
Thursday, July 22, 2010

CCNA Security 30

Why do we need Advanced Protocol Inspection? Some applications dynamically negotiate their source and destination ports, and some tunnel through well-known protocols by wrapping their data in something like HTTP. A plain stateful firewall cannot tell these apart from legitimate traffic, so we need to look inside the packets for signs of misuse. This is what Advanced Protocol Inspection (also called application inspection) does.
An example of a protocol which dynamically negotiates ports is FTP. Let's begin the introduction of Advanced Protocol Inspection with a scenario:


Now, let's begin by describing how FTP works in Active mode. In Active mode, the client on the INSIDE interface of the ASA first connects from a random high port to port 21 of the FTP server on the OUTSIDE interface. Port 21 is the control channel of the FTP server. The ASA statefully tracks this outbound connection and permits its return traffic.

For a file transfer to occur, the client must tell the server where to send the data. It does this with a PORT command on the control channel, carrying its own IP address and a dynamically chosen data port. The server then opens the data connection from its port 20 (the data channel) back to that client port. The firewall sees this as a brand-new inbound connection and denies it. Active mode is therefore not practical without Advanced Protocol Inspection, because the client-side data port is different every time and cannot be permitted with a static rule.

Advanced Protocol Inspection lets the ASA read the FTP control channel for the PORT command (or, in passive mode, the server's 227 reply) to learn the negotiated data port. Once it knows the data port, it opens a temporary pinhole for that one data connection and removes it again when the FTP session ends.

Advanced Protocol Inspection can also block some of the protocol abuse that viruses and worms rely on to spread, although it is not a virus scanner. We will now begin implementation of strict FTP inspection. In ASDM, go to Configuration - Firewall - Service Policy Rules. When creating a service policy rule, turn on protocol inspection for FTP; clicking Configure lets us enforce strict adherence to the FTP standard (the CLI equivalent is inspect ftp strict in the policy map). Among other things, strict mode checks that the address in a PORT command matches the client that sent it, which stops a client from using the server to bounce a connection to a third host.
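To make the inspection concrete, here is an added Python model of what the ASA does with the FTP control channel. It is example code written for this page, not Cisco's implementation: it parses the PORT command and the 227 passive-mode reply, opens a pinhole only for the data connection those messages describe, and in strict mode drops a PORT command whose address is not the client's own (an FTP bounce attempt). The client address 10.1.1.5, the server address 203.0.113.10 and the command lines fed to it are constructed assumptions, not taken from the scenario.

```python
import re

# Constructed addresses (assumption, not from the page): the inside client
# and the outside FTP server whose control channel the ASA is inspecting.
CLIENT_IP = "10.1.1.5"
SERVER_IP = "203.0.113.10"
FTP_DATA_PORT = 20   # source port the server uses for active-mode data connections

# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive mode).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated octets into (ip, port); port = p1*256 + p2."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("FTP host-port octet out of range")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpInspector:
    """Model of the pinholes the ASA opens from one inspected FTP control channel."""

    def __init__(self, client_ip, server_ip, strict=True):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.strict = strict
        # Each pinhole is (src_ip, dst_ip, dst_port) for a data connection
        # that would otherwise be denied as a new inbound connection.
        self.pinholes = set()
        self.rejected = []

    def inspect_client(self, line):
        """Inspect one command from the client. Returns False if the command is dropped."""
        m = PORT_RE.match(line)
        if not m:
            return True                      # other commands pass through untouched
        try:
            ip, port = decode_hostport(m.groups())
        except ValueError:
            self.rejected.append(line)
            return False
        # Strict mode: the PORT address must be the client's own address. Anything
        # else asks the server to open a data connection to a third host (a bounce),
        # so no pinhole is opened and the command is dropped.
        if self.strict and ip != self.client_ip:
            self.rejected.append(line)
            return False
        # Active mode: the server will connect from port 20 to ip:port.
        self.pinholes.add((self.server_ip, ip, port))
        return True

    def inspect_server(self, line):
        """Inspect one reply from the server. Returns False if the reply is dropped."""
        m = PASV_RE.match(line)
        if not m:
            return True
        try:
            ip, port = decode_hostport(m.groups())
        except ValueError:
            self.rejected.append(line)
            return False
        # Strict mode: the PASV reply must carry the server's own address.
        if self.strict and ip != self.server_ip:
            self.rejected.append(line)
            return False
        # Passive mode: the client will connect to ip:port.
        self.pinholes.add((self.client_ip, ip, port))
        return True

    def allowed(self, src_ip, dst_ip, dst_port):
        """Would a new data connection src_ip -> dst_ip:dst_port be permitted?"""
        return (src_ip, dst_ip, dst_port) in self.pinholes

    def close(self):
        """Control session ended: the temporary pinholes go away with it."""
        self.pinholes.clear()


if __name__ == "__main__":
    insp = FtpInspector(CLIENT_IP, SERVER_IP)
    insp.inspect_client("PORT 10,1,1,5,4,1")            # client data port 4*256+1 = 1025
    print(insp.allowed(SERVER_IP, CLIENT_IP, 1025))     # server:20 -> client:1025 is now allowed
    print(insp.inspect_client("PORT 10,1,1,9,0,80"))    # bounce attempt, dropped under strict
```

With strict=False the second PORT command is accepted and a pinhole towards 10.1.1.9:80 is opened, which is exactly the behaviour strict inspection exists to prevent.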

FTP is only one of the services Advanced Protocol Inspection supports. Other protocols, such as those used by instant messaging applications, can also be inspected so that the channel cannot be used to spread malware or to carry traffic the protocol does not allow.

There are various ways Advanced Protocol Inspection can hinder attackers. For example, ESMTP inspection can block the extended (ESMTP) commands and restrict the server to the seven basic RFC 821 commands: HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT.

DNS Doctoring, or DNS Rewriting, lets the ASA modify the replies exchanged between a DNS server and a client. It solves the problem where the client sits on a private network (INSIDE), the server it wants to reach sits on another interface (the DMZ) behind a static NAT, and the DNS server is out on the public network. When the client resolves the web server's name, the public DNS returns the server's translated public IP, which is the wrong address to use from inside. With DNS rewriting, the ASA intercepts the DNS reply, rewrites the public (mapped) address to the correct internal (real) address, and then forwards the reply to the host. If the inside host tried to reach the public address instead, the ASA would drop the packets, because that address belongs to a translation between the DMZ and OUTSIDE interfaces and the ASA does not redirect the traffic back in.

To turn on DNS doctoring, we tweak the static NAT entry on the ASA. First, an example static NAT entry as the appliance would normally carry it (the server 2.2.2.2 in the DMZ is translated to the OUTSIDE interface address):
static (DMZ,OUTSIDE) interface 2.2.2.2 netmask 255.255.255.255

To tell the ASA to intercept and rewrite DNS replies that refer to this static, we add the dns keyword:
static (DMZ,OUTSIDE) interface 2.2.2.2 netmask 255.255.255.255 dns
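Here is an added Python example (not from the page and not Cisco code) of the rewrite the dns keyword turns on. It assumes the OUTSIDE interface address that the interface keyword refers to is 203.0.113.1, so the static above maps the DMZ server 2.2.2.2 to 203.0.113.1. A constructed DNS reply answering with 203.0.113.1 has its A record rewritten to 2.2.2.2 before it would be forwarded to the inside client; replies that carry no mapped address, and queries, pass through unchanged.

```python
import struct
import ipaddress

# Assumption (not on the page): the OUTSIDE interface address that the
# "interface" keyword of the static refers to is 203.0.113.1.  Each entry
# maps mapped (public) address -> real (DMZ) address for a static with "dns".
DNS_REWRITE = {"203.0.113.1": "2.2.2.2"}


def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _walk_records(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def a_records(msg):
    """IPv4 addresses carried in the IN A records of a message."""
    return [str(ipaddress.IPv4Address(msg[off:off + 4]))
            for rtype, rclass, off, rdlen in _walk_records(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_reply(msg, rewrite=DNS_REWRITE):
    """Rewrite mapped -> real in every A record of a reply; returns (new_msg, rewritten_count)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:                      # QR bit clear: a query, leave it alone
        return msg, 0
    out = bytearray(msg)
    count = 0
    for rtype, rclass, off, rdlen in _walk_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
            if addr in rewrite:
                out[off:off + 4] = ipaddress.IPv4Address(rewrite[addr]).packed
                count += 1
    return bytes(out), count


def build_a_reply(ident, name, addr, ttl=300):
    """Construct a minimal standard reply with one A record (sample data for the demo)."""
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)   # response, RD+RA, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)              # IN A
    answer = (b"\xc0\x0c"                                    # pointer to the question name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(addr).packed)
    return header + question + answer


if __name__ == "__main__":
    reply = build_a_reply(0x1234, "www.example.com", "203.0.113.1")
    fixed, n = doctor_reply(reply)
    print(a_records(reply), "->", a_records(fixed), "records rewritten:", n)
```

Only the four rdata bytes of matching A records change; the transaction ID, question and TTL are left alone, so the client's resolver accepts the doctored reply as the answer to its own query.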

The ASA can also detect and handle port scanners and sweepers. These tools are becoming harder to detect with the advent of stealth modes and other evasion techniques. The ASA supports three kinds of threat detection:
1) Basic - Monitors the rate of packets dropped for reasons such as access-list denies, bad packet format, exceeded connection limits, detected DoS attacks and suspicious ICMP packets, and logs a message when a rate exceeds its threshold. To enable basic threat detection, we type:
threat-detection basic-threat

2) Scanning - Detects sweeps and port scans. Unlike IPS detection it does not match signatures; it works from a database of gathered connection statistics. Hosts identified as attackers can be shunned for a configurable duration, 1 hour (3600 seconds) by default. To enable scanning threat detection with a 24-hour shun, we use:
threat-detection scanning-threat shun duration 86400

3) Threat Statistics - Gathers host, protocol, port and access-list statistics. This is designed to collect extensive statistics and uses memory and CPU accordingly. To enable all of them, we type:
threat-detection statistics

Default configuration is hidden from the normal running-config view. To see the defaults as well, we type:
show run all

To view the gathered threat-detection statistics, we use the corresponding show command:
show threat-detection statistics

By default, basic threat detection and access-list statistics are enabled. Scanning threat detection and the host, port and protocol statistics are not enabled by default.
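The scanning detector is statistics-driven rather than signature-driven, so its logic is easy to show. Below is an added Python example written for this page; it is not the ASA's actual algorithm, and the real thresholds and rate intervals are not given on the page. It reads constructed deny-log lines, keeps a sliding window of dropped connection attempts per source, declares a source an attacker once it has hit a threshold of distinct host/port targets inside the window, and shuns it for the configured duration, 3600 seconds by default as stated above. The window size, the threshold, the log line format and the addresses are all assumptions.

```python
import re
from collections import defaultdict, deque

# Tunables (assumptions; the page only gives the default shun time of 1 hour).
WINDOW_SECONDS = 600            # sliding window over which drops are counted
DISTINCT_TARGETS = 20           # distinct (host, port) pairs within the window => scanner
DEFAULT_SHUN_SECONDS = 3600     # "shun duration" default stated on the page

# Constructed deny-log format for this demo (not real ASA syslog output):
# "<epoch> Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port>"
DENY_RE = re.compile(r"^(\d+) Deny \w+ src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)$")


class ScanningThreatDetector:
    """Statistics-based (not signature-based) detection of sweeps and port scans."""

    def __init__(self, shun_seconds=DEFAULT_SHUN_SECONDS,
                 window=WINDOW_SECONDS, distinct_targets=DISTINCT_TARGETS):
        self.shun_seconds = shun_seconds
        self.window = window
        self.distinct_targets = distinct_targets
        self.recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
        self.shunned = {}                  # src -> epoch at which the shun expires

    def is_shunned(self, src, now):
        """True while a shun is in force; an expired shun is removed on the way."""
        expiry = self.shunned.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.shunned[src]
            return False
        return True

    def observe(self, line):
        """Feed one deny-log line. Returns 'ignored', 'shunned', 'attacker' or 'ok'."""
        m = DENY_RE.match(line)
        if not m:
            return "ignored"
        ts, src, dst, dport = int(m.group(1)), m.group(2), m.group(3), int(m.group(4))
        if self.is_shunned(src, ts):
            return "shunned"             # everything from a shunned host is dropped outright
        q = self.recent[src]
        q.append((ts, (dst, dport)))
        while q and q[0][0] < ts - self.window:
            q.popleft()                  # forget drops older than the window
        if len({target for _, target in q}) >= self.distinct_targets:
            self.shunned[src] = ts + self.shun_seconds
            q.clear()
            return "attacker"
        return "ok"


def sample_log(scanner="198.51.100.9", start=1000):
    """Constructed sample: one host probing 25 ports on an inside server, then one benign client."""
    lines = [f"{start + i} Deny tcp src outside:{scanner}/{40000 + i} dst inside:10.1.1.5/{20 + i}"
             for i in range(25)]
    lines.append(f"{start + 30} Deny tcp src outside:203.0.113.50/51000 dst inside:10.1.1.5/23")
    return lines


def run(lines, detector=None):
    """Feed the lines in order; return the detector and the verdict for each line."""
    det = detector or ScanningThreatDetector()
    verdicts = [det.observe(line) for line in lines]
    return det, verdicts


if __name__ == "__main__":
    det, verdicts = run(sample_log())
    for line, verdict in zip(sample_log(), verdicts):
        print(verdict.ljust(8), line)
    print("shunned until:", det.shunned)
```

Note that the shun is keyed on the source address alone, as on the ASA: once the scanner trips the threshold, its later probes are reported as shunned without being counted, and the benign client talking to the same server is unaffected. Shortening the window or raising the threshold trades detection speed against false positives on busy but legitimate hosts.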
