Cisco Web Security (formerly ScanSafe) is a cloud-based web filtering solution. It works pretty well and integrates with AnyConnect, so travelling users also get the policy. Here's a basic config (on the ASA).
One of the things we have to do is configure an ACL on our ASA to permit Cisco's servers (the CWS "towers") access to our Active Directory. The towers perform an LDAP lookup for the username and group membership. You can get the list of servers from your ScanSafe portal.
object-group network SCANSAFE_TOWERS
 description Permit CWS Towers to access LDAP for Authentication
 network-object host 108.171.133.225
 network-object host 80.254.145.4
 network-object host 108.171.131.225
 network-object host 108.171.131.224
 network-object host 108.171.133.224
 network-object host 46.255.41.27
 network-object host 46.255.41.2
Best practice dictates that you create a source whitelist (i.e. your internal hosts that should never be redirected) and a destination whitelist (i.e. public hosts that should never be redirected).
object-group network SOURCE_WHITELIST
 description Hosts that are whitelisted
 network-object host 192.168.10.10
We specifically whitelist internal sites so they will never be blocked. The nested RFC-1918 group has to exist before DESTINATION_WHITELIST can reference it with group-object, so it is defined first.
object-group network RFC-1918
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
object-group network DESTINATION_WHITELIST
 description Websites/IP's that are whitelisted
 group-object RFC-1918
Finally we create the access lists. Note that we only specify TCP 80 and TCP 443, since those are the only protocols currently supported. Remember that these ACLs are consumed by a class-map, not applied to an interface: a matching "deny" entry means the flow does not match the class and is therefore not redirected to CWS (it is not dropped), and a matching "permit" entry sends it to the ScanSafe inspection. Entries are evaluated top down, first match wins, so the whitelist denies must come before the catch-all permit.
access-list HTTP extended deny tcp object-group SOURCE_WHITELIST any eq www
access-list HTTP extended deny tcp any object-group DESTINATION_WHITELIST eq www
access-list HTTP extended permit tcp any any eq www
access-list HTTPS extended deny tcp object-group SOURCE_WHITELIST any eq https
access-list HTTPS extended deny tcp any object-group DESTINATION_WHITELIST eq https
access-list HTTPS extended permit tcp any any eq https
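To check how the class-map evaluates these entries (first match wins; a matching deny exempts the flow from redirection rather than blocking it), here is a small Python evaluator added for this post. It is not Cisco code; it models only the object groups and ACL entries listed above, and the flow tuples it is fed are constructed samples.

```python
import ipaddress

# Object groups copied from the post's config (hypothetical evaluator, not Cisco code).
RFC_1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
OBJECT_GROUPS = {
    "SOURCE_WHITELIST": [ipaddress.ip_network("192.168.10.10/32")],
    "DESTINATION_WHITELIST": RFC_1918,
    "any": [ipaddress.ip_network("0.0.0.0/0")],
}
PORTS = {"www": 80, "https": 443}

# ACL entries in the order the post lists them: (action, src_group, dst_group, service)
ACL_HTTP = [
    ("deny", "SOURCE_WHITELIST", "any", "www"),
    ("deny", "any", "DESTINATION_WHITELIST", "www"),
    ("permit", "any", "any", "www"),
]
ACL_HTTPS = [
    ("deny", "SOURCE_WHITELIST", "any", "https"),
    ("deny", "any", "DESTINATION_WHITELIST", "https"),
    ("permit", "any", "any", "https"),
]


def _in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OBJECT_GROUPS[group])


def class_action(acl, src, dst, dport):
    """Return 'inspect' if the flow matches the CWS class (ACL permit),
    'bypass' if a deny entry exempts it from redirection, or 'no-match'
    if no entry matches at all (e.g. a non-web port)."""
    for action, sgrp, dgrp, svc in acl:
        if dport == PORTS[svc] and _in_group(src, sgrp) and _in_group(dst, dgrp):
            return "inspect" if action == "permit" else "bypass"
    return "no-match"


if __name__ == "__main__":
    # Constructed sample flows: an ordinary host to the internet, the whitelisted
    # host, and an internal destination covered by RFC-1918.
    for flow in (("192.168.20.5", "203.0.113.10", 80),
                 ("192.168.10.10", "203.0.113.10", 80),
                 ("192.168.20.5", "10.1.1.1", 443)):
        acl = ACL_HTTP if flow[2] == 80 else ACL_HTTPS
        print(flow, "->", class_action(acl, *flow))
```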
Next we start the CWS configuration. The server FQDNs and port you need to enter are provided to you by Cisco via email when you sign up for the service. The license key is also included in that email, and it is available in the portal as well. You will need to configure (internal) DNS on the ASA so it can resolve these names.
scansafe general-options
 server primary fqdn access4.cws.sco.cisco.com port 8080
 server backup fqdn access6.cws.sco.cisco.com port 8080
 retry-count 5
 license ************** encrypted
Our next step is to configure AAA on the ASA and have it point to our Active Directory. This example covers connecting to one server; for redundancy, configure at least two. Note that this binds over plain LDAP on port 389, which sends the ldap-login-dn password in clear text across the inside network; if your domain controllers have certificates, the ASA also supports ldap-over-ssl on port 636. The aaa-server group needs the protocol ldap line before the host entry can be added.
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host MY-DC1
 server-port 389
 ldap-base-dn DC=packetpros,DC=com
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn CN=ldap-asa,OU=Accounts-Service,OU=Accounts,DC=packetpros,DC=com
 server-type microsoft
 ldap-attribute-map LDAP-MAPS
Next we create an LDAP attribute map. This allows us to map different AD groups to different policies. For example, if you're a member of the 'Users – Web Security' group you will be mapped to the RegularUsers policy.
ldap attribute-map LDAP-MAPS
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=Users - Web Security,OU=Security,OU=Groups,DC=packetpros,DC=com" RegularUsers
 map-value memberOf "CN=Vendors - Web Security,OU=Security,OU=Groups,DC=packetpros,DC=com" NoCWS-GroupPolicy
 map-value memberOf "CN=Users - ANYCONNECT,OU=Security,OU=Groups,DC=packetpros,DC=com" GroupPolicy_ssl-vpn
Our next step is to configure the firewall for identity. We use CDA (Context Directory Agent) for this. We configure the 'user-group' to permit/deny users to specific sites. For example, anyone who is a member of "CWS – Facebook" can access Facebook. If a user is not a member of the group, evaluation continues down the list and on to the CWS policy to determine an action. The CDA-AGENT aaa-server referenced by the ad-agent line (the definition that points at the CDA itself) is not shown here.
user-identity domain PACKET aaa-server ActiveDirectory
user-identity default-domain PACKET
user-identity action netbios-response-fail remove-user-ip
user-identity ad-agent aaa-server CDA-AGENT
user-identity user-not-found enable
user-identity monitor user-group "PACKET\\CWS - Facebook"
Alright, we're almost there. We need to create class maps that match the ACLs we built earlier.
class-map HTTPS-CWS
 match access-list HTTPS
class-map HTTP-CWS
 match access-list HTTP
Now we configure the ScanSafe inspection policy maps so we can apply them to the service policy next. The WHITELIST class referenced here is a class-map type inspect scansafe (matching users or groups to exempt from filtering); its definition is not shown in this post.
policy-map type inspect scansafe HTTPS-PMAP
 parameters
  default group TCP-443
  https
 class WHITELIST
  whitelist
policy-map type inspect scansafe HTTP-PMAP
 parameters
  default group TCP-80
  http
 class WHITELIST
  whitelist
And the Layer 3/4 policy map that ties the class maps to the inspection policy maps. We can fail-open (permit all web traffic unfiltered if the towers are unreachable) or fail-close (deny all web traffic in that case).
policy-map inside-policy
 class HTTP-CWS
  inspect scansafe HTTP-PMAP fail-open
 class HTTPS-CWS
  inspect scansafe HTTPS-PMAP fail-open
The last step is to apply the service policy to the inside interface.
service-policy inside-policy interface inside
We can test that everything is working properly by opening a web browser and entering the URL http://whoami.scansafe.net. You should receive a page that lists your username, what groups you belong to, etc.
authUserName: CISCO\user
authenticated: true
companyName: Cisco
connectorGuid: ABC012345AB
connectorVersion: AP_ASA-x.x(x)
countryCode: US
externalIp: 12.34.56.78
groupNames: []
internalIp: 1.2.3.4
logicalTowerNumber: 1782
staticGroupNames:
- CISCO\Group
userName: CISCO\user