In this brief video, I'd like to go over four deployment options you have when utilizing a Cisco Web Security Appliance. So I'm going to be talking about the methods of implementing something called a transparent proxy, or alternatively you could implement it as what's called an explicit forward proxy, and I'll also briefly show you where the WSA would sit as far as the layer four traffic monitoring feature is concerned. So the first thing we have to be aware of are the WSA interfaces and what they look like. So you notice here that there are three main kinds of interfaces: M, P and T interfaces. So the M1 port, as you can see here highlighted in orange, so right here is our M1 port, that's used for managing the device. So that's the management port. It can also be used as an additional data port if you wish, but that's not its primary function. Your data ports are the P1 and P2 ports that we see right here, P1 and P2 ports. So that's where the actual web lookups and downloaded web pages would be sent to physically terminate on those interfaces. And then lastly, if you're implementing the layer four traffic monitoring feature, that traffic goes in and out of your T1 and possibly T2 ports as well.
Now I'll go into a little bit more detail as far as why there is that separation between the P1 and P2 and the T1 and T2. All right, so real quickly, deployment options. Let's start with transparent deployments. Your first option is transparent proxy with the layer four switch. Now when we say transparent, what that means is that the client, the laptop, the PC, has no idea that there's this proxy device, this WSA, that's actually intercepting its traffic and monitoring that traffic, both in the upload and download direction. That's what we mean by transparent. So there's nothing being done on the end user itself, the laptop, the PC, the server. So if you're using a layer four switch, most likely we would have to implement policy-based routing on the layer four switch to pick up your HTTP and HTTPS traffic and redirect it to the P1 or P2 port of your Web Security Appliance. If your switch does not support policy-based routing, alternatively, or if you don't want to do that, you can do transparent proxy using a firewall or router. In this particular case, you could still use policy-based routing if you're using a firewall or router, or you could potentially use the web cache communications protocol to redirect the information to and from the WSA. By the way, the web cache control protocol is Cisco proprietary.
Alternatively, we could have explicit forward proxy, probably the least desirable of all of your clients, your laptops, your PCs, your servers, and configure those browsers to send their web traffic to this proxy, which is the WSA. That's going to require the most work from you as a network administrator. And then here we have the layer four traffic monitor. Now a couple of things I want to point out here. Use of the layer four traffic monitor feature is not an "or" solution, it's an "and" solution. You can use both the WSA as a layer four traffic monitor as well as the normal WSA features of filtering and monitoring of web traffic. So the thing you've got to keep in mind is the layer four traffic monitoring engine is actually a completely separate engine from all the other stuff that the WSA does. So it doesn't actually have any visibility. The layer four traffic monitoring engine does not have any visibility to what's going on with these P ports, the P1 and the P2. So traffic is coming in and going out of P1 and P2. The layer four traffic monitoring engine doesn't see it.
That's why, if you're going to have layer four traffic monitoring, you have to send this stuff to the T1 and T2 ports, because that's where that engine is actually inspecting things. Now also, when you're using layer four traffic monitoring, okay, so the idea here is that this port, the T1 port, is not actually in line with the traffic. So what do I mean by that? So, for using, for example, a switch right here, as the traffic comes in, the switch would implement the SPAN feature. You might know that as the port monitoring feature, which basically tells the switch, hey, this is your SPAN ingress port right here, maybe an entire VLAN. That's your SPAN source port. And then your SPAN destination port is this port right here that connects to the T1 port. So what SPAN is doing, in case you're not familiar with this feature, is SPAN just says, hey, when traffic comes in my SPAN source port, let it go through like it normally does, but so in this case, the WSA is, because it's not in line, right? The traffic is sort of flowing outside of it, but the copied traffic is reaching the WSA on its T1 port, where layer four traffic monitoring can inspect it.
Now you might be wondering, well, if this is not in line, if the traffic is going right around it, how can the layer four traffic monitoring prevent malware and viruses and stuff from phoning home, from sending information upstream? Well, because if the layer four traffic monitoring engine spots that happening, it can actually stop it in one of two ways. It can send out a TCP reset, if we're talking about TCP messages, or it can send out an ICMP message, ICMP host unreachable, for UDP traffic. So what you really have to think about is that these two things would be combined. In other words, this switch right here would actually have two physical connections. If we're going to assume it's connected to a switch, it would have two physical connections to the WSA. Let me just draw it like this. So what you'd be looking at is: here's the client, here's the switch, and here's my WSA. You'd have something like this. So this would be configured as a SPAN source port. This would be your SPAN destination port. This would be your T1 port. So that's for your layer four traffic monitoring. So maybe this is port 0/4 on the switch; 0/5 would also connect to the WSA. That would be my P1 port.
So what I would have going on here is, as traffic is coming in, because it's a SPAN port, a copy of that traffic would be sent here for layer four traffic monitoring. And then, because I have policy-based routing turned on in this switch, the traffic would also be redirected out this way, so it could be analyzed and inspected by all the other WSA features. So that concludes this video about WSA deployment options. Thank you for watching.