Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday. Visit the World of Solutions.
Cisco Confidential
Agenda
Basic Overview on the Web Security Appliance
Deployment Scenarios
Building the Policy
Secure Mobility
IPv6
Troubleshooting
1996
Today's Websites...
People and applications are meshed with each other
Communication is no longer just from server to client
New communication methods bring in new attack angles
BRKSEC_2052 Tobias Mayer 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Basic Overview
Rich security functionality:
Reputation filtering
Malware scanning
Application visibility & control
HTTPS inspection
Authentication
Reporting and tracking
Multi-Layer Websecurity
Reputation Filtering
Malware Filtering
L4TM
An increasing number of applications use HTTP as a transport protocol; web security needs to detect and control those applications.
Application Visibility & Control example (slide table; columns: App, Behavior, Desired Action, Traffic Breakdown, Decrypt Required, Function; the Decrypt Required column did not survive extraction)
App: Video
Traffic breakdown: initial access HTTP:80 or HTTPS:443; video traffic may use these same ports or RTMP:1935
Desired action Block: watching a video is blocked
Desired action Monitor: video transactions are counted in the WSA application traffic counters
Desired action Bandwidth: video transactions are bandwidth limited
App: Windows Media Video
Desired actions: Block, Monitor, Bandwidth
Function: AVC can control access. Access to HTTP links for ASF content will get counted in the WSA application traffic counters; however, the actual video content will not.
Safe Search
Block inappropriate content from content sharing sites like Google, YouTube, Flickr
Based on metadata in the site
User cannot change safe search or strict search settings
Multi-Layer Websecurity
Reputation Filtering
Malware Filtering
L4TM
About Reputation
Cisco SIO gathers statistical information from Cisco products and other resources
Cisco SIO correlates the information
Updated information is delivered back to the appliances
Each IP / URL gets a score, ranging from -10 to +10
Diagram: SIO sources: External feeds, Outbreak Intelligence, Web, Email, ASA, IPS
About Reputation
Malicious websites are tracked globally through SIO
WSA evaluates each web request against the defined reputation score
Reputation score thresholds and the resulting action are configured on the WSA
Aggressive Advertising
Network Participation
Admin can define the level of participation
Requested URL with result is sent back
User information and internal networks are not sent
Disabled: no information is sent to the Cisco SIO database
Limited: server URL of the request, hash of the path segments
Standard: server URL and all path segments are sent back
Multi-Layer Websecurity
Reputation Filtering
Malware Filtering
L4TM
Multi-Layer Websecurity
Reputation Filtering
Malware Filtering
L4TM
Diagram: Internet, ASA 5500 Firewall, infected client
Deployment Scenarios
Explicit Proxy
Client requests a website
Browser connects first to the WSA
WSA connects to the website
Firewall usually only allows web traffic for the proxy
Diagram: Internet, ASA 5500 Firewall
http://www.findproxyforurl.com/
PAC Deployment
Via AD and GPO
Via script
Via manual setting
Via DHCP (DHCP Option 252)
Via WPAD server
WPAD Server
The WPAD server hosts the PAC file as wpad.dat
The file is retrieved via HTTP; the PAC file itself is JavaScript
The browser's "automatic settings" option performs a lookup for a server called wpad
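Added example of the kind of PAC file a WPAD server would serve as wpad.dat; it is not from the deck or from Cisco. The internal domain, the RFC 1918 rules and the two WSA addresses (10.0.0.10 and 10.0.0.11 on port 3128) are assumptions. Browsers provide isPlainHostName, dnsDomainIs, isInNet and dnsResolve themselves; the stubs at the top only let the file run under Node.js and should be removed before serving it.

```javascript
// Added example, not from the BRKSEC-2052 deck: a PAC file as served by a
// WPAD server (wpad.dat). Host names, subnets and the WSA addresses are
// assumptions. The four helper stubs below are supplied by the browser in
// real deployments; they exist here only so the file runs under Node.js.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}
function isInNet(ipAddr, pattern, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ipAddr) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}
function dnsResolve(host) {
  // Stub: a browser resolves via DNS. Constructed lookup table for the test run.
  const table = { "intranet.example.local": "10.1.2.3" };
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : (table[host] || null);
}

function FindProxyForURL(url, host) {
  // 1. Plain host names and the internal domain never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.local")) {
    return "DIRECT";
  }
  // 2. Anything that resolves into private address space is internal too.
  const ip = dnsResolve(host);
  if (ip !== null && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
                      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
                      isInNet(ip, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // 3. Everything else is web traffic: send it to the WSA, with a second WSA
  //    as failover. No DIRECT fallback: the firewall only permits web traffic
  //    from the proxy, so a fallback would just fail later and less visibly.
  return "PROXY 10.0.0.10:3128; PROXY 10.0.0.11:3128";
}
```

The order of the rules matters: the internal checks come first so that a host that is both internal and reachable from the outside is never sent out through the proxy, and unresolvable names fall through to the proxy rather than being treated as internal.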
Microsoft GPO
Background on WCCP
WCCPv1 was developed in 1997 by Cisco Systems and publicly released in July 2000
WCCPv2 was published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing
Enhancements
Configurable WCCP Router ID
WCCP variable timers
Improved failover
Improved interaction between WCCP and NetFlow
Details: Assignment
The WCCP assignment method determines which WCCP appliance is chosen for a given redirected flow. WCCP can use two assignment methods: Hash and Mask.
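Added illustration (not from the deck) of how the two assignment methods map a redirected flow to one of several appliances: hash assignment indexes a fixed 256-bucket table with a hash of the address, mask assignment ANDs the address with a mask and uses the selected bits as the bucket index. The appliance names, bucket sizes, the mask value 0x1741 and the toy fold hash are constructed for the example; the real WCCPv2 hash and the packet fields it covers are not described on this page.

```javascript
// Added example, not from the BRKSEC-2052 deck: how WCCP hash and mask
// assignment map a redirected flow to one of several WSAs. Appliance names,
// the bucket-table size, the mask value and the fold hash are constructed
// for illustration; the protocol's own hash is not described on this page.
const wsaCluster = ["wsa-1", "wsa-2"];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// Bucket table: each bucket points at one appliance, dealt out round-robin.
function buildBuckets(count, members) {
  return Array.from({ length: count }, (_, i) => members[i % members.length]);
}

function popcount(v) {
  let n = 0;
  for (let i = 0; i < 32; i++) if (v & (1 << i)) n++;
  return n;
}

// Mask assignment: AND the address with the mask, then gather the bits the
// mask selected into a compact index. k mask bits give 2^k buckets. The AND
// is what a switch ASIC can do in hardware, which is why some L3 switches
// support the mask method only (see the platform table further down).
function maskAssign(dstIp, mask, buckets) {
  const masked = (ipToInt(dstIp) & mask) >>> 0;
  let index = 0;
  let out = 0;
  for (let i = 0; i < 32; i++) {
    if (!(mask & (1 << i))) continue;      // bit not selected by the mask
    if (masked & (1 << i)) index |= 1 << out;
    out++;
  }
  return buckets[index];
}

// Hash assignment: hash the address into a fixed 256-bucket table. The fold
// hash is a stand-in; the real WCCPv2 hash is implemented by the router.
function hashAssign(dstIp, buckets) {
  const v = ipToInt(dstIp);
  const h = ((v >>> 24) ^ (v >>> 16) ^ (v >>> 8) ^ v) & 0xff;
  return buckets[h];
}

const MASK = 0x1741;  // 6 bits set -> 64 buckets (value chosen for the example)
const maskBuckets = buildBuckets(1 << popcount(MASK), wsaCluster);
const hashBuckets = buildBuckets(256, wsaCluster);
```

With either method a given destination always lands on the same appliance while the cluster membership is stable, which is what keeps a client's flows on one WSA and its cache.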
Return Method
The return method determines how traffic is sent back from the WCCP appliance to the router if the traffic could not be serviced:
WCCP GRE: the packet is returned to the router inside a GRE tunnel
WCCP Layer 2: the frame is rewritten with the router's MAC address
WCCP platform support (slide table; row alignment only partly recoverable)
Columns: Platform | Assignment | Redirect List | Direction / Return | VRFs | IOS
Platforms named on the slide: ASR 1000, Cat 4500, Cat 3750
Cat 4500: Mask only | Extended ACL | In / L2 | 12.2(50)SG 1
Cat 3750: Mask only | Extended ACL | In / L2 | 12.2(46)SE
Remaining rows (platform labels lost): Redirect List L3/L4 ACL or Extended ACL; Direction / Return "In or Out / L2 only", "In or Out / GRE or L2", "In only / GRE or L2"; IOS 4.2(1), 2.4(2), 12.1(27)E; 12.2(18)SXF14
VRFs column values: Supported, Planned, NA
Upstream Proxy
WSA can be deployed behind an existing proxy
To get the value of web reputation, WSA should be placed behind the existing proxy (close to the client...)
Depending on the upstream proxy, check connection limits!
Diagram: Internet, upstream Proxy, WSA
Diagram: Corporate Network, ASA 5500 Firewall with Clientless SSL, Internet
Policy - Authentication
Policy objects can be managed from the central access policy screen
First step is to define the Identity: for whom does this policy apply?
Authentication
Diagram: User, Web Security Appliance, User Directory
Authentication protocols
Directory: LDAP or NTLM
Method: Basic (credentials are sent unencrypted) or NTLMSSP (challenge-response)
Tracking the user: IP-based surrogates or cookie-based surrogates
Table: Proxy Type vs. authentication scheme (row labels lost): LDAP (or NTLM Basic); NTLMSSP (Active Directory)
NTLM Authentication
NTLM requires an account in the AD domain
Credentials used to create the computer account are used only once and are not stored on the appliance
Currently only one domain is supported via NTLM
LDAP Authentication
LDAP queries on port 389 or 636 (Secure LDAP), 3268 (AD Global Catalog server)
Need to know the Base DN parameter
Can connect to multiple different domains
Explicit proxy: the client is aware of the proxy and will therefore accept an HTTP 407 (Proxy Authentication Required) response from the proxy
Transparent proxy: the client is not aware of a proxy, so an HTTP 407 response cannot be used; an HTTP 401 response with basic authentication must be used instead
The client first needs to be redirected to the WSA
Surrogates
Surrogates define how users are tracked once they have authenticated
IP Address
Tracks the user by IP
Can cause problems if clients change IP frequently or in virtual environments (Citrix)
Authentication stays with the WSA
Works well with decryption
Cookie
Recommended in terminal server environments
Authentication stays with the client
Does not work when using decryption based on authentication
Identities
Identities consist of one or more criteria
Criteria can be usernames, groups, networks, user agent strings, ...
Surrogate settings can also be applied per Identity
HTTPS decryption
Decryption of HTTPS works like a man-in-the-middle attack
WSA can use a self-signed cert or an imported cert from any CA
WSA generates a new cert for the client request, using the values from the original webserver
This cert is presented to the client, signed with the cert from the WSA
HTTPS decryption
WSA Cert must be trusted by all clients
Either use an already rolled-out CA Cert or distribute Cert to the clients
Microsoft GPO allows for easy rollout
HTTPS decryption
The HTTPS decryption policy can be based on URL category or on reputation
Reputation allows selective decryption of only the potentially malicious web requests
Policy Selection
1. Check Identity
2. Assign the access policy based on the chosen identity
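Added example (not from the deck, and not the WSA's own policy engine) that walks through the two steps above and the two policy passages before them: an Identity is matched first (group, network or user agent string), the access policy bound to that Identity is applied, and inside it the reputation score decides between block, scan and allow while the HTTPS decryption decision is taken from reputation or category. All identity criteria, policy names, thresholds and sample transactions are constructed; the deck states only that scores run from -10 to +10 and that thresholds and actions are configured on the WSA.

```javascript
// Added example, not from the BRKSEC-2052 deck: identity match, then the
// access policy bound to it, with the reputation action and the HTTPS
// decryption decision inside the policy. Criteria, names, thresholds and
// sample transactions are constructed for illustration.

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

function ipInCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Identities: evaluated top to bottom, first match wins; the last entry has
// no criteria and catches everything (constructed ordering).
const identities = [
  { name: "Finance", criteria: { group: "CN=Finance" } },
  { name: "Guest-WLAN", criteria: { network: "192.168.50.0/24" } },
  { name: "Mobile-AnyConnect", criteria: { userAgentContains: "AnyConnect" } },
  { name: "Global", criteria: {} },
];

// One policy per identity. reputation: BLOCK below blockBelow, SCAN (allow
// after malware scanning) below scanBelow, ALLOW otherwise. decryption (HTTPS
// only): DROP below dropBelow, DECRYPT below decryptBelow or when the
// category is listed, otherwise PASS-THROUGH uninspected.
const accessPolicies = {
  Finance: { blockedCategories: ["Adult"], reputation: { blockBelow: -6, scanBelow: 6 },
             decryption: { dropBelow: -6, decryptBelow: 6, categories: [] } },
  "Guest-WLAN": { blockedCategories: ["Adult", "Gambling", "Streaming Video"],
                  reputation: { blockBelow: -3, scanBelow: 7 },
                  decryption: { dropBelow: -3, decryptBelow: 7, categories: ["Webmail"] } },
  "Mobile-AnyConnect": { blockedCategories: ["Adult"], reputation: { blockBelow: -6, scanBelow: 6 },
                         decryption: { dropBelow: -6, decryptBelow: 6, categories: [] } },
  Global: { blockedCategories: ["Adult"], reputation: { blockBelow: -6, scanBelow: 6 },
            decryption: { dropBelow: -6, decryptBelow: 6, categories: ["Webmail"] } },
};

function matchIdentity(tx) {
  return identities.find(({ criteria: c }) =>
    (!c.group || tx.groups.includes(c.group)) &&
    (!c.network || ipInCidr(tx.clientIp, c.network)) &&
    (!c.userAgentContains || tx.userAgent.includes(c.userAgentContains)));
}

function decide(tx) {
  const identity = matchIdentity(tx).name;          // step 1: who is asking
  const policy = accessPolicies[identity];          // step 2: their policy
  const result = { identity, decrypted: false };
  if (tx.url.startsWith("https://")) {
    const d = policy.decryption;
    if (tx.reputation < d.dropBelow) return { ...result, action: "DROP", reason: "reputation" };
    if (tx.reputation >= d.decryptBelow && !d.categories.includes(tx.category)) {
      return { ...result, action: "PASS-THROUGH" };  // trusted enough: not decrypted
    }
    result.decrypted = true;  // from here on the request is visible to the access policy
  }
  if (policy.blockedCategories.includes(tx.category)) {
    return { ...result, action: "BLOCK", reason: `category ${tx.category}` };
  }
  const r = policy.reputation;
  if (tx.reputation < r.blockBelow) return { ...result, action: "BLOCK", reason: "reputation" };
  if (tx.reputation < r.scanBelow) return { ...result, action: "SCAN" };
  return { ...result, action: "ALLOW" };
}

// Constructed sample transactions (not real users, addresses or sites).
const sampleTransactions = [
  { user: "alice", groups: ["CN=Finance"], clientIp: "10.1.1.5", userAgent: "Mozilla/5.0",
    url: "https://bank.example.test/", category: "Finance", reputation: 8 },
  { user: "guest", groups: [], clientIp: "192.168.50.20", userAgent: "Mozilla/5.0",
    url: "http://video.example.test/", category: "Streaming Video", reputation: 5 },
  { user: "bob", groups: ["CN=Sales"], clientIp: "10.2.2.9", userAgent: "AnyConnect/3.0",
    url: "http://dl.example.test/x.exe", category: "Uncategorized", reputation: -7 },
  { user: "carol", groups: [], clientIp: "10.3.3.3", userAgent: "Mozilla/5.0",
    url: "https://unknown.example.test/", category: "Uncategorized", reputation: -4 },
];

const decisions = sampleTransactions.map(decide);
```

The fourth transaction shows the point of reputation-based decryption: an HTTPS request to a site with a poor but not yet blocked score is decrypted so that the access policy can scan it, while the well-reputed banking site in the first transaction is passed through untouched.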
Secure Mobility
Secure Mobility
Functional description
Works with Cisco ASA and Cisco AnyConnect Client
Cisco ASA authorizes the user at the WSA
WSA can use different policies for local and remote users
WSA can use SAML 2.0 for authentication and Single Sign On to web services
Diagram: AnyConnect client; SSO with SAML 2.0; authorization at WSA
Secure Mobility
Functional description
Diagram: Corporate Network, ASA, Internet; URL request
AnyConnect user attempts to access an internet webserver via always-on VPN
ASA sends user information to the WSA for authorization
Diagram callouts: Identity, Verified, Bad Website
AnyConnect on iphone
Web traffic from the iPhone is checked and filtered
The iPhone is protected from malware and malicious connections
IPv6
Troubleshooting
Log entry fields: Authenticated User; Cache hierarchy / Retrieval; Policy chosen; Location
SSL Tunnel with password is built on demand and terminated at Cisco Support
Support tunnel is built directly from WSA, can be a problem if upstream proxy is used!
Diagram: Internet, Cisco ASA, Cisco WSA, Corporate Network
Summary
Cisco IronPort Web Security Appliance leverages a comprehensively architected feature list to protect the dynamic environment from the ubiquitous Web 2.0 world..... Or... Cisco IronPort Web Security Appliance ROCKS!
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
BRKSEC-2052
Recommended Reading