
Securing Your Web World

A Trend Micro TrendEdge Solution


Advanced Technologies and Techniques to Enhance Your Product

Integrating Trend Micro IWSVA with Cisco ASA Using WCCP
June 2010

Eumir Nogales, Senior Product Specialist, Trend Micro, Inc.
Vernon Lee, Senior Enterprise Sales Engineer, Trend Micro, Inc.
Jody Butler, Senior Corporate Sales Engineer, Trend Micro, Inc.
Peter Wei, Senior Software Architect, Trend Micro, Inc.

TREND MICRO INC.
10101 N. De Anza Blvd. Cupertino, CA, 95014 www.trendmicro.com
Toll free: +1 800.228.5651 Fax: +1 408.257.2003 Phone: +1 408.257.1500
Contents

Executive Summary
Suggested Network Architecture
Requirements
Procedure
Logging WCCP Traffic Using IWSVA and Cisco ASA Features
    To log WCCP traffic using the IWSVA
    To log WCCP traffic using the ASA
Verifying that WCCP is Working Correctly
References
About the Authors
    Eumir Nogales
    Vernon Lee
    Jody Butler
    Peter Wei
About Trend Micro Incorporated
Contacting TrendEdge Publications

Trend Micro, the Trend Micro t-ball logo, and InterScan are trademarks or registered trademarks of Trend Micro,
Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein
without notice, and the information contained in this document is provided as-is. This document is for informational
purposes only, and is not supported by Trend Micro or its partners.

TREND MICRO MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Copyright 2010 Trend Micro Incorporated. All rights reserved.

Document Part No. TE07WSVA50_100602US

Executive Summary
This document describes how to set up Trend Micro InterScan Web Security Virtual Appliance 5.0 (IWSVA)
to work with a Cisco Adaptive Security Appliance (ASA) and the Cisco-developed Web Cache Communication
Protocol (WCCP).
Note: Trend Micro provides this document "as-is" as a courtesy to interested parties. The accuracy of the
information is solely the authors' responsibility. Neither Trend Micro nor its partners support this
document.
Cisco Adaptive Security Appliances (ASA) are Layer 3 devices that can redirect traffic to one or more transparent
proxy web cache servers. Web caches reduce network latency by enabling end users to retrieve web pages that
they have accessed previously from a memory buffer or cache instead of from a web server.
Cisco created the Web Cache Communication Protocol (WCCP) to control the interaction of external web cache
devices with Adaptive Security Appliances. WCCP not only reduces the load on web cache devices, but it also
provides load balancing and support for multiple routers and protocols. WCCP is transparent to the end user.
Suggested Network Architecture
This document describes how to configure IWSVA to run in WCCP mode and communicate with a Cisco ASA in
an N-tier environment. When an IWSVA is running in WCCP mode and is integrated with a Cisco ASA, it
becomes a web cache even though it does not specifically serve cached content. Instead it serves as a cache
engine for the ASA, which scans the requested content for malicious code.
Figure 1 below shows traffic moving into and out of a network with a Cisco ASA and an IWSVA. Since an ASA
operates as a router, an external firewall can function as a gateway out of the network if you configure it to do so.
The ASA uses WCCP during the initial request when HTTP packets arrive at the device from the internal
network. Once an outbound packet reaches the internal network port on the ASA, the ASA encapsulates it and
hands it off to the IWSVA. The IWSVA, in turn, then requests the content from the external web server, scans it,
and permits or denies the request. If the IWSVA approves the request, it then delivers the web content to the
client.
Note: This document was written using IWSVA 5.0, a Cisco ASA 5510 running version 8.2(1) of Cisco IOS,
and WCCP Version 2.0. Trend Micro customers should be aware that Cisco can make changes at
any time to IOS, and to the ability of an ASA to work with WCCP, without notice.


Figure 1. Flow of Traffic between a Cisco ASA and an IWSVA in an N-Tier Environment
Requirements
• The client (browser) and IWSVA cache engine(s) must be on the same Cisco Adaptive Security Appliance
  (ASA) internal interface.
• The Cisco ASA and IWSVA must be configured to use WCCPv2.
Note: For additional hardware and software requirements, consult the relevant Cisco and Trend Micro
product documentation. Trend Micro IWSVA documentation is available at the following location:

http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=249&regs=NABU&lang_loc=1

See the References section for links to the relevant Cisco documentation.
Procedure
Follow the steps below to configure the Cisco ASA and IWSVA to work with WCCP:
1. Log into the CLI of the Cisco ASA and create two access control lists (ACLs): one for the web cache and
another for the redirect list:

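Router#configure terminal
! Redirect list: the traffic to intercept (TCP to port 80 from any source)
Router(config)#access-list wccp extended permit tcp any any eq www
! Web cache list: the IWSVA address (not referenced by the wccp command below)
Router(config)#access-list mycache-wccp extended permit tcp host <IWSVA-IP Address> any
! Enable WCCP service 80 with the redirect list; the password must match step 2b
Router(config)#wccp 80 redirect-list wccp password novirus
! Redirect traffic entering the interface named "internal" to service 80
Router(config)#wccp interface internal 80 redirect in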

2. Log into the IWSVA Web Console and do the following:
   a. Configure IWSVA to use WCCPv2 and enter the router address.
   b. Enter a password. Use novirus.
   c. Save the changes.
3. Open a terminal session to the IWSVA shell.
4. Change the directory to /var/iwss/.
5. Open the IWSSPIProtocolHttpProxy.pni file.
6. Look for the string wccp_service and then change the parameters in Table 1 below:

Table 1. IWSVA wccp_service Parameters for the Cisco ASA

Existing Parameter: wccp_assignment_method=2
New Parameter:      wccp_assignment_method=1

Existing Parameter: wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash priority=120 ports=80,21,443
New Parameter:      wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash,dst_ip_hash,source_port_hash priority=120 ports=80,21,443

7. Access the IWSVA CLI. Restart the IWSS daemon by typing the following commands:

/usr/iwss/S99ISWCCPd stop
/usr/iwss/S99ISWCCPd start
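
Steps 3 to 6 as a script, given here as an added example rather than Trend Micro code: it sets the two Table 1 values in place, keeps a backup, and refuses to edit if either key is missing or duplicated. The function name apply_table1 and the one-key-per-line layout of the .pni file are assumptions; run it before the restart in step 7.

```shell
#!/bin/sh
# Added example, not Trend Micro code. Assumes each key is on one line, column 1.
NEW_METHOD='wccp_assignment_method=1'
NEW_SERVICE='wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash,dst_ip_hash,source_port_hash priority=120 ports=80,21,443'

# apply_table1 FILE: set the two Table 1 values in FILE, keeping FILE.bak.
# Returns 0 when FILE ends up with both new values, non-zero otherwise.
apply_table1() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Already converted: leave the file and any earlier backup untouched.
    if grep -Fqx "$NEW_METHOD" "$file" && grep -Fqx "$NEW_SERVICE" "$file"; then
        return 0
    fi
    # Refuse to edit unless each key appears exactly once.
    for key in wccp_assignment_method wccp_service; do
        count=$(grep -c "^${key}=" "$file" || true)
        if [ "$count" -ne 1 ]; then
            echo "expected one ${key}= line, found ${count}" >&2
            return 1
        fi
    done
    cp -p "$file" "$file.bak" || return 1
    # Write through the original path so ownership and mode are preserved.
    sed -e "s|^wccp_assignment_method=.*|${NEW_METHOD}|" \
        -e "s|^wccp_service=.*|${NEW_SERVICE}|" "$file.bak" > "$file" || return 1
    grep -Fqx "$NEW_METHOD" "$file" && grep -Fqx "$NEW_SERVICE" "$file"
}

# Demo on a constructed two-line fragment (not a real IWSVA file).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'wccp_assignment_method=2' \
        'wccp_service=dynamic 80 protocol=tcp flags=src_ip_hash priority=120 ports=80,21,443' \
        > "$dir/sample.pni"
    apply_table1 "$dir/sample.pni" && cat "$dir/sample.pni"
    rm -rf "$dir"
}

# With a path argument edit that file; with none, run the demo.
if [ "$#" -gt 0 ]; then apply_table1 "$1"; else demo; fi
```

On the appliance the argument would be /var/iwss/IWSSPIProtocolHttpProxy.pni, the path given in steps 4 and 5.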
Logging WCCP Traffic Using IWSVA and Cisco ASA Features
To log IWSVA and Cisco ASA WCCP traffic, follow the steps below.
To log WCCP traffic using the IWSVA:
1. Open a terminal session to the IWSVA shell.
2. Navigate to the /var/iwss directory.
3. Open the IWSSPIProtocolHttpProxy.pni file.
4. Look for the string wccp_logging. Change the value from 0 to 1.

Note: IWSVA saves WCCP debug output in its HTTP logs.
To log WCCP traffic using the ASA:
1. Log into the ASA shell then go into configure mode.
2. Type the command:

Router(config)#debug wccp event

Note: Once you have configured the Cisco ASA server, you have the option to route the WCCP debug
information through a Syslog server or to display the events on the router console.
Verifying that WCCP is Working Correctly

1. Check the IWSVA HTTP logs. You should see the following string(s):

<date> <time><zone> <id> WCCP: Sending WCCPv2 HERE_I_AM for service ID <serviceid>
<date> <time><zone> <id> WCCP: Received WCCPv2 I_SEE_YOU from <router ip>
<date> <time><zone> <id> WCCP: Good Received WCCPv2 I_SEE_YOU

2. Log into the Cisco ASA shell and type show wccp to view the WCCP information on the router. Here is
an example of what you should see:

WCCP-EVNT: Built I_See_You msg body w/1 usable web caches, change # 0000000A
WCCP-EVNT: Web Cache 192.168.25.3 added
WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000B
WCCP-EVNT: Built I_See_You msg body w/2 usable web caches, change # 0000000C

The IP address should be the IP address of the IWSVA. Refer to the link below for more information on
debugging Cisco ASA WCCPv2:

http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00801854c4.shtml
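
The check in step 1 can be scripted. The following is an added example, not Trend Micro code: it counts the three message types listed in step 1 and fails if no I_SEE_YOU was accepted or if one arrived from an address other than the configured router. The function name, the timestamps, the <id> value and the router address 192.168.25.1 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Trend Micro code: check the WCCP handshake in an IWSVA HTTP log.

# check_wccp_handshake LOGFILE ROUTER_IP
# Prints "sent=N seen=N good=N unexpected=N" and returns 0 only when a
# HERE_I_AM was sent, an I_SEE_YOU came from ROUTER_IP, one was accepted
# ("Good Received"), and no I_SEE_YOU came from any other address.
check_wccp_handshake() {
    awk -v router="$2" '
        /WCCP: Sending WCCPv2 HERE_I_AM/ { sent++ }
        /WCCP: Received WCCPv2 I_SEE_YOU from/ {
            # The sender address is the last field of the line.
            if ($NF == router) seen++
            else other[$NF]++
        }
        /WCCP: Good Received WCCPv2 I_SEE_YOU/ { good++ }
        END {
            n = 0
            for (ip in other) {
                printf "unexpected I_SEE_YOU source: %s\n", ip > "/dev/stderr"
                n++
            }
            printf "sent=%d seen=%d good=%d unexpected=%d\n", sent, seen, good, n
            exit !(sent > 0 && seen > 0 && good > 0 && n == 0)
        }' "$1"
}

# Demo on constructed log lines in the format shown in step 1; the last
# line simulates a reply from an address that is not the configured router.
demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
2010-06-02 10:15:01-0700 4021 WCCP: Sending WCCPv2 HERE_I_AM for service ID 80
2010-06-02 10:15:01-0700 4021 WCCP: Received WCCPv2 I_SEE_YOU from 192.168.25.1
2010-06-02 10:15:01-0700 4021 WCCP: Good Received WCCPv2 I_SEE_YOU
2010-06-02 10:15:11-0700 4021 WCCP: Received WCCPv2 I_SEE_YOU from 192.168.25.77
EOF
    check_wccp_handshake "$log" 192.168.25.1 || echo "handshake check FAILED"
    rm -f "$log"
}

# With LOGFILE and ROUTER_IP arguments check that log; otherwise run the demo.
if [ "$#" -eq 2 ]; then check_wccp_handshake "$1" "$2"; else demo; fi
```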
References
How to configure web cache services using WCCP on Cisco ASA 5500 Series Adaptive Security Appliances
https://supportforums.cisco.com/docs/DOC-3006

Cisco Security Appliance Command Line Configuration Enabling WCCP Redirection
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1094628

Configuring WCCP Version 2 on a Cisco Content Engine and Router
http://www.cisco.com/en/US/products/hw/contnetw/ps546/products_configuration_example09186a00800a6a72.shtml

About the Authors
Eumir Nogales
Eumir Nogales has been with Trend Micro for 7 years and is currently a Senior Product Specialist with the
Philippine Core Team. Before joining this group, Eumir was a member of a 24/7 team where he supported the
Cisco ASA CSC product, which contains Trend Micro technology.
Mr. Nogales has 15 years of IT experience, which includes positions in network/system administration, software
development, project management, consulting, and system support.
Vernon Lee
Vernon Lee currently serves as a Senior Enterprise Sales Engineer for Trend Micro. Prior to working for Trend
Micro, he was employed as a Security Solutions Engineer at another well-known provider of best-of-breed
security solutions. Vernon has a total of 11 years of experience in the network security arena.
Jody Butler
Jody Butler is currently serving as a Senior Corporate Sales Engineer for Trend Micro. Prior to joining Trend
Micro, he was a Senior Security Engineer for the State of Texas, served as a network administrator for a
healthcare organization, and worked in field sales engineering for a local reseller. He brings a total of 12 years of
network security, systems administration, and virtualization experience to Trend Micro. He also holds a
Bachelor's degree in Computer Information Systems Management and Networking.
Peter Wei
Peter Wei works as a Senior Software Architect for the Trend Micro Web gateway product line where he is
responsible for product architecture, road maps, customer support activities and other technical roles. Peter has
more than 15 years of experience in networking and network security, and has served in system architect and
management roles at several Silicon Valley companies.
About Trend Micro Incorporated
Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of
digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing
integrated threat management technology to protect operational continuity, personal information, and property
from malware, spam, data leaks and the newest Web threats. Trend Micro's flexible solutions, available in
multiple form factors, are supported 24/7 by threat intelligence experts around the globe. A transnational
company, with headquarters in Tokyo, Trend Micro's trusted security solutions are sold through its business
partners worldwide.
For more information, please visit www.trendmicro.com.
Contacting TrendEdge Publications
The Trend Micro TrendEdge team is always seeking to provide better solutions. Have a question or comment
about this document? We would like to hear from you. Contact us at:
sav@trendmicro.com
