BRKSEC-2101 Web Security Deployment Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKSEC-2101 10 Web Application Control Many Applications work on top of HTTP t
100 Web Security & AnyConnect Configuration for Web Security wit
101 Web Security & AnyConnect Configuration – Client Profile Sc
102 Web Security & AnyConnect Configuration – Client Profile Ex
103 Web Security & AnyConnect Configuration – Client Profile Ac
104 Web Security & AnyConnect Configuration – Client Profile Au
105 Web Security & AnyConnect Configuration – Config on ASA if u
106 Web Security & AnyConnect Configuration for Web Security wi
107 Beacon Server for the AnyConnect Web Security module Beacon Se
108 DEMO – AnyConnect with Web Security
109 Scansafe & IPv6 Support Current version of Web Security do
11 About Reputation Cisco SIO gathers statistical information fro
110 Upcoming: Easy ID Clientless User authentication via webbrowse
111 Agenda Overview Web Security Web Security with Cisco Ironpor
112 Secure Mobility Future – Hybrid Security Internet Remote User w
113 Summary Cisco Web Security Solution leverages a comprehensive
Recommended Reading Please visit the Cisco Store for suitable reading.
115 Please complete your Session Survey Don't forget to compl
117 Thank you.
12 About Reputation Malicious websites are tracked globally throu
13 Examples: Reputation Values Known Botnet or Phishing Site Agr
14 Examples: Reputation Values (2) Neutral Site Site with good h
15 Network Participation Admin can define the level of participati
16 Agenda Overview Web Security Web Security with Cisco Ironport
17 Explicit Proxy Internet Internet Web server Web Security Applianc
18 How does the Browser find the Proxy? Proxy setting in the brows
19 How does the Browser find the Proxy? Automatic Configuration vi
2 Housekeeping We value your feedback- don't forget to comple
20 PAC Deployment Via AD and GPO Via script Via manual setting
21 WPAD Server WPAD Server hosts PAC file as wpad.dat File is re
22 WPAD and Windows 2008 Starting with W2008 DNS Server, it's no lo
23 Explicit Deployment - Summary Requires Client Settings in the B
24 Transparent Proxy via WCCP Internet Internet Web server Web Secur
25 Background on WCCP WCCPv1 developed in 1997 by Cisco Systems an
26 Details Assignment The WCCP assignment method is used to determin
27 Gory Details for HASH and MASK Hash - Combines packet’s src/des
28 Details Redirect and Return Redirect Method - WCCP GRE - Entire
29 WCCP input redirect Ingress Interface Egress Interface WCCP Input
3 For Your Reference There are (many...) slides in your print-outs
30 WCCP output redirect and input exclude Ingress Interface Egress I
31 How WCCP registration works WCCP Client WCCP Server 1. Registrati
32 Buckets 86–170 Buckets 86–128 Buckets 1–85 Buckets 129–170 Bucket
33 Using WCCP for Traffic Redirection WCCPv2 support is available
34 Using WCCP for Traffic Redirection (2) Performance Considerations
35 WCCP Protocol Service Group The routers/switches and WCCP clien
36 Current (Cisco) Service Groups ID Product Name Protocol Port
37 VLAN10 WCCP with L3 Switch (3560/3750) L2 Redirect VLAN10 Interne
38 VLAN40 WCCP with L3 Switch (3560/3750) L2 Redirect VLAN10 Interne
39 WCCP with L3 Switch L2 Redirect - Verification munlab-3560X#show
4 Agenda Overview Web Security Web Security with Cisco Ironport
40 WCCP with L3 Switch (CAT6500) L2 or GRE Redirect r1 r2 WAN SiSiS
41 WCCP with ASA access-list WCCPRedirectionList extended deny ip 17
42 Internet WCCP with ASA – Virtual Context Virtual Firewalls with s
43 WCCP with Router – ISR, ISRG2 ip cef ip wccp version 2 ip wccp 91
44 WCCP Router Redirect and Return Support WCCP GRE Redirect WCCP L
45 WCCP Platform Recommendations Function Support / Recommend Softw
46 Transparent Redirection and HTTPS Symptoms: Successfully config
47 Transparent Deployment - Summary No client settings necessary
48 DEMO – WSA with transparent redirection
49 Deploying using external Loadbalancer Scalable up to 16 Gig Thr
5 1996
50 General Consideration - Upstream Proxy WSA can be deployed behi
51 Special Case...not yet validated Internet Internet Web server W
52 Clientless SSL with WSA - Example For Your Reference For Your Ref
53 Agenda Overview Web Security Web Security with Cisco Ironport
54 Policy - Authentication Policy objects can be managed from cent
55 Authentication User Directory Web Security Appliance Authentic
56 Surrogates Surrogates define how Users are tracked once the hav
57 Proxy and Authentication Types Proxy Type Authentication Browser
58 HTTP Response Codes 200 – OK Request was sent successfully 30
59 NTLM Authentication NTLM requires Account in the AD Domain Cr
6 Today's Websites...
60 LDAP Authentication LDAP queries on port 389 or 636 (Secure LDA
61 Authentication against LDAP Knowing the LDAP Base DN is fundame
62 Authentication against LDAP Knowing the LDAP Base DN is fundame
63 Testing the query After defining the query, check result! For
64 Authentication in Explicit Deployment Web Security Appliance Use
65 Authentication in Transparent Deployment Web Security Appliance
66 Authentication in Transparent Deployment What the client thinks
67 IE8/IE9 with Single-Sign On SSO on WSA correctly configured but
68 Transparent User Identification (TUI) Web Security Release 7.5 In
69 Transparent User Identification (TUI) Web Security Release 7.5 –
7 Appliance or Cloud?
70 Transparent User Identification (TUI) Web Security Release 7.5 -
71 Transparent User Identification (TUI) Web Security Release 7.5 -
72 DEMO – WSA with Transparent User Identification
73 Transparent User Identification – Summary & Caveats Uses an
74 Cisco Ironport WSA & IPv6 Support Current version of WSA do
75 Sizing for WSA Main Parameter for sizing is “requests per secon
76 Summary – Cisco Ironport Web Security Appliance Scalable On-pre
77 Agenda Overview Web Security Web Security with Cisco Ironport
78 Websecurity through Cloudservice Hosted Websecurity through Cis
79 Data Flow with ScanSafe Web requests Allowed traffic Filtered tra
8 Agenda Overview Web Security Web Security with Cisco Ironport
80 Scalability & Reliability See BRKSEC-2346: Inside the Scansa
81 Outbreak Intelligence <html> <js> <swf> <pdf
82 Agenda Overview Web Security Web Security with Cisco Ironport
83 Corporate Network Challenge: Branch Office with local Breakout In
84 Firewall directs web traffic to ScanSafe security service via T
85 ASA 8.3 Port Forwarding Config object network scansafe-protected-
86 HTTP only Non standard HTTP ports must get a dedicated NAT Ru
87 Proxy Settings are pushed to browsers via Active Directory GPO
88 Agenda Overview Web Security Web Security with Cisco Ironport
89 PIM is a small EXECUTABLE, run by Login Script or GPO Runs GP
9 Cisco Web Security Appliance Web Proxy incl. Caching (http,htt
90 PIM adds -XS headers to the browser’s user agent string Inclu
91 Proxy Settings are pushed to browsers via AD,GPO or PAC file
92 ISR G2 with integrated Connector 92 Connector is integrated in
93 ISR G2 with integrated Connector Simple Config 93 parameter-map t
94 ISR G2 with integrated Connector Solution Guide 94 www.cisco.com/
95 Sizing and scalability for ISR with Connector 3945E 3925E 3945 39
96 Installs a Network Driver which binds to all connections (LAN,
97 Web Security & AnyConnect 97 Supported on Windows & MAC
98 Web Security & AnyConnect 98 Single and modular client VPN
99 How Does it Work? Authenticates and directs your external clien