Content Security Flashcards
Cisco acquired company that created what we know today as the Cisco Web Security Appliance (WSA) and the Cisco Email Security Appliance (ESA)
Ironprot
Cisco WSA and Cisco ESA can be managed by ?
This provides a solution for centralizing the management and reporting functions of multiple Cisco ESA and Cisco WSA devices
Cisco Security Management appliance (SMA)
This power Cisco WSA, ESA and SMA. It is based on freeBSD based kernel. This does not have a user UNIX Shell. Administrators can configure the system using a web admin portal (or web based) or a fully scriptable command-line interface (CLI)
Cisco Async Operating System (AsyncOS)
Different Web Security Appliance (WSA) feature engine
- web reputation engine
- web filtering
- application visibility and control (AVC)
- cloud access security
- anti virus scanning
- file reputation
- data-loss prevention
- file sandboxing
- file retrospection
- cognitive threat analysis
Cisco WSA typically placed either on the inside of the internet edge firewall or in a demilitarized zone. Cisco WSA have one or more of the following interface types
- M1 : Typically used for management
- P1/P2 : Typically the interfaces used for web proxy traffic. Each interface must be connected to different subnets
- T1/T2: Used for layer 4 traffic monitoring to listen to all TCP Ports. They are not configured with IP address because they are promiscuous monitoring ports.
Two modes of deployment for Cisco WSA
- Explicit forward mode (client explicitly use proxy)
- Transparent mode (client dont know there is a proxy. Network infrastructure device are configured to forward traffic to WSA)
On WSA traffic redirection can be done using?
PBR (policy based routing) on many routers
Cisco’s Web Cache Communication Protocol (WCCP) on Cisco ASA, routers and switches
Steps in configure WCCP in Cisco ASA to redirect web traffic to Cisco WSA
- Create ACL to define Http and https
- access-list HTTP-traffic permit tcp 10.1.1.0 255.255.255.0 any eq www
- access-list HTTPS-traffic permit tcp 10.1.1.0 255.255.255.0 any eq https - You can also inspect FTP traffic
- access-list FTP traffic permit tcp 10.1.1.0 255.255.255.0 any eq ftp
- acecss-list FTP-traffic permit tcp 10.1.1.0 255.255.255.0 ay range 1100 11006 - creating an ACL to define where to send the traffic
- acess-list WAA extended permit ip 10.1.2.3 any
- wccp web-cache redirect HTTP-traffic group-list wsa
- wccp 10 redirect-list FTP-traffic group-list WSA
- wccp 20 redirect-list HTTPS-traffic group-list WSA - configuring traffic redirection on source interface
- wccp interface inside web-cache redirect in
- wccp interface inside 10 redirect in
- wccp interface inside 20 redirect in
You can configure WCCP on a Cisco Firepower Threat Defence (FTD) device by using this. It is a container of an ordered list of FlexConfig objects.
Cisco Firepower Management Console (FMC) Flexconfig Policies
When Cisco WSA (a s web proxy) forward request, by default it changes the request source iP address to match it own IP. However you can change this by enabling ______ ?
Web proxy IP Spoofing
Policy type that you can enable in the Cisco WSA. This policies are configured to identify user behind the web request instead of just IP address
Identification policies
Cisco WSA provides different options for the AD or LDAP realm authentication. These are the available schemes
- Basic authentication : Done via web browser. Not transparent
- NTLMSSP : This is transparent authentication. The web browser must be compatible and provide support for NTLMSSP.
- Kerberos: Primarily use for windows client. Considered as a more secure options
Authentication surrogates options enable you to configure how web transactions willbe associated with a user after the user has been successfully authenticated. Here are the options
- IP Address : until surroages times out
- Persistent cookie : until surrogates timeout
- session cookie: until session timeout or browser is closed
This policies in WSA map the identification profile for users. also time-based restrictions
Access policies
Additional settings and customizations you can configure on WSA:
- you can use the AVC engine to enforce acceptable use-policy components to block or allow applications
- configure as web proxy to block file downloads on file chracacteristics
- define an access policy to apply antimalware and url reputation
- configure WSA to decrypt and evaluate SSL traffic.
- create an outbound malware policy on Cisco WSA to block malware upload
- Cisco WSA support DLP servers.