Web Security Deployment

Web SecurityDeployment Ryan Wager Technical Marketing Engineer

Agenda• Overview Web Security• Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication• Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication• The Road to Hybrid Security – Secure Mobility

Today„s Websites...

Appliance or Cloud?

Agenda• Overview Web Security• Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication• Web Security with Cisco Scansafe – Critical Functionalities – Places in the Network – Authentication• The Road to Hybrid Security

Cisco Web Security Appliance Web Proxy incl. Caching (http,https, ftp, ftp over http) Rich security functionalities Reputation filtering Malware scanning URL Filtering Application visibility & control HTTPS inspection Authentication Reporting and tracking L4TM ...more to come!

Web Application Control Many Applications work on top of HTTP traffic Applications are detected and controlled by special Signatures Those Signatures are downloaded dynamically via regular Signature Updates from Cisco No reboot or manual installation required!

About Reputation Cisco SIO gathers statistical informations from Cisco Products and other resources Cisco SIO correlates informations Updated informations are delivered back to appliances Each IP / URL gets a score, ranging from -10 to +10 External Outbreak Intelligence feeds Web Email ASA IPS

About Reputation Malicious websites are tracked globally through SIO WSA evaluates each webrequest against the defined reputation score Reputation score and action is configured on WSA

Network Participation Admin can define the level of participation Requested URL with result is sent back User information and internal networks are not sent Disabled: No information is sent to Cisco SIO Database Limited: Server URL of request, hash of path segments Standard: Server URL and all path segments are sent back

Explicit Proxy  Client requests a website  Browser connects first to WSA  WSA connects to website  Firewall usually only allows webtraffic for proxy Web Security Appliance Internet Web server Internet ASA 5500 Firewall

How does the Browser find the Proxy?  Proxy setting in the browser  Static definition with IP/NAME and PORT

How does the Browser find the Proxy? Automatic Configuration via PAC File function FindProxyForURL(url, host) { return "PROXY 192.168.1.80:3128"; } function FindProxyForURL(url, host) { return "PROXY 192.168.1.80:3128; 192.168.1.81:3128"; } http://www.findproxyforurl.com/

PAC Deployment  Via AD and GPO  Via script  Via manual setting  Via DHCP DHCP Option 252  Via Wpad Server

WPAD Server  WPAD Server hosts PAC file as wpad.dat  File is retrieved via HTTP and Javascript  Automatic Settings creates a lookup on a server called „wpad“

Transparent Proxy via WCCP  Client requests a website  Browser tries to connect to Website  Network Device redirects traffic to WSA using WCCP  WSA proxies the request Web Security Appliance Internet Web server Internet ASA 5500 Firewall

Background on WCCP WCCPv1 developed in 1997 by Cisco Systems and publicly released in July 2000 WCCPv2 published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing – Enhancements • Configurable WCCP Router ID • WCCP Variable Timers – Improved Failover • Improved Interaction between WCCP and NetFlow WCCPv3 is an internal specification targeted at IPv6 that was never released

DetailsAssignmentThe WCCP assignment method is used to determine which WCCP traffic and which WCCP device is chosen for the destination traffic.WCCP can use two types of Assignment Methods: Hash and Mask.• Hash Based Assignment Uses a software based hash algorithm to determine which WCCP appliance receives traffic. In hardware based platforms the Netflow table is used to apply hardware assistance.• Mask Based Assignment Uses the ACL TCAM to assign WCCP entities. This method is fully handled by hardware.

DetailsRedirect and Return• Redirect Method – WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client (WSA, Cache,…) – Layer 2 - Frame MAC address rewritten to MAC of WCCP Client• Return Method The Return method determines how the traffic will be sent back from the router to the WCCP appliance if the traffic could not be serviced. Refered to as “Proxy Bypass” – WCCP GRE – Packet WCCP GRE returned router – WCCP Layer 2 – Frame rewritten to router MAC

Details Assignment• The following best practices should be followed for implementing WCCP on a software-based platform: – GRE Forwarding (Default) – Hash Assignment (Default) – Inbound or Outbound Interception – "ipwccp redirect exclude in" on WCCP client interface (outbound interception only)• The following best practices should be followed for implementing WCCP on a hardware-based platform: – L2 Forwarding – Mask Assignment – Inbound Interception – No "ipwccp redirect exclude in"

WCCP input redirect WCCP Input redirect Ingress Egress Interface Interface

WCCP output redirect and input exclude WCCP Output redirect Ingress Egress Interface Interface WCCP Exclude-in

How WCCP registration works 1. Registration 2. „Here I am“ 3. „I see you“ WCCP Server WCCP Client The WCCP client registers at the WCCP Server Both, Server and Client need to use the same WCCP Service Group ID One WCCP Server usually can server multiple Clients Server and Client exchange „here i am“ and „I see you“ Packets to check availability  UDP/2048, unicast  Multicast possible Traffic is redirected from Server to one or multiple Clients using the „hash“ or „mask“ algorithm

WCCP ProtocolFailover When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally Buckets 86–128 Buckets 129–170 Buckets 1–85 Buckets 86–170 Buckets 171–255 A X B C

Using WCCP for Traffic Redirection  WCCPv2 support is availible on many Cisco Platforms: L3 Switches, Routers, ASA 5500 Security Appliance  Cisco Ironport WSA supports all redirect and assign methods (software implementation)  Method to use will be negotiated

WCCP For Your Reference Platform Recommendations Function Software ASR 1000 Cat 6500 Cat 6500 ASA 5500 Support / ISR & 7200 Sup720 Sup32 Sup2 Cat 4500 Cat 3750 RecommendAssignment Hash Only Mask Only Mask or Hash / Mask or Hash Mask only Mask only Hash only Mask / MaskForwarding GRE Only L2 or GRE / L2 L2 or GRE / L2 or L2 or GRE / L2 L2 only L2 only GRE Only or GRE GREForwarding Full extended Full extended Full extended Full extended No Redirect Extended FullRedirect List ACL ACL ACL ACL List Support ACL (no extended deny) ACLDirection In or In only In or Out / In In or In only In only In only Out / In Out / InReturn IP Forward , IP Forward, L2, GRE, nGRE, L2, IP Forward or IP Forward IP Forward GRE L2 or GRE WCCP GRE, or & IP Forward / L2 / IP or L2 / IP or L2 / IP generic GRE No GRE Forward Forward Forward

Transparent Redirection and HTTPSSymptoms:• Successfully configured WCCP on the L3 Device• Successfully connect to HTTP sites• Cannot connect to HTTPS Sites• Switching to explicit Proxy works fine for HTTP and HTTPSSolution: Activate HTTPS Proxy Not necessary to decrypt the requests

Policy - Authentication Policy objects can be managed from central access policy screen First step is to define the Identity: ”For whom does this policy apply?”

Authentication User Web Security Appliance User Directory Authentication Protocols Directory: LDAP or AD Method: Basic: Credentials are sent unencrypted NTLMSSP: Challenge-Response Tracking the User IP based Surrogates Cookie based Surrogates

NTLM Authentication  NTLM requires Account in the AD Domain  Credentials to create a computer account are used only once, not stored on appliance  Currently only one domain is supported via NTLM

LDAP Authentication LDAP queries on port 389 or 636 (Secure LDAP), 3268 (AD GC Server) Need to know the Base DN Name Parameter Can connect to multiple different domains

Authentication against LDAP• Knowing the LDAP Base DN is fundamental• Or check with „DSQUERY“ command on a MS AD

Authentication in Explicit Deployment User Web Security Appliance User Directory http error 407 Proxy sends http response 407 (proxy auth. request) Client recognizes the proxy Client will then accept a http response 407 from the proxy Works for HTTPS Client sends a CONNECT request to the proxy Client will then accept a 407 response from the proxy

Authentication in Transparent Deployment User Internet Web server Internet User Directory Web Security Appliance Client is not aware of a proxy -> http response 407 cannot be used Need to use http response 401 – basic authentication Client needs to be first redirected to the wsa

DEMO – WSA with transparent redirection

IE8/IE9 with Single-Sign On SSO on WSA correctly configured but Clients still getting prompted Check if WSA Redirect Name is listed in „Trusted Sites“ Check „Security Settings“ on Trusted Sites and set to „Automatic Logon with current user name and password“

Transparent User Identification (TUI) Web Security Release 7.51. Client logs on to the AD Domain2. Client request a Web Site3. Traffic is transparently redirected to the WSA4. WSA needs to authenticate and queries the AD Agent for the User/Group5. AD Agent looks up the IP and delivers User/Group6. Request is proxied and forwarded to the Internet 4 6 AD Controller w/ Agent 5 WSA Internet 3 1 2 AD User Switch w/ WCCP

DEMO – WSA with Transparent UserIdentification

Cisco Ironport WSA & IPv6 Support Current version of WSA does not yet support IPv6 Support is planned for Q4CY2012 IPv6 Support for explicit mode Transparent is depending on implementation on ISR, ASA and Switches, done in a later release WSA will listen for connections both on IPv4 and IPv6 Admin can configure, if IPv4 or IPv6 should be prefered Depending on Configuration, A-record or AAAA-record will be delivered IPv6 Internal IPv6 Internet IPv4

Sizing for WSA• Main Parameter for sizing is “requests per second”• Rule of thumb: Each request/s is approx. 80-90 Kbps of HTTP traffic Each Mbps of HTTP translates to approx. 10 requests/s 100 Mbps of sustained HTTP traffic is approx. 1000 requests/s• Easy way to find out on a WSA: use the “rate” CLI command This parameter allows a quite correct sizing depending on features together with the Cisco SE

Sizing Table ExampleS370 Appliance

Agenda• Overview Web Security• Web Security with Cisco Ironport Web Security – Critical Functionalities – Places in the Network – Authentication• Web Security with Cisco Scansafe – Overview and Critical Functionalities – Places in the Network – Authentication• The Road to Hybrid Security

Websecurity through Cloudservice Hosted Websecurity through Cisco Scansafe Cloud Service Central reporting and administration through Scancenter Portal

Data Flow with ScanSafe Client requests are redirected to a proxy in the cloud Internet Requests are checked and filtered Clean requests are directed back to the client Web requests Allowed traffic Filtered traffic User

Scalability & Reliability Billions of web requests per day <50 ms latency High-Availability Infrastructure Parallel ProcessingSee BRKSEC-2346:Inside the Scansafe Architecture

Outbreak Intelligence SWF Scanlet <html> JAVA Phishing Scanlet Scanlet Win EXE <js> Scanlet Archive Context META Scanlet Scanlet Scanner <swf> Multiple<web> AV Script MF Scanlet Scanlet <pdf> File Anomaly  Parallel Processing in the PDF Scanlet <jpg> Scanlet Scantower provides maximum performance  Scanlets provide scanning for malware through code anomaly analysis

Challenge:Branch Office with local Breakout Corporate Internet Network VPN Webtraffic destined for the central DC is sent via VPN Tunnel Normal Webtraffic goes directly to the Internet bandwidth saving in the central site But how to secure the webtraffic?

ISR G2 with integrated Connector Connector is integrated in the Cisco ISR G2 Router Platforms No need to install Connector seperatly in branch networks Internet Redirect of the webtraffic is happening transparently for the user on the router Provides Scantower redundancy Provides User granularity  Authenticate User via NTLM (transparent authentication) or Basic (Prompt for Credentials)  NTLM works without prompting for IE, Firefox and Google Chrome AD ServerBRKSEC-3007: Advanced Cisco IOS Security Features 61

ISR G2 with Integrated ConnectorSimple Configparameter-map type content-scan global server scansafe primary name proxy100.scansafe.net port http8080 https 8080 license 0 68668486389366986986968689698668 source interface FastEthernet8 timeout server 60 timeout session-inactivity 120 user-group munlab username tmayer server scansafe on-failure block-allinterface FastEthernet8 description $WAN-Interface$ ip address dhcp client-id FastEthernet8 ip nat outside content-scan out 62

Sizing and Scalability for ISR with Connector  Phase 1: Feb 2012 For Your Reference  Phase 2: May 2012 ScanSafe Users Supported per ISR G2 Platform 3945E 3925E 3945 3925 2951 2921 2911 2901 1941 1921 891Phase II Phase I No Auth 5000 5000 1200 900 600 500 400 350 350 300 120 Web Proxy 1200 1200 1200 900 600 500 400 350 350 300 120 HTTP Basic 1200 1200 1200 900 600 500 400 350 350 300 120 NTLM 1200 1200 1200 900 600 500 400 350 350 300 120

ASA ScanSafe Integration Headquarters and Branch office Internet web traffic scanned by Scansafe Both Headquarters and Branch Scansafe Google office web traffic whitelisted Tower Server AAA AAA ASA ASA Employees Employees Headquarters Branch Office

Browser Redirection via GPO / PAC file• Proxy Settings are pushed to browsers via Active Directory Internet GPO AD• Browsers connect through Server Firewall on port 8080 to Web Security Service• Firewall blocks all other GET GPO Update requests• Provides Site/External IP granularity

Easy ID • Clientless User authentication via webbrowser • User authenticates via Webportal • Policies are applied from Scancenter Portal verifying User Name and Group through AD Connection • AD Connection is done via LDAPS query from Scancenter to the LDAP Directory at customer site • Scancenter is sending a cookie that is used for subsequent authentication

Standalone Connector• Proxy Settings are pushed to browsers via AD,GPO or PAC file to ScanSafe on port 8080/443 to the Cloud based Tower• Connector receives Client info and Internet queries Active Directory Server for Group Connector Information, then proxies to ScanSafe upstream• Set Firewall to block all other GET requests• Provides IP/End User/Group granularity• Scalable up to 10000 Users per AD Connector, depending on which HW it is Server installed

Roaming Users• Installs a Network Driver which binds to all connections (LAN, Wireless, 3G)• Automatic Peering Identifies nearest ScanSafe Datacenter and whether a connection is possible. Proxy Firewall Hotspot• AD information can be remembered from when the user was last on the corporate network using the Gpresult API (group policy) Client with Websecurity

Web Security & AnyConnect Supported on Windows & MAC OS X Client settings are controlled via Profile Profile can be centrally distributed via the Scancenter Portal 71

Web Security & AnyConnect Single and modular client VPN (SSL, IKEv2, Always-On,...) 802.1x (Wired, Wireless, MACSEC...) Websecurity Posture for VPN Telemetry (SIO) All modules can be used independently or all together If VPN Module is used, profile management can be done centrally through ASA 72

How Does it Work? Authenticates and directs your external client Web traffic to our scanning infrastructure Automatically connect to nearest Scantower SSL encryption of all Web traffic sent improves security over public networks (example: Firesheep Plugin for FF) 73

Web Security & AnyConnect Configuration for Web Security with VPN Configured through a profile, downloaded from ASA at connect VPN is lower in the stack than the Websecurity Module Internet Split tunnel Scansafe gateways in the Corporate VPN Config (on the ASA) traffic Exclude Corporate adresses from beeing forwarded to the scansafe Client with towers Websecurity 74

Web Security & AnyConnect ConfigurationClient Profile For Your Reference Scanning Tower selection Proxy ports

Web Security & AnyConnect Configuration –Client Profile Exceptions for internal networks & public websites to be excluded from scanning Exceptions for authorized internal proxies Static Exceptions like VPN Gateways

Web Security & AnyConnect Configuration – For YourClient Profile Reference Automatic selection of nearest Scantower Activate Beacon Checking, Deploy public key

Web Security & AnyConnect Configuration – For YourClient Profile Reference License Key Authentication Settings

Web Security & AnyConnectConfiguration for Web Security without VPN Scancenter Portal provides hosting of PAC file and / or Client Profile Differentiate Usergroups due to usage of group keys Upload Client Profile Specify Client Profile Key for Authentication

Beacon Server for the AnyConnectWeb Security Module Beacon Server runs on an internal Server Client gets public key from Beacon Server during deployment If the client has reachability to the Beacon Server, client module is deactivated TND in ASA 9.0

DEMO – AnyConnect with Web Security

Scansafe & IPv6 Support Current version of Web Security does not yet support IPv6 IPv6 traffic scanning can be excluded by adding “::/0” to Static Exceptions IPv6 Full IPv6 Support will be added mid CY 2012 in two phases: Internal IPv6 IPv4 Internet AC 3.1 or Standalone / integrated Connector Internet AC 3.1 or Standalone / integrated Connector

Secure Mobility Future – Hybrid Security Internet traffic Remote User w/ secure through web AnyConnect security cloud Client 3.0 service Corporate traffic Internet secure through Cisco WSA Cisco ASA tunnel and WSA Consistent Policy Corporate and Monitoring Network

Hybrid Security –what has been done and what lies ahead  Unification of URL Databases  AVC integration  Connector Integration in ISR G2 Router  Unification of features – Q1/Q2 CY2012 Application visibility and control Web Reputation  Connector Integration in ASA – Q3 CY2012  Connector Integration in WSA  Provide common management  Provide common logging and reporting

Summary  Cisco Web Security Solution leverages a comprehensive architected featurelist to protect the dynamic environment from the ubiquitios web 2.0 world..... Or...  Cisco Web Security Solution simply ROCK! 

Q&A #CiscoPlusCA

We value your feedback.Please be sure to complete the Evaluation Form for this session. Access today‟s presentations at cisco.com/ca/plus Follow @CiscoCanada and join the #CiscoPlusCA conversation

Thank you.

Web Security Deployment

by Cisco Canada on Jun 01, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Web Security Deployment Presentation Transcript