Internet Edge Design Summary October 2015 - Cisco · The following figure shows a dual ISP design...

transcript

CISCO VALIDATED DESIGN

REFERENCENETWORK

ARCHITECTURE

Internet Edge Design Summary

October 2015

Cisco Validated Design

Table of ContentsIntroduction ..................................................................................................................................... 1

Sub-Architectures for Specific Capabilities ..................................................................................... 8

Edge Connectivity ...........................................................................................................................................................8

Firewall Segmentation & Intrusion Prevention ...................................................................................................................9

Remote Access VPN ..................................................................................................................................................... 10

Email Security Using ESA .............................................................................................................................................. 11

Web Security ................................................................................................................................................................. 13

Cisco Web Security Appliance ....................................................................................................................... 15

Cisco Cloud Web Security ............................................................................................................................. 16

Cisco CWS Using the Connector for Cisco ASA ............................................................................................ 16

Cisco CWS Using Cisco AnyConnect ............................................................................................................ 18

Guest Wireless Termination ........................................................................................................................................... 20

Future Releases of Internet Edge .................................................................................................. 21

Summary ....................................................................................................................................... 22

Introduction

IntroductionThis guide describes architectural best practices for organizations with up to 10,000 connected users.

An important segment of an enterprise network is the Internet edge, where the corporate network meets the pub-lic Internet. As your network users reach out to websites and use email and other collaboration tools for business-to-business communication, the resources of the corporate network must remain both accessible and secure.

The Secure Architectural Framework Example (SAFE) for business networks locates the Internet edge as one of the places in the network (PINs). SAFE simplifies complexity across the enterprise by implementing a model that focuses on the areas that a company must secure. This model treats each area holistically, focusing on today’s threats and the capabilities needed to secure each area against those threats. Cisco has deployed, tested, and validated critical challenges. These solutions provide guidance, complete with configuration steps that ensure ef-fective, secure deployments for our customers.

The Internet edge is the highest-risk PIN because it is the primary Ingress for public traffic and the primary egress point to the Internet. Simultaneously, it is the critical resource that businesses need in today’s Internet-based economy. SAFE matches up defensive capabilities against the categories of threats today.

Introduction

The capabilities and architectures for the Internet edge provide users with the secure network access they re-quire, from a wide variety of locations and devices. The following table describes the functional security capabili-ties of Internet edge.

Table 1 SAFE defenses against specific Internet edge threats

Threat Defense

Use of malformed packets and abnormal protocol processes to gain access to the public and private networks

Firewall segmentation—Protects the network infrastructure and data resources through stateful packet filtering, protocol inspection, and network address translation

Infiltration via worms, viruses and various types of attacks to gain access to the internal servers by using Layer 4-7 traffic

Intrusion detection & prevention—Protects the network infrastructure and data resources from Internet-based threats such as worms, viruses, and targeted attacks by performing application and user-aware security inspection of Layer 4-7 traffic coordinated with global threat prevention information

Monitoring of unencrypted network traffic allows thieves to easily steal data and creden-tials

Remote access VPN—Provides secure encrypted access to resources inside the organization from remote locations and mobile devices

Access to critical resources by impersonating trusted users with basic authentication

Access control + TrustSec—Selective restriction of access, based on context, to a place or other resource

Distribution of viruses, malware files or compromised web links by email. Exfiltration of private data via email

Email security—Provides encryption, anti-spam, anti-malware, anti-virus inspection and message filtering services that protect against data loss and exfiltration

Infected ads and bogus web sites lure in users to access the malicious content by redirec-tion and service insertion

Web security—Provides inspection and filtering for web reputation, anti-malware, anti-virus. Protects against data loss and data exfiltration. Enforces acceptable-use controls and user monitoring

Single or multiple files which form a malware package and distributes itself throughout the entire network of servers and devices

Anti-malware—Files are securely analyzed and correlated against hundreds of millions of other analyzed malware artifacts to provide a global view of malware attacks, campaigns, and their distribu-tion on current and historical malware artifacts, indicators, and samples

Zero-day attacks and new forms of malware can initially bypass protections imple-mented through learned threat intelligence.

Threat intelligence—Threat intelligence is ev-idence-based knowledge, including context, mechanisms, indicators, implications, and action-able advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard

table continued on next page

Introduction

table continued from previous page

Threat Defense

New command & control traffic, telemetry and data exfiltration from successful attacks

Flow analytics—Network data flow behavior is analyzed to identify security incidents

Downloaded viruses and malware compromise devices, which take over systems and replicate

Host-based security—Security software to protect the host consisting of anti-virus, anti-malware, host firewall and VPN encryption.

Unencrypted traffic being copied and stolen from the in-frastructure via monitoring and malware

TLS encryption offload—This capability represents the ability to decrypt an encrypted data flow to and from a set of services. This hardware accel-erated offloading reduces the general computing load on the end servers, thereby improving scal-ability

Application-specific attacks that take advantage of poor application-development tech-niques and insecure modules

Web application firewalling—Advanced, special-ized web application inspection and monitoring for inbound and outbound service calls meeting a specifically tuned and configured policy

Massively scaled attacks that overwhelm the capacity of the network bandwidth, de-vice throughput, or process-ing capabilities of the network devices and/or servers

DDOS protection—Protection against network, session and application attacks such as: SYN floods, connection floods, ICMP fragmentation, DNS, SSL and the growing number of Layer 7 at-tacks

Infected ads and bogus web sites lure in users to access the malicious content by redirec-tion and service insertion

Cisco Cloud Web Security—Web Security servic-es that are based off-premise and in the cloud for lean enterprise deployments and roaming/remote user protection.

Accessing valuable network data through the deployment of rogue wireless devices and interception attacks

Guest wireless WIPS—Coordinated infrastructure to detect, locate, mitigate, and contain wireless rogues and threats at Layers 1 through 3

Compromised or infected devices allowed onto a network proliferate the distribution of malware and viruses to adja-cent network users

Guest network mobile device management—Control over endpoint access based on defined policies such as disallowing jail-broken devices, devices without anti-virus software, or prevent-ing corporate managed devices from using less secure guest networks

Introduction

Table 2 SAFE non-security-specific network capabilities

L2 / L3 Network——Routing and switching equipment that enables communication across an enterprise infrastructure and the Internet

Load balancing—Systems that distribute workloads across multiple computing resources to optimize resource use, maximize throughput, minimize response time, and avoid overload of any single resource

Wireless—Controllers and access points enabling the network connectivity necessary for mo-bile devices to communicate with the enterprise infrastructure.

LAN segment—Physical or virtual network segment

Table 3 SAFE management capabilities supporting the Internet edge

Identity/authorization—AAA provides the method of identifying users and authorizing their ac-cess to services and resources and tracking their use

Policy/configuration—Centralized and unified network management to provide consistent, se-cure access to end users, however they connect

Analysis/correlation---SIEM technology provides real-time reporting and long-term analysis of security events. The technology can also provide log collection, normalization, correlation, aggregation and reporting

Monitoring—Collection of network flows or traffic from specific infrastructure segments.

Vulnerability management— System tools that continually scan and test devices attached to the infrastructure, document them, and prompt for remediation on an ongoing basis

Logging/reporting—Centralized repository that collects syslog, SNMP, and other event infor-mation from all devices to ensure the integrity and enable the correlation of events.

Time synchronization—NTP is used to synchronize clocks among devices. This synchronization allows all events to be correlated when system logs are created and when other time-specific events occur.

Introduction

These security capabilities address the top threats and risks facing organizations today.

When developing individual designs, you should also take into consideration such non-security considerations as:

• Load-balancing routing protocols (e.g., eBGP, EIGRP, OSPF)

• VLANs for segmentation

• High-availability protocols such as HSRP & VRRP

• Common platform services such as network time protocol (NTP) and authentication, authorization, and ac-counting (AAA)

These topics will be covered in additional SAFE guides.

Figure 1 depicts the deployment and distribution of capabilities for building an Internet edge by using Cisco best practices. Capabilities are grouped into different security zones in order to more easily define policies for these areas (Untrusted, VPN, Perimeter, DMZ and Trusted). The dotted lines illustrate combined capabilities that you may implement in a single device. This further simplifies the connectivity and linking of the necessary capabilities in order to achieve the goals of the proposed architecture.

The Untrusted zone contains the edge routing capability as well as both the on-premise and off-premise distrib-uted denial-of-service (DDOS) capabilities. Cloud web services are included for illustration proposes at this time.

The remote access virtual private network (RA VPN) zone implements dedicated resources to connect remote users and sites.

The perimeter zone has the all of the core security and inspection capabilities necessary to protect the enterprise and segments the connections of the other zones.

The demilitarized zone (DMZ) is a restricted zone containing both internal and public facing services.

The trusted enterprise contains core services in order to securely implement, manage, monitor and operate the Internet edge.

Introduction

Figure 1 Internet edge capabilities

Untrusted

Perimeter DMZRA VPN

Trusted Enterprise

After defining the desired capabilities of the Internet edge, you can transition from a capability view to an archi-tecture view. The architecture enables the selection of product classes and models aligning the needs of the enterprise and to the available features unique to each platform.

The Internet edge architecture includes segmentation capabilities, such as LANs and VLANs separating services from each other. Several capabilities are duplicated in various areas in order to provide the best protection pos-sible (e.g., NGIPS at both the perimeter and after TLS decryption in the DMZ). Implementing dedicated resources in several areas ensures acceptable performance across the entire architecture.

Introduction

Figure 2 Internet edge architecture

Untrusted

RA VPN DMZPerimeter

TrustedEnterprise

CWS ISP DDOS

Cisco ASR

CiscoSecurity

Appliance

Cisco SecurityAppliance

Cisco Security

Appliance

Cisco Security

Appliance

CiscoESA

CiscoWSA

WebApplication

FirewallLoad

BalancerCiscoWLC

CiscoAMP onEndpoint

Figure 2 does not depict how high-availability requirements can be met through the deployment of redundant paired devices. This design assumes that you would deploy all capabilities as such when creating the detailed designs.

Sub-Architectures for Specific Capabilities

Sub-Architectures for Specific CapabilitiesThe following sections provide greater detail and guidance for deploying security capabilities in the Internet edge. Several have been fully validated using Cisco’s Validated Design program. For more information, see Cisco’s Design Zone:

http://www.cisco.com/go/designzone

EDGE CONNECTIVITY Two deployment options can address Internet edge capabilities with high availability and meet operational re-quirements for device-level separation between the remote access VPN and the firewall. The design shown in the following figure uses a single Internet connection and integrates the remote-access VPN function in the same Cisco Adaptive Security Appliance (ASA) pair that provides the firewall functionality.

Figure 3 Single ISP topology

RA VPN DMZPerimeter

TrustedEnterprise

Untrusted

CWS ISP DDOS

Cisco ASR

CiscoSecurity

Appliance

Cisco Security

Appliance

Cisco Security

Appliance

CiscoESA

CiscoWSA

WebApplication

FirewallLoad

BalancerCiscoWLC

CiscoAMP onEndpoint

RA VPN

CiscoSecurity

Appliance

The following figure shows a dual ISP design that provides highly resilient Internet access. This design uses a separate pair of Cisco ASA appliances in order to provide a remote access VPN, which offers additional scalability and operational flexibility.

Figure 4 Dual ISP topology

RA VPN DMZPerimeter

TrustedEnterprise

Untrusted

Cisco ASR

CiscoSecurity

Appliance

Cisco Security

Appliance

Cisco Security

Appliance

CiscoESA

CiscoWSA

WebApplication

FirewallLoad

BalancerCiscoWLC

CiscoAMP onEndpoint

ISP A ISP B

FIREWALL SEGMENTATION & INTRUSION PREVENTIONFirewalls and intrusion prevention systems (IPSs) provide vital security at the Internet edge. Firewalls control ac-cess into and out of the different segments of the Internet edge to filter unwanted and malicious traffic. Many firewalls also provide a suite of additional services such as network address translation (NAT) and multiple secu-rity zones. Support for policy-based operation can enhance firewall effectiveness by providing security without interfering with access to Internet-based applications or hindering connectivity to business partners’ data via extranet VPN connections.

Intrusion prevention systems complement firewalls by inspecting the traffic traversing the Internet edge in order to identify malicious behaviors and prevent proliferation of the malicious traffic.

Architectures for the Internet edge address firewall and IPS capabilities with the Cisco ASA family. Cisco ASA platforms provide advanced firewall and IPS capabilities with enterprise-class performance and security in a scalable design that can readily adapt to changing needs. They are situated between the organization’s internal network and the Internet in order to minimize the impact of network intrusions while maintaining worker productiv-ity, business communications and information integrity..

Designs for the Internet edge use the Cisco ASA 5500-X Series, configured in routing mode in active/standby pairs for high availability. They apply NAT and firewall policy and support FirePOWER next generation intrusion prevention software (NGIPS) that detects and mitigates malicious or harmful traffic. FirePOWER NGIPS delivers complete contextual awareness, full visibility, and control of users, devices and content in order to provide indus-try-leading threat prevention.

For more information about firewall and IPS solution deployment, see the Firewall and IPS Technology Design Guide. This guide covers the creation and use of demilitarized zone (DMZ) segments for Internet-facing services such as a web presence. The NGIPS content covers Internet edge inline deployments and internal distribution layer intru-sion detection system (IDS) deployments.

REMOTE ACCESS VPNEmployees, contractors, and partners often need to access the network when traveling or working from home or from other off-site locations. Many organizations therefore need to provide users in remote locations with network connectivity to data resources.

A secure connectivity solution for the Internet edge should support:

• A wide variety of endpoint devices.

• Seamless access to networked data resources.

• Authentication and policy control that integrates with the authentication resources used by the organization.

• Cryptographic security to prevent sensitive data from exposure to unauthorized parties who accidentally or intentionally intercept the data.

Designs for the Internet edge address these needs with the Cisco ASA Family and Cisco AnyConnect Secure Mobility Client.

The Cisco AnyConnect Secure Mobility Client is recommended for remote users who require full network con-nectivity. The Cisco AnyConnect client uses SSL and is designed for automated download and installation. SSL access can be more flexible and is likely to be accessible from more locations than IPsec, as few companies block HTTPS access out of their networks. The AnyConnect client may be configured as an always-on VPN.

The Trusted Network Detection capability of the Cisco AnyConnect client determines if a laptop is on a trusted internal network or an untrusted external network. If on an untrusted network, the client automatically tries to establish a VPN connection to the primary site. The user needs to provide credentials for authentication, but no other intervention is required. If the user disconnects the connection, no other network access is permitted.

Designs for the Internet edge offer two remote-access VPN design models:

• Remote access VPN integrated with Cisco ASA Series firewall (integrated design module)—This option is available with a lower capital investment and reduces the number of devices the network engineering staff must manage.

• Remote access VPN deployed on a pair of standalone Cisco ASA appliances (standalone design mod-ule)—This design offers greater operational flexibility and scalability while providing a simple migration path from an existing RA VPN installation.

For detailed design and configuration information about implementing a remote access VPN via Cisco AnyCon-nect for SSL connections, see the Remote Access VPN Technology Design Guide.

EMAIL SECURITY USING ESAEmail is a critical business service used by virtually everyone, every day, which makes it an attractive target for hackers. The two major threats to email systems are spam and malicious email.

If spam is not properly filtered, its sheer volume can consume valuable resources such as bandwidth and stor-age, and require network users to waste time manually filtering through messages. Legitimate messages may be discarded, potentially disrupting business operations. Failing to protect an email service against spam and malicious attacks can result in a loss of data and network-user productivity. Malicious email most often consists of embedded or phishing attacks. Embedded attacks contain viruses and malware that perform actions on the end device when clicked. Phishing attacks attempt to mislead network users into releasing sensitive information such as credit card numbers, social security numbers, or intellectual property.

Cisco Email Security Appliance (ESA) protects the email infrastructure and network users who use email at work by filtering unsolicited and malicious email before it reaches the user. The goal of the solution is to filter out posi-tively identified spam and quarantine or discard email sent from untrusted or potentially hostile locations. Antivirus scanning is applied to emails and attachments from all servers in order to remove known malware.

Cisco ESA easily integrates into existing email infrastructures by acting as a mail transfer agent (MTA), or mail relay, within the email-delivery chain. A normal email exchange, in which an organization is using an MTA, might look like the message flows shown in Figure 5 and Figure 6.

Figure 5 Inbound email message flow

Sender sends email to xyz@companyX.com

Email is sent

What is IP for CompanyX mail server (MX and A record DNS lookup)?

IP address for CompanyX email is a.b.c.d (Cisco ESA at CompanyX)

Internet DNSServer

EmailServer

Cisco EmailSecurity Appliance

Employee retrieves cleaned email

After inspection, the email is sent to the central email server

Figure 6 Outbound email message flow

Recipient retrieves email6

Email is sent

Cisco ESA inspects outbound email

EmailServer

Cisco EmailSecurity Appliance

Employee sends email to xyz@companyY.com

Central email server forwardsall non-local messages toCisco ESA smart host

Cisco ESA performs DNS lookupfor recipient domain and retrievesMX and A records

Cisco ESA can be deployed with a single physical interface to filter email to and from an organization’s mail server. A second, two-interface configuration option transfers email to and from the Internet by using one inter-face, and to and from internal servers by using the second interface. The Internet edge design uses the single-interface model for simplicity.

For more information about email security and Cisco ESA, see the Email Security Using ESA Technology Design Guide.

WEB SECURITYWeb access is a requirement for the day-to-day functions of most organizations, but a challenge exists to main-tain appropriate web access for everyone in the organization while minimizing unacceptable or risky use. A solu-tion is needed to control policy-based web access in order to ensure that users work effectively and ensure that personal web activity does not waste bandwidth, affect productivity, or expose the organization to undue risk.

Another risk associated with Internet access for the organization is the pervasive threat that exists from accessing sites and content. Other threats include the still popular and very broad threats of viruses and Trojans, in which a user receives a file in some manner and is tricked into running it, and the file then executes malicious code. The third variant uses directed attacks over the network. These types of risks are depicted in the figure below.

Figure 7 Business reasons for deploying Cisco Cloud Web Security

Bandwidthwaste Internet Edge

Firewall

Non-work-relatedweb browsing

Malicious software worms,viruses, phishing attacks, etc.

UserCommunityInternet

Two options address the need for a corporate web security policy by offering a combination of web usage con-trols with category and reputation-based control, malware filtering, and data protection:

• Cisco Web Security Appliance (WSA), which is deployed on premise

• Cisco Cloud Web Security (CWS), which is accessed by using the Cloud Web Security Connector for Cisco ASA or by using Cisco AnyConnect Secure Mobility Client.

Some key differences between Cisco CWS and Cisco WSA include the items listed in the following table.

Table 4 Cisco Web Security solution comparison

Cisco CWS Cisco WSA

Web/URL filtering Yes Yes

Supported protocols HTTP/HTTPS HTTP/HTTPS, FTP

Outbreak Intelligence (Zero Day Malware)

(Multiple scanners for malware)

(URL/IP reputation filter-ing, multiple scanners for malware)

Remote user securityVPN backhaul or direct to cloud using Cisco AnyConnect1

VPN backhaul

Deployment Redirect to cloud service On Premise Redirect

Policy and reporting Web portal (cloud) On Premise

1. Windows and Mac OS Only

Cisco Web Security ApplianceCisco WSA is a web proxy that works with other Cisco network components such as firewalls, routers, or switch-es in order to monitor and control web content requests from within the organization. It also scrubs the return traffic for malicious content, as shown in the following figure.

Figure 8 Cisco WSA traffic flows

UserCommunity

CiscoWSA

Internet

InternalNetwork

Web Site

RA VPN Client or

RA VPN Mobile Client

CiscoWSA

Internet

InternalNetwork

Web Site

CiscoWSA

Internet

InternalNetwork

Web Site

RA VPN Client or

RA VPN Mobile Client

Cisco WSA is connected by one interface to the inside network of Cisco ASA. In the Internet edge design, Cisco WSA connects to the same LAN switch as the ASA appliance and on the same VLAN as the inside interface of the ASA appliance. Cisco ASA redirects HTTP and HTTPS connections by using the Web Cache Communication Protocol (WCCP) to Cisco WSA.

For more information about how to deploy this solution, see the Web Security Using Cisco WSA Technology Design Guide. This guide focuses on using Cisco WSA in an Internet edge solution. It covers the mechanisms used to apply web security and content control, as well as the use of transparent -proxy mode and explicit-proxy mode deployments for redirecting web traffic to Cisco WSA.

Cisco Cloud Web SecurityThrough the use of multiple techniques, Cisco CWS provides granular control over all web content that is ac-cessed. These techniques include real-time dynamic web content classification, a URL-filtering database, and file-type and content filters. The policies enforced by Cisco CWS provide strong web security and control for an organization. Cisco CWS policies apply to all users regardless of their location and device type.

Figure 9 Cisco CWS Internet edge design

ApprovedContent

ApprovedWeb Requests

DMZ SwitchesInternetServers

Traffic Redirected to Cisco Web Security

Internet

Cisco ASA

DistributionSwitches

User Community

BlockedContent

BlockedURLs

BlockedFiles

Cisco CloudWeb Security

Web Sites

Cisco CWS Using the Connector for Cisco ASAInternal users at both the primary site and remote sites access the Internet by using the primary site’s Internet-edge Cisco ASA, which provides stateful firewall and intrusion prevention capabilities. It is simple and straightfor-ward to add Cisco CWS to a Cisco ASA appliance that is already configured and operational. This integration uses the Cloud Web Security Connector for Cisco ASA and requires no additional hardware.

Cloud Web Security using Cisco ASA enables the following security capabilities:

• Transparent redirection of user web traffic—Through seamless integration with the Cisco ASA firewall, web traffic is transparently redirected to the Cisco CWS service. No additional hardware or software is required, and no configuration changes are required on user devices.

• Web filtering—Cisco CWS supports filters based on predefined content categories and it also supports more detailed custom filters that can specify application, domain, and content type or file type. The filtering rules can be configured to block or warn based on the specific web-usage policies of an organization.

• Malware protection—Cisco CWS analyzes every web request in order to determine if content is malicious. CWS is powered by the Cisco Security Intelligence Operations (SIO) whose primary role is to help organi-zations secure business applications and processes through identification, prevention, and remediation of threats.

• Differentiated policies—The Cisco CWS web portal applies policies on a per-group basis. Group member-ship is determined by the group authentication key of the forwarding firewall, source IP address of the web request, or the Microsoft Active Directory user and domain information of the requestor.

The Cisco ASA firewall family sits between the organization’s internal network and the Internet and is a funda-mental infrastructural component that minimizes the impact of network intrusions while maintaining worker pro-ductivity and data security. The design uses Cisco ASA to implement a service policy that matches specified traf-fic and redirects the traffic to the Cisco CWS cloud for inspection. This method is considered a transparent proxy, and no configuration changes are required to web browsers on user devices.

The various traffic flows for each of these user types are shown in the following figures.

Figure 10 Cisco CWS with internal and guest users

InternalUser

Internet

Web SiteCisco Cloud

Web Security

GuestUser

Internet

Web SiteCisco Cloud

Web Security

InternalNetwork

GuestNetwork

Figure 11 Cisco CWS for mobile devices using remote-access VPN

Internet Internet

InternalNetwork

Web SiteRA VPN

Mobile Device

InternalNetwork

Web SiteRA VPN

Mobile Device

Certain source and destination pairs should be exempted from the service policy, such as remote-access VPN users accessing internal networks or internal users accessing DMZ networks.

For information about how to deploy this solution, see the Cloud Web Security Using Cisco ASA Technology Design Guide. This guide discussed the configurations required to implement a Cisco ASA service policy that matches specified traffic and redirects the traffic to the Cisco CWS cloud for inspection. This method is considered a transparent proxy, and no configuration changes are required to web browsers on user devices..

Cisco CWS Using Cisco AnyConnectMobile remote users connect to their organization’s network by using devices that generally fall into two catego-ries:

• Laptops

• Mobile devices such as smartphones and tablets

When provisioned with the Cisco AnyConnect Secure Mobility Client with Cisco CWS module, laptops are not required to send web traffic to the primary site. The CWS module gives the Cisco AnyConnect client the abil-ity to let Internet web traffic go out through a Cisco CWS proxy directly to the destination, without forcing traffic through the organization’s headend. Without Cisco CWS, the traffic must be routed down the VPN tunnel, in-spected at the campus Internet edge, and then redirected to the original destination.

This process consumes bandwidth and potentially increases latency. With Cisco CWS, the connection can be proxied through the Cisco ScanSafe cloud and never has to traverse the VPN tunnel, as shown in the following figure.

Figure 12 Web traffic flow for CWS with Windows and Mac OS X clients

RA VPNClient

InternalNetwork

Web Site

Internal Traffic(Static Exceptions) Internet

For the web security of Microsoft Windows and Apple Mac OS laptops, Cloud Web Security using Cisco AnyCon-nect enables the following security capabilities:

• Redirect web traffic—The Cisco CWS module can be integrated into the Cisco AnyConnect client, allowing web traffic to be transparently redirected to the Cisco CWS service. The CWS module is administered cen-trally on the RAVPN firewall and requires no additional hardware. Once installed, the CWS module continues to provide web security even when disconnected from the RAVPN firewall.

• Filter web content—Cisco CWS supports filters based on predefined content categories, as well as custom filters that can specify application, domain, content type, or file type. The filtering rules can be configured to block or warn based on the specific web usage policies of an organization.

• Protect against malware—Cisco CWS analyzes every web request to determine if the content is malicious. CWS is powered by the Cisco Security Intelligence Operations, the primary role of which is to help organi-zations secure business applications and processes through identification, prevention, and remediation of threats.

• Apply differentiated policies—The Cisco CWS web portal applies policies on a per-group basis. Group mem-bership is determined by the group authentication key assigned within the Cisco AnyConnect CWS profile on the RAVPN firewall.

Cloud Web Security using Cisco AnyConnect enables the following network capabilities:

• User authentication—The AnyConnect client requires all remote access users to authenticate before negoti-ating a secure connection. Both centralized authentication and local authentication options are supported.

• Differentiated access—The remote access VPN is configured to provide different access policies depending on assigned user roles.

• Strong encryption for data privacy—The Advanced Encryption Standard cipher with a key length of 256 bits is used for encrypting user data. Additional ciphers are also supported.

• Hashing for data integrity—The Secure Hash Standard 1 cryptographic hash function with a 160-bit message digest is used to ensure that data has not been modified during transit.

For more information about how to deploy this solution, see the Cloud Web Security Using Cisco AnyConnect Tech-nology Design Guide.

GUEST WIRELESS TERMINATIONGuest wireless termination within the Internet edge is detailed in the Campus Wireless LAN Technology Design Guide. The designs contained within the Campus Wireless LAN Technology Design Guide provide ubiquitous data and voice connectivity for employees and provides wireless Internet access for guests. Regardless of their location within the organization—on large campuses or at remote sites—wireless users have the same experience when connecting to voice, video, and data.

Future Releases of Internet Edge

Future Releases of Internet Edge This architecture document and its associated design guides describe only a portion of Internet edge’s many capabilities. Future releases will describe some of the following capabilities:

• Threat intelligence

• Anti-malware

• Host-based security

• Web application firewalling

• DDOS prevention

• TLS encryption offload

• Flow analytics

• Load-balancing considerations

• Management and policy

Summary

SummaryToday’s networks extend to wherever employees are, wherever data is, and wherever data can be accessed. The Internet edge is often the first line of attack and is subsequently the first line of defense against these at-tacks. As a result, technologies must be applied that focus on detecting, understanding, and stopping these threats. These attacks can render an enterprise inaccessible from the Internet and prevent employees from doing productive work locally and remotely.

Cisco’s Internet edge solutions work to mitigate these threats and minimize the impact of the enterprise’s pro-ductivity.

Americas HeadquartersCisco Systems, Inc.San Jose, CA

Asia Pacific HeadquartersCisco Systems (USA) Pte. Ltd.Singapore

Europe HeadquartersCisco Systems International BV Amsterdam,The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Please use the feedback form to send comments and suggestions about this guide.

B-000145c-2 10/15

Internet Edge Design Summary October 2015 - Cisco · The following figure shows a dual ISP design...

Documents