
Guide
Cisco public

Integration of Cisco Web Security Appliance Web Traffic Tap with LogRhythm NetMon

Overview

With the growth of sophisticated threats, information sharing has become an important part of combating them. Many organizations collect web traffic from various network hops and consolidate it at a single point in a log management system to provide consolidated endpoint, network, and security analytics. This provides a faster detection rate, which in turn helps prevent cyber threats. A consolidated log system also gives organizations consolidated log retention and alignment with compliance requirements.

About this document

This document describes how to configure the Web Traffic Tap feature on Cisco Web Security Appliance (WSA) using AsyncOS 11.5.1 to mirror web traffic to LogRhythm, as well as how to enable LogRhythm to collect traffic from WSA.

This document covers:
- Introduction to NetMon
- Introduction to Web Traffic Tap
- Cisco product/software and third-party product requirements
- Web Traffic Tap configuration on WSA
- Traffic collection configuration on LogRhythm
- Conclusion
- Next steps

© 2018 Cisco and/or its affiliates. All rights reserved.

Introduction to NetMon

Network Monitor (NetMon), as its name suggests, provides visibility into data traversing your network by performing monitoring activities. The core capabilities of NetMon are:
- Setting a baseline of normal network behavior to help identify abnormal activities
- Performing deep packet capture for advanced forensics
- Detecting unauthorized or suspicious application activities
- Monitoring bandwidth consumption of applications

In this document, we are integrating LogRhythm NetMon with WSA Web Traffic Tap to run advanced forensics and compliance.

Introduction to Web Traffic Tap

From AsyncOS 11.5.1, an admin can enable one of the appliance's network interfaces as a traffic tap interface. This interface is used to selectively mirror both HTTP and decrypted HTTPS traffic to an external traffic collector. In this document, we will configure the WSA to send web traffic, both HTTP and decrypted HTTPS, to LogRhythm.

This feature provides flexible traffic selection based on policy (URL categories) and identity.

Figure 1. Web Traffic Tap traffic flow
[Figure: users (Marketing, Engg, Exec) send HTTP and HTTPS traffic through the WSA; unencrypted HTTP traffic and decrypted HTTPS traffic are mirrored to a security packet analyzer / log management system for inspection and forensics.]

Cisco product/software and third-party product requirements

- WSA, software version 11.5.1 or later (all hardware and virtual platforms are supported)
- LogRhythm, software version 3.8.1

Web Traffic Tap configuration on WSA

Step 1. Log in to the WSA user interface using admin credentials: https://<wsa hostname>:8443

Step 2. Navigate to Network > Web Traffic Tap.

Step 3. Click Edit Settings. The Web Traffic Tap feature is disabled by default.

Step 4. Tick Enable under Web Traffic Tap Settings and choose an unused interface as the Tap Interface. Click Submit to enable it.

Note: The Tap Interface needs to be connected directly to LogRhythm, or connected in a dedicated VLAN via a Layer 2 switch.

Step 5. To configure Web Traffic Tap policies, navigate to Web Security Manager > Web Traffic Tap Policies.

Note: A default Global Policy has been preconfigured with No Tap policy configured.

Step 6. To mirror all URL categories to LogRhythm except the Finance category, click Select all in the Tap column and select Finance in the No Tap column. Click Submit to enable it.


Here is a summary of the Web Traffic Tap policies.

Note: If a specific policy is required, it can be added through the Add Policy button.

For HTTPS traffic, ensure that matching decryption policies have been created, as mirrored HTTPS traffic will be decrypted traffic.

A comprehensive filtering policy can be created with a specific identity and/or advanced policy member definitions such as protocols (HTTP/HTTPS), subnets, URL categories, or user agents.


Step 7. Select Commit Changes once the configuration has been completed.

Step 8. A summary of the tapped traffic can be viewed in Reporting > Overview.
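To make the selection logic of Steps 5 and 6 and the HTTPS decryption note concrete, here is an added example (not code from the Cisco or LogRhythm guide): a simplified Python model of Web Traffic Tap policy selection that predicts which sessions should reach LogRhythm and, going one step further, flags mismatches against the sessions NetMon actually shows. First-match policy ordering with Global last, the decryption-policy coverage, and all session data are assumptions constructed for illustration.

```python
# Added example, not from the Cisco/LogRhythm guide: a simplified model of
# WSA Web Traffic Tap policy selection (assumed first-match semantics, Global
# policy last) used to predict which sessions should reach LogRhythm and to
# flag mismatches against what NetMon shows. All data below is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TapPolicy:
    name: str
    tap: set                      # URL categories copied to the tap interface
    no_tap: set                   # URL categories never mirrored
    groups: Optional[set] = None  # identity membership; None matches any user
    protocols: set = field(default_factory=lambda: {"HTTP", "HTTPS"})

    def matches(self, s):
        return (self.groups is None or s["group"] in self.groups) and s["proto"] in self.protocols


def is_mirrored(s, policies, decrypted_categories):
    """True if the WSA would mirror session s. HTTPS is only mirrored as decrypted
    traffic, so a matching decryption policy (modelled as a category set) is required."""
    if s["proto"] == "HTTPS" and s["category"] not in decrypted_categories:
        return False
    for p in policies:            # first matching policy decides (assumption)
        if p.matches(s):
            return s["category"] in p.tap and s["category"] not in p.no_tap
    return False


def find_anomalies(sessions, policies, decrypted_categories, observed_ids):
    """Compare the expected mirrored set with session ids seen in NetMon Discover."""
    expected = {s["id"] for s in sessions if is_mirrored(s, policies, decrypted_categories)}
    return {"unexpected": sorted(observed_ids - expected),  # points to a policy gap
            "missing": sorted(expected - observed_ids)}     # points to a tap/VLAN gap


# Global policy taps everything except Finance (Step 6); an Exec-only policy narrows further.
POLICIES = [
    TapPolicy("Exec-Business-Only", tap={"Business"}, no_tap={"Finance", "Search Engines"}, groups={"Exec"}),
    TapPolicy("Global", tap={"Business", "Search Engines"}, no_tap={"Finance"}),
]
DECRYPTED = {"Business"}          # assumed decryption policy coverage
SESSIONS = [
    {"id": 1, "group": "Marketing", "proto": "HTTP", "category": "Search Engines"},
    {"id": 2, "group": "Engg", "proto": "HTTPS", "category": "Finance"},
    {"id": 3, "group": "Exec", "proto": "HTTPS", "category": "Business"},
    {"id": 4, "group": "Marketing", "proto": "HTTPS", "category": "Search Engines"},
]
OBSERVED = {1, 2}                 # constructed: session ids found in NetMon Discover
```

Session 4 is not mirrored even though its category is tapped, because no decryption policy covers it; session 2 appearing in NetMon despite the No Tap setting is the kind of policy mismatch the integration surfaces.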

Traffic collection configuration on LogRhythm

Step 1. Log in to the LogRhythm user interface using admin credentials: https://<logrhythm hostname>

Step 2. Navigate to Configuration > Network and ensure that the interface is receiving traffic.

Note: Ensure that the LogRhythm interface has been connected directly to the WSA Tap Interface, or is in the same VLAN as the WSA Tap Interface.

Alternatively, navigate to Diagnostics > Network and ensure that the Packet Rate graph shows traffic being received (blue line).

Step 3. To specify which applications are to be monitored, navigate to Configuration > Capture. To capture all applications, toggle the Capture All field to ON, and click the Apply Changes button.

To capture all applications but exclude a subset, toggle the Capture All field to ON and then list the applications to be excluded by typing each application name.

To include only a subset of applications, toggle the Capture All field to OFF, and type the application names to be included.

Step 4. For a quick overview of all traffic captured by LogRhythm, navigate to Analyze > Dashboards.

Clicking the time period field (highlighted in the red box above) offers multiple selection modes (Quick, Relative, or Absolute) for the dashboard report's time period.

Step 5. To view the tapped traffic from WSA, navigate to Analyze > Discover for an overview of all captured traffic.

Looking closely at one of the sessions, you can see detailed information about host name, user agent, content type, date, source and destination IPs, and ports.

Step 6. Expanding any HTTPS session lists the header information of the plaintext HTTP.

From the above example, we can see that the destination port is 443, which is HTTPS traffic. Expanding the session, we can see the plaintext HTTP header information (which, in a normal HTTPS session, would be encrypted):

Hostname: shaver.services.mozilla.com
User agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0

For convenience, the data can also be viewed in JSON format by clicking the JSON tab.


Conclusion

In conclusion, why do we think it is important to integrate WSA with the LogRhythm NetMon appliance? Here is a list of the benefits:
- WSA acts as a single point of decryption for HTTPS traffic without requiring an external SSL decryption appliance.
- WSA provides flexible policy creation to mirror all or a subset of web traffic, allowing an admin to monitor only the traffic of interest on LogRhythm.
- LogRhythm also provides further policy flexibility by creating rules that match a number of conditions, such as an email address with a different domain, saving PCAP files for a few IP addresses, or monitoring the usage of protocols at a specific time (for example, after hours).
- The integration will amplify any operational anomalies. For example, an admin believes that a policy has been configured to block a certain type of traffic; however, this traffic is later found within LogRhythm. This gives the admin an opportunity to rectify the policy configuration.
- WSA has both Bandwidth and Time Quota features; however, if LogRhythm is deployed as a centralized collector for various network devices, it can be used to discover bandwidth hogs and identify time-based activity trends.
- With this integration, troubleshooting latency becomes easier. Because LogRhythm collects data from various network devices, it is easier to pinpoint where an issue occurs.

Next steps

For detailed information on Cisco WSA, go to www.cisco.com/go/wsa.
Find out more about LogRhythm NetMon at www.logrhythm.com/products/logrhythm-netmon/.
A Cisco sales representative, consulting system engineer, or channel partner can help to evaluate how Cisco WSA will enhance your security.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C07-741190-00 08/18