Cisco ASA Hardware Archives

Which Cisco ASA Models support IPS Module

As we mentioned in previous posts, the Cisco ASA 5500 appliance supports an Intrusion Detection/Intrusion Prevention plug-in module (AIP-SSM). However, not all models support it: only the mid-range models do. The lowest-end model (5505) and the highest-end models (5550, 5580) do not support the AIP-SSM IPS module.

ASA Models that support IPS Module:

  • Cisco ASA 5510
  • Cisco ASA 5520
  • Cisco ASA 5540

Basically, the ASA 5505 cannot take the AIP-SSM because of its small chassis. The 5550 cannot take the module either, because its hardware is already occupied by many more integrated network ports than the other models have (it has 8 10/100/1000 ports and 4 Gigabit SFP ports). The highest-end 5580 does not support the module because an inline IPS module in the 5580 would reduce its packet-forwarding performance (remember that the 5580 is usually deployed in high-traffic environments).

The CSC-SSM module of the Cisco ASA 5500 firewall offers content security inspection for FTP, HTTP, POP3 and SMTP traffic, protecting the network from viruses, spyware, worms, spam and phishing, and controlling unwanted mail and Web content. In more detail, the capabilities of the CSC-SSM module include the following:

  • Antivirus and anti-spyware protection using Trend Micro technology
  • URL filtering
  • Content filtering
  • Email filtering
  • Anti-phishing protection for Web and email
  • Anti-spam protection for email

After the initial installation and configuration of the CSC-SSM module, you need to configure the ASA firewall to send specific traffic to the module for inspection. As mentioned above, the traffic supported for inspection is FTP, HTTP, POP3 and SMTP. For SMTP, inspection works only for inbound traffic from the Internet towards internal SMTP servers protected by the ASA appliance. The flow of scanned traffic through the CSC-SSM module is shown in the figure below (figure courtesy of Cisco.com):

[Figure: CSC SSM traffic flow inspection]

To configure the Cisco ASA firewall to send traffic to the content inspection module, we use the Modular Policy Framework (MPF) as follows:

Configuring the Cisco ASA to work with CSC-SSM:

Assume we have an internal network range of 192.168.1.0/24. We want the CSC-SSM module to inspect outbound HTTP, FTP and POP3 traffic from our internal hosts towards the Internet.

! First define what traffic to inspect
ASA(config)# access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
ASA(config)# access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 21
ASA(config)# access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 110

! Create a class map to identify the traffic that should be diverted to the CSC SSM
ASA(config)# class-map csc_outbound_class
ASA(config-cmap)# match access-list inspect_outbound

! Create a policy map and attach the class-map
ASA(config)# policy-map csc_out_policy
ASA(config-pmap)# class csc_outbound_class
ASA(config-pmap-c)# csc fail-open

! Return to global configuration mode, then apply the policy map globally or to a specific interface (the inside interface in our case)
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)# service-policy csc_out_policy interface inside

The csc fail-open command under the policy-map class controls how the adaptive security appliance handles matched traffic when the CSC SSM is unavailable. The fail-open keyword lets all matched traffic through, unscanned, if the CSC module fails. The other option, csc fail-close, blocks that traffic instead.
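As an added example (not code from the original post), the following Python script audits a CSC-SSM diversion policy taken from a running configuration. It parses a constructed config fragment modelled on the commands above, with two extra access-list entries (SMTP and HTTPS) added for illustration, and reports per policy-map class whether the policy is applied, whether it is fail-open, and which ACL entries will not actually be scanned by the module (ports other than HTTP/FTP/POP3/SMTP, and SMTP entries that need to be checked for direction). The parser only understands the command forms shown on this page.

```python
"""Audit the CSC-SSM diversion policy in a Cisco ASA configuration.

Added example, not from the original post: it parses a constructed running-config
fragment modelled on the commands above and reports, per policy-map class, how the
traffic reaches the CSC SSM and what happens when the module is unavailable.
"""
from typing import Dict, List, Optional, Tuple

# Ports the CSC SSM actually scans, as listed in the post (HTTP, FTP, POP3, SMTP).
CSC_PORTS = {"80": "HTTP", "21": "FTP", "110": "POP3", "25": "SMTP"}

# Constructed sample: the post's configuration plus two extra ACEs (SMTP and HTTPS)
# that an administrator might add without realising they change nothing.
SAMPLE_CONFIG = """
access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 21
access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 110
access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 25
access-list inspect_outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 443
!
class-map csc_outbound_class
 match access-list inspect_outbound
!
policy-map csc_out_policy
 class csc_outbound_class
  csc fail-open
!
service-policy csc_out_policy interface inside
"""

Ace = Tuple[str, str, str, str, str, Optional[str]]  # acl, action, proto, src, dst, port


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'; None otherwise."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    name, action, proto, rest = t[1], t[3], t[4], t[5:]

    def take(tokens: List[str]) -> Tuple[str, List[str]]:
        # an endpoint is 'any', 'host A.B.C.D' or 'NETWORK MASK'
        if not tokens:
            return "", tokens
        if tokens[0].startswith("any"):
            return tokens[0], tokens[1:]
        return " ".join(tokens[:2]), tokens[2:]

    src, rest = take(rest)
    dst, rest = take(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return name, action, proto, src, dst, port


def audit_csc_policy(config: str) -> Dict[str, object]:
    """Return the parsed policy structure plus a list of human-readable findings."""
    aces: Dict[str, List[Ace]] = {}
    class_to_acl: Dict[str, str] = {}
    policies: Dict[str, Dict[str, str]] = {}
    attachments: Dict[str, str] = {}
    cmap = pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():                      # top-level command: leave any sub-mode
            cmap = pmap = cls = None
            ace = parse_ace(line)
            if ace:
                aces.setdefault(ace[0], []).append(ace)
            elif line.startswith("class-map "):
                cmap = line.split()[1]
            elif line.startswith("policy-map "):
                pmap = line.split()[1]
                policies[pmap] = {}
            elif line.startswith("service-policy "):
                t = line.split()
                attachments[t[1]] = " ".join(t[2:])   # 'global' or 'interface NAME'
        elif cmap and line.startswith("match access-list "):
            class_to_acl[cmap] = line.split()[2]
        elif pmap and line.startswith("class "):
            cls = line.split()[1]
        elif pmap and cls and line.startswith("csc "):
            policies[pmap][cls] = line.split()[1]     # 'fail-open' or 'fail-close'

    findings: List[str] = []
    for name, classes in policies.items():
        if name not in attachments:
            findings.append(f"{name}: policy-map is never applied with service-policy")
        for cls_name, mode in classes.items():
            if mode == "fail-open":
                findings.append(f"{name}/{cls_name}: csc fail-open, matched traffic is forwarded "
                                "unscanned whenever the CSC SSM is down")
            acl = class_to_acl.get(cls_name)
            if acl is None:
                findings.append(f"{name}/{cls_name}: class-map has no 'match access-list'")
                continue
            for _, action, proto, _, _, port in aces.get(acl, []):
                if action != "permit":
                    continue
                if port not in CSC_PORTS:
                    findings.append(f"{acl}: '{proto} eq {port}' is not HTTP/FTP/POP3/SMTP, "
                                    "the CSC SSM will not scan it")
                elif port == "25":
                    findings.append(f"{acl}: SMTP entry, the CSC SSM scans SMTP only inbound to "
                                    "internal servers; confirm this ACE matches Internet-to-server flows")
    return {"policies": policies, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for finding in audit_csc_policy(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Swapping `csc fail-open` for `csc fail-close` in the sample removes the first finding; the choice is an availability-versus-inspection trade-off that the script makes visible rather than decides for you.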

The Cisco ASA 5500 security appliance is not just a plain firewall. With the add-on AIP-SSM security module, you can also turn the ASA 5500 into an IDS/IPS sensor. The AIP-SSM (Advanced Inspection and Prevention Security Services Module) is a full-blown IDS/IPS sensor with the same software and functionality as the standalone IPS 4200 series appliances.

Cisco ASA 5505 Network Port Interfaces

The figure below (taken from Cisco) illustrates the back panel of the Cisco ASA 5505 appliance, showing the network interfaces and other important hardware points.

[Figure: Cisco ASA 5505 back panel, network port interfaces]

  1. Power 48VDC
  2. SSC slot
  3. Network interface LEDs
  4. Network interfaces
  5. Console port
  6. USB 2.0 interface
  7. Reset button
  8. Lock slot

Starting from right to left, we have Ethernet0/0 up to Ethernet0/7. The last two ports, Ethernet0/6 and Ethernet0/7, are also Power over Ethernet (PoE) ports, which means that besides normal computers you can also connect IP phones, which are powered by the firewall's PoE ports. The eight network interfaces of the ASA 5505 work only as Layer 2 ports, which is what distinguishes the 5505 from the other ASA models: you cannot configure a Layer 3 IP address directly on a physical interface. Also, port Ethernet0/0 is used as the outside (untrusted) interface connecting to the Internet, and the remaining interfaces Ethernet0/1 to 0/7 are used as the trusted inside interfaces connecting to internal hosts. By default, VLAN 2 is assigned to Ethernet0/0 and the native VLAN 1 is assigned to the rest of the interfaces. Two Switch VLAN Interfaces (SVIs) exist by default (interface Vlan 1 and interface Vlan 2) and carry the Layer 3 IP addresses for the outside interface (Ethernet0/0) and for the inside zone (Ethernet0/1 to 0/7).
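The port-to-VLAN layout just described can be checked mechanically. The following Python script is an added example, not code from the original post: it parses the interface blocks of a constructed ASA 5505 running-config fragment, maps each Ethernet0/x port to its VLAN (native VLAN 1 unless a switchport access vlan line says otherwise), records which zone name each VLAN interface carries, and flags a Layer 3 address placed on a physical port, which the 5505 does not support. The sample config and the mistake on Ethernet0/2 are constructed for the example.

```python
"""Lint a Cisco ASA 5505 interface configuration against the model's Layer 2 port rules.

Added example, not from the original post. It parses the 'interface' blocks of a
constructed running-config fragment and reports which physical Ethernet0/x ports sit in
which VLAN, which VLAN interface (SVI) names each zone, and any Layer 3 address placed
directly on a physical port, which the 5505 does not support.
"""
from typing import Dict, List

POE_PORTS = {"Ethernet0/6", "Ethernet0/7"}   # the two PoE-capable ports on the 5505

# Constructed sample: factory-style VLAN layout plus one deliberate mistake on Ethernet0/2.
SAMPLE_5505_CONFIG = """
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface NAME' block to the stripped sub-commands beneath it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():               # a top-level command ends the current block
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def port_vlan_map(blocks: Dict[str, List[str]]) -> Dict[int, List[str]]:
    """VLAN id -> physical ports; a port without 'switchport access vlan' is in VLAN 1."""
    mapping: Dict[int, List[str]] = {}
    for name, lines in blocks.items():
        if not name.startswith("Ethernet"):
            continue
        vlan = 1
        for ln in lines:
            if ln.startswith("switchport access vlan "):
                vlan = int(ln.split()[-1])
        mapping.setdefault(vlan, []).append(name)
    return mapping


def lint_5505(config: str) -> Dict[str, object]:
    """Return the VLAN layout, zone names, PoE ports present and a list of findings."""
    blocks = parse_interfaces(config)
    vlans = port_vlan_map(blocks)
    zones: Dict[int, str] = {}                 # VLAN id -> nameif carried by its SVI
    for name, lines in blocks.items():
        if name.startswith("Vlan"):
            for ln in lines:
                if ln.startswith("nameif "):
                    zones[int(name[4:])] = ln.split()[1]
    findings: List[str] = []
    for name, lines in blocks.items():
        if name.startswith("Ethernet") and any(ln.startswith("ip address ") for ln in lines):
            findings.append(f"{name}: Layer 3 address on a physical port; 5505 ports are Layer 2 "
                            "only, put the address on the VLAN interface instead")
    for vlan, ports in vlans.items():
        if f"Vlan{vlan}" not in blocks:
            findings.append(f"VLAN {vlan} has ports {ports} but no 'interface Vlan{vlan}' "
                            "to carry an address")
    return {"vlans": vlans, "zones": zones,
            "poe_ports": sorted(POE_PORTS & set(blocks)), "findings": findings}


if __name__ == "__main__":
    result = lint_5505(SAMPLE_5505_CONFIG)
    for vlan, ports in sorted(result["vlans"].items()):
        print(f"VLAN {vlan} ({result['zones'].get(vlan, 'unnamed')}): {', '.join(ports)}")
    for finding in result["findings"]:
        print("finding:", finding)
```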

Implementing security in layers is the recommended network security design for protecting information assets. You achieve this by segmenting the network into several security zones with an ASA firewall and applying access policies between them according to their security levels. By default, Cisco ASA firewalls come with at least four 10/100/1000 network interfaces, which is sometimes not enough. Considering that one physical interface is needed for the failover configuration (if used) and that one interface is usually dedicated to Internet connectivity, only two physical interfaces are left for further network segmentation.

Cisco 4GE SSM Network Expansion Module

By adding the Cisco ASA 4-Port Gigabit Ethernet Security Services Module (4GE SSM, shown above) you instantly expand the firewall's interfaces to a total of three Fast Ethernet and six Gigabit Ethernet ports on the Cisco ASA 5510 Security Plus, and to eight Gigabit Ethernet ports and one Fast Ethernet port on the Cisco ASA 5520 and 5540 appliances. This gives you plenty of physical interfaces to implement your security design without hardware limitations.
