With Ryan Wager
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about design, configuration and troubleshooting of the Cisco Web Security Solutions including Cisco IronPort WSA and Cisco ScanSafe with Cisco experts Kiran Sirupa and Ryan Wager. Kiran Sirupa is a technical marketing engineer in the product marketing team for the Cisco IronPort Web Security Appliance product line. He also works on documentation, partner, and system engineering training. Kiran has been working in the Cisco Security Technologies group for more than six years. Ryan Wager is a technical marketing engineer at Cisco in the product management team for the ScanSafe Web Security platform. He is heavily involved with the product's integration with the Cisco Integrated Services Router Generation 2 platform, along with documentation, training, and testing of all new products and features. Before joining the product management team, Wager spent two years as an implementation engineer helping ScanSafe's largest customers implement the platform into their networks.
Remember to use the rating system to let Kiran and Ryan know if you have received an adequate response.
They might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through October 7, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
Hello, I would like to know what's the difference between Cisco IronPort Web Usage Controls and Cisco IronPort URL filters. Can you please explain how these two differ?
Sure, Cisco IronPort Web Usage Controls is created and maintained by Cisco. This database has over 65 URL categories as part of the static list. In addition, CIWUC contains on-box dynamic categorization technology to provide enhanced on-the-fly acceptable use controls for previously unknown Web 2.0 sites. In addition, this URL database is used as a key component for Application Visibility and Control. Cisco IronPort URL filters is a static URL list that contains approximately 52 URL categories. This technology will not be used to leverage many of the value added features available in Async OS 7.0 such as Application Visibility and Control.
The WSA offers two different kinds of reporting:
The on-box reporting offers valuable insight into overall web activity, as well as threat identification and prevention, within corporate networks. The reports are designed to provide actionable information as well as historical trends. Enhanced reporting gives enterprises visibility into policy and security violations. SMA reports have the same functionality as WSA reports, but present aggregated information for all WSAs managed.
The second option for reporting is "Splunk for WSA", an off-box reporting tool. Splunk for WSA covers specific use cases not covered by on-box reporting:
Hi Kiran and Ryan, I want to know the difference between Data Security Integrity and full DLP integration. Can you explain this in detail?
Data Security Policies are delivered via an on-box mechanism. DLP integration leverages standards-based ICAP to hand content to a separate DLP server for additional scanning. Data Security Policies allow for simple no-nonsense policies by blocking HTTP POSTs based on content meta-data. The classic example is to block all outbound Microsoft Office documents that are being sent out through Gmail. DLP integration allows customers to further leverage their existing investments to provide additional granularity. For instance, the WSA can take all outbound webmail attachments and hand them via ICAP to Vontu / Tablus to scan the actual file contents as opposed to just file metadata.
With a datacenter, you have the CPU capacity of over 600+ cores in many instances to do a level of deep content analysis, structural content investigation, and virtualized script emulation from a heuristic scanning standpoint that can simply not be attained by an appliance solution. Even when comparing Cisco to other cloud services, the level of disparity is astronomical in terms of the level of CPU we have built into our DCs versus theirs.
Could you explain to me which functions IronPort will support (Anti-Virus, Anti-Malware, etc.) when working in Transparent or Forwarding mode in an environment with an existing proxy? I can't find this information in the User Guide.
Yes, the IronPort WSA will support all the security functions including Anti-Virus, Anti-Malware, Anti-Spyware, Web Reputation when working in conjunction with an existing proxy.
There are two conditions:
1. WSA acts as an upstream proxy - In this case, the authentication will be handled by your existing proxy, but the WSA is the first layer of defense. The WSA will perform a lookup in its web reputation database based on the destination. Also, the WSA can scan the HTTP response with Anti-Virus, Anti-Spyware and Anti-Malware software. However, since the WSA doesn't have user authentication information, you can only apply global controls for Acceptable Use.
2. WSA has to go through an existing upstream proxy - In this case, the WSA has all the security functionality. In addition, it also handles the authentication. Hence, you can apply role based controls.
You may refer to the following links for more information:
WSA Product Literature: http://www.cisco.com/en/US/products/ps10164/prod_literature.html
Cisco Security Reports: http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html
Cisco Security Intelligence Operations: http://tools.cisco.com/security/center/home.x
I would like to know about Cisco IronPort Web: is it a hardware box or simply a software application? I would be thankful if you could provide me with the range of prices for it.
Cisco offers Web Security in two form factors: Hosted or On-Premise.
The Cisco Ironport WSA (Web Security Appliance) is a hardware box.
Pricing depends on the number of users, hardware and features enabled. There are multiple bundles and we also offer flexible licenses to choose various combinations of security services.
The Cisco ScanSafe Cloud Web Security is a SaaS (Software as Service) solution. In this model, the end-user web traffic will be redirected to the nearest Cisco ScanSafe datacenter to apply web filtering and web security. Pricing depends on length of the contract and number of users.
Please contact your favorite Cisco Partner or Cisco Account team for detailed pricing information.
I have a real IP and I want to spread it into a VLAN by using NAT. The device is an ASA 5505. The configuration is as follows:
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 ospf authentication null
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 188.8.131.52 255.255.255.192
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 184.108.40.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
With this configuration I am not able to communicate. Maybe there is a problem with this config.
If you could help me I would really appreciate it.
Thanks in advance,
Hi Andis, I suspect this statement has a typo:
route outside 0 0 220.127.116.11 1
May be it should be the default gateway: 'route outside 0 0 18.104.22.168 1'
Hope this helps.
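The check Ryan applies by eye above, that the default route's next hop actually lies inside the outside interface's subnet, is easy to automate. The following script is an added example written for this page, not code from the thread or from Cisco; it parses an ASA-style running config for interface addresses, static routes and the classic nat/global pairs, and reports a next hop that is off-subnet or a nat id with no matching global. The configuration text it runs on is constructed (RFC 5737 documentation addresses in the same layout as the poster's ASA 5505 config), and the function and regex names are the example's own.

```python
"""Lint an ASA-style config for two common reasons an 'inside' network
cannot reach the Internet: a static route whose next hop is not on the
egress interface's subnet, and a nat statement with no matching global.
Added example for this thread; the sample config below is constructed."""
import ipaddress
import re

# Constructed sample modelled on the poster's ASA 5505 layout (RFC 5737
# documentation ranges, not the poster's addresses). The default route
# points at 198.51.100.1, which is not in the outside /26.
SAMPLE_BAD = """
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.52 255.255.255.192
!
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
"""

# Same config with the next hop corrected to a gateway inside the outside subnet.
SAMPLE_GOOD = SAMPLE_BAD.replace("198.51.100.1", "203.0.113.1")

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for each interface that has an ip address."""
    result = {}
    current = None

    def flush():
        if current and current["nameif"] and current["addr"]:
            result[current["nameif"]] = current["addr"]

    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            flush()
            current = {"nameif": None, "addr": None}
        elif current is not None and s.startswith("nameif "):
            current["nameif"] = s.split()[1]
        elif current is not None and s.startswith("ip address "):
            _, _, ip, mask = s.split()
            # ipaddress accepts dotted netmasks, so "a.b.c.d/255.255.255.192" parses.
            current["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif s == "!":
            flush()
            current = None
    flush()
    return result


def check_routes(config):
    """Flag static routes whose next hop is not on the named interface's subnet."""
    ifaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, _dst, _mask, nexthop = m.groups()
        if ifname not in ifaces:
            findings.append(f"route via unknown interface {ifname}: {line.strip()}")
            continue
        if ipaddress.ip_address(nexthop) not in ifaces[ifname].network:
            findings.append(
                f"next hop {nexthop} is not in {ifname} subnet {ifaces[ifname].network}")
    return findings


def check_nat(config):
    """Flag pre-8.3 style nat ids that have no matching global statement."""
    nat_ids, global_ids = {}, set()
    for line in config.splitlines():
        s = line.strip()
        if m := NAT_RE.match(s):
            nat_ids.setdefault(m.group(2), []).append(m.group(1))
        if m := GLOBAL_RE.match(s):
            global_ids.add(m.group(2))
    return [f"nat id {i} on {','.join(v)} has no matching global"
            for i, v in nat_ids.items() if i not in global_ids]


def lint(config):
    """Run every check and return the combined list of findings."""
    return check_routes(config) + check_nat(config)


if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint(cfg) or "no findings")
```

Run it against a saved `show running-config` and the first finding on the constructed sample is exactly the symptom Ryan points at: the next hop is outside the /26 on Vlan2, so the ASA can never ARP for its gateway and nothing leaves the box, regardless of how correct the nat and global lines are.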