




© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0 10-1

Advanced Protocol Handling

Need for Advanced Protocol Handling

Some popular protocols or applications behave as follows:
- They negotiate connections to dynamically assigned source and destination ports and IP addresses.
- They embed source and destination port and IP address information above the network layer.

A good security appliance has to inspect packets above the network layer and do the following, as required by the protocol or application:
- Securely open and close negotiated ports and IP addresses for legitimate client-server connections through the security appliance
- Use NAT-relevant instances of IP addresses inside a packet
- Use PAT-relevant instances of ports inside a packet
- Inspect packets for signs of malicious application misuse

inspect Command

[Figure: active-mode FTP with and without FTP protocol inspection. The client connects from control port 2008 to server control port 21 and announces data port 2010 ("Port 2010" / "Port 2010 OK"); the server then opens the data connection from its port 20 to client port 2010.]
- No FTP protocol inspection: the control connection TCP S/21 -> C/2008 is allowed, but the server-initiated data connection TCP S/20 -> ? is blocked. There is no return port for data.
- FTP protocol inspection: TCP S/21 -> C/2008 and TCP S/20 -> C/2010 are both allowed. The security appliance reads the negotiated port from the control channel and opens the return port for data.

Default Traffic Inspection and Port Numbers

    fw1(config)# class-map inspection_default
    fw1(config-cmap)# match ?
    default-inspection-traffic  Match default inspection traffic:
      ctiqbe-tcp-2748       dns-udp-53            ftp-tcp-21
      gtp-udp-2123,3386     h323-h225-tcp-1720    h323-ras-udp-1718-1719
      http-tcp-80           icmp-icmp             ils-tcp-389
      mgcp-udp-2427,2727    netbios-udp-137-138   rpc-udp-111
      rsh-tcp-514           rtsp-tcp-554          sip-tcp-5060
      sip-udp-5060          skinny-tcp-2000       smtp-tcp-25
      sqlnet-tcp-1521       tftp-udp-69           xdmcp-udp-177

Default Protocol Inspection Policy

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect sunrpc
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect tftp
      inspect xdmcp
    !
    service-policy global_policy global

The three building blocks are the class map (identifies the traffic flow), the policy map (attaches inspect actions to the class), and the service policy (applies the policy map to an interface or globally).

Delete Inspection for a Protocol

Disables CTIQBE protocol inspection:

    fw1(config)# policy-map global_policy
    fw1(config-pmap)# class inspection_default
    fw1(config-pmap-c)# no inspect ctiqbe
    fw1(config-pmap-c)# exit
    fw1(config-pmap)# exit

Add a Protocol Inspection Port Number

Adds HTTP protocol inspection on port 8080 to the default policy map:
- Defines a class map to match the traffic flow identified by a port number, for example 8080
- Uses the policy map to associate that traffic flow (port 8080) with a protocol inspection (inspect http)

    fw1(config)# class-map 8080_inspect_traffic
    fw1(config-cmap)# match port tcp eq 8080
    fw1(config-cmap)# exit
    fw1(config)# policy-map global_policy
    fw1(config-pmap)# class 8080_inspect_traffic
    fw1(config-pmap-c)# inspect http
    fw1(config-pmap-c)# exit
    fw1(config-pmap)# exit
FTP Application Inspection

FTP Inspection

FTP uses two channels:
- Command connection (TCP)
- Data connection (TCP)

FTP inspection provides:
- Address translation in the message
- Dynamic creation of openings for FTP data connections
- Stateful tracking of request and response messages
- (Optional) FTP strict, which prevents web browsers from sending embedded commands in FTP requests

FTP deep packet inspection:
- Is added to the strict inspection functionality
- Enables command filtering

[Figure: without inspection the control channel passes, but the data connection is dropped: no return port for data.]

Active Mode FTP Inspection

Active mode FTP uses two channels:
- Client-initiated command connection (TCP)
- Server-initiated data connection (TCP)

For outbound connections, the security appliance handles active mode FTP by opening a temporary inbound channel for the data.
For inbound connections, if an FTP ACL exists, the security appliance handles active mode FTP as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens a temporary outbound connection for the data.

[Figure: in both the outbound and the inbound case the client connects from control port 2008 to server control port 21 and announces "Data Port 2010"; the server answers "Port 2010 OK" and opens the data connection from its port 20 to client port 2010.]

Passive Mode FTP Inspection

Passive FTP (PFTP) uses two channels:
- Client-initiated command connection (TCP)
- Client-initiated data connection (TCP)

For outbound connections, the security appliance handles PFTP as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens an outbound port for the data channel.
For inbound connections, if an FTP ACL exists, the security appliance opens an inbound port for the data channel.

[Figure: the client connects from control port 2008 to server control port 21; the server answers "Passive OK, Port 1490"; the client then opens the data connection from its port 2010 to server data port 1490 (outbound PFTP and inbound PFTP shown).]

Filtering Commands with FTP Deep Packet Inspection
- Blocks specific commands within FTP requests
- Closes the connection when an FTP command is filtered
- Is defined with the ftp-map command

Configuring FTP Deep Packet Inspection

Four-step process:
- ftp-map: Defines which FTP request commands to filter
- class-map: Identifies a traffic flow
- policy-map: Associates FTP command filtering (ftp-map) with a traffic flow (class-map)
- service-policy: Applies the policy to an interface, or globally

request-command deny Command

    fw1(config-ftp-map)#
    request-command deny {appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou}

- ftp-map defines the FTP map name
- request-command deny identifies the denied FTP request commands

    fw1(config)# ftp-map inbound_ftp
    fw1(config-ftp-map)# request-command deny dele rnfr rnto appe put rmd

Example: FTP Inspection
- Define which FTP request commands to deny (FTP map)
- Identify the traffic flow (class map)
- Define the policy map: associate FTP command filtering (FTP map) with the traffic flow (class map)
- Apply the policy to an interface

    fw1(config)# ftp-map inbound_ftp
    fw1(config-ftp-map)# request-command deny dele rnfr rnto appe put rmd
    fw1(config)# access-list 101 permit tcp any host 1 eq ftp
    fw1(config)# class-map inbound_ftp_traffic
    fw1(config-cmap)# match access-list 101
    fw1(config-cmap)# exit
    fw1(config)# policy-map inbound
    fw1(config-pmap)# class inbound_ftp_traffic
    fw1(config-pmap-c)# inspect ftp strict inbound_ftp
    fw1(config-pmap-c)# exit
    fw1(config-pmap)# exit
    fw1(config)# service-policy inbound outside

Note that the FTP map is attached through inspect ftp strict: command filtering builds on strict inspection, so the strict checks (one command per request, no embedded commands) apply to the same traffic.
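The following is an added model of what the FTP inspection engine described above does on one control connection; it is example code written for this page, not Cisco's implementation. It reads PORT commands and 227 (passive) replies to decide which data-channel pinhole to open, rewrites the server address embedded in a 227 reply when the server is statically translated, enforces the strict rules (one CRLF-terminated command per segment, no embedded second command, each command answered before the next), and closes the connection on any command in the ftp-map's deny list. The addresses, the verdict names (allow/drop/reset), the choice to drop a premature command, and the refusal of a PORT that names a third host (an FTP bounce defence) are assumptions of this model rather than statements from the slides.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Commands the page's ftp-map denies: request-command deny dele rnfr rnto appe put rmd
DENIED_DEFAULT = frozenset({"dele", "rnfr", "rnto", "appe", "put", "rmd"})

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """A dynamically opened connection slot: which side may initiate, from where, to where."""
    initiator: str            # "server" (active mode, from port 20) or "client" (passive mode)
    src_ip: str
    src_port: Optional[int]   # None means any source port
    dst_ip: str
    dst_port: int


def decode_hostport(fields) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form carried by PORT and by the 227 reply."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpInspector:
    """Models the FTP inspection engine for one control connection (assumed behaviour)."""

    def __init__(self, client_ip, server_ip, server_xlate=None,
                 deny=DENIED_DEFAULT, strict=True):
        self.client_ip = client_ip
        self.server_ip = server_ip        # real (inside) address of the server
        self.server_xlate = server_xlate  # global (outside) address if the server is statically translated
        self.deny = deny
        self.strict = strict
        self.awaiting_reply = False

    def client_segment(self, data: bytes):
        """Inspect one client->server segment. Returns (verdict, pinhole); verdict is
        'allow', 'drop' (this segment only) or 'reset' (close the control connection)."""
        text = data.decode("latin-1")
        if self.strict:
            # strict: one CRLF-terminated command per segment and no embedded second command;
            # a new command before the previous one was answered is dropped (modelled choice)
            if not text.endswith("\r\n") or text.count("\r\n") != 1:
                return "reset", None
            if self.awaiting_reply:
                return "drop", None
        line = text.rstrip("\r\n")
        verb = line.split(" ", 1)[0].lower()
        if verb in self.deny:                  # deep packet inspection: a filtered command closes the connection
            return "reset", None
        pinhole = None
        m = PORT_RE.match(line)
        if m:
            try:
                ip, port = decode_hostport(m.groups())
            except ValueError:
                return "reset", None
            if self.strict and ip != self.client_ip:
                # assumption beyond the page: a PORT aimed at a third host (FTP bounce) is refused
                return "reset", None
            # active mode: the server will connect from port 20 to the announced client port
            pinhole = Pinhole("server", self.server_ip, 20, ip, port)
        self.awaiting_reply = True
        return "allow", pinhole

    def server_segment(self, data: bytes):
        """Inspect one server->client segment. Returns (bytes to forward, pinhole)."""
        text = data.decode("latin-1")
        self.awaiting_reply = False
        m = PASV_RE.match(text)
        if not m:
            return data, None
        try:
            ip, port = decode_hostport(m.groups())
        except ValueError:
            return b"", None                   # malformed 227: drop it rather than open a slot
        if self.server_xlate and ip == self.server_ip:
            # NAT-relevant address inside the packet: rewrite the real address to the global one
            text = text.replace(",".join(m.groups()), encode_hostport(self.server_xlate, port))
            ip = self.server_xlate
        # passive mode: the client will connect from any port to the announced server port
        return text.encode("latin-1"), Pinhole("client", self.client_ip, None, ip, port)
```

In this model an active-mode PORT 10,1,1,5,7,218 from client 10.1.1.5 yields a pinhole for the server to connect from port 20 to 10.1.1.5:2010, and a 227 reply naming the inside server 10.0.0.10 is rewritten to the global address before it is forwarded, which is the "address translation in the message" the slide lists.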
HTTP Application Inspection

HTTP Inspection
- Verification that a packet is compliant with HTTP RFC 2616
- Uses one of the RFC-defined or supported extension methods
- URL screening through N2H2 or Websense*
- Java and ActiveX filtering*
Enhanced HTTP inspection controls and filters HTTP messaging and traffic.
* The last two bulleted feature sets are configured in conjunction with the filter command.

HTTP Inspection (default policy)
- Identify the traffic flow (class map)
- Define the policy map: associate HTTP inspection with the traffic flow (class map)
- Apply the policy to an interface or globally (service policy)

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      inspect ctiqbe
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect http
    service-policy global_policy global

Enhanced HTTP Inspection

Has the ability to control and filter HTTP traffic flowing through the security appliance:
- Checks whether the HTTP message is RFC compliant
- Specifies which RFC HTTP request methods are permitted
- Specifies which extension methods are permitted
- Specifies the maximum header length for HTTP request and response messages
- Specifies minimum and maximum content length
- Confirms that the content-type in the message header matches the body of the HTTP message
- Specifies the maximum URI length in a request message
- Specifies the supported HTTP transfer-encoding types
- Specifies the supported MIME types

HTTP-Map: RFC and Extension Methods

    fw1(config-http-map)#
    request-method {rfc rfc_method | ext ext_method} action {allow | drop | reset} [log]

Define RFC and extension methods, and the action to take upon receiving a restricted HTTP method.
- RFC methods: connect, delete, get, head, options, post, put, trace
- HTTP extension methods: copy, edit, getattribute, getattributenames, getproperties, index, lock, mkdir, move, revadd, revlabel, revlog, revnum, save, setattribute, startrev, stoprev, unedit, unlock, and default (all other extension methods)

HTTP Map Message Content Criteria

Define HTTP message content criteria:
- content-length: Content length range inspection
- content-type-verification: Content type inspection
- max-header-length: Maximum header size inspection
- max-uri-length: Maximum URI size inspection

    fw1(config-http-map)#
    content-length {min bytes | max bytes} action {allow | drop | reset} [log]
    content-type-verification [match-req-rsp] action {allow | drop | reset} [log]
    max-header-length {request bytes | response bytes} action {allow | drop | reset} [log]
    max-uri-length bytes action {allow | drop | reset} [log]

HTTP Map Application and Encoding Inspection

Define HTTP application and encoding inspection:
- port-misuse: Application inspection (instant messaging, peer-to-peer, or tunneling traffic carried over the HTTP port)
- transfer-encoding: Transfer encoding inspection
- action: Defines the action taken when a violation occurs

    fw1(config-http-map)#
    port-misuse {im | p2p | tunneling} action {allow | drop | reset} [log]
    transfer-encoding {chunked | compress | deflate | gzip | identity} action {allow | drop | reset} [log]

Enhanced HTTP Inspection Configuration

Four-step process:
- HTTP map: Define the HTTP message criteria
- Class map: Identify a traffic flow
- Policy map: Associate HTTP controls and filters (HTTP map) with a traffic flow (class map)
- Service policy: Apply the policy to an interface or globally

Example: Applying HTTP Inspection
- Configure an HTTP map
- Identify the traffic flow
- Define a policy map: associate HTTP command filtering (HTTP map) with the traffic flow (class map)
- Apply the policy to an interface

    fw1(config)# http-map inbound_http
    fw1(config-http-map)# request-method rfc delete action reset log
    fw1(config-http-map)# request-method rfc post action reset log
    fw1(config-http-map)# request-method rfc put action reset log
    fw1(config-http-map)# content-type-verification match-req-rsp action reset log
    fw1(config-http-map)# exit
    fw1(config)# access-list 102 permit tcp any host 1 eq www
    fw1(config)# class-map inbound_http_traffic
    fw1(config-cmap)# match access-list 102
    fw1(config-cmap)# exit
    fw1(config)# policy-map inbound
    fw1(config-pmap)# class inbound_http_traffic
    fw1(config-pmap-c)# inspect http inbound_http
    fw1(config-pmap-c)# exit
    fw1(config-pmap)# exit
    fw1(config)# service-policy inbound outside

This map resets every POST and PUT to the protected server, so it suits a server that only serves content; a site that accepts forms or uploads needs those methods allowed.

Protocol Application Inspection

Remote Shell

The rsh protocol uses two channels:
- Client-initiated command connection (TCP)
- Server-initiated standard error connection (TCP)
For outbound connections, the security appliance opens an inbound port for standard error output.
For inbound connections, if an rsh ACL exists, the security appliance handles rsh as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens the outbound port for standard error output.

[Figure: the client connects from port 2008 to server port 514 and names port 2010 for standard error ("Port 2010 OK"); the server then opens the standard error connection from its port 1490 to client port 2010 (outbound and inbound connection requests shown).]

SQL*Net

Initially the client connects to a well-known port on the server. Oracle uses port 1521; IANA-compliant applications use port 66. The server may assign another port, or another host, to serve the client.
For outbound connections, the security appliance handles SQL*Net connections as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens an outbound port for the redirected channel.
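As an added illustration of the enhanced HTTP inspection criteria above (example code written for this page, not the appliance's implementation), the following model evaluates an http-map against raw request and response messages. Its configuration calls mirror the CLI keywords (request-method, max-uri-length, max-header-length, content-type-verification with match-req-rsp semantics, transfer-encoding), and each check returns the configured action. Assumptions of the model: a request whose method is neither an RFC nor a known extension method, or whose start line does not parse, is treated as non-compliant and reset; content-type-verification compares the declared Content-Type against a small body-signature table, and the response type against the request's Accept header; the sample messages are constructed, not captured.

```python
RFC_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
EXT_METHODS = {"copy", "edit", "getattribute", "getattributenames", "getproperties", "index",
               "lock", "mkdir", "move", "revadd", "revlabel", "revlog", "revnum", "save",
               "setattribute", "startrev", "stoprev", "unedit", "unlock"}
# Body signatures used for content-type-verification (a small table, an assumption of this model)
MAGIC = [(b"\x89PNG", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"GIF8", "image/gif"), (b"%PDF", "application/pdf")]


def parse_message(raw: bytes):
    """Split an HTTP message into (start line, headers, header length, body); ValueError if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4, body


def sniff_media_type(body: bytes):
    for magic, mtype in MAGIC:
        if body.startswith(magic):
            return mtype
    return None


class HttpMap:
    """Models an http-map: configuration calls mirror the CLI; verdicts are allow, drop or reset."""

    def __init__(self):
        self.method_action = {}
        self.max_uri = None
        self.max_req_hdr = None
        self.max_rsp_hdr = None
        self.ct_verify = None        # action for content-type-verification match-req-rsp
        self.te_action = {}
        self._last_accept = None

    def request_method(self, kind, name, action):
        if name not in (RFC_METHODS if kind == "rfc" else EXT_METHODS):
            raise ValueError(f"unknown {kind} method {name}")
        self.method_action[name] = action

    def max_uri_length(self, nbytes, action):
        self.max_uri = (nbytes, action)

    def max_header_length(self, action, request=None, response=None):
        self.max_req_hdr = (request, action) if request else None
        self.max_rsp_hdr = (response, action) if response else None

    def content_type_verification(self, action):
        self.ct_verify = action

    def transfer_encoding(self, encoding, action):
        self.te_action[encoding] = action

    def inspect_request(self, raw: bytes) -> str:
        try:
            start, hdrs, hdr_len, body = parse_message(raw)
            method, uri, version = start.split(" ")
        except ValueError:
            return "reset"                           # not RFC 2616 compliant (modelled action)
        method = method.lower()
        if version not in ("HTTP/1.0", "HTTP/1.1") or method not in RFC_METHODS | EXT_METHODS:
            return "reset"
        if method in self.method_action:             # restricted RFC or extension method
            return self.method_action[method]
        if self.max_uri and len(uri) > self.max_uri[0]:
            return self.max_uri[1]
        if self.max_req_hdr and hdr_len > self.max_req_hdr[0]:
            return self.max_req_hdr[1]
        verdict = self._check_te(hdrs) or (self._check_ct(hdrs, body) if self.ct_verify else None)
        if verdict:
            return verdict
        self._last_accept = hdrs.get("accept")       # remembered for match-req-rsp on the reply
        return "allow"

    def inspect_response(self, raw: bytes) -> str:
        try:
            start, hdrs, hdr_len, body = parse_message(raw)
            version, _status, *_ = start.split(" ")
        except ValueError:
            return "reset"
        if version not in ("HTTP/1.0", "HTTP/1.1"):
            return "reset"
        if self.max_rsp_hdr and hdr_len > self.max_rsp_hdr[0]:
            return self.max_rsp_hdr[1]
        verdict = self._check_te(hdrs)
        if verdict:
            return verdict
        if self.ct_verify:
            if self._check_ct(hdrs, body):
                return self.ct_verify
            # match-req-rsp: the response type must be one the request said it accepts
            ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
            if self._last_accept and ctype and not self._accepts(self._last_accept, ctype):
                return self.ct_verify
        return "allow"

    def _check_te(self, hdrs):
        for enc in hdrs.get("transfer-encoding", "").split(","):
            if enc.strip().lower() in self.te_action:
                return self.te_action[enc.strip().lower()]
        return None

    def _check_ct(self, hdrs, body):
        """Declared Content-Type must agree with what the body looks like."""
        declared = hdrs.get("content-type", "").split(";")[0].strip().lower()
        sniffed = sniff_media_type(body)
        return self.ct_verify if sniffed and declared != sniffed else None

    @staticmethod
    def _accepts(accept, ctype):
        for item in accept.split(","):
            pat = item.split(";")[0].strip().lower()
            if pat in ("*/*", ctype) or (pat.endswith("/*") and ctype.startswith(pat[:-1])):
                return True
        return False
```

Configured like the inbound_http map on the slide (delete, post and put reset; content-type-verification reset), the model resets a DELETE, lets a GET through, and resets a reply that declares text/html while carrying a PNG body.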
For inbound connections, if an ACL exists, the security appliance opens an inbound port for the redirected channel.

[Figure: the client sends a TCP connection request from port 2008 to server port 1521; the server answers "Redirect Port = 1030"; the first connection is torn down and the client sends a new TCP connection request to port 1030 (outbound and inbound cases shown).]

ESMTP Inspection
- Allows only the seven minimum SMTP commands: helo, mail, rcpt, data, rset, noop, and quit (RFC 821)
- Adds support for eight extended SMTP commands: auth, ehlo, etrn, help, saml, send, soml, and vrfy
- Defines the ports on which to activate ESMTP inspection (default = 25)
- If disabled, all SMTP commands are allowed through the firewall, and potential mail server vulnerabilities are exposed

DNS Inspection

Monitors all UDP transactions on port 53:
- Tracks the DNS request ID and opens a connection slot (a request from client A port 1050 to DNS server B port 53 opens the slot UDP B/53 -> A/1050 for the reply)
- Closes the connection slot immediately after the answer is received
- Translates the DNS A record (before release 6.2: the alias command; release 6.2 and later: DNS record translation)
- Reassembles the DNS packet to verify its length (default = 512 bytes)

DNS Record Translation

    fw1(config)# nat (inside) 1 dns
    fw1(config)# global (outside) 1 0-54 netmask
    fw1(config)# static (inside,outside) 7 0 dns
    fw1(config)# access-list all permit tcp any host 7 eq www
    fw1(config)# access-group all in interface outside

[The addresses and masks in this example did not survive extraction; the command forms are shown as they survived. Figure: a web client and a web server on the inside, a DNS server on the outside. The client asks the DNS server for the web server's address; because the static entry carries the dns keyword, the security appliance rewrites the A record in the reply from the web server's global (outside) address to its real (inside) address, so the client connects directly rather than through the translation.]

ICMP Inspection

The purpose of ICMP inspection is to allow replies only when they match a request:
- Source, destination, ICMP type, identification number, sequence number
- One request, one reply

SNMP Inspection
- snmp-map: To deny a specific version of SNMP
- inspect snmp: To enable SNMP application inspection

    fw1(config)# snmp-map snmp_deny_v1
    fw1(config-snmp-map)# deny version 1
    fw1(config-snmp-map)# exit
    fw1(config)# policy-map global_policy
    fw1(config-pmap)# class snmp-port
    fw1(config-pmap-c)# inspect snmp snmp_deny_v1
    fw1(config-pmap-c)# exit
    fw1(config-pmap)# exit
    fw1(config)# service-policy global_policy global

[Figure: an SNMP manager and an SNMP-managed device exchanging SNMP v1 traps.] The class map snmp-port that the example references must already exist (for example, one matching the SNMP UDP ports); it is not shown on the slide.

Multimedia Support

Why Multimedia Is an Issue

Multimedia applications behave in unique ways:
- They use dynamic ports.
- They transmit requests using TCP and get responses in UDP or TCP.
- They use the same port for source and destination.
The security appliance:
- Dynamically opens and closes ports for secure multimedia connections
- Supports multimedia with or without NAT
[Figure: a TCP or UDP request, after which additional UDP or TCP high ports may be opened.]

Real-Time Streaming Protocol

RTSP uses one TCP and two UDP channels.
- Transport options: RTP, RDP
- Sync or resend channel: RTCP, UDP resend
RTSP TCP-only mode does not require special handling by the security appliance.
Supported applications: Cisco IP/TV, Apple QuickTime 4, RealNetworks RealAudio, RealPlayer, and RealServer.

Standard RTP Mode

In standard RTP mode, RTSP uses three channels:
- Control connection (TCP)
- RTP data (simplex UDP)
- RTCP reports (duplex UDP)
For outbound connections, the security appliance opens inbound ports for RTP data and RTCP reports.
For inbound connections, if an ACL exists, the security appliance handles standard RTP mode as follows:
- If outbound traffic is allowed, no special handling is required.
- If outbound traffic is not allowed, it opens outbound ports for RTP and RTCP.

[Figure: the client's control connection from port 2008 to server port 554 (TCP) carries "SETUP transport = rtp/avp/udp"; UDP RTP data and RTCP reports then flow between server ports 5000 and 5001 and client ports 3056 and 3057 (outbound and inbound cases shown).]

RealNetworks RDP Mode

In RealNetworks RDP mode, RTSP uses three channels:
- Control connection (TCP)
- UDP data (simplex UDP)
- UDP resend (simplex UDP)
For outbound connections, the security appliance handles RealNetworks RDP mode as follows:
- If outbound traffic is allowed, it opens an inbound port for UDP data.
- If outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend.
For inbound connections, if an ACL exists, the security appliance handles RealNetworks RDP mode as follows:
- If outbound traffic is allowed, it opens an inbound port for UDP resend.
- If outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.

[Figure: the client's control connection from port 2008 to server port 554 (TCP) carries "SETUP Transport = x-real-rdt/udp", followed by the UDP data and UDP resend channels (outbound and inbound cases shown).]

RTSP Inspection
- By default, the security appliance inspects RTSP connections.
- RTSP dynamically opens UDP connections as required.
- If disabled: UDP transpor
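The DNS inspection behaviour listed above (request-ID tracking, a slot that closes on the first answer, the maximum-length check, and A record translation for a static entry with the dns keyword) is modelled in the following added example, written for this page rather than taken from the appliance. It parses real DNS wire format, including compression pointers, so it can locate every class IN type A record and rewrite its address in place. The addresses, the static mapping from global 198.51.100.7 to real 10.0.0.7, and the verdict names are assumptions; the query and reply messages are constructed inline, not captured.

```python
import struct
from ipaddress import IPv4Address

MAX_LENGTH_DEFAULT = 512   # inspect dns maximum-length 512


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a domain name (labels or a compression pointer)."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, and the name ends here
            return off + 2
        off += 1 + length


def a_record_offsets(pkt: bytes):
    """Offsets of the 4-byte rdata of every class IN type A resource record in the message."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _tid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4      # QTYPE + QCLASS
    offsets = []
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated record")
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            offsets.append(off)
        off += rdlen
    if off != len(pkt):
        raise ValueError("trailing data")
    return offsets


class DnsInspector:
    """Models DNS inspection: ID tracking, one-answer slots, length check, A record translation."""

    def __init__(self, static_dns=None, max_length=MAX_LENGTH_DEFAULT):
        self.slots = {}                     # (client_ip, client_port, server_ip) -> request id
        self.xlate = static_dns or {}       # global address -> real address (static ... dns)
        self.max_length = max_length

    def request(self, client, server_ip, pkt: bytes):
        if len(pkt) > self.max_length or len(pkt) < 12:
            return "drop", None
        tid, flags = struct.unpack("!HH", pkt[:4])
        if flags & 0x8000:                  # QR set: a reply heading the wrong way
            return "drop", None
        self.slots[(client[0], client[1], server_ip)] = tid
        return "allow", pkt

    def reply(self, client, server_ip, pkt: bytes):
        if len(pkt) > self.max_length or len(pkt) < 12:
            return "drop", None
        tid, flags = struct.unpack("!HH", pkt[:4])
        key = (client[0], client[1], server_ip)
        if not flags & 0x8000 or self.slots.get(key) != tid:
            return "drop", None             # unsolicited, replayed, or ID does not match
        try:
            offsets = a_record_offsets(pkt)
        except ValueError:
            return "drop", None
        del self.slots[key]                 # close the slot as soon as the answer arrives
        out = bytearray(pkt)
        for off in offsets:
            addr = str(IPv4Address(bytes(out[off:off + 4])))
            if addr in self.xlate:          # rewrite the A record so the client sees the real address
                out[off:off + 4] = IPv4Address(self.xlate[addr]).packed
        return "allow", bytes(out)


# Constructed sample messages (not captured traffic)
def _name(qname: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split(".")) + b"\x00"


def build_query(tid: int, qname: str) -> bytes:
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + _name(qname) + struct.pack("!HH", 1, 1)


def build_reply(tid: int, qname: str, addrs) -> bytes:
    pkt = struct.pack("!HHHHHH", tid, 0x8180, 1, len(addrs), 0, 0) + _name(qname) + struct.pack("!HH", 1, 1)
    for a in addrs:
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(a).packed
    return pkt
```

A second copy of the same reply is dropped because the slot was closed by the first one, a reply whose ID does not match the outstanding request is dropped, and anything over the configured maximum length never reaches the parser.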