I have an ASA 5510 with a CSC-SSM and I have a special question concerning the CSC features.
I would like to use a different set of CSC features for two types of traffic.
--> Standard Workplaces (Source Subnet 1), URL blocking, threat/virus protection
--> Management Workplaces (Source Subnet 2), only threat/virus protection
Can that be configured like that?
I didn't find any possibility, because the CSC is like a black box in that the features can be enabled/disabled only globally. I pass the traffic to the CSC based on an ACL.
Does anybody know if there is a solution for that?
Thanks Patrik Bolt
If you purchased the Plus level of the CSC SSM license in addition to the Base License, you can also:
- Reduce spam and protect against phishing fraud in your SMTP and POP3 traffic
- Set up content filters that enable you to allow or prohibit email traffic containing key words or phrases
- Block URLs that you do not want employees to access, or URLs that are known to have hidden or malicious purposes
- Filter URL traffic according to predefined categories that you allow/disallow, such as adult/mature content, games, chat/instant messaging, or gambling sites.
With Trend Micro InterScan for Cisco CSC SSM, you do not have to install separate applications for virus protection, spyware blocking, spam detection, or content filtering; all of these functions are available in a single package. Trend Micro InterScan for Cisco CSC SSM provides protection for major traffic protocols: SMTP, HTTP, and FTP, as well as POP3 traffic, to ensure that employees don't accidentally introduce viruses from their personal email accounts. And, the application is easy to maintain.
Thanks. But that was not my question. I know the features of CSC-SSM with plus license. The goal is to differentiate between different source traffic types and apply a URL blocker or not.
After intense reading of the technical references I know that Websense / N2H2 is the solution for my goal.
I am currently working on an ASA5520 with CSC SSM on it. I'm trying to test URL blocking, but I'm not successful. Is it absolutely necessary to have Websense or N2H2 to successfully filter or block URLs? I want to know if ASA CSC SSM can do the URL blocking by itself.
There are different things to configure when using CSC-SSM. First, the CSC module must have a LAN connection with a dedicated cable and its own IP address. Second, you have to define the traffic which must be passed to the CSC. Third, you must configure the CSC itself (web frontend on the CSC IP).
Below you can see my CSC config. I pass only traffic defined in the ACLs to the CSC module. You can also use the default-class if you like.
The key part used is the modular policy framework.
If you read that, you have a real understanding of the stuff: http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_book09186a008054c15c.html
access-list csc_out extended permit tcp LAN 255.255.252.0 any eq www
access-list csc_out extended permit tcp LAN 255.255.252.0 any eq smtp
access-list csc_out extended permit tcp LAN 255.255.252.0 any eq ftp
access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq www
access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq smtp inactive
access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq pop3 inactive
access-list csc_in extended permit tcp any PUBLIC 255.255.255.192 eq ftp
! which traffic
match access-list csc_in
match access-list csc_out
! what happens to the traffic
description Outbound Traffic Policy
inspect icmp error
description Inbound Traffic Policy
! bind the policy to an interface
service-policy global-policy global
service-policy csc_in_policy interface outside
service-policy csc_out_policy interface inside
service-policy csc_out_policy interface dmz
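The three parts of the configuration in the post above (which traffic, what happens to it, where the policy is bound), written out for the outbound direction as an added example that is not part of the original thread. The class-map name csc_out_class is hypothetical, and LAN is assumed to be a name already defined on the ASA, as in the post.

```cisco
! Added example, not the poster's configuration.
! csc_out_class is a hypothetical class-map name; the ACL name and the
! policy-map name are the ones used in the post.

! 1. Which traffic: only flows permitted by this ACL are diverted to the
!    CSC-SSM. Everything else bypasses the module entirely.
access-list csc_out extended permit tcp LAN 255.255.252.0 any eq www
access-list csc_out extended permit tcp LAN 255.255.252.0 any eq smtp
access-list csc_out extended permit tcp LAN 255.255.252.0 any eq ftp
!
class-map csc_out_class
 match access-list csc_out
!
! 2. What happens to the traffic: send the matched flows to the CSC-SSM.
!    fail-close blocks matching traffic while the module is unavailable;
!    fail-open lets it pass unscanned.
policy-map csc_out_policy
 description Outbound Traffic Policy
 class csc_out_class
  csc fail-close
!
! 3. Bind the policy to an interface.
service-policy csc_out_policy interface inside
```

The choice between `csc fail-close` and `csc fail-open` decides whether a module outage interrupts web, mail and FTP traffic or silently removes the scanning, so it is worth setting deliberately per policy.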
Thank you for the CLI configuration hints. Have you configured URL blocking without the use of N2H2 or Websense? I know blocking URL one by one is a quite cumbersome task, but for simplicity I want to know if it can be done on the ASA box alone. Were you successful in doing the blocking by the ASA?
Your responses are greatly appreciated.
Yes, the ASA does the URL blocking alone without any Websense or N2H2 server. And it has worked well in my network for some months.
The license needs to be updated and hence the CSC to be activated. I will get back when there are results, probably after Dec. 26. We will have our vacation, quite a long weekend here.
Thanks for your time.
If it helps: I have the ASA with a CSC-SSM and these additional licenses.
- CSC-SSM User Upgrade
- CSC-SSM Plus License (URL blocking, Anti-phishing ...)
- ASA Security Plus (if you need multiple contexts or failover ..)
Greets from Switzerland Patrik
Happy New Year 2007!
I'm still waiting for one of our group responsible for communicating license matters to Cisco. If I can get the CSC-SSM Plus activated, I can get back to you as soon as possible, and hopefully get the same results as you have. In the meantime, I'm also working on other features of the ASA.
I did not answer your question.
You can filter and block URLs using the CSC-SSM. But the blocking feature is only global for all traffic which will be passed into the CSC using the modular policy framework on the ASA, as described in my other post. Websense/N2H2 is a step more than the filtering using a CSC module. It provides the possibility to filter user-based. Example: a standard user has no rights to open a website like ebay.com but the managers can open it. That config is not possible using CSC.
If you can live with a globally defined filtering rule for all users, the CSC is right for you. If you use more complex filtering, you should use Websense/N2H2.
But in the Websense/N2H2 case you have to use a server in conjunction with your ASA.
But there are also the other nice features of a CSC-SSM.
I hope I could help you.
Looks like our emails missed each other. I will try again to reconfigure the ASA and set the modular policies carefully. By the way, I'm using 7.2.1 for the Main System and CSC-SSM-10 for the CSC. My ASDM is 5.2.1. I will let you know immediately the result of my tests. Maybe within an hour.