Thursday, May 11, 2017

300-210 1.2.b Cisco Web Security Appliance - Implement data security

When implementing data security, the first thing that needs to be done is to enable the Cisco Data Security Filters service (see Security Services > Data Transfer Filters).  Don't forget to commit changes.  The Data Security page looks like this initially:
A Global Policy is provided by default, but it has no initial rules.  Note that only the Content filters are available out of the box; both URL Filtering and Web Reputation require additional licenses to enable.
Clicking the Content link opens up the following page:
In addition to setting the maximum HTTP/HTTPS and FTP upload file size, this page lets you block specific file types, add custom MIME types, and list explicit file names to block.

The URL filtering options open up the following page:
This page allows the admin to either monitor or block certain types of traffic.  Common types of traffic that are blocked include pornography, gambling, and video games.

The Web Reputation link opens up the following page:
The slider can be moved back and forth to set where the WSA switches between monitoring and blocking based on the Web Reputation score.  The lower the number, the less trusted the site.  The slider only moves between -10 and 0, although website trust scores go all the way up to +10, so sites with a reputation score above zero cannot be blocked.
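To make the three policy pages above concrete, here is an added toy evaluator (not Cisco code) that applies a Data Security policy of that shape, Content, URL Filtering and Web Reputation, to a single outbound upload. The sample rule values, the request fields and the order in which the checks run are assumptions, not the appliance's actual processing order.

```javascript
// Added example (not Cisco code): apply a WSA-style Data Security policy
// (Content, URL Filtering, Web Reputation) to one outbound upload request.
const MB = 1024 * 1024;
const samplePolicy = {                       // constructed sample policy
  maxUploadBytes: 10 * MB,                   // HTTP/HTTPS and FTP upload ceiling
  blockedExtensions: ["exe", "dll", "zip"],  // file types to block
  blockedMimeTypes: ["application/x-msdownload", "application/zip"],
  blockedFileNames: ["customer-list.xlsx"],  // explicit file names to block
  urlCategories: { gambling: "block", pornography: "block", games: "monitor" },
  reputationBlockBelow: -6,                  // slider position; valid range is -10..0
};

function validatePolicy(p) {
  // The slider only runs from -10 to 0, so a site with a positive score
  // can never be blocked on reputation alone.
  if (p.reputationBlockBelow < -10 || p.reputationBlockBelow > 0) {
    throw new RangeError("reputation threshold must be between -10 and 0");
  }
}

// req: { category, reputation, fileName, mimeType, sizeBytes }
function evaluateUpload(p, req) {
  validatePolicy(p);
  const block = (reason) => ({ action: "block", reason });
  if (req.reputation < p.reputationBlockBelow) {
    return block(`web reputation ${req.reputation} is below ${p.reputationBlockBelow}`);
  }
  const category = p.urlCategories[req.category];   // undefined => not filtered
  if (category === "block") return block(`URL category ${req.category} is blocked`);
  const name = req.fileName.toLowerCase();
  const ext = name.includes(".") ? name.split(".").pop() : "";
  if (p.blockedFileNames.includes(name)) return block(`file name ${req.fileName} is blocked`);
  if (p.blockedExtensions.includes(ext)) return block(`file type .${ext} is blocked`);
  if (p.blockedMimeTypes.includes(req.mimeType)) return block(`MIME type ${req.mimeType} is blocked`);
  if (req.sizeBytes > p.maxUploadBytes) {
    return block(`upload of ${req.sizeBytes} bytes exceeds ${p.maxUploadBytes}`);
  }
  // "monitor" logs the transaction but still lets it through
  return { action: category === "monitor" ? "monitor" : "allow", reason: "no rule matched" };
}
```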

When adding a new policy group, the screen looks like this:

The Global Policy will always be the last.  Any new policies can be ordered the way you like, above the Global Policy.  Advanced settings can be configured now, during policy creation, or afterwards, from the main Data Security page.

Tuesday, May 9, 2017

300-210 1.2.a Cisco Web Security Appliance - Describe features and functionality

Talos Security Intelligence
Talos provides 24/7 rule updates to protect against new threats.  It continually generates new rules to combat zero-hour threats and sends them down to the WSA every 3 to 5 minutes.

Cisco Web Usage Controls
A web URL database of blocked sites used for dynamic content filtering.  It categorizes websites based on scans of their text, scoring of that text for relevancy, and calculation of model document proximity, and it generates a score that can be used for trust decisions.

Advanced Malware Protection
AMP requires an additional license.  Enables malware detection and blocking, continuous analysis, and retrospective alerting. Augments the malware detection and blocking capabilities already offered in the Cisco WSA with enhanced file reputation capabilities, detailed file-behavior reporting, continuous file analysis, and retrospective verdict alerting. The Cisco AMP Threat Grid delivers malware protection through an on-premises appliance for organizations that have compliance or policy restrictions on submitting malware samples to the cloud. The Layer 4 Traffic Monitor continuously scans activity, detecting and blocking spyware “phone-home” communications. By tracking all network applications, the Layer 4 Traffic Monitor effectively stops malware that attempts to bypass classic web security solutions. It dynamically adds IP addresses of known malware domains to its list of malicious entities to block.

Cognitive Threat Analytics
A cloud-based tool that identifies the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection.  Requires an add-on license.

Application Visibility and Control (AVC)
Allows blocking/allowing applications (database is constantly updated).  Also allows customized bandwidth and time quotas per user, per group, and per policy.

Data Loss Prevention (DLP)
Creates context-based rules for basic DLP. The Cisco WSA also uses Internet Content Adaptation Protocol (ICAP) to integrate with third-party DLP solutions for deep content inspection and enforcement of DLP policies. The Cisco WSA also supports Secure ICAP to encrypt the traffic exchanged between WSA and third-party DLP solutions.

Roaming-User Protection
Integrates with AnyConnect and Cisco ISE for VPN usage.

Centralized Management and Reporting
A centralized management tool to control operations, manage policies, and view reports. Cisco® Web Security Reporting Application is a reporting solution that rapidly indexes and analyzes logs produced by Cisco Web Security Appliances (WSA) and Cisco Cloud Web Security (CWS).

Flexible Deployment
Available as a physical appliance or as a virtual appliance.  Both versions can work alongside one another.

Deployment:
Two deployment options available
  • Explicit mode (proxy automatic configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings)
  • Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers)
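Explicit mode relies on the client knowing about the proxy, and a PAC file is the usual way to hand that out. The PAC file below is an added example, not from the post or from Cisco: the proxy hostnames, the internal domain and the private ranges are assumed, and the PAC helper functions (which browsers provide) are given small stand-ins so the file can also be run and tested under Node.

```javascript
// Added example: a minimal PAC file for a WSA explicit-mode deployment.
// Assumed: two WSAs at wsa-1/wsa-2.example.com on 3128 (the WSA's default
// proxy port), internal domain corp.example.com, private ranges 10/8 and 192.168/16.
// Stand-ins for PAC built-ins so this runs under Node; browsers supply their own.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function ipToInt(ip) { return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0; }
function isInNet(ip, net, mask) {
  // Real PAC engines resolve hostnames here; this stand-in only handles literal IPs.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// Assumed WSA pair; the browser tries them in order.
const WSA_PROXIES = "PROXY wsa-1.example.com:3128; PROXY wsa-2.example.com:3128";

function FindProxyForURL(url, host) {
  // Intranet, loopback and RFC 1918 destinations stay off the proxy.
  if (isPlainHostName(host) || host === "127.0.0.1" || host === "localhost") return "DIRECT";
  if (dnsDomainIs(host, ".corp.example.com")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") || isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through the WSA. No trailing "; DIRECT": if both
  // appliances are down the browser fails closed rather than bypassing policy.
  return WSA_PROXIES;
}
```

Appending `; DIRECT` to the return value would keep users browsing during a WSA outage, but it also lets a client that cannot reach the proxy (or is made unable to) skip every policy on the page above; choose deliberately.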

Licenses:

  • Cisco Web Security Essentials
    • Threat Intelligence via Cisco Talos
    • Layer 4 traffic monitoring
    • Application Visibility and Control (AVC)
    • Policy management
    • Actionable reporting
    • URL filtering
    • Third-party DLP integration via ICAP
  • Cisco Anti-Malware
    • Real-time malware scanning
  • Cisco Web-Security Premium
    • Web Security Essentials
    • Real-time Malware Scanning
  • Advanced Malware Protection
    • AMP augments anti-malware detection and blocking capabilities with file reputation scoring and blocking, static and dynamic file analysis (sandboxing), and file retrospection for continuous analysis of threats.
  • Cognitive Threat Analysis
    • CTA relies on advanced statistical modeling and machine learning to independently identify new threats, learn from what it sees, and adapt over time.
  • McAfee Anti-Malware
    • McAfee real-time malware scanning is available as a single, à la carte license.