Limiting Connections Through The Csc Ssm - Cisco PIX 500 Series Configuration Manual

Chapter 22
Managing the AIP SSM and CSC SSM
Managing the CSC SSM
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
As previously mentioned, policies applying the csc command to a specific interface are effective on both
ingress and egress traffic. However, by specifying 192.168.10.0 as the source network in the csc_out
access list, the policy applied to the inside interface matches only connections initiated by the hosts on
the inside network. Notice also that the second ACE of the access list contains the deny keyword. This
ACE does not mean the adaptive security appliance blocks traffic sent from the 192.168.10.0 network to
TCP port 80 on the 192.168.20.0 network. Instead, the ACE exempts the traffic from being matched by
the policy map and thus prevents the adaptive security appliance from sending the traffic to the CSC
SSM.
You can use deny keywords in an access list to exempt connections with trusted external hosts from
being scanned. For example, to reduce the load on the CSC SSM, you might want to exempt HTTP traffic
to a well-known, trusted site. If the web server at this site has the IP address 209.165.201.7, you could
add the following ACE to the csc_out access list to exclude HTTP connections between the trusted
external web server and inside hosts from being scanned by the CSC SSM:
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80
The second policy in this example, applied to the outside interface, could use the following access list:
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
This access list matches inbound SMTP connections from any external host to any host on the DMZ
network. The policy applied to the outside interface would therefore ensure that incoming SMTP e-mail
would be diverted to the CSC SSM for scanning. However, the policy would not match SMTP
connections from hosts on the inside network to the mail server on the DMZ network, because those
connections never use the outside interface.
If the web server on the DMZ network receives files uploaded by HTTP from external hosts, you could
add the following ACE to the csc_in access list to use the CSC SSM to protect the web server from
infected files:
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
For a service policy configuration using the access lists in this section, see Example 22-1.
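The exemption behaviour described above depends on the appliance evaluating ACEs in order and acting on the first match. The following Python model is an added example, not Cisco code: it parses constructed copies of the csc_out and csc_in lists and reports whether a given connection would be sent to the CSC SSM ("scan"), exempted by a deny ACE ("exempt"), or left unmatched by the class-map ("no-match"). It assumes the trusted-site deny is inserted ahead of the broader permit for port 80, because a deny appended after that permit would never be reached.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of the csc_out and csc_in lists from this section. The
# trusted-site deny sits ahead of "permit ... any eq 80": ACEs are evaluated
# in order and the first match wins, so a deny placed after it is never reached.
CSC_OUT = """\
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
access-list csc_out deny tcp 192.168.10.0 255.255.255.0 209.165.201.7 255.255.255.255 eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
"""
CSC_IN = """\
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
"""

@dataclass
class Ace:
    action: str                 # "permit" = send to CSC SSM, "deny" = exempt from scanning
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int

def _net(tokens, i):
    # Consume 'any' or 'ADDR MASK' starting at tokens[i]; return (network, next index).
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acl(text):
    """Parse the 'access-list NAME {permit|deny} tcp SRC DST eq PORT' form used here."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[3] != "tcp":
            continue
        src, i = _net(t, 4)
        dst, i = _net(t, i)
        assert t[i] == "eq", line
        aces.append(Ace(t[2], src, dst, int(t[i + 1])))
    return aces

def csc_decision(aces, src_ip, dst_ip, dport):
    """First matching ACE decides: permit -> 'scan', deny -> 'exempt', none -> 'no-match'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst and dport == ace.dport:
            return "scan" if ace.action == "permit" else "exempt"
    return "no-match"
```

The model covers only the access-list match; the interface a connection actually uses is a separate condition, which is why inside-to-DMZ SMTP never reaches the csc_in policy even though its ACE would match.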

Limiting Connections Through the CSC SSM

The adaptive security appliance can prevent the CSC SSM, and the destinations of the connections it scans,
from accepting or even receiving requests for more connections than desired. The set connection command
lets you configure limits for embryonic (half-open) connections or fully established connections, either
for all clients included in a class-map or per client. The per-client-embryonic-max and per-client-max
parameters limit the number of connections that an individual client can open. If a client uses more
network resources simultaneously than is desired, you can use these parameters to limit the number of
connections that the adaptive security appliance allows for each client.
DoS attacks seek to disrupt networks by overwhelming the capacity of key hosts with connections or
requests for connections. You can use the set connection command to thwart DoS attacks. After you
configure a per-client maximum that can be supported by hosts likely to be attacked, malicious clients
will be unable to overwhelm hosts on protected networks.
Cisco Security Appliance Command Line Configuration Guide
22-15
OL-12172-03
