
Network World

Jamey Heary

Tutorial: Cisco Routers Add Web Security with Cisco ScanSafe

IOS adds in proxy features to forward web traffic to cloud web security offering

By jheary on Wed, 06/15/11 - 3:33pm.

Cisco launched this feature to the market last month at Interop. In a nutshell, it gives IOS routers intelligent, identity-aware traffic redirection to the Cisco ScanSafe web security cloud offering. ScanSafe provides the following web security features as a cloud service:

  • URL Filtering
  • Scanlets analyze all elements of a web request including HTML, JavaScript, Flash and even obfuscated active scripts
  • Zero-day malware prevention
  • Protection against Phishing attacks
  • Granular Reporting with a multi-tenant design
  • 100% uptime over the last 8+ years
  • Heuristic Malware identification

Here is a graphical look at how each web request is processed in the cloud:

This means that HTTP and HTTPS traffic will be redirected from the router to the ScanSafe cloud, where it will be filtered according to your policy settings. In addition to redirecting traffic, the ISR G2 also provides identity (group- and user-based) to ScanSafe for granular policy selection. Identity can be obtained using multiple methods (AD, web auth, etc.), but Active Directory will probably be the most popular. The router encrypts all identity information before it is sent to the cloud.

This type of feature will allow companies to securely stop back-hauling web traffic from remote site VPNs to the central site and back out again. It also allows for a common web security policy across remote sites, central sites, and even remote hosts with the AnyConnect ScanSafe integration. Sending web traffic directly to the Internet results in performance and user satisfaction improvements and decreased bandwidth requirements for HQ. Here is a simple graphic to illustrate this intelligent redirection of web traffic.

Now on to how you configure this on the router. First, configure identity on the router. This example will focus on Active Directory LDAP integration.

ldap server ad-server
 ipv4 10.0.1.250
 transport port 3268
 bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 4424A34232
 base-dn dc=test,dc=localdomain
 search-filter user-object-type top
 authentication bind-first

Next, create an LDAP server group:

aaa group server ldap ad-servers
 server ad-server

Now define IP admission control (NTLM authentication against the LDAP group):

aaa authentication login cs-aaa group ad-servers
aaa authorization network cs-aaa group ad-servers
aaa accounting network cs-aaa none

ip admission virtual-ip 1.1.1.1
ip admission name csauth ntlm
ip admission name csauth order ntlm
ip admission name csauth method-list authentication cs-aaa authorization cs-aaa accounting cs-aaa
ip http server

interface GigabitEthernet0/1
 ! internal interface
 ip admission csauth

Now that we have identity configured, we move on to the ScanSafe redirection commands. The license key is not shown here; substitute the key from your ScanSafe account.

parameter-map type content-scan global
 server scansafe primary ipv4 72.37.244.147 port http 8080 https 8080
 server scansafe secondary ipv4 80.254.145.147 port http 8080 https 8080
 license 0 <scansafe-license-key>
 source interface GigabitEthernet0/0
 timeout server 30
 user-group ciscogroup username ciscouser
 server scansafe on-failure block-all

Turn on content scanning on the external interface:

interface GigabitEthernet0/0
 ! external interface
 ip address 128.107.150.75 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out
 content-scan out

To whitelist sites so that their traffic bypasses the cloud, you create regex parameter maps and reference them from the whitelisting configuration, as in the following example. Note that these patterns are regular expressions matched against the header value, so an unanchored pattern such as google exempts any Host header that merely contains that string, and a User-Agent match trusts a header the client supplies.

parameter-map type regex site_param
 pattern google
 pattern cisco
parameter-map type regex browser_param
 pattern Chrome
content-scan whitelisting
 whitelist header user-agent regex browser_param
 whitelist header host regex site_param
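The following is an added example, not part of the original post or Cisco's code, that models how the whitelist above is evaluated against sample HTTP requests and audits the patterns for over-breadth. It assumes IOS applies each regex as an unanchored search against the header value; the request samples and the site_param/browser_param contents are constructed from the configuration shown.

```python
import re

# Constructed from the article's whitelist example: the patterns in
# site_param (Host header) and browser_param (User-Agent header).
WHITELIST = {
    "host": ["google", "cisco"],      # parameter-map type regex site_param
    "user-agent": ["Chrome"],         # parameter-map type regex browser_param
}

# Constructed sample requests, not captured traffic.
REQUESTS = [
    {"host": "www.google.com", "user-agent": "Mozilla/5.0 Firefox/4.0"},
    {"host": "cisco.com", "user-agent": "Mozilla/5.0 Firefox/4.0"},
    {"host": "www.example.net", "user-agent": "Mozilla/5.0 Chrome/12.0"},
    {"host": "files.example.org", "user-agent": "Mozilla/5.0 Firefox/4.0"},
    {"host": "google-cdn.example.net", "user-agent": "Mozilla/5.0 Firefox/4.0"},
]

def is_whitelisted(request, whitelist=WHITELIST):
    """Return the (header, pattern) that exempts the request from content-scan,
    or None if it would be redirected to ScanSafe. Assumption: IOS regex
    patterns behave like an unanchored re.search on the header value."""
    for header, patterns in whitelist.items():
        value = request.get(header, "")
        for pattern in patterns:
            if re.search(pattern, value):
                return (header, pattern)
    return None

def audit_whitelist(whitelist=WHITELIST):
    """Flag patterns a defender should tighten: host patterns with no anchor
    and no escaped dot match any host containing the string, and user-agent
    patterns exempt traffic based on a header the client controls."""
    findings = []
    for header, patterns in whitelist.items():
        for pattern in patterns:
            if header == "user-agent":
                findings.append((pattern, "client-controlled header bypasses scanning"))
            elif not pattern.startswith("^") and "\\." not in pattern:
                findings.append((pattern, "unanchored substring matches unrelated hosts"))
    return findings

if __name__ == "__main__":
    for r in REQUESTS:
        print(r["host"], "->", is_whitelisted(r) or "redirected to ScanSafe")
    for pattern, why in audit_whitelist():
        print("tighten", repr(pattern), ":", why)
```

Anchoring the host patterns (for example a pattern ending in \.google\.com$) and dropping the User-Agent whitelist removes both classes of finding.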

Supported Cisco ISR G2 platforms and requirements include:
- 881, 891
- 19xx, 29xx, 39xx
- Security feature license or higher
- Valid Cisco ScanSafe license

Cisco will release the IOS code at the end of this month; it will be 15.2(1)T. You can find more information at these links:

www.cisco.com/go/scansafe
www.cisco.com/go/isrg2

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.
