BRKSEC-2052
Securing Web 2.0 with Cisco IronPort Web Security
2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialBRKSEC_2052 Tobias Mayer 2
Housekeeping
We value your feedback: don't forget to complete your online session evaluations after each session, and complete the Overall Conference Evaluation, which will be available online from Thursday
Visit the World of Solutions
Please remember this is a 'non-smoking' venue!
Please switch off your mobile phones
Please make use of the recycling bins provided
Please remember to wear your badge at all times
For Reference Slides
There are (far) more slides in the hand-outs than presented during the class
Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide)
For Your Reference
Agenda
Basic Overview on the Websecurity Appliance
Deployment Scenarios
Building the Policy
Secure Mobility
IPv6
Troubleshooting
1996
Today's Websites...
Web 2.0 Anywhere & Anytime
People and applications are meshed with each other
Communication is no longer just from server to client
New communication methods bring in new attack angles
Criminals targeting Facebook
Basic Overview
Cisco Web Security Appliance
Web proxy incl. caching
Rich security functionality:
Reputation filtering
Malware scanning
Application visibility & control
HTTPS inspection
Authentication
Reporting and tracking
Multi-Layer Web Security
Reputation Filtering
Web Usage Controls
Malware Filtering
L4TM
Filtering the URLs
Filtering the URLs based on predefined categories
Possible actions: Block, Monitor, Warn, Time-Based
Looking deeper: Web Application Control
An increasing number of applications use HTTP as a transport protocol
Web security needs to detect and control those applications
Web Application Control
Different applications are detected by special signatures
Those signatures are downloaded dynamically via regular signature updates from Cisco
No reboot or manual installation required!
Web Application Controls Examples: Control Bandwidth for Media Streams
Web Application Controls Examples: Granular Control and Reporting for Facebook
Web Application Controls Examples: What is Facebook REALLY about
Example #1: Flash Media streams (applications using HTTP only)
Application: Flash Video; behavior: Video
Traffic breakdown: initial access HTTP:80 or HTTPS:443; video traffic may use these same ports or RTMP:1935
Decrypt required: -
Desired Action | Must Block Ports | Recommended Block Ports | Function
Block | - | - | Watching a video is blocked
Monitor | 1935 | - | Video transactions are counted in the WSA application traffic counters
Bandwidth | 1935 | - | Video transactions are bandwidth limited
Example #2: Windows Media streams (applications using HTTP and non-HTTP ports)
Application: Windows Media; behavior: Video
Traffic breakdown: initial access HTTP:80 or HTTPS:443; video traffic uses RTSP:554, MMS:1755; some claims of 2869 usage, but we do not see it
Decrypt required: -
Desired Action | Must Block Ports | Recommended Block Ports | Function
Block | - | 554, 1755, 2869 | AVC can control access
Monitor | - | 554, 1755, 2869 | Access to HTTP links for ASF content will get counted in the WSA application traffic counters; however, the actual video content will not
Bandwidth | - | 554, 1755, 2869 | Not currently supported
Site Content Ratings: Enforcing Safe Search
Block inappropriate content from content sharing sites like Google, YouTube, Flickr
Based on metadata in the site
User cannot change safe search or strict search settings
DEMO Web Usage Controls
Multi-Layer Web Security
Reputation Filtering
Web Usage Controls
Malware Filtering
L4TM
About Reputation
Cisco SIO gathers statistical information from Cisco products and other resources
Cisco SIO correlates the information
Updated information is delivered back to the appliances
Each IP / URL gets a score, ranging from -10 to +10
(Diagram: SIO inputs from Web, Email, ASA, IPS, Outbreak Intelligence and external feeds)
About Reputation
Malicious websites are tracked globally through SIO
WSA evaluates each web request against the defined reputation score
Reputation score and action are configured on the WSA
Examples: Reputation Values
Known botnet or phishing site
Aggressive advertising
Examples: Reputation Values (2)
Neutral Site
Site with good history
Network Participation
Admin can define the level of participation
Requested URL with result is sent back
User information and internal networks are not sent
Disabled: No information is sent to the Cisco SIO database
Limited: Server URL of request, hash of path segments
Standard: Server URL and all path segments are sent back
DEMO Web Reputation Filtering
Multi-Layer Web Security
Reputation Filtering
Web Usage Controls
Malware Filtering
L4TM
Activating Anti-Malware Engines
Supported engines: Webroot, Sophos, McAfee
Anti-malware engines can be activated by policy
Up to two engines running are supported: Webroot + Sophos, Webroot + McAfee
All updates are handled automatically via SIO updates
What things are scanned
HTML body scanning, response body scanning, URL scanning, phishing links, Browser Helper Objects, tracking cookies: focused on malware & adware
HTML body scanning, file scanning: focused on viruses & trojans
Multi-Layer Web Security
Reputation Filtering
Web Usage Controls
Malware Filtering
L4TM
Layer 4 Traffic Monitor
(Diagram: infected client on the corporate network behind an ASA 5500 firewall; WSA attached to a SPAN port; botnet master on the Internet)
WSA monitors all network traffic via SPAN or TAP
Evaluates DNS requests done by clients against a list of malware sites
Malware list distributed from Cisco SIO
Example for L4TM
L4TM Blocking Infected Clients
Potentially infected clients can be identified
L4TM can be put in monitoring or blocking mode
Send TCP Reset for TCP sessions
Send ICMP unreachables for UDP sessions
Blocking packets are sent out through the proxy port, not the L4TM port! Check your routing tables!
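The matching step the L4TM slides describe (DNS queries from clients checked against a list of malware sites), as an added example that is not part of the deck and not the L4TM implementation. The malware domain list and the DNS records are constructed for the example; in the product the list is distributed from Cisco SIO and the queries are seen on the SPAN/TAP port.

```javascript
// Added example, not the L4TM implementation: the matching step the
// slides describe, run over constructed DNS query records.
// The malware domain list below is a placeholder; in the product the
// list is distributed from Cisco SIO.
const MALWARE_DOMAINS = new Set(["botnet-c2.example", "drop.bad.example"]);

// Returns the listed domain a query name falls under, or null.
// A query for a listed domain or for any of its subdomains is a hit;
// matching is label-based, so "notbotnet-c2.example" is not a hit.
function matchMalwareDomain(qname, list) {
  const labels = qname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (list.has(candidate)) return candidate;
  }
  return null;
}

// records: DNS queries seen on the SPAN/TAP port, as {client, qname}.
// Returns {clientIp: [matched domains...]} for clients worth a look.
function findSuspectClients(records, list) {
  const suspects = {};
  for (const r of records) {
    const hit = matchMalwareDomain(r.qname, list);
    if (!hit) continue;
    (suspects[r.client] = suspects[r.client] || []).push(hit);
  }
  return suspects;
}

// Constructed sample queries (not captured data).
const SAMPLE_DNS = [
  { client: "10.1.1.5", qname: "www.cisco.com" },
  { client: "10.1.1.5", qname: "update.botnet-c2.example" },
  { client: "10.1.1.9", qname: "mail.example.com" },
  { client: "10.1.1.9", qname: "drop.bad.example." },   // trailing dot as in raw DNS
  { client: "10.1.1.12", qname: "notbotnet-c2.example" }
];

console.log(findSuspectClients(SAMPLE_DNS, MALWARE_DOMAINS));
```

The subdomain walk is what makes the check useful: a listed domain's subdomains (update.botnet-c2.example) count as hits, while a name that merely ends in the same characters does not. In monitoring mode this output is the list of clients to investigate; in blocking mode the appliance additionally sends the TCP resets or ICMP unreachables described on the slide.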
Deployment Scenarios
Explicit Proxy
(Diagram: client on the corporate network, Web Security Appliance, ASA 5500 firewall, Internet web server)
Client requests a website
Browser connects first to the WSA
WSA connects to the website
Firewall usually only allows web traffic for the proxy
How does the Browser find the Proxy?
Proxy setting in the browser: static definition with IP/name and port
How does the Browser find the Proxy?
Automatic configuration via PAC file

    // PAC file with two proxies: the browser tries the first and fails over to the second
    // (each entry needs its own PROXY keyword; the slide omitted it on the second entry)
    function FindProxyForURL(url, host)
    {
        return "PROXY 192.168.1.80:3128; PROXY 192.168.1.81:3128";
    }

    // PAC file with a single proxy
    function FindProxyForURL(url, host)
    {
        return "PROXY 192.168.1.80:3128";
    }

Reference: http://www.findproxyforurl.com/
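A fuller PAC file than the two on the slide, added here as an example (not from the deck): it keeps unqualified and internal names direct, fails over between two WSAs, and optionally falls back to DIRECT. The proxy addresses 192.168.1.80 and 192.168.1.81 are those from the slide; the internal domain corp.example and the 10.0.0.0/8 range are assumed placeholders. Browsers supply isPlainHostName, dnsDomainIs and isInNet to PAC scripts; the block defines small equivalents so it also runs under Node.js (the real isInNet resolves hostnames, the shim here only handles literal IPv4 addresses).

```javascript
// Added example PAC file (not from the Cisco deck). Assumed placeholders:
// internal domain ".corp.example" and private range 10.0.0.0/8.

// --- shims for the helpers browsers provide to PAC scripts ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;               // no dots: unqualified name
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function ipToInt(ip) {                           // dotted quad -> unsigned 32-bit
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}
function isInNet(ip, net, mask) {                // literal IPs only (browser version resolves names)
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// --- the PAC entry point the browser calls for every request ---
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain never leave the network
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Literal private addresses stay direct as well
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // Everything else: primary WSA, failover to the secondary, DIRECT as last resort
  return "PROXY 192.168.1.80:3128; PROXY 192.168.1.81:3128; DIRECT";
}

console.log(FindProxyForURL("http://www.cisco.com/", "www.cisco.com"));
```

The trailing DIRECT is a policy decision, not a given: it keeps users online if both WSAs are down, but in that state traffic bypasses the reputation and malware checks entirely. Remove it for a fail-closed deployment.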
PAC Deployment
Via AD and GPO
Via script
Via manual setting
Via DHCP (DHCP option 252)
Via WPAD server
WPAD Server
WPAD server hosts the PAC file as wpad.dat
File is retrieved via HTTP and JavaScript
"Automatic settings" in the browser creates a lookup for a server called wpad
WPAD and Windows 2008
Starting with the Windows Server 2008 DNS server, it is no longer possible to name a specific server WPAD
Locked down via the Registry
More details found here: http://technet.microsoft.com/en-us/library/cc441517.aspx
PAC file deployment - Summary
DHCP
Higher priority than DNS
If DHCP provides the WPAD URL, no DNS lookup is performed
Passed as option number 252 in the DHCP lease
DNS search (example: if the domain of the client is pc.department.branch.com)
Browser will try URLs in the following order:
http://wpad.department.branch.com/wpad.dat
http://wpad.branch.com/wpad.dat
http://wpad.com/wpad.dat
Microsoft GPO
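The discovery order summarised above (DHCP option 252 first, then the DNS domain walk), reproduced as an added example that is not part of the deck. The minLabels guard is an addition of this example, not browser behaviour: it stops the walk before it reaches names outside the organisation, which is exactly where the slide's own walk ends up (http://wpad.com/wpad.dat, a host nobody in branch.com controls). The client name pc.department.branch.com is the slide's; the DHCP URL in the test is a constructed placeholder.

```javascript
// Added example (not from the Cisco deck): the WPAD lookup order the
// slides describe. Returns the list of wpad.dat URLs a client would try.
//   clientFqdn    - the client's own DNS name, e.g. "pc.department.branch.com"
//   dhcpOption252 - WPAD URL from the DHCP lease, or undefined if none
//   minLabels     - added hardening: stop the DNS walk once fewer than this
//                   many labels remain (undefined reproduces the browser walk)
function wpadCandidates(clientFqdn, dhcpOption252, minLabels) {
  if (dhcpOption252) return [dhcpOption252];        // DHCP wins; no DNS lookup at all
  const labels = clientFqdn.toLowerCase().split(".").filter(Boolean);
  const floor = minLabels === undefined ? 1 : minLabels;
  const urls = [];
  // Drop the host label, then walk up through the parent domains
  for (let i = 1; i < labels.length; i++) {
    if (labels.length - i < floor) break;           // left the organisation's namespace
    urls.push("http://wpad." + labels.slice(i).join(".") + "/wpad.dat");
  }
  return urls;
}

console.log(wpadCandidates("pc.department.branch.com"));        // three URLs, as on the slide
console.log(wpadCandidates("pc.department.branch.com", undefined, 2)); // stops at branch.com
```

The guarded variant is a defender's model of where the walk should stop, not something the browser offers: in practice the fix is to serve WPAD from DHCP or GPO (so the DNS walk never runs) and to make sure the wpad name exists inside the domains the walk would try.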
Explicit Deployment - Summary
Requires Client Settings in the Browser
Proxy resolves hostname of target web server
Redundancy can be achieved via PAC files
WSA can host PAC files
No involvement of network equipment necessary
Transparent Proxy via WCCP
(Diagram: client, WCCP-enabled network device, Web Security Appliance, ASA 5500 firewall, Internet web server)
Client requests a website
Browser tries to connect to the website
Network device redirects the traffic to the WSA using WCCP
WSA proxies the request
Background on WCCP
WCCPv1 developed in 1997 by Cisco Systems and publicly released in July 2000
WCCPv2 published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing
Enhancements:
Configurable WCCP Router ID
WCCP Variable Timers
Improved FailOver
Improved interaction between WCCP and NetFlow
WCCPv3 is an internal specification targeted at IPv6 that was never released
Details: Assignment
The WCCP assignment method is used to determine which WCCP device is chosen for a given destination traffic flow.
WCCP can use two types of assignment methods: Hash and Mask.
Hash-based assignment: uses a software-based hash algorithm to determine which WCCP appliance receives the traffic. On hardware-based platforms the NetFlow table is used to apply hardware assistance.
Mask-based assignment: uses the ACL TCAM to assign WCCP entities. This method is fully handled in hardware.
Details: Redirect and Return
Redirect method
WCCP GRE: the entire packet is GRE-tunneled to the WCCP client (WSA, cache, ...)
Layer 2: the frame's MAC address is rewritten to the MAC of the WCCP client
Return method
The return method determines how traffic is sent back from the WCCP appliance to the router if the traffic could not be serviced.
WCCP GRE: the packet is GRE-tunneled back to the router
WCCP Layer 2: the frame is rewritten to the router's MAC
Using WCCP for Traffic Redirection
WCCPv2 support is available on many Cisco platforms: L3 switches, routers, ASA 5500 security appliance
IronPort WSA supports all redirect and assignment methods (software implementation)
The method to use is negotiated
Using WCCP for Traffic Redirection (2)
Performance considerations:
MASK (HW) > HASH (SW)
L2 (HW) > GRE (SW)
Use GRE if the WSA is located in another subnet; check if the device can do GRE in hardware
Use L2 if the WSA and the WCCP device are in the same subnet
Planning and Design: Platform Recommendations (For Your Reference)
Nexus 7000: Assign: Mask only | Redirect: L2 | Redirect list: L3/L4 ACL | Direction: In or Out | Return: L2 only | VRFs: Supported | Software release: 4.2(1)
Software (ISR & 7200): Assign: Hash or Mask | Redirect: GRE or L2 | Redirect list: Extended ACL | Direction: In or Out | Return: GRE or L2 | VRFs: Supported | IOS: 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; 15.0(1)M
ASR 1000: Assign: Mask only | Redirect: GRE or L2 | Redirect list: Extended ACL | Direction: In only | Return: GRE or L2 | VRFs: Planned | Software release: 2.4(2)
Cat 6500 Sup720/32 and 7600: Assign: Mask | Redirect: GRE or L2 | Redirect list: Extended ACL | Direction: In | Return: L2 | VRFs: Planned | IOS: 6500: 12.2(18)SXF14, 12.2(33)SXH4, 12.2(33)SXI2a; 7600: 12.2(18)SXD1
Cat 6500 Sup2: Assign: Mask | Redirect: L2 or GRE / L2 | Redirect list: Extended ACL | Direction: In | Return: L2 | VRFs: NA | IOS: 12.1(27)E; 12.2(18)SXF14
Cat 4500: Assign: Mask only | Redirect: L2 only | Redirect list: No redirect list support | Direction: In only | Return: L2 only | VRFs: NA | IOS: 12.2(50)SG1
Cat 3750: Assign: Mask only | Redirect: L2 only | Redirect list: Extended ACL (no deny) | Direction: In only | Return: L2 only | VRFs: NA | IOS: 12.2(46)SE
Transparent Deployment - Summary
No client settings necessary
Client resolves hostname of target web server
Traffic gets redirected by the network
Requires involvement of the network department
Allows for redundancy by defining multiple WSAs to redirect to
DEMO Transparent Deployment
Upstream Proxy
WSA can be deployed behind an existing proxy
To get the value of web reputation, the WSA should be placed behind the existing proxy (close to the client...)
Depending on the upstream proxy, check connection limits!
(Diagram: Internet - Proxy - WSA)
Special Case... not yet validated
(Diagram: Internet web server, Web Security Appliance, ASA 5500 firewall with Clientless SSL, corporate network)
Using CLIENTLESS SSL on the ASA 5500, the user can surf to internal and external web pages
URLs can be checked and secured through the WSA
WSA supports OUTBOUND and INBOUND malware scanning! Server upload can be protected!
Drawback: all clientless requests from the ASA to the WSA come from the ASA internal IP, so there is no user visibility
Clientless SSL with WSA - Example
Building the Policy
Elements of the Security Policy
Is the user permitted to make the request? -> Authentication
Is the request within an acceptable time range? -> Time-based
Is this type of client permitted? -> User Agent check
Is this protocol permitted? -> Protocol blocking
Is the site trustworthy? -> Web Reputation
Do we permit access to this site/category? -> URL Categorization (predefined and custom)
Is the request suspicious? -> Anti-Malware, L4TM
If HTTPS, decrypt and check? -> Decryption Policy
Is the response of appropriate type & size? -> Object filtering
Does the response contain malware? -> Anti-Malware
Policy - Authentication
Policy objects can be managed from the central access policy screen
First step is to define the Identity: for whom does this policy apply?
Authentication
(Diagram: User - Web Security Appliance - User Directory)
Authentication protocols
Directory: LDAP or NTLM
Method:
Basic: credentials are sent unencrypted
NTLMSSP: challenge-response
Tracking the user:
IP-based surrogates
Cookie-based surrogates
Proxy and Authentication Types
Proxy Type | Authentication: Browser to WSA | Authentication: WSA to Auth Server
Explicit | Basic | LDAP (or NTLM Basic)
Transparent | Basic | LDAP (or NTLM Basic)
Explicit | NTLM | NTLMSSP (Active Directory)
Transparent | NTLM | NTLMSSP (Active Directory)
HTTP Response Codes (For Your Reference)
200 OK: request was sent successfully
301 Moved Permanently: the resource has permanently moved to a different URI
401 Unauthorized: web server requires authentication
403 Forbidden: access denied
404 Not Found: the server cannot find the requested URI
407 Proxy Authentication Required: the request first requires authentication with the proxy
NTLM Authentication
NTLM requires an account in the AD domain
Credentials to create the computer account are used only once, not stored on the appliance
Currently only one domain is supported via NTLM
LDAP Authentication
LDAP queries on port 389 or 636 (Secure LDAP), 3268 (AD Global Catalog server)
Need to know the Base DN parameter
Can connect to multiple different domains
Authentication vs. LDAP
Knowing the LDAP Base DN is fundamental
Use an LDAP Browser to find out
Recommendation: Apache Directory Studio
Authentication vs. LDAP
Knowing the LDAP Base DN is fundamental
Or check with the DSQUERY command on a Microsoft AD server
Testing the query
After defining the query, check result!
Authentication in Explicit Deployment
(Diagram: User - Web Security Appliance - User Directory; the proxy answers with HTTP 407)
Proxy sends HTTP response 407 (proxy authentication required)
Client recognizes the proxy
Client will then accept an HTTP response 407 from the proxy
Works for HTTPS:
Client sends a CONNECT request to the proxy
Client will then accept a 407 response from the proxy
Authentication in Transparent Deployment
(Diagram: User, Web Security Appliance, User Directory, Internet web server)
Client is not aware of a proxy -> HTTP response 407 cannot be used
Need to use HTTP response 401 basic authentication
Client needs to be redirected to the WSA first
Authentication in Transparent Deployment
Step | What the client thinks | What is really happening
1 | The client sends a request to the remote HTTP server | The client request is rerouted to the WSA
2 | The client receives a 307 from the remote server redirecting the client to the WSA | The client receives a 307 from the WSA, spoofing the remote server, redirecting the client to the WSA
3 | The client connects to the WSA | The client connects to the WSA
4 | The client receives a 401 authentication request from the WSA | The client receives a 401 authentication request from the WSA
5 | The client authenticates with the WSA | The client authenticates with the WSA
6 | The client receives a 307 from the WSA, redirecting it back to the remote server | The client receives a 307 from the WSA, redirecting it back to the remote server
7 | The client connects back to the remote server | The client continues to use the WSA as a transparent proxy
Internet Explorer and Redirect for Authentication
When the client receives the redirect, it checks the name in the redirect request
If the client cannot resolve the name of the WSA, it automatically maps the WSA to the INTERNET ZONE
The Internet Zone never allows NTLM authentication
In transparent mode with NTLMSSP (Single Sign-On), this re-triggers authentication prompts despite SSO being configured (that's annoying...)
Internet Explorer and Redirect for Authentication (2)
Solution: do not enter the FQDN as the redirect host name, but only the simple (short) name!
Surrogates
Surrogates define how users are tracked once they have authenticated
IP address: tracks the user by IP
Can cause problems if clients change IP frequently or in virtual environments (Citrix)
Authentication stays with the WSA
Works well with decryption
Cookie: recommended in terminal server environments
Authentication stays with the client
Does not work when using decryption based on authentication
Identities
Identities consist of one or more criteria
Criteria can be usernames, groups, networks, user strings, ...
Surrogate settings can also be applied per Identity
Identities are used to choose the appropriate access policy
HTTPS decryption
Decryption of HTTPS is similar to a man-in-the-middle attack
WSA can use a self-signed cert or an imported cert from any CA
WSA generates a new cert for the client request, using the values from the original web server
This cert is presented to the client, signed with the cert from the WSA
HTTPS decryption
WSA cert must be trusted by all clients
Either use an already rolled-out CA cert or distribute the cert to the clients
Microsoft GPO allows for easy rollout
Cert MUST be a CA or Subordinate CA certificate! No server certificate!
HTTPS decryption
HTTPS decryption policy can be based on URL category or on reputation
Reputation allows selective decryption of potentially malicious web requests
DEMO HTTPS Decryption
Policy Selection
1. Check Identity
2. Assign access policy based on the chosen Identity
3. Execute the policy
4. If nothing specific is defined in certain fields, default values from the Global Policy are used
Secure Mobility
Secure Mobility
Works with Cisco ASA and Cisco AnyConnect client
Cisco ASA authorizes the user at the WSA
WSA can use different policies for local and remote users
WSA can use SAML 2.0 for authentication and Single Sign-On to web services
Functional description (diagram): AnyConnect; authorization at WSA; SSO with SAML 2.0
Secure Mobility
Functional Description (diagram walkthrough)
AnyConnect VPN user has an always-on VPN tunnel; the ASA is the tunnel default gateway
AnyConnect user attempts to access an Internet web server via the always-on VPN
Traffic is routed to the inside router
URL request is redirected to the Web Security Appliance (WSA) via WCCP; traffic is checked by the WSA against policy
ASA sends user information to the WSA for authorization
Cleaned traffic / cleaned URL request is forwarded to the Internet web server
Identity
SaaS Access Control In Action
SaaS Access Control In Action
Verified
SaaS Access Control - Benefits
Clients only get access to cloud resources if authenticated through the WSA
Single point for authentication
If an employee leaves the company, lock down his account in the Directory
-> All cloud services are locked down as well!
Example from iPhone -Protection through WSA
Good Website
Bad Website
AnyConnect on iPhone
Web traffic from the iPhone is checked and filtered
iPhone is protected from malware and malicious connections
Summary of Secure Mobility
Different policies for local and remote users
Example: block high-bandwidth sites for remote users
Single Sign-On for users on the WSA for authentication
Works for non-AD users and AD users
Usage of SAML 2.0 for SSO to cloud services
Example: WebEx, Salesforce.com, Google Apps, ...
DEMO Secure Mobility
IPv6
IPv6 and WSA
End CY 2011:
Explicit proxy support for IPv6
IPv6 rules published via SIO, IPv6 reputation
IPv6 management
CY 2012:
Transparent proxy with WCCP, but: WCCP today has no IPv6 support!
ASA and IOS need to develop IPv6 support for WCCP
Troubleshooting
Useful Tools: Policy Trace
Useful Tools: Packet Capture
Record packet flows
Download capture files for analysis and troubleshooting
Web Security Management: Detailed Tracking of Data
Working with CLI and Logfiles....
Log data is in W3C format
Can be downloaded by FTP or via CLI
Working with CLI and Logfiles....
Example access log entry (one line, wrapped on the slide):

1289045462.223 563 172.16.18.16 TCP_MISS/304 319 GET http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/expansionmodule.swf tmayer@munlabipcom DEFAULT_PARENT/proxy.esl.cisco.com - DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroup-NONE-NONE-DefaultGroup -

Fields called out on the slide:
Transaction result code: TCP_MISS/304
Client IP: 172.16.18.16
Authenticated user: tmayer@munlabipcom
Cache hierarchy retrieval: DEFAULT_PARENT/proxy.esl.cisco.com
Policy chosen: DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroup-NONE-NONE-DefaultGroup
Location
Reputation score
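A parser for the access log line shown on the slide, added as an example (not Cisco code). Field positions follow the slide's line (timestamp, elapsed time, client IP, result/status, bytes, method, URL, user, cache hierarchy, MIME type, decision tag); splitting the decision tag into a decision and the access policy that applied follows the slide's "Policy chosen" callout. The two additional sample lines with BLOCK_* tags, the hosts bad.example and games.example, and the tag names themselves are constructed for the example, not taken from the deck.

```javascript
// Added example (not Cisco code): parse WSA access log lines of the
// squid-style form shown on the slide and summarise them.
function parseAccessLogLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 11) return null;                   // truncated or unrelated line
  const [cacheResult, status] = f[3].split("/");    // e.g. TCP_MISS/304
  const tagParts = f[10].split("-");                // e.g. DEFAULT_CASE_11-<access policy>-<identity>-...
  return {
    time: new Date(parseFloat(f[0]) * 1000),        // epoch seconds with milliseconds
    elapsedMs: parseInt(f[1], 10),
    clientIp: f[2],
    cacheResult,
    status: parseInt(status, 10),
    bytes: parseInt(f[4], 10),
    method: f[5],
    url: f[6],
    user: f[7] === "-" ? null : f[7],               // "-" means no authenticated user
    hierarchy: f[8],                                // e.g. DEFAULT_PARENT/<upstream proxy>
    mimeType: f[9] === "-" ? null : f[9],
    decision: tagParts[0],                          // e.g. DEFAULT_CASE_11 or BLOCK_* (assumed names)
    policy: tagParts[1] || null,                    // access policy that applied (per slide callout)
    aclTag: f[10],
    rest: f.slice(11)                               // remaining fields, not interpreted here
  };
}

// Count requests, blocks, and activity per user and per decision.
function summarize(lines) {
  const out = { requests: 0, blocked: 0, byUser: {}, byDecision: {} };
  for (const line of lines) {
    const r = parseAccessLogLine(line);
    if (!r) continue;
    out.requests++;
    if (r.decision.startsWith("BLOCK_")) out.blocked++;
    const u = r.user || "(unauthenticated)";
    out.byUser[u] = (out.byUser[u] || 0) + 1;
    out.byDecision[r.decision] = (out.byDecision[r.decision] || 0) + 1;
  }
  return out;
}

// Constructed sample: the slide's line plus two invented lines. The
// BLOCK_* decision tags and the hosts are placeholders for the example.
const SAMPLE_LOG = [
  "1289045462.223 563 172.16.18.16 TCP_MISS/304 319 GET http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/expansionmodule.swf tmayer@munlabipcom DEFAULT_PARENT/proxy.esl.cisco.com - DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroup-NONE-NONE-DefaultGroup -",
  "1289045470.001 2 172.16.18.16 TCP_DENIED/403 1675 GET http://bad.example/ tmayer@munlabipcom NONE/- text/html BLOCK_WBRS_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroup-NONE-NONE-DefaultGroup -",
  "1289045475.500 12 172.16.18.20 TCP_DENIED/403 1675 GET http://games.example/ - NONE/- text/html BLOCK_WEBCAT_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup -"
];

console.log(summarize(SAMPLE_LOG));
```

Splitting on whitespace is enough for the fields the slide calls out because none of them may contain spaces; the fields after the decision tag are kept as an array rather than interpreted, since their meaning is not given on the page.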
List of Codes: use the Online Help! (For Your Reference)
And if everything goes wrong....
Opening a Support Tunnel
From the WSA, the administrator can allow the Cisco Support team direct access
An SSL tunnel with password is built on demand and terminated at Cisco Support
The support tunnel is built directly from the WSA; this can be a problem if an upstream proxy is used!
The Future of Web Security
Web Security through Cloud Service
Hosted web security through Cisco ScanSafe cloud service
Central reporting and administration through the ScanCenter portal
Secure Mobility Future: Hybrid Security
(Diagram: remote user with AnyConnect Client 3.0, Internet, corporate network with Cisco ASA and Cisco WSA)
Internet traffic secured through the web security cloud service
Corporate traffic secured through the tunnel and WSA
Consistent policy and monitoring
Summary
Cisco IronPort Web Security Appliance leverages a comprehensively architected feature list to protect the dynamic environment from the ubiquitous Web 2.0 world.....
Or...
Cisco IronPort Web Security Appliance ROCKS!
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year.
Activate your account at any internet station or visit www.ciscolivevirtual.com.
BRKSEC-2052 Recommended Reading