Lesson 9 Flashcards
_________ are used to look for certain things in the application-layer payload; they can be used to qualify a Layer 3/4 class map, which identifies the Layer 3 addresses, the protocol, and the port numbers of the application involved.
Application layer class maps
Application layer class maps fall under two categories: _____ and ______.
inspection class maps
regular expressions
When using MPF, you can inspect at the application layer by using the ________ command and/or by using the _________ command.
class-map type inspect
policy-map type inspect
Advanced Protocol Inspection (aka ______________)
deep packet inspection
App layer attacks (examples of what application inspection can address):
– Blocking .exe attachments
– Prohibiting peer-to-peer file sharing
– Setting limits on URL lengths (buffer overflow)
– Prohibiting file transfer as part of IM sessions
– Protecting web services by ensuring XML schema is valid
– Resetting a TCP session if a string is known to be malicious
– Dropping sessions with packets that are out of order (SIP)
class-map type inspect =
used to match criteria specific to an application
policy-map type inspect =
used to define special actions for inspected application traffic
class-map supported apps
dns, ftp, h323, http, im, and sip
The _________ parameter specifies that all the match commands must be matched to classify the traffic and associate a policy to it
match-all
The _________ parameter specifies that only one match command has to be matched; if you omit it, the parameter defaults to match-all.
match-any
Inspection Class Map config
fw1(config)# class-map type inspect http match-any EXAMINE-PUT-AND-POST
fw1(config-cmap)# match request method put
fw1(config-cmap)# match request method post
policy-map supported apps
dcerpc, dns, esmtp, ftp, gtp, h323, http, im, mgcp, netbios, radius-accounting, rtsp, sip, skinny, and snmp.
Policy Map Example
fw1(config)# policy-map type inspect http OUTPOL
fw1(config-pmap)# match request header length gt 512
fw1(config-pmap-c)# log
fw1(config-pmap-c)# exit
fw1(config-pmap)# match request header length gt 1024
fw1(config-pmap-c)# reset
Regular Expressions
fw1(config)# regex
fw1(config)# class-map type regex match-any
fw1(config-cmap)# match regex
If the policy is applied _______, actions are applied to traffic in the ingress direction only.
globally
If the policy is applied to a ________, actions are applied to all traffic bidirectionally. All traffic that enters or exits is affected if the traffic matches the class map for both directions.
specific interface
QoS policing and priority queuing are always applied in the _____ direction, whether on a specific interface or globally.
egress
To display statistics on the traffic being inspected on the ASA, use the ____________ command.
show service-policy
The DNS Guard function
enforces one DNS response per query and is enabled by default.
________ is used to provide a way for DNS records to be trusted by whoever receives them.
DNSSEC
The key component of DNSSEC is the use of ____________ to ensure that DNS records are authentic. DNSSEC not only allows a DNS server to prove the authenticity of the records it returns; it also allows the assertion of "non-existence of records".
public key cryptography
With DNSSEC, many DNS packets will exceed ____ bytes
512 bytes and may approach 4096 bytes.
(This is for what?)
message-length maximum client auto
message-length maximum 512
The message-length maximum client auto command allows the firewall to reference the EDNS packets to properly set the message-length size. Non-DNSSEC traffic will still reference the message-length maximum 512 command to filter DNS packet size accordingly.
id-randomization
Enables id-randomization to generate unpredictable DNS transaction IDs in DNS messages and protect DNS servers and resolvers with poor randomization of DNS transaction IDs.
id-mismatch count 10 duration 2 action log
Enables id-mismatch to count DNS transaction ID mismatches within a specified period of time and generate a syslog when the defined threshold has been reached.
match header-flag RD
drop
Check for DNS query messages with the recursion desired (RD) flag set in the DNS header and drop those packets to avoid being used as a recursive resolver.