Search This Blog

Wednesday, 11 July 2012

Cisco ASA CSC - Access to certain websites is very slow with the Trend Security Module

Problems when you have a Cisco ASA 5510 and the CSC Module for Malware scanning.

Reference http://www.cisco.com/en/US/docs/security/csc/csc60/administration/guide/csc8.html#wp1052642

Slow Website Access

The initial issue is that a website is not loading quickly, this will be slower than normal and if you test the website from another Internet connection the page loads normally within a few seconds. You find that it only loads slowly from your network where you have the Cisco ASA 5510 and the CSC Module.

Change ACL for the CSC Traffic

There are some websites that will not work well through the HTTP scanning in the CSC Module and so it is necessary to exclude them from being scanned. This is controlled by your ACL for the CSC traffic.
So in this example we want to exclude the website hosted on 192.168.1.1 so we have to change our acl to first deny traffic to the site we want to exclude and then allow all other traffic. When we access the site on 192.168.1.1 this triggers the deny rule and so the traffic is not included in the class map my_csc_class and thefore it is not passed to the CSC Module for HTTP scanning.
! exempt http traffic to 192.168.1.1
access-list 101 deny tcp any host 192.168.1.1 eq http
! catch everything else
access-list 101 permit tcp any any eq http
class-map my_csc_class
match access-list 101
policy-map my_csc_policy
class my_csc_class
csc fail-close
service-policy my_csc_policy interface inside

Cisco ASA logs

media_1342024317689.png
Here you can see the command show access-list csc_out which is the acl for matching the traffic to be scanned, I have added a line
access-list csc_out extended deny tcp 10.0.4.0 255.255.255.192 host 91.206.232.220
The IP address 91.206.232.220 is the actual IP of the site I want to exclude in the real world and now you can see that the hitcount for this is 8 in the deny acl and 150 in the permit acl. So what is happening is that when the site loads the first 4 hits on http are denied as per our acl and then the other hits on http are on our permit acl and are allowed. In this instance the site went from a load of over 2 minutes to under 10 seconds so excluding the IP address of the site in DNS has resolved the issue.

No comments:

Post a Comment