WEBVTT

0:00:02.220000 --> 0:00:07.880000
In this video, I'm going to talk about an introduction to WSA features,

0:00:07.880000 --> 0:00:13.760000
some of the features that the web security appliance uses to provide security.

0:00:13.760000 --> 0:00:16.780000
So at a high level, we're going to go over the following features.

0:00:16.780000 --> 0:00:20.400000
Real quickly, we're going to talk about URL filtering, blacklisting, and

0:00:20.400000 --> 0:00:25.340000
categorization, content filtering, and AMP.

0:00:25.340000 --> 0:00:30.100000
Layer 4 traffic monitoring and HTTPS decryption, data loss prevention

0:00:30.100000 --> 0:00:35.880000
features, and some configurable actions you can have for web requests.

0:00:35.880000 --> 0:00:38.260000
Now, we're not going to go into the details of these or how you configure

0:00:38.260000 --> 0:00:41.800000
these. I just want you to understand what these terms mean.

0:00:41.800000 --> 0:00:45.300000
So when you see them, you'll understand, at a high level, what's

0:00:45.300000 --> 0:00:49.680000
going on in the background when the WSA is configured to utilize any of these

0:00:49.680000 --> 0:00:52.940000
things. All right, so let's get into these.

0:00:52.940000 --> 0:00:58.620000
Let's start with URL filters and categorization.

0:00:58.620000 --> 0:01:03.400000
So what we're talking about here is the ability to have the web security

0:01:03.400000 --> 0:01:07.660000
appliance inspect outbound web requests.

0:01:07.660000 --> 0:01:11.320000
Web requests are initiated from your client, your laptop, your PC, your

0:01:11.320000 --> 0:01:16.280000
server, and that web request is redirected to the WSA, where it looks at

0:01:16.280000 --> 0:01:21.400000
the URL that you are requesting, the URL that you are trying to get to.

0:01:21.400000 --> 0:01:25.500000
And based on configurable policies, the web security appliance can decide

0:01:25.500000 --> 0:01:28.100000
if that URL is acceptable or not.

0:01:28.100000 --> 0:01:30.260000
So there's a variety of ways it can do this.

0:01:30.260000 --> 0:01:32.820000
There are category filters.

0:01:32.820000 --> 0:01:35.840000
So there are 79 predefined URL filters.

0:01:35.840000 --> 0:01:40.220000
You can see some of them right here: adult dating, hacking, hate speech,

0:01:40.220000 --> 0:01:42.140000
all sorts of other ones.

0:01:42.140000 --> 0:01:46.620000
And within each one of these categories are basically dictionaries of

0:01:46.620000 --> 0:01:51.100000
well-known websites that fall into this category.

0:01:51.100000 --> 0:01:55.840000
So for example, if I want to turn on the hacking category, if I want my

0:01:55.840000 --> 0:02:00.860000
WSA to prevent people from trying to browse websites having anything to

0:02:00.860000 --> 0:02:03.300000
do with hacking, I would select that.

0:02:03.300000 --> 0:02:06.700000
And then a variety of websites that are well known to fall into that category

0:02:06.700000 --> 0:02:09.880000
would now be prevented.

0:02:09.880000 --> 0:02:13.040000
Those URLs matching that would be prevented.

0:02:13.040000 --> 0:02:14.800000
You can do custom URLs.

0:02:14.800000 --> 0:02:19.060000
Maybe there are URLs that don't necessarily fit into a particular category,

0:02:19.060000 --> 0:02:21.940000
or maybe they do fit into a category, but for one reason or another they

0:02:21.940000 --> 0:02:26.340000
have not made it into the database yet. You can customize which URLs you

0:02:26.340000 --> 0:02:30.260000
want the WSA to allow or deny.

0:02:30.260000 --> 0:02:34.600000
And barring that, it also has the ability to do dynamic content analysis

0:02:34.600000 --> 0:02:37.160000
for filtering based on URL strings.

0:02:37.160000 --> 0:02:42.120000
It can look for URLs that have certain keywords or phrases and filter

0:02:42.120000 --> 0:02:48.280000
those out. So the URL filtering database is actually built by analyzing

0:02:48.280000 --> 0:02:51.840000
sites in 190 countries in over 50 different languages.

0:02:51.840000 --> 0:02:54.620000
It is pretty comprehensive.

0:02:54.620000 --> 0:02:57.100000
And of course, you can also do blacklisting on here.

0:02:57.100000 --> 0:03:02.480000
So blacklisting is where you actually type into the WSA a predefined

0:03:02.480000 --> 0:03:05.880000
URL that you don't want users to access.

0:03:05.880000 --> 0:03:07.860000
So that's the idea of blacklisting:

0:03:07.860000 --> 0:03:13.120000
pre-configuring the WSA in advance to say this website is not permitted.

0:03:13.120000 --> 0:03:19.420000
Now, in addition to that: so far we've been talking about the uploading,

0:03:19.420000 --> 0:03:22.580000
right? The client who's asking for a website.

0:03:22.580000 --> 0:03:27.720000
Let's say a client has asked for a website, it has passed the WSA, and

0:03:27.720000 --> 0:03:32.140000
so now the website is starting to download information back to the client.

0:03:32.140000 --> 0:03:35.180000
Well, we can inspect that as well.

0:03:35.180000 --> 0:03:40.960000
So for that, we can use content filtering and Cisco's Advanced Malware

0:03:40.960000 --> 0:03:43.460000
Protection. So how do we filter?

0:03:43.460000 --> 0:03:45.000000
How do we block this out?

0:03:45.000000 --> 0:03:49.500000
Well, web content filtering, once again, this is in the download direction.

0:03:49.500000 --> 0:03:53.640000
These are customized filters for certain file types, for example.

0:03:53.640000 --> 0:03:59.520000
Maybe you don't want users downloading ZIP files or PDF files

0:03:59.520000 --> 0:04:04.540000
or, you know, files with SWF extensions or something of that nature.

0:04:04.540000 --> 0:04:08.580000
So that's how web content filtering can be done.

0:04:08.580000 --> 0:04:11.540000
We also have anti-malware content filtering.

0:04:11.540000 --> 0:04:14.540000
So this leverages Cisco's AMP solution.

0:04:14.540000 --> 0:04:20.980000
It requires an additional add-on license and allows your web security

0:04:20.980000 --> 0:04:26.800000
appliance to frequently receive updates from Cisco Talos, which maintains

0:04:26.800000 --> 0:04:33.360000
a huge database of well-known virus and malware signatures, as well as

0:04:33.360000 --> 0:04:37.940000
well-known websites where these viruses reside.

0:04:37.940000 --> 0:04:41.160000
It updates approximately every five minutes.

0:04:41.160000 --> 0:04:49.080000
In addition to that, we have dynamic content analysis.

0:04:49.080000 --> 0:04:53.400000
So this is used to determine the category of newer websites that have

0:04:53.400000 --> 0:04:57.600000
not yet been categorized in Cisco's database.

0:04:57.600000 --> 0:05:02.380000
It determines their nature in real time using Cisco's dynamic content analysis

0:05:02.380000 --> 0:05:07.440000
engine. And the findings are sent back to the SenderBase repository if

0:05:07.440000 --> 0:05:09.180000
you, the customer, elect to do so.

0:05:09.180000 --> 0:05:12.240000
Now, this might raise a question in your mind.

0:05:12.240000 --> 0:05:16.680000
How does the appliance, the WSA, validate the security of unknown and

0:05:16.680000 --> 0:05:19.500000
unrated sites? Well, it does this in a variety of ways.

0:05:19.500000 --> 0:05:24.440000
After checking the domain owner, the server where the site is hosted,

0:05:24.440000 --> 0:05:28.600000
the time that the site was created, and the type of site, the site

0:05:28.600000 --> 0:05:32.480000
is assigned something called a reputation score based on those things.

0:05:32.480000 --> 0:05:36.480000
Based on that reputation score and the selected security policies that

0:05:36.480000 --> 0:05:40.240000
you have configured, the site can be either blocked, allowed, or possibly

0:05:40.240000 --> 0:05:41.900000
delivered with a warning.

0:05:41.900000 --> 0:05:45.320000
And I'll show you what those look like in a moment.

0:05:45.320000 --> 0:05:49.460000
Acceptable use policy enforcement also comes along with this.

0:05:49.460000 --> 0:05:52.880000
Now, another useful feature of the web security appliance is that, by

0:05:52.880000 --> 0:05:58.820000
default, it has something turned on called the Layer 4 traffic monitor.

0:05:58.820000 --> 0:06:03.340000
So what this does is it utilizes a database that's frequently updated

0:06:03.340000 --> 0:06:08.520000
and downloaded from Cisco of known IP addresses, DNS names, and other

0:06:08.520000 --> 0:06:13.040000
information that malware utilizes when sending packets from infected clients

0:06:13.040000 --> 0:06:15.480000
to the outside world.

0:06:15.480000 --> 0:06:19.260000
The idea here is that for some reason malware has gotten past all your

0:06:19.260000 --> 0:06:21.860000
security restrictions.

0:06:21.860000 --> 0:06:27.480000
Malware has been downloaded on a client's laptop, PC, or server,

0:06:27.480000 --> 0:06:30.020000
and now that malware is trying to phone home.

0:06:30.020000 --> 0:06:34.220000
Phone home, meaning it's trying to contact a website, trying to contact

0:06:34.220000 --> 0:06:38.580000
some external database so it can download some additional malicious code,

0:06:38.580000 --> 0:06:43.700000
so it can maybe upload the information stolen from you, whatever.

0:06:43.700000 --> 0:06:47.640000
So the Layer 4 traffic monitor is designed to spot that.

0:06:47.640000 --> 0:06:51.300000
Now, when that malware on your laptop is trying to phone home, it's probably

0:06:51.300000 --> 0:06:56.420000
not going to use TCP port 80 or TCP port 443.

0:06:56.420000 --> 0:06:58.700000
Those are well-known ports for web browsing.

0:06:58.700000 --> 0:07:03.840000
So it's going to try to select some randomized, weird, unused TCP or even

0:07:03.840000 --> 0:07:08.400000
UDP port to get to that malware website or to get to that malware server

0:07:08.400000 --> 0:07:10.200000
to do its thing.

0:07:10.200000 --> 0:07:12.820000
And the Layer 4 traffic monitor is designed to prevent that.

0:07:12.820000 --> 0:07:18.780000
So the idea is that hopefully this malware is already known.

0:07:18.780000 --> 0:07:20.920000
Cisco Talos is already aware of it.

0:07:20.920000 --> 0:07:24.280000
They're already aware of what the IP address is, what TCP or UDP port numbers

0:07:24.280000 --> 0:07:29.080000
it uses to try to circumvent security and phone home.

0:07:29.080000 --> 0:07:33.100000
And so when the Layer 4 traffic monitor spots that, it can stop that from

0:07:33.100000 --> 0:07:34.840000
happening. How does it stop it?

0:07:34.840000 --> 0:07:39.160000
Well, if that malware is trying to initiate a TCP connection and the web

0:07:39.160000 --> 0:07:43.660000
security appliance spots that, it will send a TCP reset, killing the TCP

0:07:43.660000 --> 0:07:48.120000
connection. If the malware is attempting to do this using UDP, the web

0:07:48.120000 --> 0:07:53.040000
security appliance will send an ICMP unreachable message.

0:07:53.040000 --> 0:07:57.840000
Now, the web security appliance also has something called intelligent

0:07:57.840000 --> 0:08:02.700000
HTTPS decryption, which raises an interesting question.

0:08:02.700000 --> 0:08:09.300000
If you know how HTTPS works, the idea is that initially, my very first

0:08:09.300000 --> 0:08:13.640000
one or two packets to an HTTPS website are in plain text.

0:08:13.640000 --> 0:08:17.300000
They're clear. But then after that, everything is encrypted.

0:08:17.300000 --> 0:08:22.940000
That website downloads some sort of a key that only my laptop has.

0:08:22.940000 --> 0:08:26.600000
And now when the website is downloading encrypted information to me, only

0:08:26.600000 --> 0:08:29.920000
I can decrypt that, because I'm the only one that has the key.

0:08:29.920000 --> 0:08:33.960000
So how is the WSA going to do this if it never gets the key?

0:08:33.960000 --> 0:08:38.860000
Well, in order for all this to work, what has to happen is, initially,

0:08:38.860000 --> 0:08:43.460000
when you open up an HTTPS session to whatever website you're thinking

0:08:43.460000 --> 0:08:49.900000
of, that HTTPS session is redirected to the WSA, and actually you'll be

0:08:49.900000 --> 0:08:54.560000
creating a secure HTTPS session with the WSA.

0:08:54.560000 --> 0:08:55.880000
You don't know that.

0:08:55.880000 --> 0:08:58.840000
You see, here's what's going to happen in the background.

0:08:58.840000 --> 0:09:02.320000
Let's say you're sending a secure connection to INE.com.

0:09:02.320000 --> 0:09:04.840000
You're doing HTTPS to INE.com.

0:09:04.840000 --> 0:09:07.920000
That gets redirected to the WSA.

0:09:07.920000 --> 0:09:09.700000
Now, two things happen at once.

0:09:09.700000 --> 0:09:17.520000
The WSA, on your behalf, will initiate its own HTTPS session to INE.com.

0:09:17.520000 --> 0:09:24.040000
At the same time it's doing that, it will sort of pose as INE.com to you.

0:09:24.040000 --> 0:09:25.160000
It'll send back to you.

0:09:25.160000 --> 0:09:29.500000
It'll say, oh, I'm INE.com, and here's my digital certificate that contains

0:09:29.500000 --> 0:09:35.700000
my public key. Now, while that's happening, presumably, the WSA has completed

0:09:35.700000 --> 0:09:40.340000
its secure connection to the real INE.com, so it's basically a man in

0:09:40.340000 --> 0:09:45.060000
the middle. And so you're looking at the secure website, assuming that

0:09:45.060000 --> 0:09:49.520000
it's getting through the WSA, but what you don't know is, you're not actually

0:09:49.520000 --> 0:09:53.620000
getting end-to-end encryption between you and that website.

0:09:53.620000 --> 0:09:57.060000
Your encryption is going to the WSA.

0:09:57.060000 --> 0:10:02.700000
I should say it's decrypting what you're sending, inspecting it, re-encrypting

0:10:02.700000 --> 0:10:05.760000
it, and sending it upstream to the web server.

0:10:05.760000 --> 0:10:09.680000
And when the web server sends its encrypted traffic back, it's being decrypted

0:10:09.680000 --> 0:10:15.180000
on the WSA and inspected, and if it's okay, if it passes all the guidelines and

0:10:15.180000 --> 0:10:18.960000
filters, it gets re-encrypted and sent back to you.

0:10:18.960000 --> 0:10:23.880000
So it's a man in the middle.

0:10:23.880000 --> 0:10:27.940000
And that's what this is all talking about right here.

0:10:27.940000 --> 0:10:33.140000
Now, there is one major drawback with this, which is going to require

0:10:33.140000 --> 0:10:36.200000
a little bit of additional effort on your part if you want to utilize

0:10:36.200000 --> 0:10:41.440000
this feature. You see, normally, when I establish a secure connection

0:10:41.440000 --> 0:10:47.260000
to, let's say, INE.com, I expect to get the digital certificate from

0:10:47.260000 --> 0:10:51.180000
INE.com that has INE.com's public key in it.

0:10:51.180000 --> 0:10:53.360000
That's not going to happen here.

0:10:53.360000 --> 0:10:58.140000
If the WSA is in the middle and it's proxying everything, when I try to

0:10:58.140000 --> 0:11:02.160000
initiate a secure connection to INE.com, what I'm going to get back is

0:11:02.160000 --> 0:11:07.240000
a digital certificate from the WSA with its public key.

0:11:07.240000 --> 0:11:10.400000
Most web browsers will say, what is this?

0:11:10.400000 --> 0:11:11.840000
This is not what I was expecting.

0:11:11.840000 --> 0:11:14.180000
This says INE. It's got a public key in here.

0:11:14.180000 --> 0:11:18.760000
This is not the certificate I was expecting from wherever it is I was

0:11:18.760000 --> 0:11:19.900000
trying to go to.

0:11:19.900000 --> 0:11:23.960000
This says Cisco WSA, not INE.com.

0:11:23.960000 --> 0:11:28.200000
And so most web browsers will, at minimum, give you a warning and ask

0:11:28.200000 --> 0:11:29.840000
you if you want to proceed.

0:11:29.840000 --> 0:11:34.320000
So, if you want to get this to work, you'll have to tweak

0:11:34.320000 --> 0:11:37.940000
some browsers. You'll have to go into your end users' browsers and tweak them

0:11:37.940000 --> 0:11:46.180000
a little bit to allow certificates from the WSA so that all this can work.

0:11:46.180000 --> 0:11:51.000000
Also, the WSA can give you data loss prevention features.

0:11:51.000000 --> 0:11:55.120000
What's being posted, what's being uploaded from your company?

0:11:55.120000 --> 0:11:59.080000
Are people posting on a Dropbox, or posting on a Google Drive, or posting

0:11:59.080000 --> 0:12:04.640000
on blogs or wikis, company confidential or sensitive information?

0:12:04.640000 --> 0:12:08.180000
So that's what data loss prevention is: stopping that from happening.

0:12:08.180000 --> 0:12:12.100000
So in order for this to work, the WSA actually works in partnership with

0:12:12.100000 --> 0:12:17.440000
an appliance from another company, called the Digital Guardian DLP appliance.

0:12:17.440000 --> 0:12:21.240000
So Digital Guardian is separate from Cisco, but they are in a close partnership

0:12:21.240000 --> 0:12:26.520000
with Cisco. And Digital Guardian has a DLP appliance, so the WSA will

0:12:26.520000 --> 0:12:31.020000
sort of offload DLP functionality to that device and wait and see what

0:12:31.020000 --> 0:12:33.440000
that device has to say.

0:12:33.440000 --> 0:12:37.940000
So when uploading content to a website like Dropbox or Google or something,

0:12:37.940000 --> 0:12:42.240000
DLP policies can be configured to determine what's allowable and what

0:12:42.240000 --> 0:12:43.840000
should be blocked.

0:12:43.840000 --> 0:12:46.840000
So this right here is sort of a picture of how all that works, and you

0:12:46.840000 --> 0:12:50.580000
can see the URL where this is taken from.

0:12:50.580000 --> 0:12:55.760000
Sensitive documents or clean documents are sent to the WSA, and when

0:12:55.760000 --> 0:12:58.940000
it's configured for data loss protection, it'll forward all that stuff

0:12:58.940000 --> 0:13:01.520000
to the Digital Guardian DLP appliance.

0:13:01.520000 --> 0:13:06.040000
That will inspect it and then provide a verdict of whether or not that

0:13:06.040000 --> 0:13:11.560000
information should be blocked, or whether it's all allowed to go out.

0:13:11.560000 --> 0:13:18.900000
Now, the last thing I want to talk about here is what the configurable

0:13:18.900000 --> 0:13:24.640000
actions are. So when stuff is either going outbound and the WSA is inspecting

0:13:24.640000 --> 0:13:29.460000
it, or stuff is coming back inbound from the Internet, what can the WSA

0:13:29.460000 --> 0:13:32.480000
do after it has scanned the information?

0:13:32.480000 --> 0:13:34.080000
Well, it can take one of three actions.

0:13:34.080000 --> 0:13:35.900000
It can allow the content.

0:13:35.900000 --> 0:13:40.580000
It can warn you that what you're about to do is potentially malicious

0:13:40.580000 --> 0:13:45.340000
or might break the acceptable use policy, or it can entirely block it.

0:13:45.340000 --> 0:13:48.080000
And here on the last slide, I'd like to show you images of exactly what

0:13:48.080000 --> 0:13:49.560000
that will look like.

0:13:49.560000 --> 0:13:55.540000
So here you can see, on the left, if the WSA has determined that the information

0:13:55.540000 --> 0:13:58.560000
you're trying to upload or the information that's coming back to you is

0:13:58.560000 --> 0:14:02.840000
malicious or otherwise should be blocked, you'll get that access denied

0:14:02.840000 --> 0:14:05.160000
message in your browser.

0:14:05.160000 --> 0:14:09.040000
Otherwise, it might send you a warning, which you can see here, and now

0:14:09.040000 --> 0:14:14.480000
it's up to you. If you press that accept button, just be warned that the

0:14:14.480000 --> 0:14:28.340000
WSA is telling you what you might be doing. So that concludes this video,

0:14:28.340000 --> 0:14:30.440000
and thank you very much for watching.