CCNA: Sec class-map question
mikearama
Member Posts: 749
Hey techies... from the CCNA Security Official Exam Cert Guide:
"In this case, HTTP traffic must encounter the match protocol http statement first so that the traffic will be handled by the service-specific capabilities of HTTP inspection. What would happen if we reversed the "match" lines so that traffic encounters the match protocol tcp statement before it is compared to the match protocol http statement? If this were the case, the traffic would be classified as TCP traffic and would be inspected according to the capabilities of the TCP inspection component of the firewall. This would create a problem for certain services such as FTP and TFTP, as well as various multimedia and voice signaling services such as H.323, SIP, Skinny, RTSP, and others. It is important that additional inspection capabilities be used to recognize the more complex activities of these services."
This I don't get. Where's the issue? So what if http traffic was first inspected by the TCP inspector, before getting deeper/better analysis by the http filter?
Does the comment above suggest that since http is being inspected ALONG WITH ftp, tftp, skinny, etc, that they will interfere with each other? Looks like it, right?
So if I truly wanted to inspect all tcp traffic, is match protocol tcp not sufficient? or would I have to go with something like:
match protocol FTP
match protocol TFTP
match protocol HTTP
match protocol RTSP
match protocol SMTP
match protocol DNS
before getting to put:
match protocol TCP ??? (Dayum, I don't care for class-maps!)
class-map type inspect match-any my-test-cmap
 match protocol http
 match protocol tcp
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
-
scheistermeister
Member Posts: 748
No, it means that if you have the match protocol tcp first, everything that is tcp will be classified the way you wanted only http to be classified. In other words, they mean to treat it like an access-list: list the most specific first.
Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
-
dtlokee
Member Posts: 2,378
Well, the inspection engine will handle a TCP packet differently than an HTTP packet. Although HTTP rides on top of TCP, there are additional parameters that you can apply with HTTP inspection (like URL filtering) that you can't do with simple TCP inspection.
The only easy day was yesterday!
-
mikearama
Member Posts: 749
scheistermeister wrote:
"No, it means that if you have the match protocol tcp first, everything that is tcp will be classified the way you wanted only http to be classified. In other words, they mean to treat it like an access-list: list the most specific first."
Ah, I think I see. So you're suggesting that the match statements work like ACLs, where once there's a match, the processing stops. Gotcha.
I read it differently... I thought that all the match statements were read from the top down, so even though HTTP traffic would get inspected by the TCP inspector, it would move down and be inspected by the HTTP inspector.
Okay, I feel better about it now. Thanks guys.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
-
AutoBahn81
Member Posts: 22
It depends on whether you use the "any" keyword or the "all" keyword in the class-map statement. If you use "any" then there only needs to be one match anywhere in the map, whereas with an "and" argument the packet must match all the criteria. The "any" is treated as an <or> operator and the "all" is treated as an <and> operator.
Class maps simply identify traffic, whereas Policy maps state what should actually be done with it once identified.
BIT - Network Administration
MBA - IT Management
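As an added example (not from the thread and not Cisco's code), a small Python model of the class-map evaluation the replies describe: the first-match behaviour of match-any that scheistermeister compares to an ACL, and the OR/AND difference between match-any and match-all that AutoBahn81 describes. The protocol-to-transport table is an assumed simplification.

```python
# Added example, not from the thread or from Cisco: a simplified model of how a
# zone-based-firewall "class-map type inspect" evaluates its ordered
# "match protocol" statements, showing why the specific protocol (http) must be
# listed before the generic one (tcp) in a match-any class-map.

# Assumed, simplified: which transport each application protocol rides on.
TRANSPORT = {"http": "tcp", "ftp": "tcp", "smtp": "tcp", "rtsp": "tcp",
             "tftp": "udp", "dns": "udp"}


def statement_matches(proto, app):
    """Does a 'match protocol <proto>' statement match a flow recognised as <app>?"""
    if proto in ("tcp", "udp"):
        # Generic transport statement: matches every flow carried on that transport.
        return TRANSPORT.get(app) == proto or app == proto
    return app == proto


def matches_class(matches, app, mode):
    """Whether the class-map matches the flow at all.
    match-any behaves as OR, match-all as AND over the statements."""
    results = [statement_matches(p, app) for p in matches]
    return any(results) if mode == "match-any" else all(results)


def inspection_protocol(matches, app):
    """For a match-any class-map: the FIRST matching statement decides which
    inspection engine handles the flow, like an ACL. Later, more specific
    statements are never consulted. Returns None if nothing matches."""
    for proto in matches:
        if statement_matches(proto, app):
            return proto
    return None


def compare_orders(app):
    """Classify one flow under both orderings from the thread's class-map."""
    return {
        "http-then-tcp": inspection_protocol(["http", "tcp"], app),
        "tcp-then-http": inspection_protocol(["tcp", "http"], app),
    }


if __name__ == "__main__":
    for app in ("http", "ftp", "dns"):
        print(app, compare_orders(app))
```

With `match protocol tcp` first, an HTTP flow is reported as "tcp" and the HTTP-specific engine is never reached; with `match protocol http` first it is reported as "http", which is the ordering the book quote insists on.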