Application Protocol Inspection Overview
FTP Inspection
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
3-10
Note: If you enter the inspect dns command without specifying the optional maximum-length keyword, the ACE does not check the DNS packet size.
• Performs a number of security checks as follows:
– Verifies that the maximum label length is no greater than 63 bytes
– Verifies that the maximum domain name length is no greater than 255 bytes
– Checks for the existence of compression loops
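The following is an added illustration, not code from the Cisco guide or the ACE itself: a small Python model of the three name checks listed above (63-byte label limit, 255-byte name limit, compression-loop detection) plus the optional packet-size limit, run over constructed DNS query messages. The function names, the sample messages and the reason strings are assumptions for this example.

```python
import struct

MAX_LABEL, MAX_NAME = 63, 255  # limits the DNS inspection described above enforces

def walk_name(msg, offset):
    """Walk one name; return (ok, reason, end) with end = first byte after the name in the message."""
    visited, name_len, end = set(), 0, None
    while True:
        if offset in visited:  # revisiting an offset means the pointers form a loop
            return False, "compression loop", end
        visited.add(offset)
        if offset >= len(msg):
            return False, "truncated name", end
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer (RFC 1035 section 4.1.4)
            if offset + 1 >= len(msg):
                return False, "truncated pointer", end
            end = offset + 2 if end is None else end
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length > MAX_LABEL:
            return False, "label longer than 63 bytes", end
        name_len += 1 + length  # count the length octet plus the label itself
        if name_len > MAX_NAME:
            return False, "name longer than 255 bytes", end
        if length == 0:  # root label ends the name
            return True, "ok", offset + 1 if end is None else end
        offset += 1 + length

def inspect_dns(msg, max_length=None):
    """Optional packet-size check (like maximum-length), then the name checks on every question name."""
    if max_length is not None and len(msg) > max_length:
        return False, "packet exceeds maximum-length"
    if len(msg) < 12:
        return False, "truncated header"
    qdcount = struct.unpack("!H", msg[4:6])[0]
    offset = 12
    for _ in range(qdcount):
        ok, reason, offset = walk_name(msg, offset)
        if not ok:
            return False, reason
        offset += 4  # skip QTYPE and QCLASS
    return True, "ok"

# Constructed sample messages: id 0x1234, standard query, one question, no other records.
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
GOOD = HEADER + b"\x07example\x03com\x00\x00\x01\x00\x01"
LOOP = HEADER + b"\x07example\xc0\x0c\x00\x01\x00\x01"  # pointer back to offset 12: a loop
LONG = HEADER + b"\x40" + b"a" * 64 + b"\x00\x00\x01\x00\x01"  # 64-byte label
```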
A single connection is created for multiple DNS sessions if the DNS sessions are between the same two hosts and the sessions have the same 5-tuple (source and destination IP address, source and destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the ACE within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This reset action is due to the shared DNS connection.
FTP inspection inspects FTP sessions for address translation in a message, dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP command must be acknowledged before the ACE allows a new command. Command filtering allows you to restrict specific commands by the ACE. When the ACE denies a command, it closes the connection.
The ACE performs the FTP command inspection process as follows:
• Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated through the PORT or PASV commands.
Chapter 3 Configuring Application Protocol Inspection, OL-16202-01