Integrating ASA Service Modules - CCNP Security FIREWALL 642-618 Official Cert Guide (2012)

Chapter 15. Integrating ASA Service Modules

This chapter covers the following topics:

Cisco ASA Security Services Modules Overview: This section provides an overview of the various Security Services Modules (SSM) and Security Services Cards (SSC) available for the Cisco ASA.

Installing the ASA AIP-SSM and AIP-SSC: This section describes the installation of the AIP-SSM and AIP-SSC.

Integrating the ASA CSC-SSM: This section details how to install and integrate the CSC-SSM.

The Cisco Adaptive Security Appliance (ASA) can be extended even further to secure an organization. These additional capabilities are possible thanks to modules and cards that can be added to the modular chassis of the Cisco ASAs. To equip the device with intrusion prevention services, the ASA features support for the Advanced Inspection and Prevention Security Services Module (AIP-SSM) and the AIP Security Services Card (AIP-SSC). For content security and filtering services, the ASA can integrate with the Content Security and Control SSM (CSC-SSM).

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 15-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”

Table 15-1. “Do I Know This Already?” Section-to-Question Mapping (table not reproduced)


Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


1. Which is not a form of traffic that you can control with the Cisco CSC-SSM?

a. HTTP

b. IPsec

c. SMTP

d. FTP

2. Which device does not feature an out-of-band management port?

a. SSM-40

b. SSM-20

c. SSC-5

d. SSM-10

3. Which management software package might you use with your CSC-SSM?

a. Trend Micro Control Manager

b. Cisco Security MARS

c. Cisco IME

d. Cisco SDM

4. Which type of license for the SSM-10 allows 50 users?

a. Standard license

b. Optional license

c. Extended license

d. Base license

5. Which mode of operation for the AIP-SSM ensures that the device inspects traffic while the module participates in the actual path of data?

a. IPS-mode

b. Inline

c. In-band

d. Promiscuous

6. Which mode of operation is often used with IDS implementations?

a. Inline

b. In-band

c. Promiscuous

d. Detect-mode

7. Which of the following is a Cisco IPS Software feature supported on all of the AIP-SSMs and AIP-SSCs?

a. Virtualization

b. Anomaly detection

c. Risk Rating System

d. External management interface

8. What does a flashing green LED on your AIP-SSM indicate?

a. The module is broken.

b. The module is passing traffic.

c. The module is healthy.

d. The module is booting.

9. Which interface on the CSC-SSM is most commonly used to access the module’s CLI from the CLI of the Cisco ASA?

a. Internal data channel

b. Out-of-band management channel

c. Internal IOS channel

d. Internal control channel

Foundation Topics

This chapter explores the various options for additional security services on the Cisco ASA, specifically intrusion prevention and content security services. The various Security Services Modules (SSM) and Security Services Cards (SSC) that make these additional services possible are explored in detail. The primary function of the Cisco ASA Advanced Inspection and Prevention SSM (AIP-SSM) is to protect the network from attacks and misuse. The primary function of the Cisco ASA Content Security and Control SSM (CSC-SSM) is to protect your network clients from malicious content.

Cisco ASA Security Services Modules Overview


A range of modules and cards adds intrusion prevention and, in some cases, content security services to the Cisco ASA, offloading that work onto dedicated hardware. For intrusion prevention and, in some cases, content security services, the following modules are available:

• SSC-5

• SSM-10

• SSM-20

• SSM-40

• IPS SSP-10

• IPS SSP-20

• IPS SSP-40

• IPS SSP-60


Note

SSP stands for Security Services Processor.


The modules that support content security and control inspect HTTP, POP3, SMTP, and FTP traffic. Traffic the module cannot read, such as IPsec, is not content-scanned. The modules that can perform content security and control are the SSM-10 and SSM-20.

Module Components

A key advantage of the modules is that they offload the CPU- and memory-intensive work of intrusion prevention and content security from the ASA onto dedicated hardware installed in the chassis. Each module provides the following:

• A dedicated CPU for intrusion prevention or content security

• Dedicated RAM for the security services

• Dedicated flash memory and a separate file system for the software image

• Out-of-band port for management (SSMs only)


Note

The amount of dedicated resources and the specific hardware characteristics will vary from module to module.


The Cisco IPS SSP line of modules has some deployment constraints:

• The IPS SSP requires that a Firewall/VPN SSP also be installed.

• All traffic must first pass through the Firewall/VPN SSP, which must occupy the bottom slot of the Cisco ASA. Traffic that matches the redirection policy is then sent to the Cisco IPS SSP installed in the top slot.

• Cisco IPS SSP interfaces are down while the module is being reset.

• Cisco IPS SSPs cannot be hot swapped. Shut the module down with the hw-module module 1 shutdown command before removing it.

General Deployment Guidelines

Although you need to master the specifics of each SSC and SSM for the FIREWALL exam, some deployment guidelines apply to all of them. Connect to the management port of an SSM only from a dedicated management network; this is the path you use to configure the module with the Cisco Adaptive Security Device Manager (ASDM) or the Cisco IPS Device Manager (IDM). For the Cisco CSC-SSM, the same management interface gives you access to the Cisco ASDM or the Trend Micro InterScan GUI.

You should also consider integrating your SSMs with management and reporting tools. You can add the CSC-SSM to the Trend Micro Control Manager. This permits you to manage multiple Trend Micro devices and monitor various activities such as security violations and virus events. You can integrate the AIP-SSM with the Cisco IPS Manager Express (IME) or with the Cisco Security Monitoring, Analysis, and Response System (MARS).

Overview of the Cisco ASA Content Security and Control SSM

The CSC-SSM runs the Trend Micro InterScan for Cisco CSC-SSM software. It provides protection against malware through its antivirus, antispyware, and antispam features, and it performs content control through URL blocking and filtering, antiphishing, HTTP and FTP file blocking, and e-mail content filtering. The module has a straightforward management interface and automatically updates its pattern files and scan engine so that detection stays current.

Cisco Content Security and Control SSM Licensing


The SSM-10 and SSM-20 modules are options for Cisco CSC-SSM functionality. The key difference between the two modules is scalability. For example, the Base license for the SSM-10 allows 50 users, whereas the Base license for the SSM-20 allows 500 users.

There are two types of licenses for the Cisco CSC-SSM: the Base license and optional licenses. Optional licenses come in two varieties: user-count upgrades and feature upgrades. A user-count upgrade raises the number of supported users; for example, the SSM-20 can be upgraded from 500 users to 1000 users. The feature upgrade license is commonly called the Plus license.

With the Base license, users can take advantage of antivirus, antispyware, and file blocking capabilities. With the Plus (feature upgrade) license, users can additionally take advantage of antispam, e-mail content control, URL filtering, URL blocking, and antiphishing capabilities.

Overview of the Cisco ASA Advanced Inspection and Prevention SSM and SSC

These modules and cards offload the processing and memory requirements of either an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS). Intrusion detection can notify an administrator that an attack against the network is taking place, whereas intrusion prevention can actually stop the attack. The Cisco Intrusion Prevention System (IPS) Software used in the modules and cards supports signature-, anomaly-, and reputation-based detection. Combining the three reduces dependence on any single method: an attack with no matching signature may still be caught by its anomalous behavior or by the poor reputation of its source.

With the signature-based approach, network traffic is compared to a database of patterns for well-known attacks. With the anomaly-based approach, network traffic is compared to a statistical profile of normal baseline usage, and significant deviations are flagged. With the reputation-based approach, the source address of the traffic is looked up in a reputation database that scores how likely that source is to be malicious. Reputation analysis relies on Cisco's global correlation feature, which lets the Cisco IPS device participate in a centralized threat database called SensorBase.

Inline Operation


Typically, you configure the AIP-SSM or AIP-SSC in inline mode of operation. This means that the original packets that a source on the network is sending travel through the IPS device. In this configuration, the module or card is in the data forwarding path, allowing intrusion prevention to take place in the system. If a malicious packet is detected, the system can drop the packet before it is permitted to reach the intended target. After the drop, the system can alert management through various alarm configurations. Figure 15-1 illustrates this inline placement.

Figure 15-1. Inline Mode (figure not reproduced)

Promiscuous Operation

In promiscuous mode, the ASA copies the packets that match the redirection policy and sends the copies to the module or card for analysis, while the original packets continue through the ASA to their destination. Because the copy is analyzed after the original has already been forwarded, the module cannot drop the offending packet; this mode is therefore used for intrusion detection rather than intrusion prevention. Figure 15-2 illustrates this configuration.

Figure 15-2. Promiscuous Mode (figure not reproduced)

Supported Cisco IPS Software Features

The AIP-SSC-5 can support the following Cisco IPS Software features:

• Passive operating system fingerprinting

• Risk Rating System

• Enhanced password recovery

The AIP-SSMs support the aforementioned features and more, including

• Sensor virtualization

• Cisco Global Correlation support

• Custom signature support

• Anomaly detection

• External management interface

Installing the ASA AIP-SSM and AIP-SSC

This section details the steps you take to implement the various modules and cards.


Installing the Cisco ASA AIP-SSC or AIP-SSM involves completing the following steps:

Step 1. Power down the Cisco ASA.

Step 2. Remove the slot cover.

Step 3. Insert the Cisco AIP-SSC or the AIP-SSM into the appropriate slot.

Step 4. Attach the screws.

Step 5. Power up the Cisco ASA.

Step 6. Check the LEDs on the card for status information. The LED on the card will flash green when the card is booting and then turn solid green when the system passes its diagnostics. An amber color for the status LED indicates that there is a problem with the device’s initialization process.

The Cisco AIP-SSM and AIP-SSC Ethernet Connections

The AIP-SSM features the following Ethernet connections:

Internal control channel: This Fast Ethernet interface is used to access the module CLI via the ASA CLI.

Internal data channel: This Gigabit Ethernet interface is used to redirect packets that need to be inspected by the module.

Out-of-band management channel: This Gigabit Ethernet interface is used for management access and for downloading the appropriate ASA AIP-SSM software.

The AIP-SSC features the following Ethernet connections:

Internal control channel: This Fast Ethernet interface is used for management access and downloading the AIP-SSC software.

Internal data channel: This Fast Ethernet interface is used to redirect packets that are to be inspected by the module.

Failure Management Modes

When you deploy an AIP-SSM or AIP-SSC, you must choose a failure mode; the choice applies in both inline and promiscuous operation. In Fail Open mode, traffic that would have been sent to the module continues to flow through the Cisco ASA uninspected if the card or module fails (or is shut down, reloading, or recovering its image). In Fail Closed mode, traffic that is to be inspected by the module or card stops flowing until the module is available again. Fail Open favors availability and Fail Closed favors enforcement; because the keyword is set per class in the service policy, you can use Fail Closed on an untrusted interface and Fail Open where an outage would cost more than a gap in inspection.

Managing Basic Features

To manage the modules and cards, you need to perform the following steps:

Step 1. On the AIP-SSC only, configure a VLAN management interface.

Step 2. Upload the Cisco IPS software to the module.

Step 3. Administer the module.

Example 15-1 demonstrates configuring the management interface for the AIP-SSC.

Example 15-1. Configuring the Management Interface for the AIP-SSC


ASA# show run
interface vlan 1
no allow-ssc-mgmt
!
interface vlan 5
allow-ssc-mgmt
ip address 192.168.1.100 255.255.255.0
nameif inside
!
interface Ethernet 0/5
switchport access vlan 5
no shutdown


To upload the software to the module (Step 2), use the hw-module module 1 recover configure command, which prompts for the TFTP URL of the Cisco IPS image and for the management IP address, VLAN, and gateway the module uses to fetch it, followed by the hw-module module 1 recover boot command. TFTP is unauthenticated, so keep the TFTP server on the management network.

You can use the following commands to administer the module:

hw-module module 1 password-reset: Resets the module password to “cisco”

hw-module module 1 reload: Reloads the module software

hw-module module 1 reset: Performs a hardware reset and then reloads the module

hw-module module 1 shutdown: Shuts down the module

show module 1: Allows you to verify the module; use the details keyword to get even more information

Initializing the AIP-SSM and AIP-SSC

To initialize the modules or cards, you need to complete the following steps:

Step 1. Open a CLI session to the module.

Step 2. Configure the basic module settings with the interactive setup dialog.

Step 3. Access the Cisco IDM to configure the Cisco IPS Software on the module.

To open the session, use the session 1 command. The default username and password are “cisco” and “cisco.” You will be prompted to change the password after your first login using the default username and password.

To run the interactive setup wizard for the initial configuration of the module or card, use the setup command.
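The following is an added example, not configuration from the cert guide, that runs the AIP-SSC management, upload, and initialization steps above end to end on an ASA 5505 (assumed here as the platform that takes the SSC-5). VLAN 10, the 10.10.10.0/24 addresses, the TFTP server, and the image file name are all assumptions for illustration.

```cisco
! Added example, not from the cert guide. Bringing up an AIP-SSC end to end.
! VLAN 10, the 10.10.10.0/24 addresses, the TFTP server and the image
! file name are assumptions for illustration.
!
! Step 1: a dedicated management VLAN for the card. allow-ssc-mgmt can be
! enabled on only one VLAN interface; keep it off the user VLAN.
interface Vlan10
 nameif mgmt
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 allow-ssc-mgmt
!
interface Ethernet0/7
 switchport access vlan 10
 no shutdown
!
! Step 2: load the Cisco IPS image. The recover configure dialog prompts
! for the image URL, the card's management IP address, the VLAN ID and
! the gateway; the values below are the assumed answers.
!   Image URL            : tftp://10.10.10.50/ips-image.img
!   Port IP Address      : 10.10.10.2
!   VLAN ID              : 10
!   Gateway IP Address   : 10.10.10.1
! TFTP is unauthenticated, so the server belongs on the management VLAN.
hw-module module 1 recover configure
hw-module module 1 recover boot
!
! Wait until the status shows Up before opening a session to the card.
show module 1 details
!
! Step 3: first login is cisco/cisco and a password change is forced;
! then run the interactive setup dialog on the sensor itself.
session 1
setup
```

The management VLAN is deliberately separate from the inside VLAN used in Example 15-1, so that only hosts on the management network can reach the card's IP address during recovery and afterward.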

Configuring the AIP-SSM and AIP-SSC

Configuration of the AIP-SSM or AIP-SSC involves three steps:

Step 1. Create a new IPS service policy rule.

Step 2. Identify traffic to redirect using a class map.

Step 3. Apply IPS redirection to the identified traffic using a policy map.

You can do this in Cisco ASDM or at the ASA command line. The following example redirects all traffic on the outside interface to the module in inline mode with Fail Open behavior:

policy-map OUTSIDE_POLICY
class class-default
ips inline fail-open
!
service-policy OUTSIDE_POLICY interface outside
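The following added example (not the cert guide's own configuration) shows the three steps with a class map that selects only the traffic worth redirecting, and applies a different failure mode on each interface. The DMZ server range 192.0.2.0/24 and the interface names are assumptions.

```cisco
! Added example, not from the cert guide. Interface names and the
! 192.0.2.0/24 DMZ range are assumptions.
!
! Steps 1 and 2: an ACL plus class map that selects inbound web traffic
! to the DMZ servers; nothing else on the outside interface is redirected.
access-list IPS_DMZ extended permit tcp any 192.0.2.0 255.255.255.0 eq www
!
class-map IPS_DMZ_CLASS
 match access-list IPS_DMZ
!
! Step 3: inline on the untrusted interface with fail-close, so a module
! outage stops the matched traffic instead of letting it bypass inspection.
policy-map OUTSIDE_POLICY
 class IPS_DMZ_CLASS
  ips inline fail-close
!
service-policy OUTSIDE_POLICY interface outside
!
! Detection only on the inside: copies go to the module and the originals
! are forwarded regardless, so fail-open costs nothing here.
class-map INSIDE_ALL
 match any
!
policy-map INSIDE_POLICY
 class INSIDE_ALL
  ips promiscuous fail-open
!
service-policy INSIDE_POLICY interface inside
!
! Verification: the policy should show the ips action on each interface,
! and the module should be Up.
show service-policy interface outside
show service-policy interface inside
show module 1 details
```

Only one service policy can be applied per interface, so any existing interface policy must be extended rather than duplicated; the global policy still applies to traffic that an interface policy does not match.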

Integrating the ASA CSC-SSM


This section details how to install, manage, initialize, and operate the Content Security and Control SSM with the Cisco ASA. Just like the AIP-SSM and AIP-SSC, the ASA CSC-SSM must be configured for Fail Open or Fail Closed operation.

Installing the CSC-SSM

To install the CSC-SSM, follow these steps:

Step 1. Power down the Cisco ASA.

Step 2. Remove the slot cover.

Step 3. Insert the CSC-SSM into the appropriate slot.

Step 4. Attach the screws.

Step 5. Power on the Cisco ASA.

Step 6. Check the LEDs for status.

Ethernet Connections

The CSC-SSM has the following Ethernet connections:

Internal control channel: This Fast Ethernet interface is used to access the module CLI from the ASA CLI.

Internal data channel: This Gigabit Ethernet interface is used to internally redirect packets that should be scanned by the module.

Out-of-band management channel: This Gigabit Ethernet interface is used for management access and for downloading the CSC-SSM software and updates.

Managing the Basic Features

To upload the software to the module, use the hw-module module 1 recover configure command (which prompts for the TFTP image URL and for the module's management IP address, VLAN, and gateway) followed by the hw-module module 1 recover boot command. As with the AIP-SSM, keep the TFTP server on the management network.

You can use the following commands to administer the module:

hw-module module 1 password-reset: Resets the module password to “cisco”

hw-module module 1 reload: Reloads the module software

hw-module module 1 reset: Performs a hardware reset and then reloads the module

hw-module module 1 shutdown: Shuts down the module

show module 1: Enables you to verify the module; use the details keyword to get even more information

Initializing the Cisco CSC-SSM

To initialize the device, follow these steps:

Step 1. Open a CLI session to the module.

Step 2. Configure basic settings with the Setup Wizard.

Step 3. (Optional) Configure basic module settings using the Cisco ASDM.

Step 4. Access the Trend Micro InterScan GUI.

To open the session, use the session 1 command. The default username and password are “cisco” and “cisco.” You will be prompted to change the password after your first login using the default username and password.

After you change the default password, the Trend Micro InterScan for Cisco CSC-SSM Setup Wizard starts. Follow the onscreen prompts to complete the wizard and initialize the module.

To access the Trend Micro InterScan GUI, point your web browser to https://<module_IP_address>:8443.

Configuring the CSC-SSM

Configuration of the ASA CSC-SSM involves a three-step process:

Step 1. Create a new service policy rule.

Step 2. Identify traffic to redirect (class map).

Step 3. Apply a CSC-SSM action to the identified traffic (policy map).
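The following added example (not configuration from the cert guide) carries the three steps out at the ASA command line. It redirects only the four protocols the CSC-SSM can inspect, so that traffic the module cannot read is never sent to it, and uses Fail Closed so that a module outage does not silently deliver unscanned mail and downloads. Policy and class names are assumptions.

```cisco
! Added example, not from the cert guide. Policy and class names are
! assumptions.
!
! Steps 1 and 2: select only the protocols the CSC-SSM scans. IPsec and
! other traffic the module cannot read is left out of the ACL.
access-list CSC_SCAN extended permit tcp any any eq www
access-list CSC_SCAN extended permit tcp any any eq ftp
access-list CSC_SCAN extended permit tcp any any eq smtp
access-list CSC_SCAN extended permit tcp any any eq pop3
!
class-map CSC_CLASS
 match access-list CSC_SCAN
!
! Step 3: attach the csc action to the default global policy so every
! interface is covered. fail-close blocks the matched protocols if the
! module is down; use fail-open instead if availability must win.
policy-map global_policy
 class CSC_CLASS
  csc fail-close
!
service-policy global_policy global
!
! Verification
show service-policy
show module 1 details
```

Because the class is part of global_policy, the same scanning rule applies in both directions on all interfaces; narrow the ACL to specific source or destination networks if only certain segments (for example, the user LAN) should be scanned.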

Exam Preparation Tasks

As mentioned in the section, “How to Use This Book,” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 17, “Final Preparation,” and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 15-2 lists a reference of these key topics and the page numbers on which each is found.

Table 15-2. Key Topics for Chapter 15 (table not reproduced)

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

AIP-SSM

CSC-SSM

Trend Micro InterScan GUI

Base license

optional licenses

intrusion detection

intrusion prevention

inline operation

promiscuous operation

Fail Open

Fail Closed

Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

To test your memory of the commands, cover the right side of Table 15-3 with a piece of paper, read the description on the left side, and then see how much of the command you can remember.

Table 15-3. Commands Related to Installing and Integrating SSMs (table not reproduced)

The FIREWALL exam focuses on practical, hands-on skills that are used by a networking professional. Therefore, you should be able to identify the commands needed to configure and test an ASA feature.