Chapter 10: Content Security
Summary
This document is a chapter on content security, covering topics such as content security fundamentals, Cisco Secure Web Appliance, Cisco Secure Email, and Cisco Content Security Management Appliance. It also outlines the SCOR 350-701 exam objectives covered in the chapter.
# CHAPTER 10

## Content Security

This chapter covers the following topics:

- Content Security Fundamentals
- Cisco Secure Web Appliance (formerly Web Security Appliance)
- Cisco Secure Email (formerly Cisco Email Security Appliance)
- Cisco Content Security Management Appliance

The following SCOR 350-701 exam objectives are covered in this chapter:

### Domain 4.0 Content Security

- 4.1 Implement traffic redirection and capture methods
- 4.2 Describe web proxy identity and authentication, including transparent user identification
- 4.3 Compare the components, capabilities, and benefits of local and cloud-based email and web solutions
- 4.4 Configure and verify web and email security deployment methods to protect on-premises and remote users
- 4.5 Configure and verify email security features such as SPAM filtering, antimalware filtering, DLP, blacklisting, and email encryption
- 4.6 Configure and verify secure internet gateway and web security features such as blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS decryption

## "Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 10-1 lists the major headings in this chapter and their corresponding "Do I Know This Already?" quiz questions. You can find the answers in Appendix A, "Answers to the 'Do I Know This Already?' Quizzes and Q&A Sections."

| Foundation Topics Section | Questions |
|---|---|
| Content Security Fundamentals | 1 |
| Cisco Secure Web Appliance | 2-5 |
| Cisco Secure Email | 6-8 |
| Cisco Content Security Management Appliance | 9-10 |

**CAUTION:** The goal of self-assessment is to gauge your mastery of the topics in this chapter.
If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you incorrectly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following statements is not true about AsyncOS?
   - a. AsyncOS is the underlying operating system for Cisco Secure Web Appliance.
   - b. AsyncOS is the underlying operating system for Cisco Secure Email.
   - c. AsyncOS is the underlying operating system for Cisco SMA.
   - d. AsyncOS provides a user UNIX shell, and administrators can configure the system using a web admin portal.
2. Which of the following is the Cisco Secure Web Appliance engine that analyzes and categorizes unknown URLs and blocks websites that fall below a defined security policy or threshold?
   - a. AVC engine
   - b. Web reputation engine
   - c. CASB engine
   - d. File reputation engine
3. In which type of Cisco Secure Web Appliance deployment mode is the client configured to use the web proxy?
   - a. Transparent mode
   - b. Explicit forward mode
   - c. WCCP mode
   - d. None of these answers are correct.
4. Which of the following statements is not true?
   - a. Because the client knows there is a proxy and sends all traffic to the proxy in explicit forward mode, the client does not perform a DNS lookup of the domain before requesting the URL.
   - b. When you configure the Cisco Secure Web Appliance in explicit mode, you do not need to configure any other network infrastructure devices to redirect client requests to the Cisco Secure Web Appliance.
   - c. In transparent mode, you can also configure the client's proxy settings using DHCP or DNS, using proxy auto-configuration (PAC) files, or with Microsoft Group Policy Objects (GPOs).
   - d. You can advertise and configure clients with PAC settings by using the Web Proxy Auto-Discovery (WPAD) protocol.
5. You are hired to deploy a web security solution using Cisco Secure Web Appliance. Your boss asks you to select the best deployment option where web clients do not require an agent or a special configuration in the web browser or operating system. Which of the following is the best approach to accomplish this task?
   - a. Enabling WCCP in your infrastructure to redirect web traffic to the Cisco Secure Web Appliance, requiring a review of routing configurations and firewall policies.
   - b. Configuring the Cisco Secure Web Appliance in transparent mode using hardware load balancers and PAC files.
   - c. Configuring policy-based routing along with hardware load balancers in explicit web traffic mode.
   - d. Configuring the Cisco Secure Web Appliance in explicit mode using PAC files and policy-based routing in Cisco routers.
6. Which of the following is the entity responsible for forwarding emails from a sender to the recipient, which most people refer to as the "mail server"?
   - a. Mail transfer agent
   - b. Mail delivery agent
   - c. Mail submission agent
   - d. Mail user agent
7. The Cisco Secure Email acts as a mail transfer agent. The Cisco Secure Email is the destination of which public records?
   - a. AA
   - b. MX
   - c. C-NAME
   - d. All of these answers are correct.
8. Which of the following is used by the Cisco Secure Email to handle incoming SMTP connection requests?
   - a. WCCP redirects
   - b. MX records
   - c. SMTP MSAS
   - d. Listeners
9. Which of the following provides a means for gateway-based cryptographic signing of outgoing messages?
   - a. SPF
   - b. DKIM
   - c. SenderBase
   - d. Cisco SMA
10. You are hired to deploy an email and web security solution that can be managed from a centralized location. In addition, this solution must allow you to integrate with third-party solutions to monitor outgoing emails to make sure that no sensitive information is being transferred out of your company. Which of the following is the best approach to accomplish this task?
    - a. Deploy Cisco FMC to manage and monitor Cisco Secure Email, Cisco Secure Web Appliance, and Cisco Secure Firewall with DLP services.
    - b. Deploy Cisco SMA to manage and monitor Cisco Secure Email and Cisco Secure Web Appliance, and make sure that the Cisco Secure Email DLP email policies are enabled in the Outgoing Mail Policies table.
    - c. Deploy Cisco SMA to manage and monitor Cisco Secure Email and Cisco Secure Web Appliance, and make sure that the Cisco FMC DLP email policies are enabled in the Outgoing Mail Policies table.
    - d. Deploy Cisco FMC to manage and monitor Cisco Secure Email and Cisco Secure Web Appliance, and make sure that the Cisco Secure Email DLP email policies are enabled in the Outgoing Mail Policies table.

## Foundation Topics

### Content Security Fundamentals

Cyber actors (attackers) use email and the web as the two top threat vectors to carry out many of their attacks. Why? Because email and web protocols are the most popular protocols used by individuals and organizations. In Chapter 1, "Cybersecurity Fundamentals," you learned about the many different social engineering attacks that can be carried out over email (phishing, spear phishing, whaling, and so on). You also learned how attackers can fool users into following malicious links, impersonate websites, and attack different web-based applications.

Cisco acquired a company called IronPort that created what we know today as the Cisco Secure Web Appliance and the Cisco Secure Email to address this problem. The Cisco Secure Web Appliance and Cisco Secure Email are solutions designed to provide strong protection, complete control, and operational visibility into threats to an organization. The Cisco Secure Web Appliance and Cisco Secure Email have been integrated with other Cisco solutions such as Cisco Secure Endpoint and Cisco Secure Malware Analytics, and they can also digest threat intelligence from Cisco Talos. The Cisco Secure Web Appliance and Cisco Secure Email can be managed by the Cisco Content Security Management Appliance (SMA).
The Cisco SMA provides a solution for centralizing the management and reporting functions of multiple Cisco Secure Email and Cisco Secure Web Appliance devices. When you deploy the Cisco SMA, it simplifies administration and planning and improves compliance monitoring. Another benefit of the Cisco SMA is that it allows administrators to enforce policies consistently and enhances threat protection. The underlying operating system of the Cisco Secure Email, Cisco Secure Web Appliance, and Cisco SMA is the Async Operating System (AsyncOS). You will learn more about AsyncOS in the following section.

### Cisco Async Operating System (AsyncOS)

AsyncOS powers the Cisco Secure Web Appliance, Cisco Secure Email, and Cisco SMA, and it is built on a FreeBSD kernel. However, Cisco enhanced AsyncOS to address some of the limitations of traditional Linux and UNIX operating systems. One focus was scalability, in order to support thousands of connections per minute. Cisco Secure Web Appliance, Cisco Secure Email, and Cisco SMA running AsyncOS take advantage of a high-performance file system and optimized asynchronous handling of email and web transactions (thus the name AsyncOS). AsyncOS does not provide a user UNIX shell. Administrators configure the system using a web admin portal (a web-based GUI) or a fully scriptable command-line interface (CLI).

## Cisco Secure Web Appliance

Under the hood, the Cisco Secure Web Appliance includes a web proxy, a threat analytics engine, an antimalware engine, policy management, and reporting in a single physical or virtual appliance. The main use of the Cisco Secure Web Appliance is to protect users from accessing malicious websites and being infected by malware. Organizations can also configure the Cisco Secure Web Appliance to give users access to the sites they need to do their work and deny other sites, including gaming sites, social media, and so forth.
The following are the different Cisco Secure Web Appliance feature engines:

- **Web Reputation engine:** Analyzes and categorizes unknown URLs and blocks websites that fall below a defined security policy or threshold. The Web Reputation engine analyzes more than 200 different factors related to web traffic and the network to determine the level of risk associated with a site. The Cisco Secure Web Appliance Web Reputation engine is very different from the legacy URL blacklisting and whitelisting capabilities of traditional web proxies. The engine analyzes a large data set and produces a granular reputation score from -10 to +10. This reputation score allows security professionals to make a better risk assessment.
- **Web filtering:** Combines traditional URL filtering with real-time dynamic content analysis. This, in turn, allows for granular acceptable use policy (AUP) creation and warns the user on certain quota and bandwidth conditions.
- **Application Visibility and Control (AVC):** Enables the Cisco Secure Web Appliance to inspect and/or block applications that are not allowed by the organization's security policy. You can allow users to use social media sites like Twitter and Facebook and then block micro-applications within those social media sites (like Facebook games).
- **Cloud access security:** The Cisco Secure Web Appliance can detect and stop hidden threats in cloud apps by leveraging built-in AVC along with integrations with cloud access security brokers (CASBs) such as Cisco Cloudlock.
- **Antivirus scanning:** The Cisco Secure Web Appliance supports different antivirus engines such as McAfee, Sophos, and Webroot.
- **File reputation:** Based on Cisco Talos threat intelligence, which is updated every three to five minutes.
- **Data-loss prevention (DLP):** The Cisco Secure Web Appliance can redirect all outbound traffic to a third-party DLP system, allowing deep content inspection for regulatory compliance and data exfiltration protection. This allows you to inspect web content by title, metadata, and size, and even to prevent users from storing files to cloud services, such as Box, Dropbox, iCloud, and Google Drive.
- **File sandboxing:** The Cisco Secure Web Appliance has been integrated with the Cisco Secure Endpoint and Cisco Secure Malware Analytics sandboxing capabilities. This allows for putting an unknown file in a sandbox to inspect its behavior. Cisco Secure Endpoint and Cisco Secure Malware Analytics use machine learning to analyze the file and determine the threat level. You will learn more about Cisco Secure Endpoint and Cisco Secure Malware Analytics in Chapter 11, "Endpoint Protection and Detection."
- **File retrospection:** The Cisco Secure Web Appliance examines files that are downloaded and continues to re-examine them over an extended period of time. The file disposition can be Unknown, Clean, Malware, and so on. A changed file disposition is referred to as a retrospective disposition.
- **Cognitive threat analytics:** The Cisco Secure Web Appliance supports anomaly detection of HTTP and HTTPS traffic. The state and results of the cognitive threat analytics metrics are fine-tuned based on new threat information discovered by the system and Cisco Talos. This allows the Cisco Secure Web Appliance to discover confirmed threats in an environment even when HTTPS traffic inspection has been disabled.

## The Cisco Secure Web Appliance Proxy

The Cisco Secure Web Appliance virtual and physical appliances are typically placed either on the inside of the internet edge firewall or in a demilitarized zone (DMZ).
The reason you deploy the Cisco Secure Web Appliance behind the firewall or in a DMZ is to be able to centralize proxying and to reduce the number of Cisco Secure Web Appliance appliances.

**NOTE:** The Cisco Secure Web Appliance can be deployed as a physical appliance or as a virtual machine running on VMware ESX, KVM, or Microsoft Hyper-V.

A proxy sits between HTTP clients (web browsers, or APIs in the case of machine-to-machine communication) and HTTP servers. This specifically means that the Cisco Secure Web Appliance (WSA), as a web proxy, maintains two TCP sockets per client request: one connection from the client to the WSA and another connection from the WSA to the web server. Cisco Secure Web Appliance physical and virtual appliances have one or more of the following interface types:

- **M1:** Typically used for management. The M1 interface can also be used for data traffic (otherwise known as a one-armed interface configuration).
- **P1/P2:** These are typically the interfaces used for web proxy traffic (that is, data interfaces). If you enable the P1 and P2 interfaces, each interface must be connected to a different subnet. You can also combine M1 and P1. If doing so, M1 can be configured to proxy requests and P1 is used to send traffic to the Internet. If you use multiple interfaces for proxying, you need to configure static routes to direct the traffic to the correct interface.
- **T1/T2:** Typically used for Layer 4 traffic monitoring to listen to all TCP ports. When you enable the T1/T2 ports, they are not configured with an IP address because they are promiscuous monitoring ports. T1 can be configured alone for duplex communication, or T1 and T2 can be configured together in simplex mode. For instance, T1 can be configured to receive all outgoing traffic to the Internet, and the T2 interface can be configured to receive all incoming traffic from the Internet.
You can deploy the Cisco Secure Web Appliance in two different modes:

- Explicit forward mode
- Transparent mode

## Cisco Secure Web Appliance in Explicit Forward Mode

In explicit forward mode, the client is configured to explicitly use the proxy, consequently sending all web traffic to the proxy, as demonstrated in Figure 10-1.

![Figure 10-1: Cisco Secure Web Appliance in Explicit Forward Mode](./figure_10_1.png)

**TIP:** Because the client knows there is a proxy and sends all traffic to the proxy in explicit forward mode, the client does not perform a DNS lookup of the domain before requesting the URL. The Cisco Secure Web Appliance is responsible for DNS resolution as well.

When you configure the Cisco Secure Web Appliance in explicit mode, you do not need to configure any other network infrastructure devices to redirect client requests to the Cisco Secure Web Appliance. However, you must configure each client to send traffic to the Cisco Secure Web Appliance. In large environments, this could be problematic. However, you can also configure the client's proxy settings using DHCP or DNS, using proxy auto-configuration (PAC) files, or with Microsoft Group Policy Objects (GPOs). You can also lock browser proxy settings with solutions like Microsoft GPOs.

**TIP:** You can advertise and configure clients with PAC settings by using the Web Proxy Auto-Discovery (WPAD) protocol. WPAD uses the auto-detect proxy settings found in every modern web browser. Proxy server configurations can be provisioned to clients through DHCP option 252 with the URL as a string in the option (for example, `https://secretcorp.org/wpad.dat`) or with DNS by creating an A host record for `wpad.secretcorp.org`.

Figure 10-2 shows the proxy configuration of a macOS device.

![Figure 10-2: Proxy Configuration in a Mac OS X Device](./figure_10_2.png)

The Cisco Secure Web Appliance also supports SOCKS proxy configurations.
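Before moving on to SOCKS, here is a worked PAC file for the explicit forward mode and WPAD discussion above (an added example, not a file from the chapter or from Cisco): it keeps plain hostnames, the corporate domain and the 10.0.0.0/8 range DIRECT and sends everything else to two Cisco Secure Web Appliances, with shims for the PAC helper functions so the file also runs under Node. The proxy names wsa1/wsa2.secretcorp.org, proxy port 3128 and the 10.0.0.0/8 internal range are assumptions.

```javascript
// PAC file for an explicit forward mode deployment (added example).
// A WPAD client fetches this as wpad.dat and calls FindProxyForURL() for
// every request. The shims below stand in for the helper functions a
// browser's PAC runtime normally provides; they exist only so this file
// can be executed and tested with Node.
// Assumptions (placeholders, not from the chapter): the appliances listen on
// wsa1/wsa2.secretcorp.org:3128 and 10.0.0.0/8 is the internal address space.

// --- Shims for the browser-provided PAC helpers -------------------------
function isPlainHostName(host) {
  // "intranet" is plain; "intranet.secretcorp.org" is not.
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with domain, e.g. ("wpad.secretcorp.org", ".secretcorp.org").
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer, or null if not a valid IPv4 literal.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const parts = ip.split(".").map(Number);
  if (parts.some((p) => p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function isInNet(host, pattern, mask) {
  // Browser versions resolve names via DNS; this shim only accepts IPv4
  // literals so that it runs offline. Non-literal hosts are treated as
  // "not in the network", which keeps them on the proxy path.
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- The PAC logic itself -------------------------------------------------
// Two appliances for redundancy. Deliberately no trailing "; DIRECT":
// a DIRECT fallback would let clients silently bypass the proxy, and with
// it every reputation, AVC, DLP and malware engine, whenever both WSAs are
// unreachable. Failing closed makes an outage visible instead.
const WSA_PROXIES = "PROXY wsa1.secretcorp.org:3128; PROXY wsa2.secretcorp.org:3128";

function FindProxyForURL(url, host) {
  // `url` is part of the PAC contract; this policy decides on host alone.
  // Traffic that must never be proxied: plain hostnames, the corporate
  // domain (which includes the WPAD host serving this file), loopback and
  // the internal RFC 1918 range. Keeping these DIRECT means internal apps
  // stay reachable even if the proxies are down.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".secretcorp.org") ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else, including non-internal IP literals, goes through the WSA.
  return WSA_PROXIES;
}
```

Serve the file as `wpad.dat` at the WPAD URL from the tip above and browsers with auto-detect enabled pick it up; the absence of a DIRECT fallback is intentional so that a proxy outage fails closed rather than bypassing policy.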
When it is configured as a SOCKS proxy, the client exchanges SOCKS protocol messages to negotiate a proxy connection. When a connection is established, the client communicates with the Cisco Secure Web Appliance by using the SOCKS protocol.

**NOTE:** You need to configure a SOCKS policy in order to use the Cisco Secure Web Appliance SOCKS proxy. The SOCKS protocol (and consequently the Cisco Secure Web Appliance) only supports direct forward connections. The Cisco Secure Web Appliance does not forward traffic to any upstream proxies when configured as a SOCKS proxy. In addition, the Cisco Secure Web Appliance SOCKS proxy does not support scanning services, which are used by AVC, DLP, and malware detection. The Cisco Secure Web Appliance SOCKS proxy is not able to decrypt SSL traffic because it tunnels traffic from the client to the server.

## Cisco Secure Web Appliance in Transparent Mode

When the Cisco Secure Web Appliance is in transparent mode, clients do not know there is a proxy deployed. Network infrastructure devices are configured to forward traffic to the Cisco Secure Web Appliance. In transparent mode deployments, network infrastructure devices redirect web traffic to the proxy. Web traffic redirection can be done using policy-based routing (PBR), which is available on many routers, or using Cisco's Web Cache Communication Protocol (WCCP) on Cisco ASA, Cisco routers, or switches. Figure 10-3 shows a Cisco Secure Web Appliance in transparent mode.

![Figure 10-3: Cisco Secure Web Appliance in Transparent Mode](./figure_10_3.png)

**TIP:** WCCP is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms.

The following are the steps illustrated in Figure 10-3:

1. The client initiates a connection to `h4cker.org`.
2. The Cisco ASA redirects the request to the Cisco Secure Web Appliance using WCCP.
3. The Cisco Secure Web Appliance verifies the request and replies to the client if the web request violates a policy or the security engine flags it.
4. The Cisco Secure Web Appliance initiates a new connection to `h4cker.org`.
5. The `h4cker.org` web server replies to the Cisco Secure Web Appliance. The Cisco Secure Web Appliance checks for malicious or inappropriate content and blocks it, if needed.
6. If the content is acceptable, the Cisco Secure Web Appliance forwards the content to the client.

**TIP:** In Figure 10-3, the client is unaware its traffic is being sent to a proxy (Cisco Secure Web Appliance) and, as a result, the client uses DNS to resolve the domain name in the URL and sends the web request destined for the web server (not the proxy).

When you configure the Cisco Secure Web Appliance in transparent mode, you need to identify a network choke point with a redirection device (in this example, a Cisco ASA) to redirect traffic to the proxy. When transparent mode is configured, you are able to force all traffic to the proxy if desired (without end-user interaction). Load balancing is inherent without the use of hardware load balancers or PAC files. Many organizations deploy transparent mode Cisco Secure Web Appliances in phases by using access control lists (ACLs) with policy-based routing or WCCP.

**NOTE:** When you enable WCCP in your infrastructure, it requires a review of routing configurations, firewall policies, and so on. For instance, when you configure WCCP in the Cisco ASA, the Cisco Secure Web Appliance and clients need to be within the same security zone.

## Configuring WCCP in a Cisco ASA to Redirect Web Traffic to a Cisco Secure Web Appliance

The following are the steps to configure WCCP in the Cisco ASA:

1. Create an access control list (ACL) to define (match) the HTTP and HTTPS traffic from the 10.1.1.0/24 and 10.1.2.0/24 subnets, as shown in Example 10-1.
**Example 10-1: Matching the HTTP and HTTPS Traffic**

```
access-list HTTP-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list HTTP-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any eq www
access-list HTTPS-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list HTTPS-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any eq https
```

2. You can also inspect FTP traffic in the Cisco Secure Web Appliance. In order to do so, create an ACL to match FTP traffic, as demonstrated in Example 10-2.

**Example 10-2: Matching FTP Traffic**

```
access-list FTP-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list FTP-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any range 11000 11006
access-list FTP-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any eq ftp
access-list FTP-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any range 11000 11006
```

3. Create another ACL to include the IP address of the Cisco Secure Web Appliance (10.1.2.3) and create the WCCP redirect lists, as demonstrated in Example 10-3. You can configure WCCP redirection of HTTP traffic (TCP port 80 traffic) and also non-HTTP TCP traffic, as well as UDP packets. For instance, you can redirect packets used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, audio and video applications, and so on. To achieve this task, you can configure multiple WCCP service groups. Service information is specified in the WCCP configuration commands using dynamic service identification numbers (such as "10" or "20", as shown in Example 10-4) or a predefined service keyword (such as "web-cache"). The networking device uses that information to validate that service group members are all providing or using the same service.
**Example 10-3: Creating an ACL to Define Where to Send the Traffic and Creating the WCCP Redirect Lists**

```
access-list WSA extended permit ip host 10.1.2.3 any
wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
wccp 10 redirect-list FTP-TRAFFIC group-list WSA
wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
```

4. Finally, configure the WCCP redirection of traffic on the source interface (the inside interface in this example), as shown in Example 10-4.

**Example 10-4: Configuring Redirection of Traffic on the Source Interface**

```
wccp interface inside web-cache redirect in
wccp interface inside 10 redirect in
wccp interface inside 20 redirect in
```

You can also configure WCCP on a Cisco Secure Firewall or Cisco Firepower Threat Defense (FTD) device by using the Cisco Firewall Management Center (formerly Cisco Firepower Management Console [FMC]) FlexConfig policies. A FlexConfig policy is a container of an ordered list of FlexConfig objects. Each object includes a series of Apache Velocity scripting language commands, Cisco ASA software configuration commands, and variables that you define. The contents of each FlexConfig object are essentially a program that generates a sequence of Cisco ASA commands that will then be deployed to the assigned devices. This command sequence then configures the related feature on the Cisco Secure Firewall device. The Cisco Secure Firewall devices use Cisco ASA configuration commands to implement some features, but not all features. There is no unique set of Cisco Secure Firewall configuration commands. Instead, the point of FlexConfig is to allow you to configure features that are not yet directly supported through the Cisco FMC policies and settings. Figure 10-4 shows the use of FlexConfig to configure WCCP on a Cisco Secure Firewall device via the Cisco FMC.

**NOTE:** Cisco strongly recommends using FlexConfig policies only if you are an advanced user with a strong Cisco ASA background, and at your own risk.
Enabling features through FlexConfig policies may cause unintended results with other configured features.

![Figure 10-4: Configuring WCCP on a Cisco Firewall via FMC's FlexConfig](./figure_10_4.png)

## Configuring WCCP on a Cisco Switch

Let's take a look at how to configure WCCP on a Cisco switch to redirect traffic to the Cisco Secure Web Appliance. Refer to the topology shown in Figure 10-5. The following are the steps to configure WCCP on a Cisco switch to send traffic to the Cisco Secure Web Appliance.

![Figure 10-5: Configuring WCCP on a Cisco Switch to Send Traffic to a Cisco Secure Web Appliance](./figure_10_5.png)

1. Configure access control lists (ACLs) to match the HTTP and HTTPS traffic, as demonstrated in Example 10-5. The two protocols are matched by separate ACLs because they are redirected by different WCCP service groups in a later step.

**Example 10-5: Matching HTTP and HTTPS Traffic**

```
! HTTP-TRAFFIC and HTTPS-TRAFFIC are the redirect lists referenced
! by the web-cache and 20 service groups in Example 10-8
ip access-list extended HTTP-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.2.0 0.0.0.255 any eq www
ip access-list extended HTTPS-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit tcp 10.1.2.0 0.0.0.255 any eq 443
```

2. You can also redirect FTP traffic to the Cisco Secure Web Appliance. In Example 10-6, an ACL called FTP-TRAFFIC is configured to match the FTP traffic that will be redirected via WCCP. This ACL, along with the ones configured in Example 10-5, will be associated with the WCCP configuration at a later step.

**Example 10-6: Matching FTP Traffic**

```
ip access-list extended FTP-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
 permit tcp 10.1.1.0 0.0.0.255 any range 11000 11006
 permit tcp 10.1.2.0 0.0.0.255 any eq ftp
 permit tcp 10.1.2.0 0.0.0.255 any range 11000 11006
```

3. Configure another ACL to define where to send the traffic (that is, the Cisco Secure Web Appliance's IP address), as shown in Example 10-7.

**Example 10-7: Defining Where to Send the HTTP, HTTPS, and FTP Traffic**

```
ip access-list standard WSA
 permit 10.1.3.3
```

4. Create the WCCP lists, as demonstrated in Example 10-8.
**Example 10-8: Creating the WCCP Lists**

```
ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
ip wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
```

5. Configure the WCCP redirection of traffic on the source interface, as shown in Example 10-9.

**Example 10-9: Configuring the WCCP Redirection of Traffic on the Source Interface**

```
interface vlan88
 ip wccp web-cache redirect in
 ip wccp 10 redirect in
 ip wccp 20 redirect in
```

## Configuring the Cisco Secure Web Appliance to Accept WCCP Redirection

Figure 10-6 shows how to configure WCCP on the Cisco Secure Web Appliance.

![Figure 10-6: Configuring WCCP on the Cisco Secure Web Appliance](./figure_10_6.png)

Navigate to `Network > Transparent Redirection` and click `Edit Device`. Select `WCCP v2 Router` from the drop-down and click `Submit`. Click `Add Service` to add a new WCCP redirection service; the screen shown in Figure 10-6 is displayed.

**NOTE:** The WCCP configuration can be customized to use different service IDs for different traffic. Each service ID needs a separate entry on the Cisco Secure Web Appliance.

## Traffic Redirection with Policy-Based Routing

You can also configure PBR on a Cisco router to redirect web traffic to the Cisco Secure Web Appliance, as shown in Example 10-10.

**NOTE:** Configuring PBR can affect the router's performance if enabled in software (without hardware acceleration). You should review the respective router documentation to determine any impact.

**Example 10-10: PBR Configuration in a Cisco Router**

```
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 443
!
route-map WebRedirect permit 10
 match ip address 101
 set ip next-hop 10.1.3.3
!
interface vlan88
 ip policy route-map WebRedirect
```

## Cisco Secure Web Appliance Security Services

The Cisco Secure Web Appliance uses security components to protect end users from a range of malware threats. You can configure antimalware and web reputation settings for each policy group. When you configure Access Policies, you can also have AsyncOS for Web choose a combination of antimalware scanning and web reputation scoring to use when determining what content to block. Figure 10-7 shows the Security Services options in the Cisco Secure Web Appliance.

![Figure 10-7: Security Services Options in the Cisco Secure Web Appliance](./figure_10_7.png)

**NOTE:** The CCNP Security 300-725 SWSA exam, "Securing the Web with Cisco Web Security Appliance (SWSA)," and the CCIE lab cover configuration and troubleshooting of the Cisco Secure Web Appliance.

## Deploying Web Proxy IP Spoofing

When the Cisco Secure Web Appliance (as a web proxy) forwards a request, by default it changes the request source IP address to match its own address. However, you can change this behavior by enabling web proxy IP spoofing so that requests appear to come from the client rather than from the Cisco Secure Web Appliance. IP spoofing is supported in transparent and explicitly forwarded proxy configurations. When the Cisco Secure Web Appliance is deployed in transparent mode, you can enable IP spoofing either for only transparently redirected connections or for all connections (transparently redirected and explicitly forwarded). When you configure explicit proxy with IP spoofing, you must ensure that HTTP reply packets are routed back to the Cisco Secure Web Appliance.

**NOTE:** When you configure IP spoofing and the Cisco Secure Web Appliance is connected to a WCCP router, two WCCP services must be configured (one based on source ports and one based on destination ports) in order to track the underlying HTTP transactions.
## Configuring Policies in the Cisco Secure Web Appliance

The Cisco Secure Web Appliance identifies and controls web requests using different policies. When a client initiates a web request to a web server, the Cisco Secure Web Appliance inspects the transaction and determines to which policy it belongs. The defined policy actions are then applied to the request.

**TIP:** The Cisco Secure Web Appliance evaluates policies from the top down (similar to router and firewall ACLs). A best practice is to place the most frequently matched policies at the top to increase performance.

One of the policy types you can enable in the Cisco Secure Web Appliance is called identification policies. Identification policies are configured to identify the users behind the web requests, instead of just reporting based on the IP address of the system or device making the web request. You can configure the Cisco Secure Web Appliance to interact with Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) authentication servers.

**NOTE:** LDAP supports only basic authentication, whereas AD supports NTLM, Kerberos, and basic authentication.

Traditionally, users are identified by username and password, and their credentials are then validated against an authentication server. Subsequently, policies are applied based on the username. However, the WSA can be configured to authenticate users without prompting the end user for credentials (transparent identification). When you enable transparent identification, the user is authenticated using the authentication "state" obtained from another trusted source. Consequently, the Cisco Secure Web Appliance assumes that the user has already been authenticated by that trusted source and applies the configured policies. Transparent authentication is considered a single sign-on (SSO) environment, and the users are not aware that a proxy has been deployed.
This is also useful when client devices are not capable of displaying an authentication prompt (such as a printer or an IP phone).

The Cisco Secure Web Appliance provides different options for the AD or LDAP realm (authentication). The following are the available schemes when using AD authentication (AD realm):

- **Basic authentication:** Done via a web browser. Basic authentication is not transparent.
- **NTLMSSP:** This is a type of transparent authentication. The web browser must be compatible and provide support for NTLMSSP. NTLMSSP uses AD domain credentials for login and is typically used in Windows AD environments (although it can also work with Mac, with additional configuration on the client side).
- **Kerberos:** Primarily used with Windows clients, Kerberos is considered the more secure option.

The Cisco Secure Web Appliance supports several authentication schemes so that a wide range of clients can be supported. The Authentication Surrogates options enable you to configure how web transactions will be associated with a user after the user has been successfully authenticated. The following options are provided by the Cisco Secure Web Appliance:

- **IP Address:** The user's identity is used until the surrogate times out.
- **Persistent Cookie:** The user's identity is used until the surrogate times out.
- **Session Cookie:** The user's identity is used until the browser is closed or the session times out.

There are also access policies. Access policies configured in the Cisco Secure Web Appliance map the identification profiles and users. They also map time-based restrictions, to make sure that the necessary controls align with your business policies. You can add a new policy by navigating to Web Security Manager > Access Policies > Add Policy. There you can assign a unique name for the policy and map the identification profile settings and optional additional advanced settings.
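The following Python model ties together the three ideas just described: identifying the user through an authentication surrogate (IP address, persistent cookie, or session cookie), re-authenticating when the surrogate times out or the session cookie disappears with the browser, and then evaluating access policies top-down with the first match winning. It is an added teaching example written for this chapter, not Cisco code or AsyncOS behavior in any detail; the usernames, IP addresses, policy names, URL categories, and timeout values are constructed sample data, and the `DIRECTORY` mapping is a stand-in for the trusted source that transparent identification consults.

```python
"""Model of Cisco Secure Web Appliance request handling for this chapter:
the user is identified through an authentication surrogate, then access
policies are evaluated top-down and the first match wins. This is an added
teaching model, not Cisco code; users, IPs, policies, categories and
timeouts below are constructed sample data."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    client_ip: str
    category: str                       # URL category of the requested site
    cookies: dict = field(default_factory=dict)
    now: float = 0.0                    # simulated clock, seconds


class SurrogateCache:
    """Remembers a client's identity after successful authentication.
    ip / persistent_cookie: identity kept until the surrogate times out.
    session_cookie: additionally lost when the browser closes (cookie gone)."""

    def __init__(self, mode: str, timeout: float):
        if mode not in ("ip", "persistent_cookie", "session_cookie"):
            raise ValueError(f"unknown surrogate mode {mode}")
        self.mode, self.timeout, self._entries = mode, timeout, {}

    def _key(self, req: Request) -> Optional[str]:
        return req.client_ip if self.mode == "ip" else req.cookies.get("surrogate")

    def remember(self, req: Request, user: str) -> None:
        if self.mode != "ip":
            req.cookies["surrogate"] = secrets.token_hex(16)   # opaque cookie set on the client
        self._entries[self._key(req)] = (user, req.now)

    def lookup(self, req: Request) -> Optional[str]:
        key = self._key(req)
        entry = self._entries.get(key)
        if entry is None:
            return None
        user, since = entry
        if req.now - since > self.timeout:
            del self._entries[key]       # surrogate timed out: authenticate again
            return None
        return user


def close_browser(cookies: dict, mode: str) -> dict:
    """Session cookies vanish when the browser closes; persistent cookies survive."""
    return {} if mode == "session_cookie" else dict(cookies)


@dataclass
class AccessPolicy:
    name: str
    members: Optional[set]              # identification profile: usernames; None = everyone
    category_actions: dict              # URL category -> block / warn / monitor / allow
    default_action: str = "monitor"


def evaluate(policies, user: str, req: Request):
    """Top-down evaluation, first match wins, like a router or firewall ACL.
    The global policy (members=None) belongs last so it catches everything else."""
    for policy in policies:
        if policy.members is None or user in policy.members:
            action = policy.category_actions.get(req.category, policy.default_action)
            return policy.name, action
    raise RuntimeError("no global policy configured")


def handle(req: Request, cache: SurrogateCache, policies,
           authenticate: Callable[[Request], Optional[str]]):
    """Identify the user (surrogate hit, or authenticate), then apply policy."""
    user = cache.lookup(req)
    if user is None:
        user = authenticate(req)        # browser prompt, NTLMSSP/Kerberos, or a trusted source
        if user is None:
            return "unauthenticated", "authenticate"
        cache.remember(req, user)
    return evaluate(policies, user, req)


# Constructed sample data: a trusted source that already knows which user sits
# behind each IP (transparent identification), and two access policies.
DIRECTORY = {"10.1.1.5": "alice", "10.1.1.6": "bob"}
POLICIES = [
    AccessPolicy("Contractors", {"bob"},
                 {"Social Networking": "block", "Webmail": "block"}, default_action="allow"),
    AccessPolicy("Global Policy", None,
                 {"Adult": "block", "Social Networking": "warn"}, default_action="monitor"),
]


def transparent_auth(req: Request) -> Optional[str]:
    return DIRECTORY.get(req.client_ip)


if __name__ == "__main__":
    cache = SurrogateCache("ip", timeout=600)
    for ip, cat, t in [("10.1.1.6", "Social Networking", 0), ("10.1.1.5", "Social Networking", 0),
                       ("10.1.1.6", "News", 700), ("10.1.1.9", "News", 0)]:
        print(ip, cat, "->", handle(Request(ip, cat, now=t), cache, POLICIES, transparent_auth))
```

Two things are worth noticing when running it. Reversing `POLICIES` so that the global policy sits first makes every request match the global policy, which is exactly the ordering mistake the chapter's top-down TIP warns about. And with an IP surrogate, a request arriving after the 600-second timeout triggers a fresh authentication even though the same client sent it, whereas a session-cookie surrogate is lost as soon as the simulated browser closes.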
After submitting the new policy, you can do additional customization to adjust how the access policy behaves compared to the global policy settings.

**TIP:** You can use the Protocols and User Agents settings to control which protocols a policy allows and to block specific client applications (including social media or instant messaging clients). You can also configure the Cisco Secure Web Appliance to tunnel HTTP CONNECT requests on specific ports.

You can also customize URL filtering using different policies to specify how the Cisco Secure Web Appliance handles a transaction based on the URL category of a particular HTTP or HTTPS request. When you configure URL filtering, you can also define custom URL categories. Once the custom URL category is created, you can specify whether to block, redirect, allow, monitor, warn, or apply quota-based or time-based filters for websites in the custom categories.

The following are some additional settings and customizations you can configure in the Cisco Secure Web Appliance:

- Earlier in this chapter you learned about the AVC engine. You can use the AVC engine to enforce acceptable-use policy components to block or allow applications by application type and by individual applications. In addition, you can control different application behaviors (for example, file transfers).
- You can also configure the Cisco Secure Web Appliance web proxy to block file downloads based on file characteristics, including the file size, file type, and MIME type.
- By default, the Cisco Secure Web Appliance only redirects and decodes port 80 HTTP traffic. However, you can configure the Cisco Secure Web Appliance to decrypt and evaluate SSL traffic. You can do this by navigating to Security Services > HTTPS Proxy. Furthermore, a root certificate used to sign web traffic must be created or uploaded to the Cisco Secure Web Appliance. You can create a certificate on the Cisco Secure
