With the growth of sophisticated threats, information sharing has becoming an important aspect to combat threats. Many organizations are collecting web traffic from various network hops and consolidating them in a single point of log management system to provide a consolidated end point, network, and security analytics. This provides a faster detection rate, which, in turn, will prevent cyber threats. Consolidated log systems also provide organizations with consolidated log retention and alignment with compliance.
About this document
This document describes how to configure the Web Traffic Tap feature on Cisco® Web Security Appliance (WSA) using AsyncOS® 11.5.1 to mirror web traffic across Intrusion Detection System (IDS). In this setup, we have used Cisco Next-Generation Intrusion Prevention System (NGIPS) to function as IDS via Cisco Firepower® Management Center (FMC). Because virtual devices do not have web interfaces, you must use the Command-Line Interface (CLI) to register a virtual device to FMC, which can be physical or virtual.
This document covers:
● Introduction to Cisco IDS (NGIPS in passive mode)
● Introduction to Web Traffic Tap
● Web Traffic Tap configuration on WSA
● Traffic collection configuration on Cisco IDS and FMC
● View and analyze web traffic in FMC
● Build a view in FMC
Introduction to Cisco IDS
Cisco Intrusion Detection System is a signature-based detection approach. In IDS mode, it generates an alert when the signature matches the malicious traffic, whereas in IPS mode, it generates an alert and blocks malicious traffic.
Cisco Next-generation Intrusion Prevention System deployed in passive mode functions as an IDS. In a passive deployment, virtual devices can perform network-based file and malware detection and security intelligence monitoring, as well as network discovery. In this document, IDS is deployed in promiscuous mode, where it can sense the network traffic but is not in the direct path within the network, which eliminates the possibility of any network impact in the event of failure.
The core capabilities of Cisco IDS are:
● Set a baseline of normal network behavior to help identify abnormal activities
● Perform deep packet capture for advanced forensics
● Detect unauthorized or suspicious application activities
In this document, we are integrating IDS with WSA Web Traffic Tap to run advanced forensics and compliance.
Introduction to Web Traffic Tap
From AsyncOS 11.5.1, an admin can enable one of its network interfaces as a traffic tap interface. This interface will be used to selectively mirror both HTTP and decrypted HTTPS traffic to be forwarded to an external traffic collector. In this document, we will configure the WSA to send web traffic, both HTTP and decrypted HTTPS, to LogRhythm.
This feature provides flexible traffic selection based on policy (URL categories) and identity.
Figure 1. Web Traffic Tap (WTT) – Feature overview
Cisco recommends that you have knowledge of these topics:
● Cisco WSA
● Cisco NGIPS/IDS
● Cisco FMC
The information in this document is based on these software and hardware versions:
● Cisco WSA Version 11.5.1
● Cisco NGIPSv for VMware Version 6.2.2 (build 81)
● Cisco FMC for VMWare Version 6.2.2 (build 81)
Note: Contents of the document were created from the devices in a specific lab environment. All of the devices used in this document were started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Web Traffic Tap configuration on WSA
Step 1 – Log in to the WSA UI using admin credential: https://wsa_hostname:8443.
Step 2 – Navigate to Network > Web Traffic Tap.
Step 3 – Click Edit Settings. The Web Traffic Tap feature is disabled by default.
Step 4 – Tick Enable on Web Traffic Tap and choose an unused interface for the Tap Interface. Click Submit to enable it.
Note: The IDS needs to listen on the network configured for Tap Interface, which is covered in a later section.
Step 5 – To configure Web Traffic Tap policies, navigate to Web Security Manager > Web Traffic Tap Policies.
Note: A default Global Policy has been preconfigured with the No Tap policy configured.
Step 6 – To enable all URL categories to be monitored by IDS except the finance category, click Select all on the Tap column and Select Finance on the No Tap column. Click Submit to enable it.
Here is a summary of the Web Traffic Tap policy.
Note: If specific policies are required, it can be added through the Add Policy… button.
Note: For HTTPS traffic, please kindly ensure matching decryption policies have been created, as mirrored HTTPS traffic will be decrypted traffic.
Comprehensive filtering policies can be created with specific identity and/or advanced policy member definitions such as protocols (HTTP/HTTPS), subnets, URL categories, or user agents.
Step 7 – Commit Changes once the configuration has been completed.
Step 8 – Summary of tapped traffic can be viewed in Reporting > Overview.
Traffic collection configuration on Cisco IDS and FMC
Step 1 – Log in to Cisco IDS (NGIPS) CLI interface via Secure Shell (SSH) Protocol.
Step 2 – At the prompt, register the device to an FMC using the configure manager add command. A unique self-generated alphanumeric registration key is always required to register a device to an FMC.
In most cases, you must provide the FMC’s IP address along with the registration key. For example:
Note: When using the Esxi vSphere instance to register a virtual device to an FMC, you must use the IP address (not the hostname) of the managing FMC.
Step 3 – Log in to the FMC web interface and use the Device Management (Devices > Device Management) page to add the device once you have set up the FMC. For more information, see the Managing Devices chapter in the FMC Configuration Guide.
Add IDS details with the same registration key as set on IDS CLI and create a new access policy with default action set to Network Discovery. Then click Save.
Next, Click on Register and add the IDS device with at least the URL filtering license enabled.
Once the device is added successfully, it will appear as shown below:
Step 4 - Go to Policies > Access Control and edit the policy created at the time of device registration. Click on the pencil icon to edit a policy or rule as shown below:
Add a new rule to allow the web traffic and set the zone and logging configuration as shown below:
Note: Checking the logging at the beginning of the connection will display the first packet that hits the IDS.
Once the policy rules have been added, click Save and then deploy the policy to the device.
Note: It may take a few minutes to deploy the policy onto IDS.
Step 5 – Log in to the vSphere client and ensure that the virtual machine settings are configured appropriately for IDS to be able to sense traffic.
The promiscuous mode setting on the distribution switch for the respective VLAN network that is used to tap the traffic and for communication between IDS and FMC is to accept all the network traffic. Go to Home > Inventory > Networking > Select switch > portgroup and edit.
Ensure that the IDS virtual machine has the WSA tap network selected and is connected in the power-on state. For example, in the image below, WSA is set to tap at the P1 interface, which corresponds to Lan A-1613:
The IDS is set to monitor Lan A-1613 broadcast traffic, which has the WSA tap interface configuration on it.
With the firewall-engine-debug command, you can confirm whether traffic flow is evaluated against the proper access control rule and hitting the IDS device.
SSH into the IDS CLI interface and run the following command: system support firewall-engine-debug.
View and analyze web traffic in FMC
Step 1 - Go to Analysis > Connections > Events to view the events. More details about the traffic view are covered in the following section.
Step 2 - Click on the time range on the right-hand top corner and select Sliding Time Window to show events for the previous hour. This allows you to get optimum output for testing and validation.
Step 3 - Browse the Internet traffic from any of the clients configured to route traffic via WSA and view the results.
Note: You may pause and resume the events to reload the window.
Step 4 - You may also browse the most-viewed applications using the Overview > Dashboards page.
Note: You can may click on any website to view the corresponding events.
Build a view in FMC
You can customize what columns are shown in the displayed web traffic events and filter the events. The same can also be saved as bookmarks for future use. Shown below is an example to display limited information for a particular client IP address.
Step 1 - Go to Analysis > Connections > Events and click on Table View of Connection Events.
Step 2 - As displayed above, click on the cross next to any column and select the options you want to be displayed. Then click Save.
Step 3 - Click on the Search icon on the right-hand top corner and enter an initiator IP. Then save the search.
Step 4 - Select the custom search saved in the previous step and edit the columns as per step 1. Then click Bookmark This Page. The saved search can be later viewed by clicking on the View Bookmarks Page.
Note: You will have to edit the time window after you select any saved search or bookmarks.
In conclusion, why do we think it is important to integrate WSA with the Cisco IDS appliance?
Here is a list of the benefits:
● WSA will act as a single point of decryption for HTTPS traffic without requiring an external SSL decryption appliance.
● It allows you to use custom views and searches to monitor the desired traffic and associated threats.
● Cisco IDS helps refine policy applications with the option of creating rules that can match a number of conditions such as networks, VLAN IDs, application filters, ports, and more.
● It helps analyze network vulnerabilities at a deeper level to identify needed security policies.
● Integration with IDS provides a flexible reporting system that allows you to quickly and easily generate multisection reports with the event views or dashboards that appear on your FMC. You can also design your own custom reports from scratch and generate reports in various flows and formats.
It makes it easier to troubleshoot granular issues with the availability of a wide range of connection events such as Security Sockets Layer flow error, Quality of Service(QOS) polices, port information, and more.
For more detailed information on Cisco WSA, visit https://www.cisco.com/go/wsa.
For more about Cisco NGIPS, visit https://www.cisco.com/c/en/us/td/docs/security/firepower/60/quick_start/ngips_virtual/NGIPSv-quick/setup-ngipsv.html#62776.
For more about Cisco FMC, visit https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/introduction_to_the_cisco_firepower_system.html.
A Cisco sales representative, channel partner, or systems engineer can help you evaluate how Cisco web security will work for you.