
Securing the Web 2.0 with Cisco IronPort Web Security


BRKSEC-2052

Housekeeping
- We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday.
- Visit the World of Solutions.
- Please remember this is a 'non-smoking' venue!
- Please switch off your mobile phones.
- Please make use of the recycling bins provided.
- Please remember to wear your badge at all times.

BRKSEC_2052 Tobias Mayer

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

For Reference Slides
- There are (far) more slides in the hand-outs than presented during the class.
- Those slides are mainly for reference and are indicated by the book icon in the top right corner (as on this slide).

For Your Reference


Agenda
- Basic Overview of the Web Security Appliance
- Deployment Scenarios
- Building the Policy
- Secure Mobility
- IPv6
- Troubleshooting


1996


Today's Websites...


Web 2.0 Anywhere & Anytime
- People and applications are meshed with each other.
- Communication is no longer just from server to client.
- New communication methods bring in new attack angles.

Criminals targeting Facebook


Basic Overview


Cisco Web Security Appliance
- Web proxy incl. caching
- Rich security functionality: reputation filtering, malware scanning, application visibility & control, HTTPS inspection, authentication, reporting and tracking


Multi-Layer Web Security
- Web Usage Controls
- Reputation Filtering
- Malware Filtering
- L4TM


Filtering the URLs
- Filtering the URLs based on predefined categories
- Possible actions: Block, Monitor, Warn, Time-Based


Looking deeper: Web Application Control
- An increasing number of applications use HTTP as a transport protocol.
- Web security needs to detect and control those applications.


Web Application Control
- Different applications are detected by special signatures.
- Those signatures are downloaded dynamically via regular signature updates from Cisco.
- No reboot or manual installation required!


Web Application Controls Examples: Control Bandwidth for Media Streams


Web Application Controls Examples: Granular Control and Reporting for Facebook


Web Application Controls Examples: What is Facebook REALLY about


Example #1: Flash Media streams (applications using HTTP only)

App: Flash Video
Function: Video
Must Block Ports: -
Recommended Block Ports: 1935
Traffic Breakdown: initial access HTTP:80 or HTTPS:443; video traffic may use these same ports or RTMP:1935
Decrypt Required: -
Desired Action and resulting Behavior:
- Block: Watching a video is blocked.
- Monitor: Video transactions are counted in the WSA application traffic counters.
- Bandwidth: Video transactions are bandwidth limited.


Example #2: Windows Media streams (applications using HTTP and non-HTTP ports)

App: Windows Media
Function: Video
Must Block Ports: 554, 1755, 2869
Recommended Block Ports: 554, 1755, 2869
Traffic Breakdown: initial access HTTP:80 or HTTPS:443; video traffic uses RTSP:554, MMS:1755; some claims of 2869 usage, but we do not see it
Desired Action and resulting Behavior:
- Block / Monitor: AVC can control access. Access to HTTP links for ASF content will get counted in the WSA application traffic counters; however, the actual video content will not.
- Bandwidth: Not currently supported.

Site Content Ratings
- Enforcing safe search
- Block inappropriate content from content sharing sites like Google, YouTube, Flickr
- Based on metadata in the site
- User cannot change safe search or strict search settings


DEMO Web Usage Controls



About Reputation
- Cisco SIO gathers statistical information from Cisco products and other resources.
- Cisco SIO correlates the information.
- Updated information is delivered back to the appliances.
- Each IP / URL gets a score, ranging from -10 to +10.
Diagram: SIO inputs are External feeds, Outbreak Intelligence, Web, Email, ASA and IPS.

About Reputation
- Malicious websites are tracked globally through SIO.
- WSA evaluates each web request against the defined reputation score.
- Reputation score and action are configured on the WSA.


Examples: Reputation Values
- Known Botnet or Phishing Site
- Aggressive Advertising


Examples: Reputation Values (2)
- Neutral Site
- Site with good history


Network Participation
- Admin can define the level of participation.
- Requested URL with result is sent back; user information and internal networks are not sent.
- Disabled: No information is sent to the Cisco SIO database.
- Limited: Server URL of request, hash of path segments.
- Standard: Server URL and all path segments are sent back.


DEMO Web Reputation Filtering



Activating Anti-Malware Engines
- Supported engines: Webroot, Sophos, McAfee
- Anti-malware engines can be activated by policy.
- Up to two engines running are supported: Webroot + Sophos, Webroot + McAfee
- All updates are handled automatically via SIO updates.


What things are scanned
Focused on Malware & Adware:
- HTML body scanning
- Response body scanning
- URL scanning
- Phishing links
- Browser Helper Objects
- Tracking cookies
Focused on Virus & Trojans:
- HTML body scanning
- File scanning



Layer 4 Traffic Monitor
- WSA monitors all network traffic via SPAN or TAP.
- Evaluates DNS requests done by clients against a list of malware sites.
- Malware list distributed from Cisco SIO.
Diagram: Web Security Appliance on a SPAN port, infected client, ASA 5500 firewall, Internet, botnet master.


Example for L4TM


L4TM Blocking Infected Clients
- Potentially infected clients can be identified.
- L4TM can be put in monitoring or blocking mode.
- Blocking sends a TCP reset for TCP sessions and ICMP unreachables for UDP sessions.
- Blocking packets are sent out through the proxy port, not the L4TM port! Check your routing tables!

Deployment Scenarios


Explicit Proxy
- Client requests a website.
- Browser connects first to the WSA.
- WSA connects to the website.
- Firewall usually only allows web traffic for the proxy.
Diagram: client, Web Security Appliance, ASA 5500 firewall, Internet, web server.

How does the Browser find the Proxy?
- Proxy setting in the browser
- Static definition with IP/name and port


How does the Browser find the Proxy?

Automatic configuration via PAC file. The PAC file is JavaScript; the browser calls FindProxyForURL(url, host) for each request and uses the returned proxy string. One proxy:

    function FindProxyForURL(url, host) {
        return "PROXY 192.168.1.80:3128";
    }

Two proxies, the second used when the first is unreachable (each entry in the list carries its own PROXY keyword):

    function FindProxyForURL(url, host) {
        return "PROXY 192.168.1.80:3128; PROXY 192.168.1.81:3128";
    }

http://www.findproxyforurl.com/

PAC Deployment
- Via AD and GPO
- Via script
- Via manual setting
- Via DHCP (DHCP option 252)
- Via WPAD server


WPAD Server
- The WPAD server hosts the PAC file as wpad.dat.
- The file is retrieved via HTTP and is JavaScript.
- "Automatic settings" in the browser creates a lookup for a server called wpad.


WPAD and Windows 2008
- Starting with the Windows Server 2008 DNS server, it is no longer possible to name a specific server WPAD.
- Locked down via the registry.
- More details found here: http://technet.microsoft.com/en-us/library/cc441517.aspx


PAC file deployment - Summary
DHCP
- Higher priority than DNS
- If DHCP provides the WPAD URL, no DNS lookup is performed
- Passed as option number 252 in the DHCP lease
DNS search (example: if the domain of the client is pc.department.branch.com)
- Browser will try URLs in the following order:
  http://wpad.department.branch.com/wpad.dat
  http://wpad.branch.com/wpad.dat
  http://wpad.com/wpad.dat
Microsoft GPO
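The DNS search order above, as an added example (not from the slides): a function that produces the list of wpad.dat URLs a client would try for its own domain name, honouring the DHCP option 252 precedence, plus a check that flags candidates outside the organisation's own domain. The client name, option value and owned suffix are constructed.

```javascript
// Added example (not from the slides): the order in which a client looks for
// the PAC file. DHCP option 252 wins; otherwise the client walks up its own
// domain name and asks for http://wpad.<domain>/wpad.dat at every level.
// Hostnames and the option value below are constructed for the example.
function wpadCandidates(clientFqdn, dhcpOption252) {
  // DHCP has higher priority than DNS: if the lease carried option 252,
  // that URL is the only candidate and no DNS search is performed.
  if (dhcpOption252) {
    return [dhcpOption252];
  }
  const labels = clientFqdn.toLowerCase().split(".").filter(Boolean);
  const urls = [];
  // Drop the host label, then try each remaining suffix down to the TLD.
  for (let i = 1; i < labels.length; i++) {
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}

// Defender's check on that list: every candidate whose domain is not inside
// the organisation's own namespace would be fetched from a host the
// organisation does not control (the slide's own search ends at wpad.com).
// Returns the candidates that fall outside `ownedSuffix`.
function candidatesOutsideOrg(candidates, ownedSuffix) {
  const suffix = ownedSuffix.toLowerCase();
  return candidates.filter((u) => {
    const host = new URL(u).hostname;
    return !(host === "wpad." + suffix || host.endsWith("." + suffix));
  });
}
```

Serving wpad.dat at every level the client walks through, or pinning the URL with DHCP option 252, keeps the search inside the organisation's namespace.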


Explicit Deployment - Summary
- Requires client settings in the browser
- Proxy resolves hostname of target web server
- Redundancy can be achieved via PAC files
- WSA can host PAC files
- No involvement of network equipment necessary
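An added example, not from the slides and not Cisco code, of the redundancy via PAC file mentioned here and on the PAC slide earlier: failover between two WSAs, a DIRECT bypass for internal hosts, and no DIRECT fallback so that a proxy outage does not silently bypass web security. The addresses and the corp.example domain are constructed; the three helper functions are built into browsers and are shimmed here only so the PAC logic can be run outside one.

```javascript
// Added example (not from the slides, not Cisco code): a PAC file with the
// failover the slides mention, a DIRECT path for internal hosts and no final
// DIRECT for Internet hosts. Addresses and domain names are constructed.
// isPlainHostName() and dnsDomainIs() are provided by every PAC-capable
// browser; the shims below exist only so the file runs under Node for testing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
// Simplified stand-in for the browser's isInNet(): handles dotted-quad
// literals only and never resolves names (the real one may do a DNS lookup).
function isInNetLiteral(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (s) => s.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

const PRIMARY = "PROXY 192.168.1.80:3128";   // first WSA (constructed address)
const SECONDARY = "PROXY 192.168.1.81:3128"; // second WSA, used if the first fails

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Intranet names and 10/8 literals bypass the proxy, so the WSA only sees
  // Internet-bound traffic; the firewall still only permits the WSA outbound.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNetLiteral(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else: try the first WSA, fail over to the second. No trailing
  // DIRECT: if both WSAs are down, the browser must not bypass web security.
  return PRIMARY + "; " + SECONDARY;
}
```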


Transparent Proxy via WCCP
- Client requests a website.
- Browser tries to connect to the website.
- Network device redirects traffic to the WSA using WCCP.
- WSA proxies the request.
Diagram: client, ASA 5500 firewall (WCCP redirect), Web Security Appliance, Internet, web server.

Background on WCCP
- WCCPv1 developed in 1997 by Cisco Systems and publicly released in July 2000.
- WCCPv2 published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing.
- Enhancements: configurable WCCP Router ID, WCCP variable timers, improved failover, improved interaction between WCCP and NetFlow.
- WCCPv3 is an internal specification targeted at IPv6 that was never released.


Details: Assignment
The WCCP assignment method is used to determine which WCCP device is chosen for which destination traffic. WCCP can use two types of assignment methods: Hash and Mask.
Hash Based Assignment
- Uses a software based hash algorithm to determine which WCCP appliance receives traffic. In hardware based platforms the NetFlow table is used to apply hardware assistance.
Mask Based Assignment
- Uses the ACL TCAM to assign WCCP entities. This method is fully handled by hardware.


Details: Redirect and Return
Redirect Method
- WCCP GRE: the entire packet is GRE-tunneled to the WCCP client (WSA, cache, ...).
- Layer 2: the frame's destination MAC address is rewritten to the MAC of the WCCP client.
Return Method
The return method determines how traffic is sent back from the WCCP appliance to the router if the traffic could not be serviced.
- WCCP GRE: the packet is GRE-returned to the router.
- WCCP Layer 2: the frame is rewritten to the router MAC.


Using WCCP for Traffic Redirection
- WCCPv2 support is available on many Cisco platforms: L3 switches, routers, ASA 5500 security appliance.
- IronPort WSA supports all redirect and assign methods (software implementation).
- The method to use is negotiated.


Using WCCP for Traffic Redirection (2)
Performance considerations:
- MASK (HW) > HASH (SW)
- L2 (HW) > GRE (SW)
- Use GRE if the WSA is located in another subnet; check if the device can do GRE in HW.
- Use L2 if the WSA and the WCCP device are in the same subnet.


Planning and Design: Platform Recommendations

For Your Reference

Nexus 7000: Assign: Mask only; Redirect: L2; Redirect list: L3/L4 ACL; Direction: In or Out; Return: L2 only; VRFs: Supported; IOS: 4.2(1)
Software ISR & 7200: Assign: Hash or Mask; Redirect: GRE or L2; Redirect list: Extended ACL; Direction: In or Out; Return: GRE or L2; VRFs: Supported; IOS: 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; 15.0(1)M
ASR 1000: Assign: Mask only; Redirect: GRE or L2; Redirect list: Extended ACL; Direction: In only; Return: GRE or L2; VRFs: Planned; IOS: 2.4(2)
Cat 6500 Sup2: Assign: Mask; Redirect: L2 or GRE; Redirect list: Extended ACL; Direction: In; Return: L2; VRFs: Planned; IOS: 12.1(27)E; 12.2(18)SXF14
Cat 6500 Sup720/32, 7600: Assign: Mask; Redirect: GRE or L2; Redirect list: Extended ACL; Direction: In; Return: L2; VRFs: NA; IOS: 6500: 12.2(18)SXF14, 12.2(33)SXH4, 12.2(33)SXI2a; 7600: 12.2(18)SXD1
Cat 4500: Assign: Mask only; Redirect: L2 only; Redirect list: No redirect list support; Direction: In only; Return: L2 only; VRFs: NA; IOS: 12.2(50)SG1
Cat 3750: Assign: Mask only; Redirect: L2 only; Redirect list: Extended ACL (no deny); Direction: In only; Return: L2 only; VRFs: NA; IOS: 12.2(46)SE

Transparent Deployment - Summary
- No client settings necessary
- Client resolves hostname of target web server
- Traffic gets redirected by the network
- Requires involvement of the network department
- Allows for redundancy by defining multiple WSAs to redirect to


DEMO Transparent Deployment


Upstream Proxy
- WSA can be deployed behind an existing proxy.
- To get the value of web reputation, the WSA should be placed behind the existing proxy (close to the client...).
- Depending on the upstream proxy, check connection limits!
Diagram: WSA, upstream proxy, Internet.


Special Case... not yet validated
- Using clientless SSL on ASA 5500.
- User can surf to internal and external web pages.
- URLs can be checked and secured through the WSA.
- WSA supports OUTBOUND and INBOUND malware scanning! Server upload can be protected!
- Drawback: all clientless requests from the ASA to the WSA come from the ASA internal IP, so no user visibility.
Diagram: Internet user, ASA 5500 firewall with clientless SSL, corporate network, Web Security Appliance, Internet web server.

Clientless SSL with WSA - Example


Building the Policy


Elements of the Security Policy
- Is the user permitted to make the request? Authentication
- Is the request within an acceptable time range? Time-based
- Is this type of client permitted? User Agent check
- Is this protocol permitted? Protocol blocking
- Is the site trustworthy? Web Reputation
- Do we permit access to this site/category? URL Categorization (predefined and custom)
- Is the request suspicious? Anti-Malware, L4TM
- If HTTPS, decrypt and check? Decryption Policy
- Is the response of appropriate type & size? Object filtering
- Does the response contain malware? Anti-Malware



Policy - Authentication
- Policy objects can be managed from the central access policy screen.
- First step is to define the Identity: for whom does this policy apply?


Authentication
Diagram: user, Web Security Appliance, user directory.
Authentication protocols
- Directory: LDAP or NTLM
- Method: Basic (credentials are sent unencrypted) or NTLMSSP (challenge-response)
Tracking the user
- IP based surrogates
- Cookie based surrogates

Proxy and Authentication Types

Proxy Type | Authentication Browser to WSA | WSA to Auth Server
Explicit | Basic | LDAP (or NTLM Basic)
Transparent | Basic | LDAP (or NTLM Basic)
Explicit | NTLM | NTLMSSP (Active Directory)
Transparent | NTLM | NTLMSSP (Active Directory)

HTTP Response Codes
- 200 OK: the request was successful
- 301 Moved Permanently: the resource has permanently moved to a different URI
- 401 Unauthorized: the web server requires authentication
- 403 Forbidden: access denied
- 404 Not Found: the server cannot find the requested URI
- 407 Proxy Authentication Required: the request first requires authentication with the proxy

For Your Reference

NTLM Authentication
- NTLM requires an account in the AD domain.
- Credentials to create the computer account are used only once and are not stored on the appliance.
- Currently only one domain is supported via NTLM.

LDAP Authentication
- LDAP queries on port 389 or 636 (Secure LDAP), 3268 (AD Global Catalog server)
- Need to know the Base DN parameter
- Can connect to multiple different domains

Authentication vs. LDAP
- Knowing the LDAP Base DN is fundamental.
- Use an LDAP browser to find out.
- Recommendation: Apache Directory Studio


Authentication vs. LDAP
- Knowing the LDAP Base DN is fundamental.
- Or check with the DSQUERY command on a Microsoft AD.


Testing the query
- After defining the query, check the result!


Authentication in Explicit Deployment
Diagram: user, Web Security Appliance, user directory (HTTP error 407).
- Proxy sends HTTP response 407 (proxy authentication required).
- Client recognizes the proxy.
- Client will then accept an HTTP response 407 from the proxy.
Works for HTTPS:
- Client sends a CONNECT request to the proxy.
- Client will then accept a 407 response from the proxy.


Authentication in Transparent Deployment
Diagram: user, Web Security Appliance, user directory, Internet web server.
- Client is not aware of a proxy -> HTTP response 407 cannot be used.
- Need to use HTTP response 401 basic authentication.
- Client needs to be redirected to the WSA first.

Authentication in Transparent Deployment
What the client thinks:
1. The client sends a request to the remote HTTP server.
2. The client receives a 307 from the remote server redirecting the client to the WSA.
3. The client connects to the WSA.
4. The client receives a 401 authentication request from the WSA.
5. The client authenticates with the WSA.
6. The client receives a 307 from the WSA, redirecting it back to the remote server.
7. The client connects back to the remote server.
What is really happening:
1. The client request is rerouted to the WSA.
2. The client receives a 307 from the WSA, spoofing the remote server, redirecting the client to the WSA.
3. The client connects to the WSA.
4. The client receives a 401 authentication request from the WSA.
5. The client authenticates with the WSA.
6. The client receives a 307 from the WSA, redirecting it back to the remote server.
7. The client continues to use the WSA as a transparent proxy.
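The two columns above as an added example (not from the slides, not Cisco code): a minimal model of the WSA and of the browser that replays the 307 / 401 / 307 exchange and then the surrogate-based pass-through. The redirect host "wsa" (a simple name, matching the Internet Explorer advice that follows), the user directory and the client addresses are constructed.

```javascript
// Added example (not from the slides, not Cisco code): a model of the
// transparent-mode authentication exchange. The WSA cannot answer 407 because
// the client does not know it is behind a proxy, so it answers the rerouted
// request with a 307 that appears to come from the origin, collects
// credentials with a 401 on its own hostname, and sends a 307 back. Afterwards
// the client IP is remembered (IP surrogate) and requests pass straight through.
const DIRECTORY = { alice: "constructed-password" }; // constructed user directory

function checkBasic(headerValue) {
  const m = /^Basic (.+)$/.exec(headerValue);
  if (!m) return null;
  const [name, pw] = Buffer.from(m[1], "base64").toString("utf8").split(":");
  return DIRECTORY[name] === pw ? name : null;
}

class Wsa {
  constructor(redirectHost) {
    this.redirectHost = redirectHost; // simple name, not an FQDN
    this.surrogates = new Map();      // client IP -> authenticated user
  }
  handle(req) {
    const u = new URL(req.url);
    if (u.hostname !== this.redirectHost) {
      // Rerouted origin request ("what is really happening").
      if (this.surrogates.has(req.clientIp)) {
        return { status: 200, body: "proxied " + req.url };
      }
      const loc = "http://" + this.redirectHost + "/auth?redirect=" +
        encodeURIComponent(req.url);
      return { status: 307, headers: { Location: loc } };
    }
    // Request addressed to the WSA itself: authenticate, then send back.
    const auth = req.headers && req.headers.Authorization;
    const user = auth ? checkBasic(auth) : null;
    if (!user) {
      return { status: 401, headers: { "WWW-Authenticate": 'Basic realm="WSA"' } };
    }
    this.surrogates.set(req.clientIp, user);
    return { status: 307, headers: { Location: u.searchParams.get("redirect") } };
  }
}

// Browser model: follows 307s and answers one 401 with Basic credentials.
// Returns the trace of (host the client believes it talks to, status code).
function browse(wsa, url, clientIp, creds) {
  const trace = [];
  let headers = {};
  let triedCreds = false;
  for (let hop = 0; hop < 6; hop++) {
    const res = wsa.handle({ url, clientIp, headers });
    trace.push({ host: new URL(url).hostname, status: res.status });
    if (res.status === 307) {
      url = res.headers.Location;
      headers = {};
    } else if (res.status === 401 && creds && !triedCreds) {
      headers = { Authorization: "Basic " + Buffer.from(creds).toString("base64") };
      triedCreds = true;
    } else {
      break;
    }
  }
  return trace;
}
```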


Internet Explorer and Redirect for Authentication
- When the client receives the redirect, it checks the name in the redirect request.
- If the client cannot resolve the name of the WSA, it automatically maps the WSA to the INTERNET ZONE.
- The Internet Zone never allows NTLM authentication.
- In transparent mode with NTLMSSP (Single Sign-On), this would retrigger authentication prompts despite SSO being configured. (That's annoying...)


Internet Explorer and Redirect for Authentication (2)
- Solution: do not enter the FQDN as the redirect hostname, but only the simple name!


Surrogates
Surrogates define how users are tracked once they have authenticated.
IP Address
- Tracks the user by IP.
- Can cause problems if clients change IP frequently or in virtual environments (Citrix).
- Authentication stays with the WSA.
- Works well with decryption.
Cookie
- Recommended in terminal server environments.
- Authentication stays with the client.
- Does not work when using decryption based on authentication.


Identities
- Identities consist of one or more criteria.
- Criteria can be usernames, groups, networks, user agent strings, ...
- Surrogate settings can also be applied per identity.
- Identities are used to choose the appropriate access policy.



HTTPS decryption
- Decryption of HTTPS is similar to a man-in-the-middle attack.
- WSA can use a self-signed cert or an imported cert from any CA.
- WSA generates a new cert for the client request, using the values from the original web server's cert.
- This cert is presented to the client, signed with the cert from the WSA.


HTTPS decryption
- WSA cert must be trusted by all clients.
- Either use an already rolled-out CA cert or distribute the cert to the clients.
- Microsoft GPO allows for easy rollout.
- Cert MUST be a CA or subordinate CA certificate! No server certificate!


HTTPS decryption
- HTTPS decryption policy can be based on URL category or on reputation.
- Reputation allows selective decryption of potentially malicious web requests.


DEMO HTTPS Decryption


Policy Selection
1. Check Identity
2. Assign access policy based on the chosen identity
3. Execute the policy
4. If nothing specific is defined in certain fields, default values from the Global Policy are used
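The four steps above as an added example (not from the slides or the WSA software): identities are matched in order, the matching access policy is applied, and every field it leaves unset falls back to the Global Policy, with the reputation score thresholds that the deck says are configured on the WSA. Identity names, groups, threshold values and sample requests are constructed; the Remote/Local location criterion is the one the Secure Mobility section passes from the ASA.

```javascript
// Added example (not from the slides, not WSA code): policy selection as
// described on the slide. Identity criteria here are user names, directory
// groups and the Remote/Local location. All names, groups, thresholds and
// requests are constructed for the example.
const GLOBAL_POLICY = {
  name: "Global",
  // URL category -> action; categories not listed are allowed
  categories: { Adult: "block", Gambling: "block", Streaming: "monitor" },
  // Reputation score ranges (-10 .. +10): below blockBelow the request is
  // blocked, below scanBelow it is scanned by the anti-malware engines,
  // otherwise it is allowed. Constructed threshold values.
  reputation: { blockBelow: -6, scanBelow: 6 },
  objectMaxMb: 100,
};

// Identities are evaluated top-down; the first match wins.
const IDENTITIES = [
  { name: "Remote_VPN_Users", criteria: { location: "Remote" } },
  { name: "IT_Admins", criteria: { groups: ["Domain Admins"] } },
  { name: "Global Identity", criteria: {} }, // always matches
];

// Only the fields listed in an access policy override the global policy.
const ACCESS_POLICIES = [
  { identity: "Remote_VPN_Users", categories: { Streaming: "block" }, objectMaxMb: 10 },
  { identity: "IT_Admins", reputation: { blockBelow: -8, scanBelow: 6 } },
];

function matchesIdentity(req, id) {
  const c = id.criteria;
  if (c.users && !c.users.includes(req.user)) return false;
  if (c.groups && !c.groups.some((g) => (req.groups || []).includes(g))) return false;
  if (c.location && c.location !== req.location) return false;
  return true;
}

// Steps 1, 2 and 4: pick the first matching identity and its access policy,
// then fill every unset field from the global policy.
function effectivePolicy(req) {
  const identity = IDENTITIES.find((id) => matchesIdentity(req, id));
  const specific = ACCESS_POLICIES.find((p) => p.identity === identity.name) || {};
  return {
    name: identity.name,
    categories: Object.assign({}, GLOBAL_POLICY.categories, specific.categories),
    reputation: specific.reputation || GLOBAL_POLICY.reputation,
    objectMaxMb: specific.objectMaxMb !== undefined ? specific.objectMaxMb : GLOBAL_POLICY.objectMaxMb,
  };
}

// Step 3: execute. Reputation is checked before the category action, in the
// order of the "Elements of the Security Policy" slide.
function decide(req) {
  const pol = effectivePolicy(req);
  if (req.reputation < pol.reputation.blockBelow) {
    return { policy: pol.name, action: "block", reason: "reputation" };
  }
  const cat = pol.categories[req.category];
  if (cat === "block") return { policy: pol.name, action: "block", reason: "category" };
  if (req.reputation < pol.reputation.scanBelow) {
    return { policy: pol.name, action: "scan", reason: "reputation" };
  }
  return { policy: pol.name, action: cat === "monitor" ? "monitor" : "allow", reason: "category" };
}
```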


Secure Mobility


Secure Mobility
Functional description
- Works with Cisco ASA and Cisco AnyConnect client.
- Cisco ASA authorizes the user at the WSA.
- WSA can use different policies for local and remote users.
- WSA can use SAML 2.0 for authentication and Single Sign-On to web services.
Diagram: AnyConnect, authorization at WSA, SSO with SAML 2.0.


Secure Mobility
Functional description
Diagram: AnyConnect VPN user, always-on VPN tunnel, ASA as tunnel default gateway, corporate network, Web Security Appliance, Internet web server.
- ASA sends user information to the WSA for authorization.
- AnyConnect user attempts to access an Internet web server via the always-on VPN.
- Traffic is routed to the inside router.
- URL request is redirected to the Web Security Appliance (WSA) via WCCP.
- Traffic is checked by the WSA against policy.
- Cleaned traffic is forwarded to the Internet web server.

SaaS Access Control In Action (screenshot: Identity)


SaaS Access Control In Action (screenshot: Verified)


SaaS Access Control - Benefits
- Clients only get access to cloud resources if authenticated through the WSA.
- Single point for authentication.
- If an employee leaves the company, lock down his account in the directory -> all cloud services are locked down as well!


Example of iPhone Protection through WSA (screenshots: Good Website, Bad Website)


AnyConnect on iPhone
- Web traffic from the iPhone is checked and filtered.
- iPhone is protected from malware and mal
icious connections.


Summary of Secure Mobility
- Different policies for local and remote users (example: block high bandwidth sites for remote users)
- Single Sign-On for users on the WSA for authentication; works for non-AD users and AD users
- Usage of SAML 2.0 for SSO to cloud services (examples: WebEx, Salesforce.com, Google Apps, ...)


DEMO Secure Mobility


IPv6


IPv6 and WSA
End CY 2011:
- Explicit proxy support for IPv6
- IPv6 rules published via SIO, IPv6 reputation
- IPv6 management
CY 2012:
- Transparent proxy with WCCP, but: WCCP today has no IPv6 support! ASA and IOS need to develop IPv6 support for WCCP.


Troubleshooting


Useful Tools: Policy Trace


Useful Tools: Packet Capture
- Record packet flows
- Download capture files for analysis and troubleshooting


Web Security Management
- Detailed tracking of data


Working with CLI and Logfiles....
- Log data is in W3C format.
- Can be downloaded by FTP or via the CLI.


Working with CLI and Logfiles....

Sample access log entry (one line):

    1289045462.223 563 172.16.18.16 TCP_MISS/304 319 GET http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/expansionmodule.swf tmayer@munlabipcom DEFAULT_PARENT/proxy.esl.cisco.com DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroupNONE-NONE-DefaultGroup <IW_comp,6.5,"0","-",0,0,0,"-","-",-,-,-,"-","-",-,"-","-",,-,IW_comp,-,"Unknown","-","Unknown","Unknown","-","-",4.53,0,[Remote],"-","-">

Fields called out on the slide: Transaction Result Code (TCP_MISS/304), Client IP (172.16.18.16), Authenticated User (tmayer@munlabipcom), Cache hierarchy retrieval (DEFAULT_PARENT/proxy.esl.cisco.com), Policy chosen (DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroupNONE-NONE-DefaultGroup), Reputation Score (6.5), Location ([Remote]).
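An added example (not from the slides, not Cisco code) that parses the access log line above into the named fields, including the URL category and reputation score from the angle-bracket block and the [Remote] location, and flags transactions below a reputation threshold. The first sample line is the one from the slide; the second is constructed, and its verdict fields after the score are placeholders rather than real engine output.

```javascript
// Added example (not from the slides, not Cisco code): parser for the access
// log line format shown above. Sample lines: the first is the slide's line
// (with the extraction break inside the URL removed); the second is
// constructed to show a denied request, with placeholder verdict fields.
const SAMPLE_LINES = [
  '1289045462.223 563 172.16.18.16 TCP_MISS/304 319 GET http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/expansionmodule.swf tmayer@munlabipcom DEFAULT_PARENT/proxy.esl.cisco.com DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroupNONE-NONE-DefaultGroup <IW_comp,6.5,"0","-",0,0,0,"-","-",-,-,-,"-","-",-,"-","-",,-,IW_comp,-,"Unknown","-","Unknown","Unknown","-","-",4.53,0,[Remote],"-","-">',
  '1289045470.001 12 172.16.18.16 TCP_DENIED/403 0 GET http://low-reputation.example.test/ tmayer@munlabipcom NONE/- DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroupNONE-NONE-DefaultGroup <IW_comp,-7.2,"-","-",0,0,0,"-","-",-,-,-,"-","-",-,"-","-",,-,IW_comp,-,"Unknown","-","Unknown","Unknown","-","-",0,0,[Remote],"-","-">',
];

// Split the angle-bracket verdict block on commas, but not inside quotes.
function splitVerdict(block) {
  const out = [];
  let cur = "";
  let quoted = false;
  for (const ch of block) {
    if (ch === '"') { quoted = !quoted; cur += ch; }
    else if (ch === "," && !quoted) { out.push(cur); cur = ""; }
    else cur += ch;
  }
  out.push(cur);
  return out;
}

// Leading space-separated fields: timestamp, elapsed ms, client IP,
// result code/HTTP status, bytes, method, URL, user, hierarchy/upstream,
// policy decision; then the <...> scanning verdict block. Of that block only
// the first two fields (URL category, reputation score) and the bracketed
// location are interpreted here; the rest are listed in the online help.
function parseAccessLogLine(line) {
  const lt = line.indexOf("<");
  const gt = line.lastIndexOf(">");
  if (lt < 0 || gt < lt) throw new Error("no verdict block in access log line");
  const head = line.slice(0, lt).trim().split(/\s+/);
  if (head.length < 10) throw new Error("unrecognised access log line");
  const [ts, elapsed, clientIp, result, bytes, method, url, user, hierarchy, policy] = head;
  const [resultCode, httpStatus] = result.split("/");
  const [retrieval, upstream] = hierarchy.split("/");
  const verdict = splitVerdict(line.slice(lt + 1, gt));
  const loc = verdict.find((f) => /^\[.+\]$/.test(f));
  return {
    timestamp: parseFloat(ts),
    elapsedMs: Number(elapsed),
    clientIp,
    resultCode,
    httpStatus: Number(httpStatus),
    bytes: Number(bytes),
    method,
    url,
    user,
    retrieval,
    upstream,
    policy,
    urlCategory: verdict[0],
    reputationScore: parseFloat(verdict[1]),
    location: loc ? loc.slice(1, -1) : null,
  };
}

// Triage helper: entries whose reputation score is below `threshold`.
function lowReputation(lines, threshold) {
  return lines.map(parseAccessLogLine).filter((e) => e.reputationScore < threshold);
}
```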

List of Codes: use the Online Help!

For Your Reference


And if everything goes wrong....


Opening a Support Tunnel
- From the WSA, the administrator can allow the Cisco Support team direct access.
- An SSL tunnel with password is built on demand and terminated at Cisco Support.
- The support tunnel is built directly from the WSA; this can be a problem if an upstream proxy is used!


The Future of Web Security


Web Security through Cloud Service
- Hosted web security through the Cisco ScanSafe cloud service.
- Central reporting and administration through the ScanCenter portal.


Secure Mobility Future: Hybrid Security
- Internet traffic secured through the web security cloud service.
- Corporate traffic secured through the tunnel and the WSA.
- Consistent policy and monitoring.
Diagram: remote user with AnyConnect client 3.0, Internet, Cisco ASA, Cisco WSA, corporate network.


Summary
Cisco IronPort Web Security Appliance leverages a comprehensively architected feature list to protect the dynamic environment from the ubiquitous Web 2.0 world..... Or... Cisco IronPort Web Security Appliance ROCKS!


Complete Your Online Session Evaluation
- Give us your feedback and you could win fabulous prizes. Winners announced daily.
- Receive 20 Cisco Preferred Access points for each session evaluation you complete.
- Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
- Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.

BRKSEC-2052

Recommended Reading
