When it comes to protecting user access to the web, Cisco’s Secure Web Appliance (SWA) offers far more than a traditional firewall. Unlike stateful firewalls or routers using Access Control Lists (ACLs) that operate at Layers 3 or 4, proxies – specifically Web Application Firewalls (WAFs) – operate at Layer 7, inspecting actual content and offering advanced threat defense.
Why Proxies Are Needed
ACLs on an ASA or router can permit or deny traffic based on ports or IP addresses, but they lack visibility into the content of the traffic. Without L7 inspection (unless an NGFW such as Secure Firewall is in the path with services enabled), the following limitations exist:
- No antivirus or antispyware
- No URL filtering
- No anti-malware scanning
- No advanced content filtering
To address these gaps, proxies are introduced. A proxy sits between the user and the internet, inspecting and filtering web requests. Most proxies offer basic features, such as URL filtering, and may also include anti-virus scanning. Standard proxies typically handle common ports, such as 80 (HTTP) and 443 (HTTPS). For implicit proxy setups, even DNS requests (port 53) can be intercepted and resolved by the proxy.
However, traffic for non-standard ports (such as custom Exchange ports, like 5566) may not work through the proxy. In those cases, traffic is routed directly through the firewall with ACLs, bypassing the proxy.
SWA Overview
Cisco’s Secure Web Appliance expands on the functionality of traditional proxies, adding multiple layers of security and control:
- Proxy Functions: SWA proxies traffic on ports 80, 443, and 21 (for FTP). It also supports SOCKS tunneling.
- URL Filtering: While not foolproof alone (since most URLs aren’t categorized in proxy databases), SWA enhances security by analyzing the content downloaded from sites in real-time.
- DVS (Dynamic Vectoring and Streaming): This powerful engine categorizes web content dynamically, even when URL categorization is incomplete or incorrect. It inspects downloaded content to assess its nature and classify it appropriately.
- User Authentication: SWA can integrate with Active Directory (AD) for user authentication, enabling policy enforcement based on usernames or user groups rather than just IP addresses. NTLM and Kerberos are supported, with NTLM being the most commonly used.
- AVC (Application Visibility and Control): This feature allows blocking specific applications within web services. For example, it can block Facebook Chat while allowing other parts of Facebook.
- Bandwidth Control: Admins can throttle bandwidth for specific users or applications. Example: Limiting YouTube to 500 kbps per user.
- Appliance Options: Physical models include the S196, S396, and S696. Virtual options are available too: S100V, S300V, S600V, and S1000V.
- SMA for Centralized Management: Both physical and virtual SMA (Security Management Appliance) options exist to manage SWAs centrally.
- Interface Ports: Each physical SWA appliance includes at least:
  - One M1 management port
  - Two proxy ports (P1, P2)
  - Two L4TM ports (T1, T2)
Secure Web Appliance Deployment Options
Layer 4 Traffic Monitoring (L4TM)
Malware often attempts to bypass proxies by changing ports or protocols. L4TM combats this by inspecting traffic that doesn’t go through the proxy:
- L4TM monitors traffic via SPAN to the T1/T2 ports.
- It scans for malware and spyware using anti-virus tools.
- If licensed, it integrates with AMP (Advanced Malware Protection).
- It also leverages Cisco’s Security Intelligence feeds to block malicious domains or IPs.
Web Proxy Modes
SWA can function as a web proxy in two main deployment modes:
1. Transparent Proxy
Traffic is automatically redirected to the SWA without requiring user-side configuration. Redirection is typically achieved using:
- WCCP (Web Cache Communication Protocol) – Available on ASA, some switches, and Cisco routers.
- PBR (Policy-Based Routing) – Available on ASA, switches, and routers.
In transparent mode:
- DNS is resolved by the client.
- The redirection is invisible to users.
- User authentication is supported, though FTP proxy authentication is not.
2. Explicit Proxy
The browser must be configured to forward traffic to the proxy. This can be done through:
- Manual proxy settings in the browser
- PAC (Proxy Auto-Configuration) files
- WPAD (Web Proxy Auto-Discovery) services
In explicit mode:
- The proxy handles DNS resolution.
- The browser sends requests to the proxy, which downloads and filters the content before sending it to the user.
Configuring Cisco SWA with WCCP for Transparent Redirection
Web Cache Communication Protocol (WCCP) allows network devices like routers and firewalls to transparently redirect traffic to a Secure Web Appliance, which then inspects and forwards the traffic to its destination. This setup enables administrators to enforce web security policies without configuring each client device individually.
What Is WCCP?
WCCP is a protocol that enables redirection of network traffic between routers/switches and a caching engine or proxy, like Cisco’s SWA. When configured, WCCP intercepts specific types of traffic (e.g., web traffic on port 80 or 443) and sends it to the SWA for inspection. The SWA analyzes the content and forwards the traffic to the internet.
Many Cisco switches support WCCP, but they may require resource allocation (such as configuring sdm prefer routing) and a reload to function properly. For routers and switches, WCCP defaults to version 1; however, the Cisco SWA only supports version 2. Therefore, ensure that you change it accordingly.
Step-by-Step Configuration Guide
1. Set WCCP Version on the Router or Switch
Configure the router to use version 2:
ip wccp version 2
2. Create an ACL for the SWA Itself
Define the IP address of the SWA:
access-list 1 permit host 192.1.200.50
3. Create an ACL for Traffic Redirection
Specify which traffic should be redirected to the SWA. For example:
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 8000
4. Link the ACLs to WCCP Configuration
You have two options:
If you want to only redirect port 80 traffic, use the web-cache keyword:
ip wccp web-cache group-list 1 redirect-list 101 password cisco
For additional ports or service IDs, use a numeric service ID (e.g., 99):
ip wccp 99 group-list 1 redirect-list 101 password cisco
The password is optional, but it must match between the router and SWA. Make sure the SWA is configured with the same service ID (e.g., 99).
5. Apply the WCCP Redirect on the Ingress Interface
Identify the interface where user traffic enters and apply the redirect:
interface g1
 ip wccp 99 redirect in
If using the web-cache keyword, replace 99 with web-cache.
6. Verify WCCP Operation
Use the following command to check the WCCP configuration:
show ip wccp 99 view
Note: It may appear blank until the SWA side is also fully configured.
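The steps above only work if the service ID, ACL numbers, password and WCCP version line up, and a mismatch typically shows up as the blank `show ip wccp` output just mentioned. The following added example (not part of the original guide or a Cisco tool) parses a router-side WCCP configuration and reports those alignment problems before you look at the SWA; the sample config it checks is constructed from the commands in this walkthrough, and the `swa_service_id`/`swa_password` arguments represent what you entered on the SWA.

```python
# Constructed sample router config following the steps above (not from a real device).
ROUTER_CONFIG = """\
ip wccp version 2
access-list 1 permit host 192.1.200.50
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 8000
ip wccp 99 group-list 1 redirect-list 101 password cisco
interface g1
 ip wccp 99 redirect in
"""


def check_wccp_config(config, swa_service_id, swa_password=None):
    """Return the list of WCCP alignment problems found in a router config.

    Checks: WCCP version 2 is set, every group-list/redirect-list names an
    ACL that exists, the service applied on an interface is defined globally,
    and the service ID and password match what the SWA was configured with.
    """
    problems, acls, services, applied = [], set(), {}, []
    version = ""
    for raw in config.splitlines():
        words = raw.split()
        if words[:1] == ["access-list"]:
            acls.add(words[1])
        elif words[:3] == ["ip", "wccp", "version"]:
            version = " ".join(words[3:4])
        elif words[:2] == ["ip", "wccp"] and words[3:4] == ["redirect"]:
            applied.append(words[2])  # interface-level 'ip wccp <id> redirect in'
        elif words[:2] == ["ip", "wccp"]:
            # global service line: ip wccp <id> [group-list A] [redirect-list B] [password P]
            services[words[2]] = dict(zip(words[3::2], words[4::2]))
    if version != "2":
        problems.append(f"WCCP version is {version or 'unset'}; SWA supports only version 2")
    for svc, opts in services.items():
        for key in ("group-list", "redirect-list"):
            if key in opts and opts[key] not in acls:
                problems.append(f"service {svc}: {key} {opts[key]} names an undefined ACL")
    for svc in applied:
        if svc not in services:
            problems.append(f"interface applies WCCP service {svc}, which is not defined globally")
    if not applied:
        problems.append("no interface has 'ip wccp <id> redirect in'")
    swa_id = str(swa_service_id)
    if swa_id not in services:
        problems.append(f"SWA service ID {swa_id} is not defined on the router")
    elif services[swa_id].get("password") != swa_password:
        problems.append(f"service {swa_id}: password differs from the SWA's")
    return problems
```

Run `check_wccp_config(ROUTER_CONFIG, 99, "cisco")` against a copy of your own running config (for example, the output of `show running-config | include wccp|access-list`, plus the interface lines); an empty list means the router side matches the SWA settings.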
Setting up WCCP provides a seamless method for redirecting web traffic for inspection, eliminating the need for manual browser or device configuration. With support for dynamic port selection and optional security through shared keys, it offers flexibility and scalability for large environments. Just be sure to align service IDs and ACLs between your router/switch and SWA for successful deployment.