|
0:00:14
|
In our next section we are going to talk about the zone based policy firewall application inspection
|
|
0:00:35
|
Now some of the common matches
|
|
0:00:19
|
that allow us to look into the layer 7
|
|
0:00:21
|
payload of web sessions
|
|
0:00:24
|
or instant messengers or voice over ip connections
|
|
0:00:27
|
in order to match
|
|
0:00:29
|
and change
|
|
0:00:30
|
the individual parameters that are going inside the actual application
|
|
0:00:38
|
that you would typically do with the application inspection
|
|
0:00:41
|
would be things like to limit what are the particular http
|
|
0:00:46
|
commands that a user can issue
|
|
0:00:48
|
like if I want to prevent someone from uploading
|
|
0:00:50
|
files to the web site with the http post command
|
|
0:00:54
|
or to limit what are the specific urls that a user can or cannot visit
|
|
0:00:59
|
or inspections for mail traffic
|
|
0:01:01
|
like for a sendmail we can say what are the maximum number of recipients
|
|
0:01:05
|
that you can have in an individual message
|
|
0:01:08
|
that would potentially cut down on spam
|
|
0:01:11
|
if there is some sort of, like, open mail relay in the network
|
|
0:01:15
|
but the key is that these individual applications are going to have different types of inspections
|
|
0:01:20
|
whereas the http payload is obviously going to be different than the imap
|
|
0:01:26
|
mail payload or a SIP voice call
|
|
0:01:30
|
Now the syntax logic for this configuration
|
|
0:01:33
|
is going to be fairly similar to the ASA's application inspection with the Modular Policy Framework
|
|
0:01:38
|
where again we are going to match the traffic with a class map of type inspect
|
|
0:01:44
|
but the key is that these are going to be protocol specific class maps or layer 7 class maps
|
|
0:01:50
|
inside here, this is where we would match the application specific fields
|
|
0:01:55
|
like the http commands or the url or the particular mail commands
|
|
0:02:01
|
once we have classified the individual application match we are trying to use
|
|
0:02:06
|
next thing is that we are going to determine what do we actually want to do with the traffic
|
|
0:02:10
|
and that's going to be accomplished with the policy map type inspect
|
|
0:02:14
|
but again here this is going to be a layer 7 policy map
|
|
0:02:18
|
that is specific to that individual protocol
|
|
0:02:21
|
So from the application
|
|
0:02:23
|
our policy map, we are going to be calling the application specific class map
|
|
0:02:27
|
and then performing our individual application specific actions
|
|
0:02:31
|
So we will see that a policy map of type inspect for http
|
|
0:02:35
|
would have different potential actions than a policy map type inspect for
|
|
0:02:39
|
SMTP or for pop3
|
|
0:02:43
|
Now once we know
|
|
0:02:45
|
what is the type of traffic, how are we going to inspect it
|
|
0:02:48
|
we could also call the parameter map
|
|
0:02:51
|
where previously we saw the parameter map of type inspect
|
|
0:02:56
|
that was used for changing the TCP normalization features
|
|
0:02:59
|
like what are the limits of the half open sessions
|
|
0:03:02
|
or doing the audit trail
|
|
0:03:05
|
what are the timeouts for the UDP sessions
|
|
0:03:07
|
in the case of the parameter maps for the application inspection
|
|
0:03:11
|
most of the time we would be calling regular expression parameters
|
|
0:03:15
|
because this is going to allow us to match
|
|
0:03:17
|
any type of arbitrary string
|
|
0:03:20
|
inside the application payload
|
|
0:03:23
|
So I could say look inside of the mail payload
|
|
0:03:26
|
and filter out this specific keyword
|
|
0:03:28
|
based on the regular expression string
|
|
0:03:31
|
or the same case for the http urls
|
|
0:03:35
|
Now the issue with this when we are actually doing this implementation
|
|
0:03:38
|
is that it assumes you have an application level understanding
|
|
0:03:42
|
of what is actually going on in that protocol
|
|
0:03:45
|
so if you don't understand what are the actual fields that the http server uses
|
|
0:03:50
|
what are the different methods that you can use for uploading and downloading files
|
|
0:03:55
|
and what is the specific syntax behind them
|
|
0:03:58
|
then it would be fairly difficult in order to build one of these policies
|
|
0:04:02
|
So for these types of applications, a lot of the times you would rely on the documentation
|
|
0:04:07
|
to see what are the basic examples that they are doing for maybe url filtering
|
|
0:04:12
|
or for mail specific inspections
|
|
0:04:14
|
generally you would need to be an expert on these types of topics
|
|
0:04:18
|
because you're generally going to rely highly on the
|
|
0:04:21
|
the documentation examples to figure out exactly what we are going to do
|
|
0:04:26
|
Now in our particular case here
|
|
0:04:29
|
what we are going to be looking at is router4 configured as a web server
|
|
0:04:35
|
where router3 again is running the zone based policy firewall
|
|
0:04:39
|
where the connection to router
|
|
0:04:41
|
4 is the inside
|
|
0:04:43
|
portion of the network
|
|
0:04:45
|
and the connection to the frame relay network is the outside
|
|
0:04:51
|
So we have clients on the outside network
|
|
0:04:54
|
on the untrusted network that are trying to send web requests
|
|
0:04:57
|
into our server
|
|
0:05:00
|
this means that the actual inspection
|
|
0:05:02
|
is going to happen
|
|
0:05:03
|
in the outside
|
|
0:05:05
|
to inside zone pairing
|
|
0:05:08
|
we saw the previous example of this when we were doing the
|
|
0:05:12
|
the TCP normalization
|
|
0:05:14
|
that router3 has a
|
|
0:05:16
|
class map that says match the traffic that's going to the web server
|
|
0:05:20
|
based on an access list and based on the protocol
|
|
0:05:23
|
So we are saying match protocol http
|
|
0:05:26
|
in addition to match an access list
|
|
0:05:28
|
then we are inspecting that inside of the policy map
|
|
0:05:33
|
Now to apply to an application level inspection
|
|
0:05:36
|
when we look at the current syntax on router3
|
|
0:05:40
|
if we look at the show run section
|
|
0:05:44
|
class map or policy map
|
|
0:05:48
|
we see we have the
|
|
0:05:50
|
the class map that is matching the servers traffic
|
|
0:05:54
|
it says match all http server class is the name
|
|
0:05:57
|
says that it has to be the protocol http
|
|
0:06:00
|
but it also has to be this particular access list
|
|
0:06:03
|
So this is where we are constraining it to the actual ip address that the server has assigned
|
|
0:06:08
|
this http server's class is then called from the outside to inside policy
|
|
0:06:15
|
that says to inspect the traffic
|
|
0:06:17
|
with the particular parameters that we configured before
|
|
0:06:21
|
where these parameters are
|
|
0:06:23
|
the tcp normalization
|
|
0:06:24
|
like what are the maximum incomplete sessions on a per minute basis
|
|
0:06:29
|
on a per host basis overall
|
|
0:06:31
|
what are the tcp timeouts, what are the maximum number of sessions that we can inspect
|
|
0:06:36
|
etc
|
|
0:06:38
|
so technically those are not application level inspections
|
|
0:06:41
|
they are more just information about the layer 4 header
|
|
0:06:45
|
that we're tracking the
|
|
0:06:47
|
the conversation that's going on at the tcp transport layer
|
|
0:06:50
|
but what we want to do next
|
|
0:06:52
|
is to actually look
|
|
0:06:53
|
inside the web payload
|
|
0:06:56
|
to figure out when someone is actually sending a request to that server
|
|
0:07:00
|
what's inside the actual http message
|
|
0:07:04
|
Now in order to do that
|
|
0:07:06
|
inside this class type inspect http server's class
|
|
0:07:11
|
we are going to call a server's policy
|
|
0:07:15
|
and the server's policy
|
|
0:07:17
|
is then going to be referencing
|
|
0:07:19
|
the policy map type inspect that is for http
|
|
0:07:23
|
where the policy map type inspect http is going to call the class map type inspect http
|
|
0:07:29
|
which then in turn matches the actual fields
|
|
0:07:32
|
that we want in the actual application
|
|
0:07:36
|
So when you look at the final configuration, it can be kind of confusing how it's all tied together
|
|
0:07:41
|
but again the key of using the zone based policy firewall
|
|
0:07:45
|
or similar to the ASA's Modular Policy Framework
|
|
0:07:48
|
is that the final resulting configuration
|
|
0:07:51
|
is generally more modular
|
|
0:07:53
|
than using something like
|
|
0:07:54
|
the ip inspect command
|
|
0:07:57
|
with the content based access control
|
|
0:08:02
|
So let's take a look at this on the command line
|
|
0:08:05
|
where currently
|
|
0:08:08
|
router4 is configured as the web server
|
|
0:08:10
|
it has the http server process enabled
|
|
0:08:13
|
and it's also configured as a DNS server
|
|
0:08:18
|
right now it has two host entries
|
|
0:08:21
|
these are going to one of its own addresses
|
|
0:08:23
|
the 34.4
|
|
0:08:26
|
addresses
|
|
0:08:27
|
Now if we were to go to the
|
|
0:08:30
|
the web client
|
|
0:08:32
|
which is the windows machine here
|
|
0:08:36
|
this device is pointing at router4
|
|
0:08:38
|
as the dns server
|
|
0:08:41
|
So if we look at the ipconfig /all
|
|
0:08:45
|
we could see it says the dns server is router4's address
|
|
0:08:50
|
since the dns is being inspected by the policy on router3
|
|
0:08:54
|
if I were to ping www.abc.com
|
|
0:08:59
|
I see that the dns resolution is successful
|
|
0:09:02
|
and the actual ICMP ping is working because that likewise is being inspected
|
|
0:09:07
|
Now if I were to browse to this address
|
|
0:09:11
|
and go to www.abc.com
|
|
0:09:15
|
I would see that this individual flow is being denied
|
|
0:09:19
|
and the reason why
|
|
0:09:20
|
is that the address that it is resolving to is 34.4
|
|
0:09:25
|
is not one of the addresses that router3 is actually inspecting for
|
|
0:09:30
|
and we could see the alert message occurring
|
|
0:09:32
|
router3 says, I am dropping the http session
|
|
0:09:36
|
on the particular zone pairing because in class default I have the drop action
|
|
0:09:42
|
Now if we look at the show access list
|
|
0:09:45
|
the access list http servers
|
|
0:09:48
|
is matching
|
|
0:09:49
|
the 172.16.4.4 address
|
|
0:09:53
|
but it's not matching the
|
|
0:09:55
|
34.4 address
|
|
0:09:58
|
which is what we are trying to resolve
|
|
0:10:01
|
so again this configuration is very modular now
|
|
0:10:05
|
because if I had an additional web server that I wanted to protect
|
|
0:10:08
|
with the same parameters and the same application level inspection
|
|
0:10:12
|
the only thing that I would need to do now
|
|
0:10:15
|
is go to ip address access list extended
|
|
0:10:18
|
http servers
|
|
0:10:21
|
servers acl
|
|
0:10:23
|
and say permit ip that is going to 172.16.34.4
|
|
0:10:31
|
since the access list is being called from the class map
|
|
0:10:34
|
the class map called from the policy
|
|
0:10:37
|
it means then whatever parameters that I had applied to the class overall
|
|
0:10:42
|
should now apply to
|
|
0:10:46
|
the server that is resolving to this address
|
|
0:10:49
|
hey, so we could see now there is problem, we are browsing to
|
|
0:10:52
|
www.abc.com
|
|
0:10:55
|
likewise if I were to do the other entry that I configured
|
|
0:10:59
|
www.xyz.com
|
|
0:11:02
|
this is telling us
|
|
0:11:04
|
that the dns resolution was correct
|
|
0:11:07
|
and the inspection for the http traffic was correct
|
|
0:11:13
|
so now lets say we want to limit
|
|
0:11:16
|
the actual http packets based on the payload
|
|
0:11:20
|
and in the payload we are going to be matching on the url string
|
|
0:11:23
|
where I want to allow
|
|
0:11:26
|
the traffic that is going to this xyz
|
|
0:11:30
|
but I want to deny the traffic that is going to abc.com
|
|
0:11:37
|
So again configuration wise for this
|
|
0:11:40
|
Next thing we would need to do is to figure out how do we actually match that traffic
|
|
0:11:44
|
so how can I categorize urls that are going to abc.com
|
|
0:11:48
|
separately from ones that are going to xyz.com
|
|
0:11:53
|
where again this is going to be specific to the individual application
|
|
0:11:57
|
So we are going to configure a new class map that is type inspect
|
|
0:12:01
|
but this time it's not a regular layer 3, layer 4 class
|
|
0:12:05
|
it is an application class that is just for http
|
|
0:12:10
|
and I will say that this is the
|
|
0:12:12
|
the http application class
|
|
0:12:16
|
So again I am trying to make my
|
|
0:12:17
|
my naming of the policy as
|
|
0:12:21
|
specific as possible
|
|
0:12:22
|
so it's essentially self documenting when I look at the resulting configuration
|
|
0:12:28
|
so for this http class if we look at the match option
|
|
0:12:32
|
says you can match the request
|
|
0:12:34
|
the response or both the request or the response at the same time
|
|
0:12:38
|
where the request
|
|
0:12:40
|
this would be the client
|
|
0:12:42
|
asking the server
|
|
0:12:44
|
am I allowed to use this particular method
|
|
0:12:49
|
where http get
|
|
0:12:51
|
this would be your normal downloading of
|
|
0:12:53
|
web pages
|
|
0:12:55
|
If I were to say http post
|
|
0:12:58
|
this would be for uploading files like through a
|
|
0:13:01
|
web upload interface
|
|
0:13:04
|
so maybe there is something that you would want to disallow your users from running
|
|
0:13:09
|
we want the web server to be read only
|
|
0:13:11
|
neither I don't want to allow them to do post
|
|
0:13:15
|
or I don't want them to be able to
|
|
0:13:17
|
to make a directory, or move any files, or delete a file
|
|
0:13:22
|
So this would then assure
|
|
0:13:24
|
if there was some problem with my actual web server application, whether this is an Apache or IIS or some other server
|
|
0:13:32
|
maybe the server got compromised
|
|
0:13:34
|
but if I had this extra layer of protection in front of it
|
|
0:13:37
|
I am still preventing someone from deleting my index.html
|
|
0:13:42
|
or from uploading an additional file that's going to overwrite something else
|
|
0:13:48
|
but again the key behind this is that you would have to know what these methods actually do
|
|
0:13:53
|
in order to figure out what's an appropriate application level inspection
|
|
0:13:58
|
another one that we would
|
|
0:13:59
|
typically want to match here, would be the
|
|
0:14:01
|
the uri
|
|
0:14:04
|
hey the uri here this is what we could match
|
|
0:14:07
|
what is
|
|
0:14:08
|
inside of the actual url
|
|
0:14:13
|
now we could call a
|
|
0:14:14
|
regular expression here
|
|
0:14:17
|
which is then going to match what's the actual url string that we want to
|
|
0:14:21
|
I could also say like what's the
|
|
0:14:24
|
the link that they have requested
|
|
0:14:26
|
So if I wanted to say
|
|
0:14:28
|
if the url string is over 512 Bytes
|
|
0:14:33
|
maybe there is some sort of
|
|
0:14:35
|
well known threshold that if you go above
|
|
0:14:37
|
it's going to cause some sort of buffer overflow on the actual web server
|
|
0:14:41
|
so we could limit
|
|
0:14:43
|
the traffic based on that
|
|
0:14:45
|
Now in this particular case I am going to actually look at the string
|
|
0:14:48
|
which would then need to be called by the regular expression
|
|
0:14:54
|
Now depending on what particular direction you want this to occur in
|
|
0:14:57
|
it could either be
|
|
0:14:59
|
as I mentioned the request
|
|
0:15:02
|
it could be the response
|
|
0:15:05
|
but the thing is that, the
|
|
0:15:07
|
the request
|
|
0:15:09
|
are sometimes going to be different fields
|
|
0:15:11
|
than the response
|
|
0:15:14
|
so again you need to know at the actual application level how does http work
|
|
0:15:20
|
for most of these if you were to match both of them at the same time
|
|
0:15:24
|
if I were to say to match the request and the response
|
|
0:15:27
|
then its more likely that
|
|
0:15:29
|
maybe the match is going to be only the request or only the response
|
|
0:15:32
|
but I can generally catch it either way if I do it
|
|
0:15:35
|
with both of them
|
|
0:15:37
|
where specifically I am going to look in the header
|
|
0:15:40
|
and I want to look for
|
|
0:15:43
|
a particular regular expression
|
|
0:15:47
|
so we could see like we could say content type
|
|
0:15:51
|
where content type would be like your MIME types
|
|
0:15:55
|
maybe I don't want people to be able to use
|
|
0:15:57
|
MP3 files
|
|
0:15:59
|
or may be java files
|
|
0:16:04
|
but in this case I am going to call a regular expression that is just going to look for any ASCII string that is inside the actual web payload
|
|
0:16:12
|
Now we could see here the regular expression is then going to be called from a parameter map
|
|
0:16:17
|
so really it means before I actually configure this class map
|
|
0:16:21
|
and match the regular expression
|
|
0:16:23
|
I need to define what are the parameters
|
|
0:16:27
|
so similar as to before, where we did the http normalization
|
|
0:16:31
|
the parameter map
|
|
0:16:32
|
is now going to be type regex
|
|
0:16:36
|
as opposed to type inspect
|
|
0:16:39
|
and this would give it a name, I will say this is going to be our
|
|
0:16:42
|
denied
|
|
0:16:45
|
we will say denied urls
|
|
0:16:48
|
So these are the ones that I want to
|
|
0:16:49
|
limit that the client cannot get to
|
|
0:16:53
|
and now we are going to call the pattern
|
|
0:16:56
|
Now again the issue with this is that you would need to know
|
|
0:16:59
|
what's the exact regular expression syntax
|
|
0:17:02
|
in order to match the particular string that you want
|
|
0:17:06
|
Now the regex patterns are going to be case sensitive
|
|
0:17:11
|
So we will see that if we did a match that says
|
|
0:17:13
|
something like
|
|
0:17:15
|
abc.com
|
|
0:17:17
|
generally this is not going to be enough
|
|
0:17:20
|
because
|
|
0:17:21
|
for one thing if
|
|
0:17:24
|
the user was going to
|
|
0:17:26
|
www.abc.com
|
|
0:17:29
|
this is not the same string as just abc.com
|
|
0:17:33
|
or if they were going to aBc.com
|
|
0:17:37
|
likewise thats not going to match
|
|
0:17:40
|
So a lot of times you have to be
|
|
0:17:41
|
very, very granular in the matches
|
|
0:17:44
|
that the regular expressions are using
|
|
0:17:46
|
we saw this before on the ASAs
|
|
0:17:49
|
one thing you can do on the ASAs is to look at the
|
|
0:17:53
|
the show run all regex
|
|
0:17:57
|
and it will give you an idea of how some of the syntax works
|
|
0:18:01
|
like for this one here it says
|
|
0:18:03
|
for the msn messenger regex
|
|
0:18:07
|
its looking for the case insensitive string
|
|
0:18:10
|
application/
|
|
0:18:14
|
x-msn-messenger
|
|
0:18:18
|
where inside of these
|
|
0:18:20
|
these brackets were saying, its either uppercase 'A' or a lowercase 'a'
|
|
0:18:25
|
then this one here
|
|
0:18:27
|
is saying its either a
|
|
0:18:29
|
/ [forward slash] or a \ [back slash]
|
|
0:18:33
|
where the \ [back slash] is the escape sequence
|
|
0:18:35
|
for the regular expression
|
|
0:18:37
|
So \\ [two backslashes] together is actually saying
|
|
0:18:40
|
escape then the literal character \ [backslash]
|
|
0:18:44
|
So its saying
|
|
0:18:46
|
/ [forward slash] or \ [backslash]
|
|
0:18:49
|
where in router3's case
|
|
0:18:51
|
probably just saying the pattern is 'abc.com' is not really going to be what we would want
|
|
0:18:56
|
it would need to be
|
|
0:18:57
|
something a little bit more complex where we could say
|
|
0:19:02
|
I want to look for
|
|
0:19:04
|
lets say anything before
|
|
0:19:06
|
abc.com
|
|
0:19:08
|
where . [dot] is any character
|
|
0:19:10
|
* [asterisk] is
|
|
0:19:12
|
zero or more instances
|
|
0:19:15
|
so .* is going to be anything
|
|
0:19:17
|
then there is going to be an actual . [dot]
|
|
0:19:20
|
so I would need to escape this with a \ [backslash]
|
|
0:19:22
|
\. [backslash dot]
|
|
0:19:24
|
abc
|
|
0:19:26
|
escape the other dot
|
|
0:19:28
|
\. [backslash dot] com
|
|
0:19:31
|
So essentially what this should match is that
|
|
0:19:34
|
you have
|
|
0:19:35
|
anything that ends with
|
|
0:19:37
|
.abc.com
|
|
0:19:39
|
but again this is going to be case sensitive, so right now it's only matching the
|
|
0:19:43
|
the lower case strings
|
|
0:19:49
|
So now I have the parameters, next thing I am going to do is to go back to the class
|
|
0:19:53
|
the class says to match the
|
|
0:19:55
|
either the request or the response
|
|
0:19:58
|
so I don't care what direction it's going in
|
|
0:20:01
|
but in the header
|
|
0:20:02
|
if you see the regular expression that is
|
|
0:20:07
|
the denied urls
|
|
0:20:10
|
then the class match is true
|
|
0:20:16
|
Now I don't define what I am actually going to do with the traffic here
|
|
0:20:19
|
that's going to be defined separately with the policy map
|
|
0:20:23
|
but here I am just saying, I now know what the traffic is, it's an http packet that is matching this specific string in the payload
|
|
0:20:31
|
Next thing I would need to do is to actually define the policy map
|
|
0:20:36
|
or I will say the policy map is type inspect
|
|
0:20:38
|
but the difference now, is that this is a specific
|
|
0:20:41
|
http inspection policy
|
|
0:20:45
|
I will say that this is the http
|
|
0:20:48
|
application policy
|
|
0:20:51
|
where the http application policy is calling
|
|
0:20:54
|
the class that is type inspect
|
|
0:20:57
|
that is the
|
|
0:20:59
|
an http class specifically
|
|
0:21:03
|
and it is the http
|
|
0:21:05
|
application class
|
|
0:21:09
|
Now the idea behind this is that I could have separate
|
|
0:21:12
|
classes inside the policy
|
|
0:21:14
|
or maybe I am doing
|
|
0:21:16
|
one inspection for one server
|
|
0:21:19
|
separately then an inspection to a different server
|
|
0:21:22
|
or maybe I am logging
|
|
0:21:24
|
the urls that are going to abc.com
|
|
0:21:27
|
but I am not logging the other ones
|
|
0:21:29
|
again the key is that it's just making the configuration more modular
|
|
0:21:35
|
So now I am saying if you get to the point where
|
|
0:21:38
|
its web traffic going to the server
|
|
0:21:41
|
and it has abc.com
|
|
0:21:43
|
somewhere in the
|
|
0:21:45
|
the header
|
|
0:21:46
|
what do I actually want to do with it
|
|
0:21:47
|
do I want to allow the packet
|
|
0:21:49
|
do I want to generate a log message
|
|
0:21:52
|
or do I additionally want to
|
|
0:21:55
|
to reset the connection, which is basically going to deny
|
|
0:21:59
|
but I will say both of these at the same time, I want to log the packets and I want to reset them
|
|
0:22:07
|
Now the last step if we look at the show run
|
|
0:22:11
|
show run section class map
|
|
0:22:13
|
or policy map
|
|
0:22:19
|
I now have my application
|
|
0:22:21
|
level class
|
|
0:22:24
|
which is
|
|
0:22:26
|
this one here, the application class
|
|
0:22:29
|
that says match the regular expressions denied urls
|
|
0:22:33
|
then this is referenced from the application policy
|
|
0:22:39
|
says if those urls are matched
|
|
0:22:42
|
I am going to log the traffic and reset it
|
|
0:22:45
|
but right now this is not actually applied anywhere
|
|
0:22:47
|
so now I need to take the http application policy
|
|
0:22:50
|
and call it from
|
|
0:22:52
|
my outside to inside policy
|
|
0:22:55
|
where the regular inspection is occurring on
|
|
0:22:58
|
the http server traffic
|
|
0:23:02
|
So inside this class
|
|
0:23:04
|
http server class
|
|
0:23:07
|
I now need to say
|
|
0:23:09
|
look at the service policy
|
|
0:23:11
|
that is for http
|
|
0:23:15
|
and its the http application policy
|
|
0:23:19
|
so this is where we were doing the deep packet inspection or the dpi
|
|
0:23:28
|
Now the url filter here
|
|
0:23:30
|
this would be
|
|
0:23:32
|
used if we were using an outside url filtering service
|
|
0:23:36
|
like a Websense server for example
|
|
0:23:38
|
but in this case we are just doing the actual application match locally with a regular expression
|
|
0:23:46
|
hey, so now let's actually test this out, let's go to the web client
|
|
0:23:50
|
and let's open up this new again
|
|
0:23:53
|
in either case I should still be able to ping abc.com
|
|
0:23:58
|
or ping xyz.com
|
|
0:24:01
|
So we could see this is not limiting the ICMP
|
|
0:24:04
|
it's also not limiting the actual DNS request
|
|
0:24:08
|
what should happen now
|
|
0:24:10
|
is that I should still be able to get to
|
|
0:24:13
|
xyz.com
|
|
0:24:16
|
which I can
|
|
0:24:21
|
but if our url string
|
|
0:24:23
|
match was correct
|
|
0:24:25
|
I should not be able to get to abc.com
|
|
0:24:29
|
which we can see we can't
|
|
0:24:31
|
now also notice that the page did not hang there while it was waiting for the connection
|
|
0:24:36
|
that's because router3 is generating the reset
|
|
0:24:40
|
and we could see that log message that occurred, it says in the header
|
|
0:24:44
|
this regex was matched
|
|
0:24:47
|
so we are resetting the connection
|
|
0:24:52
|
if we were to change this to say aB.c
|
|
0:25:00
|
and sometimes this is going to depend on the actual web client
|
|
0:25:03
|
I am not sure if this particular version of
|
|
0:25:08
|
internet explorer would allow to do this
|
|
0:25:10
|
but if we could send the case sensitive string
|
|
0:25:14
|
then
|
|
0:25:17
|
we would not be able to
|
|
0:25:19
|
catch that with the policy
|
|
0:25:21
|
So we could see here when I entered
|
|
0:25:23
|
case sensitive abc.com
|
|
0:25:26
|
it's automatically normalizing it to lower case
|
|
0:25:32
|
which means that router3 is matching that
|
|
0:25:35
|
Now if I were to go to some of the sub urls, let's say www1.abc.com
|
|
0:25:48
|
let's try this again here
|
|
0:25:53
|
and what I would then need to do is on router4
|
|
0:25:56
|
let's put a dns entry for this www1.abc.com
|
|
0:26:10
|
and I will ping www1.abc.com
|
|
0:26:14
|
we could see the resolution is correct
|
|
0:26:16
|
if I now actually go to open it
|
|
0:26:19
|
likewise this is denied
|
|
0:26:24
|
because the way the regular expression is matched
|
|
0:26:27
|
is I am saying look for
|
|
0:26:29
|
any string that is occurring before
|
|
0:26:32
|
the .abc.com
|
|
0:26:35
|
which is what the .* is allowing us to do
|