Thank you very much, King, for the verification. Buck, thanks for your time and the explanation.

Regards
Anantha Subramanian Natarajan

On Thu, Sep 30, 2010 at 2:15 AM, Kingsley Charles <[email protected]> wrote:

> I just checked the filter https and it works only for outbound, meaning from higher security to lower security, as said in the CCIE doc.
>
> With regards
> Kings
>
> On Thu, Sep 30, 2010 at 11:57 AM, Kingsley Charles <[email protected]> wrote:
>
>> Buck
>>
>> I think you have not got my point. I am not talking about HTTP or FTP L7 inspection. I am talking about HTTP and FTP URL filtering using the "filter" command. Again, I have not tried it; rather, I am trying to explain what's there in the link. Maybe you can try it.
>>
>> When we talk about inbound and outbound there is a difference when it comes to ASA.
>>
>> Let's apply some maths here :-)
>>
>> Usually any traffic going out of an interface is outbound and coming in to an interface is inbound.
>>
>> Let's see another definition.
>>
>> With respect to a firewall, any traffic from local LAN to Internet is outbound and from Internet to LAN is inbound.
>>
>> Internet is untrusted and LAN is trusted, hence replacing them:
>> With respect to a firewall, any traffic from trusted network to untrusted is outbound and from untrusted to trusted is inbound.
>>
>> With respect to ASA, higher levels are more trusted and lower levels are less trusted.
>> With respect to a firewall, any traffic from higher level to lower level is outbound and from lower level to higher level is inbound.
>>
>> That is what they are referring to below.
>>
>> I have highlighted them. Please have a look; these points are from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744. Mostly they should be correct; if they are wrong then you should check with Cisco :-)
>>
>> Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
>>
>> NetBIOS inspection engine—Applied only for outbound connections.
>>
>> SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
>>
>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
>>
>> If you enable communication for same security interfaces, you can filter traffic in either direction.
>>
>> As I said, I was referring to the HTTP and FTP URL filter:
>>
>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
>>
>> If you look at the command syntax, the initial network is local and then the remote.
>>
>> asa2(config)# filter http 80 ?
>>
>> configure mode commands/options:
>>   Hostname or A.B.C.D  The address of local/internal host which is source for connections requiring filtering
>>
>> asa2(config)# filter http 80 0 0 ?
>>
>> configure mode commands/options:
>>   Hostname or A.B.C.D  The address of foreign/external host which is destination for connections requiring filtering
>>
>> Hope I am clear now.
>>
>> With regards
>> Kings
>>
>> On Thu, Sep 30, 2010 at 11:39 AM, Buck Wallander <[email protected]> wrote:
>>
>>> Kingsley,
>>>
>>> That's wrong. Based on your logic one could not filter components of HTTP requests (uri, host, body content, etc.) from the outside/internet towards the inside/server segment. This is false; in fact it's something that I implement on ASA firewalls quite often. You seem to be confused about the idea of inbound/outbound packet flow through an interface policy-map versus connections moving either lower-to-higher or higher-to-lower.
>>>
>>> While it may be true that SOME app inspects are dependent upon security levels, HTTP and FTP, at least in respect to policy-maps via MPF, are not.
>>>
>>> Regards,
>>> Buck Wallander
>>>
>>> On Thu, Sep 30, 2010 at 12:40 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Outbound means from higher security to lower security.
>>>> Inbound means from lower to higher security.
>>>>
>>>> Irrespective of whether the policy map is applied to inside, outside or global, the "Outbound" and "Inbound" logic will not change.
>>>>
>>>> Now if you read the following snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744, you can see that some inspections are dependent on the security levels.
>>>>
>>>> Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
>>>>
>>>> NetBIOS inspection engine—Applied only for outbound connections.
>>>>
>>>> SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
>>>>
>>>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
>>>>
>>>> If you enable communication for same security interfaces, you can filter traffic in either direction.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Thu, Sep 30, 2010 at 9:23 AM, Buck Wallander <[email protected]> wrote:
>>>>
>>>>> Just another bit of clarification on this topic so that others aren't confused. The document that you linked is referring to the anti-X filtering of HTTP and FTP, i.e. when using the "FILTER" command for FTP and HTTP.
>>>>>
>>>>> Security levels have no bearing on the actual INSPECTS for ftp and http (inspect http & inspect ftp), which will inspect traffic bidirectionally when applied directly to an interface, or 'ingress only' when applied globally via a service-policy, just like most other protocol inspects.
>>>>>
>>>>> Regards,
>>>>> Buck Wallander
>>>>>
>>>>> On Fri, Sep 24, 2010 at 9:25 AM, Anantha Subramanian Natarajan <[email protected]> wrote:
>>>>>
>>>>>> Thanks Kings
>>>>>>
>>>>>> Regards
>>>>>> Anantha Subramanian Natarajan
>>>>>>
>>>>>> On Fri, Sep 24, 2010 at 1:20 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> It seems that some application inspections are not bidirectional. For example, the ASA applies http and ftp filtering for outbound connections and not for inbound. It's an ASA limitation.
>>>>>>>
>>>>>>> Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intparam.html#wp1057744
>>>>>>>
>>>>>>> Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.
>>>>>>>
>>>>>>> NetBIOS inspection engine—Applied only for outbound connections.
>>>>>>>
>>>>>>> SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.
>>>>>>>
>>>>>>> Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).
>>>>>>>
>>>>>>> If you enable communication for same security interfaces, you can filter traffic in either direction.
>>>>>>>
>>>>>>> With regards
>>>>>>>
>>>>>>> Kings
>>>>>>>
>>>>>>> On Wed, Sep 22, 2010 at 10:00 PM, Anantha Subramanian Natarajan <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I was going through the Cisco ASA config guide and understand that *some* application inspection engines are dependent on the security level. I am trying to understand the relation between inspection engines and the security level, and also why only some application inspection engines depend on the security level.
>>>>>>>>
>>>>>>>> If you could explain or point me to proper documentation, I would really appreciate that.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Anantha Subramanian Natarajan
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
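The two mechanisms the thread keeps distinguishing, side by side, as an added configuration example that none of the posters supplied: the legacy URL `filter` command, whose operands are the local (source) hosts first and the foreign (destination) hosts second, and an MPF `inspect http` policy applied on the outside interface so that requests from the Internet toward a DMZ web server are inspected. The interface names, addresses, ACL, url-server and regex are assumptions; the `filter` syntax follows the ASA 8.0 configuration guide form (`filter url http ...`) rather than the abbreviated form shown in the thread's `?` output.

```cisco
! ---- Mechanism 1: URL filtering with the "filter" command ----
! Operand order is local_ip local_mask foreign_ip foreign_mask.
! Here 10.1.2.0/24 (inside, higher security level) is the local side
! and 0 0 (any) is the foreign side; the thread and the 8.0 guide
! describe this as applying to outbound connections only.
! The url-server address is assumed; a Websense/N2H2 server is required.
url-server (inside) vendor websense host 10.1.1.50 timeout 30 protocol TCP version 1
filter url http 10.1.2.0 255.255.255.0 0 0
filter ftp 21 10.1.2.0 255.255.255.0 0 0

! ---- Mechanism 2: MPF HTTP inspection on the outside interface ----
! Inspects HTTP connections entering "outside" toward the DMZ server
! 192.0.2.10 (lower to higher security level), i.e. the direction
! Buck describes implementing.
! The regex is an assumed example pattern (parent-directory traversal).
regex BLOCKED_URI "\.\./"
class-map type regex match-any URI_BLOCKLIST
 match regex BLOCKED_URI
class-map type inspect http match-all BAD_REQUESTS
 match request uri regex class URI_BLOCKLIST
policy-map type inspect http WEB_INSPECT
 parameters
  protocol-violation action drop-connection log
 class BAD_REQUESTS
  drop-connection log
access-list DMZ_WEB_ACL extended permit tcp any host 192.0.2.10 eq www
class-map DMZ_WEB
 match access-list DMZ_WEB_ACL
policy-map OUTSIDE_POLICY
 class DMZ_WEB
  inspect http WEB_INSPECT
service-policy OUTSIDE_POLICY interface outside
```

After sending a test request from the outside, `show service-policy interface outside` shows the packet and drop counters for `inspect http` under OUTSIDE_POLICY, and `show url-server` reports whether the filter server is reachable; the thread's disagreement about direction is settled by checking which of those counters move for a given flow, as Kings did with `filter https`.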
