AnyConnect SSL VPN Client

During the early development period of SSL VPNs, network administrators needed a VPN client that had benefits that were similar to an IPsec remote access VPN client, but required less administrative overhead for installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. Cisco first introduced the SSL VPN Client (SVC) that was a self-downloading, self-installing, self-configuring, and self-uninstalling VPN. In Release...

AnyConnect VPN Client Configuration Guide

During the early development period of SSL VPNs, network administrators needed a VPN client that had benefits similar to those of an IPsec remote access VPN client, but required less administrative overhead for installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. In the pre-version 8.0 releases, Cisco provided the SSL VPN Client (SVC). This is a self-downloading, self-installing, self-configuring, and self-uninstalling VPN...

Applying Secure Desktop Restrictions

In addition to the global parameters that can be configured (discussed in the preceding section), you can apply certain restrictions to Secure Desktop to further enhance the level of security for SSL VPN sessions. These restrictions are defined in Secure Desktop Settings under a predefined location. These restrictions include the following: Restrict application usage to the web browser only, with the following exceptions. With this option, you can only allow users to launch multiple windows of...

Cisco ASA 5500 Series

The Cisco ASA 5500 series Adaptive Security Appliance provides an advanced Adaptive Identification and Mitigation (AIM) architecture and is a key component of the Cisco Self-Defending Network. As mentioned earlier in this chapter, the security appliances integrate firewall, IDS/IPS, and VPN capabilities and provide an all-in-one solution for an organization. Seven Cisco ASA 5500 series models are available in the current Cisco ASA 5500 series product line. They include the following: The Cisco...

Cisco Secure ACS Integration Mode

The Cisco Secure ACS integration mode provides more granular administrative permission controls than the native mode. The two main areas are as follows: Application-specific roles: Cisco Secure ACS allows you to define customized roles that have granular permission down to the policy and object level. For example, you can define an administrative role that is authorized only to view and modify SSL VPN policies, but not other security policies, such as firewall policies or IPS policies. Figure...

Clientless Connections with CSD

SecureMe wants to deploy an SSL VPN solution for a group of contractors who access some resources from their laptops. These contractors use a terminal server as well as a web server for browsing, and a Windows file server to save and retrieve their documents. All contractors use Windows-based operating systems on their workstations. SecureMe prefers to create a secure environment before SSL VPN sessions are allowed. Figure 6-45 shows SecureMe's proposed network topology for clientless...

Clientless Connections with DAP

After successfully implementing the AnyConnect functionality on the security appliance, SecureMe has now decided to provide clientless functionality to a group of mobile contractors. These contractors use a web server for browsing, a terminal server, and a Windows file server to save and retrieve their documents. Figure 5-66 shows SecureMe's proposed network topology for clientless connections. Figure 5-66 SecureMe's Clientless Connection Topology with DAP (192.168.1.0/24) The security...

Clientless SSL VPN Configuration Guide

The SSL VPN functionality on Cisco ASA is the most robust in the industry. The following sections focus on the clientless users who want to access internal corporate resources but do not have an SSL VPN client loaded on their workstations. These users typically access protected resources from shared workstations or even from hotels or Internet cafés. The clientless configuration on Cisco ASA can be broken down into the following subsections: Enable SSL VPN on an interface; Configure SSL VPN...

Configure AnyConnect SSL VPN Properties

The last step necessary to meet the listed requirements is to configure AnyConnect VPN Client on the router for remote users. This deployment scenario assumes that an SSL VPN gateway and context were not defined earlier and creates new ones. Follow these guidelines to achieve the goals: 4. Under IP Address Pool from Which Clients Will Be Assigned an IP Address, click the option and select Create a new IP Pool. Under Pool Name, specify SSLVPNPool, and then click Add to define a range of IP...

Configuring a Tunnel Group

Set up a new tunnel group by choosing Configuration > Remote Access VPN > Network (Client) Access > Connection Profiles > Add. For demonstration purposes, a tunnel group called SSLVPNTunnel has been added for the AnyConnect Clients. After defining a tunnel group name, you can bind the SSLVPNGroup group-policy to this tunnel group. If a user tries to connect to this tunnel group, the user will inherit attributes and policies defined under the user group-policy. Refer to Figure 5-5 for...

Configuring Client-Server Plug-Ins

For known applications, such as VNC, Remote Desktop, Telnet, and SSH, you can allow the clientless SSL VPN users to connect to the protected network using the supported applications. This way, when a clientless SSL VPN user is authenticated, the user can choose to launch an application plug-in such as VNC and connect to an internal server running the VNC application. Cisco provides the client-server plug-ins for VNC, Remote Desktop, and SSH/Telnet. These plug-ins can be downloaded from the...

Configuring DAP

When a user tries to establish a connection, DAP can analyze the posture assessment result of a remote host and apply access policies that are dynamically generated. DAP can use the AAA attributes, such as RADIUS, LDAP, and Cisco-specific, and endpoint attributes, such as host scans and prelogin locations, before an action or a series of actions can be applied to a user session. It is designed to complement the authentication, authorization, and accounting (AAA) services by aggregating the...

Configuring File Servers

In addition to the web servers, you can also define a bookmark list of the file servers that the clientless users can access. Cisco ASA supports network file sharing using the Common Internet File System (CIFS), a file system that uses the original IBM and Microsoft networking protocols. Through CIFS, users can access their file shares located on the file servers. Users can download, upload, delete, or rename the files under the shared directories, but only if the file system permissions allow...

Configuring Group Policies

The user group and default group policies are configured by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access or Network (Client) Access > Group Policies. Click Add to add a new group policy. As shown in Figure 5-4, a user group-policy, called ClientlessGroupPolicy, has been added. This group-policy only allows clientless SSL VPN tunnels to be established and strictly rejects all the other tunneling protocols. If you would rather assign attributes to default...

Configuring SSL VPN Portal Customization

Figure 5-11 shows the default SSL VPN page when a connection is initiated from a web browser. The title of the page is SSL VPN Service and the Cisco Systems logo is displayed in the upper-left corner of the web page. The initial page prompts the user for user authentication credentials. Figure 5-11 Default SSL VPN Login Page You can customize the initial SSL VPN login page based on security policies of your organization. Cisco ASA also allows you to...

Configuring Traffic Filters

In its default firewall role, the Cisco ASA blocks decrypted traffic and protects the trusted network, unless the ACLs on the ingress interface explicitly permit traffic to pass through it. In case you trust all your remote AnyConnect VPN Clients, Cisco ASA can be configured to permit all decrypted SSL VPN packets to pass through it without inspecting them against the configured ACL. This is done with the sysopt connection permit-vpn command, as shown in Example 5-11. Example 5-11 Sysopt...

Configuring Websites

After adding a bookmark list, you can add a bookmark entry for the internal web servers that you want to give access to the clientless users. In Figure 5-26, a bookmark list name of InternalServers has been added. Because it is a new list, the administrator has added a bookmark title of InternalWebServer with a URL value of http://intranet.securemeinc.com. Under advanced options, a subtitle of "This is the internal web portal for SecureMe Inc. employees" is added with a thumbnail of the...

Content Rewriting

The previous section described URL mangling, which is an important technique in the process by which SSL VPN users access corporate resources using the clientless web access mode. The second important technique is content rewriting. As a reverse proxy server, the SSL VPN gateway fetches web-based content from an internal web server and performs content rewriting. The main goal of the content rewriting is to change the URL references and Java socket calls so that all users' requests point to the...

Customized Login Page and User Connection Profile

After customizing the login page, the next logical step is to display it to the users who are logging in. You have two ways to display the login page to the user: DefaultWEBVPNGroup connection profile: If you want your customized login page to be displayed to all users who access the security appliance using its FQDN (fully qualified domain name) or the IP address, apply the customized object under the DefaultWEBVPNGroup connection profile by choosing Configuration > Remote Access VPN >...

Defining Cache Cleaner Policies

As discussed earlier in this chapter, Cache Cleaner securely removes local browser data such as web pages, history information, and cached user credentials. When Cache Cleaner is launched on a client computer, it closes any existing browser windows and initiates the Cache Cleaner process. It monitors browser data, and when the user logs out of the SSL VPN session, it closes the browser and cleans the cache associated with the SSL VPN session. Cache Cleaner can be configured under Cache Cleaner...

Defining Policies for the Mac and Linux Cache Cleaner

As mentioned earlier in the chapter, Cache Cleaner is supported not only on Windows operating systems but also on Linux and Mac OS X systems. Additionally, you can define a limited VPN feature policy for these clients. Table 6-8 lists the available features that you can implement for Mac- and Linux-based computers. Figure 6-43 Defining Windows CE Policies ...

Defining Prelogin Policies

In the supported Windows, OS X, and Linux-based operating systems, you can define the potential locations where the client computers might be connecting from. For example, if your users connect from the office network, home office network, and even Internet cafés, you can define a location for each setup and give appropriate access to your users. For users connecting from the office network, you classify those hosts as fairly secure and allow a less restrictive environment. For users connecting...

Defining Secure Desktop General Attributes

In CSD, you can set up general attributes that are applied to all SSL VPN sessions within a predefined location. For example, to allow users to switch between Secure Desktop and the local desktop, you can enable that feature here. The supported Secure Desktop general attributes include: Enable switching between Secure Desktop and Local Desktop: With this option enabled, the user has an option to switch back and forth between Secure Desktop and Local Desktop. In many cases, when an application is...

Device View

As its name implies, device view provides a device-centric view of your SSL VPN network. Figure 7-1 shows the layout of a device view. Figure 7-1 Cisco Security Manager Device View Three main areas are in the device view. The upper-left area lists all the devices and device groups. The lower-left area shows the common policies based on the device selected. The right area is the policy content work area. The devices can be imported into CSM in...

DNS and WINS Assignment

For the AnyConnect VPN Clients, you can assign DNS and WINS server IP addresses so that they can browse and access internal sites after their SSL tunnel is established. You can configure these attributes by choosing Configuration > Remote Access VPN > Network (Client) Access > Group Policies > SSLVPNGroup > Edit > Servers. To add multiple DNS or WINS servers, use a comma (,) to separate the entries. In Figure 5-43, the primary DNS server is defined as 192.168.1.10 and the secondary...

Endpoint Security Posture Assessment and Validation

A thorough preconnect security assessment is necessary. As discussed earlier, this helps prevent viruses, worms, and Trojan horses from spreading into the internal network and helps administrators make intelligent decisions on what access privilege to grant to the VPN users based on the endpoint security posture. The preconnect security posture validation can include the following aspects: Location checking: Using information such as IP address, Windows registries, or even PC screen banners, the...

Information Area

The information area shows any text and image that you want to display on the logon page. You can specify whether you want to display the information area to the left or the right side of the logon form. The Cisco ASA administrator can choose to enable or disable this element under the Information Panel option. In Figure 5-15, the information panel is disabled by the administrator. Figure 5-15 Logon Page Information Area Customization...

Initial Connectivity Issues

If you are using AnyConnect VPN Client in your environment and a user is having initial connectivity issues, enable debug webvpn svc on the security appliance and analyze the debug messages. Most of the configuration-specific issues can be easily fixed by looking at the error messages. For example, if your security appliance is not configured to assign an IP address, you will receive a No Assigned Address error message in the debugs. This is highlighted in Example 5-14. Example 5-14 debug...

Initial SSL VPN Configuration

The configuration of SSL VPN can be accomplished in five steps. Figure 6-2 is used throughout this section to demonstrate how to set up a Cisco IOS router. As shown in this figure, the IOS router is set up to accept the SSL VPN connections from the hosts on the Internet. There are several servers on the private network of the router. Table 6-3 describes the servers used in this setup. Table 6-3 Description and Location of Servers Resolves NetBIOS...

Internet Browser Settings

As discussed in the previous section, CSD is installed on the client computer through ActiveX, Java, or an executable file. You must configure the appropriate security settings in your Internet browser to allow those functions. For example, in Internet Explorer, use the guidelines discussed in Table 5-7. These settings are configured by choosing Tools > Internet Options > Security tab > Internet > Custom Level. ActiveX controls and plug-ins > Download signed ActiveX controls ActiveX...

Introduction to Remote Access VPN Technologies

Since the advent of the Internet, network administrators have looked for ways to leverage this low-cost, widespread medium to transport data while protecting data integrity and confidentiality. They looked for ways to protect the information within the data packets while providing transparency to the end user. This spawned the concept of Virtual Private Networks (VPN). Subsequently, the Internet Engineering Task Force (IETF) was engaged to craft standard protocols and procedures to be used by...

Issues with CIFS

You can provide CIFS services to the clientless users so that they can access their shared resources on the Windows file servers. If the clientless SSL VPN users have issues with multiple logons when they try to access the servers, you can configure a single sign-on and see whether that resolves the issue. If users have issues connecting to the servers or have issues accessing their shared folders or files, you can try to access them by entering the server name and share through the bar inside the...

Loading SDM (Recommended)

Cisco Security Device Manager (SDM) provides an easy-to-navigate and simple graphical user interface (GUI) to set up and manage different features that a Cisco IOS router provides. It is bundled with a variety of administration, configuration, and monitoring tools to check the health of the device and the traffic traversing through it. Although setting up SDM is optional, you should use SDM in configuring the SSL VPN functionality in Cisco IOS routers. NOTE SSL VPN is a relatively new feature...

Man-in-the-Middle Attacks

There have been known man-in-the-middle (MITM) attacks against the SSL protocol, and this is how they can work. The attacker first launches an Address Resolution Protocol (ARP) spoofing attack or Domain Name System (DNS) spoofing attack against the SSL VPN user. The success of the attack will redirect the SSL traffic to the attack host that is configured with SSL proxy software. The attack host then acts as the destination web server by establishing an SSL connection with the user on one side and another...

Message Authentication Code

Message authentication code (MAC) is a cryptographic checksum that is used to ensure the integrity of the message during transmission. To generate a MAC, you can use either an encryption algorithm, such as Data Encryption Standard (DES), or a hashing algorithm. Hashing is generally much faster than encryption algorithms, so the hash-based MAC (HMAC) is the most popular way. HMAC is a keyed hash function. Here is how it works: To generate an HMAC of a message M, you need to pick two system...

Monitoring and Troubleshooting SSL VPN

The following sections discuss the monitoring and troubleshooting steps that are available to help you in running the SSL VPN solution smoothly on a security appliance. To monitor the WebVPN sessions, first check how many active SSL VPN tunnels are established on the security appliance. You can do this by choosing Monitoring > VPN > VPN Statistics > Sessions. The security appliance shows you all the active VPN sessions, including the clientless and full tunnel client connections. As shown...

Not All Resource Access Methods Are Equal

As mentioned in Chapter 2, SSL VPN Technology, SSL VPN employs a variety of techniques, each of which has its unique characteristics in terms of user experience, user privilege requirements, and levels of access to the network resources. This is one of the major differences between SSL VPN and traditional remote access solutions, such as IPsec-based remote access VPN. When you design an SSL VPN network, it is important to understand that not all access methods are equal and different access...

Remote Access Technologies

Organizations are constantly under pressure to reduce costs by leveraging newer technology in their existing network infrastructure. With the growth of the Internet and greater focus on globalization, organizations are required to provide their employees with 24/7 access to organizational resources. The increasing number of mobile workers and telecommuters is a major factor in the exponential growth of remote access technologies. These users require the traditional LAN-based applications, such...

S

AAA servers, 67 design considerations, 81 SCEP (Simple Certificate Enrollment Protocol), 230 context configuration, 240 gateway configuration, 238 loading, 232-234 website, 233 Secure ACS Configuration Guide website, 331 Secure Desktop, 165 attributes, defining, 176-178, 292-293 AnyConnect client with CSD and external authentication deployment, 207 loading CSD package, 169-170 policies, assigning, 174 prelogin sequences, 170 Cache Cleaner policies, 180-181 host emulators, 175-176 keystroke...

Selecting Endpoint Attributes

After defining the AAA attributes, you can optionally select the endpoint attributes. These attributes are collected by a number of sources, including Host Scans (basic, Endpoint, or Advanced Endpoint), Secure Desktop, and NAC. The AAA attributes are validated during user authentication, whereas the endpoint attributes are collected by the security appliance prior to user authentication. Table 5-11 presents all the available attributes that you can select and configure under endpoint...

Setting Up the Appliance

When the ASDM file is accessed, the Cisco ASA loads the first ASDM image that it finds from the local flash. If multiple ASDM images exist in the flash, use the asdm image command and specify the location of the ASDM image you want to load. This ensures that the appliance always loads the specified image when ASDM is launched. In Example 5-9, the appliance is set up to use asdm-603.bin as the ASDM image file. Example 5-9 Specifying the ASDM Location Chicago(config)# asdm image disk0:/asdm-603.bin...

Single Sign-On

Optionally, you can add a single sign-on (SSO) server to ensure that clientless users do not get prompted again to enter their user credentials if they try to access Windows-based shares. In SSO, the security appliance acts as a proxy between the clientless SSL VPN user and the authentication server. The security appliance uses the user's cached credentials (an authentication cookie) when the user tries to access secure websites or shares within the private network. If you use NT LAN Manager (NTLM)...

Split Tunneling

After the tunnel is up, the default behavior of the Cisco AnyConnect VPN Client is to encrypt traffic destined to all IP addresses. This means that if an SSL VPN user wants to browse to http://www.cisco.com over the Internet, as illustrated in Figure 5-41, the packets will get encrypted and be sent to Cisco ASA. After decrypting them, the security appliance will look at its routing table and forward the packet to the appropriate next-hop IP address in clear text. These steps are reversed when...

SSL Connection Setup

This section looks at the messages and operations necessary to establish an SSL connection. Using a simple-mode SSL negotiation as an example should help you understand how the different pieces discussed so far (cryptographic algorithms and SSL protocols) work together to bring up an SSL connection. Because you are mainly an SSL VPN user rather than an implementer, the focus is on explaining the big picture, not the implementation details. Handshake protocols are used for the SSL client and...

SSL VPN Licenses on Cisco ASA

Unlike IPsec, the SSL VPN capability in the security appliance is not included free of charge in the base system price. If you want to enable SSL VPN on a security appliance, you must purchase appropriate licenses. The base security appliance includes two SSL VPN users by default for evaluation, lab testing, and remote management purposes. Anything beyond that requires you to buy a separate SSL VPN license. For example, if your environment will have 75 SSL VPN users, you can buy the SSL VPN...

SSL VPN Licenses on Cisco IOS Routers

Just as with Cisco ASAs, you need to purchase licenses to enable SSL VPN on a Cisco IOS router. Before you implement SSL VPN on an IOS router, or in a cluster of IOS routers, you need to determine the size of SSL VPN deployment, especially the number of concurrent users of this service. For example, if one IOS router is not enough to support the required number of users, you must consider traditional load balancers or server-clustering schemes to accommodate all potential remote users. SSL VPN...

SSL VPN Prerequisites

You must meet a number of prerequisites before you can start implementing an SSL VPN in your enterprise. They are discussed in the following sections. The SSL VPN functionality on the ASAs requires that you have appropriate licenses. For example, if your environment is going to have 75 SSL VPN users, you can buy the SSL VPN license that can accommodate up to 100 potential users. Table 5-2 lists the available licenses and their respective part numbers. Note that an SSL VPN license file for ten...

SSL VPN Tunnel Client

Traditional clientless web access and port-forwarding access do not satisfy the needs of power users and telecommuters who run VPNs on corporate-owned machines and like to have full access to the corporate resources. The IPsec VPN is a better fit to provide full network-layer access to the VPN users. Organizations that already have a remote access IPsec VPN can use the existing VPN solution to provide network-layer access and clientless SSL VPN for application-level VPN access. Today, most SSL...

Step 1: Define Clientless Connections

The first step in achieving the listed goals is to set up clientless connections for remote contractors as follows: 1. Define bookmarks for the internal servers (web and CIFS) by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add. Specify a bookmark list name called Contractors-List and then click Add to specify a bookmark title of Internal-Web. Select http under the URL Value drop-down menu, and configure a URL value of http...

Step 1: Loading the AnyConnect Package

Before you define configuration policies for the AnyConnect VPN Client in an IOS router, you have to load the client package in the local flash. You can verify it by issuing the show flash or dir command and looking for the svc.pkg file. Using SDM, you can choose Configure > VPN > SSL VPN > Packages and check whether the Cisco AnyConnect VPN Client software is installed. SDM allows you to: Download the latest version of AnyConnect Client if you do not already have it. It connects to...

Step 1: Set Up CSD

The first step in achieving the listed goals is to create a secure environment for remote users. This is achieved by following these steps: 1. Choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup, click Browse Flash to select the CSD file you want to use, and select Enable Secure Desktop. 2. Choose Configuration > Remote Access VPN > Secure Desktop Manager > Windows Location Setting and define a prelogin sequence based on registry key and IP address range. Create a...

Step 2: Configuring DAP

SecureMe wants to apply policy enforcement through DAP. The next step is to configure DAP by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies. 1. Create a new DAP record by clicking Add and specifying the record name of Contractors-DAP. Under AAA attribute selection criteria, click Add and select RADIUS as the AAA Attribute Type. Under Attribute ID, specify 25 and select Value equal to Contractors. Insert another AAA attribute type of Cisco...

Step 2: Setting Up an SSL VPN Context

After setting up the SSL VPN gateway, you must define an SSL VPN context. The actual user sessions are established to the SSL VPN context using the IP address definition of the SSL VPN gateway. Additionally, you can apply all the policies to limit a user or a group of users. An authentication server that is mapped to the context performs the actual user authentication here. After a user is authenticated, any configured policies are applied to the user's session. Step 4 discusses user and group...

Step 3: Configuring SSL VPN Look and Feel

Figure 6-5 shows the default SSL VPN page when a connection is made to the IOS router from a web browser. The title of the page is SSLVPN Service, and the Cisco Systems logo is displayed in the upper-left corner of the web page. The initial page prompts the user for user authentication credentials. The default login message is Welcome to Cisco Systems SSLVPN Service. You can customize the initial SSL VPN login page based on the security policies of your organization. Cisco IOS routers also...

Step 3: Define Clientless Connections

The last step in achieving the listed goals is to set up clientless connections for remote contractors as follows: 1. Choose Configure > VPN > SSL VPN > SSL VPN Gateways > Add to create a gateway. Specify a gateway name of SecureMeGW, enable this gateway, and configure 209.165.200.225 as the IP address of this gateway. Select a digital gateway if one is already installed. If you prefer to use a self-signed certificate, select a certificate from the Trustpoint drop-down menu. Click OK when...

Step 3: Defining Policies for Windows-Based Clients

After successfully logging in to Secure Desktop Manager, you can define policies that the SSL VPN users must adhere to. If the client's computer matches a certain profile, the client is given access based on the configured policies on the profile. The following sections walk you through the configuration of Secure Desktop Manager in defining the profiles and the respective policies for the SSL VPN users. The following topics are presented: Identifying keystroke loggers; Defining Secure Desktop...

Step 3: Obtaining an Identity Certificate

After the CA certificate is obtained from the CA server, use the crypto ca enroll command followed by the trustpoint name to generate an identity certificate request to the server. Example 5-5 demonstrates how to generate the certificate request. Example 5-5 Generating the ID Certificate Request Chicago(config)# crypto ca enroll SecureMeTrustPoint The fully-qualified domain name in the certificate will be: Chicago.securemeinc.com Include the device serial number in the subject name? [yes/no]: no...

Step 4: Configuring SSL VPN Group Policies

A group policy is a set of common parameters that an SSL VPN user inherits during tunnel negotiations. You can define multiple group policies in a context; however, only one group policy can be designated as the default policy, and only one group policy can be applied to a user. If you need to satisfy requirements for different sets of users, you can define multiple group policies to meet those requirements. You can leverage a RADIUS server to pass the group policy when the user authentication...

Traffic-Specific Issues

If you are able to connect but fail to successfully send traffic over the SSL VPN tunnel, look at the traffic statistics on the client to verify that traffic is being received and transmitted by the client. As illustrated in Figure 5-67, the client has encrypted 1146682 bytes and decrypted 1296849 bytes. Therefore, as far as the client is concerned, it is transmitting and receiving traffic. Next, check the security appliance for received and transmitted traffic, as shown in Figure 5-68. If the...

Use of Common Objects for Multidevice Management

We just discussed how to define an SSL VPN policy template and then share it among multiple devices. One question you might have asked by now is this: What about device-dependent attributes, such as interface names and VPN IP pool ranges? These attributes are different from device to device. For example, in a generic SSL VPN policy, the SSL VPN policy template assigns IP addresses to tunnel client users from an IP pool named sslvpn-ip-pool. However, when it comes to each individual device that...

Warning and Disclaimer

This book is designed to provide information about the Secure Socket Layer (SSL) Virtual Private Network (VPN) technology on Cisco products. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an as is basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information...

Windows File Sharing

Cisco IOS routers support network file sharing through Common Internet File System (CIFS). Using CIFS, users can access their file shares located on the file servers, as illustrated in Figure 6-15. Users can download, upload, delete, or rename the files under the shared directories, but only if the file system permissions allow them to perform those actions. Figure 6-15 CIFS Browsing on the IOS SSL VPN Gateway...

Workflow Control

The CSM comes with the following two modes. The workflow mode: the workflow mode is for organizations that have a division of responsibility between administrators who can define the security policies and those who administer them. Figure 7-10 shows an example. The security operation group defines the policy. The policy is then approved by the approver. The network operation group then deploys the policy to the security devices. Figure 7-10 Example of a Security Policy Provisioning Cycle...

Full Customization of a Logon Page

The default logon page is shown in Figure 5-11. If instead you would rather have a customized logon page as illustrated in Figure 5-22, follow these steps. Step 1 Begin with your own logon page. If you already have HTML code, you can leverage it to define the logon customization. In the following example, simple code is developed to design the logon page. You can see that we have left space after "Please log in using your user credentials." This is where we will insert the code for the user...

Monitoring an SSL VPN in Cisco IOS

This section discusses the monitoring steps that are available to help you run the SSL VPN solution smoothly on the IOS router. To monitor SSL VPN sessions, the first step is to check how many active SSL VPN tunnels are established on the IOS router. You can achieve this by choosing Monitor > VPN Status > SSL VPN (All Contexts) > SecureMeContext > Users. The Cisco IOS router shows you all the active VPN sessions for the SecureMeContext context. As shown in Figure 6-47, an active...

Step 1: Setting Up an SSL VPN Gateway

In SSL VPNs, the Cisco IOS router acts as a proxy between the SSL-enabled VPN client and the resources on the private network. Before an SSL VPN tunnel can be established, you need to allocate a public IP address or host name to terminate the VPN sessions. The VPN users point their browser to this configured IP address or host name and start the SSL negotiation process. An IOS SSL VPN gateway can be configured by issuing the webvpn gateway command followed by a gateway name. This gateway only...

Enrolling Digital Certificates (Recommended)

Enrollment is the process of obtaining a certificate from a certificate authority (CA). Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name on a Cisco IOS router. Example 6-5 demonstrates how to configure a domain name of securemeinc.com and how to generate an RSA key pair with a 1024-bit modulus. Example 6-5 Generating the RSA Key Pair Chicago(config)...

Public Key Infrastructure: Digital Certificates and Certification

The preceding section showed how you can use digital signatures to achieve important security requirements, such as entity authentication, nonrepudiation, and data origin authentication. You might have noticed that one piece is still missing in the picture. To verify the digital signature, you need to have the sender's public key. This public key should be distributed not only to the public in a scalable way but also be trusted as the true public key of the sender. (For example, Bob can post...

Case Study: SSL Connection Setup

This section examines the setup of an SSL connection as a case study of the workings and implementations of the concepts we have discussed so far. The section examines the communications at both the SSL session level and the lower TCP/IP packet level using tools such as ssldump and ethereal. The SSL connection used in this case study is fairly simple. A user at IP address 10.1.1.200 browses to a website at IP address 66.94.230.34 using HTTPS, views the page, and then closes the connection. First,...

L2TP over IPsec

Organizations that prefer to use a built-in remote access client in the Windows-based operating systems can use L2TP. However, L2TP fails to provide strong data confidentiality. Therefore, most of the L2TP implementations use IPsec to provide data security. This methodology is commonly referred to as L2TP over IPsec and is documented in RFC 3139. In an L2TP over IPsec implementation, the client workstation and the home gateway device go through seven steps, as depicted in Figure 1-6 and...

Reverse Proxy Technology

HTTPS provides secure web communication between a browser and a web server that supports the HTTPS protocol. SSL VPN extends this model to allow VPN users to access corporate internal web applications and other corporate application servers that might or might not support HTTPS, or even HTTP. SSL VPN does this by using several techniques that are collectively called reverse proxy technology. A reverse proxy is a proxy server that resides in front of the application servers, normally web...

Setting Up User Authentication

Cisco ASA supports a number of authentication servers, such as RADIUS, NT domain, Kerberos, SDI, LDAP, digital certificates, smart cards, and local databases. For small organizations, a local database can be set up for user authentication. For medium to large SSL VPN deployments, it is highly recommended that you use an external authentication server, such as RADIUS or Kerberos, as the user authentication database. If you are deploying the SSL VPN feature for a few users, you can use the local...

Accessing ASDM

ASDM's interface can be accessed from any workstation whose IP address is in the trusted network list. Before you establish the secure connection to the appliance, verify that IP connectivity exists between the workstation and the Cisco ASA. To establish an SSL connection, launch a browser and point the URL to the IP address of the appliance. In Figure 5-1, the administrator is accessing ASDM by entering https://192.168.1.1/admin as the URL. The URL is redirected to https://192.168.1.1/admin/public...

Setting Up Basic Host Scan

To configure CSD to scan a remote computer for basic information, click Add under Basic Host Scan and select the type of basic scan you would like to configure. As mentioned in the previous section, a basic Host Scan can identify registry keys, active processes, and files located on the remote workstation. For example, if you want CSD to scan a registry key from the workstation and based on that information you want to apply appropriate action by DAP, add Registry Scan under Basic Host Scan....

Step 2: Defining AnyConnect VPN Client Attributes

After loading the AnyConnect package in the router's configuration, SDM allows you to define the client parameters. Before an AnyConnect VPN Client is functional, you have to configure the following attributes: defining a pool of addresses and creating a Layer 3 interface. Optionally, you can define other attributes to enhance the functionality of the SSL VPN configuration. They include Keep SSL VPN client installed. The sections that follow define these options. The Cisco IOS router allows you to...

Port Forwarding Technology

Clientless web access supports only a small set of corporate business applications that already have a web interface or can be easily webified. To be a complete remote access VPN solution, SSL VPN-based solutions need to be able to support other types of applications. The port-forwarding client solves part of the problems. The SSL VPN port-forwarding client is a client-side agent that intercepts specific application traffic and redirects the traffic to the SSL VPN gateway through the...

Full Customization of a User Portal Page

If you want to customize the user web portal, you can use the following steps to provide full customization. These steps are similar to the steps described for the logon page customization. The default user web portal is shown in Figure 5-23. Figure 5-23 Default User Web Portal Page Step 1 Choose Configuration > Remote Access VPN >...

Selecting an AAA Attribute

Because DAP complements the AAA process, the security appliance can select DAP records based on AAA authorization attributes that it receives from the following stores. Table 5-10 defines the attributes that you can select within ASDM: the group names that the authenticated user is a member of; the group name value that is passed through the class attribute; and the tunnel group name that the user connects to. NOTE: You can leverage the advanced...

Configuring Web-Type ACLs

Cisco ASA enables network administrators to further their clientless SSL VPN security by configuring web-type access control lists (ACLs) to manage access to web, Telnet, SSH, Citrix, FTP, file, e-mail servers, or all types of traffic. These ACLs affect only the clientless SSL VPN traffic and are processed in sequential order until a match is found. If an ACL is defined but no match exists, the default behavior on the security appliance is to drop the packets. On the other hand, if no web-type ACL...

Configuring Application ACL

Network administrators can restrict their clientless SSL VPN users to access certain application servers by configuring the application access control lists (ACLs). They can filter traffic such as Hypertext Transfer Protocol (HTTP), HTTPS, FTP, and Common Internet File System (CIFS), to name a few. These ACLs affect only the clientless SSL VPN traffic. An application ACL is configured by choosing Configure > VPN > SSL VPN > Edit SSL VPN > SecureMeContext > Edit > App ACL. Click Add, specify...

Configuring Clientless SSL VPNs

As mentioned in Chapter 3, SSL VPN Design Considerations, Chapter 4, Cisco SSL VPN Family of Products, and Chapter 5, SSL VPNs on Cisco ASA, remote users can use SSL VPNs to browse their internal websites and Outlook Web Access. A Cisco IOS router terminates the HTTPS connections on its public interface and then forwards the HTTP or HTTPS requests to the internal web server. The response from the web server is then encapsulated into HTTPS and forwarded to the client. This feature uses only an...