HTTP Inspection concept

snarayanaraju
Level 4

Hi Experts,

This is in reference to ZBFW and NBAR URL filtering.

What is the difference between header field inspection and URL inspection in Zone-Based Firewall? After reading the Cisco documents I learned that,

URL inspection is used as below:

parameter-map type regex uri_regex_cm
 pattern .*cmd.exe
 pattern .*gambling

Header field inspection is used as below:

parameter-map type regex ref_regex
 pattern \.delfinproject\.com
 pattern \.looksmart\.com

To me, both seem to do the same job.

I know I have understood this the wrong way.

Can you please educate me?

Thanks in advance,

Sairam

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Sairam,

Giving a quick look at the 12.4T config guide:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055610

I would say a URL filter can use an external server to decide if a specific web site is acceptable/secure or not.

The external server can be a Websense or N2H2 server. Or it can be local, locally defined.

parameter-map type urlfpolicy {local | n2h2 | websense} parameter-map-name

Header fields inspection should be something different: looking for abnormal size of one field or other uncommon cases that could mean a security threat.

As you can see in the configuration guide, inspecting HTTP provides a lot of options related to header fields, including for example the size of the URI, that is, the string length.

A URI that is too big could carry a worm, for example.

match request uri length gt 500

The URI filter should look at the URI string contents and check it against blacklists or other criteria.

Hope to help

Giuseppe
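
As an added illustration (not part of either post, and a model rather than Cisco's implementation), the Python sketch below applies the regex patterns quoted in the question to different parts of a request: the URI patterns to the request URI, the `ref_regex` patterns to the Referer header (an assumption based on the map's name), plus the URI length check from the reply. The function names and the sample requests are constructed for this example.

```python
import re

# Patterns copied from the two parameter-maps quoted in the question.
URI_REGEX = [re.compile(p) for p in (r".*cmd.exe", r".*gambling")]
REF_REGEX = [re.compile(p) for p in (r"\.delfinproject\.com", r"\.looksmart\.com")]
MAX_URI_LEN = 500  # from "match request uri length gt 500"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def inspect_request(raw: bytes):
    """Return the names of the checks that this request trips."""
    _method, uri, headers = parse_request(raw)
    hits = []
    # URI inspection: the regex sees only the request URI.
    if any(r.search(uri) for r in URI_REGEX):
        hits.append("uri-regex")
    # Header field inspection: the regex sees only the Referer value.
    if any(r.search(headers.get("referer", "")) for r in REF_REGEX):
        hits.append("referer-regex")
    # Size check on the URI, independent of its contents.
    if len(uri) > MAX_URI_LEN:
        hits.append("uri-length")
    return hits


# Constructed sample requests (not captured traffic).
REQ_URI = b"GET /scripts/cmd.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_REF = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Referer: http://ads.looksmart.com/click\r\n\r\n")
REQ_LONG = b"GET /" + b"A" * 600 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_URI, REQ_REF, REQ_LONG):
        print(inspect_request(req))
```

A request whose URI merely contains `www.looksmart.com` trips neither regex check in this model, because the Referer patterns are never applied to the URI.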
