Configure Advanced Protocol Inspection
Protocol application inspection

This topic discusses the configuration and handling of application inspection for the remote shell (RSH), SQL*Net, ESMTP, ICMP, and SNMP protocols.

Remote Shell
Remote shell (RSH) uses two channels for communications. When a client first starts an RSH connection, it opens a TCP channel from one of its high-order ports to port 514 on the server. The server opens another channel for standard error output to the client.

For RSH traffic, the PIX Security Appliance behaves in the manner shown in Figure .

By default, the security appliance inspects port 514 connections for RSH traffic. If RSH servers are using ports other than port 514, the class-map command can be used to identify these other traffic flows with their different RSH TCP port numbers. To enable RSH application inspection use the inspect rsh command in a policy map, class configuration mode. To remove the rsh inspection, use the no form of this command. If the inspect rsh command is not enabled, then:

  • Outbound RSH will not work properly on that flow of traffic.
  • Inbound RSH will work properly on that port if an ACL to the inside server exists.

SQL*Net
SQL*Net only uses one channel for communications but it could be redirected to a different port, and even more commonly to a different secondary server altogether. When a client starts an SQL*Net connection, it opens a standard TCP channel from one of its high-order ports to port 1521 on the server. The server then proceeds to redirect the client to a different port or IP address. The client tears down the initial connection and establishes the second connection.

For SQL*Net traffic, the PIX Security Appliance behaves in the manner shown in Figure .

By default, the PIX Security Appliance inspects port 1521 connections for SQL*Net traffic. If SQL*Net servers are using ports other than port 1521, the class-map command can be used to identify these other traffic flows with their different SQL*Net port numbers. To enable SQL*Net application inspection use the inspect sqlnet command in a policy map, class configuration mode. To remove the sqlnet inspection, use the no form of this command. If the inspect sqlnet command is not enabled, then:

  • Outbound SQL*Net will work properly on that port as long as outbound traffic is not explicitly disallowed.
  • Inbound SQL*Net will not work properly on that port.

ESMTP
Extended SMTP (ESMTP) is an enhancement to the SMTP protocol and is similar in most respects to SMTP. ESMTP application inspection provides improved protection against SMTP-based attacks by restricting the types of SMTP commands that can pass through the PIX Security Appliance. ESMTP application inspection supports the commands shown in Figure . To enable ESMTP inspection, use the inspect esmtp command.

ICMP
Without ICMP stateful inspection, ICMP can be used to attack the network. ICMP inspection enables the PIX Security Appliance to track ICMP traffic so that it can be inspected like TCP and UDP traffic. For any single request, there will always be a single reply. When ICMP inspection is enabled, the ICMP payload is scanned to retrieve the pertinent information (source IP address, destination IP address, protocol, identification number, and sequence number) from the original packet. The idea is to match this session information in the PIX for each ICMP request and response pair. ICMP inspection allows replies only when the ICMP reply session information matches a request, and it ensures that there is only one response for each request. An example of ICMP inspection is shown in Figure . To configure the ICMP inspection engine, use the inspect icmp command in policy map class configuration mode.

SNMP
By default, the PIX Security Appliance performs no inspection of SNMP. The snmp-map and inspect snmp commands can be used to filter out SNMP traffic based on the SNMP protocol version field in the packets. To configure SNMP version blocking, first define an SNMP map and then apply the SNMP map to an SNMP inspection policy.

Use the snmp-map command to identify the SNMP protocol version or versions to deny. When the administrator enters this command, the PIX Security Appliance enters the SNMP map configuration mode. From the SNMP map configuration mode, the administrator can define which SNMP protocol version to deny (version 1, 2, 2c, or 3). After defining the SNMP map, the administrator can apply the map parameters using the inspect snmp map_name command. The PIX will then inspect SNMP traffic based on the contents of the SNMP map configuration.

To identify a specific map for defining the parameters for SNMP inspection, use the snmp-map map_name command. To remove the map, use the no form of this command. To enable SNMP inspection, use the inspect snmp map_name command in a policy map. To remove the configuration, use the no form of this command.
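The following configuration ties together the RSH non-standard-port case from the Remote Shell section and the SNMP map procedure above. It is an added example, not text from the course material: the map name SNMP_V1_V2C_BLOCK, the class name RSH_2514, and the port 2514 are assumed values, and the policy follows the PIX 7.x class-map / policy-map / service-policy structure.

```text
! Added example (not part of the original course text).
! Assumed values: 2514 is a non-standard RSH server port, SNMP_V1_V2C_BLOCK
! and RSH_2514 are names chosen for this example.

! 1. SNMP map: deny the protocol versions that are not in use. Here v1 and
!    v2c are dropped (community strings travel in cleartext); v3 is allowed.
snmp-map SNMP_V1_V2C_BLOCK
 deny version 1
 deny version 2c

! 2. Default class: matches the default inspection ports, i.e. TCP 514
!    for RSH, TCP 1521 for SQL*Net, TCP 25 for ESMTP, UDP 161/162 for SNMP.
class-map inspection_default
 match default-inspection-traffic

! 3. Extra class for RSH servers that listen on a port other than 514.
class-map RSH_2514
 match port tcp eq 2514

! 4. Policy map: attach the inspection engines to each class. The SNMP
!    engine is given the map so version blocking is enforced.
policy-map global_policy
 class inspection_default
  inspect rsh
  inspect sqlnet
  inspect esmtp
  inspect icmp
  inspect snmp SNMP_V1_V2C_BLOCK
 class RSH_2514
  inspect rsh

! 5. Apply the policy to all interfaces.
service-policy global_policy global
```

Without the RSH_2514 class, an outbound RSH session to port 2514 would fail because the standard-error channel opened by the server is never permitted; without the SNMP map, inspect snmp alone would pass every SNMP version.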
