TRANSCRIPT
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Cisco Secure Remote Architectures
Bobby Acker – CCIE #19310
Session Topics
Client-Based Remote Access Using Anyconnect
Clientless Access Using WebVPN Portals
Endpoint Security Using Secure Desktop
New ASA 8.0/ASDM 6.0 Features
Remote Access Using the Cisco Anyconnect Client
Secure Connectivity Everywhere: Extending the Self-Defending Network
[Diagram: remote users reach an ASA 5500 across the public Internet, either by clientless SSL VPN or by client-based SSL or IPsec VPN]
Partners / Consultants: controlled access to specific resources and applications
Mobile Workers: easy access to corporate network resources
Roamers: seamless access to applications from unmanaged endpoints
Day Extenders / Home Office: day extenders and mobile employees require consistent LAN-like, full-network access to corporate resources and applications (client-based SSL or IPsec VPN)
For End-Users, Access for All Applications: Cisco AnyConnect VPN Client for secure remote productivity
Extends the in-office experience: LAN-like full-network access, supports latency-sensitive apps like voice (via DTLS transport)
Access across platforms: Windows 2K / XP (x86/x64) / Vista (x86/x64), Mac OS X 10.4 & 10.5, Linux Intel, Windows Mobile 5 Pocket PC Edition (coming soon)
Always up to date: remotely installable and configurable to minimize user demands
No-hassle connections: no reboots required; stand-alone, Web Launch or Portal connection; Start Before Login (2K/XP); MSI Windows pre-installation package
For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – GUI Details (Statistics)
For End-Users, Access for All Applications: Datagram Transport Layer Security (DTLS)
Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels
TLS is used to tunnel TCP/IP over TCP/443
TCP requires retransmission of lost packets
Both the application and TLS wind up retransmitting when packet loss is detected
DTLS solves the TCP-over-TCP meltdown problem
DTLS replaces the underlying transport TCP/443 with UDP/443
DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange)
Only datagrams are transmitted over DTLS
Other benefits
Low latency for real-time applications
DTLS is optional and will automatically fall back to TLS (HTTPS)
For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – XML Profile (Start Before Login)
…
<ClientInitialization>
  <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
  <BackupServerList>
    <HostAddress>cvc-asa-02.company.com</HostAddress>
    <HostAddress>10.94.146.172</HostAddress>
  </BackupServerList>
</ClientInitialization>
<ServerList>
  <HostEntry>
    <HostName>CVC-ASA-02</HostName>
    <HostAddress>cvc-asa-02.company.com</HostAddress>
  </HostEntry>
</ServerList>
The Client Initialization section represents global settings for the client. In some cases (e.g. BackupServerList) host-specific overrides are possible. The Start Before Logon feature can be used to activate the VPN as part of the logon sequence.
Collection of one or more backup servers to be used in case the user selected one fails. Can be a FQDN or IP address.
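As an added example (not Cisco tooling or code from the slide), the following parses the profile elements shown above and applies the rule stated on the slide that each backup server must be an FQDN or an IP address; the profile text is constructed from the slide's elements under an assumed <AnyConnectProfile> root, with one deliberately bad entry added.

```python
"""Parse the AnyConnect XML profile elements shown on the slide and check
the BackupServerList entries are FQDNs or IP addresses. Added example, not
Cisco tooling: the profile text is constructed from the slide's elements
(plus an assumed <AnyConnectProfile> root) with one bad entry added."""
import ipaddress
import re
import xml.etree.ElementTree as ET

PROFILE_XML = """<AnyConnectProfile>
<ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<BackupServerList>
<HostAddress>cvc-asa-02.company.com</HostAddress>
<HostAddress>10.94.146.172</HostAddress>
<HostAddress>not a host</HostAddress>
</BackupServerList>
</ClientInitialization>
<ServerList><HostEntry>
<HostName>CVC-ASA-02</HostName><HostAddress>cvc-asa-02.company.com</HostAddress>
</HostEntry></ServerList>
</AnyConnectProfile>"""

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_fqdn_or_ip(host):
    """True for an IPv4/IPv6 literal or a dotted hostname made of valid labels."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.split(".")
    return (len(labels) >= 2 and len(host) <= 253
            and all(LABEL_RE.fullmatch(label) for label in labels))


def parse_profile(xml_text):
    """Extract the Start Before Logon setting, backup servers and host entries."""
    root = ET.fromstring(xml_text)
    sbl = root.find("./ClientInitialization/UseStartBeforeLogon")
    return {
        "start_before_logon": sbl is not None and (sbl.text or "").strip().lower() == "true",
        "sbl_user_controllable": sbl is not None and sbl.get("UserControllable", "false").lower() == "true",
        "backup_servers": [h.text.strip() for h in root.findall("./ClientInitialization/BackupServerList/HostAddress")],
        "servers": [(e.findtext("HostName"), e.findtext("HostAddress")) for e in root.findall("./ServerList/HostEntry")],
    }


def invalid_backup_servers(profile):
    """Backup entries that are neither an FQDN nor an IP address."""
    return [h for h in profile["backup_servers"] if not is_fqdn_or_ip(h)]
```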
For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – Troubleshooting
Windows will utilize the Windows Event Viewer; review the log messages under Cisco AnyConnect VPN Client. Logging on Mac and Linux will utilize their syslogs:
Linux default location: /var/log/messages
Mac location: /var/log/system.log
Firewall port requirements: UDP port 443 (DTLS), TCP port 443 (HTTPS/SSL)
TLS will always be negotiated first, then DTLS is negotiated on top of it, so you will see these messages in the log:
A SSL connection has been established using cipher xxxx.
A DTLS connection has been established using cipher xxxx.
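As an added illustration (not Cisco code), the check below groups client log lines into connection attempts and flags any attempt that logged the SSL message but never the DTLS message, which is the fallback-to-TLS pattern to expect when UDP/443 is blocked; the timestamps, cipher names and the per-attempt "Contacting" line are constructed for the sample.

```python
"""Check AnyConnect client log lines for the TLS-then-DTLS sequence the
slide describes. Added illustration, not Cisco code: the two 'connection
has been established' texts are the slide's; the timestamps, cipher names
and the per-attempt 'Contacting' line are constructed for this example."""
import re

# Constructed sample: the first attempt negotiates TLS and then DTLS; the
# second never gets past TLS, the pattern seen when UDP/443 is blocked.
SAMPLE_LOG = """\
10:01:02 Contacting vpn.example.com.
10:01:03 A SSL connection has been established using cipher AES256-SHA.
10:01:04 A DTLS connection has been established using cipher AES256-SHA.
11:15:20 Contacting vpn.example.com.
11:15:21 A SSL connection has been established using cipher AES256-SHA.
"""

ATTEMPT_RE = re.compile(r"Contacting (\S+)\.")
SSL_RE = re.compile(r"A SSL connection has been established using cipher (\S+)\.")
DTLS_RE = re.compile(r"A DTLS connection has been established using cipher (\S+)\.")


def analyze_attempts(log_text):
    """Group log lines into connection attempts and record the cipher of
    each transport that was established (None if it never was)."""
    attempts = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            attempts.append({"host": m.group(1), "tls": None, "dtls": None})
            continue
        if not attempts:
            continue  # lines before the first attempt carry no state
        m = SSL_RE.search(line)
        if m:
            attempts[-1]["tls"] = m.group(1)
        m = DTLS_RE.search(line)
        if m:
            attempts[-1]["dtls"] = m.group(1)
    return attempts


def tls_only_attempts(log_text):
    """Attempts that established TLS but never DTLS, i.e. the client fell
    back to HTTPS transport; check UDP/443 through the firewall for these."""
    return [a for a in analyze_attempts(log_text) if a["tls"] and not a["dtls"]]
```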
For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – Troubleshooting (Windows Event Viewer)
An example of how Windows Event Viewer will look.
For End-Users, Access for All Applications: Cisco VPN client comparison
Feature | Cisco VPN Client | Cisco SSL VPN Client | Cisco AnyConnect VPN Client
Approximate size | 10 MB | 400 KB | 1.5-2 MB**
Initial install | distribute | auto download, distribute | auto download, distribute
Admin rights required | yes | initial installation only (stub installer available) | initial installation only (MSI available – Windows)
Protocol | IPsec | TLS (HTTPS) | DTLS, TLS (HTTPS) - auto
OS support | multiple* | 2000/XP | multiple**
Head end | ASA/PIX/3K/IOS | ASA/3K/IOS | ASA
* Windows 2K / XP x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris
** Windows 2K / XP x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5 & 6 support planned (additive license) – non-Windows support and alternate connection modes available, including DTLS, for ASA 8.0+ only
Clientless Access Using Cisco WebVPN Portals
For End-Users, Seamless Access Anywhere: Personalized application and resource access
Personalized homepage: localizable, RSS feeds, personal bookmarks, etc.
Delivers web-based and traditional applications
Sophisticated web and other applications delivered seamlessly to the browser
SAML Single Sign-On (SSO) – verified with RSA Access Manager
Intuitive user experience: drag-and-drop file access and webified file transport
Delivers key applications beyond the browser
Smart Tunnels deliver more applications without admin privileges
For End-Users, Seamless Access Anywhere: Enhanced clientless interface, highly customizable
Customizable Banner Graphic
Customizable Colors and Sections
Customizable Links, Network Resource Access
Customizable Access Methods
Customizable Banner Message
For End-Users, Seamless Access Anywhere: Clientless file access
Access for FTP file shares in addition to CIFS (Common Internet File System)
Webfolders for Internet Explorer (native Windows explorer file access)
For End-Users, Seamless Access Anywhere: Java Client/Server Plug-ins
Support for a number of common TCP applications via Java plug-ins, such as Windows Terminal Server (RDP), TELNET & SSH, VNC, and the Citrix Java Presentation Server Client (plug-in loaded by the administrator)
A resource is defined as a URL with the appropriate protocol type, e.g. rdp://server:port
Support for these third-party applications exists in the form of packaged single archive files in the .jar file format.
The extensible plug-in mechanism may provide support for additional applications in the future.
For End-Users, Seamless Access Anywhere: Java Client/Server Plug-ins - Details
When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).
The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.
The Java applet(s) are transparently cached in the ASA cache.
For Administrators, Visual Management: ASDM – SSL & IPsec Wizards
Separate wizards for SSL and IPsec VPN configuration
For Administrators, Visual Management: New SSL VPN Wizard - Details
Specify authentication method
Specify group policy to use or create a new one
Specify a bookmark list for the Portal page
Create or use an existing address pool and specify the AnyConnect image location
Endpoint Security Using Cisco Secure Desktop
Unique Security Challenges on the Endpoint: SSL VPN Brings New Points of Attack
[Diagram: remote users (employee at home, supply partner) connecting from extranet, unmanaged, or customer-managed machines]
Before SSL VPN session: Who owns the endpoint? Endpoint security posture: AV, personal firewall? Is malware running?
During SSL VPN session: Is session data protected? Are typed passwords protected? Has malware launched?
Post SSL VPN session: Browser cached intranet web pages? Browser stored passwords? Downloaded files left behind?
Comprehensive EndPoint Security: Cisco Secure Desktop (CSD) now supports checking for hundreds of pre-defined products, updated frequently
Anti-virus, anti-spyware, personal firewall, and more
Administrators can define custom checks including running processes
Posture policy presented visually to simplify configuration and troubleshooting (Pre-login sequence and Dynamic Access Policies)
Cisco Secure Desktop consists of four features:
Host Scan (Windows)
Advanced Endpoint Assessment provides remediation and periodic rechecking capabilities (licensed option)
Secure Vault (Windows 2K/XP)
Cache Cleaner (Windows, Mac OS X, and Linux)
Pre-login Decision Tree: Cisco Secure Desktop
Visual policy simplifies administrative configuration
Supported checks: registry check, file check, certificate check, Windows version check, IP address check
Leaf nodes: login denied, location, subsequence
Comprehensive EndPoint Security: Dynamic Access Policies (DAP)
The Dynamic Access Policy (DAP) is defined as a collection of access control attributes associated with a specific tunnel or session. The DAP is dynamically generated by selecting and/or aggregating attributes from one or more DAP records. The DAP records are selected based on the endpoint security information of the remote device and/or the AAA authorization information of the authenticated user. The DAP is generated and then applied to the user’s tunnel or session.
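The selection-and-aggregation step described above, as an added toy model (not the ASA's implementation): records are chosen by matching their AAA and endpoint criteria against the session, and their attributes are merged into one policy. The record names, attribute names, sample posture values and merge rules are assumptions made for this example.

```python
"""Toy model of Dynamic Access Policy (DAP) record selection and attribute
aggregation as the slide describes it. Added illustration, not the ASA's
implementation: the record names, attribute names and merge rules below
are assumptions made for this example."""

# Each record states the AAA and endpoint criteria that select it and the
# access-control attributes it contributes (all constructed sample data).
DAP_RECORDS = [
    {"name": "employees-healthy",
     "aaa": {"group": "employees"},
     "endpoint": {"av_running": True, "firewall_running": True},
     "attributes": {"action": "continue", "network_acl": ["corp-full"],
                    "clientless": ["file-share", "smart-tunnel"]}},
    {"name": "employees-no-firewall",
     "aaa": {"group": "employees"},
     "endpoint": {"firewall_running": False},
     "attributes": {"action": "continue", "network_acl": ["corp-restricted"],
                    "clientless": ["file-share"]}},
    {"name": "partners",
     "aaa": {"group": "partners"}, "endpoint": {},
     "attributes": {"action": "continue", "clientless": ["extranet-portal"]}},
    {"name": "malware-detected",
     "aaa": {}, "endpoint": {"malware_running": True},
     "attributes": {"action": "terminate"}},
]


def record_matches(record, aaa, endpoint):
    """A record is selected when every criterion it states is met by the
    session's AAA and endpoint data; criteria it omits act as wildcards."""
    return (all(aaa.get(k) == v for k, v in record["aaa"].items())
            and all(endpoint.get(k) == v for k, v in record["endpoint"].items()))


def build_dap(aaa, endpoint):
    """Select the matching records and aggregate their attributes into the
    single policy applied to the session. Assumed merge rules: any selected
    record saying 'terminate' wins; list-valued attributes are unioned."""
    selected = [r for r in DAP_RECORDS if record_matches(r, aaa, endpoint)]
    policy = {"records": [r["name"] for r in selected], "action": "continue",
              "network_acl": [], "clientless": []}
    for r in selected:
        attrs = r["attributes"]
        if attrs.get("action") == "terminate":
            policy["action"] = "terminate"
        for key in ("network_acl", "clientless"):
            for item in attrs.get(key, []):
                if item not in policy[key]:
                    policy[key].append(item)
    return policy
```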
Comprehensive EndPoint Security: Dynamic Access Policies (DAP)
Add AAA attributes
Add endpoint attributes
Comprehensive EndPoint Security: Dynamic Access Policies (DAP)
Specific endpoint attributes
Note: These drop-down menus will only show up after enabling CSD and enabling Host Scan Endpoint Assessment under CSD. You can disable CSD after enabling Host Scan and applying it.
Cisco Secure Desktop (Secure Vault): How it Works
Step One: A user on the road connects with the concentrator and the Cisco Secure Desktop is pushed down to the endpoint automatically.
Step Two: An encrypted sandbox or hard drive partition is created for the user to work in.
Step Three: The user logs in.
Step Four: At logout the Virtual Desktop that the user has been working in is eradicated and the user is notified.
Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session, auto-timeout will close the session and erase session information.
[Diagram: an employee-owned desktop running Cisco Secure Desktop connects over clientless SSL VPN to an ASA 5500 and on to the web]
Cisco Secure Desktop: Machine Scan
Cisco Secure Desktop: Login Page (After Scan)
Cisco Secure Desktop: Access Restricted
Cisco Secure Desktop: Access Denied
Onscreen (Virtual) Keyboard
Helps reduce the risk associated with keystroke loggers.
This can be applied to the password field on the clientless SSL VPN login page or on any page that requires username/password authentication.
This only applies to the password entry field.
Cisco ASA 5500 Series Product Lineup: Solutions Ranging from SMB to Large Enterprise

Network Location
Model | Network location | Max connections | Packets/sec
Cisco ASA 5505 | Teleworker / Branch Office / SMB | 25,000 | 85,000
Cisco ASA 5510 | Internet Edge | 130,000 | 190,000
Cisco ASA 5520 | Internet Edge | 280,000 | 320,000
Cisco ASA 5540 | Internet Edge | 400,000 | 500,000
Cisco ASA 5550 | Internet Edge / Campus | 650,000 | 600,000
Cisco ASA 5580/20 | Data Center / Campus | 1,000,000 | 2,500,000
Cisco ASA 5580/40 | Data Center / Campus | 2,000,000 | 4,000,000

Performance
Model | Max firewall | Max firewall + IPS | Max IPsec VPN | Max IPsec/SSL peers
Cisco ASA 5505 | 150 Mbps | Future | 100 Mbps | 25/25
Cisco ASA 5510 | 300 Mbps | 300 Mbps | 170 Mbps | 250/250
Cisco ASA 5520 | 450 Mbps | 375 Mbps | 225 Mbps | 750/750
Cisco ASA 5540 | 650 Mbps | 450 Mbps | 325 Mbps | 5000/2500
Cisco ASA 5550 | 1.2 Gbps | N/A | 425 Mbps | 5000/5000
Cisco ASA 5580/20 | 6.5 Gbps | N/A | 1 Gbps | 10,000/10,000
Cisco ASA 5580/40 | 14 Gbps | N/A | 1 Gbps | 10,000/10,000

Platform Capabilities
Model | Base I/O | VLANs supported | HA supported | VPN load balancing
Cisco ASA 5505 | 8-port FE switch | 3/20 (trunk) | Stateless A/S (Sec Plus) | No
Cisco ASA 5510 | 5 FE | 50/100 | A/A and A/S (Sec Plus) | (Sec Plus/8.0)
Cisco ASA 5520 | 4 GE + 1 FE | 150 | A/A and A/S | Yes
Cisco ASA 5540 | 4 GE + 1 FE | 200 | A/A and A/S | Yes
Cisco ASA 5550 | 8 GE + 1 FE | 250 | A/A and A/S | Yes
Cisco ASA 5580/20 | 10 GE + 2x10GE | 250 | A/A and A/S | Yes
Cisco ASA 5580/40 | 10 GE + 2x10GE | 250 | A/A and A/S | Yes