Cisco WSA Authentication

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 6th part of the series.

A proxy is no real proxy without user authentication. That’s what I’m going to discuss in this post. Authentication is needed for logging and user tracking.

Authentication options:

  • Basic (local accounts)
  • NTLMSSP (for Microsoft Active Directory)

In explicit forwarding mode you can use straightforward proxy authentication. In transparant mode you have to fool the WSA.

In case all authentication services are unavailable, you can choose to permit or block all traffic. You can find this setting in Network > Authentication, click Edit Global Settings.

Continue reading

Cisco WSA Acceptable Use and HTTPS inspection

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 5th part of the series

How can you enforce the Acceptable use?

Acceptable use is mostly defined by Application Visibility Control (AVC). Websites are classified by a URL lookup in the cisco database, based on the URL itself, or a dynamic scan of the website.

To configure this, click Security Services > Acceptable Use Controls

avc

AVC is enabled by default.

HTTPS Inspection (HTTPS Proxy)

It’s getting more important to decrypt HTTPS sessions to check against your policies. You can receive a lot of nasty stuff inside your HTTPS session. But there is one major drawback: the WSA shows the user a SSL certificate of the WSA appliance. In almost all circumstances this certificate wouldn’t match all requirements, so the users receive SSL certificate errors. Make sure your users are familiar with your HTTPS inspection!

How does it works? It’s pretty simple: the WSA creates the HTTPS session to the webserver and creates a new HTTPS session to the user. The responses from the webserver are checked and scanned and deliverd over the new HTTPS session to the user.

Continue reading

Cisco Champion 2015 Rob Rademakers

Cisco Champion 2015 Datacenter

Today is a big day in Cisco social networks: the Cisco Champions for 2015 are selected and I’m proud, honored and excited to announce that I’m elected as a Cisco Champion 2015 for datacenter 2015.

As you might now, I was a Cisco Champion too in 2014, that was the first year the program existed. The second year started today!

For more information about the Cisco Champion program, click here.

As another bonus this year, my colleague Rob Heygele is selected as Cisco Champion in Enterprise networks! Congrats to him and offcourse to all other fellow Champions of 2015!

Cisco WSA Policies

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 4th part of the series.

Creating policies is one the major (en most fun) part of the WSA. In this blog I’ll cover the configuration of access policies and identities.

Click  Web Security Manager > Access Policies

access policy default

Only one policy can be applied. This is based on first match (top-down). If no policy matches, the Global Policy will be used.

First, you have to create a identity. An identity doesn’t identify a user, but it identifies a client or transaction that may require authentication. Identity membership is determined before authentication is done. Policy group membership is determined after authentication is performed.

Click  Web Security Manager > Identities > add identity and create the identity, based on IP’s ip ranges or IP subnets. Possible identities are:

  • Kiosk users
  • Update agents
  • Company users

Continue reading

Cisco WSA Deploying Proxy Services

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 3th blog in the series about the proxy configuration.

There are a two proxy modes:

  • Explicit Forward Mode
  • Transparent Mode

In Explicit Forward Mode the client does have an Proxy configuration. There is no configuration needed on the network infrastructure (routers/switches). Authentication is easy and there are three methods for providing the proxy information:

  • Automatic Proxy script
  • Enter the proxy server IP address
  • Automatic detect settings using WPAD protocol

In transparent mode, there is no configuration needed on the clients. The network infrastructure redirects the traffic (WCCP). Authentication could be an issue.

Redirection options are:

  • Web Cache control protocol (WCCP, used in Cisco ASA, ASR and Catalyst switches)
  • Policy based routing
  • Layer 4 switch
  • Layer 7 switch (like a Citrix Netscaler)

WCCP is the most used redirection option for transparant proxies. For more information about WCCP and the configuration, check this link.

PAC files

PAC files are used in Explicit Forward Mode. The PAC file link is configured on the clients’ proxy settings. If you need help with creating PAC files, check this link.

You can host the PAC file on any webserver, but hosting on the WSA is possible too. Click Security Services > PAC File Hosting  and upload your PAC file. It’s recommended to host the PAC file on a seperate web server.

Continue reading