
ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT SECURITY

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on how the Adaptive Security Appliances (ASA) 5500 Content Security edition protects against threats and content at the Internet gateway with Cisco expert Jonathan Hogue. Jonathan Hogue is a product manager for the Cisco Adaptive Security Appliances (ASA) 5500 Series Content Security and Control Security Services Module (CSC-SSM). Previously at Cisco, Jonathan has been a systems engineer and technical marketing engineer. Jonathan is the coauthor of "Intrusion Prevention Fundamentals" and has presented on that topic at Cisco Networkers. He has more than 12 years' experience in the network security industry and holds a CISSP certification.

Remember to use the rating system to let Jonathan know if you have received an adequate response.

Jonathan might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 14, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hi Jonathan,

I understand the CSC-SSM modules are only supported on ASA5510 and higher ASA models. Would the ASA5505 model ever support a similar content security solution?

Rgds

Jorge

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hi Jonathan,

I've a couple of questions:

What are the vendor(s) supported by CSC for anti-spam/virus and content filtering?

Is it a CPU consumer from the ASA perspective?

As per my moderate knowledge, CSC deals with IP addresses (normal ACL) to filter the concerned traffic; does it support FQDN?

Regards,

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hello,

The anti-spam, anti-virus, and content filtering in the CSC module is powered by Trend Micro.

The CPU on the ASA is not consumed at all by the CSC module. One of the advantages of the modular approach is that resources such as CPU, memory, storage, etc. are dedicated to the content security service without having any impact on the ASA itself.

As for your last question, I'm not completely sure I understand but I'll do my best. Traffic is directed to the CSC using the ASA's modular policy framework. The CSC itself can use FQDN as appropriate for the protocol. For example, URLs can be blocked based on domain and emails can be filtered based on sender domain.

Best regards,

Jonathan
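The modular policy framework step mentioned in the reply above, shown as an added ASA configuration example (this is not from the original thread and is not the vendor's reference configuration). It assumes an inside network of 192.168.1.0/24 and the CSC-SSM installed in slot 1; the ACL, class-map and policy-map names are arbitrary choices for the example:

```text
! Added example, not from the original thread. ASA 8.x MPF policy that hands
! HTTP, FTP, SMTP and POP3 from the inside network to the CSC-SSM for scanning.
! Assumptions: inside network 192.168.1.0/24; module in slot 1; names arbitrary.
!
! 1. Select the traffic. The CSC-SSM scans only these four protocols, so
!    matching anything else just burns module capacity.
access-list csc_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list csc_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list csc_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list csc_acl extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
!
class-map csc_class
 match access-list csc_acl
!
! 2. Attach the class to the global policy and divert matches to the module.
!    fail-close: if the module is down or reloading, matched traffic is dropped.
!    fail-open:  matched traffic is forwarded unscanned instead. Use fail-close
!    on a security gateway; fail-open only where availability outranks scanning.
policy-map global_policy
 class csc_class
  csc fail-close
!
service-policy global_policy global
!
! 3. Verify the module is up and that the policy is actually diverting packets.
! show module 1 details
! show service-policy
```

This only scans connections that clients on the inside open. Inbound SMTP to a mail server in a DMZ needs its own ACE (source any, destination the mail server, eq smtp) in csc_acl, and the fail-close/fail-open choice is the one setting worth a deliberate decision: with fail-open, a failed or reloading module silently turns content security off for every matched flow.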


Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hello Jorge,

You are correct, the CSC-SSM is only supported on ASA 5510, 5520, and 5540. We certainly do have plans to deliver content security on the ASA 5505 although it is too early to comment on form factor or time frame.

Best,

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hello, we are connecting a client from the inside zone (high security) to an outside zone server (low security) by 3rd-party (different vendor) IPsec in transport mode, with the ASA 5520 in routed mode. How can the client be connected to the server by the same IPsec in transport mode with NAT in the ASA 5520, even if everything is allowed in the security rule? Please keep in mind that the IPsec transport is between client and server.

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hi there,

I know about ASA content security and can't claim to be an ASA VPN expert. However, I sought advice from someone who is and his response was:

Typically transport mode IPSEC can't handle an intermediate NAT device.

This is not a limitation in the NAT implementation but a result of the way transport mode IPSEC operates. For this to work you must change the IPSEC connection to a tunnel mode connection; then it is possible for the ASA to NAT the connection. You will need to enable IPSEC inspection for this to work.
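The tunnel-mode plus IPsec inspection arrangement described in the reply above, as an added ASA configuration example (not from the original thread). The reason transport mode breaks is that the TCP checksum of the protected segment was computed over the client's real address and, if AH is used, the integrity check also covers the IP header itself, so a NAT rewrite of that single header either fails the AH check or leaves a checksum mismatch after decryption; in tunnel mode the rewritten outer header is discarded by the peer and the inner packet arrives untouched. Assumptions in the example: pre-8.3 NAT syntax; the client at 192.168.1.10 gets a one-to-one static translation to 203.0.113.10 (ESP and AH carry no ports, and the ipsec-pass-thru inspection engine does not support PAT for them); ISAKMP runs on UDP/500. If both peers negotiate NAT-T instead, ESP is UDP-encapsulated on 4500 and no pass-through inspection is needed.

```text
! Added example, not from the original thread. Inside client reaching an
! outside server over a third-party IPsec tunnel-mode connection through an
! ASA 5520 that NATs the client. Pre-8.3 NAT syntax.
! Assumptions: client 192.168.1.10, static one-to-one NAT to 203.0.113.10
! (ipsec-pass-thru inspection does not support PAT for ESP/AH), IKE on UDP/500.
!
! 1. One-to-one translation for the IPsec client. Do not use a PAT pool here.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
!
! 2. IPsec pass-through inspection. The ASA watches the ISAKMP (UDP/500)
!    exchange and then permits the ESP (and, if present, AH) flows that belong
!    to that session, so no ACL for IP protocol 50/51 is needed and the
!    flows are torn down after the idle timeout.
policy-map type inspect ipsec-pass-thru ipsec_pt_map
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
!
! inspection_default matches default-inspection-traffic, which already
! includes UDP/500 for ipsec-pass-thru.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru ipsec_pt_map
!
service-policy global_policy global
!
! 3. Verify: the UDP/500 and ESP connections for the client should be listed.
! show conn
! show service-policy inspect ipsec-pass-thru
```

The per-client-max and timeout values bound how many ESP/AH flows one ISAKMP session may open and how long an idle one is kept; tighten them to what the third-party client actually negotiates rather than leaving them wide.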

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

I have been asked this question by others in regards to the CSC. There is the web URL filtering section. Under the filtering exceptions, that pretty much is used to bypass the restrictions imposed by the filtering rules for specific IPs. The question I have been asked is if it can be used similar to how Auth-Proxy is used with an ACS and router.

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

You've got it exactly right, the filtering exceptions are to exempt IP ranges from URL filtering entirely. At this point, the CSC SSM does not support user or group-based URL filtering policies which is what I think you're after with the auth-proxy / ACS / router solution. We have that feature slated for the next release (no timeframe as yet).

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Jonathan,

Can an IPSEC VPN and SSL VPN (using SVC0) be terminated on the same interface?

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

My understanding is that this is possible.

Regards,

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Jonathan-

Most of our customers want the ability to see what emails have been dropped (addressed to them) and whitelist them if they are acceptable. Is this a possibility now or in the future?

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hello Collin,

Great question. Currently, the module will log certain information about messages categorized as spam (sender, recipient, subject, etc.). However, due to storage limitations it cannot store the messages for future review. Once we have user and group-based URL filtering policies, the next high priority feature is an ability to "quarantine" spam messages which is what I believe you're looking for.

One possible work around is to implement message tagging which will "tag" the message as spam and pass it on to the end user. The end user should have a mailbox rule to transfer tagged messages to a spam folder of some kind. The spam folder acts as a personal quarantine where the end user can periodically review the messages.

Regards,

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hi Jonathan,

I am looking at implementing ASA 5510's in a branch office environment (17 branch offices actually).

I am looking at placing the 5510's at the ingress point into the branch office where it will act as an IPSEC VPN point back to a head office and perform firewall and IPS duties for traffic going into the branch office.

Now, I want to also monitor the traffic within the branch office. I was hoping to use RSPAN on the switches located in 4 separate closets to mirror traffic on the sensitive VLAN back to the ASA where it will scan traffic in promiscuous mode.

Is this scenario possible? Can the ASA act as a gateway UTM and be able to monitor the traffic within the office via RSPAN using a mirrored port?

Thanks.

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hi,

We have just installed 2x ASA 5510 to handle remote users access to our intranet.

We are using Active/Standby failover.

We need to provide client certificates, and the Local CA Authority seems to be the perfect feature for our needs, but we discovered that the Local CA Authority cannot be enabled when failover is enabled!

How to use the Local CA Authority and to provide failover across the 2 ASA 5510 ?

Thanks in advance

Nicolas Scheffer

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hello Nicolas,

The Local CA is not available in an A/S HA pair, since the CA is not replicated via the A/S protocol. Running the two ASAs as an RA VPN cluster and having one be the CA and the other a member might be a possibility.

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hi Jonathan,

Following your suggestion :

- does the VPN SLB support AnyConnect Client and Clientless mode, or is it only IPSEC and L2TP/IPSEC VPN tunnels?

- is there any plan to improve this behavior in the near future?

In fact, maybe I should wait, with 2 ASAs running failover, to have the LOCAL CA in the future, or should I rethink our design to use the LOCAL CA now and provide better failover later?

Thanks in advance

Regards

Nicolas Scheffer

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hello,

This is NOT possible since the ASA needs to be inline to the traffic flow. It can't take a SPAN from a switch and perform IDS on that. You will need a stand-alone IDS/IPS appliance for this to work.

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

I have installed the CSC SSM on my ASA and was told it will filter on internal IP address and can set up lists of allowable websites by department.

I know the IP addresses of the PCs by department but can find no information on doing this.

I am also wondering why the Trend Micro software has a customer defined category but nowhere to define actual URLs for adding to a category.

Rich Olson

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hi Rich,

The CSC SSM is able to make exceptions to URL filtering for IP addresses or IP address ranges. In other words, it can NOT filter URLs for IPs that you don't want it to. This is a global policy that is not granular enough to have lists of allowable websites by department. We do have plans to add user and group-based filtering to our next release, but don't have a time frame for shipment as yet.

The "Customer Defined" category is a catch-all group for sub-categories that don't clearly fall into some other group. I agree that the name is a bit misleading since, as a customer, you don't have the ability to add sites to the list. However, the URL blocking configuration page allows you to do this.

Best regards,

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Jonathan,

Thanks this explains what I needed to know.

I did not think that it had group or individual based filtering.

Thanks

Rich

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

So I am not the only one who noticed this, hence my question in regards to this same issue.

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

I know this is the wrong post, but if possible could you point me in the right direction? We are unable to locate the PAK code that came with an ASA 5505 to upgrade to the Security Plus feature set. How can I obtain a new one? Is that even possible?

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Sure, no problem. Just send an email to licensing@cisco.com and they should be able to get the PAK for you. They may ask for a Cisco sales order number so you might want to be prepared for that.

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Everyone,

We are having a bit of an issue with Jonathan's user ID so he's been unable to respond to your questions. Please continue to post them and he will respond as soon as we get the problem resolved. I apologize for the inconvenience.

Cheers,

Dan Bruhn

NetPro Community Manager


Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

As you may have noticed, the technical difficulties have been resolved! Many thanks to the IT support folks who helped fix things.

Jonathan

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Jonathan,

I am also interested in any advice you can give on using the logs and getting some reporting for the Higher-ups.

Any third party software is fine I just need something to look at the logs and make some reporting.

I set up logging and I am using Kiwi Syslog Daemon for catching the log stream.

Thanks

Rich

Re: ASK THE EXPERT - ADAPTIVE SECURITY APPLIANCES (ASA) CONTENT

Hey Rich,

Likely the best bet is to take a look at Trend Micro Control Manager which will capture the logs from the CSC SSM (or multiple SSMs), consolidate them, and allow for some rich report generation. If you'd prefer to stick with something more home grown, you could probably generate some reports from the syslogs you capture. I don't know how Kiwi stores the logs but if it's in a database of some kind you could set up a few "top 10" queries. For example, top 10 viruses captured, top 10 URLs blocked, etc. I find that the higher-ups like that sort of thing.

Jonathan
