06-23-2011 09:08 PM - edited 03-10-2019 05:23 AM
I am going throug the CCNP SEC. Just got the two thing in my front. Can anybody pls specify the work and difference between AIP SSM and CSC SSM.
Thanks in advance.
06-23-2011 11:23 PM
AIP SSM - is IPS module available on ASA firewall. It's providing intrusion prevention services for malicious traffic going through the module. This is targetted to all network traffic in general.
More info on AIP-SSM:
CSC SSM - is providing Antivirus, Anti Spyware, Anti-Spam, Anti-Phishing, URL filtering, etc capabilities for HTTP, SMTP and FTP traffic.
More info on CSC-SSM:
Hope this helps.
06-23-2011 11:33 PM
hmm - we have "always" been using the AIP module in our ASA's and had websense for url-filtering but I can see that cisco claims that the csc-blade also can be used for webfiltering - I now this is a stupid question to ask but - how easy is this to administrate? Could one f.ex define a virtual sensor #2 which would deny social networks ?
06-23-2011 11:40 PM
Yes, CSC module is similar to Websense.
CSC module can be configured to integrate with Active Directory, and you can configure different user group with different URL filtering policies.
You can however only have 1 module per ASA, and you can't have both AIP and CSC module as there is only 1 slot on the ASA for module. So it's either AIP or CSC.
To administer it, it's just a GUI using browser for management.
Here is the latest version admin guide, if you wish to quickly browse through it:
http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/cscssm66.html
07-27-2020 03:54 PM
Jen
Can csc-ssm integrated with 5515-x i couldn't find any doc showing it can be installed on ASA 5515-x .
07-27-2020 11:19 PM
That product is long past end of sales and was never offered on the ASA 5500-X series.It was last sold in 2013:
The modern alternative is a Firepower service module (or ASA running Firepower Threat Defense image).
07-28-2020 09:25 AM
Thnx Marvin for clarification ,so does the firepower provide antivirus and anti phishing anti malware all in the same product if so what would you think the best one to go with
07-28-2020 12:47 PM - edited 07-28-2020 03:20 PM
Marvin,
I have ASA 5515-x with SSD (micron_M550MTFDDAK128MAY) we have integrated it with web-sense ,we would like to get rid of web-sense so i was wounding if there is any way i can upgrade it to firepower with AMP solution by purchase a license such as L-ASA5515-TMAC-3Y or L-S-ASA5515-TAM-3Y .
07-28-2020 08:37 PM
Cisco Umbrella is generally a superior product for DNS security and is effective protection at the DNS layer against phishing and malware links.
Umbrella plus AMP for Endpoints is a good solution for both endpoint and DNS protection.
If you want to rely on perimeter protection you can use your 5515-X with a Firepower service module and a subscription like the TAM or TAMC ones (T = Threat or IPS, AM = Advanced Malware, C = URL Filtering).
Antimalware at the perimeter tends not to be as effective since most malware travels via encrypted channels and your perimeter firewall is not decrypting it. That's why we recommend AMP for Endpoints as it runs on each client computer. Also, AMP and Umbrella can both protect your computers whether they are on or off your network.
07-28-2020 09:36 PM
thanks alot sir
I have another question ,For 5515-x do you have procedure to upgrade it to firepower or i have to open a ticket with Cisco below is the show module
sh module
Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515 *********
ips Unknown N/A ********
cxsc ASA CX5515 Security Appliance ASA CX5515 ***********
Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 ****.****.**** to ****.****.**** 1.0 2.1(9)8 9.1(1)
ips ****.****.**** to ****.****.**** N/A N/A
cxsc ****.****.**** to ****.****.**** N/A N/A 9.1.1
Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc ASA CX Up 9.1.1
Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Up Up
Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual
07-29-2020 12:41 AM
The procedure to install a new Firepower service software module on an existing ASA 5500-X series can be found here:
6.4.x is the latest version of Firepower software supported on the service module for the now-end-of-sale ASA 5515-X. So you would start by installing 6.4.0 and then patching to the latest patch (currently 6.4.0.9).
07-30-2020 08:28 AM
Thanks a lot for the information appreciated.
07-30-2020 11:31 AM
You're welcome. Please ate helpful posts or mark your question as solved.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide