NBAR confusion – usage of “match protocol http url”
September 5, 2008 at 5:04 pm | In Blogroll, QoS, Security

Doing IE WB1, Section Security, task "Using NBAR to Filter Traffic". I am confused by the solution guide. The task is to drop HTTP IMAGE requests from Client to Server.

HTTP Client ------- R4 ------- HTTP Server
                       S0/1

The solution creates a policy that matches images using match protocol http url, but the policy is applied INBOUND on the WAN interface (S0/1)! I believe that this policy should be applied OUTBOUND to stop HTTP requests.
However, that is not my main concern. I used to believe that “match protocol http url” could only be used to match HTTP REQUESTS, and not HTTP RESPONSES (IMAGE data) from the server. To match the IMAGE data itself, I thought that match MIME type should be used. But it seems I may be WRONG!
“match protocol http url” seems to be able to match HTTP RESPONSE from Servers as well.
I tried sniffing (using Wireshark) a real HTTP session. I could see the reference to the URL in the GET request, but I do not see any reference to that URL in the data response from the server!
Below are the configuration and verification output showing that both the HTTP requests for images and the returned image data are matched by “match protocol http url”.
Configuration:
R4#
class-map match-any IMAGES
 match protocol http url "*.gif"
 match protocol http url "*.jpeg|*.jpg"
!
!
! HTTP_REQUEST policy is my additional config for matching illustration
policy-map HTTP_REQUEST
 class IMAGES
!
policy-map DROP_IMAGES
 class IMAGES
  drop
!
interface Serial0/1
 service-policy input DROP_IMAGES
 service-policy output HTTP_REQUEST
Verification:
Generate an HTTP GET request from the inside (R1) to the outside HTTP server at 150.1.5.5:

R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)

R4#sh policy-map interface s0/1
 Serial0/1

  Service-policy input: DROP_IMAGES

    Class-map: IMAGES (match-any)
      8 packets, 1657 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        8 packets, 1657 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      18 packets, 1530 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

  Service-policy output: HTTP_REQUEST

    Class-map: IMAGES (match-any)
      5 packets, 708 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        5 packets, 708 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      27 packets, 1936 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
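As an added illustration (not part of the original post, and a simplified model rather than Cisco's NBAR implementation), the Python below shows the behaviour the counters above imply: once the URL in a GET request matches, the whole bidirectional flow, including the server's response data that carries no URL, inherits the IMAGES class, so an input-side DROP_IMAGES policy on S0/1 discards the response packets. The client address 150.1.1.1, the port numbers and the packet payloads are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Patterns copied from the class-map IMAGES on this page ('|' = alternatives).
URL_PATTERNS = ["*.gif", "*.jpeg|*.jpg"]

def url_matches(url, pattern):
    """Cisco-style URL pattern: '*' wildcard, '|' separates alternatives."""
    return any(fnmatch.fnmatch(url, alt) for alt in pattern.split("|"))

@dataclass
class FlowClassifier:
    """Hypothetical stateful classifier: once a request URL matches, every
    later packet of the same bidirectional flow inherits that class."""
    flows: dict = field(default_factory=dict)

    def classify(self, src, sport, dst, dport, payload):
        key = frozenset({(src, sport), (dst, dport)})   # same key both ways
        if key in self.flows:
            return self.flows[key]
        m = re.match(rb"(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]", payload)
        if not m:
            return "class-default"      # no request seen yet (e.g. the SYN)
        url = m.group(1).decode()
        cls = "IMAGES" if any(url_matches(url, p) for p in URL_PATTERNS) else "class-default"
        self.flows[key] = cls
        return cls

# Constructed packets: (direction on R4 S0/1, src, sport, dst, dport, payload).
# 150.1.1.1 stands in for R1; 150.1.5.5 is the HTTP server from the post.
PACKETS = [
    ("output", "150.1.1.1", 11001, "150.1.5.5", 80, b""),                                # SYN
    ("output", "150.1.1.1", 11001, "150.1.5.5", 80, b"GET /test.jpg HTTP/1.0\r\n\r\n"),
    ("input", "150.1.5.5", 80, "150.1.1.1", 11001, b"HTTP/1.0 200 OK\r\n\r\n\xff\xd8\xff"),
    ("input", "150.1.5.5", 80, "150.1.1.1", 11001, b"\x00\x01\x02"),                      # more image data
    ("output", "150.1.1.1", 11002, "150.1.5.5", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("input", "150.1.5.5", 80, "150.1.1.1", 11002, b"HTTP/1.0 200 OK\r\n\r\n<html>"),
]

def run(packets=PACKETS):
    """Per-packet (direction, class, dropped); DROP_IMAGES sits on the input side."""
    clf, rows = FlowClassifier(), []
    for direction, src, sport, dst, dport, payload in packets:
        cls = clf.classify(src, sport, dst, dport, payload)
        rows.append((direction, cls, direction == "input" and cls == "IMAGES"))
    return rows
```

Calling run() returns one row per packet: the GET for /test.jpg and both response packets of that flow carry IMAGES, and only the two input-side ones are dropped, while the /index.html flow stays in class-default.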
Lock & Key
September 5, 2008 at 1:04 pm | In Security

Configuration

R4#
ip access-list extended INBOUND
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit tcp any host 150.1.4.4 eq telnet
 dynamic ACCESS timeout 10 permit ip any any
 deny ip any any log
!
interface Serial0/0.1 point-to-point
 ip access-group INBOUND in
!
interface Serial0/1
 ip access-group INBOUND in
!
username DYNACL password 0 CISCO
username DYNACL autocommand access-enable host timeout 5
!
line vty 0 4
 login local
The first three access-list entries allow routing traffic (OSPF and BGP) to pass through; that traffic is not subject to lock-and-key. The fourth entry permits only Telnet into the router itself, which is what the user needs in order to authenticate. The fifth access-list entry (the dynamic entry) is always ignored until lock-and-key is triggered.
In the access-list command, the timeout is the absolute timeout. In this example, the lifetime of the ACCESS ACL is 10 minutes; that is, when a user logs in and the access-enable command runs, a dynamic ACL entry is created for 10 minutes (the maximum absolute time). The session is closed after 10 minutes, whether or not anyone is using it.
In the autocommand command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes after 5 minutes and the user has to reauthenticate. If the user keeps using the connection, the absolute time takes effect and the session closes after 10 minutes.
After a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the S0/0.1 and S0/1 interfaces, based on the fifth access-list entry (ACCESS). This temporary entry will expire after 5 minutes of inactivity, as specified by the timeout.
Verification
R5#telnet 150.1.4.1
Trying 150.1.4.1 ...
% Destination unreachable; gateway or host down
R5#telnet 150.1.4.6
Trying 150.1.4.6 ...
% Destination unreachable; gateway or host down

R4#
Sep 5 11:47:07.695: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 155.1.45.5(55291) -> 150.1.4.1(23), 1 packet
Sep 5 11:47:09.091: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 155.1.45.5(59072) -> 150.1.4.6(23), 1 packet

R5#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Username: DYNACL
Password:
[Connection to 150.1.4.4 closed by foreign host]
R5#telnet 150.1.4.1
Trying 150.1.4.1 ... Open

R1#exit
[Connection to 150.1.4.1 closed by foreign host]
R5#telnet 150.1.4.6
Trying 150.1.4.6 ... Open

R4#sh access-lists
Extended IP access list INBOUND
    10 permit ospf any any (92 matches)
    20 permit tcp any any eq bgp
    30 permit tcp any eq bgp any (21 matches)
    35 permit tcp any host 150.1.4.4 eq telnet (297 matches)
    40 Dynamic ACCESS permit ip any any
       permit ip host 155.1.45.5 any (36 matches) (time left 287)
    50 deny ip any any log (8 matches)

R5#telnet 150.1.4.6 /source-interface Serial0/0.1
Trying 150.1.4.6 ...
% Destination unreachable; gateway or host down
R5#telnet 150.1.4.4 /source-interface Serial0/0.1
Trying 150.1.4.4 ... Open

User Access Verification

Username: DYNACL
Password:
[Connection to 150.1.4.4 closed by foreign host]
R5#telnet 150.1.4.6 /source-interface Serial0/0.1
Trying 150.1.4.6 ... Open

R6#exit
[Connection to 150.1.4.6 closed by foreign host]
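As an added example, not from the original post, the Python below models the two timers explained above: the absolute lifetime from the dynamic ACL entry (10 minutes) and the idle timer from the autocommand (5 minutes), with the static entries evaluated first just as the INBOUND list does. The class, the scenario functions and the use of 155.1.45.5 as the authenticated host are my own constructions, not an IOS API.

```python
from dataclasses import dataclass

# Timeouts taken from the configuration above, converted to seconds.
ABSOLUTE_TIMEOUT = 10 * 60   # dynamic ACCESS timeout 10
IDLE_TIMEOUT = 5 * 60        # autocommand access-enable host timeout 5
ROUTER = "150.1.4.4"

@dataclass
class DynamicEntry:
    created: float     # when access-enable ran for this host
    last_seen: float   # last packet that hit the temporary entry

class LockAndKey:
    """Hypothetical model of the INBOUND list: static entries first, then the
    per-host temporary entries created by access-enable, then the deny."""
    def __init__(self):
        self.dynamic = {}

    def access_enable(self, host, now):
        # Successful Telnet login to the router runs the autocommand.
        self.dynamic[host] = DynamicEntry(created=now, last_seen=now)

    def _expire(self, now):
        for host, e in list(self.dynamic.items()):
            if now - e.created >= ABSOLUTE_TIMEOUT or now - e.last_seen >= IDLE_TIMEOUT:
                del self.dynamic[host]

    def permit(self, proto, src, sport, dst, dport, now):
        if proto == "ospf" or (proto == "tcp" and 179 in (sport, dport)):
            return True                 # entries 10, 20, 30: routing traffic
        if proto == "tcp" and dst == ROUTER and dport == 23:
            return True                 # entry 35: Telnet to the router itself
        self._expire(now)
        e = self.dynamic.get(src)
        if e is None:
            return False                # entry 50: deny ip any any log
        e.last_seen = now               # traffic refreshes the idle timer
        return True

def idle_scenario():
    """Authenticate, use the entry once at 4 min, then stay idle until 9.5 min."""
    lk = LockAndKey()
    lk.access_enable("155.1.45.5", 0)
    return [lk.permit("tcp", "155.1.45.5", 55291, "150.1.4.1", 23, t) for t in (240, 570)]

def absolute_scenario():
    """Keep the session busy every 3 min; the 10-minute absolute limit still wins."""
    lk = LockAndKey()
    lk.access_enable("155.1.45.5", 0)
    return [lk.permit("tcp", "155.1.45.5", 59072, "150.1.4.6", 23, t) for t in (180, 360, 540, 630)]
```

idle_scenario() returns [True, False] because the second packet arrives 5.5 minutes after the last hit, while absolute_scenario() returns [True, True, True, False] because the fourth packet arrives after the 10-minute absolute lifetime even though the entry was never idle.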
Doc CD Navigation
- Cisco IOS Security Configuration Guide, Release 12.4
- Traffic Filtering, Firewalls, and Virus Detection
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- Lock-and-Key Configuration Examples
- Lock-and-Key with Local Authentication Example