ASA AIP Inspection

Answered Question
Oct 14th, 2008

Simple question:


Does the AIP module inspect RETURN packets to a request made from an inside host?

(Or does it just inspect packets that originate outside?)


TIA

Correct Answer
abinjola Tue, 10/14/2008 - 22:14

Yes, the return packet also goes through the SSM engine...

To explain in a bit more detail, for example:

Let's say you have a connection from an inside machine to a web server on the internet (no encryption being done).

If you apply the policy to the inside, the SSM analysis will be done as the last thing before the packets are transmitted. The packets to the web server will be checked against ACLs and NAT'd before being sent to the SSM. Similarly, the packets to the inside client will be checked against ACLs and NAT'd back to internal addresses before being sent to the SSM.

So in both directions the SSM analysis is the last feature being done.

NOTE: Because NAT changes are done before SSM analysis, the SSM sees some packets with NAT addresses and other packets with local addresses. To help the SSM properly track the packets, the ASA adds an additional header to the packet that lets the SSM know the local addresses for the packets.

So the SSM always looks in the additional header of the packet to know the local addresses and uses those local addresses when doing analysis and alarming.

If you were to instead put the policy on the outside interface, there would be no change in the order of the features. The SSM analysis would still be the last thing done on the packets.

Do Rate If Helpful!


curt-wwwww Fri, 10/17/2008 - 10:23

ASHISH, a follow-up question:

How does the SSM engine deal with VPN traffic?

1. Remote VPN connection - it would seem the traffic would have to be inspected after decryption. Is this true?

2. L2L VPN connection - similar?

TIA

Correct Answer
abinjola Fri, 10/17/2008 - 18:14

As another scenario, let's say you have a VPN tunnel set up on the firewall. An inside client is talking to a server through the VPN tunnel that goes through the outside interface. If you apply the policy to the inside interface, then packets to the server will be checked against ACLs (NAT'd if necessary), then sent to the SSM for analysis. When it comes back from the SSM, then it is encrypted and sent through the tunnel.

The encryption happens after analysis.

The packets from the server will be checked against ACLs, AND decrypted Before being sent to the SSM.

So you see that encryption is the only thing happening After SSM analysis.

If you applied the policy to the outside interface there is NOT any change to the order of the features. Packets to the server (into the VPN tunnel) still get analyzed Before encryption, and packets from the server (from the VPN tunnel) still get decrypted Before analysis by the SSM.

So applying the policy to a different interface does NOT change the order in which the features get applied to the packet.

A packet goes through the same steps regardless of whether the policy is on the inside or outside interface.

The difference is just in which packets get analyzed.

If you place it on the inside, the packets between inside and outside will be monitored AS WELL AS packets between inside and DMZ, BUT the packets between outside and DMZ will not be monitored.

If you place it on the outside, the packets between the inside and outside will still be monitored. But now packets between outside and DMZ get monitored, and packets between inside and DMZ do NOT get monitored.

Hope it helps!

Marwan ALshawi Sat, 10/18/2008 - 16:35

The info from ASHISH is really great :)

But I am wondering about something, which is the application of the policy.

You mentioned if it is applied inside, outside and so on, which is all true.

Did you mean the policy is the policy that sends traffic to the SSM for inspection?

If yes, why don't you apply it globally? In this case you will have all the interfaces included in the inspection regardless of the traffic direction.

And when you apply it globally you can narrow it to inspect only traffic from a specific source going to a specific destination or any destination by using an extended ACL!

Hope this is helpful.

Thank you
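As an added illustration of the global approach Marwan describes (this is example configuration written for this page, not posted by anyone in the thread), the fragment below applies the IPS action in the default global policy and uses an extended ACL to limit what is handed to the SSM. The ACL name IPS_TO_SSM, the class name IPS_CLASS and the 10.1.1.0/24 subnet are assumptions chosen for the example.

```cisco
! Constructed example: only connections from the inside subnet 10.1.1.0/24 are sent to the SSM.
! Per the answers above, the return packets of a matched connection pass through the SSM too,
! and ACL/NAT (and VPN decryption) are applied before the SSM sees the packet.
access-list IPS_TO_SSM extended permit ip 10.1.1.0 255.255.255.0 any
!
class-map IPS_CLASS
 match access-list IPS_TO_SSM
!
! Add the class to the existing default global policy instead of creating a second one;
! a global service policy covers every interface, so interface placement no longer
! decides which interface pairs are monitored.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-close
!
service-policy global_policy global
```

With `ips inline fail-close`, matching traffic is dropped if the SSM is down or being reloaded; use `fail-open` only where availability outweighs the loss of inspection during that window.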
