CISCO VALIDATED DESIGN

Internet Edge
Design Summary
October 2015

REFERENCE
NETWORK
ARCHITECTURE
 

Table of Contents
Introduction...................................................................................................................................... 1
Sub-Architectures for Specific Capabilities...................................................................................... 8
Edge Connectivity ............................................................................................................................................................8

Firewall Segmentation & Intrusion Prevention....................................................................................................................9

Remote Access VPN...................................................................................................................................................... 10

Email Security Using ESA............................................................................................................................................... 11

Web Security.................................................................................................................................................................. 13

Cisco Web Security Appliance........................................................................................................................ 15

Cisco Cloud Web Security.............................................................................................................................. 16

Cisco CWS Using the Connector for Cisco ASA............................................................................................. 16

Cisco CWS Using Cisco AnyConnect............................................................................................................. 18

Guest Wireless Termination............................................................................................................................................ 20

Future Releases of Internet Edge ................................................................................................... 21

Summary........................................................................................................................................ 22

Cisco Validated Design

 Introduction

Introduction
This guide describes architectural best practices for organizations with up to 10,000 connected users.
An important segment of an enterprise network is the Internet edge, where the corporate network meets the pub-
lic Internet. As your network users reach out to websites and use email and other collaboration tools for business-
to-business communication, the resources of the corporate network must remain both accessible and secure.
The Secure Architectural Framework Example (SAFE) for business networks locates the Internet edge as one of
the places in the network (PINs). SAFE simplifies complexity across the enterprise by implementing a model that
focuses on the areas that a company must secure. This model treats each area holistically, focusing on today’s
threats and the capabilities needed to secure each area against those threats. Cisco has deployed, tested, and
validated critical challenges. These solutions provide guidance, complete with configuration steps that ensure ef-
fective, secure deployments for our customers.

The Internet edge is the highest-risk PIN because it is the primary Ingress for public traffic and the primary egress
point to the Internet. Simultaneously, it is the critical resource that businesses need in today’s Internet-based
economy. SAFE matches up defensive capabilities against the categories of threats today.

Cisco Validated Design page 1


The capabilities and architectures for the Internet edge provide users with the secure network access they re-
quire, from a wide variety of locations and devices. The following table describes the functional security capabili-
ties of Internet edge.
Table 1  SAFE defenses against specific Internet edge threats
Threat
Use of malformed packets and
abnormal protocol processes
to gain access to the public
and private networks
Infiltration via worms, viruses
and various types of attacks
to gain access to the internal
servers by using Layer 4-7
traffic
Monitoring of unencrypted
network traffic allows thieves to
easily steal data and creden-
tials
Access to critical resources by
impersonating trusted users
with basic authentication
Distribution of viruses, malware
files or compromised web links
by email. Exfiltration of private
data via email
Infected ads and bogus web
sites lure in users to access the
malicious content by redirec-
tion and service insertion
Single or multiple files which
form a malware package and
distributes itself throughout the
entire network of servers and
devices
Zero-day attacks and new
forms of malware can initially
bypass protections imple-
mented through learned threat
intelligence.
table continued on next page
Cisco Validated Design
Introduction
Defense
Firewall segmentation—Protects the network
infrastructure and data resources through stateful
packet filtering, protocol inspection, and network
address translation
Intrusion detection & prevention—Protects the
network infrastructure and data resources from
Internet-based threats such as worms, viruses,
and targeted attacks by performing application
and user-aware security inspection of Layer 4-7
traffic coordinated with global threat prevention
information
Remote access VPN—Provides secure encrypted
access to resources inside the organization from
remote locations and mobile devices
Access control + TrustSec—Selective restriction
of access, based on context, to a place or other
resource
Email security—Provides encryption, anti-spam,
anti-malware, anti-virus inspection and message
filtering services that protect against data loss and
exfiltration
Web security—Provides inspection and filtering for
web reputation, anti-malware, anti-virus. Protects
against data loss and data exfiltration. Enforces
acceptable-use controls and user monitoring
Anti-malware—Files are securely analyzed and
correlated against hundreds of millions of other
analyzed malware artifacts to provide a global view
of malware attacks, campaigns, and their distribu-
tion on current and historical malware artifacts,
indicators, and samples
Threat intelligence—Threat intelligence is ev-
idence-based knowledge, including context,
mechanisms, indicators, implications, and action-
able advice about an existing or emerging menace
or hazard to assets that can be used to inform
decisions regarding the subject’s response to that
menace or hazard
page 2

table continued from previous page
Threat
New command & control traffic,
telemetry and data exfiltration
from successful attacks
Downloaded viruses and
malware compromise devices,
which take over systems and
replicate
Unencrypted traffic being
copied and stolen from the in-
frastructure via monitoring and
malware
Application-specific attacks
that take advantage of poor
application-development tech-
niques and insecure modules
Massively scaled attacks that
overwhelm the capacity of
the network bandwidth, de-
vice throughput, or process-
ing capabilities of the network
devices and/or servers
Infected ads and bogus web
sites lure in users to access the
malicious content by redirec-
tion and service insertion
Accessing valuable network
data through the deployment
of rogue wireless devices and
interception attacks
Compromised or infected
devices allowed onto a network
proliferate the distribution of
malware and viruses to adja-
cent network users
Cisco Validated Design
Introduction
Defense
Flow analytics—Network data flow behavior is
analyzed to identify security incidents
Host-based security—Security software to protect
the host consisting of anti-virus, anti-malware,
host firewall and VPN encryption.
TLS encryption offload—This capability represents
the ability to decrypt an encrypted data flow to
and from a set of services. This hardware accel-
erated offloading reduces the general computing
load on the end servers, thereby improving scal-
ability
Web application firewalling—Advanced, special-
ized web application inspection and monitoring
for inbound and outbound service calls meeting a
specifically tuned and configured policy
DDOS protection—Protection against network,
session and application attacks such as: SYN
floods, connection floods, ICMP fragmentation,
DNS, SSL and the growing number of Layer 7 at-
tacks
Cisco Cloud Web Security—Web Security servic-
es that are based off-premise and in the cloud for
lean enterprise deployments and roaming/remote
user protection.
Guest wireless WIPS—Coordinated infrastructure
to detect, locate, mitigate, and contain wireless
rogues and threats at Layers 1 through 3
Guest network mobile device management—
Control over endpoint access based on defined
policies such as disallowing jail-broken devices,
devices without anti-virus software, or prevent-
ing corporate managed devices from using less
secure guest networks
page 3
 Introduction

Table 2  SAFE non-security-specific network capabilities

L2 / L3 Network——Routing and switching equipment that enables communication across an

enterprise infrastructure and the Internet

Load balancing—Systems that distribute workloads across multiple computing resources to

optimize resource use, maximize throughput, minimize response time, and avoid overload of
any single resource

Wireless—Controllers and access points enabling the network connectivity necessary for mo-
bile devices to communicate with the enterprise infrastructure.

LAN segment—Physical or virtual network segment

Table 3  SAFE management capabilities supporting the Internet edge

Identity/authorization—AAA provides the method of identifying users and authorizing their ac-
cess to services and resources and tracking their use

Policy/configuration—Centralized and unified network management to provide consistent, se-

cure access to end users, however they connect

Analysis/correlation---SIEM technology provides real-time reporting and long-term analysis

of security events. The technology can also provide log collection, normalization, correlation,
aggregation and reporting

Monitoring—Collection of network flows or traffic from specific infrastructure segments.

Vulnerability management— System tools that continually scan and test devices attached to
the infrastructure, document them, and prompt for remediation on an ongoing basis

Logging/reporting—Centralized repository that collects syslog, SNMP, and other event infor-
mation from all devices to ensure the integrity and enable the correlation of events.

Time synchronization—NTP is used to synchronize clocks among devices. This synchronization

allows all events to be correlated when system logs are created and when other time-specific
events occur.

Cisco Validated Design page 4

 Introduction

These security capabilities address the top threats and risks facing organizations today.
When developing individual designs, you should also take into consideration such non-security considerations as:
•• Load-balancing routing protocols (e.g., eBGP, EIGRP, OSPF)

•• VLANs for segmentation

•• High-availability protocols such as HSRP & VRRP

•• Common platform services such as network time protocol (NTP) and authentication, authorization, and ac-
counting (AAA)

These topics will be covered in additional SAFE guides.

Figure 1 depicts the deployment and distribution of capabilities for building an Internet edge by using Cisco best
practices. Capabilities are grouped into different security zones in order to more easily define policies for these
areas (Untrusted, VPN, Perimeter, DMZ and Trusted). The dotted lines illustrate combined capabilities that you
may implement in a single device. This further simplifies the connectivity and linking of the necessary capabilities
in order to achieve the goals of the proposed architecture.
The Untrusted zone contains the edge routing capability as well as both the on-premise and off-premise distrib-
uted denial-of-service (DDOS) capabilities. Cloud web services are included for illustration proposes at this time.
The remote access virtual private network (RA VPN) zone implements dedicated resources to connect remote
users and sites.
The perimeter zone has the all of the core security and inspection capabilities necessary to protect the enterprise
and segments the connections of the other zones.
The demilitarized zone (DMZ) is a restricted zone containing both internal and public facing services.
The trusted enterprise contains core services in order to securely implement, manage, monitor and operate the
Internet edge.

Cisco Validated Design page 5

 Introduction

Figure 1  Internet edge capabilities

Untrusted

RA VPN Perimeter DMZ

1350F
Trusted Enterprise

After defining the desired capabilities of the Internet edge, you can transition from a capability view to an archi-
tecture view. The architecture enables the selection of product classes and models aligning the needs of the
enterprise and to the available features unique to each platform.
The Internet edge architecture includes segmentation capabilities, such as LANs and VLANs separating services
from each other. Several capabilities are duplicated in various areas in order to provide the best protection pos-
sible (e.g., NGIPS at both the perimeter and after TLS decryption in the DMZ). Implementing dedicated resources
in several areas ensures acceptable performance across the entire architecture.

Cisco Validated Design page 6

 Introduction

Figure 2  Internet edge architecture

Untrusted
Web
CWS ISP DDOS Cisco Load Application
WLC Balancer Firewall

Cisco ASR

Cisco
AMP on
Endpoint

Cisco Cisco Security

Security Appliance
Appliance

Cisco Cisco Cisco Cisco

WSA ESA Security Security
Cisco Security Appliance Appliance
Appliance

RA VPN Perimeter DMZ

Trusted
Enterprise

1351F
Figure 2 does not depict how high-availability requirements can be met through the deployment of redundant
paired devices. This design assumes that you would deploy all capabilities as such when creating the detailed
designs.

Cisco Validated Design page 7

 Sub-Architectures for Specific Capabilities

Sub-Architectures for Specific Capabilities

The following sections provide greater detail and guidance for deploying security capabilities in the Internet edge.
Several have been fully validated using Cisco’s Validated Design program. For more information, see Cisco’s
Design Zone:
http://www.cisco.com/go/designzone

EDGE CONNECTIVITY
Two deployment options can address Internet edge capabilities with high availability and meet operational re-
quirements for device-level separation between the remote access VPN and the firewall. The design shown in
the following figure uses a single Internet connection and integrates the remote-access VPN function in the same
Cisco Adaptive Security Appliance (ASA) pair that provides the firewall functionality.

Figure 3  Single ISP topology

Untrusted
Web
CWS ISP DDOS Cisco Load Application
WLC Balancer Firewall

Cisco ASR

Cisco
AMP on
Endpoint

Cisco Cisco Security

Security Appliance
Appliance

Cisco Cisco Cisco Cisco

WSA ESA Security Security
Cisco Security Appliance Appliance
Appliance

RA VPN Perimeter DMZ

Trusted
Enterprise
1352F

Cisco Validated Design page 8

 Sub-Architectures for Specific Capabilities

The following figure shows a dual ISP design that provides highly resilient Internet access. This design uses a
separate pair of Cisco ASA appliances in order to provide a remote access VPN, which offers additional scalability
and operational flexibility.

Figure 4  Dual ISP topology

Untrusted
Web
ISP A ISP B Cisco Load Application
WLC Balancer Firewall

Cisco ASR

Cisco
AMP on
Endpoint

Cisco Cisco Security

Security Appliance
Appliance

Cisco Cisco Cisco Cisco

WSA ESA Security Security
Cisco Security Appliance Appliance
Appliance

RA VPN Perimeter DMZ

Trusted
Enterprise

1353F

FIREWALL SEGMENTATION & INTRUSION PREVENTION

Firewalls and intrusion prevention systems (IPSs) provide vital security at the Internet edge. Firewalls control ac-
cess into and out of the different segments of the Internet edge to filter unwanted and malicious traffic. Many
firewalls also provide a suite of additional services such as network address translation (NAT) and multiple secu-
rity zones. Support for policy-based operation can enhance firewall effectiveness by providing security without
interfering with access to Internet-based applications or hindering connectivity to business partners’ data via
extranet VPN connections.

Cisco Validated Design page 9

 Sub-Architectures for Specific Capabilities

Intrusion prevention systems complement firewalls by inspecting the traffic traversing the Internet edge in order to
identify malicious behaviors and prevent proliferation of the malicious traffic.
Architectures for the Internet edge address firewall and IPS capabilities with the Cisco ASA family. Cisco ASA
platforms provide advanced firewall and IPS capabilities with enterprise-class performance and security in a
scalable design that can readily adapt to changing needs. They are situated between the organization’s internal
network and the Internet in order to minimize the impact of network intrusions while maintaining worker productiv-
ity, business communications and information integrity..
Designs for the Internet edge use the Cisco ASA 5500-X Series, configured in routing mode in active/standby
pairs for high availability. They apply NAT and firewall policy and support FirePOWER next generation intrusion
prevention software (NGIPS) that detects and mitigates malicious or harmful traffic. FirePOWER NGIPS delivers
complete contextual awareness, full visibility, and control of users, devices and content in order to provide indus-
try-leading threat prevention.
For more information about firewall and IPS solution deployment, see the Firewall and IPS Technology Design Guide.
This guide covers the creation and use of demilitarized zone (DMZ) segments for Internet-facing services such as
a web presence. The NGIPS content covers Internet edge inline deployments and internal distribution layer intru-
sion detection system (IDS) deployments.

REMOTE ACCESS VPN

Employees, contractors, and partners often need to access the network when traveling or working from home or
from other off-site locations. Many organizations therefore need to provide users in remote locations with network
connectivity to data resources.
A secure connectivity solution for the Internet edge should support:
•• A wide variety of endpoint devices.

•• Seamless access to networked data resources.

•• Authentication and policy control that integrates with the authentication resources used by the organization.

•• Cryptographic security to prevent sensitive data from exposure to unauthorized parties who accidentally or
intentionally intercept the data.

Designs for the Internet edge address these needs with the Cisco ASA Family and Cisco AnyConnect Secure
Mobility Client.
The Cisco AnyConnect Secure Mobility Client is recommended for remote users who require full network con-
nectivity. The Cisco AnyConnect client uses SSL and is designed for automated download and installation. SSL
access can be more flexible and is likely to be accessible from more locations than IPsec, as few companies
block HTTPS access out of their networks. The AnyConnect client may be configured as an always-on VPN.
The Trusted Network Detection capability of the Cisco AnyConnect client determines if a laptop is on a trusted
internal network or an untrusted external network. If on an untrusted network, the client automatically tries to
establish a VPN connection to the primary site. The user needs to provide credentials for authentication, but no
other intervention is required. If the user disconnects the connection, no other network access is permitted.

Cisco Validated Design page 10

 Sub-Architectures for Specific Capabilities

Designs for the Internet edge offer two remote-access VPN design models:
•• Remote access VPN integrated with Cisco ASA Series firewall (integrated design module)—This option is
available with a lower capital investment and reduces the number of devices the network engineering staff
must manage.

•• Remote access VPN deployed on a pair of standalone Cisco ASA appliances (standalone design mod-
ule)—This design offers greater operational flexibility and scalability while providing a simple migration path
from an existing RA VPN installation.

For detailed design and configuration information about implementing a remote access VPN via Cisco AnyCon-
nect for SSL connections, see the Remote Access VPN Technology Design Guide.

EMAIL SECURITY USING ESA

Email is a critical business service used by virtually everyone, every day, which makes it an attractive target for
hackers. The two major threats to email systems are spam and malicious email.
If spam is not properly filtered, its sheer volume can consume valuable resources such as bandwidth and stor-
age, and require network users to waste time manually filtering through messages. Legitimate messages may
be discarded, potentially disrupting business operations. Failing to protect an email service against spam and
malicious attacks can result in a loss of data and network-user productivity. Malicious email most often consists of
embedded or phishing attacks. Embedded attacks contain viruses and malware that perform actions on the end
device when clicked. Phishing attacks attempt to mislead network users into releasing sensitive information such
as credit card numbers, social security numbers, or intellectual property.
Cisco Email Security Appliance (ESA) protects the email infrastructure and network users who use email at work
by filtering unsolicited and malicious email before it reaches the user. The goal of the solution is to filter out posi-
tively identified spam and quarantine or discard email sent from untrusted or potentially hostile locations. Antivirus
scanning is applied to emails and attachments from all servers in order to remove known malware.
Cisco ESA easily integrates into existing email infrastructures by acting as a mail transfer agent (MTA), or mail
relay, within the email-delivery chain. A normal email exchange, in which an organization is using an MTA, might
look like the message flows shown in Figure 5 and Figure 6.

Cisco Validated Design page 11

 Sub-Architectures for Specific Capabilities

Figure 5  Inbound email message flow

1 Sender sends email to

xyz@companyX.com
2 What is IP for CompanyX mail server
(MX and A record DNS lookup)?

3 IP address for CompanyX email is

a.b.c.d (Cisco ESA at CompanyX)

Internet DNS
4 Email is sent Server

Cisco Email
Security Appliance

5 After inspection,
the email is sent to the
central email server

Email
Server

1071F
6 Employee retrieves cleaned email

Figure 6  Outbound email message flow

6 Recipient retrieves email

3 Cisco ESA inspects outbound email

4 Cisco ESA performs DNS lookup

5 Email is sent for recipient domain and retrieves
MX and A records

Cisco Email
Security Appliance

2 Central email server forwards

all non-local messages to
Cisco ESA smart host

Email
Server
1078F

1 Employee sends email to

xyz@companyY.com

Cisco Validated Design page 12

 Sub-Architectures for Specific Capabilities

Cisco ESA can be deployed with a single physical interface to filter email to and from an organization’s mail
server. A second, two-interface configuration option transfers email to and from the Internet by using one inter-
face, and to and from internal servers by using the second interface. The Internet edge design uses the single-
interface model for simplicity.
For more information about email security and Cisco ESA, see the Email Security Using ESA Technology Design
Guide.

WEB SECURITY
Web access is a requirement for the day-to-day functions of most organizations, but a challenge exists to main-
tain appropriate web access for everyone in the organization while minimizing unacceptable or risky use. A solu-
tion is needed to control policy-based web access in order to ensure that users work effectively and ensure that
personal web activity does not waste bandwidth, affect productivity, or expose the organization to undue risk.
Another risk associated with Internet access for the organization is the pervasive threat that exists from accessing
sites and content. Other threats include the still popular and very broad threats of viruses and Trojans, in which a
user receives a file in some manner and is tricked into running it, and the file then executes malicious code. The
third variant uses directed attacks over the network. These types of risks are depicted in the figure below.

Figure 7  Business reasons for deploying Cisco Cloud Web Security

Bandwidth
waste Internet Edge
Firewall
User
Internet
Community

Malicious software worms,

viruses, phishing attacks, etc.

2292F
Non-work-related
web browsing

Two options address the need for a corporate web security policy by offering a combination of web usage con-
trols with category and reputation-based control, malware filtering, and data protection:
•• Cisco Web Security Appliance (WSA), which is deployed on premise

•• Cisco Cloud Web Security (CWS), which is accessed by using the Cloud Web Security Connector for Cisco
ASA or by using Cisco AnyConnect Secure Mobility Client.

Cisco Validated Design page 13

 Sub-Architectures for Specific Capabilities

Some key differences between Cisco CWS and Cisco WSA include the items listed in the following table.

Table 4  Cisco Web Security solution comparison

Cisco CWS Cisco WSA

Web/URL filtering Yes Yes
Supported protocols HTTP/HTTPS HTTP/HTTPS, FTP
Yes Yes
(Multiple scanners for malware) (URL/IP reputation filter-
Outbreak Intelligence ing, multiple scanners for
(Zero Day Malware) malware)
VPN backhaul or direct to cloud using VPN backhaul
Remote user security Cisco AnyConnect1
Deployment Redirect to cloud service On Premise Redirect
Policy and reporting Web portal (cloud) On Premise

Note:
1. Windows and Mac OS Only

Cisco Validated Design page 14

 Sub-Architectures for Specific Capabilities

Cisco Web Security Appliance

Cisco WSA is a web proxy that works with other Cisco network components such as firewalls, routers, or switch-
es in order to monitor and control web content requests from within the organization. It also scrubs the return
traffic for malicious content, as shown in the following figure.

Figure 8  Cisco WSA traffic flows

RA VPN Client
or
RA VPN Web Site
Mobile Client

RA VPN Client
or
Web Site RA VPN Web Site
Mobile Client

Internet

Internet
Cisco
WSA Internet
Internal
Network

Internal
Network
Cisco
WSA
Cisco
User Internal WSA
Community Network
3027F

Cisco WSA is connected by one interface to the inside network of Cisco ASA. In the Internet edge design, Cisco
WSA connects to the same LAN switch as the ASA appliance and on the same VLAN as the inside interface of
the ASA appliance. Cisco ASA redirects HTTP and HTTPS connections by using the Web Cache Communication
Protocol (WCCP) to Cisco WSA.
For more information about how to deploy this solution, see the Web Security Using Cisco WSA Technology Design
Guide. This guide focuses on using Cisco WSA in an Internet edge solution. It covers the mechanisms used to
apply web security and content control, as well as the use of transparent -proxy mode and explicit-proxy mode
deployments for redirecting web traffic to Cisco WSA.

Cisco Validated Design page 15

 Sub-Architectures for Specific Capabilities

Cisco Cloud Web Security

Through the use of multiple techniques, Cisco CWS provides granular control over all web content that is ac-
cessed. These techniques include real-time dynamic web content classification, a URL-filtering database, and
file-type and content filters. The policies enforced by Cisco CWS provide strong web security and control for an
organization. Cisco CWS policies apply to all users regardless of their location and device type.

Figure 9  Cisco CWS Internet edge design

Web Sites

Approved
Web Requests

Blocked
Cisco Cloud Content
Web Security
Blocked
Internet Files

Blocked
URLs

Approved
Content
Internet
DMZ Switches Servers

Cisco ASA

Distribution
Switches
Traffic Redirected to
2293F

User Cisco Web Security

Community

Cisco CWS Using the Connector for Cisco ASA

Internal users at both the primary site and remote sites access the Internet by using the primary site’s Internet-
edge Cisco ASA, which provides stateful firewall and intrusion prevention capabilities. It is simple and straightfor-
ward to add Cisco CWS to a Cisco ASA appliance that is already configured and operational. This integration uses
the Cloud Web Security Connector for Cisco ASA and requires no additional hardware.

Cisco Validated Design page 16

 Sub-Architectures for Specific Capabilities

Cloud Web Security using Cisco ASA enables the following security capabilities:
•• Transparent redirection of user web traffic—Through seamless integration with the Cisco ASA firewall, web
traffic is transparently redirected to the Cisco CWS service. No additional hardware or software is required,
and no configuration changes are required on user devices.

•• Web filtering—Cisco CWS supports filters based on predefined content categories and it also supports more
detailed custom filters that can specify application, domain, and content type or file type. The filtering rules
can be configured to block or warn based on the specific web-usage policies of an organization.

•• Malware protection—Cisco CWS analyzes every web request in order to determine if content is malicious.
CWS is powered by the Cisco Security Intelligence Operations (SIO) whose primary role is to help organi-
zations secure business applications and processes through identification, prevention, and remediation of
threats.

•• Differentiated policies—The Cisco CWS web portal applies policies on a per-group basis. Group member-
ship is determined by the group authentication key of the forwarding firewall, source IP address of the web
request, or the Microsoft Active Directory user and domain information of the requestor.

The Cisco ASA firewall family sits between the organization’s internal network and the Internet and is a funda-
mental infrastructural component that minimizes the impact of network intrusions while maintaining worker pro-
ductivity and data security. The design uses Cisco ASA to implement a service policy that matches specified traf-
fic and redirects the traffic to the Cisco CWS cloud for inspection. This method is considered a transparent proxy,
and no configuration changes are required to web browsers on user devices.
The various traffic flows for each of these user types are shown in the following figures.

Figure 10  Cisco CWS with internal and guest users

Cisco Cloud Cisco Cloud

Web Security Web Site Web Security Web Site

Internet Internet

Guest
Internal Network
Network
3028F

Internal Guest
User User

Cisco Validated Design page 17

 Sub-Architectures for Specific Capabilities

Figure 11  Cisco CWS for mobile devices using remote-access VPN

Cisco Cloud Cisco Cloud

Web Security Web Security

RA VPN RA VPN
Mobile Device Web Site Mobile Device Web Site

Internet Internet

Internal Internal

3029F
Network Network

Certain source and destination pairs should be exempted from the service policy, such as remote-access VPN
users accessing internal networks or internal users accessing DMZ networks.
For information about how to deploy this solution, see the Cloud Web Security Using Cisco ASA Technology Design
Guide. This guide discussed the configurations required to implement a Cisco ASA service policy that matches
specified traffic and redirects the traffic to the Cisco CWS cloud for inspection. This method is considered a
transparent proxy, and no configuration changes are required to web browsers on user devices..

Cisco CWS Using Cisco AnyConnect

Mobile remote users connect to their organization’s network by using devices that generally fall into two catego-
ries:
•• Laptops

•• Mobile devices such as smartphones and tablets

When provisioned with the Cisco AnyConnect Secure Mobility Client with Cisco CWS module, laptops are not
required to send web traffic to the primary site. The CWS module gives the Cisco AnyConnect client the abil-
ity to let Internet web traffic go out through a Cisco CWS proxy directly to the destination, without forcing traffic
through the organization’s headend. Without Cisco CWS, the traffic must be routed down the VPN tunnel, in-
spected at the campus Internet edge, and then redirected to the original destination.

Cisco Validated Design page 18

 Sub-Architectures for Specific Capabilities

This process consumes bandwidth and potentially increases latency. With Cisco CWS, the connection can be
proxied through the Cisco ScanSafe cloud and never has to traverse the VPN tunnel, as shown in the following
figure.

Figure 12  Web traffic flow for CWS with Windows and Mac OS X clients

RA VPN
Client Web Site

Cisco Cloud
Web Security

Internal Traffic
(Static Exceptions) Internet

Internal

1115F
Network

For the web security of Microsoft Windows and Apple Mac OS laptops, Cloud Web Security using Cisco AnyCon-
nect enables the following security capabilities:
•• Redirect web traffic—The Cisco CWS module can be integrated into the Cisco AnyConnect client, allowing
web traffic to be transparently redirected to the Cisco CWS service. The CWS module is administered cen-
trally on the RAVPN firewall and requires no additional hardware. Once installed, the CWS module continues
to provide web security even when disconnected from the RAVPN firewall.

•• Filter web content—Cisco CWS supports filters based on predefined content categories, as well as custom
filters that can specify application, domain, content type, or file type. The filtering rules can be configured to
block or warn based on the specific web usage policies of an organization.

•• Protect against malware—Cisco CWS analyzes every web request to determine if the content is malicious.
CWS is powered by the Cisco Security Intelligence Operations, the primary role of which is to help organi-
zations secure business applications and processes through identification, prevention, and remediation of
threats.

•• Apply differentiated policies—The Cisco CWS web portal applies policies on a per-group basis. Group mem-
bership is determined by the group authentication key assigned within the Cisco AnyConnect CWS profile on
the RAVPN firewall.

Cisco Validated Design page 19

 Sub-Architectures for Specific Capabilities

Cloud Web Security using Cisco AnyConnect enables the following network capabilities:
•• User authentication—The AnyConnect client requires all remote access users to authenticate before negoti-
ating a secure connection. Both centralized authentication and local authentication options are supported.

•• Differentiated access—The remote access VPN is configured to provide different access policies depending
on assigned user roles.

•• Strong encryption for data privacy—The Advanced Encryption Standard cipher with a key length of 256 bits
is used for encrypting user data. Additional ciphers are also supported.

•• Hashing for data integrity—The Secure Hash Standard 1 cryptographic hash function with a 160-bit message
digest is used to ensure that data has not been modified during transit.

For more information about how to deploy this solution, see the Cloud Web Security Using Cisco AnyConnect Tech-
nology Design Guide.

GUEST WIRELESS TERMINATION

Guest wireless termination within the Internet edge is detailed in the Campus Wireless LAN Technology Design
Guide. The designs contained within the Campus Wireless LAN Technology Design Guide provide ubiquitous
data and voice connectivity for employees and provides wireless Internet access for guests. Regardless of their
location within the organization—on large campuses or at remote sites—wireless users have the same experience
when connecting to voice, video, and data.

Cisco Validated Design page 20

 Future Releases of Internet Edge

Future Releases of Internet Edge

This architecture document and its associated design guides describe only a portion of Internet edge’s many
capabilities. Future releases will describe some of the following capabilities:
•• Threat intelligence

•• Anti-malware

•• Host-based security

•• Web application firewalling

•• DDOS prevention

•• TLS encryption offload

•• Flow analytics

•• Load-balancing considerations

•• Management and policy

Cisco Validated Design page 21

 Summary

Summary
Today’s networks extend to wherever employees are, wherever data is, and wherever data can be accessed.
The Internet edge is often the first line of attack and is subsequently the first line of defense against these at-
tacks. As a result, technologies must be applied that focus on detecting, understanding, and stopping these
threats. These attacks can render an enterprise inaccessible from the Internet and prevent employees from doing
productive work locally and remotely.
Cisco’s Internet edge solutions work to mitigate these threats and minimize the impact of the enterprise’s pro-
ductivity.

Cisco Validated Design page 22

 Please use the feedback form to send comments and
suggestions about this guide.

Europe Headquarters
Americas Headquarters Asia Pacific Headquarters
Cisco Systems International BV Amsterdam,
Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd.
The Netherlands
San Jose, CA Singapore

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS
IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT
SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION,
LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS
OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON
FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included
in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2015 Cisco Systems, Inc. All rights reserved.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go
to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not
imply a partnership relationship between Cisco and any other company. (1110R)

Cisco Validated Design B-000145c-2 10/15