Cisco Web Security Appliance S670 Information Guide

How to prevent the Web Security Appliance from being an open proxy
Document ID: 117933
Contributed by Josh Wolfer and Siddharth Rajpathak, Cisco TAC
Engineers.
Jul 15, 2014
Question:
Environment: Cisco Web Security Appliance (WSA), all versions of AsyncOS
There are two areas where the WSA can be considered to be an open proxy:
1. HTTP clients that do not reside on your network are able to proxy through
2. Clients are using HTTP CONNECT requests to tunnel non-HTTP traffic through
Each of these scenarios has completely different implications and will be discussed in more detail below.
HTTP clients that do not reside on your network are able to proxy through
The WSA will, by default, proxy any HTTP request sent to it, as long as the request arrives on a port the WSA is
listening on (defaults are 80 and 3128). This may be a problem for you, as you may not want any
client from any network to be able to use the WSA. This can be a huge issue if the WSA is using a public IP
address and is accessible from the internet.
There are two ways that this can be remedied:
1. Utilize a firewall upstream of the WSA in order to block unauthorized sources from HTTP access.
2. Create policy groups to only allow the clients on your desired subnets. A simple demonstration of this
policy is below:
Policy Group 1: Applies to subnet 10.0.0.0/8 (assuming this is your client network). Add your desired actions.
Default Policy: Block all protocols - HTTP, HTTPS, FTP over HTTP
More detailed policies may be created above Policy Group 1. As long as the other groups only apply to the
appropriate client subnets, all other traffic will fall through to the "deny all" Default Policy at the bottom.
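The following is an added example, not part of the Cisco document and not the appliance's configuration format. It models the policy-group evaluation described above (groups checked top to bottom, first matching client subnet wins, catch-all Default Policy last) so that a table such as "Policy Group 1 for 10.0.0.0/8, Default Policy blocks everything" can be sanity-checked against constructed client addresses before it goes live. The `PolicyGroup` structure, the protocol names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Hypothetical model of WSA-style access policy evaluation (assumption, not
# the appliance's real configuration schema). Groups are evaluated top to
# bottom; the first group whose client membership matches wins; a group with
# no subnets is the catch-all Default Policy and must be last.

PROTOCOLS = ("HTTP", "HTTPS", "FTP over HTTP")


@dataclass
class PolicyGroup:
    name: str
    subnets: List[ipaddress._BaseNetwork]   # empty list = matches every client
    blocked: FrozenSet[str]                  # protocols this group blocks

    def matches(self, client_ip) -> bool:
        # 'in' on a network of the other IP version simply returns False
        return not self.subnets or any(client_ip in net for net in self.subnets)


def evaluate(policies: List[PolicyGroup], client_ip_str: str, protocol: str) -> Tuple[str, str]:
    """Return (matching policy name, 'ALLOW' or 'BLOCK') for one request."""
    client_ip = ipaddress.ip_address(client_ip_str)
    for group in policies:
        if group.matches(client_ip):
            action = "BLOCK" if protocol in group.blocked else "ALLOW"
            return group.name, action
    raise ValueError("no policy matched; a catch-all Default Policy must be last")


def default_policy_leaks(policies: List[PolicyGroup]) -> List[str]:
    """Protocols the bottom catch-all policy still allows.

    A non-empty result means any client that reaches the listening port,
    including one outside your subnets, can proxy that protocol: the
    'open proxy' condition the text warns about.
    """
    last = policies[-1]
    if last.subnets:
        raise ValueError("last policy is not a catch-all Default Policy")
    return [p for p in PROTOCOLS if p not in last.blocked]


def audit(policies: List[PolicyGroup], requests):
    """Classify constructed (client_ip, protocol) pairs against the table."""
    return [(ip, proto) + evaluate(policies, ip, proto) for ip, proto in requests]


# Policy table from the text: Policy Group 1 covers 10.0.0.0/8 and allows
# everything; Default Policy blocks all three protocols.
POLICIES = [
    PolicyGroup("Policy Group 1", [ipaddress.ip_network("10.0.0.0/8")], frozenset()),
    PolicyGroup("Default Policy", [], frozenset(PROTOCOLS)),
]

# Constructed sample requests: one internal client, two from outside the
# client network (an RFC 5737 documentation address and another RFC 1918 range).
SAMPLE_REQUESTS = [
    ("10.20.30.40", "HTTP"),
    ("203.0.113.7", "HTTP"),
    ("192.168.1.5", "HTTPS"),
]

if __name__ == "__main__":
    for ip, proto, name, action in audit(POLICIES, SAMPLE_REQUESTS):
        print(f"{ip:>15} {proto:<14} -> {name}: {action}")
    print("Default Policy still allows:", default_policy_leaks(POLICIES) or "nothing")
```

Only the 10.0.0.0/8 client is allowed; the two outside addresses fall through to the Default Policy and are blocked. If someone later edits the Default Policy to allow, say, HTTPS, `default_policy_leaks` reports it, which is the single most useful check to keep in a configuration review.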
Clients are using HTTP CONNECT requests to tunnel non-HTTP traffic through
HTTP CONNECT requests are used to tunnel non-HTTP data via an HTTP proxy. The most common usage
of an HTTP CONNECT request is for tunneling HTTPS traffic. In order for an explicitly configured client to