
AAA Server Scalability and High Availability

The scalability and availability of the AAA server directly affect the availability of your VPN network and the user experience. For a small- to medium-sized VPN network, it is relatively easy to address this design issue. Because the number of VPN users is relatively small, the scalability of the AAA server is less of an issue. Also, because a small to medium deployment normally does not have dispersed Internet VPN access, the AAA servers normally reside on a local network, and network delay...

Access Method

On the Access Method tab, you can specify an access method for a DAP record. The supported access methods include AnyConnect Client, Web-Portal, Both-Default-Web-Portal, Both-Default-AnyConnect Client, and Unchanged. For example, if users match a DAP record but you do not want to give them AnyConnect Client functionality, select the Web-Portal option for that particular DAP record. If you select either Both-Default-Web-Portal or Both-Default-AnyConnect Client, users who match the DAP record...

Acknowledgments

We would like to thank the technical editors, Pete Davis and David Garneau, for their time and technical expertise. They verified our work and provided recommendations on how to improve the quality of this manuscript. We would also like to thank Vincent Shan, Andy Qin, James Fu, and Awair Waheed from the Cisco Security Technical Group for their help and guidance. We also recognize Saddat Malik for providing content source for several figures in Chapter 2. Special thanks go to Scott Enicke and...

Advanced Endpoint Assessment

Advanced Endpoint Assessment is a licensed feature that allows you to update noncompliant computers to meet the requirements of an enterprise's security policy. For example, with Advanced Endpoint Assessment, if a remote user logs in to a security appliance that is running an older version of an antivirus definition, this feature can attempt to update the definition on the remote workstation. The Advanced Endpoint Assessment is independent of the basic Host Scan and Endpoint Assessment, which...

AES

To replace the aging DES standard, the National Institute of Standards and Technology (NIST) called for the submission of an Advanced Encryption Standard (AES) in 1997. Out of several candidates such as MARS, Twofish, Serpent, Rijndael, and RC6, Rijndael was chosen as the final standard. AES is also a block cipher; it works on a 128-bit data block and supports key sizes of 128, 192, and 256 bits. More information on AES can be found at http://en.wikipedia.org/wiki/Advanced_Encryption_Standard. As a...

AnyConnect Client and External Authentication

SecureMe has recently learned about the full network connectivity method that is offered by the Cisco IOS router through SSL VPN. The company wants to use this feature for its regular employees so that they can work from home and have full access to the internal network. Figure 6-46 shows SecureMe's network topology for AnyConnect Client. Figure 6-46 SecureMe's SSL VPN for AnyConnect Clients. SecureMe's security requirements are as follows...

AnyConnect Client with CSD and External Authentication

SecureMe has recently learned about the SSL VPN functionality in Cisco ASA and wants to deploy it for a number of remote employees in New York. These employees need full access to the internal network without restriction to complete their tasks if they meet criteria defined by the administrator. Figure 5-65 shows SecureMe's network topology for AnyConnect Client. Figure 5-65 SecureMe's SSL VPN for AnyConnect Clients. The security requirements...

AnyConnect SSL VPN Client

During the early development period of SSL VPNs, network administrators needed a VPN client that had benefits similar to those of an IPsec remote access VPN client but required less administrative overhead for installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. Cisco first introduced the SSL VPN Client (SVC), a self-downloading, self-installing, self-configuring, and self-uninstalling VPN client. In Release...

AnyConnect VPN Client Configuration Guide

During the early development period of SSL VPNs, network administrators needed a VPN client that had benefits similar to those of an IPsec remote access VPN client but required less administrative overhead than installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. In the pre-version 8.0 releases, Cisco provided the SSL VPN Client (SVC). This is a self-downloading, self-installing, self-configuring, and self-uninstalling VPN...

Application Data

After the handshake phase, the application can begin to communicate under the protection of the newly established secure SSL connection. The record protocol is responsible for fragmenting, compressing, hashing, and encrypting all the application data at the sending side, as well as decrypting, verifying, decompressing, and reassembling messages at the receiving end. Figure 2-9 shows the SSL record layer operation. Figure 2-9 SSL/TLS Record Protocol Operation...

Applying Secure Desktop Restrictions

In addition to the global parameters that can be configured (discussed in the preceding section), you can apply certain restrictions to Secure Desktop to further enhance the level of security for SSL VPN sessions. These restrictions are defined in Secure Desktop Settings under a predefined location. These restrictions include the following: Restrict application usage to the web browser only, with the following exceptions. With this option, you allow users only to launch multiple windows of...

Assigning CSD Policy

When a computer tries to connect to the security appliance, CSD matches it to one of the predefined locations. For each location, you can choose to load either Secure Desktop or Cache Cleaner on the workstation. Choose Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin location and select the appropriate option. The option should be selected based on your security policies. For example, if a user is identified as a HomeCorpOwned workstation, you can choose to enable...

Basic Host Scan

Basic Host Scan can be used to identify the following information on a remote computer: operating systems and their respective service packs; specific process names in Windows operating systems; specific filenames in Windows operating systems; and registry keys in Windows operating systems. You can use basic Host Scan to determine whether a remote workstation matches a specific user profile by checking information such as its operating system, registry, files, or even an actively running process. When...


Cache Cleaner

Cache Cleaner securely removes local browser data such as web pages, history information, and cached user credentials when the SSL VPN session is over. Cache Cleaner is supported not only on Windows operating systems but also on Linux and Mac OS X systems. When Cache Cleaner is launched on a client computer, it closes any existing browser windows and initiates the Cache Cleaner process. It monitors the browser data, and when the user logs out of the SSL VPN session, it closes the browser...

Choice of Authentication Servers

You have a wide variety of identity technologies to choose from for authenticating users. The common choices are passwords, RADIUS, TACACS+, one-time password (OTP) systems, public-key infrastructure (PKI), smart cards, and so on. For remote access VPN authentication, a two-factor OTP system provides the strongest security and manageability combination. It is also common for small- to medium-sized companies to leverage existing user directory infrastructure such as Lightweight Directory Access...

Cisco ASA 5500 Series

The Cisco ASA 5500 series Adaptive Security Appliance provides an advanced Adaptive Identification and Mitigation (AIM) architecture and is a key component of the Cisco Self-Defending Network. As mentioned earlier in this chapter, the security appliances integrate firewall, IDS/IPS, and VPN capabilities and provide an all-in-one solution for an organization. Seven Cisco ASA 5500 series models are available in the current Cisco ASA 5500 series product line. They include the following: The Cisco...

Cisco IOS Routers

Cisco Systems introduced the SSL VPN functionality in Cisco IOS Release 12.4(6)T for Cisco IOS routers. Small- to medium-sized enterprises are perfectly positioned to use IOS SSL VPN to extend a remote access VPN solution to their employees and partners. Using a Cisco IOS router as an SSL VPN gateway, customers can deploy a single-box device to meet their routing, voice, wireless, firewall, IPS/IDS, and remote access VPN requirements. Seven Cisco IOS router product series support SSL VPN. They...

Cisco Secure ACS Integration Mode

The Cisco Secure ACS integration mode provides more granular administrative permission controls than the native mode. The two main areas are as follows: Application-specific roles. Cisco Secure ACS allows you to define customized roles that have granular permission down to the policy and object level. For example, you can define an administrative role that is authorized only to view and modify SSL VPN policies, but not other security policies, such as firewall policies or IPS policies. Figure...

Cisco Secure Desktop

Cisco Secure Desktop (CSD) provides a secure desktop environment to remote users after validating a number of security parameters on the client workstation. The purpose of CSD is to minimize the risk posed by the remote workstations by collecting necessary information from them. If the received information matches the preconfigured criteria, the security appliance can create a secure environment and optionally apply certain policies to and restrictions on the user session. When the user session...

Cisco SSL VPN Family of Products

Cisco Systems first introduced the Secure Socket Layer (SSL) Virtual Private Network (VPN) functionality in its VPN 3000 concentrator product line. The first phase of SSL VPN functionality included the clientless and thin-client modes of connectivity. In the later software images, Cisco introduced the full-tunnel client mode functionality along with a number of SSL VPN-specific security features to provide a complete SSL VPN solution. In mid-2005, Cisco introduced the 5500 series Adaptive...

Client Operating System and Browser and Software Requirements

The SSL VPN functionality on Cisco security appliances is supported on a number of client operating systems and on a number of browsers. The supported platforms are discussed next. Compatible browser: You must use an SSL-enabled browser such as Microsoft Internet Explorer, Firefox, Opera, Safari, Mozilla, Netscape, or Pocket Internet Explorer (PIE). Table 5-3 provides a list of operating systems and the supported Internet browsers. Table 5-3 Supported Operating Systems and Internet Browsers...

Clientless Connections with CSD

SecureMe wants to deploy an SSL VPN solution for a group of contractors that access some resources from their laptops. These contractors use a terminal server as well as a web server for browsing, and a Windows file server to save and retrieve their documents. All contractors use Windows-based operating systems on their workstations. SecureMe prefers to create a secure environment before SSL VPN sessions are allowed. Figure 6-45 shows SecureMe's proposed network topology for clientless...

Clientless Connections with DAP

After successfully implementing the AnyConnect functionality on the security appliance, SecureMe has now decided to provide clientless functionality to a group of mobile contractors. These contractors use a web server for browsing, a terminal server, and a Windows file server to save and retrieve their documents. Figure 5-66 shows SecureMe's proposed network topology for clientless connections. Figure 5-66 SecureMe's Clientless Connection Topology with DAP (192.168.1.0/24). The security...

Clientless SSL VPN Configuration Guide

The SSL VPN functionality on Cisco ASA is the most robust in the industry. The following sections focus on the clientless users who want to access internal corporate resources but do not have an SSL VPN client loaded on their workstations. These users typically access protected resources from shared workstations or even from hotels or Internet cafés. The clientless configuration on Cisco ASA can be broken down into the following subsections: Enable SSL VPN on an interface; Configure SSL VPN...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows: Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command). Italics indicate arguments for which you supply actual values. Vertical bars...

Configure AnyConnect SSL VPN Properties

The last step necessary to meet the listed requirements is to configure AnyConnect VPN Client on the router for remote users. This deployment scenario assumes that an SSL VPN gateway and context were not defined earlier and creates new ones. Follow these guidelines to achieve the goals. 4. Under IP Address Pool from Which Clients Will Be Assigned an IP Address, click the option and select Create a new IP Pool. Under Pool Name, specify SSLVPNPool, and then click Add to define a range of IP...

Configuring a Tunnel Group

A tunnel group can be configured by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles. Click Add to add a new tunnel group. As shown in Figure 5-5, a tunnel group called SecureMeClientlessTunnel has been added. After defining a tunnel group name, you can bind a user group-policy to a tunnel group. Once a user is connected, the attributes and policies defined under the group-policy will be applied to the user. A user group-policy of...

Configuring Antispyware Host Scan

To set up the security appliance to scan the remote workstation for antispyware, click Add under AntiSpyware. You can check remote workstations for antispyware compliance and update noncompliant computers. A new window opens with a list of all supported antispyware vendors and their respective products. Select the antispyware vendor and product that you use in your environment from the list and click OK when finished. Similar to the antivirus scan option, you can also force the remote...

Configuring Antivirus Host Scan

To check remote workstations for antivirus compliance and to update noncompliant computers, click Add under Antivirus. A new window opens with a list of all the supported antivirus vendors and their antivirus products. Select the antivirus vendor and product that you use in your environment from the list and click OK when finished. You can enable a couple of options, if your antivirus application supports them. They include the following: Force File System Protection. To make sure that the remote...

Configuring Bookmarks

Using a clientless SSL VPN, remote users can browse their internal websites, file server shares, and Outlook Web Access (OWA) servers. Cisco ASA achieves this functionality by terminating the SSL tunnels on its outside interface and then rewriting the content before sending it to the internal server. For example, if a user tries to access an internal website, the user's HTTPS connection is terminated to the outside interface. The ASA then forwards the HTTP or HTTPS request to the internal web...

Configuring Client-Server Plug-Ins

For known applications, such as VNC, Remote Desktop, Telnet, and SSH, you can allow the clientless SSL VPN users to connect to the protected network using the supported applications. This way, when a clientless SSL VPN user is authenticated, the user can choose to launch an application plug-in such as VNC and connect to an internal server running the VNC application. Cisco provides the client-server plug-ins for VNC, Remote Desktop, and SSH/Telnet. These plug-ins can be downloaded from the...

Configuring DAP

When a user tries to establish a connection, DAP can analyze the posture assessment result of a remote host and apply access policies that are dynamically generated. DAP can evaluate AAA attributes (RADIUS, LDAP, and Cisco-specific attributes) and endpoint attributes (such as host scan results and prelogin locations) before an action or a series of actions is applied to a user session. It is designed to complement the authentication, authorization, and accounting (AAA) services by aggregating the...

Configuring DTLS

Datagram Transport Layer Security (DTLS), defined in RFC 4347, provides security and privacy for UDP packets. This allows UDP-based applications to send and receive traffic in a secure fashion without worrying about packet tampering and message forgery. Thus, applications that want to avoid the delays associated with TCP but still want to communicate securely can use DTLS. Cisco AnyConnect Client supports both SSL and DTLS transport protocols. If DTLS is enabled...

Configuring File Servers

In addition to the web servers, you can also define a bookmark list of the file servers that the clientless users can access. Cisco ASA supports network file sharing using the Common Internet File System (CIFS), a file system that uses the original IBM and Microsoft networking protocols. Through CIFS, users can access their file shares located on the file servers. Users can download, upload, delete, or rename the files under the shared directories, but only if the file system permissions allow...

Configuring Firewall Host Scan

To check remote workstations for personal firewall compliance, click Add under Personal Firewall. A new window opens with a list of all the supported firewall vendors and their respective products. Select the firewall vendor and product that you use in your environment from the list and click OK when finished. You can also configure a firewall action if your firewall application supports it. This option is useful if you want to make sure that the remote workstation has an active firewall...

Configuring Group Policies

The user group and default group policies are configured by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access or Network (Client) Access > Group Policies. Click Add to add a new group policy. As shown in Figure 5-4, a user group-policy, called ClientlessGroupPolicy, has been added. This group-policy only allows clientless SSL VPN tunnels to be established and strictly rejects all the other tunneling protocols. If you would rather assign attributes to default...

Configuring Port Forwarding

Using port forwarding, the clientless SSL VPN users can access corporate resources over well-known, fixed TCP ports such as those used by Telnet, SSH, Terminal Services, SMTP, and so on. The port-forwarding feature requires you to install Sun Microsystems' Java Runtime Environment (JRE) and configure applications on the end user's PC. If users are establishing the SSL VPN tunnel from public computers, such as Internet kiosks or web cafés, they might not be able to use this feature. The installation of...

Configuring Smart Tunnels

As discussed earlier, port forwarding provides access to applications that use static TCP ports. It modifies the HOSTS file on a host so that traffic can be redirected to a forwarder that encapsulates traffic over the SSL VPN tunnel. Additionally, with port forwarding, the Cisco ASA administrator needs to know what addresses and ports the SSL VPN users will connect to, and the SSL VPN users must have admin rights to modify the HOSTS file. To overcome some of the challenges related to...

Configuring SSL VPN Portal Customization

Figure 5-11 shows the default SSL VPN page when a connection is initiated from a web browser. The title of the page is SSL VPN Service, and the Cisco Systems logo is displayed in the upper-left corner of the web page. The initial page prompts the user for authentication credentials. Figure 5-11 Default SSL VPN Login Page. You can customize the initial SSL VPN login page based on the security policies of your organization. Cisco ASA also allows you to...

Configuring Traffic Filters

In its default firewall role, the Cisco ASA blocks decrypted traffic and protects the trusted network unless the ACLs on the ingress interface explicitly permit the traffic to pass through it. If you trust all your remote AnyConnect VPN Clients, Cisco ASA can be configured to permit all decrypted SSL VPN packets to pass through it without inspecting them against the configured ACL. This is done with the sysopt connection permit-vpn command, as shown in Example 5-11. Example 5-11 Sysopt...

Configuring Websites

After adding a bookmark list, you can add a bookmark entry for each internal web server that you want to make accessible to the clientless users. In Figure 5-26, a bookmark list named InternalServers has been added. Because it is a new list, the administrator has added a bookmark title of InternalWebServer with a URL value of http://intranet.securemeinc.com. Under advanced options, a subtitle of This is the internal web portal for SecureMe Inc. employees is added with a thumbnail of the...

Content Rewriting

The previous section described URL mangling, which is an important technique in the process by which SSL VPN users access corporate resources using the clientless web access mode. The second important technique is content rewriting. As a reverse proxy server, the SSL VPN gateway fetches web-based content from an internal web server and performs content rewriting. The main goal of the content rewriting is to change the URL references and Java socket calls so that all users' requests point to the...

Contents

Introduction; Chapter 1 Introduction to Remote Access VPN Technologies: Remote Access Technologies; IPsec; Software-Based VPN Clients; Hardware-Based VPN Clients; Cryptographic Building Blocks of SSL VPNs; Hashing and Message Integrity Authentication; Hashing; Message Authentication Code; Encryption; RC4; Diffie-Hellman; RSA and DSA; Digital Signatures and Digital Certification; Digital Signatures; Public Key Infrastructure, Digital Certificates, and Certification...

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States, please contact International Sales, international@pearsoned.com.

Cryptographic Building Blocks of SSL VPNs

A VPN carries private traffic over public networks. A secure VPN meets the following basic requirements: Authentication guarantees that the VPN entity communicates with the intended party. The authentication can apply to either a VPN device or a VPN user. For example, in a remote access VPN, the VPN head-end device can authenticate the user PC to make sure that it is indeed the PC that owns the IP address it uses to connect to the concentrator. The concentrator can also authenticate the end...

CSD Architecture

CSD not only checks certain attributes on the client computer to ensure its compliance but also enhances data security by providing an encrypted vault to authorized users. When a user wants to establish an SSL VPN session and CSD is enabled, the client and the gateway go through a number of steps, discussed as follows. These steps are also illustrated in Figure 5-45. Step 1: A user tries to request the SSL VPN login page by pointing his or her browser to the gateway IP address. Step 2: The user...

Customized Login Page and User Connection Profile

After customizing the login page, the next logical step is to display it to the users who are logging in. You have two ways to display the login page to the user: DefaultWEBVPNGroup connection profile. If you want your customized login page to be displayed to all users who access the security appliance using its FQDN (fully qualified domain name) or IP address, apply the customized object under the DefaultWEBVPNGroup connection profile by choosing Configuration > Remote Access VPN >...

Customized Portal Page and User Connection Profile

When a user first connects to the security appliance, the logon portal is presented based on how the SSL VPN connection is established. For example, if a user selects a logon group, after successful user authentication a user portal is shown based on which customization object is mapped to that user connection profile. You have the following three ways to display the customized portal page to a user: Default Login without Group Selection. When a user accesses the login page and authenticates...

DAP Architecture

As mentioned earlier, DAP analyzes the posture assessment result of a host and applies dynamically generated access policies when a user session is established. It is designed to complement the AAA services by aggregating the locally defined attributes with the received attributes from the AAA server. In the case of an authorization attribute conflict, the locally defined attribute is selected. Therefore, it is possible to generate DAP authorization attributes by aggregating multiple DAP...

DAP Sequence of Events

When a user tries to establish an SSL VPN tunnel to the security appliance and DAP is enabled, the following sequence of events occurs: 1. The user negotiates an SSL VPN tunnel and is presented with a login page. 2. The security appliance collects user credentials and passes them to an authentication server. 3. If the user credentials are valid, the user is authenticated and the security appliance receives authorization attributes from the authentication server. 4. The posture assessment process is...

Data Theft

Several types of security threats lead to data theft or password theft: Sensitive data left in a browser's cache. Web browsers cache the various web objects that users downloaded during browsing. This caching helps browsers improve the browsing experience. The browser cache files are physically stored on the user's computer in predefined directories. For example, the Temporary Internet Files folder is used by Internet Explorer. After users finish browsing and leave the computer, the...

Defining a Pool of Addresses

During the SSL VPN tunnel negotiations, an IP address is assigned to the VPN adapter of the AnyConnect VPN Client. The client uses this IP address to access resources on the protected side of the tunnel. Cisco ASA supports three different methods to assign an IP address back to the client. Many organizations prefer assigning an IP address from a local pool of addresses for flexibility. The IP address is assigned by configuring an address pool and then linking the pool to a policy group. You...

Defining Access Policies

After selecting the AAA and the endpoint attributes, the next step is to configure the policies that you want to apply to user sessions that match the attributes. You can configure VPN access attributes for a specific DAP record by using procedures outlined later in this chapter. For example, if a user's AAA and endpoint attributes match a DAP record, you can choose to allow that connection and apply certain ACLs configured into DAP to restrict user traffic. The DAP enforcements take precedence...

Defining AnyConnect VPN Client Attributes

After loading the SVC package in the security appliance's configuration, ASDM allows you to define AnyConnect VPN Client parameters such as the IP address that the client should receive. Before an AnyConnect SSL VPN tunnel is functional, you have to configure the following four required attributes: Enabling AnyConnect VPN Client functionality; Defining a pool of addresses; Configuring traffic filters. Optionally, you can define other attributes to enhance the functionality of the AnyConnect VPN...

Defining Cache Cleaner Policies

As discussed earlier in this chapter, Cache Cleaner securely removes local browser data such as web pages, history information, and cached user credentials. When Cache Cleaner is launched on a client computer, it closes any existing browser windows and initiates the Cache Cleaner process. It monitors browser data, and when the user logs out of the SSL VPN session, it closes the browser and cleans the cache associated with the SSL VPN session. Cache Cleaner can be configured under Cache Cleaner...

Defining Policies for the Mac and Linux Cache Cleaner

As mentioned earlier in the chapter, Cache Cleaner is supported not only on Windows operating systems but also on Linux and Mac OS X systems. Additionally, you can define a limited VPN feature policy for these clients. Table 6-8 lists the available features that you can implement for Mac- and Linux-based computers. Figure 6-43 Defining Windows CE Policies...

Defining Prelogin Policies

In the supported Windows, OS X, and Linux-based operating systems, you can define the potential locations from which the client computers might be connecting. For example, if your users connect from the office network, home office network, and even Internet cafés, you can define a location for each setup and give appropriate access to your users. For users connecting from the office network, you can classify those hosts as fairly secure and allow a less restrictive environment. For users connecting...

Defining Prelogin Sequences

To configure CSD parameters, choose Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin Policy. You can define a prelogin sequence that CSD can use to identify a host and match it to an appropriate profile. If the client's computer matches a certain profile, CSD can either create a Secure Desktop or launch Cache Cleaner. The following sections walk you through the configuration of Secure Desktop Manager in defining the profiles and the respective policies for the SSL VPN...

Defining Secure Desktop General Attributes

In CSD, you can set up general attributes that are applied to all SSL VPN sessions within a predefined location. For example, to allow users to switch between Secure Desktop and the local desktop, you can enable that feature here. The supported Secure Desktop general attributes include: Enable switching between Secure Desktop and Local Desktop. With this option enabled, the user has the option to switch back and forth between Secure Desktop and Local Desktop. In many cases, when an application is...

Deployment Scenarios

The Cisco SSL VPN solution is useful in deployments where remote and home users need access to corporate networks and administrators want to control their access based on a number of attributes. The SSL VPN solution can be deployed in many ways; however, the sections that follow cover two design scenarios for ease of understanding: AnyConnect Client with CSD and external authentication, and clientless connections with DAP. NOTE: The design scenarios discussed in the following sections should be used...

DES and 3DES

Data Encryption Standard (DES) is by far the most widely used symmetric encryption algorithm. DES is a 64-bit block cipher that works on an 8-byte data block. The output cipher block has the same 8-byte length. At the decryption side, the same algorithm is applied in reverse with the same key. Due to the requirement of having parity bits, the effective key strength of DES is 56 bits. To encrypt a message that exceeds the DES block size, the individual cipher blocks are chained using a certain...

Device Placement

SSL VPN appliances are normally placed at the Internet edge of the corporate network. At the Internet edge of the network, other security devices are often deployed to protect the internal network from attacks. This section discusses the device placement issues you should consider when placing the SSL VPN devices among other security services at the edge. For companies that already have an IPsec-based remote access VPN solution deployed, the device placement considerations should also apply to...

Device View

As its name implies, device view provides a device-centric view of your SSL VPN network. Figure 7-1 shows the layout of a device view. Figure 7-1 Cisco Security Manager Device View. The device view has three main areas. The upper-left area lists all the devices and device groups. The lower-left area shows the common policies based on the device selected. The right area is the policy content work area. The devices can be imported into CSM in...

Device View and Policy View

A central SSL VPN management solution manages multiple SSL VPN appliances that normally fall into two categories: a local cluster of SSL VPN appliances, or geographically dispersed SSL VPN appliances at various theaters of a company. In either case, the SSL VPN policy would be very similar among all the SSL VPN appliances in terms of user access privilege policies, users and VPN policy groups, and security policies. The configuration differences are mainly in the network topology-related attributes,...

Diffie Hellman

Published in 1976, Diffie-Hellman (DH) was the first published public-key algorithm. Diffie-Hellman is a key agreement protocol that enables communicating parties to agree on a shared secret without any previously shared secrets. Diffie-Hellman is often used in key exchange and during the establishment phase of a VPN tunnel. The Diffie-Hellman algorithm works as follows: 1. The communicating parties agree on two system parameters, a large prime p and a generator g. These are chosen such that for any...

Digital Signatures

In a secure communication, you must often ensure that a message comes from an authentic sender, not from malicious parties who spoof and claim that they are the intended sender. On the flip side, you might also require that the sender of the message cannot later deny being the source of the message (this is known as nonrepudiation). People sign paper documents and use the signatures as proof of authenticity and nonrepudiation. In the digital world, digital signatures (through digital signing)...

DNS and WINS Assignment

For the AnyConnect VPN Clients, you can assign DNS and WINS server IP addresses so that they can browse and access internal sites after their SSL tunnel is established. You can configure these attributes by choosing Configuration > Remote Access VPN > Network (Client) Access > Group Policies > SSLVPNGroup > Edit > Servers. To add multiple DNS or WINS servers, use a comma (,) to separate the entries. In Figure 5-43, the primary DNS server is defined as 192.168.1.10 and the secondary...

Dynamic Access Policies

In remote access setups, such as SSL VPN, it is becoming extremely difficult to correctly identify users' environments. A remote user can establish an SSL VPN tunnel from his corporate-owned workstation in the morning and then connect to the corporate resources from an Internet café in the evening. Moreover, if you are managing a remote access solution, it is challenging to map appropriate user authorization attributes based on their connection type. To provide a solution to these issues, Cisco...

Enabling AnyConnect VPN Client Functionality

After the AnyConnect VPN Client is loaded into flash, the next step is to enable the AnyConnect Client functionality on the interface that is terminating the connection. This is achieved by selecting Enable Cisco AnyConnect VPN Client or Legacy SSL VPN Client Access on the Interfaces Selected in the Table Below in Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles. Select the outside interface if it is the interface that will terminate the SSL VPN...

Enabling Clientless SSL VPN on an Interface

The first step in setting up a clientless SSL VPN on the security appliances is to enable SSL VPN on the interface that will terminate the user session. If SSL VPN is not enabled on the interface, Cisco ASA will not accept any connections, even if SSL VPN is globally enabled. To enable SSL VPN on an interface through ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and select the Allow Access check box next to the interface on which you want...

Enabling Endpoint Host Scan

You can enable Endpoint Assessment by choosing Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan and then selecting Endpoint Assessment ver w.x.y.z, where w.x.y.z is the version of Endpoint Host Scan you are using. Figure 5-55 illustrates Endpoint Assessment as being enabled and running version 2.5.4.1. After it is enabled, the Endpoint Assessment can scan for antivirus, personal firewall, and antispyware applications and updates. Figure 5-55 Enabling Endpoint...

Encryption

Encryption algorithms transform plaintext into ciphertext. Unlike hashing, encryption algorithms require keys for encryption and decryption. Two main types of encryption algorithms exist. Symmetric encryption uses the same key for encryption and decryption; it is also known as secret-key cryptography. The symmetric algorithms are normally used to encrypt the content of a message. There are two main types of symmetric encryption algorithms: stream ciphers, such as RC4, and block ciphers, such as DES,...

Endpoint Assessment

Endpoint Assessment scans a remote computer for a large collection of firewall, antivirus, and antispyware software, as well as their associated signatures and definition updates. The collected information is then forwarded to the security appliance so that a specific action can be taken and enforced by dynamic access policy (DAP). You do not need to purchase any specific licenses to configure a security appliance to check for the presence of personal firewalls, antivirus software, and...

Endpoint Security Posture Assessment and Validation

A thorough preconnect security assessment is necessary. As discussed earlier, this helps prevent viruses, worms, and Trojan horses from spreading into the internal network and helps administrators make intelligent decisions on what access privilege to grant to the VPN users based on the endpoint security posture. The preconnect security posture validation can include the following aspects: Location checking. Using information such as IP address, Windows registries, or even PC screen banners, the...

Enrolling Digital Certificates (Recommended)

Enrollment is the process of obtaining a certificate from a certificate authority (CA). Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name. Example 5-1 demonstrates how to configure a domain name of securemeinc.com and how to generate the RSA key pair of 1024-bit modulus size. NOTE: If you want to test SSL VPN functionality in a lab environment or in a home...

F

File server bookmarks, configuring, 137 file server browsing attribute (ASA group policies), 109 file server entry attribute (ASA group policies), 109 filter attribute (group policies), 246 firewalls, 77, 188 full customization (clientless SSL VPN portals), 129 logon pages, 129-132 user web portal pages, 132-133 full tunnel features (ASA AnyConnect clients), 159 DNS WINS assignment, 161 DTLS configuration, 163 keeping client installed, 162 split tunneling, 159-160 functions attribute (group...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Functions

The Functions tab allows you to configure file server browsing and entry, HTTP proxy, and URL entry. You can choose to allow or deny users from using these features for a specific DAP record. You can even choose to use the values from the group-policy that the user is connecting to. For HTTP proxy, you have the option to launch an applet by DAP when a user connects. Refer to Table 5-12 for an explanation of file server browsing and entry, HTTP proxy, and URL entry features. Table 5-12...

Hardware-Based VPN Clients

The Cisco hardware-based VPN clients implement the same functionality as discussed in the earlier section using the dedicated Cisco hardware devices. The hardware-based VPN is supported on the following platforms: Cisco VPN 3002 hardware client. A Cisco small office, home office (SOHO) router can act as a VPN client and initiate a VPN tunnel on behalf of the hosts residing on the private subnet. When the IPsec gateway receives interesting traffic destined to its protected network, it determines...

High Availability

The high availability (HA) consideration for a remote access VPN deployment has two parts: local and geographic HA. Local HA methods include the following: Hot standby failover. The two SSL VPN appliances are in an active-passive failover session. Common failover protocols include Virtual Router Redundancy Protocol (VRRP) and Hot Standby Routing Protocol (HSRP). A stateful failover synchronizes the SSL VPN session information between the two units to ensure minimum user disruption during the...

Host Scan

Host Scan is a modular component of CSD. It is installed on the user's computer before the user logs in to the security appliance over an SSL VPN tunnel. If CSD is in use, Host Scan can collect some important endpoint attributes and pass them to other processes such as DAP for appropriate action. Host Scan can scan an end host for information that you want to collect, such as registry entries, filenames, and process names. Host Scan functionality can be greatly enhanced if an advanced Endpoint...

How This Book Is Organized

Part I of this book includes Chapters 1 and 2, which provide an overview of the remote access VPN technologies and introduce the SSL VPN technology. The remainder of the book is divided into two parts. Part II encompasses Chapters 3 and 4 and introduces the Cisco SSL VPN product lines, with guidance on different design considerations. Part III encompasses Chapters 5 through 7 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up...

I

(Table fragment: group-policy attributes) Traffic ACL: 101; IP Address: 192.168.50.1; Domain Name: securemeinc.com; Simultaneous Login: 3; WINS: 192.168.1.40; Traffic ACL: 101; IP Address: 192.168.50.1. NOTE: DfltGrpPolicy is a special group name, used solely for the default group-policy. After defining these policies, they must be bound to a tunnel group where users terminate their sessions. This way, a user who establishes his VPN session to a tunnel group will inherit all the policies mapped to that tunnel. The tunnel group defines a VPN...

Identifying Keystroke Loggers and Host Emulators

The robust implementation of CSD allows you to detect certain software-based keystroke loggers on a workstation and take appropriate actions before allowing a user's computer to create a secure environment. Keystroke loggers usually capture keystrokes without informing the legitimate user of the computer. These applications then send the captured information to a server, generally owned by hackers. If, for example, you have a keystroke logger installed on your computer and you are doing online...

Information Area

The information area shows any text and image that you want to display on the logon page. You can specify whether you want to display the information area to the left or the right side of the logon form. The Cisco ASA administrator can choose to enable or disable this element under the Information Panel option. In Figure 5-15, the information panel is disabled by the administrator. Figure 5-15 Logon Page Information Area Customization...

Infrastructure Requirements

The infrastructure requirements for SSL VPNs include, but are not limited to, the following options: ASA placement. If you are installing a new security appliance, determine the location that best fits your requirements. If you plan to place it after a firewall, make sure that you allow appropriate SSL VPN ports to pass through the firewall. User account. Before SSL VPN tunnels are established, users must authenticate themselves to either the local database or to an external authentication server....

Initial Connectivity Issues

If you are using AnyConnect VPN Client in your environment and a user is having initial connectivity issues, enable debug webvpn svc on the security appliance and analyze the debug messages. Most of the configuration-specific issues can be easily fixed by looking at the error messages. For example, if your security appliance is not configured to assign an IP address, you will receive a No Assigned Address error message in the debugs. This is highlighted in Example 5-14. Example 5-14 debug...

Initial SSL VPN Configuration

The configuration of SSL VPN can be accomplished in five steps. Figure 6-2 is used throughout this section to demonstrate how to set up a Cisco IOS router. As shown in this figure, the IOS router is set up to accept the SSL VPN connections from the hosts on the Internet. There are several servers on the private network of the router. Table 6-3 describes the servers used in this setup. Table 6-3 Description and Location of Servers. Resolves NetBIOS...

Internet Browser Settings

As discussed in the previous section, CSD is installed on the client computer through ActiveX, Java, or an executable file. You must configure the appropriate security settings in your Internet browser to allow those functions. For example, in Internet Explorer, use the guidelines discussed in Table 5-7. These settings are configured by choosing Tools > Internet Options > Security tab > Internet > Custom Level. ActiveX controls and plug-ins > Download signed ActiveX controls ActiveX...

Introduction to Remote Access VPN Technologies

Since the advent of the Internet, network administrators have looked for ways to leverage this low-cost, widespread medium to transport data while protecting data integrity and confidentiality. They looked for ways to protect the information within the data packets while providing transparency to the end user. This spawned the concept of Virtual Private Networks (VPN). Subsequently, the Internet Engineering Task Force (IETF) was engaged to craft standard protocols and procedures to be used by...

IOS SSL VPN Configuration Guide

After analyzing the deployment considerations and selecting SSL VPN as the remote access VPN solution, you must follow the configuration steps described in the subsequent sections. The configuration guide is divided into the following six configuration sections to match your deployment scenarios: configuring pre-SSL VPN setup; initial SSL VPN configuration; configuring clientless SSL VPNs; configuring thin client SSL VPNs; configuring AnyConnect Client SSL VPNs; and configuring advanced SSL VPN features.

Issues with CIFS

You can provide CIFS services to the clientless users so that they can access their shared resources on the Windows file servers. If the clientless SSL VPN users have issues with multiple logons when they try to access the servers, you can configure single sign-on and see whether that resolves the issue. If users have issues connecting to the servers or accessing their shared folders or files, you can try to access them by entering the server name and share through the bar inside the...

Issues with Websites

If you use clientless SSL VPN to provide connectivity to remote users and a user is having issues connecting to the websites through bookmarks, follow these steps to isolate the problem: Check whether the user is having connectivity issues with all configured websites. If so, check whether other applications, such as CIFS, port forwarding, or smart tunnels, are working well. If connectivity issues are limited to one web server, check whether one user or all users are having issues connecting to...

Keeping the SSL VPN Client Installed

After the SSL VPN client is installed successfully, the security appliance allows you to keep the client installed on the computer, even if the tunnel is disconnected. By default, the AnyConnect Client is automatically removed after users log off and is reinstalled when the tunnel is successfully established. You should keep this option enabled so that users do not need to go through the process of installing the client. Additionally, the initial AnyConnect Client installation requires...

L2TP

Layer 2 Tunneling Protocol (L2TP), documented in RFC 2661, combines features from Layer 2 Forwarding (L2F) from Cisco Systems and PPTP from Microsoft. Version 3, documented in RFC 3931, added security features and improved encapsulation to meet the emerging industry requirements. It packages data within Point-to-Point Protocol (PPP) and uses registered User Datagram Protocol (UDP) port 1701 for both tunnel negotiations and data encapsulation. L2TP can replace remote...

Lack of Security on Unmanaged Computers

As mentioned earlier, SSL VPNs can support users coming from any computer on the Internet, such as public domain machines (for example, kiosk PCs) that are not controlled by the corporate IT department, the department that normally ensures that machines have proper service packs and security software, such as antivirus software. This poses a major threat to security. If, for example, SSL VPN users sign in to the SSL VPN from a compromised or infected PC, they can become a source for spreading viruses,...

Loading SDM (Recommended)

Cisco Security Device Manager (SDM) provides an easy-to-navigate and simple graphical user interface (GUI) to set up and manage different features that a Cisco IOS router provides. It is bundled with a variety of administration, configuration, and monitoring tools to check the health of the device and the traffic traversing through it. Although setting up SDM is optional, you should use SDM in configuring the SSL VPN functionality in Cisco IOS routers. NOTE: SSL VPN is a relatively new feature...

Loading the CSD Package

As with the Cisco AnyConnect VPN Client, you must load the CSD package into the local flash of the security appliance. If you're not sure whether you have CSD installed on your security appliance, choose Tools > File Management and look at the contents of the local flash. If you don't see a securedesktop-asa-3.x.xxx-k9.pkg file, upload the file from the local flash of the management host to the flash of the security appliance. After the CSD file is uploaded, choose Configuration > Remote Access VPN...