Chapter 19 Managing the AIP SSM and CSC SSM

Managing the CSC SSM

hostname(config)# class-mapclass_map_name hostname(config-cmap)#

where class_map_name is the name of the traffic class. When you enter the class-mapcommand, the CLI enters class map configuration mode.

Step 3 With the access list you created in Step 1, use a match access-listcommand to identify the traffic to be scanned:

hostname(config-cmap)# match access-listacl-name

Step 4 Create a policy map or modify an existing policy map that you want to use to send traffic to the CSC SSM. To do so, use the policy-mapcommand, as follows.

hostname(config-cmap)# policy-mappolicy_map_name hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.

Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command to do so, as follows.

hostname(config-pmap)# class class_map_name hostname(config-pmap-c)#

where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy map class configuration mode and the prompt changes accordingly.

Step 6 If you want to enforce a per-client limit for simultaneous connections that the adaptive security appliance diverts to the CSC SSM, use the set connection command, as follows:

hostname(config-pmap-c)#set connection per-client-max n

where n is the maximum simultaneous connections the adaptive security appliance will allow per client. This prevents a single client from abusing the services of the CSC SSM or any server protected by the SSM, including prevention of attempts at DoS attacks on HTTP, FTP, POP3, or SMTP servers that the CSC SSM protects.

Step 7 Assign the traffic identified by the class map as traffic to be sent to the CSC SSM. Use the csc command to do so, as follows.

hostname(config-pmap-c)# csc {fail-close fail-open}

The fail-closeand fail-openkeywords control how the adaptive security appliance treats traffic when the CSC SSM is unavailable. For more information about the operating modes and failure behavior, see the “About the CSC SSM” section on page 19-5.

Step 8 Use the service-policycommand to apply the policy map globally or to a specific interface, as follows:

hostname(config-pmap-c)#service-policy policy_map_name [global interface interface_ID]

hostname(config)#

where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on

aspecific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.

Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

The adaptive security appliance begins diverting traffic to the CSC SSM as specified.

 

Cisco Security Appliance Command Line Configuration Guide

19-12

OL-8629-01

Page 12
Image 12
Cisco Systems ASA 5500 manual 19-12

ASA 5500 specifications

Cisco Systems ASA 5500 is a robust security appliance designed to provide advanced network security and protection against both internal and external threats. Ideal for organizations of various sizes, the ASA 5500 series offers a wide range of features that combine firewall capabilities with intrusion prevention, VPN support, and application control, among others.

One of the key features of the ASA 5500 is its stateful firewall technology. This allows the device to monitor active connections and enforce security policies based on the state of the traffic. By maintaining the context of network sessions, the firewall can make informed decisions on whether to allow or deny traffic based on established rules.

In addition to traditional firewall functionalities, the ASA 5500 series integrates advanced intrusion prevention capabilities. By analyzing traffic patterns and identifying known threats, the IPS functionality helps organizations defend against a variety of malicious activities, such as DDoS attacks, malware, and unauthorized access attempts. The ASA 5500 continuously updates its threat intelligence through Cisco's global threat database, enhancing its ability to detect emerging threats in real-time.

Virtual Private Network (VPN) support is another significant aspect of the ASA 5500 series. The device offers secure, encrypted connections for remote users and branch offices, ensuring safe access to corporate resources over the Internet. It supports both IPsec and SSL VPN protocols, allowing organizations to choose the best option for their specific needs. This capability is crucial for businesses that require a secure environment for remote work.

The ASA 5500 series also features extensive application control and visibility tools. These tools enable organizations to manage and control the applications running on their network, ensuring that only authorized applications can communicate through the firewall. This level of control helps to mitigate risks associated with unauthorized applications, which can lead to data breaches or reduced productivity.

Moreover, the ASA 5500 is designed with high availability and scalability in mind. Its clustering support ensures that multiple units can work together to provide redundancy and load balancing, enhancing both performance and reliability. This characteristic is especially important for organizations looking to maintain continuous operation during traffic spikes or hardware failures.

In summary, Cisco Systems ASA 5500 is an all-in-one security solution that combines stateful firewall protection, intrusion prevention, VPN capabilities, and application control. With its robust feature set and focus on security, it is well-suited for organizations seeking to protect their networks from an ever-evolving landscape of cyber threats. Whether for small businesses or large enterprises, the ASA 5500 provides the necessary tools to create a secure networking environment.