Networks Training

You are here: Home / Cisco ASA General / Antivirus and Antispam protection with CSC SSM

Antivirus and Antispam protection with CSC SSM

Written By

The CSC-SSM module of the Cisco ASA 5500 Firewall offers content security inspection for FTP, HTTP, POP3, and SMTP traffic, thus protecting the network from viruses, spyware, worms, spam and phishing, and controls unwanted mail and Web content. In more detail, the capabilities of the CSC-SSM module include the following:

  • Antivirus and Antispyware protection using the Trend Micro technology.
  • URL filtering
  • content filtering
  • email filtering
  • anti-phishing protection in Web and email.
  • Anti-spam protection in email.

After initial installation and configuration of the CSC-SSM module, you need to configure the ASA Firewall to send specific traffic to the module for inspection.

The traffic supported for inspection is FTP, HTTP, POP3 and SMTP as we mentioned above. For SMTP traffic, the inspection works only for inbound traffic from the Internet towards internal SMTP servers protected by the ASA appliance.

The flow of scanned traffic with the CSC-SSM module is shown on the figure below (figure courtesy of Cisco.com):

MORE READING:  Cisco ASA Appliance - Five Functionalities in One Box

csc ssm traffic flow inspection

To configure the Cisco ASA Firewall to send traffic to the content inspection module we need to use the modular policy framework as following:

Configuring the Cisco ASA to work with CSC-SSM:

Assume we have an internal network range of 192.168.1.0/24. We want to configure the CSC-SSM module to inspect outbound HTTP, FTP, and POP3 traffic from our internal hosts towards the Internet.

! First define what traffic to inspect
ASA(config)# access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
ASA(config)# access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 21
ASA(config)# access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 110

! Create a class map to identify the traffic that should be diverted to the CSC SSM
ASA(config)# class-map csc_outbound_class
ASA(config-cmap)# match access-list inspect_outbound

! Create a policy map and attach the class-map
ASA(config)# policy-map csc_out_policy
ASA(config-pmap)# class csc_outbound_class
ASA(config-pmap-c)# csc fail-open

! Apply the policy map globally or to a specific interface (inside in our case)
ASA(config-pmap-c)# service-policy csc_out_policy interface inside

MORE READING:  ExtraBacon Cisco ASA Vulnerability

The csc fail-open command under the policy-map controls how the adaptive security appliance handles traffic when the CSC SSM is unavailable. The fail-open keyword specifies that all traffic will be permitted in case the CSC module fails. The other option is fail-close.

Related Posts

Filed Under: Cisco ASA General

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING

BLOGROLL

Tech21Century
Firewall.cx