Cisco ISR Web Security with Cisco Cloud Web Security Data Sheet

Product Overview

Extend the numerous security services available with the Cisco® Integrated Services Router (ISR) family with Cisco ISR Web Security with Cisco Cloud Web Security (CWS). Security features in the Cisco ISR include a firewall, intrusion prevention, and VPN. Now you can extend them with a simple, cost-effective, on-demand web security solution that requires no additional hardware. Deploy market-leading web security quickly and easily and provide highly secure local Internet access for all sites and users, saving bandwidth, money, and resources.

With Cisco ISR Web Security with CWS, branch offices can intelligently redirect web traffic to the cloud to enforce detailed security and control policy over dynamic Web 2.0 content (Figure 1). It helps protect branch office users from threats such as Trojans, back doors, rogue scanners, viruses, and worms. The Cisco ISR Web Security with CWS feature is available in the Cisco Security SEC-K9 license bundle.

Figure 1. Typical Cisco ISR Web Security with CWS Deployment

Features and Benefits

Cisco ISR Web Security with CWS:

  • Works independently but can also be used with Cisco IOS® Software-based security solutions such as the Cisco IOS Zone-Based Policy Firewall, Cisco IOS Intrusion Prevention System (IPS), and Cisco IOS Secure Sockets Layer (SSL) and IP Security (IPsec) VPNs

  • Supports detailed policies for web usage and security

  • Can drastically reduce an organization’s on-premises hardware footprint, pushing all high-resource-intensive tasks (such as content analysis, report storage, and generation) to the cloud

  • Provides zero-day threat protection powered by Cisco Outbreak Intelligence, which uses dynamic reputation- and behavior-based analysis

  • Blocks over 25 percent more malware than traditional signature-based security solutions

  • Eliminates the need to backhaul Internet traffic from branch offices, so offices can access the web directly, without losing control of or visibility into web usage

The Cisco ISR integrates with directory services such as Active Directory, so policies can be defined and enforced right down to the individual user. Cisco ISR Web Security with CWS offers web content filtering and zero-day malware protection and allows organizations to build a detailed global policy for all web traffic, including SSL-encrypted communications. Security policy can be created based on categories, content, file types, schedules, and quotas. Integrated outbound policy helps ensure that confidential data, such as customer details or credit card numbers, does not leave the network.

Cisco ISR Web Security with CWS analyzes every piece of web content accessed, including HTML, images, scripts, and Flash content. Each piece is analyzed using artificial-intelligence-based “scanlets” to build a detailed view of each web request and the associated security risk. All resource-intensive operations, from content analysis to global reporting, are cloud based; as a result, the web security functionality does not affect the performance of the other ISR services.

Why Choose Cisco ISR Web Security with Cisco CWS?

  • Lower total cost of ownership: Cisco ISR Web Security with CWS helps you avoid the costs associated with the deployment and maintenance of on-premises software and hardware.

  • Leading security and peace of mind: Real-time cloud-based scanning blocks malware and inappropriate content before it reaches the network.

  • Scalability and availability: Our global network processes high volumes of web content at high speeds, everywhere, for a true global solution that is always available.

  • Integration with other Cisco security products: Cisco ISR Web Security with CWS integrates with Cisco AnyConnect® to offer a web security solution for users both on and off the network.

  • Consistent, unified policy: An acceptable use policy (AUP) can be applied to all users regardless of location, simplifying management.

  • Predictable operational expenses: Clients can plan capacity and budget.

Centralized Management and Reporting

Cisco ISR Web Security with CWS is managed through ScanCenter, an intuitive web-based interface that integrates all management and reporting capabilities (Figure 2). A global web security policy can be created and enforced across the organization, even down to the group or user level, and any edits to the policy are rolled out in real time. ScanCenter offers overview data, ongoing trending reports, and forensic audits (Figure 3 and Figure 4).

Figure 2. Example of ScanCenter Reporting Output

Figure 3. ScanCenter Web Filtering Reporting Output

Figure 4. ScanCenter Web Filtering Reporting Output Showing Blocked Viruses

Cisco Security Manager

Cisco Security Manager is an enterprise-class management application that is designed to configure firewall, VPN, and IPS security services on Cisco network and security devices. Its unified interface can be used to activate the Cisco ISR Web Security with CWS feature in Cisco IOS Software when deploying ISR routers in large-scale deployments.

Supported Platforms

Table 1 lists the platforms that support Cisco CWS.

Table 1. Platform Support

| Product | Supported Platforms |
|---|---|
| Cisco 800 Series Routers | Cisco 819, 860VAE, 880VA, 881, 881W, 888, 888EA, 891, 891F, 891FW, 892FSP, 896VA, 896VAG, 897VA, 897VAB, 897VAG, 897VAM, 897VAMG, 897VAW, 898EA, 898EAG, 899G |
| Cisco 1900 Series Integrated Services Routers | Cisco 1905, 1921, 1941, 1941W |
| Cisco 2900 Series Integrated Services Routers | Cisco 2901, 2911, 2921 and 2951 |
| Cisco 3900 Series Integrated Services Routers | Cisco 3925, 3925E, 3945, 3945E |

Performance Numbers

Table 2 displays the average connection rate per second and the average throughput for Cisco CWS on supported platforms.

Table 2. CWS Performance Numbers

| Feature | Metric | Cisco 891 | Cisco 1921 | Cisco 1941 | Cisco 2901 | Cisco 2911 | Cisco 2921 | Cisco 2951 | Cisco 3925 | Cisco 3925E | Cisco 3945 | Cisco 3945E |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CWS 1000 Object HTTP | Average connection rate | 371 | 559 | 610 | 600 | 676 | 830 | 1,018 | 1,367 | 3,344 | 1,543 | 4,179 |
| CWS 1000 Object HTTP | Average throughput | 39 Mbps | 59 Mbps | 64 Mbps | 63 Mbps | 71 Mbps | 88 Mbps | 107 Mbps | 145 Mbps | 352 Mbps | 162 Mbps | 441 Mbps |
| CWS Varied 1000 Object HTTP | Average connection rate | 370 | 554 | 599 | 588 | 632 | 777 | 959 | 1,315 | 3,270 | 1,488 | 4,128 |
| CWS Varied 1000 Object HTTP | Average throughput | 101 Mbps | 266 Mbps | 293 Mbps | 285 Mbps | 304 Mbps | 384 Mbps | 603 Mbps | 813 Mbps | 1013 Mbps | 920 Mbps | 1013 Mbps |
| CWS plus NAT HTTP | Average connection rate | 50 | 87 | 95 | 93 | 101 | 125 | 158 | 218 | 664 | | 702 |
| CWS plus NAT HTTP | Average throughput | 69 Mbps | 120 Mbps | 132 Mbps | 129 Mbps | 140 Mbps | 173 Mbps | 218 Mbps | 302 Mbps | 917 Mbps | | 971 Mbps |
| CWS plus Zone-Based Firewall HTTP | Average connection rate | 52 | 98 | 108 | 105 | 114 | 141 | 181 | 247 | 692 | 280 | 704 |
| CWS plus Zone-Based Firewall HTTP | Average throughput | 72 Mbps | 136 Mbps | 149 Mbps | 145 Mbps | 157 Mbps | 195 Mbps | 250 Mbps | 342 Mbps | 957 Mbps | 387 Mbps | 974 Mbps |
| CWS plus Zone-Based Firewall plus NAT HTTP | Average connection rate | 31 | 63 | 69 | 68 | 74 | 90 | 101 | 139 | 442 | 156 | 543 |
| CWS plus Zone-Based Firewall plus NAT HTTP | Average throughput | 43 Mbps | 87 Mbps | 95 Mbps | 94 Mbps | 102 Mbps | 124 Mbps | 139 Mbps | 192 Mbps | 611 Mbps | 215 Mbps | 751 Mbps |
| CWS plus IPS HTTP | Average connection rate | 32 | 42 | 46 | 45 | 49 | 61 | 74 | 103 | 580 | 119 | 687 |
| CWS plus IPS HTTP | Average throughput | 44 Mbps | 59 Mbps | 64 Mbps | 62 Mbps | 68 Mbps | 85 Mbps | 102 Mbps | 142 Mbps | 802 Mbps | 164 Mbps | 949 Mbps |
| CWS plus Zone-Based Firewall plus IPS HTTP | Average connection rate | 25 | 38 | 41 | 40 | 43 | 53 | 63 | 87 | 445 | 99 | 552 |
| CWS plus Zone-Based Firewall plus IPS HTTP | Average throughput | 35 Mbps | 53 Mbps | 57 Mbps | 55 Mbps | 60 Mbps | 74 Mbps | 87 Mbps | 120 Mbps | 615 Mbps | 137 Mbps | 764 Mbps |
| CWS plus NAT plus Zone-Based Firewall plus IPS HTTP | Average connection rate | 20 | 31 | 34 | 33 | 36 | 44 | 51 | 71 | 311 | 80 | 387 |
| CWS plus NAT plus Zone-Based Firewall plus IPS HTTP | Average throughput | 28 Mbps | 43 Mbps | 47 Mbps | 46 Mbps | 50 Mbps | 60 Mbps | 70 Mbps | 98 Mbps | 430 Mbps | 110 Mbps | 535 Mbps |

Note:    A 1k object is a file that is 1024 bytes and is obtained by the client from the server via HTTP.

All the test results are obtained using a local simulated tower setup in the lab, and not with the real CWS tower.

Topology and Test Methodology

  • Tests showed an average of eight authentications per minute per 1000 users.

  • There were 25 concurrent threads per 1000 users.

  • There were 250 incoming requests per second per 1000 users across the 25 concurrent threads.

  • The average size of HTTP objects was 15,000 bytes.

  • The total average bandwidth across 1000 users was 4 Mbps.

  • Tests were run without authentication.

Table 3 displays the number of users that each Cisco ISR G2 platform can support. These numbers represent only the CWS connector service enabled on the Cisco ISR G2 router. These numbers do not represent the Cisco ISR G2 router running other software services operating together with the CWS connector.

Table 3. Scaling for the Supported Cisco CWS Platforms (in Number of Users)

| Cisco ISR G2 Router | Authentication (NTLM, HTTP Basic, Web Proxy) | No Authentication |
|---|---|---|
| 800 | 120 | 120 |
| 1921 | 300 | 300 |
| 1941 | 350 | 350 |
| 2901 | 350 | 350 |
| 2911 | 500 | 500 |
| 2951 | 600 | 600 |
| 3925 | 900 | 900 |
| 3925E | 1,200 | 5,000 |
| 3945 | 1200 | 1200 |
| 3945E | 1200 | 5000 |

Note:    A maximum limit of 32,767 sessions applies to Cisco ISR G2 routers, regardless of the platform type.

Topology and Test Methodology

  • Tests were run with each connection fetching 16,000 objects, which means that every single HTTP GET request is answered by an object 16,000 in size, which is the average seen across CWS deployments.

  • Tests were done to determine the maximum number of connections with a maximum of 0.0001 percent transaction failures.

  • Mapping of users was based on data seen across current CWS customer deployments.

  • Estimates of the user count on the Cisco 3925E and 3945E ISRs were based on CPU rather than connection rate because the bandwidth maxed out before peak CPU utilization.

  • Tests estimated that customers leave CPU headroom of around 50 percent in order to deploy other Cisco IOS features such as Network Address Translation or Zone-Based Policy Firewall along with the CWS connector.

  • Before the tests were run, each platform was loaded with the maximum memory that the platform could handle.

  • Tests were run with authentication using the Windows NT LAN Manager (NTLM), and the test setup was designed in such a way that every GET request makes Cisco ISR G2 routers apply a header to the request.

  • The actual Internet traffic profile may vary based on usage, but we strongly recommend that customers adhere to the sizing guidelines provided in Table 3.

Additional Resources

For more information about Cisco Integrated Services Routers and Cisco ISR Web Security with Cisco CWS, visit:

  • Cisco ISR G2 platform: http://www.cisco.com/go/isrg2

  • Cisco Cloud Web Security: http://www.cisco.com/c/en/us/products/security/router-security/isr_web_security.html

  • Cloud Web Security Solution Guide: http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/cws-solution-guide.pdf

  • Cloud Web Security Design Guide: http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/cws-design-guide.pdf

  • Troubleshooting Guide: http://www.cisco.com/c/dam/en/us/products/collateral/security/router-security/cws-troubleshooting.pdf