Understanding Application Support
The release of FWSM 4.01 code introduces a very powerful feature with regular expressions. Regular expressions allow you to match a variety of parameters using strings or variables that you assign. Also, four additional inspection engines have been added: DCEPRC, ESMTP, HTTP, and SIP.
Configuring Regular Expressions
If you have had an opportunity to work with Border Gateway Protocol (BGP), you may have been introduced to regular expressions. Regular expressions provide a way to match a group of characters using either an exact string match or by meta-characters that allow you to define a range, a character set, and so on. This feature can be used to match URL strings when inspecting HTTP traffic and perform an action based on a match, or perform an action on the traffic that does not match the regular expression.
The following configuration example shows how to implement regular expression matching. A client on the inside is connecting to a server on the outside. In this example, you will be inspecting the content for the permutation of the keyword "flash." If the keyword is found, the connection will be reset.
- Step 1 The first step requires that you create a regular expression to match the specific content. Ensure that the regular expression command matches on the keywords of Flash, FLaSh, flASH, and so on:
regex URL_NOFLASH "[Ff][Ll][Aa][Ss][Hh]"
- Step 2 Create and set a regular expression (regex) class map to match the regular expression (URL_NOFLASH):
class-map type regex match-any RESTRICTED_URL match regex URL_NOFLASH
- Step 3 Add an inspection class map to match the previously created class map (RESTRICTED_URL):
class-map type inspect http match-all RESTRICTED_HTTP match request uri regex class RESTRICTED_URL
- Step 4 Add a policy map to search through the body of the HTTP string. The numeric value of 48 specifies how many characters to search through. The maximum length of the string can be from 1 to 4,294,967,295 characters. Longer search strings will impact the performance of the FWSM. When a match is found, using the class map RESTRICTED_HTTP, the action assigned is to reset and log the connection:
policy-map type inspect http HTTP_PMAP parameters body-match-maximum 48 class RESTRICTED_HTTP reset log
- Step 5 Create and use a final policy map to match the policy map (HTTP_PMAP):
policy-map INSIDE_POLICY class inspection_default inspect http HTTP_PMAP
Step 6 Apply the service policy to the interface:
service-policy INSIDE_POLICY interface Inside
When a match is found, the following log message is generated:
%FWSM-5-415006: HTTP - matched Class 23: RESTRICTED_HTTP in policy-map HTTP_PMAP, URI matched - Resetting connection from Inside:192.168.1.23/3898 to Outside:10.133.219.25/80
Figure 25-3 shows a screenshot of what the client's experience would be without the service policy.
Figure 25-3 Regular Expression Without the Service Policy
Figure 25-4 shows a screenshot of what the client's experience would be with the service policy.
Figure 25-4 Regular Expression with the Service Policy
Notice now that the graphic has been removed from the display.
There is also a simple tool that you can use to test a regular expression from the command line. Use the following test command:
FWSM# test regex http://www.cIsCo123.com [Cc][Ii][Ss][Cc][Oo][0-9] INFO: Regular expression match succeeded.
The first argument is the string, and the second argument is the match criteria. Notice that both upper and lowercase characters will match the string "cIsCo" but must be followed by a numeric value.
In the next example, the hyphen does not match a numeric value, consequently the match fails.
FWSM# test regex http://www.cIsCo-123.com [Cc][Ii][Ss][Cc][Oo][0-9] INFO: Regular expression match failed.
Regular expressions are a very helpful tool that could be used to match on viruses, worms, questionable material, and so on. A maximum of 100 characters can be used in the regular expression; remember that implementing regular expressions will impact the performance of the FWSM.
Inspecting content within a packet and matching against a user defined regular expression is a very powerful feature. Because additional CPU cycles are required when you employ this feature, use caution that you do not overwhelm the processor on the FWSM. As an alternative to the FWSM for high-performance regular expression matching, consider using an Intrusion Prevention System (IPS).
Understanding Application Inspection Improvements
One of the primary functions of the FWSM is to provide application inspection, looking for protocol conformance, changing imbedded IP addressing, and so on. Increasing the capabilities of this feature only adds benefit to the services you are offering to your customers.
Domain Name Service (DNS) guard is a feature used when a client requests DNS information through the FWSM to a DNS server or servers. The default behavior of the FWSM is to allow only a single reply and drop any additional responses, consequently helping to prevent against DNS poisoning attacks. Although not recommended because of the possibility of exploiting the host, the FWSM can be configured to allow all responses using the following command:
FWSM/Context-A(config)# no dns-guard
As you may have noticed from the preceding command syntax, this command also works in multi-context mode.
Policy maps are covered in detail in Chapter 11, "Modular Policy," but the introduction of 4.01 includes additional support/enhancements for inspection policy and/or class maps for the following applications:
- Distributed Computing Environment Remote Procedure Call (DCEPRC): A protocol used across multiple computers to distribute the load. Policy map inspection is the new addition to 4.01.
- Extended Simple Mail Transfer Protocol (ESMTP): Added extensions to SMTP. The 4.01 code added the capability for application support and the capability to define inspection policy maps that match traffic using regular expressions.
- HTTP: A protocol used generally to transfer information across the Internet.
Session Initiation Protocol (SIP): A signaling protocol used for voice communications over IP.
The following options are available using policy maps with the previously listed protocols, as follows:
- —drop: Drops all packets that match the defined pattern.
- —drop-connection: Drops the packet and closes the connection.
- —log: Sends a syslog message.
- —mask: Masks that portion of the packet that has been matched.
- —rate-limit: Limits the rate of received messages.
- —reset: Drops the packet; closes and resets the connection.
- —send-protocol-error: Sends an error message when the packet does not match the ESMTP protocol.
The capability added with policy maps for DCEPRC, ESMTP, HTTP, and SIP adds tremendous functionality for the inspection of these protocols. With the option to drop, drop-connection, log, mask, rate-limit, reset, and send-protocol-error, for many of these protocols, the functionality also significantly improves.