10-13-2014 07:44 PM - edited 03-11-2019 09:55 PM
What is the advantage of enabling sqlnet inspection, and what is the downside of disabling sqlnet inspection ("no inspection sqlnet")?
I know very well the pros and cons of enabling FTP inspection and disabling FTP inspection, but for the past five years I have not seen anyone able to explain the pros and cons of enabling/disabling sqlnet inspection.
I asked this question five years ago and someone replied, but I don't think he knew what it was. He just copied from the Cisco documentation: https://supportforums.cisco.com/discussion/10838696/what-advantage-enabling-sqlnet-inspection-asa-appliance
From my production experience, enabling/disabling sqlnet inspection makes no difference, and in my previous life I was an Oracle DBA.
I've seen security vulnerabilities, and when Oracle does not work across the ASA firewalls, Cisco TAC's response is always "disable sqlnet inspection".
If that is the case, why have it enabled by default in the first place?
10-14-2014 01:36 AM
Hi,
The advantage of having any protocol inspection enabled on the ASA device is to make the ASA aware of two things mainly:
1) Any embedded IP address at the application layer for the specific protocol
2) Allowing a secondary channel by opening pinholes through the ASA device without explicitly allowing it using the ACL rules.
Some other inspections are also used to implement/enforce the RFC for the protocols as well (for example SMTP, DNS, etc.)
Just picking the example from inspect sqlnet:
Note: Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP port 1521. The ASA acts as a proxy when SQL*Net inspection is enabled and reduces the client window size from 65000 to about 16000, causing data transfer issues.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i2.html#pgfId-1762719
These inspections are enabled by default but can be modified or disabled depending on the application that you are using through the ASA device.
Hope that clarifies your query. Let me know if you have any other questions.
Thanks and Regards,
Vibhor Amrodia
10-14-2014 02:58 AM
Hi,
Then tell me this. I've worked with Oracle databases for the past five years, and to my knowledge just about everything that I know about SQL*Net uses TCP port 1521 (unless someone explicitly goes in and modifies the port). I am quite sure that Oracle SQL*Net does not use random ports anymore.
If Cisco knows that it will cause issues, why not just disable it by default? I know I am running Cisco ASA code with some vulnerabilities, and the workaround advised by Cisco is "disable SQL*Net inspection".
In other words, this feature, IMHO, offers no value and also causes more harm than good.
Am I wrong?
10-14-2014 08:39 PM
Hi,
Disabling the inspection due to the vulnerability was a specific issue and has been resolved.
I think inspection policies can be modified as per the usage by different customers.
There are many cases where the inspection also needs to be enabled on the ASA device for the traffic to work.
Thanks and Regards,
Vibhor Amrodia
10-15-2014 02:55 AM
Really? Unless you're running Oracle 9i or older, everything I know about Oracle 10g and higher is that they always use a single port.
Please point me to a specific case where you have to enable this feature.
Cisco claimed that this issue had been resolved, and then a couple of months later there was another vulnerability and the workaround was to disable this feature.
11-15-2023 04:22 PM
Hello,
I have bypassed the sqlnet inspection; in packet-tracer phase 3 it shows that it is bypassed:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 3794 ns
Config:
class-map oracle-tcp-bypass
match access-list oracle-tcp-bypass
policy-map global_policy
class oracle-tcp-bypass
set connection advanced-options tcp-state-bypass
service-policy global_policy global
However, in phase 6 it says the packet is inspected:
Phase: 6
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Elapsed time: 14826 ns
Config:
class-map SQLNET-INSPECTION
match access-list SQLNET-INSPECTION
policy-map global_policy
class SQLNET-INSPECTION
inspect sqlnet
service-policy global_policy global
My question is, is the packet really being bypassed or inspected for sqlnet?
Cheers,
-Rouzbeh
11-16-2023 07:38 AM
The bypass question was answered in another thread.
In fact, the sqlnet protocol has a "redirect" feature in it. If server A is on the inside and the client is on the outside, and TCP/1521 is opened in the outside ACL, the client connects on TCP/1521 to server A but can be redirected by server A to server B, which also lives on the inside. Without inspection the connection to server B would fail. With inspection the ASA would open a pinhole to server B/1521. That simple. So sqlnet inspection is not really pointless, although it punts all sqlnet traffic to the ASA/FTD control-plane CPU core, which can be harmful on SMP systems.
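The redirect case described in the reply above, and the "embedded IP address" / pinhole behaviour summarised in the first answer, modelled as an added example that is not part of this thread and is not Cisco ASA code: a small Python simulation that parses a TNS REDIRECT packet the way an inspection engine has to, pulls the embedded (HOST=...)(PORT=...) out of the redirect descriptor, and opens a pinhole scoped to the client that received it. The TNS header layout and the REDIRECT body (2-byte length followed by a connect descriptor) follow the Oracle Net wire format; the firewall model, the server/client addresses and the descriptor string are constructed for illustration.

```python
"""Toy SQL*Net (TNS) redirect inspection: hypothetical example, not ASA code."""
import re
import struct
from dataclasses import dataclass, field

# TNS transport-layer packet types (Oracle Net / SQL*Net)
TNS_CONNECT = 1
TNS_ACCEPT = 2
TNS_REDIRECT = 5
TNS_HEADER_LEN = 8  # length(2) pkt checksum(2) type(1) flags(1) hdr checksum(2)

HOST_RE = re.compile(r"\(HOST=([^)]+)\)", re.IGNORECASE)
PORT_RE = re.compile(r"\(PORT=(\d{1,5})\)", re.IGNORECASE)


def build_tns(ptype: int, body: bytes) -> bytes:
    """Wrap a body in a big-endian TNS header (checksum fields zero, as Oracle sends them)."""
    return struct.pack(">HHBBH", TNS_HEADER_LEN + len(body), 0, ptype, 0, 0) + body


def build_redirect(descriptor: str) -> bytes:
    """Build the REDIRECT packet server A sends: 2-byte data length + connect descriptor."""
    data = descriptor.encode("ascii")
    return build_tns(TNS_REDIRECT, struct.pack(">H", len(data)) + data)


def parse_tns(packet: bytes):
    """Return (packet_type, body); reject truncated or mis-sized packets."""
    if len(packet) < TNS_HEADER_LEN:
        raise ValueError("short TNS header")
    length, _cksum, ptype, _flags, _hcksum = struct.unpack(">HHBBH", packet[:TNS_HEADER_LEN])
    if length != len(packet):
        raise ValueError("TNS length field does not match packet size")
    return ptype, packet[TNS_HEADER_LEN:]


def redirect_target(packet: bytes):
    """If the packet is a TNS REDIRECT, return the embedded (host, port); otherwise None.

    This is the 'embedded IP address at the application layer' an inspection engine
    needs: the client will open a brand-new TCP connection to this address.
    """
    ptype, body = parse_tns(packet)
    if ptype != TNS_REDIRECT:
        return None
    if len(body) < 2:
        raise ValueError("redirect body too short")
    (dlen,) = struct.unpack(">H", body[:2])
    descriptor = body[2:2 + dlen].decode("ascii", errors="replace")
    host = HOST_RE.search(descriptor)
    port = PORT_RE.search(descriptor)
    if not host or not port:
        raise ValueError("redirect descriptor has no HOST/PORT")
    return host.group(1), int(port.group(1))


@dataclass
class Firewall:
    """Constructed stateful-firewall model: a static outside ACL plus inspection pinholes."""
    acl: set                       # (dst_ip, dst_port) permitted by the outside ACL
    inspect_sqlnet: bool
    pinholes: set = field(default_factory=set)  # (src_ip, dst_ip, dst_port)

    def permits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (dst_ip, dst_port) in self.acl or (src_ip, dst_ip, dst_port) in self.pinholes

    def inspect_server_packet(self, client_ip: str, packet: bytes):
        """Run for every server->client packet on an inspected TCP/1521 flow."""
        if not self.inspect_sqlnet:
            return None
        target = redirect_target(packet)
        if target is not None:
            host, port = target
            # Pinhole is scoped to the client that actually received the redirect.
            self.pinholes.add((client_ip, host, port))
        return target


def simulate_redirect(inspect_sqlnet: bool) -> bool:
    """Outside client -> inside server A on 1521; A redirects to inside server B.

    Returns whether the client's follow-up connection to server B is permitted.
    Addresses are constructed sample values.
    """
    server_a, server_b, client = "10.1.1.10", "10.1.1.20", "192.0.2.50"
    fw = Firewall(acl={(server_a, 1521)}, inspect_sqlnet=inspect_sqlnet)
    if not fw.permits(client, server_a, 1521):      # only A is in the outside ACL
        return False
    redirect = build_redirect(f"(ADDRESS=(PROTOCOL=tcp)(HOST={server_b})(PORT=1521))")
    fw.inspect_server_packet(client, redirect)       # server A's reply to the CONNECT
    return fw.permits(client, server_b, 1521)        # client's new connection to B


if __name__ == "__main__":
    print("no inspection:  ", simulate_redirect(False))  # False
    print("with inspection:", simulate_redirect(True))   # True
```

Run it with python3: without inspection the follow-up connection to server B is dropped because only server A is in the ACL; with inspection the parsed redirect opens the pinhole and the connection passes. The pinhole is keyed on the client address as well as the target, because an address taken from a server-supplied redirect descriptor is exactly the kind of data an inspection engine should not turn into a blanket permit, and the length check in parse_tns is the minimum an engine needs before trusting the 2-byte redirect length.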