Cisco ASA 5500 Series Getting Started Guide, Version 7.1
Configuring the CSC SSM


Configuring the CSC SSM


The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that is diverted to it by the adaptive security appliance.


Note The CSC SSM requires ASA software release 7.1.1 or later.


This chapter includes the following topics:

About the CSC SSM

About Deploying the Security Appliance with the CSC SSM

Scenario: Security Appliance with CSC SSM Deployed for Content Security

Configuring the CSC SSM for Content Security

About the CSC SSM

The CSC SSM maintains a file containing signature profiles of suspicious content, updated regularly from an update server at Trend Micro. The CSC SSM scans traffic it receives from the adaptive security appliance and compares it to the content profiles it obtains from Trend Micro. It then forwards legitimate content on to the adaptive security appliance for routing, or blocks and reports content that is suspicious.

In addition to obtaining content profiles from Trend Micro, system administrators can also customize the configuration so that the CSC SSM scans for additional traffic types or locations. For example, system administrators can configure the CSC SSM to block or filter specific URLs, as well as scan for FTP and email parameters.

You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM.

This chapter describes how to configure the adaptive security appliance for the deployment. Use of the CSC SSM GUI is explained in the Cisco Content Security and Control SSM Administrator Guide.

About Deploying the Security Appliance with the CSC SSM

In a network in which the adaptive security appliance is deployed with the CSC SSM, you configure the adaptive security appliance to send to the CSC SSM only the types of traffic that you want to be scanned.

Figure 10-1 illustrates the basic traffic flow between a company network, the adaptive security appliance and CSC SSM, and the Internet. The network illustrated in Figure 10-1 includes the following:

An adaptive security appliance with a CSC SSM installed and configured

A service policy on the adaptive security appliance specifies which traffic is diverted to the CSC SSM for scanning

Figure 10-1 CSC SSM Traffic Flow

In this example, clients could be network users who are accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server.

In this configuration, the traffic flow is as follows:

1. The client initiates a request.

2. The adaptive security appliance receives the request and forwards it to the Internet.

3. When the requested content is retrieved, the adaptive security appliance determines whether its service policies define this content type as one that should be diverted to the CSC SSM for scanning, and does so if appropriate.

4. The CSC SSM receives the content from the adaptive security appliance, scans it and compares it to its latest update of the Trend Micro content filters.

5. If the content is suspicious, the CSC SSM blocks the content and reports the event. If the content is not suspicious, the CSC SSM forwards the requested content back to the adaptive security appliance for routing.


Note SMTP traffic is handled somewhat differently than other content types. Instead of forwarding traffic it has scanned back to the adaptive security appliance for routing, the CSC SSM forwards SMTP traffic directly to SMTP servers protected by the adaptive security appliance.


Scenario: Security Appliance with CSC SSM Deployed for Content Security

Figure 10-2 is an illustration of a typical deployment of the adaptive security appliance with CSC SSM. Properties of this scenario are used as examples in the configuration procedures later in this chapter.

Figure 10-2 CSC SSM Deployment Scenario

In this scenario, the customer has deployed an adaptive security appliance with a CSC SSM for content security. Of particular interest are the following points:

The adaptive security appliance is on a dedicated management network. Although using a dedicated management network is not required, we recommend it for security purposes.

This adaptive security appliance configuration has two management ports: one for the adaptive security appliance itself, and another for the CSC SSM. All administration hosts must be able to access both IP addresses.

The HTTP proxy server is connected to both the inside network and the dedicated management network. This enables the CSC SSM to retrieve updated content security filters from the Trend Micro update server.

The management network includes an SMTP server so that administrators can be notified of CSC SSM events. The management network also includes a syslog server to store logs generated by the CSC SSM.

Configuration Requirements

When you plan the adaptive security appliance deployment, it is critical that the network adheres to the following requirements:

The SSM management port IP address must be accessible by the hosts used to run ASDM. However, the IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.

The SSM management port must be able to connect to the Internet so that the CSC SSM can reach the Trend Micro update server.

Configuring the CSC SSM for Content Security

If you ordered your adaptive security appliance with the optional CSC SSM module, there are several steps you need to perform to complete the initial configuration. Some configuration steps are performed on the adaptive security appliance, and some steps are performed in the software running on the CSC SSM.

If you followed the procedures in earlier chapters of this document, at this point you have an ASA system running with licensed software, and you have entered basic system values using the setup Wizard. Your next steps are to configure the adaptive security appliance for a content security deployment.

The basic steps are:

1. Obtain software activation key from Cisco.com.

2. Gather the information you need to configure the CSC SSM.

3. Obtain activation keys from cisco.com.

4. Open ASDM, which is used for all configuration tasks in this setup process.

5. Verify time settings.

6. Run the CSC setup wizard to configure the CSC SSM.

7. Configure the adaptive security appliance to divert traffic to the CSC SSM for scanning.

These steps are described in detail in the sections that follow.

Obtain Software Activation Key from Cisco.com

With the CSC SSM, you should have received a Product Authorization Key (PAK). Use the PAK to register the CSC SSM at the following URL:


After you register, you will receive activation keys by email. The activation keys are required before you can complete the procedure described in "Run the CSC Setup Wizard."

Gather Information

Before you start configuring the adaptive security appliance and the CSC SSM, gather the following information:

IP address and netmask for the CSC SSM management port, gateway IP address and netmask. (The adaptive security appliance IP address was assigned when you performed the Setup Wizard, described in Chapter 5, "Configuring the Adaptive Security Appliance.")


Note The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.


Hostname and domain name to be used for the CSC SSM

DNS Server IP address

HTTP proxy server IP address (if your network uses a proxy for HTTP access to the Internet)

Email address to be used for email notifications; IP address and port number of an SMTP server

IP addresses of hosts and networks to be allowed management access to the CSC SSM

Launch ASDM

You use ASDM to configure and manage the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM.

To launch ASDM, perform the following steps:


Step 1 On a PC that has access to the management ports for the adaptive security appliance and the CSC SSM, launch an Internet browser.

Step 2 In the address field of the browser, enter this URL: https://IP_address/

where IP_address is the IP address of the adaptive security appliance.


Note The adaptive security appliance ships with a default IP address of 192.168.1.1. Remember to add the "s" in "https" or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.


Step 3 In the dialog box that requires a username and password, leave both fields empty. Press Enter.

Step 4 Click Yes to accept the certificates. Click Yes for all subsequent authentication and certificate dialog boxes.

The ASDM Main window appears.


Verify Time Settings

Verify the accuracy of the adaptive security appliance time settings, including the time zone. Time accuracy is important for logging security events and for automatic updates of the content filter lists on the CSC SSM. It is also important for licensing, as licenses are time sensitive.

If you control time settings manually, verify the clock settings. In ASDM, click Configuration > Properties > Device Administration > Clock.

If you are using NTP to control time settings, verify the NTP configuration. In ASDM, click Configuration > Properties > Device Administration > NTP.

Run the CSC Setup Wizard


Step 1 In the main ASDM window, click the Configuration tab.

Step 2 In the left pane, click the Trend Micro Content Security tab.

The Wizard Setup screen appears.

Step 3 In Step 1 of the CSC Wizard, enter the Software Activation Codes for the Base License and, optionally, the activation code for the Plus License.

You can enter the activation code for the Plus license after the initial configuration of the CSC SSM.

Step 4 Click Next.

Step 5 In Step 2 of the CSC Wizard, enter the following information:

IP address, netmask and gateway IP address for the CSC Management interface

IP address for the Primary DNS server

IP address and proxy port of the HTTP proxy server (only if your network uses an HTTP proxy for sending HTTP requests to the Internet)

Step 6 Click Next.

Step 7 In Step 3 of the CSC Setup Wizard, enter the following information:

Hostname and Domain name of the CSC SSM.

Domain name used by the local mail server as the incoming domain.


Note Anti-SPAM policies are applied only to email traffic coming into this domain.


Administrator email address and the email server IP address and port to be used for notifications.

Step 8 Click Next.

Step 9 In Step 4 of the CSC Setup Wizard, enter the IP address and mask for each subnet and host that should have management access to the CSC SSM.

By default, all networks have management access to the CSC SSM. For security purposes, we recommend that you restrict access to specific subnets or management hosts.

Step 10 Click Next.

Step 11 In Step 5 of the CSC Setup Wizard, enter a new password for management access. Enter the factory default password, "cisco," in the Old Password field.

Step 12 Click Next.

Step 13 In Step 6 of the CSC Setup Wizard, review configuration settings you just entered for the CSC SSM.

If you are satisfied with these settings, click Finish.

ASDM shows a message indicating that the CSC device is now active.


Divert Traffic to the CSC SSM for Content Scanning

The adaptive security appliance diverts packets to the CSC SSM after firewall policies are applied but before the packets exit the egress interface. For example, packets that are blocked by an access list are not forwarded to the CSC SSM.

Configure service policies to specify which traffic the adaptive security appliance should divert to the CSC SSM. The CSC SSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well-known ports for those protocols.

To simplify the initial configuration process, this procedure creates a global service policy that diverts all traffic for the supported protocols to the CSC SSM, both inbound and outbound. Because scanning all traffic coming through the adaptive security appliance may reduce the performance of the adaptive security appliance and the CSC SSM, you may want to revise this security policy later. For example, it is not usually necessary to scan all traffic coming from your inside network because it is coming from a trusted source. By refining the service policies so that the CSC SSM scans only traffic from untrusted sources, you can achieve your security goals and maximize performance of the adaptive security appliance and the CSC SSM.

To create a global service policy that identifies traffic to be scanned, perform the following steps:


Step 1 In the main ASDM window, click the Configuration tab.

Step 2 Click Security Policies, and then click the Service Policy Rules radio button.

Step 3 Click Add.

The Add Service Policy Rule appears.

Step 4 In the Service Policy page, click the Global - applies to all interfaces radio button.

Step 5 Click Next. The Traffic Classification Criteria page appears.

Step 6 In the Traffic Classification Criteria page, click the Use class-default as the traffic class radio button.

Step 7 Click Next. The Add Service Policy Rule Wizard - Rule Actions page appears.

Step 8 In the Service Policy Rule Wizard, click the CSC Scan tab.

Step 9 On the CSC Scan tab page, check the Enable CSC scan for this traffic flow check box.

In the If CSC card fails, then area, choose whether the adaptive security appliance should permit or deny selected traffic if the CSC SSM is unavailable.

Step 10 Click Finish.

The new service policy appears in the Service Policy Rules pane.

Step 11 Click Apply.
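
The fail-open or fail-close choice in Step 9 and the advice to scan only untrusted sources can be checked in a saved configuration. The following is an added example, not part of the Cisco guide: it audits a constructed running-config excerpt in ASA CLI syntax (`policy-map`, `class`, `csc fail-open`/`csc fail-close`, `service-policy`). The policy, class and access-list names and the addresses are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt (not taken from the guide). The first
# policy mirrors the global class-default rule created in the procedure above;
# the second is a refined rule that scans only inbound SMTP and fails closed.
SAMPLE_CONFIG = """\
access-list csc_in extended permit tcp any host 192.0.2.25 eq smtp
class-map csc_inbound_class
 match access-list csc_in
policy-map global_policy
 class class-default
  csc fail-open
policy-map csc_in_policy
 class csc_inbound_class
  csc fail-close
service-policy global_policy global
service-policy csc_in_policy interface outside
"""

def audit_csc(config):
    """Return one finding per policy-map class that diverts traffic to the CSC SSM."""
    # Where each policy-map is applied: "global" or "interface <name>".
    scope = dict(re.findall(r"^service-policy (\S+) (global|interface \S+)",
                            config, re.M))
    findings, policy, cls = [], None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "policy-map":
            policy, cls = words[1], None
        elif not line.startswith(" "):
            policy = cls = None  # any other top-level command ends the block
        elif policy and words[0] == "class":
            cls = words[1]
        elif cls and words[0] == "csc" and len(words) > 1:
            flags = []
            if words[1] == "fail-open":
                flags.append("traffic passes unscanned while the CSC SSM is unavailable")
            if cls == "class-default":
                flags.append("all traffic is diverted; match only untrusted sources")
            findings.append({"policy": policy, "class": cls, "fail_mode": words[1],
                             "scope": scope.get(policy, "not applied"), "flags": flags})
    return findings

if __name__ == "__main__":
    for finding in audit_csc(SAMPLE_CONFIG):
        print(finding)
```
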


By default, the CSC SSM is configured to perform content security scans enabled by the license you purchased (which may include anti-virus, anti-spam, anti-phishing, and content filtering). It is also configured to get periodic updates from the Trend Micro update server.

If included in the license you purchased, you can create custom settings for URL blocking and URL filtering, as well as email and FTP parameters. For more information, see the Cisco Content Security and Control SSM Administrator Guide.

What to Do Next

You are now ready to configure the Trend Micro InterScan for Cisco CSC SSM software. Use the following documents to continue configuring the adaptive security appliance for your implementation.

| To Do This ... | See ... |
|---|---|
| Configure CSC SSM software, such as advanced security policies | Cisco Content Security and Control SSM Administrator Guide |
| Configure additional CSC SSM features in ASDM, including content filtering | ASDM online help (click the Configuration or Monitoring tab, then click the Trend Micro Content Security tab) |
| Optimize performance by creating more efficient service policies | "Managing AIP SSM and CSC SSM" in Cisco Security Appliance Command Line Configuration Guide |


After you have configured the CSC SSM software, you may want to consider performing some of the following additional steps:

| To Do This ... | See ... |
|---|---|
| Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide |
| Learn about daily operations | Cisco Security Appliance Command Reference; Cisco Security Appliance Logging Configuration and System Log Messages |
| Review hardware maintenance and troubleshooting information | Cisco ASA 5500 Series Hardware Installation Guide |


You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

| To Do This ... | See ... |
|---|---|
| Configure a remote-access VPN | Chapter 7, "Scenario: Remote-Access VPN Configuration" |
| Configure a site-to-site VPN | Chapter 8, "Scenario: Site-to-Site VPN Configuration" |
| Configure protection of a DMZ web server | Chapter 6, "Scenario: DMZ Configuration" |