IronPort Web-Security and Cisco ASA 5500 series

2010.02.08

Some nuances I figured out while setting up an IronPort Web-Security appliance with ASA firewalls.  The how-tos I’ve seen online were a bit lacking.

It’s easiest to use WCCP to hand off traffic to the IronPort WSA.  WCCP requires basically three things to function: which ACLs you want to redirect, where you want to redirect them to, and which WCCP ‘service’ you want to use:

  1. In ASDM, the standard ACLs can be edited in Firewall | Advanced | ACL Manager
  2. Create an ACL of IPs you want to (or not) redirect to your WSA.  Redirect only the TCP/UDP services you want sent to the WSA.  If you configure ip/any in the ACL, then all packets will get sent over to the WSA.  This seems to break ICMP.  Do this through the GUI or from the CLI.  Some http-based apps don’t like this redirection, so putting a ‘deny’ at the top of the ACL works.
  3. Create another ACL of your IronPort WSAs.  I think these need to be on the same subnet as the WCCP is happening (multicast and all).  I didn’t try putting the WSA on a separate interface from the ASA, nor did I try it with multicast routing enabled between them.
  4. Next, configure the redirection and which interfaces the ASA listens to for WCCP.  In the GUI, Device Management | Advanced | WCCP.  Create a Service Redirection first.  This binds which IPs get to which WSAs.  Leave it on Web Cache for the simplest configuration.  I tried setting a password but that seemed to break WCCP.  (See notes below.)  The ‘redirection’ binds which interface the ASA listens for WCCP on.
  5. Lastly, don’t forget to set up ACLs so your WSAs can access the internet.
  6. Configuring the WSA end of things is straightforward.  Following the instructions from the help menu is about all you need.
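The CLI equivalent of the ASDM steps above, as an added example that is not from the original post.  Interface name, ACL names and addresses are placeholders; the standard ‘web-cache’ service only intercepts TCP port 80, which is why the redirect list stays on www.

```cisco
! Added example, not from the original post. 10.1.1.0/24 is an assumed
! inside client subnet; 10.1.1.10 and .11 are assumed WSA addresses.
!
! Step 2: extended ACL of client traffic to redirect. Only the TCP service
! you want, never "ip any any" (the post notes that breaks ICMP). The deny
! at the top exempts one HTTP-based app host that does not tolerate WCCP.
access-list WCCP-REDIRECT extended deny   tcp host 10.1.1.50 any eq www
access-list WCCP-REDIRECT extended permit tcp 10.1.1.0 255.255.255.0 any eq www
!
! Step 3: standard ACL of the WSAs allowed to join the service group,
! both on the same inside subnet where WCCP is spoken.
access-list WCCP-WSA standard permit host 10.1.1.10
access-list WCCP-WSA standard permit host 10.1.1.11
!
! Step 4: the "Service Redirection" (plain web-cache, no password) tied to
! the two lists, then the "redirection" that names the interface the ASA
! listens on. ASA only supports redirecting inbound traffic on an interface.
wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-WSA
wccp interface inside web-cache redirect in
!
! Verify the service group is up and both WSAs have registered.
show wccp
show wccp web-cache detail
```

After re-applying policy on the WSA (see the notes), the same two `wccp` lines are what you remove and re-enter to rebuild the service group.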

Notes:

  • So far, I’ve only worked with the WSA 6.3.x code tree.
  • About policy matching:  Identity Policy matches first.  Whether it’s IP or authentication based, first rule wins.  Take the matching Identity Policy that won and match it to the first Access Policy.  Then applications, URL categories, objects, etc.
  • As of ASA code 8.2.1, WCCP load balancing is only hash-based.  There’s no way to change it to (subnet) mask balancing.  If you need mask balancing, use an IOS-based device for now.
  • As of ASA code 8.2.1, any time you apply policy on the WSA (update access lists, identities, anything at all, really) you need to re-apply the service group (step 4): delete the policy and apply it, then create the policy and apply it.
  • The redirection password may be an issue with re-applying WSA policies.  We’re in production now so I haven’t taken it down to play.
  • If you use a ‘warning’ page for suspect URL categories (streaming media, social networking, etc.) and you have hash-based load balancing, the users will get warned from each WSA you have load balanced.
  • At this time, there’s no central management for multiple WSAs.  If you change policy on one WSA, you need to apply it to the other manually.
Categories : geek

choose

2010.02.01

I giggled.

Categories : fun  OMG DUDA WTF