Ask the Expert:Cisco Web Security

ciscomoderator · ‎09-23-2011

With Ryan Wager

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of the Cisco Web Security Solutions including Cisco Ironport WSA and Cisco ScanSafe with Cisco experts Kiran Sirupa and Ryan Wager. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco IronPort Web Security Appliance product line. He also works on documentation, partner ,and system engineering training. Kiran has been working in the Cisco Security Technologies group for more than six years. Ryan Wager is a technical marketing engineer at Cisco in the product management team for the ScanSafe Web Security platform. He is heavily involved with the product's integration with the Cisco Integrated Services Router Generation 2 platform, along with documentation, training, and testing of all new products and features. Before joining the product management team, Wagner spent two years as an implementation engineer helping ScanSafe's largest customers implement the platform into their networks.

Remember to use the rating system to let Kiran and Ryan know if you have received an adequate response.

They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, discussion forum shortly after the event. This event lasts through October 7, 2011.. Visit this forum often to view responses to your questions and the questions of other community members.

Gustavo Hernandez · ‎09-26-2011

Hello, I would like to know what's the difference between Cisco IronPort Web Usage Contros and Cisco IronPort URL filters. Can you please explain how these two differ?

ksirupa · ‎09-26-2011

Sure, Cisco IronPort Web Usage Controls is created and maintained by Cisco. This database has over 65 URL categories as part of the static list. In addition, CIWUC contains on-box dynamic categorization technology to provide enhanced on-the-fly acceptable use controls for previously unknown Web 2.0 sites. In addition, this URL database is used as a key component for Application Visibility and Control. Cisco IronPort URL filters is a static URL list that contains approximately 52 URL categories. This technology will not be used to leverage many of the value added features available in Async OS 7.0 such as Application Visibility and Control.

Fernando Mondragon · ‎09-27-2011

Hello, I would like to know what types of reporting are available on the WSA?

ksirupa · ‎09-27-2011

The WSA offers two different kinds of reporting:

The on-box reporting offers valuable insight into overall web activity, as well as threat identification and prevention, within corporate networks. The reports are designed to provide actionable information as well as historical trends. Enhanced reporting gives enterprises visibility into policy and security violations. SMA reports have the same functionality as WSA reports, but present aggregated information for all WSAs managed.

The second option for reporting is "Splunk for WSA", an off-box reporting tool. Splunk for WSA covers specific use cases not covered by on-box reporting:

Scalable reporting for 25K+ user customers
Group-based reporting
Long-term reporting
Historical reporting (re-loading logs to get reports for a specific time period)

Sveta Prutikova · ‎09-28-2011

Hi Kiran and Ryan, I want to know the difference between Data Security Integrity and full DLP integration. Can you explain this in detail?

ksirupa · ‎09-28-2011

Data Security Policies are delivered via an on-box mechanism. DLP integration leverages standards-based ICAP to hand content to a separate DLP server for additional scanning. Data Security Policies allow for simple no-nonsense policies by blocking HTTP POSTs based on content meta-data. The classic example is to block all outbound Microsoft Office documents that are being sent out through Gmail. DLP integration allows customers to further leverage their existing investments to provide additional granularity. For instance, the WSA can take all outbound webmail attachments and hand them via ICAP to Vontu / Tablus to scan the actual file contents as opposed to just file metadata.

Carlos Lesaige · ‎09-30-2011

Hello,

I wold like to know what makes the cloud a better place to do security scanning?

ksirupa · ‎09-30-2011

With a datacenter, you have the cpu capacity of over 600+ cores in many instances to do a level of deep content analysis, structural content investigation, and virtualized script emulation from a heuristic scanning standpoint that can simply not be attained by an appliance solution. Even when comparing Cisco to other cloud services, the level of despondency is astronomical in terms of the level of CPU we have built into our DC’s versus theirs.

ToX1c1986 · ‎10-04-2011

Hello!

Could you explain me, which function IronPort will support (Anti-Virus, Anti-Malware and etc) working in Transparent or Forwarding mode in environment with existing proxy. I can`t find this information in User Guide.

Thank you!

ksirupa · ‎10-04-2011

Yes, the IronPort WSA will support all the security functions including Anti-Virus, Anti-Malware, Anti-Spyware, Web Reputation when working in conjunction with an existing proxy.

There are two conditions:

1. WSA acts as an upstream proxy - In this case, the authentication will be handled by your existing proxy, but the WSA is the first layer of defense. The WSA will perform a lookup in its web reputation database based on the destination. Also, The WSA can scan the http response with Anti-Virus, Anti-SpyWare and Anti-Malware software. However, since the WSA doesn't have user authentication information, you can only apply global controls for Acceptable Use.

2. WSA has to go through an existing upstream proxy - In this case, the WSA has all the security functionality. In addition, it also handles the authentication. Hence, you can apply role based controls.

You may refer to the following links for more information:

WSA Product Literature: http://www.cisco.com/en/US/products/ps10164/prod_literature.html

Cisco Security Reports: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/home.x

fadimabrouk · ‎10-04-2011

Hello Kiran,

i would like to know about Cisco IronPort web, is it a hardware box or simply a software/application? and will be thankful if you could provide me with the range of prices on the same.

thank you

ksirupa · ‎10-04-2011

Hi Fadi,

Cisco offers Web Security in two form factors: Hosted or On-Premise.

The Cisco Ironport WSA (Web Security Appliance) is a hardware box.

Data sheet: http://www.cisco.com/en/US/products/ps10164/prod_models_home.html

Pricing depends on number of users, hardware and features enabled. There are multiple bundles and we also offer flexible licenses to chose various combination of security services.

The Cisco ScanSafe Cloud Web Security is a SaaS (Software as Service) solution. In this model, the end-user web traffic will be redirected to the nearest Cisco ScanSafe datacenter to apply web filtering and web security. Pricing depends on length of the contract and number of users.

http://www.cisco.com/en/US/products/ps11734/index.html

Please contact your favorite Cisco Partner or Cisco Account team for detailed pricing information.

Thanks,

Kiran

andis.sokoli · ‎10-05-2011

Hi Kiran,

I have an real IP and I want to spread it into a VLAN by using NAT. The device is ASA 5505. The configuration is as follow:

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 ospf authentication null
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 109.69.31.2 255.255.255.192
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 109.69.31.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside

With this configuration I am not being able to comunicate. Maybe there is any problem with this conf.

If you could help me I would really appreciate it.

Thanks in advance,

Andis

ksirupa · ‎10-05-2011

Hi Andis, I suspect this statement has a typo:

route outside 0 0 109.69.31.2 1

May be it should be the default gateway: 'route outside 0 0 109.69.31.1 1'

Hope this helps.