The WSA main features are L4 Traffic Monitor and Web Proxy. Other features are
– URL filtering
– Web usage controls
– Application visibility & control
– Anti-Malware scanning (Sophos, McAfee, Webroot)
Secure web proxy monitors and scans web traffic for malicious content. When you enable the web proxy, you can configure it to be in transparent or explicit forward mode
The L4 Traffic Monitor detects and blocks rogue traffic across all ports and IP addresses. The L4 Traffic Monitor listens to network traffic that comes in over all ports and IP addresses on the appliance and matches domain names and IP addresses against entries in its own database tables to determine whether to allow outgoing traffic. L4 Traffic Monitor deployment is independent of the Web Proxy deployment. You can connect the L4 Traffic Monitor to a network tap or the mirror/span port of a switch.
When you enable the web proxy, you can configure it to be in transparent or explicit forward mode.
Deployment
Features you enable determine how you deploy and physically connect the appliance to the network. Two main deployment methods are Explicit forward proxy and Transparent Proxy.
Explicit Forward Proxy: Client applications, such as web browsers, are aware of the Web Proxy and must be configured to point to a single Web Security appliance. This deployment requires a connection to a standard network switch. When you deploy the Web Proxy in explicit forward mode, you can place it anywhere in the network. IP spoofing is disabled by default
ON – IP address of original source is maintained. OFF – Changing IP address to WSA IP address
Automatic: Configure each client application to use a PAC file to detect the appliance Web Proxy automatically. Then you can edit the PAC file to specify the appliance Web Proxy information. PAC files work with web browsers only.
Manual: Configure each client application to point the appliance Web Proxy by specifying the appliance hostname or IP address and the port number, such as 3128, used for listening to data traffic.
Transparent Proxy: Clients applications are unaware of the Web Proxy and do not have to be configured to connect to the proxy. This deployment requires an Layer 4 switch or a WCCP v2 router. When you specify a WCCP router, you need to configure additional settings on the appliance.When you specify a Layer 4 switch, you only need to specify that the appliance is connected to a Layer 4 switch when you configure the appliance.
Note: When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests
Device Interface:
Management – M1 and M2: Use for management of the WSA. Can also be used for data traffic in deployments where there is no separate management network.
Data – P1 and P2: Use the Data interfaces for Web Proxy data traffic. Only P1 enabled by default. If P2 is enabled both interfaces should be connected to a different subnet.
L4 Traffic Monitor – T1 and T2: Use for Tap and Span. Can be used in simplex (only T1 for incoming and outgoing traffic) or duplex (T1 and T2 connected. T1 for outgoing and T2 for incoming) communication.
Web Security Appliance Ethernet Ports
WSA Initial Configs
Initial interface config can be done via CLI or by going to default IP address and configuring from browser (Wizard or manual). Default setting are:
default username/password: admin/ironport
default ip address/mask: 192.168.42.42/24
No default gateway is set
default port: 8080 and 8443 for http and https
Implementing WCCP
To set up the WSA to use WCCP you need to create at least one WCCP service on the appliance and configure the router to work with the Web Security appliance.
A WCCP service is an appliance configuration that defines a service group to a WCCP v2 router. It includes information such as the service ID and ports used. Service groups allow a web proxy to establish connectivity with a WCCP router and to handle redirected traffic from the router
Example WCCP Service
ip wccp version 2 ip wccp service_group interface interface_type_number ip wccp service_group redirect direction ip wccp service_group password password ip wccp service_group redirect direction
ip wccp service_group redirect direction
Use in when you want the router to redirect packets as they enter the router
Use out when you want the router to redirect packets right before they leave the router
ASA supports only redirect in
ip wccp service_group.
Web-cache. Enter “web-cache” when the appliance WCCP service uses the standard service
Service ID number. Enter a number from 0 to 255 when the appliance WCCP service uses a dynamic service ID. The number should match the service ID number used in the appliance.
Example WCCP Service — Standard Service, No Password Required
ip wccp version 2 ip wccp web-cache [redirect-list acl] interface GigabitEthernet1/0/14 ip wccp web-cache redirect in
Example WCCP Service — Dynamic Service for IP Spoofing, Password required
ip wccp version 2 ip wccp 90 interface GigabitEthernet1/0/14 ip wccp 90 redirect in ip wccp 90 password Cisco123 show wccp show wccp 90 service show wccp 91 detail
There are 2 WCCP redirection methods
– Layer 2: WSA and router are on same layer 2 network.
– GRE
Note: ASA only supports GRE.
Implementing L4 Traffic Monitor
Configure span session for Vlan where traffic will be monitored.
WSA
packetcapture – look at packets destined any interface of the wsa.
Switch
monitor session 1 source int g1/0/1
monitor session 1 destination interface g1/0/20
show monitor
Miscellaneous commands:
showconfig – show running config
resetconfig – reset to factory defaults
interfaceconfig – configure wsa interface
setgateway – configure wsa default gateway
resetconfig – reset to factory default
ping, nslookup, grep, authcache
Source:
http://www.cisco.com/en/US/docs/security/wsa/wsa7.7.5/user_guide/WSA_7.7.5_UserGuide.book.pdf
IP Expert VOD, INE Security Boot Camp
Recent Comments