Cisco ScanSafe, aka Cisco Cloud Web Security

Eugeniu Patrascu eugen at
Wed Dec 4 17:18:06 UTC 2013

On Wed, Dec 4, 2013 at 5:53 PM, Herro91 <herro91 at> wrote:

> Hi,
> I'm doing some research on the Cisco Cloud Web Security offering, also
> known as ScanSafe.
> Has anyone on the lists explored Cisco's ScanSafe SaaS offering, now called
> Cisco Cloud Web Security - as a means of providing protection in the cloud
> that would potentially negate the requirement to have a full tunnel (i.e.
> allow split tunneling) for teleworkers?

First of all, why are you allowing or disallowing split-tunnel networks?

The only case I see when you want to route all traffic through the gateway
is when you have a big network that changes constantly and you don't want
to update ACLs all day to make sure a teleworker can reach certain
equipment no matter what.

Other than that, when the laptop is not connected to the VPN, the user
can browse whatever site on the internet, and from a security standpoint
there is no benefit.

There is always the risk that he/she may get infected with some malware
that your antivirus does not recognize and it spreads through the internal
network when the user VPNs to the corporate network.

Even with a malware cloud service, you still have security gaps and
opportunity windows for attackers to get to you. One thing is that it is not
always feasible to have a proxy set up in your browser all the time, as, for
example, it would be impossible to connect to the internet when you are at a
hotel that has a captive portal. In order to get access you will have
to disable the proxy, log into the captive portal, pay (optionally), accept
the terms and reactivate the proxy settings in the browser. And if you forget
to do this... well, you're on your own and hope for the best and that the
locally installed AV and anti-malware solution is "good enough".

What I would suggest is that you only allow access to some jump hosts
(linux/windows/etc) that are protected by adequate security measures
such as an IPS. This also assumes that the same level of protection exists
between your user network and server network; otherwise it's pretty much
game over once the user is back in the office with full network access.


More information about the NANOG mailing list