ACLs can filter traffic at layers 3 and 4. Usually that is enough, but sometimes we need to subject the traffic to more granular inspection before we reject any host. Then filtering on access lists will not work and the Modular Policy Framework has to be used. But as you will see for yourself, MPF can do much, much more for us.
What is MPF and what can it do for us?
MPF, among other things, provides application inspection for applications with dynamic ports (example below), Quality of Service (traffic prioritization), policing (rate limiting, bandwidth limitation), traffic shaping, sending traffic to the IPS module in the ASA, and tweaking connection settings such as the maximum number of TCP half-open sessions (preventing DoS attacks).
MPF consists of 3 parts: CLASS MAP, POLICY MAP and SERVICE POLICY.
CLASS MAP – defines what traffic we are going to deal with – WHAT
POLICY MAP – defines what we are going to do with the traffic defined in the class map – ACTION
SERVICE POLICY – defines where we are going to apply our policy for the defined traffic – WHERE
Now that we know what MPF is and what it consists of, let's check how it works. The topology is very simple and applies to both cases below.
FTP server in “passive mode” – case study
Let’s assume we have an FTP server in the DMZ zone and a client wants to connect to our FTP server via “passive mode”. What does “passive mode” mean? In active mode, when the client connects to the FTP server, 2 privileged ports are used: the FTP server always uses port 21 as the control channel and port 20 as the data channel. In passive mode the FTP server still uses port 21 as the control channel, but instead of port 20 it uses a random port, for example port 4234. When we apply an access list allowing ports 20 and 21 on the outside interface so that clients from the outside can connect, everything goes fine in active mode. The problem occurs when we want to connect in passive mode, because the random data-channel port is not in the access list, unless we allow all 65000 ports 😉 So how can we prevent the client from being rejected by the server?
This is where the Modular Policy Framework and packet inspection come in.
access-list FTP_permit permit tcp any any eq ftp – matching traffic from outside to the FTP server
class-map FTP_class_map – class map with the interesting traffic
 match access-list FTP_permit
policy-map FTP_policy_map – we want to subject the interesting traffic to FTP protocol inspection
 class FTP_class_map
  inspect ftp
service-policy FTP_policy_map interface dmz – applying MPF on the dmz interface where the FTP server is
What does the above configuration actually do? The ASA will inspect FTP connections from outside to the dmz; from now on, whenever a random port is opened for the data connection, it will be included in the stateful connection between the client and the server.
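To show what the inspector actually has to do on the control channel, here is an added Python example (not from the original post and not Cisco code) that parses the client's PORT command (active mode) and the server's 227 reply (passive mode) and derives the single data-channel pinhole the firewall should open, rejecting an announced address that does not belong to the speaker. The client and server addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# Both messages carry the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Pinhole:
    """One data connection to allow alongside the control session."""
    src_ip: str    # side that will initiate the data connection
    dst_ip: str    # side that listens for it
    dst_port: int


def _endpoint(groups):
    octets, p1, p2 = groups[:4], int(groups[4]), int(groups[5])
    return ".".join(octets), p1 * 256 + p2


def pinhole_for(line, client_ip, server_ip):
    """Derive the data-channel pinhole announced by one control-channel line.

    This mirrors the job 'inspect ftp' does on the ASA: read PORT or the 227
    reply and permit only that one data connection. Like the ASA's strict
    option, an address that does not belong to the speaker is rejected so the
    control channel cannot open holes towards third hosts. Returns None for
    lines that announce nothing.
    """
    m = PASV_REPLY.match(line)
    if m:                                   # server tells the client where to connect
        ip, port = _endpoint(m.groups())
        if ip != server_ip:
            raise ValueError(f"227 reply advertises {ip}, not the server {server_ip}")
        if port < 1024:
            raise ValueError(f"passive data port {port} is privileged")
        return Pinhole(src_ip=client_ip, dst_ip=server_ip, dst_port=port)
    m = PORT_CMD.match(line)
    if m:                                   # client tells the server where to connect
        ip, port = _endpoint(m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT advertises {ip}, not the client {client_ip}")
        return Pinhole(src_ip=server_ip, dst_ip=client_ip, dst_port=port)
    return None


if __name__ == "__main__":
    # Constructed sample session: client on the outside, server in the DMZ.
    client, server = "203.0.113.7", "10.0.0.5"
    for msg in ("USER anonymous", "227 Entering Passive Mode (10,0,0,5,16,138)",
                "PORT 203,0,113,7,8,0"):
        print(msg, "->", pinhole_for(msg, client, server))
```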
Limitation of TCP half open sessions
Opening a lot of TCP half-open sessions is one way to make a denial-of-service attack. We know what the 3-way handshake during the establishment of a TCP session is, but in this case only 2 steps of the handshake take place: the client sends a SYN to the server, the server replies with SYN/ACK and the client doesn't answer, but the session is still open on the server. Thousands of open sessions may kill the server. But thanks to MPF we can prevent this easily, let's see how.
class-map Connections_class_map – the class map name is not in the original post and is assumed here
 match port tcp range 1 65000
policy-map Connections_limits
 class Connections_class_map
  set connection conn-max 100 embryonic-conn-max 20
  set connection timeout embryonic 0:00:10
service-policy Connections_limits interface outside
So, what did we just set up? For any connection from outside on the port range 1-65000 we set the maximum number of connections to 100 and allow 20 half-open sessions. We also set the maximum time for finishing the 3-way handshake to 10 seconds; after this time the session will be closed. That's all. Now the ASA works as a proxy for our internal server.
ASA inspection default
Each ASA firewall has a default inspection MPF implemented. Traffic that matches the inspected protocols will pass through the firewall without any problems. This inspection list may be modified and is applied globally, which means on each interface. If you take a closer look you'll notice icmp is not present on this default list, which is why the ASA is not pingable out of the box.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  (the other default inspect lines are not reproduced here)
service-policy global_policy global