Cisco PIX 500 Series Configuration Manual page 424

Managing the CSC SSM
To enable traffic scanning with the CSC SSM, use the csc command, which must be part of a service
policy. Service policies can be applied globally or to specific interfaces; therefore, you can enable the
csc command globally or for specific interfaces.
Adding the csc command to your global policy ensures that all unencrypted connections through the
adaptive security appliance are scanned by the CSC SSM; however, this setting may mean that traffic
from trusted sources is needlessly scanned.
If you enable the csc command in interface-specific service policies, it is bi-directional. Bi-directionality
means that when the adaptive security appliance opens a new connection, if the csc command is active
on either the inbound or the outbound interface of the connection and the class map for the policy
identifies traffic for scanning, the adaptive security appliance diverts this traffic to the CSC SSM.
However, bi-directionality also means that if you divert any of the supported traffic types that cross a
given interface to the CSC SSM, it is probably performing unnecessary scans on traffic from your trusted
inside networks. For example, URLs and files requested from web servers on a DMZ network are
unlikely to pose content security risks to hosts on an inside network, and you probably do not want the
adaptive security appliance to divert this traffic to the CSC SSM.
Therefore, we recommend using access lists to further limit the traffic selected by the class maps of CSC
SSM service policies. Specifically, use access lists that match the following:
• HTTP connections to outside networks.
• FTP connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance.
• POP3 connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance.
• Incoming SMTP connections destined to inside mail servers.
In Figure 22-7, the adaptive security appliance should be configured to divert to the CSC SSM the
requests from clients on the inside network for HTTP, FTP, and POP3 connections to the outside network
and the incoming SMTP connections from outside hosts to the mail server on the DMZ network. HTTP
requests from the inside network to the web server on the DMZ network should not be scanned.
Figure 22-7 Common Network Configuration for CSC SSM Scanning
[Figure: the security appliance with an inside interface (192.168.10.0), a dmz interface (192.168.20.0) with the web server and the mail server, and an outside interface (192.168.30.0) connected to the Internet.]
To identify the traffic that you want to scan, you can configure the adaptive security appliance in
different ways. One approach is to define two service policies, one on the inside interface and the other
on the outside interface, each with an access list that matches traffic to be scanned. The following access
list can be used on the policy applied to the inside interface:
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 22 Managing the AIP SSM and CSC SSM
22-14