web security deployment
Post on 08-May-2015
5.563 Views
Preview:
DESCRIPTION
TRANSCRIPT
Web Security
Deployment
Ryan Wager Technical Marketing
Engineer
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security – Secure Mobility
1996
Today„s Websites...
Appliance or Cloud?
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
Cisco Web Security Appliance
Web Proxy incl. Caching (http,https, ftp, ftp over http)
Rich security functionalities
Reputation filtering
Malware scanning
URL Filtering
Application visibility & control
HTTPS inspection
Authentication
Reporting and tracking
L4TM
...more to come!
Web Application Control
Many Applications work on top of
HTTP traffic
Applications are detected and
controlled by special Signatures
Those Signatures are
downloaded dynamically via
regular Signature Updates from
Cisco
No reboot or manual installation
required!
About Reputation
Cisco SIO gathers statistical informations from Cisco Products and
other resources
Cisco SIO correlates informations
Updated informations are delivered back to appliances
Each IP / URL gets a score, ranging from -10 to +10
Web Email ASA IPS
Outbreak Intelligence
External
feeds
About Reputation
Malicious websites are tracked globally through SIO
WSA evaluates each webrequest against the defined
reputation score
Reputation score and action is configured on WSA
Network Participation
Admin can define the level of participation
Requested URL with result is sent back
User information and internal networks are not sent
Disabled: No information is sent to Cisco SIO Database
Limited: Server URL of request, hash of path segments
Standard: Server URL and all path segments are sent back
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
Explicit Proxy
Internet
Internet Web
server
Web Security Appliance
ASA 5500
Firewall
Client requests a website
Browser connects first to WSA
WSA connects to website
Firewall usually only allows webtraffic for proxy
How does the Browser find the Proxy?
Proxy setting in the browser
Static definition with IP/NAME and PORT
How does the Browser find the Proxy?
Automatic Configuration via PAC File
function FindProxyForURL(url, host)
{
return "PROXY 192.168.1.80:3128; 192.168.1.81:3128";
}
function FindProxyForURL(url, host)
{
return "PROXY 192.168.1.80:3128";
}
http://www.findproxyforurl.com/
PAC Deployment
Via AD and GPO
Via script
Via manual setting
Via DHCP
DHCP Option 252
Via Wpad Server
WPAD Server WPAD Server hosts PAC file as wpad.dat
File is retrieved via HTTP and Javascript
Automatic Settings creates a lookup on a server
called „wpad“
Transparent Proxy via WCCP
Internet
Internet Web
server
Web Security Appliance
ASA 5500
Firewall
Client requests a website
Browser tries to connect to Website
Network Device redirects traffic to WSA using WCCP
WSA proxies the request
Background on WCCP
WCCPv1 developed in 1997 by Cisco Systems and publicly
released in July 2000
WCCPv2 published as an IETF draft in July 2000 to make the
specification open and remove the requirement for licensing
– Enhancements
• Configurable WCCP Router ID
• WCCP Variable Timers – Improved Failover
• Improved Interaction between WCCP and NetFlow
WCCPv3 is an internal specification targeted at IPv6 that was
never released
Details Assignment
The WCCP assignment method is used to determine which WCCP traffic
and which WCCP device is chosen for the destination traffic.
WCCP can use two types of Assignment Methods: Hash and Mask.
• Hash Based Assignment
Uses a software based hash algorithm to determine which WCCP
appliance receives traffic. In hardware based platforms the Netflow table
is used to apply hardware assistance.
• Mask Based Assignment
Uses the ACL TCAM to assign WCCP entities. This method is fully
handled by hardware.
Details Redirect and Return
• Redirect Method – WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client
(WSA, Cache,…)
– Layer 2 - Frame MAC address rewritten to MAC of WCCP Client
• Return Method The Return method determines how the traffic will be sent back from the router to the WCCP appliance if the traffic could not be serviced. Refered to as “Proxy Bypass”
– WCCP GRE – Packet WCCP GRE returned router
– WCCP Layer 2 – Frame rewritten to router MAC
Details Assignment
• The following best practices should be followed for implementing
WCCP on a software-based platform:
– GRE Forwarding (Default)
– Hash Assignment (Default)
– Inbound or Outbound Interception
– "ipwccp redirect exclude in" on WCCP client interface (outbound interception
only)
• The following best practices should be followed for implementing
WCCP on a hardware-based platform:
– L2 Forwarding
– Mask Assignment
– Inbound Interception
– No "ipwccp redirect exclude in"
WCCP input redirect
Ingress
Interface
Egress
Interface
WCCP Input redirect
WCCP output redirect and input exclude
Ingress
Interface Egress
Interface
WCCP Output redirect
WCCP Exclude-in
How WCCP registration works
WCCP Client WCCP Server
1. Registration
The WCCP client registers at the WCCP Server
Both, Server and Client need to use the same WCCP Service Group ID
One WCCP Server usually can server multiple Clients
Server and Client exchange „here i am“ and „I see you“ Packets to check
availability UDP/2048, unicast
Multicast possible
Traffic is redirected from Server to one or multiple Clients using the „hash“ or
„mask“ algorithm
3. „I see you“
2. „Here I am“
Buckets 86–170 Buckets 86–128
Buckets 1–85
Buckets 129–170
Buckets 171–255
A B C X
WCCP Protocol Failover
When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group
If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally
Using WCCP for Traffic Redirection
WCCPv2 support is availible on many Cisco Platforms:
L3 Switches, Routers, ASA 5500 Security Appliance
Cisco Ironport WSA supports all redirect and assign
methods (software implementation)
Method to use will be negotiated
WCCP
Platform Recommendations Function
Support / Recommend
Software
ISR & 7200
ASR 1000 Cat 6500
Sup720 Sup32
Cat 6500
Sup2
Cat 4500
Cat 3750
ASA 5500
Assignment Hash Only Mask Only Mask or Hash / Mask
Mask or Hash / Mask
Mask only Mask only Hash only
Forwarding GRE Only L2 or GRE / L2 or GRE
L2 or GRE / L2 or GRE
L2 or GRE / L2 L2 only L2 only GRE Only
Forwarding Redirect List
Full extended ACL
Full extended ACL
Full extended ACL
Full extended ACL
No Redirect List Support
Extended ACL (no deny)
Full extended ACL
Direction In or Out / In
In only In or Out / In In or Out / In
In only In only In only
Return IP Forward , L2 or GRE
IP Forward, L2, WCCP GRE, or generic GRE
GRE, nGRE, L2, & IP Forward / No GRE
IP Forward or L2 / IP Forward
IP Forward or L2 / IP Forward
IP Forward or L2 / IP Forward
GRE
For Your Reference
Transparent Redirection and HTTPS
Symptoms:
• Successfully configured WCCP on the L3 Device
• Successfully connect to HTTP sites
• Cannot connect to HTTPS Sites
• Switching to explicit Proxy works fine for HTTP and HTTPS
Solution:
Activate HTTPS Proxy
Not necessary to decrypt the requests
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
Policy - Authentication
Policy objects can be managed from central access policy screen
First step is to define the Identity:
”For whom does this policy apply?”
Authentication
User Directory Web Security Appliance
Authentication Protocols
Directory:
LDAP or AD
Method:
Basic: Credentials are sent unencrypted
NTLMSSP: Challenge-Response
Tracking the User
IP based Surrogates
Cookie based Surrogates
User
NTLM Authentication
NTLM requires Account in the AD Domain
Credentials to create a computer account are used only once, not
stored on appliance
Currently only one domain is supported via NTLM
LDAP Authentication
LDAP queries on port 389 or 636 (Secure LDAP),
3268 (AD GC Server)
Need to know the Base DN Name Parameter
Can connect to multiple different domains
Authentication against LDAP
• Knowing the LDAP Base DN is fundamental
• Or check with „DSQUERY“ command on a MS AD
Authentication in Explicit Deployment
Web Security Appliance User Directory User
Proxy sends http response 407 (proxy auth. request)
Client recognizes the proxy
Client will then accept a http response 407 from the proxy
Works for HTTPS
Client sends a CONNECT request to the proxy
Client will then accept a 407 response from the proxy
http error 407
Authentication in Transparent Deployment
Web Security Appliance
User
User Directory
Client is not aware of a proxy -> http response 407 cannot be used
Need to use http response 401 – basic authentication
Client needs to be first redirected to the wsa
Internet
Internet Web
server
DEMO – WSA with transparent redirection
IE8/IE9 with Single-Sign On SSO on WSA correctly configured but Clients still getting prompted
Check if WSA Redirect Name is listed in „Trusted Sites“
Check „Security Settings“ on Trusted Sites and set to
„Automatic Logon with current user name and password“
Transparent User Identification (TUI) Web Security Release 7.5
Internet AD Controller w/ Agent
WSA
Switch w/ WCCP AD User
1 2
3
4
5 6
1. Client logs on to the AD Domain
2. Client request a Web Site
3. Traffic is transparently redirected to the WSA
4. WSA needs to authenticate and queries the AD Agent for the User/Group
5. AD Agent looks up the IP and delivers User/Group
6. Request is proxied and forwarded to the Internet
DEMO – WSA with Transparent User
Identification
Cisco Ironport WSA & IPv6 Support Current version of WSA does not yet support IPv6
Support is planned for Q4CY2012 IPv6 Support for explicit mode Transparent is depending on implementation on ISR, ASA and Switches, done in a later release
WSA will listen for connections both on IPv4 and IPv6
Admin can configure, if IPv4 or IPv6 should be prefered
Depending on Configuration, A-record or AAAA-record will be delivered
IPv6
IPv4
Internal IPv6
Internet
Sizing for WSA
• Main Parameter for sizing is “requests per second”
• Rule of thumb:
Each request/s is approx. 80-90 Kbps of HTTP traffic
Each Mbps of HTTP translates to approx. 10 requests/s
100 Mbps of sustained HTTP traffic is approx. 1000 requests/s
• Easy way to find out on a WSA: use the “rate” CLI command
This parameter allows a quite correct sizing depending on features together with the
Cisco SE
Sizing Table Example S370 Appliance
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Overview and Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
Websecurity through Cloudservice
Hosted Websecurity through
Cisco Scansafe Cloud Service
Central reporting and
administration through
Scancenter Portal
Data Flow with ScanSafe
Web requests
Allowed traffic
Filtered traffic
Internet
User
Client requests are redirected
to a proxy in the cloud
Requests are checked and
filtered
Clean requests are directed
back to the client
Scalability & Reliability
See BRKSEC-2346:
Inside the Scansafe Architecture
Billions of web requests per day
<50 ms latency
High-Availability Infrastructure
Parallel Processing
Outbreak Intelligence
<html>
<js>
<swf>
<pdf>
<jpg>
<web>
JAVA
Scanlet
Archive
Scanlet
Script
Scanlet
Scanlet
SWF
Scanlet
Win EXE
Scanlet
Multiple
AV
File
Anomaly
Scanlet
Phishing
Scanlet
Context
Scanlet
MF
Scanlet
META
Scanner
Parallel Processing in the
Scantower provides
maximum performance
Scanlets provide scanning for
malware through code
anomaly analysis
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Overview and Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
Corporate
Network
Challenge:Branch Office with local Breakout
Internet
VPN
Webtraffic destined for the central DC is sent via VPN Tunnel
Normal Webtraffic goes directly to the Internet
bandwidth saving in the central site
But how to secure the webtraffic?
ISR G2 with integrated Connector
61
Connector is integrated in the Cisco ISR G2 Router Platforms
No need to install Connector seperatly in branch networks
Redirect of the webtraffic is happening transparently for the user on the router
Provides Scantower redundancy
Provides User granularity
Authenticate User via NTLM (transparent authentication) or Basic (Prompt for Credentials)
NTLM works without prompting for IE, Firefox and Google Chrome
Internet
AD
Server BRKSEC-3007: Advanced Cisco IOS Security Features
ISR G2 with Integrated Connector
Simple Config
62
parameter-map type content-scan global
server scansafe primary name proxy100.scansafe.net port http
8080 https 8080
license 0 68668486389366986986968689698668
source interface FastEthernet8
timeout server 60
timeout session-inactivity 120
user-group munlab username tmayer
server scansafe on-failure block-all
interface FastEthernet8
description $WAN-Interface$
ip address dhcp client-id FastEthernet8
ip nat outside
content-scan out
Sizing and Scalability for ISR with Connector
3945E 3925E 3945 3925 2951 2921 2911 2901 1941 1921 891
No Auth 5000 5000 1200 900 600 500 400 350 350 300 120
Web Proxy 1200 1200 1200 900 600 500 400 350 350 300 120
HTTP Basic 1200 1200 1200 900 600 500 400 350 350 300 120
NTLM 1200 1200 1200 900 600 500 400 350 350 300 120 Ph
ase
II P
ha
se
I
ScanSafe Users Supported per ISR G2 Platform
For Your Reference
Phase 1: Feb 2012
Phase 2: May 2012
ASA ScanSafe Integration
AAA
Employees
ASA
AAA
Employees
ASA
Scansafe
Tower
Server
Internet
Headquarters Branch Office
Headquarters and Branch office
web traffic scanned by Scansafe
Both Headquarters and Branch
office web traffic whitelisted
• Proxy Settings are pushed to
browsers via Active Directory
GPO
• Browsers connect through
Firewall on port 8080 to Web
Security Service
• Firewall blocks all other GET
requests
• Provides Site/External IP
granularity
Browser Redirection via GPO / PAC file
Internet AD
Server
GPO Update
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Overview and Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
Easy ID
• Clientless User authentication via webbrowser
• User authenticates via Webportal
• Policies are applied from Scancenter Portal verifying User Name and Group through AD Connection
• AD Connection is done via LDAPS query from Scancenter to the LDAP Directory at customer site
• Scancenter is sending a cookie that is used for subsequent authentication
• Proxy Settings are pushed to browsers
via AD,GPO or PAC file to ScanSafe on
port 8080/443 to the Cloud based Tower
• Connector receives Client info and
queries Active Directory Server for Group
Information, then proxies to ScanSafe
upstream
• Set Firewall to block all other GET
requests
• Provides IP/End User/Group granularity
• Scalable up to 10000 Users per
Connector, depending on which HW it is
installed
Standalone Connector
Internet
AD
Server
Connector
• Installs a Network Driver which
binds to all connections (LAN,
Wireless, 3G)
• Automatic Peering Identifies
nearest ScanSafe Datacenter and
whether a connection is possible.
• AD information can be
remembered from when the user
was last on the corporate network
using the Gpresult API (group
policy)
Roaming Users
Proxy Firewall Hotspot
Client with
Websecurity
Web Security & AnyConnect
71
Supported on Windows &
MAC OS X
Client settings are controlled
via Profile
Profile can be centrally
distributed via the Scancenter
Portal
Web Security & AnyConnect
72
Single and modular client
VPN (SSL, IKEv2, Always-On,...)
802.1x (Wired, Wireless, MACSEC...)
Websecurity
Posture for VPN
Telemetry (SIO)
All modules can be used independently or
all together
If VPN Module is used, profile
management can be done centrally
through ASA
How Does it Work? Authenticates and directs your external client Web traffic to our
scanning infrastructure
Automatically connect to nearest Scantower
SSL encryption of all Web traffic sent improves security over public
networks (example: Firesheep Plugin for FF)
73
Web Security & AnyConnect Configuration for Web Security with VPN
74
Configured through a profile,
downloaded from ASA at connect
VPN is lower in the stack than the
Websecurity Module
Split tunnel Scansafe gateways in the
VPN Config (on the ASA)
Exclude Corporate adresses from
beeing forwarded to the scansafe
towers
Client with
Websecurity
Corporate
traffic
Internet
Web Security & AnyConnect Configuration Client Profile
Scanning Tower
selection
Proxy ports
For Your Reference
Web Security & AnyConnect Configuration – Client Profile
Exceptions for
authorized internal
proxies
Static Exceptions
like VPN
Gateways
Exceptions for
internal networks &
public websites to be
excluded from
scanning
Web Security & AnyConnect Configuration – Client Profile
Activate Beacon
Checking,
Deploy public key
Automatic selection
of nearest Scantower
For Your Reference
Web Security & AnyConnect Configuration – Client Profile
Authentication
Settings
License Key
For Your Reference
Web Security & AnyConnect Configuration for Web Security without VPN
Specify Client
Profile
Upload Client Profile
Scancenter Portal provides hosting of PAC file and / or Client Profile
Differentiate Usergroups due to usage of group keys
Key for
Authentication
Beacon Server for the AnyConnect
Web Security Module Beacon Server runs on an
internal Server
Client gets public key from
Beacon Server during
deployment
If the client has reachability
to the Beacon Server, client
module is deactivated
TND in ASA 9.0
DEMO – AnyConnect with Web Security
Scansafe & IPv6 Support
Current version of Web Security does not yet support IPv6
IPv6 traffic scanning can be excluded by adding “::/0” to Static
Exceptions
Full IPv6 Support will be added mid CY 2012 in two phases:
IPv6
IPv4
Internal IPv6
Internet
Internet
AC 3.1 or Standalone / integrated Connector
AC 3.1 or Standalone / integrated Connector
Agenda
• Overview Web Security
• Web Security with Cisco Ironport Web Security – Critical Functionalities
– Places in the Network
– Authentication
• Web Security with Cisco Scansafe – Critical Functionalities
– Places in the Network
– Authentication
• The Road to Hybrid Security
Secure Mobility Future – Hybrid Security
Internet
Remote User
w/
AnyConnect
Client 3.0
Corporate
Network
Cisco ASA Cisco WSA
Internet traffic
secure through web
security cloud
service
Corporate traffic
secure through
tunnel and WSA
Consistent Policy
and Monitoring
Hybrid Security – what has been done and what lies ahead
Unification of URL Databases
AVC integration
Connector Integration in ISR G2 Router
Unification of features – Q1/Q2 CY2012 Application visibility and control
Web Reputation
Connector Integration in ASA – Q3 CY2012
Connector Integration in WSA
Provide common management
Provide common logging and reporting
Summary
Cisco Web Security Solution leverages a comprehensive
architected featurelist to protect the dynamic
environment from the ubiquitios web 2.0 world.....
Or...
Cisco Web Security Solution simply ROCK!
Q&A
#CiscoPlusCA
Follow @CiscoCanada and join the #CiscoPlusCA conversation
Access today‟s presentations at cisco.com/ca/plus
We value your feedback. Please be sure to complete the Evaluation Form for this session.
Thank you.
top related