cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1093
Views
0
Helpful
7
Replies

how to allow some fixed extension go in from outside to inside but not allow go from inside to outside

Maivoko
Level 1
Level 1

how to allow some fixed extension go in from outside to inside but not allow go from inside to outside

for example, allow JPEG, MOV, AVI data flow from outside to inside

but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside

 

how to configure?

7 Replies 7

Pranay Prasoon
Level 3
Level 3

Hi,

 

Is it a ASA or any other device? Here is the link that can be helpful:-

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html

 

ASA 

and

also would like to know whether general router has this function and how to do?

 

actually i mean not only web site, for example, in window , share drive, net drive, in linux, you can get file with ftp , or get software, or other kind of methods.

i just afraid hackers can get word file, movie file, or photo if they succeed to pass firewall

You can use zone based firewall feature of URI inspection:-

Please see in detail at below link:-

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

 

zone based web do not have file extension to choose, how do it know the extension of file? or type of file?

 

can hacker bypass the file name extension filter of firewall?

 

i see that ASA has policy , do ASA have zone based?

Hi,

 

The ZBF link sent earlier show how we can inspect URI in http request

parameter-map type regex uri_regex_cm
   pattern “.*cmd.exe”
  

class-map type inspect http uri_check_cm
   match request uri regex uri_regex_cm

 

ZBf is the feature on Cisco routers and ASA though concepts are little same but works differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you will try to restrict .exe file from a p2p application that won't be possible, But on router you have some application for p2p in NBAR and you can use it file filtering. Please check configuartion example for both devices.

 

Thanks

if application is unknown, how to set?

well there are some limitations with asa and cisco routers as they don't primarily designed for all application. In that case you will need to use other devices.

 

Review Cisco Networking for a $25 gift card