SSP-S410-40 (ISG) Best Practice



Article ID: 248330


Updated On:

Products

ISG Proxy

Issue/Introduction

Do we need a dedicated interface for Internet access, or should we use a connection to the Internet via the proxy or some other interface to get applications licensed, etc.?

Resolution

The following best practices for the ISG's physical location and networking were shared with the customer.

Physical Location and Networking

  • Secure the physical location where ISG is deployed.
    Make sure that access is limited to a few top-level administrators. Wherever possible, monitor their access.
  • Configure management access to the appliance.
    Secure the setup console via serial connection to the appliance. The serial console password must be at least eight characters in length and contain at least three character types (upper-case letters, lower-case letters, numeric characters, and special characters).
  • Secure any serial console servers attached to ISG.
    If the ISG appliance is connected to a serial console server, be aware of who can remotely connect to the server and the CLI, and treat those types of remote management tools with the same or greater care as you do for other methods of connecting to the appliance.
  • Avoid deploying ISG with a direct connection to the Internet.
    Wherever possible, ISG should be behind a firewall, proxy, and/or other security appliance to protect it from Internet-based attacks.
  • Configure the management interfaces on the appliance in unique, non-congruent subnets.
    Configuring the interfaces in this way reduces the vectors available to an attacker.
  • Ensure that your network infrastructure is prepared for the connections to and from your ISG appliance.
    See ISG Required Ports, Protocols, and Services for a list of URLs and ports used by ISG.
  • Use the ssl-context CLI command to configure device connection security.
    An SSL context is a collection of ciphers, protocol versions, trusted certificates, and other TLS options. The ssl-context CLI command enables you to configure a global SSL context that applies to all devices, or to assign a context on a per-device basis.
  • Use only high-strength security ciphers and protocols.
    Regardless of the default values, Symantec encourages ISG administrators to be aware of the security landscape, and only use ciphers and protocols that are known to be highly secure.
  • Do not rely on the self-signed certificate.
    Replace the built-in self-signed certificate with one signed by a public Certificate Authority (CA) or your organization's private CA before deploying your ISG appliance. This certificate
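The serial console password rule above (at least eight characters, at least three of the four character types) is easy to get subtly wrong when checked by hand. The following validator is an added example written for this article; it is not ISG code and ISG does not expose such a check. It counts the four classes the article names and additionally rejects whitespace and non-printable characters, which the article does not mention (an assumption made here so that such characters cannot be counted as a "special" class).

```python
import string

MIN_LENGTH = 8     # from the article: at least eight characters
MIN_CLASSES = 3    # from the article: at least three character types


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password.

    The four classes are those named in the article: upper-case letters,
    lower-case letters, numeric characters and special characters.
    Special characters are taken to be ASCII punctuation (an assumption).
    """
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
    return classes


def check_console_password(password: str):
    """Return (ok, problems) for a candidate serial console password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(
            f"only {len(classes)} character class(es) present: {sorted(classes)}"
        )
    # Whitespace and control characters are not one of the four classes;
    # reject them outright rather than silently ignoring them (assumption).
    if any(ch.isspace() or not ch.isprintable() for ch in password):
        problems.append("contains whitespace or non-printable characters")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample candidates, not values from the article.
    for candidate in ["Abcdefg1", "abcdefg1", "Ab1!", "Abc def1!"]:
        ok, problems = check_console_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECTED'} {problems}")
```

Note that a password can satisfy the article's letter of the rule (`Abcdefg1` passes) while still being weak; the rule is a floor, not a recommendation for what to choose.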

As highlighted above, it is recommended not to connect the ISG appliance directly to the Internet. Instead, connect it through a WAN device, such as a WAN router or a firewall, as shown in the diagram below.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=AtVQlAWctTLCN2i/YPFgrA==

As seen in the diagram above, the network traffic for license updates and other Internet-based updates on the SSP-S410 would go through LAN port 2:0 to the Internet.

Concerning licensing, licenses for applications on SSP are managed by ISG (the host) rather than by the application itself. Licenses for applications are managed solely via the ISG command line interface (CLI); license management from within the application (such as the ProxySG CLI) is disabled.

The SSP appliance is shipped with an on-board network interface (0:0) and one or more additional Network Interface Cards (NICs). All applications created and started on the ISG with the applications commands share these physical interfaces. The following depicts an ISG shipped with a 4-port NIC that has one ProxySG and one Content Analysis application running.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=dfHlGWi9caejTLIOmRWQzA==

Note:

The MAC addresses used by the applications for 1-1 virtually-mapped interfaces use the Broadcom registered OUI 00D083. You can find the MAC addresses for the physical interfaces by using the ISG CLI show hardware configuration command.

Since all interfaces (physical and virtually-mapped) have a unique L2 endpoint identifier (MAC address), you should use general networking approaches along with the following notes to work with applications deployed on ISG:

  • The physical link state of the SSP appliance is not mirrored to the running applications. Specifically, applications running on ISG always show every interface as being UP, even if the physical interface is DOWN, and the applications' reporting of link speed is independent of the physically-set link speed on the SSP appliance.
  • Interface 0:0 is 1 Gbps.
  • It is not recommended to use interface 0:0 for inter-application networking, as it is limited to 1 Gbps.
  • It is not recommended to configure two or more of the physical interfaces on the same sub-network.
  • It is not recommended to configure two or more of the virtual interfaces on a single application on the same subnetwork.
  • It is not possible to use the ISG CLI ping command to test connectivity between the ISG host and an application over the same shared physical interface unless hair-pinning mode is enabled in the upstream switch.
  • Applications receive broadcast, unicast, and Layer 2 multicast traffic.
  • LACP is supported and is configured from the ISG CLI.
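Two of the notes above (no two physical interfaces on the same sub-network; no two virtual interfaces of a single application on the same sub-network), together with the earlier advice to put the management interfaces in non-congruent subnets, can be checked mechanically from an interface inventory. The script below is an added example written for this article, not an ISG tool, and the inventory it runs on is constructed: the owner names, interface names and addresses are made up, and ISG does not present its configuration in this form. It also shows how the Broadcom OUI 00D083 from the note above can be used to tell an application's virtually-mapped interface from some other device on the segment.

```python
import ipaddress
from collections import defaultdict

# Broadcom registered OUI used by the ISG applications' virtual interfaces (from the article).
ISG_APP_OUI = "00D083"

# Constructed inventory (not from the article). "owner" is either the ISG host
# or one application; "addr" is the interface's IPv4 address with prefix length.
INVENTORY = [
    {"owner": "isg-host", "iface": "0:0", "addr": "10.10.1.5/24"},
    {"owner": "isg-host", "iface": "2:0", "addr": "10.10.1.6/24"},    # same subnet as 0:0 -> flagged
    {"owner": "proxysg-1", "iface": "2:1", "addr": "10.20.1.10/24"},
    {"owner": "proxysg-1", "iface": "2:2", "addr": "10.20.1.11/24"},  # same app, same subnet -> flagged
    {"owner": "content-analysis-1", "iface": "2:3", "addr": "10.30.1.10/24"},
]


def find_overlapping_subnets(inventory):
    """Return (owner, iface_a, iface_b, net_a, net_b) for every pair of
    interfaces belonging to the same owner whose networks overlap.

    Overlap rather than equality is tested so that a /24 nested inside a /16
    (congruent-but-not-identical subnets) is also reported.
    """
    by_owner = defaultdict(list)
    for entry in inventory:
        network = ipaddress.ip_interface(entry["addr"]).network
        by_owner[entry["owner"]].append((entry["iface"], network))

    findings = []
    for owner, ifaces in by_owner.items():
        for i in range(len(ifaces)):
            for j in range(i + 1, len(ifaces)):
                (name_a, net_a), (name_b, net_b) = ifaces[i], ifaces[j]
                if net_a.overlaps(net_b):
                    findings.append((owner, name_a, name_b, str(net_a), str(net_b)))
    return findings


def is_isg_app_mac(mac: str) -> bool:
    """True if the MAC address carries the Broadcom OUI used by ISG application interfaces.

    Accepts colon-, hyphen- or dot-separated notation in either case.
    """
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    return len(digits) == 12 and digits.startswith(ISG_APP_OUI)


if __name__ == "__main__":
    for owner, a, b, net_a, net_b in find_overlapping_subnets(INVENTORY):
        print(f"{owner}: interfaces {a} ({net_a}) and {b} ({net_b}) share a subnet")
    # Constructed sample MAC addresses, not values from the article.
    for mac in ["00:d0:83:12:34:56", "00:50:56:12:34:56"]:
        print(f"{mac}: {'ISG application interface' if is_isg_app_mac(mac) else 'other'}")
```

The inventory would in practice be filled from the ISG CLI output (show hardware configuration for the physical MAC addresses, and the applications' own configuration for their addresses); the article does not give that output's format, so the script takes a plain list instead.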

For more on networking on ISG, including inter-application networking, refer to the technical documentation at the URL below.

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/integrated-secure-gateway/generated-pdfs/2-4-isg-help.pdf