JacksBlog: February 2016

Why use it

HTTP/HTTPS proxy
FTP proxy
Caching engine (delivers pages faster)
URL filtering with built in categories and dynamic filtering (block facebook etc)
Antimalware
Uses web reputation to block malware
Signature based malware engines
L4 traffic monitoring sort of like IPS
You want all traffic to go through the WSA
Use FW to restrict only the WSA to have access to the internet.
Span port on internet facing port if there is any web traffic not sourced from the WSA it can do a TCP reset
Web security is layer 7
The web is not a safe place so the WSA can help protect you.
Be aware some of the features overlap with the ASA so don't pay for same thing twice.

Unit types

S170 (physical unit, lowest end unit)
1 rack unit
1 dual core 2.8 Ghz
4GB mem
500GB HD (2x250GB sata RAID 1)
Hot swapable HDs
5 Ethernet ports and a console port

S000V (the virtual appliance)
S100V (more powerful etc)
S300V

Ports
M1 can be dedicated for managemetn and proxy
P1 and P2 can only be used for proxy
T1 and T2 are for L4TM similar to IPS

Licensing

You must have a physical unit licensed first then you can download the virtual appliance
Take the serial for the device and apply for software bundle license for free
loadlicense xml file. You need to ftp the xml file onto the device. You can also paste into CLI.

Alternatively apply for 45 day demo license
Demo licenses can be aquired through the cisco licensing page:
https://tools.cisco.com/SWIFT/LicensingUI/demoPage
Choose demo or evaluation licenses

Ironport was acquired by Cisco there is still some Ironport tech and terminology
Licenses give you access to "blades" or modules with features in them
Most licenses will last for 1 year when activated.

You can split your license between two virtual boxes to be used in HA. 500 seat license becomes two 250 seat licenses. You'll need to get the serials and log a call with Cisco even they seem to be confused about it. I had to send, serial and mac addresses to them. They ask for VLN which can be found in show license but if the license is expired or its a fresh install you won't have a VLN yet you need Cisco to resolve that.

You can fulfill the PAK on your primary machine and use the share function in our Licensing Registration Portal for your secondary virtual machine. You will get 2 license files each for your Virtual Machines.

I had to select physical machine. Added first VLN. Add device Added second VLN, then selected virtual and next and it sent me two files. Applied the files with loadlicense command.

If FTP is enabled you can use windows explorer to browse to ftp://x.x.x.x/configuration and drag and drop the lic file there. Then use loadlic from the CLI of the WSA. When reinstalling you can just apply the same lic file again.

Licenses may show as "Dormant" until you enable Web and/or https proxy.

AsyncOS

Based on FreeBDS
Optimized for low latency
Caching used for optimize disk IO
No shell access
No tuning of the OS
Need Cisco TAC to do password recovery

Web proxy
All connection can from the
Anti-virus
Url filter
Policy management
All in the same box

Some of the features overlap with the ASA

Layer4 traffic monitoring

Scans outbound traffic at wire speed and can disrupt sessions
Active session and passive blocking

M1 management interface

How to get traffic
WCCP method (transparent proxy mode)
User -> Switch -> WSA -> internet
internet -> WSA -> switch -> User
The user doesn't know they have been proxied

Proxy server method
User -> WSA -> internet
internet -> WSA -> user
User uses a proxy server we can enforce proxy with group policy
Restrict access to install other applications like firefox etc

We can also use a pac file so when DHCP gets an address it pull in the pac file and gets the proxy settings can be hard to get to work with all browsers etc.

Admin interfaces

http://wsa-m1:8080
https://wsa-m1:8443
You can change these

default username/password
admin/ironport

CLI
SSH TCP 22
History up and down arrow
Tab completion
? for list of commands
default IP address 192.168.42.42

CLI Commands

version - version and license information

authcache <- see list of authenticated users (can flush them)

grep > 1 (accesslog) > DENIED or domain.com or DOMAIN\\username
nslookup

ping

telnet
interfaceconfig (setup IP addresses on interfaces)
setgateway (set default gw)
sethostname (set the hostname)
etherconfig (quick way to see the MAC addresses)
etherconfig ( you can use to setup sub interfaces / trunk interface, can only be done in CLI)
etherconfig > VLAN > NEW > 100 > P1 -> commit
Restart proxy services - diagnostic -> proxy -> kick (users will lose connection for 5 secs)
shutdown - shutdown the ironport if you need to make a change in vmware
commit (after making changes always do commit to save)
status detail - see CPU and RAM usage

Searching the logs
Top Auth failed sources (bypass if needed)
grep -i 'No such user' authlog.current | awk '{s[$15]++;} END { for(i in s) print s[i], i }' | sort -n -k 1 | tail -n 30 | sort -n -r

grep -i 'No such user' authlog.@20180314T162255.s | awk '{s[$15]++;} END { for(i in s) print s[i], i }' | sort -n -k 1 | tail -n 30 | sort -n -r

Auth failed destination (bypass if needed)
grep 'TCP_DENIED\/407 ' aclog.current | awk '{print $7}' | awk -F / '{print $3}' | awk '{for(i=1;i<=NF;i++)a[$i]++}END{for(o in a) printf "%s %s\n",o,a[o]}' | sort -gr +1 | head -n12

grep '\/401 ' aclog.current | awk '{print $7}' | awk -F / '{print $3}' | awk '{for(i=1;i<=NF;i++)a[$i]++}END{for(o in a) printf "%s %s\n",o,a[o]}' | sort -gr +1 | head -n12

Check for hight numbers of codes in this case 503 DNS errors are high
cat aclog.current | awk '{print $4}' | awk '{for(i=1;i<=NF;i++)a[$i]++}END{for(o in a) printf "%s %s\n",o,a[o]}' | sort -gr +1 | head -n30

NONE/503 8910946 <<<
TCP_MISS/200 5994669
TCP_CLIENT_REFRESH_MISS/200 1911343
TCP_DENIED/407 1714271
TCP_MISS/401 234946
TCP_REFRESH_HIT/200 135614

Top failed DNS destinations (check DNS server and config local DNS entries)
grep 'NONE\/503 ' aclog.current | awk '{print $7}' | awk -F / '{print $3}' | awk '{for(i=1;i<=NF;i++)a[$i]++}END{for(o in a) printf "%s %s\n",o,a[o]}' | sort -gr +1 | head -n12

Initial config

default IP address https://192.168.42.42:8443
default u: admin p: ironport
Accept eula
Hostname.domain.local
DNS servers
NTP server
Set time region
Network context page
Do you have another appliance somewhere in the network
Put the WSA closest to the clients downstream of the other proxy
Just click next if you don't have another proxy

DNS names are important in the WSA so make sure
wsa.domain.com resolves.
You can make a host entry if needed
on the CLI dnsconfig -> localhosts (hidden command)

Interfaces
Tick box to use M1 for management only *** (Important)
Ticking that box gives you a different routes for the Management interface which is useful.
P1 = data interface
Default GW

You can also have
M1 (inside) management only
P1 INSIDE
P2 DMZ
Set default route for DMZ

Transparent settings
Layer 4 Switch or No Device

Set admin password
Set email alerts
Untick boxes for anonymous statistics

Security settings
Most settings defaults are fine security settings are enabled

Review page of all settings

The changes pending button appears in the top right
Changes you make need to be committed, this button appears after making changes

Activate licenses

Commit changes button

When you make changes in the web interface you'll see the commit changes button turn yellow in the top right. You need to click this to save your changes. In the CLI run the commit command.

Reports

You can get it to run a report on a schedule and email it to you

Remember you need to commit changes.

If you don't commit nothing will happen

Policy Trace

System administration -> Policy trace
You can put in a URL and a source IP (like a packet trace on ASA)
You have to fill in the username and IP or I've seen inconsistent results
Fill in url, auth, ip address, username

Lots of advanced values you can fill in
If a websites web reputation is good the wsa won't block it
It takes a little while to complete wait for final result

Deploying proxy services

We have two options for proxy deployment

Transparent mode

Explicit forward (clients are pointed at the proxy server IP)

Logging

There isn't much space built in for logging so we need to configure a syslog server
In the CLI type grep (you can choose to tail later with this command)
Logs are in the squid-cache format
TCP_MISS means it wasn't cached by the WSA
TCP_HIT means it came from the cache
List of TCP codes
http://www.tcpipguide.com/free/t_HTTPStatusCodeFormatStatusCodesandReasonPhrases-3.htm
Cisco also offers AWSR (advanced web security reporting tool) which is basically splunk. It has its own license. Syslog server will probably do the job.

Custom block page

Security Services > End-User Notification -> Edit settings
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010100.html

The PAC file

The pac file is just a javascript file. PAC stands for proxy autoconfig. We drop the pac file on a webserver somewhere. You can also host it on the WSA. Can be easier to just deploy proxy settings with group policy.

function FindProxyForURL (url,host)

{

return "PROXY wsa.lab.local:80; DIRECT";

}

Sec services -> pac file hosting

remember port is 9001

Choose the file and upload

commit changes

In browser (you can use a GPO to push this out to the clients)

Autoconfig url

wsa.lab.local:9001/pac.txt

One method to ensure user must use the WSA is to only allow the WSA internet access on your firewall.

Management roles

Administrator - Full rights
Operator - Can make some changes but can't do some tasks like upgrades etc
Read only Operator - Can only read information
Read only Guest - Can only read system status

Policies

We can create policies to create groups of user, sites etc and create access policies.

There is a global policy for everything with nothing blocked.

You can choose to block IM clients, youtube, p2p, social media etc
You may have to enable https inspection to fully block these applications.

Identities - Policies based on who you are. It identifies the user being proxy'd.
There are many policies you can combine them to get what you want.

Acceptable Use controls

Enable dynamic content analysis engine (blocks site that appear to be gambling etc but don't have a web reputation score yet)

Logging
You can ftp into the WSA
You can frp or scp the file off
You can configure a syslog server
Splunk is advised for managing the log files

You can create some simple categories ALLOWED and BLOCKED.
On their own they don't do anything you need to add these unto the access policy
You can configure a custom time range.
Don't forget to commit changes

We can have an identity for the users. So marketing users are allowed access to facebook but accounts users are not.

Network -> Authentication

Add realm
Make sure your time matches on IP and DC's
Add NTLM if you are using active directory you could use LDAP either
Add the DC ip addresses
Enter IPs of domain controller 192.168.1.10 (incase DNS goes down)
Fill in your domain lab.local
When Joining the domain (creating the computer account) don't use DOMAIN\administrator just use administrator
Test realm settings.
Don't forget to commit changes

You can setup the WSA to require authentication. You can set exceptions for things like windows and adobe updates. You can even allow an exception for guest users that they get a different level of web access without authentication

authencache
list shows you authenticated users

Web proxy

Headers

x-forwarded-for

If you have upstream proxies you may need to change this to send for authentication to work correctly

Can proxy FTP, HTTPS etc if you have the license

WSA http processing

Rule processing order:

Check if the URL is in a custom category (allow/deny)

Check the rules for the built in URL categories

If it isn't matched by above, WSA check un-categorised URL rules

Web reputation score

Anti malware scanning

Application visibility and control (facebook allowed but apps denied)

Matching URLs

www.google.com = www.google.com exactly is matched

.google.com = all sub domains are matched.

You can use regular expressions too.

WSA HTTPS/SSL decryption

Sec Services -> HTTPS proxy
Enable HTTPS proxy

Create decryption policy

Explicit forward mode is better for http decryption as HTTP CONNECT messages are sent to the WSA

Default - pass through (do nothing)

decrypt - WSA acts as man in the middle

drop - drop the traffic

Monitor - watch whats going on but allow it

If the action is to decrypt we decrypt but then we sent it through the access policies too. You need a ROOT certificate.Subject Type=CA, No End Entity. Its not the same as normal SSL cert signing.

Security services -> HTTPS proxy

Takes some time to enable (wait 5 min)

Now click enable and edit settings, accept the EULA

Leave default port of 443

Use generage cert+key for self signed key

cn: lab.domain.com

org: myorg

ou: mylab

country: ie

duration: 36

click generate

Download the CSR and get signed by your CA then upload back or WSA
Or download cert from WSA and push out via group policy.

untick enable decryption for authentication

Might need to enable decryption for enchanced AVC

Submit

We can change settings to control what WSA does if there is an issue with the cert on the destination server, we can drop allow etc

URL filter policy

After its setup run a policy trace on https://www.google.ie

Keep in mind some global settings can override your policies

Default action kicks in when the WSA couldn't decide on a final action.

High availability

Can use a dedicated load balancer if you want

HA is available in Async OS 8.5.0

HA is available in both physical and virtual

Single master, multiple backups

Preemption (the master can take back over)
HA DOES NOT SYNC CONFIG, you need to do it manually

You cannot sync the config with HA but yes you can manually transfer the config to another WSA. P

Steps to copy config from the WSA:

Set up the master how you want with all settings etc
Go to WSA GUI > System Administration > Configuration File > Uncheck “Mass passphrases” by selecting “Plain passwords in the Configuration Files” > Now click submit and the config will be downloaded as a xml file.

Steps to upload config to another WSA:
Go to WSA GUI > System Administration > Configuration File > under Load configuration select “Load a configuration file from local computer” > Browse to the downloaded config and then click load.

Setting up the HA
On master
Make sure you are running at least 8.5
Network -> High availability
New failover group

Need a VIP (subnet mask must match interface it gets bound to)
Bind it to an interface
Master
Can enable a shared secret

On backup
Configured
Same failover group
same VIP
Set priority as backup
same shared secret if you set that

higher priority = will become master

Point clients at the VIP in their proxy settings.

on the master
failoverconfig - see failover settings
testfailovergroup (then -1)

Make sure to do the ESX/vswitch part

ESX config
https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/119188-technote-wsa-00.html

Check
Net.ReversePathFwdCheckPromisc” is set to 1

Edit properties on the vswitch where hosts are.
Edit -> Security
Promiscuous mode = accept

Bandwidth and time quota

Quotas can be applied for HTTP/HTTPS and FTP

Quotas are reset daily

Web security manager -> Time range and quotas

Add time range button

Add quota button

Give a make, set the time for quota to be reset (defualt midnight)

Volume quota set MB or Gig.

Tie to an access policy
Web security policy -> Access polices -> URL filtering

Pick a category and tick quota

Tick quota based, select your quota

Commit

Users will get a message that they are over quota when they go over.

Upgrades

Its best to upgrade from the VMware console as you will see all errors there.

More info

CCIE Security Advanced Technology Course v4

Shortcut	Function
CTRL-R	Reprint line, useful to recover from a trashed prompt from console messages
CTRL-A	Move cursor to beginning of line
CTRL-E	Move cursor to end of line
Esc-B	Move backwards one word
Esc-F	Move forward one word
CTRL-W	Deletes the word cursor is under
CTRL-U	Deletes the entire line
CTRL-Shift-6	Terminate operation (ping, traceroute, etc)
CTRL-Shift-6,X	Suspends Session
CTRL-Z	Exits configuration mode, returning you to privileged EXEC mode
TAB	Completes a partial command
CTRL-P	Rotate backward through command history
CTRL-N	Rotate forward through command history

Since you don't have ssh already setup you'll probably need to connect with the console cable

Stop the annoying logs interrupting you on the console
line con 0
logging sync

Setting up a host name and domain name on the router
conf t
hostname R1
ip domain name example.com

Generate your keys
conf t
crypto key generate rsa
Key length should be 1024 (Need at least 1024 for ssh version2)

Configure a username and password
username admin priv 15 secret mypassword
password mypassword will be stored in plain text
secret mypassword will be stored in md5 hash

Enable aaa
aaa new-model (make the router ask for a username and a password)

enable secret myenablepw

Turn off telnet
line vty 0 4 (on router)
line vty 0 15 (on switch)
line vty 0 4
transport input ssh

Named Access-list
*** Important to type ip in front of access-list if you are used to ASA ***
*** Don't for get to look for access lists under the vty lines ***
ip access-list extended MYACL_NAME permit tcp host s.s.s.s host d.d.d.d eq 22
int g0/0
ip access-group MYACL_NAME in

Numbered Access-list
access-list 150 permit tcp host s.s.s.s host d.d.d.d eq 22
int g0/0
ip acccess-group 150 in

Example ACL

ip access-list extended OUTSIDE_IN

10 permit tcp host x.x.x any

20 permit tcp host y.y.y.y any

30 permit tcp z.z.z.z 0.0.0.15 (networks need to be added with wildcard)

200 deny ip any any log

interface Dialer1

ip access-group OUTSIDE_in in

JacksBlog

Tuesday 23 February 2016

Cisco ASA troubleshooting commands

Wednesday 17 February 2016

Cisco WSA ironport

Why use it

Unit types

Licensing

AsyncOS

Layer4 traffic monitoring

Admin interfaces

CLI Commands

Initial config

Commit changes button

Reports

Policy Trace

Deploying proxy services

Logging

Custom block page

The PAC file

Management roles

Policies

Web proxy

WSA http processing

WSA HTTPS/SSL decryption

High availability

Bandwidth and time quota

Upgrades

More info

how to get email alerts from cisco ASA

Monday 15 February 2016

access router with octopus cable

Monday 8 February 2016

quick way to see if a port is connected

CLI shortcuts on cisco devices

Wednesday 3 February 2016

Log off a stuck session off anyconnect

Monday 1 February 2016

Allow ssh access to a cisco router

Adding a license on ASA