Scribd
Upload
10 views12 pages

Scansafe Web Sec

The Cisco Cloud Web Security feature provides content scanning and malware protection for HTTP and HTTPS traffic by redirecting it to the Cisco Web Security cloud. The document outlines configuration steps, prerequisites, restrictions, and additional features such as telemetry and user-group support for authentication. It emphasizes the importance of proper configuration to ensure effective security and access control while using the service.

Uploaded by

tiatanasov
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
10 views12 pages

Scansafe Web Sec

The Cisco Cloud Web Security feature provides content scanning and malware protection for HTTP and HTTPS traffic by redirecting it to the Cisco Web Security cloud. The document outlines configuration steps, prerequisites, restrictions, and additional features such as telemetry and user-group support for authentication. It emphasizes the importance of proper configuration to ensure effective security and access control while using the service.

Uploaded by

tiatanasov
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Cisco Cloud Web Security

The Cisco Cloud Web Security feature provides content scanning of HTTP and secure HTTP (HTTPS)
traffic and malware protection services to web traffic. The feature helps devices transparently redirect HTTP
and HTTPS traffic to the Cisco Web Security cloud.
This module describes the Cisco Cloud Web Security feature and how to configure it. This module also
describes the Cloud Web Security Tower Telemetry and Default User-Group Support for Authentication
features.

• Finding Feature Information, page 1


• Prerequisites for Cisco Cloud Web Security, page 1
• Restrictions for Cisco Cloud Web Security, page 2
• Information About Cisco Cloud Web Security, page 2
• How to Configure Cisco Cloud Web Security, page 6
• Configuration Examples for Cisco Cloud Web Security, page 10
• Additional References for Cisco Cloud Web Security, page 11
• Feature Information for Cisco Cloud Web Security, page 11

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to [Link]/go/cfn. An account on [Link] is not required.

Prerequisites for Cisco Cloud Web Security


Ensure that both Wide Area Application Services (WAAS) and the content scanning feature are not applied
on the same TCP session in the following scenarios:

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
1
Cisco Cloud Web Security
Restrictions for Cisco Cloud Web Security

• When you enable content scanning on an interface that has WAAS configured.
• When the network connection from a branch office to the Internet is over a Multiprotocol Label Switching
(MPLS) cloud.

Restrictions for Cisco Cloud Web Security


• Device-on-a-stick configuration is not supported.
• If Network Address Translation (NAT) is not configured on Cisco Cloud Web Security devices, only
64,000 translation sessions are supported.
• If you configure a host whitelist rule, the sender of an HTTP packet can spoof the Host field of the HTTP
header with a whitelisted hostname or whitelist HTTP packets even if the destination HTTP server is
not whitelisted. Content scan whitelisting does not verify whether the Host field of an HTTP request
matches the destination IP address. Therefore, when providing restricted access to nonauthorized servers,
use access control lists (ACLs), which are more effective than whitelists and allow entry to only configured
IP addresses.
• If you configure a user agent whitelist rule, the sender of an HTTP packet can spoof the User-Agent
field of the HTTP header and the spoofing can result in users accessing a host that is not whitelisted. By
using the User-Agent field of the HTTP header, the sender of an HTTP packet can add any HTTP
connection request to a whitelist, thus providing unauthorized users access to restricted or nonauthorized
servers. Therefore, when providing restricted access to nonauthorized servers, use ACLs, which are
more effective than whitelists and allow entry to only configured IP addresses.
• Loadsharing between Cisco Cloud Web Security towers is not supported.
• Virtual routing and forwarding (VRF) is not supported.
• The web traffic that comes into a branch office is not redirected to Cisco Cloud Web Security for content
scanning. Content scanning is configured on the Internet-facing WAN interface, protecting the web
traffic that goes out of the branch office.
• When the network connection from a branch office to the Internet is over a Multiprotocol Label Switching
(MPLS) cloud, the content scanning feature will not work without split tunneling.
• When Wide-Area Application Services (WAAS) is enabled, the content scanning feature will not work
in branch deployments without split tunneling.

Information About Cisco Cloud Web Security

Overview of Cisco Cloud Web Security


The Cisco Cloud Web Security feature provides content scanning of HTTP and secure HTTP (HTTPS) traffic
and malware protection service to web traffic. This feature helps devices to transparently redirect HTTP and
HTTPS traffic to the cloud. Cloud refers to servers in the Cisco Cloud Web Security data center that are
accessible over the public Internet and provide security as a service. Cisco Cloud Web Security servers scan
the web traffic content and either allow or block the traffic based on the configured policies and thus protect

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
2
Cisco Cloud Web Security
Whitelists

clients from malware. Servers use credentials such as private IP addresses, usernames, and user groups to
identify and authenticate users and redirect the traffic for content scanning.
This feature enables branch offices to intelligently redirect web traffic to the cloud to enforce security and
acceptable use of policies over the web traffic. A device authenticates and identifies users who make web
traffic requests by using configured authentication and authorization methods such as user credentials
(usernames and user groups) available in the traffic that the device redirects to Cisco Cloud Web Security.
Cisco Cloud Web Security uses the user credentials to determine the policies that need to be applied to specific
users and for user-based reporting. Cisco Cloud Web Security supports all authentication methods such as
HTTP Basic, Web Authorization Proxy, and Windows NT LAN Manager (NTLM) (passive or explicit).
A device that cannot determine a client’s credentials uses a default user group name to identify all clients who
are connected to a specific interface on that device. Prior to CSCty48221, the user group that was configured
using the user-group command in parameter-map type inspect configuration mode had precedence over any
default user group that was configured using the user-group default command in interface configuration
mode. With the fix for CSCty48221, a device selects a user group in the following order:
• Authentication methods.
• User group configured using the user-group default command on an interface.
• User group configured using the user-group command in parameter-map type inspect configuration
mode. Configure the parameter-map type content-scan global command before configuring the
user-group command.

You can configure a device in such a way that the approved web traffic does not get scanned by Cisco Cloud
Web Security. Instead, the traffic goes directly to the originally requested web server. Clients are any devices
that connect to a device, either directly or indirectly. When a client sends an HTTP or HTTPS request, the
device receives the request, authenticates the user, and retrieves the group name from the authentication server.
The device identifies the user and then consults the whitelist database to determine whether to send the HTTP
or HTTPS client response to Cisco Cloud Web Security.
You can configure primary and backup Cisco Cloud Web Security proxy servers. The device regularly polls
each of these proxy servers to check their availability.

Whitelists
A whitelist is an approved list of entities that are provided a particular privilege, service, mobility, access, or
recognition. Whitelisting means to grant access. You can configure a device in such a way that the approved
web traffic does not get redirected to Cisco Cloud Web Security for scanning. When you bypass Cisco Cloud
Web Security content scanning, the device retrieves the content directly from the originally requested web
server without contacting Cisco Cloud Web Security. Once the device receives a response from the web server,
the device sends the data to the client. This process is called whitelisting of web traffic.
You can bypass content scanning based on the following client web traffic properties:
• IP address—You can bypass content scanning for web traffic that matches a configured numbered or
named access control list (ACL). Use this method for traffic that is sent to trusted sites, such as intranet
servers.
• HTTP-based header fields—You can bypass scanning for web traffic that matches a configured HTTP
header field. You can match the host and user agent header fields. Use this method for user agents that
do not function properly when scanned or to disable the scanning of traffic that is intended for trusted
hosts, such as third-party partners.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
3
Cisco Cloud Web Security
Cisco Cloud Web Security Headers

Cisco Cloud Web Security Headers


A device that forwards web traffic to Cisco Cloud Web Security proxy servers includes additional HTTP
headers in each HTTP and HTTPS request. Cisco Cloud Web Security uses these headers to obtain information
about customer deployments, including information about the user who had originally made the client request
and the device that sent the request. For security purposes, the information in the headers is encrypted and
then hexadecimal encoded.
Cisco Cloud Web Security headers provide both asymmetric cryptography and symmetric cryptography by
using industry standard algorithms. Asymmetric encryption is done by using the RSA/ECB/PKCS1Padding
algorithm that uses key pairs of 512 bits. Symmetric encryption is done by using the triple “DESede” algorithm
with a randomly generated triple Data Encryption Standard (DES) key of 168 bits.

Cloud Web Security Tower Telemetry


The Cloud Web Security Tower Telemetry feature:
• Tracks the state of the content scan and the state of the device on which the Cisco Cloud Web Security
feature is configured.
• Logs debug messages when delays are encountered while accessing a website.
• Identifies the source of performance issues.

Telemetry is an automated communications process in which measurements are made and data that is collected
at remote sites is transmitted to receiving equipment for monitoring.
The device on which the Cisco Cloud Web Security feature is configured is monitored, and data is generated
periodically. Because most of these devices do not have a large amount of memory or a secondary storage,
the generated data is exported to an external device. For the Cisco Cloud Web Security feature, the generated
data is stored in the Cloud Web Security tower. The device connects to a URL hosted by the Cloud Web
Security tower by using the HTTP POST method to periodically send telemetry data. This method is called
out-of-band telemetry.
Because the Cloud Web Security tower does not have information about all whitelisted traffic, a connector
(a persistent, out-of-band secure channel between the device and the Cloud Web Security tower) periodically
sends all exception rules configured on the device to the tower. Just like telemetry, the connector makes a
POST request and pushes all exception rules to a URL. This URL is separate from the telemetry URL.
The Cloud Web Security tower monitors the TCP session between the client browser and the tower and the
TCP session between the tower and the device. The tower also collects debug information at HTTP and TCP
levels. The tower also collects information and statistics about the parent HTTP session and all subordinate
sessions created by the main URL. The TCP session statistics include retransmission count, window update
count, window size, duplicate acknowledgments (ACKs), and time stamps of segment arrival and departure.

Default User-Group Support for Authentication


The Default User-Group Support for Authentication feature redirects unauthorized web traffic to the Cloud
Web Security server, also called the tower, for content scanning. Prior to the introduction of this feature, any
unauthenticated traffic that fails all login attempts to the Cloud Web Security tower was dropped by the IP
admission module and the session was moved to the service-deny state.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
4
Cisco Cloud Web Security
Default User-Group Support for Authentication

For the Default User-Group Support for Authentication feature, the Windows NT LAN Manager (NTLM)
acts as the authentication module and updates the user-group database (IP and user-group bindings) with the
user-group string that is received as authorization data from the authentication, authorization, and accounting
(AAA) or Lightweight Directory Access Protocol (LDAP) servers. Port access control lists (PACLs) perform
access control of the web traffic. If no PACL is configured on a port, unauthenticated user traffic is allowed.
Even if a user fails the NTLM authentication, the user can be given default access based on your PACL
configuration. You can configure a PACL to permit unauthorized users access to the Cloud Web Security
tower by using the permit command.
The various modules interact with each other to enable the default user-group support, as follows:
• ACL module—Controls port access based on the configured policy.
• Content-Scan—Forwards web traffic from clients to the Cloud Web Security tower for content scanning.
• IP admission or NTLM module—Intercepts the traffic destined to port 80 and port 443 and authenticates
users with the Microsoft Active Directory server.
• User-Group database—Maintains the IP and user-group bindings that are received from the LDAP server
as part of the authorization data. This database is updated by the IP admission module after the
authentication.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
5
Cisco Cloud Web Security
How to Configure Cisco Cloud Web Security

How to Configure Cisco Cloud Web Security

Configuring Cisco Cloud Web Security


SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type content-scan global
4. server scansafe primary ipv4 ip-address port http port-number https port-number
5. server scansafe secondary ipv4 ip-address port http port-number https port-number
6. license 7 license-key
7. source interface type number
8. timeout server seconds
9. timeout session-inactivity seconds
10. user-group group-name username username
11. server scansafe on-failure block-all
12. user-group exclude username
13. exit
14. interface type number
15. content-scan out
16. ip virtual-reassembly in
17. ip virtual-reassembly out
18. end
19. show content-scan

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
6
Cisco Cloud Web Security
Configuring Cisco Cloud Web Security

Command or Action Purpose


Step 3 parameter-map type content-scan global Configures a global content-scan
parameter map and enters parameter-map
Example: type inspect configuration mode.
Device(config)# parameter-map type content-scan global

Step 4 server scansafe primary ipv4 ip-address port http port-number https Configures a Cisco Cloud Web Security
port-number primary server for content scanning.
• The default Cisco Cloud Web
Example: Security port for the proxied HTTP
Device(config-profile)# server scansafe primary ipv4 [Link]
port http 8080 https 8080 and HTTPS traffic is 8080.
• You can use either the HTTP port or
the HTTPS port or both.

Step 5 server scansafe secondary ipv4 ip-address port http port-number https Configures a Cisco Cloud Web Security
port-number secondary server for content scanning.
• The default Cisco Cloud Web
Example: Security port for the proxied HTTP
Device(config-profile)# server scansafe secondary ipv4 [Link]
port http 8080 https 8080 and HTTPS traffic is 8080.
• You can use either the HTTP port or
the HTTPS port or both.

Step 6 license 7 license-key Configures an encrypted license key that


is sent to Cisco Cloud Web Security for
Example: authentication.
Device(config-profile)# license 7
D5D4A545D7A53222E706D1A5D3B5D4E345E5B25737A737B6613724257425A507

Step 7 source interface type number Configures the source interface for content
scan redirection.
Example:
Device(config-profile)# source interface fastethernet 0/2

Step 8 timeout server seconds Specifies a server keepalive time in


seconds.
Example:
Device(config-profile)# timeout server 5

Step 9 timeout session-inactivity seconds Specifies the session inactivity time in


seconds.
Example:
Device(config-profile)# timeout session-inactivity 3600

Step 10 user-group group-name username username Specifies a default usergroup.

Example:
Device(config-profile)# user-group marketing username superuser

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
7
Cisco Cloud Web Security
Configuring Cisco Cloud Web Security

Command or Action Purpose


Step 11 server scansafe on-failure block-all Blocks all traffic to a web server when
communication between the web server
Example: and the Cisco Cloud Web Security server
Device(config-profile)# server scansafe on-failure block-all fails.

Step 12 user-group exclude username Excludes the specified user group.

Example:
Device(config-profile)# user-group exclude marketing

Step 13 exit Exits parameter-map type inspect


configuration mode and enters global
Example: configuration mode.
Device(config-profile)# exit

Step 14 interface type number Configures an interface and enters


interface configuration mode.
Example:
Device(config)# interface ethernet 0/0

Step 15 content-scan out Configures the egress interface for content


scanning.
Example:
Device(config-if)# content-scan out

Step 16 ip virtual-reassembly in Enables Virtual Fragment Reassembly


(VFR) on the ingress.
Example:
Device(config-if)# ip virtual-reassembly in

Step 17 ip virtual-reassembly out Enables VFR on the egress.

Example:
Device(config-if)# ip virtual-reassembly out

Step 18 end Exits interface configuration mode and


enters privileged EXEC mode.
Example:
Device(config-if)# end

Step 19 show content-scan Displays content scanning information.

Example:
Device# show content-scan

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
8
Cisco Cloud Web Security
Enabling Out-of-Band Telemetry

Example
The following is sample output from the show content-scan history command:
Device# show content-scan history 6

Protocol Source Destination Bytes URI


Time
HTTP [Link]:1347 [Link]:80 (102:45) [Link]
[Link]
HTTP [Link]:1326 [Link]:80 (206:11431) [Link]
[Link]
HTTP [Link]:1324 [Link]:80 (206:11449) [Link]
[Link]
HTTP [Link]:1318 [Link]:80 (206:11449) [Link]
[Link]
HTTP [Link]:1316 [Link]:80 (206:11449) [Link]
[Link]
HTTP [Link]:1315 [Link]:80 (575:1547) [Link]
[Link]

Enabling Out-of-Band Telemetry


Perform this task to enable the storing of content scan data in the Cloud Web Security tower:

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type content-scan global
4. out-of-band telemetry interval interval
5. end

DETAILED STEPS

Command or Action Purpose


Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2 configure terminal Enters global configuration mode.

Example:
Device# configure terminal

Step 3 parameter-map type content-scan global Configures a global content-scan parameter map and enters
parameter-map type inspect configuration.
Example:
Device(config)# parameter-map type content-scan
global

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
9
Cisco Cloud Web Security
Configuration Examples for Cisco Cloud Web Security

Command or Action Purpose


Step 4 out-of-band telemetry interval interval Enables out-of-band telemetry and content-scan exception
rules.
Example:
Device(config-profile)# out-of-band telemetry
interval 60

Step 5 end Exits parameter-map type inspect configuration mode and


returns to privileged EXEC mode.
Example:
Device(config-profile)# end

Configuration Examples for Cisco Cloud Web Security

Example: Configuring Cisco Cloud Web Security


Device# configure terminal
Device(config)# parameter-map type content-scan
Device(config-profile)# server scansafe primary ipv4 [Link] port http 8080 https 8080
Device(config-profile)# server scansafe secondary ipv4 [Link] port http 8080 https
8080
Device(config-profile)# license 7
D5D4A545D7A53222E706D1A5D3B5D4E345E5B25737A737B6613724257425A507
Device(config-profile)# source interface fastethernet 0/2
Device(config-profile)# timeout server 5
Device(config-profile)# timeout session-inactivity 3600
Device(config-profile)# user-group marketing username superuser
Device(config-profile)# server scansafe on-failure block-all
Device(config-profile)# user-group exclude marketing
Device(config-profile)# exit
Device(config)# interface ethernet 0/0
Device(config-if)# content-scan out
Device(config-if)# ip virtual-assembly in
Device(config-if)# ip virtual-assembly out
Device(config-if)# end

Example: Enabling Out-of-Band Telemetry


Device# configure terminal
Device(config)# parameter-map type content-scan global
Device(config-profile)# out-of-band telemetry interval 60
Device(config-profile)# end

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
10
Cisco Cloud Web Security
Additional References for Cisco Cloud Web Security

Additional References for Cisco Cloud Web Security


Related Documents

Related Topic Document Title


Cisco IOS commands Cisco IOS Master Command List, All Releases

Firewall commands
• Cisco IOS Security Command Reference: Commands A
to C
• Cisco IOS Security Command Reference: Commands D
to L
• Cisco IOS Security Command Reference: Commands M
to R
• Cisco IOS Security Command Reference: Commands S
to Z

Cisco Cloud Web Security solution guide Cisco ISR Web Security with Cisco ScanSafe Solution Guide

Technical Assistance

Description Link
The Cisco Support and Documentation website [Link]
provides online resources to download documentation,
software, and tools. Use these resources to install and
configure the software and to troubleshoot and resolve
technical issues with Cisco products and technologies.
Access to most tools on the Cisco Support and
Documentation website requires a [Link] user ID
and password.

Feature Information for Cisco Cloud Web Security


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to [Link]/go/cfn. An account on [Link] is not required.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
11
Cisco Cloud Web Security
Feature Information for Cisco Cloud Web Security

Table 1: Feature Information for Cisco Cloud Web Security

Feature Name Releases Feature Information


Cisco Cloud Web 15.2(1)T1 The Cisco Cloud Web Security feature provides content scanning
Security of HTTP and HTTPS traffic and malware protection services to web
15.2(4)M
traffic. This feature helps a device transparently redirect HTTP and
HTTPS traffic to the Cisco Web Security cloud.
The following commands were introduced or modified: clear
content-scan, content-scan out, content-scan whitelisting, debug
content-scan, ip admission name http-basic, ip admission name
method-list, ip admission name ntlm, ip admission name order,
ip admission virtual-ip, license (parameter-map), logging
(parameter-map), parameter-map type content-scan global,
publickey, server scan-safe, show content-scan, show ip
admission, source (parameter-map), timeout (parameter-map),
user-group (parameter-map), whitelist.
Cloud Web Security 15.3(3)M The Cloud Web Security Tower Telemetry feature:
Tower Telemetry
• Tracks the state of the content scan and the state of the device
on which the Cisco Cloud Web Security feature is configured.
• Logs debug messages when delays are encountered while
accessing a website.
• Identifies the source of performance issues.

The following commands were introduced or modified: out-of-band


telemetry and test content-scan.

Default User-Group 15.3(3)M The Default User-Group Support for Authentication feature redirects
Support for unauthorized web traffic to the Cloud Web Security server for
Authentication content scanning.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
12

You might also like