web security deployment

Web Security

Deployment

Ryan Wager Technical Marketing

Engineer

Agenda

• Overview Web Security

• Web Security with Cisco Ironport Web Security – Critical Functionalities

– Places in the Network

– Authentication

• Web Security with Cisco Scansafe – Critical Functionalities


– Authentication

• The Road to Hybrid Security – Secure Mobility

Today„s Websites...

Appliance or Cloud?

Agenda




– Authentication



– Authentication

• The Road to Hybrid Security

Cisco Web Security Appliance

Web Proxy incl. Caching (http,https, ftp, ftp over http)

Rich security functionalities

Reputation filtering

Malware scanning

URL Filtering

Application visibility & control

HTTPS inspection

Authentication

Reporting and tracking

L4TM

...more to come!

Web Application Control

Many Applications work on top of

HTTP traffic

Applications are detected and

controlled by special Signatures

Those Signatures are

downloaded dynamically via

regular Signature Updates from

Cisco

No reboot or manual installation

required!

About Reputation

Cisco SIO gathers statistical informations from Cisco Products and

other resources

Cisco SIO correlates informations

Updated informations are delivered back to appliances

Each IP / URL gets a score, ranging from -10 to +10

Web Email ASA IPS

Outbreak Intelligence

External

feeds

About Reputation

Malicious websites are tracked globally through SIO

WSA evaluates each webrequest against the defined

reputation score

Reputation score and action is configured on WSA

Network Participation

Admin can define the level of participation

Requested URL with result is sent back

User information and internal networks are not sent

Disabled: No information is sent to Cisco SIO Database

Limited: Server URL of request, hash of path segments

Standard: Server URL and all path segments are sent back

Agenda




– Authentication



– Authentication


Explicit Proxy

Internet

Internet Web

server

Web Security Appliance

ASA 5500

Firewall

Client requests a website

Browser connects first to WSA

WSA connects to website

Firewall usually only allows webtraffic for proxy

How does the Browser find the Proxy?

Proxy setting in the browser

Static definition with IP/NAME and PORT

How does the Browser find the Proxy?

Automatic Configuration via PAC File

function FindProxyForURL(url, host)

{

return "PROXY 192.168.1.80:3128; 192.168.1.81:3128";

}

function FindProxyForURL(url, host)

{

return "PROXY 192.168.1.80:3128";

}

http://www.findproxyforurl.com/

PAC Deployment

Via AD and GPO

Via script

Via manual setting

Via DHCP

DHCP Option 252

Via Wpad Server

WPAD Server WPAD Server hosts PAC file as wpad.dat

File is retrieved via HTTP and Javascript

Automatic Settings creates a lookup on a server

called „wpad“

Transparent Proxy via WCCP

Internet

Internet Web

server


ASA 5500

Firewall

Client requests a website

Browser tries to connect to Website

Network Device redirects traffic to WSA using WCCP

WSA proxies the request

Background on WCCP

WCCPv1 developed in 1997 by Cisco Systems and publicly

released in July 2000

WCCPv2 published as an IETF draft in July 2000 to make the

specification open and remove the requirement for licensing

– Enhancements

• Configurable WCCP Router ID

• WCCP Variable Timers – Improved Failover

• Improved Interaction between WCCP and NetFlow

WCCPv3 is an internal specification targeted at IPv6 that was

never released

Details Assignment

The WCCP assignment method is used to determine which WCCP traffic

and which WCCP device is chosen for the destination traffic.

WCCP can use two types of Assignment Methods: Hash and Mask.

• Hash Based Assignment

Uses a software based hash algorithm to determine which WCCP

appliance receives traffic. In hardware based platforms the Netflow table

is used to apply hardware assistance.

• Mask Based Assignment

Uses the ACL TCAM to assign WCCP entities. This method is fully

handled by hardware.

Details Redirect and Return

• Redirect Method – WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client

(WSA, Cache,…)

– Layer 2 - Frame MAC address rewritten to MAC of WCCP Client

• Return Method The Return method determines how the traffic will be sent back from the router to the WCCP appliance if the traffic could not be serviced. Refered to as “Proxy Bypass”

– WCCP GRE – Packet WCCP GRE returned router

– WCCP Layer 2 – Frame rewritten to router MAC

Details Assignment

• The following best practices should be followed for implementing

WCCP on a software-based platform:

– GRE Forwarding (Default)

– Hash Assignment (Default)

– Inbound or Outbound Interception

– "ipwccp redirect exclude in" on WCCP client interface (outbound interception

only)

• The following best practices should be followed for implementing

WCCP on a hardware-based platform:

– L2 Forwarding

– Mask Assignment

– Inbound Interception

– No "ipwccp redirect exclude in"

WCCP input redirect

Ingress

Interface

Egress

Interface

WCCP Input redirect

WCCP output redirect and input exclude

Ingress

Interface Egress

Interface

WCCP Output redirect

WCCP Exclude-in

How WCCP registration works

WCCP Client WCCP Server

1. Registration

The WCCP client registers at the WCCP Server

Both, Server and Client need to use the same WCCP Service Group ID

One WCCP Server usually can server multiple Clients

Server and Client exchange „here i am“ and „I see you“ Packets to check

availability UDP/2048, unicast

Multicast possible

Traffic is redirected from Server to one or multiple Clients using the „hash“ or

„mask“ algorithm

3. „I see you“

2. „Here I am“

Buckets 86–170 Buckets 86–128

Buckets 1–85

Buckets 129–170

Buckets 171–255

A B C X

WCCP Protocol Failover

When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group

If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally

Using WCCP for Traffic Redirection

WCCPv2 support is availible on many Cisco Platforms:

L3 Switches, Routers, ASA 5500 Security Appliance

Cisco Ironport WSA supports all redirect and assign

methods (software implementation)

Method to use will be negotiated

WCCP

Platform Recommendations Function

Support / Recommend

Software

ISR & 7200

ASR 1000 Cat 6500

Sup720 Sup32

Cat 6500

Sup2

Cat 4500

Cat 3750

ASA 5500

Assignment Hash Only Mask Only Mask or Hash / Mask

Mask or Hash / Mask

Mask only Mask only Hash only

Forwarding GRE Only L2 or GRE / L2 or GRE

L2 or GRE / L2 or GRE

L2 or GRE / L2 L2 only L2 only GRE Only

Forwarding Redirect List

Full extended ACL

Full extended ACL

Full extended ACL

Full extended ACL

No Redirect List Support

Extended ACL (no deny)

Full extended ACL

Direction In or Out / In

In only In or Out / In In or Out / In

In only In only In only

Return IP Forward , L2 or GRE

IP Forward, L2, WCCP GRE, or generic GRE

GRE, nGRE, L2, & IP Forward / No GRE

IP Forward or L2 / IP Forward



GRE

For Your Reference

Transparent Redirection and HTTPS

Symptoms:

• Successfully configured WCCP on the L3 Device

• Successfully connect to HTTP sites

• Cannot connect to HTTPS Sites

• Switching to explicit Proxy works fine for HTTP and HTTPS

Solution:

Activate HTTPS Proxy

Not necessary to decrypt the requests

Agenda




– Authentication



– Authentication


Policy - Authentication

Policy objects can be managed from central access policy screen

First step is to define the Identity:

”For whom does this policy apply?”

Authentication

User Directory Web Security Appliance

Authentication Protocols

Directory:

LDAP or AD

Method:

Basic: Credentials are sent unencrypted

NTLMSSP: Challenge-Response

Tracking the User

IP based Surrogates

Cookie based Surrogates

User

NTLM Authentication

NTLM requires Account in the AD Domain

Credentials to create a computer account are used only once, not

stored on appliance

Currently only one domain is supported via NTLM

LDAP Authentication

LDAP queries on port 389 or 636 (Secure LDAP),

3268 (AD GC Server)

Need to know the Base DN Name Parameter

Can connect to multiple different domains

Authentication against LDAP

• Knowing the LDAP Base DN is fundamental

• Or check with „DSQUERY“ command on a MS AD

Authentication in Explicit Deployment

Web Security Appliance User Directory User

Proxy sends http response 407 (proxy auth. request)

Client recognizes the proxy

Client will then accept a http response 407 from the proxy

Works for HTTPS

Client sends a CONNECT request to the proxy

Client will then accept a 407 response from the proxy

http error 407

Authentication in Transparent Deployment


User

User Directory

Client is not aware of a proxy -> http response 407 cannot be used

Need to use http response 401 – basic authentication

Client needs to be first redirected to the wsa

Internet

Internet Web

server

DEMO – WSA with transparent redirection

IE8/IE9 with Single-Sign On SSO on WSA correctly configured but Clients still getting prompted

Check if WSA Redirect Name is listed in „Trusted Sites“

Check „Security Settings“ on Trusted Sites and set to

„Automatic Logon with current user name and password“

Transparent User Identification (TUI) Web Security Release 7.5

Internet AD Controller w/ Agent

WSA

Switch w/ WCCP AD User

1 2

3

4

5 6

1. Client logs on to the AD Domain

2. Client request a Web Site

3. Traffic is transparently redirected to the WSA

4. WSA needs to authenticate and queries the AD Agent for the User/Group

5. AD Agent looks up the IP and delivers User/Group

6. Request is proxied and forwarded to the Internet

DEMO – WSA with Transparent User

Identification

Cisco Ironport WSA & IPv6 Support Current version of WSA does not yet support IPv6

Support is planned for Q4CY2012 IPv6 Support for explicit mode Transparent is depending on implementation on ISR, ASA and Switches, done in a later release

WSA will listen for connections both on IPv4 and IPv6

Admin can configure, if IPv4 or IPv6 should be prefered

Depending on Configuration, A-record or AAAA-record will be delivered

IPv6

IPv4

Internal IPv6

Internet

Sizing for WSA

• Main Parameter for sizing is “requests per second”

• Rule of thumb:

Each request/s is approx. 80-90 Kbps of HTTP traffic

Each Mbps of HTTP translates to approx. 10 requests/s

100 Mbps of sustained HTTP traffic is approx. 1000 requests/s

• Easy way to find out on a WSA: use the “rate” CLI command

This parameter allows a quite correct sizing depending on features together with the

Cisco SE

Sizing Table Example S370 Appliance

Agenda




– Authentication

• Web Security with Cisco Scansafe – Overview and Critical Functionalities


– Authentication


Websecurity through Cloudservice

Hosted Websecurity through

Cisco Scansafe Cloud Service

Central reporting and

administration through

Scancenter Portal

Data Flow with ScanSafe

Web requests

Allowed traffic

Filtered traffic

Internet

User

Client requests are redirected

to a proxy in the cloud

Requests are checked and

filtered

Clean requests are directed

back to the client

Scalability & Reliability

See BRKSEC-2346:

Inside the Scansafe Architecture

Billions of web requests per day

<50 ms latency

High-Availability Infrastructure

Parallel Processing

Outbreak Intelligence

<html>

<js>

<swf>

<pdf>

<jpg>

<web>

JAVA

Scanlet

Archive

Scanlet

Script

Scanlet

PDF

Scanlet

SWF

Scanlet

Win EXE

Scanlet

Multiple

AV

File

Anomaly

Scanlet

Phishing

Scanlet

Context

Scanlet

MF

Scanlet

META

Scanner

Parallel Processing in the

Scantower provides

maximum performance

Scanlets provide scanning for

malware through code

anomaly analysis

Agenda




– Authentication



– Authentication


Corporate

Network

Challenge:Branch Office with local Breakout

Internet

VPN

Webtraffic destined for the central DC is sent via VPN Tunnel

Normal Webtraffic goes directly to the Internet

bandwidth saving in the central site

But how to secure the webtraffic?

ISR G2 with integrated Connector

61

Connector is integrated in the Cisco ISR G2 Router Platforms

No need to install Connector seperatly in branch networks

Redirect of the webtraffic is happening transparently for the user on the router

Provides Scantower redundancy

Provides User granularity

Authenticate User via NTLM (transparent authentication) or Basic (Prompt for Credentials)

NTLM works without prompting for IE, Firefox and Google Chrome

Internet

AD

Server BRKSEC-3007: Advanced Cisco IOS Security Features

ISR G2 with Integrated Connector

Simple Config

62

parameter-map type content-scan global

server scansafe primary name proxy100.scansafe.net port http

8080 https 8080

license 0 68668486389366986986968689698668

source interface FastEthernet8

timeout server 60

timeout session-inactivity 120

user-group munlab username tmayer

server scansafe on-failure block-all

interface FastEthernet8

description $WAN-Interface$

ip address dhcp client-id FastEthernet8

ip nat outside

content-scan out

Sizing and Scalability for ISR with Connector

3945E 3925E 3945 3925 2951 2921 2911 2901 1941 1921 891

No Auth 5000 5000 1200 900 600 500 400 350 350 300 120

Web Proxy 1200 1200 1200 900 600 500 400 350 350 300 120

HTTP Basic 1200 1200 1200 900 600 500 400 350 350 300 120

NTLM 1200 1200 1200 900 600 500 400 350 350 300 120 Ph

ase

II P

ha

se

I

ScanSafe Users Supported per ISR G2 Platform

For Your Reference

Phase 1: Feb 2012

Phase 2: May 2012

ASA ScanSafe Integration

AAA

Employees

ASA

AAA

Employees

ASA

Scansafe

Tower

Google

Server

Internet

Headquarters Branch Office

Headquarters and Branch office

web traffic scanned by Scansafe

Both Headquarters and Branch

office web traffic whitelisted

• Proxy Settings are pushed to

browsers via Active Directory

GPO

• Browsers connect through

Firewall on port 8080 to Web

Security Service

• Firewall blocks all other GET

requests

• Provides Site/External IP

granularity

Browser Redirection via GPO / PAC file

Internet AD

Server

GPO Update

Agenda




– Authentication



– Authentication


Easy ID

• Clientless User authentication via webbrowser

• User authenticates via Webportal

• Policies are applied from Scancenter Portal verifying User Name and Group through AD Connection

• AD Connection is done via LDAPS query from Scancenter to the LDAP Directory at customer site

• Scancenter is sending a cookie that is used for subsequent authentication

• Proxy Settings are pushed to browsers

via AD,GPO or PAC file to ScanSafe on

port 8080/443 to the Cloud based Tower

• Connector receives Client info and

queries Active Directory Server for Group

Information, then proxies to ScanSafe

upstream

• Set Firewall to block all other GET

requests

• Provides IP/End User/Group granularity

• Scalable up to 10000 Users per

Connector, depending on which HW it is

installed

Standalone Connector

Internet

AD

Server

Connector

• Installs a Network Driver which

binds to all connections (LAN,

Wireless, 3G)

• Automatic Peering Identifies

nearest ScanSafe Datacenter and

whether a connection is possible.

• AD information can be

remembered from when the user

was last on the corporate network

using the Gpresult API (group

policy)

Roaming Users

Proxy Firewall Hotspot

Client with

Websecurity

Web Security & AnyConnect

71

Supported on Windows &

MAC OS X

Client settings are controlled

via Profile

Profile can be centrally

distributed via the Scancenter

Portal

Web Security & AnyConnect

72

Single and modular client

VPN (SSL, IKEv2, Always-On,...)

802.1x (Wired, Wireless, MACSEC...)

Websecurity

Posture for VPN

Telemetry (SIO)

All modules can be used independently or

all together

If VPN Module is used, profile

management can be done centrally

through ASA

How Does it Work? Authenticates and directs your external client Web traffic to our

scanning infrastructure

Automatically connect to nearest Scantower

SSL encryption of all Web traffic sent improves security over public

networks (example: Firesheep Plugin for FF)

73

Web Security & AnyConnect Configuration for Web Security with VPN

74

Configured through a profile,

downloaded from ASA at connect

VPN is lower in the stack than the

Websecurity Module

Split tunnel Scansafe gateways in the

VPN Config (on the ASA)

Exclude Corporate adresses from

beeing forwarded to the scansafe

towers

Client with

Websecurity

Corporate

traffic

Internet

Web Security & AnyConnect Configuration Client Profile

Scanning Tower

selection

Proxy ports

For Your Reference

Web Security & AnyConnect Configuration – Client Profile

Exceptions for

authorized internal

proxies

Static Exceptions

like VPN

Gateways

Exceptions for

internal networks &

public websites to be

excluded from

scanning


Activate Beacon

Checking,

Deploy public key

Automatic selection

of nearest Scantower

For Your Reference


Authentication

Settings

License Key

For Your Reference

Web Security & AnyConnect Configuration for Web Security without VPN

Specify Client

Profile

Upload Client Profile

Scancenter Portal provides hosting of PAC file and / or Client Profile

Differentiate Usergroups due to usage of group keys

Key for

Authentication

Beacon Server for the AnyConnect

Web Security Module Beacon Server runs on an

internal Server

Client gets public key from

Beacon Server during

deployment

If the client has reachability

to the Beacon Server, client

module is deactivated

TND in ASA 9.0

DEMO – AnyConnect with Web Security

Scansafe & IPv6 Support

Current version of Web Security does not yet support IPv6

IPv6 traffic scanning can be excluded by adding “::/0” to Static

Exceptions

Full IPv6 Support will be added mid CY 2012 in two phases:

IPv6

IPv4

Internal IPv6

Internet

Internet

AC 3.1 or Standalone / integrated Connector

AC 3.1 or Standalone / integrated Connector

Agenda




– Authentication



– Authentication


Secure Mobility Future – Hybrid Security

Internet

Remote User

w/

AnyConnect

Client 3.0

Corporate

Network

Cisco ASA Cisco WSA

Internet traffic

secure through web

security cloud

service

Corporate traffic

secure through

tunnel and WSA

Consistent Policy

and Monitoring

Hybrid Security – what has been done and what lies ahead

Unification of URL Databases

AVC integration

Connector Integration in ISR G2 Router

Unification of features – Q1/Q2 CY2012 Application visibility and control

Web Reputation

Connector Integration in ASA – Q3 CY2012

Connector Integration in WSA

Provide common management

Provide common logging and reporting

Summary

Cisco Web Security Solution leverages a comprehensive

architected featurelist to protect the dynamic

environment from the ubiquitios web 2.0 world.....

Or...

Cisco Web Security Solution simply ROCK!

Q&A

#CiscoPlusCA

Follow @CiscoCanada and join the #CiscoPlusCA conversation

Access today‟s presentations at cisco.com/ca/plus

We value your feedback. Please be sure to complete the Evaluation Form for this session.

Thank you.

web security deployment

Technology