Cisco Canada, profile picture
Uploaded byCisco Canada
PDF, PPTX15,976 views

Web Security Deployment

The document discusses the deployment of web security solutions with Cisco IronPort and Cisco ScanSafe, outlining critical functionalities, authentication methods, and network placement. It covers hybrid security trends, the integration of proxy systems, and WCCP (Web Cache Communication Protocol) for traffic redirection, including best practices for configuration. Additionally, it highlights challenges in securing web traffic in branch offices and the enhancements available through ScanSafe's cloud services and integration with Active Directory for user authentication.

Embed presentation

Download as PDF, PPTX
Web Security Deployment Ryan Wager Technical Marketing Engineer
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security – Secure Mobility
1996
Today„s Websites...
Appliance or Cloud?
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
Cisco Web Security Appliance  Web Proxy incl. Caching (http,https, ftp, ftp over http)  Rich security functionalities Reputation filtering Malware scanning URL Filtering Application visibility & control HTTPS inspection Authentication Reporting and tracking L4TM ...more to come!
Web Application Control  Many Applications work on top of HTTP traffic  Applications are detected and controlled by special Signatures  Those Signatures are downloaded dynamically via regular Signature Updates from Cisco  No reboot or manual installation required!
About Reputation  Cisco SIO gathers statistical informations from Cisco Products and other resources  Cisco SIO correlates informations  Updated informations are delivered back to appliances  Each IP / URL gets a score, ranging from -10 to +10 External Outbreak Intelligence feeds Web Email ASA IPS
About Reputation  Malicious websites are tracked globally through SIO  WSA evaluates each webrequest against the defined reputation score  Reputation score and action is configured on WSA
Network Participation  Admin can define the level of participation  Requested URL with result is sent back  User information and internal networks are not sent Disabled: No information is sent to Cisco SIO Database Limited: Server URL of request, hash of path segments Standard: Server URL and all path segments are sent back
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
Explicit Proxy  Client requests a website  Browser connects first to WSA  WSA connects to website  Firewall usually only allows webtraffic for proxy Web Security Appliance Internet Web server Internet ASA 5500 Firewall
How does the Browser find the Proxy?  Proxy setting in the browser  Static definition with IP/NAME and PORT
How does the Browser find the Proxy?  Automatic Configuration via PAC File function FindProxyForURL(url, host) { return "PROXY 192.168.1.80:3128"; } function FindProxyForURL(url, host) { return "PROXY 192.168.1.80:3128; 192.168.1.81:3128"; } http://www.findproxyforurl.com/
PAC Deployment  Via AD and GPO  Via script  Via manual setting  Via DHCP DHCP Option 252  Via Wpad Server
WPAD Server  WPAD Server hosts PAC file as wpad.dat  File is retrieved via HTTP and Javascript  Automatic Settings creates a lookup on a server called „wpad“
Transparent Proxy via WCCP  Client requests a website  Browser tries to connect to Website  Network Device redirects traffic to WSA using WCCP  WSA proxies the request Web Security Appliance Internet Web server Internet ASA 5500 Firewall
Background on WCCP  WCCPv1 developed in 1997 by Cisco Systems and publicly released in July 2000  WCCPv2 published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing – Enhancements • Configurable WCCP Router ID • WCCP Variable Timers – Improved Failover • Improved Interaction between WCCP and NetFlow  WCCPv3 is an internal specification targeted at IPv6 that was never released
Details Assignment The WCCP assignment method is used to determine which WCCP traffic and which WCCP device is chosen for the destination traffic. WCCP can use two types of Assignment Methods: Hash and Mask. • Hash Based Assignment Uses a software based hash algorithm to determine which WCCP appliance receives traffic. In hardware based platforms the Netflow table is used to apply hardware assistance. • Mask Based Assignment Uses the ACL TCAM to assign WCCP entities. This method is fully handled by hardware.
Details Redirect and Return • Redirect Method – WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client (WSA, Cache,…) – Layer 2 - Frame MAC address rewritten to MAC of WCCP Client • Return Method The Return method determines how the traffic will be sent back from the router to the WCCP appliance if the traffic could not be serviced. Refered to as “Proxy Bypass” – WCCP GRE – Packet WCCP GRE returned router – WCCP Layer 2 – Frame rewritten to router MAC
Details Assignment • The following best practices should be followed for implementing WCCP on a software-based platform: – GRE Forwarding (Default) – Hash Assignment (Default) – Inbound or Outbound Interception – "ipwccp redirect exclude in" on WCCP client interface (outbound interception only) • The following best practices should be followed for implementing WCCP on a hardware-based platform: – L2 Forwarding – Mask Assignment – Inbound Interception – No "ipwccp redirect exclude in"
WCCP input redirect WCCP Input redirect Ingress Egress Interface Interface
WCCP output redirect and input exclude WCCP Output redirect Ingress Egress Interface Interface WCCP Exclude-in
How WCCP registration works 1. Registration 2. „Here I am“ 3. „I see you“ WCCP Server WCCP Client  The WCCP client registers at the WCCP Server  Both, Server and Client need to use the same WCCP Service Group ID  One WCCP Server usually can server multiple Clients  Server and Client exchange „here i am“ and „I see you“ Packets to check availability  UDP/2048, unicast  Multicast possible  Traffic is redirected from Server to one or multiple Clients using the „hash“ or „mask“ algorithm
WCCP Protocol Failover  When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group  If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally Buckets 86–128 Buckets 129–170 Buckets 1–85 Buckets 86–170 Buckets 171–255 A X B C
Using WCCP for Traffic Redirection  WCCPv2 support is availible on many Cisco Platforms: L3 Switches, Routers, ASA 5500 Security Appliance  Cisco Ironport WSA supports all redirect and assign methods (software implementation)  Method to use will be negotiated
WCCP For Your Reference Platform Recommendations Function Software ASR 1000 Cat 6500 Cat 6500 ASA 5500 Support / ISR & 7200 Sup720 Sup32 Sup2 Cat 4500 Cat 3750 Recommend Assignment Hash Only Mask Only Mask or Hash / Mask or Hash Mask only Mask only Hash only Mask / Mask Forwarding GRE Only L2 or GRE / L2 L2 or GRE / L2 or L2 or GRE / L2 L2 only L2 only GRE Only or GRE GRE Forwarding Full extended Full extended Full extended Full extended No Redirect Extended Full Redirect List ACL ACL ACL ACL List Support ACL (no extended deny) ACL Direction In or In only In or Out / In In or In only In only In only Out / In Out / In Return IP Forward , IP Forward, L2, GRE, nGRE, L2, IP Forward or IP Forward IP Forward GRE L2 or GRE WCCP GRE, or & IP Forward / L2 / IP or L2 / IP or L2 / IP generic GRE No GRE Forward Forward Forward
Transparent Redirection and HTTPS Symptoms: • Successfully configured WCCP on the L3 Device • Successfully connect to HTTP sites • Cannot connect to HTTPS Sites • Switching to explicit Proxy works fine for HTTP and HTTPS Solution:  Activate HTTPS Proxy  Not necessary to decrypt the requests
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
Policy - Authentication  Policy objects can be managed from central access policy screen  First step is to define the Identity: ”For whom does this policy apply?”
Authentication User Web Security Appliance User Directory  Authentication Protocols Directory: LDAP or AD Method: Basic: Credentials are sent unencrypted NTLMSSP: Challenge-Response  Tracking the User IP based Surrogates Cookie based Surrogates
NTLM Authentication  NTLM requires Account in the AD Domain  Credentials to create a computer account are used only once, not stored on appliance  Currently only one domain is supported via NTLM
LDAP Authentication  LDAP queries on port 389 or 636 (Secure LDAP), 3268 (AD GC Server)  Need to know the Base DN Name Parameter  Can connect to multiple different domains
Authentication against LDAP • Knowing the LDAP Base DN is fundamental • Or check with „DSQUERY“ command on a MS AD
Authentication in Explicit Deployment User Web Security Appliance User Directory http error 407  Proxy sends http response 407 (proxy auth. request) Client recognizes the proxy Client will then accept a http response 407 from the proxy  Works for HTTPS Client sends a CONNECT request to the proxy Client will then accept a 407 response from the proxy
Authentication in Transparent Deployment User Internet Web server Internet User Directory Web Security Appliance  Client is not aware of a proxy -> http response 407 cannot be used  Need to use http response 401 – basic authentication Client needs to be first redirected to the wsa
DEMO – WSA with transparent redirection
IE8/IE9 with Single-Sign On  SSO on WSA correctly configured but Clients still getting prompted  Check if WSA Redirect Name is listed in „Trusted Sites“  Check „Security Settings“ on Trusted Sites and set to „Automatic Logon with current user name and password“
Transparent User Identification (TUI) Web Security Release 7.5 1. Client logs on to the AD Domain 2. Client request a Web Site 3. Traffic is transparently redirected to the WSA 4. WSA needs to authenticate and queries the AD Agent for the User/Group 5. AD Agent looks up the IP and delivers User/Group 6. Request is proxied and forwarded to the Internet 4 6 AD Controller w/ Agent 5 WSA Internet 3 1 2 AD User Switch w/ WCCP
DEMO – WSA with Transparent User Identification
Cisco Ironport WSA & IPv6 Support  Current version of WSA does not yet support IPv6  Support is planned for Q4CY2012 IPv6 Support for explicit mode Transparent is depending on implementation on ISR, ASA and Switches, done in a later release  WSA will listen for connections both on IPv4 and IPv6  Admin can configure, if IPv4 or IPv6 should be prefered  Depending on Configuration, A-record or AAAA-record will be delivered IPv6 Internal IPv6 Internet IPv4
Sizing for WSA • Main Parameter for sizing is “requests per second” • Rule of thumb: Each request/s is approx. 80-90 Kbps of HTTP traffic Each Mbps of HTTP translates to approx. 10 requests/s 100 Mbps of sustained HTTP traffic is approx. 1000 requests/s • Easy way to find out on a WSA: use the “rate” CLI command This parameter allows a quite correct sizing depending on features together with the Cisco SE
Sizing Table Example S370 Appliance
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Overview and Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
Websecurity through Cloudservice  Hosted Websecurity through Cisco Scansafe Cloud Service  Central reporting and administration through Scancenter Portal
Data Flow with ScanSafe  Client requests are redirected to a proxy in the cloud Internet  Requests are checked and filtered  Clean requests are directed back to the client Web requests Allowed traffic Filtered traffic User
Scalability & Reliability  Billions of web requests per day  <50 ms latency  High-Availability Infrastructure  Parallel Processing See BRKSEC-2346: Inside the Scansafe Architecture
Outbreak Intelligence SWF Scanlet <html> JAVA Phishing Scanlet Scanlet Win EXE <js> Scanlet Archive Context META Scanlet Scanlet Scanner <swf> Multiple <web> AV Script MF Scanlet Scanlet <pdf> File Anomaly  Parallel Processing in the PDF Scanlet <jpg> Scanlet Scantower provides maximum performance  Scanlets provide scanning for malware through code anomaly analysis
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Overview and Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
Challenge:Branch Office with local Breakout Corporate Internet Network VPN  Webtraffic destined for the central DC is sent via VPN Tunnel  Normal Webtraffic goes directly to the Internet bandwidth saving in the central site  But how to secure the webtraffic?
ISR G2 with integrated Connector  Connector is integrated in the Cisco ISR G2 Router Platforms  No need to install Connector seperatly in branch networks Internet  Redirect of the webtraffic is happening transparently for the user on the router  Provides Scantower redundancy  Provides User granularity  Authenticate User via NTLM (transparent authentication) or Basic (Prompt for Credentials)  NTLM works without prompting for IE, Firefox and Google Chrome AD Server BRKSEC-3007: Advanced Cisco IOS Security Features 61
ISR G2 with Integrated Connector Simple Config parameter-map type content-scan global server scansafe primary name proxy100.scansafe.net port http 8080 https 8080 license 0 68668486389366986986968689698668 source interface FastEthernet8 timeout server 60 timeout session-inactivity 120 user-group munlab username tmayer server scansafe on-failure block-all interface FastEthernet8 description $WAN-Interface$ ip address dhcp client-id FastEthernet8 ip nat outside content-scan out 62
Sizing and Scalability for ISR with Connector  Phase 1: Feb 2012 For Your Reference  Phase 2: May 2012 ScanSafe Users Supported per ISR G2 Platform 3945E 3925E 3945 3925 2951 2921 2911 2901 1941 1921 891 Phase II Phase I No Auth 5000 5000 1200 900 600 500 400 350 350 300 120 Web Proxy 1200 1200 1200 900 600 500 400 350 350 300 120 HTTP Basic 1200 1200 1200 900 600 500 400 350 350 300 120 NTLM 1200 1200 1200 900 600 500 400 350 350 300 120
ASA ScanSafe Integration Headquarters and Branch office Internet web traffic scanned by Scansafe Both Headquarters and Branch Scansafe Google office web traffic whitelisted Tower Server AAA AAA ASA ASA Employees Employees Headquarters Branch Office
Browser Redirection via GPO / PAC file • Proxy Settings are pushed to browsers via Active Directory Internet GPO AD • Browsers connect through Server Firewall on port 8080 to Web Security Service • Firewall blocks all other GET GPO Update requests • Provides Site/External IP granularity
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Overview and Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
Easy ID • Clientless User authentication via webbrowser • User authenticates via Webportal • Policies are applied from Scancenter Portal verifying User Name and Group through AD Connection • AD Connection is done via LDAPS query from Scancenter to the LDAP Directory at customer site • Scancenter is sending a cookie that is used for subsequent authentication
Standalone Connector • Proxy Settings are pushed to browsers via AD,GPO or PAC file to ScanSafe on port 8080/443 to the Cloud based Tower • Connector receives Client info and Internet queries Active Directory Server for Group Connector Information, then proxies to ScanSafe upstream • Set Firewall to block all other GET requests • Provides IP/End User/Group granularity • Scalable up to 10000 Users per AD Connector, depending on which HW it is Server installed
Roaming Users • Installs a Network Driver which binds to all connections (LAN, Wireless, 3G) • Automatic Peering Identifies nearest ScanSafe Datacenter and whether a connection is possible. Proxy Firewall Hotspot • AD information can be remembered from when the user was last on the corporate network using the Gpresult API (group policy) Client with Websecurity
Web Security & AnyConnect  Supported on Windows & MAC OS X  Client settings are controlled via Profile  Profile can be centrally distributed via the Scancenter Portal 71
Web Security & AnyConnect  Single and modular client VPN (SSL, IKEv2, Always-On,...) 802.1x (Wired, Wireless, MACSEC...) Websecurity Posture for VPN Telemetry (SIO)  All modules can be used independently or all together  If VPN Module is used, profile management can be done centrally through ASA 72
How Does it Work?  Authenticates and directs your external client Web traffic to our scanning infrastructure  Automatically connect to nearest Scantower  SSL encryption of all Web traffic sent improves security over public networks (example: Firesheep Plugin for FF) 73
Web Security & AnyConnect Configuration for Web Security with VPN  Configured through a profile, downloaded from ASA at connect  VPN is lower in the stack than the Websecurity Module Internet  Split tunnel Scansafe gateways in the Corporate VPN Config (on the ASA) traffic  Exclude Corporate adresses from beeing forwarded to the scansafe Client with towers Websecurity 74
Web Security & AnyConnect Configuration Client Profile For Your Reference Scanning Tower selection Proxy ports
Web Security & AnyConnect Configuration – Client Profile Exceptions for internal networks & public websites to be excluded from scanning Exceptions for authorized internal proxies Static Exceptions like VPN Gateways
Web Security & AnyConnect Configuration – For Your Client Profile Reference Automatic selection of nearest Scantower Activate Beacon Checking, Deploy public key
Web Security & AnyConnect Configuration – For Your Client Profile Reference License Key Authentication Settings
Web Security & AnyConnect Configuration for Web Security without VPN  Scancenter Portal provides hosting of PAC file and / or Client Profile  Differentiate Usergroups due to usage of group keys Upload Client Profile Specify Client Profile Key for Authentication
Beacon Server for the AnyConnect Web Security Module  Beacon Server runs on an internal Server  Client gets public key from Beacon Server during deployment  If the client has reachability to the Beacon Server, client module is deactivated  TND in ASA 9.0
DEMO – AnyConnect with Web Security
Scansafe & IPv6 Support  Current version of Web Security does not yet support IPv6  IPv6 traffic scanning can be excluded by adding “::/0” to Static Exceptions IPv6  Full IPv6 Support will be added mid CY 2012 in two phases: Internal IPv6 IPv4 Internet AC 3.1 or Standalone / integrated Connector Internet AC 3.1 or Standalone / integrated Connector
Agenda • Overview Web Security • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
Secure Mobility Future – Hybrid Security  Internet traffic Remote User w/ secure through web AnyConnect security cloud Client 3.0 service  Corporate traffic Internet secure through Cisco WSA Cisco ASA tunnel and WSA  Consistent Policy Corporate and Monitoring Network
Hybrid Security – what has been done and what lies ahead  Unification of URL Databases  AVC integration  Connector Integration in ISR G2 Router  Unification of features – Q1/Q2 CY2012 Application visibility and control Web Reputation  Connector Integration in ASA – Q3 CY2012  Connector Integration in WSA  Provide common management  Provide common logging and reporting
Summary  Cisco Web Security Solution leverages a comprehensive architected featurelist to protect the dynamic environment from the ubiquitios web 2.0 world..... Or...  Cisco Web Security Solution simply ROCK! 
Q&A #CiscoPlusCA
We value your feedback. Please be sure to complete the Evaluation Form for this session. Access today‟s presentations at cisco.com/ca/plus Follow @CiscoCanada and join the #CiscoPlusCA conversation
Thank you.

More Related Content

PPTX
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
byDhruv Sharma
 
PPTX
Cisco Ironport WSA- Introduction and Guide in Short
byPriyank Sharma
 
PDF
Pentesting RESTful webservices
byMohammed A. Imran
 
PPTX
F5 - BigIP ASM introduction
byJimmy Saigon
 
PPTX
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
PPTX
Rest API
byRohana K Amarakoon
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
Optimizing MySQL queries
byGMO-Z.com Vietnam Lab Center
 
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
byDhruv Sharma
 
Cisco Ironport WSA- Introduction and Guide in Short
byPriyank Sharma
 
Pentesting RESTful webservices
byMohammed A. Imran
 
F5 - BigIP ASM introduction
byJimmy Saigon
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
byAnurag Srivastava
 
Rest API
byRohana K Amarakoon
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Optimizing MySQL queries
byGMO-Z.com Vietnam Lab Center
 

What's hot

PDF
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
byAzzeddine Salem
 
PPT
L4교육자료
byguesta6ecae
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Best Practice for Achieving High Availability in MariaDB
byMariaDB plc
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPT
CCNA Security - Chapter 2
byIrsandi Hasan
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
PPTX
REST API Design & Development
byAshok Pundit
 
PPTX
Rest API Security
byStormpath
 
PDF
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
PPTX
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
byLior Rotkovitch
 
PPTX
API Security : Patterns and Practices
byPrabath Siriwardena
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
PDF
무선침입방지시스템 WIPS
by시온시큐리티
 
PPTX
security misconfigurations
byMegha Sahu
 
PDF
How can the ISO 27701 help to design, implement, operate and improve a privac...
byHernan Huwyler, MBA CPA
 
PDF
Web application security & Testing
byDeepu S Nath
 
PPT
LDAP
byKhemnath Chauhan
 
PPTX
Introduction vulnérabilité web
bydavystoffel
 
pcnsa-study-guide_PAN-OS_v11.0-1__01.pdf
byAzzeddine Salem
 
L4교육자료
byguesta6ecae
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Best Practice for Achieving High Availability in MariaDB
byMariaDB plc
 
OWASP Top 10 2021 What's New
byMichael Furman
 
CCNA Security - Chapter 2
byIrsandi Hasan
 
Waf bypassing Techniques
byAvinash Thapa
 
CNIT 129S: Ch 3: Web Application Technologies
bySam Bowne
 
REST API Design & Development
byAshok Pundit
 
Rest API Security
byStormpath
 
Overview of secret management solutions and architecture
byYuechuan (Mike) Chen
 
WAF ASM / Advance WAF - Brute force lior rotkovitch f5 sirt v5 clean
byLior Rotkovitch
 
API Security : Patterns and Practices
byPrabath Siriwardena
 
Secure coding practices
byMohammed Danish Amber
 
무선침입방지시스템 WIPS
by시온시큐리티
 
security misconfigurations
byMegha Sahu
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
byHernan Huwyler, MBA CPA
 
Web application security & Testing
byDeepu S Nath
 
LDAP
byKhemnath Chauhan
 
Introduction vulnérabilité web
bydavystoffel
 

Viewers also liked

PPTX
Checkpoint Firewall for Dummies
bysushmil123
 
PDF
Cisco ASA Firewall Lab WorkBook
byRHC Technologies
 
PDF
Presentation cisco iron port email & web security
byxKinAnx
 
PPTX
Cisco Web and Email Security Overview
byCisco Security
 
PPTX
Check Point sizing security
byGroup of company MUK
 
PDF
Presentation cisco iron port e-mail security solution
byxKinAnx
 
PPT
checkpoint
byMayank Dhingra
 
PPTX
Check Point Virtual Systems
byGroup of company MUK
 
PPT
Network security
byسودان وب لأمن المعلومات
 
PPTX
Check Point NGFW
byGroup of company MUK
 
PDF
Brksec 2101 deploying web security
byAlfredo Boiero Sanders
 
PDF
Cisco Web セキュリティ アプライアンス(WSA)
byシスコシステムズ合同会社
 
PDF
Deployment of cisco_iron_portweb_security_appliance
byAlfredo Boiero Sanders
 
PDF
Postgre sql +python
byMarcos Thomaz
 
PDF
Bascs nutshell
bymsaleh1234
 
PDF
Check point presentation june 2014
byDavid Berkelmans
 
PPTX
cyber Forensics
byMuzzammil Wani
 
PDF
Cp r75 firewall_admin_guide
byAnh Thảo
 
PPTX
Fundamentos de Banco de Dados Relacionais
byÁlvaro Farias Pinheiro
 
PPTX
Checkpoint r77
byMinh Dương
 
Checkpoint Firewall for Dummies
bysushmil123
 
Cisco ASA Firewall Lab WorkBook
byRHC Technologies
 
Presentation cisco iron port email & web security
byxKinAnx
 
Cisco Web and Email Security Overview
byCisco Security
 
Check Point sizing security
byGroup of company MUK
 
Presentation cisco iron port e-mail security solution
byxKinAnx
 
checkpoint
byMayank Dhingra
 
Check Point Virtual Systems
byGroup of company MUK
 
Network security
byسودان وب لأمن المعلومات
 
Check Point NGFW
byGroup of company MUK
 
Brksec 2101 deploying web security
byAlfredo Boiero Sanders
 
Cisco Web セキュリティ アプライアンス(WSA)
byシスコシステムズ合同会社
 
Deployment of cisco_iron_portweb_security_appliance
byAlfredo Boiero Sanders
 
Postgre sql +python
byMarcos Thomaz
 
Bascs nutshell
bymsaleh1234
 
Check point presentation june 2014
byDavid Berkelmans
 
cyber Forensics
byMuzzammil Wani
 
Cp r75 firewall_admin_guide
byAnh Thảo
 
Fundamentos de Banco de Dados Relacionais
byÁlvaro Farias Pinheiro
 
Checkpoint r77
byMinh Dương
 

Similar to Web Security Deployment

PPTX
System and network administration network services
byUc Man
 
PDF
BRKSEC-3771 - WSA with wccp.pdf
byMenakaDevi14
 
PDF
Ch 2: TCP/IP Concepts Review
bySam Bowne
 
PPTX
Wireshark
bybtohara
 
PDF
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
bySam Bowne
 
PDF
Cisco ccna-security note
byjihad nader
 
PPTX
Basic ip traffic management with access control lists
bySourabh Badve
 
PPT
Firewall
byManikyala Rao
 
PPT
Np unit1
byvamsitricks
 
PPT
Tcp ip
byAkshay Nagpurkar
 
PDF
4. Communication and Network Security
bySam Bowne
 
PPT
Fundamentals of Networking
byIsrael Marcus
 
PDF
E firewalls
byAbhiroop Ghatak
 
PPSX
Network &amp; security startup
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPT
Firewalls
byhemantag
 
PPTX
Guide to protecting networks - Eric Vanderburg
byEric Vanderburg
 
PPT
Ride the Light
byMichelle Davies (Hryvnak)
 
PDF
Designing.and.implementing.linux
bygavin shaw
 
PPTX
Lync 2010 Voice Deployment
byHarold Wong
 
PPTX
INFT132 093 02 Internet Concepts
byMichael Rees
 
System and network administration network services
byUc Man
 
BRKSEC-3771 - WSA with wccp.pdf
byMenakaDevi14
 
Ch 2: TCP/IP Concepts Review
bySam Bowne
 
Wireshark
bybtohara
 
CISSP Prep: Ch 5. Communication and Network Security (Part 1)
bySam Bowne
 
Cisco ccna-security note
byjihad nader
 
Basic ip traffic management with access control lists
bySourabh Badve
 
Firewall
byManikyala Rao
 
Np unit1
byvamsitricks
 
Tcp ip
byAkshay Nagpurkar
 
4. Communication and Network Security
bySam Bowne
 
Fundamentals of Networking
byIsrael Marcus
 
E firewalls
byAbhiroop Ghatak
 
Network &amp; security startup
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Firewalls
byhemantag
 
Guide to protecting networks - Eric Vanderburg
byEric Vanderburg
 
Ride the Light
byMichelle Davies (Hryvnak)
 
Designing.and.implementing.linux
bygavin shaw
 
Lync 2010 Voice Deployment
byHarold Wong
 
INFT132 093 02 Internet Concepts
byMichael Rees
 

More from Cisco Canada

PDF
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
byCisco Canada
 
PPTX
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
byCisco Canada
 
PDF
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
byCisco Canada
 
PDF
Cisco connect montreal 2018 saalvare md-program-xr-v2
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 network-slicing
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 DNA assurance
byCisco Canada
 
PDF
Cisco connect montreal 2018 collaboration les services webex hybrides
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 DevNet Overview
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 sixty to zero
byCisco Canada
 
PDF
Cisco connect montreal 2018 net devops
byCisco Canada
 
PDF
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
byCisco Canada
 
PDF
Cisco connect montreal 2018 secure dc
byCisco Canada
 
PDF
Cisco connect montreal 2018 compute v final
byCisco Canada
 
PDF
Cisco connect montreal 2018 vision mondiale analyse locale
byCisco Canada
 
PDF
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
byCisco Canada
 
PDF
Integration cisco et microsoft connect montreal 2018
byCisco Canada
 
PDF
Cisco connect montreal 2018 iot demo kinetic fr
byCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
byCisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
byCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
byCisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
byCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
byCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
byCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
byCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
byCisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
byCisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
byCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
byCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
byCisco Canada
 
Cisco connect montreal 2018 net devops
byCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
byCisco Canada
 
Cisco connect montreal 2018 secure dc
byCisco Canada
 
Cisco connect montreal 2018 compute v final
byCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
byCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
byCisco Canada
 
Integration cisco et microsoft connect montreal 2018
byCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
byCisco Canada
 

Recently uploaded

PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PPTX
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
PPTX
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
PPTX
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
PDF
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
PDF
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
Neo4j Fraud GraphTalk Singapore Nov 2025
bygourisachdeva2
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
THE THREATS OF INSTABILITY IN BRAZIL'S INTERCONNECTED ELECTRICAL SYSTEM AND H...
byFaga1939
 
Building Powerful Web Apps to Improve Productivity and Engagement - Esri UK W...
byEsri UK
 
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
Agentic AI presentation with Python Exercises
byParth Mane
 
In this document
Powered by AI

An overview of the presentation by Ryan Wager, focused on web security including agenda items.

An introduction to the timeline of web security and the debate between appliance vs. cloud solutions.

Features of Cisco's Web Security Appliance: web proxy, filtering, scanning, and reputation management.

Methods and settings for proxy participation, both explicit and automatic configuration methods.

Detailed functionality of WCCP for traffic redirection, methods of assignment, and failover mechanisms.Utilizing WCCP for traffic redirection; addressing challenges with HTTPS traffic.

Establishing authentication policies, protocols used, and LDAP integration for user directory.

Processes of authentication in explicit vs. transparent deployment scenarios.

Methods for transparent user identification using AD for authentication and user tracking.

Plans for IPv6 support in WSA and parameters for sizing based on requests per second.

Overview of Scansafe service, including client redirection and data flow through the cloud.Scalability metrics and outbreak intelligence features offered by Scansafe cloud services.

Addressing web traffic security challenges in a hybrid environment with local breakout strategies.

Integration methods for Scansafe, including GPO, AD settings, and browser configurations.

Clientless user authentication and how the standalone connector interfaces with directory services.

Solutions to maintain web security for roaming users, including automatic connection identification.

Overview of AnyConnect integration with web security, settings and configurations.

Future vision for hybrid security, integration efforts towards seamless secure mobility solutions.Final summary of Cisco Web Security Solution and encouragement for audience feedback on the session.

Web Security Deployment

  • 1.
    Web Security Deployment Ryan Wager Technical Marketing Engineer
  • 2.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security – Secure Mobility
  • 3.
  • 4.
  • 5.
  • 6.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
  • 7.
    Cisco Web SecurityAppliance  Web Proxy incl. Caching (http,https, ftp, ftp over http)  Rich security functionalities Reputation filtering Malware scanning URL Filtering Application visibility & control HTTPS inspection Authentication Reporting and tracking L4TM ...more to come!
  • 8.
    Web Application Control Many Applications work on top of HTTP traffic  Applications are detected and controlled by special Signatures  Those Signatures are downloaded dynamically via regular Signature Updates from Cisco  No reboot or manual installation required!
  • 9.
    About Reputation  CiscoSIO gathers statistical informations from Cisco Products and other resources  Cisco SIO correlates informations  Updated informations are delivered back to appliances  Each IP / URL gets a score, ranging from -10 to +10 External Outbreak Intelligence feeds Web Email ASA IPS
  • 10.
    About Reputation  Maliciouswebsites are tracked globally through SIO  WSA evaluates each webrequest against the defined reputation score  Reputation score and action is configured on WSA
  • 11.
    Network Participation  Admincan define the level of participation  Requested URL with result is sent back  User information and internal networks are not sent Disabled: No information is sent to Cisco SIO Database Limited: Server URL of request, hash of path segments Standard: Server URL and all path segments are sent back
  • 12.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
  • 13.
    Explicit Proxy  Client requests a website  Browser connects first to WSA  WSA connects to website  Firewall usually only allows webtraffic for proxy Web Security Appliance Internet Web server Internet ASA 5500 Firewall
  • 14.
    How does theBrowser find the Proxy?  Proxy setting in the browser  Static definition with IP/NAME and PORT
  • 15.
    How does theBrowser find the Proxy?  Automatic Configuration via PAC File function FindProxyForURL(url, host) { return "PROXY 192.168.1.80:3128"; } function FindProxyForURL(url, host) { return "PROXY 192.168.1.80:3128; 192.168.1.81:3128"; } http://www.findproxyforurl.com/
  • 16.
    PAC Deployment  Via AD and GPO  Via script  Via manual setting  Via DHCP DHCP Option 252  Via Wpad Server
  • 17.
    WPAD Server  WPAD Server hosts PAC file as wpad.dat  File is retrieved via HTTP and Javascript  Automatic Settings creates a lookup on a server called „wpad“
  • 18.
    Transparent Proxy viaWCCP  Client requests a website  Browser tries to connect to Website  Network Device redirects traffic to WSA using WCCP  WSA proxies the request Web Security Appliance Internet Web server Internet ASA 5500 Firewall
  • 19.
    Background on WCCP WCCPv1 developed in 1997 by Cisco Systems and publicly released in July 2000  WCCPv2 published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing – Enhancements • Configurable WCCP Router ID • WCCP Variable Timers – Improved Failover • Improved Interaction between WCCP and NetFlow  WCCPv3 is an internal specification targeted at IPv6 that was never released
  • 20.
    Details Assignment The WCCP assignmentmethod is used to determine which WCCP traffic and which WCCP device is chosen for the destination traffic. WCCP can use two types of Assignment Methods: Hash and Mask. • Hash Based Assignment Uses a software based hash algorithm to determine which WCCP appliance receives traffic. In hardware based platforms the Netflow table is used to apply hardware assistance. • Mask Based Assignment Uses the ACL TCAM to assign WCCP entities. This method is fully handled by hardware.
  • 21.
    Details Redirect and Return •Redirect Method – WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client (WSA, Cache,…) – Layer 2 - Frame MAC address rewritten to MAC of WCCP Client • Return Method The Return method determines how the traffic will be sent back from the router to the WCCP appliance if the traffic could not be serviced. Refered to as “Proxy Bypass” – WCCP GRE – Packet WCCP GRE returned router – WCCP Layer 2 – Frame rewritten to router MAC
  • 22.
    Details Assignment •The following best practices should be followed for implementing WCCP on a software-based platform: – GRE Forwarding (Default) – Hash Assignment (Default) – Inbound or Outbound Interception – "ipwccp redirect exclude in" on WCCP client interface (outbound interception only) • The following best practices should be followed for implementing WCCP on a hardware-based platform: – L2 Forwarding – Mask Assignment – Inbound Interception – No "ipwccp redirect exclude in"
  • 23.
    WCCP input redirect WCCP Input redirect Ingress Egress Interface Interface
  • 24.
    WCCP output redirectand input exclude WCCP Output redirect Ingress Egress Interface Interface WCCP Exclude-in
  • 25.
    How WCCP registrationworks 1. Registration 2. „Here I am“ 3. „I see you“ WCCP Server WCCP Client  The WCCP client registers at the WCCP Server  Both, Server and Client need to use the same WCCP Service Group ID  One WCCP Server usually can server multiple Clients  Server and Client exchange „here i am“ and „I see you“ Packets to check availability  UDP/2048, unicast  Multicast possible  Traffic is redirected from Server to one or multiple Clients using the „hash“ or „mask“ algorithm
  • 26.
    WCCP Protocol Failover  Whena WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group  If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally Buckets 86–128 Buckets 129–170 Buckets 1–85 Buckets 86–170 Buckets 171–255 A X B C
  • 27.
    Using WCCP forTraffic Redirection  WCCPv2 support is availible on many Cisco Platforms: L3 Switches, Routers, ASA 5500 Security Appliance  Cisco Ironport WSA supports all redirect and assign methods (software implementation)  Method to use will be negotiated
  • 28.
    WCCP For Your Reference Platform Recommendations Function Software ASR 1000 Cat 6500 Cat 6500 ASA 5500 Support / ISR & 7200 Sup720 Sup32 Sup2 Cat 4500 Cat 3750 Recommend Assignment Hash Only Mask Only Mask or Hash / Mask or Hash Mask only Mask only Hash only Mask / Mask Forwarding GRE Only L2 or GRE / L2 L2 or GRE / L2 or L2 or GRE / L2 L2 only L2 only GRE Only or GRE GRE Forwarding Full extended Full extended Full extended Full extended No Redirect Extended Full Redirect List ACL ACL ACL ACL List Support ACL (no extended deny) ACL Direction In or In only In or Out / In In or In only In only In only Out / In Out / In Return IP Forward , IP Forward, L2, GRE, nGRE, L2, IP Forward or IP Forward IP Forward GRE L2 or GRE WCCP GRE, or & IP Forward / L2 / IP or L2 / IP or L2 / IP generic GRE No GRE Forward Forward Forward
  • 29.
    Transparent Redirection andHTTPS Symptoms: • Successfully configured WCCP on the L3 Device • Successfully connect to HTTP sites • Cannot connect to HTTPS Sites • Switching to explicit Proxy works fine for HTTP and HTTPS Solution:  Activate HTTPS Proxy  Not necessary to decrypt the requests
  • 30.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
  • 31.
    Policy - Authentication Policy objects can be managed from central access policy screen  First step is to define the Identity: ”For whom does this policy apply?”
  • 32.
    Authentication User Web Security Appliance User Directory  Authentication Protocols Directory: LDAP or AD Method: Basic: Credentials are sent unencrypted NTLMSSP: Challenge-Response  Tracking the User IP based Surrogates Cookie based Surrogates
  • 33.
    NTLM Authentication NTLM requires Account in the AD Domain  Credentials to create a computer account are used only once, not stored on appliance  Currently only one domain is supported via NTLM
  • 34.
    LDAP Authentication  LDAPqueries on port 389 or 636 (Secure LDAP), 3268 (AD GC Server)  Need to know the Base DN Name Parameter  Can connect to multiple different domains
  • 35.
    Authentication against LDAP •Knowing the LDAP Base DN is fundamental • Or check with „DSQUERY“ command on a MS AD
  • 36.
    Authentication in ExplicitDeployment User Web Security Appliance User Directory http error 407  Proxy sends http response 407 (proxy auth. request) Client recognizes the proxy Client will then accept a http response 407 from the proxy  Works for HTTPS Client sends a CONNECT request to the proxy Client will then accept a 407 response from the proxy
  • 37.
    Authentication in TransparentDeployment User Internet Web server Internet User Directory Web Security Appliance  Client is not aware of a proxy -> http response 407 cannot be used  Need to use http response 401 – basic authentication Client needs to be first redirected to the wsa
  • 38.
    DEMO – WSAwith transparent redirection
  • 39.
    IE8/IE9 with Single-SignOn  SSO on WSA correctly configured but Clients still getting prompted  Check if WSA Redirect Name is listed in „Trusted Sites“  Check „Security Settings“ on Trusted Sites and set to „Automatic Logon with current user name and password“
  • 40.
    Transparent User Identification(TUI) Web Security Release 7.5 1. Client logs on to the AD Domain 2. Client request a Web Site 3. Traffic is transparently redirected to the WSA 4. WSA needs to authenticate and queries the AD Agent for the User/Group 5. AD Agent looks up the IP and delivers User/Group 6. Request is proxied and forwarded to the Internet 4 6 AD Controller w/ Agent 5 WSA Internet 3 1 2 AD User Switch w/ WCCP
  • 41.
    DEMO – WSAwith Transparent User Identification
  • 42.
    Cisco Ironport WSA& IPv6 Support  Current version of WSA does not yet support IPv6  Support is planned for Q4CY2012 IPv6 Support for explicit mode Transparent is depending on implementation on ISR, ASA and Switches, done in a later release  WSA will listen for connections both on IPv4 and IPv6  Admin can configure, if IPv4 or IPv6 should be prefered  Depending on Configuration, A-record or AAAA-record will be delivered IPv6 Internal IPv6 Internet IPv4
  • 43.
    Sizing for WSA •Main Parameter for sizing is “requests per second” • Rule of thumb: Each request/s is approx. 80-90 Kbps of HTTP traffic Each Mbps of HTTP translates to approx. 10 requests/s 100 Mbps of sustained HTTP traffic is approx. 1000 requests/s • Easy way to find out on a WSA: use the “rate” CLI command This parameter allows a quite correct sizing depending on features together with the Cisco SE
  • 44.
  • 45.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Overview and Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
  • 46.
    Websecurity through Cloudservice Hosted Websecurity through Cisco Scansafe Cloud Service  Central reporting and administration through Scancenter Portal
  • 47.
    Data Flow withScanSafe  Client requests are redirected to a proxy in the cloud Internet  Requests are checked and filtered  Clean requests are directed back to the client Web requests Allowed traffic Filtered traffic User
  • 48.
    Scalability & Reliability Billions of web requests per day  <50 ms latency  High-Availability Infrastructure  Parallel Processing See BRKSEC-2346: Inside the Scansafe Architecture
  • 49.
    Outbreak Intelligence SWF Scanlet <html> JAVA Phishing Scanlet Scanlet Win EXE <js> Scanlet Archive Context META Scanlet Scanlet Scanner <swf> Multiple <web> AV Script MF Scanlet Scanlet <pdf> File Anomaly  Parallel Processing in the PDF Scanlet <jpg> Scanlet Scantower provides maximum performance  Scanlets provide scanning for malware through code anomaly analysis
  • 50.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Overview and Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
  • 51.
    Challenge:Branch Office withlocal Breakout Corporate Internet Network VPN  Webtraffic destined for the central DC is sent via VPN Tunnel  Normal Webtraffic goes directly to the Internet bandwidth saving in the central site  But how to secure the webtraffic?
  • 52.
    ISR G2 withintegrated Connector  Connector is integrated in the Cisco ISR G2 Router Platforms  No need to install Connector seperatly in branch networks Internet  Redirect of the webtraffic is happening transparently for the user on the router  Provides Scantower redundancy  Provides User granularity  Authenticate User via NTLM (transparent authentication) or Basic (Prompt for Credentials)  NTLM works without prompting for IE, Firefox and Google Chrome AD Server BRKSEC-3007: Advanced Cisco IOS Security Features 61
  • 53.
    ISR G2 withIntegrated Connector Simple Config parameter-map type content-scan global server scansafe primary name proxy100.scansafe.net port http 8080 https 8080 license 0 68668486389366986986968689698668 source interface FastEthernet8 timeout server 60 timeout session-inactivity 120 user-group munlab username tmayer server scansafe on-failure block-all interface FastEthernet8 description $WAN-Interface$ ip address dhcp client-id FastEthernet8 ip nat outside content-scan out 62
  • 54.
    Sizing and Scalabilityfor ISR with Connector  Phase 1: Feb 2012 For Your Reference  Phase 2: May 2012 ScanSafe Users Supported per ISR G2 Platform 3945E 3925E 3945 3925 2951 2921 2911 2901 1941 1921 891 Phase II Phase I No Auth 5000 5000 1200 900 600 500 400 350 350 300 120 Web Proxy 1200 1200 1200 900 600 500 400 350 350 300 120 HTTP Basic 1200 1200 1200 900 600 500 400 350 350 300 120 NTLM 1200 1200 1200 900 600 500 400 350 350 300 120
  • 55.
    ASA ScanSafe Integration Headquarters and Branch office Internet web traffic scanned by Scansafe Both Headquarters and Branch Scansafe Google office web traffic whitelisted Tower Server AAA AAA ASA ASA Employees Employees Headquarters Branch Office
  • 56.
    Browser Redirection viaGPO / PAC file • Proxy Settings are pushed to browsers via Active Directory Internet GPO AD • Browsers connect through Server Firewall on port 8080 to Web Security Service • Firewall blocks all other GET GPO Update requests • Provides Site/External IP granularity
  • 57.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Overview and Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
  • 58.
    Easy ID •Clientless User authentication via webbrowser • User authenticates via Webportal • Policies are applied from Scancenter Portal verifying User Name and Group through AD Connection • AD Connection is done via LDAPS query from Scancenter to the LDAP Directory at customer site • Scancenter is sending a cookie that is used for subsequent authentication
  • 59.
    Standalone Connector • ProxySettings are pushed to browsers via AD,GPO or PAC file to ScanSafe on port 8080/443 to the Cloud based Tower • Connector receives Client info and Internet queries Active Directory Server for Group Connector Information, then proxies to ScanSafe upstream • Set Firewall to block all other GET requests • Provides IP/End User/Group granularity • Scalable up to 10000 Users per AD Connector, depending on which HW it is Server installed
  • 60.
    Roaming Users • Installsa Network Driver which binds to all connections (LAN, Wireless, 3G) • Automatic Peering Identifies nearest ScanSafe Datacenter and whether a connection is possible. Proxy Firewall Hotspot • AD information can be remembered from when the user was last on the corporate network using the Gpresult API (group policy) Client with Websecurity
  • 61.
    Web Security &AnyConnect  Supported on Windows & MAC OS X  Client settings are controlled via Profile  Profile can be centrally distributed via the Scancenter Portal 71
  • 62.
    Web Security &AnyConnect  Single and modular client VPN (SSL, IKEv2, Always-On,...) 802.1x (Wired, Wireless, MACSEC...) Websecurity Posture for VPN Telemetry (SIO)  All modules can be used independently or all together  If VPN Module is used, profile management can be done centrally through ASA 72
  • 63.
    How Does itWork?  Authenticates and directs your external client Web traffic to our scanning infrastructure  Automatically connect to nearest Scantower  SSL encryption of all Web traffic sent improves security over public networks (example: Firesheep Plugin for FF) 73
  • 64.
    Web Security &AnyConnect Configuration for Web Security with VPN  Configured through a profile, downloaded from ASA at connect  VPN is lower in the stack than the Websecurity Module Internet  Split tunnel Scansafe gateways in the Corporate VPN Config (on the ASA) traffic  Exclude Corporate adresses from beeing forwarded to the scansafe Client with towers Websecurity 74
  • 65.
    Web Security &AnyConnect Configuration Client Profile For Your Reference Scanning Tower selection Proxy ports
  • 66.
    Web Security &AnyConnect Configuration – Client Profile Exceptions for internal networks & public websites to be excluded from scanning Exceptions for authorized internal proxies Static Exceptions like VPN Gateways
  • 67.
    Web Security &AnyConnect Configuration – For Your Client Profile Reference Automatic selection of nearest Scantower Activate Beacon Checking, Deploy public key
  • 68.
    Web Security &AnyConnect Configuration – For Your Client Profile Reference License Key Authentication Settings
  • 69.
    Web Security &AnyConnect Configuration for Web Security without VPN  Scancenter Portal provides hosting of PAC file and / or Client Profile  Differentiate Usergroups due to usage of group keys Upload Client Profile Specify Client Profile Key for Authentication
  • 70.
    Beacon Server forthe AnyConnect Web Security Module  Beacon Server runs on an internal Server  Client gets public key from Beacon Server during deployment  If the client has reachability to the Beacon Server, client module is deactivated  TND in ASA 9.0
  • 71.
    DEMO – AnyConnectwith Web Security
  • 72.
    Scansafe & IPv6Support  Current version of Web Security does not yet support IPv6  IPv6 traffic scanning can be excluded by adding “::/0” to Static Exceptions IPv6  Full IPv6 Support will be added mid CY 2012 in two phases: Internal IPv6 IPv4 Internet AC 3.1 or Standalone / integrated Connector Internet AC 3.1 or Standalone / integrated Connector
  • 73.
    Agenda • Overview WebSecurity • Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication • Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication • The Road to Hybrid Security
  • 74.
    Secure Mobility Future– Hybrid Security  Internet traffic Remote User w/ secure through web AnyConnect security cloud Client 3.0 service  Corporate traffic Internet secure through Cisco WSA Cisco ASA tunnel and WSA  Consistent Policy Corporate and Monitoring Network
  • 75.
    Hybrid Security – whathas been done and what lies ahead  Unification of URL Databases  AVC integration  Connector Integration in ISR G2 Router  Unification of features – Q1/Q2 CY2012 Application visibility and control Web Reputation  Connector Integration in ASA – Q3 CY2012  Connector Integration in WSA  Provide common management  Provide common logging and reporting
  • 76.
    Summary  CiscoWeb Security Solution leverages a comprehensive architected featurelist to protect the dynamic environment from the ubiquitios web 2.0 world..... Or...  Cisco Web Security Solution simply ROCK! 
  • 77.
    Q&A #CiscoPlusCA
  • 78.
    We value yourfeedback. Please be sure to complete the Evaluation Form for this session. Access today‟s presentations at cisco.com/ca/plus Follow @CiscoCanada and join the #CiscoPlusCA conversation
  • 79.