topic Re: ASA with CSC-SSM in Network Security

ASA with CSC-SSM

patrick.bolt — Fri, 21 Feb 2020 09:07:51 GMT

I have a ASA 5510 with a CSC-SSM and i have special question concerning the CSC features.

I would like to use a different set of CSC features for two types of traffic.

--> Standard Workplaces (Source Subnet 1), URL blocking, threath/virus protection

--> Management Workplaces (Source Subnet 2), only threath/virus protection

Can that configured like that?

I didn't find any possibility. Because the CSC is like a blackbox in that the the features can enabled/disaled only globally. I pass the traffic to the CSC based on a ACL.

Does anybody know if there is a solution for that?

Thanks Patrik Bolt

Re: ASA with CSC-SSM

wong34539 — Tue, 29 Aug 2006 13:21:27 GMT

If you purchased the Plus level of the CSC SSM license in addition to the Base License, you can also:

Reduce spam and protect against phishing fraud in your SMTP and POP3 traffic

Set up content filters that enable you to allow or prohibit email traffic containing key words or phrases

Block URLs that you do not want employees to access, or URLs that are known to have hidden or malicious purposes

Filter URL traffic according to predefined categories that you allow/disallow, such as adult/mature content, games, chat/instant messaging, or gambling sites.

With Trend Micro InterScan for Cisco CSC SSM, you do not have to install separate applications for virus protection, spyware blocking, spam detection, or content filtering?all of these functions are available in a single package. Trend Micro InterScan for Cisco CSC SSM provides protection for major traffic protocols?SMTP, HTTP, and FTP, as well as POP3 traffic, to ensure that employees don't accidentally introduce viruses from their personal email accounts. And, the application is easy to maintain.

Re: ASA with CSC-SSM

patrick.bolt — Wed, 30 Aug 2006 10:08:13 GMT

Thanks. But that was not my question. I know the features of CSC-SSM with plus license. The goal is to differentiate between different source traffic types and apply a URL blocker or not.

After intense reading of the technical references i know that Websense / N2H2 is the solution for my goal.

Greets Patrik

Re: ASA with CSC-SSM

l.tating — Thu, 21 Dec 2006 06:23:59 GMT

Hello!

I am currently working on a ASA5520 with CSC SSM on it. Im trying to test URL blocking, but Im not sucessful. Is it absolutely necessary to have Websense or N2H2 to successfully filter or block URLs? I want to know if ASA CSC SSM can to the URL blocking by itself.

Lorenz

Re: ASA with CSC-SSM

Patrik Bolt — Thu, 21 Dec 2006 07:20:58 GMT

Hi Lorenz

There are different things to configure when using CSC-SSM. first the CSC module must have a LAN connection with a dedicated cable and a own IP Adddress. Second you have to define the traffic which must be passed to the CSC. Third you must configure the CSC itself (webfrontend on the CSC IP).

Below you can see my CSC config. I pass only traffic defined in the ACL's to the CSC module. You can althoug use the default-class if you like.

The key part used is the modular policy framework.

If you read that, you have a real understanding of the stuff http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_book09186a008054c15c.html

Greetz

Patrik

access-list csc_out extended permit tcp LAN 255.255.252.0 any eq www

access-list csc_out extended permit tcp LAN 255.255.252.0 any eq smtp

access-list csc_out extended permit tcp LAN 255.255.252.0 any eq ftp

access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq www

access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq smtp inactive

access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq pop3 inactive

access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq ftp

' which traffic

class-map global-class

match default-inspection-traffic

class-map csc_in_class

match access-list csc_in

class-map csc_out_class

match access-list csc_out

' what happens to the traffic

policy-map csc_out_policy

description Outbound Traffic Policy

class csc_out_class

csc fail-open

policy-map global-policy

class global-class

inspect sqlnet

inspect netbios

inspect pptp

inspect ftp

inspect dns

inspect icmp error

inspect icmp

policy-map csc_in_policy

description Inbound Traffic Policy

class csc_in_class

csc fail-open

' bind the policy to an interface

service-policy global-policy global

service-policy csc_in_policy interface outside

service-policy csc_out_policy interface inside

service-policy csc_out_policy interface dmz

Re: ASA with CSC-SSM

Patrik Bolt — Thu, 21 Dec 2006 07:33:15 GMT

Sorry Lorenz

I did not answer your question.

You can filter and block URLs using the CSC-SSM. But the blocking feature is only globally for all traffic which will be passed into the CSC using the modular policy framework on the ASA like described in my other post. Websense/N2H2 is a step more than the filtering using a CSC module. It provides a possibility to filter user based. Example: a standard user has no rights to open a website like ebay.com but the managers can open it. That config is not possible using CSC.

If you can live with a globally defined filtering rule for all users the CSC is right for you. If you use a more complex filtering you should use Websense/N2H2.

But in the Websense/N2H2 case you have to use a Server in conjunction with your ASA.

But there are although the other nice features of a CSC-SSM.

- Antivirus

- Antispam

- Antispy

...

I hope i could help you.

Greets Patrik

Re: ASA with CSC-SSM

l.tating — Thu, 21 Dec 2006 07:33:57 GMT

Hi Patrick,

Thank you for the CLI configuration hints. Have you configured URL blocking without the use of N2H2 or Websense? I know blocking URL one by one is a quite cumbersome task, but for simplicity I want to know if it can be done on the ASA box alone. Were you successful in doing the blocking by the ASA?

You responses are greatly appreciated.

Lorenz

Re: ASA with CSC-SSM

l.tating — Thu, 21 Dec 2006 07:39:32 GMT

Hi Patrik,

Looks like our email missed each other. I will try again to reconfigure the ASA and set the modular policies carefully. By the way, Im using 7.2.1 for the Main System and CSC-SSM-10 for the CSC. my ASDM is 5.2.1. I will let you know immediately the result of my tests. Maybe within an hour.

Lorenz

Re: ASA with CSC-SSM

Patrik Bolt — Thu, 21 Dec 2006 08:33:19 GMT

Hi Lorenz

Yes, the ASA does the URL blocking alone without any Websense or N2H2 Server. And it works well in my network since some months.

Patrik

Re: ASA with CSC-SSM

l.tating — Fri, 22 Dec 2006 08:49:52 GMT

Hi Patrik,

The license needs to be updated and hence the CSC to be activated. I will get back when there are results probably after Dec.26. we will have our vacation quite long weekend here.

Thanks for your time.

Lorenz

Re: ASA with CSC-SSM

Patrik Bolt — Fri, 22 Dec 2006 09:11:00 GMT

Hi Lorenz

If it helps. I have the ASA with a CSC-SSM and these additional licenses.

- CSC-SSM User Upgrade

- CSC-SSM Plus License (URL blocking, Anti phisihing ...)

- ASA Security Plus (if you need multiple contexts or failover ..)

Nice holidays

Greets from Switzerland Patrik

Re: ASA with CSC-SSM

l.tating — Wed, 03 Jan 2007 02:58:54 GMT

Hi Patrik,

Happy New Year 2007!

Im still waiting for one of our group responsible for communicating license matters to Cisco. If I can get the CSC-SSM Plus activated, I can get back to you as soon as possible, and hopefully get same results as you have. For the mean time, im also working on other features of the ASA.

Regards,

Lorenz