ASA to CSC-SSM.pdf


  • 8/9/2019 ASA to CSC-SSM.pdf


ASA: Send Network Traffic from the ASA to the CSC-SSM Configuration Example

Document ID: 99141

Introduction
Prerequisites
    Requirements
    Components Used
    Conventions
Background Information
Configure
    ASA CSC SSM Flow Diagram
    CSC Initial Setup
    How to Configure ASA to Divert Traffic to CSC-SSM
    Network Diagram
    ASA Configuration
CSC Home Page
    CSC Setup
    SMTP Configuration
        Trend Micro SMTP Configuration
    HTTP Configuration
        Scanning
        File Blocking
        URL Blocking
        URL Filtering
    FTP Configuration
        Trend Micro FTP Configuration
Verify
Troubleshoot
    Internet Access
    License violation errors
    Performance Issue
    Troubleshooting Commands
Related Information

    Introduction

This document provides a sample configuration for how to send network traffic from the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to the Content Security and Control Security Services Module (CSC-SSM).

The CSC-SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that is diverted to it by the adaptive security appliance. In order to force the ASA to divert the traffic to the CSC-SSM, you need to use the Modular Policy Framework.

Refer to ASA: Send Network Traffic from the ASA to the AIP SSM Configuration Example in order to send network traffic that passes through the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to the Advanced Inspection and Prevention Security Services Module (AIP-SSM) (IPS) module.


Note: The CSC-SSM can scan FTP, HTTP, POP3, and SMTP traffic only when the destination port of the packet that requests the connection is the well-known port for the specified protocol. The CSC-SSM can scan only these connections:

• FTP connections opened to TCP port 21
• HTTP connections opened to TCP port 80
• POP3 connections opened to TCP port 110
• SMTP connections opened to TCP port 25

    Prerequisites

    Requirements

    Ensure that you meet these requirements before you attempt this configuration:

• A basic understanding of how to configure the Cisco ASA 5500 Series that runs software version 7.1 and later.

• The CSC-SSM has been installed.

    Components Used

    The information in this document is based on these software and hardware versions:

• ASA 5520 with software version 7.1 and later
• CSC-SSM-10 with software version 6.1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    Conventions

    Refer to the Cisco Technical Tips Conventions for more information on document conventions.

    Background Information

The CSC-SSM maintains a file that contains signature profiles of suspicious content, updated regularly from an update server at Trend Micro. The CSC-SSM scans traffic it receives from the adaptive security appliance and compares it to the content profiles it obtains from Trend Micro. It then forwards legitimate content on to the adaptive security appliance for routing, or blocks and reports content that is suspicious.

By default, the CSC-SSM comes with a base license that provides these features:

• Detects and takes action on viruses and malware in the network traffic
• Blocks compressed or very large files that exceed specified parameters
• Scans for and removes spyware, adware, and other types of grayware

Additionally, if it is equipped with a Plus License, it also performs these tasks:

• Reduces spam and protects against phishing fraud in your SMTP and POP3 traffic
• Sets up content filters that enable you to allow or prohibit email traffic that contains key words or phrases


• Filters/blocks URLs that you do not want users to access, or URLs that are known to have hidden or malicious purposes

Note: The CSC-SSM can scan FTP file transfers only when FTP inspection is enabled on the ASA. By default, FTP inspection is enabled.

Note: The CSC-SSM cannot support Stateful Failover because the CSC-SSM does not maintain connection information, and therefore cannot provide the failover unit with the required information for Stateful Failover.

The connections that a CSC-SSM is scanning are dropped when the security appliance in which the CSC-SSM is installed fails. When the standby adaptive security appliance becomes active, it forwards the scanned traffic to the CSC-SSM and the connections are reset.

    Configure

In a network in which the adaptive security appliance is deployed with the CSC-SSM, you configure the adaptive security appliance to send to the CSC-SSM only the types of traffic that you want to be scanned.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

    ASA CSC SSM Flow Diagram

    This diagram shows the flow of traffic within ASA and CSCSSM:

In this example, clients can be network users who access a web site, download files from an FTP server, or retrieve mail from a POP3 server.

In this configuration, this is how the traffic flows:

1. The client initiates a request.
2. The adaptive security appliance receives the request and forwards it to the Internet.
3. When the requested content is retrieved, the adaptive security appliance determines whether its service policies define this content type as one that should be diverted to the CSC-SSM for scanning, and does so if appropriate.
4. The CSC-SSM receives the content from the adaptive security appliance, scans it and compares it to its latest update of the Trend Micro content filters.
5. If the content is suspicious, the CSC-SSM blocks the content and reports the event. If the content is not suspicious, the CSC-SSM forwards the requested content back to the adaptive security appliance for routing.

    CSC Initial Setup

In the initial setup, several parameters need to be configured. Make sure you have gathered the information required for these parameters before you begin.

As the first step to configure the CSC-SSM, launch the Cisco ASDM. By default, you can access the CSC-SSM through the management IP address of the ASA at https://192.168.1.1/. You need to ensure that your PC and the management interface of the ASA are in the same network. Alternatively, you can download the ASDM Launcher for subsequent accesses.

Configure these parameters with the ASDM:

1. Once in the main ASDM window, choose Configuration > Trend Micro Content Security > Wizard Setup and click Launch Setup Wizard.

2. Activation key:

   The first step to obtain the activation key is to identify the Product Authorization Key (PAK) shipped along with the product. It contains a barcode and 11 hexadecimal characters. For example, a sample PAK can be 120106C7D4A.

   Use the PAK to register the CSC-SSM at the Product License Registration (registered customers only) webpage. After you register, you receive activation keys by email.


3. Management port IP parameters:

   Specify the IP address, netmask, and gateway IP address for the CSC Management interface.

   DNS server address: IP address of the primary DNS server.


4. Hostname and domain name of the CSC-SSM: Specify a host name as well as the domain name of the CSC-SSM.

   Incoming domain: Domain name used by the local mail server as the incoming email domain.

   Note: Anti-spam policies are applied only to email traffic that comes into this domain.

   Notification settings: Administrator email address and the email server IP address and port to be used for notifications.

5. Management host access parameters:

   Enter the IP address and mask for each subnet and host that should have management access to the CSC-SSM.

   Note: By default, all networks have management access to the CSC-SSM. For security purposes, Cisco recommends that you restrict access to specific subnets or management hosts.


6. New password for the CSC-SSM:

   Change the default password, cisco, to a new password for management access.

7. In step 6 of the CSC Setup Wizard, specify the type of traffic to be scanned.


   The adaptive security appliance diverts packets to the CSC-SSM after firewall policies are applied but before the packets exit the egress interface. For example, packets that are blocked by an access list are not forwarded to the CSC-SSM.

   Configure service policies to specify which traffic the adaptive security appliance should divert to the CSC-SSM. The CSC-SSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well-known ports for those protocols.

   In order to simplify the initial configuration process, this procedure creates a global service policy that diverts all traffic for the supported protocols to the CSC-SSM, both inbound and outbound. Because scanning all traffic that comes through the adaptive security appliance can reduce the performance of the adaptive security appliance and the CSC-SSM, you should plan to revise this security policy later. For example, it is not usually necessary to scan all traffic that comes from your inside network because it comes from a trusted source. If you refine the service policies so that the CSC-SSM scans only traffic from untrusted sources, you can achieve your security goals and maximize the performance of the adaptive security appliance and the CSC-SSM.

   Complete these steps in order to create a global service policy that identifies traffic to be scanned:

   a. Click Add in order to add a new type of traffic.
   b. Choose Global from the Interface drop-down list.
   c. Leave the Source and Destination fields set to Any.
   d. In the Service area, click the ellipsis (...) radio button. In this dialog box, choose a predefined service or click Add in order to define a new service.
   e. In the If CSC card fails, then area, choose whether the adaptive security appliance should permit or deny the selected traffic if the CSC-SSM is unavailable.
   f. Click OK in order to return to the Traffic Selection for CSC Scan window.
   g. Click Next.

8. In step 7 of the CSC Setup Wizard, review the configuration settings you entered for the CSC-SSM.


   If you are satisfied with these settings, click Finish.

   The ASDM shows a message that indicates that the CSC device is now active.

   By default, the CSC-SSM is configured to perform the content security scans enabled by the license you purchased, which can include antivirus, antispam, antiphishing, and content filtering. It is also configured to get periodic updates from the Trend Micro update server.

   If included in the license you purchased, you can create custom settings for URL blocking and URL filtering, as well as email and FTP parameters. See the Cisco Content Security and Control SSM Administrator Guide for more information.

How to Configure ASA to Divert Traffic to CSC-SSM

In order to force the ASA to divert the traffic to the CSC-SSM, you need to use the Modular Policy Framework. Complete these steps in order to accomplish the identification and diversion of the traffic to the CSC-SSM:

1. Create an access list that matches the traffic you want scanned by the CSC-SSM, in order to divert the traffic to the CSC-SSM, with the access-list extended command:

   hostname(config)# access-list acl-name extended {deny | permit} protocol src_ip mask dest_ip mask [operator port]

2. Create a class map in order to identify the traffic that should be diverted to the CSC-SSM with the class-map command:

   hostname(config)# class-map class_map_name

3. Once in class map configuration mode, use the match access-list command in order to identify the traffic with the use of the access list previously specified:


   hostname(config-cmap)# match access-list acl-name
   hostname(config-cmap)# exit

4. Create a policy map in order to send traffic to the CSC-SSM with the policy-map command:

   hostname(config)# policy-map policy_map_name

5. Once in policy map configuration mode, use the class command in order to specify the class map, previously created, that identifies the traffic to be scanned:

   hostname(config-pmap)# class class_map_name

6. Once in policy map class configuration mode, you can configure these:

   • If you want to enforce a per-client limit for simultaneous connections that the adaptive security appliance diverts to the CSC-SSM, use the set connection command, as follows:

     hostname(config-pmap-c)# set connection per-client-max n

     where n is the maximum number of simultaneous connections the adaptive security appliance allows for each client. This command prevents a single client from abusing the services of the CSC-SSM or any server protected by the SSM, which includes the prevention of attempts at DoS attacks on HTTP, FTP, POP3, or SMTP servers that the CSC-SSM protects.

   • Use the csc command in order to control how the ASA handles traffic when the CSC-SSM is unavailable:

     hostname(config-pmap-c)# csc {fail-close | fail-open}

     where fail-close specifies that the ASA should block traffic if the CSC-SSM fails and, in contrast, fail-open specifies that the ASA should allow traffic if the CSC-SSM fails.

     Note: This applies to the traffic selected by the class map only. Other traffic not sent to the CSC-SSM is not affected by a CSC-SSM failure.

7. Lastly, apply the policy map globally or to a specific interface with the service-policy command (entered in global configuration mode):

   hostname(config)# service-policy policy_map_name [global | interface interface_ID]

   where interface_ID is the name assigned to the interface with the nameif command.

   Note: Only one global policy is allowed. You can override the global policy on an interface with the application of a service policy to that interface. You can only apply one policy map to each interface.

    Network Diagram

    This diagram is an example of an ASA 5500 configured for these parameters:


The summary of the network diagram illustrates these:

• HTTP connections to the outside networks
• FTP connections from clients inside the security appliance to the servers outside the security appliance
• POP3 connections from the clients inside the security appliance to the servers outside the security appliance
• Incoming SMTP connections destined to the inside mail server

    ASA Configuration

ASA 5520

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name Security.lab.com
enable password 2kxsYuz/BehvglCF encrypted
no names
dns-guard
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 172.30.21.222 255.255.255.0
!
interface GigabitEthernet0/1
 description INSIDE
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
! Output suppressed
!
access-list csc-acl remark Exclude CSC module traffic from being scanned
access-list csc-acl deny ip host 10.89.130.241 any
! In order to improve the performance of the ASA and the CSC module,
! any traffic from the CSC module is excluded from the scanning.
access-list csc-acl remark Scan Web & Mail traffic
access-list csc-acl permit tcp any any eq www
access-list csc-acl permit tcp any any eq smtp
access-list csc-acl permit tcp any any eq pop3
! All inbound and outbound traffic for the web and mail services is scanned.
!
access-list csc-acl-ftp permit tcp any any eq ftp
! All inbound and outbound traffic for the FTP service is scanned.
!
class-map csc-class
 match access-list csc-acl
!
class-map csc-ftp-class
 match access-list csc-acl-ftp
!
policy-map global_policy
 class csc-class
  csc fail-open
 class csc-ftp-class
  csc fail-open
 class inspection_default
! Inspect FTP traffic for scanning.
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
!
service-policy global_policy global
! Output suppressed
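The chain above (service-policy to policy-map to class-map to access-list, plus the csc fail mode) is what decides which traffic actually reaches the module and what happens when the module is down, and it can be checked mechanically. The following Python script is an added example, not code from the Cisco document: it parses a running-config excerpt (SAMPLE_CONFIG is constructed from the ASA 5520 configuration above, with a port 8080 entry and a fail-close class added so both checks fire), reports per permitted ACE whether the port is one the CSC-SSM can scan (21, 80, 110, 25), and flags classes configured fail-open. Only the `eq <port>` form of ACE is handled.

```python
"""Audit which traffic an ASA diverts to the CSC-SSM and how each class fails.

Added example, not code from the Cisco document: follows service-policy ->
policy-map -> class -> class-map -> access-list in a running-config excerpt
and reports, per permitted ACE, whether the port is one the CSC-SSM can scan
(21, 80, 110, 25 only) and the csc fail mode. SAMPLE_CONFIG is constructed
from the document's ASA 5520 example plus a port 8080 entry and a fail-close
class so both checks fire.
"""

# Port keywords the ASA accepts; the CSC-SSM scans only the four well-known ports.
PORT_NAMES = {"ftp": 21, "www": 80, "http": 80, "pop3": 110, "smtp": 25}
CSC_SCANNABLE = {21, 80, 110, 25}

SAMPLE_CONFIG = """\
access-list csc-acl remark Exclude CSC module traffic from being scanned
access-list csc-acl deny ip host 10.89.130.241 any
access-list csc-acl permit tcp any any eq www
access-list csc-acl permit tcp any any eq smtp
access-list csc-acl permit tcp any any eq pop3
access-list csc-acl permit tcp any any eq 8080
access-list csc-acl-ftp permit tcp any any eq ftp
class-map csc-class
 match access-list csc-acl
class-map csc-ftp-class
 match access-list csc-acl-ftp
policy-map global_policy
 class csc-class
  csc fail-open
 class csc-ftp-class
  csc fail-close
service-policy global_policy global
"""


def parse_config(text):
    """Collect ACLs, class-maps, per-class csc actions and service-policies."""
    acls, cmaps, pmaps, applied = {}, {}, {}, []
    mode, name, cls = None, None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if raw.startswith("access-list"):
            ace = tok[3:] if tok[2] == "extended" else tok[2:]
            if ace[0] in ("permit", "deny"):        # skip remark lines
                acls.setdefault(tok[1], []).append(ace)
        elif raw.startswith("class-map"):
            mode, name = "cmap", tok[1]
            cmaps.setdefault(name, [])
        elif raw.startswith("policy-map"):
            mode, name = "pmap", tok[1]
            pmaps.setdefault(name, {})
        elif raw.startswith("service-policy"):
            applied.append((tok[1], " ".join(tok[2:])))
        elif mode == "cmap" and tok[:2] == ["match", "access-list"]:
            cmaps[name].append(tok[2])
        elif mode == "pmap" and tok[0] == "class":
            cls = tok[1]
            pmaps[name].setdefault(cls, None)       # None: no csc action yet
        elif mode == "pmap" and tok[0] == "csc" and cls:
            pmaps[name][cls] = tok[1]               # fail-open / fail-close
    return acls, cmaps, pmaps, applied


def ace_port(ace):
    """Port after the last 'eq' in an ACE as a number, or None if no port."""
    if "eq" not in ace:
        return None
    port = ace[len(ace) - ace[::-1].index("eq")]
    return PORT_NAMES.get(port, int(port) if port.isdigit() else None)


def audit(text):
    """One finding per permitted ACE that an applied csc class diverts."""
    acls, cmaps, pmaps, applied = parse_config(text)
    findings = []
    for pmap, scope in applied:
        for cls, fail_mode in pmaps.get(pmap, {}).items():
            if fail_mode is None:
                continue                            # class without csc action
            for acl in cmaps.get(cls, []):
                for ace in acls.get(acl, []):
                    if ace[0] != "permit":
                        continue                    # deny = excluded from scan
                    port = ace_port(ace)
                    findings.append({"class": cls, "acl": acl, "ace": " ".join(ace),
                                     "port": port, "scanned": port in CSC_SCANNABLE,
                                     "fail_mode": fail_mode, "scope": scope})
    return findings


def risks(findings):
    """Sorted, de-duplicated problems: unscannable ports and fail-open classes."""
    out = set()
    for f in findings:
        if not f["scanned"]:
            out.add(f"{f['acl']}: '{f['ace']}' diverts port {f['port']}, which the CSC-SSM cannot scan")
        if f["fail_mode"] == "fail-open":
            out.add(f"{f['class']}: fail-open passes matched traffic unscanned if the module is down")
    return sorted(out)
```

Run `risks(audit(SAMPLE_CONFIG))` against your own `show running-config` text to list ACEs the module will silently pass unscanned and classes that bypass scanning on module failure.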

CSC Home Page

CSC Setup

Trend Micro InterScan for Cisco CSC-SSM provides protection for major traffic protocols, such as SMTP, HTTP, and FTP, as well as POP3 traffic, in order to ensure that employees do not accidentally introduce viruses from their personal email accounts.

Choose Configuration > Trend Micro Content Security in order to open the CSC-SSM. From the Configuration menu, choose from these configuration options:

• CSC Setup: Launches the Setup Wizard to install and configure the CSC-SSM
• Web: Configures Web scanning, file blocking, URL filtering, and URL blocking
• Mail: Configures scanning, content filtering, and spam prevention for incoming and outgoing SMTP and POP3 email
• File Transfer: Configures file scanning and blocking
• Updates: Schedules updates for content security scanning components, for example, virus pattern file, scan engine, and so forth

The Web, Mail, File Transfer, and Updates options are described in more detail in these chapters:

• Mail: Configuring SMTP and POP3 Mail Traffic
• Web and File Transfer: Configuring Web (HTTP) and File Transfer (FTP) Traffic
• Updates: Managing Updates and Log Queries

This example shows how to configure a CSC-SSM to scan the incoming SMTP messages to the internal network.

The incoming SMTP messages are diverted to the CSC-SSM for scanning. In this example, all the traffic from outside that accesses the inside mail server (192.168.5.2/24) for SMTP services is diverted to the CSC-SSM.

access-list csc_inbound extended permit tcp any host 192.168.5.2 eq smtp

These default settings give you some protection for your email traffic after you install Trend Micro InterScan for Cisco CSC-SSM.

    SMTP Configuration

    Trend Micro SMTP Configuration

Complete these steps in order to configure the CSC-SSM to scan the incoming SMTP messages using ASDM:


1. Choose Configuration > Trend Micro Content Security > Mail in ASDM and click Configure Incoming Scan in order to display the SMTP Incoming Message Scan/Target window.

2. The window takes you to the Trend Micro InterScan for Cisco CSC-SSM Login prompt. Enter the CSC-SSM password.

3. The SMTP Incoming Message Scan window has these three views:

   • Target
   • Action
   • Notification

   You can switch among views if you click the appropriate tab for the information you want. The active tab name appears in brown text; inactive tab names appear in black text. Use all three tabs in order to configure virus scanning of incoming SMTP traffic.

   Click Target in order to define the scope of activity to be acted upon.

   The SMTP Incoming message scan is enabled by default.


4. In the Default Scanning section, All scannable files is selected by default. It scans regardless of the file name extensions.

5. Configure the SMTP compressed file handling for incoming mail.


6. Click Save in order to enable the new configuration.

7. Click the Action tab, which allows you to define the action to be taken when a threat is detected. Examples of actions are clean or delete.

   These values are the default actions taken for the incoming mails:

   • For Messages with Virus/Malware Detection section: Clean the message or attachment in which the malware was detected, and if the message or attachment is uncleanable, delete it.
   • For Spyware/Grayware Detections: The default action is to deliver the SMTP messages in which spyware or grayware is detected.

   Click Save in order to enable the new configuration.

8. Click the Notification tab, which allows you to compose a notification message, as well as define who is notified of the event and the action.


   If you are satisfied with the default notification setup, no further action is required. But, you can review the notification options and decide whether you want to change the defaults. For example, you can send a notification to the administrator when a security risk has been detected in an email message. For SMTP, you can also notify the sender or recipient.

   Check the Administrator and Recipient boxes for email notification. You can also tailor the default text in the notification message to something more appropriate for your organization, such as in this screen shot.

9. In the Inline Notifications section of the window, choose one of the listed options, neither, or both.


   In our example, choose Risk free message and type your own message in the field provided.

   Click Save in order to enable the new configuration.

    HTTP Configuration

    Scanning

After installation, by default your HTTP and FTP traffic is scanned for viruses, worms, and Trojans. Malware such as spyware and other grayware requires a configuration change before it is detected.

These default settings give you some protection for your Web and FTP traffic after you install Trend Micro InterScan for Cisco CSC-SSM. You can change these settings. For example, you can prefer to use the Scan by specified file extensions option rather than All Scannable Files for malware detection. Before you make changes, review the online help for more information about these selections.

After installation, it is possible that you want to update additional configuration settings in order to obtain the maximum protection for your Web and FTP traffic. If you purchased the Plus License, which entitles you to receive URL blocking, anti-phishing, and URL filtering functionality, you must configure these additional features.

Complete these steps in order to configure the CSC-SSM to scan HTTP messages with ASDM:

1. Click Web (HTTP) in the Trend Micro page. The Web Message Scan window has four views:

   • Target
   • Webmail Scanning
   • Action
   • Notification

   Click the appropriate tab for the information you want in order to switch among views. The active tab name appears in brown text; inactive tab names appear in black text. Use all tabs in order to configure virus scanning of Web traffic.

   Click Target in order to define the scope of activity to be acted upon.

   • The HTTP message scan is enabled by default.
   • Enabled with the use of All Scannable Files as the scanning method.
   • Web (HTTP) compressed file handling for downloading from the Web: Configured to skip scanning of compressed files when one of these is true:
     • Decompressed file count is greater than 200.
     • Decompressed file size exceeds 30 MB.
     • Number of compression layers exceeds three.
     • Decompressed/compressed file size ratio is greater than 100 to 1.
   • For Webmail scanning: Configured to scan Webmail sites for Yahoo, AOL, MSN, and Google.

2. Large File handling


   The Target tabs on the HTTP Scanning and FTP Scanning windows allow you to define the size of the largest download you want scanned. For example, you can specify that a download under 20 MB is scanned, but a download larger than 20 MB is not scanned.

   In addition, you can:

   • Specify large downloads to be delivered without scanning, which can introduce a security risk.
   • Specify that downloads greater than the specified limit are deleted.

   By default, the CSC-SSM software specifies that files smaller than 50 MB are scanned. Modify this to 75 MB. Files that are 75 MB and larger are delivered without scanning to the requesting client.

   Deferred Scanning

   The deferred scanning feature is not enabled by default. When enabled, this feature allows you to begin to download data without scanning the entire download. Deferred scanning allows you to begin to view the data without a prolonged wait while the entire body of information is scanned.

   Note: If you do not enable the deferred scanning option, then you can face an unsuccessful update through the CSC module.


   Note: When deferred scanning is enabled, the unscanned portion of information can introduce a security risk.

   Note: Traffic that moves through HTTPS cannot be scanned for viruses and other threats by the CSC-SSM software.

   If deferred scanning is not enabled, the entire content of the download must be scanned before it is presented to you. But, some client software can time out because of the time required to collect sufficient network packets in order to compose complete files for scanning. This table summarizes the advantages and disadvantages of each method.

3. Scan for Spyware and Grayware

   Grayware is a category of software that can be legitimate, unwanted, or malicious. Unlike threats such as viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data, but it can violate your privacy. Examples of grayware include spyware, adware, and remote access tools.

   Spyware or grayware detection is not enabled by default. You must configure this feature in these windows in order to detect spyware and other forms of grayware in your Web and file transfer traffic.

   Click Save in order to update your configuration.

   You can switch to the Scanning Webmail tab in order to scan Webmail sites for Yahoo, AOL, MSN, and Google.

   Note: If you elect to scan only Webmail, HTTP scanning is restricted to the sites specified on the Webmail Scanning tab of the Web (HTTP) > Scanning > HTTP Scanning window. Other HTTP traffic is not scanned. Configured sites are scanned until you remove them when you click the Trashcan icon.

   In the Name field, enter the exact web site name, a URL keyword, or a string in order to define the Webmail site.

   Note: Attachments to messages that are managed on Webmail are scanned.

   Click Save in order to update your configuration.


4. You can switch to the Action tab for the configuration of the Virus/Malware Detection and Spyware/Grayware Detections.

   • Web (HTTP) downloads for files in which virus/malware is detected: Clean the downloaded file or file in which the malware was detected. If uncleanable, delete the file.
   • Web (HTTP) downloads and file transfers (FTP) for files in which spyware or grayware is detected: Files are deleted.

5. Web (HTTP) downloads when malware is detected: An inline notification is inserted in the browser, which states that Trend Micro InterScan for CSC-SSM has scanned the file that you attempt to transfer, and has detected a security risk.
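The four compressed-file thresholds in step 1 (file count, decompressed size, compression layers, compression ratio) decide whether an archive is scanned at all or, as the large-file and deferred-scanning notes warn, delivered unscanned. The following Python code is an added example, not code from the Cisco document or the Trend Micro product: it walks a zip archive held in memory, descending into nested zips from header metadata, and reports which of those limits the archive exceeds. It assumes the outer archive counts as layer 1 and that the ratio test uses the largest per-member decompressed-to-compressed ratio; the sample archives are constructed in the block.

```python
"""Check a zip archive against the CSC-SSM compressed-file handling limits.

Added example, not code from the Cisco document or the Trend Micro product.
It applies the four thresholds the document lists for Web (HTTP) compressed
file handling to an archive held in memory, descending into nested zips by
reading members (ZipFile.read returns at most the header's file_size bytes).
Assumptions: the outer archive counts as layer 1, and the ratio test uses the
largest per-member decompressed:compressed ratio. Sample archives are built
here for illustration.
"""
import io
import zipfile

LIMITS = {
    "files": 200,               # decompressed file count greater than 200
    "bytes": 30 * 1024 * 1024,  # decompressed size exceeds 30 MB
    "layers": 3,                # number of compression layers exceeds three
    "ratio": 100,               # decompressed:compressed ratio above 100:1
}


def exceeded(stats):
    """Names of the limits that stats already exceeds (empty = within limits)."""
    return [k for k, limit in LIMITS.items() if stats[k] > limit]


def inspect_archive(data, layer=1, stats=None):
    """Accumulate file count, decompressed bytes, nesting depth and max ratio."""
    if stats is None:
        stats = {"files": 0, "bytes": 0, "layers": 0, "ratio": 0.0}
    stats["layers"] = max(stats["layers"], layer)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stats["files"] += 1
            stats["bytes"] += info.file_size
            stats["ratio"] = max(stats["ratio"],
                                 info.file_size / max(info.compress_size, 1))
            if exceeded(stats):
                return stats            # verdict is final; stop decompressing
            # Descend only while one more layer could still change the verdict
            # and the member's declared size is small enough to hold in memory.
            if layer <= LIMITS["layers"] and info.file_size <= LIMITS["bytes"]:
                member = zf.read(info)
                if member.startswith(b"PK\x03\x04"):
                    inspect_archive(member, layer + 1, stats)
                    if exceeded(stats):
                        return stats
    return stats


def verdict(data):
    """('scan', [], stats) if within limits, else ('skip', hit_limits, stats).

    'skip' mirrors the module's default of delivering such archives unscanned,
    which is the security risk the document's notes describe.
    """
    stats = inspect_archive(data)
    hits = exceeded(stats)
    return ("skip" if hits else "scan"), hits, stats


def make_zip(members):
    """Build an in-memory deflated zip from (name, bytes) pairs (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary archive, a highly compressible one
# (1 MiB of zeros deflates to about 1 KiB, far beyond 100:1), and four
# nested layers (outer = layer 1, INNER ends up as layer 4).
ORDINARY = make_zip([("a.txt", b"hello"), ("b.txt", b"world " * 10)])
HIGH_RATIO = make_zip([("zeros.bin", bytes(1024 * 1024))])
INNER = make_zip([("x.txt", b"x")])
NESTED = make_zip([("l2.zip", make_zip([("l3.zip", make_zip([("l4.zip", INNER)]))]))])
```

`verdict(data)` returns "scan" for ORDINARY, and "skip" with the offending limit names for HIGH_RATIO (ratio) and NESTED (layers); a "skip" result is the case worth alerting on, since the module delivers such content without inspection.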

    File Blocking

In the left drop-down menu, click File Blocking.

This feature is enabled by default; however, you must specify the types of files you want blocked. File blocking helps you enforce your organization's policies for Internet use and other computing resources during work time. For example, your company does not allow the downloading of music, both because of legal issues as well as employee productivity issues.


On the Target tab of the File Blocking window, check the Executable check box in order to block .exe files.

You can specify additional file types by file name extension. Check the Block specified file extensions check box in order to enable this feature.

Then, enter additional file types in the File extensions to block field, and click Add. In the example, .mpg files are blocked.

Click Save when you are finished in order to update the configuration.

Check the Administrator Notification box in order to send the default messages in the text box.

Click the Notification tab for the alert message.

    URL Blocking

This section describes the URL blocking feature and includes these topics:

• Blocking from the Via Local List Tab
• Blocking from the Via Pattern File (PhishTrap) Tab


Note: This feature requires the Plus License.

The URL blocking feature helps you prevent employees from accessing prohibited web sites. For example, it is possible that you want to block some sites because policies in your organization prohibit access to dating services, online shopping services, or offensive sites.

You can also block sites that are known to perpetrate fraud, such as phishing. Phishing is a technique used by criminals who send email messages that appear to be from a legitimate organization, which request you to reveal private information such as bank account numbers. This image shows an example of an email message used for phishing.

By default, URL blocking is enabled. But, only sites in the Trend Micro PhishTrap pattern file are blocked until you specify additional sites for blocking.

    Blocking from the Via Local List Tab

Complete these steps in order to configure URL blocking from the Via Local List tab:

1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click Configure URL Blocking in order to display the URL Blocking window.

2. On the Via Local List tab of the URL Blocking window, type the URLs you want to block in the Match field. You can specify the exact web site name, a URL keyword, or a string.

3. Click Block after each entry in order to move the URL to the Block List. Click Do Not Block to add the entry to Block List Exceptions in order to specify your entry as an exception. Entries remain as blocked or exceptions until you remove them.

   Note: You can also import a block and exception list. The imported file must be in a specific format. See the online help for instructions.


    Blocking from the Via Pattern File (PhishTrap) Tab

Complete these steps in order to configure URL blocking from the Via Pattern File (PhishTrap) tab:

1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click the Configure URL Blocking link in order to display the URL Blocking window.

2. Then click the Via Pattern File (PhishTrap) tab.

3. By default, the Trend Micro PhishTrap pattern file detects and blocks known phishing sites, spyware sites, virus accomplice sites (sites associated with known exploits), and disease vectors, which are web sites that exist only for malicious purposes. Use the Submit the Potential Phishing URL to TrendLabs fields in order to submit sites that you think should be added to the PhishTrap pattern file. TrendLabs evaluates the site and can add the site to this file if such action is warranted.

4. Click the Notification tab in order to review the text of the default message that appears in the browser when an attempt is made to access a blocked site. The online help shows an example. Highlight and redefine it in order to customize the default message.

5. Click Save when you are finished in order to update the configuration.

    URL Filtering

There are two important sections to be discussed here:


• Filtering Settings
• Filtering Rules

The URLs defined on the URL Blocking windows described previously are either always allowed or always disallowed. The URL filtering feature, however, allows you to filter URLs in categories, which you can schedule to allow access during certain times, defined as leisure time, and disallow access during work time.

Note: This feature requires the Plus License.

These are the six URL filtering categories:

• Company-prohibited
• Not work related
• Research topics
• Business function
• Customer defined
• Others

By default, company-prohibited sites are blocked during both work and leisure times.

    Filtering Settings

    Complete these steps in order to configure the URL filtering feature:

    1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click Configure URL Filtering Settings in order to display the URL Filtering Settings window.

    2. On the URL Categories tab, review the subcategories listed and the default classifications assigned to each category to see whether the assignments are appropriate for your organization. For example, Illegal Drugs is a subcategory of the Company-prohibited category. If your organization is a financial services company, it is possible that you want to leave this category classified as company-prohibited. Check the Illegal Drugs check box in order to enable filtering for sites related to illegal drugs. But, if your organization is a law enforcement agency, you should reclassify the Illegal Drugs subcategory to the Business function category. See the online help for more information about reclassification.

    3. After you have reviewed and refined the subcategory classifications, check the associated subcategory in order to enable all the subcategories for which you want filtering performed.

    4. If there are sites within some of the enabled subcategories that you do not want filtered, click the URL Filtering Exceptions tab.

    5. Type the URLs you want to exclude from filtering in the Match field. You can specify the exact web site name, a URL keyword, or a string.

    6. Click Add after each entry in order to move the URL to the Do Not Filter the Following Sites list. Entries remain as exceptions until you remove them.

    Note: You can also import an exception list. The imported file must be in a specific format. See the online help for instructions.

    7. Click the Schedule tab in order to define the days of the week and hours of the day that should be considered work time. Time not designated as work time is automatically designated as leisure time.

    8. Click Save in order to update the URL filtering configuration.

    9. Click the Reclassify URL tab in order to submit suspect URLs to TrendLabs for evaluation.


    Filtering Rules

    After you have assigned the URL subcategories to the correct categories for your organization, defined exceptions (if any), and created the work and leisure time schedule, assign the filtering rules that determine when a category is filtered.

    Complete these steps in order to assign the URL filtering rules:

    1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click the Configure URL Filtering Rules link in order to display the URL Filtering Rules window.

    2. For each of the six major categories, specify whether the URLs in that category are blocked, and if so, during work time, leisure time, or both. See the online help for more information.

    3. Click Save in order to update the configuration.

    Note: For URL Filtering to work correctly, the CSC-SSM module must be able to send HTTP requests to the Trend Micro service. If an HTTP proxy is required, choose Update > Proxy Settings in order to configure the proxy setting. The URL Filtering component does not support the SOCKS4 proxy.
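    The filtering outcome for a request depends on three things set up in the two sections above: the exception list, the category the site falls into, and whether the request arrives during work or leisure time. The Python model below is an added example, not code from the Cisco document or the Trend Micro software; the site-to-category map and the 9-to-18 weekday work schedule are constructed assumptions, while the category names and the default rule for Company-prohibited sites follow the document.

```python
from datetime import datetime

# Per-category rule, as set on the URL Filtering Rules window: the set of
# periods during which the category is blocked. The document's default is
# that Company-prohibited sites are blocked in both work and leisure time;
# the remaining entries are constructed for this example.
DEFAULT_RULES = {
    "Company-prohibited": {"work", "leisure"},
    "Not work related": {"work"},
    "Research topics": set(),
    "Business function": set(),
    "Customer defined": set(),
    "Others": set(),
}

# Constructed work-time schedule: weekday (0=Mon .. 4=Fri) -> (start, end) hour.
# Everything outside these windows is leisure time, as on the Schedule tab.
WORK_SCHEDULE = {day: (9, 18) for day in range(5)}

# Constructed stand-in for the pattern data that maps a site to its category.
SITE_CATEGORY = {
    "gambling.example": "Company-prohibited",
    "sports.example": "Not work related",
    "intranet.example": "Business function",
}


def period(when: datetime) -> str:
    """Return 'work' if the timestamp is inside the work schedule, else 'leisure'."""
    hours = WORK_SCHEDULE.get(when.weekday())
    return "work" if hours and hours[0] <= when.hour < hours[1] else "leisure"


def is_exception(host: str, exceptions) -> bool:
    """An exception entry is an exact site name, a keyword or a string within the host."""
    return any(entry in host for entry in exceptions)


def is_filtered(host: str, when: datetime, rules=DEFAULT_RULES, exceptions=()) -> bool:
    """True when the request must be filtered: not excepted, and the site's
    category is blocked during the period in which the request arrives."""
    if is_exception(host, exceptions):
        return False
    category = SITE_CATEGORY.get(host, "Others")
    return period(when) in rules[category]
```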

    FTP Configuration

    Trend Micro FTP Configuration

    After installation, by default your FTP traffic is scanned for viruses, worms, and Trojans. Malware such as spyware and other grayware requires a configuration change before it is detected.

    File transfer (FTP): scanning of file transfers is enabled, using All Scannable Files as the scanning method.

    Complete the steps given in the File Blocking page for HTTP Traffic.


    Verify

    Use this section in order to confirm that your configuration works properly.

    The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Although the OIT can be used to view an analysis of some show command outputs, the show commands listed here are currently not compatible with this tool.

    show module: In order to check the status of an SSM, for example:

    ciscoasa# show module
    Mod Card Type                                    Model              Serial No.
      0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX090000B7
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF10333331

    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 0014.c482.5151 to 0014.c482.5155  1.1          1.0(10)0     8.0(2)
      1 000b.fcf8.012c to 000b.fcf8.012c  1.0          1.0(10)0     Trend Micro InterSc

    Mod SSM Application Name           Status           SSM Application Version
      1 Trend Micro InterScan Security Up               Version 6.0

    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
      1 Up                 Up

    show module 1 details: Use the details keyword in order to view additional information for the SSM, for example:

    ciscoasa# show module 1 details
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-20
    Model:              ASA-SSM-20
    Hardware version:   1.0
    Serial Number:      JAF10333331
    Firmware version:   1.0(10)0
    Software version:   Trend Micro InterScan Security Module Version 6.0
    App. name:          Trend Micro InterScan Security Module
    App. version:       Version 6.0
    Data plane Status:  Up
    Status:             Up
    HTTP Service:       Up
    Mail Service:       Up
    FTP Service:        Up
    Activated:          Yes
    Mgmt IP addr:       172.30.21.235
    Mgmt web port:      8443

    show module slot_num recover: Determines if there is a recovery configuration for the SSM. If a recovery configuration exists for the SSM, the ASA displays it. For example:

    ciscoasa# show module 1 recover
    Module 1 recover parameters. . .
    Boot Recovery Image: Yes
    Image URL:           tftp://10.21.18.1/idsoldimg
    Port IP Address:     172.30.21.10
    Port Mask:           255.255.255.0
    Gateway IP Address:  172.30.21.254

    Refer to Verifying Initial Setup for more information on how to verify that Trend Micro InterScan for Cisco CSC-SSM operates correctly.
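    A quick way to turn the "show module 1 details" output into a pass/fail check is to parse its key/value lines and compare the service states against what a working module reports. The Python script below is an added example, not part of the Cisco document; its sample output is constructed after the example above, with the Mail Service deliberately set to Down so that the check has something to report.

```python
import re

# Constructed sample, modelled on the document's 'show module 1 details' output,
# with the Mail Service deliberately set to Down.
SAMPLE_DETAILS = """\
ciscoasa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model:              ASA-SSM-20
Software version:   Trend Micro InterScan Security Module Version 6.0
Data plane Status:  Up
Status:             Up
HTTP Service:       Up
Mail Service:       Down
FTP Service:        Up
Activated:          Yes
Mgmt IP addr:       172.30.21.235
Mgmt web port:      8443
"""

# States a healthy module reports before the ASA can usefully divert
# HTTP, SMTP/POP3 and FTP traffic to it (from the document's sample output).
REQUIRED = {
    "Status": "Up", "Data plane Status": "Up", "Activated": "Yes",
    "HTTP Service": "Up", "Mail Service": "Up", "FTP Service": "Up",
}

# Matches 'Key:   value' lines; the banner lines have no colon and are skipped.
KV_LINE = re.compile(r"^([A-Za-z. ]+?):\s+(\S.*?)\s*$")


def parse_details(text: str) -> dict:
    """Collect the 'Key: value' lines of the command output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = KV_LINE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def failing_fields(text: str) -> list:
    """Return the required fields that are missing or not in the expected state."""
    fields = parse_details(text)
    return sorted(k for k, want in REQUIRED.items() if fields.get(k) != want)


if __name__ == "__main__":
    bad = failing_fields(SAMPLE_DETAILS)
    print("CSC-SSM not ready:", ", ".join(bad) if bad else "all checks passed")
```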

    Troubleshoot

    This section provides information you can use to troubleshoot your configuration.

    Internet Access

    Problem

    The CSC is unable to access the Internet through the ASA management interface, or the CSC is unable to get updates from the Trend server through the Internet.

    Solution

    The management interface is configured with the management-only command, which makes it accept only traffic to or from the ASA, not traffic through it. Remove the management-only command and, with a NAT statement for management-to-outside traffic in place, the CSC can then reach the Internet for updates.

    License violation errors

    Problem

    The CSC module shows license violation errors and reports more hosts than are in the network. The "License violation has been detected on the InterScan for CSC SSM" error is seen in the CSC module. How can this error be resolved?

    Solution

    Move all interfaces except the Outside/WAN interface (security level 0) to the higher security levels.

    Performance Issue

    Problem


    The incoming SMTP traffic has become very slow. Responses to the inside mail server sometimes take a couple of minutes to arrive.

    Solution

    You possibly run into slow traffic due to out-of-order packets. Try this example, which can resolve the issue.

    ! Creates a new tcp-map and allows for 100 out-of-order packets
    tcp-map localmap
      queue-limit 100

    ! This is the class that defines the traffic to be sent to the CSC module.
    ! The name you use can be different. Applies the localmap parameters to
    ! flows that match the class map.
    policy-map global_policy
      class csc-class
        set connection advanced-options localmap

    Troubleshooting Commands

    The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in order to view an analysis of show command output.

    Refer to Troubleshooting Trend Micro InterScan for Cisco CSC-SSM for more information on how to troubleshoot various issues of the CSC-SSM.

    Note: Refer to Important Information on Debug Commands before you use debug commands.

    debug module-boot: Shows debug messages about the SSM booting process.

    hw-module module 1 shutdown: Shuts down the SSM.

    hw-module module 1 reset: Resets the SSM.

    Related Information

    Cisco ASA 5500 Series Adaptive Security Appliances Product Support
    Cisco Content Security and Control SSM Administrator Guide
    Cisco Adaptive Security Device Manager Product Support
    Technical Support & Documentation - Cisco Systems

    © 2008-2009 Cisco Systems, Inc. All rights reserved.

    Updated: Oct 18, 2007 Document ID: 99141