Cisco FWSM -> ASA upgrade broke our mail server

Solution 1:

Are there UTF-8 characters in the 'real' version of that username (after decoding)? If the inspection has triggered on it, I'm guessing there's a reason that it's picked that specific line.

But maybe not; the inspection feature is more akin to the chaos monkey than an IPS. Personally, the only things the inspection features have really provided for me have been headaches (through overly aggressive sanitizing of perfectly valid traffic) and security vulnerabilities. From a quick search:

  • CVE-2011-0394 (reboot of the ASA from inspect skinny)
  • CVE-2012-2472 (CPU DoS from inspect sip)
  • CVE-2012-4660/4661/4662 (more reboots, you get the idea)

My recommendation is to not lose much sleep over needing to turn off aspects of the ASA's protocol inspection; the endpoint server applications (or a targeted security platform like a web application firewall) tend to do a much better job of enforcing protocol compliance anyway.
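
To check the first question above offline, the username can be decoded and scanned for non-ASCII or control bytes. This is an added example, not part of the original answer; it assumes the username in question is the base64 token of an SMTP AUTH LOGIN exchange, and the sample lines and function names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample: client side of an SMTP AUTH LOGIN exchange (not from the post).
SAMPLE_CLIENT_LINES = [
    "EHLO client.example.test",
    "AUTH LOGIN",
    base64.b64encode("j\u00f6rg@example.test".encode("utf-8")).decode("ascii"),
    base64.b64encode(b"not-a-real-password").decode("ascii"),
]

def find_login_username(client_lines):
    """Return the base64 username token of an AUTH LOGIN exchange, or None."""
    for i, line in enumerate(client_lines):
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() == "LOGIN":
            if len(parts) == 3:              # username sent as initial response
                return parts[2]
            if i + 1 < len(client_lines):    # username sent on the next line
                return client_lines[i + 1].strip()
    return None

def classify_token(token):
    """Decode one base64 token and report non-ASCII and control bytes in it."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"base64_ok": False}
    try:
        text, utf8_ok = raw.decode("utf-8"), True
    except UnicodeDecodeError:
        # Not valid UTF-8 (for example a legacy 8-bit charset); show bytes 1:1.
        text, utf8_ok = raw.decode("latin-1"), False
    return {
        "base64_ok": True,
        "utf8_ok": utf8_ok,
        "text": text,
        "non_ascii_offsets": [i for i, b in enumerate(raw) if b > 0x7F],
        "control_offsets": [i for i, b in enumerate(raw) if b < 0x20 or b == 0x7F],
    }

if __name__ == "__main__":
    token = find_login_username(SAMPLE_CLIENT_LINES)
    print(classify_token(token) if token else "no AUTH LOGIN exchange found")
```

Only the username token is decoded; the password line is never touched, so the script can be run against a capture without echoing credentials beyond the account name.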