Cisco Hosted Security as a Service—Design Guide—Last Updated: September 3, 2014

About the Authors

Albra Welch, Security Solutions Architect, Security Business Group, Cisco
Albra joined Cisco in 1998. She has held various senior technical roles, including VXI Systems Architect, TrustSec Solution Manager and Architect, MACsec Partner Relationship Manager, IOS VPN Technical Leader, and uBR925 Cable Modem Software Project Leader.

Peter Dowker, Security Solutions Architect, Security Business Group, Cisco
Peter Dowker has worked at Cisco Systems as Consulting Systems Engineer, Systems Engineer, Manager, Systems Engineering, and Content Security Solutions Architect in the Service Provider, Enterprise, and Government sectors.

Terri Quinn, Security Solutions Manager, Security Business Group, Cisco
Terri is a Security Solutions Manager in the Security Business Group at Cisco Systems. She joined Cisco in 1995, working in multiple areas during her tenure, including Product Management, Technical Marketing, Advanced Services, Compliance Solutions Management, and Marketing.
Contents

Introduction 4
Products and Releases 5
Assumptions 6
Solution Overview 6
Architecture 6
Design Considerations for Hosted Web Security Services 12
Web Service Tier Examples 12
WSAV Sizing and Performance 13
WSAV on UCS 15
WSAV Licensing 15
WSAV Monitoring Profile and Reports 15
Design Considerations for Hosted Email Security Services 18
Email Service Tier Examples 18
ESAV Sizing and Performance 19
ESAV on UCS 19
ESAV Licensing 20
ESAV Monitoring Profile and Reports 20
Service Fulfillment Design Considerations 21
UBIqube MSActivator Sizing Requirements 22
Data Retention Requirements 23
Service Provider Administrator Provision Requirements 23
Solution Validation 24
Creating the Service Tiers 25
Creating the Service Tiers 30
Creating Delegation Profiles 38
Creating Managers 42
Creating Devices 49
Concluding Remarks 60
Appendix A—References 60
Appendix B—HSS Component Configurations Tested 60
ASA 5585X Customer Private Context Configuration 60
ASA 5585X Customer DMZ Configuration 62

Introduction

Enterprise customers are adopting cloud services from their service providers more quickly in 2014 than in previous years, and this trend will increase over the next several years. Cost savings, staffing shortages, and gaps in technology expertise are a few of the drivers these businesses face. Service providers are introducing more cloud service offerings at a faster pace to meet this increase in demand. They provide their enterprise customers with a full suite of services that span collaboration, video, security, networking, and disaster recovery solutions. The Cisco Hosted Security as a Service (HSS) Solution allows service providers to deliver cost-effective managed security services to enterprise customers who have challenges with maintaining a secure infrastructure and controlling costs, and who lack security expertise.
By adopting managed security services based on Cisco HSS, service providers can help customers reduce their IT security costs and provide always up-to-date security protection while offloading security management operations.

This HSS design is based on the Cisco Virtualized Multiservice Data Center (VMDC) architecture, which allows the service provider to deliver bundles of cloud services including security, collaboration, infrastructure as a service (IaaS), and application services. For more information on VMDC 2.3, refer to the VMDC 2.3 Design Guide at the following URL: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VMDC/2.3/design_guide/VMDC_2.3_DG.html

This HSS Cisco Validated Design (CVD) includes the Cisco Web Security Virtual Appliance (WSAV) and Cisco Email Security Virtual Appliance (ESAV) to provide content security services. The HSS solution resides in the service provider data center, and can be managed directly by the service provider, the Cisco Smart Ops team, or a third-party managed service provider. Cisco has partnered with UBIqube to provide service provisioning and monitoring for the HSS solution. UBIqube provides true multitenant security domain management with the capability to integrate with cloud orchestration and Business Support Systems (BSS)/Operations Support Systems (OSS) solutions.

With the Cisco HSS solution, service providers benefit in the following ways:
• Mitigation of financial, technology, and market risks by using virtual machines instead of physical security appliances—Service providers avoid the risk associated with upfront investment in specific hardware, and over the lifecycle of the service they avoid technology obsolescence.
• Acceleration of time to revenue by offering services using virtual platforms in the cloud infrastructure foundation.
• Increased average revenue base—Multiple service offerings can be bundled for the same customer to increase the spending of existing customers, and to increase the number of enterprise customers through broadened service offerings.
• Proven technology solution—Built with industry standard hardware (VMDC) and enterprise-class virtual security software (email, web, firewall, and so on).
• Reduced CapEx and OpEx in offering the service(s)—Lower initial price as well as increased automation and standardization.
• Competitive differentiation—Ability to offer a variety of bundled services, along with multiple service tiers and service-level agreements (SLAs).

Copyright © 2014 Cisco Systems, Inc. All rights reserved. Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Products and Releases

The Cisco Hosted Security as a Service Solution uses the components listed in Table 1, with the versions that were tested. Table 1 also lists the requirement status of each HSS component.

Table 1 Cisco Hosted Security as a Service Solution Components

Product | Release | Required/Recommended/Optional
HSS
WSAV | AsyncOS 7.7.5, premium license | Required
ESAV | 8.0, inbound license | Required
UBIqube MSActivator Security Domain Manager | 13.1 | Recommended
VMDC 2.3 Gold Container | | Recommended
VMDC 2.3
Unified Computing System (UCS), UCS B or C | 2.0(4b) | Required
ASR 1006 (Cisco 7600/ASR 1000/ASR 9000) | IOS XE 3.7.1S | Recommended
ASA 5555-X (Remote Access) | 9.0.1 | Recommended
ASA 5585-X (FW) | 9.0.1 | Recommended
Nexus 7004 Sup-2, N7K-F248-12 | NX-OS 6.1(3) | Recommended
Nexus 5548UP | NX-OS 5.2(1)N1(2) | Recommended
Nexus 1010 | NX-OS 4.2(1)SP1(5.1) | Recommended
Nexus 1000v | NX-OS 4.2(1)SV2(1.1) | Recommended
Virtual Security Gateway (VSG) | NX-OS 4.2(1) VSG1(4.1) | Optional
Prime Network Management Controller (PNMC) | 2.0(3f) | Optional
Citrix Netscaler VPX, SPX (not tested); Citrix or F5 | 10.1 | Recommended (if needed)
FAS6040 (Production Pod), FAS3240 (Management Pod); NetApp or EMC | ONTAP 8.1.1 | Recommended
VMware vSphere | ESXi 5.1 | Required
VMware vCenter | 5.1.0 Build 880146 | Required

Note WSAV 8.0.6 software provides improved performance for HTTP traffic, but was not in general release at the time of this CVD publication.

Assumptions

Solution dependencies that are out of scope include the following:
• Service provider DNS
• Customer network DNS
• DomainKeys (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) security on DNS records for ESAV
• Public Key Infrastructure (PKI) and PKI Certificate Authority (CA)
• Out-of-band/offline update provisioning and management for WSAV and ESAV virtual machines

Solution Overview

Architecture

The Cisco HSS Solution uses virtual security appliances hosted in the service provider cloud to deliver managed security services for their business customers. The Cisco HSS Solution can offer multiple services to a single business customer, such as email security, web security, firewall, and VPN services (see Figure 1). This CVD covers web security and inbound email security.

Figure 1 Cisco Hosted Security as a Service Solution Topology Overview

The Cisco HSS Solution uses three topology layers: the infrastructure layer, the services layer, and the orchestration layer, as shown in Figure 2.

Figure 2 Hosted Security Solution Topology Layers

The Cisco HSS solution uses the Cisco VMDC 2.3 Expanded Gold Container as the architectural foundation for HSS service offerings, and adds WSAV, ESAV, and UBIqube MSActivator components to that architecture. (See Figure 3.)

Figure 3 Cisco VMDC 2.3 Expanded Gold Container Topology

The following changes were required to accommodate HSS in a VMDC 2.3 Expanded Gold Container:
• The remote access VPN needed to move and be attached to the customer private context firewall instead of the customer DMZ context firewall.
This was required for WSAV to support users connecting from the customer site and also via remote access VPN. Web Cache Communication Protocol (WCCP) redirect is recommended on the customer DMZ context firewall, so the remote access VPN had to be attached to a different firewall for traffic to flow properly.
• Firewall policy and routing to allow access from the customer site to the Internet required the following:
– Injection of default routes into the customer site, pulling traffic into the private zone.
– Firewall policies allowing access from the customer site to the DMZ.
– Static routes for customer site subnets on the firewalls in both the private and DMZ contexts, as well as injection of those subnets into the routing of the tenant virtual routing and forwarding (VRF) tables.
– Firewall policies allowing SMTP and DNS queries to be forwarded.
– WCCP redirect configured on the firewall in the customer DMZ context.
• UBIqube MSActivator connectivity is required via a shared Cisco Adaptive Security Appliance (ASA) context that must be reachable from each tenant container. Network Address Translation (NAT) maps the WSAV/ESAV IP addresses to a unique IP address in the service provider cloud administrator context. This is required because addressing may overlap across tenant containers.
• The ESAV is located in the DMZ 1 VLAN of the tenant container, which is connected to the customer DMZ VRF on the M1 interface. Single NIC mode is recommended for simplicity. The default gateway is the customer DMZ firewall.
• The WSAV is located in the DMZ 2 VLAN of the tenant container, which is connected to the tenant service VLAN on the M1 interface. Single NIC mode simplifies connectivity to both the tenant Active Directory and service provider management. A static route is required on the WSAV to the UBIqube MSActivator. The default gateway points to the customer DMZ firewall.

Figure 4 shows the HSS VMDC topology.
Figure 4 Cisco Hosted Security as a Service Solution VMDC Topology

Adding WSAV into the VMDC 2.3 architecture results in the web traffic flows shown in Figure 5.

Figure 5 WSAV Flows in the VMDC 2.3 Expanded Gold Container

Email flows can come from customer hosted email or service provider hosted email, as shown in Figure 6 and Figure 7.

Figure 6 ESAV Flows for Customer Hosted Email

Figure 7 ESAV Flows for Service Provider Hosted Email

UBIqube MSActivator acts as the security domain manager in the HSS solution. UBIqube has designed a framework, the MSActivator, that abstracts the fulfillment of any vendor device to create a common service activation layer (see Figure 8).

Figure 8 UBIqube MSActivator Architecture

The MSActivator is engineered as a telco-grade (scalable), multitenant, and vendor-agnostic orchestration system. The framework simplifies device or element configuration and the activation and management of services. It features open APIs to integrate with legacy OSS systems and SDKs for customization and integration of new vendors' devices. For more information on UBIqube, see the following URL: http://www.ubiqubesolutions.com/.

The HSS solution in this design guide uses VMware ESXi 5.1. It requires a 64-bit processor and a minimum of 2 GB of RAM, and at least 8 GB of RAM to take full advantage of ESXi 5.1 features and to run virtual machines under typical production requirements. The following VMware features are supported by the security virtual appliances in this validated design:
• VM Templates (OVAs)
• VMware Clone
• VMware vMotion
• VMware Storage vMotion
• VMware High Availability (HA)
• VMware Site Recovery Manager (SRM)
• VMware Identity Feature
• Boot from SAN

Future HSS design validations will expand to Kernel-based Virtual Machine (KVM) support.
Design Considerations for Hosted Web Security Services

The web security portion of HSS uses the virtual web security appliance, WSAV version 7.7.5, and the solution includes two areas: web filtering and web security functions. Web filtering includes web usage controls, URL filtering, application visibility, and bi-directional control. Web security includes anti-malware protection, web content analysis, and script emulation. (See Figure 9.)

Figure 9 HSS Solution Web Filtering and Web Security

Web Service Tier Examples

The design includes six service tiers that a service provider can offer their enterprise customers (see Table 2), which were tested and validated.

Table 2 Service Tiers (tiers 1 through 4)
Web Reputation: X X X X
Real-Time Malware Scanning: X X X X
URL Filtering: Monitoring; URL Filtering: Blocking: X X X
AVC: Monitoring: X
AVC: Blocking:
HTTPS Proxy: optional optional optional optional
External User Authentication: optional optional optional optional

Table 2 Service Tiers (continued, tiers 5 and 6)
Web Reputation: X X
Real-Time Malware Scanning: X X
URL Filtering: Monitoring; URL Filtering: Blocking: X X
AVC: Monitoring: X X
AVC: Blocking: X X
HTTPS Proxy: optional optional
External User Authentication: optional optional

WSAV Sizing and Performance

The WSAV requires the disk, memory, and core space per tenant instance of the virtual machine shown in Table 3.

Table 3 Disk, Memory, and Core Space per Tenant
Physical HW Equivalent | Model | Disk (GB) | Memory (GB) | Cores
S170 | S000V (1) | 250 | 4 | 1
S170 | S100V | 250 | 6 | 2
S370 | S300V | 1024 | 8 | 4
1. This model is for lab testing only, not production.

The performance of a single instance of the WSAV, version 7.7.5, is shown in Table 4, where RPS is HTTP requests per second.
Table 4 Single Instance of WSAV Performance
Software Blades | S300V | S100V | S000V
Essentials (WBRS, WUC) | 600 RPS (89 Mbps) | 360 RPS (53 Mbps) | 150 RPS (22 Mbps)
Anti-Malware (WBRS, NTLM, Sophos, Webroot, Adaptive Scanning) | 425 RPS (63 Mbps) | 250 RPS (37 Mbps) | 100 RPS (15 Mbps)
Premium (WBRS, NTLM, WUC, Webroot, Sophos, Adaptive Scanning, Complex Policies) | 290 RPS (43 Mbps) | 170 RPS (25 Mbps) | 70 RPS (10 Mbps)
Premium (WBRS, NTLM, WUC, Webroot, Sophos, Complex Policies) | 320 RPS (47 Mbps) | 170 RPS (25 Mbps) | 70 RPS (10 Mbps)
Premium (WBRS, NTLM, WUC, McAfee, Webroot, Adaptive Scanning) | 265 RPS (39 Mbps) | 125 RPS (19 Mbps) | 50 RPS (7 Mbps)

Note the following:
• Cisco recommends RAID 10 under the WSAV because RAID 5 has a slow write speed.
• WUC includes the URL filtering and AVC features enabled.
• Policy setup is one global identity and one access policy. Adding more complexity will introduce performance degradation approaching the RPS numbers of the complex policies rows.
– All tests were run with 10 percent of HTTPS traffic being decrypted.
– Complex policy setup: 30 access policies, 15 identities, and 29 custom categories.
– Three NTLM forests with no trust between them were set up for authentication.
• There is only one premium bundle.
• WSAV version 8.0.6 provides increased performance, but was not in general release at the time of this CVD release.

The performance of multiple instances of WSAV using version 8-0-0-410 is shown in Table 5 and Table 6.
Table 5 WSAV Performance
TestID | Deployment | Test Type | Client Latency (ms) (1) | Cache Hit | Aggregated Throughput (Mbits/sec) | Aggregated RPS
Premium Bundle (Sophos) Tests
WSA1520_SSL_25 | 1 x S300V | Benchmark | 1880 | 22% | 42 | 380
WSA1520_SSL_25 | 1 x S300V | 50% Load | 1000 | 22% | 18 | 162
WSA1520_SSL_25 | 12 x S300V | 50% Load | 1080 | 23% | 216 | 1944
Essentials Bundle (No A/V) Tests
WSA1551_SSL_25 | 1 x S300V | Benchmark | 1330 | 21% | 64 | 578
WSA1551_SSL_25 | 1 x S300V | 50% Load | 1000 | 23% | 32 | 282
WSA1551_SSL_25 | 12 x S300V | 50% Load | 1000 | 23% | 384 | 3384
1. Client latency: Cisco's tests introduce 1000 ms of server-side latency. Any latency above this is introduced by the proxy being under load.

Table 6 WSAV Performance—Disk Stats
Deployment | Test Type | Reads/sec | Writes/sec | MBytes Read/sec | MBytes Written/sec | IOPS | Disk Latency
Premium Bundle (Sophos) Tests
1 x S300V | Benchmark | 159 | 376 | 41 | 83 | 535 | < 5 ms
1 x S300V | 50% Load | 67 | 201 | 20 | 40 | 269 | < 5 ms
12 x S300V | 50% Load | 803 | 2414 | 240 | 480 | 3222 | < 10 ms
Essentials Bundle (No A/V) Tests
1 x S300V | Benchmark | 103 | 494 | 6 | 20 | 597 | < 5 ms
1 x S300V | 50% Load | 73 | 289 | 3 | 10 | 378 | < 5 ms
12 x S300V | 50% Load | 870 | 3463 | 35 | 116 | 4530 | < 10 ms

The hardware specifications shown in Figure 10 were used for the multi-WSAV testing.

Figure 10 Hardware Specifications

WSAV on UCS

Sizing WSAV on Cisco Unified Computing System (UCS) should be done with Cisco Content Security Product team experts.

WSAV Licensing

The HSS web security services use the WSAV Premium License. Providing anti-malware and anti-virus protection is the foundation for this service. URL filtering and application control are service options.

WSAV Monitoring Profile and Reports

The set of WSAV SNMP objects that were tested in this CVD are defined in the WSAV Monitoring Profile, as shown in Figure 11. Custom graphs and objects tracked are supported. The WSAV Monitoring Profile is an example of the data that can be monitored.
It can be tailored to service provider-specific requests.

Figure 11 WSAV Monitoring Profile

Table 7 lists the WSAV MIB objects that the WSAV Monitoring Profile uses.

Table 7 WSAV MIB Objects
WSAV MIB Object | Description
cacheBwidthTotal1dayMean | Average bandwidth total in the last day (in Kb/sec)
cacheBwidthTotal1hrMean | Average bandwidth total in the last hour (in Kb/sec)
cacheBwidthTotal1weekMean | Average bandwidth total in the last week (in Kb/sec)
cacheBusyCPUPct | Percentage of busy time of CPU
cacheBwidthSaving1hrMean | Average bandwidth savings in the last hour (in Kb/sec)
cacheBwidthSaving1dayMean | Average bandwidth savings in the last day (in Kb/sec)
cacheBwidthSaving1weekMean | Average bandwidth savings in the last week (in Kb/sec)
cacheMaxResSize | Maximum resident size in KB
cacheTotalRespTime1hrMean | Average cache total response time in the last hour
cacheTotalRespTime1dayMean | Average cache total response time in the last day
cacheTotalRespTime1weekMean | Average cache total response time in the last week
cacheServerInKb | The number of KBs received by the proxy from remote servers
cacheServerErrors | The number of HTTP errors while fetching objects

Note The full set of WSAV SNMP objects that can be monitored for 7.7.0 is the AsyncOS Web MIB (7.7.x); see the following URL: http://www.cisco.com/web/ironport/tools/web/7.7.0/asyncosweb-mib.txt.

The service provider administrator can capture the WSAV access logs via syslog from the VM so that reports can be generated. UBIqube has created a custom W3C log file format, called testW3C, that is loaded into the WSAV at provisioning time, with the log fields shown in Table 8.
Table 8 Log Fields
Log Field | Description
c-ip | Client IP address
cs-username | Client-to-server username
s-ip | Server IP address
cs(Referer) | Referer
cs-url | The entire URL
s-hostname | Data source or server IP address
s-port | Destination port number
sc-http-status | HTTP response code
sc-bytes | Response size (header + body)
Bytes | Max syslog message length
x-elapsed-time | Elapsed time
s-hierarchy | Hierarchy retrieval
cs(User-Agent) | User agent. This field is written with double quotes in the access logs.
cs-uri | Request URI
Timestamp | Timestamp in UNIX epoch
x-webcat-code-abbr | The URL category verdict determined during request-side scanning, abbreviated.
x-webcat-code-full | The URL category verdict determined during request-side scanning, full name.
x-mcafee-virus-name | McAfee-specific identifier (virus name). This field is written with double quotes in the access logs.
x-mcafee-scanverdict | Request-side DVS scan verdict
x-webroot-threat-name | Webroot-specific identifier (threat name). This field is written with double quotes in the access logs.
x-webroot-scanverdict | Malware scanning verdict from Webroot
sc-result-code | Result code. For example: TCP_MISS, TCP_HIT

This is the set of fields that UBIqube's WSAV default report requires to generate the UBIqube reports.

Note The full set of W3C log fields can be found at the following URL: http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-7-5/user_guide/WSA_7-7-5_UserGuidebook.pdf, Table 24-11.

The service provider administrator may be interested in the following reporting tabs on the WSAV:
• Reporting -> System Capacity
• Reporting -> System Status

The rest of the reporting capabilities on the WSAV are most relevant to the end customer administrator. For some customers, monitoring the reports will be sufficient, but others will want guest or read-only access to the WSAV GUI. UBIqube's role-based access capabilities support this.
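A parser for access-log lines in the testW3C field set of Table 8, written as an added example for this guide (it is not Cisco's or UBIqube's reporting code). It assumes the fields arrive space-separated in the order Table 8 lists them, that the three fields the table marks as double-quoted are quoted, and that an empty field is written as "-"; the sample lines are constructed, and a truncated syslog message is counted rather than silently dropped.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Field names in the order Table 8 lists them; that this is also the order on
# the wire is an assumption of this example.
FIELDS = [
    "c-ip", "cs-username", "s-ip", "cs(Referer)", "cs-url", "s-hostname",
    "s-port", "sc-http-status", "sc-bytes", "Bytes", "x-elapsed-time",
    "s-hierarchy", "cs(User-Agent)", "cs-uri", "Timestamp",
    "x-webcat-code-abbr", "x-webcat-code-full", "x-mcafee-virus-name",
    "x-mcafee-scanverdict", "x-webroot-threat-name", "x-webroot-scanverdict",
    "sc-result-code",
]
INT_FIELDS = {"s-port", "sc-http-status", "sc-bytes", "Bytes",
              "x-elapsed-time", "Timestamp"}
EMPTY = "-"  # assumed marker for an empty field

# A token is either a double-quoted string (User-Agent, virus name and threat
# name, per Table 8) or a run of non-whitespace characters.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]


def parse_line(line):
    """Return one access record as a dict, or None if the line is malformed
    (wrong field count, typically a syslog message truncated mid-quote)."""
    tokens = tokenize(line)
    if len(tokens) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    for name in INT_FIELDS:
        rec[name] = int(rec[name]) if rec[name].isdigit() else None
    if rec["Timestamp"] is not None:
        rec["time"] = datetime.fromtimestamp(rec["Timestamp"], tz=timezone.utc)
    return rec


def summarize(lines):
    """Aggregate the per-tenant figures a report needs: result codes, URL
    categories, response bytes, and requests where a scanner named a threat."""
    summary = {"records": 0, "malformed": 0, "bytes": 0,
               "result_codes": Counter(), "categories": Counter(),
               "threat_hits": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["malformed"] += 1  # count, never silently drop, bad lines
            continue
        summary["records"] += 1
        summary["bytes"] += rec["sc-bytes"] or 0
        summary["result_codes"][rec["sc-result-code"]] += 1
        summary["categories"][rec["x-webcat-code-full"]] += 1
        names = [n for n in (rec["x-mcafee-virus-name"],
                             rec["x-webroot-threat-name"]) if n != EMPTY]
        if names:
            summary["threat_hits"].append((rec["c-ip"], rec["cs-url"], names))
    return summary


# Constructed sample lines for this example (not captured from a real WSAV).
SAMPLE_LINES = [
    '10.1.1.25 jdoe 93.184.216.34 - http://www.example.com/index.html '
    'www.example.com 80 200 5120 1024 312 DIRECT "Mozilla/5.0 (Windows NT 6.1)" '
    '/index.html 1409702400 busi "Business and Industry" - - - - TCP_MISS',
    '10.1.1.40 asmith 198.51.100.7 http://www.example.net/ '
    'http://www.example.net/dl/setup.exe www.example.net 80 403 0 1024 45 DIRECT '
    '"curl/7.29.0" /dl/setup.exe 1409702461 comp "Computers and Internet" '
    '"Test-Threat-Sample" positive "Test-Threat-Sample" positive TCP_DENIED',
    # Truncated mid-quote, as a syslog message over the maximum length would be.
    '10.1.1.25 jdoe 93.184.216.34 - http://www.example.com/logo.png '
    'www.example.com 80 200 "Mozilla/5.0',
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print(result["records"], "records,", result["malformed"], "malformed")
    print(dict(result["result_codes"]), result["threat_hits"])
```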
WSAV role-based access controls must also be used to ensure that the end customer does not upgrade their level of service without service provider knowledge. WSAV enforces this by creating user accounts with guest or read-only access.

The retention policy for log files is one year by default. It is configured globally for the UBIqube MSActivator, so all customers have the same retention policy. All logs are readily visible in UBIqube MSActivator for one month. They are archived after a month, and access to the UBIqube MSActivator CLI is necessary to retrieve log files from the archive.

Design Considerations for Hosted Email Security Services

The email security portion of HSS uses the virtual email security appliance, ESAV, running AsyncOS 8.0 for Email. (See Figure 12.) The solution includes inbound email protection for the following:
• Spam defense
• Virus and malware defense
• SenderBase reputation scoring
• Content and outbreak filters

Outbound email protection will be documented in a later HSS phase.

Figure 12 HSS Solution Email Security

Email Service Tier Examples

The design includes inbound email security only, and covers four service tiers that a service provider can offer their enterprise customers (see Table 9), which were tested and validated.

Table 9 Email Service Tier (tiers 1 through 4)
SenderBase Reputation Scoring: X X X X
Anti-Spam: X X X X
Sophos Anti-Virus; Outbreak Filters, Content Filters: X X X X X
HA/Clustering: Load Balancing; Quarantine: Optional Optional Optional X Optional

ESAV Sizing and Performance

The ESAV requires the disk, memory, and core space per tenant listed in Table 10.

Table 10 Disk, Memory, and Core Space
Physical HW Equivalent | Model | Disk (GB) | Memory (GB) | Cores
C160 | C000V (1) | 200 | 4 | 1
C160 | C100V | 200 | 6 | 2
C360 | C300V | 500 | 8 | 4
C660 | C600V | 500 | 8 | 8
1. This model is for lab testing only, not production.

Table 11 lists the performance of a single instance of the ESAV.
Table 11 ESAV Performance—Single Instance
Model | Messages per second | Messages per minute | Messages per hour
C000V | 2.54 | 152 | 9,144
C100V | 5.25 | 315 | 18,900
C300V | 11 | 660 | 39,600
C600V | 17.4 | 1,044 | 62,400

Note Cisco recommends RAID 10 under the ESAV because RAID 5 has a slow write speed.

ESAV on UCS

Sizing ESAV on Cisco UCS should be done with Cisco Content Security Product team experts.

ESAV Licensing

HSS email security uses the Email Security Inbound License. Cisco did not validate outbound email security; however, if a service provider wants to offer outbound email security services, the Email Security ESA-ESO-LIC= license will be required.

ESAV Monitoring Profile and Reports

The set of ESAV SNMP objects that were tested in this CVD are defined in the ESAV Monitoring Profile (see Figure 13). Custom graphs and objects tracked are supported. The ESAV Monitoring Profile is an example of the data that can be monitored. It can be tailored to service provider-specific requests.

Figure 13 ESAV Monitoring Profile

The ESA MIB objects that the ESAV Monitoring Profile uses are as follows:
• perCentCPUUtilization
• perCentMemoryUtilization
• perCentQueueUtilization
• workQueueMessages
• mailTransferThreads

Note For the full set of ESAV SNMP objects available, see the following URLs: http://www.cisco.com/web/ironport/tools/email/ASYNCOS-MAIL-MIB.txt and http://www.cisco.com/web/ironport/tools/email/IRONPORT-SMI.txt

The service provider administrator can capture the mail logs via syslog from the ESAV so that reports can be generated. UBIqube uses the standard format for the ESAV mail logs. The service provider administrator may be interested in several reporting tabs on the ESAV:
• Reporting -> System Capacity
• Reporting -> System Status

The rest of the reporting capabilities on the ESAV are most relevant to the end customer administrator.
For some customers, monitoring the daily and monthly reports directly from the ESAV will be sufficient; others may want guest or read-only access to the ESAV GUI. UBIqube's role-based access capabilities support this. ESAV role-based access controls must also be used to ensure that the end customer does not upgrade their level of service without service provider knowledge. The service provider must create a new role with the right entitlements for the end customer administrator.

The log retention policy for log files in the HSS solution is one year by default. This retention policy is configured globally for the UBIqube MSActivator, so all customers have the same retention policy. All logs are readily visible in UBIqube MSActivator for one month. They are archived after a month, and access to the UBIqube MSActivator CLI is necessary to retrieve log files from the archive.

Service Fulfillment Design Considerations

For the HSS solution, Cisco partners with UBIqube for service fulfillment, which includes the following:
• Service provisioning and activation
• License management
• Change management
• Service monitoring
• Updates
• Reporting

In this solution, Cisco used UBIqube MSActivator version 13.1, and primarily the Security Domain Manager. UBIqube MSActivator abstracts the fulfillment of Cisco (and other vendors') devices to create a common service activation layer. It is a telco-grade, multitenant, and vendor-agnostic orchestration system, simplifying element configuration, activation, and management of services. The MSActivator is a converged managed services delivery platform structured around an Information Technology Infrastructure Library (ITIL)-based configuration management database. The MSActivator modules are operated through the unified web portal. This Virtual Security Operation Center (VSOC) allows centralized provisioning, management, and monitoring of the devices and services. (See Figure 14.)
Figure 14 UBIqube MSActivator

UBIqube MSActivator Sizing Requirements

The size of the hardware is determined by the number of managed devices and the monitoring level of those devices. MSActivator offers various levels of monitoring:
• Silver Monitoring checks the status of the devices, and also polls the devices with SNMP to build graphs according to key performance indicators (KPIs).
• Gold Monitoring collects device events to measure activity. Events are classified to reflect activity on a per-type basis.
• Email Alert guarantees real-time alerting on events occurring on devices. This service requires Gold Monitoring.
• Detail Reporting aggregates events and generates PDF reports. This service requires Gold Monitoring.

Table 12 lists the UBIqube MSActivator specifications.

Table 12 MSActivator Specifications
VM | Number of VMs | CPU cores | Memory (GB) | Disk space (GB) | Monitoring
UBIqube MSActivator | 1 | 4 or 8 | 4–16 | 200–500 | Gold or Silver

For more details, see the MSActivator hardware sizing and distribution document at the following URL: https://training.ubiqube.com/DocsInterWiki/MSActivator_sizing_guide.pdf.

Data Retention Requirements

Service providers need to estimate how much disk space is needed for the deployment of all tenants. The estimate is largely based on the services that are deployed and the number of users. The guidance shown in Figure 15 is the recommended method for determining how much disk space is required for the monitoring logs and reports that need to be archived.

Figure 15 Disk Space Requirements

Service Provider Administrator Provision Requirements

Service provider administrators need to deploy security services that support automation for provisioning, reporting, and billing. UBIqube MSActivator Security Domain Manager can integrate into a service provider's existing cloud orchestration solution, if one exists.
There are two primary levels of service provider administrators: the SP Service Administrator and the SP Operations Activation Administrator.

UBIqube MSActivator Security Domain Manager enables the SP Service Administrator to do the following:
• Create the service tiers for each security service
• Integrate services into a billing system
• Define the data retention policy for services
• Define the end customer level of access policy
• Define the service provider operation level of access policy

Refer to the UBIqube MSActivator documentation for additional information.

UBIqube MSActivator Security Domain Manager enables the SP Operations Service Activation Administrator to do the following:
• Create a new customer
• Create/add services for the customer
• Provide customizable levels of access policy
• Monitor services and provide customizable reports to the end customer
• Assign the data retention policy for the customer
• Manage user licenses

Refer to the UBIqube MSActivator documentation for additional information.

Solution Validation

This section details the configuration of the HSS components and provisioning using UBIqube MSActivator. Figure 16 shows a sample configuration for service provider A. SPA-Admin is logged into UBIqube MSActivator, and this display shows two tenants: Customer 1 and Customer 2. Customer 1 has one ESAV and one WSAV configured. Customer 2 has one WSAV configured.

Figure 16 Sample Configuration

For Cisco ESAV and WSAV, device configurations are pushed via an SCP (copy over SSH) connection. Through UBIqube's template-based provisioning, MSActivator builds the configuration according to the set of templates attached to the device, and pushes it to the ESAV/WSAV. The ESA/WSA appliance replaces every XML section present in the pushed configuration with the pushed version of that section; that is, as soon as you push a particular section via a template, it replaces the section that already exists on the appliance, and sections that are not in the push are left as they were.
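The section-level replacement just described, modelled in Python as an added example (this is not Cisco's or UBIqube's code, and the XML section and setting names are constructed for the example rather than AsyncOS configuration syntax). It applies a pushed configuration to a running one one top-level section at a time and reports every setting a replaced section loses, which is the check a change-control step wants before a template that was assembled without, say, the WSAV's static route to MSActivator is pushed.

```python
import xml.etree.ElementTree as ET


def settings_of(section):
    """Map each child element of a section to its text (constructed model)."""
    return {child.tag: (child.text or "").strip() for child in section}


def push_config(running_xml, pushed_xml):
    """Apply a pushed configuration to a running one at section granularity.

    Returns (merged_root, report). The report records which sections were
    replaced, added or left untouched, and every setting that existed in a
    replaced section but is absent from the pushed version of that section
    (such a setting is gone from the appliance after the push).
    """
    running = ET.fromstring(running_xml)
    pushed = ET.fromstring(pushed_xml)
    report = {"replaced": [], "added": [], "untouched": [], "dropped": []}
    pending = {sec.tag: sec for sec in pushed}  # assumes one section per tag
    for index, old in enumerate(list(running)):
        new = pending.pop(old.tag, None)
        if new is None:
            report["untouched"].append(old.tag)
            continue
        old_settings, new_settings = settings_of(old), settings_of(new)
        for tag, value in old_settings.items():
            if tag not in new_settings:
                report["dropped"].append((old.tag, tag, value))
        running.remove(old)          # whole-section replacement, as the
        running.insert(index, new)   # appliance does it
        report["replaced"].append(old.tag)
    for tag, sec in pending.items():  # sections new to the appliance
        running.append(sec)
        report["added"].append(tag)
    return running, report


def push_is_safe(report):
    """Change-control gate: refuse a push that would silently drop settings."""
    return not report["dropped"]


# Constructed running configuration of a tenant WSAV: the network section holds
# the default gateway and the static route to MSActivator the design requires.
RUNNING_XML = """<config>
  <network>
    <dns>10.0.0.53</dns>
    <ntp>10.0.0.123</ntp>
    <default_gateway>192.0.2.1</default_gateway>
    <static_route>198.51.100.10/32 via 192.0.2.254</static_route>
  </network>
  <snmp>
    <community>tenant1-ro</community>
  </snmp>
  <logfile_alerts>
    <subscription>testW3C</subscription>
  </logfile_alerts>
</config>"""

# Constructed push built from a network template carrying only DNS and NTP.
PUSHED_XML = """<config>
  <network>
    <dns>10.0.0.53</dns>
    <ntp>10.0.0.124</ntp>
  </network>
  <logfile_alerts>
    <subscription>testW3C</subscription>
  </logfile_alerts>
</config>"""

if __name__ == "__main__":
    merged, report = push_config(RUNNING_XML, PUSHED_XML)
    print(ET.tostring(merged, encoding="unicode"))
    print("safe to push:", push_is_safe(report), report["dropped"])
```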
Figure 17 shows a diagram explaining the provisioning workflow.

Figure 17 Provisioning Workflow

Creating the Service Tiers

This section describes the service tier examples for both the ESA and WSA, and the template library used to create the customizable service tiers. These template libraries were created in the repository in UBIqube MSActivator. Both the ESA and WSA appliances are policy-provisioned by creating or modifying the XML configuration file. When ESA and WSA devices are created with UBIqube MSActivator, a configuration is applied to the device and is used to provision the initial policy. For the ESAV and WSAV, it is assumed that VMware vCenter has already provisioned a virtual machine for the content security virtual appliance with the correct number of cores, memory, and disk required by the virtual appliance model.

Table 13 lists the service tier examples for the ESAV.

Table 13 ESAV Service Tier Examples (Inbound Only) (tiers 1 through 4)
SenderBase Reputation Scoring: X X X X
Anti-Spam: X X X X
Local Anti-Spam Quarantine: X X X X
Sophos Anti-Virus; Outbreak Filters, Content Filters; External Load Balancing: X X X X X optional

Figure 18 shows the repository files for the configuration templates for the ESAV. A service provider can use one of the sample configurations for tiers 1–4, or create their own using the elements in the HSS_ESA_Template_Library. Each element of the library corresponds to specific features in the XML configuration file that UBIqube creates and applies to the device when the device is created.

Figure 18 Repository Files

Each service tier template is built using ESA template elements. The following is the current set of elements available in the HSS Phase 1 library. Table 14 lists the ESA template library elements.
Table 14  ESA Template Library Elements

| Element Name | Element Description |
|---|---|
| ESA_HEADER, ESA_FOOTER | These two required elements begin and end an ESA configuration template. |
| ESA_LDAP_Enabled | This element can optionally be included in the ESA configuration template to set up LDAP Server Profiles. |
| ESA_Network | This element can optionally be included in the ESA configuration template to set up the DNS server, NTP server, and time zone. |
| ESA_Reporting_disabled | This element can optionally be included in the ESA configuration template to disable Security Management Appliance reporting. |
| ESA_SECURITY | This element can optionally be included in the ESA configuration template and contains some global security settings. |
| ESA_SNMP | This element can optionally be included in the ESA configuration template to enable SNMP monitoring by UBIqube MSActivator. |

Table 15 lists the ESA feature elements.

Table 15  ESA Feature Elements

| ESA Feature | Element Name | Element Description |
|---|---|---|
| Antivirus | ESA_Antivirus_Disabled_Antispam_Enabled, ESA_Antivirus_Enabled_Antispam_Enabled | To enable/disable antivirus support, include one of these elements in the ESA configuration file. Antispam is enabled by default in both elements. |
| Content Filters | ESA_Content_filter_Disabled, ESA_Content_filter_Enabled | To enable/disable content filters, include one of these elements in the ESA configuration file. |
| Outbreak Filters | ESA_Outbreak_filter_Disabled, ESA_Outbreak_filter_Enabled | To enable/disable outbreak filters, include one of these elements in the ESA configuration file. |
| User Quarantine | ESA_User_quarantine_disabled, ESA_User_quarantine_enabled | To enable/disable user quarantine support, include one of these elements in the ESA configuration file. |
| Reputation Scoring | ESA_Senderbased_enabled | Sender-based reputation scoring should be enabled by default, and this element should be included in the ESA configuration file. |
| Data Loss Prevention | ESA_Data_loss_preventon_Disabled | Data Loss Prevention is an outbound mail feature and is not yet supported via UBIqube MSActivator. It is recommended that this element be included in the ESA configuration file. |

Table 16 lists the service tier examples for the WSAV.

Table 16  WSAV Service Tier Examples

| Feature | Tier 1 | Tier 2 | Tier 3 | Tier 4 | Tier 5 | Tier 6 |
|---|---|---|---|---|---|---|
| Web Reputation | X | X | X | X | X | X |
| Real-Time Malware Scanning | X | X | X | X | X | X |
| URL Filtering: Monitoring | | X | X | X | X | X |
| URL Filtering: Blocking | | | X | | | X |
| AVC: Monitoring | | | | X | X | X |
| AVC: Blocking | | | | | X | X |
| HTTPS Proxy | optional | optional | optional | optional | optional | optional |
| External User Authentication | optional | optional | optional | optional | optional | optional |

Figure 19 shows the repository files for the configuration templates for the WSAV. A service provider can use one of the sample configurations for tiers 1–6, or create their own using the elements in the HSS_WSA_Template_Library. Each element of the library corresponds to specific features in the XML configuration file that UBIqube creates and applies to the device when the device is created.

Figure 19  Repository Files

Each service tier template is built using WSA Template elements. The current set of elements available in the HSS Phase 1 library follows. Table 17 lists the WSA template library elements.

Table 17  WSA Template Library Elements

| Element Name | Element Description |
|---|---|
| WSA_HEADER, WSA_FOOTER | These two required elements begin and end a WSA configuration template. |
| WSA_AUTH_SERVER | This element can optionally be included in the WSA configuration template to set up authentication realms. |
| WSA_Network | This element can optionally be included in the WSA configuration template to set up the DNS server, NTP server, default gateway, and static routes. |
| WSA_LOGFILE_ALERTS | This element can optionally be included in the WSA configuration template to enable WSA reporting to UBIqube MSActivator. The log subscription testW3C is created, which is a collection of syslogs that MSActivator summarizes. |
Table 18 lists the WSA feature elements.

Table 18  WSA Feature Elements

| WSA Feature | Element Name | Element Description |
|---|---|---|
| Antivirus | WSA_Malware_scanning | To enable/disable Sophos or McAfee antivirus support, include this element in the WSA configuration file. |
| URL Filtering and Application Visibility Control | WSA_No_URL_Filtering, WSA_URL_Filtering_Blocking, WSA_URL_Filtering_Monitoring, WSA_URL_Filtering_Blocking_AVC_Blocking, WSA_URL_Filtering_Monitoring_AVC_Blocking, WSA_URL_Filtering_Monitoring_AVC_Monitoring | To enable/disable URL Filtering and Application Visibility Control, include one of these elements in the WSA configuration file. |

Creating the Service Tiers

ESA and WSA physical or virtual appliances are policy provisioned by creating/modifying the XML configuration file. When ESA and WSA devices are created with UBIqube MSActivator, a configuration is applied to the device and is used to provision the initial policy. For the ESAV and WSAV, it is assumed that VMware vCenter has already provisioned a virtual machine for the content security virtual appliance with the number of cores, memory, and disk required by the virtual appliance model.

Note: Best practice: Create a new service tier by cloning one of the existing examples and modifying the attributes in the clone. Create all new service tiers under the Operator section.

In the following example, the silver tier is cloned from the bronze tier and URL Blocking is enabled. The operator is Service Provider A (SPA).

Procedure

Step 1  Log in as the SP privileged administrator. SPA-Admin is an example administrator, as shown in Figure 20.

Figure 20  Login

Step 2  Click Management/Manage repository. (See Figure 21.)

Figure 21  Manage Repository

Step 3  Select the SPA_WSA_Bronze template in the repository. (See Figure 22.)

Figure 22  SPA_WSA_Bronze

Step 4  Copy the SPA_WSA_Bronze service tier by CTRL-clicking the tier and selecting Copy. (See Figure 23.)

Figure 23  Copying the Service Tier

Step 5  Paste it into the service provider's SPA->Cisco->WSA folder by CTRL-clicking the folder. (See Figure 24.)

Figure 24  Pasting

Step 6  CTRL-click copy_SPA_WSA_Bronze and select Properties. (See Figure 25.)

Figure 25  Properties

Step 7  Rename the cloned template from copy_of_SPA_WSA_Bronze to SPA_WSA_Silver and select Save. (See Figure 26 and Figure 27.)

Figure 26  Renaming the Cloned Template
Figure 27  Saving

Step 8  Open SPA_WSA_Silver and delete WSA_NO_URL_Filtering by clicking the trash can to the right of it. (See Figure 28.)

Figure 28  Deleting

Step 9  Copy the element WSA_URL_Blocking from the Cisco->WSA template library by CTRL-clicking the element. (See Figure 29.)

Figure 29  Copying the Element

Step 10  Paste the element WSA_URL_Blocking into the SPA_WSA_Silver template by CTRL-clicking the tier. (See Figure 30 and Figure 31.)

Figure 30  Pasting the Element
Figure 31  Pasting the Element (2)

Step 11  CTRL-click the comment element WSA_Bronze and select Properties. (See Figure 32.)

Figure 32  Properties

Step 12  Rename the comment element to SPA_WSA_Silver and select Save. (See Figure 33.)

Figure 33  Renaming the Comment Element

Step 13  The resulting SPA_WSA_Silver should look like Figure 34.

Figure 34  SPA_WSA_Silver

Creating Delegation Profiles

Define the end customer level of access policy using delegation profiles. The level of access is very granular, depending on the access required by the end customer user. In general, there are two levels for end customer manager accounts: End Customer Monitor Only access and End Customer Admin access. It is best to decide all the levels of access that are required across all the end customers, and to set up a standard set of delegation profiles at the beginning.
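The cloning procedure above, modeled in Python as an added example that is neither the guide's nor UBIqube's code. It uses the element names from Tables 17 and 18 (the procedure refers to the blocking element as WSA_URL_Blocking; Table 18 lists it as WSA_URL_Filtering_Blocking, which this example uses). The Bronze tier's element list and the validation rules (header first, footer last, exactly one URL filtering element, no duplicates or unknown elements) are assumptions made for this example, not the contents of the HSS_WSA_Template_Library. The check is the one to run before a cloned tier is attached to a device: a template that has lost its URL filtering element, or gained a second one, provisions a policy other than the one the service tier is supposed to deliver.

```python
from dataclasses import dataclass
from typing import List

# Element names from Tables 17 and 18 of the guide; the grouping into
# "required", "URL filtering" and "optional" is an assumption of this example.
HEADER, FOOTER = "WSA_HEADER", "WSA_FOOTER"
URL_FILTERING_ELEMENTS = {
    "WSA_No_URL_Filtering",
    "WSA_URL_Filtering_Monitoring",
    "WSA_URL_Filtering_Blocking",
    "WSA_URL_Filtering_Monitoring_AVC_Monitoring",
    "WSA_URL_Filtering_Monitoring_AVC_Blocking",
    "WSA_URL_Filtering_Blocking_AVC_Blocking",
}
OPTIONAL_ELEMENTS = {
    "WSA_AUTH_SERVER", "WSA_Network", "WSA_LOGFILE_ALERTS", "WSA_Malware_scanning",
}
KNOWN_ELEMENTS = {HEADER, FOOTER} | URL_FILTERING_ELEMENTS | OPTIONAL_ELEMENTS


@dataclass
class ServiceTier:
    name: str            # repository name, e.g. SPA_WSA_Silver
    comment: str         # the comment element at the top of the template
    elements: List[str]  # template elements in the order they are applied


def validate_tier(elements: List[str]) -> List[str]:
    """Return the rule violations in a template's element list (empty list = well-formed)."""
    problems = []
    if not elements or elements[0] != HEADER:
        problems.append("template must begin with WSA_HEADER")
    if not elements or elements[-1] != FOOTER:
        problems.append("template must end with WSA_FOOTER")
    url = [e for e in elements if e in URL_FILTERING_ELEMENTS]
    if len(url) != 1:
        problems.append(f"exactly one URL filtering element is required, found {url}")
    unknown = sorted(set(elements) - KNOWN_ELEMENTS)
    if unknown:
        problems.append(f"unknown elements: {unknown}")
    duplicates = sorted({e for e in elements if elements.count(e) > 1})
    if duplicates:
        problems.append(f"duplicate elements: {duplicates}")
    return problems


def clone_tier(source: ServiceTier, new_name: str, remove: str, add: str) -> ServiceTier:
    """Clone a tier, swap one element for another and rename the comment element.

    Mirrors Steps 4 through 12 above: copy, rename, delete the old element,
    paste the new one in its place, rename the comment element. The clone is
    validated before it is returned, so a malformed tier never reaches a device.
    """
    if remove not in source.elements:
        raise ValueError(f"{remove} is not in {source.name}")
    elements = [add if e == remove else e for e in source.elements]
    clone = ServiceTier(name=new_name, comment=new_name, elements=elements)
    problems = validate_tier(clone.elements)
    if problems:
        raise ValueError(f"{new_name}: " + "; ".join(problems))
    return clone


# Constructed Bronze tier: no URL filtering, as in the guide's example.
BRONZE = ServiceTier("SPA_WSA_Bronze", "WSA_Bronze", [
    HEADER, "WSA_Network", "WSA_LOGFILE_ALERTS", "WSA_Malware_scanning",
    "WSA_No_URL_Filtering", FOOTER,
])

# Silver = Bronze with URL blocking enabled (the procedure above).
SILVER = clone_tier(BRONZE, "SPA_WSA_Silver",
                    remove="WSA_No_URL_Filtering", add="WSA_URL_Filtering_Blocking")

if __name__ == "__main__":
    print(SILVER.name, SILVER.elements)
```

Swapping the element in place, rather than deleting and appending, keeps WSA_HEADER and WSA_FOOTER in their required positions; cloning into a second URL filtering element (for instance replacing WSA_Malware_scanning with a monitoring element) is rejected by the validator rather than producing a tier with two conflicting policies.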
As customers are created in MSActivator, you will need to create the managers and then apply the delegation profile.

Procedure

Step 1  Log in as the SP privileged administrator. SPA-Admin is an example administrator. (See Figure 35.)

Figure 35  Login

Step 2  Click Management/Create a delegation. (See Figure 36.)

Figure 36  Create a Delegation

Step 3  End Customer Security Admin is a sample end customer delegation profile for managers that are allowed to change configuration policy in addition to the default monitoring that all managers get. (See Figure 37, Figure 38, Figure 39, and Figure 40.)

Figure 37  Sample End Customer Delegation Profile
Figure 38  Sample Profile (2)
Figure 39  Sample Profile (3)
Figure 40  Sample Profile (4)

Creating Managers

Define the end customer level of access policy using delegation profiles. The level of access is very granular, depending on the access required by the end customer user. In general, there are two levels for end customer manager accounts: End Customer Monitor Only access and End Customer Admin access. It is best to decide all the levels of access that are required across all the end customers, and to set up a standard set of delegation profiles up front. As customers are created in MSActivator, you will need to create the managers and then apply the delegation profile.

Procedure

Step 1  Log in as the SP privileged administrator. SPA-Admin is an example administrator. (See Figure 41.)

Figure 41  Login

Step 2  Click Management/Create a manager. (See Figure 42.)

Figure 42  Create a Manager

Step 3  Create manager CU1-Admin and assign it the End Customer Security Admin delegation profile. Select Validate once complete. (See Figure 43 and Figure 44.)
Figure 43  Creating a Manager
Figure 44  Validating

Step 4  Attach the customer to the manager just created by selecting Manager management in the previous screen and proceeding to the following screen. (See Figure 45.)

Figure 45  Attach the Customer

Step 5  Select Customer 1 from the available customers and attach it to the manager CU1-Admin that was just created. Select Finish when done. (See Figure 46 and Figure 47.)

Figure 46  Attaching Customer to the Manager
Figure 47  Finish

In the example above, manager accounts for Customer 1 and Customer 2 were created. CU1-Admin and CU2-Admin share the End Customer Security Admin Profile, and CU1-Monitor and CU2-Monitor share the End Customer Security Monitor Profile.

Step 6  Define the service provider operation level access policy with delegation profiles. There are generally two types of service provider administrators. The service provider admin is a privileged administrator and is created when the operator is created during MSActivator initial configuration. Additional administrators can be created with service provider-specific delegation profiles. (See Figure 48.)

Figure 48  Managers

The SPA-Monitor manager was created above with the role of Manager and the delegation profile SPA Monitor Profile. This allows read-only access to all the devices across all the customers supported by the operator.

Creating Devices

The following sample workflow shows how to create a device in MSActivator for the ESAV or WSAV.

Procedure

Step 1  Log in as the SP privileged administrator. SPA-Admin is an example administrator. (See Figure 49.)

Figure 49  Login

Step 2  Select the customer for which to create the device. In the example shown in Figure 50, Customer 2 is selected.

Figure 50  Selecting the Customer

Step 3  Create the device by selecting Start Device Wizard. (See Figure 51.)
Figure 51  Start Device Wizard

Step 4  Select Cisco for the Manufacturer, and then select either the ESA or WSA as highlighted in Figure 52.

Figure 52  Selecting Manufacturer and Model

Step 5  Fill in the required fields in the device wizard creation form. Provide a device name, IP address, hostname, and username/password for the WSAV; and enable gold and silver monitoring, mail alerts, and reporting. (See Figure 53.)

Figure 53  Device Wizard Creation Form

Step 6  Select Edit the configuration file for the new device. (See Figure 54.)

Figure 54  Edit the Configuration Files

Step 7  Attach a license to the WSAV device by selecting the plus sign. (See Figure 55.)

Figure 55  Attaching a License

Step 8  Navigate to the proper license, select it, and apply it by selecting OK. (See Figure 56.)

Figure 56  Selecting the License

Step 9  Attach a configuration template to the WSAV device by selecting the plus sign. (See Figure 57.)

Figure 57  Attaching a Configuration Template

Step 10  Attach the SPA_WSA_Silver configuration template to the new WSAV device being created. (See Figure 58.)

Figure 58  Attaching the Configuration Template to the New Device

Step 11  The following five screens show an example of configuring the device settings for the SPA_WSA_Silver template that will be applied when this device is provisioned.

Figure 59  Configuration Example (1)
Figure 60  Configuration Example (2)
Figure 61  Configuration Example (3)
Figure 62  Configuration Example (4)
Figure 63  Configuration Example (5)

Step 12  Once the license and configuration are attached to the new WSAV device, the next step is to perform Initial Provisioning, as shown in Figure 64.

Figure 64  Initial Provisioning

Step 13  When automatic updates for the device are disabled, you will additionally be prompted to confirm the WSAV credentials. The XML configuration file that will be pushed to the device is also displayed in the Figure 65 screen.

Figure 65  Confirming the WSAV Credentials

Step 14  Figure 66 shows an example of a successful confirmation that the WSAV was created.

Figure 66  Successful Confirmation

Concluding Remarks

This guide describes the design topology and provides design guidance for the Cisco Hosted Security as a Service Solution for web and email security services. Consult the references in Appendix A for more detailed information on the products included in this design.

Appendix A—References

• Virtual MultiService Data Center 2.3—http://www.cisco.com/go/vmdc
• WSAV—http://www.cisco.com/c/en/us/products/security/web-security-appliance/datasheet-listing.html
• ESAV—http://www.cisco.com/c/en/us/products/security/product-listing.html
• UBIqube—http://www.ubiqubesolutions.com
• Cisco Powered Cloud and Managed Services Program—http://www.cisco.com/web/solutions/trends/cisco-powered/index.html

Appendix B—HSS Component Configurations Tested

ASA 5585X Customer Private Context Configuration

interface Port-channel11.2502
 nameif dmz
 security-level 50
 ip address 8.88.25.4 255.255.255.128 standby 8.88.25.5
!
access-list 8 extended permit ip any any
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
access-group 8 in interface outside
access-group 8 in interface inside
access-group 8 in interface dmz
route dmz 0.0.0.0 0.0.0.0 8.88.25.1 1
route inside 8.25.21.0 255.255.255.0 8.25.201.1 1
route inside 8.25.22.0 255.255.255.0 8.25.201.1 1
route inside 8.25.23.0 255.255.255.0 8.25.201.1 1
route outside 8.250.1.0 255.255.255.0 8.25.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 60
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map no-smtp-inspect-policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy no-smtp-inspect-policy global
Cryptochecksum:0717555f8b1fe8faa14021cccf33f241
: end
cvf8-fw-1/tenant25-gold-pvt#

ASA 5585X Customer DMZ Configuration

cvf8-fw-1/tenant25-gold-dmz# sh run
: Saved
:
ASA Version 9.0(2) <context>
!
hostname tenant25-gold-dmz
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
interface Port-channel11.888
 nameif internet
 security-level 0
 ip address 8.88.0.25 255.255.255.0 standby 8.88.0.125
!
interface Port-channel11.2501
 nameif dmz
 security-level 50
 ip address 8.89.25.4 255.255.255.0 standby 8.89.25.5
!
interface Port-channel11.2502
 nameif pvt
 security-level 100
 ip address 8.88.25.1 255.255.255.128 standby 8.88.25.2
!
same-security-traffic permit intra-interface
access-list 8 extended permit ip any any
access-list wsavs extended permit ip host 8.88.25.10 any
access-list proxylist extended permit tcp any any eq www
access-list proxylist extended permit tcp any any eq https
access-list proxylist extended deny ip host 8.88.25.10 any
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered debugging
mtu internet 1500
mtu dmz 1500
mtu pvt 1500
monitor-interface internet
monitor-interface dmz
monitor-interface pvt
icmp unreachable rate-limit 1 burst-size 1
icmp permit any internet
icmp permit any dmz
icmp permit any pvt
no asdm history enable
arp timeout 14400
access-group 8 in interface internet
access-group 8 in interface dmz
access-group 8 in interface pvt
route internet 0.0.0.0 0.0.0.0 8.88.0.254 1
route pvt 8.25.21.0 255.255.255.0 8.88.25.4 1
route pvt 8.25.22.0 255.255.255.0 8.88.25.4 1
route pvt 8.25.23.0 255.255.255.0 8.88.25.4 1
route pvt 8.25.201.0 255.255.255.0 8.88.25.4 1
route dmz 8.90.25.0 255.255.255.0 8.89.25.1 1
route pvt 8.250.1.0 255.255.255.0 8.88.25.4 1
route pvt 10.8.25.0 255.255.255.0 8.88.25.4 1
route pvt 192.168.84.0 255.255.255.0 8.88.25.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 60
no threat-detection statistics tcp-intercept
wccp 92 redirect-list proxylist group-list wsavs
wccp interface pvt 92 redirect in
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map no-smtp-inspect-policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy no-smtp-inspect-policy global
Cryptochecksum:9d5675e0b9cc0b4906c3482e68174fc6
: end
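The WCCP redirection in the DMZ context above, checked with a small parser and first-match ACL evaluator. This is an added example, not part of the guide and not Cisco tooling; the interface, access-list and wccp lines in it are copied from the Appendix B DMZ context, while the parser, the sample flows and the destination address 198.51.100.7 are constructed. It answers the question a reviewer asks of this configuration: given a flow entering on pvt, does the proxylist ACL hand it to the WSAV registered through the wsavs group-list?

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Excerpt of the ASA DMZ context configuration from Appendix B (the guide's own
# addresses and ACLs). The parser and sample flows are constructed for this example.
DMZ_CONFIG = """\
interface Port-channel11.888
 nameif internet
 security-level 0
 ip address 8.88.0.25 255.255.255.0 standby 8.88.0.125
!
interface Port-channel11.2501
 nameif dmz
 security-level 50
 ip address 8.89.25.4 255.255.255.0 standby 8.89.25.5
!
interface Port-channel11.2502
 nameif pvt
 security-level 100
 ip address 8.88.25.1 255.255.255.128 standby 8.88.25.2
!
access-list 8 extended permit ip any any
access-list wsavs extended permit ip host 8.88.25.10 any
access-list proxylist extended permit tcp any any eq www
access-list proxylist extended permit tcp any any eq https
access-list proxylist extended deny ip host 8.88.25.10 any
wccp 92 redirect-list proxylist group-list wsavs
wccp interface pvt 92 redirect in
"""

PORT_NAMES = {"www": 80, "https": 443}   # ASA port keywords used in this excerpt


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Map each nameif to its security level and IPv4 interface address."""
    result, current = {}, None
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("interface "):
            current = {"interface": tok[1]}
        elif current is not None and line.startswith(" "):
            if tok[0] == "nameif":
                result[tok[1]] = current
            elif tok[0] == "security-level":
                current["security_level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                current["ip"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        else:
            current = None       # "!" or any top-level command ends the stanza
    return result


def _address(tok: List[str], i: int):
    """Parse an ACE address spec at tok[i] ('any', 'host A' or 'A MASK'); return (net, next)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acls(text: str) -> Dict[str, List[dict]]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines, in order."""
    acls: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "extended":
            continue
        src, i = _address(tok, 5)
        dst, i = _address(tok, i)
        dport: Optional[int] = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        acls.setdefault(tok[1], []).append(
            {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "dport": dport})
    return acls


def parse_wccp(text: str) -> Dict[int, dict]:
    """Collect WCCP service groups and the interfaces/directions on which they redirect."""
    services: Dict[int, dict] = {}
    for line in text.splitlines():
        m = re.match(r"wccp (\d+) redirect-list (\S+) group-list (\S+)", line)
        if m:
            svc = services.setdefault(int(m.group(1)), {"interfaces": []})
            svc.update(redirect_list=m.group(2), group_list=m.group(3))
        m = re.match(r"wccp interface (\S+) (\d+) redirect (in|out)", line)
        if m:
            svc = services.setdefault(int(m.group(2)), {"interfaces": []})
            svc["interfaces"].append((m.group(1), m.group(3)))
    return services


def acl_decision(aces: List[dict], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation of an ACL, ending in the ASA's implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"] \
                and (ace["dport"] is None or ace["dport"] == dport):
            return ace["action"]
    return "deny"


def is_redirected(config: str, ingress: str, proto: str, src: str, dst: str, dport: int) -> bool:
    """True if a flow entering on `ingress` is handed to a WCCP service's cache engines."""
    acls, wccp = parse_acls(config), parse_wccp(config)
    for svc in wccp.values():
        if (ingress, "in") in svc["interfaces"] and \
                acl_decision(acls.get(svc["redirect_list"], []), proto, src, dst, dport) == "permit":
            return True
    return False
```

With this excerpt, a client on the pvt segment (8.88.25.0/25) opening TCP 80 or 443 is redirected, the same client on TCP 22 is not, and nothing entering on dmz or internet is redirected because only pvt carries a wccp redirect statement. Note that the deny for host 8.88.25.10 is the last ACE of proxylist, so under first-match evaluation it decides only flows that the two permit ACEs did not already match; whether the firewall additionally exempts traffic from the cache engine registered through the group-list is a property of the WCCP implementation that this pure ACL evaluator does not model.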