1. No category

Internet Edge Design Summary October 2015

CISCO VALIDATED DESIGN
Internet Edge
Design Summary
October 2015
REFERENCE
NETWORK
ARCHITECTURE

Table of Contents
Introduction...................................................................................................................................... 1
Sub-Architectures for Specific Capabilities...................................................................................... 8
Edge Connectivity ............................................................................................................................................................8
Firewall Segmentation & Intrusion Prevention....................................................................................................................9
Remote Access VPN...................................................................................................................................................... 10
Email Security Using ESA............................................................................................................................................... 11
Web Security.................................................................................................................................................................. 13
Cisco Web Security Appliance........................................................................................................................ 15
Cisco Cloud Web Security.............................................................................................................................. 16
Cisco CWS Using the Connector for Cisco ASA............................................................................................. 16
Cisco CWS Using Cisco AnyConnect............................................................................................................. 18
Guest Wireless Termination............................................................................................................................................ 20
Future Releases of Internet Edge ................................................................................................... 21
Summary........................................................................................................................................ 22
Cisco Validated Design
Introduction
Introduction
This guide describes architectural best practices for organizations with up to 10,000 connected users.
An important segment of an enterprise network is the Internet edge, where the corporate network meets the public Internet. As your network users reach out to websites and use email and other collaboration tools for businessto-business communication, the resources of the corporate network must remain both accessible and secure.
The Secure Architectural Framework Example (SAFE) for business networks locates the Internet edge as one of
the places in the network (PINs). SAFE simplifies complexity across the enterprise by implementing a model that
focuses on the areas that a company must secure. This model treats each area holistically, focusing on today’s
threats and the capabilities needed to secure each area against those threats. Cisco has deployed, tested, and
validated critical challenges. These solutions provide guidance, complete with configuration steps that ensure effective, secure deployments for our customers.
The Internet edge is the highest-risk PIN because it is the primary Ingress for public traffic and the primary egress
point to the Internet. Simultaneously, it is the critical resource that businesses need in today’s Internet-based
economy. SAFE matches up defensive capabilities against the categories of threats today.
Cisco Validated Design
page 1
Introduction
The capabilities and architectures for the Internet edge provide users with the secure network access they require, from a wide variety of locations and devices. The following table describes the functional security capabilities of Internet edge.
Table 1 SAFE defenses against specific Internet edge threats
Threat
Defense
Use of malformed packets and
abnormal protocol processes
to gain access to the public
and private networks
Firewall segmentation—Protects the network
infrastructure and data resources through stateful
packet filtering, protocol inspection, and network
address translation
Infiltration via worms, viruses
and various types of attacks
to gain access to the internal
servers by using Layer 4-7
traffic
Intrusion detection & prevention—Protects the
network infrastructure and data resources from
Internet-based threats such as worms, viruses,
and targeted attacks by performing application
and user-aware security inspection of Layer 4-7
traffic coordinated with global threat prevention
information
Monitoring of unencrypted
network traffic allows thieves to
easily steal data and credentials
Remote access VPN—Provides secure encrypted
access to resources inside the organization from
remote locations and mobile devices
Access to critical resources by
impersonating trusted users
with basic authentication
Access control + TrustSec—Selective restriction
of access, based on context, to a place or other
resource
Distribution of viruses, malware
files or compromised web links
by email. Exfiltration of private
data via email
Email security—Provides encryption, anti-spam,
anti-malware, anti-virus inspection and message
filtering services that protect against data loss and
exfiltration
Infected ads and bogus web
sites lure in users to access the
malicious content by redirection and service insertion
Web security—Provides inspection and filtering for
web reputation, anti-malware, anti-virus. Protects
against data loss and data exfiltration. Enforces
acceptable-use controls and user monitoring
Single or multiple files which
form a malware package and
distributes itself throughout the
entire network of servers and
devices
Anti-malware—Files are securely analyzed and
correlated against hundreds of millions of other
analyzed malware artifacts to provide a global view
of malware attacks, campaigns, and their distribution on current and historical malware artifacts,
indicators, and samples
Zero-day attacks and new
forms of malware can initially
bypass protections implemented through learned threat
intelligence.
Threat intelligence—Threat intelligence is evidence-based knowledge, including context,
mechanisms, indicators, implications, and actionable advice about an existing or emerging menace
or hazard to assets that can be used to inform
decisions regarding the subject’s response to that
menace or hazard
table continued on next page
Cisco Validated Design
page 2
Introduction
table continued from previous page
Threat
Defense
New command & control traffic,
telemetry and data exfiltration
from successful attacks
Flow analytics—Network data flow behavior is
analyzed to identify security incidents
Downloaded viruses and
malware compromise devices,
which take over systems and
replicate
Host-based security—Security software to protect
the host consisting of anti-virus, anti-malware,
host firewall and VPN encryption.
Unencrypted traffic being
copied and stolen from the infrastructure via monitoring and
malware
TLS encryption offload—This capability represents
the ability to decrypt an encrypted data flow to
and from a set of services. This hardware accelerated offloading reduces the general computing
load on the end servers, thereby improving scalability
Application-specific attacks
that take advantage of poor
application-development techniques and insecure modules
Web application firewalling—Advanced, specialized web application inspection and monitoring
for inbound and outbound service calls meeting a
specifically tuned and configured policy
Massively scaled attacks that
overwhelm the capacity of
the network bandwidth, device throughput, or processing capabilities of the network
devices and/or servers
DDOS protection—Protection against network,
session and application attacks such as: SYN
floods, connection floods, ICMP fragmentation,
DNS, SSL and the growing number of Layer 7 attacks
Infected ads and bogus web
sites lure in users to access the
malicious content by redirection and service insertion
Cisco Cloud Web Security—Web Security services that are based off-premise and in the cloud for
lean enterprise deployments and roaming/remote
user protection.
Accessing valuable network
data through the deployment
of rogue wireless devices and
interception attacks
Guest wireless WIPS—Coordinated infrastructure
to detect, locate, mitigate, and contain wireless
rogues and threats at Layers 1 through 3
Compromised or infected
devices allowed onto a network
proliferate the distribution of
malware and viruses to adjacent network users
Guest network mobile device management—
Control over endpoint access based on defined
policies such as disallowing jail-broken devices,
devices without anti-virus software, or preventing corporate managed devices from using less
secure guest networks
Cisco Validated Design
page 3
Introduction
Table 2 SAFE non-security-specific network capabilities
L2 / L3 Network——Routing and switching equipment that enables communication across an
enterprise infrastructure and the Internet
Load balancing—Systems that distribute workloads across multiple computing resources to
optimize resource use, maximize throughput, minimize response time, and avoid overload of
any single resource
Wireless—Controllers and access points enabling the network connectivity necessary for mobile devices to communicate with the enterprise infrastructure.
LAN segment—Physical or virtual network segment
Table 3 SAFE management capabilities supporting the Internet edge
Identity/authorization—AAA provides the method of identifying users and authorizing their access to services and resources and tracking their use
Policy/configuration—Centralized and unified network management to provide consistent, secure access to end users, however they connect
Analysis/correlation---SIEM technology provides real-time reporting and long-term analysis
of security events. The technology can also provide log collection, normalization, correlation,
aggregation and reporting
Monitoring—Collection of network flows or traffic from specific infrastructure segments.
Vulnerability management— System tools that continually scan and test devices attached to
the infrastructure, document them, and prompt for remediation on an ongoing basis
Logging/reporting—Centralized repository that collects syslog, SNMP, and other event information from all devices to ensure the integrity and enable the correlation of events.
Time synchronization—NTP is used to synchronize clocks among devices. This synchronization
allows all events to be correlated when system logs are created and when other time-specific
events occur.
Cisco Validated Design
page 4
Introduction
These security capabilities address the top threats and risks facing organizations today.
When developing individual designs, you should also take into consideration such non-security considerations as:
•• Load-balancing routing protocols (e.g., eBGP, EIGRP, OSPF)
•• VLANs for segmentation
•• High-availability protocols such as HSRP & VRRP
•• Common platform services such as network time protocol (NTP) and authentication, authorization, and accounting (AAA)
These topics will be covered in additional SAFE guides.
Figure 1 depicts the deployment and distribution of capabilities for building an Internet edge by using Cisco best
practices. Capabilities are grouped into different security zones in order to more easily define policies for these
areas (Untrusted, VPN, Perimeter, DMZ and Trusted). The dotted lines illustrate combined capabilities that you
may implement in a single device. This further simplifies the connectivity and linking of the necessary capabilities
in order to achieve the goals of the proposed architecture.
The Untrusted zone contains the edge routing capability as well as both the on-premise and off-premise distributed denial-of-service (DDOS) capabilities. Cloud web services are included for illustration proposes at this time.
The remote access virtual private network (RA VPN) zone implements dedicated resources to connect remote
users and sites.
The perimeter zone has the all of the core security and inspection capabilities necessary to protect the enterprise
and segments the connections of the other zones.
The demilitarized zone (DMZ) is a restricted zone containing both internal and public facing services.
The trusted enterprise contains core services in order to securely implement, manage, monitor and operate the
Internet edge.
Cisco Validated Design
page 5
Introduction
Figure 1 Internet edge capabilities
Untrusted
Perimeter
Trusted Enterprise
DMZ
1350F
RA VPN
After defining the desired capabilities of the Internet edge, you can transition from a capability view to an architecture view. The architecture enables the selection of product classes and models aligning the needs of the
enterprise and to the available features unique to each platform.
The Internet edge architecture includes segmentation capabilities, such as LANs and VLANs separating services
from each other. Several capabilities are duplicated in various areas in order to provide the best protection possible (e.g., NGIPS at both the perimeter and after TLS decryption in the DMZ). Implementing dedicated resources
in several areas ensures acceptable performance across the entire architecture.
Cisco Validated Design
page 6
Introduction
Figure 2 Internet edge architecture
Untrusted
CWS
ISP DDOS
Cisco
WLC
Load
Balancer
Web
Application
Firewall
Cisco ASR
Cisco
AMP on
Endpoint
Cisco
Security
Appliance
Cisco Security
Appliance
Cisco Security
Appliance
RA VPN
Perimeter
Cisco
WSA
Cisco
ESA
Cisco
Security
Appliance
Cisco
Security
Appliance
DMZ
1351F
Trusted
Enterprise
Figure 2 does not depict how high-availability requirements can be met through the deployment of redundant
paired devices. This design assumes that you would deploy all capabilities as such when creating the detailed
designs.
Cisco Validated Design
page 7
Sub-Architectures for Specific Capabilities
Sub-Architectures for Specific Capabilities
The following sections provide greater detail and guidance for deploying security capabilities in the Internet edge.
Several have been fully validated using Cisco’s Validated Design program. For more information, see Cisco’s
Design Zone:
http://www.cisco.com/go/designzone
EDGE CONNECTIVITY
Two deployment options can address Internet edge capabilities with high availability and meet operational requirements for device-level separation between the remote access VPN and the firewall. The design shown in
the following figure uses a single Internet connection and integrates the remote-access VPN function in the same
Cisco Adaptive Security Appliance (ASA) pair that provides the firewall functionality.
Figure 3 Single ISP topology
Untrusted
CWS
ISP DDOS
Cisco
WLC
Load
Balancer
Web
Application
Firewall
Cisco ASR
Cisco
AMP on
Endpoint
Cisco
Security
Appliance
Cisco Security
Appliance
Cisco Security
Appliance
RA VPN
Perimeter
Cisco
WSA
Cisco
ESA
Cisco
Security
Appliance
Cisco
Security
Appliance
DMZ
1352F
Trusted
Enterprise
Cisco Validated Design
page 8
Sub-Architectures for Specific Capabilities
The following figure shows a dual ISP design that provides highly resilient Internet access. This design uses a
separate pair of Cisco ASA appliances in order to provide a remote access VPN, which offers additional scalability
and operational flexibility.
Figure 4 Dual ISP topology
Untrusted
ISP A
ISP B
Cisco
WLC
Load
Balancer
Web
Application
Firewall
Cisco ASR
Cisco
AMP on
Endpoint
Cisco
Security
Appliance
Cisco Security
Appliance
Cisco Security
Appliance
RA VPN
Cisco
WSA
Cisco
ESA
Perimeter
Cisco
Security
Appliance
Cisco
Security
Appliance
DMZ
1353F
Trusted
Enterprise
FIREWALL SEGMENTATION & INTRUSION PREVENTION
Firewalls and intrusion prevention systems (IPSs) provide vital security at the Internet edge. Firewalls control access into and out of the different segments of the Internet edge to filter unwanted and malicious traffic. Many
firewalls also provide a suite of additional services such as network address translation (NAT) and multiple security zones. Support for policy-based operation can enhance firewall effectiveness by providing security without
interfering with access to Internet-based applications or hindering connectivity to business partners’ data via
extranet VPN connections.
Cisco Validated Design
page 9
Sub-Architectures for Specific Capabilities
Intrusion prevention systems complement firewalls by inspecting the traffic traversing the Internet edge in order to
identify malicious behaviors and prevent proliferation of the malicious traffic.
Architectures for the Internet edge address firewall and IPS capabilities with the Cisco ASA family. Cisco ASA
platforms provide advanced firewall and IPS capabilities with enterprise-class performance and security in a
scalable design that can readily adapt to changing needs. They are situated between the organization’s internal
network and the Internet in order to minimize the impact of network intrusions while maintaining worker productivity, business communications and information integrity..
Designs for the Internet edge use the Cisco ASA 5500-X Series, configured in routing mode in active/standby
pairs for high availability. They apply NAT and firewall policy and support FirePOWER next generation intrusion
prevention software (NGIPS) that detects and mitigates malicious or harmful traffic. FirePOWER NGIPS delivers
complete contextual awareness, full visibility, and control of users, devices and content in order to provide industry-leading threat prevention.
For more information about firewall and IPS solution deployment, see the Firewall and IPS Technology Design Guide.
This guide covers the creation and use of demilitarized zone (DMZ) segments for Internet-facing services such as
a web presence. The NGIPS content covers Internet edge inline deployments and internal distribution layer intrusion detection system (IDS) deployments.
REMOTE ACCESS VPN
Employees, contractors, and partners often need to access the network when traveling or working from home or
from other off-site locations. Many organizations therefore need to provide users in remote locations with network
connectivity to data resources.
A secure connectivity solution for the Internet edge should support:
•• A wide variety of endpoint devices.
•• Seamless access to networked data resources.
•• Authentication and policy control that integrates with the authentication resources used by the organization.
•• Cryptographic security to prevent sensitive data from exposure to unauthorized parties who accidentally or
intentionally intercept the data.
Designs for the Internet edge address these needs with the Cisco ASA Family and Cisco AnyConnect Secure
Mobility Client.
The Cisco AnyConnect Secure Mobility Client is recommended for remote users who require full network connectivity. The Cisco AnyConnect client uses SSL and is designed for automated download and installation. SSL
access can be more flexible and is likely to be accessible from more locations than IPsec, as few companies
block HTTPS access out of their networks. The AnyConnect client may be configured as an always-on VPN.
The Trusted Network Detection capability of the Cisco AnyConnect client determines if a laptop is on a trusted
internal network or an untrusted external network. If on an untrusted network, the client automatically tries to
establish a VPN connection to the primary site. The user needs to provide credentials for authentication, but no
other intervention is required. If the user disconnects the connection, no other network access is permitted.
Cisco Validated Design
page 10
Sub-Architectures for Specific Capabilities
Designs for the Internet edge offer two remote-access VPN design models:
•• Remote access VPN integrated with Cisco ASA Series firewall (integrated design module)—This option is
available with a lower capital investment and reduces the number of devices the network engineering staff
must manage.
•• Remote access VPN deployed on a pair of standalone Cisco ASA appliances (standalone design module)—This design offers greater operational flexibility and scalability while providing a simple migration path
from an existing RA VPN installation.
For detailed design and configuration information about implementing a remote access VPN via Cisco AnyConnect for SSL connections, see the Remote Access VPN Technology Design Guide.
EMAIL SECURITY USING ESA
Email is a critical business service used by virtually everyone, every day, which makes it an attractive target for
hackers. The two major threats to email systems are spam and malicious email.
If spam is not properly filtered, its sheer volume can consume valuable resources such as bandwidth and storage, and require network users to waste time manually filtering through messages. Legitimate messages may
be discarded, potentially disrupting business operations. Failing to protect an email service against spam and
malicious attacks can result in a loss of data and network-user productivity. Malicious email most often consists of
embedded or phishing attacks. Embedded attacks contain viruses and malware that perform actions on the end
device when clicked. Phishing attacks attempt to mislead network users into releasing sensitive information such
as credit card numbers, social security numbers, or intellectual property.
Cisco Email Security Appliance (ESA) protects the email infrastructure and network users who use email at work
by filtering unsolicited and malicious email before it reaches the user. The goal of the solution is to filter out positively identified spam and quarantine or discard email sent from untrusted or potentially hostile locations. Antivirus
scanning is applied to emails and attachments from all servers in order to remove known malware.
Cisco ESA easily integrates into existing email infrastructures by acting as a mail transfer agent (MTA), or mail
relay, within the email-delivery chain. A normal email exchange, in which an organization is using an MTA, might
look like the message flows shown in Figure 5 and Figure 6.
Cisco Validated Design
page 11
Sub-Architectures for Specific Capabilities
Figure 5 Inbound email message flow
1 Sender sends email to
[email protected]
2 What is IP for CompanyX mail server
(MX and A record DNS lookup)?
3 IP address for CompanyX email is
a.b.c.d (Cisco ESA at CompanyX)
4 Email is sent
Internet DNS
Server
Cisco Email
Security Appliance
5 After inspection,
the email is sent to the
central email server
1071F
Email
Server
6 Employee retrieves cleaned email
Figure 6 Outbound email message flow
6 Recipient retrieves email
3 Cisco ESA inspects outbound email
5 Email is sent
4 Cisco ESA performs DNS lookup
for recipient domain and retrieves
MX and A records
Cisco Email
Security Appliance
2 Central email server forwards
all non-local messages to
Cisco ESA smart host
1 Employee sends email to
[email protected]
Cisco Validated Design
1078F
Email
Server
page 12
Sub-Architectures for Specific Capabilities
Cisco ESA can be deployed with a single physical interface to filter email to and from an organization’s mail
server. A second, two-interface configuration option transfers email to and from the Internet by using one interface, and to and from internal servers by using the second interface. The Internet edge design uses the singleinterface model for simplicity.
For more information about email security and Cisco ESA, see the Email Security Using ESA Technology Design
Guide.
WEB SECURITY
Web access is a requirement for the day-to-day functions of most organizations, but a challenge exists to maintain appropriate web access for everyone in the organization while minimizing unacceptable or risky use. A solution is needed to control policy-based web access in order to ensure that users work effectively and ensure that
personal web activity does not waste bandwidth, affect productivity, or expose the organization to undue risk.
Another risk associated with Internet access for the organization is the pervasive threat that exists from accessing
sites and content. Other threats include the still popular and very broad threats of viruses and Trojans, in which a
user receives a file in some manner and is tricked into running it, and the file then executes malicious code. The
third variant uses directed attacks over the network. These types of risks are depicted in the figure below.
Figure 7 Business reasons for deploying Cisco Cloud Web Security
Internet Edge
Firewall
User
Community
Internet
Malicious software worms,
viruses, phishing attacks, etc.
Non-work-related
web browsing
2292F
Bandwidth
waste
Two options address the need for a corporate web security policy by offering a combination of web usage controls with category and reputation-based control, malware filtering, and data protection:
•• Cisco Web Security Appliance (WSA), which is deployed on premise
•• Cisco Cloud Web Security (CWS), which is accessed by using the Cloud Web Security Connector for Cisco
ASA or by using Cisco AnyConnect Secure Mobility Client.
Cisco Validated Design
page 13
Sub-Architectures for Specific Capabilities
Some key differences between Cisco CWS and Cisco WSA include the items listed in the following table.
Table 4 Cisco Web Security solution comparison
Cisco CWS
Cisco WSA
Web/URL filtering
Yes
Yes
Supported protocols
HTTP/HTTPS
HTTP/HTTPS, FTP
Yes
Yes
(Multiple scanners for malware)
(URL/IP reputation filtering, multiple scanners for
malware)
Remote user security
VPN backhaul or direct to cloud using
Cisco AnyConnect1
VPN backhaul
Deployment
Redirect to cloud service
On Premise Redirect
Policy and reporting
Web portal (cloud)
On Premise
Outbreak Intelligence
(Zero Day Malware)
Note:
1.Windows and Mac OS Only
Cisco Validated Design
page 14
Sub-Architectures for Specific Capabilities
Cisco Web Security Appliance
Cisco WSA is a web proxy that works with other Cisco network components such as firewalls, routers, or switches in order to monitor and control web content requests from within the organization. It also scrubs the return
traffic for malicious content, as shown in the following figure.
Figure 8 Cisco WSA traffic flows
RA VPN Client
or
RA VPN
Mobile Client
Web Site
RA VPN Client
or
RA VPN
Mobile Client
Web Site
Web Site
Internet
Internet
Internal
Network
User
Community
Cisco
WSA
Internet
Cisco
WSA
Internal
Network
Cisco
WSA
3027F
Internal
Network
Cisco WSA is connected by one interface to the inside network of Cisco ASA. In the Internet edge design, Cisco
WSA connects to the same LAN switch as the ASA appliance and on the same VLAN as the inside interface of
the ASA appliance. Cisco ASA redirects HTTP and HTTPS connections by using the Web Cache Communication
Protocol (WCCP) to Cisco WSA.
For more information about how to deploy this solution, see the Web Security Using Cisco WSA Technology Design
Guide. This guide focuses on using Cisco WSA in an Internet edge solution. It covers the mechanisms used to
apply web security and content control, as well as the use of transparent -proxy mode and explicit-proxy mode
deployments for redirecting web traffic to Cisco WSA.
Cisco Validated Design
page 15
Sub-Architectures for Specific Capabilities
Cisco Cloud Web Security
Through the use of multiple techniques, Cisco CWS provides granular control over all web content that is accessed. These techniques include real-time dynamic web content classification, a URL-filtering database, and
file-type and content filters. The policies enforced by Cisco CWS provide strong web security and control for an
organization. Cisco CWS policies apply to all users regardless of their location and device type.
Figure 9 Cisco CWS Internet edge design
Web Sites
Approved
Web Requests
Blocked
Content
Cisco Cloud
Web Security
Blocked
Files
Internet
Blocked
URLs
Approved
Content
DMZ Switches
Internet
Servers
Cisco ASA
User
Community
Traffic Redirected to
Cisco Web Security
2293F
Distribution
Switches
Cisco CWS Using the Connector for Cisco ASA
Internal users at both the primary site and remote sites access the Internet by using the primary site’s Internetedge Cisco ASA, which provides stateful firewall and intrusion prevention capabilities. It is simple and straightforward to add Cisco CWS to a Cisco ASA appliance that is already configured and operational. This integration uses
the Cloud Web Security Connector for Cisco ASA and requires no additional hardware.
Cisco Validated Design
page 16
Sub-Architectures for Specific Capabilities
Cloud Web Security using Cisco ASA enables the following security capabilities:
•• Transparent redirection of user web traffic—Through seamless integration with the Cisco ASA firewall, web
traffic is transparently redirected to the Cisco CWS service. No additional hardware or software is required,
and no configuration changes are required on user devices.
•• Web filtering—Cisco CWS supports filters based on predefined content categories and it also supports more
detailed custom filters that can specify application, domain, and content type or file type. The filtering rules
can be configured to block or warn based on the specific web-usage policies of an organization.
•• Malware protection—Cisco CWS analyzes every web request in order to determine if content is malicious.
CWS is powered by the Cisco Security Intelligence Operations (SIO) whose primary role is to help organizations secure business applications and processes through identification, prevention, and remediation of
threats.
•• Differentiated policies—The Cisco CWS web portal applies policies on a per-group basis. Group membership is determined by the group authentication key of the forwarding firewall, source IP address of the web
request, or the Microsoft Active Directory user and domain information of the requestor.
The Cisco ASA firewall family sits between the organization’s internal network and the Internet and is a fundamental infrastructural component that minimizes the impact of network intrusions while maintaining worker productivity and data security. The design uses Cisco ASA to implement a service policy that matches specified traffic and redirects the traffic to the Cisco CWS cloud for inspection. This method is considered a transparent proxy,
and no configuration changes are required to web browsers on user devices.
The various traffic flows for each of these user types are shown in the following figures.
Figure 10 Cisco CWS with internal and guest users
Web Site
Internet
Cisco Cloud
Web Security
Web Site
Internet
Guest
Network
Internal
Network
Internal
User
Cisco Validated Design
Guest
User
3028F
Cisco Cloud
Web Security
page 17
Sub-Architectures for Specific Capabilities
Figure 11 Cisco CWS for mobile devices using remote-access VPN
RA VPN
Mobile Device
Cisco Cloud
Web Security
Web Site
Internet
Internal
Network
RA VPN
Mobile Device
Web Site
Internet
Internal
Network
3029F
Cisco Cloud
Web Security
Certain source and destination pairs should be exempted from the service policy, such as remote-access VPN
users accessing internal networks or internal users accessing DMZ networks.
For information about how to deploy this solution, see the Cloud Web Security Using Cisco ASA Technology Design
Guide. This guide discussed the configurations required to implement a Cisco ASA service policy that matches
specified traffic and redirects the traffic to the Cisco CWS cloud for inspection. This method is considered a
transparent proxy, and no configuration changes are required to web browsers on user devices..
Cisco CWS Using Cisco AnyConnect
Mobile remote users connect to their organization’s network by using devices that generally fall into two categories:
•• Laptops
•• Mobile devices such as smartphones and tablets
When provisioned with the Cisco AnyConnect Secure Mobility Client with Cisco CWS module, laptops are not
required to send web traffic to the primary site. The CWS module gives the Cisco AnyConnect client the ability to let Internet web traffic go out through a Cisco CWS proxy directly to the destination, without forcing traffic
through the organization’s headend. Without Cisco CWS, the traffic must be routed down the VPN tunnel, inspected at the campus Internet edge, and then redirected to the original destination.
Cisco Validated Design
page 18
Sub-Architectures for Specific Capabilities
This process consumes bandwidth and potentially increases latency. With Cisco CWS, the connection can be
proxied through the Cisco ScanSafe cloud and never has to traverse the VPN tunnel, as shown in the following
figure.
Figure 12 Web traffic flow for CWS with Windows and Mac OS X clients
RA VPN
Client
Web Site
Cisco Cloud
Web Security
Internal
Network
Internet
1115F
Internal Traffic
(Static Exceptions)
For the web security of Microsoft Windows and Apple Mac OS laptops, Cloud Web Security using Cisco AnyConnect enables the following security capabilities:
•• Redirect web traffic—The Cisco CWS module can be integrated into the Cisco AnyConnect client, allowing
web traffic to be transparently redirected to the Cisco CWS service. The CWS module is administered centrally on the RAVPN firewall and requires no additional hardware. Once installed, the CWS module continues
to provide web security even when disconnected from the RAVPN firewall.
•• Filter web content—Cisco CWS supports filters based on predefined content categories, as well as custom
filters that can specify application, domain, content type, or file type. The filtering rules can be configured to
block or warn based on the specific web usage policies of an organization.
•• Protect against malware—Cisco CWS analyzes every web request to determine if the content is malicious.
CWS is powered by the Cisco Security Intelligence Operations, the primary role of which is to help organizations secure business applications and processes through identification, prevention, and remediation of
threats.
•• Apply differentiated policies—The Cisco CWS web portal applies policies on a per-group basis. Group membership is determined by the group authentication key assigned within the Cisco AnyConnect CWS profile on
the RAVPN firewall.
Cisco Validated Design
page 19
Sub-Architectures for Specific Capabilities
Cloud Web Security using Cisco AnyConnect enables the following network capabilities:
•• User authentication—The AnyConnect client requires all remote access users to authenticate before negotiating a secure connection. Both centralized authentication and local authentication options are supported.
•• Differentiated access—The remote access VPN is configured to provide different access policies depending
on assigned user roles.
•• Strong encryption for data privacy—The Advanced Encryption Standard cipher with a key length of 256 bits
is used for encrypting user data. Additional ciphers are also supported.
•• Hashing for data integrity—The Secure Hash Standard 1 cryptographic hash function with a 160-bit message
digest is used to ensure that data has not been modified during transit.
For more information about how to deploy this solution, see the Cloud Web Security Using Cisco AnyConnect Technology Design Guide.
GUEST WIRELESS TERMINATION
Guest wireless termination within the Internet edge is detailed in the Campus Wireless LAN Technology Design
Guide. The designs contained within the Campus Wireless LAN Technology Design Guide provide ubiquitous
data and voice connectivity for employees and provides wireless Internet access for guests. Regardless of their
location within the organization—on large campuses or at remote sites—wireless users have the same experience
when connecting to voice, video, and data.
Cisco Validated Design
page 20
Future Releases of Internet Edge
Future Releases of Internet Edge
This architecture document and its associated design guides describe only a portion of Internet edge’s many
capabilities. Future releases will describe some of the following capabilities:
•• Threat intelligence
•• Anti-malware
•• Host-based security
•• Web application firewalling
•• DDOS prevention
•• TLS encryption offload
•• Flow analytics
•• Load-balancing considerations
•• Management and policy
Cisco Validated Design
page 21
Summary
Summary
Today’s networks extend to wherever employees are, wherever data is, and wherever data can be accessed.
The Internet edge is often the first line of attack and is subsequently the first line of defense against these attacks. As a result, technologies must be applied that focus on detecting, understanding, and stopping these
threats. These attacks can render an enterprise inaccessible from the Internet and prevent employees from doing
productive work locally and remotely.
Cisco’s Internet edge solutions work to mitigate these threats and minimize the impact of the enterprise’s productivity.
Cisco Validated Design
page 22
Please use the feedback form to send comments and
suggestions about this guide.
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore
Europe Headquarters
Cisco Systems International BV Amsterdam,
The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS
IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT
SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION,
LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR
THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS
OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON
FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included
in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2015 Cisco Systems, Inc. All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go
to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not
imply a partnership relationship between Cisco and any other company. (1110R)
Cisco Validated Design
B-000145c-2 10/15

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz