Streszczenie treści zawartej na stronie nr. 1
CHAPTER19
Managing the AIP SSM and CSC SSM
The Cisco ASA 5500 series adaptive security appliance supports a variety of SSMs. This chapter
describes how to configure the adaptive security appliance to support an AIP SSM or a CSC SSM,
including how to send traffic to these SSMs.
For information about the 4GE SSM for the ASA 5000 series adaptive security appliance, see Chapter 4,
“Configuring Ethernet Settings and Subinterfaces”.
Note The Cisco PIX 500 series security appliances does not suppo
Streszczenie treści zawartej na stronie nr. 2
Chapter 19 Managing the AIP SSM and CSC SSM Managing the AIP SSM The AIP SSM can operate in one of two modes, as follows: � Inline mode—Places the AIP SSM directly in the traffic flow. No traffic can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis.
Streszczenie treści zawartej na stronie nr. 3
Chapter 19 Managing the AIP SSM and CSC SSM Managing the AIP SSM Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM. Use the class-map command to do so, as follows: hostname(config)# class-map class_map_name hostname(config-cmap)# where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode. Step 3 With the access list you created in Step 1, use a match access-list command
Streszczenie treści zawartej na stronie nr. 4
Chapter 19 Managing the AIP SSM and CSC SSM Managing the AIP SSM hostname(config-cmap)# match access-list IPS hostname(config-cmap)# policy-map my-ids-policy hostname(config-pmap)# class my-ips-class hostname(config-pmap-c)# ips promiscuous fail-close hostname(config-pmap-c)# service-policy my-ips-policy global Sessioning to the AIP SSM and Running Setup After you have completed configuration of the ASA 5500 series adaptive security appliance to divert traffic to the AIP SSM, session t
Streszczenie treści zawartej na stronie nr. 5
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM Note If you see the preceding license notice (which displays only in some versions of software), you can ignore the message until you need to upgrade the signature files on the AIP SSM. The AIP SSM continues to operate at the current signature level until a valid license key is installed. You can install the license key at a later time. The license key does not affect the current functionality of the AIP SSM. Step 3 Ent
Streszczenie treści zawartej na stronie nr. 6
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM Figure 19-1 Flow of Scanned Traffic with CSC SSM Security Appliance Main System modular service policy Request sent Request forwarded inside outside Reply forwarded Reply sent Server Diverted Traffic Client content security scan CSC SSM You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM b
Streszczenie treści zawartej na stronie nr. 7
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM Figure 19-2 CSC SSM Deployment with a Management Network Security Appliance Trend Micro inside Update Server 192.168.100.1 Main System outside HTTP Internet 10.6.13.67 Proxy management port 192.168.50.1 CSC SSM ASDM SSM 192.168.50.38 management port Syslog Notifications SMTP Server CSC SSM cannot suport stateful failover, because the CSC SSM does not maintain connection information and therefore cannot provide the failove
Streszczenie treści zawartej na stronie nr. 8
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM Note The SSM management port IP address must be accessible by the hosts used to run ASDM. The IP addresses for the SSM management port and the adaptive security appliance management interface can be in different subnets. � DNS server IP address. � HTTP proxy server IP address (required only if your security policies require use of a proxy server for HTTP access to the Internet). � Domain name and hostname for the SSM. �
Streszczenie treści zawartej na stronie nr. 9
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM With a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering. To access the CSC SSM GUI, in ASDM choose Configuration > Trend Micro Content Security, and then select one of the following: Web, Mail, File Transfer, or Updates. The blue links on these panes, beginning with the word “Configure”, open the CSC SSM GUI. Determining
Streszczenie treści zawartej na stronie nr. 10
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM � Incoming SMTP connections destined to inside mail servers. In Figure 19-3, the adaptive security appliance should be configured to divert traffic to CSC SSM requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network and incoming SMTP connections from outside hosts to the mail server on the DMZ network. HTTP requests from the inside network to the web server on the DMZ networ
Streszczenie treści zawartej na stronie nr. 11
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM This access list matches inbound SMTP connections from any external host to any host on the DMZ network. The policy applied to the outside interface would therefore ensure that incoming SMTP email would be diverted to the CSC SSM for scanning. It would not match SMTP connections from hosts on the inside network to the mail server on the DMZ network because those connections never use the outside interface. If the web s
Streszczenie treści zawartej na stronie nr. 12
Chapter 19 Managing the AIP SSM and CSC SSM Managing the CSC SSM hostname(config)# class-map class_map_name hostname(config-cmap)# where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode. Step 3 With the access list you created in Step 1, use a match access-list command to identify the traffic to be scanned: hostname(config-cmap)# match access-list acl-name Step 4 Create a policy map or modify an existing
Streszczenie treści zawartej na stronie nr. 13
Chapter 19 Managing the AIP SSM and CSC SSM Checking SSM Status Example 19-1 is based on the network shown in Figure 19-3. It creates two service policies. The first policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP connections from inside to networks on the outside interface are scanned but it includes a deny ACE to exclude HTTP
Streszczenie treści zawartej na stronie nr. 14
Chapter 19 Managing the AIP SSM and CSC SSM Transferring an Image onto an SSM hostname# show module 1 Mod Card Type Model Serial No. --- -------------------------------------------- ------------------ ----------- 1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAB100301NE Mod MAC Address Range Hw Version Fw Version Sw Version --- --------------------------------- ------------ ------------ -----
Streszczenie treści zawartej na stronie nr. 15
Chapter 19 Managing the AIP SSM and CSC SSM Transferring an Image onto an SSM To transfer an image onto an intelligent SSM, perform the following steps: Step 1 Create or modify a recovery configuration for the SSM. To do so, perform the following steps: a. Determine if there is a recovery configuration for the SSM. To do so, use the show module command with the recover keyword, as follows. hostname# show module slot recover where slot is the slot number occupied by the SSM. If the reco
Streszczenie treści zawartej na stronie nr. 16
Chapter 19 Managing the AIP SSM and CSC SSM Transferring an Image onto an SSM Step 3 Check the progress of the image transfer and SSM restart process. To do so, use the show module command. For details, see the “Checking SSM Status” section on page 19-13. When the adaptive security appliance completes the image transfer and restart of the SSM, the SSM is running the newly transferred image. Note If your SSM supports configuration backups and you want to restore the configuration of th