Securing Your Web World
A Trend Micro TrendEdge Solution
Advanced Technologies and Techniques to Enhance Your Product

Integrating Trend Micro IWSVA with Cisco ASA Using WCCP
Eumir Nogales, Senior Product Specialist, Trend Micro, Inc.
Vernon Lee, Senior Enterprise Sales Engineer, Trend Micro, Inc.
Jody Butler, Senior Corporate Sales Engineer, Trend Micro, Inc.
Peter Wei, Senior Software Architect, Trend Micro, Inc.

TREND MICRO INC.
10101 N. De Anza Blvd.
Cupertino, CA, 95014
www.trendmicro.com
Toll free: +1 800.228.5651
Fax: +1 408.257.2003
Phone: +1 408.257.1500

June 2010
Contents

Executive Summary
Suggested Network Architecture
Requirements
Procedure
Logging WCCP Traffic Using IWSVA and Cisco ASA Features
    To log WCCP traffic using the IWSVA
    To log WCCP traffic using the ASA
Verifying that WCCP is Working Correctly
References
About the Authors
    Eumir Nogales
    Vernon Lee
    Jody Butler
    Peter Wei
About Trend Micro Incorporated
Contacting TrendEdge Publications
Trend Micro, the Trend Micro t-ball logo, and InterScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice, and the information contained in this document is provided as-is. This document is for informational purposes only, and is not supported by Trend Micro or its partners.
TREND MICRO MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Copyright 2010 Trend Micro Incorporated. All rights reserved.
Document Part No. TE07WSVA50_100602US
Executive Summary

This document describes how to set up Trend Micro InterScan Web Security Virtual Appliance 5.0 (IWSVA) to work with a Cisco Adaptive Security Appliance (ASA) and the Cisco-developed Web Cache Communication Protocol (WCCP).

Note: Trend Micro provides this document "as-is" as a courtesy to interested parties. The accuracy of the information is solely the authors' responsibility. Neither Trend Micro nor its partners support this document.

Cisco Adaptive Security Appliances (ASA) are Layer 3 devices that can redirect traffic to one or more transparent proxy web cache servers. Web caches reduce network latency by enabling end users to retrieve web pages that they have accessed previously from a memory buffer or cache instead of from a web server.

Cisco created the Web Cache Communication Protocol (WCCP) to control the interaction of external web cache devices with Adaptive Security Appliances. WCCP not only reduces the load on web cache devices, but it also provides load balancing and support for multiple routers and protocols. WCCP is transparent to the end user.

Suggested Network Architecture

This document describes how to configure IWSVA to run in WCCP mode and communicate with a Cisco ASA in an N-tier environment. When an IWSVA is running in WCCP mode and is integrated with a Cisco ASA, it becomes a web cache even though it does not specifically serve cached content. Instead, it acts as a cache engine for the ASA and scans the requested content for malicious code.

Figure 1 below shows traffic moving into and out of a network with a Cisco ASA and an IWSVA. Since an ASA operates as a router, an external firewall can function as a gateway out of the network if you configure it to do so.

The ASA uses WCCP during the initial request when HTTP packets arrive at the device from the internal network. Once an outbound packet reaches the internal network port on the ASA, the ASA encapsulates it and hands it off to the IWSVA. The IWSVA, in turn, requests the content from the external web server, scans it, and permits or denies the request. If the IWSVA approves the request, it then delivers the web content to the client.

Note: This document was written using IWSVA 5.0, a Cisco ASA 5510 running version 8.2(1) of Cisco IOS, and WCCP Version 2.0. Trend Micro customers should be aware that Cisco can make changes at any time to IOS, and to the ability of an ASA to work with WCCP, without notice.
Figure 1. Flow of Traffic between a Cisco ASA and an IWSVA in an N-Tier Environment

Requirements

- The client (browser) and IWSVA cache engine(s) must be on the same Cisco Adaptive Security Appliance (ASA) internal interface.
- The Cisco ASA and IWSVA must be configured to use WCCPv2.

Note: For additional hardware and software requirements, consult the relevant Cisco and Trend Micro product documentation. Trend Micro IWSVA documentation is available at the following location:

See the References section for links to the relevant Cisco documentation.
Procedure

Follow the steps below to configure the Cisco ASA and IWSVA to work with WCCP:

1. Log into the CLI of the Cisco ASA and create two access control lists (ACLs): one for the web cache and another for the redirect list:

    Router#configure terminal
    Router(config)#access-list wccp extended permit tcp any any eq www
    Router(config)#access-list mycache-wccp extended permit tcp host <IWSVA-IP Address> any
    Router(config)#wccp 80 redirect-list wccp password novirus
    Router(config)#wccp interface internal 80 redirect in

2. Log into the IWSVA Web Console and do the following:
   a. Configure IWSVA to use WCCPv2 and enter the router address.
   b. Enter a password. Use novirus, the password set in the ASA wccp command in step 1.
   c. Save the changes.
3. Open a terminal session to the IWSVA shell.
4. Change the directory to /var/iwss/
5. Open the IWSSPIProtocolHttpProxy.pni file.
6. Look for the string wccp_service and then change the parameters in Table 1 below:
Table 1. IWSVA wccp_service Parameters for the Cisco ASA
7. Access the IWSVA CLI. Restart the IWSS daemon by typing the following commands:
    /usr/iwss/S99ISWCCPd stop
    /usr/iwss/S99ISWCCPd start

Logging WCCP Traffic Using IWSVA and Cisco ASA Features

To log IWSVA and Cisco ASA WCCP traffic, follow the steps below.

To log WCCP traffic using the IWSVA:

1. Open a terminal session to the IWSVA shell.
2. Navigate to the /var/iwss directory.
3. Open the IWSSPIProtocolHttpProxy.pni file.
4. Look for the string wccp_logging. Change the value from 0 to 1.

Note: IWSVA saves WCCP debug output in its HTTP logs.

To log WCCP traffic using the ASA:

1. Log into the ASA shell, then enter configure mode.
2. Type the command:

    Router(config)#debug wccp event

Note: Once you have configured the Cisco ASA server, you have the option to route the WCCP debug information through a Syslog server or to display the events on the router console.

Verifying that WCCP is Working Correctly
1. Check the IWSVA HTTP logs. You should see the following string(s):

    <date> <time><zone> <id> WCCP: Sending WCCPv2 HERE_I_AM for service ID <serviceid>
    <date> <time><zone> <id> WCCP: Received WCCPv2 I_SEE_YOU from <router ip>
    <date> <time><zone> <id> WCCP: Good Received WCCPv2 I_SEE_YOU

2. Log into the Cisco ASA shell and type show wccp to view the WCCP information on the router. Here is an example of what you should see:

    WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000A
    WCCP-EVNT: Web Cache 192.168.25.3 added
    WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000B
    WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000C
The IP address should be the IP address of the IWSVA. Refer to the link below for more information on debugging Cisco ASA WCCPv2:

http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801854c4.shtml
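Added example (not from the original document, Trend Micro, or Cisco): a Python check that applies both verification steps above to captured log text, confirming the HERE_I_AM / I_SEE_YOU exchange with the expected router and flagging any web cache the ASA added that is not a known IWSVA address. It matches only the message strings quoted in this document; the function names, the sample addresses, and the timestamp/id prefix of the sample IWSVA lines are assumptions.

```python
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Patterns built from the log strings quoted in the verification steps.
HERE_I_AM = re.compile(r"WCCP: Sending WCCPv2 HERE_I_AM for service ID (\S+)")
I_SEE_YOU = re.compile(r"WCCP: Received WCCPv2 I_SEE_YOU from " + IP)
GOOD = re.compile(r"WCCP: Good Received WCCPv2 I_SEE_YOU")
CACHE_ADDED = re.compile(r"WCCP-EVNT: Web Cache " + IP + r" added")
USABLE = re.compile(r"WCCP-EVNT: Built I_See_You msg body w/(\d+) usable web caches")

# Constructed sample lines; the IWSVA timestamp/id prefix is an assumed layout.
SAMPLE_IWSVA = [
    "2010/06/02 10:15:01+0800 <1234> WCCP: Sending WCCPv2 HERE_I_AM for service ID 80",
    "2010/06/02 10:15:01+0800 <1234> WCCP: Received WCCPv2 I_SEE_YOU from 192.168.25.1",
    "2010/06/02 10:15:01+0800 <1234> WCCP: Good Received WCCPv2 I_SEE_YOU",
]
SAMPLE_ASA = [
    "WCCP-EVNT: Web Cache 192.168.25.3 added",
    "WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000B",
]

def check_iwsva_log(lines, router_ip):
    """Summarise the HERE_I_AM / I_SEE_YOU exchange as seen by the IWSVA."""
    services, routers, good = set(), set(), 0
    for line in lines:
        if m := HERE_I_AM.search(line):
            services.add(m.group(1))
        elif m := I_SEE_YOU.search(line):
            routers.add(m.group(1))
        elif GOOD.search(line):
            good += 1
    return {
        "services": sorted(services),
        "handshake_ok": bool(services) and router_ip in routers and good > 0,
        "unexpected_routers": sorted(routers - {router_ip}),
    }

def check_asa_debug(lines, expected_caches):
    """Compare web caches the ASA added with the IWSVA addresses expected."""
    added, usable = set(), None
    for line in lines:
        if m := CACHE_ADDED.search(line):
            added.add(m.group(1))
        elif m := USABLE.search(line):
            usable = int(m.group(1))  # keep the most recent count
    expected = set(expected_caches)
    return {"missing": sorted(expected - added),
            "unexpected": sorted(added - expected), "usable": usable}
```

A non-empty "unexpected" list, or a "usable" count higher than the number of IWSVA units deployed, means a device other than the intended IWSVA has joined the service group and should be investigated.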
References

How to configure web cache services using WCCP on Cisco ASA 5500 Series Adaptive Security Appliances
https://supportforums.cisco.com/docs/DOC-3006

Cisco Security Appliance Command Line Configuration: Enabling WCCP Redirection
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094628

Configuring WCCP Version 2 on a Cisco Content Engine and Router
About the Authors

Eumir Nogales

Eumir Nogales has been with Trend Micro for 7 years and is currently a Senior Product Specialist with the Philippine Core Team. Before joining this group, Eumir was a member of a 24/7 team where he supported the Cisco ASA CSC product, which contains Trend Micro technology. Mr. Nogales has 15 years of IT experience, which includes positions in network/system administration, software development, project management, consulting, and system support.

Vernon Lee

Vernon Lee currently serves as a Senior Enterprise Sales Engineer for Trend Micro. Prior to working for Trend Micro, he was employed as a Security Solutions Engineer at another well-known provider of best-of-breed security solutions. Vernon has a total of 11 years of experience in the network security arena.

Jody Butler

Jody Butler is currently serving as a Senior Corporate Sales Engineer for Trend Micro. Prior to joining Trend Micro, he was a Senior Security Engineer for the State of Texas, served as a network administrator for a healthcare organization, and worked in field sales engineering for a local reseller. He brings a total of 12 years of network security, systems administration, and virtualization experience to Trend Micro. He also holds a Bachelor's degree in Computer Information Systems Management and Networking.

Peter Wei

Peter Wei works as a Senior Software Architect for the Trend Micro Web gateway product line, where he is responsible for product architecture, road maps, customer support activities and other technical roles. Peter has more than 15 years of experience in networking and network security, and has served in system architect and management roles at several Silicon Valley companies.
About Trend Micro Incorporated

Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information, and property from malware, spam, data leaks and the newest Web threats. Trend Micro's flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. A transnational company with headquarters in Tokyo, Trend Micro sells its trusted security solutions through its business partners worldwide. For more information, please visit www.trendmicro.com.
Contacting TrendEdge Publications

The Trend Micro TrendEdge team is always seeking to provide better solutions. Have a question or comment about this document? We would like to hear from you. Contact us at: sav@trendmicro.com