Wednesday, 17 February 2016

Cisco WSA IronPort

Why use it

HTTP/HTTPS proxy
FTP proxy
Caching engine (delivers pages faster)
URL filtering with built in categories and dynamic filtering (block facebook etc)
Antimalware
Uses web reputation to block malware
Signature based malware engines
L4 traffic monitoring (sort of like an IPS)
You want all traffic to go through the WSA
Use the FW to restrict internet access so that only the WSA can reach the internet.
With a SPAN port on the internet-facing port, if there is any web traffic not sourced from the WSA it can send a TCP reset
Web security is layer 7
The web is not a safe place, so the WSA can help protect you.
Be aware that some of the features overlap with the ASA, so don't pay for the same thing twice.

Unit types

S170 (physical unit, lowest end unit)
1 rack unit
1 dual-core 2.8 GHz CPU
4GB memory
500GB HD (2x250GB SATA, RAID 1)
Hot-swappable HDs
5 Ethernet ports and a console port

S000V (the virtual appliance)
S100V (more powerful etc)
S300V

Ports
M1 can be dedicated to management, or used for management and proxy
P1 and P2 can only be used for proxy
T1 and T2 are for L4TM similar to IPS

Licensing

You must have a physical unit licensed first; then you can download the virtual appliance.
Take the serial of the device and apply for the software bundle license for free.
loadlicense loads the XML license file. You need to FTP the XML file onto the device, or you can paste it into the CLI.

Alternatively apply for 45 day demo license
Demo licenses can be acquired through the Cisco licensing page:
https://tools.cisco.com/SWIFT/LicensingUI/demoPage
Choose demo or evaluation licenses

IronPort was acquired by Cisco, so there is still some IronPort tech and terminology.
Licenses give you access to "blades" or modules with features in them.
Most licenses last for 1 year once activated.

You can split your license between two virtual boxes to be used in HA: a 500 seat license becomes two 250 seat licenses. You'll need to get the serials and log a call with Cisco; even they seem to be confused about it. I had to send the serial and MAC addresses to them. They ask for the VLN, which can be found in show license, but if the license is expired or it's a fresh install you won't have a VLN yet; you need Cisco to resolve that.

You can fulfill the PAK on your primary machine and use the share function in our Licensing Registration Portal for your secondary virtual machine. You will get 2 license files each for your Virtual Machines.

I had to select physical machine, add the first VLN, click Add device, add the second VLN, then select virtual and Next, and it sent me two files. I applied the files with the loadlicense command.

If FTP is enabled you can use Windows Explorer to browse to ftp://x.x.x.x/configuration and drag and drop the license file there. Then use loadlicense from the CLI of the WSA. When reinstalling you can just apply the same license file again.

Licenses may show as "Dormant" until you enable Web and/or https proxy.

AsyncOS

Based on FreeBSD
Optimized for low latency
Caching is used to optimize disk I/O
No shell access
No tuning of the OS
Need Cisco TAC to do password recovery

Web proxy
All connections pass through the web proxy, which combines:
Anti-virus
URL filter
Policy management
All in the same box

Some of the features overlap with the ASA

Layer 4 traffic monitoring

Scans outbound traffic at wire speed and can disrupt sessions
Active session blocking and passive monitoring

M1 management interface

How to get traffic
WCCP method (transparent proxy mode)
User -> Switch -> WSA -> internet
internet -> WSA -> switch -> User
The user doesn't know they have been proxied

Proxy server method
User -> WSA -> internet
internet -> WSA -> user
The user's browser is configured with a proxy server; we can enforce the proxy settings with Group Policy.
Restrict users from installing other applications (Firefox etc.) that would not pick up the enforced settings.

We can also use a PAC file: when a client gets an address from DHCP it pulls in the PAC file and gets the proxy settings. This can be hard to get working with all browsers.

Admin interfaces

http://wsa-m1:8080
https://wsa-m1:8443
You can change these

default username/password
admin/ironport

CLI
SSH TCP 22
History up and down arrow
Tab completion
? for list of commands
default IP address 192.168.42.42

CLI Commands

version - version and license information 
authcache - see the list of authenticated users (you can flush them)
grep - choose 1 (accesslog), then search for DENIED, domain.com or DOMAIN\\username
nslookup
ping
telnet
interfaceconfig (setup IP addresses on interfaces)
setgateway (set default gw)
sethostname (set the hostname)
etherconfig (quick way to see the MAC addresses)
etherconfig (you can use it to set up sub-interfaces / a trunk interface; this can only be done in the CLI)
etherconfig > VLAN > NEW > 100 > P1 -> commit
Restart proxy services - diagnostic -> proxy -> kick (users will lose their connection for about 5 seconds)
shutdown - shut down the IronPort if you need to make a change in VMware
commit (after making changes always run commit to save them)
status detail - see CPU and RAM usage

Searching the logs
These pipelines run on the host you have copied the logs to (the WSA has no shell).
Top auth-failed sources (bypass authentication for them if needed):
grep -i 'No such user' authlog.current | awk '{s[$15]++} END {for (i in s) print s[i], i}' | sort -nr | head -n 30

grep -i 'No such user' authlog.@20180314T162255.s | awk '{s[$15]++} END {for (i in s) print s[i], i}' | sort -nr | head -n 30

Auth-failed destinations (bypass if needed); field 7 is the URL, so split it on "/" to get the host:
grep 'TCP_DENIED/407 ' aclog.current | awk '{split($7, u, "/"); a[u[3]]++} END {for (o in a) printf "%s %s\n", o, a[o]}' | sort -k2,2nr | head -n 12

grep '/401 ' aclog.current | awk '{split($7, u, "/"); a[u[3]]++} END {for (o in a) printf "%s %s\n", o, a[o]}' | sort -k2,2nr | head -n 12

Check for high counts of result codes (field 4); in this case the NONE/503 DNS errors are high:
awk '{a[$4]++} END {for (o in a) printf "%s %s\n", o, a[o]}' aclog.current | sort -k2,2nr | head -n 30

NONE/503 8910946  <<<
TCP_MISS/200 5994669
TCP_CLIENT_REFRESH_MISS/200 1911343
TCP_DENIED/407 1714271
TCP_MISS/401 234946
TCP_REFRESH_HIT/200 135614


Top failed DNS destinations (check the DNS server and configure local DNS entries):
grep 'NONE/503 ' aclog.current | awk '{split($7, u, "/"); a[u[3]]++} END {for (o in a) printf "%s %s\n", o, a[o]}' | sort -k2,2nr | head -n 12


Initial config

default IP address https://192.168.42.42:8443
default u: admin p: ironport
Accept eula
Hostname.domain.local
DNS servers
NTP server
Set time region
Network context page
Do you have another appliance somewhere in the network
Put the WSA closest to the clients downstream of the other proxy
Just click next if you don't have another proxy

DNS names are important in the WSA, so make sure
wsa.domain.com resolves.
You can make a host entry if needed
on the CLI: dnsconfig -> localhosts (hidden command)

Interfaces
Tick the box to use M1 for management only *** (Important)
Ticking that box gives you a separate routing table for the management interface, which is useful.
P1 = data interface
Default GW

You can also have
M1 (inside) management only
P1 INSIDE
P2 DMZ
Set default route for DMZ

Transparent settings
Layer 4 Switch or No Device

Set admin password
Set email alerts
Untick boxes for anonymous statistics

Security settings
Most defaults are fine; the security settings are enabled.

Review page of all settings

The changes pending button appears in the top right.
Changes you make need to be committed; this button appears after you make changes.

Activate licenses

Commit changes button

When you make changes in the web interface you'll see the commit changes button turn yellow in the top right. You need to click this to save your changes. In the CLI run the commit command.

Reports

You can get it to run a report on a schedule and email it to you
Remember you need to commit changes.
If you don't commit nothing will happen

Policy Trace

System administration -> Policy trace
You can put in a URL and a source IP (like packet-tracer on the ASA)
You have to fill in the username and IP, or I've seen inconsistent results
Fill in url, auth, ip address, username
Lots of advanced values you can fill in
If a websites web reputation is good the wsa won't block it
It takes a little while to complete wait for final result

Deploying proxy services

We have two options for proxy deployment
Transparent mode
Explicit forward (clients are pointed at the proxy server IP)

Logging

There isn't much space built in for logging, so we need to configure a syslog server.
In the CLI type grep (you can choose to tail the log with this command).
Logs are in the Squid cache format.
TCP_MISS means it wasn't cached by the WSA.
TCP_HIT means it came from the cache.
List of HTTP status codes (the number after the slash):
http://www.tcpipguide.com/free/t_HTTPStatusCodeFormatStatusCodesandReasonPhrases-3.htm
Cisco also offers AWSR (Advanced Web Security Reporting tool), which is basically Splunk. It has its own license. A syslog server will probably do the job.

Custom block page

Security Services > End-User Notification -> Edit settings
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010100.html

The PAC file

The PAC file is just a JavaScript file. PAC stands for proxy auto-config. We drop the PAC file on a web server somewhere; you can also host it on the WSA. It can be easier to just deploy proxy settings with Group Policy.

function FindProxyForURL(url, host)
{
    // Send everything through the WSA; fall back to a direct connection if the proxy is unreachable
    return "PROXY wsa.lab.local:80; DIRECT";
}

Sec services -> pac file hosting
remember port is 9001
Choose the file and upload
commit changes

In browser (you can use a GPO to push this out to the clients)
Autoconfig url
wsa.lab.local:9001/pac.txt
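A fuller PAC file, added here as an example and not taken from the original post or from Cisco: internal hosts and RFC 1918 addresses go direct, everything else goes through the WSA. The proxy name wsa.lab.local and the internal suffix .lab.local are assumed lab values.

```javascript
// Added example PAC file (not from the original post). wsa.lab.local and
// the .lab.local suffix are assumed lab values; adjust to your environment.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames (no dot) and the internal domain are reached directly.
  if (host.indexOf(".") === -1 || hasSuffix(host, ".lab.local")) {
    return "DIRECT";
  }
  // Literal RFC 1918 addresses (10/8, 172.16/12, 192.168/16) go direct too.
  if (isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else goes through the WSA. The DIRECT fallback only works if
  // the firewall lets clients out; with the "only the WSA may reach the
  // internet" firewall rule from the notes it fails closed.
  return "PROXY wsa.lab.local:80; DIRECT";
}

// Helpers use only ES3 string functions so they also run in older PAC
// engines (e.g. WinHTTP) that lack String.prototype.endsWith.
function hasSuffix(s, suffix) {
  return s.length >= suffix.length && s.slice(-suffix.length) === suffix;
}

function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
```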

One method to ensure user must use the WSA is to only allow the WSA internet access on your firewall.

Management roles

Administrator - Full rights
Operator - Can make some changes but can't do some tasks like upgrades etc
Read only Operator - Can only read information
Read only Guest - Can only read system status 

Policies

We can create groups of users, sites etc. and build access policies from them.
There is a global policy for everything with nothing blocked.
You can choose to block IM clients, YouTube, P2P, social media etc.
You may have to enable HTTPS inspection to fully block these applications.
Identities - policies based on who you are. An identity identifies the user being proxied.
There are many policies; you can combine them to get what you want.

Acceptable Use controls
Enable dynamic content analysis engine (blocks site that appear to be gambling etc but don't have a web reputation score yet)

Logging
You can ftp into the WSA
You can FTP or SCP the files off
You can configure a syslog server
Splunk is advised for managing the log files

You can create some simple custom categories, ALLOWED and BLOCKED.
On their own they do nothing; you need to add them to the access policy.
You can configure a custom time range.
Don't forget to commit changes

We can have an identity for the users. So marketing users are allowed access to facebook but accounts users are not.

Network -> Authentication 
Add realm
Make sure the time matches on the IronPort and the DCs
Add NTLM if you are using Active Directory; you could use LDAP as well
Add the DC IP addresses
Enter the IPs of the domain controllers, e.g. 192.168.1.10 (in case DNS goes down)
Fill in your domain, lab.local
When joining the domain (creating the computer account) don't use DOMAIN\administrator, just use administrator
Test realm settings.
Don't forget to commit changes

You can set up the WSA to require authentication. You can set exceptions for things like Windows and Adobe updates. You can even allow an exception for guest users so that they get a different level of web access without authentication.

authcache
list shows you the authenticated users

Web proxy

Headers
x-forwarded-for 
If you have upstream proxies you may need to change this to send the header for authentication to work correctly
Can proxy FTP, HTTPS etc if you have the license

WSA http processing 

Rule processing order:
Check if the URL is in a custom category (allow/deny)
Check the rules for the built in URL categories
If it isn't matched by the above, the WSA checks the uncategorised URL rules
Web reputation score
Anti malware scanning
Application visibility and control (facebook allowed but apps denied)

Matching URLs
www.google.com = www.google.com exactly is matched
.google.com = all sub domains are matched.
You can use regular expressions too.
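A small model of the matching forms and processing order described above, added as an example and not taken from the post or from Cisco's code: plain entries match exactly, leading-dot entries match subdomains, regular expressions are tested as-is, and custom categories are checked before built-in ones. The category names and hosts are made-up lab values, and treating ".google.com" as also matching google.com itself is an assumption.

```javascript
// Added example (not from the original post): how custom URL category
// entries match a hostname, and the custom -> built-in -> uncategorised
// order the notes describe. Policy contents below are constructed.
function hostMatches(pattern, host) {
  host = host.toLowerCase();
  if (pattern instanceof RegExp) return pattern.test(host);
  pattern = pattern.toLowerCase();
  if (pattern.charAt(0) === ".") {
    // Leading dot: the domain itself (assumption) and every subdomain.
    return host === pattern.slice(1) || host.slice(-pattern.length) === pattern;
  }
  return host === pattern; // Plain entry: exact hostname only.
}

function firstMatch(categories, host) {
  for (var i = 0; i < categories.length; i++) {
    for (var j = 0; j < categories[i].patterns.length; j++) {
      if (hostMatches(categories[i].patterns[j], host)) return categories[i];
    }
  }
  return null;
}

// Custom categories win over built-in ones; otherwise the uncategorised rule.
function decide(host, policy) {
  var c = firstMatch(policy.custom, host) || firstMatch(policy.builtin, host);
  if (c) return { action: c.action, category: c.name };
  return { action: policy.uncategorised, category: "uncategorised" };
}

// Constructed lab policy: the custom ALLOWED list overrides the built-in
// "social" block for one host; everything else follows the built-ins.
var labPolicy = {
  custom: [
    { name: "ALLOWED", action: "allow", patterns: ["www.facebook.com"] },
    { name: "BLOCKED", action: "block", patterns: [".badexample.test", /torrent/] }
  ],
  builtin: [
    { name: "social", action: "block", patterns: [".facebook.com", ".twitter.com"] },
    { name: "search", action: "allow", patterns: [".google.com", ".google.ie"] }
  ],
  uncategorised: "monitor"
};
```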

WSA HTTPS/SSL decryption

Sec Services -> HTTPS proxy
Enable HTTPS proxy
Create decryption policy
Explicit forward mode is better for HTTPS decryption, as the HTTP CONNECT messages are sent to the WSA
Default - pass through (do nothing)
decrypt - WSA acts as man in the middle
drop - drop the traffic
Monitor - watch whats going on but allow it

If the action is decrypt, we decrypt and then send the traffic through the access policies too. You need a ROOT certificate (Subject Type=CA, not End Entity). It's not the same as normal SSL server certificate signing.


Security services -> HTTPS proxy
Takes some time to enable (wait 5 min)
Now click enable and edit settings, accept the EULA
Leave default port of 443
Use generate cert+key for a self-signed key
cn: lab.domain.com
org: myorg
ou: mylab
country: ie
duration: 36
click generate

Download the CSR, get it signed by your CA, then upload it back to the WSA
Or download cert from WSA and push out via group policy.

untick enable decryption for authentication 
Might need to enable decryption for enhanced AVC
Submit

We can change settings to control what WSA does if there is an issue with the cert on the destination server, we can drop allow etc

URL filter policy

After its setup run a policy trace on https://www.google.ie

Keep in mind some global settings can override your policies

Default action kicks in when the WSA couldn't decide on a final action. 

High availability

Can use a dedicated load balancer if you want
HA is available in Async OS 8.5.0
HA is available in both physical and virtual
Single master, multiple backups
Preemption (the master can take back over)
HA DOES NOT SYNC CONFIG, you need to do it manually

You cannot sync the config with HA but yes you can manually transfer the config to another WSA. P

Steps to copy config from the WSA:

Set up the master how you want with all settings etc
Go to WSA GUI > System Administration > Configuration File > Uncheck “Mask passphrases” by selecting “Plain passwords in the Configuration Files” > Now click submit and the config will be downloaded as an XML file.

Steps to upload config to another WSA:
Go to WSA GUI > System Administration > Configuration File > under Load configuration select “Load a configuration file from local computer” > Browse to the downloaded config and then click load.

Setting up the HA
On master
Make sure you are running at least 8.5
Network -> High availability
New failover group
Need a VIP (subnet mask must match interface it gets bound to)
Bind it to an interface
Master
Can enable a shared secret

On backup
Configure:
Same failover group
same VIP
Set priority as backup
same shared secret if you set that

higher priority = will become master

Point clients at the VIP in their proxy settings.

on the master
failoverconfig - see failover settings
testfailovergroup (then -1)

Make sure to do the ESX/vSwitch part

ESX config
https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/119188-technote-wsa-00.html  

Check that "Net.ReversePathFwdCheckPromisc" is set to 1


Edit properties on the vSwitch where the hosts are.
Edit -> Security
Promiscuous mode = Accept

Bandwidth and time quota

Quotas can be applied for HTTP/HTTPS and FTP
Quotas are reset daily

Web security manager -> Time range and quotas
Add time range button
Add quota button
Give it a name, set the time for the quota to be reset (default midnight)
Volume quota: set in MB or GB.

Tie to an access policy
Web security manager -> Access policies -> URL filtering
Pick a category and tick quota
Tick quota based, select your quota
Commit

Users will get a message that they are over quota when they go over.

Upgrades

It's best to upgrade from the VMware console, as you will see all errors there.

More info

CCIE Security Advanced Technology Course v4
