BRKSEC-2052 Securing the Web 2.0 with Cisco Ironport Websecurity


  • BRKSEC-2052: Securing the Web 2.0 with Cisco Ironport Websecurity

  • 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialBRKSEC_2052 Tobias Mayer 2

    Housekeeping

    We value your feedback: don't forget to complete your online session evaluations after each session and the Overall Conference Evaluation, which will be available online from Thursday

    Visit the World of Solutions

    Please remember this is a 'non-smoking' venue!

    Please switch off your mobile phones

    Please make use of the recycling bins provided

    Please remember to wear your badge at all times

  • For Reference Slides

    There are (far) more slides in the hand-outs than presented during the class

    Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide)

    For Your Reference

  • Agenda

    Basic Overview on the Websecurity Appliance

    Deployment Scenarios

    Building the Policy

    Secure Mobility

    IPv6

    Troubleshooting

  • 1996

  • Today's Websites...

  • Web 2.0 Anywhere & Anytime

    People and applications are meshed with each other

    Communication is no longer just from server to client

    New communication methods bring in new attack angles

  • Criminals targeting Facebook

  • Basic Overview

  • Cisco Websecurity Appliance

    Web Proxy incl. caching

    Rich security functionalities:

    Reputation filtering

    Malware scanning

    Application visibility & control

    HTTPS inspection

    Authentication

    Reporting and tracking

  • Multi-Layer Websecurity

    Reputation Filtering

    Web Usage Controls

    Malware Filtering

    L4TM

  • Filtering the URLs

    Filtering the URLs based on predefined categories

    Possible actions: Block, Monitor, Warn, Time-Based

  • Looking deeper: Web Application Control

    An increasing number of applications use HTTP as a transport protocol

    Websecurity needs to detect and control those applications

  • Web Application Control

    Different applications are detected by special signatures

    Those signatures are downloaded dynamically via regular signature updates from Cisco

    No reboot or manual installation required!

  • Web Application Controls Examples: Control Bandwidth for Media Streams

  • Web Application Controls Examples: Granular Control and Reporting for Facebook

  • Web Application Controls Examples: What is Facebook REALLY about

  • Example #1: Flash Media streams (applications using HTTP only)

    | App | Behavior | Desired Action | Must Block Ports | Recommended Block Ports | Traffic Breakdown | Decrypt Required | Function |
    |---|---|---|---|---|---|---|---|
    | Flash Video | Video | Block | - | - | initial access: HTTP:80 or HTTPS:443; video traffic may use these same ports or RTMP:1935 | - | Watching a video is blocked |
    | Flash Video | Video | Monitor | 1935 | - | same as above | - | Video transactions are counted in the WSA application traffic counters |
    | Flash Video | Video | Bandwidth | 1935 | - | same as above | - | Video transactions are bandwidth limited |

  • Example #2: Windows Media streams (applications using HTTP and non-HTTP ports)

    | App | Behavior | Desired Action | Must Block Ports | Recommended Block Ports | Traffic Breakdown | Decrypt Required | Function |
    |---|---|---|---|---|---|---|---|
    | Windows Media | Video | Block | - | 554, 1755, 2869 | initial access: HTTP:80 or HTTPS:443; video traffic uses RTSP:554, MMS:1755; some claims of 2869 usage, but we do not see it | - | AVC can control access |
    | Windows Media | Video | Monitor | - | 554, 1755, 2869 | same as above | - | Access to HTTP links for ASF content will get counted in the WSA application traffic counters; however, the actual video content will not |
    | Windows Media | Video | Bandwidth | - | 554, 1755, 2869 | same as above | - | Not currently supported |

  • Site Content Ratings: Enforcing safe search

    Block inappropriate content from content sharing sites like Google, YouTube, Flickr

    Based on metadata in the site

    User cannot change safe search or strict search settings

  • DEMO Web Usage Controls

  • Multi-Layer Websecurity (Reputation Filtering, Web Usage Controls, Malware Filtering, L4TM)

  • About Reputation

    Cisco SIO gathers statistical information from Cisco products and other resources

    Cisco SIO correlates the information

    Updated information is delivered back to the appliances

    Each IP / URL gets a score, ranging from -10 to +10

    Diagram: SIO inputs are Web, Email, ASA, IPS, Outbreak Intelligence and external feeds

  • About Reputation

    Malicious websites are tracked globally through SIO

    WSA evaluates each web request against the defined reputation score

    Reputation score and action is configured on WSA

  • Examples: Reputation Values

    Known Botnet or Phishing Site

    Aggressive Advertising

  • Examples: Reputation Values (2)

    Neutral Site

    Site with good history

  • Network Participation

    Admin can define the level of participation

    Requested URL with result is sent back

    User information and internal networks are not sent

    Disabled: No information is sent to Cisco SIO Database

    Limited: Server URL of request, hash of path segments

    Standard: Server URL and all path segments are sent back
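The two sides of the reputation lookup on the last few slides, as an added example (not Cisco code): what the appliance reports at each participation level, and how a score from -10 to +10 becomes an action. The thresholds, the hash function, the exclusion of the query string and the payload layout are assumptions; the slides give none of them.

```python
"""Model of the WSA web-reputation lookup described on the slides: what the
appliance reports back to Cisco SIO at each network-participation level, and
how a returned score (-10 .. +10) is turned into an action.

Added example, not Cisco code. The default thresholds, the hash function behind
"hash of path segments", the exclusion of the query string and the payload
layout are assumptions; the slides give none of them.
"""
import hashlib
from urllib.parse import urlsplit

# Assumed thresholds: at or below BLOCK_AT the request is blocked, at or above
# ALLOW_AT it passes without scanning, anything in between goes to the scanners.
BLOCK_AT = -6.0
ALLOW_AT = 6.0


def participation_payload(url, level):
    """Return what leaves the network for one request at a participation level.

    disabled: nothing is sent.
    limited:  server URL (scheme + host) plus a hash per path segment.
    standard: server URL plus the path segments in clear.
    The user, the client address and the query string are never included.
    """
    parts = urlsplit(url)
    server = f"{parts.scheme}://{parts.hostname}"
    segments = [s for s in parts.path.split("/") if s]
    if level == "disabled":
        return None
    if level == "limited":
        # SHA-256 truncated to 64 bits is an assumption; the slide only says "hash".
        hashed = [hashlib.sha256(s.encode()).hexdigest()[:16] for s in segments]
        return {"server": server, "path": hashed}
    if level == "standard":
        return {"server": server, "path": segments}
    raise ValueError(f"unknown participation level: {level}")


def reputation_action(score, block_at=BLOCK_AT, allow_at=ALLOW_AT):
    """Map a reputation score to BLOCK / SCAN / ALLOW.

    None means SIO has no score for the site; it is treated like a neutral
    site and handed to the anti-malware engines rather than allowed outright.
    """
    if score is None:
        return "SCAN"
    if not -10.0 <= score <= 10.0:
        raise ValueError("reputation scores range from -10 to +10")
    if score <= block_at:
        return "BLOCK"
    if score >= allow_at:
        return "ALLOW"
    return "SCAN"


# Constructed scores in the spirit of the "Examples: Reputation Values" slides.
SAMPLE_SCORES = {
    "known botnet or phishing site": -9.5,
    "aggressive advertising": -3.2,
    "neutral site": 0.0,
    "site with good history": 8.1,
    "never seen before": None,
}

if __name__ == "__main__":
    for label, score in SAMPLE_SCORES.items():
        print(f"{label:30s} score={score!s:>5} -> {reputation_action(score)}")
    url = "https://www.example.com/assets/home/spotlight/video.swf?session=abc"
    for level in ("disabled", "limited", "standard"):
        print(f"{level:9s} {participation_payload(url, level)}")
```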

  • DEMO Web Reputation Filtering

  • Multi-Layer Websecurity (Reputation Filtering, Web Usage Controls, Malware Filtering, L4TM)

  • Activating Anti-Malware Engines

    Supported engines: Webroot, Sophos, McAfee

    Anti-malware engines can be activated by policy

    Up to two engines running at the same time are supported:

    Webroot + Sophos, Webroot + McAfee

    All updates are handled automatically via SIO updates

  • What things are scanned

    Focused on Malware & Adware: HTML body scanning, response body scanning, URL scanning, phishing links, Browser Helper Objects, tracking cookies

    Focused on Viruses & Trojans: HTML body scanning, file scanning

  • Multi-Layer Websecurity (Reputation Filtering, Web Usage Controls, Malware Filtering, L4TM)

  • Layer 4 Traffic Monitor

    Diagram: infected client, Web Security Appliance on a SPAN port, ASA 5500 firewall, Internet, botnet master

    WSA monitors all network traffic via SPAN or TAP

    Evaluates DNS requests done by clients against a list of malware sites

    Malware list distributed from Cisco SIO

  • Example for L4TM

  • L4TM Blocking infected Clients

    Potentially infected clients can be identified

    L4TM can be put in monitoring or blocking mode

    Send TCP Reset for TCP sessions

    Send ICMP unreachables for UDP sessions

    Blocking packets are sent out through the proxy port, not the L4TM port! Check your routing tables!

  • Deployment Scenarios

  • Explicit Proxy

    Diagram: client, Web Security Appliance, ASA 5500 firewall, Internet web server

    Client requests a website

    Browser connects first to the WSA

    WSA connects to the website

    Firewall usually only allows web traffic for the proxy

  • How does the Browser find the Proxy?

    Proxy setting in the browser

    Static definition with IP/name and port

  • How does the Browser find the Proxy?

    Automatic Configuration via PAC File

    // PAC file with a primary and a failover proxy: the browser tries
    // 192.168.1.80:3128 first and falls back to 192.168.1.81:3128 if
    // it is unreachable (every entry in the list needs the PROXY keyword)
    function FindProxyForURL(url, host)
    {
        return "PROXY 192.168.1.80:3128; PROXY 192.168.1.81:3128";
    }

    // Minimal PAC file: every request goes to the single proxy
    function FindProxyForURL(url, host)
    {
        return "PROXY 192.168.1.80:3128";
    }

    http://www.findproxyforurl.com/

  • PAC Deployment

    Via AD and GPO

    Via script

    Via manual setting

    Via DHCP (DHCP option 252)

    Via WPAD server

  • WPAD Server

    WPAD server hosts the PAC file as wpad.dat

    File is retrieved via HTTP and JavaScript

    "Automatic settings" creates a lookup for a server called wpad

  • WPAD and Windows 2008

    Starting with the Windows 2008 DNS server, it is no longer possible to name a specific server WPAD

    Locked down via the registry

    More details found here: http://technet.microsoft.com/en-us/library/cc441517.aspx

  • PAC file deployment - Summary

    DHCP: higher priority than DNS

    If DHCP provides the WPAD URL, no DNS lookup is performed

    Passed as option number 252 in the DHCP lease

    DNS search (example: if the domain of the client is pc.department.branch.com)

    The browser will try URLs in the following order:

    http://wpad.department.branch.com/wpad.dat

    http://wpad.branch.com/wpad.dat

    http://wpad.com/wpad.dat

    Microsoft GPO

  • Explicit Deployment - Summary

    Requires Client Settings in the Browser

    Proxy resolves hostname of target web server

    Redundancy can be achieved via PAC files

    WSA can host PAC files

    No involvement of network equipment necessary

  • Transparent Proxy via WCCP

    Diagram: client, network device, Web Security Appliance, ASA 5500 firewall, Internet web server

    Client requests a website

    Browser tries to connect to the website

    Network device redirects the traffic to the WSA using WCCP

    WSA proxies the request

  • Background on WCCP

    WCCPv1 developed in 1997 by Cisco Systems and publicly released in July 2000

    WCCPv2 published as an IETF draft in July 2000 to make the specification open and remove the requirement for licensing

    Enhancements

    Configurable WCCP Router ID

    WCCP variable timers

    Improved failover

    Improved Interaction between WCCP and NetFlow

    WCCPv3 is an internal specification targeted at IPv6 that was never released

  • Details: Assignment

    The WCCP assignment method determines which WCCP device (appliance) receives which part of the redirected traffic.

    WCCP can use two types of assignment methods: Hash and Mask.

    Hash-based assignment: uses a software-based hash algorithm to determine which WCCP appliance receives the traffic. On hardware-based platforms the NetFlow table is used to apply hardware assistance.

    Mask-based assignment: uses the ACL TCAM to assign WCCP entities. This method is fully handled in hardware.
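A model of the two assignment methods, added here to show which WSA a redirecting router hands a given flow to and how flows spread over several WSAs (added example, not Cisco code and not any IOS release's exact algorithm). crc32 stands in for WCCP's own hash, and the mask 0x1741 on the source address and the 7-bit limit are assumptions from common WCCP practice, not from the slides.

```python
"""Model of the two WCCPv2 assignment methods on the slide, to see which WSA a
redirecting router hands a given flow to and how flows spread over several
WSAs. Added example, not Cisco code and not any IOS release's exact algorithm:
crc32 stands in for WCCP's own hash, and the mask 0x1741 on the source address
and the 7-bit limit are assumptions taken from common WCCP practice, not from
the slides.
"""
import ipaddress
import zlib

HASH_BUCKETS = 256   # WCCPv2 hash assignment works with 256 buckets


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def hash_table(caches):
    """Spread the 256 buckets over the caches, round-robin (the designated
    WCCP client builds this table and announces it to the router)."""
    return [caches[b % len(caches)] for b in range(HASH_BUCKETS)]


def hash_assign(table, dst_ip):
    """Software path: hash the destination address to a bucket, look it up."""
    bucket = zlib.crc32(_ip(dst_ip).to_bytes(4, "big")) % HASH_BUCKETS
    return table[bucket]


def mask_table(caches, mask):
    """Build the value -> cache table for a mask. Each bit set in the mask
    doubles the table; with the assumed 7-bit limit that is 128 TCAM entries.
    Values are handed out round-robin over the caches."""
    bits = [1 << i for i in range(32) if mask & (1 << i)]
    if len(bits) > 7:
        raise ValueError("at most 7 mask bits are supported")
    table = {}
    for n in range(1 << len(bits)):
        value = 0
        for i, bit in enumerate(bits):      # place the bits of n at the mask positions
            if n & (1 << i):
                value |= bit
        table[value] = caches[n % len(caches)]
    return table


def mask_assign(table, mask, src_ip):
    """Hardware path: the TCAM ANDs the source address with the mask and the
    result selects the cache; no per-packet software work on the router."""
    return table[_ip(src_ip) & mask]


def distribution(table):
    """How many table entries (buckets or mask values) each cache owns."""
    counts = {}
    for cache in (table if isinstance(table, list) else table.values()):
        counts[cache] = counts.get(cache, 0) + 1
    return counts


if __name__ == "__main__":
    wsas = ["wsa1", "wsa2", "wsa3"]
    ht, mask = hash_table(wsas), 0x1741
    mt = mask_table(wsas, mask)
    print("hash buckets per WSA:", distribution(ht))
    print("mask values per WSA:", distribution(mt))
    for src, dst in [("10.1.1.10", "93.184.216.34"), ("10.1.1.11", "93.184.216.34"),
                     ("10.2.7.200", "198.51.100.7")]:
        print(f"{src:>11} -> {dst:<14} hash:{hash_assign(ht, dst)} mask:{mask_assign(mt, mask, src)}")
```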

  • Details: Redirect and Return

    Redirect Method

    WCCP GRE: the entire packet is GRE-tunneled to the WCCP client (WSA, cache, ...)

    Layer 2: the frame's MAC address is rewritten to the MAC of the WCCP client

    Return Method

    The return method determines how traffic is sent back from the WCCP appliance to the router if the traffic could not be serviced.

    WCCP GRE: the packet is GRE-returned to the router

    WCCP Layer 2: the frame is rewritten to the router MAC

  • Using WCCP for Traffic Redirection

    WCCPv2 support is available on many Cisco platforms: L3 switches, routers, ASA 5500 Security Appliance

    Ironport WSA supports all redirect and assignment methods (software implementation)

    The method to use is negotiated

  • Using WCCP for Traffic Redirection (2)

    Performance considerations:

    MASK (HW) > HASH (SW)

    L2 (HW) > GRE (SW)

    Use GRE if the WSA is located in another subnet

    Check if the device can do GRE in HW

    Use L2 if the WSA and the WCCP device are in the same subnet

  • Planning and Design: Platform Recommendations

    | Function | Nexus 7000 | Software ISR & 7200 | ASR 1000 | Cat 6500 Sup720/32 & 7600 | Cat 6500 Sup2 | Cat 4500 | Cat 3750 |
    |---|---|---|---|---|---|---|---|
    | Assign | Mask only | Hash or Mask | Mask only | Mask | Mask | Mask only | Mask only |
    | Redirect | L2 | GRE or L2 | GRE or L2 | GRE or L2 | L2 or GRE / L2 | L2 only | L2 only |
    | Redirect List | L3/L4 ACL | Extended ACL | Extended ACL | Extended ACL | Extended ACL | No redirect list support | Extended ACL (no deny) |
    | Direction | In or Out | In or Out | In only | In | In | In only | In only |
    | Return | L2 only | GRE or L2 | GRE or L2 | L2 | L2 | L2 only | L2 only |
    | VRFs | Supported | Supported | Planned | Planned | NA | NA | NA |
    | IOS | 4.2(1) | 12.1(14); 12.2(26); 12.3(13); 12.4(10); 12.1(3)T; 12.2(14)T; 12.3(14)T5; 12.4(15)T8; 15.0(1)M | 2.4(2) | 6500: 12.2(18)SXF14, 12.2(33)SXH4, 12.2(33)SXI2a; 7600: 12.2(18)SXD1 | 12.1(27)E; 12.2(18)SXF14 | 12.2(50)SG1 | 12.2(46)SE |

    For Your Reference

  • Transparent Deployment - Summary

    No client settings necessary

    Client resolves the hostname of the target web server

    Traffic gets redirected by the network

    Requires involvement of the network department

    Allows for redundancy by defining multiple WSAs to redirect to

  • DEMO Transparent Deployment

  • Upstream Proxy

    WSA can be deployed behind an existing proxy

    To get the value of web reputation, the WSA should be placed behind the existing proxy (close to the client...)

    Depending on the upstream proxy, check connection limits!

    Diagram: client, WSA, existing proxy, Internet

  • Special Case... not yet validated

    Diagram: corporate network, ASA 5500 firewall with clientless SSL, Web Security Appliance, Internet web server

    Using CLIENTLESS SSL on the ASA 5500, the user can surf to internal and external web pages

    URLs can be checked and secured through the WSA

    WSA supports OUTBOUND and INBOUND malware scanning! Server upload can be protected!

    Drawback: all clientless requests from the ASA to the WSA come from the ASA's internal IP, so there is no user visibility

  • Clientless SSL with WSA - Example

  • Building the Policy

  • Elements of the Security Policy

    Is the user permitted to make the request? -> Authentication

    Is the request within an acceptable time range? -> Time-based

    Is this type of client permitted? -> User agent check

    Is this protocol permitted? -> Protocol blocking

    Is the site trustworthy? -> Web Reputation

    Do we permit access to this site/category? -> URL categorization (predefined and custom)

    Is the request suspicious? -> Anti-Malware, L4TM

    If HTTPS, decrypt and check? -> Decryption policy

    Is the response of appropriate type and size? -> Object filtering

    Does the response contain malware? -> Anti-Malware

  • Policy - Authentication

    Policy objects can be managed from the central access policy screen

    First step is to define the Identity: for whom does this policy apply?

  • Authentication

    Diagram: User, Web Security Appliance, User Directory

    Authentication protocols

    Directory: LDAP or NTLM

    Method: Basic (credentials are sent unencrypted) or NTLMSSP (challenge-response)

    Tracking the user: IP-based surrogates or cookie-based surrogates

  • Proxy and Authentication Types

    | Proxy Type | Authentication: Browser to WSA | Authentication: WSA to Auth Server |
    |---|---|---|
    | Explicit | Basic | LDAP (or NTLM Basic) |
    | Transparent | Basic | LDAP (or NTLM Basic) |
    | Explicit | NTLM | NTLMSSP (Active Directory) |
    | Transparent | NTLM | NTLMSSP (Active Directory) |

  • HTTP Response Codes

    200 OK: the request was served successfully

    301 Moved Permanently: the resource has permanently moved to a different URI

    401 Unauthorized: the web server requires authentication

    403 Forbidden: access denied

    404 Not Found: the server cannot find the requested URI

    407 Proxy Authentication Required: the request first requires authentication with the proxy

    For Your Reference

  • NTLM Authentication

    NTLM requires an account in the AD domain

    The credentials used to create the computer account are used only once and are not stored on the appliance

    Currently only one domain is supported via NTLM

  • LDAP Authentication

    LDAP queries on port 389 or 636 (Secure LDAP), 3268 (AD Global Catalog server)

    Need to know the Base DN parameter

    Can connect to multiple different domains

  • Authentication vs. LDAP

    Knowing the LDAP Base DN is fundamental

    Use an LDAP Browser to find out

    Recommendation: Apache Directory Studio

  • Authentication vs. LDAP

    Knowing the LDAP Base DN is fundamental

    Or check with DSQUERY command on a MS AD

  • Testing the query

    After defining the query, check result!

  • Authentication in Explicit Deployment

    Diagram: User, Web Security Appliance, User Directory (HTTP error 407)

    Proxy sends HTTP response 407 (proxy authentication required)

    Client recognizes the proxy

    Client will then accept an HTTP response 407 from the proxy

    Works for HTTPS:

    Client sends a CONNECT request to the proxy

    Client will then accept a 407 response from the proxy

  • Authentication in Transparent Deployment

    Diagram: User, Web Security Appliance, User Directory, Internet web server

    Client is not aware of a proxy -> HTTP response 407 cannot be used

    Need to use HTTP response 401 (basic authentication)

    Client needs to be redirected to the WSA first

  • Authentication in Transparent Deployment

    | Step | What the client thinks | What is really happening |
    |---|---|---|
    | 1 | The client sends a request to the remote HTTP server | The client request is rerouted to the WSA |
    | 2 | The client receives a 307 from the remote server redirecting the client to the WSA | The client receives a 307 from the WSA, spoofing the remote server, redirecting the client to the WSA |
    | 3 | The client connects to the WSA | The client connects to the WSA |
    | 4 | The client receives a 401 authentication request from the WSA | The client receives a 401 authentication request from the WSA |
    | 5 | The client authenticates with the WSA | The client authenticates with the WSA |
    | 6 | The client receives a 307 from the WSA, redirecting it back to the remote server | The client receives a 307 from the WSA, redirecting it back to the remote server |
    | 7 | The client connects back to the remote server | The client continues to use the WSA as a transparent proxy |
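The seven steps above played through from the WSA's side, as an added example (not Cisco code): 307 to the WSA, 401 at the WSA, 307 back to the origin, and from then on the client is recognised by an IP surrogate. The redirect host name, the credential store standing in for LDAP/NTLM and the surrogate lifetime are assumptions; requests and responses are plain dicts.

```python
"""Walk-through of the transparent-deployment authentication exchange on the
slide: 307 to the WSA, 401 at the WSA, 307 back to the origin, then the client
is tracked by an IP surrogate. Added example, not Cisco code; the redirect
host name, the credential store standing in for LDAP/NTLM and the surrogate
lifetime are assumptions. Requests and responses are plain dicts.
"""
import base64
import time
from urllib.parse import parse_qs, quote, urlsplit

REDIRECT_HOST = "wsa"         # simple name on purpose, see the IE zone slide
SURROGATE_TTL = 3600          # seconds an IP surrogate stays valid (assumption)
USERS = {"tmayer": "s3cret"}  # constructed credential store
CHALLENGE = {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="WSA"'}}


class TransparentAuthProxy:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.surrogates = {}  # client IP -> (user, expiry): the IP-based surrogate

    def _user_for(self, client_ip):
        entry = self.surrogates.get(client_ip)
        if entry and entry[1] > self.clock():
            return entry[0]
        self.surrogates.pop(client_ip, None)   # expired or unknown
        return None

    def handle(self, req):
        """req = {"client_ip", "host", "path", "headers"}; returns a response dict."""
        host, path = req["host"], req["path"]
        if host != REDIRECT_HOST:
            # Steps 1-2: the request was rerouted to us; the client believes it is
            # talking to the origin. Known surrogate -> proxy it; else send it to us.
            user = self._user_for(req["client_ip"])
            if user:
                return {"status": 200, "user": user, "origin": f"http://{host}{path}"}
            original = quote(f"http://{host}{path}", safe="")
            return {"status": 307,
                    "headers": {"Location": f"http://{REDIRECT_HOST}/auth?r={original}"}}
        # Steps 3-6: the client is now talking to the WSA itself.
        original = parse_qs(urlsplit(path).query).get("r", ["/"])[0]
        auth = req["headers"].get("Authorization", "")
        if not auth.startswith("Basic "):
            return CHALLENGE                    # step 4: a 401, not a 407
        try:
            user, password = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return CHALLENGE
        if USERS.get(user) != password:
            return CHALLENGE
        self.surrogates[req["client_ip"]] = (user, self.clock() + SURROGATE_TTL)
        return {"status": 307, "headers": {"Location": original}}   # step 6


def walk_through(proxy, client_ip="172.16.18.16", user="tmayer", password="s3cret"):
    """Play the client's side of the exchange; return the status codes seen."""
    seen = []
    req = {"client_ip": client_ip, "host": "www.example.test",
           "path": "/index.html", "headers": {}}
    resp = proxy.handle(req)                    # 307 to the WSA
    seen.append(resp["status"])
    loc = urlsplit(resp["headers"]["Location"])
    req = {"client_ip": client_ip, "host": loc.hostname,
           "path": f"{loc.path}?{loc.query}", "headers": {}}
    resp = proxy.handle(req)                    # 401 challenge
    seen.append(resp["status"])
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req["headers"] = {"Authorization": f"Basic {token}"}
    resp = proxy.handle(req)                    # 307 back, or 401 again if rejected
    seen.append(resp["status"])
    if resp["status"] != 307:
        return seen
    loc = urlsplit(resp["headers"]["Location"])
    req = {"client_ip": client_ip, "host": loc.hostname, "path": loc.path, "headers": {}}
    resp = proxy.handle(req)                    # 200: the surrogate is known now
    seen.append(resp["status"])
    return seen


if __name__ == "__main__":
    print(walk_through(TransparentAuthProxy()))   # [307, 401, 307, 200]
```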

  • Internet Explorer and Redirect for Authentication

    When the client receives the redirect, it checks the name in the redirect request

    If the client cannot resolve the name of the WSA, it automatically maps the WSA to the INTERNET ZONE

    The Internet zone never allows NTLM authentication

    In transparent mode with NTLMSSP (single sign-on), this retriggers authentication prompts despite SSO being configured (that's annoying...)

  • Internet Explorer and Redirect for Authentication (2)

    Solution: do not enter the FQDN as the redirect hostname, but only the simple name!

  • Surrogates

    Surrogates define how users are tracked once they have authenticated

    IP address: tracks the user by IP

    Can cause problems if clients change IP frequently or in virtual environments (Citrix)

    Authentication stays with the WSA

    Works well with decryption

    Cookie: recommended in terminal server environments

    Authentication stays with the client

    Does not work when using decryption based on authentication

  • Identities

    Identities consist of one or more criteria

    Criteria can be usernames, groups, networks, user strings, ...

    Surrogate settings can also be applied per Identity

    Identities are used to choose the appropriate access policy

  • HTTPS decryption

    Decryption of HTTPS is similar to a man-in-the-middle attack

    WSA can use a self-signed cert or an imported cert from any CA

    WSA generates a new cert for the client request, using the values from the original web server's cert

    This cert is presented to the client, signed with the cert from the WSA

  • HTTPS decryption

    WSA cert must be trusted by all clients

    Either use an already rolled-out CA cert or distribute the cert to the clients

    Microsoft GPO allows for easy rollout

    Cert MUST be a CA or subordinate CA certificate! No server certificate!

  • HTTPS decryption

    HTTPS decryption policy can be based on URL category or on reputation

    Reputation allows selective decryption of potentially malicious web requests

  • DEMO HTTPS Decryption

  • Policy Selection

    1. Check Identity

    2. Assign access policy based on the chosen identity

    3. Execute the policy

    4. If nothing special is defined in certain fields, default values from the Global Policy are used
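The four steps above as runnable code, added here as an example (not Cisco code): an identity is matched from its criteria, the access policy bound to it is selected, its checks run in the order of the "Elements of the Security Policy" slide, and every field the policy leaves unset comes from the Global Policy. The criteria, field names and sample policies are constructed.

```python
"""Model of the four-step policy selection on the slide: match an identity,
take the access policy bound to it, execute the policy's checks, and fall back
to the Global Policy for every field the chosen policy leaves unset. Added
example, not Cisco code; the identity criteria, the field names, the sample
policies and the order of checks are constructed (the order follows the
"Elements of the Security Policy" slide).
"""
import ipaddress

GLOBAL_POLICY = {
    "blocked_protocols": {"ftp"},
    "reputation_block_below": -6.0,
    "blocked_categories": {"Adult", "Malware"},
    "max_object_bytes": 50 * 1024 * 1024,
}


def identity_matches(identity, req):
    """An identity is one or more criteria; every criterion it lists must hold."""
    crit = identity["criteria"]
    if "networks" in crit:
        ip = ipaddress.ip_address(req["client_ip"])
        if not any(ip in ipaddress.ip_network(n) for n in crit["networks"]):
            return False
    if "groups" in crit and not crit["groups"] & set(req.get("groups", ())):
        return False
    if "users" in crit and req.get("user") not in crit["users"]:
        return False
    return True


def select_policy(identities, policies, req):
    """Steps 1, 2 and 4: the first identity that matches wins, its access
    policy is looked up, and unset fields inherit the Global Policy."""
    for ident in identities:
        if identity_matches(ident, req):
            return {**GLOBAL_POLICY, **policies[ident["policy"]], "identity": ident["name"]}
    return {**GLOBAL_POLICY, "identity": "Global"}


def execute(policy, req):
    """Step 3: run the checks in order and return the first blocking verdict."""
    if req["protocol"] in policy["blocked_protocols"]:
        return "BLOCK protocol"
    rep = req.get("reputation")
    if rep is not None and rep < policy["reputation_block_below"]:
        return "BLOCK reputation"
    if req["category"] in policy["blocked_categories"]:
        return "BLOCK category"
    if req.get("response_bytes", 0) > policy["max_object_bytes"]:
        return "BLOCK object size"
    return "ALLOW"


def decide(identities, policies, req):
    policy = select_policy(identities, policies, req)
    return policy["identity"], execute(policy, req)


# Constructed configuration: VPN users are matched by network, admins by group.
IDENTITIES = [
    {"name": "VPN", "criteria": {"networks": ["10.99.0.0/16"]}, "policy": "VPN Policy"},
    {"name": "Admins", "criteria": {"groups": {"wsa-admins"}}, "policy": "Admin Policy"},
]
POLICIES = {
    # only the fields that differ from the Global Policy are set
    "VPN Policy": {"blocked_categories": {"Adult", "Malware", "Streaming Media"}},
    "Admin Policy": {"reputation_block_below": -9.0, "blocked_protocols": set()},
}

if __name__ == "__main__":
    requests = [
        {"client_ip": "10.99.4.7", "user": "bob", "groups": [], "protocol": "http",
         "category": "Streaming Media", "reputation": 2.0},
        {"client_ip": "10.1.4.7", "user": "bob", "groups": [], "protocol": "http",
         "category": "Streaming Media", "reputation": 2.0},
        {"client_ip": "10.1.4.8", "user": "eve", "groups": ["wsa-admins"],
         "protocol": "ftp", "category": "Computers", "reputation": -7.0},
        {"client_ip": "10.1.4.9", "user": "amy", "groups": [], "protocol": "ftp",
         "category": "Computers", "reputation": 5.0},
    ]
    for req in requests:
        print(req["user"], req["client_ip"], "->", decide(IDENTITIES, POLICIES, req))
```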

  • Secure Mobility

  • Secure Mobility

    Works with Cisco ASA and the Cisco AnyConnect client

    Cisco ASA authorizes the user at the WSA

    WSA can use different policies for local and remote users

    WSA can use SAML 2.0 for authentication and single sign-on to web services

    Diagram (functional description): AnyConnect, SSO with SAML 2.0, authorization at WSA

  • Secure Mobility: Functional Description

    Diagram: AnyConnect VPN user, always-on VPN tunnel, ASA (tunnel default gateway), inside router, Web Security Appliance, corporate network, Internet web server

    AnyConnect user attempts to access an Internet web server via the always-on VPN

    Traffic is routed to the inside router

    URL request is redirected to the Web Security Appliance (WSA) via WCCP; traffic is checked by the WSA against policy

    ASA sends user information to the WSA for authorization

    Cleaned URL request / cleaned traffic is forwarded to the Internet web server

  • SaaS Access Control In Action

    Screenshot: Identity

  • SaaS Access Control In Action

    Verified

  • SaaS Access Control - Benefits

    Clients only get access to cloud resources if authenticated through the WSA

    Single point for authentication

    If an employee leaves the company, lock down the account in the directory

    -> All cloud services are locked down as well!

  • Example from iPhone - Protection through WSA

    Good Website

    Bad Website

  • AnyConnect on iPhone

    Web traffic from the iPhone is checked and filtered

    iPhone is protected from malware and malicious connections

  • Summary of Secure Mobility

    Different policies for local and remote users

    Example: block high-bandwidth sites for remote users

    Single sign-on for users on the WSA for authentication

    Works for non-AD users and AD users

    Usage of SAML 2.0 for SSO to cloud services

    Example: WebEx, Salesforce.com, Google Apps, ...

  • DEMO Secure Mobility

  • IPv6

  • IPv6 and WSA

    End CY 2011:

    Explicit proxy support for IPv6

    IPv6 rules published via SIO, IPv6 reputation

    IPv6 management

    CY 2012:

    Transparent proxy with WCCP, but: WCCP today has no IPv6 support!

    ASA and IOS need to develop IPv6 support for WCCP

  • Troubleshooting

  • Useful Tools: Policy Trace

  • 2010 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialBRKSEC_2052 Tobias Mayer 105

    Useful Tools - Packet Capture

    Record packet flows

    Download capture files for analysis and troubleshooting

  • Slide 106

    Web Security Management - Detailed Tracking of Data

  • Slide 107

    Working with CLI and Logfiles....

    Log data is in W3C format

    Can be downloaded by FTP or via CLI

  • Slide 108

    Working with CLI and Logfiles....

    1289045462.223 563 172.16.18.16 TCP_MISS/304 319 GET http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/expansionmodule.swf tmayer@munlabipcom DEFAULT_PARENT/proxy.esl.cisco.com - DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroup-NONE-NONE-DefaultGroup -

    Fields called out on the slide:

    Transaction Result Code (TCP_MISS/304)

    Client IP (172.16.18.16)

    Authenticated User (tmayer@munlabipcom)

    Cache hierarchy retrieval (DEFAULT_PARENT/proxy.esl.cisco.com)

    Policy chosen (DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroup-NONE-NONE-DefaultGroup)

    Location

    Reputation Score
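As an added example (not from the presentation), a small Python parser for access-log lines in the layout of the slide's sample line, with a per-policy allowed/blocked count so you can confirm that the separate remote-user policy is actually being applied. The field order follows the sample line; reading the ACL tag as "<decision>-<access policy>-..." is my interpretation of the "Policy chosen" callout, and the second and third log lines are constructed.

```python
from collections import Counter

# Slide's sample line re-joined onto one line, followed by two constructed
# lines in the same layout (a blocked VPN-user request and a LAN-user request).
SAMPLE_LOG = """\
1289045462.223 563 172.16.18.16 TCP_MISS/304 319 GET http://www.cisco.com/assets/home/spotlight/sp_20101011/swf/expansionmodule.swf tmayer@munlabipcom DEFAULT_PARENT/proxy.esl.cisco.com - DEFAULT_CASE_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-DefaultGroup-NONE-NONE-DefaultGroup -
1289045470.101 12 172.16.18.16 TCP_DENIED/403 0 GET http://video.example.test/stream.flv tmayer@munlabipcom NONE/- - BLOCK_WEBCAT_11-MunlabIP_Policy_VPN-ID.MunlabIPVPN-NONE-NONE-NONE-DefaultGroup -
1289045480.555 87 10.1.1.25 TCP_MISS/200 4096 GET http://www.cisco.com/ alice@munlabipcom DIRECT/www.cisco.com text/html DEFAULT_CASE_11-MunlabIP_Policy_LAN-ID.MunlabIPLAN-DefaultGroup-NONE-NONE-DefaultGroup -
"""

# Field order as it appears in the sample line (Squid-style access log).
FIELDS = ("timestamp", "elapsed_ms", "client_ip", "result", "bytes", "method",
          "url", "user", "hierarchy", "mime_type", "acl_tag")


def parse_line(line):
    """Split one access-log line into a dict keyed by the names in FIELDS."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        raise ValueError("truncated log line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    # "TCP_MISS/304" -> cache result and HTTP status code
    rec["cache_result"], status = rec["result"].split("/", 1)
    rec["status"] = int(status)
    # Assumption: the ACL tag is "<decision>-<access policy>-<identity>-...";
    # the decision prefix tells an allow (DEFAULT_CASE...) from a block (BLOCK_...).
    decision, _, policies = rec["acl_tag"].partition("-")
    rec["decision"] = decision
    rec["policy"] = policies.split("-", 1)[0]
    rec["blocked"] = decision.startswith("BLOCK_")
    return rec


def policy_summary(log_text):
    """Count allowed and blocked transactions per access policy."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            counts[(rec["policy"], "blocked" if rec["blocked"] else "allowed")] += 1
    return counts


if __name__ == "__main__":
    for (policy, outcome), n in sorted(policy_summary(SAMPLE_LOG).items()):
        print("%-25s %-8s %d" % (policy, outcome, n))
```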

  • Slide 109

    List of Codes - use the Online Help! (For Your Reference)

  • Slide 110

    And if everything goes wrong....

  • Slide 111

    Opening a Support Tunnel

    From the WSA, the administrator can allow the Cisco Support team direct access

    An SSL tunnel with password is built on demand and terminated at Cisco Support

    The support tunnel is built directly from the WSA, which can be a problem if an upstream proxy is used!

  • Slide 112

    The Future of Web Security

  • Slide 113

    Web Security through Cloud Service

    Hosted Web Security through Cisco ScanSafe Cloud Service

    Central reporting and administration through ScanCenter Portal

  • Slide 114

    Secure Mobility Future - Hybrid Security

    [Diagram: Remote User with AnyConnect Client 3.0 - Internet - Corporate Network with Cisco ASA and Cisco WSA]

    Internet traffic secured through web security cloud service

    Corporate traffic secured through tunnel and WSA

    Consistent policy and monitoring

  • Slide 115

    Summary

    Cisco IronPort Web Security Appliance leverages a comprehensive architected feature list to protect the dynamic environment from the ubiquitous Web 2.0 world.....

    Or...

    Cisco IronPort Web Security Appliance ROCKS!

  • Slide 116

    Complete Your Online Session Evaluation

    Give us your feedback and you could win fabulous prizes. Winners announced daily.

    Receive 20 Cisco Preferred Access points for each session evaluation you complete.

    Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

    Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.

  • Slide 117

    BRKSEC-2052 Recommended Reading