Advanced Web Security Deployment with WSA in IPv4 & IPv6 Networks


2 Advanced Web Security Deployment with WSA in IPv4 & IPv6 Networks Tobias Mayer, Consulting Systems Engineer

3 Abstract This session covers advanced deployment and troubleshooting scenarios for the WSA (Web Security Appliance). We first take a fresh look at some of the deployment methods, focusing on IPv4 and IPv6 deployment in transparent and explicit mode. The second part covers Transparent User Identification (TUI), which leverages the Context Directory Agent (CDA). In the third section we cover methods to troubleshoot performance issues and to find the root cause of performance problems using analysis based on the SPLUNK solution. This session is targeted at network administrators and security administrators dealing with the WSA who want to learn more about the underlying technology and deployment methods in IPv4 and IPv6 environments. Related sessions are: BRKSEC-2695 Embrace Cloud Web Security with your Cisco Network and BRKSEC-2699 Deploying ASA Next Generation Firewall.

4 For Your Reference There are (many...) slides in your print-outs that will not be presented. They are there for your reference.

5 Angel Aloisius Some slides have this friendly guy in the right corner. Those slides are meant to be non-standard advice or tips & tricks.

6 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis

7 Web Security Appliance

8 Another Example for Teredo usage Native IPv6 if available. The TEREDO server is used for P2P communication (= multiplayer mode). UDP/3074 is the preferred port -> different from the Teredo port used on Windows clients (UDP/3544).

9 Explicit Proxy Client requests a website. The browser connects first to the WSA; the WSA connects to the website. The firewall usually only allows web traffic for the proxy. DNS resolution is done by the WSA. (Figure: client, Web Security Appliance, ASA 5500 Firewall, Internet web server.)

10 Explicit Proxy with IPv4 & IPv6 Client requests a website. The browser connects first to the WSA using IPv4 or IPv6. The WSA does the DNS lookup; an A record and/or an AAAA record is returned. Depending on the WSA setting, the WSA builds the outgoing connection either on IPv4 or on IPv6. (Figure: client, Web Security Appliance, ASA 5500 Firewall, Internet web server, IPv4 and IPv6 paths.)

11 Explicit Mode with IPv4 & IPv6 Setting IPv6 addresses on the interfaces

12 Explicit Mode with IPv4 & IPv6 Setting IPv6 routes

13 Explicit Mode with IPv4 & IPv6 Setting DNS server. Which protocol should be preferred in case an A and an AAAA record are both returned?

14 Management Functions
Feature                Support for IPv6   Support over IPv6
WebUI (HTTP, HTTPS)    Yes                Yes
CLI (SSH)              Yes                Yes
FTP                    No                 No
Logging, Log Push      Yes                No
SNMP                   Yes                No
Upgrades / Updates     N/A                No
Reporting, Tracking    Yes                N/A

15 Support Functions
Feature                Support for IPv6   Support over IPv6
Support Tunnel         N/A                No
Packet Capture         Yes                N/A
Policy Trace           Yes                N/A
WBNP, Telemetry        Yes                No

16 Packet Capture with IPv6 Packet Capture shows additional interfaces for IPv4 & IPv6 Filter can be applied to IPv6 addresses 16

18 CLI Neighbor Cache in IPv6 is equivalent to the arp cache in IPv4 Display the arp-cache Display the neighbor table 18

19 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis

20 Transparent Proxy via WCCP Client requests a website Browser tries to connect to Website Network Device redirects traffic to WSA using WCCP WSA proxies the request DNS Resolution is done by the Client IPv6 IPv4 Web Security Appliance ASA 5500 Firewall Internet Internet Web server 20

21 Details Assignment The WCCP assignment method is used to determine which WCCP traffic and which WCCP device is chosen for the destination traffic. WCCP can use two types of Assignment Methods: Hash and Mask. Hash Based Assignment Uses a software based hash algorithm to determine which WCCP appliance receives traffic. In hardware based platforms the Netflow table is used to apply hardware assistance. Mask Based Assignment Uses the ACL TCAM to assign WCCP entities. This method is fully handled by hardware. 21

22 Gory Details for HASH and MASK
Hash - Combines the packet's src/dest IP addresses and src/dest ports into an 8-bit value. Complex function: the first packet must be sent to software, a Netflow entry is then created for subsequent packet rewrite.
Mask - Selects up to 7 bits from the src/dest IP addresses and src/dest ports. With this mode, the ACL TCAM can be programmed immediately and the first packet can then be hardware switched.
The hash table and the mask/value sets are supplied by the WCCP client to the router.
HASHING: XOR (IP_DA, IP_SA, port_da, port_sa) -> hash index -> WSA1 / WSA2 / WSA3 / WSA4
MASKING:
IP_DA    IP_SA   L4_proto   port_da   port_sa   Client
xxxx00   xxxx    TCP        80        xxxx      WSA1
xxxx01   xxxx    TCP        80        xxxx      WSA2
xxxx10   xxxx    TCP        80        xxxx      WSA3
xxxx11   xxxx    TCP        80        xxxx      WSA4

23 Details Redirect and Return Redirect Method: WCCP GRE - the entire packet is WCCP GRE tunneled to the WCCP client (WSA, cache, ...). Layer 2 - the frame's MAC address is rewritten to the MAC of the WCCP client. Return Method: the return method determines how the traffic will be sent back from the router to the WCCP appliance if the traffic could not be serviced; referred to as Proxy Bypass. WCCP GRE - the packet is WCCP GRE returned to the router. WCCP Layer 2 - the frame is rewritten to the router MAC.

24 WCCP input redirect WCCP Input redirect Ingress Interface Egress Interface 24

25 WCCP output redirect and input exclude WCCP Output redirect Ingress Interface Egress Interface WCCP Exclude-in 25

26 How WCCP registration works 1. Registration 2. Here I am 3. I see you. The WCCP client registers at the WCCP server. Both server and client need to use the same WCCP service group ID. One WCCP server usually can serve multiple clients. Server and client exchange Here-I-Am and I-See-You packets to check availability (UDP/2048, unicast; multicast possible). Traffic is redirected from the server to one or multiple clients using the hash or mask algorithm.

27 WCCP Protocol - Buckets Hash Based Assignment Byte level (8 bit) XOR computation divided into 256 buckets (default) Mask Based Assignment Bit level AND divided up to 128 buckets (7 bits) asa# show wccp 90 hash WCCP hash information for: Primary Hash: Dst IP: Bucket: 110 Cache Engine:
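A model of the two assignment methods from slides 22 and 27, added here as an example (not Cisco code): hash_bucket XORs the bytes of IP_DA, IP_SA, port_da and port_sa into one of 256 buckets, mask_bucket ANDs each field with a mask of at most 7 bits and turns the selected bits into one of up to 128 slots, and tcam_entries applies the sizing rule from slide 57. It follows the slide descriptions rather than the exact IOS/ASA hash, and the flows and WSA names are constructed.

```python
"""Model of the WCCP hash and mask assignment methods (slides 22, 27, 57, 58).

Added example, not Cisco code: follows the slide descriptions, not the exact
IOS/ASA implementation.
"""
import ipaddress
from typing import List, Tuple

Flow = Tuple[str, str, int, int]   # (src_ip, dst_ip, src_port, dst_port)
Mask = Tuple[int, int, int, int]   # bit masks for the same four fields


def hash_bucket(flow: Flow) -> int:
    """HASH: XOR every byte of IP_DA, IP_SA, port_da and port_sa into an 8-bit index."""
    src_ip, dst_ip, sport, dport = flow
    data = (ipaddress.ip_address(dst_ip).packed + ipaddress.ip_address(src_ip).packed
            + dport.to_bytes(2, "big") + sport.to_bytes(2, "big"))
    index = 0
    for byte in data:
        index ^= byte
    return index                    # 0..255 -> one of 256 buckets


def hash_assign(flow: Flow, clients: List[str]) -> str:
    """The WCCP client hands the 256 buckets out evenly and supplies that table to the router."""
    table = [clients[i % len(clients)] for i in range(256)]
    return table[hash_bucket(flow)]


def _gather_bits(value: int, mask: int) -> int:
    """Pack the bits of value selected by mask into a dense integer (low bit first)."""
    out, position = 0, 0
    while mask:
        lowest = mask & -mask
        if value & lowest:
            out |= 1 << position
        position += 1
        mask ^= lowest
    return out


def mask_bits(mask: Mask) -> int:
    return sum(bin(m).count("1") for m in mask)


def mask_bucket(flow: Flow, mask: Mask) -> int:
    """MASK: AND each field with its mask and concatenate the selected bits (what the ACL TCAM does)."""
    if mask_bits(mask) > 7:
        raise ValueError("WCCP mask assignment allows at most 7 bits (128 buckets)")
    src_ip, dst_ip, sport, dport = flow
    values = (int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip)), sport, dport)
    index, shift = 0, 0
    for value, field_mask in zip(values, mask):
        index |= _gather_bits(value, field_mask) << shift
        shift += bin(field_mask).count("1")
    return index


def mask_assign(flow: Flow, mask: Mask, clients: List[str]) -> str:
    slots = 1 << mask_bits(mask)    # slide 58: 0x3 on one field = 2 bits = 4 slots
    table = [clients[i % len(clients)] for i in range(slots)]
    return table[mask_bucket(flow, mask)]


def tcam_entries(permit_aces: int, mask: Mask) -> int:
    """Slide 57 rule: permit entries * buckets; deny entries use no mask TCAM."""
    return permit_aces * (1 << mask_bits(mask))


if __name__ == "__main__":
    wsas = ["WSA1", "WSA2", "WSA3", "WSA4"]
    src_mask: Mask = (0x3, 0x0, 0x0, 0x0)   # two low bits of the client address only
    # Constructed flows: one client, two connections differing only in source port.
    a: Flow = ("10.1.10.5", "93.184.216.34", 40000, 80)
    b: Flow = ("10.1.10.5", "93.184.216.34", 40001, 80)
    print("hash:", hash_assign(a, wsas), hash_assign(b, wsas))          # differ per connection
    print("mask:", mask_assign(a, src_mask, wsas), mask_assign(b, src_mask, wsas))  # same WSA
    print("TCAM for 32 permits, 7-bit mask:", tcam_entries(32, (0x7F, 0, 0, 0)))  # 4096
```

A source-address-only mask keeps every connection of one client on the same WSA, which matters for IP-based authentication surrogates; the hash spreads them by port.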

28 WCCP Protocol Load Balancing and Redundancy When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group. If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally. (Figure: bucket distribution across WCCP clients A, B and C.)

29 Using WCCP for Traffic Redirection WCCPv2 support is available on many Cisco platforms: L3 switches, routers, ASA 5500 Security Appliance. The WSA supports all redirect and assign methods (software implementation). The method to use will be negotiated. Multiple WSAs elect a Designated Web Cache (DWC), the lowest IP in the cluster, which negotiates the method. How to force a switch / router to use GRE? Set the WSA to Allow GRE.

30 Using WCCP for Traffic Redirection (2) Performance considerations: MASK (HW) > HASH (SW); HW has to take TCAM resources into consideration. L2 (HW) > GRE (SW): use GRE if the WSA is located in another subnet (check if the device can do GRE in HW); use L2 if the WSA and the WCCP device are in the same subnet.

31 WCCP Protocol Service Group The routers/switches and WCCP clients participating in a WCCP service constitute a Service Group Up to 32 routers per service group Up to 32 WCCP clients per service group Each service group is established and maintained using separate protocol message exchanges Service definition must be the same for all members of the service group 31

32 Current (Cisco) Service Groups ID Product Name Protocol Port 0 ACNS web-cache ACNS DNS ACNS ftp WAAS tcp-promiscuous WAAS tcp-promiscuous ACNS https-cache ACNS rtsp /82 ACNS wmt 6 (81), 17(82) ACNS rtspu WAFS cifs-cache 6 139, ACNS custom 6 User Defined 98 ACNS custom-web-cache 6 User Defined 99 ACNS reverse-proxy

33 WCCP with L3 Switch (3560/3750) L2 Redirect (clients and WSA on VLAN10)
Use template access, routing or dual-ipv4/ipv6 routing. WCCP shares the same TCAM region as PBR!
sdm prefer routing
ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface Vlan10
 ip address
 ip wccp 91 redirect in

34 WCCP with L3 Switch (3560/3750) L2 Redirect Recommendations: assign a separate VLAN (VLAN40) for the connection to the WSA! The redirect ACL only allows permit statements on the 3560/3750 series! 12.2(58) added support for deny. If the 3560/3750 is stacked, configure WCCP on the stack master!

35 WCCP IPv6 (clients on VLAN10, WSA on VLAN40)
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address
 ipv6 address 2001:db8:1:10::66/64
 ipv6 nd ra suppress
 ipv6 wccp 91 redirect in
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq

36 WCCP IPv6 & IPv4 (clients on VLAN10, WSA on VLAN40)
Different service groups for IPv4 & IPv6:
ip wccp 90 redirect-list wsav4
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address
 ipv6 address 2001:db8:1:10::66/64
 ipv6 nd ra suppress
 ip wccp 90 redirect in
 ipv6 wccp 91 redirect in
ipv6 access-list wsav6
 permit tcp 2001:DB8:1:10::/64 any eq www
 permit tcp 2001:DB8:1:10::/64 any eq 443
!
ip access-list extended wsav4
 permit tcp any any eq 80
 permit tcp any any eq

37 WCCP IPv6 & IPv4 WSA Side of things. In Dual-Stack Environments, two WCCP Service Groups are required. 37

38 WCCP IPv6 & IPv4 WSA Side of things. IPv6 Address of the Switch / Router 38

39 WCCP with L3 Switch Redirect - Verification munlab-3560x#show ip wccp 91 detail WCCP Client information: WCCP Client ID: Protocol Version: 2.0 State: Usable Redirection: L2 Packet Return: L2 Packets Redirected: 0 Connect Time: 01:02:16 Assignment: MASK Mask SrcAddr DstAddr SrcPort DstPort : 0x x x0000 0x0000 Version & State Redirect Method Assignment Method Mask Value Value SrcAddr DstAddr SrcPort DstPort CE-IP : 0x x x0000 0x0000 0xAC100A64 ( ) 0001: 0x x x0000 0x0000 0xAC100A64 ( ) 0002: 0x x x0000 0x0000 0xAC100A64 ( ) 39

40 WCCP with L3 Switch IPV6 Redirect - Verification munlab-c6504#sh ipv6 wccp 90 det WCCP Client information: WCCP Client ID: 2001:420:44E6:2013::45 Protocol Version: 2.01 State: Usable Redirection: L2 Packet Return: L2 Assignment: MASK Connect Time: 00:13:25 Redirected Packets: Process: 0 CEF: 0 GRE Bypassed Packets: Process: 0 CEF: 0 Mask Allotment: 4 of 4 (100.00%) Assigned masks/values: 1/4 Mask SrcAddr DstAddr SrcPort DstPort : :: 300:: 0x0000 0x0000 Version & State Redirect Method Assignment Method Mask Value 40

41 WCCP with L3 Switch (CAT6500) L2 or GRE Redirect CAT6500 with Sup2T/720/32 and PFC3 allows redirect of L2 and GRE in hardware. Adjust the MTU for GRE. Careful with the bypass list! Redirect-in and redirect-out are supported. Permit and deny ACEs are allowed. Avoid flags, options & time ranges. Very scalable and flexible.

42 WCCP with L3 Switch (CAT6500) L2 or GRE Redirect
Ingress - L2 redirection + Hash Assignment (Requires Software Processing)
Ingress - L2 redirection + Mask Assignment (Full Hardware Processing - recommended)
Egress - L2 redirection + Hash Assignment (Requires Software Processing)
Egress - L2 redirection + Mask Assignment (Requires Software Processing)
Software processing means: the first packet is process switched and creates a netflow entry; subsequent packets are HW switched.
Ingress - L3 (GRE) redirection + Hash Assignment (Requires Software Processing)
Ingress - L3 (GRE) redirection + Mask Assignment (Full HW Processing - Sup32/Sup720/2T only)
Egress - L3 (GRE) redirection + Hash Assignment (Requires Software Processing)
Egress - L3 (GRE) redirection + Mask Assignment (Requires Software Processing)

43 WCCP with ASA
The ASA allows only redirect in. Client and WSA must be on the same interface, so no DMZ deployment is possible...
The inside ACL is checked before redirection: the destination server must be allowed in the ACL.
The redirection method is GRE based. The redirect ACL allows permit and deny.
No TCP Intercept, inspect engine or internal IPS is applied to the redirected flow. The IPS HW/SW module, however, does inspect the traffic.
access-list WCCPRedirectionList extended deny ip
access-list WCCPRedirectionList extended permit tcp any any eq www
access-list WCCPRedirectionList extended permit tcp any any eq https
!
wccp 90 redirect-list WCCPRedirectionList
wccp interface INSIDE 90 redirect in

44 WCCP with ASA in transparent mode
Upstream L3 router, VLAN /24 and WCCP VLAN /24: same L3 network but different VLAN.
firewall transparent
hostname munlab-asa2
ip address
!
interface Ethernet0/0
 description OUTSIDE INTERFACE
 nameif OUTSIDE
 security-level 0
!
interface Ethernet0/1
 description INSIDE
 nameif INSIDE
 security-level 100
!
wccp 92 redirect-list WCCPREDIRECTLIST
wccp interface INSIDE 92 redirect in

45 WCCP with ASA Virtual Context Virtual Firewalls with shared VLAN Internet VLAN /24 Virtual Firewalls share same VLAN Each Context builds a WCCP connection to the WSA Each Context is using a different Service ID VLAN /24 Single WSA serving multiple Firewall Context 45

46 WCCP with Router (ISR, ISR G2)
Redirect is GRE and hash, done in software. Allows for a DMZ design. Supports permit and deny statements in the redirection ACL.
ip cef
ip wccp version 2
ip wccp 91 redirect-list <redirect-acl>
!
interface e0
 ip wccp 91 redirect in

47 WCCP Dual-Stack with Router ISR G2 (lab setup with ISR G2)
ip wccp source-interface GigabitEthernet0
ip wccp 91 redirect-list IPv4-WCCP
ipv6 unicast-routing
ipv6 cef
ipv6 wccp source-interface GigabitEthernet0
ipv6 wccp 90 redirect-list IPv6-WCCP
!
interface GigabitEthernet0
 description WCCP-REDIR
 ip address
 duplex auto
 speed auto
 ipv6 address FD00:ABCD:1:2::1/64
 ipv6 nd ra suppress all
!

48 WCCP Dual-Stack with Router ISR G2 (2) (lab setup with ISR G2)
interface Vlan200
 description WCCP Inside
 ip address
 ip wccp 91 redirect in
 ipv6 address FE80::1 link-local
 ipv6 address FD00:ABCD:1:1::1/64
 ipv6 nd prefix D00:ABCD:1:1::/64 no-advertise
 ipv6 wccp 90 redirect in
!
interface FastEthernet0
 switchport mode trunk
 no ip address

49 WCCP with IP Spoofing Some designs require that the client IP is preserved after being proxied. Problem to solve: traffic coming back from the Internet needs to be redirected to the WSA by the network, because the destination is now the client network, no longer the WSA. IP spoofing is mostly used in transparent mode. Activated on the WSA in the WCCP config:

50 IP Spoofing Design in Transparent Mode (service group 91 on the client-facing interface e0, service group 92 on the Internet-facing interface e2)
ip cef
ip wccp version 2
ip wccp 91 redirect-list Redirect-Client
ip wccp 92 redirect-list Redirect-back
!
interface e0
 ip wccp 91 redirect in
!
interface e2
 ip wccp 92 redirect in
!
ip access-list extended Redirect-Client
 permit tcp eq www
 permit tcp eq 443
!
ip access-list extended Redirect-back
 permit tcp any eq www
 permit tcp any eq www

51 IP Spoofing Design in Transparent Mode e2 WCCP 92 e0 e1 WCCP /16 51

52 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis

53 WCCP Logs on WSA Create new Log Subscription for WCCP Set Level to Debug Here-I-Am Packet sent (HIA) I-See-You Packet received (ISY) 53

54 WCCP Logs on WSA (2) Check Capabilities of WSA and WCCP Server (Switch,Router, ) Configured Capabilities of the WSA, sending them to the WCCP Server WCCP is ok Parameters are not! 54

55 Debug WCCP Events on ASA / Router / switch WCCP Group-ID : 90 Here-I-Am I-See-You 55

56 WSA behaviour with WCCP By Default WSA will try to negotiate L2 first If WCCP Server is on different subnet, you will get an error Solution: Force WSA to negotiate GRE 56

57 A Word about Hardware The mask assignment is handled in hardware on ASR, Cat6500, ... WCCP redirect ACL deny statements don't use mask TCAM. WCCP redirect ACL permit statements use up to (number of ACL permit entries) * (number of buckets) entries. Example: for a 7-bit mask, the router / switch uses 4096 TCAM entries for 32 permit statements, wasting a lot of TCAM resources. Adjusting the bit mask must be done on the WCCP client; supported with the v7.7 SW release.

58 A Word about Hardware (2)
Number of WSAs   Mask bits   Slots
1-2 WSAs         1 bit       2 slots
3-4 WSAs         2 bits      4 slots
5-8 WSAs         3 bits      8 slots
9-16 WSAs        4 bits      16 slots
WSAs             5 bits      32 slots
Example: 0x3 = 2 bits = 4 slots for up to 4 WSAs

59 Transparent Deployment - Summary No client settings necessary. The client resolves the hostname of the target web server -> improved performance! Traffic gets redirected by the network. Requires HTTPS proxy activation for HTTPS requests. Allows for redundancy by defining multiple WSAs to redirect to. Selection of the right device to redirect is critical. Try to limit the number of permit entries in redirect lists for mask assignment; adjust the mask in ASYNC-OS 7.7+. When using IP spoofing make sure the WSA is not in the path of the clients.

60 WSA Data Plane & IPv6
Feature                                           IPv6 Support
HTTP / HTTPS / Native FTP / FTP-over-HTTP Proxy   Yes
SOCKS v5 Proxy                                    Yes
Anti-Malware Scanning                             Yes
URL Categorization                                Yes
Upstream Proxies                                  Yes
IP Spoofing                                       Yes
L4TM                                              Yes
Proxy Bypass                                      Yes

61 WSA Data Plane & IPv6
Feature                                           IPv6 Support
WBRS (Web Reputation)                             Ready
SaaS Authentication                               Yes
Surrogates                                        Yes
AVC, Bandwidth Control                            Yes
X-Forwarded-For Headers                           Yes
End User Notification, End User Acknowledgement   Yes

62 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis 47

63 Authentication User Web Security Appliance User Directory Authentication Protocols Directory: LDAP or NTLM Method: Basic: Credentials are sent unencrypted NTLMSSP: Challenge-Response Kerberos TUI using CDA Tracking the User IP based Surrogates Cookie based Surrogates 63

64 Authentication in Explicit Deployment IPv6 IPv4 User Web Security Appliance User Directory HTTP response code 407 Proxy sends HTTP response code 407 (proxy auth. request) Client recognizes the proxy Client will then accept a http response 407 from the proxy Works for HTTPS Client sends a CONNECT request to the proxy Client will then accept a 407 response from the proxy 64

65 Authentication in Transparent Deployment User Internet Internet Web server User Directory Web Security Appliance Client is not aware of a proxy -> HTTP response code 407 cannot be used Need to use HTTP response code 401 Client needs to be first redirected to the wsa Client must trust the redirect hostname when using NTLM to prevent prompting 65

66 Authentication in Transparent Deployment (what the client thinks vs. what is really happening)
1. Client thinks: it sends a request to the remote HTTP server. Really: the client request is rerouted to the WSA.
2. Client thinks: it receives a 307 (temp. redirect) from the remote server, redirecting it to the WSA. Really: the 307 comes from the WSA, spoofing the remote server, redirecting the client to the WSA.
3. The client establishes a connection to the WSA (both views agree).
4. The client receives a 401 (authentication request) from the WSA.
5. The client authenticates with the WSA.
6. The client receives a 307 from the WSA, redirecting it back to the remote server.
7. Client thinks: it establishes a new connection to the remote server. Really: the client continues to use the WSA as a transparent proxy.

67 Authentication in Transparent Deployment w/ Dual Stack IPv6 User IPv4 Internet Internet Web server User Directory Web Security Appliance Client initiates IPv4 (or IPv6) connection in the first packet Client is redirected, authenticated and IPv4 (or IPv6) Address stored in wsa Client makes another connection, this time using IPv6 (or IPv4) Client cannot be found in authentication cache -> needs to authenticate again! 67

68 Authentication in Transparent Deployment w/ Dual Stack Using NTLM & IP Surrogates -> Authenticate twice -> but no problem for User Experience as it is happening in the background Using Basic Auth & IP Surrogates -> Authenticate twice Using Cookie Surrogates -> Works for IPv4 & IPv6 but: Beware of issues with SSL Traffic! Cookie is inside the SSL Packet and is encrypted... 68

69 Multiple WSA with WCCP and Authentication Loop Knowledge base article #7623 Scenario: Multiple WSA, transparent deployment with authentication Client requests a Website Switch redirects request to WSA1 WSA1 needs authentication, redirects Client to WSA1 Client sends request to WSA1, gets redirect through WCCP Redirect may end up on WSA1 but can also terminate at any other WSA in the Cluster Strange things happen from now on... 69

70 WCCP with L3 Switch L2 Redirect, multiple WSA with Auth, avoiding the Auth Loop, single VLAN (clients, WSA #1 and WSA #2 all on VLAN10)
ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
 !do not redirect traffic from wsa1/2
 deny ip host <wsa1> any
 deny ip host <wsa2> any
 !do not redirect traffic going DIRECTLY to wsa1/2
 deny ip any host <wsa1>
 deny ip any host <wsa2>
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface Vlan10
 ip address
 ip wccp 91 redirect in

71 WCCP with L3 Switch and Authentication L2 Redirect, multiple WSA with Auth, avoiding the Auth Loop (clients on VLAN10, WSA #1 and WSA #2 on VLAN40)
First Option:
ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
 !do not redirect traffic going DIRECTLY to wsa1/2
 deny ip any host <wsa1>
 deny ip any host <wsa2>
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface Vlan10
 ip address
 ip wccp 91 redirect in
Second Option:
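To see why the deny entries on slides 70 and 71 break the authentication loop of slide 69, this added example (not Cisco code) evaluates a WCCP redirect list with IOS first-match semantics and an implicit deny at the end. The WSA, client and web server addresses are constructed and stand in for the <wsa1>/<wsa2> placeholders; only the ACE shapes used on those slides (permit/deny, ip/tcp, any or host, optional eq port) are supported.

```python
"""First-match evaluation of a WCCP redirect ACL, modelled on slide 70.

Added example, not Cisco code. Addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, str, str, int]           # (src_ip, dst_ip, protocol, dst_port)
PORT_NAMES = {"www": 80, "https": 443}

WSA1, WSA2 = "10.0.10.11", "10.0.10.12"    # constructed: the two WSAs on VLAN10
CLIENT, WEB = "10.0.10.50", "93.184.216.34"


@dataclass
class Ace:
    action: str
    protocol: str
    src: Optional[str]                       # None means 'any'
    dst: Optional[str]
    dst_port: Optional[int]

    def matches(self, flow: Flow) -> bool:
        src, dst, proto, port = flow
        return ((self.protocol == "ip" or self.protocol == proto)
                and (self.src is None or self.src == src)
                and (self.dst is None or self.dst == dst)
                and (self.dst_port is None or self.dst_port == port))


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue                          # blank line or IOS comment
        action, protocol, rest = tokens[0], tokens[1], tokens[2:]
        addrs: List[Optional[str]] = []
        while len(addrs) < 2:                 # source then destination
            if rest[0] == "any":
                addrs.append(None)
                rest = rest[1:]
            elif rest[0] == "host":
                addrs.append(rest[1])
                rest = rest[2:]
            else:
                raise ValueError(f"unsupported address form in: {line}")
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, protocol, addrs[0], addrs[1], port))
    return aces


def redirected(acl: List[Ace], flow: Flow) -> bool:
    """WCCP redirects a packet only when the first matching ACE is a permit."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False                              # implicit deny at the end of every IOS ACL


# Slide 70's list with the <wsa1>/<wsa2> placeholders filled in.
SAFE_ACL = parse_acl(f"""
!do not redirect traffic from wsa1/2
deny ip host {WSA1} any
deny ip host {WSA2} any
!do not redirect traffic going DIRECTLY to wsa1/2
deny ip any host {WSA1}
deny ip any host {WSA2}
permit tcp any any eq www
permit tcp any any eq 443
""")

# The same list without the deny entries (a permit-only list as on slide 33).
LOOP_PRONE_ACL = parse_acl("""
permit tcp any any eq www
permit tcp any any eq 443
""")

CLIENT_TO_WEB: Flow = (CLIENT, WEB, "tcp", 80)
CLIENT_TO_WSA1: Flow = (CLIENT, WSA1, "tcp", 80)   # the client following the auth redirect
WSA1_TO_WEB: Flow = (WSA1, WEB, "tcp", 80)         # WSA1 fetching on the client's behalf

if __name__ == "__main__":
    for name, flow in [("client->web", CLIENT_TO_WEB), ("client->wsa1", CLIENT_TO_WSA1),
                       ("wsa1->web", WSA1_TO_WEB)]:
        print(f"{name:13} safe={redirected(SAFE_ACL, flow)!s:5} "
              f"loop-prone={redirected(LOOP_PRONE_ACL, flow)}")
```

With the permit-only list the client's connection to WSA1 and WSA1's own upstream fetch are both redirected again, which is the loop; the deny entries leave only client-to-Internet traffic redirected.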

72 Upstream Proxy with Authentication
The WSA can be deployed behind an existing proxy. Depending on the upstream proxy, check connection limits!
If the upstream proxy requires authentication as well, change the setting on the CLI in advancedproxyconfig:
When would you like to forward authorization request headers to a parent proxy:
1. Always
2. Never
3. Only if not used by the WSA
[2]> 1

73 Authentication against W2008 RODC The network design might require the use of a Read-Only Domain Controller. Symptom: the WSA can join the domain and the computer account gets created. However, the computer account is disabled on the RODC... Solution: the WSA requires cached credentials for its computer account within the AD. The RODC by default only replicates credentials for its own account. Need to replicate also for the WSA account.

74 WSA, Authentication and SSL In explicit mode, an HTTPS CONNECT request is made and the WSA replies with 407 Proxy Authentication Required. At this time, the WSA has the following information: destination host, user agent, verified user credentials. The WSA can decide whether to decrypt based on: destination host, user agent, proxy port, subnets, time range.

75 WSA, Authentication and SSL (2) In transparent mode, there is no CONNECT request. Since the client is not aware of the WSA, it starts a TCP connection to the remote server. The connection is redirected to the WSA and the client starts an HTTPS/SSL connection directly. At this point the WSA only knows the destination IP and port. The WSA sends an HTTPS probe (its own Client Hello) to get the Server Hello and the server certificate.

76 WSA, Authentication and SSL (3) With the server certificate, the WSA has knowledge of: client IP, destination IP, server certificate. The Common Name (CN) from the server certificate is used as the request URL and thus for URL category matching. Based on this information the WSA can match Identity and Decryption Policy and determine whether to DECRYPT or PASS THROUGH the request. All information normally sent in the HTTP header (cookies, user agent, MIME type, etc.) is encrypted in the tunnel and thus not available to the WSA at this point.

77 WSA, Authentication and SSL (4) Should we decrypt? Very often based on URL Category...(think of finance websites...) 77

79 WSA, Authentication and SSL (5) Finding out the correct URL category... Solution: usage of SNI (Server Name Indication) is required on the proxy side (supported in v7.7). Most browsers have supported it for years... The CLIENT HELLO during TLS sends the host URL:

80 Authentication in Secure Mobility Deployment The user connects to the ASA via AnyConnect. The ASA authenticates the VPN connection against the user directory. After successful authentication, the ASA passes the user information to the WSA for Single Sign-On. Not dependent on AD membership; works for all devices like tablets, phones, etc. The user can surf via the WSA without the need to authenticate again. The WSA can be deployed explicit or transparent.

81 DEMO Secure Mobility on iPad with SSO

82 IE8/IE9 with Single-Sign On SSO on WSA correctly configured but Clients still get prompted Check if WSA Redirect Name is listed in Trusted Sites Check Security Settings on Trusted Sites and set to Automatic Logon with current user name and password 82

83 Transparent User Identification (TUI)
1. Client logs on to the AD domain; the CDA tracks the AD audit logs (via WMI) and maps user to IP.
2. Client requests a web site.
3. Traffic is transparently redirected to the WSA (switch with WCCP).
4. WSA needs to authenticate and queries the CDA for the user/IP mapping.
5. WSA queries AD for the user's group.
6. Request is proxied and forwarded to the Internet.

84 Context Directory Agent Linux Image, installed on Virtual Machine Gets User to IP Mapping via WMI from AD Controller Can be queried from WSA, ASA or ASA-CX via Radius 84

85 Context Directory Agent & IPv6 Identity Mapping can be IPv4 or IPv6... Identity Consumers must be via IPv

86 TUI Summary & Caveats Uses an agent (=CDA) running on a virtual machine. The same agent is also used for identity-based firewalling on the ASA and ASA-CX. Allows all applications on the client to work with authentication without starting a browser first. Does support IPv6 for client registration and RADIUS messages. Privacy extensions can cause trouble on clients -> better to disable. Does not work if the client is NAT-ed after AD authentication but before reaching the WSA. Does not work in Terminal Server environments. If the client cannot be identified, fall back to a previous authentication mechanism like Basic or NTLM.

87 Agenda Introduction Deploying WSA with WCCP Troubleshooting WSA with WCCP Transparent User Authentication WSA Performance Analysis You will have the right tools both to deploy our solutions and to solve problems! 62

88 WSA Performance Analysis WWW Server Internet Cisco SIO DNS Server Client AD Server 88

89 Getting some General Performance Information SNMP query: proxy CPU in percent, measured every 10 sec (cachecpuusage); request throughput in the last minute (cachethruputnow). Enable SNMP on the appliance via CLI:

90 Getting some General Performance Information (2) Proxystat - CLI command, available on ASYNC-OS

91 Debugging Performance Issues Download the file prox_track.log from the appliance via FTP. The file is written every 5 minutes with a timestamp. The setting can be changed in advancedproxyconfig on the CLI.

92 Prox_track.log content Contains various statistical data around proxy performance Please do NOT consider all number of packets 100% accurate! Just gives a good hint what problem might be happening 92

93 General Statistics Traffic Statistics: If you have numbers increasing on throttled transactions this could indicate that the appliance can not handle the load 93

94 How to read Prox_track.log Statistics are snapshots of total number of Packets Counters are reset after reboot / restart of proxy Take statistic from time X and time Y, then compare change: 94
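Slide 94 says the statistics are snapshots of totals, so two snapshots have to be differenced. This added example (not WSA code) does that, turning the difference into a per-minute rate and flagging a counter that went backwards, which after slide 94's note means the proxy restarted in between. The exact layout of prox_track.log is not shown on the slides, so the two snapshots are constructed in a simple "Name: value" form with a timestamp header; adapt parse_snapshot to the layout you see on your appliance.

```python
"""Difference two prox_track.log snapshots (slide 94) and spot counter resets.

Added example, not WSA code. Snapshot layout and values are constructed.
"""
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed snapshots five minutes apart (the file is written every 5 minutes).
SNAPSHOT_X = """\
Timestamp: 2013-01-29 10:00:00
Client Requests: 120000
Throttled Transactions: 40
Cache Hits: 30000
"""
SNAPSHOT_Y = """\
Timestamp: 2013-01-29 10:05:00
Client Requests: 125000
Throttled Transactions: 90
Cache Hits: 120
"""


def parse_snapshot(text: str) -> Tuple[datetime, Dict[str, int]]:
    """Assumed layout: one 'Timestamp: ...' line, then 'Counter Name: integer' lines."""
    stamp: Optional[datetime] = None
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")   # split at the first colon only
        name, value = name.strip(), value.strip()
        if name == "Timestamp":
            stamp = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
        elif value.isdigit():
            counters[name] = int(value)
    if stamp is None:
        raise ValueError("snapshot has no Timestamp line")
    return stamp, counters


def counter_delta(older: str, newer: str) -> Dict[str, Optional[float]]:
    """Per-minute rate of every counter present in both snapshots.

    None marks a counter that decreased: totals only go down when the proxy
    was restarted, so the interval cannot be compared.
    """
    t_x, x = parse_snapshot(older)
    t_y, y = parse_snapshot(newer)
    minutes = (t_y - t_x).total_seconds() / 60
    if minutes <= 0:
        raise ValueError("snapshots must be in chronological order")
    rates: Dict[str, Optional[float]] = {}
    for name in x.keys() & y.keys():
        rates[name] = None if y[name] < x[name] else (y[name] - x[name]) / minutes
    return rates


def throttling_increased(older: str, newer: str) -> bool:
    """Slide 93: a rising throttled-transaction count hints the appliance cannot handle the load."""
    rate = counter_delta(older, newer).get("Throttled Transactions")
    return rate is not None and rate > 0


if __name__ == "__main__":
    for name, rate in sorted(counter_delta(SNAPSHOT_X, SNAPSHOT_Y).items()):
        print(f"{name:24} {'reset' if rate is None else f'{rate:.1f}/min'}")
```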

95 Important Statistics Client time: total time that the client was waiting until its request was fulfilled. Hit time: time that the WSA uses to fetch content from the cache. Miss time: time that the WSA takes to fetch all data from the server.

96 Important Statistics (2) Server Transaction time: Time for the total transaction to the Server to be finished. Server wait time: Time until WSA gets the first byte from the Server High Values can mean upstream problems (firewall, router, ISP, upstream proxy) 96

97 Important Statistics (3) DNS Time: Time for the WSA to do a DNS Resolution High time does indicate a problem with the DNS Server 97

98 Important Statistics (4) Auth Helper Wait: Time to wait for an authentication request until its validated from the AD / LDAP High time indicates a problem with the connection to the authentication Server Auth Helper Service: Time until an authentication request is fully validated Check if IP address is already authenticated, check surrogates, etc 98

99 Important Statistics (5) WBRS Service Time: Time for the WSA to check the reputation score Webcat Service time: Time for the WSA to check the URL Category AVC Header Scan Service Time: Time to check the Header of a request against the AVC Signatures AVC Body Scan Service time: Time to check the body of a request against the AVC Signatures 99

100 Important Statistics (6) Sophos, McAfee, Webroot Service Time: Time that the Scanner used to scan the object Adaptive Scanning Service Time: Time for the adaptive scanning process to scan an object: Service Queue Time: Time that the object stayed in the queue to be scanned 100

101 Adaptive Scanning Each type of object gets a RISK score assigned. The score is based on the type of object, the effectiveness of the malware scanner for this type and WBRS (WBRS must be enabled on the WSA). The appliance will scan objects with the scanner that is most appropriate for this object type. If the appliance has a performance problem with the anti-malware scanners, it will drop objects not to be scanned. Example: don't scan *.jpg files with McAfee when they are coming from websites with a good reputation.

102 Customizing the Access Log Add custom field like: %m (=Authentication Method) to the access_log Variables can be appended in the Access Logs Variables are to be found in the GUI, some older Versions of WSA Software might not have the full list 102

103 Customizing the Access Log - Example %m AUTH: %:>a DNS: %:>d REP: %:>r %m : Authentication Method %:>a : Authentication Wait time Any Text acting as a comment for readability %:>d : DNS Wait time %:>r : Reputation Wait time 103

104 Customizing the Access Log Example (2) Destination IP %k: extremely useful in dual-stack environments to find out whether the WSA makes the outgoing connection on IPv4 or IPv6! Destination IP = v4, source IP from client = IPv6

105 Customizing the Access Log Example (3) For Your Reference Other useful parameters: %L <- human readable local time, %k <- destination IP, %g <- group memberships, %u <- user agent. Example for detailed performance logs:
Request Details: ID = %I, User Agent = %u, AD Group Memberships = ( %m ) %g ] [ Tx Wait Times (in ms): 1st byte to server = %:<1, Request Header = %:<h, Request to Server = %:<b, 1st byte to client = %:1>, Response Header = %:h>, Client Body = %:b> ] [ Rx Wait Times (in ms): 1st request byte = %:1<, Request Header = %:h<, Client Body = %:b<, 1st response byte = %:>1, Response header = %:>h, Server response = %:>b, Disk Cache = %:>c; Auth response = %:<a, Auth total = %:>a; DNS response = %:<d, DNS total = %:>d, WBRS response = %:<r, WBRS total = %:>r, AVC response = %:A>, AVC total = %:A<, DCA response = %:C>, DCA total = %:C<, McAfee response = %:m>, McAfee total = %:m<, Sophos response = %:p>, Sophos total = %:p<, Webroot response = %:w>, Webroot total = %:w<, Anti-Spyware response = %:<s, Anti-Spyware total = %:>s; Latency = %x; %L

106 Using SPLUNK to extract Data
Definition of a regular expression in SPLUNK that looks for the keywords (AUTH:, DNS:, REP:) we defined in the access log customization.

107 Using SPLUNK to extract Data (2)
The extraction of the values is saved permanently in SPLUNK as a field extraction, so the fields are available in every search.

108 Using SPLUNK to extract Data (3)
SPLUNK report on the average time for the reputation lookup and for DNS resolution per domain.

109 Using SPLUNK to extract Data (4)
Example chart for reputation time.

110 Using SPLUNK to extract Data (5)
Example chart for DNS time.
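The custom fields on slides 103 to 105 and the SPLUNK extraction on slides 106 to 110 come down to the same job: pull the numeric wait times out of every access-log line, then average them per domain or find the component that dominates a slow request. The Python script below is an added example for this page, not code from the presentation or from Cisco. It runs over three constructed access-log lines that carry the slide-105 custom fields with a "DST = %k" field (slide 104) appended. The log lines themselves, the "DST =" label (free text like the AUTH:/DNS:/REP: labels on slide 103) and the abbreviated policy and verdict columns are assumptions for illustration; the wait-time labels are the ones from the slide-105 format string.

```python
"""Added example: parse WSA access-log lines that carry the custom performance
fields (slide 105) plus "DST = %k" (slide 104) and aggregate them the way the
SPLUNK reports on slides 106-110 do. Sample lines are constructed, not captured."""
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Standard access-log columns shared by the samples (policy tags and verdict
# block abbreviated to placeholders); the custom-field output follows the "-".
_STD = ('DEFAULT_CASE_11-Staff-ID_Staff-NONE-NONE-NONE-DefaultGroup '
        '<IW_comp,6.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_comp,-,"-","-",'
        '"Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> - ')
SAMPLE_LINES = [
    # IPv4 client, upstream over IPv4, DNS and WBRS lookups fast
    '1401960121.150 312 10.1.2.3 TCP_MISS/200 8187 GET http://www.example.com/ '
    '"DOMAIN\\alice" DIRECT/www.example.com text/html ' + _STD +
    '[Request Details: ID = 101, User Agent = "Mozilla/5.0", AD Group Memberships = ( NTLMSSP ) "DOMAIN\\Staff" ] '
    '[ Tx Wait Times (in ms): 1st byte to server = 5, Request Header = 1, Request to Server = 2 ] '
    '[ Rx Wait Times (in ms): 1st response byte = 180, Server response = 190, Disk Cache = 0; '
    'Auth response = 3, Auth total = 4; DNS response = 12, DNS total = 14; '
    'WBRS response = 40, WBRS total = 41; Latency = 312; 05/Jun/2014:10:22:01 +0200 ] '
    'DST = 93.184.216.34',
    # IPv6 client, same site, WSA picked an IPv6 upstream address (slide 104)
    '1401960121.480 200 2001:db8:1::42 TCP_MISS/200 5123 GET http://www.example.com/news '
    '"DOMAIN\\bob" DIRECT/www.example.com text/html ' + _STD +
    '[Request Details: ID = 102, User Agent = "Mozilla/5.0", AD Group Memberships = ( NTLMSSP ) "DOMAIN\\Staff" ] '
    '[ Rx Wait Times (in ms): 1st response byte = 120, Server response = 130, Disk Cache = 0; '
    'Auth response = 2, Auth total = 3; DNS response = 18, DNS total = 20; '
    'WBRS response = 38, WBRS total = 39; Latency = 200; 05/Jun/2014:10:22:03 +0200 ] '
    'DST = 2001:db8::10',
    # HTTPS CONNECT where DNS resolution, not the server, dominates the latency
    '1401960125.002 1200 10.1.2.7 TCP_MISS/200 4711 CONNECT tcp://slow.example.net:443/ '
    '"DOMAIN\\carol" DIRECT/slow.example.net - ' + _STD +
    '[Request Details: ID = 103, User Agent = "Mozilla/5.0", AD Group Memberships = ( NTLMSSP ) "DOMAIN\\Staff" ] '
    '[ Rx Wait Times (in ms): 1st response byte = 150, Server response = 160, Disk Cache = 0; '
    'Auth response = 2, Auth total = 3; DNS response = 880, DNS total = 900; '
    'WBRS response = 29, WBRS total = 30; Latency = 1200; 05/Jun/2014:10:22:05 +0200 ] '
    'DST = 203.0.113.9',
]

# "<label> = <integer>" pairs such as "DNS total = 14"; labels may start with a
# digit ("1st byte to server"). The lookahead stops "DST = 93.184.216.34" or an
# IPv6 address from being read as an integer, and "-" (not involved) never matches.
NUMERIC_FIELD = re.compile(
    r'(?P<label>[A-Za-z0-9][A-Za-z0-9 -]*?) = (?P<value>-?\d+)(?=[,;\s\]]|$)')
REQUEST = re.compile(r'\s(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT)\s(\S+)\s')
DST = re.compile(r'\bDST = (\S+)')
# Per-component totals, in the order the slide-105 format string lists them.
COMPONENTS = ('Auth total', 'DNS total', 'WBRS total', 'AVC total', 'DCA total',
              'McAfee total', 'Sophos total', 'Webroot total', 'Anti-Spyware total',
              'Server response')

def domain_of(url):
    """Host of the logged URL; a CONNECT target may be logged as host:port only."""
    if '://' in url:
        return urlsplit(url).hostname
    return url.rsplit(':', 1)[0]

def parse_line(line):
    """One access-log line -> domain, upstream IP/version and the numeric fields."""
    req = REQUEST.search(line)
    dst = DST.search(line)
    ip = ipaddress.ip_address(dst.group(1)) if dst else None
    return {
        'domain': domain_of(req.group(1)) if req else None,
        'dst_ip': str(ip) if ip else None,
        'dst_version': ip.version if ip else None,
        'fields': {m.group('label'): int(m.group('value'))
                   for m in NUMERIC_FIELD.finditer(line)},
    }

def average_by_domain(records, label):
    """Average of one wait-time field per destination domain (the slide-108 report)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in records:
        if rec['domain'] and label in rec['fields']:
            totals[rec['domain']][0] += rec['fields'][label]
            totals[rec['domain']][1] += 1
    return {dom: s / n for dom, (s, n) in totals.items()}

def slowest_component(fields):
    """(label, ms) of the component that contributed most to this request."""
    present = [(label, fields[label]) for label in COMPONENTS if label in fields]
    return max(present, key=lambda kv: kv[1]) if present else None

def dual_stack_summary(records):
    """Count upstream connections per IP version (the slide-104 check)."""
    return dict(Counter(r['dst_version'] for r in records if r['dst_version']))

if __name__ == '__main__':
    recs = [parse_line(line) for line in SAMPLE_LINES]
    print('upstream IP versions:', dual_stack_summary(recs))
    for label in ('DNS total', 'WBRS total'):
        print(label, 'per domain:', average_by_domain(recs, label))
    for rec in recs:
        print(rec['domain'], rec['dst_ip'], 'slowest:', slowest_component(rec['fields']))
```

In SPLUNK the same extraction is a rex command with named capture groups over the raw event, saved as a permanent field extraction as on slide 107, followed by a stats avg(...) by domain search; the script does the same in memory so the regex and the aggregation can be checked offline before they go into a dashboard. Values the appliance prints as "-" (component not involved in that request) are skipped by the regex rather than counted as zero, which keeps the per-domain averages honest.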

111 Summary for WSA Performance Analysis
The WSA has very detailed logs for troubleshooting performance issues.
Use the prox_stat.log file for general performance checks.
Customize the access log for detailed checking of single requests.
SPLUNK is a great help in the analysis, especially when combined with the customized logs.

112 WSA Performance Analysis
(Diagram: client, WSA, AD server, DNS server and Cisco SIO, with the WWW server reached across the Internet; each is a component whose wait time appears in the customized access log.)

113 Call to Action
Visit the World of Solutions: Cisco Campus, Web Security Appliance walk-in labs, Technical Solutions Clinics.
Meet the Engineer: Tobias Mayer, Hrvoje Dogan, Jonny Noble.
Lunch-time table topics, held in the main catering hall.
Recommended reading: for reading material and further resources for this session, please visit

114 Complete Your Online Session Evaluation
Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt.


More information

IPv6 Client IP Address Learning

IPv6 Client IP Address Learning Prerequisites for IPv6 Client Address Learning, on page 1 Information About IPv6 Client Address Learning, on page 1 Configuring IPv6 Unicast, on page 6 Configuring RA Guard Policy, on page 7 Applying RA

More information

ASA with CX/FirePower Module and CWS Connector Configuration Example

ASA with CX/FirePower Module and CWS Connector Configuration Example ASA with CX/FirePower Module and CWS Connector Configuration Example Document ID: 118687 Contributed by Jennifer Halim, Ashok Sakthivel, and Chirag Saxena, Cisco TAC Engineers. Dec 23, 2014 Contents Introduction

More information

Configuring Traffic Policies

Configuring Traffic Policies CHAPTER 11 Date: 4/23/09 Cisco Application Networking Manager helps you configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through

More information