ACE module and inspect http

falcon9falcon
Level 1

I found information on Cisco.COM on how to perform deep packet inspection of Layer 7 HTTP, but I don't want to use such deep inspection, so I decided to use inspect http without a Layer 7 policy, and I don't know what the ACE performs. Could you tell me what the ACE checks? Is it possible to customize it?

I have to be honest: I found something like this, "the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC", but I couldn't imagine how HTTP could be fixed up and what an internal RFC is.

Regards

Falcon

5 Replies

Christopher Miles
Cisco Employee

Hi Falcon,


The general fixups add a level of security by doing a general sanity check that these are valid HTTP requests. If you would like to specify exactly what type of HTTP requests you want to allow, e.g. PUT, GET, or 302 redirect, 404 not found, etc., that is when you can configure the L7 policy.

I assume you already have this link, but here are the specifics for L7 policy creation:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/policy.html#wp1176025

"Internal RFC compliance checks" is just referring to the ACE checking that these requests are valid based on the HTTP RFC.

cheers,

Chris

Hi Chris,

I'm so grateful to you for answering me, but I still have a problem with "inspect http". In my case I would like to check only the method. I don't want to check URL parsing or header parsing, etc. Is it possible? I ask because the owner of the website is not sure about the standard in the URL or header response.

Cheers,

Falcon

Hi Falcon,

If you wish purely to allow only specific methods, then you need to configure a L7 policy to look just at the method; see the link below.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/policy.html#wp1019108

The ACE supports the inspection of the following RFC 2616 HTTP request methods: connect, delete, get, head, options, post, put, and trace.

The ACE supports the inspection of the following HTTP request extension methods: copy, edit, getattr, getattrname, getprops, index, lock, mkcol, mkdir, move, propfind, proppatch, revadd, revlabel, revlog, revnum, save, setattr, startrev, stoprev, unedit, and unlock.

So you do have quite an extensive list to customise. By default, all these methods would be allowed in the L3/L4 rule for inspect http.

cheers,

Chris
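An ACE configuration along the lines Chris describes, as an added example that is not part of the thread: a Layer 7 HTTP inspection policy that permits only a chosen set of request methods and resets the rest. The class-map, policy-map and VIP class names are placeholders, and the exact syntax should be checked against the command reference for your ACE release.

```cisco
! Layer 7 class that matches only the request methods the site owner wants to allow.
! Methods listed with "rfc" are the RFC 2616 methods; the extension methods
! (propfind, mkcol, lock, ...) would be matched with "ext" instead.
class-map type http inspect match-any ALLOWED_HTTP_METHODS
  10 match request-method rfc get
  20 match request-method rfc head
  30 match request-method rfc post

! HTTP inspection policy: permit requests whose method matched above,
! reset any other request (class-default action assumed to be "reset").
policy-map type inspect http all-match HTTP_METHOD_POLICY
  class ALLOWED_HTTP_METHODS
    permit
  class class-default
    reset

! Attach the inspection policy to the existing VIP class in the
! L3/L4 multi-match policy (placeholder names).
policy-map multi-match CLIENT_VIP_POLICY
  class WEB_VIP_CLASS
    inspect http policy HTTP_METHOD_POLICY
```

Note that this restricts methods on top of, not instead of, the default inspect http checks: as the last reply in the thread states, the URL and header parsing applied by inspect http itself stay in force.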

Hi Chris,

Thanks again, but I'm still afraid that the ACE will check "Header parsing and URL parsing". Please open the link.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/security/guide/appinsp.html#wp1519249

I wonder about the possibility of disabling header and URL parsing.

cheers,

Falcon

Hi Falcon,

I see your point. You are correct: once enabled, there is a default set of policies applied (URL parsing and deobfuscation, header parsing and parser validation, strict HTTP inspection and method validation). There is no specific command to turn these off other than disabling inspect itself. I will have a look around and let you know if I find something, but I would say that unless there was an option to override the preference with a match in a L7 rule, the L3/L4 rules would stand.

Chris
