Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide (page 3-12)

Application Protocol Inspection Overview
– Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server. If a PASV reply command is sent from the client, the ACE denies the TCP connection. This denial prevents a security hole when the user executes "227 xxxxx a1, a2, a3, a4, p1, p2."
• Translates embedded IP addresses with NAT. FTP command inspection translates the IP address within the application payload. See RFC 959 for more details.
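The two FTP checks above (a 227 reply is only valid from the server, and the address embedded in the reply is rewritten through NAT) are easy to follow in a few lines of code. The following is an added Python example written for this page; it is not ACE code, and the `nat_map` lookup table and the line-by-line `inspect_ftp_control` interface are assumptions chosen to keep the example self-contained.

```python
import re
from typing import Dict, Optional, Tuple

# Shape of the RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The regex also tolerates missing parentheses and spaces after the commas,
# as in the "227 xxxxx a1, a2, a3, a4, p1, p2" form quoted in the text.
PASV_REPLY = re.compile(
    r"^227\b.*?\(?\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3})"
)


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return the (ip, port) embedded in a 227 reply, or None if the line is not one."""
    m = PASV_REPLY.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed octet; not a usable PASV reply
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_ftp_control(line: str, from_server: bool, nat_map: Dict[str, str]) -> Tuple[str, str]:
    """Inspect one FTP control-channel line and return (verdict, line_to_forward).

    - A 227 reply arriving from the client is denied (reply spoofing check).
    - A 227 reply from the server has its embedded address rewritten via nat_map,
      mirroring the NAT translation of addresses carried in the application payload.
    - Anything else is forwarded unchanged.
    """
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return "permit", line
    if not from_server:
        return "deny", ""  # only the server may send a PASV reply
    ip, port = parsed
    o = nat_map.get(ip, ip).split(".")  # assumed inside->outside address map
    rewritten = "227 Entering Passive Mode ({},{},{},{},{},{})\r\n".format(
        o[0], o[1], o[2], o[3], port // 256, port % 256
    )
    return "permit", rewritten


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    print(inspect_ftp_control("227 xxxxx 10, 1, 1, 5, 7, 209", from_server=False, nat_map={}))
    print(inspect_ftp_control("227 Entering Passive Mode (10,1,1,5,7,209)",
                              from_server=True, nat_map={"10.1.1.5": "203.0.113.7"}))
```

The port is reconstructed as p1 * 256 + p2 and split back the same way after the address has been translated, so the data connection the client opens lands on the NATed address rather than the server's private one.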
HTTP Deep Packet Inspection

The ACE performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a special case of application inspection where the ACE examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the main focus of the application inspection process is on HTTP attributes such as the HTTP header, the URL, and to a limited extent, the payload. User-defined regular expressions can also be used to detect "signatures" in the payload.

You define policies to permit or deny the traffic, or to send a TCP reset message to the client or server to close the connection.
The security features covered by HTTP application inspection are as follows:
• RFC compliance monitoring and RFC method filtering
• Content, URL, and HTTP header length checks
• Transfer-encoding methods
• Content type verification and filtering
• Port 80 misuse
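To make the list above concrete, the following added Python example runs one raw HTTP request through each of those checks (method filtering, URL and header length limits, content length, transfer-encoding and content-type filtering, a regex "signature" on the payload, and a basic port 80 misuse test that rejects bytes that are not an HTTP request line). It is illustration code written for this page, not ACE code; the limits, the allowed sets, and the violation codes it returns are constructed policy values, and the sample requests are constructed rather than captured.

```python
import re
from typing import Dict, List

# Constructed inspection policy; a real deployment would take these from configuration.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}                  # RFC method filtering
MAX_URL_LEN = 256                                          # URL length check
MAX_HEADER_LEN = 512                                       # per-header length check
MAX_CONTENT_LEN = 4096                                     # content length check
ALLOWED_CONTENT_TYPES = {"text/html", "application/json"}  # content type filtering
ALLOWED_TRANSFER_ENCODINGS = {"chunked", "identity"}       # transfer-encoding filtering
PAYLOAD_SIGNATURES = {                                     # user-defined regex "signatures"
    "script-tag-in-body": re.compile(rb"(?i)<script\b"),
}


def inspect_http_request(raw: bytes) -> List[str]:
    """Return the list of policy violations found in one raw HTTP request.

    An empty list means the request passes inspection. Each entry is a
    constructed violation code naming the check that failed.
    """
    violations: List[str] = []
    head, _sep, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return ["not-http"]  # port 80 misuse: bytes that cannot form an HTTP header
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return ["not-http"]  # RFC compliance: malformed or non-HTTP request line
    method, url, _version = request_line

    if method not in ALLOWED_METHODS:
        violations.append("method-not-allowed")
    if len(url) > MAX_URL_LEN:
        violations.append("url-too-long")

    headers: Dict[str, str] = {}
    for h in lines[1:]:
        if len(h) > MAX_HEADER_LEN:
            violations.append("header-too-long")
        name, colon, value = h.partition(":")
        if not colon or not name.strip():
            violations.append("malformed-header")  # RFC compliance
            continue
        headers[name.strip().lower()] = value.strip()

    ctype = headers.get("content-type")
    if ctype is not None and ctype.split(";")[0].strip().lower() not in ALLOWED_CONTENT_TYPES:
        violations.append("content-type-not-allowed")

    tenc = headers.get("transfer-encoding")
    if tenc is not None:
        for enc in tenc.split(","):
            if enc.strip().lower() not in ALLOWED_TRANSFER_ENCODINGS:
                violations.append("transfer-encoding-not-allowed")
                break

    if len(body) > MAX_CONTENT_LEN:
        violations.append("content-too-long")
    for code, sig in PAYLOAD_SIGNATURES.items():
        if sig.search(body):
            violations.append(code)
    return violations


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
BAD_REQUEST = (
    b"TRACE /cgi-bin/" + b"A" * 300 + b" HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Transfer-Encoding: gzip\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"body with a <script> tag"
)

if __name__ == "__main__":
    print(inspect_http_request(CLEAN_REQUEST))   # []
    print(inspect_http_request(BAD_REQUEST))     # several violation codes
```

Returning the full list of violations rather than stopping at the first one is deliberate: a policy that maps each code to permit, deny, or TCP reset, as the text describes, can then be applied per check.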
ICMP Inspection

Internet Control Message Protocol (ICMP) inspection allows ICMP traffic to have a "session" so that it can be inspected similarly to TCP and UDP traffic. If you do not use ICMP inspection, we recommend that you do not create an ACL that allows ICMP traffic to pass through the ACE. Without stateful inspection, ICMP can be used to attack your network. ICMP inspection ensures that there is only one response for each request, and that the sequence number is correct.
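The two guarantees named at the end of that paragraph (one reply per request, and the reply's sequence number must match) come down to keeping a table of outstanding echo requests. The following added Python example shows that state machine on constructed ICMP echo packets; it is not ACE code, the session key (requester, responder, identifier, sequence) is an assumption, and the choice to deny ICMP types other than echo request and echo reply is a constructed simplification rather than anything the guide states.

```python
import struct
from typing import List, Set, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def parse_icmp_echo(packet: bytes) -> Tuple[int, int, int, int]:
    """Unpack the 8-byte ICMP echo header into (type, code, identifier, sequence)."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build a constructed echo request/reply; the checksum is left zero since inspection ignores it."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


class IcmpInspector:
    """Track echo 'sessions' keyed by (requester, responder, identifier, sequence)."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, str, int, int]] = set()

    def inspect(self, src: str, dst: str, packet: bytes) -> str:
        """Return "permit" or "deny" for one ICMP packet seen travelling from src to dst."""
        icmp_type, _code, ident, seq = parse_icmp_echo(packet)
        if icmp_type == ICMP_ECHO_REQUEST:
            # A request opens a session; a repeat of an outstanding key just refreshes it.
            self.pending.add((src, dst, ident, seq))
            return "permit"
        if icmp_type == ICMP_ECHO_REPLY:
            key = (dst, src, ident, seq)  # the reply must travel back to the requester
            if key in self.pending:
                self.pending.discard(key)  # exactly one reply closes the session
                return "permit"
            return "deny"  # unsolicited, duplicate, or wrong-sequence reply
        return "deny"  # constructed policy: other ICMP types get no session here


def demo_verdicts() -> List[str]:
    """Walk a constructed echo exchange through the inspector and return the verdicts."""
    insp = IcmpInspector()
    req = build_icmp_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping")
    rep = build_icmp_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping")
    wrong_seq = build_icmp_echo(ICMP_ECHO_REPLY, 0x1234, 2, b"ping")
    return [
        insp.inspect("10.0.0.5", "192.0.2.1", req),        # request opens the session
        insp.inspect("192.0.2.1", "10.0.0.5", rep),        # matching reply: permitted
        insp.inspect("192.0.2.1", "10.0.0.5", rep),        # second reply to the same request: denied
        insp.inspect("192.0.2.1", "10.0.0.5", wrong_seq),  # sequence never requested: denied
    ]


if __name__ == "__main__":
    print(demo_verdicts())  # ['permit', 'permit', 'deny', 'deny']
```

Without this table, any host that can reach the inside would be free to push echo replies (or repeated replies) through an ACL that simply permits ICMP, which is the situation the paragraph warns against.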
Chapter 3 Configuring Application Protocol Inspection, OL-16202-01