Configuring Simple HTTP Inspection

Consider, for example, the simple LAN-to-Internet firewall with no traffic restrictions (from Chapter 3) that was improved in the previous section (Figure 5-3). Now the IT manager would like to implement a simple HTTP inspection policy: HTTP misuses and uncommon HTTP commands (anything but GET, POST, and HEAD) shall be denied. To configure this requirement, you have to perform the following configuration steps (final configuration is in Listing 5-17):

  • class-map validHttpCommands is defined to match all allowed HTTP request methods.

  • class-map httpPortMisuse is defined to match any misuses of TCP port 80.

  • class-map anyOtherHttp matches all HTTP traffic, effectively replacing the class-default.

  • policy-map validHttp defines the HTTP inspection policy. The TCP session is reset when a port misuse is detected or when the HTTP request method does not match one of the allowed methods.

  • A new inspect class-map is defined to match the HTTP traffic and is appended at the end of the existing InsideToOutside policy map (just in front of the class-default line).
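
The decision logic of the `validHttp` policy, modelled in Python as an added example (this is not Listing 5-17 and not IOS configuration). The class order, the first-match evaluation, and the simplification that any port-80 payload without a well-formed HTTP request line counts as port misuse are assumptions of this model; the payloads are constructed samples.

```python
import re

# Methods the policy permits (class-map validHttpCommands).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Request line: method token, request target, HTTP version.
REQUEST_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+) (\S+) HTTP/\d\.\d$")


def parse_method(payload: bytes):
    """Return the request method, or None if this is not an HTTP request."""
    first_line = payload.split(b"\r\n", 1)[0]
    m = REQUEST_LINE.match(first_line)
    return m.group(1).decode("ascii") if m else None


# One predicate per class-map named in the steps above.
def is_port_misuse(payload):      # assumption: non-HTTP bytes on TCP/80
    return parse_method(payload) is None

def is_valid_command(payload):    # methods are case-sensitive, so "get" fails
    return parse_method(payload) in ALLOWED_METHODS

def is_any_http(payload):         # catch-all standing in for class-default
    return parse_method(payload) is not None


# Assumed evaluation order: first matching class decides the action.
VALID_HTTP_POLICY = [
    ("httpPortMisuse", is_port_misuse, "reset"),
    ("validHttpCommands", is_valid_command, "allow"),
    ("anyOtherHttp", is_any_http, "reset"),
]


def evaluate(payload: bytes):
    """Return (matched class, action) for the first payload of a TCP/80 session."""
    for name, matches, action in VALID_HTTP_POLICY:
        if matches(payload):
            return name, action
    return "class-default", "reset"  # unreachable: the classes above are exhaustive


if __name__ == "__main__":
    samples = [  # constructed payloads
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        b"SSH-2.0-OpenSSH_9.6\r\n",
    ]
    for s in samples:
        print(s.split(b"\r\n", 1)[0], "->", evaluate(s))
```
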


  
