Determining What Traffic To Scan - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 22 Managing AIP SSM and CSC SSM
With a Plus License, the additional features enabled by default are SMTP anti-spam, SMTP content
filtering, POP3 anti-spam, URL blocking, and URL filtering.
To access the CSC SSM GUI, in ASDM choose Configuration > Trend Micro Content Security, and
then select one of the following: Web, Mail, File Transfer, or Updates. The blue links on these panes,
beginning with the word "Configure", open the CSC SSM GUI.

Determining What Traffic to Scan

The CSC SSM can scan FTP, HTTP, POP3, and SMTP traffic. It supports these protocols only when the
destination port of the packet requesting the connection is the well known port for the protocol, that is,
CSC SSM can scan only the following connections:
•
•
•
•
You can choose to scan traffic for all of these protocols or any combination of them. For example, if you
do not allow network users to receive POP3 email, you would not want to configure the adaptive security
appliance to divert POP3 traffic to the CSC SSM (you would want to block it instead).
To maximize performance of the adaptive security appliance and the CSC SSM, divert to the CSC SSM
only the traffic that you want the CSC SSM to scan. Needlessly diverting traffic that you do not want to
scan, such as traffic between a trusted source and destination, can adversely affect network performance.
The action of scanning traffic with the CSC SSM is enabled with the csc command, which must be part
of a service policy. Service policies can be applied globally or to specific interfaces; therefore, you can
choose to enable the csc command globally or for specific interfaces.
Adding the csc command to your global policy ensures that all unencrypted connections through the
adaptive security appliance are scanned by the CSC SSM; however, this may mean that traffic from
trusted sources is needlessly scanned.
If you enable the csc command in interface-specific service policies, it is bi-directional. This means that
when the adaptive security appliance opens a new connection, if the csc command is active on either the
inbound or the outbound interface of the connection and if the class map for the policy identifies traffic
for scanning, the adaptive security appliance diverts it to the CSC SSM.
However, bi-directionality means that if you divert to the CSC SSM any of the supported traffic types
that cross a given interface, the CSC SSM is likely performing needless scans on traffic from your trusted
inside networks. For example, URLs and files requested from web servers on a DMZ network are
unlikely to pose content security risks to hosts on an inside network and you probably do not want the
adaptive security appliance to divert such traffic to the CSC SSM.
Therefore, we highly recommend using access lists to further limit the traffic selected by the class maps
of CSC SSM service policies. Specifically, use access lists that match the following:
•
•
•
OL-10088-01
FTP connections opened to TCP port 21.
HTTP connections opened to TCP port 80.
POP3 connections opened to TCP port 110.
SMTP connections opened to TCP port 25.
HTTP connections to outside networks.
FTP connections from clients inside the adaptive security appliance to servers outside the adaptive
security appliance.
POP3 connections from clients inside the security appliance to servers outside the adaptive security
appliance.
Cisco Security Appliance Command Line Configuration Guide
Managing the CSC SSM
22-9