Question About HTTP inspection on ASA

mahesh18
Level 6
Level 6

Hi Everyone,

Need to confirm about HTTP inspection on ASA.

When we open up any HTTP website, the pages open and the return traffic is allowed, as the ASA is stateful and remembers TCP/UDP sessions by default.

This is even though HTTP is not enabled under class inspection_default or under the global policy.

Does this mean that when we open up any website, that HTTP connection is considered normal TCP traffic, and that's why it is allowed even though it is not enabled under the global policy?

Secondly, when we enable http under class inspection_default and apply it under the global policy, does that mean that we are now doing Layer 7 inspection?

Also, does it mean that the ASA is now inspecting the traffic against the rules configured under the global service policy?

Regards

Mahesh

2 Accepted Solutions

Eddy Duran
Level 1
Level 1

Hello Mahesh,

If the connection is established from the Inside to the Outside, the ASA will keep track of it and will permit the returning traffic.

When you enable the HTTP inspection under the Global Policy, you are performing application inspection:

Use the HTTP inspection engine to protect against specific attacks and other threats that may be associated with HTTP traffic. HTTP inspection performs several functions:

• Enhanced HTTP inspection

• URL screening through N2H2 or Websense

• Java and ActiveX filtering

The enhanced HTTP inspection feature can help prevent attackers from using HTTP messages to circumvent network security policy. It verifies the following for all HTTP messages:

• Conformance to RFC 2616

• Use of RFC-defined methods only

• Compliance with the additional criteria

-Eddy Duran


Julio Carvajal
VIP Alumni
VIP Alumni

Hello Mahesh,

Just to add something to the great answer Eddy provided,

The ASA will start logging the websites you access when you have HTTP inspection enabled.

"Does this mean that when we open up any website, that HTTP connection is considered normal TCP traffic, and that's why it is allowed even though it is not enabled under the global policy?"

Exactly, regular TCP session inspection.

Adding inspect HTTP, on the other hand, will start looking at the content of the HTTP payload.

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

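To make the distinction drawn in both answers concrete, here is an added ASA configuration fragment (not from the thread or from Cisco documentation) showing the factory global policy, under which web traffic passes only on the strength of the stateful TCP connection table, beside the same policy with inspect http bound to an HTTP inspection policy map. The map name HTTP-STRICT and the actions chosen in it are assumptions.

```cisco
! --- Before: the factory global policy. HTTP is not listed, so port 80
!     flows are permitted purely by the stateful connection table (L3/L4)
!     and the return traffic is allowed without any payload inspection.
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  ! ... remaining default inspections omitted
!
! --- After: Layer 7 HTTP inspection. The inspection policy map below
!     (name HTTP-STRICT is assumed) enforces the RFC 2616 conformance
!     described in the accepted answer and syslogs every violation.
policy-map type inspect http HTTP-STRICT
 parameters
  ! Non-conformant HTTP (malformed requests/responses) is dropped and logged
  protocol-violation action drop-connection log
 ! CONNECT is an RFC-defined method but has no place on an inbound web
 ! path, so it is dropped and logged as well (policy choice, assumed)
 match request method connect
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http HTTP-STRICT
!
service-policy global_policy global
!
! Verification: the per-engine counters only increment once inspect http
! is active, which confirms the ASA is now looking into the HTTP payload.
! show service-policy inspect http
```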

3 Replies


Hi Eddy & Julio,

Thanks for your answers. Now my doubts about HTTP are clear and I can understand the concept better.

Best regards

Mahesh
