ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT SECURITY

Oct 31st, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on how the Adaptive Security Appliances (ASA) 5500 Content Security edition protects against threats and content at the Internet gateway with Cisco expert Jonathan Hogue. Jonathan Hogue is a product manager for the Cisco Adaptive Security Appliances (ASA) 5500 Series content security and control security services module. Previously at Cisco, Jonathan was a systems engineer and technical marketing engineer. Jonathan is the coauthor of "Intrusion Prevention Fundamentals" and has presented on that topic at Cisco Networkers. He has more than 12 years' experience in the network security industry and holds a CISSP certification.


Remember to use the rating system to let Jonathan know if you have received an adequate response.


Jonathan might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 14, 2008. Visit this forum often to view responses to your questions and the questions of other community members.



JORGE RODRIGUEZ Fri, 10/31/2008 - 14:02

Hi Jonathan,


I understand the CSC-SSM modules are only supported on the ASA 5510 and higher ASA models. Would the ASA 5505 model ever support a similar content security solution?



Rgds

Jorge

Abu-Mahmoud Sun, 11/02/2008 - 04:43

Hi Jonathan,


I have a couple of questions:


What are the vendor(s) supported by the CSC for anti-spam/anti-virus and content filtering?


Is it a CPU consumer from the ASA's perspective?


As far as I know, the CSC deals with IP addresses (normal ACLs) to filter the traffic concerned; does it support FQDNs?


Regards,

jhogue Tue, 11/04/2008 - 10:27

Hello,


The anti-spam, anti-virus, and content filtering in the CSC module is powered by Trend Micro.


The CPU on the ASA is not consumed at all by the CSC module. One of the advantages of the modular approach is that resources such as CPU, memory, storage, etc. are dedicated to the content security service without having any impact on the ASA itself.


As for your last question, I'm not completely sure I understand, but I'll do my best. Traffic is directed to the CSC using the ASA's modular policy framework. The CSC itself can use FQDNs as appropriate for the protocol. For example, URLs can be blocked based on domain and emails can be filtered based on sender domain.


Best regards,


Jonathan

Anonymous (not verified) Mon, 11/03/2008 - 08:09

Hello Jorge,


You are correct, the CSC-SSM is only supported on ASA 5510, 5520, and 5540. We certainly do have plans to deliver content security on the ASA 5505 although it is too early to comment on form factor or time frame.


Best,


Jonathan

kb.choudhury Sun, 11/02/2008 - 08:14

Hello, we are connecting a client in the inside zone (high security) to a server in the outside zone (low security) using a third-party (different vendor) IPsec in transport mode, with the ASA 5520 in routed mode. How can the client be connected to the server with the same transport-mode IPsec when NAT is applied on the ASA 5520, given that everything is already allowed in the security rules? Please keep in mind that the IPsec transport-mode connection is between the client and the server.

jhogue Tue, 11/04/2008 - 13:52

Hi there,


I know about ASA content security and can't claim to be an ASA VPN expert. However, I sought advice from someone who is and his response was:


Typically transport mode IPsec can't handle an intermediate NAT device.

This is not a limitation of the NAT implementation but a result of the way transport mode IPsec operates. For this to work you must change the IPsec connection to a tunnel mode connection; then it is possible for the ASA to NAT the connection. You will need to enable IPsec inspection for this to work.
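The reason behind the advice above is that the TCP checksum covers a pseudo-header containing the original IP addresses, and in transport mode that segment is encrypted inside ESP where a NAT device cannot correct it; in tunnel mode the inner IP header travels inside ESP untouched. The following is an added model of that behaviour (not code from the thread or from Cisco): ESP encryption is represented as an opaque payload rather than real crypto, and the addresses are constructed sample values.

```python
"""Added model of why transport-mode IPsec fails behind NAT.
ESP encryption is modelled as an opaque payload, not real crypto (assumption);
the IP addresses below are constructed sample values."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit words with end-around carry (RFC 1071 Internet checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    # Zero byte, protocol 6 (TCP), TCP length: this is where the IP addresses
    # enter the TCP checksum, and why address translation matters to it.
    return ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def build_tcp_segment(src_ip: str, dst_ip: str, sport=51000, dport=443) -> bytes:
    """Minimal TCP SYN with a valid checksum for the given address pair."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check using the addresses it believes the segment came with."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

@dataclass
class Packet:
    src: str
    dst: str
    esp_payload: bytes                     # encrypted: opaque to the NAT device
    inner_hdr: Optional[Tuple[str, str]]   # tunnel mode only, also inside ESP

CLIENT, SERVER, NAT_PUBLIC = "10.1.1.10", "192.0.2.20", "203.0.113.1"

def asa_nat(pkt: Packet) -> Packet:
    """Dynamic NAT rewrites the outer source address only; ESP is untouched."""
    return Packet(NAT_PUBLIC, pkt.dst, pkt.esp_payload, pkt.inner_hdr)

def transport_mode_after_nat() -> bool:
    seg = build_tcp_segment(CLIENT, SERVER)
    delivered = asa_nat(Packet(CLIENT, SERVER, seg, None))
    # Server decrypts, then validates TCP against the (translated) outer header.
    return tcp_checksum_ok(delivered.src, delivered.dst, delivered.esp_payload)

def tunnel_mode_after_nat() -> bool:
    seg = build_tcp_segment(CLIENT, SERVER)
    delivered = asa_nat(Packet(CLIENT, SERVER, seg, (CLIENT, SERVER)))
    # Server decrypts and validates against the protected inner IP header.
    return tcp_checksum_ok(*delivered.inner_hdr, delivered.esp_payload)
```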

tahequivoice Mon, 11/03/2008 - 09:03

I have been asked this question by others in regards to the CSC. There is the web URL filtering section. Under the filtering exceptions, that is pretty much used to bypass the restrictions imposed by the filtering rules for specific IPs. The question I have been asked is whether it can be used similarly to how Auth-Proxy is used with an ACS and router.

jhogue Tue, 11/04/2008 - 11:28

You've got it exactly right, the filtering exceptions are to exempt IP ranges from URL filtering entirely. At this point, the CSC SSM does not support user or group-based URL filtering policies which is what I think you're after with the auth-proxy / ACS / router solution. We have that feature slated for the next release (no timeframe as yet).

jhogue Tue, 11/04/2008 - 13:53

My understanding is that this is possible.


Regards,


Jonathan

Collin Clark Mon, 11/03/2008 - 10:53

Jonathan-


Most of our customers want the ability to see what emails have been dropped (addressed to them) and whitelist them if they are acceptable. Is this a possibility now or in the future?

jhogue Tue, 11/04/2008 - 10:46

Hello Collin,


Great question. Currently, the module will log certain information about messages categorized as spam (sender, recipient, subject, etc.). However, due to storage limitations it cannot store the messages for future review. Once we have user and group-based URL filtering policies, the next high priority feature is an ability to "quarantine" spam messages which is what I believe you're looking for.


One possible workaround is to implement message tagging, which will "tag" the message as spam and pass it on to the end user. The end user should have a mailbox rule to move tagged messages to a spam folder of some kind. The spam folder acts as a personal quarantine where the end user can periodically review the messages.


Regards,


Jonathan

MIWConsulting Mon, 11/03/2008 - 11:47

Hi Jonathan,


I am looking at implementing ASA 5510s in a branch office environment (17 branch offices actually).


I am looking at placing the 5510s at the ingress point into the branch office, where they will act as an IPsec VPN endpoint back to a head office and perform firewall and IPS duties for traffic going into the branch office.


Now, I want to also monitor the traffic within the branch office. I was hoping to use RSPAN on the switches located in 4 separate closets to mirror traffic on the sensitive VLAN back to the ASA, where it will scan traffic in promiscuous mode.


Is this scenario possible? Can the ASA act as a gateway UTM and also monitor the traffic within the office via RSPAN using a mirrored port?


Thanks.

nicolas.scheffer Mon, 11/03/2008 - 14:56

Hi,


We have just installed 2x ASA 5510 to handle remote user access to our intranet.

We are using Active/Standby failover.

We need to provide client certificates, and the Local CA Authority seems to be the perfect feature for our needs, but we discovered that the Local CA Authority cannot be enabled when failover is enabled!

How can we use the Local CA Authority and still provide failover across the 2 ASA 5510s?


Thanks in advance


Nicolas Scheffer

jhogue Tue, 11/04/2008 - 13:54

Hello Nicolas,


The Local CA is not available in an A/S HA pair, since the CA is not replicated via the A/S protocol. Running the two ASAs as a RA VPN cluster and having one be the CA and the other a member might be a possibility.


Jonathan

nicolas.scheffer Tue, 11/04/2008 - 14:27

Hi Jonathan,


Following your suggestion:

- does the VPN SLB support the AnyConnect client and clientless mode, or is it only for IPsec and L2TP/IPsec VPN tunnels?

- is there any plan to improve this behavior in the near future?


In fact, maybe I should wait with 2 ASAs running failover to have the Local CA in the future, or should I rethink our design to use the Local CA now and provide better failover later?


Thanks in advance


Regards


Nicolas Scheffer



jhogue Tue, 11/04/2008 - 13:54

Hello,


This is NOT possible, since the ASA needs to be inline with the traffic flow. It can't take a SPAN from a switch and perform IDS on that. You will need a standalone IDS/IPS appliance for this to work.


Jonathan

geedunkrojo Tue, 11/04/2008 - 09:32

I have installed the CSC SSM on my ASA and was told it will filter on internal IP address and can set up lists of allowable websites by department.

I know the IP addresses of the PCs by department but can find no information on doing this.

I am also wondering why the Trend Micro software has a "Customer Defined" category but nowhere to define actual URLs to add to a category.


Rich Olson

jhogue Tue, 11/04/2008 - 10:41

Hi Rich,


The CSC SSM is able to make exceptions to URL filtering for IP addresses or IP address ranges. In other words, it can NOT filter URLs for IPs that you don't want it to. This is a global policy that is not granular enough to have lists of allowable websites by department. We do have plans to add user and group-based filtering to our next release, but don't have a time frame for shipment as yet.


The "Customer Defined" category is a catch-all group for sub-categories that don't clearly fall into some other group. I agree that the name is a bit misleading since, as a customer, you don't have the ability to add sites to the list. However, the URL blocking configuration page allows you to do this.


Best regards,


Jonathan

geedunkrojo Tue, 11/04/2008 - 11:01

Jonathan,

Thanks, this explains what I needed to know.

I did not think that it had group or individual based filtering.


Thanks

Rich

tahequivoice Tue, 11/04/2008 - 11:18

So I am not the only one who noticed this, hence my question in regards to this same issue.

kwillacey Tue, 11/11/2008 - 14:01

I know this is the wrong post, but if possible could you point me in the right direction? We are unable to locate the PAK code that came with an ASA 5505 to upgrade to the Security Plus feature set. How can I obtain a new one? Is that even possible?

Daniel Bruhn Tue, 11/04/2008 - 09:36

Everyone,


We are having a bit of an issue with Jonathan's user ID so he's been unable to respond to your questions. Please continue to post them and he will respond as soon as we get the problem resolved. I apologize for the inconvenience.


Cheers,


Dan Bruhn

NetPro Community Manager


jhogue Tue, 11/04/2008 - 10:28

As you may have noticed, the technical difficulties have been resolved! Many thanks to the IT support folks who helped fix things.


Jonathan

geedunkrojo Tue, 11/04/2008 - 14:04

Jonathan,

I am also interested in any advice you can give on using the logs and producing some reporting for the higher-ups.

Any third-party software is fine; I just need something to look at the logs and make some reports.

I set up logging and I am using Kiwi Syslog Daemon for catching the log stream.


Thanks

Rich

jhogue Wed, 11/05/2008 - 09:37

Hey Rich,


Likely the best bet is to take a look at Trend Micro Control Manager, which will capture the logs from the CSC SSM (or multiple SSMs), consolidate them, and allow for some rich report generation. If you'd prefer to stick with something more home-grown, you could probably generate some reports from the syslogs you capture. I don't know how Kiwi stores the logs, but if it's in a database of some kind you could set up a few "top 10" queries. For example, top 10 viruses captured, top 10 URLs blocked, etc. I find that the higher-ups like that sort of thing.


Jonathan
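As an added illustration of the home-grown "top 10" reporting suggested above (not code from the thread, Cisco or Trend Micro), the script below counts viruses, blocked URL hosts, blocked clients and spam senders from captured syslog text. The `CSC: ...` message format and the sample lines are constructed for illustration and are not the CSC SSM's documented syslog format, so `EVENT_RE` must be adapted to the real lines your collector stores.

```python
"""Added example: 'top 10' style reporting over syslog lines captured from a
CSC SSM. The message format and sample lines are constructed (assumption);
adapt EVENT_RE to the real messages your collector (e.g. Kiwi) stores."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log, mixing CSC events with an unrelated ASA line.
SAMPLE_LOG = """\
Nov  5 09:12:01 csc-ssm CSC: URL blocked src=10.1.2.15 url=http://bad.example/a category=Spyware
Nov  5 09:12:07 csc-ssm CSC: Virus detected src=10.1.2.40 name=EICAR_Test_File action=deleted
Nov  5 09:12:09 asa %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443
Nov  5 09:13:22 csc-ssm CSC: URL blocked src=10.1.2.15 url=http://bad.example/b category=Spyware
Nov  5 09:14:02 csc-ssm CSC: URL blocked src=10.1.2.77 url=http://games.example/ category=Games
Nov  5 09:15:45 csc-ssm CSC: Virus detected src=10.1.2.40 name=EICAR_Test_File action=deleted
Nov  5 09:16:10 csc-ssm CSC: Virus detected src=10.1.2.88 name=Worm_Sample action=quarantined
Nov  5 09:17:00 csc-ssm CSC: Spam tagged sender=news@lists.example recipient=rich@corp.example
"""

EVENT_RE = re.compile(r"CSC: (?P<event>URL blocked|Virus detected|Spam tagged) (?P<fields>.+)$")

def parse_line(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (event, key=value fields) for a CSC event line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return m.group("event"), fields

def top_n(lines: List[str], event: str, key: str, n: int = 10, by_host: bool = False):
    """Count values of `key` over lines of one event type; by_host reduces URLs to hostnames."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if not parsed or parsed[0] != event or key not in parsed[1]:
            continue
        value = parsed[1][key]
        if by_host:
            value = urlsplit(value).hostname or value
        counts[value] += 1
    return counts.most_common(n)

def build_report(log_text: str) -> Dict[str, list]:
    """The 'top 10' views mentioned in the thread, from one blob of syslog text."""
    lines = log_text.splitlines()
    return {
        "top_viruses": top_n(lines, "Virus detected", "name"),
        "top_blocked_hosts": top_n(lines, "URL blocked", "url", by_host=True),
        "top_blocked_clients": top_n(lines, "URL blocked", "src"),
        "top_spam_senders": top_n(lines, "Spam tagged", "sender"),
    }

if __name__ == "__main__":
    for title, rows in build_report(SAMPLE_LOG).items():
        print(title)
        for value, count in rows:
            print(f"  {count:>4}  {value}")
```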

geedunkrojo Wed, 11/05/2008 - 09:39

Jonathan,

I was wondering what your recommendations are for reporting from the logs generated by the CSC SSM.

I really need to get some reporting going soon.


Thanks

Rich

tahequivoice Tue, 11/04/2008 - 14:10

I think one of the biggest improvements would be licensing! We placed an order for a 100-user 1Y renewal two months ago, and have yet to see it. That was after spending a boatload of time just trying to locate the correct part #; even Cisco Licensing couldn't get the part number correct. I needed a 100-user & Plus renewal, and they gave me the Plus renewal, which I received after a 3-week wait, only to find I also needed the user renewal. Not very good when you get the 90-day notice and it takes 120 just to get the renewal.

jhogue Wed, 11/05/2008 - 09:43

I agree completely! The current licensing structure is pretty complicated and leads to delays like the one you experienced. My apologies for that. We have plans to greatly simplify the licensing. Stay tuned.

c-clemons Tue, 11/04/2008 - 19:58

I am configuring an ASA 5520 with EIGRP to exchange routes with a 6509 layer 3 switch. I configured an ip pool of addresses for VPN clients. We are trying to redistribute the VPN network to the 6509 switch. The network doesn't redistribute the VPN network to the switch. This is the configuration I am using:

router eigrp 129
 no auto-summary
 eigrp router-id 172.17.64.1
 network 172.17.64.0 255.255.255.0
 redistribute static metric 1000 2200 255 1 1500 route-map eigrp-route

route-map eigrp-route permit 10
 match interface internet

sanjay.sangwan Wed, 11/05/2008 - 04:11

I am using an ASA 520 with a CSC SSM-20 module.

My customer's requirement is to block all URLs for the Internet and open only a list of company-specific URLs, about 10 websites in number.

I didn't find any option to block all URLs in URL blocking so that I can then define exceptions.


Sanjay


tahequivoice Wed, 11/05/2008 - 05:39

That would be Auth-Proxy that you need to use. See my previous question regarding this.

jhogue Wed, 11/05/2008 - 10:31

Hi Sanjay,


I believe this is possible within the URL blocking configuration, which allows for a list of blocked URLs and exceptions. You should be able to configure a wildcard block of all URLs (*) and then put your 10 websites in the exception area.


Best,


Jonathan

sanjay.sangwan Wed, 11/05/2008 - 21:09

Hi Jonathan ,


Are you sure? I opened a TAC case for this and they denied having that kind of feature. Please see the case: SR 609982891

Can you tell me the right wildcard to enter?

Have you ever tested it?


regards


Sanjay


jhogue Thu, 11/06/2008 - 13:33

Hi Sanjay,


We have tested this and it appears that using *.* in the URL block list will, indeed, block all URLs. The TAC engineer should confirm this for you as well.


Regards,


Jonathan

abdel.bidar Wed, 11/05/2008 - 08:38

Hi Jonathan,

I am looking at monitoring an ASA 5540 running 7.2.

Are there any recommended KPIs for the ASA 5500?


Thanks

rgds

abdel


Jonathan,


Over the last few days we have been experiencing odd traffic patterns between our DMZ interface and the Inside interface. We are trying to determine what devices are talking to each other on these interfaces but have had no luck. We could put a packet sniffer on the network but we should be able to see the traffic patterns from the ASA 5510 firewall. Any suggestions?

cisco24x7 Sat, 11/08/2008 - 13:01

When will Cisco start supporting asymmetric routing on the ASA appliance, like the situation described below:


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc23977


In other words, Check Point supports asymmetric routing on its firewalls. When will the ASA start doing the same thing?

jhogue Mon, 11/10/2008 - 09:19

Hello there! What sort of problem are you having? I'm not an ASA expert (only a CSC SSM expert) but I'll be glad to forward your question to those who are.


Jonathan

aumi Mon, 11/10/2008 - 03:18

Hi all,


I have some basic questions regarding the CSC:


- You wrote: "Traffic is directed to the CSC using the ASA's modular policy framework". I've read the "Cisco Content Security and Control SSM Administrator Guide" several times, but didn't find anything about how to configure the ASA itself to route the traffic to the module. Or is this done automatically as soon as the module is up and running?


- Licensing: The CSC ships with a one-year subscription included. What date exactly does this subscription start? I believe I will have to register the CSC at Trend, but where and how?


Many thanks and regards

Christoph

jhogue Mon, 11/10/2008 - 09:18

Hello Christoph,


There is some configuration required to direct traffic to the CSC SSM. I found this guide to be the most straightforward: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808dea62.shtml.


As for the subscription, it starts when the license is registered on cisco.com and goes for one year from that date.


Best regards,


Jonathan

aumi Mon, 11/10/2008 - 09:42

Hi Jonathan,


Thanks a lot for that link. This was exactly what I was looking for.

MIWConsulting Mon, 11/10/2008 - 12:28

Hi Jonathan,


Hoping you can answer another question. I am setting up zoned protection (for a restricted zone, or RZ for short) with branch offices using VLANs. These branch offices will also have restricted servers. We are setting up ASA 5510s at all branch offices and 5520s at the main office. A site-to-site VPN will also be created between the branch offices and the main offices.


One question came up today asking if we could have traffic from the operational zone (workstations and such) at the branch office directly access the RZ within the branch, using the ASA to perform FW and IPS.


From a best practice perspective, is there any benefit in having the OZ traffic in the branch go back to the head office to be checked by the 5520? Also, can the 5510 manage and secure access from one VLAN to another in the same branch office?


Thanks!

new_networker Tue, 11/11/2008 - 13:28

Hi Jonathan,


With regards to management of the CSC-SSM, please advise if the below is possible.


- PC host IP: Subnet 1

- ASA Management Interface IP: Subnet 2

- ASA CSC-SSM Management Interface IP: Subnet 3


In this case, would the host be able to connect to the ASA and from the ASA to the CSC-SSM correctly? Or does the PC need to be in the same subnet as the ASA?


Please highlight if it would be any different for the AIP-SSM as well.


Lastly, can the CSC-SSM and AIP-SSM modules be accessed via the ASA backplane, i.e. without any physical connectivity from the ASA to the SSM?


Thanks.
