cisco csc-ssm module filtering for extension & plugin

I have a Cisco ASA 5510 firewall with a CSC-SSM 10 module. It is filtering HTTP & HTTPS URLs well, but now users are installing extensions from the
Chrome Web Store & Firefox web store to access the blocked websites, like ZenMate. How do I block this via the CSC-SSM module?
Rahul Dev Singh asked:

btan (Exec Consultant) commented:
I was thinking of
(a) URL blocking (there are a couple of URL filtering categories - see table 4-4) or
(b) File blocking (Chrome Web Store extensions are mostly .CRX and Firefox web store extensions are mostly .xpi; of course there may be more, like Google apps of .APK etc.)

http://www.cisco.com/c/en/us/td/docs/security/csc/csc66/administration/guide/cscssm66/csc4.html

The above features are stated (at the link below) to require a Plus (instead of Basic) license.
http://www.cisco.com/c/en/us/td/docs/security/csc/csc66/administration/guide/cscssm66/csc1.html#wp1048125
Rahul Dev Singh (Author) commented:
File blocking is only for HTTP, not for HTTPS.
btan (Exec Consultant) commented:
Indeed, file blocking does not cover HTTPS; URL blocking covers HTTPS but is limited, since it cannot do deep inspection either.
HTTPS Traffic Issue

Problem

You are unable to block the HTTPS traffic through CSC-SSM. How can the HTTPS traffic be blocked?

Solution

The CSC-SSM cannot block the HTTPS traffic because it cannot deep inspect the packet due to the SSL encryption on it.

Unable to bypass traffic from CSC Inspection

Traffic can be bypassed from CSC Inspection if you add deny statements for the network ranges in question to the ACL used for matching traffic to pass to the module.

Unable to log all the HTTP traffic that passes through CSC-SSM

CSC cannot log all of the traffic but only displays information of block/filtered attempts.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/99141-asa-traffic-csc-ssm-config.html
This feature requires the Plus License.
HTTPS filtering is only supported when the ASA is running Version 8.4(2) or later.
(http://www.cisco.com/c/en/us/td/docs/security/csc/csc66/administration/guide/cscssm66/csc4.html#wp1098125)

btan (Exec Consultant) commented:
To add, though, the ASA CSC-SSM "limited" HTTPS URL blocking is also specific to the below (compared to the past, when it did not support HTTPS at all):
If you use the domain name to perform URL filtering or URL blocking, the browser must support the Server Name Indication (SNI) extension of TLS. As a result, you must make sure that you have enabled TLS and that your browser supports SNI.....

If you use a browser that does not support SNI (for example, IE on the Windows XP series), the IE browser does not send the domain name in the SSL handshake of an HTTPS request. The CSC SSM uses the IP address of the HTTPS site to perform categorization instead of the domain name. As a result, the behavior of the IE browser might be different from that of other browsers that support SNI, such as Firefox, which uses the domain name to perform categorization.
Otherwise, I was even thinking of the CSC-SSM scanning DNS packets and dropping DNS requests for those mentioned domains. There is some sharing of the config in the forum - http://www.routerdiscussions.com/viewtopic.php?f=7&t=15556

But overall, such blocking needs to look at other alternatives, like locking down the browser on your endpoint, or having another web proxy gateway (or equivalent network system) doing content inspection of SSL-decrypted traffic using a web-capable proxy like Squid, Bluecoat or Websense... there is SSL interception involved to do that, which is not straightforward.
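The SNI-dependent behaviour the quoted Cisco note describes, as an added example that is not part of the original thread or of Cisco's code: a minimal TLS ClientHello builder and SNI parser, plus a classifier that categorizes by domain when SNI is present and falls back to the destination IP when it is absent (the non-SNI browser case). BLOCKED_DOMAINS, the IP set and all addresses are constructed assumptions.

```python
import struct

# Constructed blocklist: store domains the thread above discusses blocking.
BLOCKED_DOMAINS = {"chrome.google.com", "clients2.google.com", "addons.mozilla.org"}

def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record, with an SNI extension if sni is given."""
    body = b"\x03\x03" + bytes(32)           # client_version, random (zeroed for the sample)
    body += b"\x00"                           # session_id length 0
    body += b"\x00\x02\x00\x2f"               # cipher_suites: one suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                       # compression_methods: null only
    exts = b""
    if sni is not None:
        name = sni.encode()
        sni_list = b"\x00" + struct.pack(">H", len(name)) + name   # name_type 0 = host_name
        ext_data = struct.pack(">H", len(sni_list)) + sni_list
        exts += b"\x00\x00" + struct.pack(">H", len(ext_data)) + ext_data  # ext type 0 = server_name
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs     # record type 22 = handshake

def extract_sni(record):
    """Return the server_name from a ClientHello, or None when the SNI extension is absent."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    p += 1 + record[p]                        # session_id
    cs_len = struct.unpack(">H", record[p:p + 2])[0]
    p += 2 + cs_len                           # cipher_suites
    p += 1 + record[p]                        # compression_methods
    if p + 2 > len(record):                   # no extensions block at all
        return None
    ext_len = struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack(">HH", record[p:p + 4])
        p += 4
        if etype == 0:                        # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack(">H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def classify(record, dst_ip, blocked_ips=frozenset()):
    """Mimic the documented behaviour: categorize by SNI domain if present, else by destination IP."""
    sni = extract_sni(record)
    if sni is not None:
        return ("domain", sni, sni in BLOCKED_DOMAINS)
    return ("ip", dst_ip, dst_ip in blocked_ips)
```

With no SNI, a block decision can only be as good as the IP list, which is why the behaviour differs between browsers.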
Rahul Dev Singh (Author) commented:
btan, CSC-SSM is filtering HTTPS traffic.... there is no problem with that.
btan (Exec Consultant) commented:
Thanks, noted.

For the Chrome Web Store, it is stated that the extension, such as the CRX file itself, can be directly downloaded from the URL below (not by file extension), so I am wondering whether URL blocking will help in general:
https://clients2.google.com/service/update2/crx?response=redirect&prodversion=[PRODVERSION]&x=id%3D[EXTENSIONID]%26uc

But from this website (http://chrome-extension-downloader.com/), it also can download an extension using a pre-pended URL of e.g. https://chrome.google.com/webstore/detail/<some random string ID of extension>, so maybe another URL to try for blocking is "https://chrome.google.com/webstore/detail/".

For FF extensions, the URLs for consideration may be...

https://addons.mozilla.org/en-US/firefox/extensions/
https://addons.mozilla.org/en-US/firefox/addon/
https://addons.mozilla.org/firefox/downloads/file/
Rahul Dev Singh (Author) commented:
How to block the Google Play Store completely?
btan (Exec Consultant) commented:
Considering the URLs below.
https://play.google.com/
https://play.google.com/store/

Also, I am thinking of blocking access to the ports required by Google Play (TCP and UDP 5228). There should be attempts to reach the Google Cloud Messaging (GCM) HTTP connection server in order for Android devices (in general) to receive messages. The ports to open are generally 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. However, GCM normally has no specific IPs, so the firewall tends to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN 15169. But we cannot block them all, as it can be a false positive...
Rahul Dev Singh (Author) commented:
I got the solution myself....

Rahul Dev Singh (Author) commented:
Not many people know about the CSC-SSM module. All these people who have posted their comments have no idea about the CSC-SSM module; just for show-off they have posted the comments. These people don't even know how this module works. I did my own research & troubleshooting & got the solution.