Cisco Asa 5520 - csc ssm

emilioj.romero
Level 1

How to filter URL which includes "https", using the csc ssm module?


5 Replies

Kureli Sankar
Cisco Employee

You can't. The CSC module supports or can scan only 4 protocols: http, smtp, ftp and pop3 (80, 25, 21 (and the associated data) and 110).

-KS

Cisco ASA works with Websense in order to filter https traffic when the csc-ssm module is not being used. I thought I would be able to filter https traffic with this module, without using Websense. Now I don't understand what the csc-ssm module is used for. When I configure the URL filtering in order not to allow access via streaming and the user uses https instead of the http protocol, then the security doesn't work. For example, if the user writes https://www.youtube.com instead of http://www.youtube.com, he will be able to access the web page. How can this problem be solved?

Emilio,

CSC module with the plus license will look for content and block spam in e-mail and virus and other adware, phishing sites with http and ftp.

https traffic is encrypted, so it cannot see what is within the packet.

Now for the exact reason that you specified we do have an enhancement defect filed: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsh18404

Symptom:

When users access web pages via "https" URLs, those requests are not
being sent to the URL filter server for lookup.

Conditions:

CSC module running any code version.  URL blocking and/or
filtering enabled.

Workaround:

None known.

Further Problem Description:

This is an enhancement request to be considered for implementation
by Trend Micro.

This enhancement defect is not resolved. Maybe sometime in the future. In the meantime, if you do not want people to go out using 443, then only allow certain ports with an acl applied on the inside interface. This will not allow anyone to load any URL with https://.

access-list inside-acl permit tcp any any eq 80
access-list inside-acl permit tcp any any eq 21
access-list inside-acl permit tcp any any eq 25
access-list inside-acl permit udp any any eq 53
access-group inside-acl in interface inside

This will only allow the above permitted in the acl and not any other traffic.

-KS
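To see exactly which flows the ACL above admits, here is a small evaluator for that ASA-style access-list syntax. It is an added example, not code from the thread or from Cisco; it assumes only the simple "access-list NAME [extended] permit|deny PROTO any any eq PORT" form used in the post (real ASA ACLs accept far more), and it models the implicit deny that drops everything not explicitly permitted, including tcp/443.

```python
# Added example (not from the thread or from Cisco): evaluate the inside-acl
# lines quoted in the reply above against a few sample flows.
# Assumption: only "access-list NAME [extended] permit|deny PROTO any any eq PORT"
# ACEs are supported; object groups, ranges and host entries are out of scope.
from dataclasses import dataclass

# Constructed copy of the ACL from the post, in configured order.
ACL_TEXT = """
access-list inside-acl permit tcp any any eq 80
access-list inside-acl permit tcp any any eq 21
access-list inside-acl permit tcp any any eq 25
access-list inside-acl permit udp any any eq 53
"""

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    port: int     # destination port matched by "eq"

def parse_acl(text, name):
    """Return the ACEs belonging to access-list `name`, in configured order."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[1] != name:
            continue
        body = tokens[2:]
        if body[0] == "extended":      # optional keyword on ASA
            body = body[1:]
        action, proto = body[0], body[1]
        if action not in ("permit", "deny") or "eq" not in body:
            raise ValueError(f"unsupported ACE form: {line!r}")
        aces.append(Ace(action, proto, int(body[body.index("eq") + 1])))
    return aces

def evaluate(aces, proto, dst_port):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in aces:
        if ace.proto == proto and ace.port == dst_port:
            return ace.action
    return "deny"   # implicit deny at the end of every ASA ACL; this is what stops https

def check_flows(aces, flows):
    """Map each (proto, dst_port) flow to its verdict under the ACL."""
    return {(proto, port): evaluate(aces, proto, port) for proto, port in flows}

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, "inside-acl")
    for flow, verdict in check_flows(acl, [("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)]).items():
        print(flow, verdict)
```

Note that the same implicit deny also drops DNS over TCP (tcp/53) and any passive-FTP data connection on a high port, so expect collateral breakage beyond https when applying this ACL as written.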

Thank you for your help.

I just ran across this question... as of CSC v6.6, you can scan HTTPS traffic, with some noted caveats on browser compatibility.
