Cloud-delivered Security as a Service solution
Cisco CWS lets admins configure flexible decryption policies for SSL-encrypted web traffic and applications, so that the traffic can be scanned for threats and policies can be applied.
When CWS HTTPS Inspection is used, the cloud proxy initiates the HTTPS web request to the web server on behalf of the client and terminates the session in the cloud proxy where the traffic is decrypted for inspection. CWS then re-encrypts the traffic and creates an additional HTTPS stream from the cloud proxy back to the client, using Cisco’s SSL certificate. This method of HTTPS decryption is also known as “Man in the Middle”.
Access to private and confidential data on Cisco CWS systems is limited to only those employees with a specific need to retrieve this information. Cisco CWS uses best practice computer security safeguards to protect its databases and servers against risks of loss, unauthorized access, destruction, misuse, modification, or inadvertent or improper disclosure of data.
The Cisco Cloud Web Security Connector extends ISR firewall, intrusion prevention, VPN, and other security features. You can deploy market-leading web security quickly and easily and provide highly secure local Internet access for all sites and users, saving bandwidth, money, and resources.
With Cisco ISR with Cloud Web Security Connector, branch offices can intelligently redirect web traffic to the cloud to enforce detailed security and control policy over dynamic Web 2.0 content (Figure 1). The solution helps protect branch office users from threats such as Trojans, back doors, rogue scanners, viruses, and worms. The connector is available in the Cisco Security SEC-K9 license bundle.
Cisco® Cloud Web Security (CWS) takes standards and procedures very seriously as a Security-as-a-Service provider. In the data center and networking industries, although certain Service Provider and Accreditation standards do exist, there is no central governing body regulating data center standards and procedures for cloud services. In many ways, providers define their own best practices. Cisco CWS data centers provide best-in-class cloud-delivered security, with best-in-class infrastructure security and integrity, strict standards, true multi-tenant service, high resiliency and scalability.
Different types of organizations are finding that offering public Wi-Fi can be a viable business opportunity. In many places, whether a coffee shop, hotel, or retail store, Wi-Fi is no longer just desirable for customers and patrons - it is a necessity.
Cisco has recently announced that customers will be able to redirect their traffic to CWS using the new Cisco Integrated Services Router 4000 Series. For a period of time, this functionality will be available through Controlled Availability.
The Cisco Cloud Web Security team is dedicated to customer satisfaction, innovation and quick delivery of highly requested features and functionality. Please note the following aspects of controlled availability will apply to all sales that redirect traffic to the CWS web proxy using the Integrated Services Router 4000 Series.
A common question customers have about CWS is whether or not a destination web server would be able to ‘see’ the customer’s egress IP or the CWS cloud proxy’s egress IP.
When a customer's web traffic is redirected to a CWS cloud proxy, the destination web server will see the customer’s traffic as originating from the CWS proxy's egress IP address. However, CWS inserts the customer's egress IP address into the XFF header (X-Forwarded-For) and the X-ProxyUser-IP header. The destination web server would have to be capable of reading either header to retrieve the customer’s egress IP address.
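One way a destination web server could read these headers safely, as an added example that is not Cisco code: the headers are honoured only when the TCP peer is a known proxy address, because any client can send its own X-Forwarded-For. The network in `TRUSTED_PROXY_NETS` is a placeholder (the page does not list CWS egress ranges), the function names are hypothetical, and the proxy is assumed to set X-ProxyUser-IP itself and to append to X-Forwarded-For in the usual way.

```python
import ipaddress

# Assumption: placeholder range from RFC 5737 documentation space standing in
# for the CWS proxy egress addresses, which the page does not list.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _valid_ip(value):
    """Return a normalised IP string, or None if value is not an IP literal."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def customer_egress_ip(peer_ip, headers):
    """Return (ip, source) identifying the customer's egress address.

    peer_ip is the address of the TCP connection; headers is a dict of
    request headers. The forwarding headers are used only when the peer is
    a trusted proxy; otherwise they are ignored as client-controlled input.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return str(peer), "peer"

    hdrs = {k.lower(): v for k, v in headers.items()}

    # X-ProxyUser-IP carries a single address (assumed set by the proxy).
    candidate = _valid_ip(hdrs.get("x-proxyuser-ip", ""))
    if candidate:
        return candidate, "x-proxyuser-ip"

    # X-Forwarded-For is a comma-separated chain. Entries to the left may have
    # been supplied by the client, so only the rightmost one, appended by the
    # trusted proxy that connected to us, is used.
    chain = [p for p in hdrs.get("x-forwarded-for", "").split(",") if p.strip()]
    if chain:
        candidate = _valid_ip(chain[-1])
        if candidate:
            return candidate, "x-forwarded-for"

    # Missing or malformed headers: fall back to the proxy address itself.
    return str(peer), "peer"
```

The returned source label is worth logging next to the address, so that later analysis can tell a header-derived value from a connection-derived one.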
Sizing Guide for Cisco Cloud Web Security Connector with the ASA 5500 Series Adaptive Security Appliances and ASA 5500-X Series Adaptive Security Appliances
Next-Generation Tower (NGT) sizing for Cloud Web Security connectors is now based on two testing metrics: requests per second (RPS, Xact/sec) and bandwidth (Mbps). Neither of these metrics should be exceeded when sending traffic to an NGT.
Due to TCP/IP limitations, the Web Security Appliance can use only 64,000 ports per single IP address. So, although the appliance can handle many users when proxied to a Cloud Web Security tower, there may be a bottleneck, depending on the type of traffic that is sent to Cloud Web Security. Microsoft Office 365 traffic, for example, will use many ports.