ASA Content Security

Similar Messages

• Numbers of users for ASA Content Security module

  Hi,
  Can someone tell me how the ASA Content Security module recognize the maxi number of users ?
  eg. :  ASA-SSM-CSC-20-K9= is for 500 users. What will happen if I exceed to 560 users ?  Does the module recognize that there are more users than expected ?
  Best regards

  You will get similar message
  License violation has been detected on the InterScan for CSC SSM. There are currently 560 active nodes while you only have 500 seats of license. 60 more seats of license is required.
  Please upgrade your license to resolve the violation.

• ASA Content Security Module (Anti-X) issue

  Is there a way to configure the Anti-X module such as I can filter the web content based on source VLAN or subnet? I need to implement something like that and can?t find how to do it.

  Traffic for CSC inspection is done using the Modular Policy Framework commands to create a service-policy
  General modular policy info is here
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mpc.html
  The service policy you create sends traffic to the CSC for inspection
  The service policy identifies traffic using one or more class-maps
  Class-maps can use an access-list to match interesting traffic
  So it's up to how creative you can get with your access-list really.
  Info here should be of some help
  http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html#wp1058664
  Here's an extremely basic example to hopefully get you going that inspects only http traffic initiated from the 10.1.1.0/24 subnet
  access-list MATCH_CSC extended permit ip 10.1.1.0 255.255.255.0 any eq http
  class-map MATCH_CSC_CLASS
  match access-list MATCH_CSC
  policy-map CSC_POLICY
  class MATCH_CSC_CLASS
  csc fail-close
  service-policy CSC_POLICY global
  Hope this helps

• Cisco ASA 5510 Content Security bundle

  Hello,
  please help me  to understand if i buy  the    Cisco ASA 5510 Content Security bundle  for  my  network   found  there is   1 yr subscription for the content
  security features.  what are  services included in it.  Does   URL blocking and filtering  includ  in this subscription  or  its a seperate features.
  Thanks,
  Saroj Pradhan

  Here is the license for CSC module and it lists what is included in Basic and Plus CSC license:
  http://www.cisco.com/en/US/docs/security/csc/csc66/administration/guide/csc1.html#wp1045405
  One year subscription is providing you the ability to upgrade the virus scan engine, spyware pattern file, anti spam, etc

• Content Security Licensing on Cisco ASA

  Hi Guys,
  Need help on licensing of content security on Cisco ASAs. Hope someone would be able to help.
  Our customer has a ASA5520-CSC20-K9 (default 500 users) appliance. When the appliance was first bought, they upgraded it to 750 user license and PLUS feature license. They want to renew these licenses. Kindly advise the following:
  1. In order to do so, is it right that the customer has to purchase both the following (to cater to the 750 users and PLUS features)?
  • L-ASACSC20-500UP1Y     ASA 5500 CSC-SSM-20 500-User w/ Plus Lic. Renewal (1-year)
  • L-ASACSC20-250UP1Y     ASA 5500 CSC-SSM-20 250-User w/ Plus Lic. Renewal (1-year)
  2. Do the renewal licenses above include BASE features (Anti-Virus, Anti-Spyware, File-Blocking)?
  Thanks!
  Citra

  That unfortunate.  It seems like with the VPN licensing they realized if you were in an active/standby configuration then you should only have to pay for one license, thus the license change in 8.3+ only requires you to purchase one license.  I thought this would have carried over into IPS. 
  Beings we haven't failed over to the standby unit in 2 years, would it be possible to install the IPS module in both the active and standby appliances, but just license the one in the active mode?  I don't care if we are running without IPS on the standby if we did have to failover for some amount of time.  Or does having it licensed on one and not the other mess with being in active/standby failover mode?

• Can I have both IPS and Content security on ASA5510?

  Hi expert
  We want to have a ASA5510 with both IPS function and Content Security feature, while I checked on Cisco website, looks like ASA5510 or 5520 only have one SSM slot, so I can only use either AIP module or CSC module, does it mean I can not get both features at the same time.
  Right now I want to have IPS function and anti-spam, anti-virus, antiphishing, content filtering, URL blocking such feature, so what do I need to buy to have all of these function in one device?
  Thanks

  Dear Echo Chan .
             You can go with CSC module for your requirement , most of your requirement could be satisified by CSC module except IPS functionality
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e_ps9774_Products_Q_and_A_Item.html
  The Cisco ASA 5500 Series CSC-SSM is an add-on services module for Cisco ASA 5500 Series appliances. It delivers industry-leading threat protection and content control at the Internet edge, providing comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering services.
  HTH
  Thks
  Santhosh Sarav

• Content security policy not being respected

  The following (seemingly valid) Content Security Policy does not work in Safari:
  script-src 'unsafe-eval' 'self' by.uservoice.com widget.uservoice.com www.google.com use.typekit.net js.stripe.com  localhost:35739
  Errors occur for a number of requests to the permitted services, including e.g.:
  Refused to load the script 'https://js.stripe.com/v1/?_=1398952171104' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'self' by.uservoice.com widget.uservoice.com www.google.com use.typekit.net js.stripe.com  localhost:35739".

  Thanks for your reply gdgmac.
  Is there no easier way to do this?
  I understand I could backup, reset, then restore, but I was hoping there was some easier way.
  Out of curiosity, is this as-per-design?
  Many thanks for your help again,
  Chris

• Cisco ASA ( Adaptiv Security Algorithm )?

  Hello,
  Im french so sorry for my english , i will do my best to explain my question.
  Im actually working on Cisco PIX 501 ( for school ).
  I have to do some test on it , search what is able to do and how to proove it...
  My question is about Cisco ASA ( Adaptiv Security Algorithm ) , what is it doing? i mean it just simply stop every information coming from outside to inside(security 0 to 100) or is it doing more? is it searching wrong/good packets or just stop everything?and if it's doing that , how it's done?
  My question could be : what cisco ASA doing more than ACL?
  I hope im clear enough in my questions,i search a lot on internet but didnt find an answer.
  Thank you!
  Amaury

  if i understand good what you mean , ASA/algorithm is a part of different processes which are part of stateful inspection
  not really,  I would say that stateful inspection is part of the adaptive security algorithm.  The algroithm goes through processes such as ACL check, NAT..etc. and based on these check makes entries in the state table.
  ( by the way stateful inspection = stateful firewalling , right?)
  Kind of.  Stateful inspection is what the stateful firewall does and not what it is if you can understand that.  A stateful firewall performs stateful inspection.  So stateful inspection is not a firewall.
  when you said "showing tcp  connections and NAT xlate table entries at  the firewall CLI before and  after" , iam ok with that but what are the  command to check table entries? i cant find it.
  show conn protocol tcp will show you the TCP connections through the firewall and show xlate will show you the NAT translation that are currently active.
  Aswell i will need the commands to configure ( if possible ) stateful  inspection and traffic inspection , but i will try search by myself  because i didnt start yet
  Again, stateful inspection is not something you configure but is what the ASA does based on configured rules.  so all you need to do is configure ACLs and NAT rules and routing and the ASA does all the stateful inspection stuff on its own.
  Please remember to rate and select a correct answer

• Get Content Security Role using PCS tags in Presentation Template

  I'm trying to determine what content security access(role) a user has in Publisher using PCS tags in the Presentation Template. Basically I need to check whether a user has access or not to a content item in Publisher and before an action. I've looked through all documentation can't find anything related to this, I know I could do this using remote API but I'd rather use PCS tags if possible.
  thanks

  Vince,
  I don't think this is possible directly, however we have enabled this in publisher by checking if the user is in a specific group, or content manager and doing a check with the following code if it helps.
  <pt:standard.choose xmlns:pt='http://www.plumtree.com/xmlschemas/ptui/'>
  <pt:standard.when pt:test="stringToACLGroup('group=1,<pcs:value expr="groups"></pcs:value>;').isMember($currentuser)" xmlns:pt='http://www.plumtree.com/xmlschemas/ptui/'>
  </pt:standard.when>
  </pt:standard.choose>
  You could do the same with users. We added a select tree to choose the users and groups within publisher.
  Hope this helps.

• Trouble with Content Security Policy (CSP)

  In the latest Firefox 33 there seem to be an issue with Content Security Policy (CSP) and how it handles url that are url encoded.
  For instance when some CSP directive is set to like https://mywebsite.com/application/do;jsessiond=1234 - it will get URL encoded so the ; gets replaced by %3B.
  In Firefox 32 and earlier this worked, but not in this new solution.

  It may be that it needs a header application/x-www-form-urlencoded is this included in your url request as well as charset UTF-8?
  If you select a different encoding via web dev [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI]
  This sounds like what it did before? [http://www.justarrangingbits.org/firefox-magic-decoding-address-bar/index.html]

• LSO- offline player-Is the content secure?

  Hi
  Is it possible to record the content in a PC or write the content in a CD from offline player? meaning is the content is secure?

  We have a concern that if we allow offline player, it may allow employees to record the course on a CD and is there any possibility to restrict this.

• ArchiveLink and Contents Security

  Hi,
  This is in reference to ArchiveLink HTTP interface 4.5
  From what I have read so far in ArchiveLink related documentation is that although the communication between SAP and and external content server is secure, the content that is exchanged between SAP and external content server is not secured. Is that correct? What can we do to make sure that the content exchanged is also secure and no body can read it (support for encryption, https etc.?)
  -Y

  Hi,
  if you work with the content server or a R3 database you use the HTTP interface. SAP Content Server and R3 Database repository don't support the OLE archiveLink scenario. What you could do is the following:
  1. Early archiving: you scan into the file system. You write a report that is archiving the documents via the SCMS API of Kpro. Then you start the workflow.
  2. Late archiving: you scan into the file system with a list barcode -> filename. Then you write a report which is calling BAPI_BARCODE_SENDLIST and the images are linked with the BO object.
  The reports have to be planned as jobs.
  Best regards
  Torsten

• What's with the new edition of Pages using Maverick?  Google rejects the files  with the following message attached "The reason for the problem: 5.3.0 - Other mail system problem 552-'5.7.0 This message was blocked as its content security threat?

  I recently upgraded both Pages 09 (I believe) and went to OSX 10.9 Maverick .... now I am unable to send a pages document to a friend on gmail.  Google rejects the message and attachment with the following explanation -
  The reason for the problem:
  5.3.0 - Other mail system problem 552-'5.7.0 This message was blocked because its content presents a potential\n5.7.0 security issue.

  Same Problem here
  IWORKS 09    pages, keynote, numbers does not send in MAIL (mac) because of "This message was blocked because its content presents a potentialsecurity issue"
  its a problem not only on GMAIL but also Live, Hotmail, Yahoo, and other services...
  The problem is that gmail and others haved yet accepted the latest iworks 09 files. its a problem that apple can ask then to fix but its up to the gmail and others to fix it.
  Solution!!!:
  1 - Send it by exporting to office files
  2 - Saving the files as old iwork documents
  3 - Command P and save as PDF
  4 - Save in icloud and send the URL
  So you can still send them but have to take a bit more of your time
  i hope you understand my english is not optimal
  And if you have any questions feel free to ask me

• Disable mixed content security warning in IE?

  The following security warning is displayed when I try to access an eLearning course in SumTotal using Internet Explorer 8:
  My content is an AICC package published from Captivate 8. My project does not reference any external links, so why am I getting this warning? Is there a way to disable it?

  Perhaps the external links are in the Adobe codebase where you cannot see them.

• Secure Area - Is content secure & how to best implement.

  I have a secure area on a web site that works fine (user is directed to secure area on successful login).  My question pertains to copying the URL of the secure  area and pasting in to a new browser.  Even after a logout the secure information is displaying.  Is there any way of preventing this?  Is this how a secure area is designed to work?

  Make sure that whatever page you end up on is set to be a secure page--- you have to login to BC and goto Site Manager > Pages and find your page that is the homepage for your secure zone and edit it.  When editing your page, click the Actions button and select "Add Page to Secure Zone" and choose the secure zone you've setup.
  The only way that your page will show if you paste the URL when you are logged out is if that page is not setup to be in a secure zone.  If you set it up properly and logout, when you visit that page again it should tell you that the content is blocked off and you need to login.