Cisco Web Security Appliance S660 Release Notes
Release Notes for Cisco IronPort AsyncOS 7.7.5 for Web
What’s New in Cisco IronPort AsyncOS 7.7.0 for Web
Software-based FIPS Level 1 Compliance
The Federal Information Processing Standard (FIPS) 140-2 is a publicly announced
standard developed jointly by the United States and Canadian federal governments
specifying requirements for cryptographic modules that are used by all government
agencies to protect sensitive but unclassified information. With AsyncOS 7.7 for
Web, FIPS 140-2 Level 1 compliance can be enabled via a few simple steps in the
Web Security Appliance GUI.
This feature utilizes the Cisco Common Crypto Module (C3M) rather than the
previously used Hardware Security Module (HSM) for all cryptographic operations
and it will be available via AsyncOS 7.7 for Web running on all currently supported
hardware models. See FIPS Compliance in the user guide or online help.
SOCKS Proxy
Support for SOCKS-based applications, including Bloomberg Terminals. Define
SOCKS-specific user and group policies as well as specific TCP and UDP
destination ports. SOCKS logs and reports allow you to track and analyze SOCKS
proxy usage. See Overview of SOCKS Proxy Services in the user guide or online
help.
Custom Header Insertion
Insert custom request headers. Certain websites such as YouTube for Schools
require that web requests to their domains be appended with customized header
strings. In the case of YouTube for Schools, an account-specific string must be sent
with each request to YouTube’s domains so that YouTube can recognize users from
a Schools account and serve content accordingly. This function allows you to utilize
the CLI to specify the custom header string and the domains for which requests will
be appended. See “Custom Headers” in the user guide or online help.
OCSP
Use the Online Certificate Status Protocol (OCSP) to provide revocation status
updates for X.509 certificates. OCSP provides a more timely means of validation
for certificates than the alternative Certificate Revocation Lists (CRL).
Currently, the administrator can configure the invalid certificate handling policies
under the HTTPS Proxy page. Enable/disable OCSP and configure new OCSP
policies using the Web UI. Configure timeout values, and select a configured
upstream proxy group. Configure a list of exempt servers that WSA will connect to
directly without using the upstream proxy. See Enabling Real-Time Revocation
Status Checking in the user guide or online help.
Certificate Trust Store Management
Greater management control of certificates and certificate authorities. View all of
the Cisco-bundled certificates, remove trust of any Cisco-trusted root certificate
authorities, and view the Cisco-published blacklist. This will provide more
flexibility in making your own decisions with regard to acceptable and
unacceptable certificates used by the WSA.
Within the Web UI, import your own trusted certificates and add them to the trusted
root certificate list. View current Cisco-trusted root certificates and select an option
to override each individual certificate, removing trust by the WSA for that
certificate. View Cisco’s intermediate certificate blacklist. Due to real-life
incidents where certain intermediate CAs were compromised, the WSA was given
a hard-coded list of blacklisted intermediate certificates that was previously
not visible to administrators. This now becomes a viewable list. See Adding
Certificates to the Trusted List and Removing Certificates from the Trusted List in
the user guide or online help.
Table 3. New Features for AsyncOS 7.7 for Web (continued). Columns: Feature, Description.
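An added example (not Cisco's code or CLI syntax) of the domain-scoped header insertion described under Custom Header Insertion above: it matches domains on label boundaries so the account-specific string is never sent to look-alike hosts, and it replaces any client-supplied copy of the header. The header name, the value and the matching rule are assumptions made for illustration, not documented WSA behaviour.

```python
# Added illustration; names and values are constructed, not WSA settings.
HEADER_NAME = "X-Example-Account"            # placeholder header name
HEADER_VALUE = "PLACEHOLDER-ACCOUNT-STRING"  # placeholder account-specific string
SCOPED_DOMAINS = ("youtube.com",)            # domains the header is configured for


def host_in_scope(host, domains=SCOPED_DOMAINS):
    """True if host equals a configured domain or is a subdomain of it."""
    host = host.strip().lower()
    # Drop a port suffix, leaving bracketed IPv6 literals alone.
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    for domain in domains:
        domain = domain.lower().strip(".")
        # Match on a label boundary so "notyoutube.com" is not in scope.
        if host == domain or host.endswith("." + domain):
            return True
    return False


def apply_custom_header(host, headers):
    """Return the request headers as the proxy would forward them.

    headers is a list of (name, value) pairs received from the client.
    """
    if not host_in_scope(host):
        # Out of scope: forward unchanged, so the account string never leaks.
        return list(headers)
    # Header names are case-insensitive: drop any client-supplied copy so a
    # user cannot override the administrator's value.
    kept = [(n, v) for n, v in headers if n.lower() != HEADER_NAME.lower()]
    kept.append((HEADER_NAME, HEADER_VALUE))
    return kept


if __name__ == "__main__":
    client = [("User-Agent", "demo"), ("x-example-account", "spoofed")]
    for h in ("www.youtube.com", "youtube.com:443", "notyoutube.com",
              "youtube.com.example.net"):
        print(h, apply_custom_header(h, client))
```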