17-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Understanding Inspection Rules
In many cases, you will configure inspection in one direction only at a single interface, which causes traffic to be permitted back into the internal network only if the traffic is part of a permissible (valid, existing) session. This is a typical configuration for protecting your internal networks from traffic that originates on the Internet.
You can also configure inspection in two directions at one or more interfaces. Configure inspection in two directions when the networks on both sides of the firewall should be protected, such as with extranet or intranet configurations, and to protect against DoS attacks. For example, if the device is situated between two partner companies' networks, you might want to restrict traffic in one direction for certain applications, and restrict traffic in the opposite direction for other applications. If you are protecting a web server in the DMZ zone, you might want to configure deep inspection on HTTP traffic to identify and reset connections that have undesirable characteristics.
You might want to configure your inspection rules on the outbound interfaces of your network, those that connect to the Internet or another uncontrolled network, while allowing unfiltered connections within the trusted network. Thus, your devices use resources for inspection only on sessions that travel over unsecured and therefore potentially dangerous networks.
Related Topics
Selecting Which Protocols To Inspect, page 17-3
Understanding Access Rule Requirements for Inspection Rules, page 17-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4
Configuring Protocols and Maps for Inspection, page 17-21
Configuring Inspection Rules, page 17-5
Selecting Which Protocols To Inspect
You can generically inspect TCP and UDP, which covers all applications that use these protocols. However, you can also inspect more specific protocols. In some cases, inspecting a specific protocol provides better service than generic TCP/UDP inspection. TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet.
For example:
• Some protocols allow you to configure deep inspection. Deep inspection allows you to configure more specific rules for a traffic stream. For example, you can drop HTTP connections where the content type of the request and response do not match. For information on deep inspection and your configuration options, see Configuring Protocols and Maps for Inspection, page 17-21.
• Protocols that negotiate return channels, such as FTP, should be specifically inspected. If you use simple generic TCP inspection of FTP traffic, the negotiated channels are not opened, and the connection will fail. If you want to allow FTP, ensure that you create a specific inspection rule for it.
• Multimedia protocols also negotiate return channels and should be specifically inspected. These include H.323, RTSP (Real Time Streaming Protocol), and other application-specific protocols.
• Some applications also use a generic TCP channel, so you might also need to configure generic TCP inspection. Any generic TCP inspection rule should appear below a more specific inspection rule in the table (that is, any rule that specifies TCP or UDP should appear at the end of the inspection rule table).
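The FTP case above, as an added toy model that is not from this guide or from Cisco Security Manager: a generic TCP inspector only permits the reverse direction of sessions it has already seen, so the server-initiated data connection announced by an active-mode PORT command is dropped, while an FTP-aware inspector parses the command and opens that channel. The addresses, ports and PORT payload are constructed sample data, and the server is assumed to connect from port 20.

```python
"""Toy stateful inspector: generic TCP inspection vs FTP-aware inspection.

Constructed example. Real inspection engines track far more state; this
only models the return-channel behaviour the guide describes.
"""
import re
from dataclasses import dataclass, field

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" -> client listens on h1.h2.h3.h4:(p1*256+p2)
PORT_CMD = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Inspector:
    ftp_aware: bool                       # False = generic TCP inspection only
    allowed_return: set = field(default_factory=set)

    def outbound(self, flow: Flow, payload: str = "") -> None:
        # Inside-to-outside traffic is permitted; inspection records the
        # session so that only its reverse direction is allowed back in.
        self.allowed_return.add(flow.reverse())
        if self.ftp_aware and flow.dst_port == 21:
            m = PORT_CMD.match(payload)
            if m:
                ip = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                # FTP inspection opens a pinhole for the server-initiated
                # data connection (assumed here to come from server port 20).
                self.allowed_return.add(Flow(flow.dst_ip, 20, ip, port))

    def inbound(self, flow: Flow) -> bool:
        return flow in self.allowed_return


def ftp_active_mode(ftp_aware: bool) -> tuple:
    """Return (control reply permitted, data connection permitted)."""
    insp = Inspector(ftp_aware)
    ctrl = Flow("192.0.2.10", 40123, "198.51.100.5", 21)   # constructed client/server
    insp.outbound(ctrl)                                     # TCP handshake seen
    insp.outbound(ctrl, "PORT 192,0,2,10,195,80\r\n")      # client announces 50000
    data = Flow("198.51.100.5", 20, "192.0.2.10", 50000)    # server connects back
    return insp.inbound(ctrl.reverse()), insp.inbound(data)
```

With generic inspection the control replies pass but the data connection is dropped, so the transfer hangs exactly as the guide warns; with FTP inspection both are permitted.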
Related Topics
Choosing the Interfaces for Inspection Rules, page 17-2