Cisco Web Security Appliance S360

Release Notes for Cisco IronPort AsyncOS 7.7.5 for Web
  What’s New in Cisco IronPort AsyncOS 7.7.0 for Web
Software-based FIPS Level 1 Compliance
The Federal Information Processing Standard (FIPS) 140-2 is a publicly announced 
standard developed jointly by the United States and Canadian federal governments 
specifying requirements for cryptographic modules that are used by all government 
agencies to protect sensitive but unclassified information. With AsyncOS 7.7 for 
Web, FIPS 140-2 Level 1 compliance can be enabled via a few simple steps in the 
Web Security Appliance GUI. 
This feature utilizes the Cisco Common Crypto Module (C3M) rather than the 
previously used Hardware Security Module (HSM) for all cryptographic operations 
and it will be available via AsyncOS 7.7 for Web running on all currently supported 
hardware models. See FIPS Compliance in the user guide or online help.
SOCKS Proxy
Support for SOCKS-based applications, including Bloomberg Terminals. Define 
SOCKS-specific user and group policies as well as specific TCP and UDP 
destination ports. SOCKS logs and reports allow you to track and analyze SOCKS 
proxy usage. See Overview of SOCKS Proxy Services in the user guide or online 
help.
Custom Header Insertion
Insert custom request headers. Certain websites such as YouTube for Schools 
require that web requests to their domains be appended with customized header 
strings. In the case of YouTube for Schools, an account-specific string must be sent 
with each request to YouTube’s domains so that YouTube can recognize users from 
a Schools account and serve content accordingly. This function allows you to use 
the CLI to specify the custom header string and the domains whose requests will 
have that string appended. See “Custom Headers” in the user guide or online help.
OCSP
Use the Online Certificate Status Protocol (OCSP) to provide revocation status 
updates for X.509 certificates. OCSP provides a more timely means of validation 
for certificates than the alternative Certificate Revocation Lists (CRL). 
Currently, the administrator can configure the invalid certificate handling policies 
under the HTTPS Proxy page. Enable/disable OCSP and configure new OCSP 
policies using the Web UI. Configure timeout values, and select a configured 
upstream proxy group. Configure a list of exempt servers that WSA will connect to 
directly without using the upstream proxy. See Enabling Real-Time Revocation 
Status Checking in the user guide or online help.
Certificate Trust Store Management
Greater management control of certificates and certificate authorities. View all of 
the Cisco-bundled certificates, remove trust of any Cisco-trusted root certificate 
authorities, and view the Cisco-published blacklist. This provides more 
flexibility in making your own decisions about which certificates the WSA 
treats as acceptable or unacceptable. 
Within the Web UI, import your own trusted certificates and add them to the trusted 
root certificate list. View current Cisco-trusted root certificates and select an option 
to override each individual certificate, removing trust by the WSA for that 
certificate. View Cisco’s intermediate certificate blacklist. Due to real-life 
incidents where certain intermediate CAs were compromised, the WSA was given 
a hard-coded list of blacklisted intermediate certificates that was previously 
hidden from administrators. This now becomes a viewable list. See Adding 
Certificates to the Trusted List and Removing Certificates from the Trusted List in 
the user guide or online help.
Table 3. New Features for AsyncOS 7.7 for Web (continued)
Feature    Description