Professional Documents
Culture Documents
BRKSEC-2101
BRKSEC-2101
Cisco Public
For Your
Reference
BRKSEC-2101
Cisco Public
Angel Aloisius
Some slides have this friendly guy in the right corner
Those slides are meant to be non-standard advices
BRKSEC-2101
Cisco Public
Agenda
Overview Web Security
Cisco Public
1996
BRKSEC-2101
Cisco Public
Todays Websites...
BRKSEC-2101
Cisco Public
Appliance or Cloud?
BRKSEC-2101
Cisco Public
Agenda
Overview Web Security
Cisco Public
Cisco Public
10
BRKSEC-2101
Cisco Public
11
About Reputation
Cisco SIO gathers statistical informations from Cisco Products and other resources
Cisco SIO correlates informations
Updated informations are delivered back to appliances
Each IP / URL gets a score, ranging from -10 to +10
External
feeds
Outbreak Intelligence
Web
BRKSEC-2101
Email
2012 Cisco and/or its affiliates. All rights reserved.
IPS
ASA
Cisco Public
12
About Reputation
Malicious websites are tracked globally through SIO
WSA evaluates each webrequest against the defined reputation score
Reputation score and action is configured on WSA
BRKSEC-2101
Cisco Public
13
Agressive Advertising
BRKSEC-2101
Cisco Public
14
BRKSEC-2101
Cisco Public
15
Network Participation
Admin can define the level of participation
Requested URL with result is sent back
User information and internal networks are not sent
BRKSEC-2101
Cisco Public
16
Agenda
Overview Web Security
Cisco Public
17
Explicit Proxy
Client requests a website
Browser connects first to WSA
WSA connects to website
Firewall usually only allows webtraffic for proxy
Internet
ASA 5500
Firewall
BRKSEC-2101
Cisco Public
18
BRKSEC-2101
Cisco Public
19
http://www.findproxyforurl.com/
BRKSEC-2101
Cisco Public
20
PAC Deployment
Via AD and GPO
Via script
Via manual setting
Via DHCP
DHCP Option 252
Via Wpad Server
BRKSEC-2101
Cisco Public
21
WPAD Server
WPAD Server hosts PAC file as wpad.dat
File is retrieved via HTTP and Javascript
Automatic Settings creates a lookup on a server called wpad
BRKSEC-2101
Cisco Public
22
http://technet.microsoft.com/en-us/library/cc441517.aspx
BRKSEC-2101
Cisco Public
23
BRKSEC-2101
Cisco Public
24
Internet
ASA 5500
Firewall
BRKSEC-2101
Cisco Public
25
Background on WCCP
WCCPv1 developed in 1997 by Cisco Systems and publicly released
in July 2000
WCCPv2 published as an IETF draft in July 2000 to make the
specification open and remove the requirement for licensing
Enhancements
Configurable WCCP Router ID
WCCP Variable Timers Improved Failover
BRKSEC-2101
Cisco Public
26
Details
Assignment
The WCCP assignment method is used to determine which WCCP traffic and
which WCCP device is chosen for the destination traffic.
WCCP can use two types of Assignment Methods: Hash and Mask.
Hash Based Assignment
Uses a software based hash algorithm to determine which WCCP appliance
receives traffic. In hardware based platforms the Netflow table is used to apply
hardware assistance.
BRKSEC-2101
Cisco Public
27
For Your
Reference
Hash - Combines packets src/dest IP addrs and src/dest ports into 8-bit value.
Complex function: The first packet must be sent to software, a Netflow entry is
then created for subsequent packet rewrite
Mask Selects up to 7 bits from src/dest IP addrs and src/dest ports. With this
mode, the ACL TCAM can be programmed immediately and the first packet can
then be hardware switched.
Hash table and Mask/value sets are supplied by the WCCP client to the router
MASKING
HASHING
XOR (IP_DA
IP_SA
port_DA
port_SA)
BRKSEC-2101
Hash
index
WSA1
WSA2
WSA3
WSA4
WSA1
WSA2
WSA3
WSA4
28
Details
Redirect and Return
Redirect Method
WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client
(WSA, Cache,)
Layer 2 - Frame MAC address rewritten to MAC of WCCP Client
Return Method
The Return method determines how the traffic will be sent back from the
router to the WCCP appliance if the traffic could not be serviced. Referred
to as Proxy Bypass
WCCP GRE Packet WCCP GRE returned router
Cisco Public
29
BRKSEC-2101
Egress
Interface
Cisco Public
30
Egress
Interface
WCCP Exclude-in
BRKSEC-2101
Cisco Public
31
3. I see you
WCCP Server
WCCP Client
Traffic is redirected from Server to one or multiple Clients using the hash or mask
algorithm
BRKSEC-2101
Cisco Public
32
WCCP Protocol
When a WCCP client fails, the portion of the load handled by that client is
automatically redistributed to the remaining WCCP clients in the service group
If no other WCCP clients are available in the service group, the service group is
taken offline and packets are forwarded normally
Buckets 86128
Buckets 185
BRKSEC-2101
Buckets 86170
Buckets 129170
Buckets 171255
Cisco Public
33
BRKSEC-2101
Cisco Public
34
BRKSEC-2101
Cisco Public
35
WCCP Protocol
Service Group
BRKSEC-2101
Cisco Public
36
Product
Name
Protocol
Port
ACNS
web-cache
80
53
ACNS
DNS
17
53
60
ACNS
ftp
21
61
WAAS
tcp-promiscuous
62
WAAS
tcp-promiscuous
70
ACNS
https-cache
443
80
ACNS
rtsp
554
81/82
ACNS
wmt
6 (81), 17(82)
1755
83
ACNS
rtspu
554
89
WAFS
cifs-cache
139, 445
90-97
ACNS
custom
User Defined
98
ACNS
custom-web-cache
User Defined
99
ACNS
reverse-proxy
80
BRKSEC-2101
Cisco Public
37
VLAN10
VLAN10
BRKSEC-2101
Cisco Public
38
VLAN40
Recommendations:
Assign seperate VLAN for the
connection to the WSA!
Redirect ACL only allows permit
statements on 3560/3750 Series!
No easy way to exclude WSA from
redirect looping...
VLAN10
BRKSEC-2101
Cisco Public
39
Mask SrcAddr
DstAddr
SrcPort DstPort
---- ------------------- ------0000: 0x00000000 0x00000526 0x0000 0x0000
Value
----0000:
0001:
0002:
SrcAddr
------0x00000000
0x00000000
0x00000000
BRKSEC-2101
DstAddr
------0x00000000
0x00000002
0x00000004
SrcPort
------0x0000
0x0000
0x0000
DstPort
------0x0000
0x0000
0x0000
CE-IP
----0xAC100A64 (172.16.10.100)
0xAC100A64 (172.16.10.100)
0xAC100A64 (172.16.10.100)
Cisco Public
40
WAN
r1
Si
Si
r2
WAN
r1
BRKSEC-2101
Cisco Public
Si
Si
r2
41
BRKSEC-2101
Cisco Public
42
Cisco Public
43
firewall transparent
hostname munlab-asa2
ip address 172.16.10.33 255.255.255.0
!
interface Ethernet0/0
description OUTSIDE INTERFACE
nameif OUTSIDE security-level 0
!
interface Ethernet0/1
description INSIDE
nameif INSIDE security-level 100
!
wccp 92 redirect-list WCCPREDIRECTLIST
wccp interface INSIDE 92 redirect in
BRKSEC-2101
Cisco Public
44
BRKSEC-2101
Cisco Public
45
e2
BRKSEC-2101
Cisco Public
46
WCCP
Router Redirect and Return Support
WCCP GRE Redirect
For Your
Reference
WCCP L2 Redirect
IP
Forward
Return
Software: None
WCCP
GRE
Return
Not supported
WCCP L2
Return
Hardware: ASR
Native
GRE
Return
Not supported
BRKSEC-2101
Cisco Public
47
WCCP
For Your
Reference
Platform Recommendations
Function
Software
Support /
Recommend
ASR 1000
Cat 6500
Cat 6500
Sup720 Sup32
Sup2
Cat 4500
Cat 3750
ASA 5500
Assignment
Hash Only
Mask Only
Mask or Hash /
Mask
Mask or Hash
/ Mask
Mask only
Mask only
Hash only
Forwarding
GRE Only
L2 or GRE / L2
or GRE
L2 or GRE / L2
or GRE
L2 or GRE /
L2
L2 only
L2 only
GRE Only
Forwarding
Redirect List
Full extended
ACL
Full extended
ACL
Full extended
ACL
Full extended
ACL
No Redirect
List Support
Extended
ACL (no
deny)
Full
extended
ACL
Direction
In or
Out / In
In only
In or Out / In
In or
Out / In
In only
In only
In only
Return
IP Forward ,
L2 or GRE
IP Forward, L2,
WCCP GRE, or
generic GRE
IP Forward or
L2 / IP
Forward
IP Forward
or L2 / IP
Forward
IP Forward
or L2 / IP
Forward
GRE
BRKSEC-2101
Cisco Public
48
BRKSEC-2101
Cisco Public
49
BRKSEC-2101
Cisco Public
50
Internet
PBR
Cisco Public
51
Internet
BRKSEC-2101
Proxy
WSA
Cisco Public
52
Agenda
Overview Web Security
Cisco Public
53
Policy - Authentication
BRKSEC-2101
Cisco Public
54
Authentication
User
User Directory
Authentication Protocols
Directory:
LDAP or NTLM
Method:
Basic: Credentials are sent unencrypted
NTLMSSP: Challenge-Response
Tracking the User
IP based Surrogates
Cookie based Surrogates
BRKSEC-2101
Cisco Public
55
Surrogates
For Your
Reference
Surrogates define how Users are tracked once the have authenticated
IP Address
Tracks user by IP
Can cause problems if clients change ip frequently or in virtual environments (Citrix)
Authentication stays with WSA
Works well with decryption
Cookie
Recommended in terminalserver environments
Authentication stays with the client
Does not work when using decryption based on authentication
Can be a problem with transparent deployment
BRKSEC-2101
Cisco Public
56
Explicit
For Your
Reference
Authentication
Browser to WSA
Basic
LDAP
(or NTLM Basic)
Transparent
Basic
LDAP
(or NTLM Basic)
Explicit
NTLM
NTLMSSP
(Active Directory)
Transparent
NTLM
NTLMSSP
(Active Directory)
BRKSEC-2101
Cisco Public
57
For Your
Reference
200 OK
Request was sent successfully
301 Moved Permanently
The Resource has permanently moved to a different URI
401 Unauthorized
Web Server requires Authentication
403 Forbidden
Access denied
404 not found
The Server cannot find the requested URI
407 Proxy Authentication required
The request first requires authentication with the proxy
BRKSEC-2101
Cisco Public
58
NTLM Authentication
Cisco Public
59
LDAP Authentication
Cisco Public
60
BRKSEC-2101
Cisco Public
61
BRKSEC-2101
Cisco Public
62
For Your
Reference
BRKSEC-2101
Cisco Public
63
User
User Directory
Client will then accept a http response 407 from the proxy
Cisco Public
64
Internet Web
server
Internet
User Directory
Client is not aware of a proxy -> http response 407 cannot be used
Need to use http response 401 basic authentication
Client needs to be first redirected to the wsa
BRKSEC-2101
Cisco Public
65
BRKSEC-2101
Cisco Public
66
BRKSEC-2101
Cisco Public
67
AD Controller w/ Agent
BRKSEC-2101
6
Internet
1
AD User
WSA
3
2
Switch w/ WCCP
2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
68
For Your
Reference
Cisco Public
69
For Your
Reference
BRKSEC-2101
Cisco Public
70
In the Access_logs:
Check for SSO_TUI
BRKSEC-2101
Cisco Public
71
BRKSEC-2101
Cisco Public
72
Allow all applications on the client to work with authentication without starting a browser
first
Does support IPv6 for Client registration and RADIUS messages
Does not work if Client is NATed after AD Authentication but before reaching the WSA
If Client cannot be identified, fallback to previous authentication
mechanism like Basic or NTLM
BRKSEC-2101
Cisco Public
74
IPv6
Internal IPv6
Internet
IPv4
BRKSEC-2101
Cisco Public
75
To find out the request rate on a WSA: use the rate CLI command
Cisco Public
76
Features
S670
S370
S170
Proxy
1200
(3500)
650
(3300)
150
(310)
800
(3100)
650
(2100)
150
(310)
800
(3100)
650
(2100)
150
(310)
700
(1050)
400
(490)
100
(230)
700
(940)
400
(440)
100
(210)
600
(850)
290
(300)
90
(100)
600
(770)
290
(270)
90b
(90)
BRKSEC-2101
Cisco Public
P2
P1
Cisco Public
78
Cisco Public
79
Agenda
Overview Web Security
Cisco Public
80
BRKSEC-2101
Cisco Public
81
Internet
Web requests
Allowed traffic
User
Filtered traffic
BRKSEC-2101
Cisco Public
82
BRKSEC-2101
Cisco Public
83
Outbreak Intelligence
SWF
Scanlet
<html>
Phishing
Scanlet
JAVA
Scanlet
Win EXE
Scanlet
<js>
Context
Scanlet
Archive
Scanlet
<web>
<swf>
Script
Scanlet
<pdf>
PDF
Scanlet
Multiple
AV
MF
Scanlet
File
Anomaly
Scanlet
<jpg>
BRKSEC-2101
META
Scanner
84
Agenda
Overview Web Security
Cisco Public
85
Challenge:
Branch Office with local Breakout
Corporate
Network
Internet
VPN
Cisco Public
86
Internet
BRKSEC-2101
Cisco Public
87
For Your
Reference
BRKSEC-2101
Cisco Public
88
Port Forwarding
Known limitations
HTTP only
Internet
BRKSEC-2101
Cisco Public
89
AD Server
BRKSEC-2101
GPO Update
Cisco Public
90
Agenda
Overview Web Security
Cisco Public
91
Cisco Public
92
For Your
Reference
Included in this string is a unique hash that identifies the user in our Scanning
tower
This detail is encrypted
Upon logon, PIM sends an out-of-bound request to the scanning tower and
uploads the group information for that user
These groups are automatically created in ScanCenter
Following registration, each time a request to the Web is made, only the hash is
sent to us along with the request and we can indentify the user and apply the
correct policy according to the relevant group/s
BRKSEC-2101
Cisco Public
93
Standalone Connector
Proxy Settings are pushed to browsers via
AD,GPO or PAC file
Forwards web traffic to ScanSafe on port
8080/443 to the Cloud based Tower
Connector receives Client info and queries
Active Directory Server for Group
Information, then proxies to ScanSafe
upstream
Internet
Connector
Cisco Public
94
Internet
AD Server
Cisco Public
95
95
BRKSEC-2101
Cisco Public
96
96
For Your
Reference
Solution Guide
www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf
BRKSEC-2101
Cisco Public
97
97
For Your
Reference
Phase II Phase I
3945E
3925E
3945
3925
2951
2921
2911
2901
1941
1921
891
No Auth
5000
5000
1200
900
600
500
400
350
350
300
120
Web Proxy
1200
1200
1200
900
600
500
400
350
350
300
120
HTTP Basic
1200
1200
1200
900
600
500
400
350
350
300
120
NTLM
1200
1200
1200
900
600
500
400
350
350
300
120
BRKSEC-2101
Cisco Public
98
Roaming User
Installs a Network Driver which binds to all
connections (LAN, Wireless , 3G)
Automatic Peering Identifies nearest
ScanSafe Datacenter and whether a
connection is possible.
AD information can be remembered from
when the user was last on the corporate
network using the
GPRESULT API (group policy)
Proxy
Firewall
Hotspot
Cisco Public
99
BRKSEC-2101
Cisco Public
100
Websecurity
Posture for VPN
Telemetry (SIO)
Cisco Public
101
BRKSEC-2101
Cisco Public
102
Internet
Corporate
traffic
BRKSEC-2101
Cisco Public
103
For Your
Reference
Scanning Tower
selection
Proxy ports
BRKSEC-2101
Cisco Public
104
For Your
Reference
Exceptions for
authorized internal
proxies
BRKSEC-2101
Cisco Public
105
For Your
Reference
Automatic selection of
nearest Scantower
Activate Beacon
Checking,
Deploy public key
BRKSEC-2101
Cisco Public
106
For Your
Reference
License Key
Authentication
Settings
BRKSEC-2101
Cisco Public
107
For Your
Reference
Define Module to
download
Assign Profile
BRKSEC-2101
Cisco Public
108
For Your
Reference
BRKSEC-2101
Cisco Public
109
BRKSEC-2101
Cisco Public
110
IPv6
Internal IPv6
IPv4
Internet
AC 3.1 or Standalone / integrated Connector
Internet
AC 3.1 or Standalone / integrated Connector
BRKSEC-2101
Cisco Public
112
Easy ID
Clientless User authentication via webbrowser
User authenticates via Webportal
Policies are applied from Scancenter Portal verifying User Name and
Group through AD Connection
AD Connection is done via LDAPS query from Scancenter to the
LDAP Directory at customer site
Scancenter is sending a cookie that is used for subsequent
authentication
BRKSEC-2101
Cisco Public
113
Agenda
Overview Web Security
Cisco Public
114
Remote User w/
AnyConnect
Client 3.0
Internet
Cisco WSA
Cisco ASA
Corporate
Network
BRKSEC-2101
Cisco Public
115
Hybrid Security
what has been done and what lies ahead
Unification of URL Databases
Connector Integration in ISR G2 Router
Unification of features Q1/Q2 CY2012
Application visibility and control
BRKSEC-2101
Cisco Public
116
Summary
Cisco Web Security Solution leverages a comprehensive architected
featurelist to protect the dynamic environment from the ubiquitios
web 2.0 world.....
Or...
Cisco Web Security Solution simply ROCK!
BRKSEC-2101
Cisco Public
118
Cisco Public
119
Final Thoughts
Get hands-on experience with the Walk-in Labs located in World of
Solutions, booth 1042
Come see demos of many key solutions and products in the main Cisco
booth 2924
Visit www.ciscoLive365.com after the event for updated PDFs, ondemand session videos, networking, and more!
Follow Cisco Live! using social media:
Facebook: https://www.facebook.com/ciscoliveus
Twitter: https://twitter.com/#!/CiscoLive
LinkedIn Group: http://linkd.in/CiscoLI
BRKSEC-2101
Cisco Public
120
BRKSEC-2101
Cisco Public