The inspect http command protects against specific attacks and other threats
that may be associated with HTTP traffic. HTTP inspection performs the
following functions:
- HTTP inspection
- URL screening through N2H2 or Websense
- Java and ActiveX filtering
NOTE: The latter two features are configured in conjunction with the
filter command. The no inspect http command statement also disables the
filter url command.
- Enhanced HTTP inspection – Verifies that HTTP messages conform to RFC 2616,
use RFC-defined methods or supported extension methods, and comply with various
other configurable message criteria. In many cases, the administrator can
configure these criteria and the system response when the criteria are not
met.
By default, HTTP inspection is enabled globally. Inspection of HTTP
port 80 traffic is defined in the inspection_default class map. In the
asa_global_fw_policy policy map, HTTP inspection is associated with the
inspection_default class of traffic, HTTP port 80. HTTP inspection is enabled
globally in the asa_global_fw_policy service policy. To remove HTTP inspection,
use the no inspect http command in the policy map.
Enhanced HTTP Inspection
Enhanced HTTP inspection verifies that
HTTP messages conform to RFC 2616, use RFC-defined methods or supported
extension methods, and comply with various other criteria. In many cases, these
criteria and the system response when the criteria are not met can be
configured. The criteria that can be applied to HTTP messages are shown in
the figure.
To enable enhanced HTTP inspection, use the inspect http http-map
command. The enhanced rules that apply to HTTP traffic are defined
by the http-map command.
Enhanced HTTP Inspection Configuration
Configuring enhanced HTTP inspection is a four-step process. The four steps
in the process are as follows:
Step 1 Configure the http-map command to define the enhanced HTTP inspection
parameters and the action taken when a parameter in the configured category is
detected.
Step 2 Identify the flow of traffic using the class-map command. The
administrator can use the default class map, inspection_default. The
administrator can also define a new traffic flow, for example any hosts trying
to access the corporate web server from the internet.
Step 3 Associate the HTTP map with a class of traffic with the policy-map
command. The administrator can use the default policy map,
asa_global_fw_policy. The administrator can also define a new policy, such as
an inbound traffic policy for any hosts trying to access the corporate web
server from the internet.
Step 4 Apply the policy to an interface, or globally, using the
service-policy command. The administrator can use the default service-policy,
asa_global_fw_policy. The administrator can also define a new service policy,
such as a policy for all inbound internet-sourced traffic, and apply the
service policy to the outside interface.
In the example in the figure, the administrator created a new modular policy
for HTTP traffic from the Internet to the corporate web server with an IP
address of 192.168.1.11, rather than modifying the existing default global
modular policy. To accomplish this, the administrator configured a new HTTP
map, class map, policy map and service policy. The administrator created an
HTTP map, inbound_http. In the HTTP map, they restricted RPC request methods,
defined message criteria, and restricted HTTP applications. In the class map,
they identified the traffic flow with a matching ACL, access-list 102. In a
new policy map, the administrator associated the actions in the new HTTP map
with traffic identified in the ACL. Lastly, the new service policy is enabled
on the outside interface.
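The four steps and the example described above, written out as a
configuration. This is an added example, not the configuration from the
original figure; it assumes PIX/ASA 7.0 http-map syntax, and the class map
name, policy map name, the restricted method and all numeric limits are
hypothetical.

```text
! Added example, not the original figure. Assumes PIX/ASA 7.0 http-map syntax.
! inbound_http, access-list 102, 192.168.1.11 and the outside interface come
! from the text; the class map and policy map names, the chosen method and
! all thresholds are hypothetical values picked for illustration.
!
! Step 1: define the enhanced HTTP inspection criteria and actions
http-map inbound_http
 ! restrict one RFC-defined request method
 request-method rfc delete action reset log
 ! message criteria: body size, URI length, RFC 2616 conformance
 content-length min 100 max 2000 action reset log
 max-uri-length 100 action reset log
 strict-http action reset log
 ! restrict applications that run over HTTP (peer-to-peer here)
 port-misuse p2p action reset log
 exit
!
! Step 2: identify the traffic flow (Internet to the corporate web server)
access-list 102 extended permit tcp any host 192.168.1.11 eq www
class-map inbound_http_traffic
 match access-list 102
 exit
!
! Step 3: associate the HTTP map with the class of traffic
policy-map inbound_policy
 class inbound_http_traffic
  inspect http inbound_http
  exit
 exit
!
! Step 4: apply the policy to the outside interface
service-policy inbound_policy interface outside
```

After applying it, show running-config http-map and show service-policy
display the configured criteria and the inspection counters.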