Blocking Instant Messaging Services on Cisco ASA Post-9.7: A Modern Approach

Blocking Instant Messaging Services on Cisco ASA Post-9.7

With the rise of Instant Messaging (IM) applications such as Microsoft MSN and Yahoo IM, managing the security risks associated with their various services (chat, conferencing, file transfer, webcam, etc.) is crucial. These services can expose your network to potential vulnerabilities, such as malicious file uploads or unauthorized access to sensitive data.

Before Cisco ASA 9.7, blocking IM required complex Modular Policy Framework (MPF) and Layer-7 configurations. Post-9.7, FirePOWER NGFW capabilities dramatically simplify this process.

📉 Why the Old Approach Was Challenging ➕

• Multiple L7 class-maps and policy-maps were required
• Each IM feature needed separate inspection logic
• User-specific blocks required additional handling
• High operational complexity and maintenance overhead

Legacy MPF-based IM blocking was powerful but fragile and difficult to scale.

🚀 Modern Approach: FirePOWER Post-9.7 ➕

FirePOWER introduces Application Visibility and Control (AVC), allowing IM traffic to be identified and controlled at the application and sub-application level.

INTERNAL USER | v [ ASA DATA PLANE ] | v [ FirePOWER AVC Engine ] | +--> Application: MSN / Yahoo IM | +--> Chat → ALLOW +--> File Tx → BLOCK +--> Webcam → BLOCK +--> Conference → BLOCK

FirePOWER understands IM behavior natively—no protocol decoding required.

🔒 Blocking Specific IM Services ➕

Using FirePOWER Application Filtering, you can selectively block high-risk IM services while permitting basic chat functionality.

• Create or modify an Access Control Policy
• Set Source Zone: Inside
• Set Destination Zone: Outside
• Select MSN and Yahoo IM applications
• Block File Transfer, Webcam, Conference, Games
• Deploy the policy

RULE #10 (GENERAL USERS) ---------------------------------- Source: Inside Destination: Internet Application: MSN / Yahoo IM Action: - Chat → ALLOW - File Tx → BLOCK - Webcam → BLOCK

🚫 Blocking a Specific User Completely ➕

FirePOWER allows IP-based and application-based logic to be combined seamlessly.

• Create a higher-priority Access Control Rule
• Match the specific user’s IP address
• Block all IM applications
• Place the rule above the general IM rule

RULE #1 (SPECIFIC USER) ---------------------------------- Source IP: 192.168.10.25 Application: ALL IM Action: BLOCK ⬇ (Rule Order) RULE #10 (ALL USERS) ---------------------------------- IM with limited features

Rule order is critical. User-specific deny rules must be evaluated first.

📊 Monitoring & Reporting ➕

• View blocked IM traffic under Analysis → Connections → Events
• Filter by application (MSN, Yahoo IM)
• Monitor bypass attempts via Intrusion → Events
• Set alerts for repeated violations

FirePOWER provides forensic-level visibility unavailable with legacy ASA inspection.

✅ Key Takeaways

• FirePOWER replaces complex MPF L7 inspection
• Granular IM service control is native and scalable
• User-specific and application-specific logic coexist cleanly
• Rule order determines enforcement accuracy
• Post-9.7 ASA offers visibility, not just blocking

Cisco ASA Post-9.7 • FirePOWER NGFW • IM Control Done Right

Blocking HTTP Tunneling on Cisco ASA Post-9.7: A Modern Approach

HTTP tunneling has become a common technique used by applications to bypass network restrictions and facilitate communication over HTTP. While this can be useful for legitimate applications, it can also pose significant security risks by allowing unauthorized traffic to traverse the network undetected. In previous versions of Cisco Adaptive Security Appliance (ASA), blocking such applications required complex configurations using the Modular Policy Framework (MPF). However, with the advent of ASA post-9.7, Cisco has streamlined the process through its advanced FirePOWER capabilities.

In this blog, we will explore how to effectively block HTTP tunneling using modern methods on Cisco ASA post-9.7, focusing on inspecting traffic sourced from a Proxy server located in the DMZ.

### Understanding HTTP Tunneling

HTTP tunneling allows applications to encapsulate their data within HTTP packets, which can make it difficult to identify the underlying traffic. This can lead to security vulnerabilities, as malicious users can exploit this method to circumvent firewalls and other security measures.

Typical signs of HTTP tunneling include:

- **Increased Header Count**: Tunneling applications often add additional header information that is not present in standard HTTP traffic.

- **Long Host Fields**: The `Host` header in tunneled traffic tends to be longer than in typical HTTP requests, as it may include additional information about the tunneled application.

### Why Move Away from the Old Method?

Previously, blocking HTTP tunneling on Cisco ASA involved manually configuring MPF to inspect the number of headers and the length of the `Host` field. This approach was complicated and required detailed knowledge of the traffic patterns.

The limitations of the old method included:

- **Complex Configurations**: Setting up MPF to accurately inspect HTTP headers and lengths required intricate policies and was prone to misconfiguration.

- **Difficulty in Maintenance**: Changes in traffic patterns or the introduction of new tunneling methods necessitated frequent updates to the MPF configurations.

- **Limited Visibility**: The old method offered limited insight into what was actually being blocked or allowed.

### Modern Approach: Cisco ASA Post-9.7

With Cisco ASA post-9.7, the introduction of the **FirePOWER module** allows for more efficient detection and blocking of tunneling applications. The FirePOWER Next-Generation Firewall (NGFW) capabilities include advanced application visibility, enhanced inspection, and intelligent threat prevention.

### Steps to Block HTTP Tunneling Using FirePOWER

Here’s how you can effectively block HTTP tunneling sourced from a Proxy server in the DMZ using Cisco ASA post-9.7.

#### 1. **Access the FirePOWER Management Center (FMC)**

To configure blocking for HTTP tunneling, you will need to access the FirePOWER Management Center. Ensure you have the necessary permissions to make configuration changes.

#### 2. **Create an Access Control Policy**

You’ll need to create or modify an existing access control policy that inspects traffic coming from the Proxy server in the DMZ.

- Navigate to **Policies > Access Control** in FMC.

- Create a new access control policy or edit an existing one that applies to traffic from the DMZ interface.

#### 3. **Define Traffic Source and Destination**

When creating the access control rule, define the source as the Proxy server's IP address located in the DMZ and specify the appropriate destination (e.g., internal servers, internet).

- **Source**: Proxy Server IP (DMZ)

- **Destination**: Internal Web Server or Internet (depending on your policy)

#### 4. **Inspect HTTP Traffic**

To detect HTTP tunneling, you need to enable HTTP inspection. This will allow FirePOWER to analyze HTTP headers more thoroughly.

- In the access control rule, ensure that you enable the **HTTP inspection** option.

- You can set it to **“block”** if it detects abnormal patterns, such as a high number of headers or an unusually long `Host` field.

#### 5. **Create a Custom Application Control Rule**

FirePOWER’s application control capabilities allow you to define rules based on application behavior.

- Navigate to **Policies > Application Control**.

- Create a new rule that specifically looks for signs of HTTP tunneling:

  - **Conditions**: Check for high header counts and long `Host` field lengths.

  - You can use application signatures that identify tunneling protocols or suspicious HTTP behavior.

#### 6. **Monitor HTTP Header Count and Host Field Length**

To monitor and block traffic based on HTTP header counts and the length of the `Host` field, you might need to configure intrusion policies:

- Go to **Policies > Intrusion**.

- Create an intrusion policy that includes rules to monitor HTTP requests for:

  - **High header counts**: Set a threshold for the maximum number of headers allowed in an HTTP request.

  - **Length of `Host` header**: Specify a maximum length for the `Host` header that would be considered normal.

#### 7. **Deploy the Configuration**

Once you have configured the access control policy, application control rules, and intrusion policy, deploy the changes to the ASA device.

- Go to **Policies > Access Control** and hit the **Deploy** button.

- Ensure that the changes are applied to the DMZ interface where the Proxy server is located.

### 8. **Monitoring and Reporting**

After deploying the policies, you need to actively monitor the traffic for any potential tunneling attempts. FirePOWER provides robust logging and reporting capabilities:

- Navigate to **Analysis > Connections** to view HTTP traffic logs.

- Under **Analysis > Intrusion > Events**, check for any intrusion events that may indicate tunneling attempts.

You can also set up alerts for when specific thresholds are met, allowing you to take proactive measures.

### Conclusion

Blocking HTTP tunneling in Cisco ASA post-9.7 has become significantly easier and more efficient with the integration of FirePOWER’s advanced features. By using access control policies, application control rules, and intrusion prevention capabilities, network administrators can effectively identify and mitigate the risks associated with HTTP tunneling.

This modern approach not only simplifies the configuration process but also enhances visibility into the traffic traversing your network, allowing you to enforce stricter security policies while maintaining essential connectivity for legitimate applications.

If you are still relying on older methods, upgrading to ASA version 9.7 or later and leveraging the FirePOWER module is highly recommended to better secure your network against unauthorized tunneling and other threats.