Lab.4 - Application firewall (WSA)

The last piece of Cisco equipment that we are going to use is the Web Security Appliance (WSA), which filters HTTP traffic (both inbound and outbound).

The VM runs in VirtualBox with one management interface (assigned to network adapter 1, a host-only adapter) with IP address 192.168.56.102 and default gateway 192.168.56.1 (the Windows host machine, in the vbox vmnet) - see here for details.

Just in case you need to modify the mgmt interface configuration:

ironport.example.com> interfaceconfig


Currently configured interfaces:
1. Management (172.19.7.165/24 on Management: ironport.example.com)

Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- DELETE - Remove an interface.
- DETAILS - Show details of an interface.

[]> EDIT
Enter the number of the interface you wish to edit.
[]> 1
Would you like to configure an IPv4 address for this interface (y/n)? [Y]>
[...]

Select IPv4 only there, add an IP address from the vbox vmnet subnet and leave the FTP, HTTP and HTTPS ports open.

Do not forget to add a default gateway:

ironport.example.com> setgateway

Warning: setting an incorrect default gateway may cause the current connection
to be interrupted when the changes are committed.
Set the default gateway for:
1. IPv4
2. IPv6
[1]> 1
Enter new default gateway:
[]> 192.168.56.1

An NTP server also needs to be configured - use pool.ntp.org:

ironport.example.com> ntpconfig
[...]

Then, commit and verify the time:

ironport.example.com> commit
[...]
ironport.example.com> date

Wed Nov 10 13:43:24 2019 GMT

Credentials for WSA (default ones are used):

  • user: admin
  • passwd: ironport

The following ports are open:

  • 8080: used for accessing the WebUI using HTTP
  • 8443: used for accessing the WebUI using HTTPS
  • 21: FTP access
  • 22: SSH access (you can start PuTTY, enter the IP address 192.168.56.102 as the host name and log in with the credentials from above)

Golden rule on WSA: in order to apply any changes, you must commit them.

There are two different approaches to filtering: whitelisting and blacklisting. The first one requires creating a list of hosts that users are permitted to access while denying everything else; the second one only defines what is not permitted. By default, WSA is configured to run in the second mode (it allows all traffic). Change this behavior by going to WebUI > Web Security Manager > Access Policies and changing the URL Filtering tab from Monitor to Block.
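The difference between the two approaches described above can be seen by evaluating the same requests under both. This is an added sketch, not part of the original lab and not how WSA is implemented; `host_matches`, `decide`, `evaluate` and the sample URLs are hypothetical names and constructed data.

```python
from urllib.parse import urlsplit

def host_matches(host, entry):
    """True if host is entry itself or a subdomain of it (match on a label boundary)."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)

def decide(url, listed_hosts, mode):
    """Return 'allow' or 'block' for a requested URL.

    mode='whitelist': only listed hosts are permitted, everything else is denied.
    mode='blacklist': only listed hosts are denied, everything else is permitted.
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    host = urlsplit(url).hostname      # drops scheme, userinfo, port and path
    if not host:
        return "block"                 # assumption of this sketch: unparseable requests fail closed
    listed = any(host_matches(host, entry) for entry in listed_hosts)
    if mode == "whitelist":
        return "allow" if listed else "block"
    return "block" if listed else "allow"

# Constructed sample requests (reserved example/test domains).
SAMPLE_URLS = [
    "http://www.example.com/index.html",   # subdomain of a listed host
    "http://EXAMPLE.com.:8080/",           # case, trailing dot and port are normalised
    "http://notexample.com/",              # shares a suffix but is a different host
    "http://example.com.other.test/",      # listed name used as a prefix only
    "http://example.com@other.test/",      # listed name in userinfo, real host differs
    "http://unlisted.test/",
]

def evaluate(listed_hosts, mode):
    """Apply decide() to every sample URL and return (url, verdict) pairs."""
    return [(url, decide(url, listed_hosts, mode)) for url in SAMPLE_URLS]

if __name__ == "__main__":
    for mode in ("whitelist", "blacklist"):
        print(mode)
        for url, verdict in evaluate(["example.com"], mode):
            print(f"  {verdict:5}  {url}")
```

With the same one-entry list, the whitelist run permits only the two requests whose host really is example.com, while the blacklist run permits every host that was not anticipated.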

For authenticating users, we can use:

  1. static entries (based on IPs)
  2. LDAP authentication (on Linux machine or service on Active Directory)

sred/laborator_4._application_firewall_wsa.txt · Last modified: 2019/11/13 15:20 by horia.stoenescu
CC Attribution-Share Alike 3.0 Unported