BRKSEC-3771
Cisco Public
Angel Aloisius
Some slides have this friendly guy in the right corner.
Those slides contain non-standard advice or tips & tricks.
Agenda
Introduction
Deploying WSA with WCCP
Troubleshooting WSA with WCCP
Transparent User Authentication
WSA Performance Analysis
Deploying ASA NGFW Web Security
Troubleshooting ASA NGFW Web Security
Explicit Proxy
Client requests a website
Browser connects first to the WSA
WSA connects to the website
Firewall usually only allows web traffic coming from the proxy
DNS resolution is done by the WSA
[Diagram: client, Web Security Appliance, ASA 5500 Firewall, Internet, Internet web server]
[Diagram: WCCP Server (router/switch) and WCCP Client (WSA)]
[Diagram: hash assignment bucket ranges 86-170, 129-170, 171-255]
How to force a switch / router to use GRE? Set WSA to Allow GRE
[Diagram: Internet, WSA on VLAN40, clients on VLAN10]
Recommendations:
Assign a separate VLAN for the connection to the WSA!
The redirect ACL only allows permit statements on the 3560/3750 Series!
12.2(58) added support for permit
WCCP client detail columns: Version & State, Redirect Method, Assignment Method, Mask Value

Mask/value table (CE-IP = the WSA, 172.16.10.100):
SrcAddr     DstAddr     SrcPort  DstPort  CE-IP
-------     -------     -------  -------  -----
0x00000000  0x00000000  0x0000   0x0000   0xAC100A64 (172.16.10.100)
0x00000000  0x00000002  0x0000   0x0000   0xAC100A64 (172.16.10.100)
0x00000000  0x00000004  0x0000   0x0000   0xAC100A64 (172.16.10.100)
[Diagram: routers r1 and r2 behind two Layer 3 switches, towards the WAN]
[Diagram: router with interfaces e0, e1 and e2; redirection done in SW]
Problem to solve:
Traffic coming back from the Internet needs to be redirected to the WSA by the network, because the destination is now the client network and no longer the WSA.
IP spoofing is mostly used in transparent mode.
It is activated on the WSA in the WCCP configuration:
[Diagram: router interfaces e0, e1 and e2; WCCP service 91 on the client side; client network 145.16.0.0/16]
ip cef
ip wccp version 2
ip wccp 91 redirect-list Redirect-Client
ip wccp 92 redirect-list Redirect-back
!
interface e0
 ip wccp 91 redirect in
!
interface e2
 ip wccp 92 redirect in
!
ip access-list extended Redirect-Client
 remark client web traffic towards the Internet (service 91)
 permit tcp 145.16.0.0 0.0.255.255 any eq www
 permit tcp 145.16.0.0 0.0.255.255 any eq 443
!
ip access-list extended Redirect-back
 remark return traffic to the spoofed client addresses (service 92)
 permit tcp any eq www 145.16.0.0 0.0.255.255
 permit tcp any eq 443 145.16.0.0 0.0.255.255
WCCP is ok
Parameters are not!
I-See-You
Mask bits and slots per number of WSAs:
1-2 WSAs    1 bit,  2 slots
3-4 WSAs    2 bits, 4 slots
5-8 WSAs    3 bits, 8 slots
9-16 WSAs   4 bits, 16 slots
17-32 WSAs  5 bits, 32 slots
Example: mask 0x3 = 2 bits, 4 slots for up to 4 WSAs
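As an added worked example (not from the session), the bits-to-slots rule above in Python, generalised to compute the slot a given source address lands in and how evenly a client /24 is split across the WSAs; it assumes the mask is applied to the source address only (a deployment choice, not a WCCP requirement) and uses 172.16.10.0/24 as a constructed client network.

```python
"""WCCP mask assignment: n mask bits give 2**n slots (buckets), enough for
up to 2**n WSAs, so 0x3 (2 bits) yields 4 slots. Constructed example, not
from the Cisco session; assumes the mask is applied to the source address."""
import ipaddress
from itertools import cycle

def mask_bits_for(num_wsa: int) -> int:
    """Smallest n with 2**n slots >= num_wsa (WCCPv2: 1-32 caches per group)."""
    if not 1 <= num_wsa <= 32:
        raise ValueError("WCCP service group holds 1-32 web caches")
    bits = 1
    while (1 << bits) < num_wsa:
        bits += 1
    return bits

def mask_value(bits: int) -> int:
    """Contiguous low-order mask with the given number of bits (2 -> 0x3)."""
    return (1 << bits) - 1

def bucket(addr: str, mask: int) -> int:
    """Slot index: the bits of (addr & mask) compressed into a dense index,
    so non-contiguous masks (e.g. 0x1a00) also work."""
    value = int(ipaddress.IPv4Address(addr)) & mask
    index, pos = 0, 0
    for bit in range(32):
        if mask >> bit & 1:
            index |= (value >> bit & 1) << pos
            pos += 1
    return index

def distribution(clients, num_wsa: int, mask: int) -> dict:
    """Slots are handed to WSAs round-robin (as the mask/value table does);
    returns how many client addresses each WSA index receives."""
    slots = 1 << bin(mask).count("1")
    table = dict(zip(range(slots), cycle(range(num_wsa))))
    counts = {w: 0 for w in range(num_wsa)}
    for addr in clients:
        counts[table[bucket(addr, mask)]] += 1
    return counts

if __name__ == "__main__":
    # Constructed client network matching the slides' 172.16.10.0/24.
    clients = [str(h) for h in ipaddress.IPv4Network("172.16.10.0/24").hosts()]
    for n in (2, 3, 4, 5, 9, 17):
        bits = mask_bits_for(n)
        print(f"{n} WSAs -> {bits} bit(s), {1 << bits} slots, mask 0x{mask_value(bits):x}")
    # Low-order bits spread a /24 evenly; masking only high bits does not.
    print(distribution(clients, 4, 0x3))
    print(distribution(clients, 4, 0x3000000))
```

The second distribution shows why the chosen mask bits must vary across the client population: masking bits that are identical for every client sends all traffic to one WSA.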
[Diagram: Internet, WSA on VLAN40, clients on VLAN10]
Authentication
Components: User, User Directory, Authentication Protocols
Directory: LDAP or NTLM
Method:
  Basic: credentials are sent unencrypted
  NTLMSSP: challenge-response
  TUI (Transparent User Identification) using CDA
Tracking the user:
  IP-based surrogates
  Cookie-based surrogates
[Diagram: client, WSA, User Directory, Internet]
The client is not aware of a proxy, so HTTP response code 407 (Proxy Authentication Required) cannot be used
HTTP response code 401 has to be used instead
The client first needs to be redirected to the WSA
The client must trust the redirect hostname when using NTLM, otherwise the browser prompts for credentials
Scenario: multiple WSAs, transparent deployment with authentication
Client requests a website
Switch redirects the request to WSA1
WSA1 needs authentication and redirects the client to WSA1
Client sends the request to WSA1, and that request is again redirected through WCCP
The redirect may end up on WSA1, but can also terminate at any other WSA in the cluster
Strange things happen from now on...
[Diagram: Internet, WSA #1 and WSA #2 on VLAN40, clients on VLAN10]
ip routing
ip wccp 91 redirect-list wsa
!
ip access-list extended wsa
 remark Do not redirect traffic going DIRECTLY to wsa1/2
 deny ip any host <wsa1>
 deny ip any host <wsa2>
 permit tcp any any eq www
 permit tcp any any eq 443
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ip wccp 91 redirect in
[Diagram: user with AnyConnect, SSO against the User Directory, WSA, Internet web server]
The user can surf via the WSA without the need to authenticate again
The WSA can be deployed explicit or transparent
Transparent user identification with CDA:
1. Client logs on to the AD domain; CDA tracks the AD audit logs (via WMI) and maps user to IP
2. Client requests a web site
3. Traffic is transparently redirected to the WSA (switch with WCCP)
4. WSA needs to authenticate and queries the CDA for the user-IP mapping
5. WSA queries AD for the user's group
6. Request is proxied and forwarded to the Internet
[Diagram: AD User, Switch w/ WCCP, WSA, CDA, AD Controller (WMI), Internet]
[Diagram: Client, WSA, AD Server, DNS Server, Cisco SIO, Internet, WWW Server]
Prox_track.log content
General Statistics
Traffic Statistics:
If the number of throttled transactions keeps increasing, this could indicate that the appliance cannot handle the load
Important Statistics
Client time:
Hit time: time the WSA uses to fetch content from the cache
Miss time: time the WSA takes to fetch all data from the server
DNS Time: time for the WSA to do a DNS resolution
A high value indicates a problem with the DNS server
Service Time:
Time that the Scanner used to scan the object
Adaptive Scanning
The score is based on the type of object, the effectiveness of the malware scanner for this type, and WBRS (WBRS must be enabled on the WSA)
The appliance scans objects with the scanner that is most appropriate for this object type
If the appliance has a performance problem with the anti-malware scanners, it drops objects from scanning
Example: don't scan *.jpg files with McAfee when they come from websites with a good reputation
%m : Authentication Method
%:>a : Authentication Wait time
%:>d : DNS Wait time
%:>r : Reputation Wait time
SPLUNK Report on the Average time for REPUTATION and DNS Resolution per Domain
ASA NGFW
Functionalities:
RESTful XML
Access Policies
  Filter on URL, MIME type, User-Agent
  Filter based on reputation
  Filter based on source, destination, network / service objects, ...
Identity Policies
  Active: Basic Authentication, NTLM, Kerberos, LDAP
  Passive: CDA agent
Decryption Policies
  Decrypt SSL traffic
  Decision based on URL, source, destination, User-Agent, ...
Inline Deployment
No client configuration required
Deactivation of HTTP inspection on the ASA is necessary
[Diagram: FW (ASA) with NGFW module inline]
Functional Distribution
ASA NGFW: URL Category/Reputation, HTTP Inspection, AVC, TLS Proxy, Multiple Policy Decision Points, TCP Proxy
ASA: TCP Normalization, NAT, TCP Intercept, Routing, IP Option Inspection, ACL, IP Fragmentation, VPN Termination
WSA
URL Filtering       Yes   Yes
Web Reputation      Yes   Yes
Malware Scanner     No
DLP                 No
External Interface
Caching             No    Yes
                    No    Yes   No (roadmapped)   No (roadmapped)   No   Yes
SOCKS Proxy         No    Yes (v7.7)
Deployment
WSA
                    Yes   Yes   No (roadmapped)   Yes   No (roadmapped)   Yes   No   Yes
IP Surrogates       No    Yes, up to 10 (v7.7)
Decryption of TLS   Yes   Yes   Yes   Yes (v7.7)
IPv6 Traffic        Yes   No (roadmapped)
Angel Aloisius
What happened to the advice to the Bavarian Government???