Scenario 1: Configuration Overview - Overview of the ASA configuration used in this demonstration
Scenario 2: Event Monitoring - Operational monitoring of the managed devices in this demonstration
Scenario 3: Application Awareness - Enhanced visibility and control of network traffic on standard and non-standard ports
Scenario 4: Managing Encrypted Traffic - Decryption of traffic for inspection and access control
Scenario 5: Authentication - Active and passive authentication of users with CDA integration
Demonstration Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Demonstration Requirements
Required: Laptop; Cisco AnyConnect
Optional: Mobile Devices with AnyConnect VPN
o Apple iPad
o Apple iPhone
o Android devices
2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 31
Demonstration Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios and features. All information
needed to complete the access components is located in the demo script.
Demonstration Topology
Figure 1. Demo Topology
Demonstration Preparation
BEFORE DEMONSTRATING
We strongly recommend that you go through this process at least once, before presenting in front of a live audience. This will allow
you to become familiar with the structure of the document and the demonstration.
PREPARATION IS KEY TO A SUCCESSFUL CUSTOMER PRESENTATION.
Follow the steps below to schedule your demonstration and configure your demonstration environment.
1. Browse to dcloud.cisco.com, select the location closest to you, and then login with your Cisco.com credentials.
2.
3. Test your bandwidth from the demonstration location before performing any demonstration scenario. [Show Me How]
4. Verify your demonstration has a status of Active under My Demonstrations on the My Dashboard page in the dCloud UI.
5. After connecting to the demonstration via AnyConnect, use your local RDP client to connect to CSM located at
198.19.10.39. Login with username dcloud\administrator and password C1sco12345.
1. From the CSM workstation, launch Internet Explorer and open Cisco Prime Security Manager (PRSM) using the Favorites bar.
2. Login as admin/C1sco12345.
3.
4.
Figure 2.
5.
Device Policies/Settings
Select the New Tab icon and then select Traffic Redirection.
Figure 3. Traffic Redirection
Figure 4.
6. Select the New Tab icon and then select Access policies.
Figure 5.
7.
Figure 6.
8.
Inbound Policies
Expand the outside_access_in sub tab to see the access control lists that are configured on the ASA.
9.
Access Policies
The access list can be edited here and applied to the ASA as needed.
These are the policies that are implemented for this demonstration.
Note that a policy has been defined to deny Facebook Applications: Games.
11. Click the Facebook Applications: Games policy and then click the Edit button.
Figure 7.
Figure 8. Facebook Policy
Note that the Application/Service selected is Facebook Applications: Games and the Policy Action is Deny.
12. Click within the Application/Service field to scroll through the options for applications and services that can be configured for a policy.
Figure 9. Application/Service Options
NOTE: If you want to show more detailed information about applications and application types, go to Components > Applications
and demonstrate the Application Viewer.
13. Click Cancel to close the Edit policy window and return to the list of policies.
From the list of policies, note that a policy is defined to Warn for the destination named Questionable Sites. This policy will
warn users, but will not block them.
14. Click Questionable Sites to see configuration details for the destination.
Figure 10. Questionable Sites
A View URL object window will open. Note that the destination is a URL object that includes a list of Web categories.
When users access Web pages matching these categories, they will be warned, but not blocked.
15. Click Close to close the View URL object window and return to the list of policies.
16. Click the Unacceptable Sites policy.
Figure 11. Unacceptable Sites
A View URL object window will open. Note that the destination is a URL object that includes a list of Web categories.
When users access Web pages matching these categories, they will be blocked.
17. Click Close to close the View URL object window and return to the list of policies.
18. Click the last access policy row in the list and click the Edit button.
Figure 12. Behavioral Policy
The Edit Policy window will open showing details about the policy configuration.
Figure 13. Application Behaviors
In the Edit Policy window, a list of application behaviors will display. Based on the application you can allow or deny
certain behaviors.
HIGHLIGHT: Cisco Prime Security Manager enables policies to be based on a rich set of contextual elements. For example,
instead of a policy that allows or denies the entire Facebook application, application behaviors within Facebook that are used for
business purposes can be enabled, while nonbusiness application behaviors such as Facebook Games can be disabled.
19. Click Close to return to the list of policies.
20. Select the New Tab icon and then select Malware Protection.
Figure 14. Malware Protection
The Local Malware Protection Configuration tab shows the current setting.
Figure 15. Malware Protection
In this case, protection is On and is set to the default web reputation profile, which is the recommended filtering level.
Intrusion Prevention
22. Click inside the box next to NG IPS profile and select the Default NG IPS profile.
23. Click Save.
Figure 17. IPS Configuration
24. Near the top of the window, you will see a CHANGES PENDING notification.
25. Click the link to view the Commit and Deploy Changes screen. Click Commit to commit the changes.
Figure 18. Commit Changes
The ASA is now configured for Intrusion Prevention using the selected policy.
HIGHLIGHT: The Cisco Threat Operations Center uses dynamic updates and actionable intelligence obtained from ASAs, IPSs,
Email Security Appliances, Web Security Appliances, and system administrators to calculate a web reputation score for web sites.
Web reputation is a statistical assessment based on context and past behavior and combines many factors of varying significance
into one correlated metric. Similar to a person's credit score, web reputation is a continuous value along a graduated scale from -10 to 10.
By defining a low reputation zone, you can implement predictive, zero-day protection against low reputation sites, the
ones that are most likely to serve malware to your users.
To open the PRSM Event Monitor, go to Events > Context Aware Security.
Figure 19.
The list of events represents traffic flowing through a CX device. In this case the ASA5515X.
By default the list is set to pull historical events from the last 30 minutes when you click the Filter button and displays the
newest events at the top of the list.
In this demonstration, filters have been created to reduce the number of events. These filters can be removed to view all
events from all traffic sources.
2. In a new Internet Explorer tab, click the Favorites shortcut for ihaveabadreputation.com.
Figure 20.
3. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
Figure 21.
4.
ihaveabadreputation.com
Events List
The display is customizable and can include more or less information about the event as preferred.
Figure 22. View Details
In the event details popup, you will see that the threat type is listed as Suspected Malware. Since Malware Protection is
on, this is the expected behavior.
Figure 23. Suspected Malware
5.
6.
Figure 24.
7. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
Figure 25.
8.
poker.com
Event
Figure 26.
9.
Figure 27. Policy Details
In the Access portion of the Policy section, note that the policy for Unacceptable Sites resulted in the Deny action for this
event.
Figure 28. ebay.com
14. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
NOTE: Due to the nature of the eBay website, multiple events will appear in the list. You may need to scroll to find the event for
www.ebay.com.
15. Close the Internet Explorer tab open to eBay to prevent further events from populating the list.
In a new Internet Explorer tab, click the Favorites shortcut for http_outside.com-9980.
This site is used to illustrate that the ASA CX correctly identifies the traffic as HTTP traffic even though it is not on the
standard HTTP port, 80.
2. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
In the event list, note that the event for the site is correctly identified as HyperText Transfer Protocol.
Figure 30. HTTP Event
3.
4.
Figure 31. Event Details
5.
6.
7. From the list of Saved Sessions, select Outside.com:9922 and click Open.
Figure 32.
8. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
In the event list, you will have a new event identified as Secure Shell to Destination Port 9922.
Figure 33.
9.
SSH to Outside.com
The ASA CX identified the traffic as Secure Shell even though it appeared on port 9922.
Close all Internet Explorer tabs except the tab open to the PRSM Event Monitor.
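The two flows above (HTTP on port 9980, SSH on port 9922) are named by what the client sends, not by the port. The following is an added example, not code from the demo or from Cisco: a minimal port-independent classifier that fingerprints the first client bytes and flags non-standard port usage the way the event list does. It goes slightly beyond the page by also recognising a TLS ClientHello; the sample payloads are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample flows (destination port, first client bytes). These are
# stand-ins for the demo's http_outside.com:9980 and Outside.com:9922 flows,
# not captures from the dCloud environment.
SAMPLE_FLOWS = [
    (9980, b"GET / HTTP/1.1\r\nHost: http_outside.com:9980\r\n\r\n"),
    (9922, b"SSH-2.0-PuTTY_Release_0.63\r\n"),
    (8443, bytes.fromhex("16030100400100003c0303")),   # start of a TLS ClientHello record
    (80,   b"\x00\x01\x02\x03 not a protocol this classifier knows"),
]

# An HTTP request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r?\n")
# SSH identification string (RFC 4253): "SSH-protoversion-softwareversion" CRLF
SSH_BANNER = re.compile(rb"^SSH-(?:1\.99|2\.0)-[^\r\n]+\r?\n")

def identify_protocol(payload: bytes) -> str:
    """Name the application from the first client bytes; the port is never consulted."""
    if HTTP_REQUEST_LINE.match(payload):
        return "HyperText Transfer Protocol"
    if SSH_BANNER.match(payload):
        return "Secure Shell"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "Transport Layer Security"
    return "Unknown"

# Usual port assignments, used only to flag non-standard usage in the event.
WELL_KNOWN_PORTS = {
    "HyperText Transfer Protocol": {80, 8080},
    "Secure Shell": {22},
    "Transport Layer Security": {443},
}

@dataclass(frozen=True)
class FlowEvent:
    application: str
    destination_port: int
    non_standard_port: bool

def classify_flow(dst_port: int, payload: bytes) -> FlowEvent:
    app = identify_protocol(payload)
    usual = WELL_KNOWN_PORTS.get(app, set())
    return FlowEvent(app, dst_port, app != "Unknown" and dst_port not in usual)

def classify_all(flows=SAMPLE_FLOWS):
    return [classify_flow(port, payload) for port, payload in flows]

if __name__ == "__main__":
    for ev in classify_all():
        note = "  (non-standard port)" if ev.non_standard_port else ""
        print(f"{ev.application:28s} -> destination port {ev.destination_port}{note}")
```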
If the traffic is allowed, any profiles defined in the access policy for the flow are applied, and the flow is re-encrypted and
sent to its destination.
Return trip traffic is also decrypted, inspected, then re-encrypted and sent to the client.
Decryption Configuration
1.
2. Select the New Tab icon and then select Decryption Settings.
Figure 34.
The Local Decryption Settings window displays showing that decryption is enabled using a VeriFraud certificate.
Figure 35. Decryption Settings
3. Select the New Tab icon and then select Decryption Policies.
HIGHLIGHT: The default behavior of the ASA CX is to not decrypt encrypted traffic. Therefore, policies are created to apply the
Decrypt Everything or Decrypt Potentially Malicious Traffic actions. Policies that use Do Not Decrypt are necessary only if they
specify a subset of traffic that would otherwise match a policy that applies some level of decryption.
4.
Figure 36. Decryption Policies
The first policy exempts update traffic coming from the ASA or PRSM.
The second policy exempts traffic to finance web sites from decryption.
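The HIGHLIGHT above and the two exemption policies depend on first-match ordering: a Do Not Decrypt policy only protects a flow if it sits above the policy that would otherwise decrypt it. The following is an added example, not Cisco's code or the CX implementation: a model of the demo's policy list with a check that reports exemptions shadowed by an earlier decrypting policy. Hostnames, URL categories and the ASA management address are constructed placeholders; 198.19.10.36 and 198.19.10.39 are the wkst1 and CSM/PRSM addresses this guide uses.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Flow:
    src_ip: str        # client address
    server: str        # server name from the TLS handshake / certificate
    url_category: str  # category assigned to the destination by URL filtering

@dataclass(frozen=True)
class DecryptionPolicy:
    name: str
    action: str        # "Do Not Decrypt", "Decrypt Everything" or "Decrypt Potentially Malicious Traffic"
    matches: Callable[[Flow], bool]

# Constructed: sources of ASA/PRSM update traffic. 198.19.10.39 is the CSM/PRSM host
# from this guide; the ASA management address is a placeholder.
MANAGEMENT_SOURCES = {"198.19.10.39", "ASA_MGMT_IP_PLACEHOLDER"}

# Ordered as on the Decryption Policies tab, top to bottom. First match wins, so the
# two exemptions must sit above the catch-all decrypt policy.
POLICIES: List[DecryptionPolicy] = [
    DecryptionPolicy("Exempt ASA/PRSM updates", "Do Not Decrypt",
                     lambda f: f.src_ip in MANAGEMENT_SOURCES),
    DecryptionPolicy("Do NOT Decrypt Finance", "Do Not Decrypt",
                     lambda f: f.url_category == "Finance"),
    DecryptionPolicy("Default decryption policy", "Decrypt Everything", lambda f: True),
]

IMPLICIT_ACTION = "Do Not Decrypt"   # ASA CX behaviour when no decryption policy matches

def evaluate(flow: Flow, policies=POLICIES) -> Tuple[str, str]:
    """Return (policy name, action) of the first matching policy, or the implicit default."""
    for policy in policies:
        if policy.matches(flow):
            return policy.name, policy.action
    return "(no policy matched)", IMPLICIT_ACTION

def shadowed_exemptions(flow: Flow, policies=POLICIES) -> List[str]:
    """Names of Do Not Decrypt policies that match this flow but are out-ranked by an
    earlier decrypting policy. A non-empty result means a flow meant to stay opaque
    (e.g. finance) would be decrypted purely because of policy ordering."""
    hits = [p for p in policies if p.matches(flow)]
    if not hits or hits[0].action == "Do Not Decrypt":
        return []
    return [p.name for p in hits[1:] if p.action == "Do Not Decrypt"]

if __name__ == "__main__":
    # Constructed flows from wkst1; "bank.example" stands in for the US Bank site.
    for flow in (Flow("198.19.10.36", "www.google.com", "Search Engines"),
                 Flow("198.19.10.36", "bank.example", "Finance"),
                 Flow("198.19.10.39", "updates.example", "Software Updates")):
        name, action = evaluate(flow)
        print(f"{flow.server:20s} {name:28s} -> {action}")
```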
Figure 37.
6. In a new Internet Explorer tab, click the Favorites shortcut for Google.
7.
Figure 38.
8.
Note that the VeriFraud certificate used has been supplied by the ASA CX.
Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
Figure 39.
9.
Flow Decrypted
Note that the default decryption policy was applied to the traffic to www.google.com and the traffic was decrypted.
Switch to the Internet Explorer tab open to Google. Click the Favorites shortcut for US Bank.
Note that Entrust has issued the certificate for this site.
11. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
Figure 41.
Note that the Do NOT Decrypt Finance policy was applied to the traffic and the traffic was NOT decrypted.
Figure 42. NG IPS Tab
13. In a new Internet Explorer tab, click the Favorites shortcut for Outside.com-cmd.exe.
Figure 43. Favorites Bar
14. Go back to the Internet Explorer tab open to the PRSM Event Monitor. Click the Filter button to retrieve the latest events.
You will see a new event in the NG IPS tab that indicates that traffic was denied.
Event Details
Threat Details
The ASA CX was able to detect the threat after the traffic was decrypted.
17. Close all Internet Explorer tabs except the tab open to the PRSM Event Monitor.
Scenario 5: Authentication
Authentication is the act of confirming the identity of a user. You can obtain user identities passively or actively. With passive
authentication, user identity is obtained by checking a mapping of IP addresses to user identity collected by the Context Directory
Agent (CDA) or AD agent application. Authentication is passive because the user is not prompted to provide credentials.
With active authentication, when an HTTP or decrypted HTTPS traffic flow comes from an IP address for which ASA CX has no
user-identity mapping, you can decide whether to authenticate the user who initiated the traffic flow against the directories
configured for the network. If the user successfully authenticates, the IP address is considered to have the identity of the
authenticated user.
Authentication Configuration
1.
From the CSM workstation Internet Explorer tab open to PRSM, go to Configurations > Policies/Settings.
NOTE: If you have multiple tabs open, you may wish to close those now.
2.
Figure 46.
3. Select the New Tab icon and then select Identity Policies.
Figure 47.
4.
AD Agent
Identity Policies
Expand the policy list. Select the policy and click the Edit button.
Figure 48.
Figure 49. Edit Policy
In the Edit policy popup window, the details of the configuration show that the Realm is dCloud and the Action is set to
get identity using AD agent.
If the AD agent cannot identify the user, active authentication using NTLM will be used.
5.
6. In a new Internet Explorer tab, click the Favorites shortcut for CDA.
7. Login as admin/C1sco12345.
8.
Figure 50.
9.
The configured Active Directory Servers and their status will display.
Users log into the domain with an Active Directory username and password.
Active Directory and CDA communicate user information including username and IP address.
Figure 51.
Figure 52.
IP to Identity
IP Address Mappings
From the list you can see which IP address is currently mapped to which AD user.
Figure 53. Authentication Events
After connecting to the demonstration via AnyConnect, use your local RDP client to connect to wkst1 located at
198.19.10.36. Login with username wkst1\administrator and password C1sco12345.
NOTE: The login credentials are for the local machine account (wkst1) rather than the domain (dcloud).
13. Launch Internet Explorer.
NOTE: This authentication is now cached in CDA and will not prompt for authentication again. If you wish to clear authentication to
show the process again, close all open Internet Explorer windows and run the applet on the desktop, NGFW Clear Auth.
15. Return to the PRSM Event Monitor on the CSM workstation. Click the Filter button to retrieve the latest events.
Figure 54. Authentication Event
View Details
The Event Details popup window includes additional information about the authentication event.
Note that this active authentication via NTLM is the backup method if the AD agent cannot identify the user.
Figure 56. Testing Websites
You will see events related to traffic inspection, denial and decryption for each of the sites accessed by wkst1.
After connecting to the demonstration via AnyConnect, use your local RDP client to connect to vpn-wkst located at
198.18.133.36. Login with username vpn-wkst\administrator and password C1sco12345.
Figure 57.
23. From vpn-wkst, right-click the taskbar icon for the Cisco AnyConnect Secure Mobility Client, and select VPN Connect.
Figure 58. AnyConnect Client
Certificate Warning
26. Locate your AnyConnect credentials from your Active session found in the session details tab of the running dCloud demo:
Username: Your CCO user ID. This is the ID you used to login to Cisco dCloud.
Password: The AnyConnect password shown in the Session Details of your active demo.
Figure 61.
27. Enter the username and password from the Session Details and click OK.
Figure 62. AnyConnect Credentials
A message will display indicating that VPN connection is up and the AnyConnect icon in the taskbar will show a lock.
28. Return to the Internet Explorer tab open to CDA on the CSM workstation.
29. Go to Mappings > IP to Identity.
Figure 63. IP to Identity
The first entry in the list should show a VPN mapping for the remote user.
Figure 64. CDA Mappings
When the VPN was formed, the ASA communicated that information to CDA.
Now that the user has been authenticated, all traffic will be subject to the policies and actions configured on the ASA CX.
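Scenario 5 exercises three identity paths: the passive CDA mapping (including the VPN mapping the ASA reports), the active NTLM fallback when the AD agent has no mapping (wkst1, logged on with a local account), and the cached result that suppresses a second prompt until NGFW Clear Auth. The following is an added example, not Cisco's code or the CX implementation, modelling that precedence. 198.19.10.36 is the wkst1 address from this guide; the user names, the VPN pool address and the NTLM callback are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class IdentityResolver:
    """Identity lookup in the order the demo's identity policy uses:
    passive CDA mapping first, active NTLM authentication as the fallback."""
    cda_mappings: Dict[str, str]                       # IP -> "REALM\\user", as the CDA IP to Identity page lists them
    ntlm_authenticate: Callable[[str], Optional[str]]  # challenges the browser; returns the user or None
    auth_cache: Dict[str, str] = field(default_factory=dict)
    events: List[Tuple[str, Optional[str], str]] = field(default_factory=list)

    def resolve(self, src_ip: str) -> Optional[str]:
        # 1. Passive: a mapping CDA learned from AD logon events or an ASA VPN session.
        user = self.cda_mappings.get(src_ip)
        if user:
            self.events.append((src_ip, user, "passive (CDA mapping)"))
            return user
        # 2. A previous active authentication is still cached, so no new prompt.
        user = self.auth_cache.get(src_ip)
        if user:
            self.events.append((src_ip, user, "active (cached)"))
            return user
        # 3. Active: NTLM challenge to the client that sent the HTTP(S) request.
        user = self.ntlm_authenticate(src_ip)
        if user is None:
            self.events.append((src_ip, None, "active (NTLM failed)"))
            return None
        self.auth_cache[src_ip] = user
        self.events.append((src_ip, user, "active (NTLM)"))
        return user

    def clear_auth(self, src_ip: str) -> None:
        """Equivalent of the desktop applet NGFW Clear Auth: forces a new prompt."""
        self.auth_cache.pop(src_ip, None)

    def vpn_session_up(self, assigned_ip: str, user: str) -> None:
        """The ASA reports an AnyConnect session to CDA; the user is then mapped passively."""
        self.cda_mappings[assigned_ip] = user

def build_demo() -> Tuple[IdentityResolver, List[str]]:
    """Constructed scenario: 198.19.10.36 is wkst1 (logged on with a local account, so
    CDA has no mapping for it); user names are placeholders, not demo accounts."""
    prompted: List[str] = []
    def ntlm(ip: str) -> Optional[str]:
        prompted.append(ip)
        return "dCloud\\wkst1.user" if ip == "198.19.10.36" else None
    return IdentityResolver({}, ntlm), prompted

if __name__ == "__main__":
    resolver, prompted = build_demo()
    resolver.resolve("198.19.10.36")                 # first request: NTLM prompt
    resolver.resolve("198.19.10.36")                 # second request: served from cache
    resolver.vpn_session_up("VPN_POOL_IP_PLACEHOLDER", "dCloud\\vpn.user")
    resolver.resolve("VPN_POOL_IP_PLACEHOLDER")      # passive, no prompt
    for ip, user, how in resolver.events:
        print(f"{ip:26s} {user!s:22s} {how}")
    print("NTLM prompts issued:", len(prompted))
```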
31. Return to the PRSM Event Monitor on the CSM workstation and go to Events > All Events.
32. On vpn-wkst, use the Internet Explorer Favorites links to open tabs to poker.com, ebay.com and Google.com.
Access will be inspected, denied or decrypted according to the policy settings. Note that no second authentication prompt
is required within Internet Explorer since single sign-on (SSO) is used even though this device is NOT joined to the
domain.
Figure 65. Testing Websites
33. Return to the PRSM Event Monitor on the CSM workstation. Click the Filter button to retrieve the latest events.
You will see events related to traffic inspection, denial and decryption for each of the sites accessed by vpn-wkst.
34. Close the Internet Explorer tab open to CDA on the CSM workstation.
35. Close the connection to wkst1.
36. Close the connection to the vpn-wkst.
2.
3.
Figure 66. Time Range
4.
5.
Under Top CX destinations, click on one of the Web categories to drill down.
Figure 67.
6.
Top CX Destinations
Identify the top user (Top Sources) for the selected category.
Figure 68. Top Sources
To view the dashboard, select Dashboard > Malware Traffic. You can also view the dashboard by clicking View All in the
Malicious Transactions dashboard on the Network Overview.
8.
Figure 69.
9.
View More
For one of the threat types, click on the number of transactions to view the actual events.
Figure 70. Transactions
Applications Dashboard
10. Go to Dashboard > Applications.
11. For Time Range, select Last 24 Hours.
12. Click on the application name for one of the applications listed.
Figure 71. Application
13. Show the detailed information provided, including top sources and destinations for that application.
Note the number of detected threats. In the lab environment, 100% of the detected threats will be blocked.
PDF Reports
15. In the upper right-hand corner of the dashboard, click on the Generate report link.
Figure 72. Generate Report
Figure 73. Report Parameters