Cisco Web Security
Appliance (WSA)
Mohamed Maklad
Cybersecurity Services Consultant
CCIE Security # 55128
Agenda
• Cisco WSA Business Needs
• WSA Technology Overview
• Cisco WSA Engines Features
• Cisco WSA Deployment Modes
• Cisco WSA Hardware Overview
• Cisco WSA Licensing
Cisco WSA Business Needs
• Web access offers great rewards for
organizations, as well as great risks.
• Offering employee web access creates
three substantial risks:
✓ The loss of employee productivity
from unproductive browsing and
bandwidth consumption.
✓ Threats from malicious software
which can cause data leakage.
✓ Liability exposure resulting from
employees’ access of unsavory
content.
Cisco WSA Technology Overview
• WSA is a web proxy that works with other Cisco network components to monitor and
control outbound requests for Web content and scrubs return traffic for unwanted or
malicious content.
Cisco WSA Engines Features
• Web Reputation Engine
o Analyzes and categorizes unknown URLs.
o The Web Reputation engine analyzes different factors related to web
traffic and the network to determine the level of risk associated with a
site (such as domain registrar information, presence of virus / spam /
spyware / phishing, age of a URL, …).
o Blocks websites that fall below a defined security policy or threshold.
o The Cisco WSA engine analyzes a large data set and produces a granular
web reputation score (WBRS) of –10 to +10.
❖ -10.0 to -6.0 -> Block
❖ -5.9 to 5.9 -> Scan
❖ 6.0 to 10.0 -> Allow
Cisco WSA Engines Features (Continued)
• Web filtering
o Applies traditional URL filtering, allows for granular acceptable use
policy (AUP) creation, and warns the user on certain quota and bandwidth
conditions.
• Application Visibility and Control (AVC)
o Enables the Cisco WSA to inspect and/or block applications that are not
allowed by the organization’s security policy.
o You can allow users to use social media sites like Twitter and Facebook and
then block micro-applications within those social media sites (like Facebook
games).
Cisco WSA Engines Features (Continued)
• Antivirus scanning:
o The Cisco WSA supports different antivirus engines such as McAfee, Sophos,
and Webroot.
• File sandboxing:
o The Cisco WSA has been integrated with the Cisco AMP and Cisco Threat
Grid sandboxing capabilities.
o This allows for putting an unknown file in a sandbox to inspect its behavior.
Cisco AMP and Threat Grid use machine learning to analyze the file and
determine the threat level.
Cisco WSA Engines Features (Continued)
• Data-loss prevention (DLP):
o The Cisco WSA can redirect all outbound traffic to a third-party DLP system,
allowing deep content inspection for regulatory compliance and data
exfiltration protection.
o This allows you to inspect web content to prevent users from storing files to
cloud services, such as Box, Dropbox, iCloud, and Google Drive.
Cisco WSA Deployment Modes
You can deploy the Cisco WSA in two different modes:
▪ Explicit forward mode
▪ Transparent mode
Cisco WSA in Explicit Forward Mode
Cisco WSA Deployment Modes (Continued)
Cisco WSA in Explicit Forward Mode (Continued)
• The client is configured to explicitly use the proxy, subsequently sending all
web traffic to the proxy.
• You must configure each client to send traffic to the Cisco WSA.
• In large environments, you can also configure the client’s proxy settings using
DHCP or DNS, using proxy auto-configuration (PAC) files, or with Microsoft
Group Policy Objects (GPOs). You can also lock browser proxy settings with
solutions like Microsoft GPOs.
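The PAC-file option above, as an added example that is not part of the original slides: a proxy auto-configuration file that sends Internet-bound browser traffic to the WSA at 10.1.2.3 (address from the slides) while keeping intranet traffic direct. The proxy port 3128 and the internal DNS suffix "corp.example" are assumptions; the IPv4 helpers are written inline so the file does not depend on the browser's isInNet/dnsResolve built-ins.

```javascript
// Added example (not from the slides). PAC files are plain JavaScript
// evaluated by the browser; FindProxyForURL() is the entry point.
var WSA_PROXY = "PROXY 10.1.2.3:3128";   // assumed WSA proxy port; no "; DIRECT"
                                         // fallback, so clients fail closed if
                                         // the WSA is down instead of bypassing it
var INTERNAL_DOMAIN = ".corp.example";   // assumed internal DNS suffix
var INTERNAL_NETS = ["10.1.1.0/24", "10.1.2.0/24", "127.0.0.0/8"];

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer (-1 if invalid).
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True when the literal IPv4 address lies inside the CIDR block.
function ipInCidr(ip, cidr) {
  var pieces = cidr.split("/");
  var net = ipToInt(pieces[0]), addr = ipToInt(ip), bits = Number(pieces[1]);
  if (net < 0 || addr < 0) return false;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and the local machine never leave the LAN.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  // Hosts under the internal DNS suffix stay on the intranet. The leading
  // dot in INTERNAL_DOMAIN prevents "evilcorp.example" from matching.
  if (host.length > INTERNAL_DOMAIN.length &&
      host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN) return "DIRECT";
  // Literal IP destinations inside internal ranges bypass the proxy.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (ipInCidr(host, INTERNAL_NETS[i])) return "DIRECT";
    }
  }
  // Everything else (Internet-bound HTTP/HTTPS) goes through the WSA.
  return WSA_PROXY;
}
```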
Cisco WSA Deployment Modes (Continued)
Cisco WSA in Transparent Mode
• When the Cisco WSA is in transparent mode, clients do not know there is a proxy
deployed.
• Network infrastructure devices are configured to forward traffic to the Cisco WSA.
• In transparent mode deployments, network infrastructure devices redirect web
traffic to the proxy.
• Web traffic redirection can be done using policy-based routing (PBR), available on
many routers, or using Cisco’s Web Cache Communication Protocol (WCCP) on
Cisco ASA, Cisco routers, or switches.
Cisco WSA Deployment Modes (Continued)
Cisco WSA in Transparent Mode (Continued)
Step 1. The client initiates a connection to h4cker.org.
Step 2. Cisco ASA redirects the request to the Cisco WSA using WCCP.
Step 3. The Cisco WSA verifies the request and replies to the client if the web request violates a policy, or the security
engine flags it.
Step 4. The Cisco WSA initiates a new connection to h4cker.org.
Step 5. The h4cker.org web server replies to the Cisco WSA. The Cisco WSA checks for malicious or inappropriate content
and blocks it, if needed.
Step 6. If the content is acceptable, the Cisco WSA forwards the content to the client.
Cisco WSA Deployment Modes (Continued)
Configuring WCCP on a Cisco ASA to Redirect Web Traffic to a Cisco WSA
Step 1. Create an access control list (ACL) to define (match) the HTTP and HTTPS traffic from the 10.1.1.0/24 and 10.1.2.0/24 subnets (ASA ACLs take a full subnet mask, 255.255.255.0 for a /24)
access-list http-traffic extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list http-traffic extended permit tcp 10.1.2.0 255.255.255.0 any eq 80
access-list http-traffic extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list http-traffic extended permit tcp 10.1.2.0 255.255.255.0 any eq 443
Step 2. Create another ACL to identify the IP address of the Cisco WSA (10.1.2.3) as the WCCP client
access-list WSA extended permit ip host 10.1.2.3 any
Step 3. Configure WCCP, using the first ACL as the redirect list and the second as the group list
wccp web-cache redirect-list http-traffic group-list WSA
Step 4. Apply redirection to inbound traffic on the source (client-facing) interface
wccp interface inside web-cache redirect in
Cisco WSA Hardware Overview
Cisco WSA S190
Cisco WSA S690
Cisco WSA Hardware Overview (Continued)
Item  Port                    Description
1     Proxy port 1            Connect proxy port P1 to the network for both incoming and outgoing traffic.
2     Proxy port 2            When both proxy ports P1 and P2 are enabled, you must connect P1 to the internal network and P2 to the Internet.
3     Traffic Monitor port 1  Traffic monitor port T1 for a duplex Ethernet tap: one cable for all incoming and outgoing traffic.
4     Traffic Monitor port 2  Traffic monitor ports for a simplex Ethernet tap: one cable for all packets destined for the Internet (T1) and one cable for all packets coming from the Internet (T2).
5     Remote Power Cycle      The port that is used for Remote Power Cycle (RPC).
6     Console
7     Management interface 1
8     Management interface 2
Cisco WSA Licensing
Thank you