Hi Kings,

thanks for that snippet of info. Although I would also expect to actually be able to filter inbound connections on HTTP, as you might have a DMZ web server and want to restrict the type and length of requests to be sent to that server.

But would the MPF (e.g. inspect in combination with a class-map) not be an option?
It's perhaps not part of the global application inspection, but it might be worth a try..

Kind regards
Pieter-Jan
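The MPF approach Pieter-Jan suggests, as an added example that is not part of the original thread: an ASA configuration that attaches a per-interface HTTP inspection policy to traffic bound for a DMZ web server, dropping requests that are not GET or that exceed a URI or body length limit. The interface name "outside", the server address 192.0.2.10 and all object names are assumed placeholder values.

```cisco
! Added example (not from the thread). Assumed values: interface "outside",
! DMZ web server 192.0.2.10 (placeholder), and the ACL/class/policy names below.

! Traffic class: only inbound HTTP to the DMZ web server is matched by this policy.
access-list DMZ_WEB_IN extended permit tcp any host 192.0.2.10 eq www
class-map DMZ_WEB_HTTP
 match access-list DMZ_WEB_IN

! Application-layer policy: restrict the request method and request size.
policy-map type inspect http DMZ_WEB_HTTP_INSPECT
 parameters
  protocol-violation action drop-connection log
 match not request method get
  drop-connection log
 match request uri length gt 1024
  drop-connection log
 match request body length gt 4096
  drop-connection log

! Layer 3/4 policy on the outside interface. For the traffic it matches, an interface
! service policy takes precedence over the global policy, so the HTTP inspection above
! is scoped to inbound connections to the DMZ server without touching global inspection.
policy-map OUTSIDE_POLICY
 class DMZ_WEB_HTTP
  inspect http DMZ_WEB_HTTP_INSPECT
service-policy OUTSIDE_POLICY interface outside

! Verify matches and drops with: show service-policy interface outside
```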

On 24 sep 2010, at 08:20, Kingsley Charles wrote:

It seems that some application inspections are not bidirectional. For example, the ASA applies HTTP and FTP filtering for outbound connections and not for inbound. It's an ASA limitation.


Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744

Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance. 


Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

If you enable communication for same security interfaces, you can filter traffic in either direction.



With regards

Kings



On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <[email protected]> wrote:
Hi All,

  Was going through the Cisco ASA config guide and understanding that some application inspection engines are dependent on the security level. I am trying to understand the relation between inspection engines and the security-level and also why only some application inspection engines depend on the security level.

If you could explain or point me to proper documentation, I would really appreciate that.

Regards
Anantha Subramanian Natarajan

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/