AAA Server Scalability and High Availability

The scalability and availability of the AAA server directly affect the availability of your VPN network and the user experience. For a small- to medium-sized VPN network, it is relatively easy to address this design issue. Because the number of the VPN users is relatively small, the scalability of the AAA server is less of an issue. Also, because small to medium deployment normally does not have dispersed Internet VPN access, the AAA servers normally reside on a local network, and network delay...

AnyConnect Client and External Authentication

SecureMe has recently learned about the full network connectivity method that is offered by the Cisco IOS router through SSL VPN. The company wants to use this feature for its regular employees so that they can work from home and have full access to the internal network. Figure 6-46 shows SecureMe's network topology for AnyConnect Client. Figure 6-46 SecureMe's SSL VPN for AnyConnect Clients. SecureMe's security requirements are as follows...

AnyConnect Client with CSD and External Authentication

SecureMe has recently learned about the SSL VPN functionality in Cisco ASA and wants to deploy it for a number of remote employees in New York. These employees need full access to the internal network without restriction to complete their tasks if they meet criteria defined by the administrator. Figure 5-65 shows SecureMe's network topology for AnyConnect Client. Figure 5-65 SecureMe's SSL VPN for AnyConnect Clients. The security requirements...

AnyConnect SSL VPN Client

During the early development period of SSL VPNs, network administrators needed a VPN client that had benefits that were similar to an IPsec remote access VPN client, but required less administrative overhead for installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. Cisco first introduced the SSL VPN Client (SVC) that was a self-downloading, self-installing, self-configuring, and self-uninstalling VPN. In Release...

AnyConnect VPN Client Configuration Guide

During the early development period of SSL VPNs, network administrators needed a VPN client that had similar benefits of an IPsec remote access VPN client, but required less administrative overhead than installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. In the pre-version 8.0 releases, Cisco provided the SSL VPN Client (SVC). This is a self-downloading, self-installing, self-configuring, and self-uninstalling VPN...

Applying Secure Desktop Restrictions

In addition to the global parameters that can be configured (discussed in the preceding section), you can apply certain restrictions to Secure Desktop to further enhance the level of security for SSL VPN sessions. These restrictions are defined in Secure Desktop Settings under a predefined location. These restrictions include the following Restrict application usage to the web browser only, with the following exceptions With this option, you can only allow users to launch multiple windows of...

Assigning CSD Policy

When a computer tries to connect to the security appliance, CSD matches it to one of the predefined locations. For each location, you can choose to load either Secure Desktop or Cache Cleaner on the workstation. Choose Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin location and select the appropriate option. The option should be selected based on your security policies. For example, if a user is identified as a HomeCorpOwned workstation, you can choose to enable...

C

CA (certification authority), 230, 28, 99-100 Cache Cleaner, 166, 180-181 Mac Linux policies, defining, 298-300 policies, defining, 295-296 certification, 28-30 change cipher spec protocols, 34 CIFS (Common Internet File System) clientless issues, 218 configuring, 254-255 IOS router support, 253-257 servers, 257 cifs-url-list attribute (group policies), 246 CipherSuite, 37 Cisco SAFE VPN IPSec Virtual Private Networks in Depth website, 82 Secure ACS integration mode (CSM), 327, 330 VPN 3000...

Cisco ASA 5500 Series

The Cisco ASA 5500 series Adaptive Security Appliance provides an advanced Adaptive Identification and Mitigation (AIM) architecture and is a key component of the Cisco Self-Defending Network. As mentioned earlier in this chapter, the security appliances integrate firewall, IDS/IPS, and VPN capabilities and provide an all-in-one solution for an organization. Seven Cisco ASA 5500 series models are available in the current Cisco ASA 5500 series product line. They include the following The Cisco...

Cisco IOS Routers

Cisco Systems introduced the SSL VPN functionality in Release 12.4(6)T of code of the Cisco IOS routers. Small- to medium-sized enterprises are perfectly positioned to use IOS SSL VPN to extend a remote access VPN solution to their employees and partners. Using a Cisco IOS router as an SSL VPN gateway, customers can deploy a single-box device to meet their routing, voice, wireless, firewall, IPS/IDS, and remote access VPN requirements. Seven Cisco IOS router product series support SSL VPN. They...

Cisco Secure ACS Integration Mode

The Cisco Secure ACS integration mode provides more granular administrative permission controls than the native mode. The two main areas are as follows Application-specific roles Cisco Secure ACS allows you to define customized roles that have granular permission down to the policy and object level. For example, you can define an administrative role that is authorized only to view and modify SSL VPN policies, but not other security policies, such as firewall policies or IPS policies. Figure...

Cisco Secure Desktop

Cisco Secure Desktop (CSD) provides a secure desktop environment to remote users after validating a number of security parameters on the client workstation. The purpose of CSD is to minimize the risk posed by the remote workstations by collecting necessary information from them. If the received information matches the preconfigured criteria, the security appliance can create a secure environment and optionally apply certain policies to and restrictions on the user session. When the user session...

Client Operating System and Browser and Software Requirements

The SSL VPN functionality on Cisco security appliances is supported on a number of client operating systems and on a number of browsers. The supported platforms are discussed next. Compatible browser You must use an SSL-enabled browser such as Microsoft Internet Explorer, Firefox, Opera, Safari, Mozilla, Netscape, or Pocket Internet Explorer (PIE). Table 5-3 provides a list of operating systems and the supported Internet browsers. Table 5-3 Supported Operating Systems and Internet Browsers...

Clientless Connections with CSD

SecureMe wants to deploy an SSL VPN solution for a group of contractors that access some resources from their laptops. These contractors use a terminal server as well as a web server for browsing, and a Windows file server to save and retrieve their documents. All contractors use Windows-based operating systems on their workstations. SecureMe prefers to create a secure environment before SSL VPN sessions are allowed. Figure 6-45 shows SecureMe's proposed network topology for clientless...

Clientless Connections with DAP

After successfully implementing the AnyConnect functionality on the security appliance, SecureMe has now decided to provide clientless functionality to a group of mobile contractors. These contractors use a web server for browsing, a terminal server, and a Windows file server to save and retrieve their documents. Figure 5-66 shows SecureMe's proposed network topology for clientless connections. Figure 5-66 SecureMe's Clientless Connection Topology with DAP (192.168.1.0/24). The security...

Clientless SSL VPN Configuration Guide

The SSL VPN functionality on Cisco ASA is the most robust in the industry. The following sections focus on the clientless users who want to access internal corporate resources but do not have an SSL VPN client loaded on their workstations. These users typically access protected resources from shared workstations or even from hotels or Internet cafés. The clientless configuration on Cisco ASA can be broken down into the following subsections. Enable SSL VPN on an interface Configure SSL VPN...

Configure AnyConnect SSL VPN Properties

The last step necessary to meet the listed requirements is to configure AnyConnect VPN Client on the router for remote users. This deployment scenario assumes that an SSL VPN gateway and context were not defined earlier and creates new ones. Follow these guidelines to achieve the goals 4 Under IP Address Pool from Which Clients Will Be Assigned an IP Address, click the option and select Create a new IP Pool. Under Pool Name, specify SSLVPNPool, and then click Add to define a range of IP...

Configuring a Tunnel Group

A tunnel group can be configured by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles. Click Add to add a new tunnel group. As shown in Figure 5-5, a tunnel group called SecureMeClientlessTunnel has been added. After defining a tunnel group name, you can bind a user group-policy to a tunnel group. Once a user is connected, the attributes and policies defined under the group-policy will be applied to the user. A user group-policy of...

Configuring Antispyware Host Scan

To set up the security appliance to scan the remote workstation for antispyware, click Add under AntiSpyware. You can check remote workstations for antispyware compliance and update noncompliant computers. A new window opens with a list of all supported antispyware vendors and their respective products. Select the antispyware vendor and product that you use in your environment from the list and click OK when finished. Similar to the antivirus scan option, you can also force the remote...

Configuring Bookmarks

Using a clientless SSL VPN, remote users can browse their internal websites, file server shares, and Outlook Web Access (OWA) servers. Cisco ASA achieves this functionality by terminating the SSL tunnels on its outside interface and then rewriting the content before sending it to the internal server. For example, if a user tries to access an internal website, the user's HTTPS connection is terminated to the outside interface. The ASA then forwards the HTTP or HTTPS request to the internal web...

Configuring Client-Server Plug-Ins

For known applications, such as VNC, Remote Desktop, Telnet, and SSH, you can allow the clientless SSL VPN users to connect to the protected network using the supported applications. This way, when a clientless SSL VPN user is authenticated, the user can choose to launch an application plug-in such as VNC and connect to an internal server running the VNC application. Cisco provides the client-server plug-ins for VNC, Remote Desktop, and SSH/Telnet. These plug-ins can be downloaded from the...

Configuring DAP

When a user tries to establish a connection, DAP can analyze the posture assessment result of a remote host and apply access policies that are dynamically generated. DAP can use the AAA attributes, such as RADIUS, LDAP, and Cisco-specific, and endpoint attributes, such as host scans and prelogin locations, before an action or a series of actions can be applied to a user session. It is designed to complement the authentication, authorization, and accounting (AAA) services by aggregating the...

Configuring DTLS

Datagram Transport Layer Security (DTLS), defined in RFC 4347, provides security and privacy for UDP packets. This allows UDP-based applications to send and receive traffic in a secure fashion without worrying about packet tampering and message forgery. Thus, applications that want to avoid the delays associated with TCP but still want to communicate securely can use DTLS. Cisco AnyConnect Client supports both SSL and DTLS transport protocols. If DTLS is enabled...

Configuring File Servers

In addition to the web servers, you can also define a bookmark list of the file servers that the clientless users can access. Cisco ASA supports network file sharing using the Common Internet File System (CIFS), a file system that uses the original IBM and Microsoft networking protocols. Through CIFS, users can access their file shares located on the file servers. Users can download, upload, delete, or rename the files under the shared directories, but only if the file system permissions allow...

Configuring Group Policies

The user group and default group policies are configured by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access or Network (Client) Access > Group Policies. Click Add to add a new group policy. As shown in Figure 5-4, a user group-policy, called ClientlessGroupPolicy, has been added. This group-policy only allows clientless SSL VPN tunnels to be established and strictly rejects all the other tunneling protocols. If you would rather assign attributes to default...

Configuring SSL VPN Portal Customization

Figure 5-11 shows the default SSL VPN page when a connection is initiated from a web browser. The title of the page is SSL VPN Service and the Cisco Systems logo is displayed in the upper-left corner of the web page. The initial page prompts the user for user authentication credentials. Figure 5-11 Default SSL VPN Login Page. You can customize the initial SSL VPN login page based on security policies of your organization. Cisco ASA also allows you to...

Configuring Traffic Filters

In its default firewall role, the Cisco ASA blocks decrypted traffic and protects the trusted network, unless the ACLs on the ingress interface explicitly permit traffic to pass through it. In case you trust all your remote AnyConnect VPN Clients, Cisco ASA can be configured to permit all decrypted SSL VPN packets to pass through it without inspecting them against the configured ACL. This is done with the sysopt connection permit-vpn command, as shown in Example 5-11. Example 5-11 Sysopt...

Configuring Websites

After adding a bookmark list, you can add a bookmark entry for the internal web servers that you want to give access to the clientless users. In Figure 5-26, a bookmark list name of InternalServers has been added. Because it is a new list, the administrator has added a bookmark title of InternalWebServer with a URL value of http://intranet.securemeinc.com. Under advanced options, a subtitle of This is the internal web portal for SecureMe Inc. employees is added with a thumbnail of the...

Content Rewriting

The previous section described URL mangling, which is an important technique in the process by which SSL VPN users access corporate resources using the clientless web access mode. The second important technique is content rewriting. As a reverse proxy server, the SSL VPN gateway fetches web-based content from an internal web server and performs content rewriting. The main goal of the content rewriting is to change the URL references and Java socket calls so that all users' requests point to the...

Customized Login Page and User Connection Profile

After customizing the login page, the next logical step is to display it to the users who are logging in. You have two ways to display the login page to the user DefaultWEBVPNGroup connection profile If you want your customized login page to be displayed to all users who access the security appliance using its FQDN (fully qualified domain name) or the IP address, apply the customized object under the DefaultWEBVPNGroup connection profile by choosing Configuration > Remote Access VPN >...

DAP Architecture

As mentioned earlier, DAP analyzes the posture assessment result of a host and applies dynamically generated access policies when a user session is established. It is designed to complement the AAA services by aggregating the locally defined attributes with the received attributes from the AAA server. In the case of an authorization attribute conflict, the locally defined attribute is selected. Therefore, it is possible to generate DAP authorization attributes by aggregating multiple DAP...

Defining a Pool of Addresses

During the SSL VPN tunnel negotiations, an IP address is assigned to the VPN adapter of the AnyConnect VPN Client. The client uses this IP address to access resources on the protected side of the tunnel. Cisco ASA supports three different methods to assign an IP address back to the client Many organizations prefer assigning an IP address from the local pool of addresses for flexibility. The IP address is assigned by configuring an address pool and then linking the pool to a policy group. You...

Defining Cache Cleaner Policies

As discussed earlier in this chapter, Cache Cleaner securely removes local browser data such as web pages, history information, and cached user credentials. When Cache Cleaner is launched on a client computer, it closes any existing browser windows and initiates the Cache Cleaner process. It monitors browser data, and when the user logs out of the SSL VPN session, it closes the browser and cleans the cache associated with the SSL VPN session. Cache Cleaner can be configured under Cache Cleaner...

Defining Policies for the Mac and Linux Cache Cleaner

As mentioned earlier in the chapter, Cache Cleaner is supported not only on Windows operating systems but also on Linux and Mac OS X systems. Additionally, you can define a limited VPN feature policy for these clients. Table 6-8 lists the available features that you can implement for Mac- and Linux-based computers. Figure 6-43 Defining Windows CE Policies...

Defining Prelogin Policies

In the supported Windows, OS X, and Linux-based operating systems, you can define the potential locations where the client computers might be connecting from. For example, if your users connect from the office network, home office network, and even Internet cafés, you can define a location for each setup and give appropriate access to your users. For users connecting from the office network, you classify those hosts as fairly secure and allow a less restrictive environment. For users connecting...

Defining Prelogin Sequences

To configure CSD parameters, choose Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin Policy. You can define a prelogin sequence that CSD can use to identify a host and match it to an appropriate profile. If the client's computer matches a certain profile, CSD can either create a Secure Desktop or launch Cache Cleaner. The following sections walk you through the configuration of Secure Desktop Manager in defining the profiles and the respective policies for the SSL VPN...

Defining Secure Desktop General Attributes

In CSD, you can set up general attributes that are applied to all SSL VPN sessions within a predefined location. For example, to allow users to switch between Secure Desktop and the local desktop, you can enable that feature here. The supported Secure Desktop general attributes include Enable switching between Secure Desktop and Local Desktop With this option enabled, the user has an option to switch back and forth between Secure Desktop and Local Desktop. In many cases, when an application is...

Device Placement

SSL VPN appliances are normally placed at the Internet edge of the corporate network. At the Internet edge of the network, other security devices are often deployed to protect the internal network from attacks. This section discusses the device placement issues you should consider when placing the SSL VPN devices among other security services at the edge. For companies that already have an IPsec-based remote access VPN solution deployed, the device placement considerations should also apply to...

Device View

As its name implies, device view provides a device-centric view of your SSL VPN network. Figure 7-1 shows the layout of a device view. Figure 7-1 Cisco Security Manager Device View. Three main areas are in the device view. The upper-left area lists all the devices and device groups. The lower-left area shows the common policies based on the device selected. The right area is the policy content work area. The devices can be imported into CSM in...

DNS and WINS Assignment

For the AnyConnect VPN Clients, you can assign DNS and WINS server IP addresses so that they can browse and access internal sites after their SSL tunnel is established. You can configure these attributes by choosing Configuration > Remote Access VPN > Network (Client) Access > Group Policies > SSLVPNGroup > Edit > Servers. To add multiple DNS or WINS servers, use a comma (,) to separate the entries. In Figure 5-43, the primary DNS server is defined as 192.168.1.10 and the secondary...

Enabling AnyConnect VPN Client Functionality

After the AnyConnect VPN Client is loaded into flash, the next step is to enable the AnyConnect Client functionality on the interface that is terminating the connection. This is achieved by selecting Enable Cisco AnyConnect VPN Client or Legacy SSL VPN Client Access on the Interfaces Selected in the Table Below in Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles. Select the outside interface if it is the interface that will terminate the SSL VPN...

Enabling Clientless SSL VPN on an Interface

The first step in setting up a clientless SSL VPN on the security appliances is to enable SSL VPN on the interface that will terminate the user session. If SSL VPN is not enabled on the interface, Cisco ASA will not accept any connections, even if SSL VPN is globally enabled. To enable SSL VPN on an interface through ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and select the Allow Access check box next to the interface on which you want...

Enabling Endpoint Host Scan

You can enable Endpoint Assessment by choosing Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan and then selecting Endpoint Assessment ver w.x.y.z, where w.x.y.z is the version of Endpoint Host Scan you are using. Figure 5-55 illustrates Endpoint Assessment as being enabled and running version 2.5.4.1. After it is enabled, the Endpoint Assessment can scan for antivirus, personal firewall, and antispyware applications and updates. Figure 5-55 Enabling Endpoint...

Endpoint Security Posture Assessment and Validation

A thorough preconnect security assessment is necessary. As discussed earlier, this helps prevent viruses, worms, and Trojan horses from spreading into the internal network and helps administrators make intelligent decisions on what access privilege to grant to the VPN users based on the endpoint security posture. The preconnect security posture validation can include the following aspects Location checking Using information such as IP address, Windows registries, or even PC screen banners, the...

Enrolling Digital Certificates (Recommended)

Enrollment is the process of obtaining a certificate from a certificate authority (CA). Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name. Example 5-1 demonstrates how to configure a domain name of securemeinc.com and how to generate the RSA key pair of 1024-bit modulus size. NOTE If you want to test SSL VPN functionality in a lab environment or in a home...

I

Traffic ACL 101 IP Address 192.168.50.1 Domain Name securemeinc.com Simultaneous Login 3 WINS 192.168.1.40 Traffic ACL 101 IP Address 192.168.50.1 NOTE DfltGrpPolicy is a special group name, used solely for the default group-policy. After defining these policies, they must be bound to a tunnel group where users terminate their sessions. This way, a user who establishes his VPN session to a tunnel group will inherit all the policies mapped to that tunnel. The tunnel group defines a VPN...

Information Area

The information area shows any text and image that you want to display on the logon page. You can specify whether you want to display the information area to the left or the right side of the logon form. The Cisco ASA administrator can choose to enable or disable this element under the Information Panel option. In Figure 5-15, the information panel is disabled by the administrator. Figure 5-15 Logon Page Information Area Customization...

Initial SSL VPN Configuration

The configuration of SSL VPN can be accomplished in five steps. Figure 6-2 is used throughout this section to demonstrate how to set up the Cisco IOS router. As shown in this figure, the IOS router is set up to accept the SSL VPN connections from the hosts on the Internet. There are several servers on the private network of the router. Table 6-3 describes the servers used in this setup. Table 6-3 Description and Location of Servers. Resolves NetBIOS...

Internet Browser Settings

As discussed in the previous section, CSD is installed on the client computer through ActiveX, Java, or an executable file. You must configure the appropriate security settings in your Internet browser to allow those functions. For example, in Internet Explorer, use the guidelines discussed in Table 5-7. These settings are configured by choosing Tools > Internet Options > Security tab > Internet > Custom Level. ActiveX controls and plug-ins > Download signed ActiveX controls ActiveX...

Introduction to Remote Access VPN Technologies

Since the advent of the Internet, network administrators have looked for ways to leverage this low-cost, widespread medium to transport data while protecting data integrity and confidentiality. They looked for ways to protect the information within the data packets while providing transparency to the end user. This spawned the concept of Virtual Private Networks (VPN). Subsequently, the Internet Engineering Task Force (IETF) was engaged to craft standard protocols and procedures to be used by...

Issues with Websites

If you use clientless SSL VPN to provide connectivity to remote users and a user is having issues connecting to the websites through bookmarks, follow these steps to isolate the problem Check whether the user is having connectivity issues with all configured websites. If so, check whether other applications, such as CIFS, port forwarding, or smart tunnels, are working well. If connectivity issues are limited to one web server, check whether one user or all users are having issues connecting to...

Keeping the SSL VPN Client Installed

After the SSL VPN client is installed successfully, the security appliance allows you to keep the client installed on the computer, even if the tunnel is disconnected. By default, the AnyConnect Client is automatically removed after users log off and is reinstalled when the tunnel is successfully established. You should keep this option enabled so that users do not need to go through the process of installing the client. Additionally, the initial AnyConnect Client installation requires...

Loading SDM (Recommended)

Cisco Security Device Manager (SDM) provides an easy-to-navigate and simple graphical user interface (GUI) to set up and manage different features that a Cisco IOS router provides. It is bundled with a variety of administration, configuration, and monitoring tools to check the health of the device and the traffic traversing through it. Although setting up SDM is optional, you should use SDM in configuring the SSL VPN functionality in Cisco IOS routers. NOTE SSL VPN is a relatively new feature...

Loading the CSD Package

Like Cisco AnyConnect VPN Client, you must load the CSD package in the local flash of the security appliance. If you're not sure whether you have CSD installed in your security appliance, choose Tools > File Management and look at the contents of the local flash. If you don't see a securedesktop-asa-3.x.xxx-k9.pkg file, upload the file from the local flash of the management host to the flash of the security appliance. After the CSD file is uploaded, choose Configuration > Remote Access VPN...

Loading the SVC Package

Before you define configuration policies for the AnyConnect VPN Client, you have to load the AnyConnect VPN Client package in the local flash of the security appliance. You can verify whether it is installed by choosing Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Setting. If an AnyConnect VPN Client image is not installed, you can click Add to Browse through the local flash of the security appliance and select the AnyConnect file you want...

Man-in-the-Middle Attacks

There have been known man-in-the-middle (MITM) attacks against the SSL protocol, and this is how they can work. The attacker first launches an Address Resolution Protocol (ARP) spoofing attack or Domain Name System (DNS) spoofing attack against the SSL VPN user. If the attack succeeds, the SSL traffic is redirected to the attack host, which is configured with SSL proxy software. The attack host then acts as the destination web server by establishing an SSL connection with the user on one side and another...

Message Authentication Code

Message authentication code (MAC) is a cryptographic checksum that is used to ensure the integrity of the message during transmission. To generate a MAC, you can use either an encryption algorithm, such as Data Encryption Standard (DES), or a hashing algorithm. Hashing is generally much faster than encryption algorithms, so the hash-based MAC (HMAC) is the most popular way. HMAC is a keyed hash function. Here is how it works To generate an HMAC of a message M, you need to pick two system...

Monitoring and Troubleshooting SSL VPN

The following sections discuss the monitoring and troubleshooting steps that are available to help you in running the SSL VPN solution smoothly on a security appliance. To monitor the WebVPN sessions, first check how many active SSL VPN tunnels are established on the security appliance. You can do this by choosing Monitoring > VPN > VPN Statistics > Sessions. The security appliance shows you all the active VPN sessions, including the clientless and full tunnel client connections. As shown...

Not All Resource Access Methods Are Equal

As mentioned in Chapter 2, SSL VPN Technology, SSL VPN employs a variety of techniques, each of which has its unique characteristics in terms of user experience, user privilege requirements, and levels of access to the network resources. This is one of the major differences between SSL VPN and traditional remote access solutions, such as IPsec-based remote access VPN. When you design an SSL VPN network, it is important to understand that not all access methods are equal and different access...

OSI Layer Placement and TCP/IP Protocol Support

SSL is a platform-independent and application-independent protocol that is used to secure TCP-based applications. It sits on top of the TCP layer, below the application layer, and acts like sockets connected by TCP connections. Figure 2-6 shows the SSL placement in the protocol stack. SSL assumes reliable underlying packet delivery; thus, it always runs only on top of TCP, not over UDP or directly over IP. Although SSL should work with any static client-server TCP...

Overview of Cisco SSL VPN Product Portfolio

Cisco currently offers the SSL VPN functionality in a number of its product offerings, including the following Cisco VPN 3000 series concentrator The Cisco VPN 3000 series concentrator was the first Cisco product to offer the SSL VPN functionality. The clientless and thin-client modes were introduced in the 4.1 version of code, whereas the full-tunnel client support was added in the 4.7 version of code. Cisco VPN 3000 series concentrators are now end-of-life units. Cisco recommends that you...

Performance and Scalability

Performance considerations for an SSL VPN design are a bit different from those of the IPsec-based VPN because of the multiple technologies that the SSL VPN features. When you try to determine the performance of an SSL VPN appliance, you need to be clear about which resource access method you have in mind. The performance of different access methods varies greatly. The following list outlines the performance characteristics of the two most popular access methods: Reverse-proxy-based web access...

Port Forwarding Lists

The Port Forwarding Lists tab allows you to apply a preconfigured port-forwarding list to a DAP record. If you do not have a preconfigured port-forwarding list, you can define one under this tab. Because DAP enforces action and policies, you can deny users the use of a port-forwarding list even if the group policy that the user is assigned to allows it. Similarly, if a group policy does not have a port-forwarding list mapped to the group policy, you can choose to auto-start the selected list....

R

Authentication, 112, 207 configuring, 228 mapping to tunnel groups, 113 user authentication, 305 radius-server host command, 228 RC4 encryption, 21, 60 record protocols, 33, 42 records (DAP), 191 accessing, 204 actions, 198 functions, 200-201 network ACLs, 198 port-forwarding lists, 202 URL lists, 203 web-type ACLs, 199 registry endpoint attribute, 196 remote access protocols, 4 technologies IPsec, 5-7 L2TP, 9-10 L2TP over IPsec, 11-12 PPTP, 13 SSL VPN, 7-8 summary, 14 requirements (Secure...

Remote Access Technologies

Organizations are constantly under pressure to reduce costs by leveraging newer technology in their existing network infrastructure. With the growth of the Internet and greater focus on globalization, organizations are required to provide their employees with 24x7 access to organizational resources. The increasing number of mobile workers and telecommuters is a major factor in the exponential growth of remote access technologies. These users require the traditional LAN-based applications, such...

Resource Access Privilege Management

After user authentication, the remote access VPN device should be able to authorize the user with resource access privileges based on the user's attributes. As described earlier, because of the ubiquity of the SSL VPN, its design needs to ensure the integrity of the endpoint. Hence the resource authorization also goes beyond the standard user attributes to include other security attributes. The following is a list of attributes that can be used to determine resource access privilege: Sign-in URL...

S

AAA servers, 67 design considerations, 81 SCEP (Simple Certificate Enrollment Protocol), 230 context configuration, 240 gateway configuration, 238 loading, 232-234 website, 233 Secure ACS Configuration Guide website, 331 Secure Desktop, 165 attributes, defining, 176-178, 292-293 AnyConnect client with CSD and external authentication deployment, 207 loading CSD package, 169-170 policies, assigning, 174 prelogin sequences, 170 Cache Cleaner policies, 180-181 host emulators, 175-176 keystroke...

Selecting Endpoint Attributes

After defining the AAA attributes, you can optionally select the endpoint attributes. These attributes are collected by a number of sources, including Host Scans (basic, Endpoint, or Advanced Endpoint), Secure Desktop, and NAC. The AAA attributes are validated during user authentication, whereas the endpoint attributes are collected by the security appliance prior to user authentication. Table 5-11 presents all the available attributes that you can select and configure under endpoint...

Setting Up the Appliance

When the ASDM file is accessed, the Cisco ASA loads the first ASDM image that it finds from the local flash. If multiple ASDM images exist in the flash, use the asdm image command and specify the location of the ASDM image you want to load. This ensures that the appliance always loads the specified image when ASDM is launched. In Example 5-9, the appliance is set up to use asdm-603.bin as the ASDM image file.

Example 5-9 Specifying the ASDM Location

Chicago(config)# asdm image disk0:/asdm-603.bin...

Setting Up Tunnel and Group Policies

Cisco ASA uses an inheritance model when it pushes network and security policies to the end-user sessions. Using this model, you can configure policies at the following three locations. In the inheritance model, a user inherits the attributes and policies from the user policy, which inherits its attributes and policies from the user group-policy, which in turn inherits its attributes and policies from the default group-policy, as illustrated in Figure 5-3. A user, sslvpnuser, receives a traffic...

Setting Up User Authentication

Cisco IOS routers support a variety of authentication servers, such as RADIUS, TACACS, and the local database. For small organizations, a local database can be set up for user authentication. For medium to large SSL VPN deployments, you should use an external RADIUS server as the user authentication database. If you are deploying the SSL VPN feature for a few users, you can use the local database, as shown in Example 6-1. Two accounts, sslvpnuser and adminuser, are configured for user...

Single Sign-On

Optionally, you can add a single sign-on (SSO) server to ensure that clientless users do not get prompted again to enter their user credentials if they try to access Windows-based shares. In SSO, the security appliance acts as a proxy between the clientless SSL VPN user and the authentication server. The security appliance uses users' cached credentials (an authentication cookie) when the user tries to access secure websites or shares within the private network. If you use NT LAN Manager (NTLM)...

Split Tunneling

In a remote access VPN deployment, split tunneling gives the user direct access to a public network and VPN access to a private network simultaneously. The end user's computer becomes an extended Internet entry point to the corporate network. If no proper security measures are in place on the end user's computer, attackers have opportunities to compromise the computer from the Internet and gain access to the internal network through the VPN tunnel. For this reason, many organizations choose to...

Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network

Corporate networks are vulnerable to the spread of viruses, worms, and Trojans when the SSL VPN users connect using the tunnel client mode. With the tunnel client mode, the endpoints are directly connected to the corporate network with full network-layer access. Endpoints might not be compliant with corporate security policy, which can require, for example, a proper Windows patching level or up-to-date antivirus DAT files. In this case, a high possibility exists that the endpoints will forward...

SSL Connection Setup

This section looks at the messages and operations necessary to establish an SSL connection. Using a simple-mode SSL negotiation as an example should help you understand how the different pieces discussed so far (cryptographic algorithms and SSL protocols) work together to bring up an SSL connection. Because you are mainly an SSL VPN user rather than an implementer, the focus is on explaining the big picture, not the implementation details. Handshake protocols are used for the SSL client and...

SSL Record Protocol and Handshake Protocols

This section describes the SSL protocol operation, including SSL connection negotiation, key derivation, and secure data transfer. The section explains how the various cryptographic elements described earlier are used in SSL to build a secure communication. An SSL connection is established in two main phases. The handshake phase (phase 1) negotiates cryptographic algorithms, authenticates the server, and establishes keys for data encryption and MAC. The secure data transfer phase (phase 2) is...

SSL Remote Access VPNs

Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America Library of Congress Catalog...

SSL VPN Design Considerations

Before you implement the SSL VPN services in Cisco ASA, you have to analyze your current environment and determine which features and modes might be useful in your implementation. Some of the SSL VPN design considerations are as follows: User connectivity. Before designing and implementing the SSL VPN solution for your corporate network, you need to determine whether your users connect to your corporate network from public shared computers, such as workstations made available to guests in a hotel...

SSL VPN Licenses on Cisco ASA

Unlike IPsec, the SSL VPN capability in the security appliance is not included free of charge in the base system price. If you want to enable SSL VPN on a security appliance, you must purchase appropriate licenses. The base security appliance includes two SSL VPN users by default for evaluation, lab testing, and remote management purposes. Anything beyond that requires you to buy a separate SSL VPN license. For example, if your environment will have 75 SSL VPN users, you can buy the SSL VPN...

SSL VPN Licenses on Cisco IOS Routers

Just as with Cisco ASAs, you need to purchase licenses to enable SSL VPN on a Cisco IOS router. Before you implement SSL VPN on an IOS router, or in a cluster of IOS routers, you need to determine the size of SSL VPN deployment, especially the number of concurrent users of this service. For example, if one IOS router is not enough to support the required number of users, you must consider traditional load balancers or server-clustering schemes to accommodate all potential remote users. SSL VPN...

SSL VPN Prerequisites

You must meet a number of prerequisites before you can start implementing an SSL VPN in your enterprise. They are discussed in the following sections. The SSL VPN functionality on the ASAs requires that you have appropriate licenses. For example, if your environment is going to have 75 SSL VPN users, you can buy the SSL VPN license that can accommodate up to 100 potential users. Table 5-2 lists the available licenses and their respective part numbers. Note that an SSL VPN license file for ten...

SSL VPN Specifications on Cisco ASA

As with any network design, you need to determine the size and scope of the SSL VPN implementation, especially the number of concurrent users that will connect to gain network access. If one Cisco ASA is not enough to support the required number of users, the available load-balancing features, such as ASA clustering, must be considered to accommodate all the potential remote users. Table 4-1 lists the supported security appliances, their VPN throughput, and the number of supported SSL VPN users...

SSL VPN Tunnel Client

Traditional clientless web access and port-forwarding access do not satisfy the needs of power users and telecommuters who run VPNs on corporate-owned machines and like to have full access to the corporate resources. The IPsec VPN is a better fit to provide full network-layer access to the VPN users. Organizations that already have a remote access IPsec VPN can use the existing VPN solution to provide network-layer access and clientless SSL VPN for application-level VPN access. Today, most SSL...

SSL VPN

Secure Sockets Layer (SSL) VPN is the emerging remote access technology that provides secure connectivity to the internal corporate resources through a web browser or a dedicated client. It sits between the transport and application layers of the OSI model. The SSL protocol was developed by Netscape to promote e-commerce sites that required data encryption and user authentication. With online banking, for example, the user session is securely established by using this protocol. Even though it...

Step 1 Define Clientless Connections

The first step in achieving the listed goals is to set up clientless connections for remote contractors as follows: 1. Define bookmarks for the internal servers (web and CIFS) by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add. Specify a bookmark list name called Contractors-List and then click Add to specify a bookmark title of Internal-Web. Select http under the URL Value drop-down menu, and configure a URL value of http...

Step 1 Defining a Smart Tunnel List

You must define a list of the applications that you want clientless SSL VPN users to access. A smart tunnel list is defined by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels > Add. Specify a name for the new smart tunnel list. This list name has only local significance, and it is eventually used to map the smart tunnel attributes to a group policy, discussed in the next step. To define a specific application to be used for smart...

Step 1 Defining Port Forwarding Lists

You must define a list of servers and their respective applications that you want clientless SSL VPN users to access. A port-forwarding list is defined by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Port Forwarding > Add. Specify a name for the new port-forwarding list. This list name has only local significance, and it is eventually used to map the port-forwarding attributes to a group policy, discussed in the next step. To define a specific...

Step 1 Loading the AnyConnect Package

Before you define configuration policies for the AnyConnect VPN Client in an IOS router, you have to load the client package in the local flash. You can verify it by issuing the show flash or dir command and looking for the svc.pkg file. Using SDM, you can choose Configure > VPN > SSL VPN > Packages and check whether the Cisco AnyConnect VPN Client software is installed. SDM allows you to download the latest version of AnyConnect Client if you do not already have it. It connects to...

Step 1 Loading the CSD Package

Like AnyConnect Client, you have to load the CSD package in the local flash of the SSL VPN gateway. If you are not sure whether you have CSD installed on your IOS router, type show flash or dir and look for the sdesktop.pkg file in the webvpn directory. Using SDM, you can choose Configure > VPN > SSL VPN > Packages and check whether the CSD is installed. SDM allows you to download the latest Cisco Secure Desktop (CSD) installation bundle. It connects to Cisco.com by prompting you for...

Step 1 Set Up CSD

The first step in achieving the listed goals is to create a secure environment for remote users. This is achieved by following these steps: 1. Choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup, click Browse Flash to select the CSD file you want to use, and select Enable Secure Desktop. 2. Choose Configuration > Remote Access VPN > Secure Desktop Manager > Windows Location Setting and define a prelogin sequence based on registry key and IP address range. Create a...

Step 2 Configuring DAP

SecureMe wants to apply policy enforcements through DAP. The next step is to configure DAP by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies. 1. Create a new DAP record by clicking Add and specifying the record name of Contractors-DAP. Under AAA attribute selection criteria, click Add and select RADIUS as the AAA Attribute Type. Under Attribute ID, specify 25 and select Value equal to Contractors. Insert another AAA attribute type of Cisco...

Step 2 Mapping a Smart Tunnel List to a Group Policy

The smart tunnel list, defined in Step 1, is then mapped to a user or group policy. Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > ClientlessGroupPolicy > Edit > Portal and select the list on the Smart Tunnel List drop-down menu. Additionally, select the Auto Start option to automatically install and start the applet as soon as the clientless SSL VPN user connects to the security appliance. As shown in Figure 5-35, a smart tunnel list of...

Step 2 Mapping Port Forwarding Lists to a Group Policy

The port-forwarding list, defined in Step 1, is then mapped to a user or group policy. Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > ClientlessGroupPolicy > Edit > Portal and select the list on the Port Forwarding List drop-down menu. Additionally, select the Auto Applet Download option to automatically install and start the applet as soon as the clientless SSL VPN user establishes a connection to the security appliance. As shown in Figure...

Step 2 Setting Up an SSL VPN Context

After setting up the SSL VPN gateway, you must define an SSL VPN context. The actual user sessions are established to the SSL VPN context using the IP address definition of the SSL VPN gateway. Additionally, you can apply all the policies to limit a user or a group of users. An authentication server that is mapped to the context performs the actual user authentication here. After a user is authenticated, any configured policies are applied to the user's session. Step 4 discusses user and group...

Step 3 Configure AnyConnect SSL VPN

The last step needed to meet the listed requirements is to configure AnyConnect VPN Client on the security appliance for remote users. Follow these guidelines to achieve the goals: 1. Choose Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Settings > Add. Click Browse Files and select AnyConnect VPN client. 2. After loading the AnyConnect Client, enable full tunnel client functionality on the outside interface. This is achieved by selecting the...

Step 3 Configuring SSL VPN Look and Feel

Figure 6-5 shows the default SSL VPN page when a connection is made to the IOS router from a web browser. The title of the page is SSLVPN Service, and the Cisco Systems logo is displayed in the upper-left corner of the web page. The initial page prompts the user for user authentication credentials. The default login message is Welcome to Cisco Systems SSLVPN Service. You can customize the initial SSL VPN login page based on the security policies of your organization. Cisco IOS routers also...

Step 3 Define Clientless Connections

The last step in achieving the listed goals is to set up clientless connections for remote contractors as follows: 1. Choose Configure > VPN > SSL VPN > SSL VPN Gateways > Add to create a gateway. Specify a gateway name of SecureMeGW, enable this gateway, and configure 209.165.200.225 as the IP address of this gateway. Select a digital certificate if one is already installed. If you prefer to use a self-signed certificate, select a certificate from the Trustpoint drop-down menu. Click OK when...

Step 3 Defining Policies for Windows-Based Clients

After successfully logging in to Secure Desktop Manager, you can define policies that the SSL VPN users must adhere to. If the client's computer matches a certain profile, the client is given access based on the configured policies on the profile. The following sections walk you through the configuration of Secure Desktop Manager in defining the profiles and the respective policies for the SSL VPN users. The following topics are presented: Identifying keystroke loggers; Defining Secure Desktop...

Step 3 Obtaining an Identity Certificate

After the CA certificate is obtained from the CA server, use the crypto ca enroll command followed by the trustpoint name to generate an identity certificate request to the server. Example 5-5 demonstrates how to generate the certificate request.

Example 5-5 Generating the ID Certificate Request

Chicago(config)# crypto ca enroll SecureMeTrustPoint
% The fully-qualified domain name in the certificate will be: Chicago.securemeinc.com
% Include the device serial number in the subject name? [yes/no]: no...

Step 4 Configuring SSL VPN Group Policies

A group policy is a set of common parameters that an SSL VPN user inherits during tunnel negotiations. You can define multiple group policies in a context; however, only one group policy can be designated as the default policy, and only one group policy can be applied to a user. If you need to satisfy requirements for different sets of users, you can define multiple group policies to meet those requirements. You can leverage a RADIUS server to pass the group policy when the user authentication...