CCNA: Sec class-map question

Hey techies... from the CCNA Security Official Exam Cert Guide:
"In this case, HTTP traffic must encounter the match protocol http statement first so that the traffic will be handled by the service-specific capabilities of HTTP inspection. What would happen if we reversed the "match" lines so that traffic encounters the match protocol tcp statement before it is compared to the match protocol http statement? If this were the case, the traffic would be classified as TCP traffic and would be inspected according to the capabilities of the TCP inspection component of the firewall. This would create a problem for certain services such as FTP and TFTP, as well as various multimedia and voice signaling services such as H.323, SIP, Skinny, RTSP, and others. It is important that additional inspection capabilities be used to recognize the more complex activities of these services."
This I don't get. Where's the issue? So what if http traffic was first inspected by the TCP inspector, before getting deeper/better analysis by the http filter?
Does the comment above suggest that since http is being inspected ALONG WITH ftp, tftp, skinny, etc, that they will interfere with each other? Looks like it, right?
So if I truly wanted to inspect all tcp traffic, is match protocol tcp not sufficient? Or would I have to go with something like:
match protocol FTP
match protocol TFTP
match protocol HTTP
match protocol RTSP
match protocol SMTP
match protocol DNS
before getting to put:
match protocol TCP ??? (Dayum, I don't care for class-maps!)
class-map type inspect match-any my-test-cmap
 match protocol http
 match protocol tcp
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
Ah, I think I see. So you're suggesting that the match statements work like ACL's, where once there's a match, the processing stops. Gotcha.
I read it differently... I thought that all the match statements were read from the top down, so even though HTTP traffic would get inspected by the TCP inspector, it would move down and be inspected by the HTTP inspector.
Okay, I feel better about it now. Thanks guys.
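To make the "first match wins, like an ACL" point concrete, here is an added Python model of how a match-any inspect class-map selects an inspection engine; it is not Cisco's code or anything from the book, and the port table and flow tuples are constructed assumptions (real ZBF uses NBAR/PAM port mapping, not a plain destination-port lookup).

```python
# Added model of IOS ZBF "class-map type inspect match-any" evaluation:
# match lines are tested top-down and the FIRST line that matches decides
# which inspection engine handles the flow. Nothing below is Cisco code.

# Constructed port table (assumption for the example): which application
# inspector a "match protocol <name>" line claims.
APP_PORTS = {
    "http": {80},
    "ftp": {21},
    "smtp": {25},
    "dns": {53},
    "rtsp": {554},
}


def flow_matches(flow, match_line):
    """True if a (l4proto, dst_port) flow satisfies one 'match protocol' line."""
    l4proto, port = flow
    if match_line in ("tcp", "udp"):
        # Generic L4 inspectors match every flow of that transport protocol.
        return l4proto == match_line
    return port in APP_PORTS.get(match_line, set())


def classify(flow, match_lines):
    """First-match evaluation; returns the winning engine or None."""
    for line in match_lines:
        if flow_matches(flow, line):
            return line
    return None


# Constructed sample flows.
HTTP_FLOW = ("tcp", 80)
FTP_FLOW = ("tcp", 21)

# The book's order, the reversed order, and the "list every app first" order.
BOOK_ORDER = ["http", "tcp"]
REVERSED_ORDER = ["tcp", "http"]
ALL_APPS_FIRST = ["ftp", "http", "rtsp", "smtp", "dns", "tcp"]

if __name__ == "__main__":
    for name, order in [("book", BOOK_ORDER), ("reversed", REVERSED_ORDER),
                        ("apps-first", ALL_APPS_FIRST)]:
        print(f"{name:10s} http->{classify(HTTP_FLOW, order)} "
              f"ftp->{classify(FTP_FLOW, order)}")
```

With "tcp" on top every TCP flow is swallowed by the generic TCP engine, which is why FTP only gets FTP inspection when "match protocol ftp" sits above "match protocol tcp".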
Class maps simply identify traffic, whereas Policy maps state what should actually be done with it once identified.
MBA - IT Management