Secure Web and Email through Cisco Content Security

Paul Beyleveld, CISSP, Consulting Systems Engineer

Contents
1.  Cisco Content Security Portfolio Overview
    1.  Why Content Security Matters
    2.  Architecture
    3.  Advanced Malware Protection
    4.  Centralized Management
2.  Content Security Deployment
    1.  Email, Web and Cloud
    2.  Transparent user identification
    3.  Demonstration
    4.  Secure Mobility with AnyConnect

CONTENT SECURITY OVERVIEW

An Evolving Threat Landscape
Targeted Attacks, IPv6, Spam, Hidden Malware, Blended Threats, Botnets

Anatomy of a Phishing Attack (Blended Threat)
Various types:
–  General Phishing
–  Spear Phishing
–  Whaling Attack (the big phish)
However, the process is always the same:
1.  An attacker crafts an enticing message and sends it to the user via email
2.  The user opens the email, which contains a link to an infected/spoofed website
3.  The user clicks on the link/attachment
•  Seemingly legitimate URL
•  Code exploits a vulnerability (Flash, Java, Silverlight) to infect the machine
•  Steals user credentials on a fake site
•  Many other similar types of attacks
(Diagram: Attacker, Victim, Attacker Backchannel)

The Realities of Today's Threat Landscape
Most organizations, large and small, have already been compromised and don't even know it: 100 percent of business networks analyzed by Cisco have traffic going to websites that host malware. - Cisco 2014 Annual Security Report
If you knew you would be compromised, would you do security differently?

Protection Across the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

BEFORE             DURING              AFTER
Filtering          Malware Signature   File Retrospection
Usage Controls     File Reputation     Threat Analytics
Reputation         File Behavior       Actionable Reporting
Cisco Content Security Portfolio
Flexibility to meet every requirement
(Diagram: Cisco SIO feeds updates and information to the Email Security Appliance (ESA), Web Security Appliance (WSA), Cloud Web Security (CWS), FirePOWER on ASA and the Security Management Appliance (SMA); users, the community and roaming users connect via VPN and the Internet.)
Cloud-Based Collective Security Intelligence for the Broadest Visibility on the Internet

Collects
•  1.6 million global sensors
•  35% of worldwide email traffic
•  100 TB of data received per day
•  13 billion web requests
•  150 million+ deployed endpoints
•  600+ engineers, technicians, and researchers
•  Spam traps, honeypots, crawlers

Delivers
•  Security Intelligence
•  180,000+ file samples per day
•  24x7x365 operations
•  Signatures from leading vendors

Advanced Malware Protection: Outbreak Intelligence
•  File Reputation: additional cloud-based scanning engines per file type; score between 0 and 100
•  Reputation Scores: 200 parameters generate a reputation score (-10 to +10) for every email and web server; 40+ languages
•  File Sandboxing: executes the file in a safe cloud environment
•  Retrospective Detection: continuously analyzes files and alerts retrospectively

Form factors: Appliance, Virtual, Cloud
Reference: Web Security Product Comparison
Columns: Firewall Integrated (FirePOWER on ASA) | Cloud (Cloud Web Security) | Appliance, Physical & Virtual (Web Security Appliance)

Strengths
•  FirePOWER on ASA: supports higher on-premise throughput; easier to implement transparently; full NGIPS capability providing full protocol stack visibility
•  Cloud Web Security: web security for many remote branches; web security for remote users without VPN backhaul
•  Web Security Appliance: proxy based, supports caching and SOCKS proxy; supports local DLP system integration through ICAP; video and bandwidth throttling

Web/URL Filtering: yes | yes | yes
Application Visibility & Controls (AVC): ports (all), protocols (all) | ports (80, 443), protocols (HTTP(S)) | ports (21, 80, 443), protocols (HTTP(S), FTP)
Malware Protection: AMP / IP reputation filtering, NGIPS | IP reputation filtering + multiple scanners for malware | AMP, IP reputation filtering + multiple scanners for malware
Remote User Security: VPN backhaul | direct to cloud | VPN backhaul
Deployment: on the firewall, default Internet gateway | redirect to cloud via ASA, ISR, WSA, AnyConnect | on premise, redirect transparent (WCCP) or explicit (PAC)
Policy & Reporting: on premise | in the cloud | on premise
Licensing / Subscription: based on ASA model, 1Y / 3Y / 5Y | based on user count, 1Y / 3Y / 5Y | based on user count, 1Y / 3Y / 5Y

Cisco Security Intelligence Operations (SIO)
•  24x7x365 operations
•  More than US$100 million spent on dynamic research and development
•  600+ engineers, technicians, and researchers
•  40+ languages
•  80+ Ph.D., CCIE, CISSP and MCSE
(Diagram: Cisco SIO gains visibility from the WWW, devices, endpoints, networks and IPS, and pushes updates to Cisco CWS, Cisco IPS, Cisco AnyConnect, Cisco ESA, Cisco ASA and Cisco WSA for control of web, email and information.)
•  1.6 million global sensors
•  35% of worldwide email traffic
•  3- to 5-minute updates
•  200+ parameters tracked
•  100 TB of data received per day
•  13 billion web requests
•  150 million+ deployed endpoints
•  5,500+ IPS signatures produced
•  70+ publications produced
•  8 million+ rules per day

Gateway Email Security Appliances
•  High performance SMTP MTA
   –  AsyncOS, BSD-based OS
   –  Python stackless threading
•  Industry proven highest catch rate, lowest false positive rate* (snowshoe spam)
•  Layered defense
   –  Reputation Filtering
   –  Anti-Spam
   –  Outbreak Filters (zero-day defense)
   –  URL Intelligence / URL re-write
   –  Advanced Malware Protection (File Reputation, Sandboxing and Retrospective Anti-Malware)
*Opus One, July 2014: http://www.opus1.com/www/whitepapers/snowshoe2014.pdf

Cisco Email Security Threat Defense
Inbound pipeline, fed by Cisco SIO, with the action available at each stage:
1.  SenderBase Reputation Filtering: drop
2.  Anti-Spam & Spoofing Prevention: drop / quarantine
3.  AV Scanning & AMP: drop / quarantine
4.  Real-time URL Analysis: drop, quarantine, quarantine / re-write, or re-write URLs
5.  Deliver
Email Security: Strong Outbound Control
•  Sender rate limiting
•  Outbound AS/AV checks
•  Compliance / DLP
•  Encrypt sensitive data
•  DKIM / SPF
(Diagram: ESA to recipient)

Stopping Phishing Attacks and Blended Threats
•  Reputation filter and spam filter: blocks unwanted messages; message content analysis; administrator black lists; spoofing prevention
•  Filters bad URLs based on web reputation and category
•  Re-routes suspicious links to be executed in a secure cloud environment
Gateway Web Security Appliances
•  High performance caching proxy
•  Explicit and transparent deployment
•  Layered built-in defense
   –  URL Filtering / Application Visibility and Control
   –  HTTPS decryption
   –  Dynamic Content Analysis
   –  Advanced Malware Protection
   –  Multiple anti-malware engines
•  Flexible authentication options

Acceptable Use Controls
•  URL Filtering
   –  URL database covering over 50 million sites worldwide
   –  Real-time dynamic categorization for unknown URLs
•  Application Visibility and Control (AVC)
   –  Control over 1,000+ apps
   –  Policy control over 150,000+ micro-apps, collaborative and Web 2.0 applications
•  Application Behavior
   –  Which apps can be used by which users and devices
   –  Granular enforcement of behaviors within applications, and shaping
   –  Visibility of activity across the network

Multi-Layer Web Threat Defense (fed by Cisco SIO)
Time of request:
•  URL Filtering: block
•  Reputation Filter: allow, warn, partial block or block
Time of response:
•  Dynamic Content Analysis (DCA): block
•  Signature-based anti-malware engines: block
•  Advanced Malware Protection: block

Cisco Web Security Offers Complete Control
•  Application Visibility and Control (AVC): allow / partial block
•  Data Loss Prevention (DLP)
•  Centralized Management & Reporting
•  Policy Admin
•  Threat Protection
•  Cisco Web Usage Controls: block
Advanced Malware Protection (AMP): Beyond the Event Horizon
Point-in-time detection (antivirus, sandboxing)
•  Analysis stops
•  Not 100%: evaded by sleep techniques, unknown protocols, encryption, polymorphism
•  Initial disposition = Clean; actual disposition = Bad = Too late!!
Continuous protection (AMP)
•  Retrospective detection, analysis continues
•  Initial disposition = Clean; actual disposition = Bad = Blocked
New AMP for Content Security Appliances
•  File Reputation
   –  Blocks known and unknown files
   –  Reputation verdicts delivered by the AMP cloud intelligence network
•  File Sandboxing
   –  Behavioral analysis of unknown files
   –  Looks for suspicious behavior
   –  Feeds intelligence back to the AMP cloud
•  File Retrospection
   –  Continuous analysis of files that have traversed the gateway
   –  Retrospective alerting after an attack when a file is determined to be malicious
(Diagram, content security pipeline: from the previous engine to the AMP client, which computes the SHA-256 checksum plus the SPERO fingerprint for WinPE files, checks its local cache and sends a file reputation query to the AMP Cloud; the cloud returns a verdict and later file reputation updates, an unknown file is uploaded for VRT sandboxing, and the file continues to the next engine to process.)

AMP Connector Sandbox Integration: Decision Flow
The AMP client (ESA/WSA) sends the SHA hash and fingerprint to the AMP cloud service:
•  Recognized file: the cloud returns a score from 1 to 100; 1 to 59 is a clean verdict, 60 to 100 a malicious verdict
•  Unknown file: no score, verdict unknown; the AMP service then decides whether to send it to the sandbox
   –  Yes: verdict clean + send to sandbox
   –  No: verdict clean
The ESA/WSA applies its policy action to the verdict.

Content Security Management
Centralized Management and Reporting for Web and Email Security Appliances
•  Centralized policy management
•  Centralized reporting
•  In-depth threat visibility
•  Delegated administration
•  Extensive forensic capabilities
Insight, control, visibility
•  Visibility across threats, data and applications
•  Consistent policy across offices and for remote users
•  Visibility across different devices, services, and network layers
•  Analyze, troubleshoot, and refine security policies

Central Management Features
Manage both Web and Email from a single appliance
•  Web Security
   –  Centralized web policy management
   –  Centralized web reporting
   –  Centralized tracking
•  Email Security
   –  Centralized email reporting
   –  Centralized email tracking
   –  Central spam and policy quarantines
   –  Spam digest, end user quarantine management

From Generic to Specific Reporting
Top 'N' Summary -> "Overview" reports -> "Detailed" reports -> Targeted search -> Needle in haystack

Some Web Security Reports Available
•  Acceptable Use: Overviews, Users, Websites, URL Categories, Application Visibility, Reports by Location
•  Security: Anti-malware, Client Malware Risk, Reputation Filters, File Reputation, SOCKS Proxy Reports
All reports have drill-down capabilities to view individual transactions.

Cisco Advanced Reporting for WSA
Alternative web reporting solution for scalability and specific use cases
Scalability use cases:
•  >20,000 users
•  Extended storage term
•  Group-based reporting
•  Historical data import
•  Integration / correlation with other tools

DEPLOYMENT

General Sizing Guidance
•  Gather information
   –  Number of users
   –  Number / size of Internet links / locations
•  Calculate the number of appliances required for capacity, +1 for HA
•  Determine appliance location and placement in the network (virtual, transparent or explicit)
•  Plan for extra capacity when enabling additional features
•  Plan for load balancing infrastructure if required to meet HA requirements
•  Add an SMA model the same size as or larger than the largest ESA/WSA in the deployment

ESA appliance   ESAv     Estimated users
C170            C100v    <1000
C380            C300v    <5000
C680            C600v

WSA appliance   WSAv     Estimated bandwidth   Users
S170            S100v    <20Mbps               <1000
S380            S300v    <50Mbps               <5000
S680

Disclaimer: your mileage may vary; when sizing a solution for >5000 users, contact your Cisco Security SE for sizing guidance.

Licensing
•  Licensed per user, based on the feature subscribed to
•  Subscription based: 1y, 3y or 5y
•  A valid feature subscription entitles customers to deploy virtual appliances
   –  No additional cost for virtual appliances
   –  Supports short term high demand or disaster recovery scenarios
•  The same license entitlement is deployed across all appliances of the same type in the customer network
•  To enable additional features, simply subscribe and turn the functionality on

Example Entitlement: 5000 x WSA-WSP-LIC= and 5000 x SMA-WMGT-LIC=
(Diagram: SMA M380 at Headquarters (all-HW environment); WSAv S300v and WSAv S100v at Branch Office 1; WSA S380 at Branch Office 2; WSAv S100v at Branch Office 3)

Load Balancing Options
•  Email Security
   –  MX priority and DNS round robin
   –  VIP with load balancer

    #Example DNS
          IN MX 10 smtp1
          IN MX 20 smtp1
    smtp1 IN A 192.168.10.1
    smtp2 IN A 192.168.10.2
    smtp2 IN A 192.168.10.3
    smtp  IN CNAME smtp2
    smtp  IN CNAME smtp3

•  Web Security
   –  PAC file (<4 proxies)
   –  VIP with load balancer (tip: use sticky sessions on the source IP)
   –  WCCP (<10 proxies)
(Diagram: load balancer VIP in front of the proxies)

Reference: PAC Load Balance using URL ATOI HASH

    function FindProxyForURL(url, host) {
        // Define the two proxy addresses
        var PROXY1 = "proxy01.example.com:80";
        var PROXY2 = "proxy02.example.com:80";

        /* Don't proxy local addresses */
        if (host == "localhost" || host == "127.0.0.1") {
            return "DIRECT";
        }
        if (isPlainHostName(host)) {
            return "DIRECT";
        }
        if (isResolvable(host)) {
            /* Don't proxy non-routable addresses (RFC 1918) */
            if (isInNet(host, "0.0.0.0", "255.0.0.0") ||
                isInNet(host, "10.0.0.0", "255.0.0.0") ||
                isInNet(host, "127.0.0.0", "255.0.0.0") ||
                isInNet(host, "169.254.0.0", "255.255.0.0") ||
                isInNet(host, "172.31.0.0", "255.240.0.0") ||
                isInNet(host, "192.0.2.0", "255.255.255.0") ||
                isInNet(host, "192.88.99.0", "255.255.255.0") ||
                isInNet(host, "192.168.0.0", "255.255.0.0") ||
                isInNet(host, "198.18.0.0", "255.248.0.0") ||
                isInNet(host, "224.0.0.0", "240.0.0.0") ||
                isInNet(host, "240.0.0.0", "240.0.0.0")) {
                return "DIRECT";
            }
        }

        var ret = URLhash(host);   // Calculate the hash of the host name for load balancing
        if ((ret % 2) == 0) {      // Choose the proxy as per the hash
            return "PROXY " + PROXY1 + "; PROXY " + PROXY2;   // Primary proxy with failback to secondary
        } else {
            return "PROXY " + PROXY2 + "; PROXY " + PROXY1;   // Secondary proxy with failback to primary
        }
    }

    // URLhash: sum of the per-character codes of the lower-cased host name
    function URLhash(name) {
        var cnt = 0;
        var str = name.toLowerCase();
        for (var i = 0; i < str.length; i++) {
            cnt += atoi(str.substring(i, i + 1));
        }
        return cnt;
    }

    // atoi: map one character to the code used by the hash, with the same values as
    // the slide's lookup table: a-z -> 65-90, 0-9 -> 48-57, "." -> 46, anything else -> 32
    function atoi(charstring) {
        if (charstring.length == 1 && /[a-z0-9.]/.test(charstring)) {
            return charstring.toUpperCase().charCodeAt(0);
        }
        return 32;
    }

Email Security Appliance Deployment
1.  DNS is critically important. A, PTR, MX and any required TXT records MUST be configured.
2.  Deploy the ESA in the DMZ, with either a unified SMTP listener or separate listeners for inbound and outbound.
3.  Multiple ESA appliances are "clustered" together to share a common configuration.
4.  For outbound email, configure the groupware server to relay outbound mail through the ESA.
(Diagram: Internet <SMTP> ESA SMTP listener <SMTP> groupware (Exchange, 3rd party email server) <MAPI/POP/IMAP/SMTP> user community)

Web Security Deployment

Reference: Flexible Web Security Deployment Options
•  On-premises deployment options: appliance, virtual, cloud, next generation firewall
•  Cloud connection methods: router, firewall, appliance, roaming
•  Redirectors: WCCP, PAC file, explicit
Mixed-mode deployments supported: virtual WSA at Branch Office 1, HW WSA at Branch Office 2, HW SMA at Headquarters (all-HW environment), virtual WSA. Hardware and virtual appliances are interoperable, and all appliances (virtual or HW) can be centrally managed by the SMA.

WSA Proxy Deployment Modes
•  Explicit forward mode
   –  Redirect to the proxy using browser configuration, through Group Policy or Proxy Auto Configuration (PAC)
   –  Load balancing can be achieved using PAC or L4 load balancing
   –  Not recommended for BYOD devices
•  Transparent mode
   –  Redirect traffic to the proxy using the network. WCCP or an L4 load balancer with PBR can be used to redirect traffic.
   –  WCCP and L4 load balancers support traffic load balancing
   –  Recommended deployment to support BYOD devices, since no client-side configuration is required
   –  Requires the HTTPS proxy to redirect HTTPS traffic

Explicit Forward Mode Deployment
1.  Determine the proxy to use: browser setting or PAC
2.  Browser requests the web site from the proxy
3.  WSA requests the resource from the Internet
(Diagram: user community 1. Get PAC, 2. HTTP Get to the WSA, 3. HTTP Get to the Internet)

    function FindProxyForURL(url, host) {
        return "PROXY wsa.example.com:3128";
    }

Transparent Mode Deployment
1.  Browser requests the web page directly from the Internet
2.  Network redirects the request to the WSA
3.  WSA requests the resource from the Internet
(Diagram: user community 1. HTTP Get, 2. WCCP redirect to the WSA, 3. HTTP Get to the Internet)
Note: A WSA in transparent mode can also serve clients explicitly; many customers deploy both modes simultaneously.

WSA User Identification: Enabling User/Group Based Policy
•  Active authentication
   –  Basic (can be secured over HTTPS)
   –  NTLMSSP
   –  Kerberos
   –  Supported identity stores: LDAP/S; Active Directory, multiple forests without trust
   –  Primary authentication method for corporate users and devices
•  Passive identification
   –  Context Directory Agent (CDA), a free virtual appliance
   –  Passive IP-to-user mapping for users logged into AD or ISE
      •  Integrates with AD through WMI for domain-logged-in AD users
      •  ISE integration through syslog
   –  Augments active authentication techniques and helps support a seamless BYOD user experience

CDA Passive Identification: Enabling a seamless BYOD experience using ISE and WSA
1.  User authenticates to the SSID (EAP-MSCHAPv2 through the Cisco WLAN Controller)
2.  ISE validates the user against AD and allows network access
3.  ISE sends syslog to the CDA and the CDA learns the user-to-IP mapping
4.  User requests a web page; the network redirects it to the WSA
5.  WSA performs a user lookup from the CDA (user <> IP mapping) and allows access based on identity without prompting the user for credentials
6.  WSA requests the page
(Diagram: Active Directory connected to the Context Directory Agent via WMI; Identity Services Engine; Cisco WLAN Controller; WSA)

AnyConnect Secure Mobility: ASA and WSA Integration
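The ISE-to-CDA-to-WSA flow in steps 3 and 5 above, as an added example in JavaScript (not Cisco's CDA code): a passive IP-to-user table built from syslog and consulted per web request. The syslog line layout, the field names and the sample lines are constructed for this example and are not the real ISE message format; the 8-hour mapping lifetime is also assumed.

```javascript
// Constructed syslog lines in a simplified key=value layout (an assumption of this
// example, not the exact ISE message format).
const SAMPLE_SYSLOG = [
  "<182>Jun 10 09:00:05 ise01 PASSED_AUTH ts=1402390805 UserName=jdoe Framed-IP-Address=10.10.20.15",
  "<182>Jun 10 09:00:09 ise01 PASSED_AUTH ts=1402390809 UserName=asmith Framed-IP-Address=10.10.20.16",
  "<182>Jun 10 09:30:00 ise01 ACCT_STOP ts=1402392600 UserName=asmith Framed-IP-Address=10.10.20.16",
  "<182>Jun 10 09:31:00 ise01 PASSED_AUTH ts=1402392660 UserName=guest42 Framed-IP-Address=10.10.20.16",
  "<182>Jun 10 09:32:00 ise01 some unrelated message with no identity attributes",
];

// Pull the event type, timestamp, user and client IP out of one line;
// null if the line is not an identity event.
function parseEvent(line) {
  const m = /\b(PASSED_AUTH|ACCT_STOP)\s+ts=(\d+)\s+UserName=(\S+)\s+Framed-IP-Address=(\d{1,3}(?:\.\d{1,3}){3})\b/.exec(line);
  if (!m) return null;
  return { kind: m[1], ts: Number(m[2]), user: m[3], ip: m[4] };
}

// IP-to-user table with a time-to-live, standing in for what the WSA asks the CDA.
function createMappingTable(ttlSeconds) {
  const byIp = new Map(); // ip -> { user, ts }
  return {
    ingest(line) {
      const ev = parseEvent(line);
      if (!ev) return false;
      if (ev.kind === "ACCT_STOP") {
        // Only clear the entry if it still belongs to the user logging off, so a newer
        // login on a reused address is not wiped by an old stop record.
        const cur = byIp.get(ev.ip);
        if (cur && cur.user === ev.user) byIp.delete(ev.ip);
      } else {
        byIp.set(ev.ip, { user: ev.user, ts: ev.ts }); // newest login wins
      }
      return true;
    },
    // User for a request from ip at time now, or null when there is no fresh mapping
    // (the WSA would then fall back to active authentication).
    lookup(ip, now) {
      const entry = byIp.get(ip);
      if (!entry || now - entry.ts > ttlSeconds) return null;
      return entry.user;
    },
  };
}

function runCdaDemo() {
  const table = createMappingTable(8 * 3600); // 8 h mapping lifetime (assumed)
  let parsed = 0;
  for (const line of SAMPLE_SYSLOG) if (table.ingest(line)) parsed += 1;
  const now = 1402392700;
  return {
    parsed,                                              // 4
    jdoe: table.lookup("10.10.20.15", now),              // "jdoe"
    reused: table.lookup("10.10.20.16", now),            // "guest42", not "asmith"
    unknown: table.lookup("10.10.20.99", now),           // null
    stale: table.lookup("10.10.20.15", now + 9 * 3600),  // null: mapping expired
  };
}

console.log(runCdaDemo());
```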
AnyConnect VPN Client
•  Seamless connectivity (Always On, Trusted Network Detection)
•  Unified endpoint agent (Windows, OS X): VPN, NAM, CWS, NAC posture
•  Integration / collaboration
Web Security Appliance
•  Anti-Malware
•  Reputation Filters
•  L4 Traffic Monitor
•  Web Usage Controls
Information sharing between ASA and WSA (Diagram: users outside the network reach the ASA and the Cisco Web Security Appliance, corporate AD, social networking and enterprise SaaS)

DEMONSTRATION

BYOD + TUI + HTTPS Decryption
•  Problem
   –  BYOD devices require manual proxy configuration to access the Internet
   –  Constant authentication popups on BYOD devices trying to access the Internet create an unwanted, poor user experience
   –  HTTPS decryption is required for transparent mode deployment
   –  Decrypting HTTPS requires an internal CA signing certificate installed on the WSA
   –  This means every decrypted HTTPS request from a BYOD device will generate a certificate validation error
•  Solution
   –  Use the Cisco ISE supplicant provisioning wizard to provision internal CA certificates on BYOD devices
   –  Use ISE to authenticate the user and notify the CDA of the IP address associated with the user
   –  Transparently redirect HTTP/S traffic to the Cisco WSA using the network, to avoid any explicit proxy configuration

Cloud Web Security Deployment: Multiple Connector Options
(Diagram: AnyConnect, ISR-G2, ASA and WSA connectors forward traffic across the Internet to Cloud Web Security)
Cisco Connectors for Cloud Web Security
•  Eliminates backhaul
•  Speeds deployment
•  Extends the value of existing investments
•  Simple global policy and reporting
(Diagram: employees at Headquarters behind a Cisco ASA, at a Branch Office behind a Cisco ISR G2, and remote with AnyConnect reach Cloud Web Security over the Internet, with VPN between the sites)
Standardized Connector Options for Maximum Flexibility
•  Direct to Cloud (AnyConnect)
   –  Roaming users
   –  Existing AnyConnect / VPN customers
   –  Transparent redirect
   –  25 - 7500 users
•  Internet Edge (ASA Connector), reference: Enterprise
   –  Existing firewall customer
   –  Need cloud-based authentication
   –  No backhaul of Internet traffic
   –  Scenarios with no ISR G2
   –  Max users = 7,500
•  Branch (ISR Connector), reference: Enterprise
   –  Existing / potential ISR-G2 customer
   –  Transparent redirection
   –  No backhaul of Internet traffic
   –  120 - 1200 users
•  Custom Deployment (WSA Connector), reference: Enterprise, SMB, Mid-Market
   –  Advanced proxy features
   –  Virtualized form factor
   –  DLP needs
   –  No ASA / ISR G2
   –  Max users = 7,500

ISR Connector
Content-scan global parameter-map:

    parameter-map type content-scan global
     server scansafe primary name tower32.scansafe.net port http 8080 https 8080
     server scansafe secondary name tower31.scansafe.net port http 8080 https 8080
     license 0 D7BF98AFEB0B4AFA5954CB0F81FFB620
     source interface GigabitEthernet0/1
     publickey flash0:testPublicKey.txt
     user-group ciscogroup username ciscouser
     server scansafe on-failure block-all

Egress interface configuration:

    interface GigabitEthernet0/1
     ip address 72.163.218.75 255.255.255.240
     content-scan out

•  Available in IOS (universal) images with security feature set (SEC) licenses
•  Supported on the 880, 890, 19XX, 29XX and 39XX/E ISR G2 platforms
•  Supports redirection of HTTP/HTTPS traffic
•  Supports single sign-on based identity with LDAP and AD sync
•  User provisioning is configured using the ScanCenter web portal
•  Reporting (accesses allowed or denied per user or group, etc.)
•  Provides scanning tower redundancy

ASA Connector
•  Configure global settings
•  Enable cloud redirection using service policy rules
•  Supports per-context redirection to Cisco Cloud Web Security
•  Can include user identity
•  Provides scanning tower redundancy

    scansafe general-options
     server primary fqdn proxy197.scansafe.net port 8080
     server backup fqdn proxy137.scansafe.net port 8080
     retry-count 5
     license xxxxxxxxxxxxxxxxxxxxxxxxx

WSA Connector
•  Provides limited WSA functionality
   –  User identity to the cloud (NTLM, Basic, Kerberos)
   –  Bypass certain sites
   –  External DLP integration
   –  Local logging via syslog
•  Select Cloud Connector mode during the System Configuration Wizard

AnyConnect Connector
•  Cloud hosted configuration
•  Dynamic updates
•  Detects the closest Cloud Web Security tower
•  Trusted network detection with HTTPS server
•  Local username / machine name logging
•  Fail open / fail closed option

Summary
We discussed the following:
•  Email, web and cloud security design and functionality
•  New built-in Advanced Malware Protection capability
•  Deployment options
   –  Web Security Appliance
   –  Cloud Web Security
•  Methods to enable BYOD and deliver an exceptional user experience while maintaining security

Recognized as Content Security Leader: Secure Web Gateway MQ 2013, Secure Email Gateway MQ 2013

References
•  Cisco Annual Security Report 2014
•  Technology Design Guides
   –  Web Security Using Cisco WSA
   –  Email Security Using Cisco ESA
•  Opus One, Snowshoe Spam, July 2014

Paul Beyleveld, CISSP, Consulting Systems Engineer
pbeyleve@cisco.com
LinkedIn: za.linkedin.com/in/paulbeyleveld/
Twitter: @RegardingPaul

Thank You