Cisco Web Security

Cisco Cloud Web Security

Last Updated: December 21, 2012

The Cisco Cloud Web Security feature provides content scanning of HTTP and secure HTTP (HTTPS) traffic and malware protection service to web traffic. The feature helps devices transparently redirect HTTP and HTTPS traffic to the Cisco Web Security cloud.

This module describes the Cisco Cloud Web Security feature and how to configure it.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Cisco Cloud Web Security

Ensure that both Wide Area Application Services (WAAS) and the content scanning feature are not applied on the same TCP session in the following scenarios:
  • When you enable content scanning on an interface that has WAAS configured.
  • When the network connection from a branch office to the Internet is over a Multiprotocol Label Switching (MPLS) cloud.

Restrictions for Cisco Cloud Web Security

  • Device-on-a-stick configuration is not supported.
  • If Network Address Translation (NAT) is not configured on Cisco Cloud Web Security devices, only 64,000 translation sessions are supported.
  • If you configure a host whitelist rule, the sender of an HTTP packet can spoof the Host field of the HTTP header with a whitelisted hostname and thereby have the packet whitelisted even when the destination HTTP server is not whitelisted. Content scan whitelisting does not verify that the Host field of an HTTP request matches the destination IP address. Therefore, when providing restricted access to nonauthorized servers, use access control lists (ACLs), which are more effective than whitelists because they allow entry only to configured IP addresses.

  • If you configure a user agent whitelist rule, the sender of an HTTP packet can spoof the User-Agent field of the HTTP header, and the spoofing can result in users accessing a host that is not whitelisted. By setting the User-Agent field, the sender can add any HTTP connection request to a whitelist, thus giving unauthorized users access to restricted or nonauthorized servers. Therefore, when providing restricted access to nonauthorized servers, use ACLs, which are more effective than whitelists because they allow entry only to configured IP addresses.

  • Loadsharing between Cisco Cloud Web Security towers is not supported.
  • Virtual routing and forwarding (VRF) is not supported.
  • The web traffic that comes into a branch office is not redirected to Cisco Cloud Web Security for content scanning. Content scanning is configured on the Internet-facing WAN interface, protecting the web traffic that goes out of the branch office.
  • When the network connection from a branch office to the Internet is over a Multiprotocol Label Switching (MPLS) cloud, the content scanning feature will not work without split tunneling.
  • When Wide-Area Application Services (WAAS) is enabled, the content scanning feature will not work in branch deployments without split tunneling.

Information About Cisco Cloud Web Security

Overview of Cisco Cloud Web Security

The Cisco Cloud Web Security feature provides content scanning of HTTP and secure HTTP (HTTPS) traffic and malware protection service to web traffic. This feature helps devices to transparently redirect HTTP and HTTPS traffic to the Cisco Web Security cloud. The Cisco Web Security cloud refers to servers in the Cisco Cloud Web Security data center that are accessible over the public Internet and provide security as a service. Cisco Web Security servers scan the web traffic content and either allow or block the traffic based on the configured policies and thus protect clients from malware. Servers use credentials such as private IP addresses, usernames, and user groups to identify and authenticate users and redirect the traffic for content scanning.

The Cisco Cloud Web Security feature enables branch offices to intelligently redirect web traffic to the Cisco Web Security cloud to enforce security and acceptable use policies on web traffic. A device authenticates and identifies users who make web traffic requests by using configured authentication and authorization methods; the resulting user credentials (usernames and user groups) are carried in the traffic that the device redirects to Cisco Cloud Web Security. Cisco Cloud Web Security uses the user credentials to determine which policies to apply to specific users and for user-based reporting. Cisco Cloud Web Security supports authentication methods such as HTTP Basic, Web Authorization Proxy, and Windows NT LAN Manager (NTLM) (passive or explicit).

A device that cannot determine a client's credentials uses a default user group name to identify all clients who are connected to a specific interface on that device. Prior to CSCty48221, the user group that was configured using the user-group command in parameter-map type inspect configuration mode had precedence over any default user group that was configured using the user-group default command in interface configuration mode. With the fix for CSCty48221, a device selects a user group in the following order:
  • Authentication methods.
  • User group configured using the user-group default command on an interface.
  • User group configured using the user-group command in parameter-map type inspect configuration mode. Configure the parameter-map type content-scan global command before configuring the user-group command.

You can configure a device in such a way that the approved web traffic does not get scanned by Cisco Cloud Web Security. Instead, the traffic goes directly to the originally requested web server. Clients are any devices that connect to a device, either directly or indirectly. When a client sends an HTTP or HTTPS request, the device receives the request, authenticates the user, and retrieves the group name from the authentication server. The device identifies the user and then consults the whitelist database to determine whether to send the HTTP or HTTPS client response to Cisco Cloud Web Security.

You can configure primary and backup Cisco Cloud Web Security proxy servers. The device regularly polls each of these proxy servers to check their availability.

Whitelisting

A whitelist is an approved list of entities that are provided a particular privilege, service, mobility, access, or recognition. Whitelisting means to grant access. You can configure a device in such a way that the approved web traffic does not get redirected to Cisco Cloud Web Security for scanning. When you bypass Cisco Cloud Web Security content scanning, the device retrieves the content directly from the originally requested web server without contacting Cisco Cloud Web Security. Once the device receives a response from the web server, the device sends the data to the client. This process is called whitelisting of web traffic.

You can bypass content scanning based on the following client web traffic properties:
  • IP address: You can bypass content scanning for web traffic that matches a configured numbered or named access control list (ACL). Use this method for traffic that is sent to trusted sites, such as intranet servers.
  • HTTP header fields: You can bypass scanning for web traffic that matches a configured HTTP header field; the Host and User-Agent header fields can be matched. Use this method for user agents that do not function properly when scanned, or to disable scanning of traffic that is intended for trusted hosts, such as third-party partners.
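To see why the Restrictions section steers you toward ACLs rather than Host-header whitelists, the following Go program (an added illustration, not Cisco code) models the two bypass methods just described: an ACL rule keyed on the destination IP address and a header rule keyed on the Host field. The trusted prefix 10.1.0.0/16, the hostname intranet.example.com, the destination 203.0.113.10 and the request text are constructed values.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Decision records which bypass method, if any, would keep a flow away from content scanning.
type Decision struct {
	ACLBypass  bool // destination IP fell inside a trusted ACL prefix
	HostBypass bool // Host header value matched a whitelisted hostname
}

// Evaluate models the two whitelist methods: an ACL keyed on the flow's real destination IP,
// and a header rule keyed on whatever the client wrote in the Host field. Like the feature
// described above, it never checks that the two agree.
func Evaluate(trustedNets, trustedHosts []string, dstIP, rawRequest string) (Decision, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(rawRequest)))
	if err != nil {
		return Decision{}, err
	}
	var d Decision
	ip := net.ParseIP(dstIP)
	for _, cidr := range trustedNets {
		_, prefix, err := net.ParseCIDR(cidr)
		if err != nil {
			return Decision{}, err
		}
		if prefix.Contains(ip) {
			d.ACLBypass = true
		}
	}
	for _, h := range trustedHosts {
		if strings.EqualFold(req.Host, h) {
			d.HostBypass = true
		}
	}
	return d, nil
}

func main() {
	// Constructed sample: Host names the intranet server, but the flow really goes to 203.0.113.10.
	raw := "GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
	d, _ := Evaluate([]string{"10.1.0.0/16"}, []string{"intranet.example.com"}, "203.0.113.10", raw)
	fmt.Printf("ACL bypass: %v, Host bypass: %v\n", d.ACLBypass, d.HostBypass)
	// ACL bypass: false, Host bypass: true
}
```

The ACL rule stays false because it looks at where the packets actually go, which is the property the guide tells you to key restricted access on.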

Cisco Cloud Web Security Headers

A device that forwards web traffic to Cisco Cloud Web Security proxy servers includes additional HTTP headers in each HTTP and HTTPS request. Cisco Cloud Web Security uses these headers to obtain information about customer deployments, including information about the user who had originally made the client request and the device that sent the request. For security purposes, the information in the headers is encrypted and then hexadecimal encoded.

Cisco Cloud Web Security headers use both asymmetric and symmetric cryptography with industry-standard algorithms. Asymmetric encryption uses the RSA/ECB/PKCS1Padding algorithm with 512-bit key pairs. Symmetric encryption uses the "DESede" (triple DES) algorithm with a randomly generated 168-bit triple Data Encryption Standard (DES) key.
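The following Go program is an added illustration, not Cisco's implementation, of the envelope just described: a random 168-bit triple DES session key wrapped with RSA PKCS#1 v1.5, the header value encrypted under that key, and both parts hex encoded. It assumes the Java default for a bare "DESede" transform (ECB mode with PKCS#5 padding), the header value user=alice;group=eng is a constructed sample, and it generates a 1024-bit RSA pair because current Go releases refuse the 512-bit size the guide mentions, a size that has been publicly factored.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"encoding/hex"
	"fmt"
)

// SealedHeader models the envelope the guide describes: a random 3DES session key wrapped
// with RSA PKCS#1 v1.5, the header value encrypted under that key, both hex encoded.
// Java's bare "DESede" transform means ECB mode with PKCS#5 padding, so that is modelled.
type SealedHeader struct{ WrappedKeyHex, CiphertextHex string }

// ecb3DESEncrypt encrypts each 8-byte block independently (ECB; equal blocks leak equality).
func ecb3DESEncrypt(key, padded []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil || len(padded)%des.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or input length")
	}
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += des.BlockSize {
		c.Encrypt(out[i:], padded[i:i+des.BlockSize])
	}
	return out, nil
}

// Seal draws a fresh 24-byte 3DES key (168 key bits plus parity), wraps it with the tower's
// RSA public key and encrypts the PKCS#5-padded header value under it.
func Seal(pub *rsa.PublicKey, header string) (SealedHeader, error) {
	key := make([]byte, 24)
	rand.Read(key) // crypto/rand.Read never fails in current Go releases
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return SealedHeader{}, err
	}
	n := 8 - len(header)%8 // 1..8 padding bytes, each holding the value n
	ct, err := ecb3DESEncrypt(key, append([]byte(header), bytes.Repeat([]byte{byte(n)}, n)...))
	return SealedHeader{hex.EncodeToString(wrapped), hex.EncodeToString(ct)}, err
}

func main() {
	// The guide's 512-bit pairs are below Go's 1024-bit minimum (Go 1.24+), and RSA-512 has
	// been publicly factored, so the demo generates a 1024-bit pair instead.
	priv, _ := rsa.GenerateKey(rand.Reader, 1024)
	s, _ := Seal(&priv.PublicKey, "user=alice;group=eng") // constructed sample header value
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(s.WrappedKeyHex)/2, len(s.CiphertextHex)/2)
}
```

The wrapped key is always one RSA modulus long (128 bytes here) regardless of the header, while the ciphertext grows in 8-byte steps with the header value.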

How to Configure Cisco Cloud Web Security

Configuring Cisco Cloud Web Security

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type content-scan global
4. server scansafe primary ipv4 ip-address port http port-number https port-number
5. license 0 license-key
6. publickey file-system
7. source address ipv4 ip-address
8. exit
9. interface type number
10. content-scan out
11. ip virtual-reassembly in
12. ip virtual-reassembly out
13. end
14. show content-scan


DETAILED STEPS

Command or Action / Purpose

Step 1
enable

Example:
Device> enable

Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 3
parameter-map type content-scan global

Example:
Device(config)# parameter-map type content-scan global

Configures a global content-scan parameter map and enters parameter-map type inspect configuration mode.

Step 4
server scansafe primary ipv4 ip-address port http port-number https port-number

Example:
Device(config-profile)# server scansafe primary ipv4 10.12.34.23 port http 8080 https 443

Configures the Cisco Cloud Web Security primary server for content scanning.
  • The default Cisco Cloud Web Security port for the proxied HTTP and HTTPS traffic is 8080.

Step 5
license 0 license-key

Example:
Device(config-profile)# license 0 D7BF98AFEB0B4AFA5954CB0F81FFB620

Configures an unencrypted license key that is sent to Cisco Cloud Web Security for authentication.

Step 6
publickey file-system

Example:
Device(config-profile)# publickey flash:testPublicKey.txt

Configures the location of the 512-byte public key that is used to encrypt the session key for Cisco Cloud Web Security header encryption.
  • Cisco Cloud Web Security supports only local file systems.

Step 7
source address ipv4 ip-address

Example:
Device(config-profile)# source address ipv4 10.2.1.2

Configures the source IP address for content scan redirection.

Step 8
exit

Example:
Device(config-profile)# exit

Exits parameter-map type inspect configuration mode and enters global configuration mode.

Step 9
interface type number

Example:
Device(config)# interface ethernet 0/0

Configures an interface and enters interface configuration mode.

Step 10
content-scan out

Example:
Device(config-if)# content-scan out

Configures the egress interface for content scanning.

Step 11
ip virtual-reassembly in

Example:
Device(config-if)# ip virtual-reassembly in

Enables Virtual Fragment Reassembly (VFR) on the ingress.

Step 12
ip virtual-reassembly out

Example:
Device(config-if)# ip virtual-reassembly out

Enables VFR on the egress.

Step 13
end

Example:
Device(config-if)# end

Exits interface configuration mode and enters privileged EXEC mode.

Step 14
show content-scan

Example:
Device# show content-scan

Displays content scanning information.

Example

The following is sample output from the show content-scan history command:

Device# show content-scan history 6

Protocol  Source               Destination          Bytes         URI                  Time
HTTP      192.168.100.2:1347   209.165.201.4:80     (102:45)      www.google.com       00:01:13
HTTP      192.168.100.2:1326   209.165.201.6:80     (206:11431)   www.google.com       00:12:55
HTTP      192.168.100.2:1324   209.165.201.5:80     (206:11449)   www.google.com       00:15:20
HTTP      192.168.100.2:1318   209.165.201.5:80     (206:11449)   www.google.com       00:17:43
HTTP      192.168.100.2:1316   209.165.201.4:80     (206:11449)   www.google.com       00:20:04
HTTP      192.168.100.2:1315   10.254.145.107:80    (575:1547)    alert.scansafe.net   00:21:32

Configuration Examples for Cisco Cloud Web Security

Example: Configuring Cisco Cloud Web Security

Device# configure terminal
Device(config)# parameter-map type content-scan global
Device(config-profile)# server scansafe primary ipv4 10.12.34.23 port http 8080 https 443
Device(config-profile)# license 0 D7BF98AFEB0B4AFA5954CB0F81FFB620
Device(config-profile)# publickey flash:testPublicKey.txt
Device(config-profile)# source address ipv4 10.2.1.2
Device(config-profile)# exit
Device(config)# interface ethernet 0/0
Device(config-if)# content-scan out
Device(config-if)# ip virtual-reassembly in
Device(config-if)# ip virtual-reassembly out

Additional References

Related Documents

Related Topic: Cisco IOS commands
Document Title: Master Command List, All Releases

Related Topic: Firewall commands
Document Title:

Related Topic: Cisco Cloud Web Security solution guide
Document Title: Cisco ISR Web Security with Cisco ScanSafe Solution Guide

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Cisco Cloud Web Security

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1  Feature Information for Cisco Cloud Web Security

Feature Name: Cisco Cloud Web Security
Releases: 15.2(1)T1, 15.2(4)M
Feature Information: The Cisco Cloud Web Security feature provides content scanning of HTTP and HTTPS traffic and malware protection service to web traffic. This feature helps a device transparently redirect HTTP and HTTPS traffic to the Cisco Web Security cloud.

The following commands were introduced or modified: clear content-scan, content-scan out, content-scan whitelisting, debug content-scan, ip admission name http-basic, ip admission name method-list, ip admission name ntlm, ip admission name order, ip admission virtual-ip, license (parameter-map), logging (parameter-map), parameter-map type content-scan global, publickey, server scan-safe, show content-scan, show ip admission, source (parameter-map), timeout (parameter-map), user-group (parameter-map), whitelist.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.