TrendMicro Interscan on ASA - block https??

Answered Question
Jun 16th, 2009

Is it possible to block URLs that link to an https site? I've configured the ASA to redirect this type of traffic to it, but it doesn't block it...

Thanks

Daniele

Farrukh Haroon Tue, 06/16/2009 - 23:57

Different web servers implement redirection in different ways; it would be very difficult to block all of these on the ASA.


You want to block HTTPS websites or redirection? This redirection is actually a security enhancement feature, why do you want to block it?


Regards


Farrukh

dimensyssrl Thu, 06/25/2009 - 02:21

I want to block certain sites/urls, like for example:


https://www.facebook.com/


Now I've configured InterScan to block this domain, but if I try to connect over https it doesn't block the connection (while if I try over http it blocks the connection properly).


Thanks

Daniele

Farrukh Haroon Thu, 06/25/2009 - 02:24

Are you using Cisco ASA CSC module or a standalone TrendMicro IWSS?


Btw, what string have you configured in the blocking? Have you used wildcards?


Regards


Farrukh

dimensyssrl Thu, 06/25/2009 - 02:31

I'm using ASA CSC module.


I've configured:


Web (HTTP) --> URL Blocking --> URL keyword (example: 'yyy' string matches all URLs containing 'yyy')


and inserted there facebook.


So, CSC inserts *facebook* into the Block List.


But then it blocks only http connections and not https ones.


In the ASA configuration, I've configured http and https traffic to be redirected to CSC...

Farrukh Haroon Fri, 07/24/2009 - 22:52

It works perfectly fine on our Trendmicro IWSS server, here is a sample block message:


IWSS Security Event

Access to this URL is currently restricted due to a blocking rule.


URL: www.apple.com:443

Rule: Block URLs of type Administrator-defined

If you feel you have reached this message in error, please contact your network administrator.


Please can you send me the screenshot of the page where you configured the block URLS in the CSC module?


Regards


Farrukh


dimensyssrl Thu, 07/30/2009 - 02:52

I can't understand why this happens... Configuration is the same for http or https traffic...

Is there anybody out there who can explain to me why?

kwillacey Fri, 07/31/2009 - 13:50

As far as I know, the CSC Trend Micro module does not do https, only http. Maybe you can confirm this with TAC.

Correct Answer

http://www.cisco.com/en/US/docs/security/csc/csc60/administration/guide/csc1.html


..."Trend Micro InterScan for Cisco CSC SSM (Content Security and Control Security Services Module) provides an all-in-one antivirus and spyware management solution for your network. This guide provides a conceptual explanation of how to manage the CSC SSM, which is resident in your Cisco appliance to do the following:

• Detect and take action on viruses, worms, Trojans, and other threats in your SMTP, POP3, HTTP, and FTP network traffic

Note: Traffic utilizing other protocols, such as HTTPS, is not scanned by CSC SSM.

• Block compressed or very large files that exceed specified parameters

• Scan for and remove spyware, adware, and other types of grayware ..."

Farrukh Haroon Wed, 08/05/2009 - 00:25

Dear Daniele


I mentioned in my post that it works on a standalone Trendmicro IWSS server, meaning we have the IWSS software running on our proxy servers (via proxy chaining). HTTPS filtering works on the Standalone IWSS software.


(As it appears from the documentation) Cisco/Trend Micro have disabled this HTTPS filtering capability in the CSC Module's IWSS software. Only Cisco/TM can comment on this, but it could be due to performance issues, CSC topology (traffic via back plane) etc.


Regards


Farrukh
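
Added illustration (not part of any post in this thread, and not Cisco or Trend Micro code): a simplified model of what a URL-keyword rule such as `*facebook*` can match in the first bytes a client sends, which is why the thread sees a block on plain HTTP and on the proxy's `host:443` request but nothing on redirected HTTPS. The function names, the `not-scanned` label and all sample bytes are assumptions made for the example.

```python
# Added illustration; every sample input below is constructed.

def visible_url(first_bytes):
    """Return (kind, text) where text is what a URL-keyword rule could match."""
    # TLS handshake record: content type 0x16, protocol major version 0x03.
    # The HTTP request (and its URL) travels inside the encrypted session.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return ("tls", None)
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("unknown", None)
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                    # explicit proxy: target is host:port
        return ("connect", target)
    if target.lower().startswith("http://"):   # absolute-form sent to a proxy
        return ("http", target[len("http://"):])
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return ("http", host + target)

def decide(first_bytes, keywords):
    """Model a substring rule such as *facebook* against the visible text."""
    kind, text = visible_url(first_bytes)
    if text is None:
        return (kind, "not-scanned")
    hit = any(k.lower() in text.lower() for k in keywords)
    return (kind, "block" if hit else "allow")

HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
PROXY_CONNECT = (b"CONNECT www.facebook.com:443 HTTP/1.1\r\n"
                 b"Host: www.facebook.com:443\r\n\r\n")
TLS_HELLO = bytes.fromhex("160301002f010000") + b"\x00" * 8  # truncated, constructed

if __name__ == "__main__":
    for name, data in [("http", HTTP_GET), ("connect", PROXY_CONNECT), ("tls", TLS_HELLO)]:
        print(name, decide(data, ["facebook"]))
```

The `connect` case corresponds to the `URL: www.apple.com:443` form in the IWSS block message quoted above; the `tls` case is what a device sees when port 443 traffic is redirected to it without the client using it as a proxy.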
