Tag: web

Cisco Web Security Appliance introduction

Leave a comment

In this and upcoming posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda for the upcoming weeks:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
In this blog we’ll talk about the product introduction.
The Cisco Web Security Appliance (WSA) is an appliance for securing http, https and ftp traffic from (and to) the internet.
The WSA replaces all, or most of these devices in your network:
Firewall
Webproxy
Anti spyware
Antivirus
URL Filtering
Policy management
As you can see, it’s more than just a regular proxy server.
The internet provides a lot of websites, good websites and bad websites. There are a lot of websites which are not work related for a lot of companies. If you want to limit or block those websites for users, the WSA is the product for you. Limitation can be time based, bandwidth based, user based or category based (79 categories). Road warriors (remote users) can be protected too by Anyconnect security or Web cloud Security, also known as Scansafe.
Read more

Cisco WSA Defending Malware

Leave a comment

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the last post in the series.
Malware.. we all know that we don’t want it. But how do we block it?
All websites have a Web based reputation number (WBRS). This is a number between -10 and +10. You can define what ranges are used for what action. Think about: -10 to -5 drop, -4 to +5 scan, +6 to +10 do not scan. The WSA receives regulary updates with new reputations.
Note: these features are licensed!
Read more

Cisco ISE Part 9: Guest and web authentication

5 comments

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Webauthentication can be used for guest access. It can also being used for a last resort for authentication of normal users if the 802.1x supplicant is not working. Access to this portal can be done by a remediation VLAN with limited access to resources. The portal is using HTTP and HTTPS,  because of limited access, the NAD (or WLC) will intercept the HTTP request and redirects it to the web portal.
There are two portals: Guest user portal is a portal the guest is using for logging in. The Sponsor portal is a portal being used by company employees for creating and managing guest accounts. The guest portal is customizable in available options for guest users.
To manage the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) are replicated to all nodes. So, there is a central deployment.
You can configure multiple authorization sources in one rule. So, you can use one SSID for all used: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need of posture client
  • self service
  • device registration
  • DHCP settings
  • Policies
  • etc

guestportal1
guestportal2
Read more