
Advanced Web Security Deployment with WSA and ASA NGFW (=ASA-CX)


BRKSEC-3771

Tobias Mayer, Consulting Systems Engineer

For Your Reference

There are (many...) slides in your print-outs that will not be presented.
They are there for your reference and carry a "For Your Reference" badge.

BRKSEC-3771

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Public

Angel Aloisius
Some slides have this friendly guy in the right corner.
Those slides are meant as non-standard advice or tips & tricks.


Agenda
Introduction
Deploying WSA with WCCP
Troubleshooting WSA with WCCP
Transparent User Authentication
WSA Performance Analysis
Deploying ASA NGFW Web Security
Troubleshooting ASA NGFW Web Security

Web Security Appliance: Explicit Proxy

1. Client requests a website
2. Browser connects first to the WSA
3. WSA connects to the website
The firewall usually only allows web traffic from the proxy
DNS resolution is done by the WSA
(Figure: client -> Web Security Appliance -> ASA 5500 Firewall -> Internet -> web server)


Transparent Proxy via WCCP

1. Client requests a website
2. Browser tries to connect to the website directly
3. A network device redirects the traffic to the WSA using WCCP
4. WSA proxies the request
DNS resolution is done by the client
(Figure: client -> WCCP redirect to the Web Security Appliance -> ASA 5500 Firewall -> Internet -> web server)


Deploying WSA with WCCP

How WCCP registration works

1. Registration: the WCCP client registers at the WCCP server
2. "Here I am": sent by the client
3. "I see you": sent by the server

Both server and client need to use the same WCCP service group ID
One WCCP server can usually serve multiple clients
Server and client keep exchanging Here-I-Am and I-See-You packets to check availability
  UDP/2048, unicast (multicast possible)
Traffic is redirected from the server to one or multiple clients using the hash or mask algorithm
Any host that can register as a client of the service group receives a share of the redirected traffic, so restrict membership with a group list and protect the group with the shared WCCPv2 password (ip wccp <group> group-list <acl> password <pw> on IOS, wccp <group> group-list <acl> password <pw> on the ASA)

WCCP Protocol - Buckets

Hash-based assignment
  Byte-level (8-bit) XOR computation, divided into 256 buckets (default)
Mask-based assignment
  Bit-level AND, divided into up to 128 buckets (7 bits)

asa# show wccp 90 hash 144.254.1.1 172.16.10.71 80 1024
WCCP hash information for:
  Primary Hash:
    Dst IP: 144.254.1.1
  Bucket: 110
  Cache Engine: 172.16.10.45


WCCP Protocol - Load balancing and Redundancy

When a WCCP client fails, the portion of the load handled by that client is automatically redistributed to the remaining WCCP clients in the service group
If no other WCCP clients are available in the service group, the service group is taken offline and packets are forwarded normally
(Figure: four WSAs own buckets 1-85, 86-128, 129-170 and 171-255; when WSA B fails, its buckets are merged with its neighbour's so that one remaining WSA now covers 86-170)

Using WCCP for Traffic Redirection

WCCPv2 support is available on many Cisco platforms:
  L3 switches, routers, ASA 5500 security appliances
WSA supports all redirect and assignment methods (software implementation)
  The method to use is negotiated
  Multiple WSAs elect a Designated Web Cache (DWC), the lowest IP in the cluster, which negotiates the method
How to force a switch / router to use GRE? Set the WSA to "Allow GRE"


Using WCCP for Traffic Redirection (2)

Performance considerations:
  MASK (HW) > HASH (SW)
    HW has to take TCAM resources into consideration
  L2 (HW) > GRE (SW)
    Use GRE if the WSA is located in another subnet
      Check whether the device can do GRE in HW
    Use L2 if the WSA and the WCCP device are in the same subnet


WCCP with L3 Switch (3560/3750)

L2 redirect
Use the SDM template "access", "routing" or "dual-ipv4-and-ipv6 routing"
WCCP shares the same TCAM region as PBR!
(Figure: WSA and clients on VLAN10, switch uplink to the Internet)

sdm prefer routing
ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ip wccp 91 redirect in


WCCP with L3 Switch (3560/3750)

L2 redirect
(Figure: WSA on VLAN40, clients on VLAN10, switch uplink to the Internet)

Recommendations:
  Assign a separate VLAN for the connection to the WSA!
  The redirect ACL only allows permit statements on the 3560/3750 series!
  12.2(58) added support for permit
  If the 3560/3750 is stacked, configure WCCP on the stack master!


WCCP with L3 Switch

Redirect - Verification

munlab-3560X#show ip wccp 91 detail
WCCP Client information:
        WCCP Client ID:          172.16.10.100
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             L2
        Packet Return:           L2
        Packets Redirected:      0
        Connect Time:            01:02:16
        Assignment:              MASK

        Mask  SrcAddr    DstAddr    SrcPort DstPort
        ----  ---------- ---------- ------- -------
        0000: 0x00000000 0x00000526 0x0000  0x0000

        Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
        ----- ---------- ---------- ------- ------- -----
        0000: 0x00000000 0x00000000 0x0000  0x0000  0xAC100A64 (172.16.10.100)
        0001: 0x00000000 0x00000002 0x0000  0x0000  0xAC100A64 (172.16.10.100)
        0002: 0x00000000 0x00000004 0x0000  0x0000  0xAC100A64 (172.16.10.100)

What to check in this output: protocol version and state, the redirect method, the assignment method, the mask value, and the cache-engine IP (CE-IP) each mask value is assigned to.

WCCP with L3 Switch (CAT6500)

L2 or GRE redirect
CAT6500 with Sup2T/720/32 and PFC3 allows redirect of L2 and GRE in hardware
Adjust the MTU for GRE
Careful with the bypass list!
Redirect-in and redirect-out are supported
Permit and deny ACEs are allowed
Avoid flags, options & time ranges in the redirect ACL
Very scalable and flexible
(Figure: two CAT6500 (r1, r2) toward the WAN, WSAs attached to both)



WCCP with L3 Switch (CAT6500)

L2 or GRE redirect, processing path per combination:
  Ingress - L2 redirection + hash assignment: requires software processing
  Ingress - L2 redirection + mask assignment: full hardware processing (recommended)
  Egress - L2 redirection + hash assignment: requires software processing
  Egress - L2 redirection + mask assignment: requires software processing
    The first packet is process switched and creates a NetFlow entry; subsequent packets are HW switched
  Ingress - L3 (GRE) redirection + hash assignment: requires software processing
  Ingress - L3 (GRE) redirection + mask assignment: full HW processing (Sup32/Sup720/2T only)
  Egress - L3 (GRE) redirection + hash assignment: requires software processing
  Egress - L3 (GRE) redirection + mask assignment: requires software processing


WCCP with ASA

ASA allows only "redirect in"
Client and WSA must be on the same interface
  No DMZ deployment possible....
The inside ACL is checked before redirection
  The destination server must be allowed in the ACL
The redirection method is GRE based
The redirect ACL allows permit and deny
No TCP Intercept, inspect engine or internal IPS is applied to the redirected flow
  The IPS HW module however does inspect the traffic
  Keep the redirect ACL as narrow as possible: everything it matches bypasses those checks on the ASA
(Figure: clients and WSA on the INSIDE interface, ASA toward the Internet)

access-list WCCPRedirectionList extended deny ip 172.16.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list WCCPRedirectionList extended permit tcp any any eq www
access-list WCCPRedirectionList extended permit tcp any any eq https
!
wccp 90 redirect-list WCCPRedirectionList
wccp interface INSIDE 90 redirect in

WCCP with Router (ISR, ISR G2)

Redirect is GRE and hash, done in SW
Allows for a DMZ design: the WSA can sit on its own interface
Supports permit and deny statements in the redirection ACL
(Figure: router with interfaces e0, e1, e2; clients on e0)

ip cef
ip wccp version 2
ip wccp 91 redirect-list <redirect-ACL>
!
interface e0
 ip wccp 91 redirect in


WCCP with IP Spoofing

Some designs require that the client IP is preserved after being proxied
(Figure: router with interfaces e0, e1, e2)
Problem to solve:
  Traffic coming back from the Internet needs to be redirected to the WSA by the network, because its destination is now the client network, no longer the WSA
IP spoofing is mostly used in transparent mode
It is activated on the WSA in the WCCP configuration


IP Spoofing Design in Transparent Mode

(Figure: clients in 145.16.0.0/16 behind e0 (service group 91), Internet behind e2 (service group 92), WSA on the third interface)
Service group 91 redirects client requests to the WSA; service group 92 catches the server replies (source port 80/443, destined to the client network) on the Internet-facing interface and redirects them back to the WSA.

ip cef
ip wccp version 2
ip wccp 91 redirect-list Redirect-Client
ip wccp 92 redirect-list Redirect-back
!
interface e0
 ip wccp 91 redirect in
!
interface e2
 ip wccp 92 redirect in
!
ip access-list extended Redirect-Client
 permit tcp 145.16.0.0 0.0.255.255 any eq www
 permit tcp 145.16.0.0 0.0.255.255 any eq 443
!
ip access-list extended Redirect-back
 permit tcp any eq www 145.16.0.0 0.0.255.255
 permit tcp any eq 443 145.16.0.0 0.0.255.255



Transparent Redirection and HTTPS

Symptoms:
  WCCP is successfully configured on the L3 device
  HTTP sites connect successfully
  HTTPS sites cannot be reached
  Switching to an explicit proxy works fine for HTTP and HTTPS
Solution:
  Activate the HTTPS proxy on the WSA
  It is not necessary to decrypt the requests; the HTTPS proxy can pass them through


Troubleshooting WSA with WCCP

WCCP Logs on WSA

Create a new log subscription for WCCP and set the level to Debug
The log then shows each Here-I-Am packet sent (HIA) and each I-See-You packet received (ISY)



WCCP Logs on WSA (2)

Check the capabilities of the WSA and of the WCCP server (switch, router, ...)
The log shows the configured capabilities of the WSA as they are sent to the WCCP server
If registration succeeds but the negotiated capabilities are not what you expect: WCCP is ok, the parameters are not!


Debug WCCP Events on ASA / Router / Switch

IOS: debug ip wccp events (and debug ip wccp packets)
ASA: debug wccp events (and debug wccp packets)
The output shows the WCCP group ID (here 90) and the Here-I-Am / I-See-You exchange
Turn the debugs off again when done; packet-level debugs are expensive on a device that is redirecting production traffic


WSA behaviour with WCCP

By default the WSA will try to negotiate L2 first
If the WCCP server is on a different subnet, you will get an error
Solution: force the WSA to negotiate GRE


A Word about Hardware

The mask assignment is handled in hardware on ASR and Cat6500
WCCP redirect ACL deny statements don't use mask TCAM
WCCP redirect ACL permit statements use up to: number of ACL permit entries * number of buckets
  Example: for a 7-bit mask, the router / switch uses 4096 TCAM entries for 32 permit statements, wasting a lot of TCAM resources
Adjusting the bit mask must be done on the WCCP client (the WSA); supported with the v7.7 SW release


A Word about Hardware (2)

Number of WSAs   Mask width
1-2 WSAs         1 bit, 2 slots
3-4 WSAs         2 bits, 4 slots
5-8 WSAs         3 bits, 8 slots
9-16 WSAs        4 bits, 16 slots
17-32 WSAs       5 bits, 32 slots

Example: a mask of 0x3 = 2 bits gives 4 slots, enough for up to 4 WSAs
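The following is an added example, not code from the Cisco Live deck, that ties together the buckets slide, the mask table in the `show ip wccp 91 detail` output and the TCAM arithmetic above: it enumerates the bucket values a mask produces, maps a destination address to the WSA that owns its bucket, and computes the TCAM cost of a permit list under a given mask width. Two things are assumptions of the example rather than documented behaviour: buckets are split round-robin across the WSAs (the designated web cache decides the real split), and the XOR fold used for the hash illustration is only what the slide describes, not the exact hash any IOS or ASA release uses.

```python
"""Added example, not from the Cisco Live deck: how WCCP mask assignment
turns a mask into buckets, how those buckets are split across WSAs, and what
a mask-assigned service group costs in TCAM on a hardware platform.

Assumed for the example (not stated on the slides): buckets are handed out
round-robin across the WSAs (in reality the designated web cache decides the
split), and one TCAM entry is consumed per (permit ACE x bucket).
"""
import ipaddress
import math
from typing import Dict, List


def mask_values(mask: int) -> List[int]:
    """Enumerate every value a 32-bit field can take after AND-ing it with mask.

    Only the set bits of the mask matter, so a mask with k set bits yields
    2**k values, the WCCP "buckets". The 3560X mask 0x00000526 from the
    show ip wccp 91 detail output has bits 1,2,5,8,10 set -> 32 values, the
    first of which are 0x0, 0x2, 0x4 exactly as the switch lists them.
    """
    bits = [b for b in range(32) if (mask >> b) & 1]
    values = []
    for n in range(1 << len(bits)):
        v = 0
        for i, b in enumerate(bits):
            if (n >> i) & 1:
                v |= 1 << b
        values.append(v)
    return values


def mask_table(mask: int, wsas: List[str]) -> Dict[int, str]:
    """Value -> cache engine table, i.e. the "Value ... CE-IP" rows of the
    show output (the round-robin split is the example's assumption)."""
    return {v: wsas[i % len(wsas)] for i, v in enumerate(mask_values(mask))}


def mask_lookup(dst_ip: str, mask: int, table: Dict[int, str]) -> str:
    """Which WSA receives a packet to dst_ip: AND the address with the mask
    and look the result up, which is what the hardware does per packet."""
    return table[int(ipaddress.IPv4Address(dst_ip)) & mask]


def hash_bucket(dst_ip: str) -> int:
    """Illustrative byte-level XOR fold into 256 buckets, as the slide
    describes hash assignment. It is NOT guaranteed to be the exact hash of
    any IOS/ASA release; `show wccp <svc> hash` gives the real answer."""
    b = ipaddress.IPv4Address(dst_ip).packed
    return b[0] ^ b[1] ^ b[2] ^ b[3]


def mask_bits_for(n_wsa: int) -> int:
    """Smallest mask width that gives every WSA at least one bucket:
    1-2 WSAs -> 1 bit, 3-4 -> 2 bits, 5-8 -> 3 bits, 9-16 -> 4, 17-32 -> 5."""
    return max(1, math.ceil(math.log2(n_wsa)))


def tcam_entries(permit_aces: int, mask_bits: int) -> int:
    """Hardware cost of a mask-assigned service group: each permit ACE is
    expanded once per bucket, deny ACEs are not expanded."""
    return permit_aces * (1 << mask_bits)


if __name__ == "__main__":
    table = mask_table(0x00000526, ["172.16.10.100", "172.16.10.101"])
    print(len(table), "buckets, first values:", [hex(v) for v in list(table)[:3]])
    print("144.254.1.1 ->", mask_lookup("144.254.1.1", 0x00000526, table))
    print("XOR-fold bucket for 144.254.1.1:", hash_bucket("144.254.1.1"))
    print("TCAM entries for 32 permits, 7-bit mask:", tcam_entries(32, 7))
```

Running it reproduces the numbers on the slides: 32 buckets for mask 0x526 starting 0x0, 0x2, 0x4, and 4096 TCAM entries for 32 permit ACEs under a 7-bit mask. Use `mask_bits_for()` to pick the smallest mask for the number of WSAs you actually have before widening it, since every extra mask bit doubles the TCAM cost of the permit list.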


Transparent Deployment - Summary

No client settings necessary
The client resolves the hostname of the target web server -> improved performance!
Traffic gets redirected by the network
Requires HTTPS proxy activation for HTTPS requests
Allows for redundancy by defining multiple WSAs to redirect to
Selection of the right device to redirect on is critical
Try to limit the number of permit entries in redirect lists when using mask assignment, or wait until v7.7 is released to adjust the mask
When using IP spoofing make sure the WSA is not in the path of the clients

SOCKS Proxy with WSA v7.7

Enable the SOCKS proxy globally: SOCKS 5, port 1080
(Figure: clients on VLAN10, WSA on VLAN40, uplink to the Internet)


SOCKS Proxy with WSA v7.7

The SOCKS proxy supports SOCKS 5
Can be linked with an Identity
Static definition of the URLs that are reachable, but no malware scanning or reputation: SOCKS traffic is tunneled, not inspected



Transparent User Authentication

Authentication

(Figure: User - Web Security Appliance - User Directory)

Authentication protocols
  Directory: LDAP or NTLM
  Method:
    Basic: credentials are sent unencrypted (only Base64-encoded), so anyone on the path can read them
    NTLMSSP: challenge-response
    TUI using CDA
Tracking the user
  IP-based surrogates
  Cookie-based surrogates

Authentication in Explicit Deployment

(Figure: User - Web Security Appliance - User Directory)

The proxy sends HTTP response code 407 (proxy authentication required)
  The client knows about the proxy and therefore accepts a 407 response from it
Works for HTTPS
  The client sends a CONNECT request to the proxy
  The client will then accept a 407 response from the proxy


Authentication in Transparent Deployment

(Figure: User - Web Security Appliance - User Directory - Internet web server)

The client is not aware of a proxy -> HTTP response code 407 cannot be used
HTTP response code 401 must be used instead
The client first needs to be redirected to the WSA (its redirect hostname)
The client must trust the redirect hostname when using NTLM to prevent prompting (for Internet Explorer this means the hostname belongs to the Local Intranet zone; otherwise NTLM credentials are not sent silently)

Multiple WSAs with WCCP and Authentication Loop

Knowledge base article #7623

Scenario:
  Multiple WSAs, transparent deployment with authentication
  1. Client requests a website
  2. Switch redirects the request to WSA1
  3. WSA1 needs authentication and redirects the client to WSA1's redirect hostname
  4. Client sends the request to WSA1; that request is itself redirected through WCCP
  5. The redirected request may end up on WSA1 but can also terminate at any other WSA in the cluster
  Strange things happen from now on...


WCCP with L3 Switch and Authentication

L2 redirect, multiple WSAs with authentication, avoiding the authentication loop: traffic addressed directly to a WSA is excluded from redirection
(Figure: WSA #1 and WSA #2 on VLAN40, clients on VLAN10, switch uplink to the Internet)

ip routing
ip wccp 91 redirect-list wsa
ip access-list extended wsa
 ! Do not redirect traffic going DIRECTLY to wsa1/2
 deny ip any host <wsa1>
 deny ip any host <wsa2>
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ip wccp 91 redirect in

Note: the deny entries require a platform and release whose redirect list accepts deny ACEs (see the 3560/3750 note above).


WSA, Authentication and SSL

In explicit mode, an HTTPS CONNECT request is made and the WSA replies with 407 Proxy Authentication Required
At this time, the WSA has the following information:
  - destination host
  - user agent
  - user credentials (verified)
The WSA can decide whether to decrypt based on:
  - destination host
  - user agent
  - proxy port
  - subnets
  - time range


WSA, Authentication and SSL (2)

In transparent mode, there is no CONNECT request
Since the client is not aware of the WSA, it starts a TCP connection to the remote server
The connection is redirected to the WSA and the client starts the HTTPS/SSL handshake directly
At this point the WSA only knows the destination IP and port
The WSA sends an HTTPS probe (its own Client Hello) to the server to get the Server Hello and the server certificate


WSA, Authentication and SSL (3)

With the server certificate, the WSA has knowledge of:
  - client IP
  - destination IP
  - server certificate
  - the Common Name (CN) from the server certificate, which is used as the request URL and thus for URL category matching
Based on this information the WSA can match an Identity and a Decryption Policy and determine whether to DECRYPT or PASS THROUGH the request
All information normally sent in the HTTP header (cookies, user agent, MIME type etc.) is encrypted inside the tunnel and thus not available to the WSA at this point


WSA, Authentication and SSL (4)

Should we decrypt? Very often the decision is based on URL category (think of finance websites...)


WSA, Authentication and SSL (5)

Finding out the correct URL category...
Solution:
  Use of SNI (Server Name Indication) is required on the proxy side (supported in v7.7)
  Most browsers have supported it for years
  The CLIENT HELLO of the TLS handshake carries the hostname in the SNI extension, so the proxy can categorize on the name the client asked for, before any certificate is seen
  SNI is sent in the clear and is chosen by the client; for a pass-through decision it should be checked against the server certificate, otherwise a client can name an allowed host in SNI and talk to a different one
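The following added example, not code from the deck or from the WSA, shows what the proxy has to do to get that hostname: walk the TLS record and ClientHello headers to the extension list and pull the host_name out of the SNI extension, returning nothing when the client sent no SNI (the case where only destination IP and port are known). The ClientHello bytes are constructed by the example itself (a zero random and a single cipher suite, which a real client would not send), so it runs offline.

```python
"""Added example, not part of the Cisco Live deck: extract the hostname a
browser puts into the TLS ClientHello Server Name Indication extension.

The ClientHello used here is constructed for the example (all-zero random,
one cipher suite); a real client sends more, but the layout is the same.
"""
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record, with SNI if a name is given."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name    # name_type host_name(0)
        sni = len(entry).to_bytes(2, "big") + entry               # ServerNameList
        exts += b"\x00\x00" + len(sni).to_bytes(2, "big") + sni   # extension type 0
    body = (b"\x03\x03" + bytes(32)      # client_version + 32-byte random (zeros here)
            + b"\x00"                    # empty session id
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00")               # compression: null only
    if exts:
        body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def sni_from_client_hello(record: bytes) -> Optional[str]:
    """Return the SNI host_name, or None if this is not a ClientHello with SNI."""
    if len(record) < 5 or record[0] != 0x16:                 # not a handshake record
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(hs) < 4 or hs[0] != 0x01:                         # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                              # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                      # session id
    if pos + 2 > len(body):
        return None
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")       # cipher suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                      # compression methods
    if pos + 2 > len(body):                                   # no extensions at all
        return None
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0 or len(data) < 2:
            continue
        p = 2                                                 # skip ServerNameList length
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = int.from_bytes(data[p + 1:p + 3], "big")
            p += 3
            if ntype == 0 and p + nlen <= len(data):
                return data[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


if __name__ == "__main__":
    print(sni_from_client_hello(build_client_hello("www.example.com")))
    print(sni_from_client_hello(build_client_hello(None)))
```

When `sni_from_client_hello()` returns None the proxy is back to the situation of the previous slides: it knows only IP and port and has to probe the server for its certificate. Even when a name is returned it is the client's claim, so a policy that passes traffic through based on SNI should compare it with the certificate the server presents.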


Authentication in Secure Mobility Deployment

(Figure: user with AnyConnect - ASA - Web Security Appliance - Internet web server; the ASA authenticates against the user directory and provides SSO to the WSA)

The user connects to the ASA via AnyConnect
The ASA authenticates the VPN connection against the user directory
After successful authentication, the ASA passes the user information to the WSA for Single Sign-On
  Not dependent on AD membership, works for all devices like tablets, phones, etc.
The user can surf via the WSA without the need to authenticate again
The WSA can be deployed explicit or transparent

DEMO: Secure Mobility on iPad with SSO

Transparent User Identification (TUI)

1. Client logs on to the AD domain; CDA tracks the AD audit logs (via WMI from the AD controller) and maps user to IP
2. Client requests a website
3. Traffic is transparently redirected to the WSA (switch with WCCP)
4. WSA needs to authenticate and queries the CDA for the user-to-IP mapping
5. WSA queries AD for the user's group
6. Request is proxied and forwarded to the Internet

Context Directory Agent

Linux image, installed on a virtual machine
Gets the user-to-IP mapping via WMI from the AD controller
Can be queried from the WSA, ASA or ASA-CX via RADIUS

TUI Summary & Caveats

Uses an agent (=CDA) running on a virtual machine
The same agent is also used for identity-based firewalling on the ASA and ASA-CX
Allows all applications on the client to work with authentication without starting a browser first
Supports IPv6 for client registration and RADIUS messages
Does not work if the client is NAT-ed after AD authentication but before reaching the WSA
Does not work in terminal server environments (many users share one IP)
Identity is inferred from the source IP only: whoever uses that address after the mapped user logged on gets that user's policy
If the client cannot be identified, fall back to the previous authentication mechanism like Basic or NTLM

WSA Performance Analysis

You will have the right tools both to deploy our solutions and to solve problems!

WSA Performance Analysis

(Figure: the components involved in one WSA transaction: Client, AD Server, DNS Server, WSA, Cisco SIO, WWW Server on the Internet)

Debugging Performance Issues

Download the file prox_track.log from the appliance via FTP
The file is written every 5 minutes with a timestamp
  The interval can be changed with advancedproxyconfig on the CLI


prox_track.log content

Contains various statistical data around proxy performance
Please do NOT consider all packet counts 100% accurate!
It just gives a good hint of what problem might be happening


General Statistics

Traffic statistics:
  If the number of throttled transactions keeps increasing, this could indicate that the appliance cannot handle the load


How to read prox_track.log

Statistics are snapshots of the total number of packets since the proxy started
Counters are reset after a reboot / restart of the proxy
Take the statistics from time X and time Y, then compare the change
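An added example (not a Cisco tool) of the comparison the slide describes: parse two snapshots into counters, compute the per-counter growth, refuse to report a window in which any counter decreased (that only happens after a proxy restart), and apply the throttled-transactions check from the General Statistics slide. The exact line format of prox_track.log is not shown on the slides, so the snapshots below are constructed as simple "name: value" lines for the example.

```python
"""Added example, not from the Cisco Live deck: compare two prox_track.log
snapshots. The counters are cumulative since the last proxy start, so only
the delta between two snapshots is meaningful, and a counter that went DOWN
means the proxy restarted in between (the window must be discarded).

The real prox_track.log layout is not shown on the slides; the snapshots
below are constructed as plain "name: value" lines for this example.
"""
import re
from typing import Dict, List, Optional

COUNTER = re.compile(r"^\s*([A-Za-z][\w ]*?)\s*:\s*(\d+)\s*$")


def parse_snapshot(text: str) -> Dict[str, int]:
    """Collect 'name: value' counters; headings and other lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


def delta(before: Dict[str, int], after: Dict[str, int]) -> Optional[Dict[str, int]]:
    """Growth of every counter between the two snapshots.

    Returns None if any counter decreased, which can only happen when the
    proxy restarted between X and Y: comparing across a reset is meaningless.
    """
    out = {}
    for name, new in after.items():
        old = before.get(name, 0)
        if new < old:
            return None
        out[name] = new - old
    return out


def load_warnings(d: Dict[str, int], throttle_key: str = "throttled transactions") -> List[str]:
    """The check the General Statistics slide suggests: throttled transactions
    growing inside a window mean the appliance is not keeping up."""
    if d.get(throttle_key, 0) > 0:
        return [f"{throttle_key} grew by {d[throttle_key]} in the window"]
    return []


# Constructed snapshots, five minutes apart, plus one taken after a restart.
SNAP_X = """\
Traffic Statistics:
  total transactions: 120000
  throttled transactions: 0
  cache hits: 35000
"""
SNAP_Y = """\
Traffic Statistics:
  total transactions: 132500
  throttled transactions: 410
  cache hits: 37900
"""
SNAP_AFTER_RESTART = """\
Traffic Statistics:
  total transactions: 800
  throttled transactions: 0
  cache hits: 100
"""

if __name__ == "__main__":
    d = delta(parse_snapshot(SNAP_X), parse_snapshot(SNAP_Y))
    print(d)
    print(load_warnings(d))
    print(delta(parse_snapshot(SNAP_Y), parse_snapshot(SNAP_AFTER_RESTART)))
```

Feed it two consecutive files from the FTP directory; if `delta()` returns None, the proxy restarted in between and the next pair of snapshots is the first usable window.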


Important Statistics

Client time: total time that the client was waiting until its request was fulfilled
Hit time: time that the WSA uses to fetch content from the cache
Miss time: time that the WSA takes to fetch all data from the server


Important Statistics (2)

Server transaction time: time for the total transaction to the server to be finished
Server wait time: time until the WSA gets the first byte from the server
  High values can mean upstream problems (firewall, router, ISP, upstream proxy)


Important Statistics (3)

DNS time: time for the WSA to do a DNS resolution
  A high value indicates a problem with the DNS server


Important Statistics (4)

Auth helper wait: time an authentication request waits until it is validated by AD / LDAP
  A high value indicates a problem with the connection to the authentication server
Auth helper service: time until an authentication request is fully validated
  Checks whether the IP address is already authenticated, checks surrogates, etc.


Important Statistics (5)

WBRS service time: time for the WSA to check the reputation score
Webcat service time: time for the WSA to check the URL category
AVC header scan service time: time to check the header of a request against the AVC signatures
AVC body scan service time: time to check the body of a request against the AVC signatures


Important Statistics (6)

Sophos, McAfee, Webroot
  Service time: time that the scanner used to scan the object
  Service queue time: time that the object stayed in the queue to be scanned
Adaptive scanning service time: time for the adaptive scanning process to scan an object


Adaptive Scanning

Each type of object gets a RISK score assigned
The score is based on the type of object, the effectiveness of each malware scanner for this type, and WBRS (WBRS must be enabled on the WSA)
The appliance scans objects with the scanner that is most appropriate for this object type
If the appliance has a performance problem with the anti-malware scanners, it will skip the scanning of low-risk objects
  Example: don't scan *.jpg files with McAfee when they come from websites with a good reputation


Customizing the Access Log

Add custom fields like %m (= authentication method) to the access_log
Variables can be appended to the access log format
The list of variables is found in the GUI; some older versions of the WSA software might not have the full list


Customizing the Access Log - Example

Custom field string:   %m AUTH: %:>a DNS: %:>d REP: %:>r

  %m    : authentication method
  %:>a  : authentication wait time
  %:>d  : DNS wait time
  %:>r  : reputation wait time
The text between the variables (AUTH:, DNS:, REP:) is any text acting as a comment for readability; it also gives a log parser something fixed to anchor on


Using SPLUNK to extract Data

Define a regex that looks for the keywords we put into the access log customization


Using SPLUNK to extract Data (2)

Save the field extraction so that SPLUNK applies it permanently to the access log source


Using SPLUNK to extract Data (3)

SPLUNK report on the average time for reputation lookup and DNS resolution per domain
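For readers without Splunk, the following added example (not the deck's Splunk search) does the same extraction and report in Python: it anchors on the AUTH:/DNS:/REP: keywords of the custom field string, pulls the domain from the URL field, and averages DNS and reputation wait time per domain. The four log lines are constructed for the example; their leading fields follow the standard WSA access log layout (timestamp, elapsed ms, client IP, result code, bytes, method, URL, ...) in simplified form, and the custom wait times are assumed to be milliseconds.

```python
"""Added example, not the deck's Splunk search: parse access_log lines that
end with the custom tail "%m AUTH: %:>a DNS: %:>d REP: %:>r" and report the
average DNS and reputation wait time per domain.

Sample lines are constructed for this example; the wait times are assumed
to be milliseconds. Denied requests carry no custom tail and are skipped.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Same idea as the Splunk field extraction: anchor on the literal keywords
# that were put into the custom format string.
CUSTOM_TAIL = re.compile(
    r"(?P<method>\S+) AUTH: (?P<auth>\d+) DNS: (?P<dns>\d+) REP: (?P<rep>\d+)\s*$"
)

SAMPLE_LOG = """\
1363330201.123 210 10.1.1.20 TCP_MISS/200 8187 GET http://www.example.com/index.html - DIRECT/www.example.com text/html DEFAULT_CASE_12 NTLMSSP AUTH: 12 DNS: 30 REP: 40
1363330202.456 95 10.1.1.21 TCP_MISS/200 512 GET http://www.example.com/logo.png - DIRECT/www.example.com image/png DEFAULT_CASE_12 NTLMSSP AUTH: 0 DNS: 10 REP: 20
1363330203.789 1800 10.1.1.22 TCP_MISS/200 4096 GET http://slow.example.net/ - DIRECT/slow.example.net text/html DEFAULT_CASE_12 BASIC AUTH: 400 DNS: 900 REP: 300
1363330204.000 5 10.1.1.23 TCP_DENIED/403 0 GET http://blocked.example.org/ - NONE/- - BLOCK_WEBCAT_11
"""


def parse_line(line: str) -> Optional[Tuple[str, str, int, int, int]]:
    """Return (domain, auth_method, auth_ms, dns_ms, rep_ms), or None when the
    line has no custom tail (e.g. a denied request that never reached DNS)."""
    m = CUSTOM_TAIL.search(line)
    if not m:
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    domain = urlsplit(fields[6]).hostname or fields[6]   # URL is the 7th field
    return domain, m["method"], int(m["auth"]), int(m["dns"]), int(m["rep"])


def average_by_domain(log_text: str) -> Dict[str, Tuple[float, float]]:
    """Average (dns_ms, rep_ms) per domain over all lines with custom fields."""
    sums = defaultdict(lambda: [0, 0, 0])               # dns total, rep total, count
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        domain, _method, _auth, dns, rep = parsed
        sums[domain][0] += dns
        sums[domain][1] += rep
        sums[domain][2] += 1
    return {d: (s[0] / s[2], s[1] / s[2]) for d, s in sums.items()}


def slowest(log_text: str, metric: str = "dns", threshold_ms: int = 500) -> List[str]:
    """Domains whose average for metric ('dns' or 'rep') exceeds threshold_ms."""
    idx = 0 if metric == "dns" else 1
    return sorted(d for d, v in average_by_domain(log_text).items() if v[idx] > threshold_ms)


if __name__ == "__main__":
    for domain, (dns, rep) in average_by_domain(SAMPLE_LOG).items():
        print(f"{domain:20s} dns={dns:.0f}ms rep={rep:.0f}ms")
    print("slow DNS:", slowest(SAMPLE_LOG))
```

Point `average_by_domain()` at a real access_log (after adding the custom fields to the log subscription) to get the same per-domain table the Splunk report shows; `slowest()` is the quick check for a single resolver or reputation-lookup problem hiding behind one domain.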


Using SPLUNK to extract Data (4)


Example for Reputation Time


Using SPLUNK to extract Data (5)


Example for DNS Time


Summary for WSA Performance Analysis

The WSA has very detailed logs to troubleshoot performance issues
Use the prox_track.log file for general performance checks
Use customized access logs for detailed checking of single requests
SPLUNK is a great tool to help you analyze, especially when combined with customized logs!



Deploying ASA NGFW Web Security

ASA NGFW

ASA NGFW - Overview

ASA NGFW is an add-on module for the ASA
Available as a HW module for the 5585-X, soon as a SW module for the 5500-X
Functionalities:
  Application Visibility and Control for all ports
  URL filtering with reputation
  Identity against AD, LDAP or CDA
  Decryption of SSL traffic
Management of the ASA-CX is done via Prime Security Manager (RESTful XML API)

ASA NGFW - Policies

Access policies
  Filter on URL, MIME type, user agent
  Filter based on reputation
  Filter based on source, destination, network / service objects, ...
Identity policies
  Active: Basic authentication, NTLM, Kerberos, LDAP
  Passive: CDA agent
Decryption policies
  Decrypt SSL traffic
  Decision based on URL, source, destination, user agent, ...

ASA NGFW Deployment

ASA with NGFW module, inline deployment
  No client configuration required
  Deactivation of HTTP inspection on the ASA is necessary

Packet path through the ASA with the module:
  1. Initial security checks
  2. Access-list checks, connection matching
  3. NGFW module content filtering
  4. Network Address Translation
  5. Application protocol inspection
  6. Output processing and transmit


ASA NGFW Deployment

Traffic is redirected from the ASA to the module via MPF:

policy-map global_policy
 class class-default
  cxsc fail-open
service-policy global_policy global

fail-open means the ASA keeps passing traffic uninspected if the module is down; use cxsc fail-close when the policy must not be bypassed on a module failure


Functional Distribution

Handled by the ASA NGFW module:
  URL category / reputation
  HTTP inspection
  AVC
  TLS proxy
  TCP proxy
Handled by the ASA:
  TCP normalization
  NAT
  TCP intercept
  Routing
  IP option inspection
  ACL
  IP fragmentation
  VPN termination
Multiple policy decision points


ASA NGFW Functionalities for Web Security

Feature                            | ASA with ASA NGFW        | WSA
-----------------------------------|--------------------------|-----------------------------
Deployment                         | Inline, promiscuous mode | Transparent (WCCP), explicit
URL filtering                      | Yes                      | Yes
Web reputation                     | Yes                      | Yes
Malware scanner                    | No                       | Yes, up to three concurrent
DLP                                | No                       | External interface
Caching                            | No                       | Yes
Bandwidth control for video        | No                       | Yes
General bandwidth control          | No (roadmapped)          | No (roadmapped)
Application Visibility and Control | Yes, all ports           | Yes, web ports only
Native FTP proxy                   | No                       | Yes
SOCKS proxy                        | No                       | Yes (v7.7)


ASA NGFW Functionalities for Web Security (2)

Feature                                     | ASA with ASA NGFW                      | WSA
--------------------------------------------|----------------------------------------|----------------------------------------------------
Customizable End User Notification (EUN)    | Yes                                    | Yes
Warning page for user                       | No (roadmapped)                        | Yes
Export logs to SIEM                         | No (roadmapped)                        | Yes
Multilanguage EUN                           | No                                     | Yes
Authentication                              | Basic, NTLM, Kerberos, Passive (CDA)   | Basic, NTLM, Kerberos (roadmapped), Passive (CDA)
Authentication tracking                     | IP surrogates                          | IP surrogates, cookie surrogates
Authentication, multiple NTLM realms        | No                                     | Yes, up to 10 (v7.7)
Decryption of TLS                           | Yes                                    | Yes
Decryption with Server Name Indication ext. | Yes                                    | Yes (v7.7)
IPv6 traffic                                | Yes                                    | No (roadmapped)


DEMO: ASA with ASA NGFW handling IPv6

Summary and Conclusion

ASA NGFW is a HW or SW module on the ASA platform
It has its own management system
It has the essential web security features, including IPv6
For full web proxy functionality and flexibility, take a look at the WSA or the Cisco Cloud Web Security solution (ex-ScanSafe)
Know the limitations and functionalities of each solution!


Angel Aloisius
What happened to the advice to the Bavarian government???

