This presentation provides an overview of web security, web security with Cisco Ironport, web security with Cisco Scansafe, and the road to hybrid security.
2. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
– Secure Mobility
6. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
7. Cisco Web Security Appliance
Web Proxy incl. Caching (http,https, ftp, ftp over http)
Rich security functionalities
Reputation filtering
Malware scanning
URL Filtering
Application visibility & control
HTTPS inspection
Authentication
Reporting and tracking
L4TM
...more to come!
8. Web Application Control
Many Applications work on top of
HTTP traffic
Applications are detected and
controlled by special Signatures
Those Signatures are
downloaded dynamically via
regular Signature Updates from
Cisco
No reboot or manual installation
required!
9. About Reputation
Cisco SIO gathers statistical informations from Cisco Products and
other resources
Cisco SIO correlates informations
Updated informations are delivered back to appliances
Each IP / URL gets a score, ranging from -10 to +10
External
Outbreak Intelligence
feeds
Web Email ASA IPS
10. About Reputation
Malicious websites are tracked globally through SIO
WSA evaluates each webrequest against the defined
reputation score
Reputation score and action is configured on WSA
11. Network Participation
Admin can define the level of participation
Requested URL with result is sent back
User information and internal networks are not sent
Disabled: No information is sent to Cisco SIO Database
Limited: Server URL of request, hash of path segments
Standard: Server URL and all path segments are sent back
12. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
13. Explicit Proxy
Client requests a website
Browser connects first to WSA
WSA connects to website
Firewall usually only allows webtraffic for proxy
Web Security Appliance
Internet Web
server
Internet
ASA 5500
Firewall
14. How does the Browser find the Proxy?
Proxy setting in the browser
Static definition with IP/NAME and PORT
15. How does the Browser find the Proxy?
Automatic Configuration via PAC File
function FindProxyForURL(url, host)
{
return "PROXY 192.168.1.80:3128";
}
function FindProxyForURL(url, host)
{
return "PROXY 192.168.1.80:3128; 192.168.1.81:3128";
}
http://www.findproxyforurl.com/
16. PAC Deployment
Via AD and GPO
Via script
Via manual setting
Via DHCP
DHCP Option 252
Via Wpad Server
17. WPAD Server
WPAD Server hosts PAC file as wpad.dat
File is retrieved via HTTP and Javascript
Automatic Settings creates a lookup on a server
called „wpad“
18. Transparent Proxy via WCCP
Client requests a website
Browser tries to connect to Website
Network Device redirects traffic to WSA using WCCP
WSA proxies the request
Web Security Appliance
Internet Web
server
Internet
ASA 5500
Firewall
19. Background on WCCP
WCCPv1 developed in 1997 by Cisco Systems and publicly
released in July 2000
WCCPv2 published as an IETF draft in July 2000 to make the
specification open and remove the requirement for licensing
– Enhancements
• Configurable WCCP Router ID
• WCCP Variable Timers – Improved Failover
• Improved Interaction between WCCP and NetFlow
WCCPv3 is an internal specification targeted at IPv6 that was
never released
20. Details
Assignment
The WCCP assignment method is used to determine which WCCP traffic
and which WCCP device is chosen for the destination traffic.
WCCP can use two types of Assignment Methods: Hash and Mask.
• Hash Based Assignment
Uses a software based hash algorithm to determine which WCCP
appliance receives traffic. In hardware based platforms the Netflow table
is used to apply hardware assistance.
• Mask Based Assignment
Uses the ACL TCAM to assign WCCP entities. This method is fully
handled by hardware.
21. Details
Redirect and Return
• Redirect Method
– WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client
(WSA, Cache,…)
– Layer 2 - Frame MAC address rewritten to MAC of WCCP Client
• Return Method
The Return method determines how the traffic will be sent back
from the router to the WCCP appliance if the traffic could not be
serviced. Refered to as “Proxy Bypass”
– WCCP GRE – Packet WCCP GRE returned router
– WCCP Layer 2 – Frame rewritten to router MAC
22. Details
Assignment
• The following best practices should be followed for implementing
WCCP on a software-based platform:
– GRE Forwarding (Default)
– Hash Assignment (Default)
– Inbound or Outbound Interception
– "ipwccp redirect exclude in" on WCCP client interface (outbound interception
only)
• The following best practices should be followed for implementing
WCCP on a hardware-based platform:
– L2 Forwarding
– Mask Assignment
– Inbound Interception
– No "ipwccp redirect exclude in"
25. How WCCP registration works
1. Registration
2. „Here I am“
3. „I see you“
WCCP Server WCCP Client
The WCCP client registers at the WCCP Server
Both, Server and Client need to use the same WCCP Service Group ID
One WCCP Server usually can server multiple Clients
Server and Client exchange „here i am“ and „I see you“ Packets to check
availability
UDP/2048, unicast
Multicast possible
Traffic is redirected from Server to one or multiple Clients using the „hash“ or
„mask“ algorithm
26. WCCP Protocol
Failover
When a WCCP client fails, the portion of the load handled by that
client is automatically redistributed to the remaining WCCP clients
in the service group
If no other WCCP clients are available in the service group, the
service group is taken offline and packets are forwarded normally
Buckets 86–128 Buckets 129–170
Buckets 1–85 Buckets 86–170 Buckets 171–255
A
X
B C
27. Using WCCP for Traffic Redirection
WCCPv2 support is availible on many Cisco Platforms:
L3 Switches, Routers, ASA 5500 Security Appliance
Cisco Ironport WSA supports all redirect and assign
methods (software implementation)
Method to use will be negotiated
28. WCCP For Your
Reference
Platform Recommendations
Function Software ASR 1000 Cat 6500 Cat 6500
ASA 5500
Support / ISR & 7200 Sup720 Sup32 Sup2 Cat 4500 Cat 3750
Recommend
Assignment Hash Only Mask Only Mask or Hash / Mask or Hash Mask only Mask only Hash only
Mask / Mask
Forwarding GRE Only L2 or GRE / L2 L2 or GRE / L2 or L2 or GRE / L2 L2 only L2 only GRE Only
or GRE GRE
Forwarding Full extended Full extended Full extended Full extended No Redirect Extended Full
Redirect List ACL ACL ACL ACL List Support ACL (no extended
deny) ACL
Direction In or In only In or Out / In In or In only In only In only
Out / In Out / In
Return IP Forward , IP Forward, L2, GRE, nGRE, L2, IP Forward or IP Forward IP Forward GRE
L2 or GRE WCCP GRE, or & IP Forward / L2 / IP or L2 / IP or L2 / IP
generic GRE No GRE Forward Forward Forward
29. Transparent Redirection and HTTPS
Symptoms:
• Successfully configured WCCP on the L3 Device
• Successfully connect to HTTP sites
• Cannot connect to HTTPS Sites
• Switching to explicit Proxy works fine for HTTP and HTTPS
Solution:
Activate HTTPS Proxy
Not necessary to decrypt the requests
30. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
31. Policy - Authentication
Policy objects can be managed from central access policy screen
First step is to define the Identity:
”For whom does this policy apply?”
32. Authentication
User Web Security Appliance User Directory
Authentication Protocols
Directory:
LDAP or AD
Method:
Basic: Credentials are sent unencrypted
NTLMSSP: Challenge-Response
Tracking the User
IP based Surrogates
Cookie based Surrogates
33. NTLM Authentication
NTLM requires Account in the AD Domain
Credentials to create a computer account are used only once, not
stored on appliance
Currently only one domain is supported via NTLM
34. LDAP Authentication
LDAP queries on port 389 or 636 (Secure LDAP),
3268 (AD GC Server)
Need to know the Base DN Name Parameter
Can connect to multiple different domains
36. Authentication in Explicit Deployment
User Web Security Appliance User Directory
http error 407
Proxy sends http response 407 (proxy auth. request)
Client recognizes the proxy
Client will then accept a http response 407 from the proxy
Works for HTTPS
Client sends a CONNECT request to the proxy
Client will then accept a 407 response from the proxy
37. Authentication in Transparent Deployment
User Internet Web
server
Internet
User Directory Web Security Appliance
Client is not aware of a proxy -> http response 407 cannot be used
Need to use http response 401 – basic authentication
Client needs to be first redirected to the wsa
39. IE8/IE9 with Single-Sign On
SSO on WSA correctly configured but Clients still getting prompted
Check if WSA Redirect Name is listed in „Trusted Sites“
Check „Security Settings“ on Trusted Sites and set to
„Automatic Logon with current user name and password“
40. Transparent User Identification (TUI)
Web Security Release 7.5
1. Client logs on to the AD Domain
2. Client request a Web Site
3. Traffic is transparently redirected to the WSA
4. WSA needs to authenticate and queries the AD Agent for the User/Group
5. AD Agent looks up the IP and delivers User/Group
6. Request is proxied and forwarded to the Internet
4
6
AD Controller w/ Agent 5 WSA
Internet
3
1
2
AD User Switch w/ WCCP
41. DEMO – WSA with Transparent User
Identification
42. Cisco Ironport WSA & IPv6 Support
Current version of WSA does not yet support IPv6
Support is planned for Q4CY2012
IPv6 Support for explicit mode
Transparent is depending on implementation on ISR, ASA
and Switches, done in a later release
WSA will listen for connections both on IPv4 and IPv6
Admin can configure, if IPv4 or IPv6 should be prefered
Depending on Configuration, A-record or AAAA-record will be
delivered
IPv6
Internal IPv6
Internet
IPv4
43. Sizing for WSA
• Main Parameter for sizing is “requests per second”
• Rule of thumb:
Each request/s is approx. 80-90 Kbps of HTTP traffic
Each Mbps of HTTP translates to approx. 10 requests/s
100 Mbps of sustained HTTP traffic is approx. 1000 requests/s
• Easy way to find out on a WSA: use the “rate” CLI command
This parameter allows a quite correct sizing depending on features together with the
Cisco SE
45. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Overview and Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
46. Websecurity through Cloudservice
Hosted Websecurity through
Cisco Scansafe Cloud Service
Central reporting and
administration through
Scancenter Portal
47. Data Flow with ScanSafe
Client requests are redirected
to a proxy in the cloud
Internet
Requests are checked and
filtered
Clean requests are directed
back to the client
Web requests
Allowed traffic
Filtered traffic
User
48. Scalability & Reliability
Billions of web requests per day
<50 ms latency
High-Availability Infrastructure
Parallel Processing
See BRKSEC-2346:
Inside the Scansafe Architecture
49. Outbreak Intelligence
SWF
Scanlet
<html> JAVA Phishing
Scanlet Scanlet
Win EXE
<js> Scanlet
Archive Context META
Scanlet Scanlet Scanner
<swf> Multiple
<web> AV
Script MF
Scanlet Scanlet
<pdf> File
Anomaly Parallel Processing in the
PDF Scanlet
<jpg> Scanlet Scantower provides
maximum performance
Scanlets provide scanning for
malware through code
anomaly analysis
50. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Overview and Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
51. Challenge:Branch Office with local Breakout
Corporate Internet
Network
VPN
Webtraffic destined for the central DC is sent via VPN Tunnel
Normal Webtraffic goes directly to the Internet
bandwidth saving in the central site
But how to secure the webtraffic?
52. ISR G2 with integrated Connector
Connector is integrated in the Cisco ISR G2
Router Platforms
No need to install Connector seperatly in branch
networks Internet
Redirect of the webtraffic is happening
transparently for the user on the router
Provides Scantower redundancy
Provides User granularity
Authenticate User via NTLM (transparent
authentication) or Basic (Prompt for
Credentials)
NTLM works without prompting for IE,
Firefox and Google Chrome AD
Server
BRKSEC-3007: Advanced Cisco IOS Security Features
61
53. ISR G2 with Integrated Connector
Simple Config
parameter-map type content-scan global
server scansafe primary name proxy100.scansafe.net port http
8080 https 8080
license 0 68668486389366986986968689698668
source interface FastEthernet8
timeout server 60
timeout session-inactivity 120
user-group munlab username tmayer
server scansafe on-failure block-all
interface FastEthernet8
description $WAN-Interface$
ip address dhcp client-id FastEthernet8
ip nat outside
content-scan out
62
54. Sizing and Scalability for ISR with Connector
Phase 1: Feb 2012 For Your
Reference
Phase 2: May 2012
ScanSafe Users Supported per ISR G2 Platform
3945E 3925E 3945 3925 2951 2921 2911 2901 1941 1921 891
Phase II Phase I
No Auth 5000 5000 1200 900 600 500 400 350 350 300 120
Web Proxy 1200 1200 1200 900 600 500 400 350 350 300 120
HTTP Basic 1200 1200 1200 900 600 500 400 350 350 300 120
NTLM 1200 1200 1200 900 600 500 400 350 350 300 120
55. ASA ScanSafe Integration
Headquarters and Branch office
Internet web traffic scanned by Scansafe
Both Headquarters and Branch
Scansafe Google office web traffic whitelisted
Tower Server
AAA AAA
ASA ASA
Employees Employees
Headquarters Branch Office
56. Browser Redirection via GPO / PAC file
• Proxy Settings are pushed to
browsers via Active Directory
Internet
GPO AD
• Browsers connect through Server
Firewall on port 8080 to Web
Security Service
• Firewall blocks all other GET GPO Update
requests
• Provides Site/External IP
granularity
57. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Overview and Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
58. Easy ID
• Clientless User authentication via webbrowser
• User authenticates via Webportal
• Policies are applied from Scancenter Portal
verifying User Name and Group through AD
Connection
• AD Connection is done via LDAPS query from
Scancenter to the LDAP Directory at customer site
• Scancenter is sending a cookie that is used for
subsequent authentication
59. Standalone Connector
• Proxy Settings are pushed to browsers
via AD,GPO or PAC file to ScanSafe on
port 8080/443 to the Cloud based Tower
• Connector receives Client info and Internet
queries Active Directory Server for Group Connector
Information, then proxies to ScanSafe
upstream
• Set Firewall to block all other GET
requests
• Provides IP/End User/Group granularity
• Scalable up to 10000 Users per AD
Connector, depending on which HW it is Server
installed
60. Roaming Users
• Installs a Network Driver which
binds to all connections (LAN,
Wireless, 3G)
• Automatic Peering Identifies
nearest ScanSafe Datacenter and
whether a connection is possible.
Proxy Firewall Hotspot
• AD information can be
remembered from when the user
was last on the corporate network
using the Gpresult API (group
policy)
Client with
Websecurity
61. Web Security & AnyConnect
Supported on Windows &
MAC OS X
Client settings are controlled
via Profile
Profile can be centrally
distributed via the Scancenter
Portal
71
62. Web Security & AnyConnect
Single and modular client
VPN (SSL, IKEv2, Always-On,...)
802.1x (Wired, Wireless, MACSEC...)
Websecurity
Posture for VPN
Telemetry (SIO)
All modules can be used independently or
all together
If VPN Module is used, profile
management can be done centrally
through ASA 72
63. How Does it Work?
Authenticates and directs your external client Web traffic to our
scanning infrastructure
Automatically connect to nearest Scantower
SSL encryption of all Web traffic sent improves security over public
networks (example: Firesheep Plugin for FF)
73
64. Web Security & AnyConnect
Configuration for Web Security with VPN
Configured through a profile,
downloaded from ASA at connect
VPN is lower in the stack than the
Websecurity Module
Internet
Split tunnel Scansafe gateways in the Corporate
VPN Config (on the ASA) traffic
Exclude Corporate adresses from
beeing forwarded to the scansafe Client with
towers Websecurity
74
65. Web Security & AnyConnect Configuration
Client Profile
For Your
Reference
Scanning Tower
selection
Proxy ports
66. Web Security & AnyConnect Configuration –
Client Profile
Exceptions for
internal networks &
public websites to be
excluded from
scanning
Exceptions for
authorized internal
proxies
Static Exceptions
like VPN
Gateways
67. Web Security & AnyConnect Configuration – For Your
Client Profile Reference
Automatic selection
of nearest Scantower
Activate Beacon
Checking,
Deploy public key
68. Web Security & AnyConnect Configuration – For Your
Client Profile Reference
License Key
Authentication
Settings
69. Web Security & AnyConnect
Configuration for Web Security without VPN
Scancenter Portal provides hosting of PAC file and / or Client Profile
Differentiate Usergroups due to usage of group keys
Upload Client Profile
Specify Client
Profile
Key for
Authentication
70. Beacon Server for the AnyConnect
Web Security Module
Beacon Server runs on an
internal Server
Client gets public key from
Beacon Server during
deployment
If the client has reachability
to the Beacon Server, client
module is deactivated
TND in ASA 9.0
72. Scansafe & IPv6 Support
Current version of Web Security does not yet support IPv6
IPv6 traffic scanning can be excluded by adding “::/0” to Static
Exceptions IPv6
Full IPv6 Support will be added mid CY 2012 in two phases: Internal IPv6
IPv4
Internet
AC 3.1 or Standalone / integrated Connector
Internet
AC 3.1 or Standalone / integrated Connector
73. Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
74. Secure Mobility Future – Hybrid Security
Internet traffic Remote User
w/
secure through web AnyConnect
security cloud Client 3.0
service
Corporate traffic Internet
secure through Cisco WSA
Cisco ASA
tunnel and WSA
Consistent Policy Corporate
and Monitoring Network
75. Hybrid Security –
what has been done and what lies ahead
Unification of URL Databases
AVC integration
Connector Integration in ISR G2 Router
Unification of features – Q1/Q2 CY2012
Application visibility and control
Web Reputation
Connector Integration in ASA – Q3 CY2012
Connector Integration in WSA
Provide common management
Provide common logging and reporting
76. Summary
Cisco Web Security Solution leverages a comprehensive
architected featurelist to protect the dynamic
environment from the ubiquitios web 2.0 world.....
Or...
Cisco Web Security Solution simply ROCK!
78. We value your feedback.
Please be sure to complete the Evaluation Form for this session.
Access today‟s presentations at cisco.com/ca/plus
Follow @CiscoCanada and join the #CiscoPlusCA conversation