Cisco Firewalls > Application Inspection > Inspection Capabilities in the Classic IOS Firewall

Table of Contents

Download Safari Books Online apps: Apple iOS | Android

Entire Site

Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Search

Table of Contents

About the Author

About the Technical Reviewers

Acknowledgments

Icons Used in This Book

Command Syntax Conventions

Foreword

Introduction

Ch. 1. Firewalls and Network Security

Ch. 2. Cisco Firewall Families Overview

Ch. 3. Configuration Fundamentals

Ch. 4. Learn the Tools. Know the Firewall

Ch. 5. Firewalls in the Network Topology

Ch. 6. Virtualization in the Firewall World

Ch. 7. Through ASA Without NAT

Ch. 8. Through ASA Using NAT

Ch. 9. Classic IOS Firewall Overview

Ch. 10. IOS Zone Policy Firewall Overview

Ch. 11. Additional Protection Mechanisms

Ch. 12. Application Inspection

Inspection Capabilities in the Classic IOS Firewall

Application Inspection in the Zone Policy Firewall

DNS Inspection in the Zone Policy Firewall

FTP Inspection in the Zone Policy Firewall

HTTP Inspection in the Zone Policy Firewall

IM Inspection in the Zone Policy Firewall

Overview of ASA Application Inspection

DNS Inspection in ASA

FTP Inspection in ASA

HTTP Inspection in ASA

Inspection of IM and Tunneling Traffic in ASA

Botnet Traffic Filtering in ASA

Summary

Inspection Capabilities in the Classic IOS Firewall

This section extends the Context Based Access Control (CBAC) philosophy initially looked at in Chapter 9 to protocols that need special handling when crossing Layer 3 devices. The Classic IOS Firewall solution essentially focuses on fixing up misbehaved protocols, rather than using application awareness for advanced filtering. The main exception to this rule is HTTP, which somewhat enables customization.

Figure 12-1 depicts the reference scenario for the CBAC examples that follow. Example 12-1 assembles the commands used to implement a policy that permits the setup of outbound DNS, FTP, and HTTP sessions. The ip inspect rules are not L4-based as those employed in Chapter 9. They make direct reference to the application protocols themselves, instead of being TCP- or UDP-based. Some additional aspects explored in this example deserve special mention:

You are currently reading a PREVIEW of this book.

Get instant access to over
$1 million worth of books and videos.

Start a Free Trial

Download Safari Books Online apps: Apple iOS | Android

This Book

Search

Contents

Chapter 12. Application Inspection > Inspection Capabilities in the Classic IOS...

Inspection Capabilities in the Classic IOS Firewall