
Cisco IronPort AsyncOS 7.5.0 User Guide for Web Security Appliances PDF

638 Pages·2012·10.65 MB·English

Preview Cisco IronPort AsyncOS 7.5.0 User Guide for Web Security Appliances

Cisco IronPort AsyncOS 7.5 for Web User Guide
February 16, 2012

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco IronPort AsyncOS 7.5 for Web User Guide
© 2012 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1 Getting Started with the Web Security Appliance
What’s New in This Release
How to Use This Guide
Before You Begin
Where to Find More Information
Documentation Set
Security Training Services & Certification
Knowledge Base
Cisco Support Community
Cisco IronPort Customer Support
Third Party Contributors
Cisco Welcomes Your Comments
Web Security Appliance Overview

CHAPTER 2 Using the Web Security Appliance
Understanding How the Web Security Appliance Works
Web Proxy
The L4 Traffic Monitor
Administering the Web Security Appliance
System Setup Wizard
Accessing the Web Security Appliance
Using the Command Line Interface (CLI)
Using an Ethernet Connection
Using a Serial Connection
Reporting and Logging
Navigating the Web Security Appliance Web Interface
Logging In
Browser Requirements
Supported Languages
Reporting Tab
Web Security Manager Tab
Security Services Tab
Network Tab
System Administration Tab
Committing and Clearing Changes
Committing and Clearing Changes in the Web Interface
Committing Changes
Clearing Changes
Committing and Clearing Changes in the CLI
Checking for Web Proxy Restart on Commit
The Cisco SensorBase Network
Sharing Data

CHAPTER 3 Deployment
Deployment Overview
Preparing for Deployment
Appliance Interfaces
Management Interface
Data Interfaces
L4 Traffic Monitor Interfaces
Example Deployment
Deploying the Web Proxy in Explicit Forward Mode
Configuring Client Applications
Connecting Appliance Interfaces
Testing an Explicit Forward Configuration
Deploying the Web Proxy in Transparent Mode
Connecting Appliance Interfaces
Connecting the Appliance to a WCCP Router
Configuring the Web Security Appliance
Configuring the WCCP Router
Example WCCP Configurations
Example 1
Example 2
Example 3
Working with Multiple Appliances and Routers
Using the Web Security Appliance in an Existing Proxy Environment
Transparent Upstream Proxy
Explicit Forward Upstream Proxy
Deploying the L4 Traffic Monitor
Connecting the L4 Traffic Monitor
Configuring an L4 Traffic Monitor Wiring Type
Physical Dimensions

CHAPTER 4 Installation and Configuration
Before You Begin
Connecting a Laptop to the Appliance
Connecting the Appliance to the Network
Gathering Setup Information
DNS Support
System Setup Wizard
Accessing the System Setup Wizard
Step 1. Start
Step 2. Network
Step 3. Security
Step 4. Review

CHAPTER 5 FIPS Management
FIPS Management Overview
Understanding How FIPS Management Works
Initializing the HSM Card
Logging into the FIPS Management Console
Working with the FIPS Officer Password
Supported Certificate Types
Logging
Managing Certificates and Keys
Uploading a Certificate and Key for Secure Authentication
Uploading and Generating a Certificate and Key for the HTTPS Proxy
Uploading and Generating a Certificate and Key for SaaS Access Control
Backing up and Restoring Certificates and Keys
Backing up Certificates and Keys
Restoring Certificates and Keys
Using the fipsconfig CLI Command
Working with Multiple HSM Cards

CHAPTER 6 Web Proxy Services
About Web Proxy Services
Web Proxy Cache
Configuring the Web Proxy
Working with FTP Connections
Using Authentication with Native FTP
Working with Native FTP in Transparent Mode
Configuring FTP Proxy Settings
Bypassing the Web Proxy
Understanding How the Proxy Bypass List Works
Using WCCP with the Proxy Bypass List
Bypassing Application Scanning
Proxy Usage Agreement
Configuring Client Applications to Use the Web Proxy
Working with PAC Files
PAC File Format
Creating a PAC File for Remote Users
Specifying the PAC File in Browsers
Entering the PAC File Location
Detecting the PAC File Location Automatically
Adding PAC Files to the Web Security Appliance
Specifying the PAC File URL
Uploading PAC Files to the Appliance
Understanding WPAD Compatibility with Netscape and Firefox
Advanced Proxy Configuration
Authentication Options
Caching Options
DNS Options
EUN Options
NATIVEFTP Options
FTPOVERHTTP Options
HTTPS Options
Scanning Options
Miscellaneous Options

CHAPTER 7 Working with Policies
Working with Policies Overview
Policy Types
Identities
Decryption Policies
Routing Policies
Access Policies
Cisco IronPort Data Security Policies
External DLP Policies
Outbound Malware Scanning Policies
SaaS Application Authentication Policies
Working with Policy Groups
Creating Policy Groups
Using the Policies Tables
Policy Group Membership
Authenticating Users versus Authorizing Users
Working with Failed Authentication and Authorization
Working with All Identities
Policy Group Membership Rules and Guidelines
Working with Time Based Policies
Creating Time Ranges
Working with User Agent Based Policies
Configuring User Agents for Policy Group Membership
Exempting User Agents from Authentication
Tracing Policies

CHAPTER 8 Identities
Identities Overview
Evaluating Identity Group Membership
Understanding How Authentication Affects Identity Groups
Understanding How Authentication Affects HTTPS and FTP over HTTP Requests
Understanding How Authentication Scheme Affects Identity Groups
Matching Client Requests to Identity Groups
Allowing Guest Access to Users Who Fail Authentication
Identifying Users Transparently
Understanding Transparent User Identification
Transparent User Identification with Active Directory
Transparent User Identification with Novell eDirectory
Rules and Guidelines
Configuring Transparent User Identification
Using the CLI to Configure Transparent User Identification
Creating Identities
Configuring Identities in Other Policy Groups
Example Identity Policies Tables
Example 1
Example 2

CHAPTER 9 Access Policies
Access Policies Overview
Access Policy Groups
Understanding the Monitor Action
Evaluating Access Policy Group Membership
Matching Client Requests to Access Policy Groups
Creating Access Policies
Controlling HTTP and Native FTP Traffic
Protocols and User Agents
URL Categories
Applications
Object Blocking
Web Reputation and Anti-Malware
Blocking Specific Applications and Protocols
Blocking on Port 80
Policy: Protocols and User Agents
Policy: URL Categories
Policy: Objects
Blocking on Ports Other Than 80

CHAPTER 10 Working with External Proxies
Working with External Proxies Overview
Routing Traffic to Upstream Proxies
Adding External Proxy Information
Evaluating Routing Policy Group Membership
Matching Client Requests to Routing Policy Groups
Creating Routing Policies

CHAPTER 11 Decryption Policies
Decryption Policies Overview
Decryption Policy Groups
Personally Identifiable Information Disclosure
Understanding the Monitor Action
Digital Cryptography Terms
HTTPS Basics
SSL Handshake
Digital Certificates
Validating Certificate Authorities
Validating Digital Certificates
Decrypting HTTPS Traffic
Mimicking the Server Digital Certificate
Working with Root Certificates
Using Decryption with the AVC Engine
Using Decryption with AOL Instant Messenger
Converting Certificate and Key Formats
Enabling the HTTPS Proxy
Evaluating Decryption Policy Group Membership
Matching Client Requests to Decryption Policy Groups
Creating Decryption Policies
Controlling HTTPS Traffic
Bypassing Decryption
Importing a Trusted Root Certificate
Logging

CHAPTER 12 Outbound Malware Scanning
Outbound Malware Scanning Overview
User Experience with Blocked Requests
Outbound Malware Scanning Policy Groups
Evaluating Outbound Malware Scanning Policy Group Membership
Matching Client Requests to Outbound Malware Scanning Policy Groups
Creating Outbound Malware Scanning Policies
Controlling Upload Requests Using Outbound Malware Scanning Policies
Logging

CHAPTER 13 Data Security and External DLP Policies
Data Security and External DLP Policies Overview
Bypassing Upload Requests Below a Minimum Size
User Experience with Blocked Requests
Working with Data Security and External DLP Policies
Data Security Policy Groups
External DLP Policy Groups
Evaluating Data Security and External DLP Policy Group Membership
Matching Client Requests to Data Security and External DLP Policy Groups
Creating Data Security and External DLP Policies
Controlling Upload Requests Using Cisco IronPort Data Security Policies
URL Categories
Web Reputation
Content Blocking
Defining External DLP Systems
Configuring External DLP Servers
Controlling Upload Requests Using External DLP Policies
Logging

CHAPTER 14 Achieving Secure Mobility
Achieving Secure Mobility Overview
Working with Remote Users
Enabling Secure Mobility
Transparently Identifying Remote Users
Logging
Configuring Secure Mobility Using the CLI

CHAPTER 15 Controlling Access to SaaS Applications
SaaS Access Control Overview
Understanding How SaaS Access Control Works
Authenticating SaaS Users
Authentication Requirements
Enabling SaaS Access Control
Understanding the Single Sign-On URL
Using SaaS Access Control with Multiple Appliances
Configuring the Appliance as an Identity Provider
Creating SaaS Application Authentication Policies

CHAPTER 16 Notifying End Users
Notifying End Users of Organization Policies
Configuring General Settings for Notification Pages
Working With On-Box End-User Notification Pages
Configuring On-Box End-User Notification Pages
Editing On-Box End-User Notification Pages
Rules and Guidelines for Editing On-Box End-User Notification Pages
Using Variables in Customized On-Box End-User Notification Pages
Defining End-User Notification Pages Off-Box
Rules and Guidelines
End-User Notification Page Parameters
Redirecting End-User Notification Pages to a Custom URL

Description:
A WCCP service is an appliance configuration that defines a service group to a WCCP v2 router. It see the Web Security appliance QuickStart Guide.