WSA HTTPS Decryption


HTTPS connections encrypt the traffic of most websites to ensure confidentiality. That encrypted traffic can also carry malicious content such as malware, viruses and other threats. The Cisco WSA supports HTTPS decryption, which allows the appliance to view the contents of the connection and inspect the traffic.

When using HTTPS decryption on a WSA, there are two different HTTPS connections: one between the user and the WSA and another between the WSA and the web server. The WSA therefore performs the SSL handshake twice. During the handshake between the user and the WSA, the WSA sends the client its own certificate, spoofing the requested web server's certificate.

The diagram below represents the traffic flow between a client and an HTTPS server that goes through the WSA.



WSA transparent proxy using WCCP on ASA/IOS-XE


This post describes the steps required to configure WCCP on Cisco ASA firewalls and Cisco IOS-XE switches. For more detailed information on WSA configuration, refer to the previous post WSA transparent proxy using WCCP on FTD, which covers the WSA configuration in detail.

WCCP is used to redirect traffic from the ASA or IOS-XE device (switch or router) to the WSA. WCCP redirection is supported using either GRE or L2.

  • Use GRE if WSA is in another subnet
  • Use L2 if WSA and ASA are in the same subnet

In transparent mode, HTTPS Proxy must be active, but it is not necessary to decrypt the requests.

ASA Configuration

The following is important information related to configuring WCCP on the Cisco ASA.

  • Redirection is GRE based only
  • The client and the WSA must be on the same ASA interface
  • Redirect ACL permits or denies traffic to be redirected to the WSA

Transparent redirection should be set up on the WSA, in this instance Service ID.


WSA pxGrid integration with ISE


The Cisco WSA uses pxGrid (Platform Exchange Grid) to subscribe to information published by Cisco ISE, in order to learn the IP address, username and Security Group Tag (SGT) of connected users authenticated by ISE. This information can then be used by WSA policies to transparently authenticate users. Integrating the WSA with ISE allows the WSA to know the authenticated user without prompting for authentication with an HTTP 407 Proxy Authentication Required response, so the user is not forced to provide credentials. The WSA/ISE pxGrid authentication exchange takes less time and places less overhead on the WSA compared to other methods.

Certificates are used for mutual authentication between the WSA and ISE; three unique certificates are involved:

  • ISE Admin Certificate
  • ISE pxGrid certificate
  • WSA client certificate

The certificates can be signed by a public CA (e.g., Verisign, Symantec), an internal CA (e.g., Windows Server Certificate Authority) or the Cisco ISE internal CA. Whichever CA is used, the WSA and ISE must trust the certificate(s) by having the root certificate in their certificate stores.

This post covers pxGrid integration between ISE and the WSA and assumes wired or wireless 802.1X is set up correctly and working.

WSA Authentication Realms


The Cisco Web Security Appliance (WSA) supports authentication against Active Directory (AD) or a Lightweight Directory Access Protocol (LDAP) directory service. This allows policies to be applied per user or group rather than per IP address. The table below summarises the supported authentication schemes and network protocols for each directory service.

Directory Service    Authentication Scheme       Supported Network Protocols
Active Directory     Kerberos, NTLMSSP, Basic    HTTP, HTTPS, Native FTP, FTP over HTTP and SOCKS (Basic authentication)
LDAP                 Basic                       HTTP, HTTPS, Native FTP, FTP over HTTP and SOCKS

Reference: Cisco guide – https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_01001.html

The table below provides a comparison between the different authentication schemes.

WSA transparent proxy using WCCP on FTD


The Cisco Web Security Appliance (WSA) supports two modes of operation: explicit or transparent. In explicit mode the user's web browser must be explicitly configured with the WSA as the proxy server. In transparent mode no proxy is configured; the user's traffic is routed to a WCCP-enabled device, which redirects it to the WSA, and the WSA proxies the traffic to the original destination. In transparent mode the WSA pretends to be the original destination server, as the client is unaware of the existence of the WSA proxy.

In this post we cover the configuration required to set up WCCP between a Cisco FTD (version 7.1) using local FDM management and a Cisco WSA (version 10.1.3).

Topology

The figure below represents the topology used in this scenario.



WSA initial setup


The Cisco Web Security Appliance (WSA) acts as a proxy that intercepts and monitors internet traffic and applies policies to protect the internal network from malware, data loss and other internet-based threats. The WSA can be deployed as a dedicated physical appliance or as a virtual image.

In this post we cover the basic WSA settings, from initial boot through initial configuration to filtering user traffic.

WSA Configuration

  • Boot the appliance and connect using a console cable
  • When prompted, enter the username admin and the password ironport

