HTTP Deep Packet Inspection on ASA
Configure an HTTP policy to block sites that answer with Temporary Redirect (307), Use Proxy (305) or Moved Permanently
(301)
Can a redirection pose a security threat?
If you log in to a website or forum with one of your social accounts, the site has to redirect you back to the original
website once the authentication completes. An open-redirect bug lets an attacker redirect (mislead) users to
other malicious websites instead, so that the attacker indirectly obtains your credentials as well.
Example of how the status line looks: HTTP/1.x 300 OK
ciscoasa(config)#regex REDIRECTION_BLOCK "^3.."
ciscoasa(config)#class-map type inspect http BLOCK_REDIRECTION
ciscoasa(config-cmap)# match response status-line regex class REDIRECTION_BLOCK
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_REDIRECTION
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block Java applets
What is a Java applet?
Java applets are mini applications. They are developed in Java and run in a structured security environment in
which the developer can implement specific security rules for the applet to follow once it is downloaded to
a user's computer. Applets are downloaded into the user's computer RAM, so once the computer is
shut down or restarted, the applet goes away. However, only the applet is gone; the actions it took
while it was in RAM are not undone.
ciscoasa(config)#access-list 1 extended permit tcp any any eq 80
ciscoasa(config)#class-map type inspect http match-all BLOCK_JAVA_APPLET_CLASS
ciscoasa(config-cmap)# match access-list 1
ciscoasa(config-cmap)# match response body java-applet
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_JAVA_APPLET_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block ActiveX
What is ActiveX?
Once the ActiveX control is installed on a user’s computer, it can do anything the user can do. For example,
ActiveX controls can insert harmful code into the user’s operating system, surf company’s secure intranet,
change a user’s password(s), or retrieve documents off the user’s hard disk or network drives and then mail
ciscoasa(config)#access-list 1 extended permit tcp any any eq 80
ciscoasa(config)#class-map type inspect http match-all BLOCK_ACTIVEX_CLASS
ciscoasa(config-cmap)# match access-list 1
ciscoasa(config-cmap)# match response body active-x
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_ACTIVEX_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block the .exe file extension
How does the .exe file extension pose a security threat?
In Windows, executable programs have file extensions such as "exe", "vbs", "com" and "bat". Some actual trojan
filenames include "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs". Such files can harm your computer and steal
all your personal data.
ciscoasa(config)#regex BLOCK_FILE_EXTENSION ".*\.([Ee][Xx][Ee])"
ciscoasa(config)#regex CONTENT_TYPE "Content-Type"
ciscoasa(config)#class-map type inspect http match-all BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-cmap)#match response header regex CONTENT_TYPE regex BLOCK_FILE_EXTENSION
ciscoasa(config-cmap)#exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
OR
ciscoasa(config)#regex BLOCK_FILE_EXTENSION ".*\.([Vv][Bb][Ss])"
ciscoasa(config)#regex Content-Disposition "Content-Disposition"
ciscoasa(config)#class-map type inspect http match-all BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-cmap)#match response header regex Content-Disposition regex BLOCK_FILE_EXTENSION
ciscoasa(config-cmap)#exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class BLOCK_FILE_EXTENSION_CLASS
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to block any http/https site using the "host" option
What does the Host field in the HTTP header specify?
The Host request-header field specifies the Internet host and port number of the resource being requested, as
obtained from the original URI given by the user or referring resource (generally an HTTP URL).
Example of how an HTTP header looks:
POST /index.html HTTP/1.1 -- Status Line
Host: www.example.com -- Header
ciscoasa(config)# regex BLOCK_ANY_HTTP/HTTPS_SITE1 ".facebook.com"
ciscoasa(config)# regex BLOCK_ANY_HTTP/HTTPS_SITE2 ".gmail.com"
ciscoasa(config)# class-map type regex match-any BLOCK_SITES
ciscoasa(config-cmap)# match BLOCK_ANY_HTTP/HTTPS_SITE1
ciscoasa(config-cmap)# match BLOCK_ANY_HTTP/HTTPS_SITE2
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map type inspect http match-all BLOCK_SITES_CLASS
ciscoasa(config-cmap)# match request header host regex class BLOCK_SITES
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map type regex match-any URLBlockList
ciscoasa(config)# class-map type inspect http match-all BlockURLsClass
ciscoasa(config-cmap)# match request uri regex class URLBlockList
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# protocol-violation action drop-connection
ciscoasa(config-pmap)# class BLOCK_SITES_CLASS
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap)# class BlockURLsClass
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to allow only requests that accept the English language
ciscoasa(config)#regex LANGUAGES_USER_EXPECT_THE_PAGE_IN "([Ee][Nn])"
ciscoasa(config)#class-map type inspect http LANGUAGES_USER_EXPECT_THE_PAGE_IN_CLASS
ciscoasa(config-cmap)# match not request header accept-language regex class LANGUAGES_USER_EXPECT_THE_PAGE_IN
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class LANGUAGES_USER_EXPECT_THE_PAGE_IN_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
Configure an HTTP policy to allow only the .zip/.rar compression methods
ciscoasa(config)#regex COMPRESSION_SUPPORTED_BY_USER ".([Zz][Ii][Pp]|[Rr][Aa][Rr])"
ciscoasa(config)#class-map type inspect http COMPRESSION_SUPPORTED_BY_USER_CLASS
ciscoasa(config-cmap)# match not request header accept-encoding regex class COMPRESSION_SUPPORTED_BY_USER
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http HTTP_INSPECTION
ciscoasa(config-pmap)# class COMPRESSION_SUPPORTED_BY_USER_CLASS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config-pmap-c)# exit
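The file-extension, Accept-Language and Accept-Encoding classes above all hinge on how the regex is written, and two small slips change what gets dropped: an unescaped dot before "exe" matches any character, and spaces around "|" become part of the alternatives. The following Python script is an added example, not part of the original page; it replays those patterns against constructed header values so the effect can be checked offline before the policy is applied. It assumes that Python's re module treats these simple patterns the same way the ASA regex engine does, which is worth confirming on a lab firewall.

```python
import re

# Patterns in the form the ASA regex commands use. EXE_UNESCAPED and
# ENCODING_SPACED show the two common slips; the other two are the corrected
# forms. Treating Python re as equivalent to the ASA engine is an assumption.
EXE_UNESCAPED = r".*.([Ee][Xx][Ee])"                 # '.' before exe matches ANY character
EXE_ESCAPED = r".*\.([Ee][Xx][Ee])"                  # '\.' matches a literal dot only
ACCEPT_LANG_EN = r"([Ee][Nn])"
ENCODING_SPACED = r".([Zz][Ii][Pp] | [Rr][Aa][Rr])"  # alternatives become "zip " and " rar"
ENCODING_FIXED = r".([Zz][Ii][Pp]|[Rr][Aa][Rr])"


def header_matches(pattern, header_value):
    """Emulate 'match request/response header <name> regex <pattern>':
    the class matches when the regex is found anywhere in the header value."""
    return re.search(pattern, header_value) is not None


def drop_by_extension(pattern, content_disposition):
    """Drop when the Content-Disposition value matches the extension regex."""
    return header_matches(pattern, content_disposition)


def drop_by_missing_language(accept_language, pattern=ACCEPT_LANG_EN):
    """'match not request header accept-language regex ...': drop when the
    expected language tag is absent from the header value."""
    return not header_matches(pattern, accept_language)


def drop_by_missing_encoding(accept_encoding, pattern):
    """'match not request header accept-encoding regex ...': drop when none of
    the allowed encodings appears in the header value."""
    return not header_matches(pattern, accept_encoding)


# Constructed Content-Disposition values (not captured traffic), labelled with
# whether they really carry an executable.
SAMPLE_DISPOSITIONS = {
    "attachment; filename=update.EXE": True,              # real executable download
    "attachment; filename=executive-summary.pdf": False,  # benign: 'exe' inside a word
    "inline; filename=report.txt": False,
}


def false_positives(pattern):
    """Benign sample values that the pattern would drop."""
    return sorted(value for value, is_exe in SAMPLE_DISPOSITIONS.items()
                  if not is_exe and drop_by_extension(pattern, value))


def missed_executables(pattern):
    """Executable sample values that the pattern would let through."""
    return sorted(value for value, is_exe in SAMPLE_DISPOSITIONS.items()
                  if is_exe and not drop_by_extension(pattern, value))


if __name__ == "__main__":
    print("unescaped dot, false positives:", false_positives(EXE_UNESCAPED))
    print("escaped dot, false positives:  ", false_positives(EXE_ESCAPED))
    print("escaped dot, missed:           ", missed_executables(EXE_ESCAPED))
    for lang in ("de-DE,de;q=0.9", "fr-FR,fr;q=0.9,en;q=0.5"):
        print(f"Accept-Language {lang!r} dropped:", drop_by_missing_language(lang))
    for enc in ("gzip, deflate", "identity"):
        print(f"Accept-Encoding {enc!r} dropped (spaced):", drop_by_missing_encoding(enc, ENCODING_SPACED))
        print(f"Accept-Encoding {enc!r} dropped (fixed): ", drop_by_missing_encoding(enc, ENCODING_FIXED))
```

Run it as a script to see the comparison; the point of the harness is that any regex destined for a class-map can be added to the pattern list and exercised against a handful of benign and malicious header values before it reaches production.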
Block an HTTPS site using DNS inspection
How can you block an HTTPS site when all of its packets are encrypted?
Since HTTPS traffic is encrypted, the ASA cannot inspect the content of those packets. The workaround is to
inspect the DNS packets instead of the HTTP/HTTPS packets and drop the lookup for the domain.
ciscoasa(config)# regex BLOCK_HTTPS "facebook.com"
ciscoasa(config)# class-map type inspect dns CMAP
ciscoasa(config-cmap)# match domain-name regex BLOCK_HTTPS
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect dns PMAP
ciscoasa(config-pmap)# class CMAP
ciscoasa(config-pmap-c)# drop
ciscoasa(config-pmap-c)# exit
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# no inspect dns preset_dns_map
ciscoasa(config-pmap-c)# inspect dns PMAP
Block URLs using FQDN objects
Cisco ASA 8.4.2 introduced the Identity Firewall (IDFW), which gives a new level of control
to ACLs: you can now configure ACLs that block domain names.
A nice property of this solution is that it does not slow down the firewall at all. The ASA does the DNS lookup
roughly once every few hours, when the TTL expires, and stores the resolved IPs in memory. In other words it does not
do a DNS lookup for every packet that passes through the firewall; it resolves the name beforehand. This works for both HTTPS and
HTTP: the firewall inspects neither domain names nor URLs and does not care whether the packet is encrypted.
The packet has to carry a destination IP, and that is what the firewall checks.
ciscoasa(config)#dns domain-lookup OUTSIDE
ciscoasa(config)#dns server-group DefaultDNS
ciscoasa(config-dns-server-group)#name-server 4.2.2.2
ciscoasa(config)#object network OBJ-FACEBOOK-COM
ciscoasa(config-network-object)#fqdn facebook.com
ciscoasa(config)#access-list ACL_INSIDE extended deny ip any object OBJ-FACEBOOK-COM
(the name-server is a public DNS resolver reachable through the OUTSIDE interface)
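To make the behaviour described above concrete, the following Python model is an added example, not Cisco code and not part of the original page. It simulates an FQDN object the way the text describes it: the name is resolved ahead of time, the answer is cached until the DNS TTL expires, and the ACL compares only the packet's destination IP. The resolver, the addresses (taken from the documentation range 203.0.113.0/24) and the TTL are all constructed for the simulation; the model also shows the gap a practitioner should expect when the site's IP changes between refreshes.

```python
import ipaddress


class FqdnObject:
    """Model of an FQDN network object: resolve ahead of time, cache until the
    TTL expires, and match packets by destination IP only (hypothetical model
    written for this example, not the ASA implementation)."""

    def __init__(self, name, resolver):
        self.name = name
        self.resolver = resolver      # callable: name -> (set of IP strings, ttl seconds)
        self.addresses = set()
        self.expires_at = 0.0         # forces a lookup on first use
        self.lookups = 0              # how many DNS queries the model has sent

    def refresh(self, now):
        """Re-resolve only when the cached answer has expired."""
        if now >= self.expires_at:
            ips, ttl = self.resolver(self.name)
            self.addresses = {ipaddress.ip_address(ip) for ip in ips}
            self.expires_at = now + ttl
            self.lookups += 1
        return self.addresses

    def contains(self, dst_ip, now):
        return ipaddress.ip_address(dst_ip) in self.refresh(now)


def acl_deny_decision(obj, dst_ip, now):
    """'access-list ACL_INSIDE extended deny ip any object OBJ-...':
    True when the packet is denied because its destination is in the object."""
    return obj.contains(dst_ip, now)


def simulate():
    """Walk a constructed timeline and report what the model decides."""
    # Constructed DNS answer: two addresses, 300 s TTL (not real facebook.com data).
    zone = {"facebook.com": ({"203.0.113.10", "203.0.113.11"}, 300)}
    obj = FqdnObject("facebook.com", lambda name: zone[name])
    t0 = 1_000.0
    out = {}
    out["cached_ip_denied"] = acl_deny_decision(obj, "203.0.113.10", t0)
    out["unrelated_ip_allowed"] = not acl_deny_decision(obj, "198.51.100.7", t0 + 1)
    # 100 packets within the TTL cost no extra DNS queries.
    for i in range(100):
        acl_deny_decision(obj, "203.0.113.11", t0 + 2 + i)
    out["lookups_after_100_packets"] = obj.lookups
    # The site moves to a new address; the firewall will not notice until the TTL runs out.
    zone["facebook.com"] = ({"203.0.113.12"}, 300)
    out["new_ip_allowed_before_ttl_expiry"] = not acl_deny_decision(obj, "203.0.113.12", t0 + 150)
    out["new_ip_denied_after_refresh"] = acl_deny_decision(obj, "203.0.113.12", t0 + 301)
    out["old_ip_allowed_after_refresh"] = not acl_deny_decision(obj, "203.0.113.10", t0 + 302)
    out["total_lookups"] = obj.lookups
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The two "before TTL expiry" and "after refresh" results are the operational caveat: an FQDN ACL is only as current as the last resolution, so sites that rotate addresses quickly, or share addresses with other services behind a CDN, can be under- or over-blocked between refreshes.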
Configure ASA to inspect HTTP on a non-standard port
ciscoasa(config)# class-map CMAP
ciscoasa(config-cmap)# match port tcp eq 8080
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class CMAP
ciscoasa(config-pmap-c)# inspect http
Configure ASA to block Hotmail Attachments
ciscoasa(config)# regex GET_ATTACH ".*([Gg][Ee][Tt][Aa][Tt][Tt][Aa][Cc][Hh][Mm][Ee][Nn][Tt]).([Aa][Ss][Pp][Xx]).*"
ciscoasa(config)# regex SCAN_ATTACH ".*([Ss][Cc][Aa][Nn][Aa][Tt][Tt][Aa][Cc][Hh][Mm][Ee][Nn][Tt]).([Aa][Ss][Pp][Xx]).*"
ciscoasa(config)# regex HOTMAIL_URL ".*([Mm][Aa][Ii][Ll]).([Ll][Ii][Vv][Ee]).([Cc][Oo][Mm])"
ciscoasa(config)# class-map type inspect http match-all HOTMAIL_SMACKDOWN
ciscoasa(config-cmap)# match request header host regex HOTMAIL_URL
ciscoasa(config-cmap)# match request uri regex SCAN_ATTACH
ciscoasa(config)# class-map type inspect http match-all HOTMAIL_SMACKDOWN_THE_SEQUEL
ciscoasa(config-cmap)# match request header host regex HOTMAIL_URL
ciscoasa(config-cmap)# match request uri regex GET_ATTACH
ciscoasa(config)# policy-map type inspect http HOTMAIL_SMACKDOWN
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap)# class HOTMAIL_SMACKDOWN_THE_SEQUEL
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap)# class HOTMAIL_SMACKDOWN
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect http HOTMAIL_SMACKDOWN
Configure ASA to block torrent
ciscoasa(config)# object-group service Blocked-UDP-Ports udp
description All ports blocked for Bit Torrent UDP DHT (all ephemeral ports except VPN encapsulation)
port-object range 10001 65535
port-object range 1024 9999
ciscoasa(config)# object-group service BitTorrent-Tracker tcp
description TCP Ports used by Bit Torrent for tracker communication
port-object eq 2710
port-object range 6881 6999
ciscoasa(config)# access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
ciscoasa(config)# access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive
ciscoasa(config)# access-list inside_access_in extended permit tcp any any
Apply the access list to the inside interface. This is only a sample configuration and may need modifications
depending on your own setup.
ciscoasa(config)# regex bit-torrent-tracker ".*[Ii][Nn][Ff][Oo]_[Hh][Aa][Ss][Hh]=.*"
ciscoasa(config)# class-map type inspect http match-all bit-torrent-tracker
ciscoasa(config-cmap)#description Bit Torrent Tracker communication
ciscoasa(config-cmap)#match request args regex bit-torrent-tracker
ciscoasa(config-cmap)#match request method get
ciscoasa(config)# policy-map type inspect http Drop-P2P
ciscoasa(config-pmap)#description Drop protocol violations Bit Torrent Tracker traffic
ciscoasa(config-pmap)#parameters
protocol-violation action log
ciscoasa(config-pmap)#class bit-torrent-tracker
drop-connection log
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
inspect http Drop-P2P