Cisco® CCNA Security Exam Notes : Mitigation Technology For Web-based Threats

7. Content and Endpoint Security

7.2 Mitigation technology for web-based threats

WSA: The Cisco Web Security Appliance (WSA), powered by Cisco Talos, protects users by automatically blocking risky sites and testing unknown sites before allowing users to connect to them. WSA runs the AsyncOS operating system. Cisco WSA uses cloud-based intelligence, including zero-day threat intelligence and web reputation scoring.

Cisco WSA can work in two modes:

1. Explicit Proxy Mode: In the explicit proxy mode, WSA connects to the website on behalf of the internal user.

2. Transparent Mode: In transparent proxy mode, the user's request for a web address is redirected to the WSA by a network device using the Web Cache Communication Protocol (WCCP); the client is unaware that a proxy is involved.

In summary, Cisco's Web Security Appliance (WSA) can be deployed in either explicit proxy mode or transparent proxy mode; the transparent deployment relies on WCCP for redirection.

Given below are some of the frequently used abbreviations:

ESA: Email Security Appliance.

WSA: Web Security Appliance

CWS: Cloud Web Security

WCCP: Web Cache Communication Protocol

SMA: Security Management Appliance.

TLS: The following are the main features of the TLS 1.0 protocol:

1. Widely supported on the server side to secure communications with clients. It is also widely supported on major web browsers.

2. A session can start with unsecured communications and dynamically switch to a secured channel when required, by negotiating the upgrade with the other side.

3. The Keyed-Hash Message Authentication Code (HMAC) algorithm replaces the SSL Message Authentication Code (MAC) algorithm.

HMAC produces integrity check values that are harder to forge than those of the SSL MAC. Like the MAC, HMAC produces an integrity check value, but it uses a nested hash construction (an inner and an outer keyed hash) that makes the result much harder to break.

4. The TLS standards were developed by the IETF, a standards body, whereas SSL was developed by Netscape and is nearing the end of its useful life.

5. In TLS, it is not always necessary to include the certificate chain all the way back to the root CA; an intermediate certificate authority can be used.

The more recent TLS 1.2 provides improved security through stronger cryptographic algorithms and is being adopted widely.

SSL VPN Session

1. The client initiates contact with the server over TCP port 443.

2. The TCP three-way handshake takes place.

3. The server provides its digital certificate and public key, among other parameters.

4. The client verifies the digital certificate against the issuing CA.

5. The client generates a shared (symmetric) key, encrypts it with the server's public key, and sends it to the server.

6. The server decrypts the received symmetric key using its own private key; both devices in the session now hold the same key.

7. SSL session starts by using the shared key.

Note that all these are Cisco(R) trademarked, proprietary devices, each used in a different context.

The WSA proxy is essentially a middleman (proxy) between HTTP clients (Internet users) and HTTP servers.

When requests are redirected to the WSA transparently, the WSA must act as if it were the OCS (origin content server), since the client is unaware that a proxy exists. This is called transparent proxy mode. By contrast, if a request is explicitly sent to the WSA, the WSA is said to be working in explicit mode.

Note that an explicit request carries the destination IP address of the configured proxy, whereas a transparent request carries the destination IP address of the intended web server (resolved by the client via DNS).

A WSA transparent deployment may use 1) a Layer 4 switch to redirect port 80 requests, 2) a WCCP-enabled device, or 3) bridged mode.

On the other hand, a WSA explicit proxy deployment may be 1) browser-based (the proxy is configured in each browser) or 2) PAC file based.

A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL.
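Below is an added example of such a PAC file (not taken from the notes or from Cisco documentation). A PAC file is a JavaScript script that defines FindProxyForURL(url, host); the browser calls it for every request and expects a string such as "PROXY host:port" or "DIRECT". The WSA address 10.0.0.5:3128, the backup proxy 10.0.0.6:3128 and the domain corp.example are assumed placeholders. Browsers normally supply helpers such as isPlainHostName() and isInNet(); simplified versions are defined here in plain JavaScript so the file also runs under Node for testing.

```javascript
// Added example: a minimal PAC file for an explicit-mode WSA deployment.
// Proxy addresses and domain names are assumed placeholders, not values
// from the notes. The helper functions below imitate the PAC built-ins so
// the script can be exercised outside a browser.

// True for a bare hostname with no dots, e.g. "printer".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True if host ends with the given domain suffix, e.g. ".corp.example".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Dotted-quad address check against a network and mask. Unlike the browser
// built-in, this simplified version does not resolve names: a non-IP host
// simply returns false.
function isInNet(ip, net, mask) {
  var toInt = function (s) {
    var p = s.split(".");
    if (p.length !== 4) return null;
    var n = 0;
    for (var i = 0; i < 4; i++) {
      var o = parseInt(p[i], 10);
      if (isNaN(o) || o < 0 || o > 255 || String(o) !== p[i]) return null;
      n = n * 256 + o;
    }
    return n;
  };
  var a = toInt(ip), b = toInt(net), m = toInt(mask);
  if (a === null || b === null || m === null) return false;
  return (a & m) === (b & m);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Local hostnames without a domain part stay inside the LAN.
  if (isPlainHostName(host)) return "DIRECT";

  // 2. Internal domain and RFC 1918 address literals never leave the network.
  if (dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // 3. Everything else is sent through the WSA. A second proxy is listed as
  //    the fallback rather than DIRECT, so an outage of the primary WSA does
  //    not silently bypass web filtering (fail closed, not fail open).
  return "PROXY 10.0.0.5:3128; PROXY 10.0.0.6:3128";
}
```

The ordering matters: exceptions that must bypass the proxy come first, and the final return is the catch-all. Ending the proxy list with "DIRECT" is a common convenience that turns a proxy outage into an unfiltered path to the Internet, which is why the example falls back to a second WSA instead.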

CWS is a cloud-based security service from Cisco(R). Users can connect to the CWS service directly by using a proxy auto-configuration (PAC) file on the user endpoint, or through a connector. The following Cisco products provide access to this service:

1. ISR G2 routers

2. Cisco ASA

3. Cisco WSA

4. Cisco AnyConnect Secure Mobility client

The following are the Cisco(R) Security Management Appliance (SMA) models:

1. SMA M680 : Suitable for large organizations with 10,000 or more users.

2. SMAV M600v : Suitable for large organizations and service providers.

3. SMA M380 : Suitable for organizations with 1,000 to 10,000 users.

4. SMAV M000v : Suitable for organizations with 1,000 to 5,000 users.

5. SMA M170 : Suitable for small businesses or branch offices with up to 1,000 users.

6. SMAV M100v : Suitable for small businesses or branch offices with up to 1,000 users.

7. SMAV M000v : Used for evaluation purposes only.
