Before ASA version 9.7, configuring DPI for HTTP traffic meant using global policies built from `class-map` and `policy-map` configurations that focused on Layer 7 traffic such as HTTP and matched specific fields like the `User-Agent` header. That method still works, but post-9.7 versions of the ASA software have refined it considerably, offering a more streamlined and flexible approach to DPI.
### What's New Post-9.7?
Starting with ASA 9.7 and beyond, Cisco introduced several enhancements that simplify and extend the capabilities of DPI. These improvements include:
- **Unified Threat Defense (UTD):** This feature integrates advanced security services like Cisco’s Next-Generation Intrusion Prevention System (NGIPS) and deep packet inspection under one framework.
- **Flexible Layer 7 Inspection:** ASA now supports more granular inspection policies for specific protocols and applications. The matching engine can analyze packet payloads more accurately by focusing on specific protocol details like HTTP headers.
- **Improved Regular Expression (Regex) Support:** Post-9.7 versions of ASA allow for more flexible and optimized regex matching, improving performance when identifying patterns such as `User-Agent` strings.
Now, let’s go through the modern approach to configuring deep packet inspection for HTTP traffic in ASA, specifically targeting the `User-Agent` field in HTTP headers to identify peer-to-peer (P2P) software.
### Step 1: Define a Layer 7 Class Map for HTTP
The first step is to create a **Layer 7 class map** that matches specific HTTP traffic. In this case, we’ll focus on inspecting the `User-Agent` field to identify traffic from peer-to-peer software.
Here’s a configuration example:
```
! Define a regex object holding the P2P User-Agent patterns
regex P2P_USER_AGENTS .*(BitTorrent|uTorrent|FrostWire|Deluge).*
! Define a Layer 7 class map for HTTP traffic
class-map type inspect http match-any L7_P2P_HTTP_USER_AGENT
 match request header user-agent regex P2P_USER_AGENTS
```
In the above configuration:
- `regex P2P_USER_AGENTS ...` creates a named regular-expression object. The `match` command refers to regex objects by name rather than accepting a pattern inline; if you need several patterns, you can group regex objects in a `class-map type regex match-any` and reference that instead.
- `class-map type inspect http match-any` defines the class map for HTTP inspection.
- `match request header user-agent regex P2P_USER_AGENTS` matches the `User-Agent` header of HTTP requests against that regex object, i.e., it looks for the strings BitTorrent, uTorrent, FrostWire or Deluge anywhere in the header value.
### Step 2: Define a Layer 7 Policy Map
Next, we need to define a **Layer 7 policy map** that will apply actions to the matched HTTP traffic.
```
! Define a policy map that takes action on matched P2P HTTP traffic
policy-map type inspect http L7_HTTP_POLICY
 class L7_P2P_HTTP_USER_AGENT
  drop-connection log
```
In this configuration:
- `policy-map type inspect http` defines the policy for HTTP inspection.
- `class L7_P2P_HTTP_USER_AGENT` specifies that this policy applies to the traffic matched by the previously defined `class-map`.
- `drop-connection log` instructs the ASA to drop the packet, close the connection and log the event for further analysis. You can change this action depending on your needs: `reset log` additionally sends a TCP reset to the client and server, and `log` on its own only records the match without blocking it.
### Step 3: Apply Policy to the Service Policy
Once the Layer 7 policy is configured, it needs to be applied globally to ensure that HTTP traffic from all directions is inspected. The following commands integrate this policy into the ASA’s global service policy.
```
! Apply the Layer 7 policy to the global service policy
policy-map global_policy
 class inspection_default
  inspect http L7_HTTP_POLICY
```
In this step:
- `policy-map global_policy` refers to the global policy that applies to all traffic passing through the ASA.
- `class inspection_default` ensures the default inspection for protocols such as HTTP, SMTP, etc., remains in place.
- `inspect http L7_HTTP_POLICY` enables HTTP inspection with the custom policy map defined earlier, so every HTTP flow matched by `inspection_default` is checked against it.
The global policy only takes effect because it is attached to all interfaces with `service-policy global_policy global`; that line is part of the ASA's default configuration, and you can confirm it is still present with `show running-config service-policy`.
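As an added illustration (not code from the original post or from Cisco), the following Python emulates the match-and-action logic of the class map and policy map above on constructed HTTP requests, so you can see which requests the regex catches before deploying it: the header name is matched case-insensitively, the pattern itself is case-sensitive, and a request without a `User-Agent` header is not matched at all. The class and policy names are those from the configuration; the log line is a simplified rendering, not the exact ASA syslog format.

```python
import re
from typing import Optional, Tuple

# Host-side emulation of the ASA HTTP inspection configured on this page.
# The regex is the page's P2P User-Agent pattern (the leading/trailing .* is
# redundant for an unanchored search, as it is on the ASA).
P2P_USER_AGENTS = re.compile(r"(BitTorrent|uTorrent|FrostWire|Deluge)")
CLASS_NAME = "L7_P2P_HTTP_USER_AGENT"
POLICY_NAME = "L7_HTTP_POLICY"


def get_header(raw_request: bytes, name: str) -> Optional[str]:
    """Return a request header value; header names are case-insensitive."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


def inspect_http_request(raw_request: bytes, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Emulate the class-map/policy-map decision: return the action the ASA
    would take and a (simplified) log line, or ("allow", None)."""
    ua = get_header(raw_request, "User-Agent")
    if ua is None or not P2P_USER_AGENTS.search(ua):
        return ("allow", None)
    log = (f"HTTP - matched Class {CLASS_NAME} in policy-map {POLICY_NAME}, "
           f"header matched, drop connection from {src} to {dst}")
    return ("drop-connection", log)


# Constructed sample requests (not captured traffic).
P2P_REQUEST = (b"GET /announce HTTP/1.1\r\n"
               b"Host: tracker.example\r\n"
               b"user-agent: uTorrent/3.5.5\r\n\r\n")       # lower-case header name
BENIGN_REQUEST = (b"GET / HTTP/1.1\r\n"
                  b"Host: www.example\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
NO_UA_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"

if __name__ == "__main__":
    for req in (P2P_REQUEST, BENIGN_REQUEST, NO_UA_REQUEST):
        print(inspect_http_request(req, "inside:10.0.0.5/51234", "outside:203.0.113.9/80"))
```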
### Step 4: Verify the Configuration
After configuring the inspection policies, you can verify their functionality using the following commands:
```
show running-config policy-map type inspect http
show service-policy inspect http
show logging | include L7_HTTP_POLICY
```
These commands will allow you to:
- View the current HTTP inspection policies.
- Confirm that the global service policy is actively inspecting HTTP traffic.
- Check the ASA’s log for any matches of the `User-Agent` patterns you configured.
### Step 5: Monitor and Tune the Policy
Once the configuration is active, it's essential to monitor how it affects traffic and network performance. Use logging and monitoring tools on the ASA to track blocked connections and analyze traffic patterns. Fine-tune the regex expressions or the actions in the policy map as necessary.
For instance, you may want to allow certain P2P traffic in specific scenarios or block new types of traffic based on changing patterns in the `User-Agent` field.
### Conclusion
With ASA post-9.7, deep packet inspection for HTTP traffic becomes more efficient and flexible, particularly when you need to identify peer-to-peer software based on `User-Agent` strings. The improvements in regular expression support and the unified inspection engine allow administrators to craft highly specific inspection policies that can block or log unwanted traffic.
By following the steps outlined above, you can leverage the advanced capabilities of modern ASA software to effectively control HTTP traffic and enforce security policies based on application-layer details.
**Key Points Recap:**
- **Layer 7 Class Map:** Matches HTTP traffic based on the `User-Agent` field using regex.
- **Layer 7 Policy Map:** Defines the action for the matched traffic (e.g., drop-connection, reset, log).
- **Global Policy Application:** Applies the custom Layer 7 inspection policy to HTTP traffic globally.
- **Monitoring and Tuning:** Ensures the policies perform as expected, allowing for necessary adjustments.
By utilizing the enhanced inspection features in ASA 9.7 and later, organizations can better protect their networks from unauthorized peer-to-peer applications and other unwanted traffic.