Tuesday, September 24, 2024

Modern HTTP Protocol Compliance and Security on Cisco ASA Post-9.7

In the past, HTTP deep protocol inspection on a Cisco Adaptive Security Appliance (ASA) meant a lot of hand-written configuration: Modular Policy Framework (MPF) service policies with Layer 7 (L7) class maps and `inspect http` policy maps. That was the only way to enforce protocol compliance, drop unneeded HTTP methods and hide server banners from the Internet. On ASA releases from 9.7 onward the practical answer is different: hand the HTTP traffic to the ASA FirePOWER (SFR) services module, or run Firepower Threat Defense (FTD), and manage the inspection centrally from the Firepower Management Center (FMC).

In this blog, we’ll look at how these tasks — enforcing HTTP protocol compliance, restricting HTTP methods, and protecting web servers — are handled in Cisco ASA post-9.7 using the FirePOWER module or Next-Generation Firewall (NGFW) capabilities.

### Why Move Away from the Old Method?

Before delving into the modern approach, it’s essential to understand why the old method had its limitations:
- **Complex Configuration**: The previous method required detailed configurations for L7 inspection, access lists, and various MPF policies, making it time-consuming and prone to human error.
- **Protocol Evolution**: The HTTP protocol has evolved significantly, and administrators often found themselves adjusting configurations as new methods were introduced.
- **Banner Masking**: Masking server banners required specific parameter checks in L7 policy maps, which, while effective, was not always intuitive.

### The Modern Approach: Cisco ASA Post-9.7

Cisco ASA post-9.7 integrates advanced security features through the **FirePOWER** module and Next-Generation Firewall (NGFW) capabilities. These provide a more streamlined way to enforce HTTP protocol compliance, filter HTTP methods, and protect web servers. With these modules, deep protocol inspection is more efficient, rules are easier to manage, and security is enhanced.

Let’s walk through how you can achieve the same goals using modern techniques:

### 1. **HTTP Protocol Compliance and Banner Masking**

In the MPF approach, protocol compliance lived in an `inspect http` policy map that you wrote by hand. With the FirePOWER module, HTTP normalization and protocol checks are done by the HTTP Inspect preprocessor, configured in the network analysis policy, and the intrusion policy's rules then act on the normalized request and response buffers. Application control plays no part in this; it classifies the application, it does not validate the protocol.

#### Steps:
- **Open the Firepower Management Center (FMC)**: the module's access control, network analysis and intrusion policies are managed from FMC (or from ASDM's ASA FirePOWER pages on a module without FMC). The ASA itself only redirects traffic to the module.
  
- **Turn on HTTP normalization in the network analysis policy**:
  - Open the network analysis policy your access control policy uses (in recent FMC releases under **Policies > Intrusion**, **Network Analysis Policies** tab; older releases expose the same preprocessor under the intrusion policy's advanced settings).
  - In **HTTP Configuration**, keep the HTTP Inspect preprocessor enabled for the ports your server listens on, and enable header and cookie normalization, response inspection, and header and URI length limits that fit your application. This is what catches malformed requests, bare-LF line endings and oversized headers before the signature engine sees them.
  - In the intrusion policy, enable the HTTP Inspect preprocessor rules (generator ID 119 for client-side anomalies, 120 for server-side) and set the ones you care about to **Drop and Generate Events**. Without those rules enabled the preprocessor still normalizes traffic for the other rules, but a malformed request raises nothing and is not dropped.

- **Banner Masking**:
  - The FirePOWER module inspects and can alert or drop; it does not rewrite HTTP responses, so there is no "banner obfuscation" switch to turn on. A header such as `Server: Apache/2.4.57 (Ubuntu)` leaves the box exactly as the server sent it.
  - Suppress the banner at the source instead: `ServerTokens Prod` and `ServerSignature Off` on Apache httpd, `server_tokens off` on nginx, `removeServerHeader="true"` in the request-filtering settings of IIS 10, and remove framework headers such as `X-Powered-By` in the application. Use the module to verify rather than to mask: a custom intrusion rule on the `http_header` buffer that alerts on a version string in `Server:` tells you when a server slips back into disclosure.

After configuring, attach the intrusion policy to the access control rule that matches your web server traffic (next sections) and deploy the access control policy to the module; an intrusion policy is not deployed on its own.

### 2. **Allow Only GET and POST HTTP Methods**

In the traditional approach, restricting methods meant an HTTP inspection class map with negated `match not request method` entries, so that anything other than GET and POST was dropped. FMC's access control rules have no HTTP-method condition (application and URL conditions never look at the method), so on the FirePOWER module the allow-list is enforced by the intrusion policy instead.

#### Steps:
- **Create or edit the Access Control Policy**:
  - In **FMC**, navigate to **Policies > Access Control**.
  - Edit the policy deployed to the module, or create one dedicated to the web server, and add an Allow rule whose destination is the web server (detailed in the next section).

- **Enforce the method allow-list in the intrusion policy**:
  - Add a custom intrusion rule (**Objects > Intrusion Rules**) for traffic to `$HTTP_SERVERS` on `$HTTP_PORTS` that fires when the `http_method` buffer contains neither `GET` nor `POST`, and set it to **Drop and Generate Events** in the intrusion policy attached to the rule.
  - `PUT`, `DELETE`, `OPTIONS`, `TRACE` and made-up methods are then dropped. `HEAD` is dropped too, so add it to the allow-list if monitoring or load balancer health checks depend on it.

- **Deploy the Policy**:
  - Enable **Drop when Inline** in the intrusion policy and make sure the module runs inline rather than in monitor-only mode; otherwise "Drop" rules only alert and every method still reaches the server.
  - Deploy the access control policy to the device, then confirm from outside the firewall that a `TRACE` or `OPTIONS` request is reset while `GET` and `POST` still succeed. A `405 Method Not Allowed` means the web server rejected it, not the firewall.
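The checks in sections 1 and 2 are easier to reason about when you can run them yourself. The Python script below is an added example written for this post; it is not Cisco code and not a model of Snort's preprocessor. It applies the same class of checks an inline inspector applies (request-line syntax, bare LF line endings, missing `Host`, duplicate or conflicting framing headers, the GET/POST allow-list) to constructed requests, reports which response headers still disclose the server product, and includes a probe you can point at your own server from outside the firewall after deployment. The allow-list, the header names treated as disclosing, the sample requests and the hostname `www.example.com` are assumptions to adapt.

```python
"""Added example for this post: HTTP compliance checks, not Cisco or Snort code."""
import re
import sys
from typing import Dict, List

ALLOWED_METHODS = {"GET", "POST"}            # assumption: the post's allow-list
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 token
VERSION = re.compile(r"^HTTP/1\.[01]$")
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def _split_head(raw: bytes):
    # Split a raw message into (decoded header block, terminated?, body).
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1"), bool(sep), body


def validate_request(raw: bytes) -> List[str]:
    """Return the violations in one raw request; [] means compliant and allowed."""
    problems: List[str] = []
    head, terminated, _body = _split_head(raw)
    if not terminated:
        problems.append("header block not terminated by CRLF CRLF")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:                      # also catches a bare LF after the request line
        problems.append("malformed request line: %r" % lines[0])
        return problems
    method, _target, version = parts
    if not TOKEN.match(method):
        problems.append("method is not a valid token: %r" % method)
    elif method not in ALLOWED_METHODS:
        problems.append("method not in allow-list: %s" % method)
    if not VERSION.match(version):
        problems.append("unsupported HTTP version: %r" % version)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if "\n" in line:                     # bare LF inside the header block
            problems.append("bare LF in header line: %r" % line)
            continue
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):   # rejects "Content-Length : 5" as well
            problems.append("malformed header line: %r" % line)
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    if version == "HTTP/1.1" and "host" not in headers:
        problems.append("HTTP/1.1 request without Host header")
    if len(headers.get("content-length", [])) > 1:
        problems.append("duplicate Content-Length headers")
    if "content-length" in headers and "transfer-encoding" in headers:
        problems.append("Content-Length and Transfer-Encoding both present (request smuggling pattern)")
    return problems


def disclosed_banners(raw_response: bytes) -> Dict[str, str]:
    """Return the fingerprintable headers a response still carries."""
    head, _terminated, _body = _split_head(raw_response)
    found: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() in DISCLOSING_HEADERS:
            found[name.strip().lower()] = value.strip()
    return found


def banner_is_masked(raw_response: bytes) -> bool:
    """True when at most a bare Server product name (no version digits) is disclosed."""
    return all(name == "server" and not re.search(r"\d", value)
               for name, value in disclosed_banners(raw_response).items())


def probe_methods(host: str, port: int = 80, path: str = "/") -> Dict[str, str]:
    """Send each method to a live server; a dropped method shows as reset/timeout, not 405."""
    import http.client
    results: Dict[str, str] = {}
    for method in ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path, headers={"Host": host})
            results[method] = str(conn.getresponse().status)
        except (OSError, http.client.HTTPException) as exc:
            results[method] = "blocked (%s)" % type(exc).__name__
        finally:
            conn.close()
    return results


SAMPLE_REQUESTS = {                          # constructed samples, not captured traffic
    "clean GET": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "TRACE": b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "CL+TE": b"POST / HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
}
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Ubuntu)\r\nX-Powered-By: PHP/8.1\r\n\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # python3 http_policy_check.py www.example.com
        for method, outcome in probe_methods(sys.argv[1]).items():
            print("%-8s %s" % (method, outcome))
    else:
        for label, raw in SAMPLE_REQUESTS.items():
            print("%-10s %s" % (label, validate_request(raw) or "compliant"))
        print(disclosed_banners(SAMPLE_RESPONSE), "masked:", banner_is_masked(SAMPLE_RESPONSE))
```

Run it without arguments to see the constructed samples classified, or with a hostname to send every method to a live server. The useful signal in the live run is the failure mode: a method the module drops comes back as a connection reset or a timeout, while a `405` means the request reached the web server and the server itself refused it, which is exactly the case the method allow-list is supposed to prevent.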

### 3. **Protecting the Web Server with Access Control**

Protecting your web server requires applying access controls that define which traffic can reach your server, typically based on source IPs, ports, and protocols. The key difference post-9.7 is that this protection is now integrated with the FirePOWER NGFW capabilities, making it easier to define these rules.

#### Steps:
- **Create an Access Control Rule**:
  - In **FMC**, under **Policies > Access Control**, add an Allow rule for the web server.
  - Set the **source zone** to the security zone that contains the ASA's outside interface and the **destination** to a network object for the web server's IP address.
  - Under **Ports**, select the destination ports the server actually listens on: TCP 80 and, if it serves HTTPS, TCP 443. The module cannot inspect HTTP inside TLS without an SSL policy that decrypts it, so for an HTTPS site the intrusion policy only sees the handshake unless you decrypt inbound sessions with the server's private key (the **Decrypt - Known Key** action).

- **Attach the inspection policies**:
  - On the rule's **Inspection** tab, select the intrusion policy from step 1 and the network analysis policy that carries the HTTP normalization settings, so only compliant traffic reaches the web server.
  - Add a file policy if the server accepts uploads. URL filtering categorizes destinations your users browse to; it adds nothing to an inbound rule whose destination is your own server.

- **Redirect traffic to the module and deploy**:
  - Access control rules match on security zones, not on ASA interfaces, and the module only sees what the ASA sends it. On the ASA, a service policy (global or on the outside interface) with the `sfr fail-open` or `sfr fail-close` action decides which flows are redirected; traffic that is not redirected is never inspected by FirePOWER. Check with `show module sfr` and `show service-policy sfr`.
  - Deploy the access control policy from FMC. FMC pushes it to the module; it does not create the ASA-side redirection for you.

### 4. **Monitoring and Logging**

With the modern approach, FirePOWER gives you centralized logging for the HTTP inspection rules, provided the rules are set to log; nothing is recorded for a rule whose logging is off.

- **Monitor HTTP Traffic**: enable **Log at Beginning of Connection** or **Log at End of Connection** on the rule's **Logging** tab, then use **Analysis > Connections > Events** in FMC to see allowed and blocked connections to the server, with the **Reason** column showing when an intrusion event dropped one.
- **Intrusion Events**: **Analysis > Intrusion > Events** lists the HTTP Inspect preprocessor events (generator IDs 119 and 120) and hits on the custom method rule, together with the packet that triggered each one.

This visibility is how you tell an attack attempt from a misconfiguration: a burst of preprocessor events from one source is probing, while the same event from every client after a deployment usually means a normalization setting is stricter than your application.

### Conclusion

Using the FirePOWER module with Cisco ASA post-9.7 simplifies HTTP protocol inspection and protection. Rather than maintaining MPF-based class maps, L7 policy maps and regex filters on each ASA, administrators manage the inspection centrally in the Firepower Management Center (FMC): normalization and protocol checks in the network analysis policy, the method allow-list and drop decisions in the intrusion policy, and the "who may reach the server" question in access control rules.

Two pieces stay outside FMC. The ASA still needs its `sfr` redirection in a service policy or the module sees nothing, and server banners are still removed at the web server, because the module inspects responses rather than rewriting them. With those in place, enforcing HTTP protocol compliance, filtering HTTP methods and protecting the web server is easier to manage and to audit than the old per-box configuration.

For administrators managing web servers behind Cisco ASA, upgrading to ASA 9.7 or later and adding the FirePOWER module (or moving to FTD) is the recommended path to these features.
