topic ASA andalso would like to in Network Security

how to allow some fixed extension go in from outside to inside but not allow go from inside to outside

Maivoko — Tue, 12 Mar 2019 05:44:59 GMT

how to allow some fixed extension go in from outside to inside but not allow go from inside to outside

for example, allow JPEG, MOV, AVI data flow from outside to inside

but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside

how to configure?

Hi, Is it a ASA or any other

Pranay Prasoon — Wed, 08 Apr 2015 18:00:19 GMT

Hi,

Is it a ASA or any other device? Here is the link that can be helpful:-

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html

ASA andalso would like to

Maivoko — Wed, 08 Apr 2015 18:17:04 GMT

ASA

and

also would like to know whether general router has this function and how to do?

actually i mean not only web site, for example, in window , share drive, net drive, in linux, you can get file with ftp , or get software, or other kind of methods.

i just afraid hackers can get word file, movie file, or photo if they succeed to pass firewall

You can use zone based

Pranay Prasoon — Wed, 08 Apr 2015 18:20:39 GMT

You can use zone based firewall feature of URI inspection:-

Please see in detail at below link:-

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

zone based web do not have

Maivoko — Wed, 08 Apr 2015 18:51:01 GMT

zone based web do not have file extension to choose, how do it know the extension of file? or type of file?

can hacker bypass the file name extension filter of firewall?

i see that ASA has policy , do ASA have zone based?

Hi, The ZBF link sent earlier

Pranay Prasoon — Wed, 08 Apr 2015 21:26:13 GMT

Hi,

The ZBF link sent earlier show how we can inspect URI in http request

parameter-map type regex uri_regex_cm
pattern “.*cmd.exe”

class-map type inspect http uri_check_cm
match request uri regex uri_regex_cm

ZBf is the feature on Cisco routers and ASA though concepts are little same but works differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you will try to restrict .exe file from a p2p application that won't be possible, But on router you have some application for p2p in NBAR and you can use it file filtering. Please check configuartion example for both devices.

Thanks

if application is unknown,

Maivoko — Thu, 09 Apr 2015 00:29:51 GMT

if application is unknown, how to set?

well there are some

Pranay Prasoon — Thu, 09 Apr 2015 01:18:21 GMT

well there are some limitations with asa and cisco routers as they don't primarily designed for all application. In that case you will need to use other devices.