Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

HTTP Inspection concept

Hi Experts,

This is in reference to ZBFW and NBAR URL Filtering

What is the difference between Header field inspection and URL inspection in Zone based Firewall. After reading the Cisco documents I learned that,

URL inspection is used as below:

parameter-map type regex uri_regex_cm

pattern.*cmd.exe

pattern.*gambling

Header field inspection is used as below:

parameter-map type regex ref_regex

pattern \.delfinproject\.com

pattern \.looksmart\.com

For me both seems to do the same job.

I know I have understood this wrong way.

Can you please educate me

Thanks in advance

Sairam

1 REPLY
Hall of Fame Super Silver

Re: HTTP Inspection concept

Hello Sairam.

giving a quick look at 12.4T config guide

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1055610

I would say a URL filter can use an external server to decide if a specific web site is acceptable/secure or not.

The external server can be a websense or N2H2 server. Or it can be local, locally defined.

parameter-map type urlfpolicy {local | n2h2 |

websense} parameter-map-name

Header fields inspection should be something different: looking for abnormal size of one field or other uncommon cases that could mean a security threat.

As you can see in the configuration guide inspecting HTTP provides a lot of options related to header fields including for example the size of the URI that is the string length.

a too big URI could carry a worm for example.

match request uri length gt 500

the uri filter should look at the URI string contents and to check it against black lists or other criteria.

Hope to help

Giuseppe

126
Views
5
Helpful
1
Replies