Kingsley, that's wrong. Based on your logic one could not filter components of HTTP requests (URI, host, body content, etc.) from the outside/internet towards the inside/server segment. This is false; in fact it's something that I implement on ASA firewalls quite often. You seem to be confused about the idea of inbound/outbound packet flow through an interface policy-map versus connections moving either lower-to-higher or higher-to-lower. While it may be true that SOME app inspects are dependent upon security levels, HTTP and FTP, at least in respect to policy-maps via MPF, are not.
Regards,
Buck Wallander

On Thu, Sep 30, 2010 at 12:40 AM, Kingsley Charles <[email protected]> wrote:

> Outbound means from higher security to lower security.
> Inbound means from lower to higher security.
>
> Irrespective of whether the policy map is applied to inside, outside or global, the "Outbound" and "Inbound" logic will not change.
>
> Now if you read the following snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744, you can see that some inspections are dependent on the security levels.
>
> Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
>
> NetBIOS inspection engine—Applied only for outbound connections.
>
> SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
>
> Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
>
> If you enable communication for same security interfaces, you can filter traffic in either direction.
>
> With regards
> Kings
>
> On Thu, Sep 30, 2010 at 9:23 AM, Buck Wallander <[email protected]> wrote:
>
>> Just another bit of clarification on this topic so that others aren't confused. The document that you linked is referring to the anti-X filtering of HTTP and FTP, i.e. when using the "FILTER" command for FTP and HTTP.
>>
>> Security levels have no bearing on the actual INSPECTS for FTP and HTTP (inspect http & inspect ftp), which will inspect traffic bidirectionally when applied directly to an interface, or "ingress only" when applied globally via a service-policy, just like most other protocol inspects.
>>
>> Regards,
>> Buck Wallander
>>
>> On Fri, Sep 24, 2010 at 9:25 AM, Anantha Subramanian Natarajan <[email protected]> wrote:
>>
>>> Thanks Kings
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>> On Fri, Sep 24, 2010 at 1:20 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> It seems that some application inspections are not bidirectional. For example, the ASA applies HTTP and FTP filtering for outbound connections and not for inbound. It's an ASA limitation.
>>>>
>>>> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744
>>>>
>>>> Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
>>>>
>>>> NetBIOS inspection engine—Applied only for outbound connections.
>>>>
>>>> SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
>>>>
>>>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
>>>>
>>>> If you enable communication for same security interfaces, you can filter traffic in either direction.
>>>>
>>>> With regards
>>>>
>>>> Kings
>>>>
>>>> On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <[email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I was going through the Cisco ASA config guide and understand that *some* application inspection engines are dependent on the security level. I am trying to understand the relation between inspection engines and the security level, and also why only some application inspection engines depend on the security level.
>>>>>
>>>>> If you could explain or point me to proper documentation, I would really appreciate that.
>>>>>
>>>>> Regards
>>>>> Anantha Subramanian Natarajan
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
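As an added illustration, not part of the thread and not Cisco's own text, here is an ASA MPF configuration of the kind the discussion is about: an HTTP inspection policy-map attached with a service-policy to the outside interface, so that requests arriving from the lower-security side toward the server segment are matched on their URI and dropped. This uses `inspect http` under MPF, which is a different feature from the `filter http` URL-filtering command covered by the "Filtering" bullet in the linked document. All object names, the interface name and the regex are assumptions for the example.

```cisco
! Constructed example (not from the mailing list). All names in capitals and
! the regex pattern are assumptions chosen for illustration.
!
! 1. A regex describing request URIs that should never reach the servers
!    from the outside (here: anything under an administrative path).
regex URI_ADMIN_PATH "/admin/.*"
!
! 2. Group one or more regexes into a regex class-map.
class-map type regex match-any URI_BLOCKLIST
 match regex URI_ADMIN_PATH
!
! 3. An HTTP inspection class-map that matches requests whose URI hits the list.
class-map type inspect http match-all HTTP_BLOCKED_REQUESTS
 match request uri regex class URI_BLOCKLIST
!
! 4. The HTTP inspection policy: drop and log matching requests, and drop
!    connections that violate the HTTP protocol itself.
policy-map type inspect http HTTP_SERVER_INSPECT
 parameters
  protocol-violation action drop-connection log
 class HTTP_BLOCKED_REQUESTS
  drop-connection log
!
! 5. Layer 3/4 class-map selecting the traffic to hand to the inspector.
class-map WEB_TO_SERVERS
 match port tcp eq 80
!
! 6. Layer 3/4 policy-map that applies the HTTP inspection to that traffic.
policy-map OUTSIDE_POLICY
 class WEB_TO_SERVERS
  inspect http HTTP_SERVER_INSPECT
!
! 7. Attach the policy to the outside (lower-security) interface. Only one
!    service-policy can be applied per interface.
service-policy OUTSIDE_POLICY interface outside
```

To confirm the policy is attached and counting hits, `show service-policy interface outside` lists the class-maps and their inspect statistics; dropped requests also appear in syslog when `log` is set on the action, which is where a detection pipeline would pick them up.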
