In this blog, we will explore how to effectively block HTTP tunneling using modern methods on Cisco ASA post-9.7, focusing on inspecting traffic sourced from a Proxy server located in the DMZ.
### Understanding HTTP Tunneling
HTTP tunneling allows applications to encapsulate their data within HTTP packets, which can make it difficult to identify the underlying traffic. This can lead to security vulnerabilities, as malicious users can exploit this method to circumvent firewalls and other security measures.
Typical signs of HTTP tunneling include:
- **Increased Header Count**: Tunneling applications often add additional header information that is not present in standard HTTP traffic.
- **Long Host Fields**: The `Host` header in tunneled traffic tends to be longer than in typical HTTP requests, as it may include additional information about the tunneled application.
### Why Move Away from the Old Method?
Previously, blocking HTTP tunneling on Cisco ASA involved manually configuring the Modular Policy Framework (MPF) to inspect the number of headers and the length of the `Host` field. This approach was complicated and required detailed knowledge of the traffic patterns.
The limitations of the old method included:
- **Complex Configurations**: Setting up MPF to accurately inspect HTTP headers and lengths required intricate policies and was prone to misconfiguration.
- **Difficulty in Maintenance**: Changes in traffic patterns or the introduction of new tunneling methods necessitated frequent updates to the MPF configurations.
- **Limited Visibility**: The old method offered limited insight into what was actually being blocked or allowed.
### Modern Approach: Cisco ASA Post-9.7
With Cisco ASA post-9.7, the introduction of the **FirePOWER module** allows for more efficient detection and blocking of tunneling applications. The FirePOWER Next-Generation Firewall (NGFW) capabilities include advanced application visibility, enhanced inspection, and intelligent threat prevention.
### Steps to Block HTTP Tunneling Using FirePOWER
Here’s how you can effectively block HTTP tunneling sourced from a Proxy server in the DMZ using Cisco ASA post-9.7.
#### 1. **Access the FirePOWER Management Center (FMC)**
To configure blocking for HTTP tunneling, you will need to access the FirePOWER Management Center. Ensure you have the necessary permissions to make configuration changes.
#### 2. **Create an Access Control Policy**
You’ll need to create or modify an existing access control policy that inspects traffic coming from the Proxy server in the DMZ.
- Navigate to **Policies > Access Control** in FMC.
- Create a new access control policy or edit an existing one that applies to traffic from the DMZ interface.
#### 3. **Define Traffic Source and Destination**
When creating the access control rule, define the source as the Proxy server's IP address located in the DMZ and specify the appropriate destination (e.g., internal servers, internet).
- **Source**: Proxy Server IP (DMZ)
- **Destination**: Internal Web Server or Internet (depending on your policy)
#### 4. **Inspect HTTP Traffic**
To detect HTTP tunneling, you need to enable HTTP inspection. This will allow FirePOWER to analyze HTTP headers more thoroughly.
- In the access control rule, ensure that you enable the **HTTP inspection** option.
- You can set it to **“block”** if it detects abnormal patterns, such as a high number of headers or an unusually long `Host` field.
#### 5. **Create a Custom Application Control Rule**
FirePOWER’s application control capabilities allow you to define rules based on application behavior.
- Navigate to **Policies > Application Control**.
- Create a new rule that specifically looks for signs of HTTP tunneling:
  - **Conditions**: Check for high header counts and long `Host` field lengths.
  - You can use application signatures that identify tunneling protocols or suspicious HTTP behavior.
#### 6. **Monitor HTTP Header Count and Host Field Length**
To monitor and block traffic based on HTTP header counts and the length of the `Host` field, you might need to configure intrusion policies:
- Go to **Policies > Intrusion**.
- Create an intrusion policy that includes rules to monitor HTTP requests for:
  - **High header counts**: Set a threshold for the maximum number of headers allowed in an HTTP request.
  - **Length of `Host` header**: Specify a maximum length for the `Host` header that would be considered normal.
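The two thresholds from this step (and the "Typical signs" section above) as standalone detection logic, useful for baselining your own proxy traffic before setting them in FMC. This is an added example, not Cisco's or the post's own code; the limits of 16 headers and a 64-byte `Host` value are assumptions to tune against your baseline, and the requests are constructed samples.

```python
"""Flag HTTP requests showing the two tunneling signs: a high header count
and an over-long Host header. Thresholds below are assumed, not Cisco defaults."""

MAX_HEADER_COUNT = 16   # assumed threshold: headers per request
MAX_HOST_LENGTH = 64    # assumed threshold: bytes in the Host value


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (request_line, [(name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line: skip rather than crash the check
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return request_line, headers


def tunneling_findings(raw: bytes, max_headers=MAX_HEADER_COUNT, max_host=MAX_HOST_LENGTH):
    """Return a list of findings; an empty list means the request looks normal."""
    _, headers = parse_request(raw)
    findings = []
    if len(headers) > max_headers:
        findings.append(f"header count {len(headers)} exceeds {max_headers}")
    for name, value in headers:
        if name == "host" and len(value) > max_host:
            findings.append(f"Host length {len(value)} exceeds {max_host}")
    return findings


# Constructed sample requests (not captured traffic).
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
TUNNELED = (b"POST /tunnel HTTP/1.1\r\n"
            b"Host: " + b"a" * 40 + b".tunnel-" + b"b" * 40 + b".example.net\r\n"
            + b"".join(b"X-Chunk-%d: data\r\n" % i for i in range(20)) + b"\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("tunneled", TUNNELED)):
        print(label, tunneling_findings(req) or "no findings")
```

Run it against a day of proxy requests and look at the distribution of header counts and `Host` lengths before choosing the values you put into the intrusion policy.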
#### 7. **Deploy the Configuration**
Once you have configured the access control policy, application control rules, and intrusion policy, deploy the changes to the ASA device.
- Go to **Policies > Access Control** and hit the **Deploy** button.
- Ensure that the changes are applied to the DMZ interface where the Proxy server is located.
#### 8. **Monitoring and Reporting**
After deploying the policies, you need to actively monitor the traffic for any potential tunneling attempts. FirePOWER provides robust logging and reporting capabilities:
- Navigate to **Analysis > Connections** to view HTTP traffic logs.
- Under **Analysis > Intrusion > Events**, check for any intrusion events that may indicate tunneling attempts.
You can also set up alerts for when specific thresholds are met, allowing you to take proactive measures.
### Conclusion
Blocking HTTP tunneling in Cisco ASA post-9.7 has become significantly easier and more efficient with the integration of FirePOWER’s advanced features. By using access control policies, application control rules, and intrusion prevention capabilities, network administrators can effectively identify and mitigate the risks associated with HTTP tunneling.
This modern approach not only simplifies the configuration process but also enhances visibility into the traffic traversing your network, allowing you to enforce stricter security policies while maintaining essential connectivity for legitimate applications.
If you are still relying on older methods, upgrading to ASA version 9.7 or later and leveraging the FirePOWER module is highly recommended to better secure your network against unauthorized tunneling and other threats.