AAA Server Scalability and High Availability

The scalability and availability of the AAA server directly affect the availability of your VPN network and the user experience. For a small- to medium-sized VPN network, it is relatively easy to address this design issue. Because the number of VPN users is relatively small, the scalability of the AAA server is less of an issue. Also, because small to medium deployments normally do not have dispersed Internet VPN access, the AAA servers normally reside on a local network, and network delay...

Acknowledgments

We would like to thank the technical editors, Pete Davis and David Garneau, for their time and technical expertise. They verified our work and provided recommendations on how to improve the quality of this manuscript. We would also like to thank Vincent Shan, Andy Qin, James Fu, and Awair Waheed from the Cisco Security Technical Group for their help and guidance. We also recognize Saddat Malik for providing content source for several figures in Chapter 2. Special thanks go to Scott Enicke and...

AnyConnect Client and External Authentication

SecureMe has recently learned about the full network connectivity method that is offered by the Cisco IOS router through SSL VPN. The company wants to use this feature for its regular employees so that they can work from home and have full access to the internal network. Figure 6-46 shows SecureMe's network topology for AnyConnect Client. Figure 6-46 SecureMe's SSL VPN for AnyConnect Clients. SecureMe's security requirements are as follows...

AnyConnect Client with CSD and External Authentication

SecureMe has recently learned about the SSL VPN functionality in Cisco ASA and wants to deploy it for a number of remote employees in New York. These employees need full access to the internal network without restriction to complete their tasks if they meet criteria defined by the administrator. Figure 5-65 shows SecureMe's network topology for AnyConnect Client. Figure 5-65 SecureMe's SSL VPN for AnyConnect Clients. The security requirements...

AnyConnect SSL VPN Client

During the early development period of SSL VPNs, network administrators needed a VPN client that had benefits that were similar to an IPsec remote access VPN client, but required less administrative overhead for installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. Cisco first introduced the SSL VPN Client (SVC) that was a self-downloading, self-installing, self-configuring, and self-uninstalling VPN. In Release...

AnyConnect VPN Client Configuration Guide

During the early development period of SSL VPNs, network administrators needed a VPN client that had benefits similar to those of an IPsec remote access VPN client, but required less administrative overhead than installing and maintaining the IPsec VPN client. To accommodate those requirements, the idea of a full tunnel SSL VPN client emerged. In the pre-version 8.0 releases, Cisco provided the SSL VPN Client (SVC). This is a self-downloading, self-installing, self-configuring, and self-uninstalling VPN...

Application Data

After the handshake phase, the application can begin to communicate under the protection of the newly established secure SSL connection. The record protocol is responsible for fragmenting, compressing, hashing, and encrypting all the application data at the sending side, as well as decrypting, verifying, decompressing, and reassembling messages at the receiving end. Figure 2-9 shows the SSL record layer operation. Figure 2-9 SSL/TLS Record Protocol Operation...

Applying Secure Desktop Restrictions

In addition to the global parameters that can be configured (discussed in the preceding section), you can apply certain restrictions to Secure Desktop to further enhance the level of security for SSL VPN sessions. These restrictions are defined in Secure Desktop Settings under a predefined location. These restrictions include the following: Restrict application usage to the web browser only, with the following exceptions. With this option, you can only allow users to launch multiple windows of...

Assigning CSD Policy

When a computer tries to connect to the security appliance, CSD matches it to one of the predefined locations. For each location, you can choose to load either Secure Desktop or Cache Cleaner on the workstation. Choose Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin location and select the appropriate option. The option should be selected based on your security policies. For example, if a user is identified as a HomeCorpOwned workstation, you can choose to enable...

Basic Host Scan

Basic Host Scan can be used to identify the following information on a remote computer: operating systems and their respective service packs, specific process names in Windows operating systems, specific filenames in Windows operating systems, and registry keys in Windows operating systems. You can use basic Host Scan to determine whether a remote workstation matches a specific user profile by checking information such as its operating system, registry, files, or even an actively running process. When...

C

CA (certification authority), 230, 28, 99-100 Cache Cleaner, 166, 180-181 Mac Linux policies, defining, 298-300 policies, defining, 295-296 certification, 28-30 change cipher spec protocols, 34 CIFS (Common Internet File System) clientless issues, 218 configuring, 254-255 IOS router support, 253-257 servers, 257 cifs-url-list attribute (group policies), 246 CipherSuite, 37 Cisco SAFE VPN IPSec Virtual Private Networks in Depth website, 82 Secure ACS integration mode (CSM), 327, 330 VPN 3000...

Cisco ASA 5500 Series

The Cisco ASA 5500 series Adaptive Security Appliance provides an advanced Adaptive Identification and Mitigation (AIM) architecture and is a key component of the Cisco Self-Defending Network. As mentioned earlier in this chapter, the security appliances integrate firewall, IDS/IPS, and VPN capabilities and provide an all-in-one solution for an organization. Seven Cisco ASA 5500 series models are available in the current Cisco ASA 5500 series product line. They include the following: The Cisco...

Cisco IOS Routers

Cisco Systems introduced the SSL VPN functionality in Release 12.4(6)T of Cisco IOS router code. Small- to medium-sized enterprises are perfectly positioned to use IOS SSL VPN to extend a remote access VPN solution to their employees and partners. Using a Cisco IOS router as an SSL VPN gateway, customers can deploy a single-box device to meet their routing, voice, wireless, firewall, IPS/IDS, and remote access VPN requirements. Seven Cisco IOS router product series support SSL VPN. They...

Cisco Secure ACS Integration Mode

The Cisco Secure ACS integration mode provides more granular administrative permission controls than the native mode. The two main areas are as follows: Application-specific roles. Cisco Secure ACS allows you to define customized roles that have granular permission down to the policy and object level. For example, you can define an administrative role that is authorized only to view and modify SSL VPN policies, but not other security policies, such as firewall policies or IPS policies. Figure...

Cisco Secure Desktop

Cisco Secure Desktop (CSD) provides a secure desktop environment to remote users after validating a number of security parameters on the client workstation. The purpose of CSD is to minimize the risk posed by the remote workstations by collecting necessary information from them. If the received information matches the preconfigured criteria, the security appliance can create a secure environment and optionally apply certain policies to and restrictions on the user session. When the user session...

Client Operating System and Browser and Software Requirements

The SSL VPN functionality on Cisco security appliances is supported on a number of client operating systems and on a number of browsers. The supported platforms are discussed next. Compatible browser: You must use an SSL-enabled browser such as Microsoft Internet Explorer, Firefox, Opera, Safari, Mozilla, Netscape, or Pocket Internet Explorer (PIE). Table 5-3 provides a list of operating systems and the supported Internet browsers. Table 5-3 Supported Operating Systems and Internet Browsers...

Clientless Connections with CSD

SecureMe wants to deploy an SSL VPN solution for a group of contractors that access some resources from their laptops. These contractors use a terminal server as well as a web server for browsing, and a Windows file server to save and retrieve their documents. All contractors use Windows-based operating systems on their workstations. SecureMe prefers to create a secure environment before SSL VPN sessions are allowed. Figure 6-45 shows SecureMe's proposed network topology for clientless...

Clientless Connections with DAP

After successfully implementing the AnyConnect functionality on the security appliance, SecureMe has now decided to provide clientless functionality to a group of mobile contractors. These contractors use a web server for browsing, a terminal server, and a Windows file server to save and retrieve their documents. Figure 5-66 shows SecureMe's proposed network topology for clientless connections. Figure 5-66 SecureMe's Clientless Connection Topology with DAP. The security...

Clientless SSL VPN Configuration Guide

The SSL VPN functionality on Cisco ASA is the most robust in the industry. The following sections focus on the clientless users who want to access internal corporate resources but do not have an SSL VPN client loaded on their workstations. These users typically access protected resources from shared workstations or even from hotels or Internet cafés. The clientless configuration on Cisco ASA can be broken down into the following subsections: Enable SSL VPN on an interface; Configure SSL VPN...

Configure AnyConnect SSL VPN Properties

The last step necessary to meet the listed requirements is to configure AnyConnect VPN Client on the router for remote users. This deployment scenario assumes that an SSL VPN gateway and context were not defined earlier and creates new ones. Follow these guidelines to achieve the goals: Step 4 Under IP Address Pool from Which Clients Will Be Assigned an IP Address, click the option and select Create a new IP Pool. Under Pool Name, specify SSLVPNPool, and then click Add to define a range of IP...

Configuring a Tunnel Group

A tunnel group can be configured by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles. Click Add to add a new tunnel group. As shown in Figure 5-5, a tunnel group called SecureMeClientlessTunnel has been added. After defining a tunnel group name, you can bind a user group-policy to a tunnel group. Once a user is connected, the attributes and policies defined under the group-policy will be applied to the user. A user group-policy of...

Configuring Antispyware Host Scan

To set up the security appliance to scan the remote workstation for antispyware, click Add under AntiSpyware. You can check remote workstations for antispyware compliance and update noncompliant computers. A new window opens with a list of all supported antispyware vendors and their respective products. Select the antispyware vendor and product that you use in your environment from the list and click OK when finished. Similar to the antivirus scan option, you can also force the remote...

Configuring Bookmarks

Using a clientless SSL VPN, remote users can browse their internal websites, file server shares, and Outlook Web Access (OWA) servers. Cisco ASA achieves this functionality by terminating the SSL tunnels on its outside interface and then rewriting the content before sending it to the internal server. For example, if a user tries to access an internal website, the user's HTTPS connection is terminated to the outside interface. The ASA then forwards the HTTP or HTTPS request to the internal web...

Configuring Client-Server Plug-Ins

For known applications, such as VNC, Remote Desktop, Telnet, and SSH, you can allow the clientless SSL VPN users to connect to the protected network using the supported applications. This way, when a clientless SSL VPN user is authenticated, the user can choose to launch an application plug-in such as VNC and connect to an internal server running the VNC application. Cisco provides the client-server plug-ins for VNC, Remote Desktop, and SSH/Telnet. These plug-ins can be downloaded from the...

Configuring DAP

When a user tries to establish a connection, DAP can analyze the posture assessment result of a remote host and apply access policies that are dynamically generated. DAP can evaluate AAA attributes (RADIUS, LDAP, and Cisco-specific attributes) and endpoint attributes (such as Host Scan results and prelogin locations) before an action or a series of actions is applied to a user session. It is designed to complement the authentication, authorization, and accounting (AAA) services by aggregating the...

Configuring DTLS

Datagram Transport Layer Security (DTLS), defined in RFC 4347, provides security and privacy for UDP packets. This allows UDP-based applications to send and receive traffic in a secure fashion without worrying about packet tampering and message forgery. Thus, applications that want to avoid the delays associated with TCP but still want to communicate securely can use DTLS. Cisco AnyConnect Client supports both SSL and DTLS transport protocols. If DTLS is enabled...

Configuring File Servers

In addition to the web servers, you can also define a bookmark list of the file servers that the clientless users can access. Cisco ASA supports network file sharing using the Common Internet File System (CIFS), a file system that uses the original IBM and Microsoft networking protocols. Through CIFS, users can access their file shares located on the file servers. Users can download, upload, delete, or rename the files under the shared directories, but only if the file system permissions allow...

Configuring Firewall Host Scan

To check remote workstations for personal firewall compliance, click Add under Personal Firewall. A new window opens with a list of all the supported firewall vendors and their respective products. Select the firewall vendor and product that you use in your environment from the list and click OK when finished. You can also configure a firewall action if your firewall application supports it. This option is useful if you want to make sure that the remote workstation has an active firewall...

Configuring Group Policies

The user group and default group policies are configured by choosing Configuration > Remote Access VPN > Clientless SSL VPN Access or Network (Client) Access > Group Policies. Click Add to add a new group policy. As shown in Figure 5-4, a user group-policy, called ClientlessGroupPolicy, has been added. This group-policy only allows clientless SSL VPN tunnels to be established and strictly rejects all the other tunneling protocols. If you would rather assign attributes to default...

Configuring Port Forwarding

Using port forwarding, the clientless SSL VPN users can access corporate resources over the known and fixed TCP ports such as Telnet, SSH, Terminal Services, SMTP, and so on. The port-forwarding feature requires you to install Sun Microsystems' Java Runtime Environment (JRE) and configure applications on the end user's PC. If users are establishing the SSL VPN tunnel from public computers, such as Internet kiosks or web cafés, they might not be able to use this feature. The installation of...

Configuring Smart Tunnels

As discussed earlier, port forwarding provides access to applications that use static TCP ports. It modifies the HOSTS files on a host so that traffic can be redirected to a forwarder that encapsulates traffic over the SSL VPN tunnel. Additionally, with port forwarding, the Cisco ASA administrator needs to know what addresses and ports the SSL VPN users will connect to, and requires the SSL VPN users to have admin rights to modify the HOSTS file. To overcome some of the challenges related to...

Configuring SSL VPN Portal Customization

Figure 5-11 shows the default SSL VPN page when a connection is initiated from a web browser. The title of the page is SSL VPN Service and the Cisco Systems logo is displayed in the upper-left corner of the web page. The initial page prompts the user for user authentication credentials. Figure 5-11 Default SSL VPN Login Page. You can customize the initial SSL VPN login page based on security policies of your organization. Cisco ASA also allows you to...

Configuring Websites

After adding a bookmark list, you can add a bookmark entry for the internal web servers that you want to give access to the clientless users. In Figure 5-26, a bookmark list name of InternalServers has been added. Because it is a new list, the administrator has added a bookmark title of InternalWebServer with a URL value of http://intranet.securemeinc.com. Under advanced options, a subtitle of "This is the internal web portal for SecureMe Inc. employees" is added with a thumbnail of the...

Content Rewriting

The previous section described URL mangling, which is an important technique in the process by which SSL VPN users access corporate resources using the clientless web access mode. The second important technique is content rewriting. As a reverse proxy server, the SSL VPN gateway fetches web-based content from an internal web server and performs content rewriting. The main goal of the content rewriting is to change the URL references and Java socket calls so that all users' requests point to the...

Cryptographic Building Blocks of SSL VPNs

A VPN carries private traffic over public networks. A secure VPN meets the following basic requirements: Authentication guarantees that the VPN entity communicates with the intended party. The authentication can apply to either a VPN device or a VPN user. For example, in a remote access VPN, the VPN head-end device can authenticate the user PC to make sure that it is indeed the PC that owns the IP address that it uses to connect to the concentrator. The concentrator can also authenticate the end...

CSD Architecture

CSD not only checks certain attributes on the client computer to ensure its compliance but also enhances data security by providing an encrypted vault to authorized users. When a user wants to establish an SSL VPN session and CSD is enabled, the client and the gateway go through a number of steps, as outlined in the list that follows. These steps are illustrated in Figure 6-33. Step 1 Users request the SSL VPN login page by pointing their browsers to the gateway IP address. Step 2 User sessions...

Customized Login Page and User Connection Profile

After customizing the login page, the next logical step is to display it to the users who are logging in. You have two ways to display the login page to the user: DefaultWEBVPNGroup connection profile. If you want your customized login page to be displayed to all users who access the security appliance using its FQDN (fully qualified domain name) or the IP address, apply the customized object under the DefaultWEBVPNGroup connection profile by choosing Configuration > Remote Access VPN >...

Customized Portal Page and User Connection Profile

When a user first connects to the security appliance, the logon portal is presented based on how the SSL VPN connection is established. For example, if a user selects a logon group, after a successful user authentication, a user portal is shown based on what customization object is mapped to that user connection profile. You have the following three ways to display the customized portal page to a user: Default Login without Group Selection. When a user accesses the login page and authenticates...

D

Accessing, 204 actions, 198 functions, 200-201 network ACLs, 198 port-forwarding lists, 202 URL lists, 203 web-type ACLs, 199 DAPs (Dynamic Access Policies), 189 architecture, 190-191 clientless connections, 209-210 clientless connections, defining, 210-211 DAP configuration, 211-212 configuring, 192-193 AAA authorization attributes, 193-195 access policies, 197-204 clientless connections, 211-212 endpoint attributes, 195-197 sequence of events, 191 troubleshooting, 219-220 Data Encryption...

DAP Architecture

As mentioned earlier, DAP analyzes the posture assessment result of a host and applies dynamically generated access policies when a user session is established. It is designed to complement the AAA services by aggregating the locally defined attributes with the received attributes from the AAA server. In the case of an authorization attribute conflict, the locally defined attribute is selected. Therefore, it is possible to generate DAP authorization attributes by aggregating multiple DAP...

Defining a Pool of Addresses

During the SSL VPN tunnel negotiations, an IP address is assigned to the VPN adapter of the AnyConnect VPN Client. The client uses this IP address to access resources on the protected side of the tunnel. Cisco ASA supports three different methods to assign an IP address back to the client. Many organizations prefer assigning an IP address from the local pool of addresses for flexibility. The IP address is assigned by configuring an address pool and then linking the pool to a policy group. You...

Defining AnyConnect VPN Client Attributes

After loading the SVC package in the security appliance's configuration, ASDM allows you to define AnyConnect VPN Client parameters such as the IP address that the client should receive. Before an AnyConnect SSL VPN tunnel is functional, you have to configure the following four required attributes: Enabling AnyConnect VPN Client functionality; Defining a pool of addresses; Configuring traffic filters. Optionally, you can define other attributes to enhance the functionality of the AnyConnect VPN...

Defining Cache Cleaner Policies

As discussed earlier in this chapter, Cache Cleaner securely removes local browser data such as web pages, history information, and cached user credentials. When Cache Cleaner is launched on a client computer, it closes any existing browser windows and initiates the Cache Cleaner process. It monitors browser data, and when the user logs out of the SSL VPN session, it closes the browser and cleans the cache associated with the SSL VPN session. Cache Cleaner can be configured under Cache Cleaner...

Defining Policies for the Mac and Linux Cache Cleaner

As mentioned earlier in the chapter, Cache Cleaner is supported not only on Windows operating systems but also on Linux and Mac OS X systems. Additionally, you can define a limited VPN feature policy for these clients. Table 6-8 lists the available features that you can implement for Mac- and Linux-based computers. Figure 6-43 Defining Windows CE Policies...

Defining Prelogin Policies

In the supported Windows, OS X, and Linux-based operating systems, you can define the potential locations where the client computers might be connecting from. For example, if your users connect from the office network, home office network, and even Internet cafés, you can define a location for each setup and give appropriate access to your users. For users connecting from the office network, you classify those hosts fairly securely and allow a less restrictive environment. For users connecting...

Defining Prelogin Sequences

To configure CSD parameters, choose Configuration > Remote Access VPN > Secure Desktop Manager > Prelogin Policy. You can define a prelogin sequence that CSD can use to identify a host and match it to an appropriate profile. If the client's computer matches a certain profile, CSD can either create a Secure Desktop or launch Cache Cleaner. The following sections walk you through the configuration of Secure Desktop Manager in defining the profiles and the respective policies for the SSL VPN...

Defining Secure Desktop General Attributes

In CSD, you can set up general attributes that are applied to all SSL VPN sessions within a predefined location. For example, to allow users to switch between Secure Desktop and the local desktop, you can enable that feature here. The supported Secure Desktop general attributes include: Enable switching between Secure Desktop and Local Desktop. With this option enabled, the user has an option to switch back and forth between Secure Desktop and Local Desktop. In many cases, when an application is...

Deployment Scenarios

The Cisco SSL VPN solution is useful in deployments where remote and home users need access to corporate networks and administrators want to control their access based on a number of attributes. The SSL VPN solution can be deployed in many ways; however, the sections that follow cover two design scenarios for ease of understanding: AnyConnect Client with CSD and external authentication; Clientless connections with DAP. NOTE The design scenarios discussed in the following sections should be used...

DES and 3DES

Data Encryption Standard (DES) is by far the most widely used symmetric encryption algorithm. DES is a 64-bit block cipher that works on an 8-byte data block. The output cipher block has the same 8-byte length. At the decryption side, the same algorithm is applied in reverse with the same key. Due to the requirement of having parity bits, the effective key strength of DES is 56 bits. To encrypt a message that exceeds the DES block size, the individual cipher blocks are chained using a certain...

Device Placement

SSL VPN appliances are normally placed at the Internet edge of the corporate network. At the Internet edge of the network, other security devices are often deployed to protect the internal network from attacks. This section discusses the device placement issues you should consider when placing the SSL VPN devices among other security services at the edge. For companies that already have an IPsec-based remote access VPN solution deployed, the device placement considerations should also apply to...

Device View

As its name implies, device view provides a device-centric view of your SSL VPN network. Figure 7-1 shows the layout of a device view. Figure 7-1 Cisco Security Manager Device View. Three main areas are in the device view. The upper-left area lists all the devices and device groups. The lower-left area shows the common policies based on the device selected. The right area is the policy content work area. The devices can be imported into CSM in...

Diffie-Hellman

Published in 1976, Diffie-Hellman (DH) was the first published public-key algorithm. Diffie-Hellman is a key agreement protocol that enables communicating parties to agree on a shared secret without any previously shared secrets. Diffie-Hellman is often used in key exchange and during the establishment phase of a VPN tunnel. The Diffie-Hellman algorithm works as follows: 1. The communicating parties agree on two system parameters, a large prime p and a generator g. These are chosen such that for any...

Digital Signatures

In a secure communication, you must often ensure that a message comes from an authentic sender, not from malicious parties who spoof and claim that they are the intended sender. On the flip side, you might also require that the sender of the message cannot later deny being the source of the message (this is known as nonrepudiation). People sign paper documents and use the signatures as proof of authenticity and nonrepudiation. In the digital world, digital signatures (through digital signing)...

DNS and WINS Assignment

For the AnyConnect VPN Clients, you can assign DNS and WINS server IP addresses so that they can browse and access internal sites after their SSL tunnel is established. You can configure these attributes by choosing Configuration > Remote Access VPN > Network (Client) Access > Group Policies > SSLVPNGroup > Edit > Servers. To add multiple DNS or WINS servers, use a comma (,) to separate the entries. In Figure 5-43, the primary DNS server is defined as 192.168.1.10 and the secondary...

Enabling AnyConnect VPN Client Functionality

After the AnyConnect VPN Client is loaded into flash, the next step is to enable the AnyConnect Client functionality on the interface that is terminating the connection. This is achieved by selecting Enable Cisco AnyConnect VPN Client or Legacy SSL VPN Client Access on the Interfaces Selected in the Table Below in Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles. Select the outside interface if it is the interface that will terminate the SSL VPN...

Enabling Clientless SSL VPN on an Interface

The first step in setting up a clientless SSL VPN on the security appliances is to enable SSL VPN on the interface that will terminate the user session. If SSL VPN is not enabled on the interface, Cisco ASA will not accept any connections, even if SSL VPN is globally enabled. To enable SSL VPN on an interface through ASDM, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and select the Allow Access check box next to the interface on which you want...

Enabling Endpoint Host Scan

You can enable Endpoint Assessment by choosing Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan and then selecting Endpoint Assessment ver w.x.y.z, where w.x.y.z is the version of Endpoint Host Scan you are using. Figure 5-55 illustrates Endpoint Assessment as being enabled and running version 2.5.4.1. After it is enabled, the Endpoint Assessment can scan for antivirus, personal firewall, and antispyware applications and updates. Figure 5-55 Enabling Endpoint...

Endpoint Security Posture Assessment and Validation

A thorough preconnect security assessment is necessary. As discussed earlier, this helps prevent viruses, worms, and Trojan horses from spreading into the internal network and helps administrators make intelligent decisions on what access privilege to grant to the VPN users based on the endpoint security posture. The preconnect security posture validation can include the following aspects: Location checking. Using information such as IP address, Windows registries, or even PC screen banners, the...

Enrolling Digital Certificates (Recommended)

Enrollment is the process of obtaining a certificate from a certificate authority (CA). Before starting the enrollment process, you must generate the RSA key pair with the crypto key generate rsa command. To generate the keys, you must first configure a host name and domain name. Example 5-1 demonstrates how to configure a domain name of securemeinc.com and how to generate the RSA key pair of 1024-bit modulus size. NOTE If you want to test SSL VPN functionality in a lab environment or in a home...

High Availability

The high availability (HA) consideration for a remote access VPN deployment has two parts: local and geographic HA. Local HA methods include the following: Hot standby failover. The two SSL VPN appliances are in an active-passive failover session. Common failover protocols include Virtual Router Redundancy Protocol (VRRP) and Hot Standby Routing Protocol (HSRP). A stateful failover synchronizes the SSL VPN session information between the two units to ensure minimum user disruption during the...

Host Scan

Host Scan is a modular component of CSD. It is installed on the user's computer before the user logs in to the security appliance over an SSL VPN tunnel. If CSD is in use, Host Scan can collect some important endpoint attributes and pass them to other processes such as DAP for appropriate action. Host Scan can scan an end host for information that you want to collect, such as registry entries, filenames, and process names. Host Scan functionality can be greatly enhanced if an advanced Endpoint...

I

Traffic ACL 101 IP Address 192.168.50.1 Domain Name securemeinc.com Simultaneous Login 3 WINS 192.168.1.40 Traffic ACL 101 IP Address 192.168.50.1 NOTE: DfltGrpPolicy is a special group name, used solely for the default group policy. After defining these policies, they must be bound to a tunnel group where users terminate their sessions. This way, a user who establishes his VPN session to a tunnel group will inherit all the policies mapped to that tunnel group. The tunnel group defines a VPN...

Information Area

The information area shows any text and image that you want to display on the logon page. You can specify whether you want to display the information area to the left or the right side of the logon form. The Cisco ASA administrator can choose to enable or disable this element under the Information Panel option. In Figure 5-15, the information panel is disabled by the administrator. Figure 5-15 Logon Page Information Area Customization...

Initial SSL VPN Configuration

The configuration of SSL VPN can be accomplished in five steps. Figure 6-2 is used throughout this section to demonstrate how to set up the Cisco IOS router. As shown in this figure, the IOS router is set up to accept the SSL VPN connections from the hosts on the Internet. There are several servers on the private network of the router. Table 6-3 describes the servers used in this setup. Table 6-3 Description and Location of Servers: Resolves NetBIOS...

Internet Browser Settings

As discussed in the previous section, CSD is installed on the client computer through ActiveX, Java, or an executable file. You must configure the appropriate security settings in your Internet browser to allow those functions. For example, in Internet Explorer, use the guidelines discussed in Table 5-7. These settings are configured by choosing Tools > Internet Options > Security tab > Internet > Custom Level. ActiveX controls and plug-ins > Download signed ActiveX controls ActiveX...

Introduction to Remote Access VPN Technologies

Since the advent of the Internet, network administrators have looked for ways to leverage this low-cost, widespread medium to transport data while protecting data integrity and confidentiality. They looked for ways to protect the information within the data packets while providing transparency to the end user. This spawned the concept of Virtual Private Networks (VPN). Subsequently, the Internet Engineering Task Force (IETF) was engaged to craft standard protocols and procedures to be used by...

Issues with Websites

If you use clientless SSL VPN to provide connectivity to remote users and a user is having issues connecting to the websites through bookmarks, follow these steps to isolate the problem: Check whether the user is having connectivity issues with all configured websites. If so, check whether other applications, such as CIFS, port forwarding, or smart tunnels, are working well. If connectivity issues are limited to one web server, check whether one user or all users are having issues connecting to...

Keeping the SSL VPN Client Installed

After the SSL VPN client is installed successfully, the security appliance allows you to keep the client installed on the computer, even if the tunnel is disconnected. By default, the AnyConnect Client is automatically removed after users log off and is reinstalled when the tunnel is successfully established. You should keep this option enabled so that users do not need to go through the process of installing the client. Additionally, the initial AnyConnect Client installation requires...

Lack of Security on Unmanaged Computers

As mentioned earlier, SSL VPNs can support users coming from any computer on the Internet, such as public domain machines (for example, kiosk PCs) that are not controlled by the corporate IT department. This department ensures that the machines have proper service packs and security software, such as antivirus software. This poses a major threat to security. If, for example, SSL VPN users sign in to the SSL VPN from a compromised or infected PC, they can become a source for spreading viruses,...

Loading SDM Recommended

Cisco Security Device Manager (SDM) provides an easy-to-navigate and simple graphical user interface (GUI) to set up and manage different features that a Cisco IOS router provides. It is bundled with a variety of administration, configuration, and monitoring tools to check the health of the device and the traffic traversing through it. Although setting up SDM is optional, you should use SDM in configuring the SSL VPN functionality in Cisco IOS routers. NOTE: SSL VPN is a relatively new feature...

Loading the CSD Package

Like Cisco AnyConnect VPN Client, you must load the CSD package in the local flash of the security appliance. If you're not sure whether you have CSD installed in your security appliance, choose Tools > File Management and look at the contents of the local flash. If you don't see a securedesktop-asa-3.x.xxx-k9.pkg file, upload the file from the local flash of the management host to the flash of the security appliance. After the CSD file is uploaded, choose Configuration > Remote Access VPN...

Loading the SVC Package

Before you define configuration policies for the AnyConnect VPN Client, you have to load the AnyConnect VPN Client package in the local flash of the security appliance. You can verify whether it is installed by choosing Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Setting. If an AnyConnect VPN Client image is not installed, you can click Add to Browse through the local flash of the security appliance and select the AnyConnect file you want...

Logout Page

Cisco ASA even allows you to customize the logout page. You can define the logout message and provide an option for whether users can be allowed to log back in. You can pick the color of the title font and title background, and the font and background colors of the logout page. In Figure 5-19, the administrator has added the logout message Please Clear Your Browser's Cache, Delete Any Downloaded Files, and Close All Open Browsers Before You Sign Out. The login button is not allowed, and thus...

Man-in-the-Middle Attacks

There have been known man-in-the-middle (MITM) attacks against the SSL protocol, and this is how they can work. The attacker first launches an Address Resolution Protocol (ARP) spoofing attack or Domain Name System (DNS) spoofing attack against the SSL VPN user. If the attack succeeds, the SSL traffic is redirected to the attack host, which is configured with SSL proxy software. The attack host then acts as the destination web server by establishing an SSL connection with the user on one side and another...

Message Authentication Code

Message authentication code (MAC) is a cryptographic checksum that is used to ensure the integrity of the message during transmission. To generate a MAC, you can use either an encryption algorithm, such as Data Encryption Standard (DES), or a hashing algorithm. Hashing is generally much faster than encryption algorithms, so the hash-based MAC (HMAC) is the most popular way. HMAC is a keyed hash function. Here is how it works: To generate an HMAC of a message M, you need to pick two system...

Monitoring and Troubleshooting SSL VPN

The following sections discuss the monitoring and troubleshooting steps that are available to help you in running the SSL VPN solution smoothly on a security appliance. To monitor the WebVPN sessions, first check how many active SSL VPN tunnels are established on the security appliance. You can do this by choosing Monitoring > VPN > VPN Statistics > Sessions. The security appliance shows you all the active VPN sessions, including the clientless and full tunnel client connections. As shown...

Native Mode

In the native mode, the following default roles are available with predefined permissions, including view, modify, assign, approve, import, deploy, control, and submit: Help Desk: Help desk users can view (but not modify) devices, policies, objects, and topology maps. Network Operator: In addition to viewing permissions, network operators can view CLI commands and CSM administrative settings. Network operators can also modify the configuration archive and issue commands (such as ping) to devices....

Network ACL

The Network ACL tab allows you to apply traffic filters for the user session that match the DAP record. You can define traffic filters in the form of network ACLs. Each ACL can have either a permit or deny statement, but you cannot have both. If an ACL has both permit and deny rules, DAP rejects it as a configuration error. If a user session matches multiple DAP records, an aggregated ACL is applied on the user. The aggregated list considers a number of parameters, such as the priority of each...

Not All Resource Access Methods Are Equal

As mentioned in Chapter 2, SSL VPN Technology, SSL VPN employs a variety of techniques, each of which has its unique characteristics in terms of user experience, user privilege requirements, and levels of access to the network resources. This is one of the major differences between SSL VPN and traditional remote access solutions, such as IPsec-based remote access VPN. When you design an SSL VPN network, it is important to understand that not all access methods are equal and different access...

OSI Layer Placement and TCP/IP Protocol Support

SSL is a platform-independent and application-independent protocol that is used to secure TCP-based applications. It sits on top of the TCP layer, below the application layer, and acts like sockets connected by TCP connections. Figure 2-6 shows the SSL placement in the protocol stack. Figure 2-6 SSL in the Protocol Stack (application layer protocols such as HTTP and SMTP above SSL). SSL assumes reliable underlying packet delivery; thus, it always runs only on top of TCP, not over UDP or directly over IP. Although SSL should work with any static client-server TCP...

Overview of Cisco SSL VPN Product Portfolio

Cisco currently offers the SSL VPN functionality in a number of its product offerings, including the following: Cisco VPN 3000 series concentrator: The Cisco VPN 3000 series concentrator was the first Cisco product to offer the SSL VPN functionality. The clientless and thin-client modes were introduced in the 4.1 version of code, whereas the full-tunnel client support was added in the 4.7 version of code. Cisco VPN 3000 series concentrators are now end-of-life units. Cisco recommends that you...

Performance and Scalability

Performance considerations for an SSL VPN design are a bit different from those of the IPsec-based VPN because of the multiple technologies that the SSL VPN features. When you try to determine the performance of an SSL VPN appliance, you need to be clear about which resource access method you have in mind. The performance of different access methods varies greatly. The following list outlines the performance characteristics of the two most popular access methods: Reverse-proxy-based web access...

Platform Options

SSL VPNs are evolving in a manner similar to IPsec technology. This technology started as dedicated VPN concentrators and slowly became integrated with other network and security services. Two types of SSL VPN solutions are on the market: the pure-play SSL VPN appliances and the solutions that integrate SSL VPN functionalities with other network devices such as routers and firewalls. The emerging Unified Threat Management (UTM) market provides enterprises with options to deploy a single security...

Policy View

The policy view displays the policy-centric view. This is where you can define generic SSL VPN policy templates without worrying about specific device settings. The policy templates can later be assigned to an individual or a group of SSL VPN devices. Figure 7-6 shows the layout of the policy view. Similar to the device view, the upper-left area displays the list of security policy templates. Clicking SSL VPN, you can see all the generic SSL VPN policy templates that are supported by the CSM,...

Port Forwarding Lists

The Port Forwarding Lists tab allows you to apply a preconfigured port-forwarding list to a DAP record. If you do not have a preconfigured port-forwarding list, you can define one under this tab. Because DAP enforces action and policies, you can deny users the use of a port-forwarding list even if the group policy that the user is assigned to allows it. Similarly, if a group policy does not have a port-forwarding list mapped to the group policy, you can choose to auto-start the selected list....

Portal Page

In addition to changing the appearance of the logon page, administrators can change how a portal is displayed to the user after he or she is authenticated. This includes designing their home pages as well as their application access windows when they launch an application. At a high-level architecture, the web portal is broken into four elements: the title panel, toolbar, navigation pane, and content area. Figure 5-16 illustrates these four elements. Figure 5-16 SSL VPN User Web Portal...


Remote Access Technologies

Organizations are constantly under pressure to reduce costs by leveraging newer technology in their existing network infrastructure. With the growth of the Internet and greater focus on globalization, organizations are required to provide their employees with 24x7 access to organizational resources. The increasing number of mobile workers and telecommuters is a major factor in the exponential growth of remote access technologies. These users require the traditional LAN-based applications, such...

Resource Access Privilege Management

After user authentication, the remote access VPN device should be able to authorize the user with resource access privileges based on the user's attributes. As described earlier, because of the ubiquity of the SSL VPN, its design needs to ensure the integrity of the endpoint. Hence the resource authorization also goes beyond the standard user attributes to include other security attributes. The following is a list of attributes that can be used to determine resource access privilege: Sign-in URL...

Role-Based Administration

Role-based administration is an important concept in the security management of any large network. This is also true for central SSL VPN management. First, with CSM, several teams are working on security management, whether managing different security devices from different teams or managing the same security device from different aspects. Secondly, a single SSL VPN device can be used to support multiple customers or organization units, so it might be required to have multiple administrators,...

RSA and DSA

RSA and DSA are the two most common public key algorithms used in digital signature applications. RSA was designed by Ron Rivest, Adi Shamir, and Len Adleman (hence RSA) in 1977. Different from the Diffie-Hellman algorithm, the RSA algorithm is based on the fact that no efficient way exists to factor very large numbers. The common key sizes are 512-bit, 1024-bit, and 2048-bit. The performance of RSA is much slower than that of secret key algorithms such as DES. So RSA is normally not used for bulk data...


Secure Desktop

Secure Desktop, also known as system detection process, is a module that creates an encrypted vault in the client computer and allows users to securely access local resources or even allows users to establish SSL VPN sessions. Files created in this vault are encrypted and cannot be accessed by the applications outside this secure desktop. After a user disconnects a session, the vault can be configured so that it is destroyed. By using Secure Desktop, users are given appropriate access to the...

Secure Desktop Manager

Secure Desktop Manager is a GUI-based application that allows administrators to define policies and locations for remote users. It currently supports two modules Secure Desktop and Cache Cleaner. Secure Desktop Manager can be launched by pointing your browser to where the gateway-ip-address is the IP address of the SSL VPN gateway for user connections. The default username to log in to Secure Desktop Manager is admin, and the default password is the enable password of the router.

Security Considerations

A remote access VPN extends the perimeter of your network to the remote endpoints. An SSL VPN has been an entry point for security threats to enter the network. The ubiquity, versatility, and clientless nature of the SSL VPN provide significant business benefits and cost savings, but they also pose additional security challenges compared to traditional remote access VPNs. The following sections first examine the security threats that need to be addressed in SSL VPN security design. The sections...

Selecting Endpoint Attributes

After defining the AAA attributes, you can optionally select the endpoint attributes. These attributes are collected by a number of sources, including Host Scans (basic, Endpoint, or Advanced Endpoint), Secure Desktop, and NAC. The AAA attributes are validated during user authentication, whereas the endpoint attributes are collected by the security appliance prior to user authentication. Table 5-11 presents all the available attributes that you can select and configure under endpoint...

Setting Up an Advanced Endpoint Host Scan

You can enable Advanced Endpoint Assessment by choosing Configuration > Remote Access VPN > Secure Desktop Manager > Host Scan and then selecting Advanced Endpoint Assessment ver w.x.y.z, where w.x.y.z is the version of Advanced Endpoint Host Scan you are using. After it is enabled, it allows you to update remote hosts that are noncompliant so that they can meet the configured security requirements. Configure the Advanced Endpoint Assessment by highlighting Advanced Endpoint Assessment...

Setting Up the Appliance

When the ASDM file is accessed, the Cisco ASA loads the first ASDM image that it finds in the local flash. If multiple ASDM images exist in the flash, use the asdm image command and specify the location of the ASDM image you want to load. This ensures that the appliance always loads the specified image when ASDM is launched. In Example 5-9, the appliance is set up to use asdm-603.bin as the ASDM image file. Example 5-9 Specifying the ASDM Location: Chicago(config)# asdm image disk0:/asdm-603.bin...

Setting Up User Authentication

Cisco IOS routers support a variety of authentication servers, such as RADIUS, TACACS, and the local database. For small organizations, a local database can be set up for user authentication. For medium to large SSL VPN deployments, you should use an external RADIUS server as the user authentication database. If you are deploying the SSL VPN feature for a few users, you can use the local database, as shown in Example 6-1. Two accounts, sslvpnuser and adminuser, are configured for user...

Single Sign-On

Optionally, you can add a single sign-on (SSO) server to ensure that clientless users do not get prompted again to enter their user credentials if they try to access Windows-based shares. In SSO, the security appliance acts as a proxy between the clientless SSL VPN user and the authentication server. The security appliance uses the user's cached credentials (an authentication cookie) when the user tries to access secure websites or shares within the private network. If you use NT LAN Manager (NTLM)...