Chapter 19 Managing the AIP SSM and CSC SSM

Managing the CSC SSM

This access list matches inbound SMTP connections from any external host to any host on the DMZ network. The policy applied to the outside interface would therefore ensure that incoming SMTP email would be diverted to the CSC SSM for scanning. It would not match SMTP connections from hosts on the inside network to the mail server on the DMZ network because those connections never use the outside interface.

If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you could add the following ACE to the csc_in access list to use the CSC SSM to protect the web server from infected files:

access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80

For a complete example service policy configuration using the access lists in this section, see Example 19-1.

Limiting Connections Through the CSC SSM

The adaptive security appliance can prevent the CSC SSM and the destinations of connections it scans from accepting or even receiving requests for more connections than desired. It can do so for embryonic connections or fully established connections. The set connection command lets you configure limits for embryonic connections or fully established connections.

Also, you can specify limits for all clients included in a class-map and per-client limits. The per-client-embryonic-max and per-client-max parameters limit the maximum number of connections that individual clients can open. If a client uses more network resources simultaneously than is desired, you can use these parameters to limit the number of connections that the adaptive security appliance allows each client.

DoS attacks seek to disrupt networks by overwhelming the capacity of key hosts with connections or requests for connections. You can use the set connection command to thwart DoS attacks. After you configure a per-client maximum that can be supported by hosts likely to be attacked, malicious clients will be unable to overwhelm hosts on protected networks.

Use of the set connection command to protect the CSC SSM and the destinations of connections it scans is included in the “Diverting Traffic to the CSC SSM” section on page 19-11.

Diverting Traffic to the CSC SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the CSC SSM. Before configuring the adaptive security appliance to do so, read Chapter 18, “Using Modular Policy Framework,” which introduces MPF concepts and common commands.

To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following steps:

Step 1

Create an access list that matches the traffic you want scanned by the CSC SSM. To do so, use the access-list extended command. Create as many ACEs as needed to match all the traffic. For example, if you want to specify FTP, HTTP, POP3, and SMTP traffic, you would need four ACEs. For guidance on identifying the traffic you want to scan, see the “Determining What Traffic to Scan” section on page 19-9.

 

Step 2

Create a class map to identify the traffic that should be diverted to the CSC SSM. Use the class-map command to do so, as follows.
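As an added example (not the guide's Example 19-1, which is not reproduced on this page), the following configuration combines the csc_in access list from this section, the per-client limits from “Limiting Connections Through the CSC SSM,” and Steps 1 and 2 above into one service policy. The policy map, its csc action and the service-policy line complete the procedure beyond what this page shows; the class, policy and interface names, the limit values, and the DMZ addressing are assumptions for illustration.

```cisco
! Added example, not the guide's own Example 19-1.
! Assumed topology: DMZ network 192.168.20.0/24 (as in this section),
! external hosts reach it through the interface named "outside".
!
! Step 1: one ACE per protocol to be scanned, inbound from any external
! host to any DMZ host (four ACEs for FTP, HTTP, POP3 and SMTP).
access-list csc_in extended permit tcp any 192.168.20.0 255.255.255.0 eq ftp
access-list csc_in extended permit tcp any 192.168.20.0 255.255.255.0 eq 80
access-list csc_in extended permit tcp any 192.168.20.0 255.255.255.0 eq pop3
access-list csc_in extended permit tcp any 192.168.20.0 255.255.255.0 eq smtp
!
! Step 2: class map that selects the traffic matched by the access list.
class-map csc_in_class
 match access-list csc_in
!
! Later steps (assumed completion, not shown on this page): a policy map
! that caps what each external client may open against the CSC SSM and
! the DMZ hosts, then hands the matched flows to the CSC SSM. fail-close
! drops matched traffic if the CSC SSM is unavailable (assumed values).
policy-map csc_in_policy
 class csc_in_class
  set connection per-client-max 5 per-client-embryonic-max 2
  csc fail-close
!
! Apply the policy on the outside interface only, so inside-to-DMZ
! connections, which never use that interface, are not diverted.
service-policy csc_in_policy interface outside
```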

Cisco Security Appliance Command Line Configuration Guide, OL-8629-01, page 19-11

ASA 5500 specifications

The Cisco Systems ASA 5500 is a robust security appliance designed to provide advanced network security and protection against both internal and external threats. Ideal for organizations of various sizes, the ASA 5500 series offers a wide range of features that combine firewall capabilities with intrusion prevention, VPN support, and application control, among others.

One of the key features of the ASA 5500 is its stateful firewall technology. This allows the device to monitor active connections and enforce security policies based on the state of the traffic. By maintaining the context of network sessions, the firewall can make informed decisions on whether to allow or deny traffic based on established rules.

In addition to traditional firewall functionality, the ASA 5500 series integrates advanced intrusion prevention capabilities. By analyzing traffic patterns and identifying known threats, the IPS functionality helps organizations defend against a variety of malicious activities, such as DDoS attacks, malware, and unauthorized access attempts. The ASA 5500 continuously updates its threat intelligence through Cisco's global threat database, enhancing its ability to detect emerging threats in real time.

Virtual Private Network (VPN) support is another significant aspect of the ASA 5500 series. The device offers secure, encrypted connections for remote users and branch offices, ensuring safe access to corporate resources over the Internet. It supports both IPsec and SSL VPN protocols, allowing organizations to choose the best option for their specific needs. This capability is crucial for businesses that require a secure environment for remote work.

The ASA 5500 series also features extensive application control and visibility tools. These tools enable organizations to manage and control the applications running on their network, ensuring that only authorized applications can communicate through the firewall. This level of control helps to mitigate risks associated with unauthorized applications, which can lead to data breaches or reduced productivity.

Moreover, the ASA 5500 is designed with high availability and scalability in mind. Its clustering support ensures that multiple units can work together to provide redundancy and load balancing, enhancing both performance and reliability. This characteristic is especially important for organizations looking to maintain continuous operation during traffic spikes or hardware failures.

In summary, the Cisco Systems ASA 5500 is an all-in-one security solution that combines stateful firewall protection, intrusion prevention, VPN capabilities, and application control. With its robust feature set and focus on security, it is well suited for organizations seeking to protect their networks from an ever-evolving landscape of cyber threats. Whether for small businesses or large enterprises, the ASA 5500 provides the necessary tools to create a secure networking environment.