
Cisco Asdm 7 User Guide

    Cisco ASA Series Firewall ASDM Configuration Guide
    Chapter 32
    Configuring the ASA CSC Module
    This chapter describes how to configure the Content Security and Control (CSC) application that is 
    installed in a CSC SSM in the ASA.
    This chapter includes the following sections:
    Information About the CSC SSM, page 32-1
    Licensing Requirements for the CSC SSM, page 32-5
    Prerequisites for the CSC SSM, page 32-5
    Guidelines and Limitations, page 32-6
    Default Settings, page 32-6
    Configuring the CSC SSM, page 32-7
    CSC SSM Setup Wizard, page 32-10
    Using the CSC SSM GUI, page 32-20
    Monitoring the CSC SSM, page 32-24
    Troubleshooting the CSC Module, page 32-27
    Additional References, page 32-31
    Feature History for the CSC SSM, page 32-31
    Information About the CSC SSM
    Some ASA models support the CSC SSM, which runs Content Security and Control software. The CSC 
    SSM provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the 
    FTP, HTTP/HTTPS, POP3, and SMTP packets that you configure the ASA to send to it.
    For more information about the CSC SSM, see the following URL:
    http://www.cisco.com/en/US/products/ps6823/index.html
    Figure 32-1 shows the flow of traffic through an ASA that has the following:
    A CSC SSM installed and configured.
    A service policy that determines what traffic is diverted to the CSC SSM for scanning.
    In this example, the client could be a network user who is accessing a website, downloading files from 
    an FTP server, or retrieving mail from a POP3 server. SMTP scans differ in that you should configure 
    the ASA to scan traffic sent from the outside to SMTP servers protected by the ASA. 
    						
    							 
    Figure 32-1 Flow of Scanned Traffic with the CSC SSM
    You use ASDM for system setup and monitoring of the CSC SSM. For advanced configuration of content 
    security policies in the CSC SSM software, you access the web-based GUI for the CSC SSM by clicking 
    links within ASDM. The CSC SSM GUI appears in a separate web browser window. To access the CSC 
    SSM, you must enter the CSC SSM password. To use the CSC SSM GUI, see the Cisco Content Security 
    and Control SSM Administrator Guide.
    Note: ASDM and the CSC SSM maintain separate passwords. You can configure their passwords to be 
    identical; however, changing one of these two passwords does not affect the other password.
    The connection between the host running ASDM and the ASA is made through a management port on 
    the ASA. The connection to the CSC SSM GUI is made through the SSM management port. Because 
    these two connections are required to manage the CSC SSM, any host running ASDM must be able to 
    reach the IP address of both the ASA management port and the SSM management port.
    Figure 32-2 shows an ASA with a CSC SSM that is connected to a dedicated management network. 
    While use of a dedicated management network is not required, we recommend it. In this configuration, 
    the following items are of particular interest:
    An HTTP proxy server is connected to the inside network and to the management network. This 
    HTTP proxy server enables the CSC SSM to contact the Trend Micro Systems update server.
    The management port of the ASA is connected to the management network. To allow management 
    of the ASA and the CSC SSM, hosts running ASDM must be connected to the management network.
    The management network includes an SMTP server for e-mail notifications for the CSC SSM and a 
    syslog server to which the CSC SSM can send syslog messages.
    [Figure 32-1, image not reproduced. Labels: ASA Main System with a modular service policy; Client on the inside interface; Server on the outside interface; CSC SSM performing the content security scan on diverted traffic. Flow: request sent, request forwarded; reply sent, reply forwarded.]
    						
    							 
    Figure 32-2 CSC SSM Deployment with a Management Network
    Determining What Traffic to Scan
    The CSC SSM can scan FTP, HTTP/HTTPS, POP3, and SMTP traffic only when the destination port of 
    the packet requesting the connection is the well-known port for the specified protocol. The CSC SSM 
    can scan only the following connections:
    FTP connections opened to TCP port 21.
    HTTP connections opened to TCP port 80.
    HTTPS connections opened to TCP port 443.
    POP3 connections opened to TCP port 110.
    SMTP connections opened to TCP port 25.
    You can choose to scan traffic for all of these protocols or any combination of them. For example, if you 
    do not allow network users to receive POP3 e-mail, do not configure the ASA to divert POP3 traffic to 
    the CSC SSM. Instead, block this traffic.
    To maximize performance of the ASA and the CSC SSM, divert only the traffic to the CSC SSM that 
    you want the CSC SSM to scan. Diverting traffic that you do not want scanned, such as traffic between 
    a trusted source and destination, can adversely affect network performance.
    Note: When traffic is first classified for CSC inspection, it is flow-based. If traffic is part of a pre-existing 
    connection, the traffic goes directly to the service policy set for that connection.
    You can apply service policies that include CSC scanning globally or to specific interfaces; therefore, 
    you can choose to enable CSC scans globally or for specific interfaces. For more information, see the 
    “Determining Service Policy Rule Actions for CSC Scanning” section on page 32-9.
    [Figure 32-2, image not reproduced. Labels: ASA Main System with inside and outside interfaces and a management port; CSC SSM with its SSM management port (192.168.50.38); a management network carrying ASDM, a Syslog server, and an SMTP server for Notifications; an HTTP Proxy; the Trend Micro Update Server (10.6.13.67) reached across the Internet. Other addresses shown: 192.168.100.1 and 192.168.50.1.]
    						
    							 
    Based on the configuration shown in Figure 32-3, configure the ASA to divert to the CSC SSM only 
    requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside 
    network, and incoming SMTP connections from outside hosts to the mail server on the DMZ network. 
    Exclude from scanning HTTP requests from the inside network to the web server on the DMZ network.
    Figure 32-3 Common Network Configuration for CSC SSM Scanning
    There are many ways you could configure the ASA to identify the traffic that you want to scan. One 
    approach is to define two service policies: one on the inside interface and the other on the outside 
    interface, each with ACLs that match traffic to be scanned.
    Figure 32-4 shows service policy rules that select only the traffic that the ASA should scan.
    Figure 32-4 Optimized Traffic Selection for CSC Scans
    In the inside-policy, the first class, inside-class1, ensures that the ASA does not scan HTTP traffic 
    between the inside network and the DMZ network. The Match column indicates this setting by 
    displaying the “Do not match” icon. This setting does not mean the ASA blocks traffic sent from the 
    192.168.10.0 network to TCP port 80 on the 192.168.20.0 network. Instead, this setting exempts the 
    traffic from being matched by the service policy applied to the inside interface, which prevents the ASA 
    from sending the traffic to the CSC SSM.
    The second class of the inside-policy, inside-class matches FTP, HTTP, and POP3 traffic between the 
    inside network and any destination. HTTP connections to the DMZ network are exempted because of the 
    inside-class1 setting. As previously mentioned, policies that apply CSC scanning to a specific interface 
    affect both incoming and outgoing traffic, but by specifying 192.168.10.0 as the source network, 
    inside-class1 matches only connections initiated by the hosts on the inside network.
    [Figure 32-3, image not reproduced. Labels: ASA with an outside interface to the Internet, an inside interface to the 192.168.10.0 network, and a dmz interface to the 192.168.20.0 network, which hosts a Web server and a Mail server. The 192.168.30.0 network is also shown.]
    						
    							 
    In the outside-policy, outside-class matches SMTP traffic from any outside source to the DMZ network. 
    This setting protects the SMTP server and inside users who download e-mail from the SMTP server on 
    the DMZ network, without having to scan connections from SMTP clients to the server.
    If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you can add 
    a rule to the outside policy that matches HTTP traffic from any source to the DMZ network. Because the 
    policy is applied to the outside interface, the rule would only match connections from HTTP clients 
    outside the ASA.
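The selection rules described in this section (well-known destination ports only, a service policy that is consulted only for connections arriving on its own interface, a "Do not match" class that exempts traffic rather than blocking it, and the "If CSC card fails" action chosen in the service policy rule wizard) can be checked against concrete connections with the following model. It is an added Python example, not code from the Cisco guide or the ASA itself; the networks follow Figure 32-3, the two policies follow Figure 32-4, and the sample connections are constructed.

```python
"""Model of the ASA's CSC traffic-selection decision for the Figure 32-4 policy.

Added illustration, not Cisco code. It reproduces the rules stated in the
chapter: only connections to the well-known ports are scanned, a service
policy applies to connections arriving on the interface it is bound to, an
entry marked "Do not match" exempts traffic from the class, and the
"If CSC card fails" setting (Permit traffic / Close traffic) decides what the
ASA does with selected traffic while the module is unavailable.
Networks follow Figure 32-3: inside 192.168.10.0/24, dmz 192.168.20.0/24.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Well-known destination ports the CSC SSM can scan (from the chapter).
CSC_PORTS = {21: "FTP", 80: "HTTP", 443: "HTTPS", 110: "POP3", 25: "SMTP"}

INSIDE = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.20.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One traffic-match entry. match=False is ASDM's "Do not match" (exempt) entry."""
    match: bool
    src: object   # ip_network
    dst: object   # ip_network
    dport: int


@dataclass
class CscPolicy:
    """Service policy bound to one interface; the first matching entry decides."""
    interface: str
    aces: list = field(default_factory=list)
    fail_open: bool = False  # True = "Permit traffic", False = "Close traffic"

    def selects(self, src, dst, dport):
        for ace in self.aces:
            if src in ace.src and dst in ace.dst and dport == ace.dport:
                return ace.match  # an exempt entry stops the search with False
        return False


def decide(policies, ingress, src, dst, dport, csc_up=True):
    """Return "scan" (diverted to the CSC SSM), "pass" (not diverted) or "drop".

    ingress is the interface the connection request arrives on. A policy bound
    to another interface is never consulted, which is why the outside-policy
    only sees connections initiated by hosts outside the ASA.
    """
    src, dst = ip_address(src), ip_address(dst)
    if dport not in CSC_PORTS:
        return "pass"  # not a well-known port: the CSC SSM cannot scan it
    for pol in policies:
        if pol.interface == ingress and pol.selects(src, dst, dport):
            if csc_up:
                return "scan"
            return "pass" if pol.fail_open else "drop"
    return "pass"


# Figure 32-4 expressed as two interface policies (constructed from the text).
INSIDE_POLICY = CscPolicy("inside", [
    Ace(False, INSIDE, DMZ, 80),   # inside-class1: do not scan inside -> DMZ HTTP
    Ace(True, INSIDE, ANY, 21),    # inside-class: FTP
    Ace(True, INSIDE, ANY, 80),    # HTTP (DMZ destinations already exempted above)
    Ace(True, INSIDE, ANY, 110),   # POP3
])
OUTSIDE_POLICY = CscPolicy("outside", [
    Ace(True, ANY, DMZ, 25),       # outside-class: inbound SMTP to the DMZ mail server
])
POLICIES = [INSIDE_POLICY, OUTSIDE_POLICY]

if __name__ == "__main__":
    # Constructed sample connections: (ingress interface, source, destination, port).
    samples = [
        ("inside", "192.168.10.5", "192.168.20.10", 80),   # inside -> DMZ web: exempt
        ("inside", "192.168.10.5", "203.0.113.7", 80),     # inside -> Internet web: scan
        ("inside", "192.168.10.5", "203.0.113.7", 443),    # HTTPS not selected by this policy
        ("outside", "198.51.100.9", "192.168.20.25", 25),  # inbound SMTP to DMZ: scan
        ("outside", "198.51.100.9", "192.168.10.5", 110),  # outside-policy has no POP3 entry
    ]
    for conn in samples:
        print(conn, "->", decide(POLICIES, *conn))
```

The exempt entry is listed first on purpose: the ASA evaluates the class entries in order, so an exemption placed after the broad HTTP entry would never be reached. Setting fail_open=True on a policy models the "Permit traffic" choice; leaving it False models "Close traffic", which drops selected connections while the module is down.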
    Licensing Requirements for the CSC SSM
    Model             License Requirement
    ASA 5510          Base License—Supports SMTP virus scanning, POP3 virus scanning and content filtering, web mail virus scanning, HTTP file blocking, FTP virus scanning and file blocking, logging, and automatic updates. Supports two contexts.
                      Optional licenses: 5 contexts.
                      Security Plus License—Supports the Base license features, plus SMTP anti-spam, SMTP content filtering, POP3 anti-spam, URL blocking, and URL filtering. Supports two contexts.
                      Optional license: 5 contexts.
    ASA 5520          Base License—Supports all features. Supports two contexts.
                      Optional licenses: 5, 10, or 20 contexts.
    ASA 5540          Base License—Supports all features. Supports two contexts.
                      Optional licenses: 5, 10, 20, or 50 contexts.
    All other models  No support.
    Prerequisites for the CSC SSM
    The CSC SSM has the following prerequisites:
    A CSC SSM card must be installed in the ASA.
    A Product Authorization Key (PAK) for use in registering the CSC SSM.
    Activation keys that you receive by e-mail after you register the CSC SSM.
    The management port of the CSC SSM must be connected to your network to allow management 
    and automatic updates of the CSC SSM software.
    The CSC SSM management port IP address must be accessible by the hosts used to run ASDM. 
    You must obtain the following information to use in configuring the CSC SSM:
    –The CSC SSM management port IP address, netmask, and gateway IP address.
    –DNS server IP address.
    –HTTP proxy server IP address (needed only if your security policies require the use of a proxy 
    server for HTTP access to the Internet).
    						
    							 
    –Domain name and hostname for the CSC SSM.
    –An e-mail address and an SMTP server IP address and port number for e-mail notifications.
    –E-mail address(es) for product license renewal notifications.
    –IP addresses of hosts or networks that are allowed to manage the CSC SSM. The IP addresses 
    for the CSC SSM management port and the ASA management interface can be in different 
    subnets.
    –Password for the CSC SSM.
    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature.
    Context Mode Guidelines
    Supported in single and multiple context modes.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall modes.
    Failover Guidelines 
    Does not support sessions in Stateful Failover. The CSC SSM does not maintain connection information, 
    and therefore cannot provide the failover unit with the required information. The connections that a CSC 
    SSM is scanning are dropped when the ASA in which the CSC SSM is installed fails. When the standby 
    ASA becomes active, it forwards the scanned traffic to the CSC SSM and the connections are reset.
    IPv6 Guidelines
    Does not support IPv6.
    Model Guidelines
    Supported on the ASA 5510, ASA 5520, and ASA 5540 only. Not supported on the ASA 5580 and the 
    ASA 5585-X.
    Additional Guidelines
    You cannot change the software type installed on the module; if you purchase a CSC module, you cannot 
    later install IPS software on it.
    Default Settings
    Table 32-1 lists the default settings for the CSC SSM.
    Table 32-1 Default CSC SSM Parameters
    Parameter                                                        Default
    FTP inspection on the ASA                                        Enabled
    All features included in the license(s) that you have purchased  Enabled
    						
    							 
    Configuring the CSC SSM
    This section describes how to configure the CSC SSM and includes the following topics:
    Before Configuring the CSC SSM, page 32-7
    Connecting to the CSC SSM, page 32-8
    Determining Service Policy Rule Actions for CSC Scanning, page 32-9
    Before Configuring the CSC SSM
    Before configuring the ASA and the CSC SSM, perform the following steps:
    Step 1: If the CSC SSM did not come preinstalled in a Cisco ASA, install it and connect a network cable to the 
    management port of the SSM. For assistance with installation and connecting the SSM, see the 
    Cisco ASA 5500 Series Quick Start Guide.
    The management port of the CSC SSM must be connected to your network to allow management of and 
    automatic updates to the CSC SSM software. Additionally, the CSC SSM uses the management port for 
    e-mail notifications and syslog messages.
    Step 2: You should have received a Product Authorization Key (PAK) with the CSC SSM. Use the PAK to 
    register the CSC SSM at the following URL.
    http://www.cisco.com/go/license
    After you register, you receive activation keys by e-mail. The activation keys are required before you can 
    complete Step 6.
    Step 3: Obtain the following information for use in Step 6:
    Activation keys
    CSC SSM management port IP address, netmask, and gateway IP address
    DNS server IP address
    HTTP proxy server IP address (needed only if your security policies require the use of a proxy server 
    for HTTP access to the Internet)
    Domain name and hostname for the CSC SSM
    An e-mail address, and SMTP server IP address and port number for e-mail notifications
    E-mail address(es) for product license renewal notifications
    IP addresses of hosts or networks that are allowed to manage the CSC SSM
    Password for the CSC SSM
    Step 4: In a web browser, access ASDM for the ASA in which the CSC SSM is installed.
    Note: If you are accessing ASDM for the first time, see the “Additional References” section on 
    page 32-31.
    For more information about enabling ASDM access, see the “Configuring ASA Access for ASDM, 
    Telnet, or SSH” section on page 96-1 in the general operations configuration guide.
    Step 5: Verify time settings on the ASA. Time setting accuracy is important for logging of security events and 
    for automatic updates of CSC SSM software. Do one of the following: 
    						
    							 
    If you manually control time settings, verify the clock settings, including time zone. Choose 
    Configuration > Properties > Device Administration > Clock.
    If you are using NTP, verify the NTP configuration. Choose Configuration > Properties > Device 
    Administration > NTP.
    Step 6: Open ASDM.
    Step 7: Connect to and log in to the CSC SSM. For instructions, see the “Connecting to the CSC SSM” section 
    on page 32-8.
    Step 8: Run the CSC Setup Wizard. 
    To access the CSC Setup Wizard, choose Configuration > Trend Micro Content Security > CSC 
    Setup > Wizard Setup > Launch Setup Wizard. 
    If you are rerunning the CSC Setup Wizard, use the same menu path.
    The CSC Setup Wizard appears. 
    Step 9: Complete the CSC Setup Wizard, which includes configuration of service policies to divert traffic that 
    you want scanned to the CSC SSM.
    Note: If you create a global service policy to divert traffic for CSC scans, all traffic (inbound and 
    outbound) for the supported protocols is scanned. To maximize performance of the ASA and the 
    CSC SSM, scan traffic only from untrusted sources. 
    Step 10: To reduce the load on the CSC SSM, configure the service policy rules that send packets to the CSC SSM 
    to support only HTTP/HTTPS, SMTP, POP3, or FTP traffic. For instructions, see the “Determining 
    Service Policy Rule Actions for CSC Scanning” section on page 32-9.
    Step 11: (Optional) Review the default content security policies in the CSC SSM GUI, which are suitable for most 
    implementations. You review the content security policies by viewing the enabled features in the CSC 
    SSM GUI. For the availability of features, see the “Licensing Requirements for the CSC SSM” section 
    on page 32-5. For the default settings, see the “Default Settings” section on page 32-6.
    What to Do Next
    See the “Connecting to the CSC SSM” section on page 32-8.
    Connecting to the CSC SSM
    With each session you start in ASDM, the first time you access features related to the CSC SSM, you 
    must specify the management IP address and provide the password for the CSC SSM. After you 
    successfully connect to the CSC SSM, you are not prompted again for the management IP address and 
    password. If you start a new ASDM session, the connection to the CSC SSM is reset and you must 
    specify the IP address and the CSC SSM password again. The connection to the CSC SSM is also reset 
    if you change the time zone on the ASA. 
    Note: The CSC SSM has a password that is maintained separately from the ASDM password. You can 
    configure the two passwords to be identical, but changing the CSC SSM password does not affect the 
    ASDM password. 
    						
    							 
    To connect to the CSC SSM, perform the following steps:
    Step 1: In the ASDM main application window, click the Content Security tab.
    Step 2: In the Connecting to CSC dialog box, click one of the following radio buttons:
    To connect to the IP address of the management port on the SSM, click Management IP Address. 
    ASDM automatically detects the IP address for the SSM in the ASA. If this detection fails, you can 
    specify the management IP address manually.
    To connect to an alternate IP address or hostname on the SSM, click Other IP Address or 
    Hostname.
    Step 3: Enter the port number in the Port field, and then click Continue.
    Step 4: In the CSC Password field, type your CSC password, and then click OK. 
    Note: If you have not completed the CSC Setup Wizard (choose Configuration > Trend Micro 
    Content Security  > CSC Setup > Wizard Setup), complete the configuration in the CSC 
    Setup Wizard, which includes changing the default password, “cisco.” 
    For ten minutes after you have entered the password, you do not need to reenter the CSC SSM 
    password to access other parts of the CSC SSM GUI. 
    Step 5: To access the CSC SSM GUI, choose Configuration > Trend Micro Content Security, and then click 
    one of the following tabs: Web, Mail, File Transfer, or Updates.
    What to Do Next
    See the “Determining Service Policy Rule Actions for CSC Scanning” section on page 32-9.
    Determining Service Policy Rule Actions for CSC Scanning
    The CSC SSM scans only HTTP/HTTPS, SMTP, POP3, and FTP traffic. If your service policy includes 
    traffic that supports other protocols in addition to these four, packets for other protocols are passed 
    through the CSC SSM without being scanned. You should configure the service policy rules that send 
    packets to the CSC SSM to support only HTTP/HTTPS, SMTP, POP3, or FTP traffic.
    The CSC Scan tab in the Add Service Policy Rule Wizard lets you determine whether or not the CSC 
    SSM scans traffic identified by the current traffic class. This tab appears only if a CSC SSM is installed 
    in the ASA. 
    To configure service policy rules for CSC scanning, perform the following steps:
    Step 1: In the ASDM main application window, choose Configuration > Firewall > Service Policy Rules.
    Step 2: On the toolbar, click Add. 
    The Add Service Policy Rule Wizard screen appears.
    Step 3: Click the Global - applies to all interfaces option, and then click Next.
    The Traffic Classification Criteria screen appears. 
    						
    							 
    Step 4: Click the Create a new traffic class option, type a name for the traffic class in the adjacent field, check 
    the Any traffic check box, and then click Next.
    The Rule Actions screen appears.
    Step 5: Click the CSC Scan tab, and then check the Enable CSC scan for this traffic flow check box.
    Step 6: Choose whether the ASA should permit or deny selected traffic to pass if the CSC SSM is unavailable 
    by making the applicable selection in the area labeled: If CSC card fails, then. When this check box is 
    checked, the other parameters on this tab become active.
    Step 7: In the If CSC card fails area, if the CSC SSM becomes inoperable, choose one of the following actions:
    To allow traffic, check the Permit traffic check box.
    To block traffic, check the Close traffic check box.
    Step 8: Click Finish.
    The new service policy rule appears in the Service Policy Rules pane.
    Step 9: Click Apply.
    The ASA begins diverting traffic to the CSC SSM, which performs the content security scans that have 
    been enabled according to the license that you purchased.
    CSC SSM Setup Wizard
    The CSC Setup Wizard lets you configure basic operational parameters for the CSC SSM. You must 
    complete this wizard at least once before you can configure options in each screen separately. After you 
    complete the CSC Setup Wizard, you can modify each screen individually without using this wizard 
    again.
    Additionally, you cannot access the panes under Configuration > Trend Micro Content Security > CSC 
    Setup or under Monitoring > Trend Micro Content Security > Content Security until you complete the 
    CSC Setup Wizard. If you try to access these panes before completing this wizard, a dialog box appears 
    and lets you access the wizard directly to complete the configuration.
    To start the CSC Setup Wizard, click Launch Setup Wizard. 
    This section includes the following topics:
    Activation/License, page 32-11
    IP Configuration, page 32-11
    Host/Notification Settings, page 32-12
    Management Access Host/Networks, page 32-13
    Password, page 32-13
    Restoring the Default Password, page 32-14
    Wizard Setup, page 32-15 
    						