewall(config-pmap-c)# inspect ftp strict in_ftp1
PIXfirewall(config-pmap-c)# exit
PIXfirewall(config-pmap)# exit

HTTP Inspection
Many known exploits have used HTTP as the transport. Many of these exploits relied on
embedded applications or scripting languages, such as Java or ActiveX, to take control of a
user’s system. Additionally, exploits have been known to take advantage of web browsers or
computers that do not fully comply with RFC 2616 standards. With HTTP inspections, the
Security Appliance can help control these exploits by filtering out specific attacks and threats
that are known to be associated with HTTP traffic flows. HTTP inspection is enabled by default
through the inspection_default class-map. HTTP inspections can perform the following
services through the inspect http command:
■ URL screening through N2H2 or Websense.
■ Java and ActiveX filtering.
■ HTTP inspection—Check whether an HTTP message is compliant with the RFC.
■ Enhanced HTTP inspection—Verify that HTTP messages conform to RFC 2616, use
RFC-defined methods or supported extension methods, and comply with various other
configurable message criteria.
To use the enhanced HTTP inspection features, you must use an http-map command, similar
to the ftp-map command for FTP request command filters. The http-map command supports
several options to control HTTP traffic flow. You can verify that the HTTP traffic flow
conforms to the RFC 2616 standard, uses RFC-defined methods of access, or uses supported
extension methods by using the request-method command in the http-map configuration
mode:
request-method { ext ext_methods | rfc rfc_methods } action { allow | drop | reset } [log]
Table 19-3 describes the request-method command options and arguments.
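
The following is an added example, not taken from the book: an http-map that uses request-method to restrict HTTP methods, applied through the same class-map and policy-map pattern as Example 19-5. The names inbound_http, http_port and inbound, the choice of methods and actions, TCP port 80, and the outside interface are all assumptions made for illustration.

```cisco
! Constructed example: map/class/policy names, methods, port and interface are assumptions.
! Reset and log RFC-defined methods that modify content on the server.
PIXfirewall(config)# http-map inbound_http
PIXfirewall(config-http-map)# request-method rfc put action reset log
PIXfirewall(config-http-map)# request-method rfc delete action reset log
! Drop and log TRACE requests.
PIXfirewall(config-http-map)# request-method rfc trace action drop log
PIXfirewall(config-http-map)# exit
! Classify the HTTP traffic that the map is applied to.
PIXfirewall(config)# class-map http_port
PIXfirewall(config-cmap)# match port tcp eq 80
PIXfirewall(config-cmap)# exit
! Bind the http-map to the class with inspect http.
PIXfirewall(config)# policy-map inbound
PIXfirewall(config-pmap)# class http_port
PIXfirewall(config-pmap-c)# inspect http inbound_http
PIXfirewall(config-pmap-c)# exit
PIXfirewall(config-pmap)# exit
! Activate the policy on the interface facing untrusted clients.
PIXfirewall(config)# service-policy inbound interface outside
```

Because each request-method line carries the log keyword, every reset or dropped request produces a log entry that can be reviewed for blocked method attempts.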