Chapter 19 Managing the AIP SSM and CSC SSM
Managing the CSC SSM
This access list matches inbound SMTP connections from any external host to any host on the DMZ network. The policy applied to the outside interface would therefore ensure that incoming SMTP email would be diverted to the CSC SSM for scanning. It would not match SMTP connections from hosts on the inside network to the mail server on the DMZ network because those connections never use the outside interface.
If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you could add the following ACE to the csc_in access list to use the CSC SSM to protect the web server from infected files:
For a complete example service policy configuration using the access lists in this section, see Example 19-1.
Limiting Connections Through the CSC SSM
The adaptive security appliance can prevent the CSC SSM and the destinations of connections it scans from accepting or even receiving requests for more connections than desired. It can do so for embryonic connections or fully established connections. Also, you can specify limits for all clients included in a
DoS attacks seek to disrupt networks by overwhelming the capacity of key hosts with connections or requests for connections. You can use the set connection command to thwart DoS attacks. After you configure a
Use of the set connection command to protect the CSC SSM and the destinations of connections it scans is included in the “Diverting Traffic to the CSC SSM” section.
Diverting Traffic to the CSC SSM
You use MPF commands to configure the adaptive security appliance to divert traffic to the CSC SSM. Before configuring the adaptive security appliance to do so, read Chapter 18, “Using Modular Policy Framework,” which introduces MPF concepts and common commands.

To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following steps:

Step 1 Create an access list that matches the traffic you want scanned by the CSC SSM. To do so, use the
you want to specify FTP, HTTP, POP3, and SMTP traffic, you would need four ACEs. For guidance on identifying the traffic you want to scan, see the “Determining What Traffic to Scan” section.

Step 2 Create a class map to identify the traffic that should be diverted to the CSC SSM. Use the command to do so, as follows.
Cisco Security Appliance Command Line Configuration Guide