Policing The Borderless Network: Integrating Web Security

Transcription

1 Policing The Borderless Network: Integrating Web Security Hrvoje Dogan Consulting Systems Engineer, Security March 16, Cisco and/or its affiliates. All rights reserved. Cisco Public 1

2 About Cisco Web Security Products How To Integrate the Web Security Appliance How To Integrate ScanSafe 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

3 Web Security Appliance (WSA) THREAT DEFENSE Block Malware Prevent Data Loss ACCEPTABLE USE ENFORCEMENT Application Control visibility URL Filtering Centralized Management and Reporting Coffee Shop Home Office Mobile User AnyConnect Secure Mobility 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 Gartner Magic Quadrant for Secure Web Gateway, 2011 The Magic Quadrant is copyrighted 2011 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Explicit Mode Client directs traffic to proxy server Requires no network infrastructure to redirect client request Proxy resolves hostname of target web server Authentication is straight-forward Client config must change (several options available) Transparent Mode Client directs traffic to target web server Network infrastructure (such as WCCP) redirects client request to proxy server Client resolves hostname of target web-server Authentication is problematic 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Three methods to configure a client: Automatically Detect Settings WPAD Protocol Use automatic configuration script Proxy Auto-Configuration (PAC) Files Enter the Address of a Proxy Server Use Microsoft Group Policy Objects for central control of these settings Microsoft Internet Explorer 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Deployment of Explicit Forward Proxy uniformly on many clients Avoid Configuration at the Desktop Failover and/or Load Balancing Performance Solution: Proxy Auto-configuration (PAC) files The S-Series can host the PAC files Internet Explorer 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 DHCP Higher priority than DNS If DHCP provides the WPAD URL, no DNS lookup is performed Passed as option number 252 in the DHCP lease DNS search Example, the FQDN of the client is pc.department.branch.com the browser will try the following URLs in order: Microsoft Group Policy Objects Central control of Internet Explorer settings 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Example 1: Single Proxy function FindProxyForURL(url,host){ return "PROXY alpha.wsa.train:3128 ; } Example 2: Failover Example function FindProxyForURL(url,host){ return "PROXY alpha.wsa.train:3128; PROXY bravo.wsa.train:3128; DIRECT"; } 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Web Cache Control Protocol (WCCP) Available on many switches, routers and firewalls Will be the redirection mechanism used in this course Policy Based Routing (PBR) Resource intensive for the router (performed in software) Not available on Cisco ASA firewalls Layer 4 Switch Redirects traffic based on port numbers and IP addresses Can do simple load balancing and failover Layer 7 Switch Like Layer 4 switch, but can also redirect traffic based on URL Can do sophisticated load balancing and failover 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Introduced by Cisco in 1997 WCCP Version 2 integrated into Cisco IOS 12.0(3)T Transparently redirects UDP/TCP packets Supports flows being returned to original traffic path (bypass) Supports up to 32 routers and 32 caches per service Enforces connection stickiness by source or destination address Optional MD5 authentication to secure engine registration Egress and ingress interface intercept 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 1. Connection initiated from web-browser or other service Internet 2. Router intercepts flow and redirects it to new location (L2: the router rewrites the destination ethernet address with the S-Series address. GRE: the original packet is encapsulated unchanged within a GRE frame.) Router running WCCP Web server 3. Device that flow is redirected to can choose what to do with flow: A. send somewhere else B. masquerade as real server 4. Cache Engine will serve flow (in case of hit), will initiate second flow if a miss 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 HIA: Here-I-Am ISY: I-See-You RA: Redirect Assignment 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Identify traffic Ingress redirection (preferred) Egress redirection Routers and S-Series send heartbeats every 30 seconds HIA (Here I am) ISY (I see you) S-Series failure results in redistribution of load in 30 sec WCCP load balances based on a source or destination IP address If no remaining S-Series, service group is taken offline and packets are not redirected ( Fail Open ) 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Web Server IP: WCCP is used to redirect traffic leaving the client Internet S: D: S: D: S-Series IP: S & D IP depend on the redirect method: L2: changes ethernet address only GRE: original packet encapsulated, GRE packet has S & D of router S: D: Client IP: Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Web Server IP: WCCP is not involved in the downstream traffic Internet S: D: S: D: S-Series IP: S: D: S: D: Client IP: Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 GRE: Redirected packet is returned to the router, unchanged, in a GRE tunnel. This tells the Router Send this packet out, I m not dealing with it! S: S: D: D: <WCCP Router IP> Internet Web Server IP: S: D: S-Series IP: S & D IP depend on L2 or GRE redirect method S: D: L2: Packet sent on, unchanged, to next hop Client IP: Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Web Server IP: Return traffic bypasses the S-Series Internet S: D: S-Series IP: S: D: Client IP: Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 S-Series spoofs the client IP address Sometimes used by Enterprise customers if upstream devices need the client IP (for example, to do accounting) Used by ISPs who need to show customer IP on HTTP requests Requires more complex WCCP configuration Difficult to troubleshoot 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Web Server IP: WCCP is used to redirect traffic leaving the client Internet Router must distinguish S-Series and client traffic S: D: S: D: S-Series IP: S & D IP depend on the L2 or GRE redirect method S: D: Client IP: Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Web Server IP: A separate WCCP service group must redirect downstream traffic to the S-Series (based on source port) Internet S & D IP depend on the redirect method S: D: S-Series IP: S: D: S: D: Client IP: Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Select Network Transparent Redirection Add Service 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 ip wccp 91 int g0/0 ip wccp 91 redirect in 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 Secure Mobility Client Appliance Integration Integrated Login Script Software Connector 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Workplace Portability Insecure Wi-Fi Mobile Device Proliferation Employee Demand Consistent User Experience Public Wi-Fi Security Issues Data Snooping & Theft Device Choice Explosion Security & Policy must be maintained 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Web Security installs a Network Driver which binds to all connections (LAN, Wireless, 3G) Websecurity Service Automatic Peering Identifies nearest ScanSafe Datacenter and whether a connection is possible AD information can be remembered from when the user was last on the corporate network using the Gpresult API (group policy) Hotspot 3 rd Party Firewall 3 rd Party Proxy Anywhere Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 Authenticates and directs the user s external web traffic to ScanSafe s scanning infrastructure Numerous datacenters are located all over the world ensuring that users are never too far from ScanSafe s scanning services All web traffic is SSL encrypted for improved security over public networks Works with Full or Split Tunnel VPN clients (AnyConnect, or others) 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 29 29

30 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 Full support for Windows (XP, Vista, 7) and Mac OS X (10.5, 10.6, 10.7) - 32 and 64 bit versions Support for all WWAN (3G modem) network interfaces Control of direct access to native IPv6 websites (e.g. IPv6.Google.com) Lockdown to prevent local Admin users from altering the service in any way Hosted configuration to allow the organization to make changes to their AnyConnect profile and push it to all their roaming clients 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Secure Mobility Client Appliance Integration Integrated Login Script Software Connector 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Integrate cloud security services at many points in the network Utilize existing Cisco appliances to advance security posture Simple deployment Simple management Allow new methods of securing infrastructure 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Enterprise branches using split tunneling, also interfacing directly to Internet Cisco ISR G2 with ScanSafe VPN Cisco IOS Firewall Secure Split Tunneling Head Office Local LAN POS Wired Security Zone Cisco IOS IPS Guest Users Wireless Security Zone Flexible and simplified deployment options capitalize on network footprint, local, premise, and split services enforcement Internet 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 The Connector is available in IOS (universal) images with security feature set (K9) licenses Supported on the 880, 890, 19xx, 29xx & 39xx/E ISR G2 platforms Supports re-direction of HTTP/HTTPS traffic No need to install Connector on dedicated hardware, or make any browser changes/install AnyConnect on end users machines 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Supports Single Sign-on based identity with LDAP and AD sync All ScanSafe admin, web filtering, and reporting performed in ScanCenter Web Portal as with other deployment methods ISR Connector is able to work independently with or without IOS Security services such as IOS FW, IPS, VPN CSM (Cisco Security Manager) and CCP (Cisco Configuration Professional) will be supported in the future 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 1. Enable the Content Scan feature in IOS CLI 2. Configure primary IP address for ScanSafe infrastructure on any router interface 3. Configure secondary (Backup) ScanSafe infrastructure on any router interface 4. Configure the DNS/Proxy address to access the ScanSafe infrastructure 5. Configure ScanSafe license key via IOS CLI Notes: The license key is not bound to the serial number of a router, so it can be used on multiple routers within an organization The license key is included in all HTTP/HTTPS requests, in order to verify ScanSafe entitlement (not by the ISR s public IP addresses) 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 ISR integration is also useful for retail & commercial enterprises who provide WiFi access to customers, guests and casual users, preventing inappropriate content and risk of malware Guest Access Retailers Hotels Airports Cafés Restaurants 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 ScanSafe Users Supported per ISR G2 Platform 3945E 3925E No Auth Phase II Phase I Web Proxy HTTP Basic NTLM Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Global config: parameter-map type content-scan global server scansafe primary name proxyxxx.scansafe.net port http 8080 https 8080 server scansafe secondary name proxyxxx.scansafe.net port http 8080 https 8080 license 0 abcdef source interface GigabitEthernet0/0 timeout server 30 server scansafe on-failure block-all Interface config int g0/0 content-scan out 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Whitelisting: parameter-map type regex foo pattern exit content-scan whitelisting whitelist header host regex foo 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 LDAP integration: aaa new-model aaa group server ldap scansafe server ss ldap server ss ipv transport port 3268 bind authenticate root-dn CN=ldap,CN=Users,DC=isrvlab,DC=com password cisco123 base-dn CN=Users,DC=isrvlab,DC=com authentication bind-first search-filter user-object-type top 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 aaa authentication login ss-aaa group scansafe aaa authorization network ss-aaa group scansafe aaa accounting network ss-aaa none ip admission virtual-ip virtual-host proxy ip admission name ssauth http-basic inactivity-time 2 ip admission name ssauth order http-basic ip admission name ssauth method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa ip http server int g0/1 ip admission ssauth 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 ip admission name ssntlm ntlm passive inactivity-time 60 ip admission name ssntlm order ntlm ip admission name ssntlm method-list authentication ss-aaa authorization ss-aaa accounting ss-aaa aaa authentication login default group scansafe aaa authentication login noaaa none aaa authorization network default group scansafe ip http server int g0/1 ip admission ssntlm 2010 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Thank you.