I have begun my goal of reading the entire 12.4 Security Configuration Guide. I likely won't read it all because many things are probably unrelated to CCIE R&S, but you never really can tell. Especially since the blueprint has "Other Security Features" on it. This configuration is part of CBAC and so I thought I would test a small scenario.
R4----s1/0 R5----R6
R4 is the http server and R6 is the client. Here is how I set them up to verify it's working:
R4#copy run test.html
Destination filename [test.html]?
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Verifying checksum... OK (0x7071)
1942 bytes copied in 4.628 secs (420 bytes/sec)
R4#
R4#dir
Directory of flash:/
1 -rw- 1942 test.html
7864316 bytes total (7862308 bytes free)
R4#conf t
R4(config)#ip http path flash:
R4 is set up; now let's test the client, R6:
R6#copy http://192.168.45.4/test.html flash:
Destination filename [test.html]?
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading http://192.168.45.4/test.html !
Verifying checksum... OK (0x7071)
1942 bytes copied in 0.688 secs (2823 bytes/sec)
R6#
Good, so we know that works. Now we can configure R5 as the HTTP Application FW. This does require CBAC as well as some new appfw commands which I have never used. There are MANY more options besides this, so I suggest you read the DocCD for a more in-depth explanation. I just wanted to get the gist of it here:
ip inspect name APPFW appfw HTTPFW
ip inspect name APPFW http
!
appfw policy-name HTTPFW
application http
strict-http action allow alarm
content-length minimum 1945 action reset alarm
port-misuse tunneling action reset
interface Serial1/0
description TO R4
ip inspect APPFW out
Notice the minimum content length is 1945 bytes. This will prevent R6 from copying the file via HTTP (test.html is 1942 bytes, as we can see above):
R6#copy http://192.168.45.4/test.html flash:
Destination filename [test.html]?
Erase flash: before copying? [confirm]n
%Error opening http://192.168.45.4/test.html (I/O error)
R6#
Jump to R5 and see the message:
R5#
*Mar 2 05:34:02.708: %APPFW-4-HTTP_CONT_TYPE_SIZE: Sig:11 Content size 1942 out of range - Reset - Content size out-of-bounds from 192.168.56.6:25101 to 192.168.45.4:80
If we change the minimum content length to 1942, everything works as expected:
R5(config)#appfw policy-name HTTPFW
R5(cfg-appfw-policy)#application http
R5(cfg-appfw-policy-http)#content-length minimum 1942 action reset alarm
R6#copy http://192.168.45.4/test.html flash:
Destination filename [test.html]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]y
Erase flash: before copying? [confirm]n
Loading http://192.168.45.4/test.html !
Verifying checksum... OK (0x7071)
1942 bytes copied in 0.396 secs (4904 bytes/sec)
R6#
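As an added example that is not part of the original post or of Cisco's code, here is a small Python model of the content-length check R5 performs: the policy mirrors "content-length minimum N action reset alarm", the HTTP response head is constructed, and the alarm text and the inclusive-minimum behaviour are assumptions modelled on the syslog message and the two test runs above.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class ContentLengthPolicy:
    """Mirrors 'content-length minimum N [maximum M] action reset alarm' (assumed semantics)."""
    minimum: Optional[int] = None
    maximum: Optional[int] = None
    action: str = "reset"   # action on violation: "reset" or "allow"
    alarm: bool = True      # whether a syslog-style alarm is raised on violation

_CL_RE = re.compile(rb"^Content-Length:\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)

def content_length(http_message: bytes) -> Optional[int]:
    """Return the Content-Length header value from the message head, if present."""
    head = http_message.split(b"\r\n\r\n", 1)[0]
    m = _CL_RE.search(head)
    return int(m.group(1)) if m else None

def inspect(http_message: bytes, policy: ContentLengthPolicy, src: str, dst: str):
    """Apply the policy as R5 did: a size outside [minimum, maximum] (inclusive bounds,
    as the 1942/1942 run above shows) triggers the configured action.
    Returns (action, alarm_text_or_None)."""
    size = content_length(http_message)
    if size is None:
        return "allow", None          # no header, nothing for this check to match
    too_small = policy.minimum is not None and size < policy.minimum
    too_large = policy.maximum is not None and size > policy.maximum
    if not (too_small or too_large):
        return "allow", None
    alarm = None
    if policy.alarm:
        # constructed text modelled on the %APPFW-4-HTTP_CONT_TYPE_SIZE message seen on R5
        alarm = (f"%APPFW-4-HTTP_CONT_TYPE_SIZE: Content size {size} out of range - "
                 f"{policy.action.capitalize()} - Content size out-of-bounds from {src} to {dst}")
    return policy.action, alarm

# constructed sample: the head of R4's reply carrying the 1942-byte test.html
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 1942\r\n\r\n" + b"!" * 1942)

if __name__ == "__main__":
    for minimum in (1945, 1942):
        pol = ContentLengthPolicy(minimum=minimum)
        print(minimum, inspect(SAMPLE_RESPONSE, pol, "192.168.56.6:25101", "192.168.45.4:80"))
```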