WEB SECURITY APPLIANCE (WSA)
- Stops threats during downloads
- Enforces policies
- Acts as a proxy, either explicit or transparent
01 Proxy functioning as transparent
WCCP - Web Cache Communication Protocol v2
TCP:80 and TCP:443
SSL/TLS
Requires WCCP to be enabled on the firewall and router
02 WSA Receives HTTP Requests
1. Time of Request / Cisco SIO URL Filtering -> Block
2. Time of Request / Cisco SIO Reputation Filter -> Block
3. Time of Response / Cisco SIO Dynamic Content Analysis -> Block
4. Time of Response / Cisco SIO Signature Anti-Malware Engine -> Block
5. Time of Response / Cisco SIO Advanced Malware Protection -> Block
Options on Decision based rules: Allow | Warn | Partial Block | Block
*SIO - Security Information Operation
03 WSA Baseline Configuration (IronPort)
03.1 Default Startup Wizard at http://192.168.42.42:8080
Admin access config
- allowed to connect
- SSL configuration
03.2 Ifconfig
Where to manage the IP address used to connect to your WSA
- to enable gui management capabilities
- enabling https to manage
- enabling ssh to manage
- options for certificate for https
- edit interface
- delete interface
- new interface
- requires "commit" command to apply the changes
default user: admin | default password: ironport
03.3 On the GUI
Run the setup wizard under Systems Administration -> System Settings
- Hostname
- NTP
- Time Zone
- Setting for an existing proxy downstream
- Configure Management IP
- Configure Data (Web Traffic)
- Configure L4 Traffic Monitoring
- Configure Default Gateway
- Configure Static Routes
- Transparent Connection Setting
- Layer 4 Switch or No Device | WCCP v2 Router
- Administration Setting
- Admin Password
- Email System Alerts
- Network Participation
- Security Setting
- Summary then Install the configuration
03.4 System Administration -> System Upgrade
- shows current version
Network -> Transparent Redirection
- Can verify the transparent configuration
- Adding WCCP devices like ASA
04 Deploying in a Virtual Environment
Requires an OVF file from Cisco to work
Transfer the license XML file via FTP to /configuration
04.1 Activating the license
Run the command: load license
Verify with: show license
05 WSA Traffic Classification and Identities
Categorize via
Subnet | Protocol | Proxy Ports | User Agent | URL Categorization
- Add Identity
- Required for policies
06 Access Policies
Control which URLs can be visited | allowed bandwidth | maximum file size
07 Web Security Manager Options
- Adding Policies [GROUP]
- Protocol and User Agents
- Blocking of ports (need to specify)
- URL Filtering - e.g. pornography, gaming
- Adult / Pornography [Monitor/Block]
- Content Filtering
- Applications - block file transfer applications / bandwidth limits
- Blogging / Collaboration / Enterprise Applications / Facebook / [Monitor/Block]
- Filesharing / Media / Messenger / Proxy / Office Suites
- Objects - limit file types (exe, bat) / FTP file size
- FTP and HTTP Max Download
- Executable Codes [Java / Unix / Windows]
- Anti Malware and Reputation
- Cisco DVS - Dynamic Vectoring Streaming Engine - Stop Malware
- Identify Malware Categories
07.1 Adding New Policy
- Policy Setting
- Policy Name
- Description
- Insert Above Policy
- Policy Member Definition
- Identities and User
- Advanced (Web Security Manager Options)
07.2 Verify if Policy is working
Systems Administration -> Policy Trace Tool
Destination
- URL to test
Transaction
- Client IP Address
Find Policy Match
07.3 Results of Verification after Trace Tool
User Information
URL Checking - WBRS Score
Policy Match
Final Result
08 User Authentication
- Requires integration with Active Directory and/or LDAP
- Explicit and Transparent Proxy Mode
- Transparent Proxy forwards traffic to Router/Firewall
08.1 Network Menu -> Authentication
Add Realm
- Server Type
- LDAP or Active Directory
- Point to the IP address of the server
- Active Directory
Validation
- Test Current Settings
- Start Test
08.2 From Identities Feature
- Identification and Authentication
- All Realms [Active Directory | LDAP]
08.3 From Main Panel -> Reporting
- Users
- Reports by User Location
09 Traffic Direction
09.1 Explicit Proxy - Manual | PAC | WPAD
From the Internet Browser
- Manual via Local LAN Setting Proxy Server
- PAC via Local LAN Setting Automatic Configuration - Use Automatic Configuration
- WPAD via LAN Setting Automatically detects settings
Hosting PAC files on WSA
- Security Services -> PAC File Hosting
- Basic Setting
- PAC Files
- Via Active Directory group policy
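The PAC option above is a small JavaScript file the browser runs for every request. The following is an added example PAC file for sending traffic to a WSA in explicit mode; it is not from the original notes, and the WSA hostname wsa.example.local, proxy port 3128, internal domain .example.local and 10.0.0.0/8 network are all assumed values. Browsers provide isPlainHostName, dnsDomainIs and isInNet themselves; the shims here exist only so the file can be tested outside a browser.

```javascript
// Added example PAC file (constructed, not Cisco's). Assumed values:
// WSA explicit proxy at wsa.example.local:3128, internal domain .example.local,
// internal address space 10.0.0.0/8.
const WSA_PROXY = "PROXY wsa.example.local:3128";

// Dotted-decimal IPv4 string to unsigned integer; null when malformed.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    const v = Number(p);
    if (!/^\d+$/.test(p) || v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Test shims: defined only when the browser's PAC helpers are absent.
// Unlike a real isInNet, the shim does not resolve hostnames via DNS.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
  globalThis.dnsDomainIs = (host, domain) => host.endsWith(domain);
  globalThis.isInNet = (host, pattern, mask) => {
    const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  // Single-label names and the internal domain stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.local")) {
    return "DIRECT";
  }
  // Loopback and the internal address space bypass the proxy.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the WSA. Appending "; DIRECT" here would
  // make clients fail open and bypass policy whenever the WSA is unreachable,
  // so no fallback is given.
  return WSA_PROXY;
}
```

Browsers apply the first matching rule, so the bypass checks must come before the catch-all return.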
09.2 Transparent Proxy - WCCP | PBR | L4/L7 Capability Switch
WCCP via Firewall and Router
- WCCP Groups
 - 0 = Web Cache
 - 61-62 = WAAS
 - 70 = HTTPS Cache
 - 90-97 = User Defined
 - 99 = Reverse Proxy
- Enable WCCP for group 0
- Router identifies inbound HTTP requests and redirects the traffic to the WSA
PBR - Policy-Based Routing
Layer 4 Switch - IP and Ports decision making
Layer 7 Switch - Application URL decision making
09.3 Helpful Commands to configure/enable WCCP in a router
[Router]
! Bring up the interface facing the WSA and clients (placeholders kept as X)
interface XXXXXX0/0
no shutdown
ip address X.X.X.X Y.Y.Y.Y
exit
ip route 0.0.0.0 0.0.0.0 X.X.X.1
end
! Watch WCCP negotiation with the WSA while configuring
debug ip wccp packets
debug ip wccp events
conf t
! Enable the standard web-cache service group (group 0, TCP 80)
ip wccp web-cache
interface XXXXX
! Redirect inbound HTTP on the client-facing interface to the WSA
ip wccp web-cache redirect in
end
! Verify the WSA shows up as a router/cache association, then test a path
show ip wccp
trace 8.8.8.8
WSA -> Add WCCP v2 Service
- Service Profile Name
- Service
- Standard / Dynamic
- Router IP Address
- Submit
09.4 WCCP Redirection
1. Configure the WSA with the redirection device
2. Configure the ASA
3. Firewall/ASA [ASDM] is ready to accept traffic to the WSA
4. Verify
Network -> Transparent Redirection
-> Add Service
- Service Profile Name
- Service
- Dynamic Service ID
- Port Numbers
- Router IP Address
- Submit
- Commit Changes
ASDM
- Configuration
- Device Setup
- Interface Setting
- Interfaces
- Configuration
- Device Management
- WCCP
- Service Groups
- Add
- Add Service Group XX
- Service Dynamic Service Number
- Options
- Redirect
ACL Manager
- Add
- Add ACE (Access Control Entry)
- Action Permit | Source | Destination | Service | Action
- Configuration
- Device Management
- WCCP
- Redirection
- Add
- Service Group XX
10 IPS and IDS Understanding
INLINE: Firewall / ASA -----IPS Inline---- Router
PROMISCUOUS: Switch (mirrored port) ----- IDS ---- Router
IPS Implementation - Appliance/Hardware | Module | Software | Virtual
Placing the IPS outside the firewall exposes it to a lot of traffic
Placing the IPS inside the firewall exposes it to less traffic
IPS Device Manager IDM
Configuration
-> Policies
-> Signature Definitions
-> Sig0
-> Active Signature