Configure Advanced Protocol Inspection
HTTP inspection

The inspect http command protects against specific attacks and other threats that may be associated with HTTP traffic. HTTP inspection performs the following functions:

  • HTTP inspection
  • URL screening through N2H2 or Websense
  • Java and ActiveX filtering

NOTE: The latter two features are configured in conjunction with the filter command. The no inspect http command statement also disables the filter url command.

  • Enhanced HTTP inspection – Verifies that HTTP messages conform to RFC 2616, use RFC-defined methods or supported extension methods, and comply with various other configurable message criteria. In many cases, the administrator can configure these criteria and the system response when the criteria are not met.

By default, HTTP inspection is enabled globally. Inspection of HTTP port 80 traffic is defined in the inspection_default class map. In the asa_global_fw_policy policy map, HTTP inspection is associated with the inspection_default class of traffic, http port 80. HTTP inspection is enabled globally in the asa_global_fw_policy service policy. To remove HTTP inspection, use the no inspect http command in the policy map.

Enhanced HTTP Inspection
Enhanced HTTP inspection verifies that HTTP messages conform to RFC 2616, use RFC-defined methods or supported extension methods, and comply with various other criteria. In many cases, these criteria and the system response when the criteria are not met can be configured. The criteria that can be applied to HTTP messages are shown in Figure .

To enable enhanced HTTP inspection, use the inspect http http-map command. The enhanced rules that apply to HTTP traffic are defined by the http-map command.

Enhanced HTTP Inspection Configuration
Configuring enhanced HTTP inspection is a four-step process. The four steps in the process are as follows:

Step 1 Configure the http-map command to define the enhanced HTTP inspection parameters and the action taken when a parameter in the configured category is detected.
Step 2 Identify the flow of traffic using the class-map command. The administrator can use the default class map, inspection_default. The administrator can also define a new traffic flow, for example any hosts trying to access the corporate web server from the internet.
Step 3 Associate the HTTP map with a class of traffic with the policy-map command. The administrator can use the default policy map, asa_global_fw_policy. The administrator can also define a new policy, such as an inbound traffic policy for any hosts trying to access the corporate web server from the internet.
Step 4 Apply the policy to an interface, or globally, using the service-policy command. The administrator can use the default service-policy, asa_global_fw_policy. The administrator can also define a new service policy, such as a policy for all inbound internet-sourced traffic, and apply the service policy to the outside interface.

In the example in Figure , the administrator created a new modular policy for HTTP traffic from the Internet to the corporate web server with an IP address of 192.168.1.11, rather than modify the existing default global modular policy. To accomplish this, the administrator configured a new HTTP map, class map, policy map and service policy. The administrator created an HTTP map, inbound_http. In the HTTP map, they restricted RFC request methods, defined message criteria, and restricted HTTP applications. In the class map, they identified the traffic flow with a matching ACL, access-list 102. In a new policy map, the administrator associated the actions in the new HTTP map with traffic identified in the ACL. Lastly, the new service policy is enabled on the outside interface.
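
The four steps and the scenario described above, written out as an added configuration example. It is not the figure from the original page. The names inbound_http, access-list 102, 192.168.1.11 and the outside interface come from the text; the class map and policy map names, the methods chosen and the byte limits are illustrative assumptions.

```cisco
! Step 1: HTTP map with the enhanced inspection criteria and actions.
http-map inbound_http
 ! Restrict RFC request methods (methods chosen here are illustrative)
 request-method rfc delete action reset log
 request-method rfc put action reset log
 request-method rfc trace action reset log
 ! Message criteria (byte limits are illustrative)
 max-header-length request 1024 action reset log
 max-uri-length 512 action reset log
 ! Restrict applications that misuse the HTTP port
 port-misuse im action reset log
 port-misuse p2p action reset log
 port-misuse tunneling action reset log
 ! Log messages that are not RFC-compliant without dropping them
 strict-http action allow log
!
! Step 2: identify the traffic flow (Internet hosts to the web server).
access-list 102 extended permit tcp any host 192.168.1.11 eq www
! Class map name is an assumption, not taken from the page.
class-map inbound_http_traffic
 match access-list 102
!
! Step 3: associate the HTTP map with the class of traffic.
! Policy map name is an assumption, not taken from the page.
policy-map inbound_policy
 class inbound_http_traffic
  inspect http inbound_http
!
! Step 4: apply the policy to the outside interface.
service-policy inbound_policy interface outside
```

Starting with action allow log on a criterion, as strict-http does here, lets the administrator see what legitimate clients would trip before switching that criterion to reset or drop.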

