I think because it would be horridly difficult and tedious to use FPM: you would need to know the different types of 'bad' HTTP packets you are looking for and how they manifest at a bit level, e.g. is 0x3452 8 bytes into the payload a bad HTTP packet? What about 0xBE32? etc. etc. etc. How many different ways could someone tunnel traffic in HTTP? I bet there's a pile. If you were using FPM, you'd need to know all the ways to cheat HTTP and program the FPM match criteria accordingly.

OR, you could just inspect HTTP with ZBF and let the inspection engine worry about all the different ways HTTP can be abused : )

On Tue, Feb 15, 2011 at 6:56 AM, Pemasiri Devanarayana <[email protected]> wrote:

> Hi All,
>
> Thanks for all your responses. I now understand we can't use role-based CLI
> for the 2nd question, but can someone give me the reason why we can't use
> FPM on the 1st question?
>
> Thanks
> Pemasiri
>
> On Mon, Feb 14, 2011 at 8:08 PM, Tyson Scott <[email protected]> wrote:
>
>> 1. FPM would be difficult to use. The answer is the better option.
>>
>> 2. The key is "authenticate and authorize remote users with
>> per-user level access control *before*"
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Pemasiri Devanarayana
>> *Sent:* Monday, February 14, 2011 8:14 AM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] Yusuf's Flash Card - OEQ
>>
>> Hi,
>>
>> I just need someone's feedback on the two questions below:
>>
>> 1) Which Cisco IOS feature can prevent bad HTTP packets from tunneling
>> malicious traffic?
>>
>> - the answer was ZFW
>>
>> Why can't we consider FPM?
>>
>> 2) Which IOS security technology can be used to authenticate and authorize
>> remote users with per-user level access control before permitting access
>> to local/network services or hosts/servers?
>>
>> - authentication proxy
>>
>> Why can't we consider role-based CLI?
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
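To make the contrast in the reply concrete, here are two independent IOS configuration fragments added as an example (they are not from the thread, from Yusuf's flash cards, or from any Cisco document). The first uses FPM to drop exactly one hand-written byte signature, using the 0x3452-at-offset-8 value the poster used as an illustration rather than a real signature; the second hands HTTP to the ZBF inspection engine and matches port misuse and protocol violations by category. Interface names, zone names, class/policy names and the phdf file paths are assumptions for the example.

```cisco
! ===== Option 1: FPM =====
! Every "bad" HTTP packet must be described as a byte pattern. Load the
! protocol header definition files so FPM can parse IP and TCP fields
! (path assumed; phdf files ship with IOS or are copied to flash).
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/tcp.phdf

! Stack class: IP carrying TCP.
class-map type stack match-all IP-TCP
 match field ip protocol eq 6 next tcp

! One signature: the poster's example value 0x3452, 8 bytes into the TCP
! payload, on traffic to port 80. This is NOT a real tunneling signature.
class-map type access-control match-all HTTP-SIG-1
 match field tcp dest-port eq 80
 match start tcp payload-start offset 8 size 2 eq 0x3452

! Every further evasion (0xBE32 at some other offset, a new tunneling
! tool, ...) needs another class-map and another class entry here.
policy-map type access-control FPM-HTTP
 class HTTP-SIG-1
  drop

policy-map type access-control FPM-IP
 class IP-TCP
  service-policy FPM-HTTP

interface GigabitEthernet0/0
 service-policy type access-control input FPM-IP

! ===== Option 2: ZBF with HTTP application inspection =====
! Layer-7 class: the inspection engine decides what "tunneling", "IM",
! "P2P over port 80" and "protocol violation" look like; no byte offsets.
class-map type inspect http match-any HTTP-ABUSE
 match request port-misuse tunneling
 match request port-misuse im
 match request port-misuse p2p
 match req-resp protocol-violation

policy-map type inspect http HTTP-APPFW
 class type inspect http HTTP-ABUSE
  reset
  log

! Layer-4 class and policy: inspect HTTP and attach the Layer-7 policy.
class-map type inspect match-all HTTP-TRAFFIC
 match protocol http

policy-map type inspect IN-TO-OUT
 class type inspect HTTP-TRAFFIC
  inspect
  service-policy http HTTP-APPFW
 class class-default
  drop

zone security INSIDE
zone security OUTSIDE

zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT

interface GigabitEthernet0/1
 zone-member security INSIDE
interface GigabitEthernet0/2
 zone-member security OUTSIDE
```

The point of the side-by-side is the scaling behaviour: the FPM policy grows by one class-map per evasion you already know about, and the match is only as good as the offset and value you typed, while the ZBF policy stays the same size and the engine classifies the request itself. Either way, the check is on cleartext HTTP; neither fragment can see inside TLS, so port-443 tunneling needs a different control.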
