Monday, September 14, 2015

Cisco Cloud Web Security (CWS) Using an ASA Connector

I had the opportunity to do a proof-of-concept (POC) for Cisco Cloud Web Security (CWS), formerly known as Scansafe, and for Sourcefire, Cisco's Next-Generation Intrusion Prevention System (NGIPS).

I did CWS first, which is Cisco's web filtering delivered as a Software-as-a-Service (SaaS) cloud solution. It allows companies with existing ASA firewalls and ISR G2 routers (called CWS connectors) to redirect web traffic (HTTP and HTTPS) to Cisco's security cloud. I was given a 1.5-month eval license.

CWS is a huge topic in the SITCS (300-207) exam and I'm glad I was able to set one up. It also pushed me to take SITCS and complete my CCNP Security certification.


ciscoasa# show run dns    // ENSURE ASA CAN DNS QUERY SCANSAFE PROXY SERVERS
dns domain-lookup outside   
dns domain-lookup inside
DNS server-group DefaultDNS
    name-server 208.67.222.222
    name-server 208.67.220.220
    domain-name sg.net

ciscoasa# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.58.196.174, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

ciscoasa(config)# scansafe ?

configure mode commands/options:
  general-options  To configure the Scansafe server and licence related details
ciscoasa(config)# scansafe general-options
ciscoasa(cfg-scansafe)# ?

Scansafe general-options configuration commands:
  license      Specify the scansafe server license provided to you.
  no           Negate a command or set its defaults
  publickey    Specify the location of the scansafe public key file
  retry-count  Specify the number of consecutive attempts to be made before
               declaring the server dead
  server       Specify the scansafe server address and port
ciscoasa(cfg-scansafe)# server ?

scansafe mode commands/options:
  backup   Specify the address of the backup/secondary scansafe server
  primary  Specify the address of the primary scansafe server
ciscoasa(cfg-scansafe)# server primary ?

scansafe mode commands/options:
  fqdn  Specify fully qualified domain name
  ip    Specify IP address
ciscoasa(cfg-scansafe)# server primary fqdn ?

scansafe mode commands/options:
  WORD < 65 char  fully-qualified domain name
ciscoasa(cfg-scansafe)# server primary fqdn proxy2332.scansafe.net ?

scansafe mode commands/options:
  port  Specify the server port to which web traffic must be redirected to.
  <cr>
ciscoasa(cfg-scansafe)# server primary fqdn proxy2332.scansafe.net port ?

scansafe mode commands/options:
  <0-65535>  Port number for web traffic
ciscoasa(cfg-scansafe)# server primary fqdn proxy2332.scansafe.net port 8080   // USE FQDN SINCE THE NEAREST/LOCAL POP PROXY SERVER (SCANSAFE TOWER) WILL BE USED; PROXY SERVER IP MIGHT ALSO CHANGE
ciscoasa(cfg-scansafe)# server backup fqdn access615.cws.sco.cisco.com ?

scansafe mode commands/options:
  port  Specify the server port to which web traffic must be redirected to.
  <cr>
ciscoasa(cfg-scansafe)# server backup fqdn access615.cws.sco.cisco.com port 8080
ciscoasa(cfg-scansafe)# retry-count ?

scansafe mode commands/options:
  <2-100>  Number of attempts to be made
ciscoasa(cfg-scansafe)# retry-count 5
ciscoasa(cfg-scansafe)# license ?

scansafe mode commands/options:
  WORD < 65 char  16 byte scansafe license provided to you
ciscoasa(cfg-scansafe)# license B1310A75BE380A5767F21194930C7XYZ   // GENERATED FROM ADMIN > AUTHENTICATION > COMPANY KEY > GENERATE
ciscoasa(cfg-scansafe)# exit   
ciscoasa(config)# access-list ?

configure mode commands/options:
  WORD < 241 char  Access list identifier
  alert-interval   Specify the alert interval for generating syslog message
                   106001 which alerts that the system has reached a deny flow
                   maximum. If not specified, the default value is 300 sec
  deny-flow-max    Specify the maximum number of concurrent deny flows that can
                   be created. If not specified, the default value is 4096
ciscoasa(config)# access-list HTTP ?

configure mode commands/options:
  deny      Specify packets to reject
  extended  Configure access policy for IP traffic through the system
  line      Use this to specify line number at which ACE should be entered
  permit    Specify packets to forward
  remark    Specify a comment (remark) for the access-list after this keyword
  rename    rename an existing access-list
  standard  Use this to configure policy having destination host or network
            only
  webtype   Use this to configure WebVPN related policy
ciscoasa(config)# access-list HTTP extended ?

configure mode commands/options:
  deny    Specify packets to reject
  permit  Specify packets to forward
ciscoasa(config)# access-list HTTP extended permit ?

configure mode commands/options:
  <0-255>       Enter protocol number (0 - 255)
  ah           
  eigrp        
  esp          
  gre          
  icmp         
  icmp6        
  igmp         
  igrp         
  ip           
  ipinip       
  ipsec        
  nos          
  object        Specify a service object after this keyword
  object-group  Specify a service or protocol object-group after this keyword
  ospf         
  pcp          
  pim          
  pptp         
  snp          
  tcp          
  udp          
ciscoasa(config)# access-list HTTP extended permit tcp ?

configure mode commands/options:
  A.B.C.D                Source IP address
  X:X:X:X::X/<0-128>     Source IPv6 address/prefix
  any                    Abbreviation for source address/mask of
                         0.0.0.0/0.0.0.0 OR source prefix ::/0
  any4                   Abbreviation of source address and mask of 0.0.0.0
                         0.0.0.0
  any6                   Abbreviation for source prefix ::/0
  host                   Use this keyword to configure source host
  interface              Use interface address as source address
  object                 Keyword to enter source object name
  object-group           Network object-group for source address
  object-group-security  Keyword to specify security object-group for source
  object-group-user      Keyword to specify user object-group for source
  security-group         Keyword to specify inline security-group
  user                   Keyword to specify user for source
  user-group             Keyword to specify user-group for source
ciscoasa(config)# access-list HTTP extended permit tcp any ?

configure mode commands/options:
  A.B.C.D                Destination IP address
  X:X:X:X::X/<0-128>     Destination IPv6 address/prefix
  any                    Abbreviation for destination address/mask of
                         0.0.0.0/0.0.0.0 OR destination prefix ::/0
  any4                   Abbreviation for destination address and mask of
                         0.0.0.0 0.0.0.0
  any6                   Abbreviation for destination prefix ::/0
  eq                     Port equal to operator
  gt                     Port greater than operator
  host                   Use this keyword to configure destination host
  interface              Use interface address as destination address
  lt                     Port less than operator
  neq                    Port not equal to operator
  object                 Keyword to enter destination object name
  object-group           Optional service object-group name for source port or
                         network object-group for destination address
  object-group-security  Keyword to specify security object-group for
                         destination
  range                  Port range operator
  security-group         Keyword to specify inline security-group
ciscoasa(config)# access-list HTTP extended permit tcp any any ?

configure mode commands/options:
  eq            Port equal to operator
  gt            Port greater than operator
  inactive      Keyword for disabling an ACL element
  log           Keyword for enabling log option on this ACL element
  lt            Port less than operator
  neq           Port not equal to operator
  object-group  Optional service object-group for destination port
  range         Port range operator
  time-range    Keyword for attaching time-range option to this ACL element
  <cr>
ciscoasa(config)# access-list HTTP extended permit tcp any any eq ?

configure mode commands/options:
  <1-65535>        Enter port number (1 - 65535)
  aol             
  bgp             
  chargen         
  cifs            
  citrix-ica      
  cmd             
  ctiqbe          
  daytime         
  discard         
  domain          
  echo            
  exec            
  finger          
  ftp             
  ftp-data        
  gopher          
  h323            
  hostname        
  http            
  https           
  ident           
  imap4           
  irc             
  kerberos        
  klogin          
  kshell          
  ldap            
  ldaps           
  login           
  lotusnotes      
  lpd             
  netbios-ssn     
  nfs             
  nntp            
  pcanywhere-data 
  pim-auto-rp     
  pop2            
  pop3            
  pptp            
  rsh             
  rtsp            
  sip             
  smtp            
  sqlnet          
  ssh             
  sunrpc          
  tacacs          
  talk            
  telnet          
  uucp            
  whois           
  www             
ciscoasa(config)# access-list HTTP extended permit tcp any any eq www
ciscoasa(config)# access-list HTTPS extended permit tcp any any eq https
ciscoasa(config)# class-map ?

configure mode commands/options:
  WORD < 41 char  class-map name
  type            Specifies the type of class-map
ciscoasa(config)# class-map CMAP-HTTP
ciscoasa(config-cmap)# ?

MPF class-map configuration commands:
  description  Specify class-map description
  exit         Exit from MPF class-map configuration mode
  help         Help for MPF class-map configuration commands
  match        Configure classification criteria
  no           Negate or set default values of a command
  rename       Rename this class-map
ciscoasa(config-cmap)# match ?

mpf-class-map mode commands/options:
  access-list                 Match an Access List
  any                         Match any packet
  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53      
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp         
                              ils-------tcp--389       ip-options-----rsvp    
                              mgcp------udp--2427,2727 netbios---udp--137-138 
                              radius-acct----udp--1646 rpc-------udp--111     
                              rsh-------tcp--514       rtsp------tcp--554     
                              sip-------tcp--5060      sip-------udp--5060    
                              skinny----tcp--2000      smtp------tcp--25      
                              sqlnet----tcp--1521      tftp------udp--69      
                              waas------tcp--1-65535   xdmcp-----udp--177     
  dscp                        Match IP DSCP (DiffServ CodePoints)
  flow                        Flow based Policy
  port                        Match TCP/UDP port(s)
  precedence                  Match IP precedence
  rtp                         Match RTP port numbers
  tunnel-group                Match a Tunnel Group
ciscoasa(config-cmap)# match access-list ?

mpf-class-map mode commands/options:
  WORD  Access List name
ciscoasa(config-cmap)# match access-list HTTP
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map CMAP-HTTPS
ciscoasa(config-cmap)# match access-list HTTPS
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map ?

configure mode commands/options:
  WORD < 41 char  policy-map name
  type            Specifies the type of policy-map
ciscoasa(config)# policy-map type ?

configure mode commands/options:
  inspect  Configure a policy-map of type inspect
ciscoasa(config)# policy-map type inspect ?

configure mode commands/options:
  dcerpc             Configure a policy-map of type DCERPC
  dns                Configure a policy-map of type DNS
  esmtp              Configure a policy-map of type ESMTP
  ftp                Configure a policy-map of type FTP
  gtp                Configure a policy-map of type GTP
  h323               Configure a policy-map of type H.323
  http               Configure a policy-map of type HTTP
  im                 Configure a policy-map of type IM
  ip-options         Configure a policy-map of type IP-OPTIONS
  ipsec-pass-thru    Configure a policy-map of type IPSEC-PASS-THRU
  ipv6               Configure a policy-map of type IPv6
  mgcp               Configure a policy-map of type MGCP
  netbios            Configure a policy-map of type NETBIOS
  radius-accounting  Configure a policy-map of type Radius Accounting
  rtsp               Configure a policy-map of type RTSP
  scansafe           Configure a policy-map of type SCANSAFE
  sip                Configure a policy-map of type SIP
  skinny             Configure a policy-map of type Skinny
ciscoasa(config)# policy-map type inspect scansafe ?

configure mode commands/options:
  WORD < 41 char  policy-map name
ciscoasa(config)# policy-map type inspect scansafe HTTP-PMAP
ciscoasa(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  parameters   Specify this keyword to enter policy parameters.
  rename       Rename this policy-map
  <cr>
ciscoasa(config-pmap)# parameters ?

mpf-policy-map mode commands/options:
  <cr>
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# ?

MPF policy-map parameter configuration commands:
  class    Policy criteria
  default  Specify the default user and group name
  exit     Exit from MPF policy-map parameter configuration submode
  help     Help for MPF policy-map parameter submode commands
  http     Specify that the web traffic needs to be redirected to Scansafe
           server
  https    Specify that the ssl traffic needs to be redirected to Scansafe
           server
  match    Specify policy criteria via inline match
  no       Negate or set default values of a command
  quit     Exit from MPF policy-map parameter configuration submode
  <cr>
ciscoasa(config-pmap-p)# http
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# policy-map type inspect scansafe HTTPS-PMAP
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# https
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# policy-map ?

configure mode commands/options:
  WORD < 41 char  policy-map name
  type            Specifies the type of policy-map
ciscoasa(config)# policy-map PMAP-WEBTRAFFIC
ciscoasa(config-pmap)# ?

MPF policy-map configuration commands
  class        Policy criteria
  description  Specify policy-map description
  exit         Exit from MPF policy-map configuration mode
  help         Help for MPF policy-map configuration commands
  no           Negate or set default values of a command
  rename       Rename this policy-map
  <cr>
ciscoasa(config-pmap)# class ?

mpf-policy-map mode commands/options:
  WORD            class-map name
  class-default   System default class matching otherwise unclassified packets

configure mode commands/options:
  WORD < 41 char  class-map name
  type            Specifies the type of class-map
ciscoasa(config-pmap)# class CMAP-HTTP
ciscoasa(config-pmap-c)# ?

MPF policy-map class configuration commands:
  cxsc             Send traffic to CXSC blade
  exit             Exit from MPF class action configuration mode
  help             Help for MPF policy-map class/match submode commands
  no               Negate or set default values of a command
  police           Rate limit traffic for this class
  priority         Strict scheduling priority for this class
  quit             Exit from MPF class action configuration mode
  set              Set connection values
  user-statistics  configure user statistics for identity firewall
  <cr>
  csc              Content Security and Control service module
  flow-export      Configure filters for NetFlow events
  inspect          Protocol inspection services
  ips              Intrusion prevention services
ciscoasa(config-pmap-c)# inspect ?

mpf-policy-map-class mode commands/options:
  ctiqbe          
  dcerpc          
  dns             
  esmtp           
  ftp             
  gtp             
  h323            
  http            
  icmp            
  ils             
  im              
  ip-options      
  ipsec-pass-thru 
  ipv6            
  mgcp            
  mmp             
  netbios         
  pptp            
  rsh             
  rtsp            
  scansafe        
  sip             
  skinny          
  snmp            
  sqlnet          
  sunrpc          
  tftp            
  waas            
  xdmcp           
ciscoasa(config-pmap-c)# inspect scansafe ?

mpf-policy-map-class mode commands/options:
  WORD < 41 char  scansafe type policy-map name
ciscoasa(config-pmap-c)# inspect scansafe HTTP-PMAP ?

mpf-policy-map-class mode commands/options:
  fail-close  If scansafe servers are not reachable then close the connection.
  fail-open   If scansafe servers are not reachable then open the connection
              directly.
  <cr>
ciscoasa(config-pmap-c)# inspect scansafe HTTP-PMAP fail-open   // ONE CLASS PER PROTOCOL; EACH CLASS GETS ITS OWN SCANSAFE POLICY-MAP
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# class CMAP-HTTPS
ciscoasa(config-pmap-c)# inspect scansafe HTTPS-PMAP fail-open
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy ?

configure mode commands/options:
Available policy-maps:
  global_policy
  PMAP-WEBTRAFFIC
ciscoasa(config)# service-policy PMAP-WEBTRAFFIC ?

configure mode commands/options:
  global     Enter this keyword to specify a global policy
  interface  Enter this keyword to specify an interface policy
ciscoasa(config)# service-policy PMAP-WEBTRAFFIC interface ?

configure mode commands/options:
Current available interface(s):
  inside      Name of interface GigabitEthernet0/2
  management  Name of interface Management0/0
  outside     Name of interface GigabitEthernet0/0
ciscoasa(config)# service-policy PMAP-WEBTRAFFIC interface inside
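As an added example (not from the original post and not a Cisco tool), here is a small Python linter for the pieces the transcript above wires together: it reads an ASA running-config in the shape `show run` prints and checks that every `inspect scansafe` action references a defined scansafe policy-map, that each class-map is actually used by an applied service-policy, that no class carries two inspect actions, and it flags `fail-open`, which lets web traffic bypass CWS filtering whenever the towers are unreachable. The sample config is constructed and reproduces two slips that are easy to make here: a misspelled scansafe policy-map name and both inspect actions under one class.

```python
import re

# Config lines a CWS redirect is built from; the rest is ignored (no fail-* keyword means fail-close).
RULES = {
    "cmap": re.compile(r"class-map (\S+)$"),
    "ipmap": re.compile(r"policy-map type inspect scansafe (\S+)$"),
    "pmap": re.compile(r"policy-map (\S+)$"),
    "class": re.compile(r"class (\S+)$"),
    "inspect": re.compile(r"inspect scansafe (\S+)(?: (fail-open|fail-close))?$"),
    "apply": re.compile(r"service-policy (\S+) (?:global|interface \S+)$"),
}

def lint_cws_config(config):
    """Return findings about the redirect; an empty list means it is consistent."""
    class_maps, inspect_pmaps, applied, actions = set(), set(), set(), []
    cur_policy = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        hit = {k: r.match(line) for k, r in RULES.items()}
        if hit["cmap"] or hit["ipmap"]:  # a new top-level object ends any policy-map
            cur_policy = None
            (class_maps if hit["cmap"] else inspect_pmaps).add((hit["cmap"] or hit["ipmap"])[1])
        elif hit["pmap"]:
            cur_policy, cur_class = hit["pmap"][1], None
        elif hit["class"] and cur_policy:
            cur_class = hit["class"][1]
        elif hit["inspect"] and cur_policy and cur_class:
            mode = hit["inspect"][2] or "fail-close"
            actions.append((cur_policy, cur_class, hit["inspect"][1], mode))
        elif hit["apply"]:
            applied.add(hit["apply"][1])
    findings, used, count, fail_open = [], set(), {}, set()
    for policy, cls, pmap, mode in actions:
        if policy not in applied:
            continue  # a policy-map without a service-policy does nothing
        used.add(cls)
        count[(policy, cls)] = count.get((policy, cls), 0) + 1
        if pmap not in inspect_pmaps:
            findings.append(f"{policy}/{cls}: scansafe policy-map {pmap} is not defined")
        if mode == "fail-open":
            fail_open.add((policy, cls))
    for (policy, cls), n in sorted(count.items()):
        if n > 1:
            findings.append(f"{policy}: {cls} has {n} inspect scansafe actions (one class per protocol)")
        if (policy, cls) in fail_open:
            findings.append(f"{policy}/{cls}: fail-open bypasses filtering if towers are down")
    for cls in sorted(class_maps - used):
        findings.append(f"class-map {cls} is never used by an applied policy")
    return findings

# Constructed config (not a real device's output): the HTTPS inspect policy-map
# name is misspelled and both inspect actions sit under the HTTP class, so
# CMAP-HTTPS is defined but never used.
AS_TYPED = """\
class-map CMAP-HTTP
 match access-list HTTP
class-map CMAP-HTTPS
 match access-list HTTPS
policy-map type inspect scansafe HTTP-PMAP
policy-map type inspect scansafe HTTP-PMAPS
policy-map PMAP-WEBTRAFFIC
 class CMAP-HTTP
  inspect scansafe HTTP-PMAP fail-open
  inspect scansafe HTTPS-PMAP fail-open
service-policy PMAP-WEBTRAFFIC interface inside
"""
# One class per protocol, each pointing at a scansafe policy-map that exists.
CORRECTED = AS_TYPED.replace("HTTP-PMAPS", "HTTPS-PMAP").replace(
    "  inspect scansafe HTTPS-PMAP", " class CMAP-HTTPS\n  inspect scansafe HTTPS-PMAP")
```

Running `lint_cws_config` on the two constants shows four findings for the first config and only the two fail-open notes for the corrected one; switching those to `fail-close` leaves no findings.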


Here are some useful ASA CLI show commands:
 
ciscoasa# show run scansafe    // TO VERIFY SCANSAFE (CWS) CONFIG
!
scansafe general-options
 server primary fqdn proxy2332.scansafe.net port 8080
 server backup fqdn access615.cws.sco.cisco.com port 8080
 retry-count 5
 license UqSGYa8xyWWqJ5x1 encrypted

ciscoasa# show scansafe ?

  server      Show scansafe server status
  statistics  Show scansafe server statistics

ciscoasa# show scansafe server
Primary: proxy2332.scansafe.net (202.79.203.106) (REACHABLE)*    // EQUINIX ASIA IP ADDRESS
Backup: access615.cws.sco.cisco.com (108.171.133.142)   // CISCO USA IP ADDRESS


ciscoasa# show scansafe statistics
Current HTTP sessions : 3
Current HTTPS sessions : 11
Total HTTP Sessions : 460
Total HTTPS Sessions : 373
Total Fail HTTP sessions : 0
Total Fail HTTPS sessions : 0
Total Bytes In : 17331806 Bytes
Total Bytes Out : 2506536 Bytes
HTTP session Connect Latency in ms(min/max/avg) : 4/272/20
HTTPS session Connect Latency in ms(min/max/avg) : 3/272/3

ciscoasa# show conn scansafe
45 in use, 397 most used
TCP outside  209.68.0.123(202.79.203.789):80 inside  10.100.2.47:29861, idle 0:00:01, bytes 3109, flags UFxIO Z
TCP outside  209.68.0.123(202.79.203.789):80 inside   10.100.2.47:27512, idle 0:09:47, bytes 5835, flags UFxIO Z
TCP outside  209.68.0.123(202.79.203.789):80 inside  10.100.2.47:26616, idle 0:21:20, bytes 3592, flags UFxIO Z
TCP outside  216.58.196.456(202.79.203.789):443 inside  10.100.2.47:26647, idle 0:18:09, bytes 4822, flags UFxIO Z
TCP outside  216.58.196.456174(202.79.203.789):443 inside  10.100.2.47:26644, idle 0:18:06, bytes 3673, flags UFxIO Z
TCP outside  216.58.196.456(202.79.203.789):443 inside   10.100.2.47:26642, idle 0:18:08, bytes 3471, flags UFxIO Z
TCP outside  50.31.164.456(202.79.203.789):443 inside  10.100.2.47:27554, idle 0:09:39, bytes 2529, flags UFxIO Z

<OUTPUT TRUNCATED>


This is the CWS portal web page. Upon initial login, it asks you to change to a "complex" password: at least 8 characters, alphanumeric, upper and lower case, and at least one special symbol or character. Upon successful login, you'll be redirected to the CWS dashboard.

This is where the Scansafe "license" key is generated for configuring on the CWS connector: go to Admin > Authentication > Company Key and click Generate. Copy and paste it into Notepad, or email yourself a copy of the license key.


Before creating the URL policy, you first create a filter (MY_FILTER). For domain blocking, I blocked the Cisco, CNN and Facebook websites. This is similar to what we do on the OpenDNS console, except that the inside clients can use any DNS servers. Then create the web filtering policy (MY_POLICY) and apply the filter created earlier. There's also an option to choose a schedule for applying your policy.

An "Access Denied" page will be displayed if the domain name matches the URL filter policy.

As a troubleshooting step on the client PC, open a web browser and type whoami.scansafe.net in the address bar to check whether the CWS policies are being applied.

Below is an example of a client where the CWS policy was applied. There's a caveat or "gotcha" for HTTPS traffic, which is that certificates must be created. There are two approaches to generating the CWS certificate: one is a self-signed certificate, deployed manually to the clients; the other is to generate a Certificate Signing Request (CSR) and then obtain and upload a Secure Sockets Layer (SSL) certificate from a third-party Certificate Authority (CA) such as Verisign or GoDaddy.

Aside from domain or URL filtering, we can go more granular by blocking web content such as pictures and videos displayed on a website, blocking Windows Update, and stopping the Internet Explorer web browser from being used on client machines.

There are also cool custom reports that can be generated on CWS and exported to either a PDF or CSV file.

1 comment:

  1. Nice Blog! This blog explains Cisco Cloud Web Security (CWS) using an ASA connector. Thank you for sharing.