Cisco Systems ASA 5500 User Manual 2

CHAPTER 19
Managing the AIP SSM and CSC SSM
The Cisco ASA 5500 series adaptive security appliance supports a variety of SSMs. This chapter describes how to configure the adaptive security appliance to support an AIP SSM or a CSC SSM, including how to send traffic to these SSMs.
For information about the 4GE SSM for the ASA 5500 series adaptive security appliance, see Chapter 4, “Configuring Ethernet Settings and Subinterfaces”.
Note The Cisco PIX 500 series security appliances do not support SSMs.
This chapter includes the following sections:
Managing the AIP SSM, page 19-1
Managing the CSC SSM, page 19-5
Checking SSM Status, page 19-13
Transferring an Image onto an SSM, page 19-14

Managing the AIP SSM

This section contains the following topics:
About the AIP SSM, page 19-1
Getting Started with the AIP SSM, page 19-2
Diverting Traffic to the AIP SSM, page 19-2
Sessioning to the AIP SSM and Running Setup, page 19-4

About the AIP SSM

The ASA 5500 series adaptive security appliance supports the AIP SSM, which runs advanced IPS software that provides further security inspection. The adaptive security appliance diverts packets to the AIP SSM just before the packet exits the egress interface (or before VPN encryption occurs, if configured) and after other firewall policies are applied. For example, packets that are blocked by an access list are not forwarded to the AIP SSM.
OL-8629-01
Cisco Security Appliance Command Line Configuration Guide
The AIP SSM can operate in one of two modes, as follows:
Inline mode—Places the AIP SSM directly in the traffic flow. No traffic can continue through the adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This mode is the most secure because every packet is analyzed before being allowed through. Also, the AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput. You specify this mode with the inline keyword of the ips command.
Promiscuous mode—Sends a duplicate stream of traffic to the AIP SSM. This mode is less secure, but has little impact on traffic throughput. Unlike operation in inline mode, the SSM operating in promiscuous mode can only block traffic by instructing the adaptive security appliance to shun the traffic or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance before the AIP SSM can block it. You specify this mode with the promiscuous keyword of the ips command.
You can specify how the adaptive security appliance treats traffic when the AIP SSM is unavailable due to hardware failure or other causes. Two keywords of the ips command control this behavior. The fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable. The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if the AIP SSM is unavailable.
For more information about configuring the operating mode of the AIP SSM and how the adaptive security appliance treats traffic during an AIP SSM failure, see the “Diverting Traffic to the AIP SSM” section on page 19-2.

Getting Started with the AIP SSM

Configuring the AIP SSM is a two-part process that involves configuration of the ASA 5500 series adaptive security appliance first, and then configuration of the AIP SSM:
1. On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM (as described in the “Diverting Traffic to the AIP SSM” section on page 19-2).
2. On the AIP SSM, configure the inspection and protection policy, which determines how to inspect traffic and what to do when an intrusion is detected. Because the IPS software that runs on the AIP SSM is very robust and beyond the scope of this document, detailed configuration information is available in the following separate documentation:
Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
Command Reference for Cisco Intrusion Prevention System

Diverting Traffic to the AIP SSM

You use MPF commands to configure the adaptive security appliance to divert traffic to the AIP SSM. Before configuring the adaptive security appliance to do so, read Chapter 18, “Using Modular Policy Framework,” which introduces MPF concepts and common commands.
To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following steps:
Step 1 Create an access list that matches all traffic:
hostname(config)# access-list acl-name permit ip any any
Step 2 Create a class map to identify the traffic that should be diverted to the AIP SSM. Use the class-map command to do so, as follows:
hostname(config)# class-map class_map_name
hostname(config-cmap)#
where class_map_name is the name of the traffic class. When you enter the class-map command, the CLI enters class map configuration mode.
Step 3 With the access list you created in Step 1, use a match access-list command to identify the traffic to be scanned:
hostname(config-cmap)# match access-list acl-name
Step 4 Create a policy map or modify an existing policy map that you want to use to send traffic to the AIP SSM. To do so, use the policy-map command, as follows.
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.
Step 5 Specify the class map, created in Step 2, that identifies the traffic to be scanned. Use the class command to do so, as follows.
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
where class_map_name is the name of the class map you created in Step 2. The CLI enters the policy map class configuration mode and the prompt changes accordingly.
Step 6 Assign the traffic identified by the class map as traffic to be sent to the AIP SSM. Use the ips command to do so, as follows.
hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open}
The inline and promiscuous keywords control the operating mode of the AIP SSM. The fail-close and fail-open keywords control how the adaptive security appliance treats traffic when the AIP SSM is unavailable. For more information about the operating modes and failure behavior, see the “About the AIP SSM” section on page 19-1.
Step 7 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#
where policy_map_name is the policy map you configured in Step 4. If you want to apply the policy map to traffic on all the interfaces, use the global keyword. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.
Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.
The adaptive security appliance begins diverting traffic to the AIP SSM as specified.
The following example diverts all IP traffic to the AIP SSM in promiscuous mode, and blocks all IP traffic should the AIP SSM card fail for any reason (the policy map is named my-ips-policy throughout, so that the service-policy command refers to the policy map actually created):
hostname(config)# access-list IPS permit ip any any
hostname(config)# class-map my-ips-class
hostname(config-cmap)# match access-list IPS
hostname(config-cmap)# policy-map my-ips-policy
hostname(config-pmap)# class my-ips-class
hostname(config-pmap-c)# ips promiscuous fail-close
hostname(config-pmap-c)# service-policy my-ips-policy global
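The seven steps above chain an access list, a class map, a policy map and a service policy together, and the AIP SSM only sees traffic if every link in that chain resolves and only keeps seeing it on failure if the class uses fail-close. The following Python script is an added example, not part of this guide or of Cisco's software, that audits a saved ASA configuration fragment for that chain; the sample configuration is constructed here and deliberately carries a policy-map / service-policy name mismatch (my-ids-policy vs my-ips-policy) so the audit has something to report.

```python
import re
# Constructed sample: the chapter's diversion example, with a policy-map name
# mismatch (my-ids-policy vs my-ips-policy) left in so the audit can flag it.
SAMPLE_CONFIG = """\
access-list IPS permit ip any any
class-map my-ips-class
 match access-list IPS
policy-map my-ids-policy
 class my-ips-class
  ips promiscuous fail-close
service-policy my-ips-policy global
"""

def audit_ips_policy(config):
    """Return findings; an empty list means the ips diversion is wired end to end."""
    acls, cmap_acl, pmap_ips, applied = set(), {}, {}, set()
    cmap = pmap = pclass = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"class-map (\S+)$", line):
            cmap, pmap = m.group(1), None
            cmap_acl.setdefault(cmap, None)          # class-map with no match yet
        elif (m := re.match(r"match access-list (\S+)$", line)) and cmap:
            cmap_acl[cmap] = m.group(1)
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap, cmap, pclass = m.group(1), None, None
            pmap_ips.setdefault(pmap, {})            # class name -> fail keyword
        elif (m := re.match(r"class (\S+)$", line)) and pmap:
            pclass = m.group(1)
        elif (m := re.match(r"ips (inline|promiscuous) (fail-close|fail-open)$", line)) and pclass:
            pmap_ips[pmap][pclass] = m.group(2)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            applied.add(m.group(1))
    findings = []
    for c, acl in cmap_acl.items():
        if acl not in acls:
            findings.append(f"class-map {c} matches unknown access-list {acl}")
    for p, classes in pmap_ips.items():
        for c, fail in classes.items():
            if c not in cmap_acl:
                findings.append(f"policy-map {p} references unknown class-map {c}")
            elif fail == "fail-open":
                findings.append(f"policy-map {p} class {c} passes traffic uninspected if the AIP SSM fails")
        if p not in applied:
            findings.append(f"policy-map {p} is never applied with service-policy")
    for p in applied - set(pmap_ips):
        findings.append(f"service-policy references undefined policy-map {p}")
    return findings
```

Call audit_ips_policy(SAMPLE_CONFIG) to see the two findings for the mismatch; the same routine can be run over the output of show running-config policy-map and show running-config service-policy pasted into a file.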

Sessioning to the AIP SSM and Running Setup

After you have completed configuration of the ASA 5500 series adaptive security appliance to divert traffic to the AIP SSM, session to the AIP SSM and run the setup utility for initial configuration.
Note You can either session to the SSM from the adaptive security appliance (by using the session 1 command) or you can connect directly to the SSM using SSH or Telnet on its management interface. Alternatively, you can use ASDM.
To session to the AIP SSM from the adaptive security appliance, perform the following steps:
Step 1 Enter the session 1 command to session from the ASA 5500 series adaptive security appliance to the AIP SSM:
hostname# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 2 Enter the username and password. The default username and password are both cisco.
Note The first time you log in to the AIP SSM you are prompted to change the default password. Passwords must be at least eight characters long and not a dictionary word.
login: cisco
Password:
Last login: Fri Sep 2 06:21:20 from xxx.xxx.xxx.xxx
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to export@cisco.com.
***LICENSE NOTICE***
There is no license key installed on the system.
Please go to http://www.cisco.com/go/license to obtain a new license or install a license.
AIP SSM#
Note If you see the preceding license notice (which displays only in some versions of software), you can ignore the message until you need to upgrade the signature files on the AIP SSM. The AIP SSM continues to operate at the current signature level until a valid license key is installed. You can install the license key at a later time. The license key does not affect the current functionality of the AIP SSM.
Step 3 Enter the setup command to run the setup utility for initial configuration of the AIP SSM:
AIP SSM# setup
You are now ready to configure the AIP SSM for intrusion prevention. See the following guides for AIP SSM configuration information:
Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
Command Reference for Cisco Intrusion Prevention System

Managing the CSC SSM

This section contains the following topics:
About the CSC SSM, page 19-5
Getting Started with the CSC SSM, page 19-7
Determining What Traffic to Scan, page 19-9
Limiting Connections Through the CSC SSM, page 19-11
Diverting Traffic to the CSC SSM, page 19-11

About the CSC SSM

The ASA 5500 series adaptive security appliance supports the CSC SSM, which runs Content Security and Control software. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic. It accomplishes this by scanning the FTP, HTTP, POP3, and SMTP traffic that you configure the adaptive security appliance to send to it.
Figure 19-1 illustrates the flow of traffic through an adaptive security appliance that has the following:
A CSC SSM installed and set up.
A service policy that determines what traffic is diverted to the SSM for scans.
In this example, the client could be a network user who is accessing a website, downloading files from an FTP server, or retrieving mail from a POP3 server. SMTP scans differ in that you should configure the adaptive security appliance to scan traffic sent from outside to SMTP servers protected by the adaptive security appliance.
Note The CSC SSM can scan FTP file transfers only when FTP inspection is enabled on the adaptive security appliance. By default, FTP inspection is enabled.