Advanced Web Security Deployment with WSA in IPv4 & IPv6 Networks
2 Advanced Web Security Deployment with WSA in IPv4 & IPv6 Networks Tobias Mayer, Consulting Systems Engineer
3 Abstract This session is about advanced deployment and troubleshooting scenarios of the WSA for web security. We first take a fresh look at some of the deployment methods, focusing on IPv4 and IPv6 deployment in transparent and explicit mode. The second part covers Transparent User Identification (TUI), which leverages the Context Directory Agent (CDA). The third section covers methods to troubleshoot performance issues and to find the root cause of performance problems using analysis based on the SPLUNK solution. This session is targeted at network administrators and security administrators dealing with the WSA who want to learn more about the underlying technology and deployment methods in IPv4 and IPv6 environments. Related sessions: BRKSEC-2695 Embrace Cloud Web Security with your Cisco Network and BRKSEC-2699 Deploying ASA Next Generation Firewall
4 For Your Reference There are (many...) slides in your print-outs that will not be presented. They are there for your reference.
5 Angel Aloisius Some slides have this friendly guy in the right corner. Those slides are meant as non-standard advice or tips & tricks.
6 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis
7 Web Security Appliance
8 Another Example for Teredo usage: native IPv6 if available; a TEREDO server is used for P2P communication (multiplayer mode). UDP/3074 is the preferred port, which is different from the Teredo port used on Windows clients (udp/3544).
9 Explicit Proxy: the client requests a website; the browser connects first to the WSA, and the WSA connects to the website. The firewall usually only allows web traffic from the proxy. DNS resolution is done by the WSA. (Diagram: client, Web Security Appliance, ASA 5500 firewall, Internet, web server.)
10 Explicit Proxy with IPv4 & IPv6: the client requests a website; the browser connects first to the WSA using IPv4 or IPv6. The WSA does the DNS lookup and gets an A record and/or an AAAA record returned. Depending on the WSA setting, the WSA builds the outgoing connection either over IPv4 or over IPv6. (Diagram: client, Web Security Appliance, ASA 5500 firewall, Internet, web server, IPv4 and IPv6 paths.)
11 Explicit Mode with IPv4 & IPv6: setting IPv6 addresses on the interfaces
12 Explicit Mode with IPv4 & IPv6: setting IPv6 routes
13 Explicit Mode with IPv4 & IPv6: setting the DNS server. Which protocol should be preferred in case both an A and an AAAA record are returned?
14 Management Functions
   Feature               Support for IPv6   Support over IPv6
   WebUI (HTTP, HTTPS)   Yes                Yes
   CLI (SSH)             Yes                Yes
   FTP                   No                 No
   Logging, Log Push     Yes                No
   SNMP                  Yes                No
   Upgrades / Updates    N/A                No
   Reporting, Tracking   Yes                N/A
15 Support functions
   Feature               Support for IPv6   Support over IPv6
   Support Tunnel        N/A                No
   Packet Capture        Yes                N/A
   Policy Trace          Yes                N/A
   WBNP, Telemetry       Yes                No
16 Packet Capture with IPv6: the packet capture shows additional interfaces for IPv4 & IPv6, and the filter can be applied to IPv6 addresses.
18 CLI: the neighbor cache in IPv6 is the equivalent of the ARP cache in IPv4. (Screenshots: display the ARP cache; display the neighbor table.)
19 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis
20 Transparent Proxy via WCCP: the client requests a website; the browser tries to connect to the website directly. A network device redirects the traffic to the WSA using WCCP, and the WSA proxies the request. DNS resolution is done by the client. (Diagram: client, ASA 5500 firewall, Web Security Appliance, Internet, web server, IPv4 and IPv6 paths.)
21 Details: Assignment. The WCCP assignment method determines which WCCP client receives a given flow. WCCP can use two assignment methods: hash and mask. Hash based assignment uses a software based hash algorithm to determine which WCCP appliance receives the traffic; on hardware based platforms the Netflow table is used for hardware assistance. Mask based assignment uses the ACL TCAM to assign flows to the WCCP entities; this method is handled fully in hardware.
22 Gory Details for HASH and MASK
   Hash: combines the packet's src/dest IP addresses and src/dest ports into an 8-bit value. Complex function: the first packet must be sent to software, and a Netflow entry is then created for the rewrite of subsequent packets.
   Mask: selects up to 7 bits from the src/dest IP addresses and src/dest ports. With this mode the ACL TCAM can be programmed immediately, and already the first packet is hardware switched.
   The hash table and the mask/value sets are supplied by the WCCP client to the router.
   HASHING: XOR (IP_DA, IP_SA, port_da, port_sa) -> hash index -> WSA1 | WSA2 | WSA3 | WSA4
   MASKING (two bits of IP_DA, L4_proto TCP, port_da 80):
     IP_DA    IP_SA   L4_proto   port_da   port_sa   ->
     xxxx00   xxxx    TCP        80        xxxx      WSA1
     xxxx01   xxxx    TCP        80        xxxx      WSA2
     xxxx10   xxxx    TCP        80        xxxx      WSA3
     xxxx11   xxxx    TCP        80        xxxx      WSA4
23 Details: Redirect and Return. Redirect method: WCCP GRE: the entire packet is GRE tunneled to the WCCP client (WSA, cache, ...). Layer 2: the destination MAC address of the frame is rewritten to the MAC of the WCCP client. Return method: determines how traffic is sent back from the WCCP client to the router if the client could not service it (referred to as proxy bypass). WCCP GRE: the packet is GRE returned to the router. WCCP Layer 2: the frame is rewritten with the router MAC.
24 WCCP input redirect (Diagram: redirection is applied to packets arriving on the ingress interface.)
25 WCCP output redirect and input exclude (Diagram: redirection is applied to packets leaving on the egress interface; "exclude in" on the WSA-facing interface keeps packets arriving from the WSA from being redirected again.)
26 How WCCP registration works (Diagram: 1. Registration, 2. Here I am, 3. I see you, between WCCP server and WCCP client.) The WCCP client registers with the WCCP server. Server and client must use the same WCCP service group ID. One WCCP server usually serves multiple clients. Server and client exchange Here-I-Am and I-See-You packets to check availability: UDP/2048, unicast (multicast is possible). Traffic is redirected from the server to one or multiple clients using the hash or mask algorithm.
27 WCCP Protocol: Buckets. Hash based assignment: byte level (8 bit) XOR computation divided into 256 buckets (default). Mask based assignment: bit level AND divided into up to 128 buckets (7 bits).
   asa# show wccp 90 hash
   WCCP hash information for:
     Primary Hash: Dst IP:
     Bucket: 110
     Cache Engine:
28 WCCP Protocol: Load balancing and Redundancy. When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group. If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally. (Diagram: the buckets of a failed WSA A are redistributed to B and C.)
29 Using WCCP for Traffic Redirection: WCCPv2 support is available on many Cisco platforms: L3 switches, routers, ASA 5500 security appliance. The WSA supports all redirect and assignment methods (software implementation); the method to use is negotiated. Multiple WSAs elect a Designated Web Cache (DWC), the lowest IP in the cluster, which negotiates the method. How to force a switch / router to use GRE? Set the WSA to Allow GRE.
30 Using WCCP for Traffic Redirection (2): Performance considerations. MASK (HW) > HASH (SW); hardware platforms have to take TCAM resources into consideration. L2 (HW) > GRE (SW); use GRE if the WSA is located in another subnet, and check whether the device can do GRE in hardware; use L2 if WSA and WCCP device are in the same subnet.
31 WCCP Protocol: Service Group. The routers/switches and WCCP clients participating in a WCCP service constitute a service group: up to 32 routers and up to 32 WCCP clients per service group. Each service group is established and maintained using separate protocol message exchanges. The service definition must be the same for all members of the service group.
32 Current (Cisco) Service Groups (IDs and ports that did not survive the transcription are left blank)
   ID     Product   Name                Protocol       Port
   0      ACNS      web-cache
          ACNS      DNS
          ACNS      ftp
          WAAS      tcp-promiscuous
          WAAS      tcp-promiscuous
          ACNS      https-cache
          ACNS      rtsp
    /82   ACNS      wmt                 6 (81), 17 (82)
          ACNS      rtspu
          WAFS      cifs-cache          6              139,
          ACNS      custom              6              User Defined
   98     ACNS      custom-web-cache    6              User Defined
   99     ACNS      reverse-proxy
33 WCCP with L3 Switch (3560/3750), L2 redirect (Diagram: clients and WSA on VLAN10, Internet.) Use the SDM template access, routing or dual-ipv4/ipv6 routing. WCCP shares the same TCAM region as PBR!
   sdm prefer routing
   ip routing
   ip wccp 91 redirect-list wsa
   ip access-list extended wsa
    permit tcp any any eq www
    permit tcp any any eq 443
   !
   interface Vlan10
    ip address
    ip wccp 91 redirect in
34 WCCP with L3 Switch (3560/3750), L2 redirect. Recommendations: assign a separate VLAN for the connection to the WSA! (Diagram: clients on VLAN10, WSA on VLAN40, Internet.) The redirect ACL only allows permit statements on the 3560/3750 series; 12.2(58) added support for deny. If the 3560/3750 is stacked, configure WCCP on the stack master!
35 WCCP IPv6 (Diagram: clients on VLAN10, WSA on VLAN40, Internet.)
   ipv6 wccp 91 redirect-list wsav6
   !
   interface Vlan10
    ip address
    ipv6 address 2001:db8:1:10::66/64
    ipv6 nd ra suppress
    ipv6 wccp 91 redirect in
   !
   ipv6 access-list wsav6
    permit tcp 2001:DB8:1:10::/64 any eq www
    permit tcp 2001:DB8:1:10::/64 any eq
36 WCCP IPv6 & IPv4 (Diagram: clients on VLAN10, WSA on VLAN40, Internet.) Different service groups are used for IPv4 and IPv6:
   ip wccp 90 redirect-list wsav4
   ipv6 wccp 91 redirect-list wsav6
   !
   interface Vlan10
    ip address
    ipv6 address 2001:db8:1:10::66/64
    ipv6 nd ra suppress
    ip wccp 90 redirect in
    ipv6 wccp 91 redirect in
   !
   ipv6 access-list wsav6
    permit tcp 2001:DB8:1:10::/64 any eq www
    permit tcp 2001:DB8:1:10::/64 any eq 443
   !
   ip access-list extended wsav4
    permit tcp any any eq 80
    permit tcp any any eq
37 WCCP IPv6 & IPv4, WSA side of things: in dual-stack environments, two WCCP service groups are required on the WSA.
38 WCCP IPv6 & IPv4, WSA side of things: (Screenshot: the IPv6 service group points at the IPv6 address of the switch / router.)
39 WCCP with L3 Switch, redirect verification. Check version & state, the redirect method, the assignment method, and the mask and value entries:
   munlab-3560x#show ip wccp 91 detail
   WCCP Client information:
           WCCP Client ID:
           Protocol Version:       2.0
           State:                  Usable
           Redirection:            L2
           Packet Return:          L2
           Packets Redirected:     0
           Connect Time:           01:02:16
           Assignment:             MASK
           Mask  SrcAddr    DstAddr    SrcPort  DstPort
           ----  -------    -------    -------  -------
           0000: 0x         0x         0x0000   0x0000
           Value SrcAddr    DstAddr    SrcPort  DstPort  CE-IP
           ----- -------    -------    -------  -------  -----
           0000: 0x         0x         0x0000   0x0000   0xAC100A64 (172.16.10.100)
           0001: 0x         0x         0x0000   0x0000   0xAC100A64 (172.16.10.100)
           0002: 0x         0x         0x0000   0x0000   0xAC100A64 (172.16.10.100)
40 WCCP with L3 Switch, IPv6 redirect verification. Check version & state, the redirect method, the assignment method, and the mask value:
   munlab-c6504#sh ipv6 wccp 90 det
   WCCP Client information:
           WCCP Client ID:         2001:420:44E6:2013::45
           Protocol Version:       2.01
           State:                  Usable
           Redirection:            L2
           Packet Return:          L2
           Assignment:             MASK
           Connect Time:           00:13:25
           Redirected Packets:
             Process:              0
             CEF:                  0
           GRE Bypassed Packets:
             Process:              0
             CEF:                  0
           Mask Allotment:         4 of 4 (100.00%)
           Assigned masks/values:  1/4
           Mask  SrcAddr  DstAddr  SrcPort  DstPort
           ----  -------  -------  -------  -------
                 ::       300::    0x0000   0x0000
41 WCCP with L3 Switch (CAT6500), L2 or GRE redirect. A CAT6500 with Sup2T/720/32 and PFC3 redirects both L2 and GRE in hardware. Adjust the MTU for GRE. Be careful with the bypass list! Redirect-in and redirect-out are supported. Permit and deny ACEs are allowed. Avoid flags, options & time ranges in the redirect ACL. Very scalable and flexible. (Diagram: redundant pair r1/r2 with WAN uplinks.)
42 WCCP with L3 Switch (CAT6500), L2 or GRE redirect: which combinations are handled in hardware
   Ingress, L2 redirection + hash assignment: requires software processing
   Ingress, L2 redirection + mask assignment: full hardware processing (recommended)
   Egress, L2 redirection + hash assignment: requires software processing
   Egress, L2 redirection + mask assignment: requires software processing
   (With hash assignment the first packet is process switched and creates a Netflow entry; subsequent packets are hardware switched.)
   Ingress, L3 (GRE) redirection + hash assignment: requires software processing
   Ingress, L3 (GRE) redirection + mask assignment: full hardware processing (Sup32/Sup720/2T only)
   Egress, L3 (GRE) redirection + hash assignment: requires software processing
   Egress, L3 (GRE) redirection + mask assignment: requires software processing
43 WCCP with ASA: the ASA only allows "redirect in"; client and WSA must be on the same interface, so no DMZ deployment is possible... The inside ACL is checked before redirection, so the destination server must be allowed in the ACL. The redirection method is GRE based. The redirect ACL allows permit and deny. No TCP intercept, inspection engine or internal IPS is applied to the redirected flow; the IPS HW/SW module, however, does inspect the traffic.
   access-list WCCPRedirectionList extended deny ip
   access-list WCCPRedirectionList extended permit tcp any any eq www
   access-list WCCPRedirectionList extended permit tcp any any eq https
   !
   wccp 90 redirect-list WCCPRedirectionList
   wccp interface INSIDE 90 redirect in
44 WCCP with ASA in transparent mode (Diagram: upstream L3 router, VLAN /24, WCCP VLAN /24; the WSA is on the same L3 network but in a different VLAN.)
   firewall transparent
   hostname munlab-asa2
   ip address
   !
   interface Ethernet0/0
    description OUTSIDE INTERFACE
    nameif OUTSIDE
    security-level 0
   !
   interface Ethernet0/1
    description INSIDE
    nameif INSIDE
    security-level 100
   !
   wccp 92 redirect-list WCCPREDIRECTLIST
   wccp interface INSIDE 92 redirect in
45 WCCP with ASA virtual contexts: virtual firewalls sharing the same VLAN. Each context builds its own WCCP connection to the WSA, and each context uses a different service ID, so a single WSA serves multiple firewall contexts. (Diagram: Internet, shared VLAN /24, firewall contexts, WSA VLAN /24.)
46 WCCP with Router (ISR, ISR G2): redirect is GRE and hash, done in software. Allows for a DMZ design. Supports permit and deny statements in the redirection ACL. (Diagram: interfaces e0, e1, e2.)
   ip cef
   ip wccp version 2
   ip wccp 91 redirect-list <redirect-acl>
   !
   interface e0
    ip wccp 91 redirect in
47 WCCP Dual-Stack with Router ISR G2, lab setup (Diagram: Gi0, Fa0, P1, P2, Internet.)
   ip wccp source-interface GigabitEthernet0
   ip wccp 91 redirect-list IPv4-WCCP
   ipv6 unicast-routing
   ipv6 cef
   ipv6 wccp source-interface GigabitEthernet0
   ipv6 wccp 90 redirect-list IPv6-WCCP
   !
   interface GigabitEthernet0
    description WCCP-REDIR
    ip address
    duplex auto
    speed auto
    ipv6 address FD00:ABCD:1:2::1/64
    ipv6 nd ra suppress all
   !
48 WCCP Dual-Stack with Router ISR G2 (2), lab setup (Diagram: Gi0, Fa0, P1, P2, Internet.)
   interface Vlan200
    description WCCP Inside
    ip address
    ip wccp 91 redirect in
    ipv6 address FE80::1 link-local
    ipv6 address FD00:ABCD:1:1::1/64
    ipv6 nd prefix FD00:ABCD:1:1::/64 no-advertise
    ipv6 wccp 90 redirect in
   !
   interface FastEthernet0
    switchport mode trunk
    no ip address
49 WCCP with IP Spoofing: some designs require that the client IP is preserved after the request has been proxied. (Diagram: interfaces e0, e1, e2.) Problem to solve: traffic coming back from the Internet must be redirected to the WSA by the network, because its destination is now the client network, no longer the WSA. IP spoofing is mostly used in transparent mode; it is activated on the WSA in the WCCP configuration.
50 IP Spoofing Design in Transparent Mode (Diagram: client network /16 on e0 with WCCP 91, Internet on e2 with WCCP 92, e1.) A second service group on the Internet-facing interface catches the return traffic:
   ip cef
   ip wccp version 2
   ip wccp 91 redirect-list Redirect-Client
   ip wccp 92 redirect-list Redirect-back
   !
   interface e0
    ip wccp 91 redirect in
   !
   interface e2
    ip wccp 92 redirect in
   !
   ip access-list extended Redirect-Client
    permit tcp eq www
    permit tcp eq 443
   !
   ip access-list extended Redirect-back
    permit tcp any eq www
    permit tcp any eq www
51 IP Spoofing Design in Transparent Mode (Diagram: same design; WCCP 91 on e0, WCCP 92 on e2, client network /16.)
52 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis
53 WCCP Logs on WSA: create a new log subscription for WCCP and set the level to Debug. The log shows the Here-I-Am packets sent (HIA) and the I-See-You packets received (ISY).
54 WCCP Logs on WSA (2): check the capabilities of the WSA and of the WCCP server (switch, router, ...). The log shows the configured capabilities of the WSA as they are sent to the WCCP server. Typical finding: WCCP itself is OK, but the parameters are not!
55 Debug WCCP events on ASA / router / switch: the debug shows the Here-I-Am and I-See-You exchange for WCCP group ID 90.
56 WSA behaviour with WCCP: by default the WSA tries to negotiate L2 first. If the WCCP server is on a different subnet, you will get an error. Solution: force the WSA to negotiate GRE.
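The negotiation described on slides 26, 29 and 56, as an added model written for this page (not WSA or IOS code, and not the WCCPv2 wire protocol): the WSA offers its methods in preference order, the designated web cache (lowest IP in the cluster) negotiates for all members, both sides must use the same service group ID, and L2 only works when the WSA sits on the subnet of the redirecting device. The per-platform capability sets are assumptions taken from the platform slides of this deck, not a vendor matrix.

```python
"""Model of the WCCP method negotiation between a WSA and its WCCP server.
Illustrative model for this page; it is not WSA/IOS code and does not speak
the WCCPv2 wire protocol."""
import ipaddress

# What each WCCP server type in the deck can do (assumption, from the slides:
# 3560/3750 = L2 + mask, Cat6500 = L2/GRE + mask/hash, ISR = GRE + hash, ASA = GRE + hash).
SERVER_CAPS = {
    "cat3560": {"forward": {"L2"},        "return": {"L2"},        "assign": {"MASK"}},
    "cat6500": {"forward": {"L2", "GRE"}, "return": {"L2", "GRE"}, "assign": {"MASK", "HASH"}},
    "isr":     {"forward": {"GRE"},       "return": {"GRE"},       "assign": {"HASH"}},
    "asa":     {"forward": {"GRE"},       "return": {"GRE"},       "assign": {"HASH"}},
}


def designated_web_cache(wsa_addresses):
    """The WSA with the lowest IP in the service group negotiates for the cluster."""
    return str(min(ipaddress.ip_address(a) for a in wsa_addresses))


def wsa_offer(forwarding="L2"):
    """Methods a WSA advertises, in its preference order.

    'L2' is the default (L2 only); 'L2 or GRE' corresponds to 'Allow GRE';
    'GRE' forces GRE. Assignment is offered mask-first because mask is the
    hardware path on the platforms above.
    """
    forward = {"L2": ["L2"], "GRE": ["GRE"], "L2 or GRE": ["L2", "GRE"]}[forwarding]
    return {"forward": forward, "return": forward, "assign": ["MASK", "HASH"]}


def negotiate(offer, platform, same_subnet, wsa_service_id, server_service_id):
    """Pick, for forward/return/assign, the first method the WSA prefers that the
    server supports, or raise with the reason the service group never comes up."""
    if wsa_service_id != server_service_id:
        raise ValueError(f"service group mismatch: WSA uses {wsa_service_id}, "
                         f"server uses {server_service_id}")
    caps = SERVER_CAPS[platform]
    chosen = {}
    for key in ("forward", "return", "assign"):
        common = [m for m in offer[key] if m in caps[key]]
        if not common:
            raise ValueError(f"no common {key} method: WSA offers {offer[key]}, "
                             f"{platform} supports {sorted(caps[key])}")
        chosen[key] = common[0]
    if chosen["forward"] == "L2" and not same_subnet:
        # L2 redirect only rewrites the destination MAC, so the WSA must be on the same
        # L2 segment; this is the error slide 56 describes, fixed by forcing GRE on the WSA
        raise ValueError("L2 negotiated but the WSA is not on the WCCP server's subnet; "
                         "force the WSA to negotiate GRE")
    return chosen


if __name__ == "__main__":
    print(designated_web_cache(["172.16.10.101", "172.16.10.100"]))   # constructed cluster
    print(negotiate(wsa_offer(), "cat3560", True, 91, 91))
    print(negotiate(wsa_offer("GRE"), "isr", False, 91, 91))
    try:
        negotiate(wsa_offer("L2 or GRE"), "cat6500", False, 90, 90)
    except ValueError as err:
        print("error:", err)
```

With the default L2-only offer the ASA (GRE only) never comes up, and with "L2 or GRE" the model still picks L2 on a Cat6500 and then fails the subnet check; only the forced GRE setting makes a WSA in another subnet usable, which is the behaviour slide 56 describes.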
57 A Word about Hardware: the mask assignment is handled in hardware on ASR, Cat6500, ... WCCP redirect ACL deny statements do not use mask TCAM. WCCP redirect ACL permit statements use up to (number of permit ACEs) * (number of buckets) TCAM entries. Example: for a 7 bit mask, the router / switch uses 4096 TCAM entries for 32 permit statements, wasting a lot of TCAM resources. Adjusting the bit mask must be done on the WCCP client; supported with the v7.7 software release.
58 A Word about Hardware (2): choose the smallest mask that gives one slot per WSA
   1-2 WSAs     1 bit, 2 slots
   3-4 WSAs     2 bits, 4 slots
   5-8 WSAs     3 bits, 8 slots
   9-16 WSAs    4 bits, 16 slots
   17-32 WSAs   5 bits, 32 slots
   Example: mask 0x3 = 2 bits = 4 slots, for up to 4 WSAs.
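The assignment arithmetic from slides 22, 27, 57 and 58, as an added illustration written for this page (not Cisco code). The hash is a stand-in: Cisco does not publish the router's function, so here the addresses and ports are folded byte-wise with XOR into an 8-bit bucket index, as the "XOR (IP_DA IP_SA port_da port_sa)" sketch suggests. The mask example masks low-order source-address bits; the slide-22 sketch masks destination bits, the mechanism is the same. The sample flow and WSA names are constructed.

```python
"""WCCP hash vs. mask assignment and the TCAM cost of mask assignment.
Illustrative model for this page, not the router's real hash function."""
import ipaddress
import math

BUCKETS = 256          # hash assignment: 8-bit index, 256 buckets by default
MAX_MASK_BITS = 7      # mask assignment: at most 7 bits, 128 slots


def hash_bucket(src_ip, dst_ip, src_port, dst_port):
    """Fold the 4-tuple into one of the 256 hash buckets (illustrative XOR fold)."""
    idx = 0
    for ip in (src_ip, dst_ip):
        for byte in ipaddress.ip_address(ip).packed:
            idx ^= byte
    for port in (src_port, dst_port):
        idx ^= (port >> 8) ^ (port & 0xFF)
    return idx


def hash_assign(flow, wsas):
    """Buckets are dealt to the WSAs in contiguous ranges. When a WSA fails, call this
    again with the survivors: its share is redistributed, as slide 28 describes."""
    return wsas[hash_bucket(*flow) * len(wsas) // BUCKETS]


def mask_bits_for(n_wsa):
    """Smallest mask width whose 2^bits slots cover n_wsa appliances (1 bit for 1-2,
    2 bits for 3-4, 3 bits for 5-8, 4 bits for 9-16, 5 bits for 17-32)."""
    bits = max(1, math.ceil(math.log2(n_wsa)))
    if bits > MAX_MASK_BITS:
        raise ValueError("mask assignment selects at most 7 bits")
    return bits


def mask_assign(flow, wsas, mask_bits):
    """AND the source address with a low-order mask and use the result as the slot;
    slots are handed to the WSAs round-robin, so the first packet of a new flow is
    hardware switched without a software lookup."""
    slot = int(ipaddress.ip_address(flow[0])) & ((1 << mask_bits) - 1)
    return wsas[slot % len(wsas)]


def tcam_entries(permit_aces, mask_bits):
    """Every permit ACE in the redirect list is expanded once per mask slot;
    deny ACEs do not consume mask TCAM."""
    return permit_aces * (1 << mask_bits)


if __name__ == "__main__":
    wsas = ["WSA1", "WSA2", "WSA3", "WSA4"]
    flow = ("10.0.0.1", "192.0.2.10", 40000, 80)       # constructed sample flow
    print("hash bucket", hash_bucket(*flow), "->", hash_assign(flow, wsas))
    bits = mask_bits_for(len(wsas))
    print(f"{bits} mask bits -> {mask_assign(flow, wsas, bits)}")
    print("TCAM for 32 permits, 7-bit mask:", tcam_entries(32, 7))
    print("TCAM for 32 permits,", bits, "bit mask:", tcam_entries(32, bits))
```

Shrinking the mask from the 7-bit default to the 2 bits four WSAs actually need cuts the TCAM footprint of the same 32-entry redirect list from 4096 to 128 entries, which is the point of the "adjust the bit mask on the WCCP client" advice.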
59 Transparent Deployment, Summary: no client settings are necessary. The client resolves the hostname of the target web server, which improves performance. Traffic gets redirected by the network. Requires activation of the HTTPS proxy for HTTPS requests. Allows for redundancy by defining multiple WSAs to redirect to. Selecting the right device to redirect is critical. Try to limit the number of permit entries in redirect lists when using mask assignment, and adjust the mask in AsyncOS 7.7+. When using IP spoofing make sure the WSA is not in the path of the clients.
60 WSA Data Plane & IPv6
   Feature                                          IPv6 Support
   HTTP / HTTPS / Native FTP / FTP-over-HTTP Proxy  Yes
   SOCKS v5 Proxy                                   Yes
   Anti-Malware Scanning                            Yes
   URL Categorization                               Yes
   Upstream Proxies                                 Yes
   IP Spoofing                                      Yes
   L4TM                                             Yes
   Proxy Bypass                                     Yes
61 WSA Data Plane & IPv6 (2)
   Feature                                          IPv6 Support
   WBRS (Web Reputation)                            Ready
   SaaS                                             Yes
   Authentication Surrogates                        Yes
   AVC, Bandwidth Control                           Yes
   X-Forwarded-For Headers                          Yes
   End User Notification, End User Acknowledgement  Yes
62 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis
63 Authentication (Diagram: user, Web Security Appliance, user directory.) Authentication protocols: directory: LDAP or NTLM. Method: Basic (credentials are sent unencrypted), NTLMSSP (challenge-response), Kerberos, TUI using CDA. Tracking the user: IP based surrogates, cookie based surrogates.
64 Authentication in Explicit Deployment (Diagram: user, Web Security Appliance, user directory, IPv4 and IPv6.) The proxy sends HTTP response code 407 (proxy authentication required). The client recognizes the proxy and therefore accepts a 407 response from it. This also works for HTTPS: the client sends a CONNECT request to the proxy and accepts a 407 response to it.
65 Authentication in Transparent Deployment (Diagram: user, Web Security Appliance, user directory, Internet, web server.) The client is not aware of a proxy, so HTTP response code 407 cannot be used; the WSA has to use HTTP response code 401. The client first needs to be redirected to the WSA. The client must trust the redirect hostname when using NTLM to prevent prompting.
66 Authentication in Transparent Deployment, step by step
   Step  What the client thinks                                          What is really happening
   1     The client sends a request to the remote HTTP server             The client request is rerouted to the WSA
   2     The client receives a 307 (temp. redirect) from the remote       The client receives a 307 from the WSA, which spoofs the
         server, redirecting it to the WSA                                 remote server, redirecting it to the WSA
   3     The client establishes a connection to the WSA                   The client establishes a connection to the WSA
   4     The client receives a 401 (authentication request) from the WSA  The client receives a 401 (authentication request) from the WSA
   5     The client authenticates with the WSA                            The client authenticates with the WSA
   6     The client receives a 307 from the WSA, redirecting it back to   The client receives a 307 from the WSA, redirecting it back to
         the remote server                                                the remote server
   7     The client establishes a new connection to the remote server     The client continues to use the WSA as a transparent proxy
67 Authentication in Transparent Deployment w/ Dual Stack (Diagram: user with IPv4 and IPv6, Web Security Appliance, user directory, Internet, web server.) The client initiates an IPv4 (or IPv6) connection with its first request. The client is redirected, authenticated, and its IPv4 (or IPv6) address is stored in the WSA. The client then makes another connection, this time over IPv6 (or IPv4). That address cannot be found in the authentication cache, so the client has to authenticate again!
68 Authentication in Transparent Deployment w/ Dual Stack. Using NTLM & IP surrogates: the client authenticates twice, but that is no problem for the user experience because it happens in the background. Using Basic auth & IP surrogates: the client authenticates twice. Using cookie surrogates: works for IPv4 & IPv6, but beware of issues with SSL traffic! The cookie is inside the SSL payload and is encrypted, so the WSA cannot read it...
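The challenge sequence of slides 64 to 68, as an added model written for this page (not WSA code): explicit-mode clients get a 407, transparently redirected clients get bounced to the WSA redirect hostname and then a 401, and the surrogate cache decides whether a later request needs to authenticate again. The redirect hostname, the header values and the requests are assumptions constructed for the example; the dual-stack and SSL cases at the end are the two caveats the slides raise.

```python
"""Proxy authentication in explicit vs. transparent mode with IP and cookie
surrogates. Illustrative model for this page; not WSA code."""
from dataclasses import dataclass

REDIRECT_HOST = "wsa-auth.example.net"   # assumed WSA redirect hostname


@dataclass
class Request:
    method: str
    target: str            # request-target exactly as the client sent it
    headers: dict
    client_ip: str
    tls: bool = False      # True: transparent HTTPS, headers sit inside the tunnel


def is_explicit(req):
    """An explicit-proxy client sends CONNECT host:port or an absolute URI;
    a transparently redirected client sends an origin-form path."""
    return req.method == "CONNECT" or req.target.startswith(("http://", "https://"))


class SurrogateCache:
    """Remembers who authenticated, keyed by client IP or by a cookie the WSA set."""

    def __init__(self, kind):
        assert kind in ("ip", "cookie")
        self.kind, self.entries = kind, {}

    def key(self, req):
        if self.kind == "ip":
            return req.client_ip
        if req.tls:                      # cookie is encrypted inside TLS: not visible
            return None
        return req.headers.get("Cookie")

    def lookup(self, req):
        return self.entries.get(self.key(req))

    def store(self, req, user):
        """Record a successful authentication; returns the key the client must present."""
        key = req.client_ip if self.kind == "ip" else f"wsa_auth={user}"
        self.entries[key] = user
        return key


def handle(req, cache):
    """Return (status, headers) the proxy answers before serving the request.
    status None means the WSA cannot challenge without decrypting first."""
    user = cache.lookup(req)
    if user:
        return 200, {"X-Authenticated-User": user}
    if is_explicit(req):
        # explicit mode: the client knows the proxy, so 407 works for HTTP and CONNECT
        return 407, {"Proxy-Authenticate": "NTLM"}
    if req.tls:
        return None, {}
    host = req.headers.get("Host", "")
    if host != REDIRECT_HOST:
        # the WSA answers on behalf of the origin server and bounces the client to itself
        return 307, {"Location": f"http://{REDIRECT_HOST}/auth?orig=http://{host}{req.target}"}
    return 401, {"WWW-Authenticate": "NTLM"}


if __name__ == "__main__":
    ipc = SurrogateCache("ip")
    first = Request("GET", "/", {"Host": "www.example.com"}, "192.0.2.10")
    print(handle(first, ipc))                                   # 307 to the redirect host
    auth = Request("GET", "/auth?orig=http://www.example.com/", {"Host": REDIRECT_HOST}, "192.0.2.10")
    print(handle(auth, ipc))                                    # 401
    ipc.store(auth, "alice")
    print(handle(first, ipc))                                   # 200, surrogate hit
    print(handle(Request("GET", "/", {"Host": "www.example.com"}, "2001:db8::10"), ipc))  # 307 again
```

The IP surrogate misses as soon as the same dual-stack client comes back over its other address family, while a cookie surrogate follows the client across families but is invisible inside a TLS tunnel the WSA does not decrypt.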
69 Multiple WSA with WCCP and Authentication Loop (Knowledge base article #7623). Scenario: multiple WSAs, transparent deployment with authentication. The client requests a website. The switch redirects the request to WSA1. WSA1 needs authentication and redirects the client to WSA1 (its redirect hostname). The client sends the request to WSA1, and this request gets redirected through WCCP as well. The redirect may end up on WSA1, but it can also terminate at any other WSA in the cluster. Strange things happen from now on...
70 WCCP with L3 Switch, L2 redirect, multiple WSAs with authentication, avoiding the auth loop, single VLAN (Diagram: clients, WSA #1 and WSA #2 all on VLAN10, Internet.)
   ip routing
   ip wccp 91 redirect-list wsa
   ip access-list extended wsa
    ! do not redirect traffic from wsa1/2
    deny ip host <wsa1> any
    deny ip host <wsa2> any
    ! do not redirect traffic going DIRECTLY to wsa1/2
    deny ip any host <wsa1>
    deny ip any host <wsa2>
    permit tcp any any eq www
    permit tcp any any eq 443
   !
   interface Vlan10
    ip address
    ip wccp 91 redirect in
71 WCCP with L3 Switch and Authentication, L2 redirect, multiple WSAs with authentication, avoiding the auth loop (Diagram: clients on VLAN10, WSA #1 and WSA #2 on VLAN40, Internet.) First option: the WSAs are on their own VLAN, so only traffic going directly to them has to be excluded:
   ip routing
   ip wccp 91 redirect-list wsa
   ip access-list extended wsa
    ! do not redirect traffic going DIRECTLY to wsa1/2
    deny ip any host <wsa1>
    deny ip any host <wsa2>
    permit tcp any any eq www
    permit tcp any any eq 443
   !
   interface Vlan10
    ip address
    ip wccp 91 redirect in
   Second option:
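A check of the two redirect-list designs on this page, slide 50 (IP spoofing with a second service group for the return traffic) and slides 70/71 (avoiding the authentication loop), as an added example written for this page (not Cisco or WSA code). It evaluates only the IOS extended-ACL syntax the slides use, with first-match semantics and the implicit deny at the end. The addresses are assumptions filled in for the deck's placeholders: wsa1 = 192.0.2.11, wsa2 = 192.0.2.12, client network 10.1.0.0/16; all sample flows are TCP and constructed.

```python
"""Ev evaluating WCCP redirect-lists against sample flows. Illustrative example
for this page; the addresses and flows are constructed."""
import ipaddress

PORT_NAMES = {"www": 80, "https": 443}


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None), i + 2
    return None, i


def parse_acl(text):
    """'permit|deny ip|tcp <src> [eq p] <dst> [eq p]' lines -> list of ACE tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append((tok[0], tok[1], src, sport, dst, dport))
    return entries


def acl_permits(entries, flow):
    """flow = (src_ip, sport, dst_ip, dport); first match wins, implicit deny.
    All sample flows are TCP, so 'ip' and 'tcp' ACEs both apply."""
    s, sp, d, dp = flow
    for action, _proto, src, sport, dst, dport in entries:
        if (ipaddress.ip_address(s) in src and ipaddress.ip_address(d) in dst
                and (sport is None or sport == sp) and (dport is None or dport == dp)):
            return action == "permit"
    return False


# slide 70: redirect web traffic, but never traffic from the WSAs or going straight to them
AUTH_LOOP_ACL = parse_acl("""
! do not redirect traffic from wsa1/2
deny ip host 192.0.2.11 any
deny ip host 192.0.2.12 any
! do not redirect traffic going DIRECTLY to wsa1/2
deny ip any host 192.0.2.11
deny ip any host 192.0.2.12
permit tcp any any eq www
permit tcp any any eq 443
""")

# slide 50: client->web on e0 (group 91), web->client return traffic on e2 (group 92)
REDIRECT_CLIENT = parse_acl("""
permit tcp 10.1.0.0 0.0.255.255 any eq www
permit tcp 10.1.0.0 0.0.255.255 any eq 443
""")
REDIRECT_BACK = parse_acl("""
permit tcp any eq www 10.1.0.0 0.0.255.255
permit tcp any eq 443 10.1.0.0 0.0.255.255
""")
SPOOFING_GROUPS = {"e0": (91, REDIRECT_CLIENT), "e2": (92, REDIRECT_BACK)}


def wccp_redirect(groups, iface, flow):
    """Service group ID that redirects this flow on its ingress interface, or None."""
    if iface not in groups:
        return None
    gid, acl = groups[iface]
    return gid if acl_permits(acl, flow) else None


if __name__ == "__main__":
    print(acl_permits(AUTH_LOOP_ACL, ("10.1.2.3", 40000, "93.184.216.34", 80)))   # True
    print(acl_permits(AUTH_LOOP_ACL, ("10.1.2.3", 40000, "192.0.2.11", 80)))      # False: auth redirect to wsa1
    print(acl_permits(AUTH_LOOP_ACL, ("192.0.2.11", 40000, "93.184.216.34", 80))) # False: wsa1's own request
    print(wccp_redirect(SPOOFING_GROUPS, "e0", ("10.1.2.3", 40000, "93.184.216.34", 80)))   # 91
    print(wccp_redirect(SPOOFING_GROUPS, "e2", ("93.184.216.34", 80, "10.1.2.3", 40000)))   # 92
```

Without the deny entries, the client's request to the redirect hostname of WSA1 would itself be redirected and could land on WSA2, which is the loop slide 69 describes; with IP spoofing the return list has to match on the server's source port, because the destination is now the client network rather than the WSA.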
72 Upstream Proxy with Authentication: the WSA can be deployed behind an existing proxy. Depending on the upstream proxy, check its connection limits! If the upstream proxy requires authentication as well, change the setting on the CLI in advancedproxyconfig:
   When would you like to forward authorization request headers to a parent proxy:
   1. Always
   2. Never
   3. Only if not used by the WSA
   [2]> 1
   (Diagram: Internet, upstream proxy, WSA.)
73 Authentication against W2008 RODC: the network design may require the use of a read-only domain controller. Symptom: the WSA can join the domain and the computer account gets created; however, the computer account is disabled on the RODC... Cause: the WSA requires cached credentials for its computer account within AD, and an RODC by default only replicates the credentials of its own account. Solution: also replicate the WSA computer account to the RODC (allow it in the RODC's password replication policy). (Diagram: WSA, RODC, DC.)
74 WSA, Authentication and SSL: in explicit mode an HTTPS CONNECT request is made and the WSA replies with 407 Proxy Authentication Required. At this time the WSA has the following information: destination host, user agent, verified user credentials. The WSA can decide whether to decrypt based on: destination host, user agent, proxy port, subnets, time range.
75 WSA, Authentication and SSL (2): in transparent mode there is no CONNECT request. Since the client is not aware of the WSA, it starts a TCP connection to the remote server; the connection is redirected to the WSA, and the client starts the HTTPS/SSL handshake directly. At this point the WSA only knows destination IP and port. The WSA sends an HTTPS probe (its own Client Hello) to the server to obtain the Server Hello and the server certificate.
76 WSA, Authentication and SSL (3): with the server certificate the WSA knows: client IP, destination IP, server certificate. The Common Name (CN) from the server certificate is used as the request URL and therefore for URL category matching. Based on this information the WSA matches identity and decryption policy and determines whether to DECRYPT or PASS THROUGH the request. All information normally sent in the HTTP header (cookies, user agent, MIME type, etc.) is encrypted inside the tunnel and therefore not available to the WSA at this point.
77 WSA, Authentication and SSL (4): should we decrypt? Very often decided by URL category... (think of finance websites...)
79 WSA, Authentication and SSL (5): finding out the correct URL category... Solution: use the Server Name Indication (SNI) that the client sends; support on the proxy side is required (supported in v7.7). Most browsers have supported it for years... The CLIENT HELLO of the TLS handshake carries the host name:
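Reading the host name out of the ClientHello, as slide 79 describes, and using it for the decrypt / pass-through decision of slides 76 and 77: an added example written for this page, not WSA code. The ClientHello builder only exists to produce test input (a minimal TLS 1.2 hello with one cipher suite), and the category table is constructed; a client without SNI falls back to the probe the deck describes, where the WSA has to fetch the server certificate and use its CN.

```python
"""Extract the server_name (SNI) extension from a TLS ClientHello and decide
whether to decrypt. Illustrative example for this page; not WSA code."""
import struct

URL_CATEGORIES = {"bank.example.com": "Finance", "www.example.com": "Business"}  # constructed
PASS_THROUGH_CATEGORIES = {"Finance"}


def build_client_hello(server_name=None):
    """Minimal TLS 1.2 ClientHello used only as constructed test input."""
    exts = b""
    if server_name:
        name = server_name.encode("ascii")
        sni = struct.pack("!BH", 0, len(name)) + name        # name_type host_name(0)
        sni = struct.pack("!H", len(sni)) + sni              # ServerNameList
        exts += struct.pack("!HH", 0, len(sni)) + sni        # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                        # client_version, random
            + b"\x00"                                        # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                                    # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # record type handshake(22)


def extract_sni(data):
    """Return the host_name from a ClientHello's server_name extension, or None.
    Assumes the ClientHello fits in a single TLS record."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                          # skip client_version and random
    pos += 1 + hs[pos]                                        # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]        # cipher_suites
    pos += 1 + hs[pos]                                        # compression_methods
    if pos + 2 > len(hs):
        return None                                           # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                        # server_name
            list_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
            p = pos + 2
            while p + 3 <= list_end:
                ntype, nlen = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                if ntype == 0:
                    return hs[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += elen
    return None


def decrypt_decision(client_hello):
    """DECRYPT / PASS THROUGH by the SNI host's category; PROBE when there is no SNI
    and the WSA must send its own ClientHello to learn the certificate CN."""
    name = extract_sni(client_hello)
    if name is None:
        return "PROBE"
    category = URL_CATEGORIES.get(name, "Uncategorized")
    return "PASS THROUGH" if category in PASS_THROUGH_CATEGORIES else "DECRYPT"


if __name__ == "__main__":
    for host in ("bank.example.com", "www.example.com", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), decrypt_decision(hello))
```

The SNI is sent in clear text before any key exchange, so the proxy can classify the destination without touching the server at all; the certificate CN route remains the fallback for clients that do not send SNI.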
80 Authentication in Secure Mobility Deployment (Diagram: user w/ AnyConnect, ASA, Web Security Appliance, user directory, Internet, web server.) The user connects to the ASA via AnyConnect. The ASA authenticates the VPN connection against the user directory. After successful authentication the ASA passes the user information to the WSA for single sign-on. This does not depend on AD membership and works for all devices such as tablets, phones, etc. The user can surf via the WSA without the need to authenticate again. The WSA can be deployed explicit or transparent.
81 DEMO: Secure Mobility on iPad with SSO
82 IE8/IE9 with Single Sign-On: SSO on the WSA is correctly configured but clients still get prompted. Check whether the WSA redirect name is listed in Trusted Sites, then check the security settings of the Trusted Sites zone and set them to "Automatic logon with current user name and password".
83 Transparent User Identification (TUI): 1. The client logs on to the AD domain; the CDA tracks the AD audit logs and maps user to IP. 2. The client requests a website. 3. The traffic is transparently redirected to the WSA. 4. The WSA needs to authenticate and queries the CDA for the user-IP mapping. 5. The WSA queries AD for the user's groups. 6. The request is proxied and forwarded to the Internet. (Diagram: AD user, switch w/ WCCP, WSA, CDA, AD controller via WMI, Internet.)
84 Context Directory Agent: a Linux image installed on a virtual machine. It gets the user-to-IP mapping via WMI from the AD controller and can be queried from WSA, ASA or ASA-CX via RADIUS.
85 Context Directory Agent & IPv6: the identity mapping can be IPv4 or IPv6... Identity consumers must be via IPv
86 TUI Summary & Caveats: uses an agent (= CDA) running on a virtual machine; the same agent is also used for identity based firewalling on the ASA and ASA-CX. Allows all applications on the client to work with authentication without starting a browser first. Supports IPv6 for client registration and RADIUS messages. IPv6 privacy extensions (temporary addresses) can cause trouble on clients because the address in the mapping keeps changing; better to disable them. Does not work if the client is NAT-ed after AD authentication but before reaching the WSA. Does not work in terminal server environments, where many users share one IP. If the client cannot be identified, fall back to the previous authentication mechanism such as Basic or NTLM.
87 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis. You will have the right tools both to deploy our solutions and to solve problems!
88 WSA Performance Analysis (Diagram: client, WSA, AD server, DNS server, Cisco SIO, Internet, WWW server.)
89 Getting some General Performance Information: SNMP query: proxy CPU in percent, measured every 10 seconds (cachecpuusage); request throughput in the last minute (cachethruputnow). Enable SNMP on the appliance via the CLI.
90 Getting some General Performance Information (2): proxystat, a CLI command available on ASYNC-OS
91 Debugging Performance Issues: download the file prox_track.log from the appliance via FTP. The file is written every 5 minutes with a timestamp; the interval can be changed in advancedproxyconfig on the CLI.
92 prox_track.log content: contains various statistical data about proxy performance. Please do NOT consider every packet count 100% accurate! The file just gives a good hint of what problem might be happening.
93 General Statistics, traffic statistics: if the number of throttled transactions keeps increasing, this could indicate that the appliance cannot handle the load.
94 How to read prox_track.log: the statistics are snapshots of cumulative totals. Counters are reset after a reboot / restart of the proxy. Take the statistic at time X and at time Y, then compare the change.
95 Important Statistics: Client time: total time the client waited until its request was fulfilled. Hit time: time the WSA needs to fetch content from the cache. Miss time: time the WSA needs to fetch all data from the server.
96 Important Statistics (2): Server transaction time: time for the complete transaction with the server to finish. Server wait time: time until the WSA receives the first byte from the server; high values can mean upstream problems (firewall, router, ISP, upstream proxy).
97 Important Statistics (3): DNS time: time for the WSA to do a DNS resolution; a high value indicates a problem with the DNS server.
98 Important Statistics (4): Auth helper wait: time an authentication request waits until it is validated by AD / LDAP; a high value indicates a problem with the connection to the authentication server. Auth helper service: time until an authentication request is fully validated (check whether the IP address is already authenticated, check surrogates, etc.).
99 Important Statistics (5): WBRS service time: time for the WSA to check the reputation score. Webcat service time: time for the WSA to check the URL category. AVC header scan service time: time to check the header of a request against the AVC signatures. AVC body scan service time: time to check the body of a request against the AVC signatures.
100 Important Statistics (6): Sophos, McAfee, Webroot service time: time the scanner used to scan the object. Adaptive scanning service time: time for the adaptive scanning process to scan an object. Service queue time: time the object waited in the queue to be scanned.
101 Adaptive Scanning: each type of object gets a RISK score assigned. The score is based on the type of object, the effectiveness of the malware scanners for this type, and WBRS (WBRS must be enabled on the WSA). The appliance scans objects with the scanner that is most appropriate for this object type. If the appliance has a performance problem with the anti-malware scanners, it drops objects from scanning. Example: don't scan *.jpg files with McAfee when they come from websites with a good reputation.
102 Customizing the Access Log: add custom fields such as %m (= authentication method) to the access_log. Variables can be appended to the access log format; the available variables are listed in the GUI (some older versions of the WSA software might not have the full list).
103 Customizing the Access Log, example: format string "%m AUTH: %:>a DNS: %:>d REP: %:>r". %m: authentication method. %:>a: authentication wait time. %:>d: DNS wait time. %:>r: reputation wait time. Any literal text (AUTH:, DNS:, REP:) acts as a comment for readability.
104 Customizing the Access Log, example (2): destination IP %k. Extremely useful in dual-stack environments to find out whether the WSA makes the outgoing connection over IPv4 or IPv6 (e.g. destination IP = IPv4 while the source IP of the client is IPv6).
105 Customizing the Access Log, example (3), For Your Reference. Other useful parameters: %L human readable local time; %k destination IP; %g group memberships; %u user agent. Example for detailed performance logs:
   Request Details: ID = %I, User Agent = %u, AD Group Memberships = ( %m ) %g ]
   [ Tx Wait Times (in ms): 1st byte to server = %:<1, Request Header = %:<h, Request to Server = %:<b, 1st byte to client = %:1>, Response Header = %:h>, Client Body = %:b> ]
   [ Rx Wait Times (in ms): 1st request byte = %:1<, Request Header = %:h<, Client Body = %:b<, 1st response byte = %:>1, Response header = %:>h, Server response = %:>b, Disk Cache = %:>c; Auth response = %:<a, Auth total = %:>a; DNS response = %:<d, DNS total = %:>d, WBRS response = %:<r, WBRS total = %:>r, AVC response = %:A>, AVC total = %:A<, DCA response = %:C>, DCA total = %:C<, McAfee response = %:m>, McAfee total = %:m<, Sophos response = %:p>, Sophos total = %:p<, Webroot response = %:w>, Webroot total = %:w<, Anti-Spyware response = %:<s, Anti-Spyware total = %:>s; Latency = %x; %L
106 Using SPLUNK to extract Data
Definition of the regex that looks for the keywords we defined in the access log customization (AUTH:, DNS:, REP:).
107 Using SPLUNK to extract Data (2)
The extraction of the values is saved permanently as a field extraction in SPLUNK, so the fields are available in every later search.
108 Using SPLUNK to extract Data (3)
SPLUNK report on the average time for reputation lookup and DNS resolution per domain.
109 Using SPLUNK to extract Data (4)
Example report for reputation time.
110 Using SPLUNK to extract Data (5)
Example report for DNS time.
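The custom fields from slides 103 to 105 are only useful once something parses them out again, which is what the Splunk field extraction on slides 106 to 110 does. The following is an added example, not code from the deck or from Cisco, that does the same extraction offline in Python: it anchors a regex on the AUTH:/DNS:/REP: keywords, computes the average DNS and reputation wait time per destination domain (the report from slide 108) and uses the %k destination IP to tell IPv4 from IPv6 upstream connections (slide 104). It assumes a combined custom format of "%m AUTH: %:>a DNS: %:>d REP: %:>r DST: %k" appended to the standard fields, and the standard prefix is abbreviated to timestamp, elapsed time, client IP, result code, bytes, method and URL; the log lines are constructed for the example and are not real WSA output.

```python
import re
import statistics
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample access_log lines (not real WSA output). Standard fields are
# abbreviated to: timestamp, elapsed ms, client IP, result code, bytes, method,
# URL. The tail is the assumed custom format "%m AUTH: %:>a DNS: %:>d REP: %:>r DST: %k".
SAMPLE_LOG = """\
1369900001.123 215 10.1.2.3 TCP_MISS/200 8187 GET http://www.example.com/index.html NTLMSSP AUTH: 12 DNS: 40 REP: 20 DST: 192.0.2.10
1369900002.456 180 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/app.js NTLMSSP AUTH: 0 DNS: 20 REP: 10 DST: 192.0.2.10
1369900003.789 950 2001:db8::10 TCP_MISS/200 2048 GET http://ipv6.example.net/ BASIC AUTH: 30 DNS: 600 REP: 250 DST: 2001:db8:1::80
1369900004.012 300 2001:db8::11 TCP_MISS/200 1024 GET http://www.example.com/img.jpg NTLMSSP AUTH: 0 DNS: 30 REP: 30 DST: 192.0.2.10
this line is deliberately malformed and must be skipped
"""

# The AUTH:/DNS:/REP:/DST: keywords are the readability "comments" placed in the
# custom format; they are used here as regex anchors, exactly as a Splunk
# field extraction would use them.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client_ip>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<auth_method>\S+)\s+AUTH:\s*(?P<auth_ms>\d+)\s+DNS:\s*(?P<dns_ms>\d+)\s+"
    r"REP:\s*(?P<rep_ms>\d+)\s+DST:\s*(?P<dst_ip>\S+)\s*$"
)


def parse_access_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("elapsed_ms", "bytes", "auth_ms", "dns_ms", "rep_ms"):
            row[key] = int(row[key])
        row["domain"] = urlsplit(row["url"]).hostname
        rows.append(row)
    return rows


def per_domain_wait_times(rows):
    """Average DNS and reputation (WBRS) wait time per destination domain."""
    dns = defaultdict(list)
    rep = defaultdict(list)
    for r in rows:
        dns[r["domain"]].append(r["dns_ms"])
        rep[r["domain"]].append(r["rep_ms"])
    return {
        d: {"requests": len(dns[d]),
            "dns_avg_ms": statistics.mean(dns[d]),
            "rep_avg_ms": statistics.mean(rep[d])}
        for d in dns
    }


def slowest_domains(rows, field="dns_ms", limit=5):
    """Domains ordered by average wait time for the given field, slowest first."""
    stats = per_domain_wait_times(rows)
    key = "dns_avg_ms" if field == "dns_ms" else "rep_avg_ms"
    return sorted(stats, key=lambda d: stats[d][key], reverse=True)[:limit]


def dual_stack_summary(rows):
    """Count upstream connections by IP version of %k and flag requests where an
    IPv6 client was served over an IPv4 connection to the web server (slide 104)."""
    summary = {"server_v4": 0, "server_v6": 0, "client_v6_to_server_v4": 0}
    for r in rows:
        dst_version = ip_address(r["dst_ip"]).version
        src_version = ip_address(r["client_ip"]).version
        summary["server_v4" if dst_version == 4 else "server_v6"] += 1
        if src_version == 6 and dst_version == 4:
            summary["client_v6_to_server_v4"] += 1
    return summary


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for domain, s in per_domain_wait_times(parsed).items():
        print(f"{domain:20} n={s['requests']} dns={s['dns_avg_ms']:.0f}ms rep={s['rep_avg_ms']:.0f}ms")
    print("slowest DNS:", slowest_domains(parsed, "dns_ms"))
    print("dual-stack:", dual_stack_summary(parsed))
```

The regex is strict on purpose: a line that does not carry the custom tail (for example one written by an older software version whose GUI did not offer all variables, see slide 102) is dropped rather than mis-parsed, so the averages only reflect requests that actually recorded wait times.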
111 Summary for WSA Performance Analysis
- The WSA has very detailed logs for troubleshooting performance issues.
- Use the prox_stat.log file for general performance checks.
- Use a customized access log for detailed checking of single requests.
- SPLUNK is a great tool to help you analyse, especially when combined with customized logs!
112 WSA Performance Analysis (diagram: client and AD server on the inside, WSA with DNS server and Cisco SIO lookups, WWW server on the Internet)
113 Call to Action
- Visit the World of Solutions: Cisco Campus, Web Security Appliance, Walk-in Labs, Technical Solutions Clinics
- Meet the Engineer: Tobias Mayer, Hrvoje Dogan, Jonny Noble
- Lunch Time Table Topics, held in the main Catering Hall
- Recommended Reading: for reading material and further resources for this session, please visit
114 Complete Your Online Session Evaluation
Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt.