cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

940
Views
20
Helpful
12
Replies
Highlighted
Beginner

AIP SSM and CSC SSM

I am going throug the CCNP SEC. Just got the two thing in my front. Can anybody pls specify the work and difference between AIP SSM and CSC SSM.

Thanks in advance.

12 REPLIES 12
Highlighted
Cisco Employee

AIP SSM and CSC SSM

AIP SSM - is IPS module available on ASA firewall. It's providing intrusion prevention services for malicious traffic going through the module. This is targetted to all network traffic in general.

More info on AIP-SSM:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6825/product_data_sheet0900aecd80404916_ps6120_Products_Data_Sheet.html

CSC SSM - is providing Antivirus, Anti Spyware, Anti-Spam, Anti-Phishing, URL filtering, etc capabilities for HTTP, SMTP and FTP traffic.

More info on CSC-SSM:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/ps6823/product_data_sheet0900aecd80402e4f_ps6120_Products_Data_Sheet.html

Hope this helps.

Highlighted
Participant

AIP SSM and CSC SSM

hmm - we have "always" been using the AIP module in our ASA's and had websense for url-filtering but I can see that cisco claims that the csc-blade also can be used for webfiltering - I now this is a stupid question to ask but - how easy is this to administrate? Could one f.ex define a virtual sensor #2 which would deny social networks ?

Highlighted
Cisco Employee

AIP SSM and CSC SSM

Yes, CSC module is similar to Websense.

CSC module can be configured to integrate with Active Directory, and you can configure different user group with different URL filtering policies.

You can however only have 1 module per ASA, and you can't have both AIP and CSC module as there is only 1 slot on the ASA for module. So it's either AIP or CSC.

To administer it, it's just a GUI using browser for management.

Here is the latest version admin guide, if you wish to quickly browse through it:

http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/cscssm66.html

Highlighted
Beginner

Re: AIP SSM and CSC SSM

Jen

Can csc-ssm integrated with 5515-x i  couldn't find any doc showing it can be installed on ASA 5515-x .

Highlighted
Hall of Fame Guru

Re: AIP SSM and CSC SSM

That product is long past end of sales and was never offered on the ASA 5500-X series.It was last sold in 2013:

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727284.html

The modern alternative is a Firepower service module (or ASA running Firepower Threat Defense image).

Highlighted
Beginner

Re: AIP SSM and CSC SSM

Thnx Marvin for clarification ,so does the firepower provide antivirus and anti phishing anti malware all in the same product if so what would you think the best one to go with 

Highlighted
Beginner

Re: AIP SSM and CSC SSM

Marvin,

I have ASA 5515-x with SSD (micron_M550MTFDDAK128MAY) we have integrated it with web-sense ,we would like to get rid of web-sense so i was wounding if there is  any way i can upgrade it to firepower with AMP solution by purchase a license   such as L-ASA5515-TMAC-3Y   or L-S-ASA5515-TAM-3Y  .

Highlighted
Hall of Fame Guru

Re: AIP SSM and CSC SSM

Cisco Umbrella is generally a superior product for DNS security and is effective protection at the DNS layer against phishing and malware links.

Umbrella plus AMP for Endpoints is a good solution for both endpoint and DNS protection.

If you want to rely on perimeter protection you can use your 5515-X with a Firepower service module and a subscription like the TAM or TAMC ones (T = Threat or IPS, AM = Advanced Malware, C = URL Filtering).

Antimalware at the perimeter tends not to be as effective since most malware travels via encrypted channels and your perimeter firewall is not decrypting it. That's why we recommend AMP for Endpoints as it runs on each client computer. Also, AMP and Umbrella can both protect your computers whether they are on or off your network.

Highlighted
Beginner

Re: AIP SSM and CSC SSM

thanks alot sir

I have another question ,For  5515-x do you have procedure to upgrade it to firepower or i have to open a ticket with Cisco  below is the show module 

 

sh module

Mod Card Type Model Serial No.
---- -------------------------------------------- ------------------ -----------
0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515 *********
ips Unknown N/A  ********
cxsc ASA CX5515 Security Appliance ASA CX5515 ***********

Mod MAC Address Range Hw Version Fw Version Sw Version
---- --------------------------------- ------------ ------------ ---------------
0 ****.****.**** to ****.****.**** 1.0 2.1(9)8 9.1(1)
ips ****.****.**** to ****.****.**** N/A N/A
cxsc ****.****.**** to ****.****.**** N/A N/A 9.1.1

Mod SSM Application Name Status SSM Application Version
---- ------------------------------ ---------------- --------------------------
ips Unknown No Image Present Not Applicable
cxsc ASA CX Up 9.1.1

Mod Status Data Plane Status Compatibility
---- ------------------ --------------------- -------------
0 Up Sys Not Applicable
ips Unresponsive Not Applicable
cxsc Up Up

Mod License Name License Status Time Remaining
---- -------------- --------------- ---------------
ips IPS Module Disabled perpetual

Highlighted
Hall of Fame Guru

Re: AIP SSM and CSC SSM

The procedure to install a new Firepower service software module on an existing ASA 5500-X series can be found here:

https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html

6.4.x is the latest version of Firepower software supported on the service module for the now-end-of-sale ASA 5515-X. So you would start by installing 6.4.0 and then patching to the latest patch (currently 6.4.0.9).

Highlighted
Beginner

Re: AIP SSM and CSC SSM

Thanks a lot for the information appreciated.

Highlighted
Hall of Fame Guru

Re: AIP SSM and CSC SSM

You're welcome. Please ate helpful posts or mark your question as solved.