Cisco Systems ASA 5500 Limiting Connections Through the CSC SSM, Diverting Traffic to the CSC SSM


Chapter 19 Managing the AIP SSM and CSC SSM

Managing the CSC SSM

This access list matches inbound SMTP connections from any external host to any host on the DMZ network. The policy applied to the outside interface would therefore ensure that incoming SMTP email would be diverted to the CSC SSM for scanning. It would not match SMTP connections from hosts on the inside network to the mail server on the DMZ network because those connections never use the outside interface.

If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you could add the following ACE to the csc_in access list to use the CSC SSM to protect the web server from infected files:

access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80

For a complete example service policy configuration using the access lists in this section, see Example 19-1.

Limiting Connections Through the CSC SSM

The adaptive security appliance can prevent the CSC SSM, and the destinations of the connections it scans, from accepting or even receiving more connection requests than desired. The set connection command lets you configure limits for embryonic (half-open) connections and for fully established connections.

You can specify limits for all clients included in a class map, as well as per-client limits. The per-client-embryonic-max and per-client-max parameters limit the maximum number of connections that an individual client (identified by its source address) can open. If a client uses more network resources simultaneously than is desired, use these parameters to limit the number of connections that the adaptive security appliance allows each client.

DoS attacks seek to disrupt networks by overwhelming the capacity of key hosts with connections or requests for connections. You can use the set connection command to thwart such attacks. After you configure a per-client maximum that can be supported by the hosts likely to be attacked, a single malicious client will be unable to overwhelm hosts on protected networks. Note that per-client limits only cap what one source address can open; an attack distributed across many sources is bounded by the aggregate conn-max and embryonic-conn-max limits you set for the class, so configure both kinds of limit.

Use of the set connection command to protect the CSC SSM and the destinations of connections it scans is included in the “Diverting Traffic to the CSC SSM” section on page 19-11.

Diverting Traffic to the CSC SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the CSC SSM. Before configuring the adaptive security appliance to do so, read Chapter 18, “Using Modular Policy Framework,” which introduces MPF concepts and common commands.

To identify traffic to divert from the adaptive security appliance to the CSC SSM, perform the following steps:

Step 1

Create an access list that matches the traffic you want scanned by the CSC SSM. To do so, use the access-list extended command. Create as many ACEs as needed to match all the traffic. For example, if you want to specify FTP, HTTP, POP3, and SMTP traffic, you would need four ACEs. For guidance on identifying the traffic you want to scan, see the “Determining What Traffic to Scan” section on page 19-9.

Step 2

Create a class map to identify the traffic that should be diverted to the CSC SSM. Use the class-map command to do so, as follows.
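The configuration that Steps 1 and 2 lead into, carried through to the policy maps and service policies and combined with the csc_in access list from the previous section and the set connection limits from “Limiting Connections Through the CSC SSM”, as an added example written for this page. It is not the guide's Example 19-1 and not Cisco's text. The DMZ network 192.168.20.0/24 and the csc_in access list come from the page; the inside network 192.168.10.0/24, the csc_out access list, the class-map and policy-map names, and every numeric limit are assumed values chosen for illustration and should be sized to the hosts you actually protect.

```cisco
! Step 1: access lists that select the traffic to scan.
! Outbound: inside clients (192.168.10.0/24 is an ASSUMED inside network)
! fetching FTP, HTTP and POP3 from, and sending SMTP to, any external host.
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 110
access-list csc_out extended permit tcp 192.168.10.0 255.255.255.0 any eq 25
! Inbound: external hosts reaching the DMZ mail server (SMTP) and
! uploading files to the DMZ web server (HTTP), as on this page.
access-list csc_in extended permit tcp any 192.168.20.0 255.255.255.0 eq 25
access-list csc_in extended permit tcp any 192.168.20.0 255.255.255.0 eq 80

! Step 2: class maps keyed on those access lists (names are assumed).
class-map csc_outbound_class
 match access-list csc_out
class-map csc_inbound_class
 match access-list csc_in

! Policy maps: divert each class to the CSC SSM and limit connections.
! csc fail-close drops matching traffic if the SSM is down or unresponsive;
! csc fail-open would let it through unscanned instead.
policy-map csc_out_policy
 class csc_outbound_class
  csc fail-close
  ! Per-client limits for internal users (assumed values).
  set connection per-client-max 20 per-client-embryonic-max 10

policy-map csc_in_policy
 class csc_inbound_class
  csc fail-close
  ! Aggregate limits bound a distributed flood; per-client limits bound
  ! any single external source (assumed values, size to the DMZ hosts).
  set connection conn-max 1000 embryonic-conn-max 500 per-client-max 5 per-client-embryonic-max 2

! Apply the outbound policy on the inside interface and the inbound
! policy on the outside interface, matching the direction of each ACL.
service-policy csc_out_policy interface inside
service-policy csc_in_policy interface outside
```

After applying the policies, show service-policy interface outside (and interface inside) confirms that the class is attached and shows packet counters for the csc and set connection actions; a counter that never increments usually means the ACL direction or interface is wrong, as with the inside-to-DMZ SMTP case described earlier. Two caveats when choosing limits: per-client limits are keyed on the source IP address, so many users behind one NAT gateway count as a single client and can hit the limit legitimately, and fail-close means a failed SSM takes the scanned services down with it, which is the safer default for inbound mail and uploads but should be a deliberate choice.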

Cisco Security Appliance Command Line Configuration Guide, OL-8629-01, page 19-11