Cisco ScanSafe, aka Cisco Cloud Web Security
Hi, I'm doing some research on the Cisco Cloud Web Security offering, also known as ScanSafe. Has anyone on the lists explored Cisco's ScanSafe SaaS offering, now called Cisco Cloud Web Security - as a means of providing protection in the cloud that would potentially negate the requirement to have a full tunnel (i.e. allow split tunneling) for teleworkers? Thanks!
On Wed, Dec 4, 2013 at 5:53 PM, Herro91 <herro91@gmail.com> wrote:
> Hi,
> I'm doing some research on the Cisco Cloud Web Security offering, also known as ScanSafe.
> Has anyone on the lists explored Cisco's ScanSafe SaaS offering, now called Cisco Cloud Web Security - as a means of providing protection in the cloud that would potentially negate the requirement to have a full tunnel (i.e. allow split tunneling) for teleworkers?
First of all, why are you allowing or disallowing split tunnel networks? The only case I see when you want to route all traffic through the gateway is when you have a big network that changes constantly and you don't want to update ACLs all day to make sure a teleworker can reach certain equipment no matter what.
Other than that, when the laptop is not connected to the VPN the user can browse whatever site on the internet, and from a security standpoint there is no benefit. There is always the risk that he/she may get infected with some malware that your antivirus does not recognize and it spreads through the internet network when the user VPNs to the corporate network. Even with a malware cloud service, you still have security gaps and opportunity windows for attackers to get to you.
One thing is that it is not always feasible to have a proxy set up in your browser all the time, as for example it would be impossible to connect to the internet when you are at a hotel that has a captive portal. And in order to get access you will have to disable the proxy, log into the captive portal, pay (optionally), accept the terms and reactivate the proxy settings in the browser. And if you forget to do this... well, you're on your own and hope for the best and that the locally installed AV and anti-malware solution is "good enough".
What I would suggest is that you only allow access to some jump hosts (linux/windows/etc) that are being protected by adequate security measures such as an IPS. This also assumes that the same level of protection exists between your user network and server network, otherwise it's pretty much game over once the user is back in the office with full network access.
Regards, Eugeniu
> First of all, why are you allowing or disallowing split tunnel networks?
> There is always the risk that he/she may get infected with some malware that your antivirus does not recognize and it spreads through the internet network when the user VPNs to the corporate network.
From what I've seen, many government agencies - particularly those that work with sensitive data - take a very risk-averse position when dealing with remote access - if it is allowed at all.
Such networks also tend to be fairly compartmentalized out of necessity. Still the possibility of a breach that originated from a user that was VPN'd in and happened to open "not-infected-srsly.zip" gives IT admins in such environments more than a bit of heartburn.
jms
We currently use CCWS (previously ScanSafe) with the AnyConnect client. Nice solution. Whether you're in the office or remoting from a Starbucks, the traffic is always proxied. We went with the solution because of a couple reasons:
1. with multiple egress points on the corporate network, we didn't want to be down if we lost a proxy server.
2. corporate laptops whether in the office or at Starbucks would still be proxied. This helps limit our virus and malware infections and provides HR reports.
3. split tunneling would be an option because the traffic doesn't have to come back to your internal proxy.
4. our remote home office bandwidth is very limited, so using the cloud it provided for better use of that bandwidth.
All in all it's a good solution. I'm not going to tell you that we have not had any issues, but with any new solution, there will be a couple bruises along the way.
YMMV
Scott
Hi,
How do you handle captive portals in hotels and other venues where you first have to log in to the portal and then have Internet access?
This is my biggest woe right now in this regard with any kind of proxy settings I can push to users.
Thanks, Eugeniu
On Thu, Dec 5, 2013 at 10:05 PM, Scott Voll <svoll.voip@gmail.com> wrote:
> We currently use CCWS (previously ScanSafe) with the AnyConnect client. Nice solution. Whether you're in the office or remoting from a Starbucks, the traffic is always proxied. We went with the solution because of a couple reasons:
> 1. with multiple egress points on the corporate network, we didn't want to be down if we lost a proxy server.
> 2. corporate laptops whether in the office or at Starbucks would still be proxied. This helps limit our virus and malware infections and provides HR reports.
> 3. split tunneling would be an option because the traffic doesn't have to come back to your internal proxy.
> 4. our remote home office bandwidth is very limited, so using the cloud it provided for better use of that bandwidth.
> All in all it's a good solution. I'm not going to tell you that we have not had any issues, but with any new solution, there will be a couple bruises along the way.
> YMMV
> Scott
_______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Hi Eugeniu,
You could use the inexpensive Mikrotik User Manager
http://wiki.mikrotik.com/wiki/User_Manager/Introduction
http://wiki.mikrotik.com/wiki/Manual:User_Manager
http://wiki.mikrotik.com/wiki/User_Manager/Getting_started
http://www.youtube.com/watch?v=blEGv5i-aO4
Good Luck :)
Edy
On 12/6/2013 3:14 PM, Eugeniu Patrascu wrote:
> Hi,
> How do you handle captive portals in hotels and other venues where you first have to log in to the portal and then have Internet access?
> This is my biggest woe right now in this regard with any kind of proxy settings I can push to users.
> Thanks, Eugeniu
Hello Pui,
Thanks for the pointers but I think you misunderstood my question. I know how to set up a captive portal for WiFi access. What I wanted to know is how are users logging into captive portals when the browser has a proxy set and it tries to send all requests to the proxy server which until they authenticate to the captive portal they cannot reach?
Eugeniu
On Fri, Dec 6, 2013 at 9:47 AM, Pui Edylie <email@edylie.net> wrote:
> Hi Eugeniu,
> You could use the inexpensive Mikrotik User Manager
> http://wiki.mikrotik.com/wiki/User_Manager/Introduction
> http://wiki.mikrotik.com/wiki/Manual:User_Manager
> http://wiki.mikrotik.com/wiki/User_Manager/Getting_started
> http://www.youtube.com/watch?v=blEGv5i-aO4
> Good Luck :)
> Edy
participants (5)
- Eugeniu Patrascu
- Herro91
- Justin M. Streiner
- Pui Edylie
- Scott Voll