Introduction
This document provides a sample configuration for how to send network traffic from the Cisco ASA 5500
Series Adaptive Security Appliance (ASA) to the Content Security and Control Security Services Module
(CSCSSM).
The CSCSSM provides protection against viruses, spyware, spam, and other unwanted traffic. It
accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that is diverted to it by the adaptive
security appliance. In order to force the ASA to divert the traffic to the CSCSSM, you need to use Modular
Policy Framework.
Refer to ASA: Send Network Traffic from the ASA to the AIP SSM Configuration Example in order to send
network traffic that passes through the Cisco ASA 5500 Series Adaptive Security Appliance (ASA) to the
Advanced Inspection and Prevention Security Services Module (AIP-SSM), the IPS module.
Note: The CSCSSM can scan FTP, HTTP, POP3, and SMTP traffic only when the destination port of the
packet that requests the connection is the well-known port for the specified protocol. The CSCSSM can scan
only these connections:
FTP connections opened to TCP port 21
HTTP connections opened to TCP port 80
POP3 connections opened to TCP port 110
SMTP connections opened to TCP port 25
Prerequisites
Requirements
Ensure that you meet these requirements before you attempt this configuration:
A basic understanding of how to configure the Cisco ASA 5500 Series that runs software version 7.1 and
later.
The CSCSSM has been installed.
Components Used
The information in this document is based on these software and hardware versions:
ASA 5520 with software version 7.1 and later
CSCSSM10 with software version 6.1
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
The CSCSSM maintains a file that contains signature profiles of suspicious content, updated regularly from
an update server at Trend Micro. The CSCSSM scans traffic it receives from the adaptive security appliance
and compares it to the content profiles it obtains from Trend Micro. It then forwards legitimate content on to
the adaptive security appliance for routing, or blocks and reports content that is suspicious.
By default, CSCSSM comes with a base license that provides these features:
Detects and takes action on viruses and malware in the network traffic
Blocks compressed or very large files that exceed specified parameters
Scans for and removes spyware, adware, and other types of grayware
Additionally, if it is equipped with a Plus License, it also performs these tasks:
Reduces spam and protects against phishing fraud in your SMTP and POP3 traffic
Sets up content filters that enable you to allow or prohibit email traffic that contains key words or
phrases
Filters/blocks URLs that you do not want users to access, or URLs that are known to have hidden or
malicious purposes
Note: The CSCSSM can scan FTP file transfers only when FTP inspection is enabled on the ASA. By
default, FTP inspection is enabled.
Note: The CSCSSM cannot support Stateful Failover because the CSCSSM does not maintain connection
information, and therefore cannot provide the failover unit with the required information for Stateful Failover.
The connections that a CSCSSM is scanning are dropped when the security appliance in which the
CSCSSM is installed fails. When the standby adaptive security appliance becomes active, it forwards the
scanned traffic to the CSCSSM and the connections are reset.
Configure
In a network in which the adaptive security appliance is deployed with the CSCSSM, you configure the
adaptive security appliance to send to the CSCSSM only the types of traffic that you want to be scanned.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands
used in this section.
In this example, clients can be network users who access a web site, download files from an FTP server, or
retrieve mail from a POP3 server.
In this configuration, this is how the traffic flows:
1. The client initiates a request.
2. The adaptive security appliance receives the request and forwards it to the Internet.
3. When the requested content is retrieved, the adaptive security appliance determines whether its
service policies define this content type as one that should be diverted to the CSCSSM for scanning,
and does so if appropriate.
4. The CSCSSM receives the content from the adaptive security appliance, scans it and compares it to
its latest update of the Trend Micro content filters.
5. If the content is suspicious, the CSCSSM blocks the content and reports the event. If the content is
not suspicious, the CSCSSM forwards the requested content back to the adaptive security appliance
for routing.
2. Activation key:
The first step to obtain the activation key is to identify the Product Authorization Key (PAK) shipped
along with the product. It contains a barcode and 11 hexadecimal characters. For example, a sample
PAK can be 120106C7D4A.
Use the PAK to register the CSCSSM at the Product License Registration (registered customers only)
webpage. After you register, you receive activation keys by email.
4. Hostname and Domain name of the CSCSSM: Specify a host name as well as the domain name of
the CSCSSM.
Incoming domain: Domain name used by the local mail server as the incoming email domain.
Note: Anti-spam policies are applied only to email traffic that comes into this domain.
Notification settings: Administrator email address and the email server IP address and port to be
used for notifications.
7. In step 6 of the CSC Setup Wizard, specify the type of traffic to be scanned.
The adaptive security appliance diverts packets to the CSCSSM after firewall policies are applied
but before the packets exit the egress interface. For example, packets that are blocked by an access list
are not forwarded to the CSCSSM.
Configure service policies to specify which traffic the adaptive security appliance should divert to the
CSCSSM. The CSCSSM can scan HTTP, POP3, FTP, and SMTP traffic sent to the well-known
ports for those protocols.
In order to simplify the initial configuration process, this procedure creates a global service policy that
diverts all traffic for the supported protocols to the CSCSSM, both inbound and outbound. Because
scanning all traffic that comes through the adaptive security appliance can reduce the performance of
the adaptive security appliance and the CSCSSM, you want to revise this security policy later. For
example, it is not usually necessary to scan all traffic that comes from your inside network because it
comes from a trusted source. If you refine the service policies so that the CSCSSM scans only traffic
from untrusted sources, you can achieve your security goals and maximize the performance of the
adaptive security appliance and the CSCSSM.
Complete these steps in order to create a global service policy that identifies traffic to be scanned:
2. Create a class map in order to identify the traffic that should be diverted to the CSCSSM with the
class-map command:
hostname(config)#class-map class_map_name
3. Once in class map configuration mode, use the match access-list command in order to identify the
traffic with the use of the access list previously specified:
4. Create a policy map in order to send traffic to the CSCSSM with the policy-map command:
hostname(config)#policy-map policy_map_name
5. Once in policy map configuration mode, use the class command in order to specify the class map,
previously created, that identifies the traffic to be scanned:
hostname(config-pmap)#class class_map_name
6. Once in policy map class configuration mode, you can configure these:
If you want to enforce a per-client limit for simultaneous connections that the adaptive
security appliance diverts to the CSCSSM, use the set connection command, as follows:
hostname(config-pmap-c)#set connection per-client-max n
where n is the maximum number of simultaneous connections the adaptive security appliance allows for
each client. This command prevents a single client from abusing the services of the
CSCSSM or any server protected by the SSM, which includes the prevention of attempts at
DoS attacks on HTTP, FTP, POP3, or SMTP servers that the CSCSSM protects.
Use the csc command in order to control how the ASA handles traffic when the CSCSSM is
unavailable:
hostname(config-pmap-c)#csc {fail-close | fail-open}
where fail-close specifies that the ASA should block traffic if the CSCSSM fails; in
contrast, fail-open specifies that the ASA should allow traffic if the CSCSSM fails.
Note: This applies to the traffic selected by the class map only. Other traffic not sent to the
CSCSSM is not affected by a CSCSSM failure.
7. Lastly, apply the policy map globally or to a specific interface with the service-policy command,
where interface_ID is the name assigned to the interface with the nameif command.
Note: Only one global policy is allowed. You can override the global policy on an interface with the
application of a service policy to that interface. You can only apply one policy map to each interface.
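The steps above assembled into one configuration, as an added example that is not part of the original document. It narrows the policy, as the text recommends, to inbound SMTP to the mail server and the inside network's outbound web, FTP and POP3 requests rather than all traffic; the addresses and the names cscacl, cscclass and global_policy are reused from this document's own snippets, and the per-client limit of 50 is an assumed value.

```cisco
! Added worked example (not from the original document).
! Addresses and names reused from this document: inside mail server
! 192.168.5.2, CSC module host 10.89.130.241, ACL cscacl, class cscclass,
! policy-map global_policy. The per-client limit of 50 is an assumed value.

! Step 1: access list that selects what the CSCSSM should see.
! The deny keeps the module's own update traffic out of the scan path;
! flows that hit a deny entry are simply not classified.
access-list cscacl remark Exclude CSC module traffic from being scanned
access-list cscacl extended deny ip host 10.89.130.241 any
access-list cscacl remark Inbound SMTP to the internal mail server
access-list cscacl extended permit tcp any host 192.168.5.2 eq smtp
access-list cscacl remark Outbound web, FTP and POP3 from the inside network
access-list cscacl extended permit tcp 192.168.5.0 255.255.255.0 any eq www
access-list cscacl extended permit tcp 192.168.5.0 255.255.255.0 any eq ftp
access-list cscacl extended permit tcp 192.168.5.0 255.255.255.0 any eq pop3

! Steps 2 and 3: the class map matches that access list.
class-map cscclass
 match access-list cscacl

! Steps 4 to 6: the policy map hands matched flows to the module.
! per-client-max caps how many diverted connections one client may hold.
! fail-close blocks matched traffic while the module is down; choose
! fail-open only where availability outweighs inspection for this class.
policy-map global_policy
 class cscclass
  set connection per-client-max 50
  csc fail-close

! Step 7: apply the policy globally (only one global policy is allowed).
service-policy global_policy global
```

Only connections to the well-known ports listed in the Introduction are scanned, so an ACL entry for a non-standard port would divert traffic the module cannot inspect.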
Network Diagram
This diagram is an example of an ASA 5500 configured for these parameters:
ASA Configuration
ASA5520
ciscoasa(config)#show running-config
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name Security.lab.com
enable password 2kxsYuz/BehvglCF encrypted
no names
dns-guard
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 172.30.21.222 255.255.255.0
!
interface GigabitEthernet0/1
 description INSIDE
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
! Output suppressed
access-list cscacl remark Exclude CSC module traffic from being scanned
access-list cscacl deny ip host 10.89.130.241 any
! In order to improve the performance of the ASA and CSC module,
! any traffic from the CSC module is excluded from the scanning.
access-list cscacl remark Scan Web & Mail traffic
! Output suppressed
CSC Setup: Launches the Setup Wizard to install and configure the CSCSSM
Web: Configures Web scanning, file blocking, URL filtering, and URL blocking
Mail: Configures scanning, content filtering, and spam prevention for incoming and outgoing SMTP
and POP3 email
File Transfer: Configures file scanning and blocking
Updates: Schedules updates for content security scanning components, for example, virus pattern
file, scan engine, and so forth
The Web, Mail, File Transfer, and Updates options are described in more detail in these chapters:
Mail: Configuring SMTP and POP3 Mail Traffic
Web and File Transfer: Configuring Web (HTTP) and File Transfer (FTP) Traffic
Updates: Managing Updates and Log Queries
This example shows how to configure a CSCSSM to scan incoming SMTP messages to the internal
network.
The incoming SMTP messages are diverted to the CSCSSM for scanning. In this example, all the traffic
from outside that accesses the inside mail server (192.168.5.2/24) for SMTP services is diverted to the
CSCSSM.
access-list csc_inbound extended permit tcp any host 192.168.5.2 eq smtp
These default settings give you some protection for your email traffic after you install Trend Micro
InterScan for Cisco CSCSSM.
SMTP Configuration
Trend Micro SMTP Configuration
Complete these steps in order to configure the CSCSSM to scan the incoming SMTP message using ASDM:
1. Choose Configuration > Trend Micro Content Security > Mail in ASDM and click Configure
Incoming Scan in order to display the SMTP Incoming Message Scan/Target window.
2. The window takes you to the Trend Micro InterScan for Cisco CSCSSM Login prompt. Enter the
CSCSSM Password.
3. The SMTP Incoming Message Scan window has these three views:
Target
Action
Notification
You can switch among views if you click the appropriate tab for the information you want. The active
tab name appears in brown text; inactive tab names appear in black text. Use all three tabs in order to
configure virus scanning of incoming SMTP traffic.
Click Target in order to define the scope of traffic on which the scan acts.
The SMTP Incoming message scan is enabled by default.
4. In the Default Scanning section, All scannable files is selected by default, so files are scanned regardless
of their file name extension.
6. In the Scan for Spyware/Grayware section of these windows, which was shown in step 5, choose
the types of grayware you want detected by Trend Micro InterScan for Cisco CSCSSM. See the
online help for a description of each type of grayware listed.
These are the default actions taken for incoming mail:
Messages with Virus/Malware Detection section: Clean the message or attachment in
which the malware was detected, and if the message or attachment is uncleanable, delete it.
If you are satisfied with the default notification setup, no further action is required. But, you can
review the notification options and decide whether you want to change the defaults. For example, you
can send a notification to the administrator when a security risk has been detected in an email
message. For SMTP, you can also notify the sender or recipient.
Check the Administrator and Recipient boxes for email notification. You can also tailor the default
text in the notification message to something more appropriate for your organization such as in this
screen shot.
9. In the Inline Notifications section of the window, choose one of the listed options, neither, or both.
In our example, choose Risk free message and type your own message in the field provided.
HTTP Configuration
Scanning
After installation, by default your HTTP and FTP traffic is scanned for viruses, worms, and Trojans. Malware
such as spyware and other grayware requires a configuration change before it is detected.
These default settings give you some protection for your Web and FTP traffic after you install Trend Micro
InterScan for Cisco CSCSSM. You can change these settings. For example, you may prefer to use the Scan
by specified file extensions option rather than All Scannable Files for malware detection. Before you make
changes, review the online help for more information about these selections.
After installation, it is possible that you want to update additional configuration settings in order to obtain the
maximum protection for your Web and FTP traffic. If you purchased the Plus License, which entitles you to
receive URL blocking, antiphishing, and URL filtering functionality, you must configure these additional
features.
Complete these steps in order to configure the CSCSSM to scan the HTTP message with ASDM:
1. Click the Web (HTTP) in the Trend Micro page, and this Web Message Scan window has four views:
Target
Webmail Scanning
Action
Notification
Click the appropriate tab for the information you want in order to switch among views. The active tab
name appears in brown text; inactive tab names appear in black text. Use all tabs in order to configure
virus scanning of Web traffic.
Click Target in order to define the scope of traffic on which the scan acts.
The HTTP message scan is enabled by default.
Enabled with the use of All Scannable Files as the scanning method.
Web (HTTP) compressed file handling for downloading from the Web: Configured to skip
scanning of compressed files when one of these is true:
Decompressed file count is greater than 200.
Decompressed file size exceeds 30 MB.
Number of compression layers exceeds three.
Decompressed or compressed file size ratio is greater than 100 to 1.
Webmail scanning: Configured to scan Webmail sites for Yahoo, AOL, MSN, and Google.
2. Large File handling
The Target tabs on the HTTP Scanning and FTP Scanning windows allow you to define the size of
the largest download you want scanned. For example, you can specify that a download under 20 MB
is scanned, but a download larger than 20 MB is not scanned.
In addition, you can:
Specify large downloads to be delivered without scanning, which can introduce a security
risk.
Specify that downloads greater than the specified limit are deleted.
By default, the CSCSSM software specifies that files smaller than 50 MB are scanned. In this example, the limit is
changed to 75 MB. Files that are 75 MB and larger are delivered without scanning to the requesting client.
Deferred Scanning
The deferred scanning feature is not enabled by default. When enabled, this feature allows you to
begin to download data without scanning the entire download. Deferred scanning allows you to begin
to view the data without a prolonged wait while the entire body of information is scanned.
Note: If you do not enable the deferred scanning option, downloads of updates through the CSC module
can fail.
Note: When deferred scanning is enabled, the unscanned portion of information can introduce a
security risk.
Note: Traffic that moves through HTTPS cannot be scanned for viruses and other threats by the
CSCSSM software.
If deferred scanning is not enabled, the entire content of the download must be scanned before it is
presented to you. However, some client software can time out because of the time required to collect
sufficient network packets in order to compose complete files for scanning. This table summarizes the
advantages and disadvantages of each method.
Scan for Spyware and Grayware
Grayware is a category of software that can be legitimate, unwanted, or malicious. Unlike threats such
as viruses, worms, and Trojans, grayware does not infect, replicate, or destroy data, but it can violate
your privacy. Examples of grayware include spyware, adware, and remote access tools.
Spyware or grayware detection is not enabled by default. You must configure this feature in these
windows in order to detect spyware and other forms of grayware in your Web and
file transfer traffic:
Click Save in order to update your configuration.
3. You can switch to the Scanning Webmail tab in order to scan Webmail sites for Yahoo, AOL, MSN,
and Google.
Note: If you elect to scan only Webmail, HTTP scanning is restricted to the sites specified on the
Webmail Scanning tab of the Web (HTTP) > Scanning > HTTP Scanning window. Other HTTP
traffic is not scanned. Configured sites are scanned until you remove them when you click the
Trashcan icon.
In the Name field, enter the exact web site name, a URL keyword, and a string in order to define the
Webmail site.
Note: Attachments to messages that are managed on Webmail are scanned.
Click Save in order to update your configuration.
4. You can switch to the Action tab for the configuration of the Virus/Malware Detection and
Spyware/Grayware Detections.
Web (HTTP) downloads for files in which virus/malware is detected: Clean the downloaded
file or file in which the malware was detected. If uncleanable, delete the file.
Web (HTTP) downloads and file transfers (FTP) for files in which spyware or grayware is
detected: Files are deleted.
5. Web (HTTP) downloads when malware is detected: An inline notification is inserted in the browser,
which states that Trend Micro InterScan for CSCSSM has scanned the file that you attempt to
transfer, and has detected a security risk.
File Blocking
In the left drop-down menu, click File Blocking.
This feature is enabled by default; however, you must specify the types of files you want blocked. File
blocking helps you enforce your organization policies for Internet use and other computing resources during
work time. For example, your company does not allow downloading of music, both because of legal issues as
well as employee productivity issues.
On the Target tab of the File Blocking window, check the Executable check box in order to block
.exe.
You can specify additional file types by file name extension. Check the Block specified file
extensions check box in order to enable this feature.
Then, enter additional file types in the File extensions to block field, and click Add. In the example,
.mpg files are blocked.
Click Save when you are finished in order to update the configuration.
Check the Administrator Notification box in order to send the default messages in the text box.
Click the Notification tab for the alert message.
URL Blocking
This section describes the URL blocking feature and includes these topics:
Blocking from the Via Local List Tab
Blocking from the Via Pattern File (PhishTrap) Tab
By default, URL blocking is enabled. But, only sites in the TrendMicro PhishTrap pattern file are blocked
until you specify additional sites for blocking.
Blocking from the Via Local List Tab
Complete these steps in order to configure URL blocking from the Via Local List tab:
1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click Configure
URL Blocking in order to display the URL Blocking window.
2. On the Via Local List tab of the URL Blocking window, type the URLs you want to block in the
Match field. You can specify the exact web site name, a URL keyword, and a string.
3. Click Block after each entry in order to move the URL to the Block List. Click Do Not Block to add
the entry to Block List Exceptions in order to specify your entry as an exception. Entries remain as
blocked or exceptions until you remove them.
Note: You can also import a block and exception list. The imported file must be in a specific format.
See the online help for instructions.
URL Filtering
There are two important sections to be discussed here:
Filtering Settings
Filtering Rules
The URLs defined on the URL Blocking windows described previously are either always allowed or
always disallowed. The URL filtering feature, however, allows you to filter URLs in categories,
which you can schedule to allow access during certain times, defined as leisure time, and disallow
access during work time.
Note: This feature requires the Plus License.
These are the six URL filtering categories:
Company-prohibited
Not work related
Research topics
Business function
Customer defined
Others
By default, company-prohibited sites are blocked during both work and leisure times.
Filtering Settings
Complete these steps in order to configure the URL filtering feature:
1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click Configure
URL Filtering Settings in order to display the URL Filtering Settings window.
2. On the URL Categories tab, review the subcategories listed and the default classifications assigned to
each category to see whether the assignments are appropriate for your organization. For example,
Illegal Drugs is a subcategory of the Company-prohibited category. If your organization is a financial
services company, you probably want to leave this category classified as
company-prohibited. Check the Illegal Drugs check box in order to enable filtering for sites related
to illegal drugs. But, if your organization is a law enforcement agency, you should reclassify the
Illegal Drugs subcategory to the Business function category. See the online help for more information
about reclassification.
3. After you have reviewed and refined the subcategory classifications, check the associated subcategory
in order to enable all the subcategories for which you want filtering performed.
4. If there are sites within some of the enabled subcategories that you do not want filtered, click the
URL Filtering Exceptions tab.
5. Type the URLs you want to exclude from filtering in the Match field. You can specify the exact web
site name, a URL keyword, and a string.
6. Click Add after each entry in order to move the URL to the Do Not Filter the Following Sites list.
Entries remain as exceptions until you remove them.
Note: You can also import an exception list. The imported file must be in a specific format. See the
online help for instructions.
7. Click the Schedule tab in order to define the days of the week and hours of the day that should be
considered work time. Time not designated as work time is automatically designated as leisure time.
8. Click Save in order to update the URL filtering configuration.
9. Click the Reclassify URL tab in order to submit suspect URLs to TrendLabs for evaluation.
Filtering Rules
After you have assigned the URL subcategories to the correct categories for your organization, defined
exceptions (if any), and created the work and leisure time schedule, assign the filtering rules that determine
when a category is filtering.
Complete these steps in order to assign the URL filtering rules:
1. Choose Configuration > Trend Micro Content Security > Web in ASDM and click the Configure
URL Filtering Rules link in order to display the URL Filtering Rules window.
2. For each of the six major categories, specify whether the URLs in that category are blocked, and if so,
during work time, leisure time, or both. See the online help for more information.
FTP Configuration
Trend Micro FTP Configuration
After installation, by default your FTP traffic is scanned for viruses, worms, and Trojans. Malware such as
spyware and other grayware require a configuration change before they are detected.
File transfer (FTP) scanning of file transfers: Enabled using All Scannable Files as the scanning method.
Complete the steps given in the File Blocking page for HTTP Traffic.
Verify
Use this section in order to confirm that your configuration works properly.
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Although the
OIT can be used to view an analysis of some show command outputs, these show commands currently are not
compatible with this tool.
show module: In order to check the status of an SSM, for example:
ciscoasa#show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5520 Adaptive Security Appliance         ASA5520            JMX090000B7
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF10333331

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0014.c482.5151 to 0014.c482.5155  1.1          1.0(10)0     8.0(2)
  1 000b.fcf8.012c to 000b.fcf8.012c  1.0          1.0(10)0     Trend Micro InterSca

Mod Status
--- ------------------
  0 Up Sys
  1 Up
show module 1 details: Use the details keyword in order to view additional information for the SSM,
for example:
ciscoasa#show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model:              ASA-SSM-20
Hardware version:   1.0
Serial Number:      JAF10333331
Firmware version:   1.0(10)0
Software version:   Trend Micro InterScan Security Module Version 6.0
App. name:          Trend Micro InterScan Security Module
App. version:       Version 6.0
Data plane Status:  Up
Status:             Up
HTTP Service:       Up
Mail Service:       Up
FTP  Service:       Up
Activated:          Yes
Mgmt IP addr:       172.30.21.235
Mgmt web port:      8443
show module slot_num recover: Determines if there is a recovery configuration for the SSM. If a
recovery configuration exists for the SSM, the ASA displays it. For example:
ciscoasa#show module 1 recover
Module 1 recover parameters. . .
Boot Recovery Image: Yes
Image URL:           tftp://10.21.18.1/idsoldimg
Port IP Address:     172.30.21.10
Port Mask:           255.255.255.0
Gateway IP Address:  172.30.21.254
Refer to Verifying Initial Setup for more information on how to verify that Trend Micro InterScan for Cisco
CSCSSM operates correctly.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Internet Access
Problem
The CSC is unable to access the Internet through the ASA management interface, or the CSC is unable to get
updates from the Trend server through the Internet.
Solution
The management interface is configured with the management-only command, which makes it accept only traffic
to or from the ASA, not through it. Remove the management-only command; with a NAT statement for
management-to-outside traffic, the CSC can then reach the Internet for updates.
Performance Issue
Problem
The incoming SMTP traffic has become very slow. The inside mail server sometimes takes a couple of
minutes to receive a response from the server.
Solution
You possibly run into slow traffic due to out-of-order packets. Try this example, which can resolve the
issue.
! Creates a new tcp-map and allows for 100 out-of-order packets
tcp-map localmap
  queue-limit 100
! This is the class that defines the traffic sent to the CSC module.
! The name you use can be different.
! Sets the localmap parameters on flows that match the class map.
policy-map global_policy
  class cscclass
    set connection advanced-options localmap
Troubleshooting Commands
The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT in
order to view an analysis of show command output.
Refer to Troubleshooting Trend Micro InterScan for Cisco CSCSSM for more information on how to
troubleshoot various issues of the CSCSSM.
Note: Refer to Important Information on Debug Commands before you use debug commands.
debug module-boot: Shows debug messages about the SSM booting process.
hw-module module 1 shutdown: Shuts down the SSM.
hw-module module 1 reset: Resets the SSM.
Related Information
Cisco ASA 5500 Series Adaptive Security Appliances Product Support
Cisco Content Security and Control SSM Administrator Guide
Cisco Adaptive Security Device Manager Product Support
Technical Support & Documentation - Cisco Systems