Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Configuring the Content Security and Control Application on the CSC SSM

This chapter describes how to configure the Content Security and Control (CSC) application that is installed in a CSC SSM in the adaptive security appliance.

The chapter includes the following sections:

Information About the CSC SSM

Licensing Requirements for the CSC SSM

Prerequisites for the CSC SSM

Guidelines and Limitations

Default Settings

Configuring the CSC SSM

Monitoring the CSC SSM

Where to Go Next

Additional References

Feature History for the CSC SSM

Information About the CSC SSM


Note The ASA 5580 does not support the CSC SSM feature.


The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the FTP, HTTP, POP3, and SMTP packets that you configure the adaptive security appliance to send to it.

For more information about the CSC SSM, see the following URL:

http://www.cisco.com/en/US/products/ps6823/index.html

Figure 56-1 shows the flow of traffic through an adaptive security appliance that has the following:

A CSC SSM installed and configured.

A service policy that determines what traffic is diverted to the CSC SSM for scanning.

In this example, the client could be a network user who is accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server. SMTP scans differ in that you should configure the adaptive security appliance to scan traffic sent from the outside to SMTP servers protected by the adaptive security appliance.

Figure 56-1 Flow of Scanned Traffic with CSC SSM

You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM. The CSC SSM GUI appears in a separate web browser window. To access the CSC SSM, you must enter the CSC SSM password. To use the CSC SSM GUI, see the Cisco Content Security and Control (CSC) SSM Administrator Guide.


Note ASDM and the CSC SSM maintain separate passwords. You can configure their passwords to be identical; however, changing one of these two passwords does not affect the other password.


The connection between the host running ASDM and the adaptive security appliance is made through a management port on the adaptive security appliance. The connection to the CSC SSM GUI is made through the SSM management port. Because these two connections are required to manage the CSC SSM, any host running ASDM must be able to reach the IP address of both the adaptive security appliance management port and the SSM management port.

Figure 56-2 shows an adaptive security appliance with a CSC SSM that is connected to a dedicated management network. While use of a dedicated management network is not required, we recommend it. In this configuration, the following items are of particular interest:

An HTTP proxy server is connected to the inside network and to the management network. This HTTP proxy server enables the CSC SSM to contact the Trend Micro Systems update server.

The management port of the adaptive security appliance is connected to the management network. To allow management of the adaptive security appliance and the CSC SSM, hosts running ASDM must be connected to the management network.

The management network includes an SMTP server for e-mail notifications for the CSC SSM and a syslog server to which the CSC SSM can send syslog messages.

Figure 56-2 CSC SSM Deployment with a Management Network

Determining What Traffic to Scan

The CSC SSM can scan FTP, HTTP, POP3, and SMTP traffic only when the destination port of the packet requesting the connection is the well-known port for the specified protocol. The CSC SSM can scan only the following connections:

FTP connections opened to TCP port 21.

HTTP connections opened to TCP port 80.

POP3 connections opened to TCP port 110.

SMTP connections opened to TCP port 25.

You can choose to scan traffic for all of these protocols or any combination of them. For example, if you do not allow network users to receive POP3 e-mail, do not configure the adaptive security appliance to divert POP3 traffic to the CSC SSM. Instead, block this traffic.

To maximize performance of the adaptive security appliance and the CSC SSM, divert only the traffic to the CSC SSM that you want the CSC SSM to scan. Diverting traffic that you do not want scanned, such as traffic between a trusted source and destination, can adversely affect network performance.


Note When traffic is first classified for CSC inspection, it is flow-based. If traffic is part of a pre-existing connection, the traffic goes directly to the service policy set for that connection.


You can apply service policies that include CSC scanning globally or to specific interfaces; therefore, you can choose to enable CSC scans globally or for specific interfaces. For more information, see the "Determining Service Policy Rule Actions for CSC Scanning" section.

Based on the configuration shown in Figure 56-3, configure the adaptive security appliance to divert to the CSC SSM only requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network, and incoming SMTP connections from outside hosts to the mail server on the DMZ network. Exclude from scanning HTTP requests from the inside network to the web server on the DMZ network.

Figure 56-3 Common Network Configuration for CSC SSM Scanning

There are many ways you could configure the adaptive security appliance to identify the traffic that you want to scan. One approach is to define two service policies: one on the inside interface and the other on the outside interface, each with access lists that match traffic to be scanned.

Figure 56-4 shows service policy rules that select only the traffic that the adaptive security appliance should scan.

Figure 56-4 Optimized Traffic Selection for CSC Scans

In the inside-policy, the first class, inside-class1, ensures that the adaptive security appliance does not scan HTTP traffic between the inside network and the DMZ network. The Match column indicates this setting by displaying the "Do not match" icon. This setting does not mean the adaptive security appliance blocks traffic sent from the 192.168.10.0 network to TCP port 80 on the 192.168.20.0 network. Instead, this setting exempts the traffic from being matched by the service policy applied to the inside interface, which prevents the adaptive security appliance from sending the traffic to the CSC SSM.

The second class of the inside-policy, inside-class, matches FTP, HTTP, and POP3 traffic between the inside network and any destination. HTTP connections to the DMZ network are exempted because of the inside-class1 setting. As previously mentioned, policies that apply CSC scanning to a specific interface affect both incoming and outgoing traffic, but by specifying 192.168.10.0 as the source network, inside-class1 matches only connections initiated by the hosts on the inside network.

In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network. This setting protects the SMTP server and inside users who download e-mail from the SMTP server on the DMZ network, without having to scan connections from SMTP clients to the server.

If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you can add a rule to the outside policy that matches HTTP traffic from any source to the DMZ network. Because the policy is applied to the outside interface, the rule would only match connections from HTTP clients outside the adaptive security appliance.
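The following is an added example and is not part of the Cisco guide: the ASA CLI configuration that corresponds to the service policy rules in Figure 56-4, built from the two rules above (only the well-known ports 21, 80, 110, and 25 are scannable, so the access lists select exactly those; inside-originated HTTP, FTP, and POP3 are scanned except HTTP to the DMZ, and only inbound SMTP to the DMZ is scanned on the outside interface). It assumes /24 netmasks for the 192.168.10.0 inside and 192.168.20.0 DMZ networks (the guide gives only the network numbers), interface names inside and outside, and the policy names inside-policy and outside-policy from the figure; the access list and class-map names are my own. ASDM expresses a "Do not match" rule as a deny entry in the class's access list, so the exemption appears here as a deny ACE rather than as a separate class.

```cisco
! Added example, not from the Cisco guide. Assumed: /24 masks, interface
! names "inside" and "outside"; access-list and class-map names are invented.

! Inside interface: scan HTTP, FTP and POP3 initiated by inside hosts, but
! exempt HTTP to the DMZ web server. A deny ACE in a class-map access list
! means "do not match" (traffic is not diverted to the CSC SSM); it does not
! block the traffic, which is still permitted by the interface access rules.
access-list csc_inside extended deny   tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq www
access-list csc_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list csc_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-list csc_inside extended permit tcp 192.168.10.0 255.255.255.0 any eq pop3
!
class-map csc_inside_class
 match access-list csc_inside
!
policy-map inside-policy
 class csc_inside_class
  csc fail-close
!
service-policy inside-policy interface inside

! Outside interface: scan only SMTP from any outside source to the DMZ
! mail server. Because the policy is bound to the outside interface, it
! matches only connections initiated from outside.
access-list csc_outside extended permit tcp any 192.168.20.0 255.255.255.0 eq smtp
!
class-map csc_outside_class
 match access-list csc_outside
!
policy-map outside-policy
 class csc_outside_class
  csc fail-close
!
service-policy outside-policy interface outside
```

The csc fail-close keyword is the CLI counterpart of the Close traffic choice on the CSC Scan tab (csc fail-open corresponds to Permit traffic). For inbound SMTP to the DMZ, fail-close is the safer choice: if the module becomes unavailable, mail is held at the firewall rather than passed unscanned. After applying the configuration, show service-policy interface inside (and interface outside) reports per-class packet counts, which confirms that the exempted inside-to-DMZ HTTP flows are not being counted against the CSC class.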

Licensing Requirements for the CSC SSM

The following table shows the licensing requirements for this feature:

Model      License Requirement
ASA 5505   No support.
ASA 5510   Security Plus License: 2 contexts. Optional license: 5 contexts.
ASA 5520   Base License: 2 contexts. Optional licenses: 5, 10, or 20 contexts.
ASA 5540   Base License: 2 contexts. Optional licenses: 5, 10, 20, or 50 contexts.

For the ASA 5510, 5520, and 5540:

With a Base License, the features enabled by default are SMTP virus scanning, POP3 virus scanning and content filtering, webmail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates.

With a Security Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering.


Prerequisites for the CSC SSM

The CSC SSM has the following prerequisites:

A CSC SSM card must be installed in the adaptive security appliance.

A Product Authorization Key (PAK) for use in registering the CSC SSM.

Activation keys that you receive by e-mail after you register the CSC SSM.

The management port of the CSC SSM must be connected to your network to allow management and automatic updates of the CSC SSM software.

The CSC SSM management port IP address must be accessible by the hosts used to run ASDM.

You must obtain the following information to use in configuring the CSC SSM:

The CSC SSM management port IP address, netmask, and gateway IP address.

DNS server IP address.

HTTP proxy server IP address (needed only if your security policies require the use of a proxy server for HTTP access to the Internet).

Domain name and hostname for the CSC SSM.

An e-mail address and an SMTP server IP address and port number for e-mail notifications.

IP addresses of hosts or networks that are allowed to manage the CSC SSM. The IP addresses for the CSC SSM management port and the adaptive security appliance management interface can be in different subnets.

Password for the CSC SSM.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context modes.

Firewall Mode Guidelines

Supported in routed and transparent modes.

Failover Guidelines

Does not support sessions in Stateful Failover. The CSC SSM does not maintain connection information, and therefore cannot provide the failover unit with the required information. The connections that a CSC SSM is scanning are dropped when the adaptive security appliance in which the CSC SSM is installed fails. When the standby adaptive security appliance becomes active, it forwards the scanned traffic to the CSC SSM and the connections are reset.

IPv6 Guidelines

Does not support IPv6.

Model Guidelines

Supported on the ASA 5510, ASA 5520, and ASA 5540 only.

Default Settings

Table 56-1 lists the default settings for the CSC SSM.

Table 56-1 Default CSC SSM Parameters 

Parameter                                                         Default
FTP inspection on the adaptive security appliance                 Enabled
All features included in the license(s) that you have purchased   Enabled


Configuring the CSC SSM

This section describes how to configure the CSC SSM and includes the following topics:

Before Configuring the CSC SSM

Connecting to the CSC SSM

Before Configuring the CSC SSM

Before configuring the adaptive security appliance and the CSC SSM, perform the following steps:


Step 1 If the CSC SSM did not come preinstalled in a Cisco ASA 5500 series adaptive security appliance, install it and connect a network cable to the management port of the SSM. For assistance with installation and connecting the SSM, see the Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide.

The management port of the CSC SSM must be connected to your network to allow management of and automatic updates to the CSC SSM software. Additionally, the CSC SSM uses the management port for e-mail notifications and syslog messages.

Step 2 You should have received a Product Authorization Key (PAK) with the CSC SSM. Use the PAK to register the CSC SSM at the following URL.

http://www.cisco.com/go/license

After you register, you receive activation keys by e-mail. The activation keys are required before you can complete Step 6.

Step 3 Obtain the following information for use in Step 6:

Activation keys

CSC SSM management port IP address, netmask, and gateway IP address

DNS server IP address

HTTP proxy server IP address (needed only if your security policies require the use of a proxy server for HTTP access to the Internet)

Domain name and hostname for the CSC SSM

An e-mail address, and SMTP server IP address and port number for e-mail notifications

IP addresses of hosts or networks that are allowed to manage the CSC SSM

Password for the CSC SSM

Step 4 In a web browser, access ASDM for the adaptive security appliance in which the CSC SSM is installed.


Note If you are accessing ASDM for the first time, see the "Additional References" section.


For more information about enabling ASDM access, see the "Configuring Device Access for ASDM, Telnet, or SSH" section.

Step 5 Verify time settings on the adaptive security appliance. Time setting accuracy is important for logging of security events and for automatic updates of CSC SSM software. Do one of the following:

If you manually control time settings, verify the clock settings, including time zone. Choose Configuration > Properties > Device Administration > Clock.

If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device Administration > NTP.

Step 6 Open ASDM.

Step 7 Connect to and log in to the CSC SSM. For instructions, see the "Connecting to the CSC SSM" section.

Step 8 Run the CSC Setup Wizard.

To access the CSC Setup Wizard, choose Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup > Launch Setup Wizard.

If you are rerunning the CSC Setup Wizard, perform the same steps listed in the previous bullet.

The CSC Setup Wizard appears.

Step 9 Complete the CSC Setup Wizard, which includes configuration of service policies to divert traffic that you want scanned to the CSC SSM.


Note If you create a global service policy to divert traffic for CSC scans, all traffic (inbound and outbound) for the supported protocols is scanned. To maximize performance of the adaptive security appliance and the CSC SSM, scan traffic only from untrusted sources.


Step 10 To reduce the load on the CSC SSM, configure the service policy rules that send packets to the CSC SSM to support only HTTP, SMTP, POP3, or FTP traffic. For instructions, see the "Determining Service Policy Rule Actions for CSC Scanning" section.

Step 11 (Optional) Review the default content security policies in the CSC SSM GUI, which are suitable for most implementations. You review the content security policies by viewing the enabled features in the CSC SSM GUI. For the availability of features, see the "Licensing Requirements for the CSC SSM" section. For the default settings, see the "Default Settings" section.


What to Do Next

See the "Connecting to the CSC SSM" section.

Connecting to the CSC SSM

With each session you start in ASDM, the first time you access features related to the CSC SSM, you must specify the management IP address and provide the password for the CSC SSM. After you successfully connect to the CSC SSM, you are not prompted again for the management IP address and password. If you start a new ASDM session, the connection to the CSC SSM is reset and you must specify the IP address and the CSC SSM password again. The connection to the CSC SSM is also reset if you change the time zone on the adaptive security appliance.


Note The CSC SSM has a password that is maintained separately from the ASDM password. You can configure the two passwords to be identical, but changing the CSC SSM password does not affect the ASDM password.


To connect to the CSC SSM, perform the following steps:


Step 1 In the ASDM main application window, click the Content Security tab.

Step 2 In the Connecting to CSC dialog box, click one of the following radio buttons:

To connect to the IP address of the management port on the SSM, click Management IP Address. ASDM automatically detects the IP address for the SSM in the adaptive security appliance. If this detection fails, you can specify the management IP address manually.

To connect to an alternate IP address or hostname on the SSM, click Other IP Address or Hostname.

Step 3 Enter the port number in the Port field, and then click Continue.

Step 4 In the CSC Password field, type your CSC password, and then click OK.


Note If you have not completed the CSC Setup Wizard (choose Configuration > Trend Micro Content Security > CSC Setup > Wizard Setup), complete the configuration in the CSC Setup Wizard, which includes changing the default password, "cisco."

For ten minutes after you have entered the password, you do not need to reenter the CSC SSM password to access other parts of the CSC SSM GUI.


Step 5 To access the CSC SSM GUI, choose Configuration > Trend Micro Content Security, and then click one of the following tabs: Web, Mail, File Transfer, or Updates.


What to Do Next

See the "Determining Service Policy Rule Actions for CSC Scanning" section.

Determining Service Policy Rule Actions for CSC Scanning

The CSC SSM scans only HTTP, SMTP, POP3, and FTP traffic. If your service policy includes traffic that supports other protocols in addition to these four, packets for other protocols are passed through the CSC SSM without being scanned. You should configure the service policy rules that send packets to the CSC SSM to support only HTTP, SMTP, POP3, or FTP traffic.

The CSC Scan tab in the Add Service Policy Rule Wizard lets you determine whether or not the CSC SSM scans traffic identified by the current traffic class. This tab appears only if a CSC SSM is installed in the adaptive security appliance.

To configure service policy rules for CSC scanning, perform the following steps:


Step 1 In the ASDM main application window, choose Configuration > Firewall > Service Policy Rules.

Step 2 On the toolbar, click Add.

The Add Service Policy Rule Wizard screen appears.

Step 3 Click the Global - applies to all interfaces option, and then click Next.

The Traffic Classification Criteria screen appears.

Step 4 Click the Create a new traffic class option, type a name for the traffic class in the adjacent field, check the Any traffic check box, and then click Next.

The Rule Actions screen appears.

Step 5 Click the CSC Scan tab, and then check the Enable CSC scan for this traffic flow check box.

Step 6 When the Enable CSC scan for this traffic flow check box is checked, the other parameters on this tab become active. The area labeled If CSC card fails, then determines whether the adaptive security appliance permits or denies the selected traffic when the CSC SSM is unavailable.

Step 7 In the If CSC card fails area, if the CSC SSM becomes inoperable, choose one of the following actions:

To allow traffic, check the Permit traffic check box.

To block traffic, check the Close traffic check box.

Step 8 Click Finish.

The new service policy rule appears in the Service Policy Rules pane.

Step 9 Click Apply.

The adaptive security appliance begins diverting traffic to the CSC SSM, which performs the content security scans that have been enabled according to the license that you purchased.


What to Do Next

See the "Monitoring the CSC SSM" section.

Monitoring the CSC SSM

ASDM lets you monitor the CSC SSM statistics as well as CSC SSM-related features.


Note If you have not completed the CSC Setup Wizard in Configuration > Trend Micro Content Security > CSC Setup, you cannot access the panes under Monitoring > Trend Micro Content Security. Instead, a dialog box appears and lets you access the CSC Setup Wizard directly from Monitoring > Trend Micro Content Security.


This section includes the following topics:

Threats

Live Security Events

Live Security Events Log

Software Updates

Resource Graphs

Threats

To view information about various types of threats detected by the CSC SSM in a graph, perform the following steps:


Step 1 Choose Monitoring > Trend Micro Content Security > Threats.

The Available Graphs area lists the components whose statistics you can view in a graph. You can include a maximum of four graphs in one frame. The graphs display real-time data in 12-second intervals for the following:

Viruses detected

URLs filtered, URLs blocked

Spam detected

Files blocked

Spyware blocked

Damage Cleanup Services

Step 2 The Graph Window Title lists the types of statistics available for monitoring. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time. The statistics already included in the graph window appear in the Selected Graphs list.

Step 3 To move the selected statistics type in the Available Graphs For list to the Selected Graphs list, click Add.

Step 4 To remove the selected statistics type from the Selected Graphs list, click Remove. The button name changes to Delete if the item you are removing was added from another pane, and is not being returned to the Available Graphs pane.

Step 5 To display a new window that shows a Graph tab and an updated graph with the selected statistics, click Show Graphs. Click the Table tab to display the same information in tabular form.

Step 6 From the Graph or Table tab, click Export in the menu bar or choose File > Export to save the graph or tabular information as a file on your local PC.

Step 7 From the Graph or Table tab, click Print in the menu bar or choose File > Print to print the information displayed in the window.


What to Do Next

See the "Live Security Events" section.

Live Security Events

To view live, real-time security events in a separate window, perform the following steps:


Step 1 Choose Monitoring > Trend Micro Content Security > Live Security Events.

The Buffer Limit field shows the maximum number of log messages that you may view. The default is 1000.

Step 2 Click View to display the Live Security Events Log dialog box. You can pause incoming messages, clear the message window, and save event messages. You can also search messages for specific text.


What to Do Next

See the "Live Security Events Log" section.

Live Security Events Log

To view live security events messages that are received from the CSC SSM, perform the following steps:


Step 1 To filter security event messages, choose one of the following from the Filter By drop-down list:

Filter by Text, type the text, then click Filter.

Show All, to display all messages or remove the filter.

Step 2 Read the event details in the Latest CSC Security Events pane, in which all columns are display-only. The columns show the following:

The time an event occurred.

The IP address or hostname from which the threat came.

The type of threat, or the security policy that determines event handling, or in the case of a URL filtering event, the filter that triggered the event.

The subject of e-mails that include a threat, or the names of FTP files that include a threat, or blocked or filtered URLs.

The recipient of e-mails that include a threat, or the IP address or hostname of a threatened node, or the IP address of a threatened client.

The type of event (such as Web, Mail, or FTP), or the name of a user or group for HTTP or FTP events, which include a threat.

The action taken upon the content of a message, such as cleaning attachments or deleting attachments.

The action taken on a message, such as delivering it unchanged, delivering it after deleting the attachments, or delivering it after cleaning the attachments.

Step 3 To search security event messages for text that you enter, do the following:

In the Text field, enter the text to search for in the security event messages log, then click Find Messages.

To find the next entry that matches the text you typed in this field, click Find.

Step 4 To pause scrolling of the Latest CSC Security Events pane, click Pause. To resume scrolling of the Latest CSC Security Events pane, click Resume.

Step 5 To save the log to a file on your PC, click Save.

Step 6 To clear the list of messages shown, click Clear Display.

Step 7 To close the pane and return to the previous one, click Close.


What to Do Next

See the "Software Updates" section.

Software Updates

To view information about CSC SSM software updates, choose Monitoring > Trend Micro Content Security > Software Updates.

The Software Updates pane displays the following information, which is refreshed automatically about every 12 seconds:

The names of parts of the CSC SSM software that can be updated.

The current version of the corresponding component.

The date and time that the corresponding component was last updated. If the component has not been updated since the CSC SSM software was installed, "None" appears in this column.

The date and time that ASDM last received information about CSC SSM software updates.

What to Do Next

See the "CSC CPU" section.

Resource Graphs

The adaptive security appliance lets you monitor CSC SSM status, including CPU resources and memory usage. This section includes the following topics:

CSC CPU

CSC Memory

CSC CPU

To view CPU usage by the CSC SSM in a graph, perform the following steps:


Step 1 Choose Monitoring > Trend Micro Content Security > Resource Graphs > CSC CPU.

The CSC CPU pane displays the components whose statistics you can view in a graph, including statistics for CPU usage on the CSC SSM.

Step 2 To continue, go to Step 2 of the "Threats" section.


What to Do Next

See the "CSC Memory" section.

CSC Memory

To view information about memory usage on the CSC SSM in a graph, perform the following steps:


Step 1 Choose Monitoring > Trend Micro Content Security > Resource Graphs > CSC Memory.

The Available Graphs area lists the components whose statistics you can view in a graph, including the following:

The amount of memory not in use.

The amount of memory in use.

Step 2 To continue, go to Step 2 of the "Threats" section.


Where to Go Next

For instructions on how to use the CSC SSM GUI, see the Cisco Content Security and Control (CSC) SSM Administrator Guide.

Additional References

For additional information related to implementing the CSC SSM, see the following documents:

Related Topic: Assistance with SSM hardware installation and connection to the adaptive security appliance.
Document Title: Cisco ASA 5500 Series Hardware Installation Guide

Related Topic: Accessing ASDM for the first time and assistance with the Startup Wizard.
Document Title: Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide

Related Topic: Instructions on use of the CSC SSM GUI; additional licensing requirements of specific windows available in the CSC SSM GUI; reviewing the default content security policies in the CSC SSM GUI before modifying them or entering advanced configuration settings.
Document Title: Cisco Content Security and Control (CSC) SSM Administrator Guide

Related Topic: Technical Documentation, Marketing, and Support-related information.
Document Title: See the following URL: http://www.cisco.com/en/US/products/ps6823/index.html


Feature History for the CSC SSM

Table 56-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 56-2 Feature History for the CSC SSM 

Feature Name: CSC SSM
Platform Releases: 7.0(1)
Feature Information: The CSC SSM runs Content Security and Control software, which provides protection against viruses, spyware, spam, and other unwanted traffic. The CSC Setup Wizard enables you to configure the CSC SSM in ASDM. The following screen was introduced: Configuration > Trend Micro Content Security > CSC Setup.

Feature Name: CSC SSM
Platform Releases: 8.1(1) and 8.1(2)
Feature Information: This feature is not supported on the ASA 5580.

Feature Name: CSC syslog format
Platform Releases: 8.3(1)
Feature Information: CSC syslog format is consistent with the adaptive security appliance syslog format. Syslog message explanations have been added to the Cisco Content Security and Control (CSC) SSM Administrator Guide. The source and destination IP information has been added to the ASDM Log Viewer GUI. All syslog messages include predefined syslog priorities and cannot be configured through the CSC SSM GUI.

Feature Name: Clearing CSC events
Platform Releases: 6.3(2)
Feature Information: Support for clearing CSC events in the Latest CSC Security Events pane has been added. The following screen was modified: Home > Content Security.