[Diagram: Internet web server, Internet, ASA 5500 Firewall]
Explicit Proxy with IPv4 and IPv6
• Client requests a website
• Browser connects first to WSA using IPv4 or IPv6
• WSA does DNS lookup
  - A record returned and/or AAAA record returned
• Depending on WSA setting, WSA builds the outgoing connection either on IPv4 or IPv6
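The selection step in the last bullet, as an added Python example (not code from the slides or from Cisco): given the A/AAAA answers a resolver returned, pick the upstream address according to the appliance's IP-version preference and fall back when the preferred family is missing. The preference names and the sample answers are assumptions made for this example; the live resolve() wrapper needs network access and is not used by the offline sample.

```python
import socket
from typing import Iterable, List, Optional, Tuple

# Address records as a resolver returns them: (address family, address).
Answer = Tuple[int, str]

# Constructed sample answers for one dual-stack host name (A and AAAA) and one IPv4-only name.
SAMPLE_ANSWERS: List[Answer] = [
    (socket.AF_INET, "198.51.100.10"),       # A record
    (socket.AF_INET6, "2001:db8:cafe::10"),  # AAAA record
]
SAMPLE_ANSWERS_A_ONLY: List[Answer] = [
    (socket.AF_INET, "198.51.100.10"),
]


def select_upstream(answers: Iterable[Answer], preference: str) -> Optional[Answer]:
    """Pick the address the proxy should connect to.

    preference (assumed names for the appliance's IP-version setting):
      "prefer_ipv6" - use the AAAA answer if present, otherwise fall back to A
      "prefer_ipv4" - use the A answer if present, otherwise fall back to AAAA
      "ipv6_only"   - use AAAA only; None when the name has no AAAA record
      "ipv4_only"   - use A only; None when the name has no A record
    """
    by_family = {}
    for family, addr in answers:
        by_family.setdefault(family, (family, addr))  # keep the first answer per family
    v4 = by_family.get(socket.AF_INET)
    v6 = by_family.get(socket.AF_INET6)
    order = {
        "prefer_ipv6": (v6, v4),
        "prefer_ipv4": (v4, v6),
        "ipv6_only": (v6,),
        "ipv4_only": (v4,),
    }
    if preference not in order:
        raise ValueError(f"unknown preference {preference!r}")
    for candidate in order[preference]:
        if candidate is not None:
            return candidate
    return None  # no usable answer for this preference: the connection cannot be built


def resolve(host: str, port: int = 443) -> List[Answer]:
    """Live lookup through the system resolver (needs network; not used by the offline sample)."""
    seen: List[Answer] = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        if family in (socket.AF_INET, socket.AF_INET6):
            seen.append((family, sockaddr[0]))
    return seen


if __name__ == "__main__":
    for pref in ("prefer_ipv6", "prefer_ipv4", "ipv6_only", "ipv4_only"):
        print(pref, "->", select_upstream(SAMPLE_ANSWERS, pref), "| A-only:", select_upstream(SAMPLE_ANSWERS_A_ONLY, pref))
```

With an IPv6-only preference and a name that has no AAAA record the function returns None, which is the case to watch for when clients behind the proxy suddenly cannot reach an IPv4-only site.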
[Diagram: Web Security Appliance connected over IPv6 and IPv4 through an ASA 5500 Firewall to an Internet web server]
Explicit Mode with IPv4 and IPv6
• Setting IPv6 Addresses on the Interfaces
Explicit Mode with IPv4 and IPv6
• Setting IPv6 Routes
Explicit Mode with IPv4 and IPv6
• Setting DNS Servers
WCCP IPv6
ipv6 wccp 91 redirect-list wsav6
!
interface Vlan10
 ip address 172.16.10.10 255.255.255.0
 ipv6 address 2001:db8:1:10::66/64
 ipv6 nd ra suppress
 ipv6 wccp 91 redirect in
WCCP Dual-Stack with Router – ISRG2 (2)
Lab Setup with ISR G2
interface Vlan200
 description WCCP Inside
 ip address 172.16.200.1 255.255.255.0
 ip wccp 91 redirect in
 ipv6 address FE80::1 link-local
 ipv6 address FD00:ABCD:1:1::1/64
 ipv6 nd prefix FD00:ABCD:1:1::/64 no-advertise
 ipv6 wccp 90 redirect in
!
interface FastEthernet0
 switchport mode trunk
 no ip address
WCCP and IPv6 - PMTUD
• Explicit Mode:
  • Works straightforwardly, as the Client (End-Host) talks to the Proxy (End-Host)
  • Proxy establishes a new Connection to the Destination Server (Separate Session)
Redundancy Using CARP (2)
Redundancy Using CARP (3)
Redundancy using CARP (5)
Testing via CLI – “TESTFAILOVERCONFIG”
IPv6 Links to Try
• http://www.ripe.net – Displays your incoming IPv6 Address
• http://test-ipv6.com/ – Check if your Computer is IPv6 capable
• http://sixy.ch – Search Engine for IPv6 Enabled Websites
• http://loopsofzen.co.uk/ – Game only reachable over IPv6
• http://6only.6now.net/ – Print a T-Shirt with the IPv6 Address you used to reach the Website
• http://6lab.cisco.com – Check IPv6 Adoption
• http://www.kame.net/ – The dancing turtle…
CARP on Virtual Appliances
• vSwitch will by default drop all frames to any MAC address that is not bound to a physical interface
• Requires setting the Security policy on ESX to “Promiscuous Mode = Accept”
CARP – Log Files
Logging is found in the “system_logs”
SPLUNK for WSA with v6
Leveraging field extractions from the Advanced Reporting App for WSA
Customising the Access Log
Extremely useful in Dual-Stack Environments to find out whether WSA makes the outgoing connection on IPv4 or IPv6!
• Display the V6 to V6 Connections from the last 24 hours
SPLUNK for WSA with v6 (2)
Example Report #2
• Display the top Domains that are IPv6 enabled together with the Web Category
Summary of IPv6 Deployment
• WSA can use IPv4 and IPv6 concurrently
• Setup is done with just a few steps
• If only outgoing is IPv6 enabled, IPv4 clients require zero change
• Easy to make your first step towards IPv6 with the use of WSA!
• Authentication and Decryption work the same with IPv6 as with IPv4
• Transparent redirection via IPv6 requires support of WCCP v2.01
• Take care of MTU size in your network
• Modification of the access log with additional parameters enables good visibility into IPv6 network traffic using tools like SPLUNK
Kerberos Authentication
Kerberos – A Quick Refresher
Configuration on WSA
• If you upgraded from 7.x to 8.x, re-join the domain
• After the re-join, the Kerberos Scheme is available
Configuration on WSA (2)
• Edit your Identities to use Kerberos as an authentication Scheme
Multiple Realms within One Identity
• WSA can only use one NTLM Realm within one Authentication Sequence
• WSA can use multiple Kerberos Realms in one Authentication Sequence
Multiple Realms within One Identity
• Config Sequence
  1. Create each Realm on the WSA
  2. Create a sequence on all the Realms
  3. Create Identity
Configuration on WSA (3)
• BASIC. The user name was authenticated using the Basic authentication scheme.
• NTLMSSP. The user name was authenticated using the NTLMSSP authentication scheme.
• NEGOTIATE. The user name was authenticated using the KERBEROS authentication scheme.
• SSO_TUI. The user name was obtained by matching the client IP address to an authenticated user name using transparent user identification.
• SSO_ASA. The user is a remote user and the user name was obtained from a Cisco ASA using Secure Mobility.
• SSO_ISE. The user was transparently authenticated by ISE.
• FORM_AUTH. The user entered authentication credentials in a form in the web browser when accessing an application.
• GUEST. The user failed authentication and instead was granted guest access.
Client Tickets on a Windows 7 Machine
Command: “klist tickets”
Ticket-Granting Ticket
Client Tickets with AES Encryption
CSCuo74136 – fixed in 8.0.7 / 8.5.0
• msDS-SupportedEncryptionTypes set to <null>
  • Result: Clients requesting a Ticket for the WSA Service will get Default Tickets with DES / RC4
• Object msDS-SupportedEncryptionTypes must be set to ‘0x1C’
• OS Version must be ‘6’ or higher
Example #1: Join the AD domain with your Mac
• Joining the Mac to the AD Domain will create a computer account on the AD Server
• After a successful join, log out and log in again with your AD Account
• When opening Safari, you will get authenticated to the WSA without a prompt
• http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf
Kerberos Authentication with WCCP
• When using transparent redirection and Kerberos, non-Windows Clients like Mac OS X sometimes have problems with the redirection
• Make sure the WSA Hostname is the same as the redirection name
Dual Stack with Kerberos
• Windows AD by default does not include the Client IP in the Client Ticket
http://support.microsoft.com/kb/837361
• Ticket can be used for IPv4 & IPv6 Connections
[Flow diagram: after Authentication, the HTTP Proxy continues with evaluation of the Access Policies (page blocked: Block Page displayed; Warn Page displayed; page allowed), while the HTTPS Proxy continues with evaluation of the Decryption Policies (continue encrypted; go to evaluation of the Access Policies; Block Page displayed if “Decrypt for EUN” is selected, in 7.7)]
Flow for Decryption (2)
[Flow diagram: Monitor / Monitor / Default Action]
Certificate Installation and Usage - Recap
• The WSA needs a CA Certificate to be installed
  • Not a WEB SERVER CERTIFICATE!!! TAC will say thank you for this!
• After receiving the HTTPS Request, the WSA will grab the Server Certificate from the Destination
• It will create a new Certificate with (nearly) all the fields and sign this with its own Certificate
  • CRL is not replicated because it would not match the “new” Certificate
• Client needs to trust the Certificate from the WSA
  • Use a trusted subordinate CA Certificate or roll out your self-signed Cert to the Clients via GPO
Decryption Policy
• Policy can be based on
  • Identification Profile (Identity)
  • URL Category
  • Web Reputation
  • Additional Options
Certificate Error Handling
Settings on the WSA
• Default Values provide a good balance between Security and User Experience
• End-User Notification in case of a “DROP” requires “DECRYPTION”
Decrypting Web Category “Search Engines” – Explicit Mode
Decrypting Web Category “Search Engines” – Transparent mode
[Screenshot: access log entry with the ACL Decision Tag]
ACL Decision Tag: DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
Fields, left to right: decision, Access or Decryption Policy, Identity, Outbound Malware Scanning Policy, Data Security Policy, External DLP Policy, Routing Policy
WSA, Authentication and SSL
• In Explicit mode, a CONNECT request is made, giving the full URL to the WSA together with the CONNECT request
• WSA replies with 407 Proxy Authentication Required
• At this time, WSA has the following information:
  - destination host
  - user agent
  - user credentials verified
• WSA can decide whether to decrypt based on:
  - Destination Host
  - User Agent
  - Proxy Port
  - Subnets
  - Time Range
WSA, Authentication and SSL (2)
• In Transparent mode, there is no “CONNECT” but a “TCP_CONNECT”
• Since the Client is not aware of the WSA, it will start a TCP connection to the remote server
• Connection is redirected to WSA; the client starts an HTTPS/SSL connection directly
• At this point WSA only knows destination IP and port
• WSA sends an HTTPS “probe” (its own Client Hello) to get the “Server Hello” and server certificate
WSA, Authentication and SSL (3)
• With the server certificate, WSA has knowledge of:
  - Client IP
  - Destination IP
  - Server Certificate
  - Common Name (CN) from the server certificate is used as the request URL, thus used for URL category matching
• Based on this information WSA can match Identity and Decryption Policy and determine whether to DECRYPT or PASS THROUGH the request
• All information normally sent in the HTTP Header (Cookies, User Agent, Mime-Type etc.) is encrypted in the tunnel and thus not available to the WSA at this point.
WSA, Authentication and SSL (4)
• Should we decrypt? Very often based on URL Category...(think of finance
websites...)
WSA, Authentication and SSL (5)
• Finding out the correct URL Category....
• Solution: Usage of SNI (Server Name Indication) is required from the Proxy side (supported in v7.7+)
  • Most Browsers have supported it for years
  • The CLIENT HELLO during TLS sends the Host name:
Server Name Indication - Test
Yes, it Does!
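To show exactly what a proxy can read from the CLIENT HELLO before any decryption takes place, here is an added Python example (not code from the slides or from Cisco): it builds a minimal TLS 1.2 ClientHello record with an SNI extension and parses the host name back out of the raw bytes. The ClientHello bytes are constructed for the example (all-zero random, one cipher suite), and policy_host() is a hypothetical helper that applies the rule described on the slides: use the SNI host name when present, otherwise fall back to the CN from the server certificate.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed: zero random, one cipher suite).
    With server_name=None no extensions block is written, imitating a client without SNI."""
    body = b"\x03\x03" + bytes(32)           # client_version 1.2 and a 32-byte random (zeros)
    body += b"\x00"                           # empty session_id
    body += struct.pack("!HH", 2, 0xC02F)     # cipher_suites: list length 2, one suite
    body += b"\x01\x00"                       # compression_methods: length 1, null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None when the hello carries no SNI."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                              # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                      # session_id
    pos += 2 + _u16(body, pos)                # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                      # compression_methods
    if pos == len(body):
        return None                           # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:                     # walk the extension list
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            q, list_end = 2, 2 + _u16(data, 0)
            while q + 3 <= list_end:
                ntype, nlen = data[q], _u16(data, q + 1)
                q += 3
                if ntype == 0:                # host_name entry
                    return data[q:q + nlen].decode("idna")
                q += nlen
    return None


def policy_host(record: bytes, certificate_cn: str) -> str:
    """Host name a proxy would feed into URL-category matching: SNI when present,
    otherwise the CN from the server certificate (the fallback the slides describe)."""
    return extract_sni(record) or certificate_cn


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(hello.hex())
    print("SNI:", extract_sni(hello))
    print("no SNI ->", policy_host(build_client_hello(None), "cn-from-certificate.example"))
```

Feeding the parser a captured ClientHello (for instance the first TLS record of a client connection in a PCAP) shows the same thing the proxy sees: the host name is in the clear, while everything sent inside the tunnel afterwards is not.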
Testing the Server for a Specific Protocol (3)
This is how it would look in case the protocol is not supported…
No, it is not!
Easier to Check a Website
https://www.ssllabs.com/ssltest/
Common SSL Troubleshooting Steps
• Check your Access Logs
  • Look at the ACL Decision tags
• Check the destination URL on https://www.ssllabs.com/
  • Alternative: SSLYZE from https://github.com/nabla-c0d3/sslyze/releases
• Try to access the page directly without the WSA in the Path
  • Using curl or openssl
• Try to access the page with the WSA in the Path
• Check the https_logs -> put them at least into “debug” mode
• Check the PCAPs
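The first troubleshooting step above ("check your access logs, look at the ACL decision tags"), together with the earlier slides on customising the access log for dual-stack visibility, the authentication-mechanism values (BASIC, NTLMSSP, NEGOTIATE, ...) and the ACL decision tag layout (decision, Access or Decryption Policy, Identity, Outbound Malware Scanning Policy, Data Security Policy, External DLP Policy, Routing Policy), as one added Python example that is not code from the slides or from Cisco. The sample log lines and their column layout are constructed for this example (a real access log layout depends on the configured format string); the parser splits each ACL decision tag into the seven fields named on the slides, classifies each request as v4/v6 on the client side and on the server side, and summarises which requests were decrypted.

```python
import ipaddress
import re
from collections import Counter
from typing import Any, Dict, List

# Constructed sample lines. Assumed column layout for this example:
# timestamp elapsed client_ip result/status bytes method url "user" auth_mechanism server_ip acl_decision_tag
SAMPLE_ACCESS_LOG = """\
1404216671.112 250 2001:db8:1:10::25 TCP_MISS/200 1524 GET https://www.example.com:443/ "DOMAIN\\alice" NEGOTIATE 2001:db8:2::80 DECRYPT_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
1404216672.334 120 172.16.10.55 TCP_MISS/200 845 GET http://www.example.net/ "DOMAIN\\bob" NTLMSSP 198.51.100.20 ALLOW_WBRS_11-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
1404216673.901 40 2001:db8:1:10::26 TCP_DENIED/407 0 GET https://mail.example.org:443/ "-" - - OTHER-NONE-NONE-NONE-NONE-NONE-NONE
1404216674.010 310 2001:db8:1:10::25 TCP_MISS/200 2210 GET https://www.example.net:443/ "DOMAIN\\alice" NEGOTIATE 198.51.100.20 PASSTHRU_WEBCAT_7-DefaultGroup-ID.MUNSEC-NONE-NONE-NONE-DefaultGroup
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<elapsed>\d+) (?P<client>\S+) (?P<result>\S+) (?P<bytes>\d+) '
    r'(?P<method>\S+) (?P<url>\S+) "(?P<user>[^"]*)" (?P<auth>\S+) (?P<server>\S+) (?P<tag>\S+)$'
)

# Field order of the ACL decision tag as given on the slides.
ACL_TAG_FIELDS = (
    "decision",                         # e.g. DECRYPT_WEBCAT_7: action, reason and a verdict number
    "access_or_decryption_policy",
    "identity",
    "outbound_malware_scanning_policy",
    "data_security_policy",
    "external_dlp_policy",
    "routing_policy",
)


def parse_acl_tag(tag: str) -> Dict[str, str]:
    """Split an ACL decision tag into its named fields (assumes policy names contain no '-')."""
    parts = tag.split("-")
    if len(parts) != len(ACL_TAG_FIELDS):
        raise ValueError(f"expected {len(ACL_TAG_FIELDS)} '-'-separated fields, got {len(parts)}: {tag}")
    fields = dict(zip(ACL_TAG_FIELDS, parts))
    fields["action"] = parts[0].split("_", 1)[0]   # DECRYPT / PASSTHRU / ALLOW / BLOCK / OTHER ...
    return fields


def ip_version(addr: str) -> str:
    """'v4' or 'v6'; '-' when the field holds no address (no upstream connection, e.g. a 407 challenge)."""
    try:
        return f"v{ipaddress.ip_address(addr).version}"
    except ValueError:
        return "-"


def parse_access_log(text: str) -> List[Dict[str, Any]]:
    records: List[Dict[str, Any]] = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n} does not match the assumed layout")
        rec: Dict[str, Any] = m.groupdict()
        rec["acl"] = parse_acl_tag(rec["tag"])
        rec["stack"] = f"{ip_version(rec['client'])}->{ip_version(rec['server'])}"  # client->server family
        records.append(rec)
    return records


def summarize(text: str) -> Dict[str, Any]:
    """Counts a dual-stack operator wants at a glance: address families, auth mechanisms, decrypted URLs."""
    records = parse_access_log(text)
    return {
        "stack": Counter(r["stack"] for r in records),
        "auth": Counter(r["auth"] for r in records if r["auth"] != "-"),
        "decrypted": [r["url"] for r in records if r["acl"]["action"] == "DECRYPT"],
        "v6_to_v6": [r["url"] for r in records if r["stack"] == "v6->v6"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

The "stack" counter answers the question the access-log slide raises (does the WSA go out over IPv4 or IPv6 for a given client?), and the decrypted list is the first thing to compare against the Decryption Policy when a site behaves differently with the WSA in the path.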
HTTP and TLS
HTTP “Pipelining”
• HTTP 1.0
  • One Request -> One Response
  • “Head of Line” Blocking Problem (like a Supermarket with only one register)
• HTTP 1.1 “Pipelining”
  • Multiple Requests sent at once
  • Opening more Registers in the Supermarket…
  • Still, Responses have to arrive in the order the Requests were sent…. Does not solve the “Head of Line” Blocking Problem
  • Most Browsers might limit the number of connections you can open at once.
HTTP “Pipelining”
Page comes up pretty fast but takes long time to complete:
GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast
GET picture?user=scoultr <--- takes a long time because database lookup
Page does not display anything in the beginning but then displays all in the end:
GET picture?user=scoultr <--- takes a long time because database lookup
GET index.html <-- pretty fast
GET favicon.gif <-- pretty fast
SPDY
“Speedy”
Public Key is likely to stay the same even if the Certificate is renewed
• Chrome connecting to gmail.com, twitter, FF connecting to mozilla.org
https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
Example: Firefox
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
0: Pinning disabled
1: Allow User MiTM (with a trusted CA)
2: Strict. Always enforced
3: Enforce Test Mode
Example: Firefox
Strict Pinning
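The statement that the public key usually survives a certificate renewal is what makes key pinning practical: the pin is a hash of the DER SubjectPublicKeyInfo, not of the certificate. As an added Python example (not code from the slides, from Chromium or from Mozilla), the block below DER-encodes an RSA SubjectPublicKeyInfo, computes the base64(SHA-256) pin value, and shows that a renewed certificate with the same key still matches the pin set while a certificate for the same name issued under a different key does not. The toy key sizes and the three certificate records are constructed for the example; the pin check is applied to the leaf key only, a simplification of a real pin set that may also name intermediate or root keys.

```python
import base64
import hashlib
from typing import Dict, Iterable


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b                      # keep the INTEGER positive
    return _der(0x02, b)


OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)


def rsa_spki_der(n: int, e: int) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA public key (toy-sized keys are used below)."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))            # RSAPublicKey SEQUENCE
    algorithm = _der(0x30, _der(0x06, OID_RSA_ENCRYPTION) + _der(0x05, b""))  # AlgorithmIdentifier
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))       # SPKI with BIT STRING


def spki_pin(spki_der: bytes) -> str:
    """Pin value as used in Chromium's transport_security_state_static.json: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed certificate records holding only the fields the pin depends on (n/e are not real keys).
SITE_CERT_2013: Dict[str, object] = {"subject": "www.example.com", "not_after": "2013-12-31", "n": 3233, "e": 17}
SITE_CERT_2014_SAME_KEY: Dict[str, object] = {"subject": "www.example.com", "not_after": "2014-12-31", "n": 3233, "e": 17}
OTHER_KEY_CERT: Dict[str, object] = {"subject": "www.example.com", "not_after": "2014-12-31", "n": 3127, "e": 3}


def cert_pin(cert: Dict[str, object]) -> str:
    return spki_pin(rsa_spki_der(int(cert["n"]), int(cert["e"])))


def pin_matches(cert: Dict[str, object], pinned: Iterable[str]) -> bool:
    """Strict pinning decision (Firefox level 2): accept only if the leaf's SPKI hash is in the pin set."""
    return cert_pin(cert) in set(pinned)


if __name__ == "__main__":
    pins = {cert_pin(SITE_CERT_2013)}          # the pin recorded when the 2013 certificate was current
    print("pin:", next(iter(pins)))
    print("renewed, same key:", pin_matches(SITE_CERT_2014_SAME_KEY, pins))
    print("same name, different key:", pin_matches(OTHER_KEY_CERT, pins))
```

The second result is what the "Allow User MITM" level (1) relaxes for a user-installed trusted CA and what the strict level (2) refuses outright; comparing the pin of a freshly deployed certificate against the recorded one before rollout avoids locking clients out after a key rotation.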
Links for further information
For reading in those nights where you cannot sleep…