1) When new SCCP messages are defined and they go past …
Solutions Guide for Inspection Features
PIX/ASA 7.2
Table of Contents
1. ESMTP
1.1. Prevent DoS Attacks
1.2. Prevent Buffer Over Flow Attacks
1.3. Block Infected File Attachments By Creating Black Lists
1.4. Prevent EMAIL Spam
1.5. Block Malicious Senders Or Domains
1.6. Block Specific MIME Encoding Types
2. HTTP
2.1. Create White List And Black List of Methods to Filter
2.2. Prevent Vulnerabilities Through Protocol Validation
2.3. Impose Restrictions on HTTP Fields
2.4. Prevent Port 80 Exploitation Using Built-In Classes
2.5. Prevent Security Threats using HTTP Field Signatures
3. DNS
3.1. Prevent Cache Poisoning Attack
3.2. Restrict Domains by Creating a Black-List
4. SIP
4.1. Prevent Non-RFC-Compliant SIP Packets
4.2. Prevent DoS Attacks
4.3. Prevent Buffer Over Flow Attacks
4.4. Disallow Black-Listed Users From Using IM Over SIP
4.5. Prevent Access To Illegal/Dangerous URLs
4.6. Prevent Exploitation Of SIP End Points Or Servers
4.7. Disable Instant Messaging
4.8. Prevent Unrecognized SIP Messages
4.9. Prevent SIP Packets Arriving Out Of State
4.10. Drop SIP Packets With Invalid Max-Forwards Field
4.11. Provide Privacy To End Customers
4.12. Block Rogue Callers
4.13. Limit SIP Traffic To Specific Domains
4.14. Block SIP Traffic From Rogue Proxy Servers
4.15. Allow Only Administrators To Perform Third Party Registrations
4.16. Restrict Content Length And Type Of SIP Messages
5. Skinny
5.1. Enforce Registration To Prevent Rogue Phone Calls
5.2. Prevent Buffer Over Flow Attacks
5.3. Restrict Services On End-Points
5.4. Prevent Unrecognized SCCP Messages
5.5. Improve Connection Usage Efficiency
5.6. Prevent Potential Misuse Of Idle Media Connections
6. H.323
6.1. Block Rogue Callers
6.2. Restrict Call-Duration
6.3. Prevent RAS/H.225 Packets Arriving Out Of State
6.4. Restrict H.323 Services That Can Be Used
7. RTP
7.1. Prevent RTP DoS Attacks
8. GTP
8.1. Prevent GTP Over-Billing Attack
8.2. Prevent DoS Attack By Limiting Tunnels
8.3. Block Undesirable Country/Network Codes
8.4. Filter Specific Access Point Names (APNs)
8.5. GTP Version Based Filtering
8.6. Enable Load Balancing
9. FTP
9.1. Prevent Exploits By Hiding Server Information
9.2. Restrict Access To Specific Directories
9.3. Prevent Selective Users From Retrieving or Delivering Files
9.4. Prevent A Set Of Users From Any FTP Access
10. Netbios
10.1. Prevent Potential Malicious Activity
11. MSRPC
11.1. Enforce DCERPC Endpoint Mapper Service To Prevent Exploits
11.2. Enable DCERPC Endpoint Mapper Lookup Operation
12. Appendix
12.1. Class-maps
12.2. Regular Expressions
PIX version 7.2 adds a great deal of new functionality to the Application Inspection and Control (AIC) features available on PIX/ASA. The flexibility the CLI provides to configure this functionality can also seem complex to a first-time user. The goal of this document is to give a good idea of the new capabilities and the simplest and cleanest way to configure some of the most common scenarios.
It assumes that the reader is already familiar with the basic concepts and constructs of the Modular Policy Framework (MPF): class-maps, policy-maps and service-policy.
This document is by no means an exhaustive list of the functionality available; it is a guide to using MPF efficiently to take advantage of these new features. For each of the cases described, the configuration shown is only a suggestion, and the same result can often be achieved with a different combination of commands. Refer to the Appendix for examples and notes on different ways of defining class-maps (class-map inspection_default versus explicit match criteria).
For questions or comments on this document, contact Vijaya Kaza: vkaza@.
Note: All the examples below use the name “mymap” for the inspection-specific policy-map, for demonstration purposes only. In a real configuration these names should be unique across all inspections. Keep in mind that entering policy-map type inspect ... with an existing name edits that policy-map rather than replacing it, so pasting several of the examples below with the same name accumulates their match statements and classes into one map.
ESMTP
1 Prevent DoS Attacks
Rate-limiting of commands can be used to prevent certain DoS attacks.
The following example shows how to protect an email server from a flood of ETRN commands. ETRN (Extended Turn) is an extension to SMTP that allows one SMTP server to ask another to deliver any queued mail it holds for a specific domain; an attacker can use it to make the server start delivery runs repeatedly.
With the configuration below, ETRN commands to the server are rate-limited to 10 per second; commands beyond that rate are dropped. The “show service-policy inspect esmtp” command shows the number of dropped packets.
policy-map type inspect esmtp mymap
match cmd verb etrn
rate-limit 10
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
2 Prevent Buffer Overflow Attacks
To prevent oversized messages from reaching an email server and triggering a buffer overflow there, set a maximum message body size. With this configuration, any message whose body is larger than 32000 bytes (about 32 KB) is dropped, the connection is closed and a log message is generated.
policy-map type inspect esmtp mymap
match body length gt 32000
drop-connection log
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
To prevent an attacker from sending an over-long command line that overflows a buffer on the server, enforce a maximum command line length. With this configuration, if an ESMTP command line is longer than 512 bytes (the maximum RFC 2821 allows for a command line, including the CRLF), the connection to the server is closed.
policy-map type inspect esmtp mymap
match cmd line length gt 512
drop-connection
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
3 Block Infected File Attachments Using Black Lists
To restrict MIME attachments of a given name or type, create a black list of file names and/or file extensions to be blocked. With the configuration below, any attachment whose name matches virus.doc or contains .exe is blocked and the connection closed. Note that regex matches are unanchored substring matches, so \.exe also matches names such as setup.exe.txt; that is usually what a black list wants, but keep it in mind when writing patterns.
regex badfile1 virus\.doc
regex badfile2 \.exe
class-map type regex match-any bad_files
match regex badfile1
match regex badfile2
policy-map type inspect esmtp mymap
match mime filetype regex class bad_files
drop-connection
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
4 Prevent EMAIL Spam
Recipient information appears in two places in an ESMTP transaction: 1) in the RCPT TO: commands of the envelope, and 2) in the header lines of the message (in the DATA part). Delivery is driven by the envelope recipients; the To: header is only what the message displays, and the two need not agree. The following examples show how to limit either one.
To limit the number of envelope recipients, enforce a limit on the number of “RCPT TO:” commands allowed per transaction. With this configuration, no more than 10 RCPT commands are allowed per transaction; the connection is closed when the limit is exceeded.
policy-map type inspect esmtp mymap
match cmd RCPT count gt 10
drop-connection
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
To prevent spam, it is also possible to enforce limits on the number of recipients specified by the To: line in the header. With the configuration below, no more than 20 recipients per transaction are allowed.
policy-map type inspect esmtp mymap
match header to-fields count gt 20
drop-connection
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
5 Block Malicious Senders Or Domains
To block mail from specific senders or domains, create a black list of users and/or domains. With this configuration, any sender in the domain xyz.com, or the sender joe@abc.com, is blocked and the connection closed. Sender addresses are trivially forged, so this is a filter for known-bad senders, not an authentication mechanism.
regex sender1 joe@abc\.com
regex sender2 @xyz\.com
class-map type regex match-any bad_senders
match regex sender1
match regex sender2
policy-map type inspect esmtp mymap
match sender-address regex class bad_senders
drop-connection
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
6 Block Specific MIME Encoding Types
To control messages of specific MIME encoding types reaching an email server, specify an action per encoding type. With the configuration below, a MIME encoding of “quoted-printable” only generates a syslog message, while an encoding of “other” (not one of the known types) causes the connection to the server to be closed.
policy-map type inspect esmtp mymap
match mime encoding quoted-printable
log
match mime encoding other
drop-connection
policy-map global_policy
class inspection_default
inspect esmtp mymap
service-policy global_policy global
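As an added example (Python written for this guide, not code from the page or from Cisco) of the checks the ESMTP rules above configure, run over a constructed client-side transcript: command-line length, RCPT count per transaction, sender black list, To: header recipient count, body size and attachment-name black list. The regex strings are the ones used in this section; POLICY, inspect_esmtp and the rule labels are this example's own. It also shows that the patterns are unanchored substring matches, which is how the ASA regex command behaves.

```python
import re

# Thresholds and patterns mirroring the ESMTP policy-map lines in this section.
# The dictionary and rule names are this example's own; the regex strings are the ones used above.
POLICY = {
    "max_cmd_line_len": 512,                         # match cmd line length gt 512
    "max_rcpt": 10,                                  # match cmd RCPT count gt 10
    "max_to_fields": 20,                             # match header to-fields count gt 20
    "max_body_len": 32000,                           # match body length gt 32000
    "bad_senders": [r"joe@abc\.com", r"@xyz\.com"],  # regex sender1 / sender2
    "bad_files": [r"virus\.doc", r"\.exe"],          # regex badfile1 / badfile2
}


def _any_match(patterns, text):
    # ASA regexes are unanchored substring searches, so re.search rather than re.fullmatch.
    return any(re.search(p, text) for p in patterns)


def _inspect_message(message, policy):
    """Checks applied to the DATA part: To: header recipient count, body size, attachment names."""
    violations = []
    split_at = message.index("") if "" in message else len(message)
    headers, body = message[:split_at], message[split_at + 1:]
    to_addrs, current = 0, None
    for h in headers:
        if h[:1] in (" ", "\t"):            # folded continuation of the previous header
            if current == "to":
                to_addrs += h.count("@")
            continue
        name, _, value = h.partition(":")
        current = name.strip().lower()
        if current == "to":
            to_addrs += value.count("@")
    if to_addrs > policy["max_to_fields"]:
        violations.append(("to-fields-count", to_addrs))
    body_len = sum(len(line) + 2 for line in body)   # each line is CRLF-terminated on the wire
    if body_len > policy["max_body_len"]:
        violations.append(("body-length", body_len))
    for line in body:                                 # MIME part headers name the attachment
        for m in re.finditer(r'(?:file)?name="?([^";\s]+)"?', line):
            if _any_match(policy["bad_files"], m.group(1)):
                violations.append(("mime-filetype", m.group(1)))
    return violations


def inspect_esmtp(session, policy=POLICY):
    """Run the policy over one client-side ESMTP transcript (a list of lines: commands, then
    after DATA the message terminated by a lone '.'). Returns [(rule, detail), ...]."""
    violations, rcpt_count, in_data, message = [], 0, False, []
    for line in session:
        if in_data:
            if line == ".":
                violations.extend(_inspect_message(message, policy))
                in_data, message, rcpt_count = False, [], 0   # the transaction ends here
            else:
                message.append(line)
            continue
        if len(line) > policy["max_cmd_line_len"]:
            violations.append(("cmd-line-length", len(line)))
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb == "RCPT":
            rcpt_count += 1
            if rcpt_count == policy["max_rcpt"] + 1:      # report once per transaction
                violations.append(("rcpt-count", rcpt_count))
        elif verb == "MAIL":
            m = re.search(r"<([^>]*)>", line)
            sender = m.group(1) if m else line.partition(":")[2].strip()
            if _any_match(policy["bad_senders"], sender):
                violations.append(("sender-address", sender))
        elif verb == "DATA":
            in_data = True
        elif verb == "RSET":
            rcpt_count = 0
    return violations


# Constructed sample transcript (not captured traffic): a black-listed sender, 12 recipients
# and three attachments, two of which match the attachment black list.
SAMPLE_SESSION = (
    ["EHLO mail.example.net", "MAIL FROM:<joe@abc.com>"]
    + ["RCPT TO:<user%d@example.com>" % i for i in range(12)]
    + ["DATA",
       "From: joe@abc.com",
       "To: user0@example.com, user1@example.com",
       "Subject: quarterly report",
       "MIME-Version: 1.0",
       'Content-Type: multipart/mixed; boundary="b1"',
       "",
       "--b1", 'Content-Disposition: attachment; filename="report.pdf"', "", "(pdf bytes)",
       "--b1", 'Content-Disposition: attachment; filename="virus.doc"', "", "(doc bytes)",
       "--b1", 'Content-Disposition: attachment; filename="setup.exe"', "", "(exe bytes)",
       "--b1--", ".", "QUIT"]
)

if __name__ == "__main__":
    for rule, detail in inspect_esmtp(SAMPLE_SESSION):
        print(rule, detail)
```

The sample yields four findings: the black-listed sender, the eleventh RCPT, and the two attachment names; report.pdf passes. The firewall acts per rule (drop the message, close the connection, log) where this script only reports.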
HTTP
1 Create White List and Black List of Methods to Filter
An HTTP class-map allows only one “match request method …” command per class but allows multiple “match not request method …” commands. Because a match-all class-map ANDs its criteria, a single positive method match can only describe one method, while several negated matches describe every method except the listed ones. These match criteria can be used to create a white list or black list of methods.
For example, the commands below reset the connection, and log, for any request whose method is neither GET nor POST.
class-map type inspect http match-all method_list
match not request method get
match not request method post
policy-map type inspect http mymap
parameters
class method_list
reset log
policy-map global_policy
class inspection_default
inspect http mymap
service-policy global_policy global
2 Prevent Vulnerabilities Through Protocol Validation
Protocol validity checks are applied to each HTTP message to determine whether it is a properly formatted HTTP message. If it is not, the configured action is taken; in the example below the connection is reset and the event logged. This also stops non-HTTP protocols that are simply run over port 80.
policy-map type inspect http mymap
parameters
protocol-violation action reset log
policy-map global_policy
class inspection_default
inspect http mymap
service-policy global_policy global
3 Impose Restrictions on HTTP Fields
Impose restrictions on HTTP header fields to detect and prevent tunneling and other attacks; for example, the length of a header field and the number of times a field may appear in a request can be limited. Limiting the length of a field helps prevent buffer overflows in the server; limiting the number of occurrences of a header helps detect new protocols tunneled over HTTP (and duplicate headers that different parsers may interpret differently). The commands below forbid requests in which the field “xyz” (a placeholder for the header name of interest) has a value longer than 5 bytes, and requests in which “xyz” appears more than once.
class-map type inspect http match-all invalid_hlen
match request header xyz length gt 5
class-map type inspect http match-all invalid_hcnt
match request header xyz count gt 1
policy-map type inspect http mymap
parameters
class invalid_hlen
drop-connection log
class invalid_hcnt
drop-connection log
policy-map global_policy
class inspection_default
inspect http mymap
service-policy global_policy global
4 Prevent Port 80 Exploitation Using Built-In Classes
HTTP inspection provides a set of built-in class-maps that detect popular applications such as instant messengers (IM), peer-to-peer (P2P) clients and other protocols tunneled over port 80. Using these classes it is easy to detect and prevent port misuse. The sample configuration below shows how to block the built-in classes for the “Gator” client and the “Yahoo” instant messenger protocol.
policy-map type inspect http mymap
parameters
class _default_gator
drop-connection log
class _default_yahoo-messenger
drop-connection log
policy-map global_policy
class inspection_default
inspect http mymap
service-policy global_policy global
5 Prevent Security Threats using HTTP Field Signatures
Actions can be taken on specific HTTP header fields to provide better protection against potential security threats. For example, the commands below show how to forbid request messages with the “user-agent” field containing either the string “Some_New_P2P_Client1” or “Some_New_P2P_Client2”.
regex new_client1 Some_New_P2P_Client1
regex new_client2 Some_New_P2P_Client2
class-map type regex match-any newP2Pclients
match regex new_client1
match regex new_client2
class-map type inspect http match-all blocked_user-agent
match request header user-agent regex class newP2Pclients
policy-map type inspect http mymap
parameters
class blocked_user-agent
drop-connection log
policy-map global_policy
class inspection_default
inspect http mymap
service-policy global_policy global
A set of checks can be combined by “ANDing” them together. In this case, actions will be taken when all of the conditions are met in a single message. The commands below show how to forbid and log request messages with the “user-agent” field containing the string “New_P2P_Client” and the method is equal to “POST”. Note that “post” is a built-in keyword.
regex new_client New_P2P_Client
class-map type inspect http match-all block_new_p2p
match request header user-agent regex new_client
match request method post
policy-map type inspect http mymap
parameters
class block_new_p2p
drop-connection log
policy-map global_policy
class inspection_default
inspect http mymap
service-policy global_policy global
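As an added example (Python written for this guide; not code from the page or from Cisco) of the checks the HTTP sections above configure: it parses a request head, reports a protocol violation for anything that is not well-formed HTTP, applies the GET/POST white list, the per-header length and count limits on the placeholder header xyz, the user-agent black list, and the ANDed user-agent-plus-POST rule. The sample requests are constructed, and HTTP_POLICY, inspect_http and the rule labels are this example's own.

```python
import re

# Policy mirroring the HTTP class-maps in this section; the names are this example's own and
# "xyz" is the placeholder header name used above.
HTTP_POLICY = {
    "allowed_methods": {"GET", "POST"},          # match not request method get / post
    "header_max_len": {"xyz": 5},                # match request header xyz length gt 5
    "header_max_count": {"xyz": 1},              # match request header xyz count gt 1
    "blocked_user_agents": [r"Some_New_P2P_Client1", r"Some_New_P2P_Client2"],
    "post_user_agent": r"New_P2P_Client",        # ANDed with method == POST
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def parse_request_head(raw):
    """Parse the request line and headers of one HTTP request (bytes up to the blank line).
    Headers keep their order and duplicates. ValueError means 'not well-formed HTTP',
    which is what the protocol-violation check acts on."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0][:40])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # No whitespace is allowed in, before or after the field name.
        if not sep or not name or name != name.strip() or any(c.isspace() for c in name):
            raise ValueError("malformed header line: %r" % line[:40])
        headers.append((name.lower(), value.strip()))
    return m.group(1), m.group(2), headers


def inspect_http(raw, policy=HTTP_POLICY):
    """Return [(rule, detail), ...]; a protocol violation is reported on its own."""
    try:
        method, _target, headers = parse_request_head(raw)
    except ValueError as err:
        return [("protocol-violation", str(err))]
    violations = []
    if method not in policy["allowed_methods"]:
        violations.append(("method", method))
    counts = {}
    for name, value in headers:
        counts[name] = counts.get(name, 0) + 1
        limit = policy["header_max_len"].get(name)
        if limit is not None and len(value) > limit:
            violations.append(("header-length", (name, len(value))))
    for name, limit in policy["header_max_count"].items():
        if counts.get(name, 0) > limit:
            violations.append(("header-count", (name, counts[name])))
    user_agent = " ".join(v for n, v in headers if n == "user-agent")
    if any(re.search(p, user_agent) for p in policy["blocked_user_agents"]):
        violations.append(("user-agent", user_agent))
    if method == "POST" and re.search(policy["post_user_agent"], user_agent):
        violations.append(("p2p-post", user_agent))   # both conditions hold (match-all)
    return violations


# Constructed sample requests, not captured traffic.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
P2P_POST = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: Some_New_P2P_Client1/2.0\r\nxyz: abcdefgh\r\nxyz: 1\r\n\r\nbody")
NOT_HTTP = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"   # TLS ClientHello bytes sent to port 80

if __name__ == "__main__":
    for sample in (GOOD, P2P_POST, NOT_HTTP):
        print(inspect_http(sample))
```

The P2P_POST sample trips four rules at once; on the firewall the first matching class with a drop-connection action ends the connection, so the order of classes in the policy-map decides which syslog you see.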
DNS
1 Prevent Cache Poisoning Attack
DNS ID Randomization: Some DNS implementations use a weak algorithm to generate the identifier of DNS query messages, or even use sequential values. This makes the resolver prone to cache poisoning, because an attacker who can predict the ID can forge a response that is accepted. The following configuration protects a DNS server or resolver on the dmz interface by replacing the DNS identifier of each query with a random value (and translating it back in the matching response).
policy-map type inspect dns mymap
parameters
id-randomization
policy-map dns_dmz_policy
class inspection_default
inspect dns mymap
service-policy dns_dmz_policy interface dmz
Excessive DNS ID Mismatch: A high rate of DNS ID mismatches (responses whose ID matches no outstanding query) may indicate a cache poisoning attempt in progress, since the attacker has to guess the ID. The following configuration monitors and alerts on such attempts. A summarized syslog is printed if the mismatch count exceeds the configured value within the configured duration. This gives system administrators more information, in addition to the event-based syslogs, and helps them take prompt action:
policy-map type inspect dns mymap
parameters
id-mismatch count 50 duration 5 action log
policy-map dns_dmz_policy
class inspection_default
inspect dns mymap
service-policy dns_dmz_policy interface dmz
The following sample configuration protects the public DNS server on the dmz interface from being used for cache poisoning. The policy-map mymap filters DNS queries and masks off the RD bit in the DNS header, so that the server does not send recursive queries on behalf of a requester. In addition, a list of permitted domains that may be queried on this server is defined, since it only serves the user’s own zones.
regex domain1 example\.com
regex domain2 foo\.com
! Define the domains that are served by the DNS server
class-map type regex match-any permitted_domains
match regex domain1
match regex domain2
! Define a DNS map for query only
class-map type inspect dns match-all blocked-traffic
match not header-flag QR
match question
match not domain-name regex class permitted_domains
policy-map type inspect dns mymap
class blocked-traffic
drop log
match header-flag RD
mask log
class-map inspection_default
match default-inspection-traffic
policy-map dns_dmz_policy
class inspection_default
inspect dns mymap
service-policy dns_dmz_policy interface dmz
2 Restrict Domains by Creating a Black-List
A black list can be composed and applied to the interface on which DNS queries from clients arrive. The following example restricts the domains that a DNS client may query. The message-length maximum 512 parameter additionally drops any DNS message larger than 512 bytes; note that this also blocks larger EDNS0 responses (used, for example, by DNSSEC), so raise it if those are needed.
regex domain1 bad\.example\.com
regex domain2 evil\.com
regex domain3 forbidden\.com
class-map type regex match-any black_list
match regex domain1
match regex domain2
match regex domain3
! Define a DNS map for query only
class-map type inspect dns match-all blocked-traffic
match not header-flag QR
match question
match domain-name regex class black_list
policy-map type inspect dns mymap
parameters
message-length maximum 512
class blocked-traffic
drop log
class-map inspection_default
match default-inspection-traffic
policy-map dns_clnt_policy
class inspection_default
inspect dns mymap
service-policy dns_clnt_policy interface client
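As an added example (Python written for this guide, not Cisco code) of the DNS header handling behind the dmz and client policies above: it builds a constructed query, randomizes its ID the way id-randomization does (keeping a table to translate the response back), clears the RD bit as the mask action does, drops queries outside a permitted list or inside a black list, enforces a 512-byte maximum message length, and tracks the ID-mismatch rate that the id-mismatch parameter alerts on. The DNS header layout is from RFC 1035; filter_query, IdMismatchMonitor and the other names are this example's own.

```python
import os
import re
import struct

# DNS header (RFC 1035 section 4.1.1): ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
QR = 0x8000   # flags bit: 0 = query, 1 = response
RD = 0x0100   # flags bit: recursion desired


def build_query(txid, qname, qtype=1, rd=True):
    """Build a minimal DNS query for qname (sample input constructed for this example)."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return HEADER.pack(txid, RD if rd else 0, 1, 0, 0, 0) + question + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    return HEADER.unpack_from(msg)


def qname_of(msg):
    """Decode the first question name (plain labels; a query carries no compression pointers)."""
    i, labels = HEADER.size, []
    while msg[i]:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels).lower()


def randomize_id(msg, table):
    """id-randomization: give the query a fresh random ID and remember the original so the
    matching response can be translated back for the real resolver."""
    txid, flags, qd, an, ns, ar = parse_header(msg)
    new_id = int.from_bytes(os.urandom(2), "big")
    table[new_id] = txid
    return HEADER.pack(new_id, flags, qd, an, ns, ar) + msg[HEADER.size:]


def mask_rd(msg):
    """Clear the RD bit, as the mask action does, so the server is not asked to recurse."""
    txid, flags, qd, an, ns, ar = parse_header(msg)
    return HEADER.pack(txid, flags & ~RD, qd, an, ns, ar) + msg[HEADER.size:]


def filter_query(msg, permitted=None, blocked=None, max_len=512, mask_recursion=True):
    """Return the query to forward (possibly rewritten) or None to drop it. permitted: patterns
    the queried name must match (dmz policy); blocked: patterns that drop it (client black list).
    Both are unanchored searches, like ASA regexes."""
    if len(msg) > max_len:                      # message-length maximum
        return None
    txid, flags, qd, *_ = parse_header(msg)
    if flags & QR or qd == 0:
        return msg                              # not a query; responses are not filtered here
    name = qname_of(msg)
    if blocked and any(re.search(p, name) for p in blocked):
        return None
    if permitted is not None and not any(re.search(p, name) for p in permitted):
        return None
    return mask_rd(msg) if mask_recursion else msg


class IdMismatchMonitor:
    """Track responses whose ID matches no outstanding query and alert when more than `count`
    of them occur within `duration` seconds (id-mismatch count N duration S)."""

    def __init__(self, count=50, duration=5.0):
        self.count, self.duration = count, duration
        self.outstanding, self.mismatches = set(), []

    def query(self, txid):
        self.outstanding.add(txid)

    def response(self, txid, now):
        """Return True when the mismatch rate crosses the threshold at time `now` (seconds)."""
        if txid in self.outstanding:
            self.outstanding.discard(txid)
            return False
        self.mismatches = [t for t in self.mismatches if now - t <= self.duration]
        self.mismatches.append(now)
        return len(self.mismatches) > self.count


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(filter_query(q, permitted=[r"example\.com", r"foo\.com"]).hex())
    print(filter_query(build_query(2, "evil.com"), blocked=[r"evil\.com"]))
```

The monitor counts only responses that match no outstanding query, which is the signal a poisoning attempt produces: the attacker's forged responses arrive with guessed IDs, and most guesses are wrong.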
SIP
1 Prevent Non-RFC-Compliant SIP Packets
To ensure that all header fields conform to the syntax rules of RFC 3261, the strict-header-validation command can be used. The following configuration logs each header validation failure (change the action to drop to enforce it). Note that the check covers only the syntax rules of RFC 3261, so traffic from an endpoint or server that conforms to RFC 2543 but not to RFC 3261 will fail validation.
policy-map type inspect sip mymap
parameters
strict-header-validation action log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
2 Prevent DoS Attacks
The “match request-method” criterion can be used to take specific actions (drop, drop-connection, log, reset, rate-limit) on the following SIP request methods: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE.
For example, the following configuration rate-limits INVITE messages to 50 per second; INVITEs arriving faster than that are dropped. This protects internal servers and endpoints from being flooded with INVITE messages, which would otherwise cause a DoS.
policy-map type inspect sip mymap
parameters
match request-method invite
rate-limit 50
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
3 Prevent Buffer Over Flow Attacks
The following configuration drops SIP REGISTER requests that carry a SIP URI or a non-SIP URI longer than 500 bytes in the From, To or Contact header.
Some SIP proxy servers or call controllers do not check URI lengths properly; if they receive SIP packets with very long URIs, the result may be a buffer overflow. Enforcing a maximum URI length on the firewall, and allowing only the configured lengths through, protects the proxy servers and call controllers from such attacks. The class-maps are match-all, so each one ANDs “REGISTER” with a single URI-length criterion; the “SIP URI or non-SIP URI” condition therefore needs one class-map per URI type.
! Define the non-conforming traffic, one class per URI type
class-map type inspect sip match-all long-sip-uri
match request-method register
match uri sip length gt 500
class-map type inspect sip match-all long-non-sip-uri
match request-method register
match uri non-sip length gt 500
policy-map type inspect sip mymap
parameters
class long-sip-uri
drop
class long-non-sip-uri
drop
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
4 Disallow Black-Listed Users From Using IM Over SIP
The following configuration shows how all SIP Instant Messages from a set of blacklisted users can be dropped.
regex im-user1 bad-user1@abc\.com
regex im-user2 bad-user2@abc\.com
!Define Reg Ex to filter undesired IM subscribers
class-map type regex match-any blocked-IM_subscribers
match regex im-user2
match regex im-user1
policy-map type inspect sip mymap
parameters
match im-subscriber regex class blocked-IM_subscribers
drop log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
5 Prevent Access To Illegal/Dangerous URLs
Alert-Info and Call-Info are SIP header fields that can contain HTTP URLs and other SIP or non-SIP URIs. A typical use of Alert-Info is for a proxy to insert it to provide a distinctive ring; Call-Info describes the caller or callee, for example through a web page or an icon.
For example (following the examples in RFC 3261):
Alert-Info: <http://www.example.com/sounds/moo.wav>
Call-Info: <http://www.example.com/alice/photo.jpg> ;purpose=icon,
<http://www.example.com/alice/> ;purpose=info
The use of these header fields can pose a security risk: if a callee fetches the URLs provided by a malicious caller, the callee may end up displaying inappropriate, dangerous or illegal content. To mask the non-SIP URIs in these fields, the following configuration can be used. Note: since these header fields are optional and RFC 3261 itself warns about the risk of using them, masking them does not break call setup.
policy-map type inspect sip mymap
parameters
uri-non-sip action mask log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
6 Prevent Exploitation Of SIP End Points Or Servers
The Server and User-Agent header fields carry the software version of the server and the user agent. Revealing the software version makes it easier to target the server or user agent with attacks that exploit known vulnerabilities in that version. To mask the Server and User-Agent fields, the following configuration can be used. Note: since these header fields are optional (RFC 3261 recommends making the Server field a configurable option), masking them does not break call setup.
policy-map type inspect sip mymap
parameters
software-version action mask log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
7 Disable Instant Messaging
To disable instant messaging over SIP, the following configuration can be used. The command 'im' enables instant messages over SIP.
policy-map type inspect sip mymap
parameters
no im
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
8 Prevent Unrecognized SIP Messages
The following configuration disables Non-SIP traffic on the well known SIP port 5060. The positive version of the command enables it. Note: the command ‘traffic-non-sip’ enables or disables non-SIP traffic for the class of traffic for which ‘inspect sip xxx’ is configured.
policy-map type inspect sip mymap
parameters
no traffic-non-sip
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
9 Prevent SIP Packets Arriving Out Of State
Every SIP packet has to go through a state machine. This configuration would cause a packet to be dropped if the SIP packet arrives out of state, based on RFC 3261. It will also log the validation failure. In order to preserve backward compatibility, and provide the capability for individual customers to choose the level of security as desired, this is not enabled by default.
policy-map type inspect sip mymap
parameters
state-checking action drop log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
10 Drop SIP Packets With Invalid Max-Forwards Field
The max-forwards field in the SIP packet indicates the max number of hops the packet can take before it reaches its destination. The field value must not be zero when the firewall receives the packet. The following configuration closes the connection and logs an error if the max-forwards field is zero. Again, this command is not enabled by default to preserve backward compatibility and provide the customers the flexibility of choosing the desired level of security.
policy-map type inspect sip mymap
parameters
max-forwards-validation action drop-connection log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
11 Provide Privacy To End Customers
The following configuration enables ip-address privacy. When this feature is turned on, even if two endpoints or servers are on the inside network, their real address will be hidden from each other.
policy-map type inspect sip mymap
parameters
ip-address-privacy
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
12 Block Rogue Callers
The following sample configuration shows how to block and log all SIP INVITE packets from specific SIP endpoints. The “calling-party” keyword in the example below matches the value of the “From” header field. Note that the From header is set by the caller and is not authenticated, so this blocks the listed identities rather than the devices behind them.
regex sip-caller1 sip:1000@100\.100\.100\.100
regex sip-caller2 sip:2000@100\.100\.100\.100
!Define sip users of interest
class-map type regex match-any sip-users
match regex sip-caller1
match regex sip-caller2
!Define users of interest using From field of INVITE
class-map type inspect sip match-all blocked-callers
match calling-party regex class sip-users
match request-method invite
policy-map type inspect sip mymap
parameters
class blocked-callers
drop log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
13 Limit SIP Traffic To Specific Domains
The following configuration rate-limits INVITE packets sent to endpoints in the abc.com domain (that is, with abc.com in their To header field) to 50 packets per second.
The “called-party” keyword identifies the callee as specified by the value of the “To” header field.
regex abc sip:.*@abc\.com
class-map type inspect sip match-all specific-callee
match called-party regex abc
match request-method invite
policy-map type inspect sip mymap
parameters
class specific-callee
rate-limit 50
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
14 Block SIP Traffic From Rogue Proxy Servers
The following configuration drops and logs all SIP packets that have passed through either of two SIP servers, identified by their Via headers. The “message-path” keyword matches the Via header fields; here the patterns “66.94.230.46” and “66.94.230.45” are matched against them. Because the patterns are unanchored, consider the surrounding characters when choosing them (for example, 166.94.230.46 would also match the first pattern).
regex sip-server1 66\.94\.230\.46
regex sip-server2 66\.94\.230\.45
class-map type regex match-any sip-servers
match regex sip-server1
match regex sip-server2
!Packets whose via header contains sip-servers above
class-map type inspect sip match-all via-bad-servers
match message-path regex class sip-servers
policy-map type inspect sip mymap
parameters
class via-bad-servers
drop log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
15 Allow Only Administrators To Perform Third Party Registrations
In SIP, it is possible for a user to register another user with the registrar server (a third-party registration). This can be identified by checking whether the ‘From’ header value and the ‘To’ header value of the REGISTER message differ: the ‘From’ value identifies the user attempting the third-party registration. The following configuration prohibits all users except admin@cisco.com from performing third-party registrations.
regex admin sip:admin@cisco\.com
policy-map type inspect sip mymap
parameters
match not third-party-registration regex admin
drop log
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
16 Restrict Content Length And Type Of SIP Messages
The following configuration drops SIP packets whose body is not of Content-Type “application/sdp” and is larger than 500 bytes.
Typically the SDP portion of a SIP packet is small, since it carries only media information. A very large body that is not SDP may indicate a potential security issue and costs performance, because the firewall has to scan the entire content, which may be invalid to begin with. Note that the class-map is match-all, so both conditions (a non-SDP content type and a length over 500) must hold for a message to be dropped. Also note that a regex class-map only supports positive “match regex” lines; the negation belongs on the “match not content type” line of the SIP class-map.
regex allowed-type application/sdp
! Define content type and length of interest
class-map type inspect sip match-all non-conforming-traffic
match not content type regex allowed-type
match content length gt 500
policy-map type inspect sip mymap
parameters
class non-conforming-traffic
drop
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
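As an added example (Python written for this guide; not Cisco's code) that brings several of the SIP checks above together on constructed requests: Max-Forwards validation, the calling-party black list on INVITEs, the Via (message-path) rogue-proxy check, third-party REGISTER detection with the admin exception, the URI-length limit on REGISTER, and the non-SDP body size limit. The regex strings are the ones used in this section; SIP_POLICY, inspect_sip and the rule labels are this example's own, and the parser assumes full header names.

```python
import re

# Policy mirroring the SIP class-maps in this section; the regex strings are the ones used
# above, the dictionary and rule names are this example's own.
SIP_POLICY = {
    "blocked_callers": [r"sip:1000@100\.100\.100\.100", r"sip:2000@100\.100\.100\.100"],
    "rogue_proxies": [r"66\.94\.230\.46", r"66\.94\.230\.45"],    # matched against Via
    "third_party_admin": r"sip:admin@cisco\.com",
    "max_uri_len": 500,            # match uri ... length gt 500 (REGISTER only)
    "max_body_len": 500,           # match content length gt 500
    "allowed_content_type": r"application/sdp",
}


def parse_sip(raw):
    """Split a SIP request into (method, request-uri, [(name, value), ...], body).
    Assumes full header names (compact forms such as 'f:' are not expanded)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return method, uri, headers, body


def values(headers, name):
    return [v for n, v in headers if n == name]


def addr_uri(value):
    """URI part of a From/To/Contact value: 'Alice <sip:alice@x>;tag=1' -> 'sip:alice@x'."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()


def inspect_sip(raw, policy=SIP_POLICY):
    method, _uri, headers, body = parse_sip(raw)
    violations = []
    max_forwards = values(headers, "max-forwards")
    if max_forwards and max_forwards[0] == "0":
        violations.append(("max-forwards", 0))               # max-forwards-validation
    from_uri = addr_uri(values(headers, "from")[0]) if values(headers, "from") else ""
    to_uri = addr_uri(values(headers, "to")[0]) if values(headers, "to") else ""
    if method == "INVITE" and any(re.search(p, from_uri) for p in policy["blocked_callers"]):
        violations.append(("calling-party", from_uri))        # From header of an INVITE
    for via in values(headers, "via"):                        # message-path = Via headers
        if any(re.search(p, via) for p in policy["rogue_proxies"]):
            violations.append(("message-path", via))
    if method == "REGISTER":
        # Third-party registration: From and To differ; only the admin may do that.
        if from_uri != to_uri and not re.search(policy["third_party_admin"], from_uri):
            violations.append(("third-party-registration", from_uri))
        for name in ("from", "to", "contact"):
            for value in values(headers, name):
                if len(addr_uri(value)) > policy["max_uri_len"]:
                    violations.append(("uri-length", (name, len(addr_uri(value)))))
    content_type = values(headers, "content-type")
    if (body and content_type and len(body) > policy["max_body_len"]
            and not re.search(policy["allowed_content_type"], content_type[0])):
        violations.append(("content", (content_type[0], len(body))))
    return violations


# Constructed sample requests (not captured traffic).
ROGUE_INVITE = (
    "INVITE sip:bob@abc.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 66.94.230.46:5060;branch=z9hG4bK776\r\n"
    "Via: SIP/2.0/UDP 100.100.100.100:5060;branch=z9hG4bK123\r\n"
    "Max-Forwards: 0\r\n"
    "From: <sip:1000@100.100.100.100>;tag=1928301774\r\n"
    "To: <sip:bob@abc.com>\r\n"
    "Call-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
THIRD_PARTY_REGISTER = (
    "REGISTER sip:registrar.cisco.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKnashds7\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:mallory@cisco.com>;tag=456248\r\n"
    "To: <sip:alice@cisco.com>\r\n"
    "Contact: <sip:" + "a" * 600 + "@10.0.0.5>\r\n"
    "Call-ID: 843817637684230\r\nCSeq: 1826 REGISTER\r\nContent-Length: 0\r\n\r\n")
BIG_TEXT_MESSAGE = (
    "MESSAGE sip:bob@abc.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK42\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@abc.com>;tag=9\r\nTo: <sip:bob@abc.com>\r\n"
    "Content-Type: text/plain\r\nContent-Length: 600\r\n\r\n" + "x" * 600)

if __name__ == "__main__":
    for sample in (ROGUE_INVITE, THIRD_PARTY_REGISTER, BIG_TEXT_MESSAGE):
        print(inspect_sip(sample))
```

The third-party check compares the URIs after stripping display names and tag parameters, which is what makes the From/To comparison meaningful; comparing the raw header values would flag every REGISTER, since From always carries a tag.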
Skinny
1 Enforce Registration To Prevent Rogue Phone Calls
To ensure that only registered SCCP endpoints can make phone calls, stricter checking can be enabled using the following configuration. With this configuration, call requests from endpoints that have not registered with the CallManager are dropped.
policy-map type inspect skinny mymap
parameters
enforce-registration
policy-map global_policy
class inspection_default
inspect skinny mymap
service-policy global_policy global
2 Prevent Buffer Over Flow Attacks
To ensure that SCCP messages sent to phones or to the CallManager (CCM) are not too long and cannot cause a buffer overflow, set a maximum for the SCCP prefix length, the length field at the start of every SCCP message that states how long the message is. With the following configuration, messages whose SCCP prefix length is greater than 2000 are dropped.
policy-map type inspect skinny mymap
parameters
sccp-prefix-len max 2000
policy-map global_policy
class inspection_default
inspect skinny mymap
service-policy global_policy global
3 Restrict Services On End-Points
To disallow certain features on endpoints, the messages related to those features can be dropped.
For example, in certain scenarios speed dial may need to be restricted: to prevent someone from snooping for phone numbers over the weekend by trying saved entries and speed dialing, administrators can block those messages after hours or over weekends.
To prevent keypad messages from being sent by an endpoint (which essentially prevents dialing from the phone keypad) and to prevent speed dial from being used, the following can be configured (in this example 0x03 is the keypad message and 0x04 the speed dial message).
policy-map type inspect skinny mymap
match message-id range 0x03 0x04
drop log
policy-map global_policy
class inspection_default
inspect skinny mymap
service-policy global_policy global
4 Prevent Unrecognized SCCP Messages
To set or change the maximum SCCP message ID permitted through the firewall, the message-id max command can be used. This prevents undefined or unrecognized SCCP messages from passing through the firewall.
As an example, SCCP version 4.1.2 defines messages up to 0x13F. Use the following configuration to allow only these messages; messages with an ID greater than the maximum are dropped:
policy-map type inspect skinny mymap
parameters
message-id max 0x13F
policy-map global_policy
class inspection_default
inspect skinny mymap
service-policy global_policy global
5 Improve Connection Usage Efficiency
By default an idle TCP Skinny connection times out after 1 hour. The usual keepalive interval on Skinny connections is 30 seconds. To be more efficient with connection usage, TCP connections can be timed out after 3 or 4 keepalives are missed. To change the Skinny TCP idle timeout to 2 minutes, such that connections are timed out when 4 keepalives are lost, use the following configuration:
policy-map type inspect skinny mymap
parameters
timeout signaling 0:2:0
policy-map global_policy
class inspection_default
inspect skinny mymap
service-policy global_policy global
6 Prevent Potential Misuse Of Idle Media Connections
By default, the media connections of Skinny audio and video calls time out after 5 minutes of inactivity. To be more efficient with connection usage and to prevent potential misuse of idle pinholes, media connections can be timed out sooner, here after 30 seconds, using the following configuration.
policy-map type inspect skinny mymap
parameters
timeout media 0:0:30
policy-map global_policy
class inspection_default
inspect skinny mymap
service-policy global_policy global
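As an added example (Python written for this guide, not Cisco code) of what the Skinny checks above operate on: it encodes and decodes the 12-byte SCCP header (little-endian data length, header version, message ID), applies the sccp-prefix-len ceiling, the message-id maximum and the blocked 0x03 to 0x04 range, and models enforce-registration with a per-endpoint registration table. The header layout and the IDs 0x0000 (KeepAlive) and 0x0001 (Register) are the standard SCCP ones; the policy names and the simplified registration model are this example's own.

```python
import struct

# SCCP (Skinny) messages start with a 12-byte header, all fields little endian:
#   data length    (bytes that follow the first 8 bytes, so it includes the message ID)
#   header version
#   message ID
KEEPALIVE = 0x0000          # KeepAliveMessage
REGISTER = 0x0001           # RegisterMessage, phone -> CallManager

# Mirrors the Skinny policy lines in this section; the dictionary is this example's own.
SKINNY_POLICY = {
    "prefix_len_max": 2000,            # sccp-prefix-len max 2000
    "message_id_max": 0x13F,           # message-id max 0x13F
    "blocked_range": (0x03, 0x04),     # match message-id range 0x03 0x04 -> drop
}


def build_sccp(msg_id, payload=b"", header_version=0):
    """Encode one SCCP message (sample input constructed for this example)."""
    return struct.pack("<III", 4 + len(payload), header_version, msg_id) + payload


def parse_sccp(buf):
    """Return (data_len, header_version, message_id, payload); ValueError if truncated."""
    if len(buf) < 12:
        raise ValueError("short SCCP header")
    data_len, header_version, msg_id = struct.unpack("<III", buf[:12])
    if data_len < 4 or len(buf) < 8 + data_len:
        raise ValueError("SCCP data length %d does not fit in %d bytes" % (data_len, len(buf)))
    return data_len, header_version, msg_id, buf[12:8 + data_len]


def skinny_verdict(buf, policy=SKINNY_POLICY):
    """Stateless checks: prefix-length ceiling, IDs above the known maximum, blocked range."""
    data_len, _, msg_id, _ = parse_sccp(buf)
    if data_len > policy["prefix_len_max"]:
        return "drop: prefix-len"
    if msg_id > policy["message_id_max"]:
        return "drop: unknown message-id"
    lo, hi = policy["blocked_range"]
    if lo <= msg_id <= hi:
        return "drop: blocked message-id"
    return "allow"


class RegistrationTracker:
    """Simplified model of enforce-registration: until a RegisterMessage has been seen from an
    endpoint, only keepalives and the registration itself are allowed through."""

    def __init__(self):
        self.registered = set()

    def verdict(self, endpoint, buf, policy=SKINNY_POLICY):
        _, _, msg_id, _ = parse_sccp(buf)
        if msg_id == REGISTER:
            self.registered.add(endpoint)
            return "allow"
        if endpoint not in self.registered and msg_id != KEEPALIVE:
            return "drop: unregistered"
        return skinny_verdict(buf, policy)


if __name__ == "__main__":
    tracker = RegistrationTracker()
    for msg in (build_sccp(0x0006), build_sccp(REGISTER, b"\x00" * 16), build_sccp(0x0006),
                build_sccp(0x0003, b"\x05\x00\x00\x00"), build_sccp(0x0200)):
        print(hex(parse_sccp(msg)[2]), tracker.verdict("10.0.0.7", msg))
```

The prefix-length check runs before the message-ID checks on purpose: a message that claims more data than a sane ceiling should be dropped before anything else in it is trusted.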
H.323
1 Block Rogue Callers
The following sample configuration shows how to block calls from specific phone numbers. In this example, calls from the number 408-795-5741 to the number 408-296-5969 are blocked. Note that to enforce checks based on specific numbers, the command call-party-number must first be enabled as shown below. Once call-party-number is enabled, an H.225 negotiation that does not carry any phone numbers (as with NetMeeting) is dropped. The command media-call-type audio in the example below allows only audio traffic to go through.
regex calling-number 4087955741
regex called-number 4082965969
class-map type inspect h323 match-all blocked-calls
match called-party regex called-number
match calling-party regex calling-number
policy-map type inspect h323 mymap
parameters
call-party-number
media-call-type audio
class blocked-calls
drop
policy-map global_policy
class inspection_default
inspect h323 ras mymap
inspect h323 h225 mymap
service-policy global_policy global
2 Restrict Call-Duration
For some courtesy and toll phones it may be desirable to restrict the duration of a call. To specify a maximum call duration, use the following configuration. With this configuration the maximum audio call duration will be 1 minute.
policy-map type inspect h323 mymap
parameters
call-duration 0:1:0
media-type audio
policy-map global_policy
class inspection_default
inspect h323 ras mymap
inspect h323 h225 mymap
service-policy global_policy global
3 Prevent RAS/H.225 Packets Arriving Out Of State
To enable strict state checking on RAS and H.225 call setup, use the following configuration. With this configuration, state checking will be enabled for all audio calls during call setup, and RAS or H.225 packets that arrive out of state are dropped.
policy-map type inspect h323 mymap
parameters
state-checking ras
state-checking h225
media-type audio
policy-map global_policy
class inspection_default
inspect h323 ras mymap
inspect h323 h225 mymap
service-policy global_policy global
4 Restrict H.323 Services That Can Be Used
To block specific H.323 services, use the following configuration. For example, this configuration blocks the Chat and Whiteboard services by dropping the T.120 control messages, but allows normal audio and video traffic to go through.
policy-map type inspect h323 mymap
parameters
no t120-control
media-type audio
media-type video
policy-map global_policy
class inspection_default
inspect h323 ras mymap
inspect h323 h225 mymap
service-policy global_policy global
RTP
1 Prevent RTP DoS Attacks
When the various VoIP inspection modules are enabled, the firewall dynamically opens pinholes to let the media, in the form of RTP traffic, go through. However, to ensure that what gets through is in fact RTP traffic conforming to the RTP protocol, enable RTP inspection using the rtp-conformance command. This command is available on a per-VoIP-protocol basis. This security feature checks, based on the signaling exchange, whether the payload is audio or video as negotiated. If a validation check fails, the packet is dropped.
For example, to enable RTP inspection for SIP traffic, use the following configuration:
policy-map type inspect sip mymap
parameters
rtp-conformance enforce-payloadtype
policy-map global_policy
class inspection_default
inspect sip mymap
service-policy global_policy global
Similarly, to enable RTP inspection for Skinny traffic, use the following configuration:
policy-map type inspect skinny mymap
parameters
rtp-conformance enforce-payloadtype
policy-map global_policy
class inspection_default
inspect skinny mymap
service-policy global_policy global
GTP
1 Prevent GTP Over-Billing Attack
Configure radius-accounting inspection to ensure that connections are torn down after accounting for a user has stopped. In order to use this, the RADIUS server needs to have the capability to send a gratuitous copy of the accounting requests to the firewall. In the example below, the RADIUS server 10.0.0.2 sends accounting start/stop messages to the firewall on UDP port 1888 via the inside interface:
class-map type management receive-radius-messages
match port udp eq 1888
! Define radius server sending accounting messages
policy-map type inspect radius-accounting mymap
parameters
host 10.0.0.2
policy-map over-billing-policy
class receive-radius-messages
inspect radius-acc mymap
service-policy over-billing-policy interface inside
To authenticate accounting requests from the RADIUS server, configure a shared secret along with the RADIUS server in the policy-map mymap, as shown below. Requests whose authenticator does not verify against the secret are not trusted:
class-map type management receive-radius-messages
match port udp eq 1888
! Define radius server sending accounting messages
policy-map type inspect radius-accounting mymap
parameters
host 10.0.0.2 key abc123
policy-map over-billing-policy
class receive-radius-messages
inspect radius-acc mymap
service-policy over-billing-policy interface inside
If the Accounting Request Stop is not received for a user, it is possible to perform additional validation on the attributes of a subsequently received Accounting Request Start. This prevents an over-billing attack in which the Framed IP has been reassigned to a different mobile subscriber while the old connections are still open. This can be enabled using the "validate-attribute" parameter.
For example, to check whether the Calling-Station-ID attribute (31) has changed in a new Accounting Request Start, and drop the message if it has changed, configure the following:
class-map type management receive-radius-messages
match port udp eq 1888
! Define radius server sending accounting messages
policy-map type inspect radius-accounting mymap
parameters
host 10.0.0.2 key abc123
validate-attribute 31
policy-map over-billing-policy
class receive-radius-messages
inspect radius-acc mymap
service-policy over-billing-policy interface inside
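To make the over-billing protection above concrete, the following added Python example (written for this guide; it is not Cisco code and does not reproduce the ASA implementation) simulates what radius-accounting inspection does with the Accounting-Request messages: it verifies the RFC 2866 Request Authenticator with the shared secret (abc123 above), tears the session down on a Stop, and drops a new Start for the same Framed-IP when attribute 31 (Calling-Station-Id) has changed without an intervening Stop. The packet layout follows RFC 2865/2866; all messages are constructed in the test.

```python
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4                 # RADIUS code for Accounting-Request (RFC 2866)
ATTR_FRAMED_IP = 8               # Framed-IP-Address
ATTR_CALLING_STATION_ID = 31     # the attribute validated by "validate-attribute 31"
ATTR_ACCT_STATUS_TYPE = 40       # Acct-Status-Type: 1 = Start, 2 = Stop
ACCT_START, ACCT_STOP = 1, 2


def build_acct_request(ident, attrs, secret):
    """Build an Accounting-Request; attrs is a list of (type, value bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code+ID+Length, 16 zero octets, attributes, secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse_acct_request(pkt, secret):
    """Return {attr_type: value} for a well-formed Accounting-Request whose
    authenticator verifies under `secret`, otherwise None."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return None
    body = pkt[20:]
    if hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest() != pkt[4:20]:
        return None                            # wrong secret or tampered packet
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            return None                        # truncated or malformed attribute
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs


class AcctInspector:
    """Tracks Framed-IP sessions the way the guide describes: a Stop tears the
    session down; a repeated Start for the same IP without a Stop is dropped
    when one of the validated attributes has changed."""

    def __init__(self, secret, validate=(ATTR_CALLING_STATION_ID,)):
        self.secret, self.validate, self.sessions = secret, validate, {}

    def handle(self, pkt):
        attrs = parse_acct_request(pkt, self.secret)
        if attrs is None:
            return "drop: authenticator or format check failed"
        raw = attrs.get(ATTR_ACCT_STATUS_TYPE, b"")
        status = int.from_bytes(raw, "big") if len(raw) == 4 else None
        ip_raw = attrs.get(ATTR_FRAMED_IP)
        if ip_raw is None or len(ip_raw) != 4:
            return "ignore: no Framed-IP-Address"
        ip = str(ipaddress.IPv4Address(ip_raw))
        if status == ACCT_STOP:
            self.sessions.pop(ip, None)        # connections for this IP are torn down
            return f"teardown {ip}"
        if status != ACCT_START:
            return "ignore: unsupported Acct-Status-Type"
        old = self.sessions.get(ip)
        for t in self.validate:
            if old is not None and old.get(t) != attrs.get(t):
                return f"drop: attribute {t} changed for {ip}"
        self.sessions[ip] = {t: attrs.get(t) for t in self.validate}
        return f"allow {ip}"
```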
2 Prevent DoS Attack By Limiting Tunnels
To limit the number of GTP tunnels in the network, configure tunnel-limit with the maximum number of tunnels allowed for the policy. For example, to allow only 3000 tunnels, the following configuration can be used:
policy-map type inspect gtp gmap
parameters
tunnel-limit 3000
policy-map global_policy
class inspection_default
inspect gtp gmap
service-policy global_policy global
3 Block Undesirable Country/Network Codes
To allow only subscribers with specific IMSI prefixes into the network, IMSI prefix filtering can be enabled. For example, the following config will allow only users with the mobile country code (MCC) of 213 and mobile network code (MNC) of 22 into the network:
policy-map type inspect gtp gmap
parameters
mcc 213 mnc 22
policy-map global_policy
class inspection_default
inspect gtp gmap
service-policy global_policy global
4 Filter Specific Access Point Names (APNs)
To apply APN filtering, for example, to drop messages and not create Packet Data Protocol (PDP) contexts based on the specific APNs, the following configuration can be used:
regex blocked_apn badstuff\.com
policy-map type inspect gtp mymap
match apn regex blocked_apn
drop log
policy-map global_policy
class inspection_default
inspect gtp mymap
service-policy global_policy global
5 GTP Version Based Filtering
To drop GTP messages of a version that is not desirable or not yet supported, the match version command can be used. The following configuration drops all version 1 messages:
policy-map type inspect gtp gmap
match version 1
drop log
policy-map global_policy
class inspection_default
inspect gtp gmap
service-policy global_policy global
6 Enable Load Balancing
To provide GSN load balancing, GSN pooling should be enabled on the PIX/ASA using the "permit response" command.
For example, to configure a group of GGSN servers that are allowed to respond to a request from an SGSN or a group of SGSNs, the following configuration can be used:
object-group network ggsns
network-object host 192.1.1.1
network-object host 192.1.1.2
network-object host 192.1.1.3
object-group network sgsns
network-object host 10.130.8.2
policy-map type inspect gtp mymap
parameters
permit response to-object-group sgsns from-object-group ggsns
policy-map global_policy
class inspection_default
inspect gtp mymap
service-policy global_policy global
FTP
1 Prevent Exploits By Hiding Server Information
Before submitting a username and password, all FTP users are presented with a greeting banner. By default, this banner includes version information useful to attackers trying to identify weaknesses in the server. To mask this banner, the following configuration can be used.
policy-map type inspect ftp mymap
parameters
mask-banner
class-map match-all ftp-traffic
match port tcp eq ftp
policy-map ftp-policy
class ftp-traffic
inspect ftp strict mymap
service-policy ftp-policy interface inside
Note: The example above and others in this FTP section show the usage of class-map “ftp-traffic” that explicitly matches on port tcp eq ftp. This is done to demonstrate different ways of configuring class-maps. This configuration can also be written using the “class inspection_default” as follows:
policy-map type inspect ftp mymap
parameters
mask-banner
policy-map ftp-policy
class inspection_default
inspect ftp strict mymap
service-policy ftp-policy interface inside
2 Restrict Access To Specific Directories
FTP users can be blocked from accessing a particular directory. For example, the following configuration resets the connection of any user other than root who tries to access the '/root' directory:
regex ftp-user root
regex ftp-path \/root
class-map type inspect ftp restricted-access
match not username regex ftp-user
match filename regex ftp-path
policy-map type inspect ftp mymap
class restricted-access
reset log
class-map match-all ftp-traffic
match port tcp eq ftp
policy-map ftp-policy
class ftp-traffic
inspect ftp strict mymap
service-policy ftp-policy interface inside
3 Prevent Selective Users From Retrieving or Delivering Files
FTP users can be selectively blocked from performing specific actions on files on an FTP server. The following configuration shows an example that prevents users from one site from retrieving files and users from another site from delivering files:
regex ftp-user1 abc\.com
regex ftp-user2 xyz\.com
!Match FTP user to restrict file retrieval
class-map type inspect ftp ftp-get
match username regex ftp-user1
match request-command get
!Match FTP user to restrict file-delivery
class-map type inspect ftp ftp-put
match username regex ftp-user2
match request-command put
policy-map type inspect ftp mymap
class ftp-get
reset log
class ftp-put
reset
class-map ftp-traffic
match port tcp eq ftp
policy-map ftp-policy
class ftp-traffic
inspect ftp strict mymap
service-policy ftp-policy interface inside
4 Prevent A Set Of Users From Any FTP Access
FTP users can be blocked from any access. For example, the following configuration denies all FTP access to the users johndoe and bobsmith:
regex ftp-user1 johndoe
regex ftp-user2 bobsmith
!Match FTP users johndoe and bobsmith
class-map type regex match-any blocked-users
match regex ftp-user1
match regex ftp-user2
policy-map type inspect ftp mymap
match username regex class blocked-users
reset log
class-map match-all ftp-traffic
match port tcp eq ftp
policy-map ftp-policy
class ftp-traffic
inspect ftp strict mymap
service-policy ftp-policy interface inside
Netbios
1 Prevent Potential Malicious Activity
The following configuration blocks and logs NetBIOS packets that have incorrect length/count fields, or unsolicited/mismatched reply packets. Malformed packets with incorrect length/count fields can cause buffer overflows on the target host. Unsolicited or mismatched replies can be used for DoS attacks. By blocking such packets, potential malicious activity is prevented:
policy-map type inspect netbios mymap
parameters
protocol-violation drop log
policy-map global_policy
class inspection_default
inspect netbios mymap
service-policy global_policy global
MSRPC
1 Enforce DCERPC Endpoint Mapper Service To Prevent Exploits
On the well-known port of the endpoint mapper (TCP 135), other MSRPC services besides the endpoint mapper can be requested. There have been exploits of vulnerabilities in such services, for example the DCOM RPC service. Enforce the endpoint mapper service so that only traffic and messages related to this service are processed. The following configuration can be used to do this:
policy-map type inspect dcerpc mymap
parameters
endpoint-mapper epm-service-only
policy-map global_policy
class inspection_default
inspect dcerpc mymap
service-policy global_policy global
2 Enable DCERPC Endpoint Mapper Lookup Operation
Troubleshooting tools such as rpcdump use the lookup operation of the endpoint mapper service to enumerate MSRPC services and check whether they are reachable through secondary connections. The following configuration can be used to enable processing of the lookup operation. The lookup operation should only be configured where needed, especially in environments where the application clients come from less secure networks, since it opens pinholes for the secondary connections. The specified timeout applies to the pinholes generated from the lookup operation.
access-list 200 extended permit tcp host 171.69.38.125 host 172.23.58.176 eq 135
class-map dcerpc_hosts
match access-list 200
policy-map type inspect dcerpc mymap
parameters
endpoint-mapper lookup-operation timeout 0:10:00
policy-map global_policy
class dcerpc_hosts
inspect dcerpc mymap
service-policy global_policy global
Instant Messaging (IM)
With this release of ASA, the user is able to block entire IM applications (YMSG and MSN only) or selectively block specific services based on certain attributes.
The set of supported attributes are:
- Filtering based on IP address, address pair
- Filtering based on login-name, login-name pair
The set of supported services are:
- Chat
- Games
- File Transfer (for MSN filtering based on filename is not supported)
- Conferencing
- Video
- Voice (not supported for Yahoo)
IM inspection is supported only for applications running on Windows XP/2000 in this release.
Basic IM application blocking should work for most versions, though the more specific filtering based on services and the above attributes is supported for the following versions only:
- YMSG: 7.0.0.437
- MSN: 7.0
When IM inspection will not work:
- IM inspection will not work on ports for which other inspection engines have been configured in the firewall. For instance, if HTTP inspection has been enabled on port 80, then IM inspection on port 80 will not be done.
- If IM traffic is tunneled over other protocols such as HTTP or SIP, the firewall will not be able to inspect it in this release.
1 Blocking IM applications
The following configuration example blocks access to Yahoo! Messenger and MSN Messenger.
class-map type inspect im match-all im-class
match protocol msn-im yahoo-im
policy-map type inspect im im-policy
class im-class
drop-connection log
policy-map global_policy
class inspection_default
inspect im im-policy
2 Blocking IM services
The following configuration example blocks the Chat, Video and Conferencing services of Yahoo! Messenger.
class-map type inspect im match-all im-yahoo
match protocol yahoo-im
match service chat webcam conference
policy-map type inspect im im-policy
class im-yahoo
drop-connection log
policy-map global_policy
class inspection_default
inspect im im-policy
3 Blocking IM applications and services by login name and IP address
The following configuration example filters the Chat and Games services on MSN Messenger by login name and IP address.
regex netter-re netter.*@hotmail\.com
class-map type inspect im match-all im-msn
match protocol msn-im
match service chat games
match login-name regex netter-re
match ip-address 192.168.20.1 255.255.255.255
policy-map type inspect im im-policy
class im-msn
drop-connection log
policy-map global_policy
class inspection_default
inspect im im-policy
4 Blocking IM file transfer service by filename
This configuration example blocks sending files with a “.jpg” extension (Yahoo! Messenger only).
regex jpg-file ".*\.jpg"
class-map type inspect im match-all im-yahoo-file
match protocol yahoo-im
match service file-transfer
match filename regex jpg-file
policy-map type inspect im im-policy
class im-yahoo-file
drop-connection log
policy-map global_policy
class inspection_default
inspect im im-policy
5 Blocking IM applications and services by login name pair
The following example blocks MSN and Yahoo! Messenger Chat and Games sessions between clients whose login names match the regular expression patterns ".*netter1\@.*" and ".*netter2\@.*".
regex netter ".*netter1\@.*"
regex netter-peer ".*netter2\@.*"
class-map type inspect im match-all im-class
match protocol msn-im yahoo-im
match service chat games
match login-name regex netter
match peer-login-name regex netter-peer
policy-map type inspect im im-policy
class im-class
reset log
policy-map global_policy
class inspection_default
inspect im im-policy
6 Blocking IM applications and services by IP address pair
The following example blocks MSN and Yahoo! Messenger Chat and Games sessions over TCP connections between the endpoint 192.168.20.1 and the network 216.183.27.0/24.
class-map type inspect im match-all im-class
match protocol msn-im yahoo-im
match service chat games
match ip-address 192.168.20.1 255.255.255.255
match peer-ip-address 216.183.27.0 255.255.255.0
policy-map type inspect im im-policy
class im-class
reset log
policy-map global_policy
class inspection_default
inspect im im-policy
Appendix:
1 Class-maps
A class-map, which is used to define and match the traffic of interest, can be created in two different ways:
1. Using class inspection_default:
class-map inspection_default
match default-inspection-traffic
The keyword “default-inspection-traffic” automatically matches the default criteria for each type of inspection-specific traffic. For example, it matches traffic on port 53 for DNS, port 21 for FTP, and so on.
The policy-map “global_policy” can be used in conjunction with this “inspection_default” class as follows:
policy-map global_policy
class inspection_default
inspect esmtp
inspect ftp
service-policy global_policy global
In the above example, the default ESMTP traffic (TCP traffic destined to port 25) is classified for ESMTP inspection and the default FTP traffic (TCP traffic destined to port 21) is classified for FTP inspection.
2. Using explicit match criteria:
access-list ftpserver permit tcp any host FTP-SERVER eq ftp
class-map ftp-server
match access-list ftpserver
This method is more useful if inspection should be performed on something other than the default traffic, such as a specific server or a non-standard port.
This user-defined class can then be used in a policy as shown below:
policy-map ftp-policy
class ftp-server
inspect ftp
service-policy ftp-policy interface inside
To demonstrate this concept, the examples in the sections of this guide use both ways of configuration.
2 Regular Expressions
The following are some helpful notes on the usage of regular expressions:
1. Quotes are needed only if there are leading or trailing spaces in the pattern that is being matched:
Example: regex foo " foo "
2. It is not required to have quotes around the patterns in other cases, but if they are used, they are harmless.
Example:
regex sender “bob”
and
regex sender bob
produce the same results.
3. Since ‘.’ has a special meaning (match any character), when a literal ‘.’ is part of the pattern that is being matched, it should be escaped with a ‘\’ as shown below; otherwise virus.doc would also match, for example, virusXdoc:
Example: regex badfile virus\.doc
4. Single quotes are not supported.
Example: regex badfile ‘virus.doc’
is not supported.
5. The command ‘test regex’ can be used to test regular expressions to ensure they produce the desired results before using them in the configuration.