Configuring the CSC SSM
The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the FTP, HTTP, POP3, and SMTP traffic that the adaptive security appliance diverts to it.
Note: The CSC SSM requires the Cisco ASA 5500 series software Version 7.1(1) or later.
This chapter includes the following sections:
• About the CSC SSM
• About Deploying the Adaptive Security Appliance with the CSC SSM
• Scenario: Security Appliance with CSC SSM Deployed for Content Security
• What to Do Next
About the CSC SSM
The CSC SSM maintains a file containing signature profiles of suspicious content, updated regularly from an update server at Trend Micro. The CSC SSM scans traffic it receives from the adaptive security appliance and compares it to the content profiles it obtains from Trend Micro. It then forwards legitimate content on to the adaptive security appliance for routing, or blocks and reports content that is suspicious.
In addition to obtaining content profiles from Trend Micro, system administrators can also customize the configuration so that the CSC SSM scans for additional traffic types or locations. For example, system administrators can configure the CSC SSM to block or filter specific URLs, as well as scan for FTP and e-mail parameters.
You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking links within ASDM.
This chapter describes how to configure the adaptive security appliance for the deployment. Use of the CSC SSM GUI is explained in the Cisco Content Security and Control SSM Administrator Guide.
About Deploying the Adaptive Security Appliance with the CSC SSM
In a network in which the adaptive security appliance is deployed with the CSC SSM, you configure the adaptive security appliance to send to the CSC SSM only the types of traffic that you want to be scanned.
Figure 14-1 illustrates the basic traffic flow between a company network, the adaptive security appliance and CSC SSM, and the Internet. The network illustrated in Figure 14-1 includes the following:
• An adaptive security appliance with a CSC SSM installed and configured
• A service policy on the adaptive security appliance that specifies which traffic is diverted to the CSC SSM for scanning
Figure 14-1 CSC SSM Traffic Flow
In this example, clients could be network users who are accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server.
In this configuration, the traffic flow is as follows:
1. The client initiates a request.
2. The adaptive security appliance receives the request and forwards it to the Internet.
3. When the requested content is retrieved, the adaptive security appliance determines whether its service policies define this content type as one that should be diverted to the CSC SSM for scanning, and does so if appropriate.
4. The CSC SSM receives the content from the adaptive security appliance, scans it and compares it to its latest update of the Trend Micro content filters.
5. If the content is suspicious, the CSC SSM blocks the content and reports the event. If the content is not suspicious, the CSC SSM forwards the requested content back to the adaptive security appliance for routing.
Note: The CSC SSM handles SMTP traffic somewhat differently than other content types. After the CSC SSM receives SMTP traffic and scans it, it does not forward the traffic back to the adaptive security appliance for routing. Rather, the CSC SSM forwards the SMTP traffic directly to the SMTP servers protected by the adaptive security appliance.
Scenario: Security Appliance with CSC SSM Deployed for Content Security
Figure 14-2 is an illustration of a typical deployment of the adaptive security appliance with CSC SSM.
Figure 14-2 CSC SSM Deployment Scenario
In this scenario, the customer has deployed an adaptive security appliance with a CSC SSM for content security. Of particular interest are the following points:
• The adaptive security appliance is on a dedicated management network. Although using a dedicated management network is not required, we recommend it for security purposes.
• This adaptive security appliance configuration has two management ports: one for the adaptive security appliance itself, and another for the CSC SSM. All administration hosts must be able to access both IP addresses.
• The HTTP proxy server is connected to both the inside network and the dedicated management network. This enables the CSC SSM to retrieve updated content security filters from the Trend Micro update server.
• The management network includes an SMTP server so that administrators can be notified of CSC SSM events. The management network also includes a syslog server to store logs generated by the CSC SSM.
This section includes the following topics:
• Configuration Requirements
• Configuring the CSC SSM for Content Security
Configuration Requirements
When you plan the adaptive security appliance deployment, it is critical that the network adheres to the following requirements:
• The SSM management port IP address must be accessible by the hosts used to run ASDM. However, the IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.
• The SSM management port must be able to connect to the Internet so that the CSC SSM can reach the Trend Micro update server.
Configuring the CSC SSM for Content Security
If you ordered your adaptive security appliance with the optional CSC SSM module, there are several steps you need to perform to complete the initial configuration. Some configuration steps are performed on the adaptive security appliance, and some steps are performed in the software running on the CSC SSM.
If you followed the procedures in earlier chapters of this document, at this point you have an adaptive security appliance system running with licensed software, and you have entered basic system values using the Startup Wizard. Your next steps are to configure the adaptive security appliance for a content security deployment.
The basic steps are as follows:
1. Obtain software activation key from Cisco.com.
2. Gather the information you need to configure the CSC SSM.
3. Using ASDM, verify time settings.
4. In ASDM, run the CSC setup wizard to configure the CSC SSM.
5. Using ASDM, configure the adaptive security appliance to divert traffic to the CSC SSM for scanning.
These steps are described in detail in the sections that follow.
This section includes the following topics:
• Obtain Software Activation Key from Cisco.com
• Gather Information
• Verify Time Settings
• Run the CSC Setup Wizard
Obtain Software Activation Key from Cisco.com
With the CSC SSM, you should have received a Product Authorization Key (PAK). Use the PAK to register the CSC SSM at the following URL:
After you register, you will receive activation keys by e-mail. The activation keys are required before you can complete the procedure described in the "Run the CSC Setup Wizard" section.
Gather Information
Before you start configuring the adaptive security appliance and the CSC SSM, gather the following information:
• IP address and netmask for the CSC SSM management port, gateway IP address and netmask. The adaptive security appliance IP address was assigned when you completed the Startup Wizard, described in Appendix A, "Obtaining a 3DES/AES License."
  Note: The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets.
• Hostname and domain name to be used for the CSC SSM
• DNS Server IP address
• HTTP proxy server IP address (if your network uses a proxy for HTTP access to the Internet)
• E-mail address to be used for e-mail notifications; IP address and port number of an SMTP server
• IP addresses of hosts and networks to be allowed management access to the CSC SSM
Verify Time Settings
Verify the accuracy of the adaptive security appliance time settings, including the time zone. Time accuracy is important for logging security events, for automatic updates of the content filter lists on the CSC SSM, and for licensing, because licenses are time sensitive.
• If you control time settings manually, verify the clock settings. In ASDM, choose Configuration > Device Setup > System Time > Clock.
• If you are using NTP to control time settings, verify the NTP configuration. In ASDM, choose Configuration > Device Setup > System Time > NTP.
Run the CSC Setup Wizard
Step 1: In the ASDM main application window, choose Configuration > Trend Micro Content Security > Wizard Setup > Launch Wizard Setup.
The CSC Setup Wizard screen appears.
Step 2: In Step 1 of the CSC Setup Wizard, enter the product activation codes for the Base license and, if applicable, for the Plus license. You can enter the activation code for the Plus license after the initial configuration of the CSC SSM.
Step 3: Click Next.
Step 4: In Step 2 of the CSC Setup Wizard, enter the following information:
  • IP address, network mask, and gateway IP address for the CSC management interface
  • IP address for the Primary DNS server
  • (Optional) IP address and proxy port of the HTTP proxy server (only if your network uses an HTTP proxy server to send HTTP requests to the Internet)
Step 5: Click Next.
Step 6: In Step 3 of the CSC Setup Wizard, enter the following information:
  • Hostname and domain name of the CSC SSM.
  • Domain name used by the local mail server as the incoming domain.
    Note: Anti-spam policies are applied only to e-mail traffic entering this domain.
  • Administrator e-mail address, e-mail server IP address, and port to be used for notifications.
Step 7: Click Next.
Step 8: In Step 4 of the CSC Setup Wizard, enter the following information:
  • IP address and network mask for each subnet and host that should have management access to the CSC SSM. By default, all networks have management access to the CSC SSM.
    Note: For security purposes, we recommend that you restrict access to specific subnets or management hosts.
  • To enter a new host and network combination of settings, click Add.
  • To remove an existing host and network combination, choose one from the Selected Hosts/Networks list, and click Delete.
Step 9: Click Next.
Step 10: In Step 5 of the CSC Setup Wizard, enter the following information:
  • The default factory configuration password, "cisco".
  • A new password for management access.
  • Confirmation of the new password.
Step 11: Click Next.
Step 12: In Step 6 of the CSC Setup Wizard, define traffic selections for CSC scanning. Click Add.
The Specify Traffic for CSC Scan dialog box appears.
Step 13: Choose the interface from the drop-down list. Available options are global (all interfaces), inside, management, and ssm management.
Step 14: Choose the source of network traffic from the IPv4 Network Objects list, and click OK.
Step 15: To specify the destination of network traffic for the CSC to scan, click the ellipses to display the Browse Destination dialog box.
Step 16: Choose the destination of network traffic from the IPv4 Network Objects list, and click OK.
Step 17: To specify the type of service for the CSC to scan, click the ellipses to display the Browse Service dialog box.
Step 18: Choose the service(s) from the list, and click OK.
Step 19: Enter a description for the network traffic that you want the CSC to scan in the field provided.
Step 20: To specify whether traffic is allowed through without being scanned if the CSC SSM fails, do one of the following:
  • To allow traffic through without being scanned, click Permit.
  • To prevent traffic from going through without being scanned, click Deny.
Then save or discard the settings:
  • To save your settings, click OK. The added traffic details appear on the Traffic Selection for CSC Scan screen.
  • To discard these settings and return to the Traffic Selection for CSC Scan screen, click Cancel. If you click Cancel, ASDM displays a dialog box to confirm your decision.
Step 21: Click Next.
Step 22: In Step 7 of the CSC Setup Wizard, review the configuration settings that you have entered for the CSC SSM in the Summary screen.
Step 23: If you are satisfied with these settings, click Finish. To make changes, click Back until you reach the screen whose settings you want to modify.
An informational message appears, indicating that the CSC SSM is active.
By default, the CSC SSM is configured to perform content security scans that were enabled according to the license that you purchased (which may include anti-virus, anti-spam, anti-phishing, and content filtering). It is also configured to obtain periodic updates from the Trend Micro Update Server.
If you purchased the Plus license, you can create custom settings for URL blocking and URL filtering, as well as e-mail and FTP parameters. For more information, see the Cisco Content Security and Control SSM Administrator Guide.
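An added example (not from the original Cisco chapter): the Permit/Deny choice in Step 20 appears in the ASA CLI as `csc fail-open` or `csc fail-close` under a policy-map class. The script below audits a constructed running-config excerpt and lists which CSC-diverted classes would pass traffic unscanned if the module fails; the ACL, class-map and policy-map names and the addresses are made up for illustration.

```python
import re

# Constructed ASA running-config excerpt (all names and addresses are made up).
SAMPLE_CONFIG = """\
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list csc_in extended permit tcp any host 192.168.20.5 eq smtp
class-map csc_outbound_class
 match access-list csc_out
class-map csc_inbound_class
 match access-list csc_in
policy-map csc_out_policy
 class csc_outbound_class
  csc fail-open
policy-map csc_in_policy
 class csc_inbound_class
  csc fail-close
service-policy csc_out_policy interface inside
service-policy csc_in_policy interface outside
"""

def audit_csc_failure_mode(config):
    """Return one dict per CSC-diverted class: policy, class, mode, where applied."""
    applied = {}  # policy-map name -> list of interface names or "global"
    for m in re.finditer(r"^service-policy (\S+) (global|interface (\S+))$", config, re.M):
        applied.setdefault(m.group(1), []).append(m.group(3) or "global")
    findings, policy, klass = [], None, None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            policy, klass = line.split()[1], None
        elif policy and line.startswith(" class "):
            klass = line.split()[1]
        elif policy and klass and (m := re.match(r"\s+csc (fail-open|fail-close)$", line)):
            findings.append({"policy": policy, "class": klass, "mode": m.group(1),
                             "applied_to": applied.get(policy, [])})
        elif line and not line.startswith(" "):
            policy = klass = None  # a new top-level command ends the policy-map block
    return findings

def unscanned_on_failure(config):
    """Classes whose traffic passes unscanned when the CSC SSM is down (Permit)."""
    return [f for f in audit_csc_failure_mode(config) if f["mode"] == "fail-open"]

if __name__ == "__main__":
    for f in audit_csc_failure_mode(SAMPLE_CONFIG):
        print(f"{f['policy']}/{f['class']}: csc {f['mode']} on {f['applied_to']}")
```
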
What to Do Next
You are now ready to configure the Trend Micro InterScan for Cisco CSC SSM software. Use the following documents to continue configuring the adaptive security appliance for your implementation.
To Perform This Task... | See...
Configure CSC SSM software, such as advanced security policies | Cisco Content Security and Control SSM Administrator Guide
Configure additional CSC SSM features in ASDM, including content filtering | ASDM online help
Optimize performance for the AIP SSM and CSC SSM by creating more efficient service policies | Cisco ASA 5500 Series Configuration Guide using the CLI
After you have configured the CSC SSM software, you may want to perform some of the following additional steps.
To Perform This Task... | See...
Refine the existing configuration and configure optional and advanced features | Cisco ASA 5500 Series Configuration Guide using the CLI
Learn about daily operations | Cisco ASA 5500 Series Command Reference; Cisco ASA 5500 Series System Log Messages
Review hardware maintenance and troubleshooting information | Cisco ASA 5500 Series Hardware Installation Guide
You can configure the adaptive security appliance for more than one application. The following chapters provide configuration procedures for other common applications of the adaptive security appliance.