Thanks, Jon....great stuff

I am pretty light when it comes to Internet access schemes, especially as they relate to security, in enterprise environments. In the environment in which I worked the longest. we defaulted to a firewall and that was that, nothing fancy. No WCCP, no proxy engines, period.

You described one way to do it, can you delineate a few other ways it can be done, taking into consideration browser configurations? Need to discuss with a client and dont want to look like a moron. :-)

If you don't set the proxy in the browser then there is no browser configuration to be done because you are then relying on the network configuration to redirect the traffic. Bear in mind if you have a centralised site where the proxy is then you don't necessarily need to configure WCCP/PBR in all the other sites, you can just configure it where the traffic comes into the main site and send it to the proxy. If you do this though you do need a default route in your routing tables on the other sites pointing back to the main site.

For larger enviornments using a proxy makes sense because -

1) it is a central point of control for internet access

2) it is more efficient use of your internet bandwidth because of caching

3) you can tie the proxy into other services such as virus checking, web sites allowed and not allowed etc.

4) you can lock down your outbound firewall access to only the proxy IP rather than have an open outbound policy for all clients

5) updates to web site lists etc. can be done centrally

obviously that is not to say  that you should not run a virus checker on the clients anyway, you should but it is an additional layer of protection.

If you set the proxy explicitly in the browser you can also use exception lists for internal web servers and if i remember correctly this can be done on domain name rather than IP (although i could be misremembering - sorry).

With WCCP/PBR you use either redirect lists or PBR acls and you would need to use IPs as far as i am aware for the exceptions. Worth mentioning as well with WCCP some switches do not support redirect lists which are used like acls to define which traffic to send to the proxy. What this means in practice is if you applied WCCP to an interface and it did not support redirect lists it basically means all http/https etc. traffic arriving on that interface is sent to the proxy which may or may not be what you want.

It really does depend on the company setup and their specific requirements.

Finally one thing none of them really fully protect against is a user or group getting their own internet line and using that. Using group policy as we did meant they couldn't use company devices but they could still connect their own devices and point them to their own line.

Using WCCP/PBR doesn't help either because if it is their own device they can simply point the default gateway to be the device connecting to their internet connection.

So neither is foolproof and you need additional security measures such as port security, authenticating to the network etc. to protect against that and they are not trivial to implement.

But it depends on what the company wants a proxy for.

And all of the above should be backed up by a written security policy that everyone is -

a) aware of

and

b) has signed up to

although i freely admit this can be one of the hardest things of all to achieve.

Hope some of that helped, please come back if you have further queries.

Jon

Jon, thanks. Good stuff to think about.

As for this client, he already uses a proxy, Bluecoat ProxySG. He uses WCCP to redirect to a pair of SGs in an HA cluster. He doesnt leverage multicast addressing - he just points to a unicast VIP. He also doesn't use the browser to redirect. The question posed to me is how I would work around not having WCCP. I'm using Dell Force10 switches.

Given his pretty simple setup and the fact that he doesn;t seem to be using much of WCCP's functionality (I saw the config - nothing to it, really), I think I can get away with PBR. I'll create a policy to block Bogons (RFC 1918 addresses) and forward the rest based on ports 80/443/23. I think that'll do it.

I checked out Juniper's redirect solution, and it uses PBR as I described.

Thoughts?

I think PBR could be used in this setup and it would work fine.

You are still just redirecting specific traffic to another IP address ie. the proxy VIP and you aren't actually modifying any of the IP addressing with PBR.

Just remember that if there are any internal websites that are not meant to be accessed via the proxy then you need to make sure they are not policy routed although that may not be an issue in your case.

The only other thing i would say is that i'm not familiar with the switches you mention and so the following may not apply but with some Cisco switches using certain things such as deny lines in your PBR acl is not recommended as they can have an adverse effect on the CPU of the switch.

Just something to be aware of.

Jon

Jon, you raise a good issue that I thought of before. Still trying to find the answer...

Is PBR in Cisco switches performed in hardware or software? or is it a combination of both. You mention ACLs causing the CPU to spike, but I thought ACL processing is done in TCAM (hardware).

PBR is done in hardware on Cisco switches but depending on the switch there are -

a) certain commands that are not supported

b) certain configurations that can cause packets to be sent to the main CPU ie. software switched.

When you define your acls for PBR using a deny line (which can be quite useful) causes the packets matched by that line to be software switched, or at least they did when i last checked.

So you need to be careful when you use PBR and you need to keep an eye on the CPU usage.

There are a number of threads on this site about PBR and, for example, the 3750 switch and CPU spikes and it is to do with the actual PBR confiiguration normally.

So firstly it's important to look at the configuration guides for your switch together with the IOS version. In the IP routing chapter PBR will be covered and there will guidelines/restrictions as to what is and isn't supported and what you should and shouldn't use in your PBR configuration.

Jon

Interesting. Perhaps it may be a better approach to simply leverage a proxy setting in the browser and depend on normal IP routing to reach the proxy engine. What do you think of that over PBR?