HTTP Inspection concept

Unanswered Question
Oct 9th, 2009

Hi Experts,


This is in reference to ZBFW and NBAR URL Filtering

What is the difference between Header field inspection and URL inspection in Zone based Firewall. After reading the Cisco documents I learned that,

URL inspection is used as below:


parameter-map type regex uri_regex_cm
 pattern .*cmd.exe
 pattern .*gambling

Header field inspection is used as below:


parameter-map type regex ref_regex
 pattern \.delfinproject\.com
 pattern \.looksmart\.com

For me both seem to do the same job.


I know I have understood this the wrong way.


Can you please educate me?


Thanks in advance


Sairam

Giuseppe Larosa Sat, 10/10/2009 - 10:24

Hello Sairam,

giving a quick look at the 12.4T config guide


http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055610


I would say a URL filter can use an external server to decide if a specific web site is acceptable/secure or not.

The external server can be a websense or N2H2 server. Or it can be local, locally defined.


parameter-map type urlfpolicy {local | n2h2 | websense} parameter-map-name




Header fields inspection should be something different: looking for abnormal size of one field or other uncommon cases that could mean a security threat.


As you can see in the configuration guide, inspecting HTTP provides a lot of options related to header fields, including for example the size of the URI, that is, the string length.

A too-big URI could carry a worm, for example.


match request uri length gt 500


The URI filter should look at the URI string contents and check them against black lists or other criteria.



Hope to help

Giuseppe
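To make the distinction in the reply concrete, here is an added example configuration that is not part of the original thread and not taken from Cisco's guide. It puts the two parameter maps from the question to work: the same kind of regex is applied either to the request URI or to a named header field (Referer), alongside the URI length bound the reply mentions, and a separate local URL-filter policy shows the urlfpolicy path that does not need a Websense or N2H2 server. The class, policy and zone names, the 500-byte threshold, and the www.example.com placeholder are assumptions; the local URL-filter commands (urlf-glob, class-map type urlfilter, policy-map type inspect urlfilter) follow the 12.4(20)T-style local filtering feature and should be checked against the command reference for the IOS release in use.

```cisco
! Regex parameter maps only hold patterns; which HTTP field each pattern
! is tested against is decided in the HTTP inspect class-map below.
parameter-map type regex uri_regex_cm
 pattern .*cmd\.exe
 pattern .*gambling
parameter-map type regex ref_regex
 pattern \.delfinproject\.com
 pattern \.looksmart\.com
!
! URI inspection: regex on the request-line URI plus a length bound
! (an oversized URI is the classic worm/overflow indicator).
! Header-field inspection: the same regex mechanism, but applied to the
! Referer header rather than the URI.
class-map type inspect http match-any http-suspicious
 match request uri regex uri_regex_cm
 match request uri length gt 500
 match request header referer regex ref_regex
!
policy-map type inspect http http-deep-inspect
 class type inspect http http-suspicious
  reset
  log
!
! URL filtering: a local allow/deny decision on the requested domain,
! the "local" alternative to pointing urlfpolicy at an external server.
! www.example.com is a constructed placeholder, not a real blocklist entry.
parameter-map type urlfpolicy local local-urlf
 block-page message "Blocked by policy"
parameter-map type urlf-glob blocked-domains
 pattern www.example.com
class-map type urlfilter match-any url-blocklist
 match server-domain urlf-glob blocked-domains
policy-map type inspect urlfilter url-policy
 parameter type urlfpolicy local local-urlf
 class type urlfilter url-blocklist
  reset
  log
!
! Attach both layer-7 policies to HTTP inside the layer-4 inspect policy,
! then bind that policy to the zone pair.
class-map type inspect match-any web-traffic
 match protocol http
policy-map type inspect in-out-policy
 class type inspect web-traffic
  inspect
  service-policy http http-deep-inspect
  service-policy urlfilter url-policy
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect in-out-policy
```

The practical check after applying something like this is to watch the log output for resets from http-deep-inspect on ordinary traffic: a regex such as .*gambling will also match legitimate URIs containing that substring, and a 500-byte URI limit will trip on long query strings from some web applications, so the thresholds and patterns need tuning against real traffic before the reset action is trusted.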



