Tutorial: Cisco Routers Add Web Security with Cisco ScanSafe

IOS adds in proxy features to forward web traffic to cloud web security offering

Cisco launched this feature to the market last month at Interop. In a nutshell, it provides IOS routers with intelligent, identity aware, traffic redirection to the Cisco ScanSafe web security cloud offering. ScanSafe provides the following web security features as a cloud service:

  • URL Filtering
  • Scanlets analyze all elements of a web request including HTML, JavaScript, Flash and even obfuscated active scripts
  • Zero-day malware prevention
  • Protection against Phishing attacks
  • Granular Reporting with a multi-tenant design
  • 100% uptime over the last 8+ years
  • Heuristic Malware identification
Here is a graphical look at how each web request is processed in the cloud:

This means that HTTP and HTTPS traffic will be redirected from the router to the ScanSafe cloud, where it will be filtered according to your policy settings. In addition to redirecting the traffic, the ISR G2 also provides identity (group- and user-based) to ScanSafe for granular policy selection. Identity can be obtained using multiple methods (AD, web auth, etc.), but Active Directory will probably be the most popular. The router encrypts all identity information before it is sent to the cloud. This feature allows companies to securely stop back-hauling web traffic from remote-site VPNs to the central site and back out again. It also allows for a common web security policy across remote sites, central sites, and even remote hosts with the AnyConnect ScanSafe integration. Sending web traffic directly to the Internet improves performance and user satisfaction and decreases the bandwidth required at HQ. Here is a simple graphic to illustrate this intelligent redirection of web traffic.

Now on to how you configure this on the router. First, configure identity on the router. This example will focus on Active Directory LDAP integration:

    ldap server ad-server
     ipv4 10.0.1.250
     transport port 3268
     bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 4424A34232
     base-dn dc=test,dc=localdomain
     search-filter user-object-type top
     authentication bind-first
Next, create an LDAP server group:

    aaa group server ldap ad-servers
     server ad-server
Now define IP admission control (the AAA method lists, the NTLM admission rule, and the rule applied to the internal interface):

    aaa authentication login cs-aaa group ad-servers
    aaa authorization network cs-aaa group ad-servers
    aaa accounting network cs-aaa none
    ip admission virtual-ip 1.1.1.1
    ip admission name csauth ntlm
    ip admission name csauth order ntlm
    ip admission name csauth method-list authentication cs-aaa authorization cs-aaa accounting cs-aaa
    ip http server
    ! internal interface
    interface Gig0/1
     ip admission csauth
Now that we have identity configured, we move on to the ScanSafe redirection commands. Note the last line: on-failure block-all means that if the ScanSafe towers are unreachable, web traffic is blocked rather than passed unscanned.

    parameter-map type content-scan global
     server scansafe primary ipv4 72.37.244.147 port http 8080 https 8080
     server scansafe secondary ipv4 80.254.145.147 port http 8080 https 8080
     license 0
     source interface GigabitEthernet0/0
     timeout server 30
     user-group ciscogroup username ciscouser
     logging
     server scansafe on-failure block-all
Turn on content scanning on the external interface:

    ! external interface
    interface GigabitEthernet0/0
     ip address 128.107.150.75 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     ip virtual-reassembly out
     content-scan out
To whitelist sites (send them out directly without scanning), create regex parameter maps and reference them from the whitelisting configuration, as in the following example. The patterns are IOS regular expressions, so an unanchored pattern such as google matches any host name that contains that string:

    parameter-map type regex site_param
     pattern google
     pattern cisco
    parameter-map type regex browser_param
     pattern Chrome
    content-scan whitelisting
     whitelist header user-agent regex browser_param
     whitelist header host regex site_param
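As an added illustration (my own example, not code from the article or from Cisco), the following Python parses the whitelist section above into its regex maps, reports which requests would skip ScanSafe scanning, and applies two simple review checks: unanchored patterns and a fail-open on-failure setting. The sample configuration is a constructed copy of the page's example, and the check names are my own.

```python
import re
# Constructed sample, typed in from the page's whitelist example (not pulled from a device):
SAMPLE_CONFIG = """
parameter-map type regex site_param
 pattern google
 pattern cisco
parameter-map type regex browser_param
 pattern Chrome
content-scan whitelisting
 whitelist header user-agent regex browser_param
 whitelist header host regex site_param
parameter-map type content-scan global
 server scansafe on-failure block-all
"""

def parse_regex_maps(config):
    """Return {map_name: [patterns]} from 'parameter-map type regex' blocks."""
    maps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"parameter-map type regex (\S+)", line)
        if m:
            current = m.group(1)
            maps[current] = []
        elif current and line.startswith(" pattern "):
            maps[current].append(line.split(" pattern ", 1)[1].strip())
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the map
    return maps

def parse_whitelist(config):
    """Return [(header, map_name), ...] from 'whitelist header ... regex ...' lines."""
    return re.findall(r"whitelist header (\S+) regex (\S+)", config)

def bypasses_scan(config, headers):
    """True if the headers match the whitelist, so the request skips ScanSafe (IOS regexes are unanchored)."""
    maps = parse_regex_maps(config)
    for header, map_name in parse_whitelist(config):
        if any(re.search(p, headers.get(header.lower(), "")) for p in maps.get(map_name, [])):
            return True
    return False

def audit(config):
    """My own review heuristics (not Cisco's): settings worth a second look before deployment."""
    findings = [f"{name}: pattern '{p}' is unanchored and matches any substring"
                for name, pats in parse_regex_maps(config).items()
                for p in pats if not (p.startswith("^") or p.endswith("$"))]
    if "on-failure allow-all" in config:
        findings.append("fail-open: traffic passes unscanned if ScanSafe is unreachable")
    return findings
```

Running audit() on the sample flags all three patterns as unanchored; bypasses_scan() shows that a host such as google.example.test would also be whitelisted by the pattern google.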
Supported Cisco ISR G2 platforms and requirements:

  • 881, 891
  • 19xx, 29xx, 39xx
  • Security feature license or higher is required
  • Valid Cisco ScanSafe license

Cisco will release the IOS code at the end of this month. It will be 15.2(1)T. You can find more information at these links:

  • www.cisco.com/go/scansafe
  • www.cisco.com/go/isrg2

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


Copyright © 2011 IDG Communications, Inc.