10-12-2013 05:20 AM - edited 03-11-2019 07:51 PM
Hello there,
I just want to verify what I've learned about:
Stateful Inspection (packet filtering up to L5) and
Application Inspection (packet filtering up to L7).
Regarding an IOS ZBF (IOS ver 12.4(20)T on a router), do these commands implement Application Inspection?
(I mean: do they satisfy a protocol like FTP and enable the router to learn about dynamic ports and unwanted activities?)
class-map type inspect match-any CM
 match protocol ftp
 match protocol http
policy-map type inspect PM
 class type inspect CM
  inspect
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PM
Or do they implement Stateful Inspection only? If so, how do I add the Application Inspection feature (on FTP traffic, for example)?
One more question: is "application-specific matching" another expression for "application inspection feature"?
thanks !
10-12-2013 12:31 PM
Hello Odysious,
When you match traffic on a class-map with match protocol http or ftp you are indeed matching a L7 protocol, so when you inspect this class-map on a policy-map you will be handling a L7 policy-map, which means application stateful (so for a protocol like FTP that uses additional channels, the router will be able to open the right pinholes).
I hope I was clear hehe
Let me know anyway
10-13-2013 10:43 AM
Julio,
Referring to the following doc, I think you're wrong. L7 inspection uses "parameter-maps" or something like that.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Actually that doc is too tough to me and I can't get the answer from it. I know it's there, but it's very hard to me to find it.
10-13-2013 11:33 AM
Hello,
No I am not... 101% sure about it!
You use parameter-maps, L7 class-maps and L7 policy-maps in order to do specific L7 tasks such as blocking files that contain certain strings or blocking websites, etc. etc.
But still, matching traffic with a match protocol and using the keyword inspect will be a L7 action, as the router will get into the content of the packets to make sure the protocol is honored.
Hey remember to rate all of the helpful posts,
If you do not know how, just let me know.
Regards
10-14-2013 01:25 AM
Have you looked at the example in the above-mentioned link?
Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:
conf t
class-map type inspect match-any internet-traffic-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
Configure a policy-map to inspect traffic on the class-maps you just defined:
conf t
policy-map type inspect private-internet-policy
 class type inspect internet-traffic-class
  inspect
Configure the private and Internet zones and assign router interfaces to their respective zones:
conf t
zone security private
zone security internet
int bvi1
 zone-member security private
int fastethernet 0
 zone-member security internet
Configure the zone-pair and apply the appropriate policy-map.
Note: You only need to configure the private Internet zone pair at present in order to inspect connections sourced in the private zone traveling to the Internet zone:
conf t
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
This completes the configuration of the Layer 7 inspection policy on the private Internet zone-pair to allow HTTP, HTTPS, DNS, and ICMP connections from the clients zone to the servers zone and to apply application inspection to HTTP traffic to assure that unwanted traffic is not allowed to pass on TCP 80, HTTP’s service port.
Define class-maps that describe the traffic that you want to permit between zones, according to policies described earlier:
conf t
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
Configure policy-maps to inspect traffic on the class-maps you just defined:
conf t
policy-map type inspect clients-servers-policy
 class type inspect L4-inspect-class
  inspect
Configure the clients and servers zones and assign router interfaces to their respective zones:
conf t
zone security clients
zone security servers
int vlan 1
 zone-member security clients
int vlan 2
 zone-member security servers
Configure the zone-pair and apply the appropriate policy-map.
Note: You only need to configure the clients-servers zone-pair at present, to inspect connections sourced in the clients zone traveling to the servers zone:
conf t
zone-pair security clients-servers source clients destination servers
 service-policy type inspect clients-servers-policy
This completes the configuration of the Layer 4 inspection policy for the clients-servers zone-pair to allow all TCP, UDP, and ICMP connections from the client zone to the server zone. The policy does not apply fixup for subordinate channels, but provides an example of simple policy to accommodate most application connections.
Obviously, "inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.
So, it depends on the protocol being inspected, not on the keyword "inspect".
But I'm not sure what's going on with ICMP? It is in both cases matched and inspected.
10-14-2013 01:43 AM
Hi,
match protocol is using PAM entries (show ip port-map) to categorize traffic, and the inspect keyword in the policy-map is for enabling stateful inspection. Now, according to Cisco:
Layer 7 class maps can be used in inspect policy maps only for deep packet inspection (DPI). The DPI functionality is delivered through Layer 7 class maps and policy maps.
To create a Layer 7 class map, use the class-map type inspect command for the desired protocol. For example, for the HTTP protocol, enter the class-map type inspect http command.
The type of class map (for example, HTTP) determines the match criteria that you can use. If you want to specify HTTP traffic that contains Java applets, you must specify a “match response body java” statement in the context of an “inspect HTTP” class map.
A Layer 7 policy map provides application level inspection of traffic. The policy map can include class maps of the same type.
To create a Layer 7 policy map, specify the protocol in the policy-map type inspect command. For example, to create a Layer 7 HTTP policy map, use the policy-map type inspect http policy-map-name command. Enter the name of the HTTP policy-map for the policy-map-name argument.
If you do not specify a protocol name (for example, if you use the policy-map type inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.
A Layer 7 policy map must be contained in a Layer 3 or Layer 4 policy map; it cannot be attached directly to a target. To attach a Layer 7 policy map to a top-level policy map, use the service-policy command and specify the application name (that is, HTTP, Internet Message Access Protocol [IMAP], Post Office Protocol, version 3 [POP3], Simple Mail Transfer Protocol [SMTP], or SUN Remote Procedure Call [SUNRPC]). The parent class for a Layer 7 policy should have an explicit match criterion that matches only one Layer 7 protocol before the policy is attached.
If the Layer 7 policy map is in a lower level, you must specify the inspect action at the parent level for a Layer 7 policy map.
So there is indeed a difference between a L3-L4 inspection and a L7 inspection according to this document.
Regards
Alain
Don't forget to rate helpful posts.
10-14-2013 05:12 AM
Cadet,
This is a very helpful reply from you. The following line reveals the mystery of "inspect" within ZFW:
If you do not specify a protocol name (for example, if you use the policy-map type inspect command), you will create a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.
In short, it depends on the "type inspect" in the policy-map, not on the "match" in the class-map nor on the "action" in the policy-map.
This implements a L4 inspection:
class-map type inspect match-all c-name
 match protocol http
policy-map type inspect p-name
 class type inspect c-name
  inspect
And this implements a L7 inspection:
class-map type inspect http match-any c-name-httpmethods
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method index
 match request method notify
policy-map type inspect http p-name-app-http
 class type inspect http c-name-httpmethods
  log
  reset
Thank you !
10-14-2013 06:20 AM
Hello Oydious,
Obviously, "inspect" is used for both L4 (tcp, udp) and L7 (http, dns) inspection.
So, it depends on the protocol being inspected, not on the keyword "inspect".
But I'm not sure what's going on with ICMP? It is in both cases matched and inspected.
Answer:
Here is where most people get confused.
Using class-maps:
You can match traffic at Layer 7, Layer 3 or Layer 4.
Using match access-list = Layer 4 or Layer 3, depending on the structure.
Using match protocol = matching Layer 7 (Layer 4 if match protocol tcp, udp).
Now, what happens if you want to inspect FTP packets to open additional channels?
You should use a class-map matching the protocol (L7) and then inspect it; otherwise the router will only care about matching TCP port 21 for FTP.
I know, it might be difficult to understand, but after taking cases for more than 2 years on TAC regarding this feature I can assure you that I know what I am talking about.
So when talking about class-maps you can match L7 or L4; what to use will depend on the protocol and what you want to do.
!!!
10-14-2013 06:41 AM
Hi Julio,
So why does Cisco seem to tell the opposite? It's very confusing from them, especially when match protocol is only using PAM to get the match instead of an access-list. I didn't say I don't believe you, because you seem to have much experience about this, but in this case the Cisco documentation is rather misleading (not to say the least).
To add to the confusion, this link says exactly what you're telling: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#stateful-1
If you're still working with TAC it could be interesting to point out to Cisco that their docs are inconsistent and/or misleading about this subject.
Regards
Alain
Don't forget to rate helpful posts.
10-14-2013 06:53 AM
Hello Cadet,
How are you man?
I am not with Cisco any more; I moved to a different company last week, actually.
Now, as we all know, there have always been problems with some Cisco documentation (I have found at least 2 documentation bugs related to ZBFW).
At the end all comes to this:
If you use a class-map as follows
ip access-list extended test
 permit tcp any any eq 21
class-map type inspect test
 match access-group name test
you are basically telling the router: whenever you see a packet with TCP destination port 21, it's a match for this class-map.
And if you have a policy like this
policy-map type inspect In-out
 class test
  inspect
you will be inspecting that traffic, but what the router will care about is:
just inspect traffic that matches destination port 21.
If you do it like this instead
class-map type inspect test
 match protocol ftp
the router will now inspect the traffic as FTP traffic, not just as TCP destination port 21.
That's it
Hope that I explained it properly
Regards,
Jcarvaja
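To make the distinction Jcarvaja draws above (and the FTP pinhole question raised in his earlier reply) concrete, here is an added toy model, written for this thread and not Cisco code: a Python zone firewall with one inside-to-outside class for FTP control traffic. With application inspection off it behaves like an access-group on TCP/21 plus inspect (the control connection is tracked, nothing more); with it on it behaves like match protocol ftp plus inspect (the control channel is parsed and a pinhole is opened for the data connection). The hosts, ports and FTP dialogue are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed addressing: the "inside" zone is 10.0.0.0/8, everything else is "outside".
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"


def is_inside(ip: str) -> bool:
    return ip.startswith("10.")


# FTP control-channel messages that announce a data connection:
#   PORT h1,h2,h3,h4,p1,p2         (client -> server, active mode)
#   227 ... (h1,h2,h3,h4,p1,p2)    (server -> client, passive mode)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(match):
    """Turn the six comma-separated FTP numbers into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # first packet of a new TCP connection
    payload: str = ""      # control-channel text carried by this segment


class ZoneFirewall:
    """One zone-pair (inside -> outside) whose only class is FTP control traffic (TCP/21).

    application_inspection=False: stateful tracking of the matched connection only,
    i.e. what `match access-group` on port 21 plus `inspect` gives you.
    application_inspection=True: the control channel is parsed by an FTP engine and a
    pinhole is opened for the announced data connection, i.e. `match protocol ftp`.
    """

    def __init__(self, application_inspection: bool):
        self.application_inspection = application_inspection
        self.sessions = set()       # (src, sport, dst, dport) of tracked connections
        self.ftp_sessions = set()   # subset handled by the FTP inspection engine
        self.pinholes = set()       # (expected src, dst, dport) for one data connection

    def _inspect_ftp(self, p: Packet) -> None:
        m = PORT_RE.match(p.payload) or PASV_RE.match(p.payload)
        if m:
            host, port = decode_hostport(m)
            # Whoever received this message (p.dst) is the party that will open
            # the data connection towards the announced host and port.
            self.pinholes.add((p.dst, host, port))

    def process(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            if fwd in self.ftp_sessions or rev in self.ftp_sessions:
                self._inspect_ftp(p)
            return "PASS established"
        if p.syn and (p.src, p.dst, p.dport) in self.pinholes:
            self.pinholes.discard((p.src, p.dst, p.dport))   # one connection per pinhole
            self.sessions.add(fwd)
            return "PASS pinhole"
        if p.syn and is_inside(p.src) and not is_inside(p.dst) and p.dport == 21:
            self.sessions.add(fwd)
            if self.application_inspection:
                self.ftp_sessions.add(fwd)
            return "PASS new control session"
        return "DROP"


def ftp_trace(active: bool) -> list:
    """Constructed packet trace: control connection, then the data-channel SYN."""
    trace = [
        Packet(CLIENT, 40000, SERVER, 21, syn=True),
        Packet(SERVER, 21, CLIENT, 40000, payload="220 FTP server ready\r\n"),
    ]
    if active:
        # 156*256 + 65 = 40001; the server connects back from port 20
        trace.append(Packet(CLIENT, 40000, SERVER, 21, payload="PORT 10,0,0,5,156,65\r\n"))
        trace.append(Packet(SERVER, 20, CLIENT, 40001, syn=True))
    else:
        # 195*256 + 80 = 50000; the client connects out to that port
        trace.append(Packet(CLIENT, 40000, SERVER, 21, payload="PASV\r\n"))
        trace.append(Packet(SERVER, 21, CLIENT, 40000,
                            payload="227 Entering Passive Mode (203,0,113,10,195,80).\r\n"))
        trace.append(Packet(CLIENT, 40002, SERVER, 50000, syn=True))
    return trace


def data_channel_verdict(application_inspection: bool, active: bool) -> str:
    """Run one trace through the firewall; return PASS or DROP for the data-channel SYN."""
    fw = ZoneFirewall(application_inspection)
    verdicts = [fw.process(p) for p in ftp_trace(active)]
    return verdicts[-1].split()[0]


if __name__ == "__main__":
    for inspect_app in (False, True):
        for active in (True, False):
            mode = "active" if active else "passive"
            policy = "match protocol ftp" if inspect_app else "match access-group tcp/21"
            print(f"{policy:26s} {mode:8s} data channel: {data_channel_verdict(inspect_app, active)}")
```

Both FTP modes fail the same way under the port-only policy: the active-mode data SYN arrives from the outside zone and the passive-mode one goes to a port other than 21, so neither belongs to a tracked session and neither matches the class. Only the FTP-aware engine, which read the PORT command or the 227 reply on the control channel, knows to expect them.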
10-14-2013 07:08 AM
Hi Julio,
I'm doing fine,thanks and I hope you too
I wish you the best in your new position.
Thanks for the explanation and sorry for misleading the OP with this link content which is very confusing.
Regards
Alain
Don't forget to rate helpful posts.
10-14-2013 07:41 AM
Hello Cadet,
Thank you, man,
It's always a pleasure to help.
Regards,
Jcarvaja
10-14-2013 08:00 AM
Great Example... Jcarvaja
I've got it
Would you please post your answer here too:
https://learningnetwork.cisco.com/thread/61307?tstart=0
It's the same question, but no one could answer it yet.
thanks a lot !
10-14-2013 08:07 AM
Hello,
Sure, I will.
Was a pleasure to help