Solved: ASA with CSC SSM (plus license)

mladentsvetkov · ‎07-26-2010

Dear All,

I am new to CSC SSM. Would you please help me find out how to control instant messaging traffic with ASA + CSC SSM (plus license)? Is it correct to say that the only way to do it is by configuring the ASA itself and not the CSC SSM, like it is shown here:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Medium_Enterprise_Design_Profile/chap5.html

...Peer-to-peer file sharing and Internet instant messaging applications can also be blocked using Cisco IPS appliances and modules and the Cisco ASA firewall (using modular policy framework)...

Also, why using ASA with CSC SSM and not using ISR G2 with content filtering for smaller deployments? For example, does ISR G2 with content filtering supports time/user/group filtering settings like ASA with CSC SSM? FYI:

"...

Q. How does Cisco IOS Content Filtering differ from the Content Security and Control module for the ASA platform?

A. Cisco IOS Content Filtering is a subscription based service for Cisco ISRs that provide protection from malicious
websites as well as improve employee productivity using URL filtering techniques. The Cisco Content Security
and Control (CSC-SSM) module is an expansion card for the Cisco ASA 5500 Series of security appliances that
scans Web, e-mail, and ftp traffic to stop content-based threats, including phishing, spyware, spam, and viruses.
The CSC-SSM also controls unwanted mail and Web content. Both products use technology from Trend Micro

..."

Thanks in advance

Mladen

Magnus Mortensen · ‎07-26-2010

Mladen,

Just to piggy-back on what Mike said, you mentioned specifically user/group interaction with the CSC versus the ASR solution. At this point there is no Active directory integration on the ISR platform, but yes they CSC module (As of version 6.3.1172.0 and later) support integrating with AD to map usernames ad groups to IP addresses so that you can make filtering policies based on any of the following:

- IP address

- Username

- AD Group

It also supports policy decision based on time (breaks the day into 14 1-hr segments). You may be able to do something close to this on the ISR using time based ACLs in your filtering policy.

- Magnus

View solution in original post

mirober2 · ‎07-26-2010

Hi Mladen,

As you noted, it is not really possible to fully block all instant messaging applications with the CSC module and you would be better off using ASA rules or an IPS. This is simply because of the way that IM protocols can use multiple ports for communication that the CSC cannot scan (the CSC only scans web/80, ftp/21, smtp/25, and pop/110).

For your second question--As mentioned in the Q&A, the CSC has additional functionality that is not available to the IOS Content Filtering feature (i.e. SMTP and FTP scanning). The CSC is a broader solution, while the IOS Content Filtering is specifically designed to perform URL filtering for the IOS code without the need for a hardware-based module.

Hope that helps.

-Mike

Magnus Mortensen · ‎07-26-2010