Bill Yazji – Consulting Security Engineer
BRKSEC-3771
Advanced Web Security: Deployment, Troubleshooting and Advanced Threat with WSA
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
• Introduction
• WSA Deployment Considerations
• Troubleshooting Performance
• AMP & Threat Grid on the WSA
• Cognitive Threat Analytics on the WSA
• Conclusion / Q&A
About Your Speaker
• Consulting Security Engineer for Enterprise Accounts – Central US
• 18 years of security and networking experience (8 with Cisco)
• Lead for Advanced Threat Technical Advisory Group
• Prior to Cisco…
• Cisco Competitor in Web Security Space
• Network and Security Consultant
• Large Design, Deployments, Integrations, and Troubleshooting
• Lives in Kenosha, WI (in between Chicago and Milwaukee)
Important: Hidden Slide Alert
Look for the “For Your Reference” symbol in your PDFs: there is a tremendous amount of hidden content for you to use later!
Cisco WebEx Teams
Questions? Use Cisco WebEx Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
WebEx Teams will be moderated by the speaker until June 18, 2018.
cs.co/ciscolivebot#BRKSEC-3771
Deploying WSA
Questions you’ll be able to answer after this section:
• How do explicit and transparent proxy redirections function?
• What redirection methods does the WSA support?
• What is IP spoofing and when do I use it?
Explicit Proxy At-A-Glance
• Pros
  • Most web-enabled applications support NTLM-enabled proxy-style authentication
  • Easier for the network/security admin to troubleshoot, as the traffic flow is easy to review via packet capture
  • Ability to offer load balancing without any external hardware (via proxy.pac)
  • The “AutoDetect” proxy setting will work simply with DNS and DHCP (Option 252) settings
  • May be able to remove the default route on the network, which can help with security by keeping rogue applications from finding their way out
  • Easy to test during pre-deployment
• Cons
  • Requires a solid AD architecture design to facilitate an easy staged deployment
  • More interaction with the server team for GPO rollouts
  • Deployment back-out dependent on AD/GPO update policy/frequency
  • Manual configuration required for non-domain-controlled workstations
  • Easier to circumvent
Explicit Proxy with IPv4 & IPv6
• Client requests a website
• Browser connects first to WSA using IPv4 or IPv6
• WSA does DNS lookup – A and/or AAAA record returned
• Depending on the WSA setting, the WSA builds the outgoing connection either on IPv4 or IPv6
• Firewall usually only allows web traffic for the proxy
[Diagram: client → Web Security Appliance → ASA Firewall → Internet web server, with IPv4 and IPv6 paths]
Explicit Mode with IPv4 & IPv6
Setting IPv6 Addresses on Interface
Explicit Mode with IPv4 & IPv6
Setting Routes
Explicit Mode with IPv4 & IPv6
Setting DNS Server
• Which protocol should be preferred in case both an A and an AAAA record are returned?
• Can add IPv4 and IPv6 DNS servers
Redundancy using CARP
Common Address Redundancy Protocol
[Diagram: two WSAs on one L2 network share a virtual IP toward the Internet]
• CARP provides a virtual IP
• Works with IPv4 and IPv6
• Requires L2 connectivity
• Communication done via multicast
• One Master, multiple Slaves
• Useful when no hardware load balancer exists for explicit deployments
Redundancy using CARP (2)
Redundancy Group for IPv4 & IPv6
Redundancy using CARP (3)
Higher Value = Master
Redundancy using CARP (4)
Testing via CLI – “FAILOVERCONFIG”
Redundancy using CARP (5)
Testing via CLI – “TESTFAILOVERGROUP”
CARP uses multicast for keepalive
PAC File Configuration
• Plain text file written in JavaScript language
• Capitalization usage within file not required
• Generally served via HTTP from a server
• Example 1: Simplest Example
• PROXY wsa.customer.com:3128
• Use proxy wsa.customer.com over port 3128
PAC File Configuration
Failover with PAC
• Example 2: Fail Over
PROXY wsa1.customer.com:3128; PROXY wsa2.customer.com:3128; DIRECT
• Use wsa1; if wsa1 is unresponsive use wsa2; if wsa2 is unresponsive do not use a proxy and go direct
PAC File Configuration
Load Balancing with PAC
• Example 3: Two Proxies
function FindProxyForURL(url, host) {
    // URLhash() is not a standard PAC helper; the PAC file must define it
    var ret = URLhash(url);
    if ((ret % 2) == 0) {
        return "PROXY wsa1:3128";
    } else {
        return "PROXY wsa2:3128";
    }
}
• Example 4: Three Proxies
function FindProxyForURL(url, host) {
    var ret = URLhash(url);
    if ((ret % 3) == 0) {
        return "PROXY wsa3:3128";
    } else {
        if ((ret % 2) == 0) {
            return "PROXY wsa1:3128";
        } else {
            return "PROXY wsa2:3128";
        }
    }
}
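A complete PAC file that combines the failover chain of Example 2 with the hash-based balancing of Examples 3 and 4, as an added example (not code from the deck). It assumes placeholder proxy names, and it defines URLhash() itself because that function is not one of the standard PAC helpers.

```javascript
// Added example, not code from the Cisco Live deck: a complete PAC file that
// combines the deck's failover chain (Example 2) with its URL-hash load
// balancing (Examples 3/4). Assumptions: the proxy names are placeholders,
// and URLhash() is defined here because it is not one of the standard PAC
// helper functions (isPlainHostName, shExpMatch, dnsDomainIs, ...).

var PROXIES = [
  "wsa1.customer.com:3128",
  "wsa2.customer.com:3128",
  "wsa3.customer.com:3128",
];

// Appending "; DIRECT" (as in the deck's Example 2) fails open: clients
// bypass the proxy entirely when every WSA is unreachable.
var FAIL_OPEN = false;

// 32-bit FNV-1a hash of a string, written with shifts only so it runs in
// older PAC engines that lack Math.imul. Every client computes the same
// value for the same URL, so the balancing is stable across the fleet.
function URLhash(str) {
  var h = 0x811c9dc5;
  for (var i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h += (h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24); // h *= 16777619
    h >>>= 0;
  }
  return h;
}

// Order the proxy list so that the URL's hash picks the first choice and the
// remaining WSAs act as failover, e.g. "PROXY wsa2...; PROXY wsa3...; PROXY
// wsa1...". Hashing `host` instead of the full URL would keep one site (and
// its authentication surrogate) on the same WSA.
function proxyChainFor(url) {
  var n = PROXIES.length;
  var start = URLhash(url) % n;
  var parts = [];
  for (var i = 0; i < n; i++) {
    parts.push("PROXY " + PROXIES[(start + i) % n]);
  }
  if (FAIL_OPEN) {
    parts.push("DIRECT");
  }
  return parts.join("; ");
}

// Browser entry point. Plain host names (no dot) are treated as intranet and
// go direct; everything else is spread across the WSAs.
function FindProxyForURL(url, host) {
  if (host.indexOf(".") === -1) {
    return "DIRECT";
  }
  return proxyChainFor(url);
}
```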
Transparent Proxy At-A-Glance
• Pros
  • Generally no need to touch the end user device for authentication (possibly may need to edit Intranet zone security settings)
  • Able to force all traffic to the proxy if desired, without end user interaction
  • Staggered/staged deployment easy with the usage of WCCP ACLs
  • May reduce the need for usage of the SOCKS client
  • Load balancing inherent without usage of hardware load balancers/PAC file
  • Easy to back out during deployment (simply remove redirection)
• Cons
  • Auth, auth, auth!!! Generally, only web browsers are able to handle the style of authentication required for transparent connections. Requires heavier use of IP surrogates, which may not be favorable/possible due to network configuration – and cookie surrogates aren’t shared between browsers/applications.
  • WCCP can sometimes be cumbersome to enable; requires review of the routing/switching code.
  • Did I mention authentication?
Transparent Proxy via WCCP
• Client requests a website
• DNS Resolution is done by the client
• Browser tries to connect to Website (follows default route)
• Network Device redirects traffic to WSA using WCCP
• WSA proxies the request (and does its own DNS query)
[Diagram: client → network device with WCCP redirect → Web Security Appliance → ASA Firewall → Internet web server, with IPv4 and IPv6 paths]
WCCP Details
Assignment
• The WCCP assignment method determines which WCCP client (appliance) receives a given redirected flow.
• WCCP can use two types of assignment method: Hash and Mask.
• Hash-based assignment: uses a software-based hash algorithm to determine which WCCP appliance receives traffic. On hardware-based platforms the NetFlow table is used to apply hardware assistance.
• Mask-based assignment: uses the ACL TCAM to assign WCCP entities. This method is fully handled in hardware.
WCCP input redirect (wccp-in)
[Diagram: WCCP input redirect applied on the ingress interface, before traffic reaches the egress interface]
WCCP output redirect and input exclude
[Diagram: WCCP output redirect applied on the egress interface, WCCP exclude-in applied on the ingress interface]
How WCCP registration works
• The WCCP client registers with the WCCP server
• Both server and client need to use the same WCCP service group ID
• One WCCP server can usually serve multiple clients
• Server and client exchange “Here I Am” and “I See You” packets to check availability
  • UDP/2048, unicast
  • Multicast possible
• Traffic is redirected from the server to one or multiple clients using the hash or mask algorithm
[Diagram: WCCP client (WSA/proxy) and WCCP server: 1. Registration, 2. Here I Am, 3. I See You]
WCCP Protocol
Load balancing and Redundancy
[Diagram: hash buckets 1–85, 86–170 and 171–255 assigned to WCCP clients A, B and C; when B fails (X), its buckets 86–128 and 129–170 are split between the remaining clients]
• When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group
• If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally
Using WCCP for Traffic Redirection
• WCCPv2 support is available on many Cisco platforms; WCCPv2.01 is IPv6 capable
• WSA supports & negotiates all redirect and assign methods (software implementation)
• Multiple WSAs elect a “Designated Web Cache” (DWC), the lowest IP in the cluster, which negotiates the method
• WCCP Weighting **new** in v10.5
WCCP Weighted Load Balancing - Solution
• WCCP-WLB: the WCCP deployment is capable of differential load balancing based on customer needs, i.e., the WCCP head-end device can now redirect a larger percentage of traffic to higher-end models of WSA when compared to lower-end models.
• The WCCP protocol allows web caches (i.e., WSAs) to advertise their “Assignment Weight”, which can be used for load balancing. By configuring the appropriate “Assignment Weight” on the WSA, an administrator should be able to redirect a higher traffic load towards higher-capacity boxes and vice versa.
WCCP WLB
What do the various weights mean?
WCCP weight on WSA | Description
Assignment weight | 8-bit number which can take a value between 0 and 255.
Default assignment weight | 1, which means that traffic will be uniformly redirected to all the WSAs in the WCCP service group.
Older release compatibility* | To ensure compatibility with older releases, the WebUI reflects an assignment weight of “1” as the default value.
How does Weighted Load Balancing Work?
Assume that there are 4 WSA's participating in the service group:
WSA - Weights
WSA1- 1
WSA2- 2
WSA3- 3
WSA4- 4
The designated WSA should first calculate the total = 1+2+3+4 = 10
Then should assign 1/10th of the load to WSA1, 2/10th of the load to WSA2, 3/10th of the
load to WSA3 and 4/10th of the load to WSA4.
In case Hash bucket algorithm is being used to balance load:
WSA1 should get 1/10th of the available hash buckets - (1/10) X 255
WSA2 should get 2/10th of the available hash buckets - (2/10) X 255
WSA3 should get 3/10th of the available hash buckets - (3/10) X 255
WSA4 should get 4/10th of the available hash buckets - (4/10) X 255
WCCP Weighted Load Balancing
Failure Handling
Assume that WSA4 went down in this example. Now there will only be 3 WSAs participating in the service group:
WSA - Weights
WSA1- 1
WSA2- 2
WSA3- 3
WSA4- 4 (down)
Total of weights = 6
The designated WSA should recalculate the load distribution pattern for the service group as follows:
In case the hash bucket algorithm is being used to balance load:
WSA1 should get 1/6th of the available hash buckets - (1/6) X 255
WSA2 should get 2/6th of the available hash buckets - (2/6) X 255
WSA3 should get 3/6th of the available hash buckets - (3/6) X 255
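The bucket arithmetic from the two weighted-load-balancing slides above, carried through as an added example that is not Cisco's implementation: it divides the hash buckets by assignment weight, maps a bucket back to its WSA, and recomputes the split when WSA4 drops out. The member names, the largest-remainder rounding and the 256-bucket count (WCCPv2 hash assignment uses buckets 0–255; the slides multiply by 255) are assumptions.

```javascript
// Added example, not Cisco's code: how a designated web cache could divide
// WCCP hash buckets by assignment weight and re-divide them after a failure.
// Assumptions: WCCPv2 hash assignment has 256 buckets (0-255), leftover
// buckets go to the members with the largest fractional share, and
// WSA1..WSA4 with weights 1..4 is the service group from the slides.

var HASH_BUCKETS = 256;

// weights: {name: weight}, each weight 0..255 as advertised by the WSA.
// Returns {name: bucketCount} with every bucket allotted to exactly one WSA.
function allotBuckets(weights, buckets) {
  buckets = buckets || HASH_BUCKETS;
  var names = Object.keys(weights).sort();
  var total = 0;
  names.forEach(function (n) {
    if (weights[n] < 0 || weights[n] > 255) throw new Error("weight out of range: " + n);
    total += weights[n];
  });
  if (total === 0) throw new Error("no member has a non-zero weight");
  var result = {}, remainders = [], assigned = 0;
  names.forEach(function (n) {
    var exact = weights[n] * buckets / total;   // e.g. 1/10 * 256 = 25.6
    result[n] = Math.floor(exact);
    assigned += result[n];
    remainders.push({ name: n, frac: exact - result[n] });
  });
  // Hand the leftover buckets to the members with the largest fractional
  // share (ties broken by name) so the total is exactly `buckets`.
  remainders.sort(function (a, b) { return b.frac - a.frac || (a.name < b.name ? -1 : 1); });
  for (var i = 0; assigned < buckets; i++, assigned++) result[remainders[i].name] += 1;
  return result;
}

// Lay the counts out as contiguous ranges, like the slide's
// "Buckets 1-85 / 86-170 / 171-255" diagram (0-based here).
function bucketRanges(allotment) {
  var ranges = [], next = 0;
  Object.keys(allotment).sort().forEach(function (n) {
    if (allotment[n] > 0) {
      ranges.push({ name: n, first: next, last: next + allotment[n] - 1 });
      next += allotment[n];
    }
  });
  return ranges;
}

// Which WSA serves a given bucket (e.g. the hash of a client address)?
function memberForBucket(ranges, bucket) {
  for (var i = 0; i < ranges.length; i++) {
    if (bucket >= ranges[i].first && bucket <= ranges[i].last) return ranges[i].name;
  }
  return null;
}

// Recompute after a member stops answering "Here I Am" keepalives.
function withoutMember(weights, failed) {
  var remaining = {};
  Object.keys(weights).forEach(function (n) { if (n !== failed) remaining[n] = weights[n]; });
  return allotBuckets(remaining);
}

// The slides' service group: weights 1, 2, 3, 4 (total 10).
var GROUP = { WSA1: 1, WSA2: 2, WSA3: 3, WSA4: 4 };
```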
Using WCCP for Traffic Redirection
• Load Balance based on CLIENT address for best performance
Using WCCP for Traffic Redirection (2)
• Performance Considerations:
• MASK (HW) > HASH (SW)
• HW has to take TCAM Resources into consideration
• L2 (HW) > GRE (SW)
• Use GRE if WSA is located in other subnet
• Check if Device can do GRE in HW
• Use L2 if WSA and WCCP Device are in same subnet
WCCP Protocol - Service Group
• The routers/switches and WCCP clients participating in a WCCP service constitute a service group
• Up to 32 routers per service group
• Up to 32 WCCP clients per service group
• Each service group is established and maintained using separate protocol message exchanges
• Service definition must be the same for all members of the service group
WCCP with L3 Switch
L2 Redirect
[Diagram: clients on VLAN10, WSA on VLAN11, L3 switch toward the Internet]
sdm prefer routing
ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ip wccp 91 redirect in
Use the template “access”, “routing” or “dual-ipv4/ipv6 routing”. WCCP shares the same TCAM region as PBR!
WCCP with L3 Switch
L2 Redirect
Recommendations:
• Assign a separate VLAN for the connection to the WSA!
• The redirect ACL only allows “permit” statements on the 3560/3750 Series! 12.2(58) added support for “deny”.
• If the 3560/3750 is stacked, configure WCCP on the stack master!
[Diagram: clients on VLAN10, WSA on VLAN40, L3 switch toward the Internet]
WCCP IPv6
[Diagram: clients on VLAN10, WSA on VLAN40, L3 switch toward the Internet]
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ipv6 address 2001:db8:1:10::66/64
 ipv6 nd ra suppress
 ipv6 wccp 91 redirect in
!
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq 443
WCCP IPv6 & IPv4
[Diagram: clients on VLAN10, WSA on VLAN40, L3 switch toward the Internet]
ip wccp 90 redirect-list wsav4
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ipv6 address 2001:db8:1:10::66/64
 ipv6 nd ra suppress
 ip wccp 90 redirect in
 ipv6 wccp 91 redirect in
!
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq 443
!
ip access-list extended wsav4
 permit tcp any any eq 80
 permit tcp any any eq 443
Different service groups for IPv4 & IPv6
WCCP IPv6 & IPv4 – WSA Side of things….
In Dual-Stack Environments, two WCCP Service Groups are required.
WCCP IPv6 & IPv4 – WSA Side of things….
IPv6 Address of the Switch / Router
WCCP with L3 Switch – IPv4
munlab-3560X#show ip wccp 91 detail
WCCP Client information:
WCCP Client ID: 172.16.10.100
Protocol Version: 2.0
State: Usable
Redirection: L2
Packet Return: L2
Packets Redirected: 0
Connect Time: 01:02:16
Assignment: MASK
Mask SrcAddr DstAddr SrcPort DstPort
---- ------- ------- ------- -------
0000: 0x00000000 0x00000526 0x0000 0x0000
Value SrcAddr DstAddr SrcPort DstPort CE-IP
----- ------- ------- ------- ------- -----
0000: 0x00000000 0x00000000 0x0000 0x0000 0xAC100A64 (172.16.10.100)
0001: 0x00000000 0x00000002 0x0000 0x0000 0xAC100A64 (172.16.10.100)
0002: 0x00000000 0x00000004 0x0000 0x0000 0xAC100A64 (172.16.10.100)
Callouts on the slide highlight the Version & State, Redirect Method, Assignment Method and Mask Value fields of this output.
WCCP with L3 Switch – IPv6
L2 Redirect – Verification
munlab-c6504#sh ipv6 wccp 90 det
WCCP Client information:
WCCP Client ID: 2001:420:44E6:2013::45
Protocol Version: 2.01
State: Usable
Redirection: L2
Packet Return: L2
Assignment: MASK
Connect Time: 00:13:25
Redirected Packets:
Process: 0
CEF: 0
GRE Bypassed Packets:
Process: 0
CEF: 0
Mask Allotment: 4 of 4 (100.00%)
Assigned masks/values: 1/4
Mask SrcAddr DstAddr SrcPort DstPort
---- ------- ------- ------- -------
0000: :: 300:: 0x0000 0x0000
Callouts on the slide highlight the Version & State, Redirect Method, Assignment Method and Mask Value fields of this output.
WCCP with ASA
access-list WCCPRedirectionList extended deny ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list WCCPRedirectionList extended permit tcp any any eq www
access-list WCCPRedirectionList extended permit tcp any any eq https
!
wccp 90 redirect-list WCCPRedirectionList
wccp interface INSIDE 90 redirect in
[Diagram: clients and WSA on the ASA inside interface, ASA toward the Internet]
• ASA allows only redirect-in
• Client and WSA must be on the same interface - no DMZ deployment possible
• The inside ACL is checked before redirection: the destination server must be allowed in the ACL
• Redirection method is GRE based
• Redirect ACL allows permit and deny
• No TCP Intercept, inspect engine or internal IPS is applied to the redirected flow
• The IPS HW/SW module however does inspect the traffic
WCCP with IP Spoofing
• Some designs require that the client IP is preserved after being proxied
• Problem to solve: traffic coming back from the Internet needs to be redirected to the WSA by the network, because the destination is now the client network, no longer the WSA
• IP spoofing is mostly used in transparent mode
• Caution – adds complexity in troubleshooting
• Activated on the WSA in the WCCP config
[Diagram: router with interfaces e0, e1 and e2, with the WSA attached to the router]
IP Spoofing Design in Transparent Mode
[Diagram: client network 145.16.0.0/16 on e0 (WCCP 91 redirect in), Internet on e2 (WCCP 92 redirect in), WSA on e1]
ip cef
ip wccp version 2
ip wccp 91 redirect-list Redirect-Client
ip wccp 92 redirect-list Redirect-back
!
interface e0
 ip wccp 91 redirect in
!
interface e2
 ip wccp 92 redirect in
!
ip access-list extended Redirect-Client
 permit tcp 145.16.0.0 0.0.255.255 any eq www
 permit tcp 145.16.0.0 0.0.255.255 any eq 443
!
ip access-list extended Redirect-back
 permit tcp any eq www 145.16.0.0 0.0.255.255
 permit tcp any eq 443 145.16.0.0 0.0.255.255
Performance Troubleshooting and Optimization
Questions you’ll be able to answer after this section:
• When things get slow, where do I look?
• What performance monitoring does WSA provide?
• What are policy best practices I can use to help with performance?
• Is code level really that important?
WSA Performance Analysis
Where can problems occur?
[Diagram: Client → WSA1 → R1 → ASA/FW → Internet → HTTP/HTTPS/FTP server, with AD1, AD2, DNS, ISE and DLP as external services of the WSA]
1. Client to WSA request (HTTP/HTTPS/FTP)
2. WSA -> external services (AD, DNS, ISE, DLP)
3. WSA processes
4. WSA -> Internet HTTP/S/FTP request: WSA <–> destination server communication
“Our Internet is slow”
So, your Internet is SLOW? Tell me more about it!
What questions do I need to ask?
• WHO is affected?
  • One user / group of users vs all users
  • Example: IP/subnet/username(s) of users
• WHAT are users searching for?
  • Specific URL vs all URLs
  • HTTP / HTTPS / FTP? Upload/download?
• WHEN is this happening?
  • All the time?
  • Specific time (morning/noon/peak-traffic time)?
• SINCE WHEN & did something change?
Troubleshooting Slowness
Architecture Information
• Other information to gather
  • Proxy deployment (transparent vs explicit)?
  • Authentication being used (NTLM, CDA/TUI, Kerberos, LDAP, no authentication)?
  • HTTPS proxy enabled?
  • Features enabled on the WSA (AVC, AMP, AV engines, Adaptive Scanning, etc.)?
  • Policy construct
Troubleshooting Slowness
Gathering Information
• Identify issues
• Easy to identify using CLI commands:
  • proxystat: easy way to get CPU utilization and the corresponding RPS – instantaneous
  • status detail: number of active connections & response times. Active connections: not above 40k
  • trackstats: files stored with useful stats of the WSA proxy and other engines
• Typically prox CPU utilization above 80% will start to impact performance (most noticeable above 90%)
• Proxy connection backlog – ideally 0 or near 0
• Response time – variable – BUT consistency is key
Troubleshooting Slowness
Gathering Information
• Packet capture
  • Need to get a capture that contains the client -> WSA socket as well as the WSA -> destination server socket
  • If not a lot of traffic, run the capture unfiltered
  • If too much traffic, run the capture filtered based on the client IP address and the destination server IP address
  • If possible, run a capture on the client machine as well
  • When running a capture using a custom filter and the traffic contains GRE, it will not capture the client side traffic
  • Using the predefined filter is better for this scenario
Troubleshooting Slowness
Common Scenarios
• Slowness occurs only during peak hours
  • Typically a capacity issue on the WSA
  • Requests per second are too high for the configuration, causing the prox process to spend a high percentage of time using CPU
Troubleshooting Slowness
Troubleshooting Process
• If the issue is occurring at the time of troubleshooting:
  • See if it is possible to test by bypassing the WSA to see if the issue still occurs. If the issue still occurs when bypassing the WSA, then in most scenarios you can rule out the WSA as the cause.
  • If going transparent and the issue is occurring, try explicit to see if the issue still occurs. Load balancer? DNS? WCCP issue? PBR or L4 redirection issue?
  • Check to see if there is a capacity issue by looking at the rate command or by checking trackstats/shd_logs.
Troubleshooting Slowness
Troubleshooting Process
• If the issue is occurring at the time of troubleshooting:
  • Run a packet capture on the WSA and a grep on the access logs while reproducing the issue. If the issue occurs for all websites, use a basic website like example.com or purple.com.
  • If the delay appears to be coming from the WSA, either by packet capture verification or by being unable to rule out the WSA as the source, check trackstats to see if any features may be causing a delay.
  • Check logs on the WSA to see if there are any warning/critical alerts that stand out.
  • If possible, set up an access log subscription with latency custom fields to see where the delay is occurring.
Troubleshooting Performance
SNMP Monitoring
• Enable by CLI command snmpconfig
• SNMPv1, v2 and v3 supported
• SNMPv3 username is v3get
• MIBs available on cisco.com
  • http://www.cisco.com/c/en/us/support/security/web-security-appliance/tsd-products-support-series-home.html
  • AsyncOS Web MIB
  • AsyncOS SMI MIB for WSA
  • AsyncOS Mail MIB for WSA (not a mistype!)
Troubleshooting Performance
SNMP Monitoring
• OIDs that are the most useful
  • Proxy CPU in percent: 1.3.6.1.4.1.15497.1.2.3.1.2 (cacheCPUUsage)
  • Request throughput: 1.3.6.1.4.1.15497.1.2.3.7.1.1 (cacheThruputNow)
• Although both OIDs have the keyword cache, it has nothing to do with the WSA ‘cache,’ other than that the values are always stored in cache.
Troubleshooting Performance
SNMP Monitoring
• SNMPwalk example (other options too!)
• snmpwalk -v3 -l authNoPriv -a MD5 -A <passphrase> -Os -u v3get <IP_of_WSA> <OID>
Troubleshooting Performance
The WSA is showing a higher than expected CPU load, either via the CLI proxystat command or SNMP polls. As the WSA reaches its maximum capacity, administrators may experience sluggish response from the GUI and, most notably, latency will increase for traffic being proxied through the appliance.
WSA Policy Types
Refresher
• Identification Policy (Who? / How? / How do we recognize/categorize the end-user? What groups do we auth?)
• Access Policy (Actions for HTTP / HTTPS decrypted traffic)
• Decryption Policy (HTTPS traffic handling / what do we decrypt?)
• Routing Policy (Upstream proxy handling)
• Outbound Malware Policy (Do we permit upload of malware content?)
• Data Security Policy (What content type can we upload?)
• Other policy types: SaaS/SOCKS policies
Web Security Appliance Pipeline
HTTP client request (per policy matching): Identification Profiles (Who?) → Proxy Bypass List → WBRS Score Calculation → Authentication / Authorization / Guest Access? → Custom URL Category Match → Protocols/User-Agent → Pre-Defined URL Category → AVC → Objects → MIME File-Type Filter → Anti-Virus/Anti-Malware Scanning
HTTPS client request (per policy matching): Identification Profiles (Who?) → Proxy Bypass List → WBRS Score Calculation → Custom URL Category Match → Decryption → Pre-Defined URL Category → AVC → Objects → MIME File-Type Filter → Anti-Virus/Anti-Malware Scanning → Authentication / Authorization / Guest Access? → Encryption
Policy Best Practices
Identity Usage
• Keep identity usage to a minimum
  • The primary goal of identities is to specify which traffic should be authenticated on the appliance (or to specify individual appliances when deploying with an SMA). If creating policies for membership groups or specific subnets, it is best to define these in the access policy itself – especially when the access policies make use of the “All Identities” selection.
Policy Best Practices
Access Policies
• Use “All Identities” sparingly
  • Whenever a policy specifies “All Identities” it is actually replicated in the policy flow for every defined identity. For example, if there are 5 identities, what appears to be a single access policy would actually equal 5 policies if “All Identities” is selected.
• Place most used / least complex policies near the top of the list
  • Since the WSA stops executing policy decisions after the first match, attempt to keep the most generic and most used policies at the top of the access policy list.
• Place the most taxing rules near the end of the list
  • Keep the most granular/least used rules near the bottom of the access policy list. These items include authentication policies or policies with custom categories, especially custom categories that contain regular expressions.
• User policies
  • Avoid defining multiple policies specifying individual users. When possible, create a group for these users on the authorization server and consolidate the policies into a single (or a simpler) policy set.
Policy Best Practices
Custom Categories
• Keep custom categories to a minimum
  • Utilize the predefined URL categories on the appliance
  • Avoid creating custom categories for URLs that are already properly categorized in the filtering databases.
  • Seeing lots of uncategorized sites? Turn on WBNP participation!!!!! BEST PRACTICE!!!
• Did someone say regex?
Custom URL Categories
Regular Expressions – sure, go ahead, only if you really have to… but beware
• Avoid a large number of custom URL categories
• Avoid using regular expressions (especially “match any” regex)
• Try not to use “match any” .* - be more specific
• Whenever possible, use the Sites field rather than “Advanced->Regular Expressions”
Custom URL Categories
Cisco External & 3rd Party Feeds (Microsoft Office Format)
• Cisco External & 3rd Party Feeds are a new way of automatically obtaining a custom URL category list from an external server, using the HTTP/HTTPS protocol
• The same recommendations apply for creating Cisco External Feeds:
  • Use feed entry type “site” as much as possible vs using “regex” entries
  • Try to avoid having more than 1000 lines per external feed file
[Diagram: the WSA sends GET Feed File (HTTP/HTTPS) to the external feed server, which answers with the External-Feed-File response; the file contains lines such as:]
.xyz,regex
www.facebook.com,site
ad2.*.com,regex
mds.rs,site
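A linter for an external feed file of the “entry,type” form shown above, applying the recommendations from this slide and the regular-expression slide before it; this is an added example, not part of the deck or of the WSA. It assumes the feed is one “value,site” or “value,regex” entry per line; the sample feed text is constructed, and the 1000-line limit is the slide's number.

```javascript
// Added example (not part of the deck or the WSA): lint an external feed
// file of the "entry,type" form shown on the slide against the deck's
// recommendations: prefer "site" over "regex" entries, avoid match-any
// patterns such as .*, and keep a feed under 1000 lines. Assumptions: one
// "value,site|regex" entry per line; SAMPLE_FEED is constructed.

var MAX_FEED_LINES = 1000;

var SAMPLE_FEED = [
  ".xyz,regex",
  "www.facebook.com,site",
  "ad2.*.com,regex",
  "mds.rs,site",
  "junk line without a type",   // malformed on purpose
  "",
].join("\n");

// Split the feed into {line, value, type} entries and {line, reason} errors.
function parseFeed(text) {
  var entries = [], errors = [];
  text.split("\n").forEach(function (raw, idx) {
    var line = raw.trim();
    if (line === "") return;
    var comma = line.lastIndexOf(",");
    var type = comma === -1 ? "" : line.slice(comma + 1).trim().toLowerCase();
    if (type !== "site" && type !== "regex") {
      errors.push({ line: idx + 1, text: line, reason: "type must be site or regex" });
      return;
    }
    entries.push({ line: idx + 1, value: line.slice(0, comma).trim(), type: type });
  });
  return { entries: entries, errors: errors };
}

// Apply the slide's recommendations; findings with line 0 concern the whole file.
function lintFeed(text) {
  var parsed = parseFeed(text);
  var findings = parsed.errors.slice();
  var lineCount = text.split("\n").filter(function (l) { return l.trim() !== ""; }).length;
  if (lineCount > MAX_FEED_LINES) {
    findings.push({ line: 0, reason: "feed has " + lineCount + " lines, over " + MAX_FEED_LINES });
  }
  parsed.entries.forEach(function (e) {
    if (e.type !== "regex") return;
    if (/\.\*/.test(e.value)) {
      findings.push({ line: e.line, text: e.value, reason: "match-any .* in regex; be more specific" });
    }
    // A regex made only of host-name characters (dots unescaped) is really a
    // site match: an unescaped dot matches any character, and a site entry is
    // cheaper for the proxy to evaluate.
    if (/^[\w.-]+$/.test(e.value.replace(/\\\./g, "."))) {
      findings.push({ line: e.line, text: e.value, reason: "no regex metacharacters; use a site entry" });
    }
  });
  var regexCount = parsed.entries.filter(function (e) { return e.type === "regex"; }).length;
  return { entries: parsed.entries.length, regexEntries: regexCount, findings: findings };
}
```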
Decryption Policy Considerations
• Decrypt only traffic needed by company security policy & rely on WBRS!
• What do I need to decrypt, and what not?
  • Decrypt only categories that would need further fine-grained control / access policy processing & AV/AM scanning
  • Decrypt for:
    • Authentication
    • End-User-Notification display
    • End-User-Acknowledgements display
  • Pass through traffic that might be confidential (e.g. financial / banking sites)
  • Drop the traffic that would have action Block by the corresponding access policy
  • Drop categories matching: illegal, forbidden, and business-inappropriate content
Debugging Performance Issues
• Download file “prox_track.log” from appliance via FTP
• File is written every 5 minutes with timestamp
• Setting can be changed in advancedproxyconfig in CLI
prox_track.log content
• Contains various statistical data around proxy performance
• Do NOT consider the packet counts 100% accurate!
• It just gives a good hint as to what problem might be happening
General Statistics
• Traffic Statistics:
If the numbers for "throttled transactions" keep increasing, this could indicate that the appliance cannot handle the load
How to read prox_track.log
• Statistics are snapshots of total packet counts. Counters are reset after a reboot / restart of the proxy
• Take the statistics from time X and time Y, then compare the change:
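Added example (not Cisco's code) of the comparison described above: parse two snapshots, refuse the pair if a counter went backwards (the proxy restarted in between), and report the growth of "throttled transactions". The "name: value" layout of the constructed snapshots is an assumption, since the deck shows the real file only as a screenshot.

```python
"""Compare two prox_track.log snapshots taken at time X and time Y.

Added example, not Cisco's code. The counters in prox_track.log are
cumulative and reset when the proxy restarts, so the slide's method is to
compare the change between two snapshots. The "name: value" layout of the
two constructed snapshots below is an assumption for this example; the deck
shows the real file only as a screenshot.
"""
import re
from typing import Dict, List, Optional

COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")


def parse_snapshot(text: str) -> Dict[str, int]:
    """Collect 'name: integer' lines into a dict; other lines are ignored."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            stats[m.group(1).lower()] = int(m.group(2))
    return stats


def snapshot_delta(x: Dict[str, int], y: Dict[str, int]) -> Optional[Dict[str, int]]:
    """Change of every counter present in both snapshots, X -> Y.

    Returns None when any counter went backwards: the proxy restarted between
    the snapshots, so the pair cannot be compared.
    """
    common = x.keys() & y.keys()
    if any(y[k] < x[k] for k in common):
        return None
    return {k: y[k] - x[k] for k in sorted(common)}


def assess(delta: Dict[str, int]) -> List[str]:
    """Turn the deltas into findings, starting with the slide's throttling check."""
    findings = []
    throttled = delta.get("throttled transactions", 0)
    if throttled > 0:
        findings.append(f"throttled transactions grew by {throttled}: "
                        "the appliance may not be handling the load")
    tx = delta.get("total transactions", 0)
    if tx and "client time" in delta:
        # Average client wait per transaction over the interval, in whatever
        # unit the file uses for its time counters.
        findings.append(f"average client time per transaction: {delta['client time'] / tx:.1f}")
    return findings


# Constructed snapshots: 12:00 and 12:05 on the same proxy process.
SNAPSHOT_X = """\
Traffic Statistics:
Total transactions: 120400
Throttled transactions: 15
Client time: 9630000
Hit time: 300000
Miss time: 9100000
"""
SNAPSHOT_Y = """\
Traffic Statistics:
Total transactions: 125900
Throttled transactions: 240
Client time: 10290000
Hit time: 312000
Miss time: 9700000
"""

if __name__ == "__main__":
    delta = snapshot_delta(parse_snapshot(SNAPSHOT_X), parse_snapshot(SNAPSHOT_Y))
    if delta is None:
        print("proxy restarted between snapshots; take a new pair")
    else:
        for finding in assess(delta):
            print(finding)
```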
Important Statistics
• Client time: total time that the client was waiting until its request was fulfilled
• Hit time: time that the WSA uses to fetch content from the local cache
• Miss time: time that the WSA takes to fetch all data from the server
Important Statistics (2)
• Server Transaction time: time for the total transaction to the server to be finished. High values can mean "upstream" problems (firewall, router, ISP, upstream proxy)
• Server wait time: time until the WSA gets the first byte from the server
Important Statistics (3)
• DNS Time: time for the WSA to do a DNS resolution. A high time indicates a problem with the DNS server
Important Statistics (4)
• Auth Helper Wait: time an authentication request waits until it is validated by AD / LDAP. A high time indicates a problem with the connection to the authentication server
• Auth Helper Service: time until an authentication request is fully validated (check if the IP address is already authenticated, check surrogates, etc.)
Important Statistics (5)
• WBRS Service Time: time for the WSA to check the reputation score
• Webcat Service Time: time for the WSA to check the URL category
• AVC Header Scan Service Time: time to check the header of a request against the AVC signatures
• AVC Body Scan Service Time: time to check the body of a request against the AVC signatures
Important Statistics (6)
• Sophos/McAfee/Webroot Service Time: time that the scanner used to scan the object
• Service Queue Time: time that the object stayed in the queue to be scanned
• Adaptive Scanning Service Time: time for the adaptive scanning process to scan an object
Adaptive Scanning
• Each type of object gets a risk score assigned
• The score is based on the type of object, the effectiveness of the malware scanners for this type, and WBRS (WBRS must be enabled on the WSA)
• The appliance will scan objects with the scanner that is most appropriate for this object type
• If the appliance has a performance problem with the anti-malware scanners, it will drop objects from scanning
Example: don't scan *.jpg files with McAfee when they are coming from websites with a good reputation.
Customizing the Access Log
• Variables can be appended to the Access Logs, e.g. add a custom field like "%m" (= Authentication Method) to the access_log
• The variables are listed in the GUI; some older versions of WSA software might not have the full list
Customizing the Access Log - Example
Custom field string: %m AUTH: %:>a DNS: %:>d REP: %:>r
%m : Authentication Method
%:>a : Authentication Wait time
%:>d : DNS Wait time
%:>r : Reputation Wait time
Any other text (AUTH:, DNS:, REP: above) acts as a comment for readability
Customizing the Access Log – Example (2)
Destination IP: %k
Extremely useful in dual-stack environments to find out whether the WSA makes the outgoing connection on IPv4 or IPv6!
Example: source IP from client = IPv6, destination IP = IPv4
Customizing the Access Log – Example (3)
Other useful parameters:
%L <- human readable local time
%k <- Destination IP
%g <- group memberships
%u <- User Agent
Example for detailed performance logs:
Request Details: ID = %I, User Agent = %u, AD Group Memberships = ( %m ) %g ] [ Tx Wait Times
(in ms): 1st byte to server = %:<1, Request Header = %:<h, Request to Server = %:<b, 1st byte to
client = %:1>, Response Header = %:h>, Client Body = %:b> ] [ Rx Wait Times (in ms): 1st request
byte = %:1<, Request Header = %:h<, Client Body = %:b<, 1st response byte = %:>1, Response
header = %:>h, Server response = %:>b, Disk Cache = %:>c; Auth response = %:<a, Auth total =
%:>a; DNS response = %:<d, DNS total = %:>d, WBRS response = %:<r, WBRS total = %:>r, AVC
response = %:A>, AVC total = %:A<, DCA response = %:C>, DCA total = %:C<, McAfee response
= %:m>, McAfee total = %:m<, Sophos response = %:p>, Sophos total = %:p<, Webroot response
= %:w>, Webroot total = %:w<, Anti-Spyware response = %:<s, Anti-Spyware total = %:>s;
Latency = %x; %L
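Added example (not Cisco's code) covering the custom-field examples above: a parser for lines ending with the tail produced by "%m AUTH: %:>a DNS: %:>d REP: %:>r" that tags each slow request with the component it waited on. The shortened line prefix, the sample lines, the millisecond rendering of the wait fields and the "-" placeholder for an absent value are constructed assumptions.

```python
"""Find where slow requests spend their time using the custom access-log
fields from the slide: "%m AUTH: %:>a DNS: %:>d REP: %:>r".

Added example, not Cisco's code. It assumes the custom string is appended at
the end of each access-log line and renders "%:>a", "%:>d" and "%:>r" as wait
times in milliseconds; a field with no value is assumed to appear as "-".
The sample lines are constructed and their prefix is shortened to the first
three standard fields (timestamp, elapsed ms, client IP).
"""
import re
from typing import Dict, List, Optional

# Tail written by the custom field string; the literal AUTH:/DNS:/REP: words
# are the "comments for readability" from the slide.
TAIL = re.compile(
    r"(?P<auth_method>\S+) AUTH: (?P<auth>\S+) DNS: (?P<dns>\S+) REP: (?P<rep>\S+)\s*$"
)
COMPONENTS = ("auth", "dns", "rep")


def _ms(value: str) -> Optional[int]:
    return None if value == "-" else int(value)


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields we care about, or None if the line lacks the custom tail."""
    m = TAIL.search(line)
    if not m:
        return None
    head = line.split()
    if len(head) < 3:
        return None
    return {
        "timestamp": head[0],
        "elapsed": int(head[1]),
        "client": head[2],
        "auth_method": m.group("auth_method"),
        "auth": _ms(m.group("auth")),
        "dns": _ms(m.group("dns")),
        "rep": _ms(m.group("rep")),
    }


def slow_requests(lines: List[str], threshold_ms: int) -> List[Dict]:
    """Requests whose elapsed time exceeds threshold_ms, each tagged with the
    component (auth, dns or rep) that waited longest."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["elapsed"] <= threshold_ms:
            continue
        waits = {c: rec[c] for c in COMPONENTS if rec[c] is not None}
        rec["slowest"] = max(waits, key=waits.get) if waits else None
        out.append(rec)
    return out


def max_wait_per_component(lines: List[str]) -> Dict[str, int]:
    """Highest observed wait for each component across all parsable lines."""
    maxima = {c: 0 for c in COMPONENTS}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for c in COMPONENTS:
            if rec[c] is not None and rec[c] > maxima[c]:
                maxima[c] = rec[c]
    return maxima


# Constructed sample lines (prefix shortened; not real WSA output).
SAMPLE_LINES = [
    "1528123001.123 310 10.1.1.20 NTLMSSP AUTH: 2 DNS: 1 REP: 3",
    "1528123002.456 2900 10.1.1.21 NTLMSSP AUTH: 2650 DNS: 2 REP: 4",
    "1528123003.789 1500 10.1.1.22 NONE AUTH: - DNS: 1300 REP: 5",
    "1528123004.012 90 10.1.1.23 TCP_MISS/200 no custom fields here",
]

if __name__ == "__main__":
    for rec in slow_requests(SAMPLE_LINES, threshold_ms=1000):
        print(f"{rec['client']}: {rec['elapsed']} ms total, slowest component {rec['slowest']}")
    print(max_wait_per_component(SAMPLE_LINES))
```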
Summary for WSA Performance Analysis
• The WSA has very detailed logs/GUI to troubleshoot performance issues
• Use the prox_track.log file for general performance checks
• Use customized Access Logs for detailed checking of single requests
• You can always add more processing power, either with hardware or virtual appliances
• And stay current on code….
Why Upgrade?
Web Security Software 10.x, 11.0 and 11.5
10.0: Referrer Header; Live (Third Party) Feeds; AMP Private Cloud; AMP Advanced Reporting; Intermediate Certificate; Updated User Agent List
10.1: Archive Inspection; S600v; Centralized Upgrade
10.5: WCCP Weighted LB; Certification FIPS, CC, UP-ACL
11.0: CDO Integration; Enhanced DNS; Hyper-V Support; CTA Template Support
11.5: WSAv in AWS; Schedule Policy Expiry; User Usage Count; Cloudlock Integration; CTA Integration Phase 2; AMP Unity Integration
x70 platform last code v10.1 – consider hardware upgrades for new features and significant performance increases.
Hardware / Virtual Appliance Update & Sizing
Questions you'll be able to answer after this section:
• How do I appropriately size my environment?
• What options are available for physical hardware and virtual?
Cisco Content Security Virtual Appliance
• Free of charge for customers with Security Bundle Licensing/Contract ID
• Offered for all Content Security Products – WSA, SMA, and ESA
• KVM, ESXi, Hyper-V & AWS support
• Licensing handled via license file vs. cloud keys as on physical appliances
• No perpetual licensing options; the VM expires when security features expire
• Full appliance import – no underlying OS requirements
• http://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf
• http://www.cisco.com/c/en/us/support/docs/security/email-security-virtual-appliance/118301-technote-esa-00.html
WSA Virtual Hardware Specs
Model             S600v                    S300v                    S100v
Deployment        Corporate Headquarters   Small Office             Branch Offices
Family Type       Compute Optimized        Compute Optimized        General Purpose
Instance Type     C4.4xlarge               C4.xlarge                M4.Large
CPUs              16 Cores                 4 Cores                  2 Cores
Speed (minimum)   2.7 GHz                  2.7 GHz                  2.7 GHz
Memory            30 GB                    7.5 GB                   8 GB
Disk Space        2.4 TB (10K RPM SAS)     1024 GB (10k RPM SAS)    250 GB (10k RPM SAS)
Disk Types (all models): Provisioned IOPS SSD (IO1), General Purpose SSD (GP2), Magnetic
WSAv Sizing & Performance
Model      Disk Space   Memory   Processor Cores   Sustained RPS*
S000v**    250 GB       4 GB     1                 65-180
S100v      250 GB       6 GB     2                 130-300
S300v      1024 GB      8 GB     4                 200-580
S600v***   1024 GB      24 GB    12                550-1170
* Sustained RPS varies with the security features enabled and policy complexity.
** Only consider the S000v for lab/very small environments
*** Only supported for AsyncOS v10.1 and higher
Minimum specs: two 64-bit x86 processors of at least 1.5 GHz each, 10k RPM SAS hard disk
WSAv vs. WSA Appliance
Model    Disk Space       Memory   Processor Cores   Sustained RPS*
S000v    250 GB           4 GB     1                 65-180
S100v    250 GB           6 GB     2                 120-340
S300v    1024 GB          8 GB     4                 170-480
S600v    1024 GB          24 GB    12                550-1170
S190     1200 – 2400 GB   8 GB     6, 1.9GHz         340-450
S390     2400 – 4000 GB   32 GB    8, 2.4GHz         500-1220
S690     4800 – 9600 GB   64 GB    24, 2.5GHz        910-1900
* Sustained RPS varies with the security features enabled and policy complexity
Virtual Installation Considerations
• Do not clone the VM, and do not alter the hardware configuration
• No snapshots older than 72 hours (save disk!)
• Local disk is recommended
• Thin provisioning sounds great, but don't use it outside of a lab.
• Cisco UCS hardware is supported end-to-end. Other hardware platforms are supported on a "Best Effort" basis: Cisco will try to help you, but it may not be possible to reproduce all problems, and we cannot guarantee a solution.
• Oh, and do not clone or alter the HW config on the VM – and – LOCAL DISK!
AMP & Threat Grid on WSA
Questions you'll be able to answer after this section:
• What is AMP?
• What is Threat Grid?
• How do they interact?
• What's in the cloud vs. on-premise?
• How would I configure WSA and a Threat Grid Appliance?
• What is AMP Unity?
#CLUS
What are the AMP Components?
• AMP Public Cloud – a big data cloud that drives File Reputation and provides dispositions of files
• AMP Private Cloud – think AMP Public Cloud, but on premise
• AMP-Enabled Integration – a Cisco device that queries data from the AMP Cloud and submits files to Threat Grid
• AMP for Endpoint – a client, on an endpoint ;)
• ….and Threat Grid too!
Cisco Advanced Malware Protection Recap
What are we actually providing with the solution?
Service              Function                                         Powered by
File Reputation      Blocking of known malicious files                AMP Cloud
File Analysis        Behavior analysis of unknown files               Threat Grid Cloud
File Retrospection   Retrospective alerting upon disposition change   AMP Cloud
How does AMP protect our systems?
AMP-Enabled Integration Protection (all integrations):
• File Rep – SHA256 Matching: finds the low hanging fruit, fast. Tracks Clean, Malicious and Unknown hashes
• SPERO Static Analysis: examines PE headers, looks at DLL imports, compile location and ~400 factors. Heuristic engine
• Threat Grid File Analysis: dynamic analysis performed on unknown files in a virtual environment
• Cisco Talos Cloud: Cisco's threat team and cloud intelligence source
• Retrospective Detection
Additional protection available in AMP for Endpoints:
• Tetra AV Engine: signature-based AV protection
• MAP Behavioral Analysis: rules engine that looks at behaviors locally on the machine
• ETHOS Fuzzy Fingerprinting: pack/unpack/repack files to attempt to match polymorphic malware to known hashes
• Exploit Prevention: randomize memory structures to protect against memory attacks and file-less malware
• Cloud IOCs: behavior-based analysis to uncover known and unknown malware
• System Protection: protects system processes from exploitation or process injection to AMP
• Device Flow Correlation (DFC): monitors network traffic for malicious destinations
Continuous Protection (AMP for Endpoint):
• Observes behavior of all clean/unknown files on a system
• Can quarantine malicious files (CES/ESA)
• Observes interaction between files to determine suspicious activity
• Watches network traffic to isolate C2 or data exfiltration
What is Threat Grid?
Threat Grid is a unified malware analysis and threat intelligence platform. It performs automated static and dynamic analysis, producing human-readable behavioral indicators for each file submitted. Threat Grid's global scalability drives context-rich information that can be consumed directly or via content-rich threat intelligence feeds.
[Figure: five pillars – Behavioral indicators; Advanced static and dynamic analysis; Threat Intelligence; Unified malware analysis platform; Scalability & Global Correlation]
Cisco Web Security: Complete Inbound Protection
[Figure: inbound traffic from the WWW passes URL Filtering (Block), Reputation Filtering (Block/Warn), Dynamic Content Analysis (Block/Warn), Anti Virus Engines (Block) and the AMP Anti-Malware Engine (Block), all fed by Cisco TALOS; possible outcomes are Allow, Warn, Filter and Block]
AMP & Threat Grid on WSA: Communication Flow
[Figure: the Web Security Appliance sends a File Reputation Check (includes SHA256, SPERO) to the AMP Database and receives a Disposition (unknown, malicious, clean); for File Analysis it sends an Analysis Request (includes the file) to Threat Grid and receives a Threat Score; the file hash is automatically marked in the AMP Database]
Configuring AMP for WSA: Enable AMP Services
• Security Services > Anti-Malware and Reputation Settings
• You can choose whether to enable or disable two services:
• File Reputation (SHA-256)
• File Analysis (analyze the file in Threat Grid)
[Screenshot callouts: enables File Reputation globally; enables File Analysis globally; enables specific file types globally]
Configuring AMP for WSA: AMP Services Advanced Settings
[Screenshot callouts: select the Data Center and register the WSA at your AMP for Endpoints console (more details in a sec ...); configure an upstream proxy for File Reputation checks; AMP Client ID; File Analysis Client ID]
Configuring AMP for WSA: Access Policy
• Web Security Manager > Access Policies
• Click on the link to change AMP-related policy settings
[Screenshot callouts: turns on File Reputation for traffic matching this Access Policy; select the action to take for malicious objects]
AMP on WSA: WSA Public Cloud
[Figure: WSA, AMP Public Cloud and Threat Grid (brain and logs)]
1. The file's 1-1 and SPERO SHAs are generated by the WSA, which queries the AMP Cloud for a reputation lookup
2. File Reputation returned:
• If Clean – file download completed
• If Malicious – file download monitored or dropped as per policy
• If Unknown – file copied for preclassification (ClamAV) and download completes
3. If the file type is supported, the file is sent to Threat Grid for File Analysis
4. WSA polls Threat Grid. If the Threat Score is >=95, the WSA alerts as a retrospective
5. Threat Score passed to the AMP Cloud (Poke)
6. The AMP Cloud uses this intelligence to generate a disposition for the file. AMP connectors obtain the updated disposition the next time the AMP Cloud is contacted for a retrospection update (PING2)
AMP on WSA: WSA Public Cloud Hybrid with Local Threat Grid Appliance
[Figure: WSA, AMP Public Cloud, Threat Grid Appliance and Threat Grid (brain and logs)]
1. The file's 1-1 and SPERO SHAs are generated by the AMP Connector, which queries the AMP Cloud for a reputation lookup. The Threat Grid Appliance is also checked in case the file has been previously analyzed. If so, go to step 5.
2. File Reputation returned:
• If Clean – file download completed
• If Malicious – file download monitored or dropped as per policy
• If Unknown – file copied for preclassification (ClamAV) and download completes
3. If the file type is supported, the file is sent to the Threat Grid Appliance for File Analysis
4. WSA polls the Threat Grid Appliance
5. WSA polls Threat Grid. If the Threat Score is >=95, the WSA alerts as a retrospective (no poke to the AMP Cloud)
6. This verdict can be overruled by retrospection from the Public Cloud if the AMP connector obtains an updated disposition the next time the AMP Cloud is contacted for a retrospection update (PING2)
AMP on WSA: WSA Private Cloud (Proxy Mode) with Local Threat Grid Appliance
[Figure: WSA, AMP Private Cloud (PC), AMP Public Cloud, Threat Grid Appliance and Threat Grid (brain and logs)]
1. The file's 1-1 and SPERO SHAs are generated by the AMP Connector, which queries the AMP PC for a reputation lookup. The Threat Grid Appliance is also checked in case the file has been previously analyzed. If so, go to step 6.
2. If the AMP PC has no reputation, it asks the Public Cloud
3. AMP PC returns the reputation:
• If Clean – file download completed
• If Malicious – file download monitored or dropped as per policy
• If Unknown – file copied for preclassification (ClamAV) and download completes
4. If the file type is supported, the file is sent to the Threat Grid Appliance for File Analysis
5. WSA polls the Threat Grid Appliance
6. If the Threat Score is >=95, the WSA convicts the file as malicious and alerts as a retrospective event
7. Threat Score passed to the AMP PC (Poke)
8. The AMP PC uses this intelligence to generate a disposition for the file and sends this to the AMP Connector (PING2)
9. This verdict can be overruled by retrospection from the Public Cloud (PING2)
AMP on WSA: WSA Private Cloud (Air gap) with Local Threat Grid Appliance
[Figure: WSA, AMP Private Cloud (PC), Threat Grid Appliance and Threat Grid (brain and logs); no connection to the AMP Public Cloud]
1. The file's 1-1 and SPERO SHAs are generated by the AMP Connector, which queries the AMP PC for a reputation lookup. The Threat Grid Appliance is also checked in case the file has been previously analyzed. If so, go to step 5.
2. AMP PC returns the reputation:
• If Clean – file download completed
• If Malicious – file download monitored or dropped as per policy
• If Unknown – file copied for preclassification (ClamAV) and download completes
3. If the file type is supported, the file is sent to the Threat Grid Appliance for File Analysis
4. WSA polls the Threat Grid Appliance
5. If the Threat Score is >=95, the WSA convicts the file as malicious and alerts as a retrospective event
6. Threat Score passed to the AMP PC (Poke)
7. The AMP PC uses this intelligence to generate a disposition for the file and sends this to the AMP Connector (PING2)
Threat Grid Appliance (TGA) Integration with WSA
• Requirements
• Cisco Threat Grid v2.1 or newer (v2.4.3.2 strongly recommended)
• Cisco Web Security Appliance AsyncOS v9 or newer (v10.5.2-061 strongly recommended)
• Before You Begin
• Ensure code levels are appropriate
• Ensure the WSA can reach the TGA CLEAN interface over the network
• WSA requires feature keys for "File Reputation" and "File Analysis"
• Configure the Threat Grid appliance first, then the WSA
• If you will deploy a self-signed certificate: generate a self-signed SSL certificate from the Cisco AMP Threat Grid appliance to be used on your WSA. Be sure to generate a certificate that has the hostname of your Threat Grid appliance as CN. The default certificate from the Threat Grid appliance does NOT work
Threat Grid Integration – Step 1
[Screenshot of the Threat Grid appliance SSL certificate page: interfaces listed are the ThreatGRID Application ("Clean Interface") and the Administration Portal ("Admin Interface"); click Regenerate, then Download SSL Certificate; supports TLSv1.0, TLSv1.1, TLSv1.2]
Threat Grid Integration – Step 2
• Security Services / Anti-Malware and Reputation
• Edit Global Settings
• Advanced
• Select Private Cloud
• Enter the DNS name of the Threat Grid server
• Select Use Uploaded CA
• Upload the .cert file downloaded from TG
Threat Grid Integration – Step 3
• When the WSA connects and registers itself with the Threat Grid Appliance, a new Threat Grid user is created automatically. The initial status of this account is "de-activated"
• The login will match the Client ID from the WSA
• Click Re-Activate User
Troubleshooting Integration
• Ensure you have the appropriate Feature Keys on the WSA
• Check that port 443 communication to the TG server (clean interface) over TCP is healthy
• Check if any "API Key Error" is printed in the AMP debug logs
• Invalid API Key: check if the account is re-activated; if not, re-activate the account
• Account Inactive: check if the account is re-activated; if not, re-activate the account
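Added example (not Cisco's code) that pre-checks the items from the requirements and troubleshooting slides: TCP reachability of the TGA clean interface on port 443, a TLS handshake verified against the downloaded TGA certificate, and whether that certificate carries the TGA hostname as CN or SAN. The hostname tga.example.internal, the CA file path and the constructed certificate dicts are assumptions.

```python
"""Pre-flight check for the WSA -> Threat Grid Appliance connection.

Added example, not Cisco's code. It checks the three things the slides call
out: TCP port 443 on the TGA clean interface is reachable, the TLS handshake
succeeds against the certificate you downloaded from the TGA (the same .cert
file uploaded to the WSA), and that certificate carries the TGA hostname as
its CN (or SAN). Hostnames, the CA file path and the sample certificate dicts
are assumptions of the example.
"""
import socket
import ssl
from typing import Dict, Optional


def cert_matches_host(cert: Dict, host: str) -> bool:
    """True if host is listed in the certificate's SAN DNS names or, when the
    certificate has no SAN, equals its commonName. `cert` is in the layout
    returned by ssl.SSLSocket.getpeercert(); exact matches only."""
    host = host.lower().rstrip(".")
    sans = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return host in sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower() == host
    return False


def probe_tga(host: str, cafile: Optional[str], port: int = 443, timeout: float = 5.0) -> Dict:
    """Connect to host:port, complete a TLS handshake verified against cafile,
    and report each stage. check_hostname is off because the name check is
    done separately so the result can be reported on its own."""
    result = {"tcp": False, "tls": False, "name_match": False, "error": None}
    try:
        ctx = ssl.create_default_context(cafile=cafile)   # cafile None -> system CAs
        ctx.check_hostname = False
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True
                result["name_match"] = cert_matches_host(tls.getpeercert(), host)
    except OSError as exc:           # ssl.SSLError is an OSError subclass
        result["error"] = str(exc)
    return result


# Constructed certificate dicts in getpeercert() layout: one regenerated with
# the TGA hostname as CN (as the slide requires) and one default certificate
# whose CN is not the appliance hostname.
CERT_GOOD = {"subject": ((("commonName", "tga.example.internal"),),)}
CERT_DEFAULT = {"subject": ((("commonName", "localhost"),),)}

if __name__ == "__main__":
    # Placeholder hostname and CA path: replace with your TGA clean-interface
    # FQDN and the .cert file downloaded from the TGA admin portal.
    print(probe_tga("tga.example.internal", cafile="tga-clean.cert"))
```

A result with "tcp": True but "tls": False points at the certificate (wrong CA file or the default TGA certificate); "tcp": False points at the network path to the clean interface.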
AMP Console: Unity Support
[Figure: the AMP Cloud connects Network Appliances (NGIPS, NGFW), Endpoints and Content Appliances (WSA, ESA); shared across all of them: Global File Trajectory, Whitelists, Blacklists, Global Outbreak Control]
AMP Unity Functionality with Releases
• Network Appliances: AMP Appliances (FMC 6.2), Firepower Appliances (FMC 6.2)
• Content Appliances: Email Security AsyncOS 11.1, Web Security AsyncOS 11.5
• Functionality: Global Trajectory*; Simple Custom Detection (Blacklisting); Whitelisting; Global Outbreak Control
* See File & Device trajectory from all your AMP-enabled devices
Steps for Integration of WSA with AMP Unity
Step 1
• Web Security Registration with AMP Console
Step 2
• Create AMP Policies, Blacklist and Whitelist
Step 3
• Blacklist & Whitelist validation on WSA
Step 4
• Device and File Trajectory views
WSA Registration with AMP Unity Console
Configuration & Registration (Step 1)
• Initial Registration: redirects to the regional AMP for Endpoints console for authorization (based on the selected File Reputation Server)
• Authorization: log into the AMP for Endpoints console and authorize the WSA S/N or WSAv VLN number.
WSA Registration with AMP Unity Console
Registration Success and Validation (Step 2)
• Registration Complete: redirect back to the WSA GUI with a note about successful registration.
• Select your WSA: search for the hostname of the WSA using the S/N or VLN number.
AMP Unity Policy Creation Step 3
Device and File Trajectory views Step 4
Cognitive Threat Analytics & WSA
Questions you'll be able to answer after this section:
• What is CTA and where does it fit in the WSA security stack?
• How do I configure it?
CTA on Cisco Web Security (CWS / WSA)
[Figure: the web security stack, fed by Talos and topped by Reporting and Management: Web Reputation, Web Filtering, Application Visibility & Control, Anti-Malware, File Reputation, Dynamic Malware Analysis, File Retrospection and Webpage Outbreak Intelligence, followed ("After") by Cognitive Threat Analytics (CTA); outcomes Allow / Warn / Block / Partial Block; Admin access via STIX / TAXII (APIs)]
CTA licensing is included with AMP licensing on WSA, or standalone for 3rd-party proxies
Cognitive Threat Analytics (CTA)
CTA enhances web security with layers of breach detection and analytics to identify difficult-to-find threats
[Figure: pipeline from Anomalous Web requests through Anomaly detection, Trust modeling, Event classification and Relationship modeling to Malicious Events and Threat Incidents; 10B requests per day in, 20K incidents per day out]
Cognitive Threat Analytics
Breach Detection & Advanced Threat Visibility for CWS, WSA and External Telemetry
[Figure: Web Access Logs (input telemetry) from Cisco WSA (Web Security Appliance) and 3rd Party Proxies (Blue Coat, McAfee, zScaler) at HQ, and from Cisco CWS (Cloud Web Security), flow to Cisco Cognitive Threat Analytics (CTA); CTA delivers Confirmed Threats, Detected Threats and Threat Alerts to Incident Response and, via the STIX / TAXII API, to SIEMs such as Splunk, ArcSight and Q1 Radar]
Configuration Notes
• CTA analytics are run in the cloud
• Proxy logs are ingested on a regular basis by setting up a regular proxy log upload over HTTPS or SCP (the only thing required on the customer side)
• Latest code recommended
Enabling CTA on WSA
Enabling CTA on WSA (continued)
Adding and Managing WSA Device List in CTA UI
Enabling Anonymization (optional)
De-Anonymization of Logs
Peek a booooo….
• Check the hidden slides about here for pre-11.5 CTA config…
Adding and Managing WSA Device List in CTA UI
• Maximum file size is 1GB; smaller uploads are recommended in case of failure
• Recommended upload frequency: 10-60 minutes
• Log upload happens from the WSA M1 interface, so it may be necessary to allow traffic from the management interface to the internet (or to the cloud service).
• Log upload activity is visible in the WSA system log & CTA Console
• Warning: when committing the configuration change, the WSA proxy process restarts, so users connected via the proxy may be temporarily disconnected. If the WSAs are not operating in high-availability (HA) mode, we recommend you configure the WSA during an off-hour maintenance window to avoid impacting users during production hours.
Confirm Device Log Upload
CTA Reporting
Supporting Documentation
• AMP Best Practices Guide for Content Security
• https://supportforums.cisco.com/document/13229856/enabling-amp-content-security-products-best-practices
• Threat Grid Appliance Install Guides
• http://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/products-installation-guides-list.html
• Connecting Cisco ESA/WSA Appliances to Threat Grid Appliances
• http://www.cisco.com/c/dam/en/us/td/docs/security/amp_threatgrid/connecting-with-a-threat-grid-appliance-2-1-4.pdf
• Cisco Web Security Appliance (WSA) End User Guides
• http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html
• Cognitive Threat Analytics
• https://www.cisco.com/c/en/us/products/security/cognitive-threat-analytics/index.html
Complete your online session evaluation
Give us your feedback to be entered
into a Daily Survey Drawing.
Complete your session surveys through
the Cisco Live mobile app or on
www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing
on demand after the event at www.CiscoLive.com/Online.
Continue your education: demos in the Cisco campus, walk-in self-paced labs, meet the engineer 1:1 meetings, related sessions
Thank you
Cybersecurity Cisco education offerings
• Understanding Cisco Cybersecurity Fundamentals (SECFND) – CCNA® Cyber Ops: the SECFND course provides understanding of cybersecurity's basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills.
• Implementing Cisco Cybersecurity Operations (SECOPS) – CCNA® Cyber Ops: this course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level.
• Cisco Security Product Training Courses: official deep-dive, hands-on product training on Cisco's latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and much more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco education offerings
• CCIE Security 5.0 – CCIE® Security
• Implementing Cisco Edge Network Security Solutions (SENSS) – CCNP® Security: configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
• Implementing Cisco Threat Control Solutions (SITCS) v1.5 – CCNP® Security: implement Cisco's Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security
• Implementing Cisco Secure Access Solutions (SISAS) – CCNP® Security: deploy Cisco's Identity Services Engine and 802.1X secure network access
• Implementing Cisco Secure Mobility Solutions (SIMOS) – CCNP® Security: protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
• Implementing Cisco Network Security (IINS 3.0) – CCNA® Security: focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
BRKSEC-3771 161
BRKSEC-3771 - WSA with wccp.pdf

• 9. Questions you’ll be able to answer after this section:
  • How do explicit and transparent proxy redirections function?
  • What redirection methods does the WSA support?
  • What is IP spoofing and when do I use it?
• 10. Explicit Proxy At-A-Glance
  Pros:
  • Most web-enabled applications support NTLM proxy-style authentication
  • Easier for network/security admins to troubleshoot: the client-to-proxy flow is explicit and easy to follow in a packet capture
  • Load balancing and failover without any external hardware, via the proxy.pac file
  • “Auto-detect” proxy settings work with nothing more than DNS (a wpad host record) and DHCP option 252. Because clients trust whatever DNS or DHCP answers, keep control of the wpad name on every segment so that a rogue host cannot advertise itself as the proxy
  • The client network may be able to run without a default route: only the proxy needs Internet reachability, so malware that ignores proxy settings has no direct path out
  • Easy to test during pre-deployment (point a single browser at the proxy)
  Cons:
  • Requires a solid AD architecture design to facilitate an easy staged deployment
  • More interaction with the server team for GPO rollouts
  • Backing out a deployment depends on the AD/GPO update policy and frequency
  • Manual configuration required for non-domain workstations
  • Easier to circumvent: a user or application that ignores the proxy setting bypasses inspection unless the firewall blocks direct egress from client subnets
• 11. Explicit Proxy with IPv4 & IPv6
  • Client requests a website
  • Browser connects first to the WSA, over IPv4 or IPv6
  • WSA does the DNS lookup; an A and/or AAAA record is returned
  • Depending on the WSA setting, the WSA builds the outgoing connection over IPv4 or IPv6
  • The firewall usually permits outbound web traffic only from the proxy
  (Diagram: client, Web Security Appliance and ASA firewall in front of the Internet and the web server; the client-to-WSA leg and the WSA-to-server leg can each be IPv4 or IPv6)
• 12. Explicit Mode with IPv4 & IPv6: setting IPv6 addresses on the interface (screenshot)
• 13. Explicit Mode with IPv4 & IPv6: setting routes (screenshot)
• 14. Explicit Mode with IPv4 & IPv6: setting DNS servers (screenshot). Both IPv4 and IPv6 DNS servers can be added, and the same page selects which protocol is preferred when both an A and an AAAA record are returned.
• 15. Redundancy using CARP (Common Address Redundancy Protocol)
  • CARP provides a virtual IP shared by a group of WSAs
  • Works with IPv4 and IPv6
  • Requires L2 connectivity between the members
  • Communication is done via multicast
  • One master, multiple slaves
  • Useful when no hardware load balancer exists for explicit deployments
  (Diagram: several WSAs on one L2 network sharing a virtual IP towards the Internet)
• 16. Redundancy using CARP (2): a redundancy group for IPv4 & IPv6 (screenshot)
• 17. Redundancy using CARP (3): priority setting; higher value = master (screenshot)
• 18. Redundancy using CARP (4): testing via the CLI with “FAILOVERCONFIG” (screenshot)
• 19. Redundancy using CARP (5): testing via the CLI with “TESTFAILOVERGROUP”; the capture shows CARP using multicast for its keepalives (screenshot)
• 20. PAC File Configuration
  • A PAC file is a plain-text file containing JavaScript: the browser calls its FindProxyForURL(url, host) function for each request and uses the string it returns
  • The PROXY and DIRECT keywords in the returned string are conventionally upper-case, but common browsers match them case-insensitively; the JavaScript itself is case-sensitive
  • Generally served via HTTP from a web server
  • Example 1: simplest case. FindProxyForURL returns
      PROXY wsa.customer.com:3128
    i.e. use proxy wsa.customer.com on port 3128 for every request
• 21. PAC File Configuration: Failover with PAC
  • Example 2: failover. FindProxyForURL returns
      PROXY wsa1.customer.com:3128; PROXY wsa2.customer.com:3128; DIRECT
  • Use wsa1; if wsa1 is unresponsive use wsa2; if wsa2 is also unresponsive, do not use a proxy and go direct
  • Caveat: the trailing DIRECT makes the design fail open. If both WSAs are down, clients bypass web security entirely (assuming the firewall allows direct client egress). Omit DIRECT to fail closed, and make the proxy address itself highly available with CARP or a load balancer.
• 22. PAC File Configuration: Load Balancing with PAC
  • Example 3: two proxies. URLhash() is not a built-in PAC helper; the file must define its own deterministic hash (any function that maps a string to an integer the same way in every browser). The slide’s listing dropped the opening brace of the first if-block; corrected:

    function FindProxyForURL(url, host) {
      var ret = URLhash(url);
      if ((ret % 2) == 0) {
        return "PROXY wsa1:3128";
      } else {
        return "PROXY wsa2:3128";
      }
    }

  • Example 4: three proxies. Multiples of 3 go to wsa3 and the rest are split by parity, which gives each proxy roughly a third of the URLs:

    function FindProxyForURL(url, host) {
      var ret = URLhash(url);
      if ((ret % 3) == 0) {
        return "PROXY wsa3:3128";
      } else {
        if ((ret % 2) == 0) {
          return "PROXY wsa1:3128";
        } else {
          return "PROXY wsa2:3128";
        }
      }
    }

  • Because each return string names a single proxy, a client whose hashed proxy is down has no fallback; combine the hash with the failover list from Example 2 if that matters.
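The deck’s Examples 2 to 4 combined into one complete proxy.pac, as an added example that is not part of the Cisco deck: it supplies the hash function the slides leave undefined, picks a primary WSA per host, lists the other WSAs as ordered failovers, and sends intranet traffic direct. The proxy names wsa1..wsa3.customer.com, the customer.com domain and port 3128 are assumptions for illustration.

```javascript
// Added example, not from the Cisco deck: a complete proxy.pac that extends the
// deck's two/three-proxy hashing idea with a defined hash function, ordered
// failover and an internal-traffic bypass. The proxy names wsa1..wsa3.customer.com,
// the customer.com domain and port 3128 are assumptions for illustration.

// Browsers supply isPlainHostName() and dnsDomainIs() to PAC scripts; they are
// defined here with the same semantics only so the file also runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

var PROXIES = [
  "wsa1.customer.com:3128",
  "wsa2.customer.com:3128",
  "wsa3.customer.com:3128"
];

// 32-bit FNV-1a hash. PAC has no built-in URLhash(), so the file carries its
// own. The shift-and-add form computes h * 16777619 mod 2^32 without leaving
// JavaScript's exact integer range and works on older PAC engines without Math.imul.
function hashString(s) {
  var h = 0x811c9dc5;
  for (var i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = (h + (h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24)) >>> 0;
  }
  return h;
}

// Index of the proxy that is primary for this host.
function primaryFor(host) {
  return hashString(host.toLowerCase()) % PROXIES.length;
}

function FindProxyForURL(url, host) {
  // Keep single-label and intranet names off the proxy: the WSA cannot resolve
  // unqualified names and should not sit in the path of internal traffic.
  if (isPlainHostName(host) || dnsDomainIs(host, ".customer.com")) {
    return "DIRECT";
  }
  // Hash on the host rather than the URL: browsers strip the path from HTTPS
  // URLs before calling the PAC, and keeping one site on one WSA helps its
  // cache and its per-user authentication surrogates.
  var start = primaryFor(host);
  var parts = [];
  for (var i = 0; i < PROXIES.length; i++) {
    parts.push("PROXY " + PROXIES[(start + i) % PROXIES.length]);
  }
  // No trailing DIRECT on purpose: if every WSA is unreachable the browser
  // fails closed instead of silently bypassing inspection.
  return parts.join("; ");
}
```

Each WSA is primary for about a third of external hosts and a failover for the rest, so losing one appliance shifts only its third of the load. Because the file fails closed, the proxies themselves need to be reachable at all times, which is where the CARP virtual IP or a hardware load balancer from the earlier slides comes in.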
• 23. Transparent Proxy At-A-Glance
  Pros:
  • Generally no need to touch the end-user device for authentication (possibly edit the Intranet zone security settings so the browser sends credentials to the proxy)
  • Able to force all traffic to the proxy if desired, without end-user interaction
  • Staggered/staged deployment is easy using WCCP redirect ACLs
  • May reduce the need for a SOCKS client
  • Load balancing is inherent (WCCP spreads flows across the WSAs) without hardware load balancers or a PAC file
  • Easy to back out during deployment: simply remove the redirection
  Cons:
  • Authentication, authentication, authentication. Generally only web browsers can handle the style of authentication required for transparent connections. It requires heavier use of IP surrogates, which may not be favourable or possible given the network configuration (shared addresses behind NAT or terminal servers), and cookie surrogates are not shared between browsers and applications.
  • WCCP can be cumbersome to enable and requires a review of the routing/switching code versions in use.
  • Did I mention authentication?
• 24. Transparent Proxy via WCCP
  • Client requests a website
  • DNS resolution is done by the client
  • Browser tries to connect to the website directly (follows the default route)
  • The network device redirects the traffic to the WSA using WCCP
  • WSA proxies the request (and does its own DNS query)
  (Diagram: client, Web Security Appliance and ASA firewall in front of the Internet and the web server, over IPv4 or IPv6)
• 25. WCCP Details: Assignment
  • The assignment method determines how redirected flows are distributed among the WCCP clients (web caches) in a service group, i.e. which WSA receives which traffic.
  • WCCP supports two assignment methods: hash and mask.
  • Hash-based assignment: a software hash algorithm decides which WCCP client receives the traffic. On hardware-based platforms the NetFlow table is used to provide hardware assistance.
  • Mask-based assignment: uses the ACL TCAM to assign traffic to WCCP clients; fully handled in hardware.
  • 26. WCCP input redirect (wccp-in)
    (diagram: ingress interface with WCCP input redirect, egress interface)
  • 27. WCCP output redirect and input exclude
    (diagram: ingress interface with WCCP exclude-in, egress interface with WCCP output redirect)
  • 28. How WCCP registration works
    • The WCCP client registers at the WCCP server
    • Both server and client need to use the same WCCP Service Group ID
    • One WCCP server can usually serve multiple clients
    • Server and client exchange "Here I Am" and "I See You" packets to check availability
      • UDP/2048, unicast
      • Multicast possible
    • Traffic is redirected from the server to one or multiple clients using the hash or mask algorithm
    (diagram: WCCP Client (WSA/Proxy) and WCCP Server; 1. Registration, 2. Here I am, 3. I see you)
  • 29. WCCP Protocol: Load balancing and Redundancy
    (figure: hash buckets 1–85, 86–170, 171–255 assigned to WCCP clients A, B, C; after client X fails its range is split into 86–128 and 129–170)
    • When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group
    • If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally
  • 30. Using WCCP for Traffic Redirection
    • WCCPv2 support is available on many Cisco platforms; WCCPv2.01 is IPv6 capable
    • WSA supports and negotiates all redirect and assign methods (software implementation)
    • Multiple WSAs elect a "Designated Web Cache" (DWC), the lowest IP in the cluster, which negotiates the method
    • WCCP Weighting: new in v10.5
  • 31. WCCP Weighted Load Balancing: Solution
    • WCCP-WLB: a WCCP deployment is capable of differential load balancing based on customer needs, i.e., the WCCP head-end device can now redirect a larger percentage of traffic to higher-end WSA models compared to lower-end models.
    • The WCCP protocol allows web caches (i.e., WSAs) to advertise their "Assignment Weight", which can be used for load balancing. By configuring the appropriate "Assignment Weight" on the WSA, an administrator can redirect a higher traffic load towards higher-capacity boxes and vice versa.
  • 32. WCCP weight on WSA: what the various weights mean (WCCP WLB)
    Assignment weight: 8-bit number which can take a value between 0 and 255.
    Default assignment weight: 1, which means that traffic will be uniformly redirected to all the WSAs in the WCCP service group.
    Older release compatibility*: to ensure compatibility with older releases, the WebUI reflects an assignment weight of "1" as the default value.
  • 33. How does Weighted Load Balancing work?
    Assume that there are 4 WSAs participating in the service group, with these weights:
      WSA1: 1
      WSA2: 2
      WSA3: 3
      WSA4: 4
    The designated WSA should first calculate the total = 1+2+3+4 = 10, then assign 1/10th of the load to WSA1, 2/10th of the load to WSA2, 3/10th of the load to WSA3 and 4/10th of the load to WSA4.
    In case the hash bucket algorithm is being used to balance load:
      WSA1 should get 1/10th of the available hash buckets: (1/10) x 255
      WSA2 should get 2/10th of the available hash buckets: (2/10) x 255
      WSA3 should get 3/10th of the available hash buckets: (3/10) x 255
      WSA4 should get 4/10th of the available hash buckets: (4/10) x 255
  • 34. WCCP Weighted Load Balancing: Failure Handling
    Assume that WSA4 went down in this example. Currently there will only be 3 WSAs participating in the service group:
      WSA1: 1
      WSA2: 2
      WSA3: 3
      WSA4: 4 (down)
    Total of weights = 6
    The designated WSA should recalculate the load distribution pattern for the service group as follows, in case the hash bucket algorithm is being used to balance load:
      WSA1 should get 1/6th of the available hash buckets: (1/6) x 255
      WSA2 should get 2/6th of the available hash buckets: (2/6) x 255
      WSA3 should get 3/6th of the available hash buckets: (3/6) x 255
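The weighted bucket split from the two slides above, worked through in code. This is an added example, not Cisco's implementation; it distributes the 256 WCCPv2 hash buckets (0–255) by largest remainder, which is the same proportion the slides write as "(weight/total) x 255", and recomputes the split when a WSA leaves the group.

```python
# Added example (not from the Cisco Live deck): hash-bucket allocation for
# WCCP weighted load balancing and the recalculation after a WSA failure.
# WCCPv2 hash assignment has 256 buckets (0-255); the slides express the
# share as "(weight/total) x 255", which is the same proportion.
from typing import Dict, List, Tuple

HASH_BUCKETS = 256


def bucket_shares(weights: Dict[str, int], buckets: int = HASH_BUCKETS) -> Dict[str, int]:
    """Split `buckets` among WSAs in proportion to their assignment weights.

    Weights are 8-bit values (0-255); a weight of 0 means that WSA gets no
    traffic.  Whole buckets are handed out by largest remainder so that every
    bucket is owned by exactly one WSA.
    """
    for name, w in weights.items():
        if not 0 <= w <= 255:
            raise ValueError(f"{name}: assignment weight {w} is not an 8-bit value")
    total = sum(weights.values())
    if total == 0:
        raise ValueError("no WSA in the service group has a non-zero weight")
    exact = {n: w * buckets / total for n, w in weights.items()}
    shares = {n: int(v) for n, v in exact.items()}            # floor of each share
    leftover = buckets - sum(shares.values())
    # leftover buckets go to the WSAs with the largest fractional parts
    for n in sorted(exact, key=lambda k: exact[k] - shares[k], reverse=True)[:leftover]:
        shares[n] += 1
    return shares


def bucket_ranges(weights: Dict[str, int], buckets: int = HASH_BUCKETS) -> List[Tuple[str, int, int]]:
    """Contiguous (name, first_bucket, last_bucket) ranges in WSA order."""
    ranges, start = [], 0
    for name, share in bucket_shares(weights, buckets).items():
        if share:
            ranges.append((name, start, start + share - 1))
            start += share
    return ranges


def redistribute_after_failure(weights: Dict[str, int], failed: str,
                               buckets: int = HASH_BUCKETS) -> Dict[str, int]:
    """Recompute the split when `failed` leaves the group.

    Returns an empty dict when no WSA with a non-zero weight remains; the
    slides note that the service group is then taken offline and traffic is
    forwarded normally.
    """
    survivors = {n: w for n, w in weights.items() if n != failed}
    if not survivors or sum(survivors.values()) == 0:
        return {}
    return bucket_shares(survivors, buckets)


if __name__ == "__main__":
    group = {"WSA1": 1, "WSA2": 2, "WSA3": 3, "WSA4": 4}   # the slides' example
    print(bucket_ranges(group))                              # 26/51/77/102 buckets
    print(redistribute_after_failure(group, "WSA4"))         # 43/85/128 buckets
```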
  • 35. Using WCCP for Traffic Redirection
    • Load balance based on CLIENT address for best performance
  • 36. Using WCCP for Traffic Redirection (2)
    • Performance considerations:
      • MASK (HW) > HASH (SW)
        • HW has to take TCAM resources into consideration
      • L2 (HW) > GRE (SW)
        • Use GRE if the WSA is located in another subnet
        • Check if the device can do GRE in HW
        • Use L2 if the WSA and the WCCP device are in the same subnet
  • 37. WCCP Protocol: Service Group
    • The routers/switches and WCCP clients participating in a WCCP service constitute a service group
    • Up to 32 routers per service group
    • Up to 32 WCCP clients per service group
    • Each service group is established and maintained using separate protocol message exchanges
    • The service definition must be the same for all members of the service group
  • 38. WCCP with L3 Switch, L2 Redirect
    (diagram: VLAN10 client side, VLAN11 towards the Internet)
    sdm prefer routing
    ip routing
    ip wccp 91 redirect-list wsa
    ip access-list extended wsa
     permit tcp any any eq www
     permit tcp any any eq 443
    !
    interface Vlan10
     ip address 172.16.10.10 255.255.255.0
     ip wccp 91 redirect in
    Use the SDM template "access", "routing" or "dual-ipv4/ipv6 routing". WCCP shares the same TCAM region as PBR!
  • 39. WCCP with L3 Switch, L2 Redirect
    Recommendations:
    • Assign a separate VLAN for the connection to the WSA!
    • The redirect ACL only allows "permit" statements on the 3560/3750 Series! 12.2(58) added support for "deny"
    • If the 3560/3750 is stacked, configure WCCP on the stack master!
    (diagram: VLAN10 client side, VLAN40 towards the WSA, Internet)
  • 40. WCCP IPv6
    (diagram: VLAN10 client side, VLAN40 towards the WSA, Internet)
    ipv6 wccp 91 redirect-list wsav6
    !
    interface Vlan10
     ip address 172.16.10.10 255.255.255.0
     ipv6 address 2001:db8:1:10::66/64
     ipv6 nd ra suppress
     ipv6 wccp 91 redirect in
    !
    ipv6 access-list wsav6
     permit tcp 2001:DB8:1:10::/64 any eq www
     permit tcp 2001:DB8:1:10::/64 any eq 443
  • 41. WCCP IPv6 & IPv4
    (diagram: VLAN10 client side, VLAN40 towards the WSA, Internet)
    ip wccp 90 redirect-list wsav4
    ipv6 wccp 91 redirect-list wsav6
    !
    interface Vlan10
     ip address 172.16.10.10 255.255.255.0
     ipv6 address 2001:db8:1:10::66/64
     ipv6 nd ra suppress
     ip wccp 90 redirect in
     ipv6 wccp 91 redirect in
    !
    ipv6 access-list wsav6
     permit tcp 2001:DB8:1:10::/64 any eq www
     permit tcp 2001:DB8:1:10::/64 any eq 443
    !
    ip access-list extended wsav4
     permit tcp any any eq 80
     permit tcp any any eq 443
    Different service groups for IPv4 & IPv6
  • 42. WCCP IPv6 & IPv4: WSA side of things
    In dual-stack environments, two WCCP service groups are required.
  • 43. WCCP IPv6 & IPv4: WSA side of things
    (screenshot: WCCP service group configured with the IPv6 address of the switch/router)
  • 44. WCCP with L3 Switch – IPv4
    munlab-3560X#show ip wccp 91 detail
    WCCP Client information:
            WCCP Client ID:          172.16.10.100
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:      0
            Connect Time:            01:02:16
            Assignment:              MASK
            Mask  SrcAddr    DstAddr    SrcPort DstPort
            ----  -------    -------    ------- -------
            0000: 0x00000000 0x00000526 0x0000  0x0000

            Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
            ----- -------    -------    ------- ------- -----
            0000: 0x00000000 0x00000000 0x0000  0x0000  0xAC100A64 (172.16.10.100)
            0001: 0x00000000 0x00000002 0x0000  0x0000  0xAC100A64 (172.16.10.100)
            0002: 0x00000000 0x00000004 0x0000  0x0000  0xAC100A64 (172.16.10.100)
    Slide callouts: Assignment Method, Version & State, Redirect Method, Mask Value
  • 45. WCCP with L3 Switch – IPv6 L2 Redirect: Verification
    munlab-c6504#sh ipv6 wccp 90 det
    WCCP Client information:
            WCCP Client ID:          2001:420:44E6:2013::45
            Protocol Version:        2.01
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Assignment:              MASK
            Connect Time:            00:13:25
            Redirected Packets:
              Process:               0
              CEF:                   0
            GRE Bypassed Packets:
              Process:               0
              CEF:                   0
            Mask Allotment:          4 of 4 (100.00%)
            Assigned masks/values:   1/4
            Mask  SrcAddr DstAddr SrcPort DstPort
            ----  ------- ------- ------- -------
            0000: ::      300::   0x0000  0x0000
    Slide callouts: Assignment Method, Version & State, Redirect Method, Mask Value
  • 46. WCCP with ASA
    access-list WCCPRedirectionList extended deny ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
    access-list WCCPRedirectionList extended permit tcp any any eq www
    access-list WCCPRedirectionList extended permit tcp any any eq https
    !
    wccp 90 redirect-list WCCPRedirectionList
    wccp interface INSIDE 90 redirect in
    • ASA allows only redirect-in
    • Client and WSA must be on the same interface: no DMZ deployment possible
    • The inside ACL is checked before redirection: the destination server must be allowed in the ACL
    • Redirection method is GRE based
    • Redirect ACL allows permit and deny
    • No TCP Intercept, inspect engine or internal IPS is applied to the redirected flow; the IPS HW/SW module, however, does inspect the traffic
  • 47. WCCP with IP Spoofing
    • Some designs require that the client IP is preserved after being proxied
    • Problem to solve: traffic coming back from the Internet needs to be redirected to the WSA by the network, because the destination is now the client network, no longer the WSA
    • IP spoofing is mostly used in transparent mode
    • Caution: adds complexity in troubleshooting
    • Activated on the WSA in the WCCP config
    (diagram: router interfaces e0, e1, e2)
  • 48. IP Spoofing Design in Transparent Mode
    (diagram: clients in 145.16.0.0/16 on e0, WSA on e1, Internet on e2; WCCP 91 on e0, WCCP 92 on e2)
    ip cef
    ip wccp version 2
    ip wccp 91 redirect-list Redirect-Client
    ip wccp 92 redirect-list Redirect-back
    !
    interface e0
     ip wccp 91 redirect in
    !
    interface e2
     ip wccp 92 redirect in
    !
    ip access-list extended Redirect-Client
     permit tcp 145.16.0.0 0.0.255.255 any eq www
     permit tcp 145.16.0.0 0.0.255.255 any eq 443
    !
    ip access-list extended Redirect-back
     permit tcp any eq www 145.16.0.0 0.0.255.255
     permit tcp any eq 443 145.16.0.0 0.0.255.255
  • 49. IP Spoofing Design in Transparent Mode
    (diagram: clients in 145.16.0.0/16 on e0, WSA on e1, Internet on e2; WCCP 91 on e0, WCCP 92 on e2)
  • 51. Questions you'll be able to answer after this section:
    • When things get slow, where do I look?
    • What performance monitoring does WSA provide?
    • What are policy best practices I can use to help with performance?
    • Is code level really that important?
  • 52. WSA Performance Analysis: where can problems occur?
    1. Client to WSA request (HTTP/HTTPS/FTP)
    2. WSA -> external services (AD1/AD2, DNS, ISE, DLP)
    3. WSA processes
    4. WSA -> Internet: HTTP/S/FTP request, WSA <-> destination server communication
    (diagram: client, WSA1, R1, ASA/FW, server on the Internet)
  • 53. "Our Internet is slow": what questions do I need to ask?
    So, your Internet is SLOW? Tell me more about it!
    • WHO is affected?
      • One user / group of users vs. all users
      • Example: IP/subnet/username(s) of users
    • WHAT are users searching for?
      • Specific URL vs. all URLs
      • HTTP / HTTPS / FTP? Upload/download?
    • WHEN is this happening?
      • All the time?
      • Specific time (morning/noon/peak-traffic time)?
    • SINCE WHEN, and did something change?
  • 54. Troubleshooting Slowness: Architecture Information
    • Other information to gather
      • Proxy deployment (transparent vs. explicit)?
      • Authentication being used (NTLM, CDA/TUI, Kerberos, LDAP, no authentication)?
      • HTTPS proxy enabled?
      • Features enabled on the WSA (AVC, AMP, AV engines, Adaptive Scanning, etc.)?
      • Policy construct
  • 55. Troubleshooting Slowness: Gathering Information
    • Identify issues
      • Easy to identify using CLI commands:
        • proxystat: easy to get CPU utilization and the corresponding RPS (instantaneous)
        • status detail: number of active connections and response times. Active connections: not above 40k
        • trackstats: files stored with useful stats of the WSA proxy and other engines
      • Typically prox CPU utilization above 80% will start to impact performance (most noticeable above 90%)
      • Proxy connection backlog: ideally 0 or near 0
      • Response time: variable, BUT consistency is key
  • 56. Troubleshooting Slowness: Gathering Information
    • Packet capture
      • Need to get a capture that contains the client -> WSA socket as well as the WSA -> destination server socket
      • If not a lot of traffic, run the capture unfiltered
      • If too much traffic, run the capture filtered on the client IP address and the destination server IP address
      • If possible, run a capture on the client machine as well
      • When running a capture using a custom filter and the traffic contains GRE, it will not capture the client-side traffic
        • Using the predefined filter is better for this scenario
  • 57. Troubleshooting Slowness: Common Scenarios
    • Slowness occurs only during peak hours
      • Typically a capacity issue on the WSA
      • Requests per second are too high for the configuration, causing the prox process to spend a high percentage of time using CPU
  • 58. Troubleshooting Slowness: Troubleshooting Process
    • If the issue is occurring at the time of troubleshooting:
      • See if it is possible to test by bypassing the WSA to see if the issue still occurs. If the issue still occurs when bypassing the WSA, then in most scenarios you can rule out the WSA as the cause.
      • If going transparent and the issue is occurring, try explicit to see if the issue still occurs. Load balancer? DNS? WCCP issue? PBR or L4 redirection issue?
      • Check to see if there is a capacity issue by looking at the rate command or by checking trackstats/shd_logs.
  • 59. Troubleshooting Slowness: Troubleshooting Process
    • If the issue is occurring at the time of troubleshooting:
      • Run a packet capture on the WSA and a grep on the access logs while reproducing the issue. If the issue occurs for all websites, use a basic website like example.com or purple.com.
      • If the delay appears to be coming from the WSA, either by packet capture verification or by being unable to rule out the WSA as the source, check trackstats to see if any features may be causing a delay.
      • Check logs on the WSA to see if there are any warning/critical alerts that stand out.
      • If possible, set up an access log subscription with latency custom fields to see where the delay is occurring.
  • 60. Troubleshooting Performance: SNMP Monitoring
    • Enable via the CLI command snmpconfig
    • SNMPv1, v2 and v3 supported
    • SNMPv3 username is v3get
    • MIBs available on cisco.com
      • http://www.cisco.com/c/en/us/support/security/web-security-appliance/tsd-products-support-series-home.html
      • AsyncOS Web MIB
      • AsyncOS SMI MIB for WSA
      • AsyncOS Mail MIB for WSA (not a mistype!)
  • 61. Troubleshooting Performance: SNMP Monitoring
    • OIDs that are the most useful
      • Proxy CPU in percent
        • 1.3.6.1.4.1.15497.1.2.3.1.2 (cacheCPUUsage)
      • Request throughput
        • 1.3.6.1.4.1.15497.1.2.3.7.1.1 (cacheThruputNow)
    • Although both OIDs have the keyword cache, it has nothing to do with the WSA 'cache', other than that the values are always stored in cache.
  • 62. Troubleshooting Performance: SNMP Monitoring
    • snmpwalk example (other options too!)
      snmpwalk -v3 -l authNoPriv -a MD5 -A <passphrase> -Os -u v3get <IP_of_WSA> <OID>
  • 63. Troubleshooting Performance
    The WSA is showing a higher than expected CPU load, either via the CLI proxystat command or SNMP polls. As the WSA reaches its maximum capacity, administrators may experience sluggish response from the GUI and, most notably, latency will increase for traffic being proxied through the appliance.
  • 64. WSA Policy Types Refresher
    • Identification Policy (Who? / How? / How do we recognize/categorize the end user? What groups do we auth?)
    • Access Policy (actions for HTTP / decrypted HTTPS traffic)
    • Decryption Policy (HTTPS traffic handling / what do we decrypt?)
    • Routing Policy (upstream proxy handling)
    • Outbound Malware Policy (do we permit upload of malware content?)
    • Data Security Policy (what content type can we upload?)
    • Other policy types: SaaS/SOCKS policies
  • 65. Web Security Appliance Pipeline
    HTTP client request, stages as listed on the slide: Identification Profiles (Who?), Proxy Bypass List, WBRS Score Calculation, Authentication / Authorization / Guest Access?, Custom URL Category Match, Protocols/User-Agent, Pre-Defined URL Category, AVC, Objects, MIME File-Type Filter, Anti-Virus/Anti-Malware Scanning; per-policy matching
    HTTPS client request, stages as listed on the slide: Identification Profiles (Who?), Proxy Bypass List, WBRS Score Calculation, Custom URL Category Match, Decryption, Pre-Defined URL Category, AVC, Objects, MIME File-Type Filter, Anti-Virus/Anti-Malware Scanning, Authentication / Authorization / Guest Access?, Encryption; per-policy matching
  • 66. Policy Best Practices: Identity Usage
    • Keep identity usage to a minimum
      • The primary goal of identities is to specify which traffic should be authenticated on the appliance (or to specify individual appliances when deploying with an SMA). If creating policies for membership groups or specific subnets, it is best to define these in the access policy itself, especially when the access policies make use of the "All Identities" selection.
  • 67. Policy Best Practices: Access Policies
    • Use "All Identities" sparingly
      • Whenever a policy specifies "All Identities" it is actually replicated in the policy flow for every defined identity. For example, if there are 5 identities, what appears to be a single access policy would actually equal 5 policies if "All Identities" is selected.
    • Place most used / least complex policies near the top of the list
      • Since the WSA stops executing policy decisions after the first match, attempt to keep the most generic and most used policies at the top of the access policy list.
    • Place the most taxing rules near the end of the list
      • Keep the most granular / least used rules near the bottom of the access policy list. These items include authentication policies or policies with custom categories, especially custom categories that contain regular expressions.
    • User policies
      • Avoid defining multiple policies specifying individual users. When possible, create a group for these users on the authorization server and consolidate the policies into a single (or a simpler) policy set.
  • 68. Policy Best Practices: Custom Categories
    • Keep custom categories to a minimum
      • Utilize the predefined URL categories on the appliance
      • Avoid creating custom categories for URLs that are already properly categorized in the filtering databases.
      • Seeing lots of uncategorized sites? Turn on WBNP participation! BEST PRACTICE!
      • Did someone say regex?
  • 69. Custom URL Categories
    Regular expressions: sure, go ahead, only if you really have to, but beware
    • Avoid a large number of custom URL categories
    • Avoid using regular expressions (especially "match any" regex)
    • Try not to use "match any" .*; be more specific
    • Whenever possible, use the Sites field rather than "Advanced -> Regular Expressions"
  • 70. Custom URL Categories: Cisco External & 3rd Party Feeds (Microsoft Office Format)
    • Cisco External & 3rd Party Feeds are a new way of automatically obtaining a custom URL category list from an external server, using the HTTP/HTTPS protocol
    • The same recommendations apply when creating Cisco External Feeds:
      • Use feed entry type "site" as much as possible vs. using "regex" entries
      • Try to avoid having more than 1000 lines per External Feed File
    (diagram: WSA sends GET Feed File (HTTP/HTTPS) to the external feed server, which returns the External Feed File)
    Example external feed file:
      .xyz,regex
      www.facebook.com,site
      ad2.*.com,regex
      mds.rs,site
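A pre-flight check of an external feed file against the two recommendations above (slides 69 and 70): prefer "site" entries over "regex", flag "match any" patterns, and keep the file under 1000 lines. This is an added example and not Cisco's code; it assumes only the "<value>,<type>" line format shown on the slide, and the sample feed is constructed.

```python
# Added example (not Cisco's code): audit a Cisco External Feed file against
# the slide recommendations.  Assumes the feed format shown on the slide,
# one "<value>,<type>" pair per line where type is "site" or "regex".
import re
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_FEED_LINES = 1000                 # recommended upper bound per feed file
MATCH_ANY = re.compile(r"\.\*")       # the ".*" the slides warn about
REGEX_META = set(".*+?[](){}|^$\\")   # characters that make a pattern a real regex


@dataclass
class FeedReport:
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (value, type)
    invalid_lines: List[int] = field(default_factory=list)         # 1-based line numbers
    match_any: List[str] = field(default_factory=list)             # regex entries using ".*"
    literal_regex: List[str] = field(default_factory=list)         # regex entries expressible as "site"
    too_large: bool = False

    @property
    def site_count(self) -> int:
        return sum(1 for _, t in self.entries if t == "site")

    @property
    def regex_count(self) -> int:
        return sum(1 for _, t in self.entries if t == "regex")


def is_literal_regex(pattern: str) -> bool:
    """True when the regex uses no metacharacters except escaped dots, i.e.
    it matches one literal host and could be a cheaper "site" entry."""
    stripped = pattern.replace(r"\.", "")
    return not any(ch in REGEX_META for ch in stripped)


def parse_feed_line(line: str) -> Tuple[str, str]:
    """Split one feed line into (value, type); ValueError on malformed input."""
    value, sep, kind = line.rpartition(",")
    kind = kind.strip().lower()
    if not sep or not value.strip() or kind not in ("site", "regex"):
        raise ValueError(f"malformed feed line: {line!r}")
    return value.strip(), kind


def audit_feed(text: str) -> FeedReport:
    """Parse a whole feed file and collect the findings a reviewer would want."""
    report = FeedReport()
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue                                  # blank lines are ignored
        try:
            value, kind = parse_feed_line(line)
        except ValueError:
            report.invalid_lines.append(lineno)
            continue
        report.entries.append((value, kind))
        if kind == "regex":
            if MATCH_ANY.search(value):
                report.match_any.append(value)
            elif is_literal_regex(value):
                report.literal_regex.append(value)
    report.too_large = sum(1 for l in lines if l.strip()) > MAX_FEED_LINES
    return report


# Constructed sample feed: the slide's four entries plus two extra lines,
# one literal regex that should be a "site" entry and one malformed line.
SAMPLE_FEED = r"""www.facebook.com,site
.xyz,regex
ad2.*.com,regex
mds.rs,site
www\.example\.com,regex
this line has no type
"""

if __name__ == "__main__":
    r = audit_feed(SAMPLE_FEED)
    print(f"{r.site_count} site / {r.regex_count} regex entries")
    print("match-any regex:", r.match_any)
    print("regex that could be site entries:", r.literal_regex)
    print("invalid lines:", r.invalid_lines, "too large:", r.too_large)
```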
  • 71. Decryption Policy Considerations
    • Decrypt only the traffic needed by company security policy, and rely on WBRS!
    • What do I need to decrypt, and what not?
      • Decrypt only categories that need further fine-grained control / access policy processing and AV/AM scanning
      • Decrypt for:
        • Authentication
        • End-user notification display
        • End-user acknowledgement display
      • Pass through traffic that might be confidential (i.e. financial / banking sites)
      • Drop the traffic that would have action Block in the corresponding access policy
      • Drop categories matching illegal, forbidden and business-inappropriate content
  • 72. Debugging Performance Issues
    • Download the file "prox_track.log" from the appliance via FTP
    • The file is written every 5 minutes with a timestamp
    • The setting can be changed in advancedproxyconfig in the CLI
  • 73. prox_track.log content
    • Contains various statistical data around proxy performance
    • Please do NOT consider all packet counts 100% accurate!
    • Just gives a good hint at what problem might be happening
  • 74. General Statistics
    • Traffic Statistics: if you have increasing numbers on "throttled transactions", this could indicate that the appliance cannot handle the load
  • 75. How to read prox_track.log
    • Statistics are snapshots of total packet counts; counters are reset after a reboot / restart of the proxy
    • Take the statistic from time X and time Y, then compare the change
  • 76. Important Statistics
    • Client time: total time that the client was waiting until its request was fulfilled
    • Hit time: time that the WSA uses to fetch content from the local cache
    • Miss time: time that the WSA takes to fetch all data from the server
  • 77. Important Statistics (2)
    • Server Transaction time: time for the total transaction to the server to be finished. High values can mean "upstream" problems (firewall, router, ISP, upstream proxy)
    • Server wait time: time until the WSA gets the first byte from the server
  • 78. Important Statistics (3)
    • DNS Time: time for the WSA to do a DNS resolution. A high time indicates a problem with the DNS server
  • 79. Important Statistics (4)
    • Auth Helper Wait: time an authentication request waits until it is validated by the AD / LDAP server. A high time indicates a problem with the connection to the authentication server
    • Auth Helper Service: time until an authentication request is fully validated (check if the IP address is already authenticated, check surrogates, etc.)
  • 80. Important Statistics (5)
    • WBRS Service Time: time for the WSA to check the reputation score
    • Webcat Service Time: time for the WSA to check the URL category
    • AVC Header Scan Service Time: time to check the header of a request against the AVC signatures
    • AVC Body Scan Service Time: time to check the body of a request against the AVC signatures
  • 81. Important Statistics (6)
    • Sophos/McAfee/Webroot Service Time: time that the scanner used to scan the object
    • Service Queue Time: time that the object stayed in the queue to be scanned
    • Adaptive Scanning Service Time: time for the adaptive scanning process to scan an object
  • 82. Adaptive Scanning
    • Each type of object gets a RISK score assigned
    • The score is based on the type of object, the effectiveness of the malware scanner for this type, and WBRS (WBRS must be enabled on the WSA)
    • The appliance will scan objects with the scanner that is most appropriate for this object type
    • If the appliance has a performance problem with the anti-malware scanners, it will drop objects from scanning. Example: don't scan *.jpg files with McAfee when they are coming from websites with a good reputation.
  • 83. Customizing the Access Log
    Add a custom field like "%m" (= Authentication Method) to the access_log
    • Variables can be appended in the access logs
    • Variables are to be found in the GUI; some older versions of the WSA software might not have the full list
  • 84. Customizing the Access Log: Example
    %m AUTH: %:>a DNS: %:>d REP: %:>r
      %m   : Authentication Method
      %:>a : Authentication wait time
      %:>d : DNS wait time
      %:>r : Reputation wait time
    Any text acts as a comment for readability
  • 85. Customizing the Access Log: Example (2)
    Destination IP: %k
    Extremely useful in dual-stack environments to find out whether the WSA makes the outgoing connection on IPv4 or IPv6!
    (screenshot: source IP from client = IPv6, destination IP = v4)
  • 86. Customizing the Access Log: Example (3)
    Other useful parameters:
      %L <- human-readable local time
      %k <- destination IP
      %g <- group memberships
      %u <- user agent
    Example for detailed performance logs:
      Request Details: ID = %I, User Agent = %u, AD Group Memberships = ( %m ) %g ] [ Tx Wait Times (in ms): 1st byte to server = %:<1, Request Header = %:<h, Request to Server = %:<b, 1st byte to client = %:1>, Response Header = %:h>, Client Body = %:b> ] [ Rx Wait Times (in ms): 1st request byte = %:1<, Request Header = %:h<, Client Body = %:b<, 1st response byte = %:>1, Response header = %:>h, Server response = %:>b, Disk Cache = %:>c; Auth response = %:<a, Auth total = %:>a; DNS response = %:<d, DNS total = %:>d, WBRS response = %:<r, WBRS total = %:>r, AVC response = %:A>, AVC total = %:A<, DCA response = %:C>, DCA total = %:C<, McAfee response = %:m>, McAfee total = %:m<, Sophos response = %:p>, Sophos total = %:p<, Webroot response = %:w>, Webroot total = %:w<, Anti-Spyware response = %:<s, Anti-Spyware total = %:>s; Latency = %x; %L
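Reading the custom fields back out: the parser below takes access-log lines that end with the "%m AUTH: %:>a DNS: %:>d REP: %:>r" suffix from slide 84 and reports which wait dominated each slow request. This is an added example, not WSA code; the log lines are constructed and the standard fields before the custom suffix are abbreviated, only their order (timestamp, elapsed ms, client IP, result, bytes, method, URL, ...) is relied on.

```python
# Added example (not from the deck): pull the custom latency fields from
# WSA access-log lines and attribute slow requests to a component.
# Sample lines are constructed; standard fields are abbreviated.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The slide's custom suffix: %m, then labelled wait times, at the end of the line.
CUSTOM_FIELDS = re.compile(
    r"(?P<auth_method>\S+) AUTH: (?P<auth>\d+) DNS: (?P<dns>\d+) REP: (?P<rep>\d+)\s*$")


@dataclass
class RequestLatency:
    timestamp: float
    elapsed_ms: int          # standard field 2: total transaction time
    client: str
    url: str
    auth_method: str         # %m
    auth_ms: int             # %:>a
    dns_ms: int              # %:>d
    wbrs_ms: int             # %:>r

    def slowest_component(self) -> str:
        """auth, dns or wbrs when one of the logged waits dominates; 'other'
        when the bulk of the elapsed time is not covered by these three
        fields (server, scanning, client-side time)."""
        parts = {"auth": self.auth_ms, "dns": self.dns_ms, "wbrs": self.wbrs_ms}
        parts["other"] = max(self.elapsed_ms - sum(parts.values()), 0)
        return max(parts, key=parts.get)


def parse_access_line(line: str) -> Optional[RequestLatency]:
    """Return the latency record for a line carrying the custom suffix, else None."""
    m = CUSTOM_FIELDS.search(line)
    fields = line.split()
    if not m or len(fields) < 7:
        return None
    try:
        return RequestLatency(
            timestamp=float(fields[0]), elapsed_ms=int(fields[1]),
            client=fields[2], url=fields[6],
            auth_method=m.group("auth_method"),
            auth_ms=int(m.group("auth")), dns_ms=int(m.group("dns")),
            wbrs_ms=int(m.group("rep")))
    except ValueError:
        return None


def slow_request_breakdown(lines: List[str], threshold_ms: int = 1000) -> Dict[str, int]:
    """For requests slower than threshold_ms, count which component was the bottleneck."""
    counts = {"auth": 0, "dns": 0, "wbrs": 0, "other": 0}
    for line in lines:
        req = parse_access_line(line)
        if req and req.elapsed_ms > threshold_ms:
            counts[req.slowest_component()] += 1
    return counts


# Constructed sample: one auth-bound, one DNS-bound, one fast, one upstream-bound request.
SAMPLE_LOG = [
    "1528473600.150 2310 10.1.1.25 TCP_MISS/200 8187 GET http://www.example.com/ jdoe@CORP "
    "DIRECT/www.example.com text/html DEFAULT_CASE_12-AccessPolicy-Ident NTLMSSP AUTH: 1980 DNS: 12 REP: 35",
    "1528473601.420 1540 10.1.1.26 TCP_MISS/200 512 GET http://slow-dns.example.net/ jsmith@CORP "
    "DIRECT/slow-dns.example.net text/html DEFAULT_CASE_12-AccessPolicy-Ident NTLMSSP AUTH: 20 DNS: 1400 REP: 30",
    "1528473602.010 95 10.1.1.27 TCP_MISS/200 2048 GET http://fast.example.org/ - "
    "DIRECT/fast.example.org text/html DEFAULT_CASE_12-AccessPolicy-Ident NONE AUTH: 0 DNS: 5 REP: 10",
    "1528473603.300 3200 10.1.1.28 TCP_MISS/200 65536 GET http://upstream.example.com/big jdoe@CORP "
    "DIRECT/upstream.example.com application/zip DEFAULT_CASE_12-AccessPolicy-Ident NTLMSSP AUTH: 15 DNS: 8 REP: 22",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        req = parse_access_line(entry)
        if req:
            print(f"{req.client} {req.url} {req.elapsed_ms}ms -> {req.slowest_component()}")
    print(slow_request_breakdown(SAMPLE_LOG))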
  • 87. Summary for WSA Performance Analysis
    • The WSA has very detailed logs/GUI to troubleshoot performance issues
    • Use the prox_track.log file for general performance checks
    • Customize the access logs for detailed checking of single requests
    • You can always add more processing power, either with hardware or virtual appliances
    • And stay current on code...
  • 89. Web Security Software 10.x, 11.0 and 11.5
    10.0: Referrer Header, Live (Third Party) Feeds, AMP Private Cloud, AMP Advanced Reporting, Intermediate Certificate, Updated User Agent List
    10.1: Archive Inspection, S600v, Centralized Upgrade
    10.5: WCCP Weighted LB, Certification FIPS, CC, UP-ACL
    11.0: CDO Integration, Enhanced DNS, Hyper-V Support, CTA Template Support
    11.5: WSAv in AWS, Schedule Policy Expiry, User Usage Count, Cloudlock Integration, CTA Integration Phase 2, AMP Unity Integration
    x70 platform last code v10.1: consider hardware upgrades for new features and significant performance increases.
    (release status markers as printed on the slide: LD GA GA GA LD)
  • 90. Hardware / Virtual Appliance Update & Sizing
  • 91. Questions you'll be able to answer after this section:
    • How do I appropriately size my environment?
    • What options are available for physical hardware and virtual?
  • 92. Cisco Content Security Virtual Appliance
    • Free of charge for customers with Security Bundle Licensing/Contract ID
    • Offered for all Content Security products: WSA, SMA, and ESA
    • KVM, ESXi, Hyper-V & AWS support
    • Licensing handled via license file vs. cloud keys as physical
    • No perpetual licensing options; the VM expires when the security features expire
    • Full appliance import, no underlying OS requirements
    • http://www.cisco.com/c/dam/en/us/td/docs/security/content_security/virtual_appliances/Cisco_Content_Security_Virtual_Appliance_Install_Guide.pdf
    • http://www.cisco.com/c/en/us/support/docs/security/email-security-virtual-appliance/118301-technote-esa-00.html
  • 93. WSA Virtual Hardware Specs (AWS)
    Model            | S600v (Corporate Headquarters) | S300v (Small Office)  | S100v (Branch Offices)
    Family Type      | Compute Optimized              | Compute Optimized     | General Purpose
    Instance Type    | C4.4xlarge                     | C4.xlarge             | M4.Large
    CPUs             | 16 Cores                       | 4 Cores               | 2 Cores
    Speed (minimum)  | 2.7 GHz                        | 2.7 GHz               | 2.7 GHz
    Memory           | 30 GB                          | 7.5 GB                | 8 GB
    Disk Space       | 2.4 TB (10K RPM SAS)           | 1024 GB (10k RPM SAS) | 250 GB (10k RPM SAS)
    Disk Types       | Provisioned IOPS SSD (IO1), General Purpose SSD (GP2), Magnetic (same for all three models)
  • 94. WSAv Sizing & Performance
        Model      Disk Space   Memory   Processor Cores   Sustained RPS*
        S000v**    250 GB       4 GB     1                 65-180
        S100v      250 GB       6 GB     2                 130-300
        S300v      1024 GB      8 GB     4                 200-580
        S600v***   1024 GB      24 GB    12                550-1170
    • * Sustained RPS varies with the security features enabled and the policy complexity.
    • ** Only consider the S000v for lab/very small environments
    • *** Only supported for AsyncOS v10.1 and higher
    • Minimum specs: Two 64-bit x86 processors of at least 1.5 GHz each, 10k RPM SAS hard disk drive
  • 95. WSAv vs. WSA Appliance
        Model    Disk Space        Memory   Processor Cores   Sustained RPS*
        S000v    250 GB            4 GB     1                 65-180
        S100v    250 GB            6 GB     2                 120-340
        S300v    1024 GB           8 GB     4                 170-480
        S600v    1024 GB           24 GB    12                550-1170
        S190     1200 – 2400 GB    8 GB     6, 1.9 GHz        340-450
        S390     2400 – 4000 GB    32 GB    8, 2.4 GHz        500-1220
        S690     4800 – 9600 GB    64 GB    24, 2.5 GHz       910-1900
    • * Sustained RPS varies with the security features enabled and the policy complexity
  • 96. Virtual Installation Considerations
    • Do not clone the VM; do not alter the hardware configuration
    • No snapshots older than 72 hours (save disk!)
    • Local disk is recommended
    • Thin provisioning sounds great, but don’t use it outside of a lab.
    • Cisco UCS Hardware is supported end-to-end. Other hardware platforms are supported on a “Best Effort” basis: Cisco will try to help you, but it may not be possible to reproduce all problems, and we cannot guarantee a solution.
    • Oh, and do not clone or alter the HW config on the VM – and – LOCAL DISK!
  • 97. AMP & Threat Grid on WSA
  • 98. Questions you’ll be able to answer after this section:
    • What is AMP?
    • What is Threat Grid?
    • How do they interact?
    • What’s in the cloud vs. on-premise?
    • How would I configure WSA and a Threat Grid Appliance?
    • What is AMP Unity?
  • 99. What are the AMP Components?
    • AMP Public Cloud – A big data cloud that drives File Reputation and provides Dispositions of files
    • AMP Private Cloud – Think AMP Public Cloud, but on premise
    • AMP-Enabled Integration – A Cisco device that queries data from the AMP Cloud and submits files to Threat Grid
    • AMP for Endpoint – A client, on an endpoint ;)
    • ….and Threat Grid too!
  • 100. Cisco Advanced Malware Protection Recap: what are we actually providing with the solution?
        Service              Function                                          Powered by
        File Reputation      Blocking of known malicious files                 AMP Cloud
        File Analysis        Behavior analysis of unknown files                Threat Grid Cloud
        File Retrospection   Retrospective alerting upon disposition change    AMP Cloud
  • 101. How does AMP protect our systems? (diagram slide; the pairing of engine names with their descriptions is reconstructed from the diagram text)
    • AMP-Enabled Integration Protection (ALL INTEGRATIONS):
      • File Rep – SHA256 Matching: Finds the low hanging fruit, fast. Tracks Clean, Malicious and Unknown hashes
      • SPERO Static Analysis: Examines PE headers, looks at DLL imports, compile location and ~400 factors. Heuristic engine
      • ETHOS Fuzzy Fingerprinting: Pack/unpack/repack files to attempt to match polymorphic malware to known hashes
      • Threat Grid File Analysis: Dynamic analysis performed on unknown files in a virtual environment
      • Cisco Talos Cloud: Cisco’s Threat Team and Cloud Intelligence source
      • Retrospective Detection
    • Additional Protection available in AMP for Endpoints (AMP FOR ENDPOINT):
      • Tetra AV Engine: Signature based AV protection
      • MAP Behavioral Analysis: Rules engine that looks at behaviors locally on the machine
      • Exploit Prevention: Randomize memory structures to protect against memory attacks and file-less malware
      • System Protection: Protects system processes from exploitation or process injection
      • Device Flow Correlation (DFC): Monitors network traffic for malicious destinations
      • Cloud IOCs: Behavior-based analysis to uncover known and unknown malware
    • CONTINUOUS PROTECTION: Observes behavior of all clean/unknown files on a system; can quarantine malicious files (CES/ESA); observes interaction between files to determine suspicious activity; watches network traffic to isolate C2 or data exfiltration
  • 102. What is Threat Grid?
    • Threat Grid is a unified malware analysis and threat intelligence platform. It performs automated static and dynamic analysis, producing human readable behavioral indicators for each file submitted. Threat Grid’s global scalability drives context rich information that can be consumed directly or via content rich threat intelligence feeds.
    • Behavioral indicators; Advanced static and dynamic analysis; Threat Intelligence; Unified malware analysis platform; Scalability & Global Correlation
  • 103. Cisco Web Security: Complete Inbound Protection (diagram slide). Inspection stages shown between the WWW and the user: URL Filtering, Reputation Filtering, Dynamic Content Analysis, Anti Virus Engines, AMP Anti Malware Engine, with Cisco TALOS as the intelligence source. Verdicts shown per stage: Block, Block/Warn, Allow, Warn, Filter.
  • 104. AMP & Threat Grid on WSA: Web Security Appliance Communication Flow (diagram slide)
    • File Reputation: the WSA sends a File Reputation Check (includes SHA256, SPERO) to the AMP Database and receives a Disposition (unknown, malicious, clean)
    • File Analysis: the WSA sends an Analysis Request (includes the file) to Threat Grid and receives a Threat Score
    • The file hash is automatically marked in the AMP Database
  • 105. Configuring AMP for WSA: Enable AMP Services
    • Security Services > Anti-Malware and Reputation Settings
    • You can choose whether to enable or disable two services:
      • File Reputation (SHA-256)
      • File Analysis (Analyze the file in Threat Grid)
    • Screenshot callouts: Enables File Reputation globally; Enables File Analysis globally; Enables specific File Types globally
  • 106. Configuring AMP for WSA: AMP Services Advanced Settings
    • Select the Data Center and register the WSA at your AMP for Endpoints Console (more details in a sec ...)
    • Configure the Upstream Proxy for File Reputation checks
    • Screenshot callouts: AMP Client ID; File Analysis Client ID
  • 107. Configuring AMP for WSA: Access Policy
    • Web Security Manager > Access Policies
    • Click on the link to change AMP-related policy settings
    • Screenshot callouts: Turns on File Reputation for traffic matching this Access Policy; Select the action to take for malicious objects
  • 108. AMP on WSA: WSA with Public Cloud (diagram: WSA, AMP Public Cloud, Threat Grid “brain and logs”)
    1. The WSA generates the file’s 1-1 and SPERO SHAs and queries the AMP Cloud for a reputation lookup
    2. File Reputation returned:
      • If Clean – File download completed
      • If Malicious – File download monitored or dropped as per policy
      • If Unknown – File copied for preclassification (ClamAV) and download completes
    3. If the file type is supported, the file is sent to Threat Grid for File Analysis
    4. WSA polls Threat Grid. If the Threat Score is >=95, WSA alerts as a retrospective
    5. Threat Score passed to AMP Cloud (Poke)
    6. AMP Cloud uses this intelligence to generate a disposition for the file. AMP connectors obtain the updated disposition the next time the AMP Cloud is contacted for a retrospection update (PING2)
  • 109. AMP on WSA: WSA with Public Cloud, Hybrid with Local Threat Grid Appliance (diagram: WSA, AMP Public Cloud, Threat Grid Appliance, Threat Grid “brain and logs”)
    1. The AMP Connector generates the file’s 1-1 and SPERO SHAs and queries the AMP Cloud for a reputation lookup. The Threat Grid Appliance is also checked in case the file has been previously analyzed. If so, go to step 5.
    2. File Reputation returned:
      • If Clean – File download completed
      • If Malicious – File download monitored or dropped as per policy
      • If Unknown – File copied for preclassification (ClamAV) and download completes
    3. If the file type is supported, the file is sent to the Threat Grid Appliance for File Analysis
    4. WSA polls the Threat Grid Appliance
    5. WSA polls Threat Grid. If the Threat Score is >=95, WSA alerts as a retrospective (no poke to AMP Cloud)
    6. This verdict can be overruled by retrospection from the Public Cloud if the AMP connector obtains an updated disposition the next time the AMP Cloud is contacted for a retrospection update (PING2)
  • 110. AMP on WSA: WSA with Private Cloud (Proxy Mode) and Local Threat Grid Appliance (diagram: AMP Private Cloud (PC), Threat Grid Appliance, AMP Public Cloud, Threat Grid “brain and logs”; the diagram label reads “AMP on ESA”)
    1. The AMP Connector generates the file’s 1-1 and SPERO SHAs and queries the AMP PC for a reputation lookup. The Threat Grid Appliance is also checked in case the file has been previously analyzed. If so, go to step 6.
    2. If the AMP PC has no reputation, ask the Public Cloud
    3. AMP PC returns reputation:
      • If Clean – File download completed
      • If Malicious – File download monitored or dropped as per policy
      • If Unknown – File copied for preclassification (ClamAV) and download completes
    4. If the file type is supported, the file is sent to the Threat Grid Appliance for File Analysis
    5. WSA polls the Threat Grid Appliance
    6. If the Threat Score is >=95, ESA convicts the file as malicious and alerts as a retrospective event
    7. Threat Score passed to AMP PC (Poke)
    8. AMP PC uses this intelligence to generate a disposition for the file and sends this to the AMP Connector (PING2)
    9. This verdict can be overruled by retrospection from the Public Cloud (PING2)
  • 111. AMP on WSA: WSA with Private Cloud (Air gap) and Local Threat Grid Appliance (diagram: AMP Private Cloud (PC), Threat Grid Appliance, AMP Public Cloud, Threat Grid “brain and logs”; the diagram label reads “AMP on ESA”)
    1. The AMP Connector generates the file’s 1-1 and SPERO SHAs and queries the AMP PC for a reputation lookup. The Threat Grid Appliance is also checked in case the file has been previously analyzed. If so, go to step 5.
    2. AMP PC returns reputation:
      • If Clean – File download completed
      • If Malicious – File download monitored or dropped as per policy
      • If Unknown – File copied for preclassification (ClamAV) and download completes
    3. If the file type is supported, the file is sent to the Threat Grid Appliance for File Analysis
    4. WSA polls the Threat Grid Appliance
    5. If the Threat Score is >=95, ESA convicts the file as malicious and alerts as a retrospective event
    6. Threat Score passed to AMP PC (Poke)
    7. AMP PC uses this intelligence to generate a disposition for the file and sends this to the AMP Connector (PING2)
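The four deployment slides above share one decision path: reputation lookup, hand-off of unknown files to File Analysis, polling for the Threat Score, conviction at a score of 95 or more, and the poke/PING2 retrospection loop. The Python model below is an added example, not Cisco code: it models the public-cloud flow and the hybrid flow with a local Threat Grid Appliance (the two private-cloud variants differ only in which cloud is poked). AmpCloudStub and ThreatGridStub are constructed offline stand-ins for the real AMP cloud and Threat Grid, ANALYZABLE is an assumed file-type list, and the sample downloads are constructed; only the threshold and the step order come from the slides.

```python
"""Model of the AMP-on-WSA file flow (added example, not Cisco code).

AmpCloudStub / ThreatGridStub are constructed stand-ins for the AMP cloud
(public or private) and for Threat Grid (cloud or appliance). ANALYZABLE is
an assumed file-type list. The >= 95 threshold, the unknown-file hand-off
and the poke/PING2 retrospection behaviour follow the slides.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

RETRO_THRESHOLD = 95                            # Threat Score at/above which WSA raises a retrospective
ANALYZABLE = {".exe", ".dll", ".pdf", ".doc"}   # assumed: types the WSA would send for File Analysis

# Constructed sample downloads; only their SHA-256 matters to the flow.
SAMPLES = {
    "report.pdf":  b"%PDF-1.4 constructed benign document",
    "dropper.exe": b"MZ constructed known-bad sample",
    "tool.exe":    b"MZ constructed never-seen sample",
    "notes.txt":   b"constructed plain text, not an analyzable type",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AmpCloudStub:
    """Stand-in for the AMP reputation database: SHA-256 -> disposition."""

    def __init__(self, known: Dict[str, str]):
        self._disp = dict(known)

    def lookup(self, sha: str) -> str:
        return self._disp.get(sha, "unknown")

    def poke(self, sha: str, score: int) -> None:
        """'Threat Score passed to AMP Cloud (Poke)': a high score becomes a malicious
        disposition that connectors pick up on their next retrospection update (PING2)."""
        if score >= RETRO_THRESHOLD:
            self._disp[sha] = "malicious"


class ThreatGridStub:
    """Stand-in for Threat Grid; analysis completes instantly with a preset score."""

    def __init__(self, scores: Dict[str, int], already_analyzed=()):
        self._scores = scores
        self._done: Dict[str, int] = {s: scores[s] for s in already_analyzed}

    def previous_result(self, sha: str) -> Optional[int]:
        return self._done.get(sha)

    def submit(self, sha: str, data: bytes) -> None:
        self._done[sha] = self._scores.get(sha, 0)

    def poll(self, sha: str) -> Optional[int]:
        return self._done.get(sha)


@dataclass
class Verdict:
    sha: str
    disposition: str              # clean / malicious / unknown at lookup, or "previously-analyzed"
    download: str                 # "completed" or "blocked"
    submitted: bool = False
    threat_score: Optional[int] = None
    retrospective: bool = False


def process_download(name: str, data: bytes, cloud: AmpCloudStub, tg: ThreatGridStub,
                     hybrid: bool = False, block_malicious: bool = True) -> Verdict:
    """hybrid=False: public-cloud flow. hybrid=True: local Threat Grid Appliance flow,
    where the appliance is consulted first and no poke goes to the AMP cloud."""
    sha = sha256_hex(data)
    if hybrid:
        score = tg.previous_result(sha)
        if score is not None:                       # "If so, go to step 5"
            return Verdict(sha, "previously-analyzed", "completed",
                           threat_score=score, retrospective=score >= RETRO_THRESHOLD)
    disp = cloud.lookup(sha)                        # step 1: reputation lookup
    if disp == "malicious":                         # step 2: monitored or dropped per policy
        return Verdict(sha, disp, "blocked" if block_malicious else "completed")
    if disp == "clean":
        return Verdict(sha, disp, "completed")
    v = Verdict(sha, "unknown", "completed")        # unknown: download completes, copy kept
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in ANALYZABLE:                           # step 3: supported type -> File Analysis
        tg.submit(sha, data)
        v.submitted = True
        v.threat_score = tg.poll(sha)               # step 4: poll for the Threat Score
        if v.threat_score is not None and v.threat_score >= RETRO_THRESHOLD:
            v.retrospective = True
            if not hybrid:
                cloud.poke(sha, v.threat_score)     # steps 5-6: poke, cloud sets the disposition
    return v


def demo() -> Dict[str, Verdict]:
    cloud = AmpCloudStub({sha256_hex(SAMPLES["report.pdf"]): "clean",
                          sha256_hex(SAMPLES["dropper.exe"]): "malicious"})
    tg = ThreatGridStub({sha256_hex(SAMPLES["tool.exe"]): 97})
    return {n: process_download(n, d, cloud, tg) for n, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:12} {v.disposition:10} {v.download:9} score={v.threat_score} retro={v.retrospective}")
```

The point the model makes visible is that an unknown file is never blocked at download time: it completes, is analyzed afterwards, and a second download of the same bytes is blocked only because the poke turned the cloud disposition to malicious. In the hybrid case the local appliance's verdict raises the retrospective alert but leaves the cloud disposition untouched, which is why the slide notes it can later be overruled by public-cloud retrospection.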
  • 112. Threat Grid Appliance (TGA) Integration with WSA
    • Requirements
      • Cisco Threat Grid v2.1 or newer (v2.4.3.2 strongly recommended)
      • Cisco Web Security Appliance AsyncOS v9 or newer (v10.5.2-061 strongly recommended)
    • Before You Begin
      • Ensure the code levels are appropriate
      • Ensure the WSA can reach the TGA CLEAN interface over the network
      • The WSA requires feature keys for “File Reputation” and “File Analysis”
      • Configure the Threat Grid appliance first, then the WSA
      • If you will deploy a self-signed certificate: generate a self-signed SSL certificate from the Cisco AMP Threat Grid appliance to be used on your WSA. Be sure to generate a certificate that has the hostname of your Threat Grid appliance as the CN. The default certificate from the Threat Grid appliance does NOT work
  • 113. Threat Grid Integration – Step 1 (on the Threat Grid appliance)
    • Click Regenerate
    • Download SSL Certificate
    • ThreatGRID Application: “Clean Interface”
    • Administration Portal: “Admin Interface”
    • Supports TLSv1.0, TLSv1.1, TLSv1.2
  • 114. Threat Grid Integration – Step 2 (on the WSA)
    • Security Services / Anti-Malware and Reputation
    • Edit Global Settings
    • Advanced
    • Select Private Cloud
    • Enter the DNS name of the Threat Grid Server
    • Select Use Uploaded CA
    • Upload the .cert file downloaded from TG
  • 115. Threat Grid Integration – Step 3 (on the Threat Grid appliance)
    • When the WSA connects and registers itself with the Threat Grid Appliance, a new Threat Grid user is created automatically. The initial status of this account is "de-activated"
    • The login will match the Client ID from the WSA
    • Click Re-Activate User
  • 116. Troubleshooting Integration
    • Ensure you have the appropriate Feature Keys on the WSA
    • Check that port 443 communication to the TG server (clean interface) over TCP is healthy
    • Check whether any "API Key Error" is printed in the AMP debug logs
      • Invalid API Key: check if the account is re-activated; if not, re-activate the account
      • Account Inactive: check if the account is re-activated; if not, re-activate the account
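The checklist on this slide is easy to automate. The script below is an added example, not Cisco tooling: it performs the TCP/443 reachability test against the TGA clean interface and scans AMP debug log lines for the "API Key Error", "Invalid API Key" and "Account Inactive" strings, mapping each hit to the remediation the slide gives. The sample log lines and their format are constructed (the real WSA log layout may differ), and "tga.example.internal" is a placeholder hostname.

```python
"""Checks for the WSA to Threat Grid Appliance (TGA) integration (added example, not Cisco tooling).

Automates the slide's troubleshooting list: TCP/443 reachability of the TGA
clean interface, and the "API Key Error" / "Invalid API Key" / "Account
Inactive" strings in the AMP debug log. The log lines below are constructed
and their format is assumed; the real WSA log layout may differ.
"""
import re
import socket
from typing import Dict, List, Tuple

# Constructed sample of an AMP debug log (assumed format, not a real WSA log).
SAMPLE_AMP_LOG = [
    "Mon Jun 11 10:00:01 2018 Info: AMP file analysis: registering with tga.example.internal",
    "Mon Jun 11 10:00:02 2018 Warning: AMP file analysis: API Key Error: Invalid API Key",
    "Mon Jun 11 10:00:03 2018 Warning: AMP file analysis: submission refused, Account Inactive",
    "Mon Jun 11 10:05:00 2018 Info: AMP file reputation: query ok",
]

# Case-insensitive pattern -> what the slide says to do about it.
FINDINGS: Dict[str, str] = {
    r"invalid api key": "Invalid API Key: check that the TGA user created at registration "
                        "has been re-activated; re-activate it if not",
    r"account inactive": "Account Inactive: re-activate the account on the TGA",
    r"api key error": "API Key Error: confirm the Client ID / API key and the account state on the TGA",
}


def scan_amp_log(lines: List[str]) -> Dict[str, int]:
    """Count occurrences of each known error string in AMP debug log lines."""
    counts = {pattern: 0 for pattern in FINDINGS}
    for line in lines:
        lowered = line.lower()
        for pattern in FINDINGS:
            if re.search(pattern, lowered):
                counts[pattern] += 1
    return counts


def remediation(counts: Dict[str, int]) -> List[str]:
    """Map non-zero findings to the slide's remediation text, in FINDINGS order."""
    return [FINDINGS[p] for p, n in counts.items() if n]


def check_clean_interface(host: str, port: int = 443, timeout: float = 3.0) -> Tuple[bool, str]:
    """Plain TCP handshake to the TGA clean interface (no TLS): a firewall or routing
    problem shows up here before any certificate or API-key issue can."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, f"TCP {host}:{port} reachable"
    except OSError as exc:
        return False, f"TCP {host}:{port} not reachable: {exc}"


def run_checks(host: str, log_lines: List[str]) -> Dict[str, object]:
    reachable, detail = check_clean_interface(host)
    counts = scan_amp_log(log_lines)
    return {"reachable": reachable, "detail": detail,
            "counts": counts, "actions": remediation(counts)}


if __name__ == "__main__":
    # "tga.example.internal" is a placeholder; use your TGA clean-interface hostname.
    result = run_checks("tga.example.internal", SAMPLE_AMP_LOG)
    print(result["detail"])
    for action in result["actions"]:
        print("-", action)
```

Run the TCP check from the WSA's own network position (or a host on the same segment), since the point is to verify the path the appliance itself uses; a successful check from an admin workstation proves little if the WSA's data interface sits behind a different firewall rule.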
  • 117. AMP Console: Unity Support (diagram slide). The AMP Cloud links Network Appliances (NGIPS, NGFW), Endpoints and Content Appliances (WSA, ESA) and provides Global File Trajectory, Whitelists, Blacklists and Global Outbreak Control across them.
  • 118. AMP Unity Functionality with Releases
    • AMP Appliances and Firepower Appliances (NGIPS, NGFW): FMC 6.2
    • Email Security (ESA): AsyncOS 11.1
    • Web Security (WSA): AsyncOS 11.5
    • Functions: Global Trajectory* (see File & Device trajectory from all your AMP-enabled devices), Simple Custom Detection (Blacklisting), Whitelisting, Global Outbreak Control
  • 119. Steps for Integration of WSA with AMP Unity
    • Step 1: Web Security Registration with AMP Console
    • Step 2: Create AMP Policies, Blacklist and Whitelist
    • Step 3: Blacklist & Whitelist validation on WSA
    • Step 4: Device and File Trajectory views
  • 120. WSA Registration with AMP Unity Console – Step 1: Configuration & Registration
    • Initial Registration: the WSA redirects to the regional AMP for Endpoints console for authorization (based on the selected File Reputation Server)
    • Authorization: log into the AMP for Endpoints console and authorize the WSA S/N or WSAv VLN number
  • 121. WSA Registration with AMP Unity Console – Step 2: Registration Success and Validation
    • Registration Complete: redirect back to the WSA GUI with a note about successful registration
    • Search for the hostname of the WSA using the S/N or VLN number, then select your WSA
  • 122. AMP Unity Policy Creation – Step 3 (screenshot slide)
  • 123. Device and File Trajectory views – Step 4 (screenshot slide)
  • 125. Questions you’ll be able to answer after this section:
    • What is CTA and where does it fit in the WSA security stack?
    • How do I configure it?
  • 126. CTA on Cisco Web Security (CWS / WSA) (diagram slide)
    • Inline protections shown: Web Reputation, Web Filtering, Application Visibility & Control, Anti-Malware, File Reputation, Webpage Outbreak Intelligence, Dynamic Malware Analysis, File Retrospection; verdicts: Allow, Warn, Block, Partial Block
    • Cognitive Threat Analytics (CTA) is placed in the “After” stage; other labels on the slide: Talos, Reporting, Management, Admin, STIX / TAXII (APIs)
    • CTA Licensing is included with AMP licensing on WSA, or standalone for 3rd party proxies
  • 127. Cognitive Threat Analytics (CTA): CTA enhances web security with layers of breach detection and analytics to identify difficult-to-find threats
    • Funnel stages shown: Anomalous Web requests, Malicious Events, Threat Incidents
    • Techniques: Anomaly detection, Trust modeling, Event classification, Relationship modeling
    • Scale: 10B requests per day, 20K incidents per day
  • 128. Cognitive Threat Analytics: Breach Detection & Advanced Threat Visibility for CWS, WSA and External Telemetry (diagram slide)
    • Input telemetry (Web Access Logs) from HQ Web Security Gateways and Cloud Web Security Gateways: Cisco WSA (Web Security Appliance), 3rd Party Proxy (Blue Coat, McAfee, zScaler), Cisco CWS (Cloud Web Security)
    • CTA output: Confirmed Threats, Detected Threats, Threat Alerts, delivered to Incident Response and to SIEMs (Splunk, ArcSight, Q1 Radar, ...) via the STIX / TAXII API
  • 129. Configuration Notes
    • CTA Analytics are run in the cloud
    • Proxy logs are ingested on a regular basis by setting up a scheduled proxy log upload over HTTPS or SCP (the only thing required on the customer side)
    • Latest code recommended
  • 130. Enabling CTA on WSA (screenshot slide)
  • 131. Enabling CTA on WSA (screenshot slide)
  • 132. Adding and Managing WSA Device List in CTA UI (screenshot slide)
  • 133. Enabling Anonymization (optional) (screenshot slide showing the two alternatives)
  • 134. De-Anonymization of Logs (screenshot slide)
  • 135. Peek a booooo….
    • Check the hidden slides about here for pre-11.5 CTA config…
  • 136. Adding and Managing WSA Device List in CTA UI
    • Maximum file size is 1GB; smaller uploads are recommended in case of failure
    • Recommended upload frequency: 10-60 minutes
    • Log upload happens from the WSA M1 interface, so it may be necessary to allow traffic from the management interface to the internet (or to the cloud service).
    • Log upload activity is visible in the WSA system log & CTA Console
    • Warning: When committing the configuration change, the WSA proxy process restarts, so users connected via the proxy may be temporarily disconnected. If WSAs are not operating in high-availability (HA) mode, we recommend you configure the WSA during an off-hour maintenance window to avoid impacting users during production hours.
  • 137. Confirm Device Log Upload (screenshot slide)
  • 138. CTA Reporting (screenshot slide)
  • 139. CTA Reporting (screenshot slide)
  • 140. Supporting Documentation
    • AMP Best Practices Guide for Content Security: https://supportforums.cisco.com/document/13229856/enabling-amp-content-security-products-best-practices
    • Threat Grid Appliance Install Guides: http://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/products-installation-guides-list.html
    • Connecting Cisco ESA/WSA Appliances to Threat Grid Appliances: http://www.cisco.com/c/dam/en/us/td/docs/security/amp_threatgrid/connecting-with-a-threat-grid-appliance-2-1-4.pdf
    • Cisco Web Security Appliance (WSA) End User Guides: http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html
    • Cognitive Threat Analytics: https://www.cisco.com/c/en/us/products/security/cognitive-threat-analytics/index.html
  • 141. Complete your online session evaluation
    • Give us your feedback to be entered into a Daily Survey Drawing. Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
    • Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
  • 142. Continue your education: Demos in the Cisco campus, Walk-in self-paced labs, Meet the engineer 1:1 meetings, Related sessions
  • 145. Cybersecurity: Cisco education offerings
    • Understanding Cisco Cybersecurity Fundamentals (SECFND): The SECFND course provides understanding of cybersecurity’s basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills. Certification: CCNA® Cyber Ops
    • Implementing Cisco Cybersecurity Operations (SECOPS): This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level. Certification: CCNA® Cyber Ops
    • Cisco Security Product Training Courses: Official deep-dive, hands-on product training on Cisco’s latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and much more.
    • For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com. Questions? Visit the Learning@Cisco Booth
  • 146. Cybersecurity: Cisco education offerings (continued)
    • CCIE Security 5.0. Certification: CCIE® Security
    • CCNP® Security track:
      • Implementing Cisco Edge Network Security Solutions (SENSS): Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
      • Implementing Cisco Threat Control Solutions (SITCS) v1.5: Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security
      • Implementing Cisco Secure Access Solutions (SISAS): Deploy Cisco’s Identity Services Engine and 802.1X secure network access
      • Implementing Cisco Secure Mobility Solutions (SIMOS): Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions
    • Implementing Cisco Network Security (IINS 3.0): Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features. Certification: CCNA® Security
    • For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com. Questions? Visit the Learning@Cisco Booth