
Cisco Web Security Appliance

How to prevent the Web Security Appliance to be an open proxy

Document ID: 117933

Updated: Jul 15, 2014

Contributed by Josh Wolfer and Siddharth Rajpathak, Cisco TAC Engineers.


Question:

Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS

There are two areas where the WSA can be considered to be an open proxy:

  1. HTTP clients that do not reside on your network are able to proxy through
  2. Clients are using HTTP CONNECT requests to tunnel non-HTTP traffic through

Each of these scenarios has completely different implications and will be discussed in more detail below.

HTTP clients that do not reside on your network are able to proxy through


The WSA will, by default, proxy any HTTP request sent to it, provided the request arrives on a port the WSA is listening on (the defaults are 80 and 3128). This may be a problem for you, as you may not want any client from any network to be able to use the WSA. It can be a serious issue if the WSA is using a public IP address and is accessible from the internet.


There are 2 ways that this can be remedied:

1. Utilize a firewall upstream to WSA in order to block unauthorized sources from HTTP access.

2. Create policy groups to only allow the clients on your desired subnets. A simple demonstration of this policy is below:

Policy Group 1: Applies to subnet 10.0.0.0/8 (assuming this is your client network). Add your desired actions.
Default Policy: Block all protocols - HTTP, HTTPS, FTP over HTTP


More detailed policies may be created above Policy Group 1. As long as other rules only apply to the appropriate client subnets, all other traffic will catch the "deny all" rule at the bottom.

Clients are using HTTP CONNECT requests to tunnel non-HTTP traffic through


HTTP CONNECT requests are used to tunnel non-HTTP data via an HTTP proxy. The most common use of an HTTP CONNECT request is tunneling HTTPS traffic. In order for an explicitly configured client to access an HTTPS site, it MUST first send an HTTP CONNECT request to the WSA.

An example of a CONNECT request (the target is given as host:port, not as a URL): CONNECT www.website.com:443 HTTP/1.1

This tells the WSA that the client wants to tunnel through the WSA to www.website.com on port 443.


HTTP CONNECT requests can be used to tunnel any port. Due to potential security issues, the WSA only allows CONNECT requests to the following ports by default:

20, 21, 443, 563, 8443, 8080


If additional CONNECT tunnel ports are needed, it is recommended, for security reasons, that you add them in an additional policy group that applies only to the client IP subnets that need this additional access. The allowed CONNECT ports can be found in each policy group, under "Applications" -> "Protocol Controls".
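The two remedies above (a subnet-scoped policy group above a deny-all default policy, and a separate policy group that widens the CONNECT port list only for the subnets that need it) both rely on the WSA evaluating policy groups top-down, first match wins. The following Python model of that evaluation is an added example written for this document, not Cisco code and not the WSA's actual policy engine; the group names, subnets and the extra port 25 are hypothetical, while the default CONNECT port list is the one stated above.

```python
import ipaddress
from dataclasses import dataclass

# CONNECT ports the WSA permits by default, as listed in the document.
DEFAULT_CONNECT_PORTS = frozenset({20, 21, 443, 563, 8443, 8080})


@dataclass
class PolicyGroup:
    """One row of the policy table: which clients it applies to and what it allows."""
    name: str
    subnets: list                      # client subnets this group applies to
    allow_http: bool = True            # HTTP, HTTPS, FTP over HTTP permitted?
    connect_ports: frozenset = DEFAULT_CONNECT_PORTS

    def matches(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(s) for s in self.subnets)


# The Default Policy applies to every client, so it must sit at the bottom.
# Per the document it blocks all protocols, so it allows no CONNECT ports either.
DEFAULT_POLICY = PolicyGroup("Default Policy", ["0.0.0.0/0"],
                             allow_http=False, connect_ports=frozenset())

# Hypothetical table (constructed for this example). The more specific group
# that widens the CONNECT port list sits above the general client group.
POLICY_GROUPS = [
    PolicyGroup("Mail admins", ["10.1.2.0/24"],
                connect_ports=DEFAULT_CONNECT_PORTS | {25}),
    PolicyGroup("Policy Group 1", ["10.0.0.0/8"]),
]


def evaluate(groups, client_ip, method, port):
    """Return (group_name, decision) for the first group that matches client_ip.

    method is 'CONNECT' for a tunnel request, or any other HTTP method for an
    ordinary request. Top-down, first match wins; the Default Policy is appended
    last so that a client outside every listed subnet always hits it.
    """
    for group in list(groups) + [DEFAULT_POLICY]:
        if not group.matches(client_ip):
            continue
        if method == "CONNECT":
            allowed = port in group.connect_ports
        else:
            allowed = group.allow_http
        return group.name, "ALLOW" if allowed else "BLOCK"
    raise AssertionError("the Default Policy matches every client")


if __name__ == "__main__":
    # Constructed requests: an on-network client, a mail admin, and an
    # internet host that should never be proxied.
    for client, method, port in [("10.5.5.5", "GET", 80),
                                 ("10.5.5.5", "CONNECT", 443),
                                 ("10.5.5.5", "CONNECT", 25),
                                 ("10.1.2.5", "CONNECT", 25),
                                 ("203.0.113.9", "GET", 80),
                                 ("203.0.113.9", "CONNECT", 443)]:
        print(client, method, port, "->", evaluate(POLICY_GROUPS, client, method, port))
```

The two properties worth checking after you build the real table are visible in the output: a client outside 10.0.0.0/8 never reaches Policy Group 1 and is blocked by the Default Policy regardless of method, and a CONNECT to port 25 is only allowed from the subnet whose group explicitly adds that port.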


An example of sending an SMTP request through an open proxy is below:
myhost$ telnet proxy.mydomain.com 80
Trying xxx.xxx.xxx.xxx...
Connected to proxy.mydomain.com.
Escape character is '^]'.
CONNECT smtp.foreigndomain.com:25 HTTP/1.1
Host: smtp.foreigndomain.com

HTTP/1.0 200 Connection established

220 smtp.foreigndomain.com ESMTP
HELO test
250 smtp.foreigndomain.com
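The telnet session above is the manual way to confirm whether a CONNECT to a non-default port is accepted. The script below automates the same check so you can verify your own WSA after applying the policy changes described in this document; it is an added example, not Cisco code. Only the response status line is inspected: a 2xx means the proxy opened the tunnel, anything else (or an empty reply) means it did not. The proxy and target names in the usage block are placeholders.

```python
import socket


def build_connect_request(host, port):
    """Build the CONNECT request exactly as typed in the telnet session above."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "\r\n").encode()


def tunnel_established(response):
    """Return True if the proxy's status line is a 2xx, i.e. the tunnel was opened.

    Handles CRLF or bare LF line endings and an empty reply (connection closed
    without a status line), both of which count as 'not established'.
    """
    lines = response.splitlines()
    if not lines:
        return False
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return False
    status = parts[1]
    return status.isdigit() and status.startswith(b"2")


def check_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Send one CONNECT through the proxy and report whether it was allowed."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        try:
            response = sock.recv(4096)
        except socket.timeout:
            response = b""
    return tunnel_established(response)


if __name__ == "__main__":
    # Placeholders: point these at your own WSA and a host:port that should be
    # refused (25 is not in the default CONNECT port list).
    proxy, target = "proxy.mydomain.com", "smtp.foreigndomain.com"
    for port in (443, 25):
        opened = check_connect(proxy, 80, target, port)
        print(f"CONNECT {target}:{port} via {proxy}:80 ->",
              "tunnel opened" if opened else "refused")
```

Run it from a host outside your client subnets as well as from inside: after the deny-all Default Policy is in place, the outside run should report "refused" for every port, and the inside run should report "tunnel opened" only for the ports in the policy group that applies to that subnet.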
