Common Problems in Content Security
Transcript of d2zmdbbm9feqrf.cloudfront.net/2016/anz/pdf/BRKSEC-2655.pdf
Your Speaker This Morning
• Name - Namit Agarwal
• TAC Engineer for almost 7 years
• Mostly focused on Security (Firewall, IPS and Cloud Web Security)
• Passions – Travel and Food
Agenda
• Introduction
• Ever Changing Content?
• Do we need Content Security?
• Evolution of Content Security
• Choosing the right deployment
• Deploying ESA
• Deploying CWS
• Deploying WSA
• Comparing Web Filtering Offerings
• Conclusion
Housekeeping
• Hold questions and comments - plenty of Question Time at the end
• Keep your gadgets in silent mode
• Take any calls outside
• Will re-post slides and distribute via email
Why do we need Content Security? Three Major Needs
LEGAL PROTECTION
NETWORK SECURITY
ENHANCED PRODUCTIVITY
Why do we need Content Security? Legal Protection
• CIPA (Children's Internet Protection Act) - 2001
• requires that K-12 schools and libraries in the United States use Internet filters and implement other measures to protect children from harmful online content
• The following content must be filtered or blocked:
• Obscenity, Child pornography, Harmful to minors
• DMCA (Digital Millennium Copyright Act)
• Companies can be liable for employee actions
• Limit possibility of copyright infringement
• Breaches cost more than data/money loss
• PR debacle
• Senior Leadership Restructuring
Why do we need Content Security? Network Security
• Website pages are now much more complex – a fairly simple page easily loads 10-50 requests, which means more attack vectors
• Adware/Spyware from 3rd parties
• Pages render content from different domains
• Can open up the organization to internal/external breaches
• A recent report showed that the average web page size has increased to almost 2Mb
• Cisco.com homepage = 32 domains / 3413kB of data over 148 requests
Why do we need Content Security? Enhanced Productivity
• Social Networking Sites
• According to new data, the average user logs 1.72 hours per day on social platforms, which represents about 28 percent of all online activity.
• A recent survey showed that over 64% of users spend company time on non work related sites
• Media Streaming websites take a major chunk of bandwidth
• File Sharing Websites
Evolution of Content Security
Traditional Filtering Vs Content Filtering Model
• IP – Who?
• Port – Who/Somewhat?
• Protocol – Somewhat?
Who
• Identity
• Authentication
What
• Application
• URL Category/Reputation
Where
• Remote
• Local
How
• Device
• OS, User-Agent
Evolution of Content Security Application Level Granularity
• One site – Many applications
• Facebook as an example :
• Granular Application Control
• Can block users from uploading photos or posting status updates about “not liking their work”
• E.g. HR team might need access to read and post updates but not to play Candy Crush
• Micro-applications can be blocked
ESA – Message Filters
“Message filters allow you to create special rules describing how to handle messages as they are received by the Cisco IronPort appliance. A message filter specifies that a certain kind of email message should be given special treatment. Cisco IronPort message filters also allow you to enforce corporate email policy by scanning the content of messages for words you specify.”
Message Filters
• High-performance scriptable filtering capability
• Accessible from the CLI only (filters command)
• Working on entire mail flow
• Allowing complex logical operators between conditions
• Executed serially
• If enabled, always executed
Message Filters vs Content Filters
• Message Filters
• Executed before the Policy Engine
• Applies to the entire mail flow
• More flexible in both capabilities and scriptability
• Content Filters
• Executed after the Policy Engine
• Executed after security engines
• Nice, easy-to-use GUI
• Limited scope of conditions/actions
• Either “AND” or “OR” logical operators between all conditions
• Separate set of filters for Incoming and Outgoing mail
The Danger of Message Filters
• Different recipients may have different mail policies
• A message is splintered into multiple policies after Message Filters
• Message Filters can only apply one policy
Mail Policies cause message splintering
• What happens if a message is sent to two recipients, one in Sales and one in Development?
• What happens if they are in Development and Management?
The Message Filter Death Trap
More Coolness: Action Variables
• Action Variables are expressions that are dynamically expanded based on the content/context of the message
• Can be used in Text Resources (notifications, headers, footers, and Content Filters too!)
Sender Policy Framework
• Specified in RFC7208, obsoletes RFC4408(bis) as of April 2014
• In a nutshell: Allows recipients to verify sender IP addresses by looking up DNS records listing authorized Mail Gateways for a particular domain
• Uses DNS TXT(16) (previously also SPF (Type 99)) Resource Records – SPF RR was obsoleted in RFC7208 due to low use and potential confusion
• Can verify HELO and MAIL FROM identity (FQDN)
Limitations of SPF
• Primary purpose of SPF is to validate whether a message sender comes from a legitimate host
• Only checks Envelope From – headers can still be faked
• Does not ensure message integrity
• Does not prevent intra-domain forgery
SPF Best Practices
• Plan to include “-all” in your SPF records
• Consider all legitimate servers sending e-mail on your behalf
• Make it part of security policy for roaming users to use authenticated SMTP on your gateways for sending outgoing mail
• Add your relay hosts’ HELO/EHLO identity to SPF records
• Create SPF records for all of your subdomains too
• Publish null SPF records for domains/hosts that don’t send mail!
nomail.domain.com. IN TXT "v=spf1 -all"
• Only include “MX” mechanism if your incoming mail servers also send outgoing mail
Configuring SPF on ESA
• Publish your SPF records, configure verification in MPF, and use Message Filters or Content Filters to enforce (spf-status or spf-passed rules)
Implementing SPF
• Figure out your outgoing SMTP sending hosts
• Create your SPF record
• Publish it for the world!
• Biggest challenge: Figuring out your outgoing SMTP sending hosts
• There’s always a rogue PC with no SMTP gateway configured
• Internal applications might send e-mail directly
• Servers/services from DMZ might send alerts/notifications
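The following linter, an added example rather than Cisco or ESA code, checks a candidate SPF record against the best practices above before it is published (the "-all" terminator, the "mx" caveat, the null record for non-sending domains) and also applies the RFC 7208 rules the slides do not list: a mechanism after "all" is dead, "redirect=" is ignored next to "all", and more than ten DNS-lookup terms produce a permerror. The record strings are constructed samples.

```python
"""Lint a domain's SPF TXT record against the practices listed above.

Added example, not Cisco's or the ESA's code. The record strings are
constructed samples; only RFC 7208 syntax (mechanisms, qualifiers,
modifiers and the 10-DNS-lookup limit) is assumed.
"""
import re

MECHANISMS = {"all", "include", "a", "mx", "ip4", "ip6", "ptr", "exists"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:([:=/])(.*))?$", re.I)
NULL_RECORD = [("mechanism", "-", "all", None)]   # what "v=spf1 -all" parses to


def parse_spf(record):
    """Split an SPF record into (kind, qualifier, name, value) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms = []
    for tok in parts[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError("unparseable term: %r" % tok)
        qual, name, sep, value = m.groups()
        name = name.lower()
        if sep == "=":                                # modifier such as redirect= or exp=
            terms.append(("modifier", None, name, value))
        elif name in MECHANISMS:
            terms.append(("mechanism", qual or "+", name, value))
        else:
            raise ValueError("unknown mechanism: %r" % tok)
    return terms


def lint_spf(record, sends_mail=True):
    """Return findings for a record; an empty list means it follows the practices above."""
    terms = parse_spf(record)
    findings = []
    if not sends_mail:
        # Domains and hosts that never send mail publish the null record and nothing else.
        if terms != NULL_RECORD:
            findings.append("non-sending domain: publish the null record 'v=spf1 -all'")
        return findings
    alls = [i for i, t in enumerate(terms) if t[0] == "mechanism" and t[2] == "all"]
    if not alls:
        findings.append("no 'all' term: append '-all' so unlisted hosts fail")
    else:
        q = terms[alls[0]][1]
        if q == "+":
            findings.append("'+all' authorises every host on the Internet; use '-all'")
        elif q in "~?":
            findings.append("'%sall' is only softfail/neutral; plan to move to '-all'" % q)
        if any(t[0] == "mechanism" for t in terms[alls[0] + 1:]):
            findings.append("mechanisms after 'all' are never evaluated")
    names = [t[2] for t in terms]
    if "mx" in names:
        findings.append("'mx' listed: keep it only if the inbound MX hosts also send outbound mail")
    if "ptr" in names:
        findings.append("'ptr' is discouraged by RFC 7208; list the hosts with ip4/ip6 instead")
    if "redirect" in names and alls:
        findings.append("'redirect=' is ignored when an 'all' term is present")
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)" % lookups)
    return findings
```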
URL Filtering
• Checks for reputation and category of URLs in messages (in/out)
• Used now in Anti-Spam and Outbreak filters
• URL Actions
• Block based on category
• Rewrite (send to Infosec Web site)
• Defang (BLOCKEDwww.ihaveabadreputation.comBLOCKED)
• Replace URL with a TEXT Message
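The four URL actions above, worked through over a message body as an added example (not Cisco or ESA code): the reputation table, the score cut-off, the category-to-action policy and the Infosec redirect page are all constructed assumptions standing in for the verdicts the ESA gets from its URL reputation service.

```python
"""Apply block / rewrite / defang / replace URL actions to a message body.

Added example, not Cisco's or the ESA's code. REPUTATION, POLICY and
INFOSEC_PAGE are constructed stand-ins for the appliance's real verdicts.
"""
import re
from urllib.parse import urlparse, quote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed verdicts: host -> (category, reputation score on a -10..+10 scale).
REPUTATION = {
    "www.ihaveabadreputation.com": ("unknown", -9.0),
    "dl.malware.example": ("malware", -9.5),
    "files.sharing.example": ("file-sharing", 1.5),
    "chat.social.example": ("social-networking", 4.0),
    "www.cisco.com": ("business", 8.0),
}
INFOSEC_PAGE = "https://infosec.example.invalid/blocked"   # assumed Infosec landing page

# Constructed policy: which action each category gets, plus a score cut-off for defanging.
POLICY = {
    "block": {"malware"},                 # whole-message verdict: the mail is not delivered
    "rewrite": {"file-sharing"},          # clicks are sent to the Infosec page instead
    "replace": {"social-networking"},     # the link is swapped for a text message
    "defang_below": -6.0,                 # any URL scoring below this is defanged
}


def classify(url):
    """Look the URL's host up in the (constructed) reputation table."""
    host = urlparse(url).hostname or ""
    return host, REPUTATION.get(host, ("unknown", 0.0))


def apply_url_actions(body, policy=POLICY):
    """Return (rewritten_body, verdict, actions); verdict is 'deliver' or 'block'."""
    actions = []
    verdict = "deliver"

    def substitute(match):
        nonlocal verdict
        url = match.group(0)
        host, (category, score) = classify(url)
        if category in policy["block"]:
            verdict = "block"
            actions.append(("block", url))
            return url                    # body no longer matters once the message is blocked
        if score < policy["defang_below"]:
            actions.append(("defang", url))
            return "BLOCKED" + host + "BLOCKED"   # same shape as the slide's example
        if category in policy["rewrite"]:
            actions.append(("rewrite", url))
            return INFOSEC_PAGE + "?url=" + quote(url, safe="")
        if category in policy["replace"]:
            actions.append(("replace", url))
            return "[link removed by policy: %s]" % category
        actions.append(("allow", url))
        return url

    return URL_RE.sub(substitute, body), verdict, actions
```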
AMP – Advanced Malware Protection
• File reputation
• Preventive blocking of suspicious files
• File sandboxing (unknown reputation)
• Analysis of Unseen Files
• Retrospective verdicts
• Alerts after an attack
• Only sends the SHA256 Hash value of the file
CISCO CLOUD WEB SECURITY
• Formerly known as ScanSafe
• Off load content scanning and policy enforcement to ‘The Cloud’
• CWS is a full web proxy hosted by Cisco
• Traffic is sent to a CWS Tower for processing, and the CWS Tower connects to the destination web service - Towers run multiple levels of policy checks, and content filters on requests and responses
• Content is filtered and malware scanned prior to being returned to the user
• Geographically distributed Cloud service offering
• Leverages ‘Connectors’ for redirecting traffic transparently
CWS Connector
• Traffic redirection to CWS proxy
• Failover between primary and backup proxies
• User authentication using device’s built-in mechanism
• Whitelisting of traffic (requests will go direct to destination website)
• Adding of CWS encrypted headers to requests
• Important also for identifying and authenticating company (company/group key)
• When no connector, companies are identified by their registered egress IP address
ASA Connector
• The ASA Connector is available from v9.0, and runs on all ASA models
• Can be used for transparent deployment in HQ and branch offices
• Single and Multiple Context Modes are supported for HTTP and HTTPS traffic
• No need for special license on ASA (K8 > K9 free upgrade)
• User authorisation provided from AD via IDFW (with Context Directory Agent) to get “group and username” and AAA rules to get “username”
• Supported in routed firewall mode only.
• Automated fail-over to secondary data centre
• No need to install software on dedicated hardware, or make any browser changes/install a client on end users’ machines
• CWS licensing on a per-user basis, so not tied to number of devices
ASA Connector – Config Example
• CWS integration is done with the inspect scansafe command in MPF
• Requires ASA Code version 9.0 or later (9.1.5+ code recommended)
• Note: HTTP and HTTPS traffic require separate class-maps and scansafe inspection maps
• Configured in system context when the ASA is running in multiple context mode
ASA Connector – Identity Policies
Unless you use AD Groups in ACLs on the ASA, the ASA won’t cache group info. Use the ‘user-identity monitor user-group’ command to download group info to the ASA!
ISR Connector
• Connector is integrated into Cisco ISR G2 Router Platforms
• No need to install Connector separately in branch networks
• Redirection of the web traffic happens transparently for the user on the router
• Provides Tower redundancy
• Provides User granularity
• Authenticate User via NTLM (transparent authentication) or Basic (Prompt for Credentials)
• NTLM works without prompting for IE, Firefox and Google Chrome
ISR Connector – Configuration Walkthrough
• CWS integration is done with the parameter-map type content-scan global command in global configuration
• Applied to egress interface with content-scan out
• Whitelist based on IP or regex match on domain name
• Requires 15.2(1)T1 or 15.2(4)M
CISCO FIREPOWER APPLIANCE AND SERVICES
• Cisco acquired SourceFire and the suite of FirePOWER appliances, management systems, and software in late 2013
• FirePOWER appliances have Content Filtering functions
• Requires ‘SourceFire Control License’ and annual subscription to ‘URL filtering’
• Configured and managed by Defense Center (VM or appliance)
• Monitors and manages multiple appliances
• Target any application, even custom applications. Control ingress/egress
• Applications can be subjected to custom scanning, IPS, and malware detection policies
ASA with Firepower Services
• Minimum Version of the ASA required is 9.2.2
• Supported on only the Next Gen ASA Hardware
• Works in Clustering / Failover scenarios
• Supported in Multi Context mode as well - different FirePOWER policies can be assigned to each context
• Do not configure ASA inspection on HTTP traffic.
• Do not configure Cloud Web Security Inspection
ASA with Firepower Services
• Uses the MPF Framework of the ASA to redirect traffic to the Firepower Services
• ASA FirePOWER policy configuration is done using FireSIGHT Management Center.
• Day to day operations managed through FireSIGHT Management Center!
• Next Generation Firewall (NGFW) – to be released in March
• Integrated data plane
• Integrated management
ASA with Firepower Services - ASDM Configuration
Configure -> Firewall -> Service Policy Rules -> Global Policy
ASA with Firepower Services – User Identification
• Network discovery
• Understands AIM, IMAP, LDAP, Oracle, POP3 and SIP
• Will only provide limited information when deployed at the Internet edge
Note: This solution does not use the Cisco Context Directory Agent (CDA)
User identification uses two distinct mechanisms
• Sourcefire User Agent (SFUA)
• Installed on a Windows Platform
• Windows server does not have to be a domain member
• Communicates with the AD using WMI – starts on port 136 then switches to random TCP ports
• Communicates with FMC through a persistent connection to TCP port 3306 on the FMC
• Endpoints must be domain members
• Well-suited for Internet edge firewalls
CISCO WEB SECURITY APPLIANCE - WSA
• Policy groups: Create groups of users and apply different levels of category based access control to each group.
• URL Filtering Categories: Control access based on URL categories/Hostnames
• Applications: Granular control using the AVC engine.
• Web Reputation Filters: Reputation filters analyze web server behavior and characteristics.
• Anti-Malware Services: The Cisco IronPort DVS™, Webroot™, AMP, and McAfee scanning engines identify and stop malware threats
Explicit Deployment
• Client requests a website
• Browser connects first to WSA using IPv4 or IPv6
• WSA does DNS lookup - A record returned and/or AAAA record returned
• Depending on WSA setting, it builds outgoing connection on IPv4 or IPv6
WCCP Deployment
• Client requests a website
• Browser tries to connect to Website
• Network Device redirects traffic to WSA using WCCP
• WSA proxies the request
• DNS Resolution is done by the Client
WSA with AMP
• AMP is a separate License consisting of:
– File Reputation
– File Analysis
• After it is enabled, include it in the access policies just like any other scanner
WSA with AMP
• File Reputation
• Ability to create a SHA-256 Hash of the file and check against the cloud database
• Cloud delivers back a Verdict consisting of “malicious”, “unknown” or “clean”
• File Reputation is available for high risk file types such as “.EXE”, “.ZIP”, “.PDF”, etc
• File Analysis
• Optional upload of Files into the cloud for dynamic analysis
• Delivers back a Verdict Score (0-100)
• Score above 60 is considered “malicious”
• Ports required from WSA to AMP Cloud: tcp/443 and tcp/32137 (over M1)
WCCP with Transparent Authentication
• Client logs on to the AD Domain, CDA tracks AD audit logs and maps User -> IP
• Client request a Web Site
• Traffic is transparently redirected to the WSA
• WSA needs to authenticate and queries the CDA for the User – IP mapping
• WSA queries AD for User Group
• Request is proxied and forwarded to the Internet
CDA
• Linux Image, installed on Virtual Machine
• Getting User-to-IP Mapping (IPv4 & IPv6) via WMI from AD Controller
• Can be queried from WSA, ASA or ASA-CX via Radius
General Guidelines
User Authentication of Mobile users using ISE
• ISE authenticates the mobile User and gathers information via profiling
• ISE queries AD-Server for Group membership & applies policy
• ISE sends Radius Authentication & Accounting Records to CDA
• Records can be sent via SYSLOG over UDP / SYSLOG over TCP
• CDA adds the mobile User into its USER-IP-Mapping Table
WCCP with Active Authentication
• Un-authenticated user browses through WSA
• WSA redirects user via HTTP Redirect to WSA IP
• Browser connects direct to WSA
• WSA requests credentials
• User authenticates
• WSA redirects browsers to original URL
• Authenticated user browses through WSA
Configuration on WSA
• If you upgraded from 7.x to 8.x, re-join the domain
• After re-join, the Kerberos Scheme is available
Configuration on WSA
• Edit your Identities to use Kerberos as an authentication Scheme
• WSA can only use one NTLM Realm within one Authentication Sequence
• WSA can use multiple Kerberos Realms in one Authentication Sequence
• Create each Realm on the WSA
• Create a sequence on all the Realms
• Create Identity
Configuration on WSA
• Strongly recommended to add %m to the accesslog (=Authentication Method)
– BASIC. The user name was authenticated using the Basic authentication scheme.
– NTLMSSP. The user name was authenticated using the NTLMSSP authentication scheme.
– NEGOTIATE. The user name was authenticated using the KERBEROS authentication scheme.
– SSO_TUI. The user name was obtained by matching the client IP address to an authenticated user name using transparent user identification.
– SSO_ASA. The user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility.
– FORM_AUTH. The user entered authentication credentials in a form in the web browser when accessing an application.
– GUEST. The user failed authentication and instead was granted guest access.
WSA – Remote User Authentication
• Part of Cisco’s “Borderless Network” solution
• Works with Always-On Anyconnect VPN to increase security for mobile workers
• Forwards internet-bound traffic to Web Security Appliance (WSA) for scrubbing and security checks
• ASA communicates with WSA to enable user/group policies on WSA
• Easy security administration - Security policy is the same if user is on corporate network or working remotely
• Requires Anyconnect version 2.5+
• ASA shares VPN username-to-IP mapping information to WSA
• Any Connect user attempts to access internet server via always-on VPN
• Traffic routed to inside router
• URL Request redirected to WSA. Traffic authenticated and scrubbed
• “Cleaned” request forwarded to internet webserver
WSA – Remote User Authentication
Scalability
• Determine Minimum Bandwidth
• Use NetFlow or other network analytics to estimate your bandwidth
• Monitor over the course of the day (Non-business hours vs Business Hours)
• Plan for growth
• Some solutions are easily scaled for added capacity, while others are not.
• Account for growth
• Even if the business doesn’t grow, traffic ( data ) will
General Guidelines
Scalability - Summary
• WSA
• Add capacity through adding more WSAs and load balancing traffic to them
• Use WCCP or external Load balancer
• CWS
• Scalability based on connector used and your bandwidth
• FirePOWER
• FirePOWER appliances are ‘stackable’ allowing growth with the business
• ASA Clustering allows for growth of ASA based deployments
Determining the “Who”
• Applying the same policy to all users limits what you can block
• Some users need access to content/sites others should not
• Improves value of reports
• Gives visibility into who was blocked, not just an IP
• Improve granularity of policies
• Determining the mapping between IPs and users is done via varying methods that can be summed up into the following major categories
• Active Authentication
• Passive Authentication
• PIM and SAML ( CWS )
User Identification – General Considerations
• Not everything can authenticate – software updates, applications such as Skype
• Exclude by IP or User Agent
• IP makes sense with static IPs
• User-agent is easily forged!
• Just about every browser can change User-Agents on the fly
wget --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36" -c http://www.cisco.com
User Identification - Summary
• WSA
• Passive Authentication with CDA
• Active Authentication through cut-through like feature
• CWS
• Passive Authentication with CDA, PIM application
• Active Authentication through cut-through like feature and SAML options as well
• FirePOWER
• Passive Authentication with User Agent – installed on DC or other domain member (just like CDA)
• Protocol based user detection (requires FireSight)
• Watches protocol events to determine logged in user
How to send Traffic – General Considerations
(Table: rows Inline, Explicit Proxy, Connector Redirection, WCCP Redirection and Anyconnect against columns CWS, WSA and Firepower; the cell markings are not recoverable from the slide text.)
How to send Traffic to the Filter
• WSA
• Explicit Proxy deployment
• Transparent deployment with WCCP redirection.
• CWS
• Direct Proxy or software based connectors
• Multiple edge devices may act as a connector
• FirePOWER
• Requires in-line deployment
• Deployable on existing ASA infrastructure
• Passive/Monitor-only deployment cannot ‘block’ content, only alert.
Summary
Handling Remote Users
• Remote Users
• Remote/Branch Offices with L2L VPN Tunnels
• Users with Remote Access VPN
• Tunnel all Traffic to HQ Vs Tunnel only HQ bound traffic to HQ
• How to Secure Web Traffic
General Considerations
Handling Remote Users
• WSA
• Mobile User Security improves integration with VPN Headend ASA
• Client web traffic must be tunneled back to HQ
• CWS
• Remote sites can utilize CWS directly. No VPN Backhaul!
• On-the-Go users are filtered and secured direct to CWS infrastructure
• Consistent policy applied whether in the office or on the go
• FirePOWER
• Remote traffic must be sent back to HQ for scanning
Summary
SSL Content Filtering
• Difficult to Filter - SSL hides the content we wish to filter
• HTTP protocol messages completely encrypted
• Content and payload hidden as well
• What can we use for filtering ?
• SNI ( Server Name Indication ) : Optional TLS extension in the Client HELLO that indicates the HOSTNAME of the server
• Subject and Subject Alternate Names : Fields in the Certificate that identify the hostname of the server
• User-agent - ?
General Considerations
SSL Content Filtering
SSL Man in the Middle
• Client Sends HELLO ( SNI )
• Server provides ( Subject NAME )
• The Security Solution proxies the SSL connection and intercepts this cert, providing its own certificate
• Doing this it is able to look inside the SSL tunnel
• Causes the SSL cert error on the browsers
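Of the two fields above, SNI is the one a filter can read before any decryption, and because the extension is optional a filter must cope with its absence. The parser below is an added example, not Cisco or appliance code: build_client_hello() constructs a minimal TLS 1.2 ClientHello (random bytes, cipher suite and an extra empty extension are constructed values), and extract_sni() walks the record down to the server_name extension, returning None when no SNI is present.

```python
"""Extract the SNI host_name from a TLS ClientHello without decrypting anything.

Added example, not Cisco's or any appliance's code. build_client_hello()
constructs test input; its random, cipher suite and the extra empty
extension are constructed values, not a real capture.
"""
import struct

SNI_EXTENSION = 0x0000
HOST_NAME_TYPE = 0x00


def build_client_hello(server_name=None):
    """Construct a ClientHello record, with an SNI extension when a name is given."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    exts += struct.pack("!HH", 0x0017, 0)            # an unrelated, empty extension to skip over
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"     # client_version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if it carries none."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        pos = 2 + 32                                          # skip client_version and random
        pos += 1 + p[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + p[pos]                                     # compression_methods
        if pos + 2 > len(p):
            return None                                       # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", p[pos:pos + 4])
            data = p[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != SNI_EXTENSION:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:                          # walk the ServerNameList entries
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == HOST_NAME_TYPE:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello")
```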
SSL Content Filtering
• Breaking trust
• The user experience
• Decrypting only what is necessary
• Not every Application/Device has a modifiable trust store
General Considerations
SSL Content Filtering
• WSA
• On box SSL decryption based on reputation level
• CWS
• Can use both the SNI/Subject name if HTTPS inspection is disabled
• SSL decryption in the cloud. Known as ‘HTTPS Inspection’
• FirePOWER
• Off-box decryption provided by separate appliance
• On-box decryption only available in newer code on certain platforms.
Summary
Filtering Non-HTTP/HTTPS Traffic
• Content filtering might be necessary on non-standard web ports as well
• Certain Applications that we wish to block might not use well-defined ports
• Peer-to-Peer File Sharing
• Streaming content
• Audio/Video Calls
General Considerations
FirePOWER identifies applications and
threats on any port
FirePOWER harnesses the power of
FireSight and NAVL engine
Filtering Non-HTTP/HTTPS Traffic
• WSA
• Limited to HTTP, HTTPS and FTP
• CWS
• Limited to HTTP and HTTPS
• FirePOWER
• Appliances running NGFW features like “Application Control” Provide visibility and control beyond HTTP/HTTPS.
Summary
AntiVirus and Malware Scanning
• WSA
• AV filtering done on-box with McAfee, Sophos, Webroot
• Support AMP also
• CWS
• Multiple layers of Scanning performed on each piece of content
• Purpose built ‘scanlets’ for certain types of content
• FirePOWER
• Low latency AMP Malware detection
General Considerations
Approaching a Content Security Problem
• Enable optimum level of logging/messaging on the security appliance/solution
• Reproduce the problem
• Read/Analyze the logs / messages from the security appliance / solution
• Dig Deeper into the headers
• For web pages use the browser inspection functionality
• For mails use the SMTP header analyzer
• Capture your traffic (Wireshark/Span/Capture on the security solution)
• Does the problem happen on bypassing the security solution – This might not be needed always
All troubleshooting involves a few basic steps
Troubleshooting
• WSA
• Verbose logging can be enabled - the logs can be viewed on-box or off-box
• Easy to use TCP dump like capture functionality in GUI and CLI
• CWS
• Once traffic leaves the enterprise network and enters the cloud, there is no visibility
• No capture ability outside your enterprise
• Very Detailed analysis and reporting available in the Scancenter GUI
• FirePower
• Event Logging from dashboard ( ASDM/FMC ), Capture functionality from the CLI
• Firewall Engine Debug similar to packet tracer. Show hits, rules, and why
Summary
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco 2016 T-Shirt by completing the Overall Event Survey and 5 Session Evaluations.
– Directly from your mobile device on the Cisco Live Mobile App
– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/
– Visit any Cisco Live Internet Station located throughout the venue
T-Shirts can be collected Friday 11 March at Registration
Learn online with Cisco Live!
Visit us online after the conference for full access to session videos and presentations.
www.CiscoLiveAPAC.com