10-26-2006 08:59 AM - edited 02-21-2020 01:16 AM
With PIX/ASA OS 7.1, to configure http inspection the configuration guide shows examples like the following:
access-list HTTP_PORTS extended permit tcp any any range 80 81
!
class-map http-ports
 match access-list HTTP_PORTS
 exit
!
http-map maphttp
 max-uri-length 256 action reset log
 port-misuse default action drop log
 request-method rfc default action reset log
 request-method rfc get action allow
 request-method rfc post action allow
 request-method rfc head action allow
 strict-http action allow log
 exit
!
policy-map global_policy
 ...
 class http-ports
  inspect http maphttp
  exit
 exit
All packets matched by class "http-port" are inspected using configuration defined in http-map "maphttp".
In OS 7.2 configuration guide the examples showing http inspect configuration are quite different. It seems that in OS 7.2 the "http-map" has been substituted by a mix of "class map type inspect http" and "policy map type inspect http" commands.
So an example of http inspection configuration with OS 7.2 is:
class-map type inspect http HTTP_METHOD_CLASS
 match not request method get
 match not request method post
 match not request method head
 exit
!
policy-map type inspect http HTTP_OUT_INSPECT
 match request uri length gt 256
  reset log
  exit
 class HTTP_METHOD_CLASS
  reset log
  exit
 parameters
  protocol-violation action reset log
  exit
 exit
!
policy-map global_policy
 ....
 class http-ports
  inspect http HTTP_OUT_INSPECT
  exit
 exit
The first question is: is it true? Is "http-map" deprecated or outdated in OS 7.2? I couldn't find clear documentation about it.
Actually, it is still possible to configure a PIX/ASA with OS 7.2 using "http-map"; the command is still there and is still described in the 7.2 command reference documentation (but not in the configuration guide).
I believe that the "http-map" configuration and the "class-map/policy-map type inspect http" configuration are quite different. Using "http-map" we can configure the "port-misuse" command and the strict-http command too, which are not available in the "class-map/policy-map type inspect http" configuration "style". Moreover, only with "policy-map type inspect http" can we configure the mysterious "protocol-violation" parameter.
I called protocol-violation "mysterious" because if you look for it in the command reference you can find that it is related to netbios protocol inspection, not http... So the second question is: is there anybody who can exactly explain what the "protocol-violation" command does in the http inspection context?
The two configuration styles both seem available in OS 7.2, but I can't understand how they can be mixed (if they can), which should be used, and why there seem to be two ways to configure quite the same thing (not exactly the same: "port-misuse" is used to detect tunneling protocols in http and I don't know how to do it using the 7.2 configuration style).
The third (and last) question is: is there anybody who can clearly explain the difference between the http inspection configuration methods (if there is any) and which will be valid in the future?
I hope I could explain my doubts clearly.
Thanks.
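To make concrete what the 7.2-style policy in the post above actually enforces, here is a small Python model, added here and not the poster's or Cisco's code, that evaluates request lines against HTTP_OUT_INSPECT. It assumes HTTP_METHOD_CLASS is evaluated match-all (every `match not` line must hold, otherwise the class would select every method) and models `protocol-violation` as a request line that lacks the RFC 2616 `METHOD SP Request-URI SP HTTP/x.y` shape; the sample request lines are constructed.

```python
"""Model of the 7.2-style HTTP_OUT_INSPECT policy from the first post.

Assumptions, not Cisco documentation: HTTP_METHOD_CLASS is a match-all
class, and `protocol-violation` is modelled as a request line that does
not have the RFC 2616 shape `METHOD SP Request-URI SP HTTP/x.y`.
"""
import re
from typing import List, Tuple

REQUEST_LINE = re.compile(r"^([A-Za-z]+) (\S+) HTTP/\d\.\d$")

# class-map type inspect http HTTP_METHOD_CLASS
#  match not request method get / post / head
# With match-all semantics every `match not` must hold, so the class
# selects any method outside this set (method tokens are case-sensitive).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_URI_LENGTH = 256  # match request uri length gt 256


def inspect_http(request_line: str) -> Tuple[str, List[str]]:
    """Return ('reset' | 'allow', reasons) for one request line.

    Every check that matches is reported; each of them carries
    `reset log` in the policy, so the result is reset if any hits.
    """
    m = REQUEST_LINE.match(request_line)
    if m is None:
        # parameters -> protocol-violation action reset log (modelled)
        return "reset", ["protocol-violation"]
    method, uri = m.group(1), m.group(2)
    reasons: List[str] = []
    if len(uri) > MAX_URI_LENGTH:
        reasons.append("uri-length")      # match request uri length gt 256
    if method not in ALLOWED_METHODS:
        reasons.append("request-method")  # class HTTP_METHOD_CLASS
    return ("reset" if reasons else "allow"), reasons


# Constructed sample request lines, one per outcome.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "PUT /upload HTTP/1.1",
    "GET /" + "a" * 300 + " HTTP/1.0",
    "GET /index.html",  # no HTTP-Version, so not RFC-shaped
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        action, reasons = inspect_http(line)
        print(f"{action:5} {','.join(reasons) or '-':18} {line[:40]}")
```

Note that the model only says which checks fire; on the appliance the order in which actions are applied when several match statements hit is internal, which is why the model reports all of them.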
10-31-2006 06:53 PM
Sorry to say I can't be of help,
but if it's any consolation, I too have noted and pondered about the introduction of the "class-map type inspect" and the "policy-map type inspect" commands. However, I have this feeling that I don't grasp their full significance nor exactly understand how they improve upon the previous method.
At least for me, Cisco documentation seems rather sparse for such an abrupt change in syntax and ....capabilities?
And for those of you who think this is insignificant, let me point out that Cisco was rather late to the firewall deep-packet inspection party. However, once there, they've jumped into it in a big way. So when a change is made in this regard... it's likely worth taking the time to understand.
How about it Cisco...could you please issue some white papers or something to clarify this.
11-01-2006 12:53 AM
Thanks for your reply, you make me feel I'm not alone with my doubts.
I opened a TAC request (id 604679873) to ask about the new "class-map/policy-map type inspect" commands. The case is still open because I still have not received a full and clear explanation.
A Cisco engineer told me clearly that the "http-map" command is deprecated in 7.2 and from now on we should use the "class-map/policy-map type inspect" commands (but why didn't Cisco say this clearly and in every release notes document?). These newer commands are more powerful (or so they could appear) but are really badly explained in the documentation. The Cisco engineer sent me an example configuration to stop instant messaging tunnels over http with 7.2:
policy-map type inspect http DenyIM_HTTP
 description Deny IM over HTTP
 parameters
 match request uri regex _default_aim-messenger
  drop-connection log
 match request uri regex _default_msn-messenger
  drop-connection log
 match request uri regex _default_windows-media-player-tunnel
  drop-connection log
 match request uri regex _default_yahoo-messenger
  drop-connection log
I believe this example is very interesting, but it points out that there are a lot of commands that are not described at all in the documentation.
I tried to enter these commands and I found that the PIX accepted them! So actually there are a lot of embedded "_default_*" regular expressions to be used in http deep inspection, but nothing is written about them in the documentation!
Now I think that the 7.2 documentation and references are only a copy, with little changes, of the previous release documents; it's not updated and we should not rely on it because it may be really wrong (and a number of months have passed since OS 7.2 was released...).
We all should complain about these gaps in the documentation by sending e-mails, talking about it in forums like this or opening a lot of TAC requests. I have worked with Cisco routers, switches and other appliances since 1995 and until now I could not have expected a situation like this from Cisco. I'm very disappointed.
I hope that someone from Cisco reads these messages and answers by posting correct and complete documentation with a lot of examples.
11-01-2006 09:00 AM
Hi, thanks a lot for your detailed observation of the differences of the http-map in different code. My friend is preparing for the new CCIE Security track and is puzzled since in the new code, right from 7.0, 7.1 and 7.2, they are rapidly changing commands in the IOS, and for the lab they have only mentioned it will be 7.x code, not the specific one. If one should prepare for it, he should be well versed with the IOS that is going to be tested or the one which is more stable.
About the regular expressions, at least they should mention a configuration example or the tasks we can do with them.
Waiting for Cisco to clear the thin air of confusion.
regards
sebastan