User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Protocols and Maps for Inspection
Related topic: Configuring Protocols and Maps for Inspection, page 17-21

Field Reference

Table 17-12 Add and Edit DCE/RPC Dialog Boxes

Name
    The name of the policy object. A maximum of 40 characters is allowed.

Description
    A description of the policy object. A maximum of 200 characters is allowed.

Pinhole Timeout
    The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00). Valid values are between 00:00:01 and 1193:00:00.

Enforce Endpoint Mapper Service
    Whether to enforce the endpoint mapper service during binding. Using this service, a client queries a server, called the Endpoint Mapper, for the dynamically allocated network information of a required service.

Enable Endpoint Mapper Service Lookup
Service Lookup Timeout
    Whether to enable the lookup operation of the endpoint mapper service. If you select this option, you can enter the timeout for the lookup operation. If you do not specify a timeout, the pinhole timeout or default pinhole timeout value is used. Valid values are between 00:00:01 and 1193:00:00.

Category
    The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.

Allow Value Override per Device
Overrides
Edit button
    Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
    If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Configuring DNS Maps

Use the Add and Edit DNS Map dialog boxes to define DNS Maps for inspection. A DNS map lets you change the default configuration values used for DNS application inspection.

DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. You can configure rules for certain DNS types to be allowed, dropped, or logged, while others are blocked. For example, you can restrict zone transfer between servers.

The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS randomization can be enabled to avoid spoofing and cache poisoning of servers that either do not support randomization or that use a weak pseudorandom number generator. Limiting the domain names that can be queried protects the public server further.

You can configure a DNS mismatch alert as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack.
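The two DNS-header controls described under Configuring DNS Maps, masking the RD/RA flags and raising an alert when too many responses fail to match an outstanding query ID, modelled in Python as an added illustration; this is not Cisco's code and the packets, the threshold of 3 mismatches in 3 seconds, and the ID-only matching are constructed assumptions (real inspection also keys on addresses and ports).

```python
"""Model of the DNS-header inspection controls (constructed example)."""
import struct
from collections import deque

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000  # 1 = response, 0 = query
RD = 0x0100  # Recursion Desired
RA = 0x0080  # Recursion Available


def build_header(txid, flags, qdcount=1):
    """Build a 12-byte DNS header; used here only to construct sample traffic."""
    return struct.pack("!6H", txid, flags, qdcount, 0, 0, 0)


def parse_header(pkt):
    """Return the transaction ID, raw flags and the decoded QR/RD/RA bits."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!2H", pkt[:4])
    return {"id": txid, "flags": flags, "qr": bool(flags & QR),
            "rd": bool(flags & RD), "ra": bool(flags & RA)}


def mask_rd_ra(pkt):
    """Clear RD and RA in the header, as the mask action does for a public
    server that must not accept or advertise recursion; the rest is untouched."""
    txid, flags = struct.unpack("!2H", pkt[:4])
    return struct.pack("!2H", txid, flags & ~(RD | RA) & 0xFFFF) + pkt[4:]


class MismatchMonitor:
    """Count responses whose ID matches no outstanding query and report an
    alert once `count` of them arrive within `duration` seconds.
    Assumption: matching is by transaction ID only (a simplification)."""

    def __init__(self, count, duration):
        self.count, self.duration = count, duration
        self.outstanding = set()
        self.mismatches = deque()

    def observe(self, pkt, now):
        hdr = parse_header(pkt)
        if not hdr["qr"]:
            self.outstanding.add(hdr["id"])      # remember the query ID
            return False
        if hdr["id"] in self.outstanding:
            self.outstanding.discard(hdr["id"])  # legitimate reply
            return False
        self.mismatches.append(now)              # unsolicited response
        while now - self.mismatches[0] > self.duration:
            self.mismatches.popleft()            # drop events outside window
        return len(self.mismatches) >= self.count
```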