Web Security Deployment. Ryan Wager Technical Marketing Engineer

Transcription

1 Web Security Deployment Ryan Wager Technical Marketing Engineer

2 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Critical Functionalities Places in the Network Authentication The Road to Hybrid Security Secure Mobility

3 1996

4 Today s Websites...

5 Appliance or Cloud?

6 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Critical Functionalities Places in the Network Authentication The Road to Hybrid Security

7 Rich security functionalities Reputation filtering Malware scanning URL Filtering Application visibility & control HTTPS inspection Authentication Reporting and tracking L4TM...more to come! Cisco Web Security Appliance Web Proxy incl. Caching (http,https, ftp, ftp over http)

8 Web Application Control Many Applications work on top of HTTP traffic Applications are detected and controlled by special Signatures Those Signatures are downloaded dynamically via regular Signature Updates from Cisco No reboot or manual installation required!

9 About Reputation Cisco SIO gathers statistical informations from Cisco Products and other resources Cisco SIO correlates informations Updated informations are delivered back to appliances Each IP / URL gets a score, ranging from -10 to +10 Outbreak Intelligence External feeds Web ASA IPS

10 About Reputation Malicious websites are tracked globally through SIO WSA evaluates each webrequest against the defined reputation score Reputation score and action is configured on WSA

11 Network Participation Admin can define the level of participation Requested URL with result is sent back User information and internal networks are not sent Disabled: No information is sent to Cisco SIO Database Limited: Server URL of request, hash of path segments Standard: Server URL and all path segments are sent back

12 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Critical Functionalities Places in the Network Authentication The Road to Hybrid Security

13 Explicit Proxy Client requests a website Browser connects first to WSA WSA connects to website Firewall usually only allows webtraffic for proxy Web Security Appliance ASA 5500 Firewall Internet Internet Web server

14 How does the Browser find the Proxy? Proxy setting in the browser Static definition with IP/NAME and PORT

15 How does the Browser find the Proxy? Automatic Configuration via PAC File function FindProxyForURL(url, host) { return "PROXY :3128"; } function FindProxyForURL(url, host) { return "PROXY :3128; :3128"; }

16 PAC Deployment Via AD and GPO Via script Via manual setting Via DHCP DHCP Option 252 Via Wpad Server

17 WPAD Server WPAD Server hosts PAC file as wpad.dat File is retrieved via HTTP and Javascript Automatic Settings creates a lookup on a server called wpad

18 Transparent Proxy via WCCP Client requests a website Browser tries to connect to Website Network Device redirects traffic to WSA using WCCP WSA proxies the request Web Security Appliance ASA 5500 Firewall Internet Internet Web server

19 Background on WCCP WCCPv1 developed in 1997 by Cisco Systems and publicly released in July 2000 WCCPv2 published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing Enhancements Configurable WCCP Router ID WCCP Variable Timers Improved Failover Improved Interaction between WCCP and NetFlow WCCPv3 is an internal specification targeted at IPv6 that was never released

20 Details Assignment The WCCP assignment method is used to determine which WCCP traffic and which WCCP device is chosen for the destination traffic. WCCP can use two types of Assignment Methods: Hash and Mask. Hash Based Assignment Uses a software based hash algorithm to determine which WCCP appliance receives traffic. In hardware based platforms the Netflow table is used to apply hardware assistance. Mask Based Assignment Uses the ACL TCAM to assign WCCP entities. This method is fully handled by hardware.

21 Details Redirect and Return Redirect Method WCCP GRE - Entire packet WCCP GRE tunneled to the WCCP Client (WSA, Cache, ) Layer 2 - Frame MAC address rewritten to MAC of WCCP Client Return Method The Return method determines how the traffic will be sent back from the router to the WCCP appliance if the traffic could not be serviced. Refered to as Proxy Bypass WCCP GRE Packet WCCP GRE returned router WCCP Layer 2 Frame rewritten to router MAC

22 Details Assignment The following best practices should be followed for implementing WCCP on a software-based platform: GRE Forwarding (Default) Hash Assignment (Default) Inbound or Outbound Interception "ipwccp redirect exclude in" on WCCP client interface (outbound interception only) The following best practices should be followed for implementing WCCP on a hardware-based platform: L2 Forwarding Mask Assignment Inbound Interception No "ipwccp redirect exclude in"

23 WCCP input redirect WCCP Input redirect Ingress Interface Egress Interface

24 WCCP output redirect and input exclude WCCP Output redirect Ingress Interface Egress Interface WCCP Exclude-in

25 How WCCP registration works 1. Registration WCCP Server 2. Here I am 3. I see you WCCP Client The WCCP client registers at the WCCP Server Both, Server and Client need to use the same WCCP Service Group ID One WCCP Server usually can server multiple Clients Server and Client exchange here i am and I see you Packets to check availability UDP/2048, unicast Multicast possible Traffic is redirected from Server to one or multiple Clients using the hash or mask algorithm

26 WCCP Protocol Failover When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally Buckets Buckets 1 85 Buckets X A B C Buckets Buckets

27 Using WCCP for Traffic Redirection WCCPv2 support is availible on many Cisco Platforms: L3 Switches, Routers, ASA 5500 Security Appliance Cisco Ironport WSA supports all redirect and assign methods (software implementation) Method to use will be negotiated

28 WCCP Platform Recommendations Function Support / Recommend Software ISR & 7200 ASR 1000 Cat 6500 Sup720 Sup32 Cat 6500 Sup2 Cat 4500 Cat 3750 For Your Reference ASA 5500 Assignment Hash Only Mask Only Mask or Hash / Mask Mask or Hash / Mask Mask only Mask only Hash only Forwarding GRE Only L2 or GRE / L2 or GRE L2 or GRE / L2 or GRE L2 or GRE / L2 L2 only L2 only GRE Only Forwarding Redirect List Full extended ACL Full extended ACL Full extended ACL Full extended ACL No Redirect List Support Extended ACL (no deny) Full extended ACL Direction In or Out / In Return IP Forward, L2 or GRE In only In or Out / In In or Out / In IP Forward, L2, WCCP GRE, or generic GRE GRE, ngre, L2, & IP Forward / No GRE IP Forward or L2 / IP Forward In only In only In only IP Forward or L2 / IP Forward IP Forward or L2 / IP Forward GRE

29 Transparent Redirection and HTTPS Symptoms: Successfully configured WCCP on the L3 Device Successfully connect to HTTP sites Cannot connect to HTTPS Sites Switching to explicit Proxy works fine for HTTP and HTTPS Solution: Activate HTTPS Proxy Not necessary to decrypt the requests

30 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Critical Functionalities Places in the Network Authentication The Road to Hybrid Security

31 Policy - Authentication Policy objects can be managed from central access policy screen First step is to define the Identity: For whom does this policy apply?

32 Authentication Protocols Directory: LDAP or AD Method: Basic: Credentials are sent unencrypted NTLMSSP: Challenge-Response Tracking the User IP based Surrogates Cookie based Surrogates Authentication User Web Security Appliance User Directory

33 NTLM Authentication NTLM requires Account in the AD Domain Credentials to create a computer account are used only once, not stored on appliance Currently only one domain is supported via NTLM

34 LDAP Authentication LDAP queries on port 389 or 636 (Secure LDAP), 3268 (AD GC Server) Need to know the Base DN Name Parameter Can connect to multiple different domains

35 Authentication against LDAP Knowing the LDAP Base DN is fundamental Or check with DSQUERY command on a MS AD

36 Authentication in Explicit Deployment User Web Security Appliance User Directory http error 407 Proxy sends http response 407 (proxy auth. request) Client recognizes the proxy Client will then accept a http response 407 from the proxy Works for HTTPS Client sends a CONNECT request to the proxy Client will then accept a 407 response from the proxy

37 Authentication in Transparent Deployment User Internet Web server Internet User Directory Web Security Appliance Client is not aware of a proxy -> http response 407 cannot be used Need to use http response 401 basic authentication Client needs to be first redirected to the wsa

38 DEMO WSA with transparent redirection

39 IE8/IE9 with Single-Sign On SSO on WSA correctly configured but Clients still getting prompted Check if WSA Redirect Name is listed in Trusted Sites Check Security Settings on Trusted Sites and set to Automatic Logon with current user name and password

40 Transparent User Identification (TUI) Web Security Release Client logs on to the AD Domain 2. Client request a Web Site 3. Traffic is transparently redirected to the WSA 4. WSA needs to authenticate and queries the AD Agent for the User/Group 5. AD Agent looks up the IP and delivers User/Group 6. Request is proxied and forwarded to the Internet 4 AD Controller w/ Agent WSA 3 6 Internet AD User Switch w/ WCCP

41 DEMO WSA with Transparent User Identification

42 Cisco Ironport WSA & IPv6 Support Current version of WSA does not yet support IPv6 Support is planned for Q4CY2012 IPv6 Support for explicit mode Transparent is depending on implementation on ISR, ASA and Switches, done in a later release WSA will listen for connections both on IPv4 and IPv6 Admin can configure, if IPv4 or IPv6 should be prefered Depending on Configuration, A-record or AAAA-record will be delivered IPv6 Internet Internal IPv6 IPv4

43 Sizing for WSA Main Parameter for sizing is requests per second Rule of thumb: Each request/s is approx Kbps of HTTP traffic Each Mbps of HTTP translates to approx. 10 requests/s 100 Mbps of sustained HTTP traffic is approx requests/s Easy way to find out on a WSA: use the rate CLI command This parameter allows a quite correct sizing depending on features together with the Cisco SE

44 Sizing Table Example S370 Appliance

45 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Overview and Critical Functionalities Places in the Network Authentication The Road to Hybrid Security

46 Websecurity through Cloudservice Hosted Websecurity through Cisco Scansafe Cloud Service Central reporting and administration through Scancenter Portal

47 Data Flow with ScanSafe Client requests are redirected to a proxy in the cloud Requests are checked and filtered Internet Clean requests are directed back to the client Web requests Allowed traffic Filtered traffic User

48 Scalability & Reliability Billions of web requests per day <50 ms latency High-Availability Infrastructure Parallel Processing See BRKSEC-2346: Inside the Scansafe Architecture

49 Outbreak Intelligence <web> <html> <js> <swf> <pdf> <jpg> JAVA Scanlet Archive Scanlet Script Scanlet PDF Scanlet SWF Scanlet Win EXE Scanlet Multiple AV File Anomaly Scanlet Phishing Scanlet Context Scanlet MF Scanlet META Scanner Parallel Processing in the Scantower provides maximum performance Scanlets provide scanning for malware through code anomaly analysis

50 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Overview and Critical Functionalities Places in the Network Authentication The Road to Hybrid Security

51 Challenge:Branch Office with local Breakout Corporate Network Internet VPN Webtraffic destined for the central DC is sent via VPN Tunnel Normal Webtraffic goes directly to the Internet bandwidth saving in the central site But how to secure the webtraffic?

52 ISR G2 with integrated Connector Connector is integrated in the Cisco ISR G2 Router Platforms No need to install Connector seperatly in branch networks Redirect of the webtraffic is happening transparently for the user on the router Provides Scantower redundancy Provides User granularity Authenticate User via NTLM (transparent authentication) or Basic (Prompt for Credentials) NTLM works without prompting for IE, Firefox and Google Chrome Internet AD Server BRKSEC-3007: Advanced Cisco IOS Security Features 61

53 ISR G2 with Integrated Connector Simple Config parameter-map type content-scan global server scansafe primary name proxy100.scansafe.net port http 8080 https 8080 license source interface FastEthernet8 timeout server 60 timeout session-inactivity 120 user-group munlab username tmayer server scansafe on-failure block-all interface FastEthernet8 description $WAN-Interface$ ip address dhcp client-id FastEthernet8 ip nat outside content-scan out 62

54 Sizing and Scalability for ISR with Connector Phase 1: Feb 2012 Phase 2: May 2012 ScanSafe Users Supported per ISR G2 Platform For Your Reference 3945E 3925E Phase II Phase I No Auth Web Proxy HTTP Basic NTLM

55 ASA ScanSafe Integration Internet Scansafe Tower Google Server Headquarters and Branch office web traffic scanned by Scansafe Both Headquarters and Branch office web traffic whitelisted AAA AAA ASA ASA Employees Employees Headquarters Branch Office

56 Browser Redirection via GPO / PAC file Proxy Settings are pushed to browsers via Active Directory GPO Browsers connect through Firewall on port 8080 to Web Security Service Firewall blocks all other GET requests Provides Site/External IP granularity AD Server GPO Update Internet

57 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Overview and Critical Functionalities Places in the Network Authentication The Road to Hybrid Security

58 Easy ID Clientless User authentication via webbrowser User authenticates via Webportal Policies are applied from Scancenter Portal verifying User Name and Group through AD Connection AD Connection is done via LDAPS query from Scancenter to the LDAP Directory at customer site Scancenter is sending a cookie that is used for subsequent authentication

59 Standalone Connector Proxy Settings are pushed to browsers via AD,GPO or PAC file to ScanSafe on port 8080/443 to the Cloud based Tower Connector receives Client info and queries Active Directory Server for Group Information, then proxies to ScanSafe upstream Set Firewall to block all other GET requests Provides IP/End User/Group granularity Scalable up to Users per Connector, depending on which HW it is installed Connector AD Server Internet

60 Roaming Users Installs a Network Driver which binds to all connections (LAN, Wireless, 3G) Automatic Peering Identifies nearest ScanSafe Datacenter and whether a connection is possible. AD information can be remembered from when the user was last on the corporate network using the Gpresult API (group policy) Proxy Firewall Hotspot Client with Websecurity

61 Web Security & AnyConnect Supported on Windows & MAC OS X Client settings are controlled via Profile Profile can be centrally distributed via the Scancenter Portal 71

62 Web Security & AnyConnect Single and modular client VPN (SSL, IKEv2, Always-On,...) 802.1x (Wired, Wireless, MACSEC...) Websecurity Posture for VPN Telemetry (SIO) All modules can be used independently or all together If VPN Module is used, profile management can be done centrally through ASA 72

63 How Does it Work? Authenticates and directs your external client Web traffic to our scanning infrastructure Automatically connect to nearest Scantower SSL encryption of all Web traffic sent improves security over public networks (example: Firesheep Plugin for FF) 73

64 Web Security & AnyConnect Configuration for Web Security with VPN Configured through a profile, downloaded from ASA at connect VPN is lower in the stack than the Websecurity Module Split tunnel Scansafe gateways in the VPN Config (on the ASA) Exclude Corporate adresses from beeing forwarded to the scansafe towers Internet Client with Websecurity Corporate traffic 74

65 Web Security & AnyConnect Configuration Client Profile For Your Reference Scanning Tower selection Proxy ports

66 Web Security & AnyConnect Configuration Client Profile Exceptions for internal networks & public websites to be excluded from scanning Exceptions for authorized internal proxies Static Exceptions like VPN Gateways

67 Web Security & AnyConnect Configuration Client Profile For Your Reference Automatic selection of nearest Scantower Activate Beacon Checking, Deploy public key

68 Web Security & AnyConnect Configuration Client Profile For Your Reference License Key Authentication Settings

69 Web Security & AnyConnect Configuration for Web Security without VPN Scancenter Portal provides hosting of PAC file and / or Client Profile Differentiate Usergroups due to usage of group keys Upload Client Profile Specify Client Profile Key for Authentication

70 Beacon Server for the AnyConnect Web Security Module Beacon Server runs on an internal Server Client gets public key from Beacon Server during deployment If the client has reachability to the Beacon Server, client module is deactivated TND in ASA 9.0

71 DEMO AnyConnect with Web Security

72 Scansafe & IPv6 Support Current version of Web Security does not yet support IPv6 IPv6 traffic scanning can be excluded by adding ::/0 to Static Exceptions Full IPv6 Support will be added mid CY 2012 in two phases: IPv6 Internal IPv6 IPv4 Internet AC 3.1 or Standalone / integrated Connector Internet AC 3.1 or Standalone / integrated Connector

73 Agenda Overview Web Security Web Security with Cisco Ironport Web Security Critical Functionalities Places in the Network Authentication Web Security with Cisco Scansafe Critical Functionalities Places in the Network Authentication The Road to Hybrid Security

74 Secure Mobility Future Hybrid Security Internet traffic secure through web security cloud service Corporate traffic secure through tunnel and WSA Consistent Policy and Monitoring Cisco ASA Internet Corporate Network Cisco WSA Remote User w/ AnyConnect Client 3.0

75 Hybrid Security what has been done and what lies ahead Unification of URL Databases AVC integration Connector Integration in ISR G2 Router Unification of features Q1/Q2 CY2012 Application visibility and control Web Reputation Connector Integration in ASA Q3 CY2012 Connector Integration in WSA Provide common management Provide common logging and reporting

76 Summary Cisco Web Security Solution leverages a comprehensive architected featurelist to protect the dynamic environment from the ubiquitios web 2.0 world... Or... Cisco Web Security Solution simply ROCK!

77 Q&A #CiscoPlusCA

78 We value your feedback. Please be sure to complete the Evaluation Form for this session. Access today s presentations at cisco.com/ca/plus and join the #CiscoPlusCA conversation

79 Thank you.