Cisco Support Community


ip inspect generic tcp or udp

hi,

When we are using the Cisco IOS firewall on an ISR we can enable generic IP inspection for TCP or UDP. When this is done, why is it necessary to inspect application protocols such as, say, telnet, http, Kazza_Version2, etc., as all these protocols are TCP (protocol number 5), which we are already inspecting? Why is it necessary to inspect ports for, say, 23, or 80, or SMTP 25?

Please share the experience.

Any explanation on cisco.com or on any other URL would be highly appreciated.

Thanks in advance.

Subodh

2 REPLIES

Re: ip inspect generic tcp or udp

Hi Subodh,

Generic TCP or UDP inspection inspects traffic for conformance to the RFCs describing the TCP and UDP protocols.

When you enable application-level inspection, the inspection engine inspects packets deeper, into the application level, in addition to the generic TCP or UDP protocol inspection of the same packet.

For example, when you inspect HTTP traffic, you can inspect for Java applets.

When you inspect SMTP, the inspection engine inspects the format and contents of mails passing through the firewall.

All this results in a more thorough and scrupulous inspection of packets passing through the firewall in order to protect the internal parts of the network from attacks or intrusions.

Cheers,

Istvan


Re: ip inspect generic tcp or udp

If you enable generic inspection (TCP or UDP), then there isn't a point in also having granular protocol inspection for the same base protocol (TCP/UDP). The purpose of granular protocol inspection is to be more restrictive than generic.

From config guide:

"The Cisco IOS Firewall performs inspections for TCP and UDP traffic. For example, TCP inspections include Telnet traffic (port 23, by default) as well as all other applications on TCP such as Hypertext Transfer Protocol (HTTP), e-mail, instant message (IM) chatter, and so on. Therefore, there is no easy way to inspect Telnet traffic alone and deny all other TCP traffic.

The Granular Protocol Inspection feature allows you to specify TCP or UDP ports using the PAM table. As a result, the Cisco IOS Firewall can restrict traffic inspections to specific applications, thereby permitting a higher degree of granularity in selecting which protocols are to be permitted and denied as shown in Figure 32. "

[edit]

Above from: http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_gran_protcl_insp_ps6350_TSD_Products_Configuration_Guide_Chapter.html

[edit2]

Reading Istvan's post, I could see where our two posts might cause confusion.

Istvan is correct that specific application inspections can provide a higher level of security when used with generic inspection. For example, such inspection exists for some of the protocols you ask about: HTTP (http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_http_insp_eng_ps6350_TSD_Products_Configuration_Guide_Chapter.html) and SMTP (http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_email_insp_eng_ps6350_TSD_Products_Configuration_Guide_Chapter.html and http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_esmtp_fwall_supp_ps6350_TSD_Products_Configuration_Guide_Chapter.html), but not for telnet (I believe). Also, granular inspection "knows" telnet, http, smtp, esmtp, but only at the "port" number.
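The two replies describe two different ways to build an `ip inspect` rule set, and the difference is easier to see side by side in configuration. The following is an added example written for this thread, not configuration posted by either replier or taken from the Cisco guides linked above. It uses standard IOS Classic Firewall (CBAC) and PAM syntax; the interface names, the ACL numbers, the 198.51.100.0/24 Java-source network and the "user-mgmt" application on TCP 8443 are assumptions chosen for illustration only.

```cisco
! ===== Option A: generic inspection plus application inspection (Istvan) =====
! "tcp" and "udp" track every session that leaves the inside interface,
! whatever its destination port, and open the matching return hole in the
! outside ACL. On their own they only check TCP/UDP header sanity and
! state; adding "http java-list" layers application-level checks on top of
! the generic inspection for the HTTP sessions only.
ip inspect name GENERIC tcp
ip inspect name GENERIC udp
ip inspect name GENERIC http java-list 51
ip inspect name GENERIC smtp

! ===== Option B: granular inspection (second reply) =====
! No "tcp"/"udp" line here: only the named applications are inspected.
! Any other outbound TCP or UDP session has no return path through the
! inbound ACL on the outside interface, so it is effectively denied.
! Granular inspection matches applications by PAM port number only,
! which is why the PAM table must describe every port you rely on.
ip port-map http port tcp 8080
! User-defined PAM names must begin with "user-" (port 8443 is assumed).
ip port-map user-mgmt port tcp 8443

ip inspect name GRANULAR telnet
ip inspect name GRANULAR http java-list 51
ip inspect name GRANULAR smtp
ip inspect name GRANULAR user-mgmt

! Java applets are permitted only from the hosts in standard ACL 51;
! applets from any other source seen by HTTP inspection are dropped.
access-list 51 permit 198.51.100.0 0.0.0.255
access-list 51 deny any

! Inbound ACL on the outside interface: nothing is allowed in except the
! temporary entries that inspection creates for return traffic.
access-list 110 deny ip any any

! Apply exactly one inspection rule to the inside interface. Pick GENERIC
! or GRANULAR; putting "tcp" into the GRANULAR rule would turn it back
! into generic inspection, which is the point the second reply makes.
interface GigabitEthernet0/1
 description INSIDE
 ip inspect GRANULAR in
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip access-group 110 in
```

To check which applications and ports the firewall actually recognises, use `show ip port-map` (the PAM table the granular rule relies on) and `show ip inspect config`; `show ip inspect sessions` then shows, per session, which application inspection was applied, so a telnet session on TCP 23 should appear under telnet rather than under a generic tcp entry when the GRANULAR rule is active.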
