  1. Senior Member mikearama's Avatar
    Join Date
    May 2007
    Location
    Oshawa, Ontario
    Posts
    757

    Certifications
    CCNP, CCSP, CISSP, MCSE
    #1

    Default CCNA: Sec class-map question

    Hey techies... from the CCNA Security Official Exam Cert Guide:

    Code:
    class-map type inspect match-any my-test-cmap
     match protocol http
     match protocol tcp

    "In this case, HTTP traffic must encounter the match protocol http statement first so that the traffic will be handled by the service-specific capabilities of HTTP inspection. What would happen if we reversed the "match" lines so that traffic encounters the match protocol tcp statement before it is compared to the match protocol http statement? If this were the case, the traffic would be classified as TCP traffic and would be inspected according to the capabilities of the TCP inspection component of the firewall. This would create a problem for certain services such as FTP and TFTP, as well as various multimedia and voice signaling services such as H.323, SIP, Skinny, RTSP, and others. It is important that additional inspection capabilities be used to recognize the more complex activities of these services."

    This I don't get. Where's the issue? So what if http traffic was first inspected by the TCP inspector, before getting deeper/better analysis by the http filter?

    Does the comment above suggest that since http is being inspected ALONG WITH ftp, tftp, skinny, etc, that they will interfere with each other? Looks like it, right?

    So if I truly wanted to inspect all tcp traffic, is match protocol tcp not sufficient? Or would I have to go with something like:

    match protocol FTP
    match protocol TFTP
    match protocol HTTP
    match protocol RTSP
    match protocol SMTP
    match protocol DNS

    before getting to put:

    match protocol TCP ??? (Dayum, I don't care for class-maps!)
  3. Senior Member
    Join Date
    Jan 2008
    Location
    Cincy, OH
    Posts
    750

    Certifications
    CCNP, CCNA, Linux+
    #2
    No, it means that if you have the match protocol tcp first, everything that is tcp will be classified the way you wanted only http to be classified. In other words they mean to treat it like an access-list. List the most specific first.

  4. Village Idiot dtlokee's Avatar
    Join Date
    Mar 2007
    Location
    NJ
    Posts
    2,389

    Certifications
    CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD
    #3
    Well, the inspection engine will handle a TCP packet differently than an HTTP packet. Although HTTP rides on top of TCP, there are additional parameters that you can apply with HTTP inspection (like URL filtering) that you can't do with simple TCP inspection.

  5. Senior Member mikearama's Avatar
    Join Date
    May 2007
    Location
    Oshawa, Ontario
    Posts
    757

    Certifications
    CCNP, CCSP, CISSP, MCSE
    #4
    Quote Originally Posted by scheistermeister:
        No, it means that if you have the match protocol tcp first, everything that is tcp will be classified the way you wanted only http to be classified. In other words they mean to treat it like an access-list. List the most specific first.

    Ah, I think I see. So you're suggesting that the match statements work like ACLs, where once there's a match, the processing stops. Gotcha.

    I read it differently... I thought that all the match statements were read from the top down, so even though HTTP traffic would get inspected by the TCP inspector, it would move down and be inspected by the HTTP inspector.

    Okay, I feel better about it now. Thanks guys.

  6. Junior Member
    Join Date
    Sep 2008
    Posts
    22

    Certifications
    Security+ CCNA Security
    #5
    It depends on whether you use the "any" keyword or the "all" keyword in the class-map statement. If you use "any" then there only needs to be one match anywhere in the map whereas with an "and" argument the packet must match all the criteria. The "any" is treated as an <or> operator and the "all" is treated as an <and> operator.

    Class maps simply identify traffic, whereas Policy maps state what should actually be done with it once identified.
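The first-match rule the replies describe (match-any stops at the first line a flow satisfies, so the most specific line must come first), modelled in Python as an added example that is not from the thread or from Cisco IOS. The port-to-protocol table and the match-all handling are constructed simplifications of the behaviour the posts discuss, not Cisco's real protocol recognition.

```python
# Added example (not from the thread): a small model of how a ZBF
# class-map evaluates its "match protocol" lines, to show why order
# matters. Assumptions: under match-any the first satisfied line wins;
# under match-all every line must be satisfied. APP_BY_PORT is a
# constructed stand-in for the firewall's application recognition.
from dataclasses import dataclass
from typing import List, Optional

# Constructed mapping of well-known TCP ports to "match protocol" names.
APP_BY_PORT = {80: "http", 21: "ftp", 25: "smtp", 554: "rtsp"}
TRANSPORTS = ("tcp", "udp")


@dataclass(frozen=True)
class Flow:
    transport: str   # "tcp" or "udp"
    dst_port: int

    def satisfies(self, protocol: str) -> bool:
        """True if this flow would hit 'match protocol <protocol>'."""
        if protocol in TRANSPORTS:
            return self.transport == protocol
        return self.transport == "tcp" and APP_BY_PORT.get(self.dst_port) == protocol


def classify(flow: Flow, match_lines: List[str], mode: str = "match-any") -> Optional[str]:
    """Return the inspection engine the class-map selects for the flow,
    or None if the class-map does not match it (it falls to class-default)."""
    if mode == "match-any":
        # First satisfied line wins; later, more specific lines are never reached,
        # which is why "match protocol tcp" before "match protocol http" sends
        # HTTP to the generic TCP inspector.
        for proto in match_lines:
            if flow.satisfies(proto):
                return proto
        return None
    if mode == "match-all":
        # Every line must hold; the most specific (application) line names the engine.
        if all(flow.satisfies(p) for p in match_lines):
            return next((p for p in match_lines if p not in TRANSPORTS), match_lines[0])
        return None
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample flows used below.
HTTP_FLOW = Flow("tcp", 80)
FTP_FLOW = Flow("tcp", 21)
OTHER_TCP_FLOW = Flow("tcp", 8443)
TFTP_FLOW = Flow("udp", 69)

if __name__ == "__main__":
    for lines in (["http", "tcp"], ["tcp", "http"], ["http", "ftp", "tcp"]):
        print(lines, [classify(f, lines) for f in (HTTP_FLOW, FTP_FLOW, OTHER_TCP_FLOW, TFTP_FLOW)])
```

Running it shows HTTP landing in the "http" engine only when that line precedes "tcp", and FTP landing in generic TCP inspection unless it has its own line above "tcp", which is the book's point about FTP and the other services.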