Cisco CCIE Security 350-701 – CIsco Web Security Appliance – WSA

1. Cisco Web Security – WSA-CWS

The next thing we will try to understand the Cisco solution to provide web security. Now, Cisco mainly offers two solutions to provide web security. One is for on premises by using a dedicated device called WSM. And we have another solution for cloud, cloud web security. The basic difference is on premises means like you have your internal network. Let’s say this is my internal network, my company network, the LAN and the users sitting in my land or trying to access the resources on the internet. Let’s say the web traffic. Now the web traffic goes through your gateway.

Now your gateway can be a router or can be ASA. Like mostly we have some ASAS generally, which also do deep packet inspection, stateful firewall filtering options. So what ASA is going to do is the gateway, we can configure the ACA to redirect the traffic or we can have an inline WSA. Basically we have a device called a Blissa which will be completely monitoring your web traffic depending upon the policies or the rules. Whatever we configure the traffic will be allowed. We can filter the URLs, we can say specific social networking site should be blocked. We can define the URLs, we’ll see more on that. So this is what we call as on premises.

On premises means you are providing the web security to your network which is present in your company. So it’s like on premises, we call it as. Now another, we have users who are remote users. Like, let’s take an example here. You got a branch office here. Now you want this branch office also should be secured, means whatever the traffic going on, the internet should be secured. The web security you want to apply. But basically you may have multiple branch offices. Let’s say I got some multiple branch offices. So implementing WSA for each and every branch office probably on premises is not going to be scalable. Or even you have some remote users, like remote users or the VPN users who are trying to access from a different location, not from your branch office.

So what you can do is you can configure something called cloud web security where you can ensure that whatever the traffic going from this ASA, it actually connects to some kind of cloud infrastructure. Like it’s a kind of cloud environment which is going to scan the traffic for malware as well as it is going to scan for kind of policy enforcement. Now your traffic will be redirected to the cloud instead of getting into the WSA here. So you have a WSA here on premises, but here you don’t have onpremises. So this cloud infrastructure, which is like centralized cloud, they connect to that particular cloud infrastructure where you enforce the policies and where it scans from some kind of malicious codes and then before it actually goes on the internet. So this way we can provide your remote branches or the remote users to secure the web traffic.

The same way as you do on on premises. So there’s no much difference between these two. So the only difference is one is on premises, other one is on the cloud. To make that possible again, you generally configure some kind of the device, the ASA or whatever the gateway routers, they use some kind of CWS connectors which will be used to retire the traffic onto the cloud infrastructure. So there are different options. Even most of the ISR g two routers, even the Cisco ASA Firewalls, or even if you’re using remote users, basically, we have something like any connect mobility, client software can be used which can be used to redirect the traffic to the cloud infrastructure. So we got two solutions. Both does the same job. So Cisco acquired a company called Iron Port. So that’s the reason when you get into the command line, you still see some kind of iron port name. That’s a company which was acquired by Cisco to provide web security for on premises. And we have something like scansif. That was the company which was providing the cloud securities.

2. What is WSA ?

Let’s try to understand what is WSA? As I said, WSA stands for Web security appliance from Cisco. Now WSA mainly do two jobs. It provides something called web filtering, filtering the web traffic and it provides something called web caching. So the proxy kind of services, proxy services. So basically what is the job up of the WSA or securing the web traffic where we need to ensure that whatever the traffic which is going on to the web, anything on the internet which is going through ASA file wall in general. So this web traffic should be secured. Now you can ask me like already we have a WSA, sorry, the ASA device. So what additionally the WSA is going to do. So WSA is kind of dedicated device only for web traffic because again ASA does something like deep packet inspection and kind of state full packet filtering, firewall rules, ACLs basically.

But this is like a dedicated device where you have a lot of options to secure your web traffic. But again in ASA it’s kind of limited, it becomes a little bit more complex if you want to secure the web traffic. And of course proxy services are not available again, so what devlisa can do is do web filtering and inspection. So one of the option is web filtering. Now in this web filtering the is going to filter the traffic based on some predefined categories. Like here you have some predefined categories, you have something called bad sites let’s say. And if you’re trying to access any kind of bad website which is like having basically again there is some kind of reputation scoring.

So if you’re trying to access some kind of website will be automatically blocked based on the predefined categories, means you don’t need to specifically say that okay, block this specific URL. So any kind of website which contains malicious codes as per the database, it will be blocked automatically. Or even you can define your own categories. Also even I can create my own URL categories to block specific URLs or specific sites in general. So you can also define something like you can say block all the social networking sites or even you can say like gaming sites or any kind of movies. So basically you can block this kind of URLs or even you can say let’s say hello the Facebook, but don’t allow video chatting or those kind of applications should not run at the back end.

So kind of micro or mini applications inside that particular URL. So you can specifically define that. So blocks up application at the application level. As I said, you can block specific things in the Facebook and also it will do monitoring, monitoring your traffic, keep a track of all the web traffic which is going. And you can also define some different policies, differentiated policies. Like you can have a separate policy for separate group, like let’s say you have a group, one where you have some it users for them. You can define a separate policy to allow specific traffic. You have a marketing team, you want to hello, maybe you do marketing on a Facebook. So you want to allow Facebook for those users but not to the It department. Let’s say like that you can have a differentiated rules or the policies based on different groups. So additionally, traffic monitoring also includes, as I said, the inspection.

All the traffic which is going from your land towards the internet will be inspected for kind of malware detection. So you have some inbuilt malware detection. So if any kind of trusted website you are trying to access, let’s say@yahoo. com, and if that particular website has a malicious course, it will be automatically blocked. So you have something like malware detection and the protection and this database is automatically updated again. So if you’re connecting to internet and it will be downloaded from the Cisco cloud infrastructure again based on some updates just like your antivirus programs, whenever you connect to internet it gets updated the signatures similarly. So that will be keep on updating. So as I said, this will help you to identify prevent the kind of threads from the malwares. Now additionally what it will do is it will provide you some kind of web caching proxy services.

Now, the basic example of the proxy is like generally you may have a term called proxy servers or proxies. And the proxies what happens is the client is going to send out a request to the proxy server or the caching server and this proxy server is going to forward the request onto the internet. Let’s say you are trying to access a specific kind of yahoo page and this proxy server is going to check whether this web information is present in my database or not. If it is not in the database, it will forward the request on behalf and get the content and this content will be stored or we can say it is cached in its memory. So the next time when any other user trying to access the same URL or the same specific content, so this copy of this information will be sent directly from the proxy and the requests do not reach the Internet all the time. So this is very important.

Generally if you take an example of your LAN, so typically your LAN connect to the router and then you have access to internet and let’s say I’m using some kind of 20 Mbps line onto the internet and maybe your LAN is 100 Mbps let’s say. So each time the request and let’s say you have 100 users and if the 100 users are trying to access a specific URL maybe 100 times, so every time the request goes to the internet come back, that will increase unnecessary traffic here.

At the same time it will add some delay. So instead it will be cached again, WSA also provides the caching services. So the first time the request goes here and then goes on the internet and the next time probably the same content will be downloaded or you get from the proxy server instead of going to the internet. So basically this is kind of option so not only Http, it also provides a proxy for Https even some of the native FTP applications also it supports and also some other applications we saw uses these specific protocols. So the same example here web proxy basic services what they do so basically this is a job of a proxy server so you have proxy services inbuilt Inside the Devils.

3. WSA- HOw it Works

Now the next thing we’ll try to understand the BLA deployment modes. Now the WSA can be deployed in two different modes. Either you can configure in a transparent mode or explicit mode. By default explicit mode is enabled. Now the mode will define how the traffic is being redirected to the replacement. So normally the traffic, when the user initiates the traffic, it has to get redirected to the replacement. That is compulsory. Now there are options whether you want the end user, the browser redirect directly to the replacement or you want the gateway to redirect the traffic. So it depends on the mode and also who will redirect and how it will get redirected and also who will do the resolution, the DNS resolution. Like whenever you type@yahoo. com you need to know what is the IP again, so that DNS request is initiated by the WSA or the end device.

So the simple difference between these two is if you are running in an explicit mode, explicit mode, what happens is we’ll go inside the browser. So there are options inside the browser generally. So inside the browser, like let’s say I’m using Internet Explorer, so we’ll go to the end device and onto the Internet Explorer. We have an option of proxy settings in that we are going to tell the WSA is let’s say the IP address of the device is 108, 216815 and we’ll define that all the web traffic should be proxy to this particular server. This is my WSA IP.

So which means your web browser is configured to redirect the traffic automatically to the TABLESA without reaching the gateway. Means normally it doesn’t go to the gateway, the web traffic in the explicit mode, it will be sent directly to the device based on the proxy settings inside your browser. So the client request for website, the browser first goes to the device and from there the same process again, the device initiates a request and then inspect all the things as they discussed in the previous. The same thing happens, it will check the policies, all those things and then from there it goes to the end here and then on the Internet and come back. And that’s how it goes. So here the DNS resolution is done by the device. So device is going to resolve the, basically resolve the DNS resolutions here. Now, whereas if you’re using transparent proxy mode, which we generally use the preferable option because in explicit proxy configuring each and every browser, it’s not really scalable again.

So basically what we’ll do is we use a transparent proxy where the client requests the website and then the browser is trying to connect to the website. So whenever the web traffic is initiated, so it goes to the gateway. And on the gateway we’ll configure saying that if any traffic coming from this source, if it matches port number 80, whatever the ports we are using, then that will be, that should get redirected. So here the network device is going to redirect all the web traffic based on the configuration to the WSA by using WCCP protocol. And from there again, the same process like WSA will check whether it is allowed or not and then initiates a connection, get the web page, check for the malicious content and return back to the end user.

And here the resolution is done by the client. So the client is going to resolve first, because whenever the client sends a request like XYZ. com, the client sends a request to the DNS server and get the resolution automatically. And then after that the request goes to the device. So depending upon which mode you actually use so there are two differences. One is, if you’re using explicit mode, we need to configure the browser to redirect the traffic inside the proxy settings to the device. So the browser should be configured, but whereas in transparent mode we’ll configure the gateway, so we’ll configure the gateway to redirect the traffic to all the web traffic, http or Https, all this traffic should get redirected to the device.

So irrespective of what browser the end user uses, so that will give flexibility for us because we are conferring on the gateway, because all the traffic has to go by a gateway only.

4. WSA Deployment Modes

We will try to understand the debris models. Now, Cisco come up with two different models. We have a physical box because it has physical model and these are the models. If you visit the URL, you’ll find these models and then we have a virtual models as well, like the VMware file, you can download some kind of virtual file. These are the virtual files install on any one of the service. Like you can use Cisco UCS servers inside your VMware. You can use a VMware application to open those applications and you can run it on any high end server also. So you can visit this specific URLs to actually get into the let’s go to the web page here. So there’s the two URLs, you can go to Cisco WSA and compare models. So the basic difference is like the size and the memory capabilities.

Just like your routers, you can see the options like different types of ports available, the CPU and what is the Ram capability of these features. So if you go to virtual appliance, virtual appliance, again, we have different files. So these are like features and depending upon this is actually the physical model. You can see S six, nine, five, the product specifications. These are like the hardware specifications again on the same URL. And if you’re using WSV in the virtual image, again, that comes with multiple options. Here you can see these options and the disk size and what is the memory, how many core processors involved in that. So, mostly Cisco use here is a specific hardware which we can use, but still you can run on any other hardware models as well. Here you can see the same models if anything, depending upon the number of users. You can select the models. If you’re a user, the number of users are less than 1500. So you can go with the low end model S 170 and if your users increases automatically, need to go with the high end model.

So the high end model requires more Ram, more CPUs and also more space is generally required. And these are the specifications here, the ports, the speeds it supports. So similar way again, if you’re using WSA V, the virtual depending upon the number of users, if your users are less than 1000. So probably you go with this virtual image as a V and then you have 100 V, 300 V like this depending upon this. And probably you use some cisco UCS. That’s something Cisco recommends to use this M series models, content, SMA model. So basically this supports some more users again, so this is a specific one user service. So probably I’ll just talk how to download. Basically when I get into the installation process, there will be specifically sharing some URLs from where you can download by using some kind of Cisco account. So by using parts and login, you can download these virtual images.

Also in general, again, the performance totally depends upon specific features like what are the different features you are trying to implement, like if you’re using URL filtering, anti Malware, ABC Application, Visibility Application and Visibility Control and the Web Reputation filtering. So depending upon the license and the number of features you want to support. So basically that is one major factor which will decide the performance of your WSA and of course the users, the number of web requests and the number of users and of course the bandwidth which is reserved for the web traffic. So depending upon the number of users, basically the features will be similar in all the cases that will not vary. So the main performance factor will be decided based on the number of users and the web request again. So if you are looking for additional licenses again, that will slightly degrade the.

5. WSA models – Physical -Virtual Appliance

So next thing, let’s try to see the licensing options with Cisco de Blissive. So, once you have your model, whether it is a physical or virtual appliance models, now we need to get the license. Now the license is mainly divided into three options. Now, before I go to the options, like these are the three options basically depending upon the number of features you want to support. Now, all these licenses, whatever the three licenses which I discussed, the options, they come in two options again, means we can say, it can be either term based, we can get these three licenses either year based, like one year, two years or five years.

Or you can also get a license based on the user, the number of users, the request generally happens. So again you need to contact the sales customer support team. Basically they can give some more information, again the costing, all those things, again the licensing. Either we go with this license, which is general common one, the Web Security Essential license. Now, this provides you with an option of URL filtering. URL filtering, as I said, you can filter specific URLs where you can define your own custom URLs, or you can have predefined URLs, like prevent all social networking sites like that. You can selectively decide with the predefined categories.

So basically WSA have an inbuilt database which will be used to do this URL filtering. Or you can build your own URL as well. And we have something called web reputation. Web Reputation is like generally specific contents or the websites have a rating depending upon the rating. Like there is something like minus ten to plus ten. So if any specific URL have a rating of minus ten, basically it’s like a very bad website and that will be automatically blocked. So this rating is done basically there are many, many factors done by a centralized database. So there’s something called web reputation. I’ll talk more on this Web Reputation a little bit more in detail in the next sections.

So I’m just giving you an overview. Here the basic overview ABC Application Visibility Control so this helps you to identify the applications. Like as I said, you are using a Facebook. com, you’re accessing this URL, but inside that URL you are also using some kind of, let’s say, gaming application. So this WC have a mechanism to check the inside contents. So not just seeing whether it is Http traffic or not, also the specific application used. And based on that we can restrict, we call it as a micro application kind of thing. So on which port, what protocol, even if there are options like you have something like Https page because it is encrypted, even WS have a mechanism to decrypt this page and scan the complete page again, encrypt back and send back to the end user. So we have something like decryption encryption, decryption policies as well.

So these are the things it supports. Usually it has something like thread intelligence. So for thread detection by using Cisco Talos, that is a centralized kind of database and also it supports something called layer four traffic monitoring. So WS have an inbuilt layer for traffic monitoring service which generally blocks some suspicious sessions similar to IPS kind of thing for your web traffic. And Cisco Tele has already said it is like an intelligence organization where you have a group of experts, experts basically what they do is these experts will provide protection for the customers, products and the end services. So kind of building the database maintained by a group of expert security experts.

So additionally it supports policy management. You can create a separate policies for individual groups, we call them as access policies here, distribution of policies based on different groups and also you get some reports as well. So it helps you to maintain the reports and see the reports in a more efficient way which will minimize the time wastage especially when you are monitoring your traffic. You need to have some analyzed reports, some kind of reports or alerts, which will help you to identify the threads or even it will show you most of the options where you can focus completely on verifying the infected users or the host, those kind of information.

So this is kind of web security license. You can go with this additionally if you want, there are additional options like you have web reputation, so Force and webroot anti malware. This is for anti malware protection. Sophos and webfoot are kind of vendors where they are specifically responsible. They provide a protection against some kind of malware, malware or spywares, a kind of antivirus kind of programs. So they basically stop the malicious codes and the malicious applications and blocks most of the unwanted web content in general.

So they have their own databases. So basically Cisco integrates with their database to provide anti malware protection for your web traffic. So if you’re going with web security premium license, so you get both the features in built in this. So if you want both anti malware protection along with all these features. So basically you’ll be going with the premium license. And as I said, these three licenses can be either term based, you can go with the term based license or you can go with quantity based license. Again, there are some additional options licenses as well.

You can go with MacAfee anti malware protection, same like for malware protection and also some advanced model protection. These are like individual additional options. Even you have cognitive threat analysis. This is basically it discovered the threats on its own generally where you don’t need any human intervention required.

• Category: Uncategorized