Cisco launched this feature at Interop last month. In a nutshell, it provides IOS routers with intelligent, identity-aware traffic redirection to the Cisco ScanSafe web security cloud offering. ScanSafe provides the following web security features as a cloud service:
- URL Filtering
- Scanlets analyze all elements of a web request including HTML, JavaScript, Flash and even obfuscated active scripts
- Zero-day malware prevention
- Protection against Phishing attacks
- Granular Reporting with a multi-tenant design
- 100% uptime over the last 8+ years
- Heuristic Malware identification
Here is a graphical look at how each web request is processed in the cloud:
This means that HTTP and HTTPS traffic will be redirected from the router to the ScanSafe cloud, where it will be filtered according to your policy settings. In addition to redirecting the traffic, the ISR G2 also provides identity (group- and user-based) to ScanSafe for granular policy selection. Identity can be obtained using multiple methods (AD, web authentication, etc.), but Active Directory will probably be the most popular. The router encrypts all identity information before it is sent to the cloud.
This type of feature allows companies to securely stop back-hauling web traffic from remote-site VPNs to the central site and back out again. It also allows for a common web security policy across remote sites, central sites, and even remote hosts with the AnyConnect ScanSafe integration. Sending web traffic directly to the Internet improves performance and user satisfaction and decreases the bandwidth requirements at HQ. Here is a simple graphic to illustrate this intelligent redirection of web traffic.
Now on to how you configure this on the router.
First, configure identity on the router. This example will focus on Active Directory LDAP integration.
ldap server ad-server
 ipv4 10.0.1.250
 transport port 3268
 bind authenticate root-dn cn=scansafe,cn=users,dc=test,dc=localdomain password 7 4424A34232
 base-dn dc=test,dc=localdomain
 search-filter user-object-type top
 authentication bind-first
Next, create an LDAP server group:
aaa group server ldap ad-servers
 server ad-server
Now define IP admission control:
aaa authentication login cs-aaa group ad-servers
aaa authorization network cs-aaa group ad-servers
aaa accounting network cs-aaa none
ip admission virtual-ip 1.1.1.1
ip admission name csauth ntlm
ip admission name csauth order ntlm
ip admission name csauth method-list authentication cs-aaa authorization cs-aaa accounting cs-aaa
ip http server
interface GigabitEthernet0/1
 ! internal interface
 ip admission csauth
Now that we have identity configured, we move on to the ScanSafe redirection commands:
parameter-map type content-scan global
 server scansafe primary ipv4 72.37.244.147 port http 8080 https 8080
 server scansafe secondary ipv4 80.254.145.147 port http 8080 https 8080
 ! the ScanSafe license key follows the 0; it is not shown in this post
 license 0 <license-key>
 source interface GigabitEthernet0/0
 timeout server 30
 user-group ciscogroup username ciscouser
 logging
 server scansafe on-failure block-all
Turn on content scanning on the external interface:
interface GigabitEthernet0/0
 ! external interface
 ip address 128.107.150.75 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out
 content-scan out
To whitelist sites (and user agents), create regex parameter maps and reference them under content-scan whitelisting, as in the following example:
parameter-map type regex site_param
 pattern google
 pattern cisco
parameter-map type regex browser_param
 pattern Chrome
content-scan whitelisting
 whitelist header user-agent regex browser_param
 whitelist header host regex site_param
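As an added illustration (not code from this post or from Cisco), the following Python models the per-request decision the router makes with the configuration above: whitelist check against the Host and User-Agent headers, redirection to the primary or secondary ScanSafe tower, the on-failure policy once both towers are unreachable, and the identity attached to the redirected request. It assumes that regex patterns are evaluated as unanchored, case-sensitive searches against the header value, that "user-group ciscogroup username ciscouser" is the identity sent when the router has no ip admission session for the client, and that "on-failure block-all" applies after the server timeout expires on both towers; the session table, the anchored patterns and all hostnames are constructed for the example.

```python
import re

# Constructed model of the content-scan decision path described in the post.
# It is an illustration, not Cisco's implementation: the model assumes the
# regex parameter-map patterns are applied to HTTP header values as an
# unanchored, case-sensitive search (Python's re.search semantics).

# parameter-map type regex site_param / browser_param, as in the post
SITE_PARAM = ["google", "cisco"]
BROWSER_PARAM = ["Chrome"]

# content-scan whitelisting: header name -> patterns that bypass the cloud
WHITELIST = {"host": SITE_PARAM, "user-agent": BROWSER_PARAM}

# Assumed tighter host patterns, anchored to an exact domain, for contrast
ANCHORED_SITE_PARAM = [r"^(www\.)?google\.com$", r"^(www\.)?cisco\.com$"]
ANCHORED_WHITELIST = {"host": ANCHORED_SITE_PARAM, "user-agent": BROWSER_PARAM}

# ScanSafe towers from the 'parameter-map type content-scan global' block
PRIMARY = "72.37.244.147:8080"
SECONDARY = "80.254.145.147:8080"

# Identity sent when no ip admission session exists for the client
# (assumed to correspond to 'user-group ciscogroup username ciscouser')
DEFAULT_IDENTITY = ("ciscogroup", "ciscouser")

# Constructed ip admission session table: client IP -> (group, username)
SESSIONS = {"10.0.1.23": ("engineering", "alice")}


def identity_for(src_ip, sessions=SESSIONS):
    """Identity the router would attach to a redirected request."""
    return sessions.get(src_ip, DEFAULT_IDENTITY)


def whitelist_match(headers, whitelist=WHITELIST):
    """Return (header, pattern) for the first whitelist hit, else None.

    Header names are compared case-insensitively; pattern matching is an
    unanchored search, so 'google' matches any value containing that string.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for header, patterns in whitelist.items():
        value = lowered.get(header)
        if value is None:
            continue
        for pattern in patterns:
            if re.search(pattern, value):
                return header, pattern
    return None


def decide(headers, src_ip, primary_up=True, secondary_up=True,
           on_failure="block-all", whitelist=WHITELIST):
    """Model of what content-scan does with one outbound HTTP request.

    Returns a dict with the action ('bypass', 'redirect', 'block' or
    'allow'), a detail (tower or whitelist hit) and the identity sent.
    """
    identity = identity_for(src_ip)
    hit = whitelist_match(headers, whitelist)
    if hit:
        # Whitelisted traffic goes straight to the Internet, unscanned.
        return {"action": "bypass", "detail": f"{hit[0]} ~ /{hit[1]}/",
                "identity": None}
    if primary_up:
        return {"action": "redirect", "detail": PRIMARY, "identity": identity}
    if secondary_up:
        return {"action": "redirect", "detail": SECONDARY, "identity": identity}
    # Both towers failed within 'timeout server 30': apply the on-failure policy.
    if on_failure == "block-all":
        return {"action": "block", "detail": "both ScanSafe towers unreachable",
                "identity": identity}
    return {"action": "allow", "detail": "direct, unscanned (allow-all)",
            "identity": identity}


if __name__ == "__main__":
    # Constructed sample requests: (headers, client IP)
    samples = [
        ({"Host": "www.google.com", "User-Agent": "Mozilla/5.0"}, "10.0.1.23"),
        ({"Host": "intranet.example.com", "User-Agent": "Mozilla/5.0 Chrome/12.0"}, "10.0.1.23"),
        ({"Host": "news.example.com", "User-Agent": "Mozilla/5.0"}, "10.0.1.99"),
        ({"Host": "google.example.net", "User-Agent": "Mozilla/5.0"}, "10.0.1.99"),
    ]
    for headers, ip in samples:
        print(headers["Host"], "->", decide(headers, ip))
        print("   anchored:", decide(headers, ip, whitelist=ANCHORED_WHITELIST)["action"])
```

The last sample is the point worth checking in your own whitelist: a pattern such as "google" is a substring match, so any Host header that merely contains that string is exempted from scanning, while the anchored pattern only exempts the intended domain. Keep the whitelist short and anchored, because everything it matches reaches the Internet without passing through the cloud policy.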
Supported Cisco ISR G2 platforms and requirements include:
- 881, 891
- 19xx, 29xx, 39xx
- Security feature license or higher is required
- Valid Cisco ScanSafe license
Cisco will release the IOS code at the end of this month; the release will be 15.2(1)T. You can find more information at these links.