Cisco S170 Manuale Utente

BRKSEC-2101 Web Security Deployment Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 10 Web Application Control  Many Applications work on top of HTTP t

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 100 Web Security & AnyConnect Configuration for Web Security wit

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 101 Web Security & AnyConnect Configuration – Client Profile Sc

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 102 Web Security & AnyConnect Configuration – Client Profile Ex

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 103 Web Security & AnyConnect Configuration – Client Profile Ac

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 104 Web Security & AnyConnect Configuration – Client Profile Au

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 105 Web Security & AnyConnect Configuration – Config on ASA if u

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 106 Web Security & AnyConnect Configuration for Web Security wi

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 107 Beacon Server for the AnyConnect Web Security module  Beacon Se

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 108 DEMO – AnyConnect with Web Security

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 109 Scansafe & IPv6 Support  Current version of Web Security do

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 11 About Reputation  Cisco SIO gathers statistical informations fro

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 110 Upcoming: Easy ID  Clientless User authentication via webbrowse

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 111 Agenda  Overview Web Security  Web Security with Cisco Ironpor

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 112 Secure Mobility Future – Hybrid Security Internet Remote User w

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 113 Summary  Cisco Web Security Solution leverages a comprehensive

Recommended Reading Please visit the Cisco Store for suitable reading.

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 115 Please complete your Session Survey  Don't forget to compl

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 116

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 117 Thank you.

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 12 About Reputation  Malicious websites are tracked globally throu

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 13 Examples: Reputation Values  Known Botnet or Phising Site  Agr

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 14 Examples: Reputation Values (2)  Neutral Site  Site with good h

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 15 Network Participation  Admin can define the level of participati

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 16 Agenda  Overview Web Security  Web Security with Cisco Ironport

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 17 Explicit Proxy Internet Internet Web server Web Security Applianc

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 18 How does the Browser find the Proxy?  Proxy setting in the brows

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 19 How does the Browser find the Proxy?  Automatic Configuration vi

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 2 Housekeeping  We value your feedback- don't forget to comple

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 20 PAC Deployment  Via AD and GPO  Via script  Via manual setting

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 21 WPAD Server  WPAD Server hosts PAC file as wpad.dat  File is re

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 22 WPAD and Windows 2008  Starting with W2008 DNS Server, its no lo

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 23 Explicit Deployment - Summary  Requires Client Settings in the B

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 24 Transparent Proxy via WCCP Internet Internet Web server Web Secur

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 25 Background on WCCP  WCCPv1 developed in 1997 by Cisco Systems an

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 26 Details Assignment The WCCP assignment method is used to determin

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 27 Gory Details for HASH and MASK  Hash - Combines packet’s src/des

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 28 Details Redirect and Return  Redirect Method - WCCP GRE - Entire

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 29 WCCP input redirect Ingress Interface Egress Interface WCCP Input

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 3 For Your Reference  There are (many...) slides in your print-outs

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 30 WCCP output redirect and input exclude Ingress Interface Egress I

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 31 How WCCP registration works WCCP Client WCCP Server 1. Registrati

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 32 Buckets 86–170 Buckets 86–128 Buckets 1–85 Buckets 129–170 Bucket

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 33 Using WCCP for Traffic Redirection  WCCPv2 support is availible

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 34 Using WCCP for Traffic Redirection (2) Performance Considerations

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 35 WCCP Protocol Service Group  The routers/switches and WCCP clien

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 36 Current (Cisco) Service Groups ID Product Name Protocol Port

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 37 VLAN10 WCCP with L3 Switch (3560/3750) L2 Redirect VLAN10 Interne

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 38 VLAN40 WCCP with L3 Switch (3560/3750) L2 Redirect VLAN10 Interne

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 39 WCCP with L3 Switch L2 Redirect - Verification munlab-3560X#show

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 4 Agenda  Overview Web Security  Web Security with Cisco Ironport

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 40 WCCP with L3 Switch (CAT6500) L2 or GRE Redirect r1 r2 WAN SiSiS

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 41 WCCP with ASA access-list WCCPRedirectionList extended deny ip 17

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 42 Internet WCCP with ASA – Virtual Context Virtual Firewalls with s

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 43 WCCP with Router – ISR, ISRG2 ip cef ip wccp version 2 ip wccp 91

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 44 WCCP Router Redirect and Return Support WCCP GRE Redirect WCCP L

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 45 WCCP Platform Recommendations Function Support / Recommend Softw

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 46 Transparent Redirection and HTTPS Symptoms:  Successfully config

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 47 Transparent Deployment - Summary  No client settings necessary 

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 48 DEMO – WSA with transparent redirection

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 49 Deploying using external Loadbalancer  Scalable up to 16 Gig Thr

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 5 1996

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 50 General Consideration - Upstream Proxy  WSA can be deployed behi

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 51 Special Case...not yet validated  Internet Internet Web server W

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 52 Clientless SSL with WSA - Example For Your Reference For Your Ref

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 53 Agenda  Overview Web Security  Web Security with Cisco Ironport

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 54 Policy - Authentication  Policy objects can be managed from cent

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 55 Authentication User Directory Web Security Appliance  Authentic

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 56 Surrogates  Surrogates define how Users are tracked once the hav

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 57 Proxy and Authentication Types Proxy Type Authentication Browser

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 58 HTTP Response Codes  200 – OK Request was sent successfully  30

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 59 NTLM Authentication  NTLM requires Account in the AD Domain  Cr

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 6 Today‘s Websites...

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 60 LDAP Authentication  LDAP queries on port 389 or 636 (Secure LDA

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 61 Authentication against LDAP  Knowing the LDAP Base DN is fundame

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 62 Authentication against LDAP  Knowing the LDAP Base DN is fundame

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 63 Testing the query  After defining the query, check result! For

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 64 Authentication in Explicit Deployment Web Security Appliance Use

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 65 Authentication in Transparent Deployment Web Security Appliance

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 66 Authentication in Transparent Deployment What the client thinks

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 67 IE8/IE9 with Single-Sign On  SSO on WSA correctly configured but

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 68 Transparent User Identification (TUI) Web Security Release 7.5 In

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 69 Transparent User Identification (TUI) Web Security Release 7.5 –

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 7 Appliance or Cloud?

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 70 Transparent User Identification (TUI) Web Security Release 7.5 -

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 71 Transparent User Identification (TUI) Web Security Release 7.5 -

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 72 DEMO – WSA with Transparent User Identification

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 73 Transparent User Identification – Summary & Caveats  Uses an

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 74 Cisco Ironport WSA & IPv6 Support  Current version of WSA do

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 75 Sizing for WSA  Main Parameter for sizing is “requests per secon

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 76 Summary – Cisco Ironport Web Security Appliance  Scalable On-pre

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 77 Agenda  Overview Web Security  Web Security with Cisco Ironport

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 78 Websecurity through Cloudservice  Hosted Websecurity through Cis

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 79 Data Flow with ScanSafe Web requests Allowed traffic Filtered tra

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 8 Agenda  Overview Web Security  Web Security with Cisco Ironport

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 80 Scalability & Reliability See BRKSEC-2346: Inside the Scansa

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 81 Outbreak Intelligence <html> <js> <swf> <pdf

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 82 Agenda  Overview Web Security  Web Security with Cisco Ironport

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 83 Corporate Network Challenge: Branch Office with local Breakout In

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 84  Firewall directs web traffic to ScanSafe security service via T

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 85 ASA 8.3 Port Forwarding Config object network scansafe-protected-

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 86  HTTP only  Non standard HTTP ports must get a dedicated NAT Ru

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 87  Proxy Settings are pushed to browsers via Active Directory GPO

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 88 Agenda  Overview Web Security  Web Security with Cisco Ironport

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 89  PIM is a small EXECUTABLE, run by Login Script or GPO  Runs GP

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 9 Cisco Web Security Appliance  Web Proxy incl. Caching (http,htt

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 90  PIM adds -XS headers to the browser’s user agent string  Inclu

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 91  Proxy Settings are pushed to browsers via AD,GPO or PAC file 

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 92 ISR G2 with integrated Connector 92  Connector is integrated in

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 93 ISR G2 with integrated Connector Simple Config 93 parameter-map t

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 94 ISR G2 with integrated Connector Solution Guide 94 www.cisco.com/

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 95 Sizing and scalability for ISR with Connector 3945E 3925E 3945 39

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 96  Installs a Network Driver which binds to all connections (LAN,

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 97 Web Security & AnyConnect 97  Supported on Windows & MAC

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 98 Web Security & AnyConnect 98  Single and modular client VPN

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 99 How Does it Work?  Authenticates and directs your external clien