Ask the Expert: Cisco Cloud Web Security – Transparent Solution

ciscomoderator · ‎07-26-2013

With Jennifer Halim

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Cisco Cloud Web Security with Cisco Expert and CCIE Jennifer Halim. Cisco Cloud Web Security provides exceptional threat protection and control for organizations of all sizes - delivered through the cloud. It is a transparent experience with Cisco Cloud Web Security using your existing Cisco devices like Web Security Appliance (WSA) Connector, ASA Connector, or ISRG2 Connector.

Jennifer Halim is a technical account manager (TAM) for the Cisco ScanSafe (Cisco Cloud Web Security) solution for the Asia Pacific and US regions and the team lead. Her work involves implementing the solution within the customer's environment, managing the project and an escalation point of contact for technical account manager team. Prior to her current role, she was part of the Australia Security team in the Technical Assistance Center that helps customers configure and troubleshoot Cisco security technologies. She also served as a mentor to other Technical Assistance Center engineers. Halim is also a top contributor in the Cisco Support Community. She has worked in the networking security field for more than 11 years and holds CCIE certification in Security (#16480) as well as CCDP, CISSP and ITILv3 certifications.

Remember to use the rating system to let Jennifer know if you have received an adequate response.

Jennifer might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Web Security discussion forum shortly after the event.

This event lasts through through August 9, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

You can read the interview with Jennifer in the Cisco Support Community.

Jennifer Halim · ‎07-28-2013

[FACT] Do you know that ...

Cisco Cloud Web Security (CWS), aka ScanSafe can be transparently redirected using your existing appliances, ie: WSA, ASA or ISRG2.

ROBERTO TACCON · ‎07-29-2013

Hello Jennifer,

please can you indicate:

- which protocols can be transparently redirected

- how to configure the CWS on Cisco ASA and Cisco routers using cli

- are there an evaluation license to test the CWS

- which are the limits of the CWS (in terms of Cisco ASA/ISRG2 and concurrent number of users, bandwidth, ...)

- is there an ordering guide (part numbers for Cisco ASA and ISRG2)

Thanks

Jennifer Halim · ‎07-30-2013

Hi Roberto,

- HTTP and HTTPS (port 80 and 443) can be transparently redirected.

- Here is configuration guide to configure CWS:

Cisco ASA:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/solution_overview_c07-721174.pdf

Cisco ISRG2:

http://www.cisco.com/en/US/docs/security/web_security/ISR_SS/ISR_ScanSafe_SolutionGuide.pdf

- Yes, you can request for 45-day evaluation to test CWS.

- Here is the sizing guide for your reference:

ASA:

ISRG2 is currently under Controlled Availability and will provide sizing guide when CWS evaluation is requested.

- There is no platform specific ordering part number, for ASA, you would need to have the K9 image, and for ISRG2 - SEC-K9 license.

Here is the ordering guide for CWS:

http://www.cisco.com/en/US/partner/prod/collateral/vpndevc/ps10142/ps11720/cloud_web_security_ordering_guide.pdf

Hope that helps.

huangedmc · ‎07-30-2013

hi Jennifer,

From what I can tell, CWS is a proxy-based solution.

Would our users appear to come from the CWS source IP, or our own IP?

I'm asking because different user groups subscribe to hosting services that require IP based authentication. (if you come from w.x.y.z, you can access contents)

How can customers work around this problem?

Also, is it possible to control URL-filter based on AD group first, and fallback to client source IP, if AD info is unavailable? (many users don't login to Windows domain, especially BYOD).

I'm thinking this will be difficult, because by the time CWS receives the redirected packets, they'd be NAT'd w/ our external IP's...wouldn't they?

What's the order of operation on the ASA's?

NAT first, then redirect to CWS second?

According to the sizing guide from Networkers BRKSEC-2695, the ASA5585's are rated to support 7500 users.

Is this concurrent? What happens to the 7501st user/flow?

What if our user population is much more than 7500? Not an option for us?

Also what's the latency like, if we were to redirect all web traffic to CWS? pretty negligible?

It means all users would go through CWS out to the Internet.

What about websites/app's that don't work well w/ proxy?

I assume we can exempt those sites by FQDN?

Finally, the sizing guide link you posted above isn't accessible publicly...it resolves to an internal RFC1918 IP.

http://sswiki.cisco.com/images/1/18/ASA_CWS_Sizing.png

Non-authoritative answer:

Name: sswiki.cisco.com

Address: 10.89.242.203

===

Is there a different site you can host it, or have GTRC make it publicly available?

thanks,

Kevin

Jennifer Halim · ‎07-30-2013

Hi Kevin,

You are right. CWS is a proxy based solution.

Users will be coming from CWS IP Address. For IP based authentication, unfortunately you would need to whitelist that traffic from being proxied to CWS, and go direct instead.

Yes, you can configure URL policy base on AD Group, as well as specific internal subnet. If you are using either ASA, ISR or WSA as the redirection method, it is able to obtain the internal IP address information and pass that to CWS tower.

I've uploaded the sizing guide, and hopefully you would be able to see that information. It will be total number of CWS users, not concurrent users. If you have more than 7500 users, you can always send the users to multipile ASA5585.

In terms of latency, it will depend on where the internet is egressing from. Customer would typically be allocated tower closest to the internet egress point.

Websites/apps that doesn't work well with proxy can be exempted/white listed by IP or FQDN.

Hope that answers your questions.

CharlesM1 · ‎08-01-2013

Hello Jennifer

I'm trying to get help with the ACE 4710 Load Balancer and the ability to restrict trffic to only HTTPS and SSH. Can you help or is there another forum?

Thank you in advance for any assistance.

Charles

Jennifer Halim · ‎08-01-2013

Hi Charles,

For question on ACE, please kindly post on Application Networking section of the forum.

eric.ahernandez · ‎08-01-2013

Hi Jennifer,

You said you can request 45-day evaluation to test CWS, is this possible for any kind of implementation? I'm asking this because I 'm interested in testing this solution in a Cisco 2901 router, so basically my question is regarding the possibility of an evaluation for a CWS ISR G2 implementation and if you have any URLs to request this evaluation. Also what kind of requirements does the ISR G2 router needs to fulfill (licensing, ram, flash, etc)

Jennifer Halim · ‎08-01-2013

Hi Eric,

Yes, the evaluation can be done on any kind of implementation.

ISRG2 needs to have SEC-K9 license and running version 15.3(3)M.

To request for the evaluation, please kindly check in with your local Cisco Security/Content Sales, and they will be able to assist you further with that.

huangedmc · ‎08-01-2013

hi Jennifer,

We currently redirect web URL's to SecureComputing/N2H2's SmartFilter from the ASA5585's via IFP.

Is it possible to keep doing that, while only redirecting a few specific hosts, or subnets to CWS, for test & trial purpose?

thanks,

Kevin

Jennifer Halim · ‎08-02-2013

Hi Kevin,

I personally haven't tested both features (ie: URL Filter and CWS) enabled on the same ASA, however, since N2H2 is configured under URL Filter section, and CWS is triggered via service policy, I don't see a reason why it won't work in parallel.

For N2H2, you would need to exclude those IP/Subnet that you would like to test via CWS, and on CWS class-map, you would need to explicitly only include the specific IP/Subnet that you want to test.

pedro.campos · ‎08-06-2013

Hi Jennifer.

We have a scenario were the customer router (1921) is connected to two diferrent ISP, ADSL link for the primary circuit, and 3G for the backup link.

The public ip address is not fixed, so we have a DDNS service running.

Is it possible to use the CWS solution on this scenario?

Do we have to register the public IP address when we subscribe the service?

Will it work when the primary link is down and we have to use the backup link?

Thanks for your help.

Regards

Jennifer Halim · ‎08-06-2013

Hi Pedro,

You do not have to use public IP adress to use CWS solution. The 1921 router can be configured to use license key generated from CWS portal to authenticate that the web traffic is coming from your organization.

Yes, you can configure CWS with primary and backup link, and it will work using both primary and when it falls to backup link.

Hope that answers your questions.

praetoleiad · ‎08-07-2013

hi Jennifer,

can i use third party FW or router for CWS?