Ask the Expert: Cloud Web Security on ASA

ciscomoderator
Community Manager

With Maite Cadenas Sanchez

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Cloud Web Security on ASA with Cisco expert Maite Cadenas.

Cisco Cloud Web Security, formerly called ScanSafe, provides exceptional threat protection and control for organizations of all sizes, delivered through the cloud. ASA is one of the transparent connectors you can use with Cisco Cloud Web Security.

Maite Cadenas is a service delivery manager (SDM) for the Cisco Cloud Web Security solution for the EMEAR region. Her work involves helping customers implement the CWS solution in their environment, making sure that they have the support needed during the implementation, and acting as a first technical point of contact. Prior to this role, she was part of the Brussels Security Team in the TAC Center that helps customers troubleshoot Cisco security technologies. She holds a master's degree in telecommunication engineering and a bachelor's degree in networking technologies from Universitat Enginyeria i Arquitechtura la Salle. She also holds CCIE certification in security (#26075) as well as ITILv3 Foundations.

Remember to use the rating system to let Maite know if you have received an adequate response. 

Maite might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Security community, Firewalling sub-community discussion forum shortly after the event. This event lasts through January 31, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

12 Replies

Julio Carvajal
VIP Alumni

Hello Maite,

First of all, thanks for taking the time to answer all of our questions.

Now here are the questions I have at the moment.

1)

I can see there are 2 different types of key:

Company Authentication Key and the Group Authentication Key.

Are both required? Or can I just simply use the Group one or Company one?

I can see they both do the same thing (enable the Cloud Web Security feature), but the Group one actually identifies all traffic from the ASA to be sent to the ScanSafe tower.

2) How does the firewall determine which SSL packets not to redirect to the ScanSafe cloud?

I mean, how does the firewall inspect the HTTPS traffic in order to determine whether the traffic should be redirected or not, as I have not seen in the past the ASA working as an HTTPS proxy.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

Thank you for your questions.

1) Regarding your question about the keys, indeed there are 2 types of keys, but you only need to use one, which will be the license that is requested when configuring the ScanSafe feature (CWS) on your ASA.

---
scansafe general-options
 server primary ip [PRIMARY PROXY IP] port 8080
 server backup ip [SECONDARY PROXY IP] port 8080
 retry-count 5
 license [AUTH KEY]
exit
----

You can choose which one to use:

- Company key: you can only create one per portal

or

- Group key: you can create as many as you have custom groups. This offers more granularity.

You can read more information about the advantages of each one in the following link:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/solution_overview_c07-721174.html

2) Regarding which HTTPS traffic to redirect, the ASA does it based on the policy map configured for it.

In the following "ASA. Scansafe step by step configuration guide", you can see in step 2 that you define an ACL to match all HTTPS. If you would like to match it for specific networks only, you can make the ACL more specific.

https://supportforums.cisco.com/docs/DOC-29676#2_Create_an_accesslist_of_the_traffic_that_needs_to_be_redirected_to_WCCP

Also, there is the possibility to whitelist some traffic. You can find more information on how to do it in the following video:

https://supportforums.cisco.com/videos/6513

Hope that helps.

Maite

Hello Maria,

First, thanks for the answer.

Regarding the SSL one.

Yeah, I know it's via the MPF setup, but that was not my question:

How does the firewall determine which SSL packets not to redirect to the ScanSafe cloud?

I mean, how does the firewall inspect the HTTPS traffic in order to determine whether the traffic should be redirected or not, as I have not seen in the past the ASA working as an HTTPS proxy.

I mean, is all of the SSL traffic being redirected, or can I say only SSL traffic to Facebook, for example?

If the Facebook option (example) is used, how does the firewall determine that Facebook is inside the SSL payload, as of course it goes encrypted?

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Hello Julio,

Good question.

The ASA is only redirecting the HTTPS traffic by adding the ScanSafe (CWS) header in front of it, based on the L3 and L4 (in this case HTTPS) information that matches the traffic specified by the ACL on the MPF.

The ASA is not inspecting inside the SSL traffic since, as you said, it of course goes encrypted. The HTTPS inspection is done in the cloud, and you need to make sure that you have performed all the steps to enable HTTPS inspection on your CWS portal.

The most common scenario I've seen is to send all the traffic with destination port HTTPS (just limiting the source network on the MPF ACL) and then, of course, adding some whitelisting.

Here you can see an example of whitelisting based on source and destination networks.

https://supportforums.cisco.com/videos/6513

Keep in mind that, regarding whitelisting of HTTPS traffic, the ASA (firewall) won't be able to decrypt HTTPS traffic, so whitelisting can only be done via IP address/subnet.

Let me know if that answers your question.

Maite
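Putting the two answers above into one configuration, as an added example that is not from the original thread or from Cisco's documentation: the tower and key settings from the first answer, then the MPF redirect from the second, with the source restricted to the user LAN and IP-based exemptions for HTTPS. The tower addresses 192.0.2.10 and 192.0.2.20, the user subnet 10.1.1.0/24, the internal server range 10.10.0.0/16, the 32-hex-digit key, the portal group name ASA-Users and the interface name inside are all placeholders.

```text
! Tower settings and the single authentication key (company or group key).
! Treat the key as a credential: the ASA stores it encrypted in the running
! config, but anyone holding the value can register a connector under it.
scansafe general-options
 server primary ip 192.0.2.10 port 8080
 server backup ip 192.0.2.20 port 8080
 retry-count 5
 license 0123456789ABCDEF0123456789ABCDEF
!
! Redirect ACLs. The ASA matches L3/L4 only: permit = redirect to CWS,
! deny = bypass. Restrict the source to the user LAN and put the exemptions
! (the IP-based whitelist) above the permit. There is no way to exempt by
! hostname here, because the ASA never looks inside the TLS session.
access-list CWS_HTTP extended deny tcp 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0 eq www
access-list CWS_HTTP extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list CWS_HTTPS extended deny tcp 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0 eq https
access-list CWS_HTTPS extended permit tcp 10.1.1.0 255.255.255.0 any eq https
!
class-map CWS_HTTP_CLASS
 match access-list CWS_HTTP
class-map CWS_HTTPS_CLASS
 match access-list CWS_HTTPS
!
! One inspect policy per protocol: the http/https keyword tells the ASA how
! to form the redirected request, so HTTP and HTTPS get separate policy maps.
! "default group" is the portal group applied when no user identity is known.
policy-map type inspect scansafe CWS_HTTP_PMAP
 parameters
  default group ASA-Users
  http
policy-map type inspect scansafe CWS_HTTPS_PMAP
 parameters
  default group ASA-Users
  https
!
! fail-close (the default) drops matched web traffic when no tower is
! reachable; fail-open lets it through unfiltered. Choose deliberately.
policy-map INSIDE_POLICY
 class CWS_HTTP_CLASS
  inspect scansafe CWS_HTTP_PMAP fail-close
 class CWS_HTTPS_CLASS
  inspect scansafe CWS_HTTPS_PMAP fail-close
!
service-policy INSIDE_POLICY interface inside
```

Because matching is purely by destination port, a server that speaks HTTPS on a non-standard port is neither redirected nor filtered; extend the ACL if that matters in your environment. show service-policy inspect scansafe shows the per-class hit counters, and show scansafe server shows the tower status the ASA is acting on.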

John Ventura
Level 1

Hello Maite,

I need some help please.  My question is if I have an issue with CWS, how do I know if the issue is the ASA or in the cloud? Look forward to hearing back from you soon.

Thank you.

John

Hello John,

Thanks for your question.

Indeed, it is important to be able to narrow down where the issue is, especially if you need assistance and open a TAC ticket, so that you get to the right team (ASA team or CWS team) more quickly to troubleshoot the issue.

In the following link there is a good troubleshooting guide, and you can find a section "Distinguishing Between ASA and CWS Proxy Problems". Basically, the idea is to bypass CWS on the ASA and define CWS as an explicit proxy in the user's browser.

- If, after specifying the explicit proxy in the browser, CWS works, whereas before you were having an issue, then the issue is pointing to the ASA.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/solution_overview_C07-726113.html

Also, some other tips to keep in mind:

NOTE: CWS (ScanSafe) towers do not reply to ping (ICMP); therefore that wouldn't be a valid test of connectivity. A valid test would be to test the TCP connection on port 8080 to the proxy tower. For example:

- When testing an explicit connector: telnet on port 8080

- When testing from the ASA: ASA# ping tcp 8080

Also, in case you need to open a TAC ticket, it will be useful to already provide the following outputs:

From ASA:

1) Show tech

2) show scansafe tower

3) ASA# ping tcp 8080

4) show service-policy inspect scansafe

5) show scansafe statistics

6) Any logs you have collected at the moment of the issue.

From testing PC:

1) whoami.scansafe.net

Other:

Screenshot of the errors you are getting

Hope that helps

Maite
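The isolation step from the answer above, written out for the ASA side as an added example (not part of the original post). Assumed: the test PC is 10.1.1.50, the towers are 192.0.2.10 and 192.0.2.20, and the redirect ACLs are named CWS_HTTP and CWS_HTTPS. Rather than removing the service policy for everyone, exempt only the test PC, since a deny ACE in the redirect ACL means bypass.

```text
! 1) Exempt only the test PC from redirection: a deny ACE inserted as line 1
!    is evaluated before the permit that follows. Everyone else stays filtered.
access-list CWS_HTTP line 1 extended deny tcp host 10.1.1.50 any eq www
access-list CWS_HTTPS line 1 extended deny tcp host 10.1.1.50 any eq https
!
!    Now set the browser on 10.1.1.50 to use the primary tower as an explicit
!    proxy (192.0.2.10, port 8080) and retry the failing site.
!
! 2) Towers do not answer ICMP, so test the TCP port from the ASA itself.
!    This also exercises the ASA's own route and NAT towards the tower,
!    which is exactly what the redirected connections depend on.
ping tcp 192.0.2.10 8080
ping tcp 192.0.2.20 8080
!
! 3) Tower state as the ASA sees it, redirect counters, and whether traffic
!    from the test PC is still matching the class (it should not, after step 1).
show scansafe server
show scansafe statistics
show service-policy inspect scansafe
show conn scansafe
!
! 4) Remove the exemption when done, or the test PC stays unfiltered.
no access-list CWS_HTTP extended deny tcp host 10.1.1.50 any eq www
no access-list CWS_HTTPS extended deny tcp host 10.1.1.50 any eq https
```

Read the results together. If the explicit-proxy test works while the redirected path failed, the problem is on the ASA (policy match, key, reachability to the tower). If it fails both ways, look at the tower or portal side, and check whoami.scansafe.net from the PC, which reports whether the request was actually proxied by CWS and with what identity. If ping tcp itself fails, the ASA cannot reach the tower on 8080 and redirected traffic will fail regardless of how the policy is written.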

Hello,

Good to see you are talking about this; I'm wondering how and what I need to open the ScanSafe account in order to configure the policies. I have found the info to configure the ASA, and to configure and modify the content filtering policies once in the portal; but I do not find any info on how to get the username and pass necessary to login into the portal.

Thanks.

DL.

Hello Dennis,

To have access to the CWS portal, you need to order CWS licenses, or you can also request a 45-day evaluation.

To know the details about how to request it, please kindly check with your local Cisco Security/Content Sales, and they will be able to assist you further with that.

If you currently don't have a direct contact, please check the following link, section "Let Us Help":

http://www.cisco.com/en/US/products/ps11720/index.html

Hope that helps,

Maite

ocsic25
Level 1

Hello Maria,

I've recently implemented Cloud Web Security on a 5505 for a client, and the HTTP filtering appears to be working fine. However, when I enable the HTTPS redirect to CWS on the ASA in the service policy rules section, users attempting to visit HTTPS sites that are being blocked (based on category such as "Adult" in the CWS portal) are simply receiving a generic "unable to load webpage" type message instead of the message from CWS stating they are being filtered, like they do for HTTP pages?

Do I need to enable HTTPS inspection and push a certificate to each end-user device for this to function correctly? I was under the impression that HTTPS inspection was not necessary to simply block/allow sites based on their URL and was only necessary if one wished to block content IN those sites, if that makes sense?

Still learning about this product - appreciate any assistance/insight!  Thank you.

Hello John,

Thanks for posting this question.

In short, yes, to get the full HTTPS block page, HTTPS Inspection needs to be enabled, and the certificate needs to be pushed down to all users' certificate stores.

Below is an explanation:

- User experience when HTTPS inspection is enabled

If HTTPS inspection is enabled, the browser will establish the HTTPS connection with the CWS service using the details provided by the auto generated SSL certificate. Once the HTTPS session is established the website request can be blocked and the user block page successfully displayed within the HTTPS session.

- User experience when HTTPS inspection is disabled

When a user attempts to access an HTTPS website which is blocked, the browser will display an error message and not the block page. The browser displays the error message because the HTTPS connection was terminated before it could be fully established. This is not a fault with Cisco Cloud Web Security. It is expected behaviour for any web security solution that blocks an HTTPS request without having an HTTPS inspection capability enabled.

The error is displayed because the HTTPS session was terminated before it was established. The session was terminated to prevent encrypted content from the website being allowed through to the browser as specified by the web policy. The browser ignores any content returned outside the HTTPS session and this is the reason the block page cannot be displayed.

In contrast, when HTTPS inspection is enabled the block page can be displayed because (a) it allows the HTTPS session to be established and therefore doesn’t cause the browser to display an error (b) because the session has been established the block page can be returned to the browser within the encrypted HTTPS session and isn’t ignored, it is trusted and displayed.

Note: legacy browsers may exhibit a different behaviour from that outlined above. In some cases these less secure browsers may allow the block page to be displayed.

Hope that helps.

Maite

John Ventura
Level 1

Hello Maite,

Thanks for answering my question.  Another quick question for you.  Is CWS supported in multi context?  Really appreciate your help.

Thank you,

John

Hello John,

Thanks for your interest in this topic.

Yes, CWS (ScanSafe) is supported in both ASA single and multiple context mode.

One thing to keep in mind is that when configuring it in multiple context mode, the CWS server configuration part is done only in the system context and the MPF config is allowed only in the user contexts.

You can read more details about it in the following link and also see the configuration examples.

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1326437

Hope that helps

Maite
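An added example (not from the original post or the linked guide) of how the pieces split in multiple context mode, as described above: the towers and key live in the system execution space, each context opts in, and the MPF redirect is configured per context exactly as in single mode. The addresses, keys, the context names tenantA and tenantB, the group names and the interface name are placeholders; the second key illustrates a context overriding the system-wide license with its own group key.

```text
! --- System execution space (changeto system) ---
! Tower addresses and the default authentication key, defined once.
scansafe general-options
 server primary ip 192.0.2.10 port 8080
 server backup ip 192.0.2.20 port 8080
 retry-count 5
 license 0123456789ABCDEF0123456789ABCDEF
!
! --- Context tenantA (changeto context tenantA) ---
! Opt the context in; it inherits the system key.
scansafe
! Redirection is per context: the same MPF as in single mode (HTTP shown).
access-list CWS_HTTP extended permit tcp 10.1.1.0 255.255.255.0 any eq www
class-map CWS_HTTP_CLASS
 match access-list CWS_HTTP
policy-map type inspect scansafe CWS_HTTP_PMAP
 parameters
  default group tenantA-Users
  http
policy-map INSIDE_POLICY
 class CWS_HTTP_CLASS
  inspect scansafe CWS_HTTP_PMAP fail-close
service-policy INSIDE_POLICY interface inside
!
! --- Context tenantB (changeto context tenantB) ---
! Opt in with its own group key, so its traffic is reported and policed
! under a different portal group than tenantA. Its MPF is built the same
! way, with its own ACL names, networks and interfaces.
scansafe license FEDCBA9876543210FEDCBA9876543210
```

The split matters operationally: a context administrator can turn redirection on or off and shape the ACLs, but cannot change which towers or default key the device uses; that requires access to the system execution space. Conversely, a context that has not entered the scansafe command redirects nothing, even if it carries a complete MPF configuration.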
