Advanced HTTP Inspection (CCIE Notes)


Configuring HTTP inspection:-

1. Create an L7 class-map of the required type (inspect or regex).

regex reg_google "www\.google\.com"
!
class-map type regex match-any regex_class
 match regex reg_google
class-map type inspect http match-any http_class
 match request method get
 match request header host regex class regex_class

Note: If several matches are needed, use class-maps of the appropriate types and reference them from an L7 policy-map. A single match can be made directly under the L7 policy-map, as below:

policy-map type inspect http http_policy_single_match
 parameters
 match request method get
  drop-connection log

2. Create an L7 policy-map for HTTP, reference the inspect class-map configured above inside it, and assign the required action:

policy-map type inspect http http_policy1
 parameters
  spoof-server "NETWORKOLOGY"
  protocol-violation action drop-connection
 class http_class
  drop-connection log

3. Create an L3/L4 class-map that matches the traffic you want to inspect. Alternatively, the inspection_default class can be used, since it matches HTTP on port 80.

class-map http_class_l3l4
 match port tcp eq www

4. Create an L3/L4 policy-map, reference the L3/L4 class-map and the L7 policy-map under it, and apply it to the source interface:

policy-map inside_policy
 class http_class_l3l4
  inspect http http_policy1
!
service-policy inside_policy interface IN

5. Verifying the configuration:-

ASA-FW# show service-policy interface IN inspect http

Interface IN:
Service-policy: inside_policy
Class-map: http_class_l3l4
Inspect: http http_policy1, packet 0, drop 0, reset-drop 0
protocol violations
packet 0
server spoofs, packet 0
class http_class (match-any) 
Match: request method get, 0 packets
Match: request header host regex class regex_class, 0 packets
drop-connection log, packet 0

Types of matches that can be made when inspecting HTTP packets:

class-map type inspect http match-any 
class-map type inspect http match-all 
 match not
 match req-resp
 match request [ args | body | header | method | uri ]
 match response [ body | header | status-line ]

Common match statements used when inspecting HTTP packets:

match request body length gt 1024
match request body regex
match request header date regex
match request header host regex xxxx        (domain name of the web server)
match request header user-agent regex xxxx  (user-agent string of the HTTP client)
match request header length gt 1024
match request method get                    (requests data from a specified resource)
match request method post                   (submits data to be processed to a specified resource)
match request method put                    (submits data to be processed or updated at a specified resource)
match request uri length gt
match request uri regex xxx

match response body java-applet
match response body length
match response body regex xxx
match response header date regex
match response header length gt
match response header server regex xxx

Quick summarization of steps to remember while configuring HTTP inspection:-

1. Define an L7 class-map (type inspect or regex) that matches what you want to inspect in an HTTP packet (request/response, header/body/method/uri).

2. Define an L7 policy-map and configure the action to be taken on the referenced L7 class-map (drop-connection/reset).

3. Define an L3/L4 class-map that matches the L3/L4 properties of the traffic to be inspected.

4. Define the L3/L4 policy-map. Reference the L3/L4 class-map and inspect HTTP under it, specifying the L7 policy-map after the inspect command.

5. Apply it to the source interface. In the lab exam, if no specific direction or interface is mentioned and the question concerns generic HTTP traffic in all directions, the L7 policy-map can instead be attached to the HTTP inspection under the inspection_default class-map used in the global_policy.

Parameters of a protocol:-

– Each protocol inspection has its own parameters, specific to that protocol, which can be set as required.

policy-map type inspect http http_policy3
 parameters
  spoof-server "MySecureServer"
  protocol-violation action drop-connection

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/ccie
