Filter
Top Products
24-25
Cisco ASDM User Guide
OL-16647-01
Chapter 24 Configuring Application Layer Protocol Inspection
SNMP Inspection
With SMTP inspection enabled, a Telnet session used for interactive SMTP may hang if the following
rules are not observed: SMTP commands must be at least four characters in length; must be terminated
with carriage return and line feed; and must wait for a response before issuing the next reply.
An SMTP server responds to client requests with numeric reply codes and optional human-readable
strings. SMTP application inspection controls and reduces the commands that the user can use as well
as the messages that the server returns. SMTP inspection performs three primary tasks:
• Restricts SMTP requests to seven basic SMTP commands and eight extended commands.
• Monitors the SMTP command-response sequence.
• Generates an audit trail—Audit record 108002 is generated when invalid character embedded in the
mail address is replaced. For more information, see RFC 821.
SMTP inspection monitors the command and response sequence for the following anomalous signatures:
• Truncated commands.
• Incorrect command termination (not terminated with <CR><LR>).
• The MAIL and RCPT commands specify who are the sender and the receiver of the mail. Mail
addresses are scanned for strange characters. The pipeline character (|) is deleted (changed to a blank
space) and “<” ‚”>” are only allowed if they are used to define a mail address (“>” must be preceded
by “<”).
• Unexpected transition by the SMTP server.
• For unknown commands, the security appliance changes all the characters in the packet to X. In this
case, the server generates an error code to the client. Because of the change in the packed, the TCP
checksum has to be recalculated or adjusted.
• TCP stream editing.
• Command pipelining.
SNMP Inspection
SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier
versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your
security policy. The security appliance can deny SNMP versions 1, 2, 2c, or 3. You control the versions
permitted by creating an SNMP map.
SQL*Net Inspection
SQL*Net inspection is enabled by default.
The SQL*Net protocol consists of different packet types that the security appliance handles to make the
data stream appear consistent to the Oracle applications on either side of the security appliance.
The default port assignment for SQL*Net is 1521. This is the value used by Oracle for SQL*Net, but
this value does not agree with IANA port assignments for Structured Query Language (SQL). Use the
class-map command to apply SQL*Net inspection to a range of port numbers.
The security appliance translates all addresses and looks in the packets for all embedded ports to open
for SQL*Net Version 1.
For SQL*Net Version 2, all DATA or REDIRECT packets that immediately follow REDIRECT packets
with a zero data length will be fixed up.