Web Security Deployment

Web Security
Deployment
Ryan Wager
Technical Marketing
Engineer

Agenda

• Overview Web Security
• Web Security with Cisco Ironport Web Security
– Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe
– Authentication
• The Road to Hybrid Security
– Secure Mobility

Agenda

– Authentication
– Authentication

Cisco Web Security Appliance
 Web Proxy incl. Caching (http,https, ftp, ftp over http)

 Rich security functionalities
Reputation filtering
Malware scanning
URL Filtering
Application visibility & control
HTTPS inspection
Authentication
Reporting and tracking
L4TM
...more to come!

Web Application Control
 Many Applications work on top of
HTTP traffic

 Applications are detected and
controlled by special Signatures

 Those Signatures are
downloaded dynamically via
regular Signature Updates from
Cisco

 No reboot or manual installation
required!

About Reputation
 Cisco SIO gathers statistical informations from Cisco Products and
other resources
 Cisco SIO correlates informations
 Updated informations are delivered back to appliances
 Each IP / URL gets a score, ranging from -10 to +10
External
Outbreak Intelligence
feeds

Web Email ASA IPS

About Reputation
 Malicious websites are tracked globally through SIO
 WSA evaluates each webrequest against the defined
reputation score
 Reputation score and action is configured on WSA

Network Participation
 Admin can define the level of participation
 Requested URL with result is sent back
 User information and internal networks are not sent

Disabled: No information is sent to Cisco SIO Database
Limited: Server URL of request, hash of path segments
Standard: Server URL and all path segments are sent back

Explicit Proxy
 Client requests a website
 Browser connects first to WSA
 WSA connects to website
 Firewall usually only allows webtraffic for proxy
Web Security Appliance

Internet Web
server

Internet
ASA 5500
Firewall

How does the Browser find the Proxy?
 Proxy setting in the browser
 Static definition with IP/NAME and PORT

How does the Browser find the Proxy?
 Automatic Configuration via PAC File
function FindProxyForURL(url, host)
{
return "PROXY 192.168.1.80:3128";
}
function FindProxyForURL(url, host)
{
return "PROXY 192.168.1.80:3128; 192.168.1.81:3128";
}

http://www.findproxyforurl.com/

PAC Deployment
 Via AD and GPO
 Via script
 Via manual setting
 Via DHCP
DHCP Option 252
 Via Wpad Server

WPAD Server
 WPAD Server hosts PAC file as wpad.dat
 File is retrieved via HTTP and Javascript
 Automatic Settings creates a lookup on a server
called „wpad“

Transparent Proxy via WCCP
 Client requests a website
 Browser tries to connect to Website
 Network Device redirects traffic to WSA using WCCP
 WSA proxies the request
Web Security Appliance

Internet Web
server

Internet
ASA 5500
Firewall

Background on WCCP
 WCCPv1 developed in 1997 by Cisco Systems and publicly
released in July 2000
 WCCPv2 published as an IETF draft in July 2000 to make the
specification open and remove the requirement for licensing
– Enhancements
• Configurable WCCP Router ID
• WCCP Variable Timers – Improved Failover
• Improved Interaction between WCCP and NetFlow
 WCCPv3 is an internal specification targeted at IPv6 that was
never released

Details
Assignment

The WCCP assignment method is used to determine which WCCP traffic
and which WCCP device is chosen for the destination traffic.
WCCP can use two types of Assignment Methods: Hash and Mask.
• Hash Based Assignment
Uses a software based hash algorithm to determine which WCCP
appliance receives traffic. In hardware based platforms the Netflow table
is used to apply hardware assistance.
• Mask Based Assignment
Uses the ACL TCAM to assign WCCP entities. This method is fully
handled by hardware.

Details
Redirect and Return

• Redirect Method
– WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client
(WSA, Cache,…)
– Layer 2 - Frame MAC address rewritten to MAC of WCCP Client
• Return Method
The Return method determines how the traffic will be sent back
from the router to the WCCP appliance if the traffic could not be
serviced. Refered to as “Proxy Bypass”
– WCCP GRE – Packet WCCP GRE returned router
– WCCP Layer 2 – Frame rewritten to router MAC

Details
Assignment
• The following best practices should be followed for implementing
WCCP on a software-based platform:
– GRE Forwarding (Default)
– Hash Assignment (Default)
– Inbound or Outbound Interception
– "ipwccp redirect exclude in" on WCCP client interface (outbound interception
only)
• The following best practices should be followed for implementing
WCCP on a hardware-based platform:
– L2 Forwarding
– Mask Assignment
– Inbound Interception
– No "ipwccp redirect exclude in"

WCCP input redirect
WCCP Input redirect

Ingress Egress
Interface Interface

WCCP output redirect and input exclude
WCCP Output redirect

Ingress Egress
Interface Interface

WCCP Exclude-in

How WCCP registration works
1. Registration

2. „Here I am“
3. „I see you“
WCCP Server WCCP Client
 The WCCP client registers at the WCCP Server
 Both, Server and Client need to use the same WCCP Service Group ID
 One WCCP Server usually can server multiple Clients
 Server and Client exchange „here i am“ and „I see you“ Packets to check
availability
 UDP/2048, unicast
 Multicast possible
 Traffic is redirected from Server to one or multiple Clients using the „hash“ or
„mask“ algorithm

WCCP Protocol
Failover

 When a WCCP client fails, the portion of the load handled by that
client is automatically redistributed to the remaining WCCP clients
in the service group
 If no other WCCP clients are available in the service group, the
service group is taken offline and packets are forwarded normally

Buckets 86–128 Buckets 129–170
Buckets 1–85 Buckets 86–170 Buckets 171–255

A
X
B C

Using WCCP for Traffic Redirection
 WCCPv2 support is availible on many Cisco Platforms:
L3 Switches, Routers, ASA 5500 Security Appliance
 Cisco Ironport WSA supports all redirect and assign
methods (software implementation)
 Method to use will be negotiated

WCCP For Your
Reference
Platform Recommendations
Function Software ASR 1000 Cat 6500 Cat 6500
ASA 5500
Support / ISR & 7200 Sup720 Sup32 Sup2 Cat 4500 Cat 3750
Recommend

Assignment Hash Only Mask Only Mask or Hash / Mask or Hash Mask only Mask only Hash only
Mask / Mask

Forwarding GRE Only L2 or GRE / L2 L2 or GRE / L2 or L2 or GRE / L2 L2 only L2 only GRE Only
or GRE GRE
Forwarding Full extended Full extended Full extended Full extended No Redirect Extended Full
Redirect List ACL ACL ACL ACL List Support ACL (no extended
deny) ACL

Direction In or In only In or Out / In In or In only In only In only
Out / In Out / In
Return IP Forward , IP Forward, L2, GRE, nGRE, L2, IP Forward or IP Forward IP Forward GRE
L2 or GRE WCCP GRE, or & IP Forward / L2 / IP or L2 / IP or L2 / IP
generic GRE No GRE Forward Forward Forward

Transparent Redirection and HTTPS

Symptoms:
• Successfully configured WCCP on the L3 Device
• Successfully connect to HTTP sites
• Cannot connect to HTTPS Sites
• Switching to explicit Proxy works fine for HTTP and HTTPS
Solution:
 Activate HTTPS Proxy
 Not necessary to decrypt the requests

Policy - Authentication

 Policy objects can be managed from central access policy screen
 First step is to define the Identity:
”For whom does this policy apply?”

Authentication
User Web Security Appliance User Directory

 Authentication Protocols
Directory:
LDAP or AD
Method:
Basic: Credentials are sent unencrypted
NTLMSSP: Challenge-Response
 Tracking the User
IP based Surrogates
Cookie based Surrogates

NTLM Authentication

 NTLM requires Account in the AD Domain
 Credentials to create a computer account are used only once, not
stored on appliance
 Currently only one domain is supported via NTLM

LDAP Authentication

 LDAP queries on port 389 or 636 (Secure LDAP),
3268 (AD GC Server)
 Need to know the Base DN Name Parameter
 Can connect to multiple different domains

Authentication against LDAP

• Knowing the LDAP Base DN is fundamental
• Or check with „DSQUERY“ command on a MS AD

Authentication in Explicit Deployment
User Web Security Appliance User Directory

http error 407

 Proxy sends http response 407 (proxy auth. request)
Client recognizes the proxy
Client will then accept a http response 407 from the proxy

 Works for HTTPS
Client sends a CONNECT request to the proxy
Client will then accept a 407 response from the proxy

Authentication in Transparent Deployment
User Internet Web
server

Internet

User Directory Web Security Appliance

 Client is not aware of a proxy -> http response 407 cannot be used
 Need to use http response 401 – basic authentication
Client needs to be first redirected to the wsa

DEMO – WSA with transparent redirection

IE8/IE9 with Single-Sign On
 SSO on WSA correctly configured but Clients still getting prompted
 Check if WSA Redirect Name is listed in „Trusted Sites“
 Check „Security Settings“ on Trusted Sites and set to
„Automatic Logon with current user name and password“

Transparent User Identification (TUI)
Web Security Release 7.5
1. Client logs on to the AD Domain
2. Client request a Web Site
3. Traffic is transparently redirected to the WSA
4. WSA needs to authenticate and queries the AD Agent for the User/Group
5. AD Agent looks up the IP and delivers User/Group
6. Request is proxied and forwarded to the Internet
4

6
AD Controller w/ Agent 5 WSA
Internet
3
1
2
AD User Switch w/ WCCP

DEMO – WSA with Transparent User
Identification

Cisco Ironport WSA & IPv6 Support
 Current version of WSA does not yet support IPv6
 Support is planned for Q4CY2012
IPv6 Support for explicit mode
Transparent is depending on implementation on ISR, ASA
and Switches, done in a later release
 WSA will listen for connections both on IPv4 and IPv6
 Admin can configure, if IPv4 or IPv6 should be prefered
 Depending on Configuration, A-record or AAAA-record will be
delivered

IPv6
Internal IPv6
Internet
IPv4

Sizing for WSA
• Main Parameter for sizing is “requests per second”
• Rule of thumb:
Each request/s is approx. 80-90 Kbps of HTTP traffic
Each Mbps of HTTP translates to approx. 10 requests/s
100 Mbps of sustained HTTP traffic is approx. 1000 requests/s
• Easy way to find out on a WSA: use the “rate” CLI command

This parameter allows a quite correct sizing depending on features together with the
Cisco SE

Sizing Table Example
S370 Appliance

Agenda

– Authentication
– Overview and Critical Functionalities
– Authentication

Websecurity through Cloudservice
 Hosted Websecurity through
Cisco Scansafe Cloud Service
 Central reporting and
administration through
Scancenter Portal

Data Flow with ScanSafe

 Client requests are redirected
to a proxy in the cloud
Internet

 Requests are checked and
filtered

 Clean requests are directed
back to the client

Web requests
Allowed traffic
Filtered traffic
User

Scalability & Reliability

 Billions of web requests per day
 <50 ms latency
 High-Availability Infrastructure
 Parallel Processing
See BRKSEC-2346:
Inside the Scansafe Architecture

Outbreak Intelligence
SWF
Scanlet
<html> JAVA Phishing
Scanlet Scanlet
Win EXE
<js> Scanlet
Archive Context META
Scanlet Scanlet Scanner
<swf> Multiple
<web> AV
Script MF
Scanlet Scanlet
<pdf> File
Anomaly  Parallel Processing in the
PDF Scanlet
<jpg> Scanlet Scantower provides
maximum performance
 Scanlets provide scanning for
malware through code
anomaly analysis

Challenge:Branch Office with local Breakout

Corporate Internet
Network
VPN

 Webtraffic destined for the central DC is sent via VPN Tunnel
 Normal Webtraffic goes directly to the Internet
bandwidth saving in the central site
 But how to secure the webtraffic?

ISR G2 with integrated Connector
 Connector is integrated in the Cisco ISR G2
Router Platforms
 No need to install Connector seperatly in branch
networks Internet
 Redirect of the webtraffic is happening
transparently for the user on the router
 Provides Scantower redundancy
 Provides User granularity
 Authenticate User via NTLM (transparent
authentication) or Basic (Prompt for
Credentials)
 NTLM works without prompting for IE,
Firefox and Google Chrome AD
Server
BRKSEC-3007: Advanced Cisco IOS Security Features
61

ISR G2 with Integrated Connector
Simple Config
parameter-map type content-scan global
server scansafe primary name proxy100.scansafe.net port http
8080 https 8080
license 0 68668486389366986986968689698668
source interface FastEthernet8
timeout server 60
timeout session-inactivity 120
user-group munlab username tmayer
server scansafe on-failure block-all

interface FastEthernet8
description $WAN-Interface$
ip address dhcp client-id FastEthernet8
ip nat outside
content-scan out
62

Sizing and Scalability for ISR with Connector
 Phase 1: Feb 2012 For Your
Reference
 Phase 2: May 2012
ScanSafe Users Supported per ISR G2 Platform
3945E 3925E 3945 3925 2951 2921 2911 2901 1941 1921 891
Phase II Phase I

No Auth 5000 5000 1200 900 600 500 400 350 350 300 120

Web Proxy 1200 1200 1200 900 600 500 400 350 350 300 120

HTTP Basic 1200 1200 1200 900 600 500 400 350 350 300 120

NTLM 1200 1200 1200 900 600 500 400 350 350 300 120

ASA ScanSafe Integration
Headquarters and Branch office
Internet web traffic scanned by Scansafe
Both Headquarters and Branch
Scansafe Google office web traffic whitelisted
Tower Server

AAA AAA

ASA ASA

Employees Employees

Headquarters Branch Office

Browser Redirection via GPO / PAC file
• Proxy Settings are pushed to
browsers via Active Directory
Internet
GPO AD
• Browsers connect through Server
Firewall on port 8080 to Web
Security Service
• Firewall blocks all other GET GPO Update
requests
• Provides Site/External IP
granularity

Easy ID
• Clientless User authentication via webbrowser
• User authenticates via Webportal
• Policies are applied from Scancenter Portal
verifying User Name and Group through AD
Connection
• AD Connection is done via LDAPS query from
Scancenter to the LDAP Directory at customer site
• Scancenter is sending a cookie that is used for
subsequent authentication

Standalone Connector
• Proxy Settings are pushed to browsers
via AD,GPO or PAC file to ScanSafe on
port 8080/443 to the Cloud based Tower
• Connector receives Client info and Internet
queries Active Directory Server for Group Connector
Information, then proxies to ScanSafe
upstream
• Set Firewall to block all other GET
requests
• Provides IP/End User/Group granularity
• Scalable up to 10000 Users per AD
Connector, depending on which HW it is Server
installed

Roaming Users
• Installs a Network Driver which
binds to all connections (LAN,
Wireless, 3G)
• Automatic Peering Identifies
nearest ScanSafe Datacenter and
whether a connection is possible.
Proxy Firewall Hotspot
• AD information can be
remembered from when the user
was last on the corporate network
using the Gpresult API (group
policy)
Client with
Websecurity

Web Security & AnyConnect
 Supported on Windows &
MAC OS X
 Client settings are controlled
via Profile
 Profile can be centrally
distributed via the Scancenter
Portal

71

 Single and modular client
VPN (SSL, IKEv2, Always-On,...)
802.1x (Wired, Wireless, MACSEC...)
Websecurity
Posture for VPN
Telemetry (SIO)
 All modules can be used independently or
all together
 If VPN Module is used, profile
management can be done centrally
through ASA 72

How Does it Work?
 Authenticates and directs your external client Web traffic to our
scanning infrastructure
 Automatically connect to nearest Scantower
 SSL encryption of all Web traffic sent improves security over public
networks (example: Firesheep Plugin for FF)

73

Configuration for Web Security with VPN

 Configured through a profile,
downloaded from ASA at connect
 VPN is lower in the stack than the
Websecurity Module
Internet
 Split tunnel Scansafe gateways in the Corporate
VPN Config (on the ASA) traffic
 Exclude Corporate adresses from
beeing forwarded to the scansafe Client with
towers Websecurity

74

Web Security & AnyConnect Configuration
Client Profile
For Your
Reference

Scanning Tower
selection

Proxy ports

Web Security & AnyConnect Configuration –
Client Profile
Exceptions for
internal networks &
public websites to be
excluded from
scanning

Exceptions for
authorized internal
proxies

Static Exceptions
like VPN
Gateways

Web Security & AnyConnect Configuration – For Your
Client Profile Reference

Automatic selection
of nearest Scantower

Activate Beacon
Checking,
Deploy public key

Web Security & AnyConnect Configuration – For Your
Client Profile Reference

License Key

Authentication
Settings

Configuration for Web Security without VPN

 Scancenter Portal provides hosting of PAC file and / or Client Profile
 Differentiate Usergroups due to usage of group keys

Upload Client Profile

Specify Client
Profile
Key for
Authentication

Beacon Server for the AnyConnect
Web Security Module
 Beacon Server runs on an
internal Server
 Client gets public key from
Beacon Server during
deployment
 If the client has reachability
to the Beacon Server, client
module is deactivated
 TND in ASA 9.0

DEMO – AnyConnect with Web Security

Scansafe & IPv6 Support
 Current version of Web Security does not yet support IPv6
 IPv6 traffic scanning can be excluded by adding “::/0” to Static
Exceptions IPv6
 Full IPv6 Support will be added mid CY 2012 in two phases: Internal IPv6

IPv4

Internet
AC 3.1 or Standalone / integrated Connector

Internet
AC 3.1 or Standalone / integrated Connector

Secure Mobility Future – Hybrid Security
 Internet traffic Remote User
w/
secure through web AnyConnect
security cloud Client 3.0
service
 Corporate traffic Internet
secure through Cisco WSA
Cisco ASA
tunnel and WSA
 Consistent Policy Corporate
and Monitoring Network

Hybrid Security –
what has been done and what lies ahead
 Unification of URL Databases
 AVC integration
 Connector Integration in ISR G2 Router
 Unification of features – Q1/Q2 CY2012
Application visibility and control
Web Reputation
 Connector Integration in ASA – Q3 CY2012
 Connector Integration in WSA
 Provide common management
 Provide common logging and reporting

Summary
 Cisco Web Security Solution leverages a comprehensive
architected featurelist to protect the dynamic
environment from the ubiquitios web 2.0 world.....
Or...
 Cisco Web Security Solution simply ROCK! 

We value your feedback.
Please be sure to complete the Evaluation Form for this session.

Access today‟s presentations at cisco.com/ca/plus

Follow @CiscoCanada and join the #CiscoPlusCA conversation

Web Security Deployment

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Web Security Deployment

Similar to Web Security Deployment (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Web Security Deployment