Monday, September 23, 2024

Deep Packet Inspection for FTP on Cisco ASA: Simplified Configuration Post-9.7

In the evolving world of network security, deep packet inspection (DPI) is crucial to ensuring that traffic is secure and protocols like FTP (File Transfer Protocol) are properly handled. Cisco ASA’s software versions before 9.7 followed a complex, layered approach to DPI configuration, especially when it came to managing and inspecting protocol-specific traffic, such as FTP. 

However, with ASA version 9.7 and later, some significant improvements have been introduced that streamline the configuration process while enhancing the functionality. In this blog, we’ll discuss how to configure FTP inspection using DPI on Cisco ASA Post-9.7 and how the new approach makes things simpler compared to the old way.

### The Old Way (Pre-9.7 ASA)
Before ASA version 9.7, setting up DPI for FTP involved a multi-layered process with multiple policy maps and class maps. You had to create:
1. **L7 class maps** to define application-layer conditions (FTP commands).
2. **L7 policy maps** to apply the actions based on those conditions.
3. **L3/L4 class maps** to match traffic flows using access control lists (ACLs) or specific protocols/ports.
4. **L3/L4 policy maps** to bring together the L3/L4 and L7 configurations.
5. Finally, apply the L3/L4 policy map to the ASA interface.

This required multiple steps and a good understanding of both layer-specific configurations and ASA’s hierarchical policy structure.

---

### The New Way (Post-9.7 ASA)

With ASA version 9.7 and later, Cisco streamlined the deep packet inspection process and enhanced the ability to manipulate traffic at Layer 7. While the core concepts remain the same (layered policy maps and class maps), there are key changes that make the configuration easier and more powerful:

1. **Simplified Class Maps & Policy Maps:**
   Instead of having separate configurations for L7 (application layer) and L3/L4 (network/transport layers), ASA Post-9.7 allows a more direct and simplified approach by reducing the number of objects you need to configure.

2. **Unified Inspection:**
   Now you can inspect protocols like FTP directly with built-in application protocol inspection engines. ASA 9.7 introduced **Application Layer Protocol Inspection** (such as the FTP engine) that parses FTP commands automatically, without needing as many manual definitions.

3. **Advanced Command Inspection:**
   Post-9.7, Cisco ASA introduced the ability to inspect specific FTP commands directly in a more concise manner. You can now reset specific FTP commands with less configuration complexity.

---

### Step-by-Step: FTP Inspection on ASA Post-9.7

Let’s walk through a configuration where the goal is to reset FTP sessions that carry certain FTP commands sent to a protected FTP server in the DMZ, while the client is on the external network.

#### 1. **Define the FTP Commands to Inspect (Layer 7 Class Map and Policy Map)**

In this step, we define an **L7 class map** that matches specific FTP commands (e.g., PUT or DELETE, which may be undesirable on this server) and an **L7 policy map** that resets any FTP session in which those commands appear.

```
! L7 class map: the FTP commands to act on. The ASA keyword "put" matches
! the STOR verb on the wire and "dele" matches DELE.
class-map type inspect ftp FTP_CMD_CLASS
  match request-command put dele
!
! L7 policy map: reset (and log) any FTP session that sends a matched command.
policy-map type inspect ftp FTP_POLICY
  class FTP_CMD_CLASS
    reset log
```

Here, the `match request-command` line defines which FTP commands trigger the `reset` action in the policy map. In this case, the ASA will reset any FTP session where the client tries to use the `PUT` (STOR) or `DELETE` (DELE) command. Note that `USER` is not a `request-command` keyword; usernames are matched with a separate `match username` statement, and resetting on `USER` would tear down every login.

#### 2. **Create an Access Control List (ACL) for FTP Traffic (L3/L4 Class Map)**

Next, we define an ACL to match FTP traffic destined for our FTP server in the DMZ. The ACL will match based on the destination IP address of the FTP server.

```
access-list FTP_TRAFFIC_ACL extended permit tcp any host 192.168.2.10 eq ftp
```

This ACL matches traffic from any external source (FTP client) destined for the FTP server at `192.168.2.10` on TCP port 21, the FTP control channel. Used inside a class map, the ACL classifies traffic for inspection; it does not by itself permit the traffic through the interface. The FTP inspection engine learns the data channel (active or passive) from the commands it sees on the control channel, so only the control port needs to be matched here.

#### 3. **Create the L3/L4 Class Map to Match the ACL**

Now we create a class map to match the traffic defined by the ACL. This is required because L7 policy maps cannot be applied directly to an interface.

```
class-map FTP_TRAFFIC_CLASS
  match access-list FTP_TRAFFIC_ACL
```

This class map tells the ASA to match any traffic that meets the conditions in the ACL we created earlier.

#### 4. **Create the L3/L4 Policy Map to Apply the L7 Inspection**

Next, we bind everything together in a policy map. This policy map will inspect FTP traffic (as matched by the class map) and apply the FTP inspection policy.

```
policy-map FTP_INSPECT_POLICY
  class FTP_TRAFFIC_CLASS
    inspect ftp strict FTP_POLICY
```

Here, we tell the ASA to inspect the FTP traffic using the `FTP_POLICY` we defined earlier, which resets sessions that carry the matched FTP commands. The `strict` keyword is required to attach an FTP inspection policy map; it also enforces the correct command/reply sequence on the control channel, which can break FTP clients that are not strictly RFC-compliant, so test it against the clients you need to support before rolling it out.

#### 5. **Apply the Policy Map to the Outside Interface**

Finally, we apply the L3/L4 policy map to the **outside** interface of the ASA, where traffic from FTP clients will enter.

```
service-policy FTP_INSPECT_POLICY interface outside
```

This step ensures that any FTP traffic coming into the ASA on the outside interface is inspected according to the policies we’ve set up.
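To make the effect of steps 1 to 5 concrete, here is an added example (not Cisco code and not part of the original post) that models the reset decision of the L7 policy: it replays constructed FTP control-channel transcripts and reports the client command the `reset` action would fire on. The keyword-to-verb table is an assumption taken from the ASA FTP inspection documentation, and the transcripts are constructed for the DMZ server used in the post.

```python
"""Model of the reset decision the FTP inspection policy above makes.
Added example, not Cisco code: replays constructed control-channel
transcripts and reports the client command the reset action fires on."""
from typing import Optional

# Keywords accepted by `match request-command` and the FTP verb each matches
# on the wire (assumption: from the ASA FTP inspection documentation; note
# that the ASA names STOR and RETR "put" and "get").
ASA_REQUEST_COMMANDS = {
    "appe": "APPE", "cdup": "CDUP", "dele": "DELE", "get": "RETR",
    "help": "HELP", "mkd": "MKD", "put": "STOR", "rmd": "RMD",
    "rnfr": "RNFR", "rnto": "RNTO", "site": "SITE", "stou": "STOU",
}

def wire_verbs(keywords):
    """Map policy keywords such as ["put", "dele"] to the FTP verbs that
    trigger the reset. Keywords the ASA does not know (e.g. USER, which
    needs `match username` instead) are rejected rather than ignored."""
    verbs = set()
    for kw in keywords:
        if kw.lower() not in ASA_REQUEST_COMMANDS:
            raise ValueError(f"not a request-command keyword: {kw}")
        verbs.add(ASA_REQUEST_COMMANDS[kw.lower()])
    return verbs

def first_reset(transcript, keywords) -> Optional[str]:
    """Walk a transcript ("C: " client lines, "S: " server replies) in order
    and return the first client line the policy resets on, or None when the
    session passes. The ASA tears the whole session down at that point."""
    verbs = wire_verbs(keywords)
    for line in transcript:
        if not line.startswith("C: "):
            continue  # server replies never match request-command
        verb = line[3:].split(" ", 1)[0].upper()
        if verb in verbs:
            return line
    return None

# Constructed transcripts against the DMZ server 192.168.2.10 from the post.
LOGIN = ["C: USER alice", "S: 331 Password required", "C: PASS ******",
         "S: 230 Login successful", "C: TYPE I", "C: PASV"]
DOWNLOAD_SESSION = LOGIN + ["C: RETR report.pdf", "S: 150 Opening data conn"]
UPLOAD_SESSION = LOGIN + ["C: STOR upload.bin"]
DELETE_SESSION = LOGIN + ["C: CWD /logs", "S: 250 OK", "C: DELE audit.log"]

if __name__ == "__main__":
    for name, s in [("download", DOWNLOAD_SESSION), ("upload", UPLOAD_SESSION),
                    ("delete", DELETE_SESSION)]:
        print(name, "->", first_reset(s, ["put", "dele"]) or "passes")
```

The download session passes untouched while the upload and delete sessions are reset at STOR and DELE respectively, which is the behaviour the five steps above configure.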

---

### Key Improvements in ASA Post-9.7

- **Streamlined Policy Configuration:** Instead of multiple, convoluted steps, ASA 9.7 and later allows for a more intuitive and direct configuration of deep packet inspection policies.
- **Improved Command Matching:** The ability to match and reset specific FTP commands in a single line under the L7 policy map makes the configuration much easier.
- **Simplified Protocol Inspection:** With enhanced protocol inspection engines, ASA can now natively inspect and manipulate many application-layer protocols without requiring as much manual configuration.
- **More Efficient Packet Handling:** The architecture improvements reduce overhead, making packet inspection more efficient.

---

### Conclusion

With Cisco ASA Post-9.7, configuring deep packet inspection for protocols like FTP has become a much simpler and more efficient process. By utilizing unified class and policy maps, ACLs, and the ability to inspect and manipulate specific FTP commands, network administrators can quickly secure FTP traffic and take actions like resetting undesirable commands. The shift from the older, more complex configurations to the more streamlined process of Post-9.7 versions makes managing DPI on ASA both user-friendly and powerful. 

Whether you're safeguarding sensitive servers in your DMZ or simply enforcing better security policies, ASA's improvements make securing FTP traffic much easier.
