Cisco ISR Web Security with Cisco Cloud Web Security Data Sheet

Product Overview

Extend the numerous security services available with the Cisco® Integrated Services Router (ISR) family with Cisco ISR Web Security with Cisco Cloud Web Security (CWS). Security features in the Cisco ISR include a firewall, intrusion prevention, and VPN. Now you can extend them with a simple, cost-effective, on-demand web security solution that requires no additional hardware. Deploy market-leading web security quickly and easily and provide highly secure local Internet access for all sites and users, saving bandwidth, money, and resources.

With Cisco ISR Web Security with CWS, branch offices can intelligently redirect web traffic to the cloud to enforce detailed security and control policy over dynamic Web 2.0 content (Figure 1). It helps protect branch office users from threats such as Trojans, back doors, rogue scanners, viruses, and worms. The Cisco ISR Web Security with CWS feature is available in the Cisco Security SEC-K9 license bundle.

Features and Benefits

Cisco ISR Web Security with CWS:

  • Works independently but can also be used with Cisco IOS® Software-based security solutions such as the Cisco IOS Zone-Based Policy Firewall, Cisco IOS Intrusion Prevention System (IPS), and Cisco IOS Secure Sockets Layer (SSL) and IP Security (IPsec) VPNs

  • Supports detailed policies for web usage and security

  • Can drastically reduce an organization’s on-premises hardware footprint, pushing all high-resource-intensive tasks (such as content analysis, report storage, and generation) to the cloud

  • Provides zero-day threat protection powered by Cisco Outbreak Intelligence, which uses dynamic reputation- and behavior-based analysis

  • Blocks over 25 percent more malware than traditional signature-based security solutions

  • Eliminates the need to backhaul Internet traffic from branch offices, so offices can access the web directly, without losing control of or visibility into web usage

The Cisco ISR integrates with directory services such as Active Directory, so policies can be defined and enforced right down to the individual user. Cisco ISR Web Security with CWS offers web content filtering and zero-day malware protection and allows organizations to build a detailed global policy for all web traffic, including SSL-encrypted communications. Security policy can be created based on categories, content, file types, schedules, and quotas. Integrated outbound policy helps ensure that confidential data, such as customer details or credit card numbers, does not leave the network.

Cisco ISR Web Security with CWS analyzes every piece of web content accessed, including HTML, images, scripts, and Flash content. Each piece is analyzed using artificial-intelligence-based “scanlets” to build a detailed view of each web request and the associated security risk. All resource-intensive operations, from content analysis to global reporting, are cloud based; as a result, the web security functionality does not affect the performance of the other ISR services.

Why Choose Cisco ISR Web Security with Cisco CWS?

  • Lower total cost of ownership: Cisco ISR Web Security with CWS helps you avoid the costs associated with the deployment and maintenance of on-premises software and hardware.

  • Leading security and peace of mind: Real-time cloud-based scanning blocks malware and inappropriate content before it reaches the network.

  • Scalability and availability: Our global network processes high volumes of web content at high speeds, everywhere, for a true global solution that is always available.

  • Integration with other Cisco security products: Cisco ISR Web Security with CWS integrates with Cisco AnyConnect® to offer a web security solution for users both on and off the network.

  • Consistent, unified policy: An acceptable use policy (AUP) can be applied to all users regardless of location, simplifying management.

  • Predictable operational expenses: Clients can plan capacity and budget.

Centralized Management and Reporting

Cisco ISR Web Security with CWS is managed through ScanCenter, an intuitive web-based interface, which integrates all management and reporting capabilities (Figure 2). A global web security policy can be created and enforced across the organization, even down to the group or user level, and any edits to the policy are rolled out in real time. ScanCenter offers overview data, ongoing trending reports, and forensic audits (Figure 3 and Figure 4).

Cisco Security Manager

Cisco Security Manager is an enterprise-class management application that is designed to configure firewall, VPN, and IPS security services on Cisco network and security devices. Its unified interface can be used to activate the Cisco ISR Web Security with CWS feature in Cisco IOS Software when deploying ISR routers in large-scale deployments.

Supported Platforms

Table 1 lists the platforms that support Cisco CWS.

Table 1. Platform Support

| Product | Supported Platforms |
|---|---|
| Cisco 800 Series Routers | Cisco 819, 860VAE, 880VA, 881, 881W, 887V, 888E, 888EA, 888, 888W, 891, 891W, 892, 892F, 892FW, and 892W |
| Cisco 1900 Series Integrated Services Routers | Cisco 1905, 1921, 1941, 1941W |
| Cisco 2900 Series Integrated Services Routers | Cisco 2901, 2911, 2921 and 2951 |
| Cisco 3900 Series Integrated Services Routers | Cisco 3925, 3925E, 3945, 3945E |

Performance Numbers

Table 2 displays the average connection rates per second and average throughput for Cisco CWS on supported platforms.

Table 2. CWS Performance Numbers

| Feature | Metric | Cisco 891 | Cisco 1921 | Cisco 1941 | Cisco 2901 | Cisco 2911 | Cisco 2921 | Cisco 2951 | Cisco 3925 | Cisco 3925E | Cisco 3945 | Cisco 3945E |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CWS 1000 Object HTTP | Average connection rate | 371 | 559 | 610 | 600 | 676 | 830 | 1,018 | 1,367 | 3,344 | 1,543 | 4,179 |
| CWS 1000 Object HTTP | Average throughput | 39 Mbps | 59 Mbps | 65 Mbps | 64 Mbps | 71 Mbps | 88 Mbps | 11 Mbps | 15 Mbps | 35 Mbps | 16 Mbps | 44 Mbps |
| CWS Varied 1000 Object HTTP | Average connection rate | 370 | 554 | 599 | 588 | 632 | 777 | 959 | 1,315 | 3,270 | 1,488 | 4,128 |
| CWS Varied 1000 Object HTTP | Average throughput | 39 Mbps | 59 Mbps | 63 Mbps | 62 Mbps | 67 Mbps | 82 Mbps | 20 Mbps | 14 Mbps | 34 Mbps | 16 Mbps | 44 Mbps |
| CWS plus NAT HTTP | Average connection rate | 50 | 87 | 95 | 93 | 101 | 125 | 158 | 218 | 664 |  | 702 |
| CWS plus NAT HTTP | Average throughput | 69 Mbps | 12 Mbps | 13 Mbps | 13 Mbps | 14 Mbps | 17 Mbps | 22 Mbps | 30 Mbps | 92 Mbps |  | 97 Mbps |
| CWS plus Zone-Based Firewall HTTP | Average connection rate | 52 | 98 | 108 | 105 | 114 | 141 | 181 | 247 | 692 | 280 | 704 |
| CWS plus Zone-Based Firewall HTTP | Average throughput | 72 Mbps | 14 Mbps | 15 Mbps | 15 Mbps | 16 Mbps | 20 Mbps | 25 Mbps | 34 Mbps | 96 Mbps | 39 Mbps | 97 Mbps |
| CWS plus Zone-Based Firewall plus NAT HTTP | Average connection rate | 31 | 63 | 69 | 68 | 74 | 90 | 101 | 139 | 442 | 156 | 543 |
| CWS plus Zone-Based Firewall plus NAT HTTP | Average throughput | 43 Mbps | 87 Mbps | 95 Mbps | 94 Mbps | 10 Mbps | 12 Mbps | 14 Mbps | 19 Mbps | 61 Mbps | 22 Mbps | 75 Mbps |
| CWS plus IPS HTTP | Average connection rate | 32 | 42 | 46 | 45 | 49 | 61 | 74 | 103 | 580 | 119 | 687 |
| CWS plus IPS HTTP | Average throughput | 44 Mbps | 59 Mbps | 64 Mbps | 62 Mbps | 68 Mbps | 85 Mbps | 10 Mbps | 14 Mbps | 80 Mbps | 16 Mbps | 95 Mbps |
| CWS plus Zone-Based Firewall plus IPS HTTP | Average connection rate | 25 | 38 | 41 | 40 | 43 | 53 | 63 | 87 | 445 | 99 | 552 |
| CWS plus Zone-Based Firewall plus IPS HTTP | Average throughput | 35 Mbps | 53 Mbps | 57 Mbps | 55 Mbps | 60 Mbps | 74 Mbps | 87 Mbps | 12 Mbps | 62 Mbps | 14 Mbps | 76 Mbps |
| CWS plus NAT plus Zone-Based Firewall plus IPS HTTP | Average connection rate | 20 | 31 | 34 | 33 | 36 | 44 | 51 | 71 | 311 | 80 | 387 |
| CWS plus NAT plus Zone-Based Firewall plus IPS HTTP | Average throughput | 28 Mbps | 43 Mbps | 47 Mbps | 46 Mbps | 50 Mbps | 60 Mbps | 70 Mbps | 98 Mbps | 43 Mbps | 11 Mbps | 53 Mbps |

Note: A 1k object is a file that is 1024 bytes and is obtained by the client from the server via HTTP.

All the test results are obtained using a local simulated tower setup in the lab, and not with the real CWS tower.

Topology and Test Methodology

  • Tests showed an average of eight authentications per minute per 1000 users.

  • There were 25 concurrent threads per 1000 users.

  • There were 250 incoming requests per second per 1000 users across the 25 concurrent threads.

  • The average size of HTTP objects was 15,000 bytes.

  • The total average bandwidth across 1000 users was 4 Mbps.

  • Tests were run without authentication.

Table 3 displays the number of users that each Cisco ISR G2 platform can support. These numbers represent only the CWS connector service enabled on the Cisco ISR G2 router. These numbers do not represent the Cisco ISR G2 router running other software services operating together with the CWS connector.

Table 3. Scaling for the Supported Cisco CWS Platforms (in Number of Users)

| Cisco ISR G2 Router | Authentication (NTLM, HTTP Basic, Web Proxy) | No Authentication |
|---|---|---|
| 800 | 120 | 120 |
| 1921 | 300 | 300 |
| 1941 | 350 | 350 |
| 2901 | 350 | 350 |
| 2911 | 500 | 500 |
| 2951 | 600 | 600 |
| 3925 | 900 | 900 |
| 3925E | 1,200 | 5,000 |
| 3945 | 1,200 | 1,200 |
| 3945E | 1,200 | 5,000 |

Note: A maximum limit of 32,767 sessions applies to Cisco ISR G2 routers, regardless of the platform type.

Topology and Test Methodology

  • Tests were run with each connection fetching 16,000 objects, which means that every single HTTP GET request is answered by an object 16,000 in size, which is the average seen across CWS deployments.

  • Tests were done to determine the maximum number of connections with a maximum of 0.0001 percent transaction failures.

  • Mapping of users was based on data seen across current CWS customer deployments.

  • Estimates of the user count on the Cisco 3925E and 3945E ISRs were based on CPU rather than connection rate because the bandwidth maxed out before peak CPU utilization.

  • Tests estimated that customers leave CPU headroom of around 50 percent in order to deploy other Cisco IOS features such as Network Address Translation or Zone-Based Policy Firewall along with the CWS connector.

  • Before the tests were run, each platform was loaded with the maximum memory that the platform could handle.

  • Tests were run with authentication using the Windows NT LAN Manager (NTLM), and the test setup was designed in such a way that every GET request makes Cisco ISR G2 routers apply a header to the request.

  • The actual Internet traffic profile may vary based on usage, but we strongly recommend that customers adhere to the sizing guidelines provided in Table 3.

Additional Resources

For more information about Cisco Integrated Services Routers and Cisco ISR Web Security with Cisco CWS, visit:

  • Cisco ISR G2 platform: http://www.cisco.com/go/isrg2

  • Cisco Cloud Web Security: http://www.cisco.com/c/en/us/products/security/router-security/isr_web_security.html

  • Cloud Web Security Solution Guide: http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/cws-solution-guide.pdf

  • Cloud Web Security Design Guide: http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/cws-design-guide.pdf

  • Troubleshooting Guide: http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/cws-troubleshooting.pdf