Zero to Hero with Cisco WSA
Let’s talk about why Cisco WSA. Think of a day when you are working in your organization and mistakenly you download some malware from Internet which corrupts your important data? How bad that would be?
NOT ENOUGH ??
Okay, Let’s say you are a Manager in an IT Organization and your team is playing online games in your absence or maybe accessing some websites on the Internet which you may not want them to access? Such Employees may put your Organization at risk by clicking where they shouldn’t.
THIS IS ABSOLUTELY NOT GOOD !!
Here comes the Proxy Server in picture. Proxy Server is a device that sits between a client application, such as a web browser and a real server. Proxy service is generally used for 3 major applications:-
- HTTP
- HTTPS
- FTP
Cisco has a solution called Web Security Appliance which is also known as Cisco WSA. Cisco WSA protects your Organization by automatically blocking malicious and unknown sites before allowing users to connect to them. It is powered by Cisco Talos which provides Intelligence to the WSA.
Cisco WSA provides Application Visibility and Control by creating and enforcing granular policies for websites like Facebook and LinkedIn with embedded applications which means you can protect your network without affecting productivity or burdening IT resources.
Cisco WSA can be deployed as a Hardware and as a Virtual Appliance as well. There are various models available by Cisco for Hardware like S190 & S195 (for small size office or branch), S390 & S395 (for Midsize Office) and S690 & S695 (for Large Enterprise).
For more information about hardware and virtual models, Check out the below mentioned link:
Centralized Management
Think of a situation when you are a Security Admin and your Organization has multiple branches. You have implemented Cisco WSA in your multiple branches.
How cool it would be if you can centrally monitor, manage and track the policies of those WSA Appliances and get the report of the web traffic of every branch from logging into 1 single device?
Pretty Cool, Huh?
Cisco provides the solution called Cisco Content Security Management Appliance also known as SMA. All you need is to just register your WSA appliances in SMA then you can monitor the health of your WSA appliances, you can centrally create the policies and push on targeted WSA Appliances.
Just like WSA, Cisco provides the flexible deployment options of SMA. It can be deployed as a physical and virtual appliance. There are various models of SMA available by Cisco as per the requirement.
To compare and know more about the exact model required for your needs, check out the link mentioned below.
Now after knowing about the solution, you must be thinking about how Cisco WSA can fit in your Network Infrastructure. Keep following ..
Deployment of Cisco WSA
In order to understand the complete deployment of Cisco WSA, we will go through the following stages of WSA Deployment.
Step # 1 Planning the Web Security Appliance installation
Determining how web traffic will be sent to WSA is one of the challenging parts of WSA deployment because it involves devices other than WSA as well.
There are 2 possible methods to accomplish the redirection of Web traffic to WSA.
Explicit Proxy Deployment
With an Explicit Deployment, you explicitly tell the client computers to send the web traffic to the Cisco WSA. From an Operational standpoint, this method provides you the least complexity. In today’s operating systems, most of the client applications like web browsers are proxy aware so you can easily configure the Proxy settings in Web Browser.
Note:- when you are defining the IP address of a Proxy server in your web browser, don’t forget to define Port 3128 which is the default port number used by Cisco WSA for Proxy.
Now think of a situation where you are having servers in your Internal Network which works on port 443 or 80. If you want to access the gui of those servers from your internal network using a web browser, that traffic will also be redirected to a proxy server which is not the ideal case. So to avoid this situation, you can use a PAC file.
A Proxy Auto Configuration (PAC) file is a script that determines whether web browser requests (HTTP, HTTPS and FTP) go direct to the destination server or are forwarded to a Web Proxy server. So you create a PAC file and host it on WSA and on a browser, instead of giving ip address of a WSA, you can define a link to download the PAC file and run it.
Note: WSA host the PAC files on port number 9001 by default. So when using automatic configuration script in browser, don’t forget to use 9001 port.
To know more about PAC files or to know how to create PAC files, check the below mentioned links.
Transparent Proxy deployment
Another deployment method is a Transparent proxy deployment where all port 80 and 443 traffic is redirected to WSA in an encapsulated GRE packet by some other network device that supports Web Cache Communication Protocol (WCCP). WCCP intercepts packets entering or leaving one interface and it redirects to a device connected to a different interface.
1. User initiates web request
2. Firewall redirects traffic to WSA
3. WSA checks whether the user is authorized or not and replies with denial to user if there is any policy violation.
4. WSA Initiates a connection with the web server
5. WSA checks the content received from web server and forwards content to user if the policy allows.
To know more about Cisco WCCP configurations on Cisco Switches and ASA firewall. Check out the below mentioned links.
Step #2 Completing the Initial Configuration of Cisco Web Security Appliance
You can do the initial configuration of WSA by command line (CLI) as well as through browser (GUI). Following are the initial configurations to be done in WSA.
- Hostname
- DNS, NTP and Timezone
- Network Interface settings
- Transparent Connection settings (if using wccp)
- Administrative and Security Settings
- Upgrade the appliance
- Feature Keys (license keys for different features available on box)
- Upload the CA Server Certificate in trusted root CA certificate directory (if using any ca server for pki)
- Generate an SSL certificate CSR using OpenSSl, get it signed from your CA server and upload it in WSA (if using SSL decryption and self signing on WSA)
To know more about OpenSSL and how to create CSRs, private keys and certificates. Check out the below mentioned link.
For step by step installation of physical and virtual WSA, check out the below mentioned link.
https://www.cisco.com/c/dam/en/us/td/docs/security/content_security/hardware/x90_series/S690_QSG.pdf
Step # 3 Configuring High Availability
Another important aspect of deploying WSA is High Availability. High Availability is the requirement of all business organization in the modern era of technology. Cisco WSA provides high availability using Failover Groups. You can configure 2 or more WSA appliances in the same failover group and that failover group will share a common proxy ip address for that failover group. So all you need is to provide that common ip address to the host for proxy.
Here is the catch, Failover is only available for Proxy service not for management service. So when you create a failover group, automatically proxy interface binds to the failover group. So if proxy interface goes down for any reason, failover is triggered.
It is just like HSRP or VRRP which we use for first hop redundancy protocol. Now you must be thinking whether Cisco WSA also uses VRRP or HSRP for a failover group. Well, technically No.. Cisco WSA uses Common Address Redundancy Protocol (CARP) to share a common IP address for proxy. CARP is similar to HSRP or VRRP where one host becomes a master and another becomes a backup. You can assign a priority to a WSA ranging from 0 to 255 and highest priority is preferred to become a master proxy server.
Note:- There can be only one master host in each failover group.
To know more about configuring and troubleshooting failover in WSA. Check the User guide of Cisco WSA. Link is mentioned at the end of this blog.
If you are using WSA with failover group in virtual environment, there are several requirements to be met. For troubleshooting, check out the below mentioned link.
Step #4 Configuring Policies
Once the deployment is done, the most important work begins. Now there are majorly 3 things which you should know before creating any policy in Cisco WSA.
- Who should use the proxy service ? – Authorized Users
- Do you want decryption to happen in WSA? – Maybe Yes
- What all URLs should be allowed for specified users? – As per Requirement
User Authentication
To restrict unauthorized users to use the Proxy service, you need User Based Authentication in Cisco WSA. When you enable authentication, the WSA verifies the identity of clients on the network before allowing them to connect to a destination server. There are 2 options to do user authentication in Cisco WSA.
Authentication via Active Directory
Cisco WSA supports authentication via AD using Lightweight Directory Access Protocol (LDAP) and NT LAN Manager (NTLM). User identities can be created on AD server and can be authenticated by WSA.
To know more about configuring authentication via AD, check out the user guide. Link is mentioned at the end of this blog.
IP Based Authentication using Identity group
IP based Authentication is the least complex method to do user authentication. All you need is to create an identity group and specify the IP Address or a subnet which you want to allow using proxy services.
To know more about configuring identity group, check out the user guide. Link is mentioned at the end of this blog.
Decryption Policy
In today’s world, most of the web traffic is https that means encrypted. If you want to decrypt the traffic at WSA, you need to create a Decryption Policy. In Decryption Policy you can call the identity group to specify the users for whom this decryption policy will be applied.
In Decryption policy, you can specify the URL categories and Action to be taken for that category like Decrypt, Pass-through, Drop etc. Along with it you can also tell WSA to check the Web Reputation for the respective categories and take the required action.
To know more about configuring Decryption Policies, check out the user guide. Link is mentioned at the end of this blog.
Note:- Decryption Policy is only applicable for HTTPS traffic.
Access Policy
The most important one is the Access policy where you define the URL categories and respective action to be taken for the selected URL categories. Not just URL Categories, Access Policy also gives you the option to choose the web applications like facebook, yahoo chat etc and define the action whether to allow or drop it.
That’s all you require to configure the WSA. There are many more add-on features which Cisco WSA provides like web caching, Custom URL Categories, Integration with ISE etc.
To know more about the all the features, policies, configurations we discussed and other features, check out the Cisco WSA User Guide. Below mentioned is the link.
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-7/user_guide/b_WSA_UserGuide_11_7.html
Are you looking for advisory, consulting and professional services that will help you meet your Information Technology goals? Zindagi can help!
Zindagi Technologies is an IT consultancy and professional services organisation based out of New Delhi, India. We’re experts in best practice design, large scale data centre design and deployment, service provider network design, information security, blockchain, IoT, Smart Cities, and Private/Public/Hybrid cloud solutions. Each one of us has years of experience in large scale network design, deployment and automation. Our “customer first” motto drives us forward, and we believe in providing quality services to our clients always.
Contact us now, to know how Zindagi can help solve your IT / Information Security related problems. We’re also available on email and phone (India business hours).
Author
Harpreet Singh Batra
Consulting Engineer
