- ZFW Rate Limiting
- Capability to police traffic matching the definitions of a specific class-map as it traverses the firewall from one security zone to another. (Traffic-rate policing is not supported on zone pairs that involve the self zone.)
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
class type inspect CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
inspect
police rate 1024000 burst 64000
Verification:
R1#show policy-map type inspect zone-pair INSIDE_TO_OUTSIDE
Zone-pair: INSIDE_TO_OUTSIDE
Police
rate 1024000 bps,64000 limit
conformed 7083 packets, 3573091 bytes; actions: transmit
exceeded 8937 packets, 12913808 bytes; actions: drop
conformed 0 bps, exceed 0 bps
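To make the conformed/exceeded counters in the show output above concrete, here is an added example (not Cisco's implementation and not from the original post) of a single-rate token-bucket policer using the page's values: rate 1024000 bits per second and a burst of 64000 bytes. The bucket semantics (start full, refill at rate/8 bytes per second, cap at the burst size, drop when tokens are insufficient) are a simplified model; the packet trace is constructed.

```python
"""Simplified single-rate, two-colour token-bucket policer.

Models `police rate 1024000 burst 64000`: rate is in bits/s, burst in bytes.
Added example; the real IOS policer may differ in details such as bucket
initialisation and refill granularity.
"""

RATE_BPS = 1024000      # from the page: police rate 1024000
BURST_BYTES = 64000     # from the page: burst 64000


def police(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Classify (timestamp_seconds, size_bytes) packets as conformed or exceeded.

    The bucket starts full (burst_bytes tokens), refills at rate_bps/8 bytes
    per second and never holds more than burst_bytes. A packet conforms when
    enough tokens are present and consumes them (action: transmit); otherwise
    it is counted as exceeded (action: drop) and consumes nothing.
    Packets must be supplied in time order.
    """
    rate_bytes = rate_bps / 8.0
    tokens = float(burst_bytes)
    last = None
    stats = {"conformed_packets": 0, "conformed_bytes": 0,
             "exceeded_packets": 0, "exceeded_bytes": 0}
    for ts, size in packets:
        if last is not None:
            if ts < last:
                raise ValueError("packets must be time-ordered")
            tokens = min(float(burst_bytes), tokens + (ts - last) * rate_bytes)
        last = ts
        if size <= tokens:
            tokens -= size
            stats["conformed_packets"] += 1
            stats["conformed_bytes"] += size
        else:
            stats["exceeded_packets"] += 1
            stats["exceeded_bytes"] += size
    return stats


def constructed_burst():
    """Constructed trace: 50 packets of 1500 bytes arriving together at t=0
    (more than one burst's worth), then 20 more one second later."""
    return [(0.0, 1500)] * 50 + [(1.0, 1500)] * 20


def constructed_steady_flow():
    """Constructed trace: 1280-byte packets every 10 ms, i.e. exactly
    128000 bytes/s = 1024000 bit/s, the configured rate."""
    return [(i * 0.01, 1280) for i in range(100)]


if __name__ == "__main__":
    print(police(constructed_burst()))
    print(police(constructed_steady_flow()))
```

With the burst trace, 42 packets (63000 bytes) fit in the initial 64000-byte bucket, the remaining 8 are dropped, and after one second the bucket has refilled to its cap so the next 20 packets all conform; a flow running at exactly the configured rate never exceeds.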
To apply connection-based limits to a particular class under a policy map, you first need to define an inspect parameter-map and then reference it from that class's inspect action (the show output below lists it as "Inspect OUTSIDE_TRAFFIC_PARAMS").
parameter-map type inspect OUTSIDE_TRAFFIC_PARAMS
max-incomplete low 50
max-incomplete high 100
one-minute low 10
one-minute high 50
tcp max-incomplete host 10 block-time 1
sessions maximum 3000
R1#show parameter-map type inspect default
parameter-map type inspect default values
audit-trail off
alert on
max-incomplete low unlimited
max-incomplete high unlimited
one-minute low unlimited
one-minute high unlimited
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host unlimited block-time 0
sessions maximum 2147483647
R1#show parameter-map type inspect
parameter-map type inspect OUTSIDE_TRAFFIC_PARAMS
audit-trail off
alert on
max-incomplete low 50
max-incomplete high 100
one-minute low 10
one-minute high 50
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host 10 block-time 1
sessions maximum 3000
R1#show policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
Policy Map type inspect PMAP_INSIDE_TO_OUTSIDE
Class CMAP_INSIDE_TO_OUTSIDE_TRAFFIC
Inspect OUTSIDE_TRAFFIC_PARAMS
Police rate 1024000 burst 64000
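The parameter-map values above are thresholds for half-open (incomplete) TCP sessions. The following added example (not Cisco's code and not from the original post) is a simplified model of two of them: the global max-incomplete high/low watermarks, which turn aggressive aging of half-open sessions on above the high mark and off again only below the low mark, and tcp max-incomplete host 10 block-time 1, which blocks new connection attempts to a destination for one minute once more than 10 half-open sessions to it exist. Half-open entries age out after tcp synwait-time (30 seconds by default). The one-minute high/low thresholds use the same watermark logic on a per-minute attempt counter and are left out; the traffic in the test is constructed.

```python
"""Simplified model of the inspect parameter-map DoS thresholds.

Values default to the ones on the page (max-incomplete high 100 / low 50,
tcp max-incomplete host 10 block-time 1, tcp synwait-time 30).
Added example: an approximation for learning, not IOS's implementation.
"""
from collections import defaultdict


class HalfOpenMonitor:
    def __init__(self, high=100, low=50, host_max=10, block_time_min=1, synwait=30):
        self.high, self.low = high, low
        self.host_max = host_max
        self.block_time = block_time_min * 60   # block-time is in minutes
        self.synwait = synwait                  # seconds before a half-open entry ages out
        self.half_open = defaultdict(list)      # dst -> list of SYN timestamps
        self.blocked_until = {}                 # dst -> time the host block expires
        self.aggressive = False                 # aggressive aging mode (global watermark)

    def _age(self, now):
        # Half-open entries that never completed the handshake within synwait expire.
        for dst in list(self.half_open):
            live = [t for t in self.half_open[dst] if now - t < self.synwait]
            if live:
                self.half_open[dst] = live
            else:
                del self.half_open[dst]

    def total(self):
        return sum(len(s) for s in self.half_open.values())

    def _update_watermark(self):
        # Hysteresis: enter aggressive mode above high, leave it only below low.
        total = self.total()
        if total > self.high:
            self.aggressive = True
        elif total < self.low:
            self.aggressive = False

    def new_syn(self, dst, now):
        """A new TCP SYN toward dst at time `now` (seconds).

        Returns "blocked-host" when the per-host limit applies,
        "aggressive" when allowed while aggressive aging is active, else "allow".
        """
        self._age(now)
        if self.blocked_until.get(dst, 0) > now:
            return "blocked-host"
        if len(self.half_open[dst]) >= self.host_max:
            # One more half-open session would exceed tcp max-incomplete host:
            # drop this SYN and block new attempts to dst for block-time.
            self.blocked_until[dst] = now + self.block_time
            self._update_watermark()
            return "blocked-host"
        self.half_open[dst].append(now)
        self._update_watermark()
        return "aggressive" if self.aggressive else "allow"

    def handshake_complete(self, dst, now):
        """The oldest half-open session to dst completed (or was torn down)."""
        self._age(now)
        if self.half_open.get(dst):
            self.half_open[dst].pop(0)
            if not self.half_open[dst]:
                del self.half_open[dst]
        self._update_watermark()


if __name__ == "__main__":
    m = HalfOpenMonitor()
    # Constructed: 11 SYNs to one host; the 11th trips the per-host limit.
    print([m.new_syn("10.0.0.1", 0.0) for _ in range(11)])
```

The hysteresis gap between high and low is the point of having two values: it keeps the firewall from flapping in and out of aggressive mode when the half-open count hovers near a single threshold.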
- ZFW Application Inspection
- HTTP
- SMTP
- POP3
- IMAP
- Sun RPC
- P2P Application Traffic
- IM Applications
HTTP Application Inspection:
- Application inspection can be applied to HTTP traffic to control unwanted use of HTTP's service port by other applications, such as IM, P2P file sharing, and tunneling applications that can redirect otherwise firewalled applications through TCP 80.
- Ability to permit, deny, and monitor requests and responses based on header name and header values. This is useful for blocking requests and responses that carry vulnerable header fields.
- Ability to limit the sizes of different elements in HTTP request and response headers, such as maximum URL length, maximum header length, maximum number of headers, and maximum header-line length. This is useful for preventing buffer overflows.
- Ability to block requests and responses that carry multiple headers of the same type, for instance a request with two Content-Length headers.
- Ability to block requests and responses with non-ASCII headers. This is useful for preventing attacks that use binary and other non-ASCII characters to deliver worms and other malicious content to web servers.
- Ability to group HTTP methods into user-specified categories, each of which can be blocked, allowed, or monitored. The HTTP RFC allows a restricted set of HTTP methods. Some of the standard methods are considered unsafe because they can be used to exploit vulnerabilities on a web server, and many of the non-standard methods have a poor security record.
- Ability to block specific URIs based on a user-configured regular expression, which allows custom URIs and queries to be blocked.
- Ability to spoof header values (especially the Server header) with user-customizable strings. This is useful where an attacker analyzes web server responses to learn as much as possible about the server and then launches an attack that exploits weaknesses in that particular web server software.
- Ability to block or issue an alert on an HTTP connection if one or more HTTP parameter values match a user-supplied regular expression. Possible HTTP value contexts include header, body, username, password, user agent, request line, status line, and decoded CGI variables.
Instant Messaging and Peer-to-Peer Application Control
IM services:
- AOL Instant Messenger
- MSN Messenger
- Yahoo! Messenger
P2P application protocols:
- BitTorrent
- eDonkey
- FastTrack
- Gnutella
- KaZaA / KaZaA2
- WinMX
Example:
parameter-map type regex REGEX_TORRENT
pattern .*\.([tT][oO][rR]|[rR][eE][nN]|[tT])
parameter-map type regex REGEX_ALL_DOT_COM
pattern .*\.[cC][oO][mM]
class-map type inspect http match-all CMAP_TORRENT
match request header host regex REGEX_ALL_DOT_COM
match request uri regex REGEX_TORRENT
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_HTTP
match protocol http
match access-group name FROM_INSIDE_NETWORK
policy-map type inspect http PMAP_HTTP_POLICY
class type inspect http CMAP_TORRENT
reset
log
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
class type inspect CMAP_INSIDE_TO_OUTSIDE_HTTP
inspect
service-policy http PMAP_HTTP_POLICY
This configuration resets and logs HTTP sessions from the inside network whose request URI matches REGEX_TORRENT (intended for *.torrent downloads) and whose Host header matches REGEX_ALL_DOT_COM (all ".com" sites); both conditions must hold because CMAP_TORRENT is a match-all class.
Verification:
*Apr 1 21:52:38.246: %APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field (^[Hh][Oo][Ss][Tt]:.*\.[cC][oO][mM]) matched - resetting session 10.1.1.2:41425 208.95.172.130:80 on zone-pair INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class CMAP_TORRENT
*Apr 1 21:52:38.246: %APPFW-4-HTTP_URI_REGEX_MATCHED: URI regex (.*\.([tT][oO][rR]|[rR][eE][nN]|[tT])) matched - resetting session 10.1.1.2:41425 208.95.172.130:80 on zone-pair INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class CMAP_TORRENT
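The two APPFW log lines show the firewall evaluating the Host-header regex (prefixed with ^[Hh][Oo][Ss][Tt]: by the firewall) and the URI regex against one session. The following added example (not Cisco's code and not from the original post) reproduces that evaluation in Python against a handful of constructed requests, using the two patterns exactly as configured on the page. It assumes that the firewall's regex match is an unanchored search (the page's patterns begin with .* either way) and that Python's re syntax is equivalent for these simple patterns. Running it also shows a caveat a practitioner would want: because neither pattern is anchored at the end, REGEX_TORRENT also matches any URI containing ".t" (for example /notes.txt) and REGEX_ALL_DOT_COM matches hosts such as files.commons.org; tightened, end-anchored alternatives are included and labelled as assumptions.

```python
"""Emulate the CMAP_TORRENT match-all class and PMAP_HTTP_POLICY actions.

Added example for illustration; not IOS code. The regex patterns are the
ones from the page's parameter-map type regex definitions.
"""
import re

REGEX_TORRENT = r".*\.([tT][oO][rR]|[rR][eE][nN]|[tT])"   # from the page
REGEX_ALL_DOT_COM = r".*\.[cC][oO][mM]"                   # from the page


def header_regex(name, pattern):
    """Build the header-field regex the way the APPFW log line shows it:
    ^[Hh][Oo][Ss][Tt]:<pattern>, matched against the whole "Name: value" line."""
    name_class = "".join("[%s%s]" % (c.upper(), c.lower()) for c in name)
    return re.compile("^" + name_class + ":" + pattern)


HOST_RE = header_regex("Host", REGEX_ALL_DOT_COM)   # match request header host regex
URI_RE = re.compile(REGEX_TORRENT)                  # match request uri regex


def cmap_torrent_matches(request):
    """match-all: both the Host header and the request URI must match."""
    host_line = "Host: " + request["host"]
    return bool(HOST_RE.search(host_line)) and bool(URI_RE.search(request["uri"]))


def apply_http_policy(requests):
    """Return the action per request: 'reset+log' when CMAP_TORRENT matches
    (policy-map type inspect http PMAP_HTTP_POLICY), otherwise plain 'inspect'."""
    return ["reset+log" if cmap_torrent_matches(r) else "inspect" for r in requests]


# Tightened patterns (assumption: IOS regex honours the $ end anchor as Python does).
# Note the $ anchor would also miss URIs with a trailing query string and
# Host values carrying an explicit :port; adjust to the traffic you expect.
TIGHT_TORRENT = r".*\.[tT][oO][rR][rR][eE][nN][tT]$"
TIGHT_DOT_COM = r".*\.[cC][oO][mM]$"


def tight_torrent_matches(request):
    host_line = "Host: " + request["host"]
    return bool(header_regex("Host", TIGHT_DOT_COM).search(host_line)) and \
        bool(re.search(TIGHT_TORRENT, request["uri"]))


# Constructed sample requests (hostnames and paths are made up).
SAMPLE_REQUESTS = [
    {"host": "tracker.example.com", "uri": "/files/movie.torrent"},  # intended target
    {"host": "tracker.example.org", "uri": "/files/movie.torrent"},  # not a .com host
    {"host": "www.example.com", "uri": "/index.html"},               # ordinary page
    {"host": "www.example.com", "uri": "/notes.txt"},                # ".t" side effect
    {"host": "files.commons.org", "uri": "/a.torrent"},              # ".com" inside "commons"
]

if __name__ == "__main__":
    for req, action in zip(SAMPLE_REQUESTS, apply_http_policy(SAMPLE_REQUESTS)):
        print("%-22s %-22s %s" % (req["host"], req["uri"], action))
```

Requests 4 and 5 are reset by the page's patterns even though they are not .torrent downloads from .com sites, which is the kind of collateral effect worth checking in the %APPFW logs after deploying a regex-based class.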