IWSVA5_Cisco_ASA_WCCP_Int_Guide_100602.pdf


  • Securing Your Web World

    A Trend Micro TrendEdge Solution
    Advanced Technologies and Techniques to Enhance Your Product

    Eumir Nogales, Senior Product Specialist, Trend Micro, Inc.

    Vernon Lee, Senior Enterprise Sales Engineer, Trend Micro, Inc.

    Jody Butler, Senior Corporate Sales Engineer, Trend Micro, Inc.

    Peter Wei, Senior Software Architect, Trend Micro, Inc.

    TREND MICRO INC.

    10101 N. De Anza Blvd. Cupertino, CA, 95014 www.trendmicro.com Toll free: +1 800.228.5651 Fax: +1 408.257.2003 Phone: +1 408.257.1500

    Integrating Trend Micro IWSVA with Cisco ASA Using WCCP

    June 2010


    Contents

    Executive Summary
    Suggested Network Architecture
    Requirements
    Procedure
    Logging WCCP Traffic Using IWSVA and Cisco ASA Features
        To log WCCP traffic using the IWSVA:
        To log WCCP traffic using the ASA:
    Verifying that WCCP is Working Correctly
    References
    About the Authors
        Eumir Nogales
        Vernon Lee
        Jody Butler
        Peter Wei
    About Trend Micro Incorporated
    Contacting TrendEdge Publications

    Trend Micro, the Trend Micro t-ball logo, and InterScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice, and the information contained in this document is provided as-is. This document is for informational purposes only, and is not supported by Trend Micro or its partners. TREND MICRO MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Copyright 2010 Trend Micro Incorporated. All rights reserved. Document Part No. TE07WSVA50_100602US


    Executive Summary

    This document describes how to set up Trend Micro InterScan Web Security Virtual Appliance 5.0 (IWSVA) to work with a Cisco Adaptive Security Appliance (ASA) and the Cisco-developed Web Cache Communication Protocol (WCCP).

    Note: Trend Micro provides this document "as-is" as a courtesy to interested parties. The accuracy of the information is solely the authors' responsibility. Neither Trend Micro nor its partners support this document.

    Cisco Adaptive Security Appliances (ASA) are Layer 3 devices that can redirect traffic to one or more transparent proxy web cache servers. Web caches reduce network latency by enabling end users to retrieve web pages that they have accessed previously from a memory buffer or cache instead of from a web server.

    Cisco created the Web Cache Communication Protocol (WCCP) to control the interaction of external web cache devices with Adaptive Security Appliances. WCCP not only reduces the load on web cache devices, but it also provides load balancing and support for multiple routers and protocols. WCCP is transparent to the end user.

    Suggested Network Architecture

    This document describes how to configure IWSVA to run in WCCP mode and communicate with a Cisco ASA in an N-tier environment. When an IWSVA is running in WCCP mode and is integrated with a Cisco ASA, it becomes a web cache even though it does not specifically serve cached content. Instead it serves as a cache engine for the ASA, which scans the requested content for malicious code.

    Figure 1 below shows traffic moving into and out of a network with a Cisco ASA and an IWSVA. Since an ASA operates as a router, an external firewall can function as a gateway out of the network if you configure it to do so. The ASA uses WCCP during the initial request when HTTP packets arrive at the device from the internal network. Once an outbound packet reaches the internal network port on the ASA, the ASA encapsulates it and hands it off to the IWSVA. The IWSVA, in turn, then requests the content from the external web server, scans it, and permits or denies the request. If the IWSVA approves the request, it then delivers the web content to the client.

    Note: This document was written using IWSVA 5.0, a Cisco ASA 5510 running version 8.2(1) of Cisco IOS, and WCCP Version 2.0. Trend Micro customers should be aware that Cisco can make changes at any time to IOS, and the ability of an ASA to work with WCCP, without notice.


    Figure 1. Flow of Traffic between a Cisco ASA and an IWSVA in an N-Tier Environment

    Requirements

    The client (browser) and IWSVA cache engine(s) must be on the same Cisco Adaptive Security Appliance (ASA) internal interface.

    The Cisco ASA and IWSVA must be configured to use WCCPv2.

    Note: For additional hardware and software requirements, consult the relevant Cisco and Trend Micro product documentation. Trend Micro IWSVA documentation is available at the following location:

    http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=249&regs=NABU&lang_loc=1

    See the References section for links to the relevant Cisco documentation.


    Procedure

    Follow the steps below to configure the Cisco ASA and IWSVA to work with WCCP:

    1. Log into the CLI of the Cisco ASA and create two access control lists (ACLs): one for the web cache and another for the redirect list:

        Router#configure terminal
        Router(config)#access-list wccp extended permit tcp any any eq www
        Router(config)#access-list mycache-wccp extended permit tcp host any
        Router(config)#wccp 80 redirect-list wccp password novirus
        Router(config)#wccp interface internal 80 redirect in

    2. Log into the IWSVA Web Console and do the following:

    a. Configure IWSVA to use WCCPv2 and enter the router address.

    b. Enter a password. Use novirus, the password set on the ASA in step 1.

    c. Save the changes.

    3. Open a terminal session to the IWSVA shell.

    4. Change the directory to /var/iwss/

    5. Open the IWSSPIProtocolHttpProxy.pni file.

    6. Look for the string wccp_service and then change the parameters in Table 1 below:

    Table 1. IWSVA wccp_service Parameters for the Cisco ASA

    Existing Parameter New Parameter

    wccp_assignment_method=2 wccp_assignment_method=1 wccp_service=dynamic 80 protocol=tcp wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash priority=120 ports=80,21,443

    flags=src_ip_hash,dst_ip_hash,source_port_hash priority=120 ports=80,21,443

    7. Access the IWSVA CLI. Restart the IWSS daemon by typing the following commands:

        /usr/iwss/S99ISWCCPd stop
        /usr/iwss/S99ISWCCPd start

    Logging WCCP Traffic Using IWSVA and Cisco ASA Features

    To log IWSVA and Cisco ASA WCCP traffic, follow the steps below.

    To log WCCP traffic using the IWSVA:

    1. Open a terminal session to the IWSVA shell.

    2. Navigate to the /var/iwss directory.

    3. Open the IWSSPIProtocolHttpProxy.pni file.

    4. Look for the string wccp_logging. Change the value from 0 to 1.

    Note: IWSVA saves WCCP debug output in its HTTP logs.


    To log WCCP traffic using the ASA:

    1. Log into the ASA shell then go into configure mode.

    2. Type the command:

        Router(config)#debug wccp event

    Note: Once you have configured the Cisco ASA server, you have the option to route the WCCP debug information through a Syslog server or to display the events on the router console.

    Verifying that WCCP is Working Correctly

    1. Check the IWSVA HTTP logs. You should see the following string(s):

        WCCP: Sending WCCPv2 HERE_I_AM for service ID
        WCCP: Received WCCPv2 I_SEE_YOU from
        WCCP: Good Received WCCPv2 I_SEE_YOU

    2. Log into the Cisco ASA shell and type show wccp to view the WCCP information on the router. Here is an example of what you should see:

        WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000A
        WCCP-EVNT: Web Cache 192.168.25.3 added
        WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000B
        WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000C

    The IP address should be the IP address of the IWSVA. Refer to the link below for more information on debugging Cisco ASA WCCPv2:

    http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801854c4.shtml
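
    The two verification steps above can be checked mechanically. The following is an added example, not part of the original guide or of any Trend Micro or Cisco tooling: it scans IWSVA HTTP log lines for the handshake strings and ASA debug lines for the registered web caches, then compares them with the IWSVA addresses you expect. The function name check_wccp, the router address 192.168.25.1 and the values after "service ID" and "from" in the IWSVA sample are assumptions.

```python
import re

# Patterns come from the strings quoted in the verification steps. The text after
# "service ID" and "from" is elided on the page, so the address group is optional.
SENT = re.compile(r"WCCP: Sending WCCPv2 HERE_I_AM for service ID")
SEEN = re.compile(r"WCCP: Received WCCPv2 I_SEE_YOU from\s*(\S+)?")
GOOD = re.compile(r"WCCP: Good Received WCCPv2 I_SEE_YOU")
ADDED = re.compile(r"WCCP-EVNT: Web Cache (\d{1,3}(?:\.\d{1,3}){3}) added")
USABLE = re.compile(r"WCCP-EVNT: Built I_See_You msg body w/(\d+) usable web caches")


def check_wccp(iwsva_log, asa_debug, expected_caches):
    """Summarise the WCCP handshake (IWSVA side) and cache membership (ASA side)."""
    sent = any(SENT.search(line) for line in iwsva_log)
    seen = [hit for line in iwsva_log if (hit := SEEN.search(line))]
    good = any(GOOD.search(line) for line in iwsva_log)
    routers = sorted({s.group(1) for s in seen if s.group(1)})
    added = {a.group(1) for line in asa_debug if (a := ADDED.search(line))}
    counts = [int(u.group(1)) for line in asa_debug if (u := USABLE.search(line))]
    expected = set(expected_caches)
    return {
        "handshake_ok": sent and good,
        "unanswered": sent and not seen,          # HERE_I_AM sent, no I_SEE_YOU back
        "routers": routers,
        "missing_caches": sorted(expected - added),
        "unexpected_caches": sorted(added - expected),
        # The latest usable-cache count should equal the number of IWSVAs deployed.
        "usable_mismatch": bool(counts) and counts[-1] != len(expected),
    }


# Constructed samples: the IWSVA lines fill the elided fields with made-up
# values; the ASA lines are the four shown in step 2 of the guide.
IWSVA_SAMPLE = [
    "WCCP: Sending WCCPv2 HERE_I_AM for service ID 80",
    "WCCP: Received WCCPv2 I_SEE_YOU from 192.168.25.1",
    "WCCP: Good Received WCCPv2 I_SEE_YOU",
]
ASA_SAMPLE = [
    "WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000A",
    "WCCP-EVNT: Web Cache 192.168.25.3 added",
    "WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000B",
    "WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000C",
]

if __name__ == "__main__":
    print(check_wccp(IWSVA_SAMPLE, ASA_SAMPLE, ["192.168.25.3"]))
```

    With a single expected IWSVA, the guide's own ASA sample reports a usable-cache mismatch, because it shows two usable web caches but only one "added" event.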


    References

    How to configure web cache services using WCCP on Cisco ASA 5500 Series Adaptive Security Appliances

    https://supportforums.cisco.com/docs/DOC-3006

    Cisco Security Appliance Command Line Configuration Enabling WCCP Redirection

    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094628

    Configuring WCCP Version 2 on a Cisco Content Engine and Router

    http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00800a6a72.shtml


    About the Authors

    Eumir Nogales

    Eumir Nogales has been with Trend Micro for 7 years and is currently a Senior Product Specialist with the Philippine Core Team. Before joining this group, Eumir was a member of a 24/7 team where he supported the Cisco ASA CSC product, which contains Trend Micro technology.

    Mr. Nogales has 15 years of IT experience, which includes positions in network/system administration, software development, project management, consulting, and system support.

    Vernon Lee

    Vernon Lee currently serves as a Senior Enterprise Sales Engineer for Trend Micro. Prior to working for Trend Micro, he was employed as a Security Solutions Engineer at another well-known provider of best-of-breed security solutions. Vernon has a total of 11 years of experience in the network security arena.

    Jody Butler

    Jody Butler is currently serving as a Senior Corporate Sales Engineer for Trend Micro. Prior to joining Trend Micro, he was a Senior Security Engineer for the State of Texas, served as a network administrator for a healthcare organization, and worked in field sales engineering for a local reseller. He brings a total of 12 years of network security, systems administration, and virtualization experience to Trend Micro. He also holds a Bachelor's degree in Computer Information Systems Management and Networking.

    Peter Wei

    Peter Wei works as a Senior Software Architect for the Trend Micro Web gateway product line where he is responsible for product architecture, road maps, customer support activities and other technical roles. Peter has more than 15 years of experience in networking and network security, and has served in system architect and management roles at several Silicon Valley companies.


    About Trend Micro Incorporated

    Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information, and property from malware, spam, data leaks and the newest Web threats. Trend Micro's flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. A transnational company, with headquarters in Tokyo, Trend Micro's trusted security solutions are sold through its business partners worldwide.

    For more information, please visit www.trendmicro.com.


    Contacting TrendEdge Publications

    The Trend Micro TrendEdge team is always seeking to provide better solutions. Have a question or comment about this document? We would like to hear from you. Contact us at:

    [email protected]