2013 Usa PDF BRKSEC-3771 PDF

Advanced Web Security Deployment with
WSA and ASA NGFW (=ASA-CX)

BRKSEC-3771
Tobias Mayer, Consulting Systems Engineer
For Your Reference

There are (many...) slides in your print-outs that will not be presented.
They are there For your Reference
For Your
Reference
BRKSEC-3771
2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Angel Aloisius
Some slides have this friendly guy in the right corner
Those slides are meant to be non-standard advices or tips & tricks
BRKSEC-3771
Cisco Public
Agenda
Introduction
Deploying WSA with WCCP
Troubleshooting WSA with WCCP
Transparent User Authentication
WSA Performance Analysis
Deploying ASA NGFW Web Security
Troubleshooting ASA NGFW Web Security
BRKSEC-3771
Cisco Public
Web Security Appliance
Explicit Proxy
Client requests a website
Browser connects first to WSA
WSA connects to website
Firewall usually only allows webtraffic for proxy
DNS Resolution is done by WSA
Internet Web
server
Internet
ASA 5500
Firewall
BRKSEC-3771
Cisco Public
Transparent Proxy via WCCP

Client requests a website
Browser tries to connect to Website
Network Device redirects traffic to WSA using WCCP
WSA proxies the request
DNS Resolution is done by the Client
Internet Web
server
Internet
ASA 5500
Firewall
BRKSEC-3771
Cisco Public
Agenda
Introduction


BRKSEC-3771
Cisco Public
10
How WCCP registration works

1. Registration
2. Here I am
3. I see you
WCCP Server
WCCP Client
The WCCP client registers at the WCCP Server

Both, Server and Client need to use the same WCCP Service Group ID
One WCCP Server usually can server multiple Clients
Server and Client exchange here i am and I see you Packets to
check availability
UDP/2048, unicast
Multicast possible
Traffic is redirected from Server to one or multiple Clients using the

hash or mask algorithm
BRKSEC-3771
Cisco Public
16
WCCP Protocol - Buckets

Hash Based Assignment
Byte level (8 bit) XOR computation divided into 256 buckets (default)
Mask Based Assignment
Bit level AND divided up to 128 buckets (7 bits)
asa# show wccp 90 hash 144.254.1.1
172.16.10.71 80 1024
WCCP hash information for:
Primary Hash:
Dst IP: 144.254.1.1
Bucket: 110
Cache Engine: 172.16.10.45
BRKSEC-3771
Cisco Public
17
WCCP Protocol Load balancing and Redundancy

When a WCCP client fails, the portion of the load handled by that
client is automatically redistributed to the remaining WCCP clients in
the service group
If no other WCCP clients are available in the service group, the
service group is taken offline and packets are forwarded normally
Buckets 86128
Buckets 185
BRKSEC-3771
Buckets 86170
X
B
Buckets 129170
Buckets 171255
Cisco Public
18
Using WCCP for Traffic Redirection

WCCPv2 support is availible on many Cisco Platforms:
L3 Switches, Routers, ASA 5500 Security Appliance
WSA supports all redirect and assign methods (software implementation)

Method to use will be negotiated
Multiple WSA elect Designated Web Cache (DWC), lowest IP in Cluster, negotiates method
How to force a switch / router to use GRE? Set WSA to Allow GRE
BRKSEC-3771
Cisco Public
19
Using WCCP for Traffic Redirection (2)

Performance Considerations:
MASK (HW) > HASH (SW)
HW has to take TCAM Resources into consideration
L2 (HW) > GRE (SW)

Use GRE if WSA is located in other subnet
Check if Device can do GRE in HW
User L2 if WSA and WCCP Device are in same subnet
BRKSEC-3771
Cisco Public
20
WCCP with L3 Switch (3560/3750)

L2 Redirect
Use template access, routing
or dual-ipv4/ipv6 routing
WCCP shares same TCAM
Region than PBR!
Internet
VLAN10
VLAN10
BRKSEC-3771
sdm prefer routing

ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
permit tcp any any eq www
permit tcp any any eq 443
!
interface Vlan10
ip address 172.16.10.10 255.255.255.0
ip wccp 91 redirect in
Cisco Public
23
WCCP with L3 Switch (3560/3750)

L2 Redirect
Internet
VLAN40
Recommendations:
Assign seperate VLAN for the
connection to the WSA!
Redirect ACL only allows permit
statements on 3560/3750 Series!
12.2(58) added support for permit
VLAN10
If 3560/3750 is stacked, configure

WCCP on the Stack Master!
BRKSEC-3771
Cisco Public
24
WCCP with L3 Switch

Redirect - Verification
munlab-3560X#show ip wccp 91 detail
WCCP Client information:
WCCP Client ID:
172.16.10.100
Protocol Version:
2.0
State:
Usable
Redirection:
L2
Packet Return:
L2
Packets Redirected:
0
Connect Time:
01:02:16
Assignment:
MASK
Mask SrcAddr
DstAddr
SrcPort DstPort
---- ------------------- ------0000: 0x00000000 0x00000526 0x0000 0x0000
Value
----0000:
0001:
0002:
SrcAddr
------0x00000000
0x00000000
0x00000000
BRKSEC-3771
DstAddr
------0x00000000
0x00000002
0x00000004
SrcPort
------0x0000
0x0000
0x0000
DstPort
------0x0000
0x0000
0x0000
Version &
State
Redirect
Method
Assignment
Method
Mask Value
CE-IP
----0xAC100A64 (172.16.10.100)
0xAC100A64 (172.16.10.100)
0xAC100A64 (172.16.10.100)
Cisco Public
25
WCCP with L3 Switch (CAT6500)

L2 or GRE Redirect
WAN
CAT6500 with Sup2T/720/32

and PFC3 allows redirect of L2
and GRE in Hardware
r1
Si
Si
r2
Adjust MTU for GRE

Carefull for bypass list!
Redirect-in and Redirect-out is

supported
Permit and Deny ACE is
allowed
Avoid flags, options & timeranges
WAN
r1
Si
Si
r2
Very scalable and flexible

BRKSEC-3771
Cisco Public
26
WCCP with L3 Switch (CAT6500)

L2 or GRE Redirect
Ingress - L2 redirection + Hash Assignment (Requires Software Processing)

Ingress - L2 redirection + Mask Assignment (Full Hardware Processing recommended)
Egress - L2 redirection + Hash Assignment (Requires Software Processing)
Egress - L2 redirection + Mask Assignment (Requires Software Processing)
First packet is process switched, creates netflow entry. Subsequent packets are HW
switched
Ingress - L3 (GRE) redirection + Hash Assignment (Requires Software Processing)
Ingress - L3 (GRE) redirection + Mask Assignment (Full HW Processing Sup32/Sup720/2T only)
Egress - L3 (GRE) redirection + Hash Assignment (Requires Software Processing)
Egress - L3 (GRE) redirection + Mask Assignment (Requires Software Processing)
BRKSEC-3771
Cisco Public
27
WCCP with ASA

ASA allows only redirect in
Client and WSA must be on same interface
No DMZ Deployment possible....
Internet
Inside ACL is checked before redirection

Destination Server must be allowed in ACL
Redirection Method is GRE based

Redirect ACL allows permit and deny
No TCP Intercept, Inspect Engine or internal IPS
is applied to the redirected flow.
IPS HW Module however does inspect traffic
access-list WCCPRedirectionList extended deny ip 172.16.10.0 255.255.255.0
172.16.10.0 255.255.255.0
access-list WCCPRedirectionList extended permit tcp any any eq www
access-list WCCPRedirectionList extended permit tcp any any eq https
!
wccp 90 redirect-list WCCPRedirectionList
wccp interface INSIDE 90 redirect in
BRKSEC-3771
Cisco Public
28
WCCP with Router ISR, ISRG2

Redirect is GRE and Hash
e2
e0
Done in SW
e1
Allows for DMZ-Design

Supports permit and deny Statements
in the redirection ACL
ip cef
ip wccp version 2
ip wccp 91 redirect-list <redirect-ACL>
!
interface e0
BRKSEC-3771
Cisco Public
31
WCCP with IP Spoofing

Some Designs require that the Client IP is
preserved after beeing proxied
e2
e0
e1
Problem to solve:
Traffic coming back from the Internet needs to be
redirected to the WSA by the network because the
Destination is now the Client Network, no longer the
WSA
IP Spoofing mostly used in transparent mode
Activated on the WSA in the WCCP Config:
BRKSEC-3771
Cisco Public
32
IP Spoofing Design in Transparent Mode

WCCP 92
e2
e0
e1
WCCP 91
145.16.0.0 /16
BRKSEC-3771
ip cef
ip wccp version 2
ip wccp 91 redirect-list Redirect-Client
ip wccp 92 redirect-list Redirect-back
!
interface e0
!
interface e2
!
ip access-list extended Redirect-Client
permit tcp 145.16.0.0 0.0.255.255 eq www
permit tcp 145.16.0.0 0.0.255.255 eq 443
!
ip access-list extended Redirect-back
permit tcp any eq www 145.16.0.0 0.0.255.255
permit tcp any eq www 145.16.0.0 0.0.255.255
Cisco Public
33
IP Spoofing Design in Transparent Mode

WCCP 92
e2
e0
e1
WCCP 91
145.16.0.0 /16
BRKSEC-3771
Cisco Public
34
Transparent Redirection and HTTPS

Symptoms:
Successfully configured WCCP on the L3 Device
Successfully connect to HTTP sites
Cannot connect to HTTPS Sites
Switching to explicit Proxy works fine for HTTP and HTTPS
Solution:
Activate HTTPS Proxy
Not necessary to decrypt the requests
BRKSEC-3771
Cisco Public
35
Agenda
Introduction


BRKSEC-3771
Cisco Public
36
WCCP Logs on WSA

Create new Log Subscription for WCCP
Set Level to Debug
Here-I-Am Packet sent (HIA)
I-See-You Packet received (ISY)

BRKSEC-3771
Cisco Public
37
WCCP Logs on WSA (2)

Check Capabilities of WSA and WCCP Server (Switch,Router,)
Configured
Capabilities of the
WSA, sending them
to the WCCP
Server
WCCP is ok
Parameters are not!
BRKSEC-3771
Cisco Public
38
Debug WCCP Events on ASA / Router / switch

WCCP Group-ID : 90
Here-I-Am
I-See-You
BRKSEC-3771
Cisco Public
39
WSA behaviour with WCCP

By Default WSA will try to negotiate L2 first
If WCCP Server is on different subnet, you will get an error
Solution: Force WSA to negotiate GRE
BRKSEC-3771
Cisco Public
40
A Word about Hardware

The mask Assignment is handled in Hardware on ASR, Cat6500,
WCCP redirect ACL deny statements dont use mask TCAM
WCCP redirect ACL permit statements use up to the
Number of ACL Permit Entries * Number of Buckets
Example:
For a 7 bit mask, the router / switch is using 4096 TCAM entries for 32
permit statementswasting lot of TCAM resources
Adjusting the Bit-Mask must be done on the WCCP Client
Supported with v7.7 SW Release
BRKSEC-3771
Cisco Public
41
A Word about Hardware (2)
1-2 WSAs
3-4 WSAs
5-8 WSAs
9-16 WSAs
17-32 WSAs
1 bit, 2 slots
2 bits, 4 slots
3 bits, 8 slots
4 bits, 16 slots
5 bits, 32 slots
0x3 = 2 bits
4 slots for up to 4 WSA
BRKSEC-3771
Cisco Public
42
Transparent Deployment - Summary

No client settings necessary
Client resolves hostname of target web server -> improved performance!
Traffic gets redirected by the network
Requires HTTPS Proxy activation for HTTPS requests
Allows for redundancy by defining multiple WSA to redirect
Selection of the right device to redirect is critical.
Try to limit down Permit Entries in Redirect Lists for Mask assignment
or wait until v7.7 is released to adjust mask.
When using IP Spoofing make sure the WSA is not in the path of the
Clients
BRKSEC-3771
Cisco Public
43
SOCKS Proxy with WSA v7.7
Internet
Enable SOCKS Proxy globally
VLAN40
WSA
VLAN10
BRKSEC-3771
SOCKS 5, Port 1080
Cisco Public
44
SOCKS Proxy with WSA v7.7

SOCKS Proxy supports Socks 5
Can be linked with Identity
Static definition of URLs to be reachable, but no malware scanning or reputation

BRKSEC-3771
Cisco Public
45
Agenda
Introduction


47
BRKSEC-3771
Cisco Public
46
Authentication
User
User Directory
Authentication Protocols
Directory:
LDAP or NTLM
Method:
Basic: Credentials are sent unencrypted
NTLMSSP: Challenge-Response
TUI using CDA
Tracking the User
IP based Surrogates
Cookie based Surrogates
BRKSEC-3771
47
Cisco Public
Authentication in Explicit Deployment

User
User Directory
HTTP response code 407
Proxy sends HTTP response code 407 (proxy auth. request)

Client recognizes the proxy
Client will then accept a http response 407 from the proxy
Works for HTTPS

Client sends a CONNECT request to the proxy
Client will then accept a 407 response from the proxy
48
BRKSEC-3771
Cisco Public
Authentication in Transparent Deployment

User
Internet Web
server
Internet
User Directory
Client is not aware of a proxy -> HTTP response code 407 cannot be used
Need to use HTTP response code 401
Client needs to be first redirected to the wsa
Client must trust the redirect hostname when using NTLM to prevent prompting
49
BRKSEC-3771
Cisco Public
Multiple WSA with WCCP and Authentication Loop

Knowledge base article #7623
Scenario:
Multiple WSA , transparent deployment with
authentication
Client requests a Website
Switch redirects request to WSA1
WSA1 needs authentication, redirects Client to WSA1
Client sends request to WSA1, gets redirect through
WCCP
Redirect may end up on WSA1 but can also terminate
at any other WSA in the Cluster
Strange things happen from now on...
BRKSEC-3771
Cisco Public
51
WCCP with L3 Switch and Authentication

L2 Redirect, multiple WSA with Auth, avoiding Auth Loop
Internet
VLAN40
VLAN40
WSA #1
VLAN10
ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
!Do not redirect traffic going DIRECTLY to wsa1/2
deny ip any host <wsa1>
deny ip any host <wsa2>
permit tcp any any eq www
permit tcp any any eq 443
!
interface Vlan10
ip address 172.16.10.10 255.255.255.0
WSA #2
BRKSEC-3771
Cisco Public
53
WSA, Authentication and SSL

In Explicit mode, a https CONNECT request is made and WSA
replies with 407 Proxy auth required
At this time, WSA has the following information:
- destination host
- user agent
- user credentials verified
WSA can decide wether to decrypt based on:
- Destination Host
- User Agent
- Proxy Port
- Subnets
- Time Range
BRKSEC-3771
Cisco Public
56
WSA, Authentication and SSL (2)

In Transparent mode, there is no CONNECT REQUEST
Since Client is not aware of WSA it will start a TCP connection to
remote server
Connection redirected to WSA, client start an HTTPS/SSL connection
directly
At this point WSA only knows destination IP and port
WSA sends HTTPS probe (its own Client Hello) to get Server
Hello and server certificate
BRKSEC-3771
Cisco Public
57

With the server certificate, WSA has knowledge of:
- Client IP
- Destination IP
- Server Certificate
- Common Name (CN) from server certificate is used as a request URL,
thus used for URL category matching
Based on this information WSA can match Identity and Decryption Policy and
determine whether to DECRYPT or PASS THROUGH the request
All information normally send in the HTTP Header (Cookies, User Agent,
Mime-Type etc) are encrypted in the tunnel and thus not available to the
WSA at this point.
BRKSEC-3771
Cisco Public
58

Should we decrypt? Very often based on URL Category...(think of finance
websites...)
BRKSEC-3771
Cisco Public
60

Finding out the correct URL Category....
Solution:
Usage of SNI (Server Name Indication) is required from Proxy side (supported in v7.7)
Most Browser support it since years...
CLIENT HELLO during TLS sends the Host URL:
BRKSEC-3771
Cisco Public
61
Authentication in Secure Mobility Deployment

Authentication
Internet
User Directory
SSO
User
w/ AnyConnect
Internet Web Server
User connects to ASA via AnyConnect

ASA authenticates VPN Connection against User Directory
After successfull authentication, ASA passes user informations to WSA for Single-Sign-On
Not dependant on AD-Membership, works for all devices like tablets, phones, etc.
User can surf via WSA without the need to authenticate again
WSA can be deployed explicit or transparent
BRKSEC-3771
Cisco Public
62
DEMO Secure Mobility on iPad with SSO
5
63
Transparent User Identification (TUI)

1.
2.
3.
4.
5.
6.
Client logs on to the AD Domain, CDA tracks AD audit logs and maps User - IP
Client request a Web Site
Traffic is transparently redirected to the WSA
WSA needs to authenticate and queries the CDA for the User IP mapping
WSA queries AD for User Group
Request is proxied and forwarded to the Internet
WMI
CDA
AD Controller
WSA
6
Internet
1
2
AD User
BRKSEC-3771
Switch w/ WCCP
Cisco Public
65
Context Directory Agent
Linux Image, installed on Virtual Machine

Gets User to IP Mapping via WMI from AD Controller
Can be queried from WSA , ASA or ASA-CX via Radius
BRKSEC-3771
Cisco Public
66
TUI Summary & Caveats

Uses an Agent (=CDA) running on a Virtual Machine
Same Agent is also used for Identity based Firewalling on the ASA and
ASA-CX
Allow all applications on the client to work with authentication without
starting a browser first
Does support IPv6 for Client registration and RADIUS messages
Does not work if Client is NAT-ed after AD Authentication but before
reaching the WSA
Does not work in Terminal Server Environments
If Client cannot be identified, fallback to previous authentication
mechanism like Basic or NTLM
BRKSEC-3771
Cisco Public
67
Agenda
Introduction
You will have the right tools

both to deploy our solutions
and to solve problems!


62
BRKSEC-3771
Cisco Public
68
WWW Server
Internet
Cisco SIO
DNS Server
Client
BRKSEC-3771
AD Server
Cisco Public
69
Debuging Performance issues
Download file prox_track.log from appliance via FTP
File is written every 5 minutes with timestamp

Setting can be changed in advancedproxyconfig on CLI
BRKSEC-3771
Cisco Public
70
Prox_track.log content
Contains various statistical data around proxy performance
Please do NOT consider all number of packets 100% accurate!
Just gives a good hint what problem might be happening
BRKSEC-3771
Cisco Public
71
General Statistics
Traffic Statistics:
If you have numbers increasing on throttled transactions this could indicate that the
appliance can not handle the load
BRKSEC-3771
Cisco Public
72
How to read Prox_track.log
Statistics are snapshots of total number of Packets

Counters are reset after reboot / restart of proxy
Take statistic from time X and time Y, then compare change:
BRKSEC-3771
Cisco Public
73
Important Statistics
Client time:
Total time that the client was waiting

until his request was fullfilled
Hit time:
Time that the WSA is using to fetch
content from the cache
Miss time:
Time that the WSA takes to fetch all
Data from the server
BRKSEC-3771
Cisco Public
74
Important Statistics (2)
Server Transaction time:
Time for the total transaction to the

Server to be finished.
Server wait time:

Time until WSA gets the first byte
from the Server
High Values can mean upstream problems

(firewall, router, ISP, upstream proxy)
BRKSEC-3771
Cisco Public
75
DNS Time:
Time for the WSA to do a DNS Resolution
High time does indicate a problem with the DNS Server
BRKSEC-3771
Cisco Public
76
Auth Helper Wait:

Time to wait for an authentication
request until its validated from the AD
/ LDAP
High time indicates a problem with the
connection to the authentication Server
BRKSEC-3771
Auth Helper Service:

Time until an authentication request
is fully validated
Check if IP address is already authenticated,
check surrogates, etc
Cisco Public
77
WBRS Service Time:

Time for the WSA to check the
reputation score
AVC Header Scan Service Time:

Time to check the Header of a request
against the AVC Signatures
Webcat Service time:

Time for the WSA to check the URL
Category
AVC Body Scan Service time:

Time to check the body of a request against
the AVC Signatures
BRKSEC-3771
Cisco Public
78
Sophos, McAfee, Webroot
Service Time:
Time that the Scanner used to scan the object
Service Queue Time:

Time that the object stayed in the queue to be
scanned
BRKSEC-3771
Adaptive Scanning Service Time:

Time for the adaptive scanning
process to scan an object:
Cisco Public
79
Adaptive Scanning
Each type of object gets a RISK Score assigned
Score is based on Type of object, effectiveness of malware scanner for this type and WBRS
(WBRS must be enabled on WSA)
Appliance will scan objects with the Scanner that is most appropriate for this object type
If appliance has a performance problem with the Anti Malware Scanners, it will drop objects
not to be scanned
Example: Dont scan *.jpg files with McAfee when they are coming from Websites with a good reputation.
BRKSEC-3771
Cisco Public
80
Customizing the Access Log
Add custom field like:

%m (=Authentication Method)
to the access_log
Variables can be appended in the Access Logs
Variables are to be found in the GUI, some older Versions of WSA

Software might not have the full list
BRKSEC-3771
Cisco Public
81
Customizing the Access Log - Example

%m AUTH: %:>a DNS: %:>d REP: %:>r
Any Text acting as a

comment for readability
BRKSEC-3771
%m : Authentication Method
%:>a : Authentication Wait time
%:>d : DNS Wait time
%:>r : Reputation Wait time
Cisco Public
82
Using SPLUNK to extract Data

Definition of Regex to look for the Keywords we defined for
the Accesslog customization
BRKSEC-3771
Cisco Public
84
Using SPLUNK to extract Data (2)

Extraction of the values to be done permanently in SPLUNK
BRKSEC-3771
Cisco Public
85
Using SPLUNK to extract Data(3)
SPLUNK Report on the Average time for REPUTATION and DNS Resolution per Domain
BRKSEC-3771
Cisco Public
86

Example for Reputation Time
BRKSEC-3771
Cisco Public
87

Example for DNS Time
BRKSEC-3771
Cisco Public
88
Summary for WSA Performance Analysis
WSA has very detailed logs to troubleshoot performance

issues
Use prox_stat.log file for general performance checks
Use customizing the Access Logs for detailed checking of

single requests
SPLUNK is a great tool to help you analyze especially when

combined with customized logs!
BRKSEC-3771
Cisco Public
89
WWW Server
Internet
Cisco SIO
DNS Server
Client
BRKSEC-3771
AD Server
Cisco Public
90
Agenda
Introduction


75
BRKSEC-3771
Cisco Public
93
ASA NGFW
ASA NGFW - Overview
ASA NGFW is an add-on module for

ASA
Availible as HW-Module for 5585-X,

soon as SW-Module for 5500-X
Functionalities:
Application Visibility and Control for all

ports
URL Filtering with Reputation
Identity against AD, LDAP or CDA
Decryption of SSL Traffic
Management of ASA-CX done via

Prime Security Manager
Restfull XML
BRKSEC-3771
Cisco Public
95
ASA NGFW - Policies
Access Policies
Filter URL, Mime Type, User Agent
Filter based on Reputation
Filter based on Source, Destination,
Network / Service Objects,...
Identity Policies
Active:
Basic Authentication, NTLM, Kerberos, LDAP
Passive:
CDA - Agent
Decryption Policies
Decrypt SSL Traffic
Decission based on URL, Source, Destination, User Agent,...
BRKSEC-3771
Cisco Public
96
ASA NGFW Deployment

ASA with NGFW module
Inline Deployment
FW
No Client
configuration required
Deactivation of HTTP
Inspection on ASA
necessary
BRKSEC-3771
NGFW
FW
Initial security checks
Access-list checks, connection

matching
NGFW Module Content Filtering
Network Address Translation
Application Protocol Inspection
Output Processing and Transmit
Cisco Public
97
ASA NGFW Deployment
Traffic is redirected from ASA via MPF

policy-map global_policy
class class-default
cxsc fail-open
Service-policy global_policy global
BRKSEC-3771
Cisco Public
98
Functional Distribution
URL Category/Reputation
HTTP Inspection
AVC
TLS Proxy
Multiple Policy
Decision Points
TCP Proxy
BRKSEC-3771
TCP Normalization
NAT
TCP Intercept
Routing
IP Option Inspection
ACL
IP Fragmentation
VPN Termination
ASA NGFW
ASA
Cisco Public
99
ASA NGFW Functionalities for Web Security

Web Security
ASA with ASA NGFW
WSA
Inline, promiscous mode
Transparent (WCCP) , Explicit
URL Filtering
Yes
Yes
Web Reputation
Yes
Yes
Malware Scanner
No
Yes, up to three concurrent
DLP
No
External Interface
Caching
No
Yes
Bandwidth Control for Video
No
Yes
No (roadmapped)
No (roadmapped)
Yes, all ports
Yes, Web Ports only
Native FTP Proxy
No
Yes
SOCKS Proxy
No
Yes(v7.7)
Deployment
General Bandwidth Control

Application Visibility and Control
BRKSEC-3771
Cisco Public
100
ASA NGFW Functionalities for Web Security (2)

Web Security
ASA with ASA NGFW
WSA
Yes
Yes
No (roadmapped)
Yes
No (roadmapped)
Yes
No
Yes
Basic, NTLM, Kerberos, Passive (CDA)
Basic, NTLM, Kerberos (Roadmapped),

Passive (CDA),
IP Surrogates
IP Surrogates, Cookie Surrogates
No
Yes, up to 10 (v7.7)
Decryption of TLS
Yes
Yes
Decryption with Server Name

Indication Extension
Yes
Yes (v7.7)
IPv6 Traffic
Yes
No (roadmapped)
Customizable End User

Notification (EUN)
Warning page for User
Export Logs to SIEM
Multilanguage EUN
Authentication
Authentication Tracking
Authentication multiple NTLM
Realms
BRKSEC-3771
Cisco Public
101
DEMO ASA with ASA NGFW handling IPv6
102
Summary and Conclusion
ASA NGFW is a HW or SW Module on ASA Platform
Has its own Management system
Has the essential Web Security Features

Including IPv6
For full web proxy functionality and flexibility, take a look at

WSA or Cisco Cloud Web Solution (ex-Scansafe)
Know the limitations and functionalities of each solution!
85
BRKSEC-3771
Cisco Public
110
Angel Aloisius
What happened to the advices to the Bavarian Government???
BRKSEC-3771
Cisco Public
111
Complete Your Online Session Evaluation

Give us your feedback and
you could win fabulous prizes.
Winners announced daily.
Receive 20 Cisco Daily Challenge
points for each session evaluation
you complete.
Complete your session evaluation
online now through either the mobile
app or internet kiosk stations.
Maximize your Cisco Live experience with your
free Cisco Live 365 account. Download session
PDFs, view sessions on-demand and participate in
live activities throughout the year. Click the Enter
Cisco Live 365 button in your Cisco Live portal to
log in.
BRKSEC-3771
Cisco Public
112

2013 Usa PDF BRKSEC-3771 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2013 Usa PDF BRKSEC-3771 PDF

Uploaded by

Copyright:

Available Formats

Advanced Web Security Deployment with

WSA and ASA NGFW (=ASA-CX)

Tobias Mayer, Consulting Systems Engineer

For Your Reference

2013 Cisco and/or its affiliates. All rights reserved.

2013 Cisco and/or its affiliates. All rights reserved.

2013 Cisco and/or its affiliates. All rights reserved.

Web Security Appliance

2013 Cisco and/or its affiliates. All rights reserved.

Transparent Proxy via WCCP

2013 Cisco and/or its affiliates. All rights reserved.

Deploying WSA with WCCP

Deploying ASA NGFW Web Security

2013 Cisco and/or its affiliates. All rights reserved.

How WCCP registration works

The WCCP client registers at the WCCP Server

Traffic is redirected from Server to one or multiple Clients using the

2013 Cisco and/or its affiliates. All rights reserved.

WCCP Protocol - Buckets

2013 Cisco and/or its affiliates. All rights reserved.

WCCP Protocol Load balancing and Redundancy

Using WCCP for Traffic Redirection

WSA supports all redirect and assign methods (software implementation)

2013 Cisco and/or its affiliates. All rights reserved.

Using WCCP for Traffic Redirection (2)

L2 (HW) > GRE (SW)

User L2 if WSA and WCCP Device are in same subnet

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with L3 Switch (3560/3750)

sdm prefer routing

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with L3 Switch (3560/3750)

If 3560/3750 is stacked, configure

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with L3 Switch

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with L3 Switch (CAT6500)

CAT6500 with Sup2T/720/32

Adjust MTU for GRE

Redirect-in and Redirect-out is

Very scalable and flexible

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with L3 Switch (CAT6500)

Ingress - L2 redirection + Hash Assignment (Requires Software Processing)

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with ASA

Inside ACL is checked before redirection

Redirection Method is GRE based

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with Router ISR, ISRG2

Allows for DMZ-Design

2013 Cisco and/or its affiliates. All rights reserved.

WCCP with IP Spoofing

2013 Cisco and/or its affiliates. All rights reserved.

IP Spoofing Design in Transparent Mode

2013 Cisco and/or its affiliates. All rights reserved.

IP Spoofing Design in Transparent Mode

2013 Cisco and/or its affiliates. All rights reserved.

Transparent Redirection and HTTPS

2013 Cisco and/or its affiliates. All rights reserved.

Deploying WSA with WCCP

Deploying ASA NGFW Web Security

2013 Cisco and/or its affiliates. All rights reserved.