Cisco Secure Remote Architectures

Bobby Acker – CCIE #19310

© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Upload: adam-hoover

Post on 24-Dec-2015



Page 2:

Session Topics

Client-Based Remote Access Using Anyconnect

Clientless Access Using WebVPN Portals

Endpoint Security Using Secure Desktop

New ASA 8.0/ASDM 6.0 Features

Page 3:

Remote Access Using the Cisco Anyconnect Client

Page 4:

Secure Connectivity Everywhere: Extending the Self-Defending Network

(Diagram: remote users reach the ASA 5500 across the public Internet, either through a clientless SSL VPN or through a client-based SSL or IPsec VPN.)

Partners / Consultants: controlled access to specific resources and applications

Mobile Workers: easy access to corporate network resources

Roamers: seamless access to applications from unmanaged endpoints

Day Extenders / Home Office: day extenders and mobile employees require consistent, LAN-like, full-network access to corporate resources and applications

Page 5:

For End-Users, Access for All Applications: Cisco AnyConnect VPN Client for secure remote productivity

Extends the in-office experience: LAN-like full-network access; supports latency-sensitive apps like voice (via DTLS transport)

Access across platforms: Windows 2K / XP (x86/x64) / Vista (x86/x64), Mac OS X 10.4 & 10.5, Linux Intel, Windows Mobile 5 Pocket PC Edition (coming soon)

Always up to date: remotely installable and configurable to minimize user demands

No-hassle connections: no reboots required; stand-alone, Web Launch or portal connection; Start Before Login (2K/XP); MSI – Windows pre-installation package

Page 6:

For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – GUI Details (Statistics)

Page 7:

For End-Users, Access for All Applications: Datagram Transport Layer Security (DTLS)

Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels: TLS is used to tunnel TCP/IP over TCP/443. TCP requires retransmission of lost packets, so both the application and TLS wind up retransmitting when packet loss is detected.

DTLS solves the TCP-over-TCP meltdown problem: DTLS replaces the underlying transport TCP/443 with UDP/443. DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange). Only datagrams are transmitted over DTLS.

Other benefits: low latency for real-time applications. DTLS is optional and will automatically fall back to TLS (HTTPS).

Page 8:

For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – XML Profile (Start Before Login)

…<ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <BackupServerList>
        <HostAddress>cvc-asa-02.company.com</HostAddress>
        <HostAddress>10.94.146.172</HostAddress>
    </BackupServerList>
</ClientInitialization>
<ServerList>
    <HostEntry>
        <HostName>CVC-ASA-02</HostName>
        <HostAddress>cvc-asa-02.company.com</HostAddress>
    </HostEntry>

The ClientInitialization section represents global settings for the client. In some cases (e.g. BackupServerList) host-specific overrides are possible. The Start Before Logon feature can be used to activate the VPN as part of the logon sequence.

BackupServerList is a collection of one or more backup servers to be used in case the user-selected one fails. Each entry can be an FQDN or an IP address.
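To make the override semantics above concrete, here is an added Python example (not from the deck and not Cisco's code) that resolves the effective BackupServerList for each host entry and validates every entry as an FQDN or IP address. It assumes a profile without an XML namespace and that a HostEntry may carry its own BackupServerList; the sample profile is constructed.

```python
# Added example (not from the deck): resolve an AnyConnect XML profile's
# global settings against per-host overrides and validate backup servers.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile (no namespace): CVC-ASA-01 carries its own bad
# backup list, CVC-ASA-02 inherits the global one (per-host override assumed).
SAMPLE_PROFILE = """<AnyConnectProfile><ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<BackupServerList><HostAddress>cvc-asa-02.company.com</HostAddress>
<HostAddress>10.94.146.172</HostAddress></BackupServerList>
</ClientInitialization><ServerList>
<HostEntry><HostName>CVC-ASA-02</HostName>
<HostAddress>cvc-asa-02.company.com</HostAddress></HostEntry>
<HostEntry><HostName>CVC-ASA-01</HostName>
<HostAddress>cvc-asa-01.company.com</HostAddress>
<BackupServerList><HostAddress>not a host!</HostAddress></BackupServerList>
</HostEntry></ServerList></AnyConnectProfile>"""


def valid_host(addr):
    """True if addr is an IPv4/IPv6 address or has the shape of an FQDN."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        labels = addr.split(".")
        return len(labels) > 1 and all(
            lbl.isascii() and lbl.replace("-", "").isalnum() for lbl in labels)


def backup_hosts(elem):
    """HostAddress values of elem's own BackupServerList, or None if absent."""
    bsl = elem.find("BackupServerList")
    if bsl is None:
        return None
    return [h.text.strip() for h in bsl.findall("HostAddress") if h.text]


def effective_settings(profile_xml=SAMPLE_PROFILE):
    """Effective backup list per host (host override beats global), its invalid
    entries, and the SBL state (no UserControllable attr => user-changeable)."""
    root = ET.fromstring(profile_xml)
    init = root.find("ClientInitialization")
    sbl = init.find("UseStartBeforeLogon")
    global_backups = backup_hosts(init) or []
    report = {"sbl_enabled": (sbl.text or "").strip().lower() == "true",
              "sbl_user_controllable": sbl.get("UserControllable", "true").lower() == "true",
              "hosts": {}}
    for entry in root.iter("HostEntry"):
        override = backup_hosts(entry)
        backups = global_backups if override is None else override
        report["hosts"][entry.findtext("HostName")] = {
            "backups": backups,
            "invalid": [b for b in backups if not valid_host(b)]}
    return report
```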

Page 9:

For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – Troubleshooting

Windows will utilize the Windows Event Viewer: review the log messages under Cisco AnyConnect VPN Client. Logging on Mac and Linux will utilize their syslogs: Linux default location /var/log/messages, Mac location /var/log/system.log.

Firewall port requirements – UDP port 443 (DTLS), TCP port 443 (HTTPS/SSL)

TLS will always be negotiated first, then DTLS is negotiated on top of it, so you will see these messages in the log:

A SSL connection has been established using cipher xxxx.
A DTLS connection has been established using cipher xxxx.

If only the SSL message appears, the client is running over TLS (TCP/443); check that UDP port 443 is permitted between the client and the ASA.
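As an added example (not part of the deck), the following Python scans client log lines for the two messages above and reports, per session, whether the tunnel came up on DTLS or fell back to TLS as described on page 7. The log lines, process name, cipher names and the "Establishing VPN session" session delimiter are constructed assumptions.

```python
# Added example (not from the deck): scan AnyConnect client log lines for the
# two "connection has been established" messages and decide which tunnel
# transport each session ended up on.  Log lines below are constructed.
import re

CONSTRUCTED_LOG = """\
Mar  3 10:12:01 laptop vpnagentd[412]: Establishing VPN session...
Mar  3 10:12:02 laptop vpnagentd[412]: A SSL connection has been established using cipher AES256-SHA.
Mar  3 10:12:03 laptop vpnagentd[412]: A DTLS connection has been established using cipher AES128-SHA.
Mar  3 11:40:17 laptop vpnagentd[412]: Establishing VPN session...
Mar  3 11:40:18 laptop vpnagentd[412]: A SSL connection has been established using cipher AES256-SHA.
"""

# The "Establishing VPN session" marker is an assumed session delimiter.
SESSION_START = "Establishing VPN session"
ESTABLISHED = re.compile(
    r"A (SSL|DTLS) connection has been established using cipher (\S+?)\.?$")


def analyze_sessions(log_text=CONSTRUCTED_LOG):
    """Per session: the TLS and DTLS ciphers seen and the resulting transport.
    TLS but no DTLS means the client fell back to TCP/443; the usual cause is
    UDP/443 being blocked between the client and the ASA."""
    sessions = []
    current = None
    for line in log_text.splitlines():
        if SESSION_START in line:
            current = {"tls_cipher": None, "dtls_cipher": None, "order": []}
            sessions.append(current)
            continue
        m = ESTABLISHED.search(line)
        if not m or current is None:
            continue
        proto, cipher = m.groups()
        current["order"].append(proto)
        current["tls_cipher" if proto == "SSL" else "dtls_cipher"] = cipher
    for s in sessions:
        if s["tls_cipher"] and s["dtls_cipher"]:
            s["transport"] = "DTLS (UDP/443)"
            # TLS is always negotiated first; DTLS before SSL is unexpected.
            s["anomaly"] = s["order"][0] != "SSL"
        elif s["tls_cipher"]:
            s["transport"] = "TLS only (TCP/443): DTLS fallback, check UDP/443"
            s["anomaly"] = False
        else:
            s["transport"] = "no tunnel established"
            s["anomaly"] = False
    return sessions
```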

Page 10:

For End-Users, Access for All Applications: Cisco AnyConnect VPN Client – Troubleshooting (Windows Event Viewer)

An example of how the Windows Event Viewer will look.

Page 11:

For End-Users, Access for All Applications: Cisco VPN – Client comparison

Feature | Cisco VPN Client | Cisco SSL VPN Client | Cisco AnyConnect VPN Client
Approximate size | 10 MB | 400 KB | 1.5-2 MB**
Initial install | distribute | auto download / distribute | auto download / distribute
Admin rights required | yes | initial installation only (stub installer available) | initial installation only (MSI available – Windows)
Protocol | IPsec | TLS (HTTPS) | DTLS, TLS (HTTPS) – auto
OS support | multiple* | 2000/XP | multiple**
Head end | ASA/PIX/3K/IOS | ASA/3K/IOS | ASA

* Windows 2K / XP x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris

** Windows 2K / XP x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5 & 6 support planned (additive license) – non-Windows support and alternate connection modes, including DTLS, available for ASA 8.0+ only

Page 12:

Clientless Access Using Cisco WebVPN Portals

Page 13:

For End-Users, Seamless Access Anywhere: Personalized application and resource access

Personalized homepage: localizable, RSS feeds, personal bookmarks, etc.

Delivers web-based and traditional applications: sophisticated web and other applications delivered seamlessly to the browser; SAML Single Sign-On (SSO) – verified with RSA Access Manager

Intuitive user experience: drag-and-drop file access and webified file transport

Delivers key applications beyond the browser: Smart Tunnels deliver more applications without admin privileges

Page 14:

For End-Users, Seamless Access Anywhere: Enhanced clientless interface, highly customizable

Customizable Banner Graphic

Customizable Colors and Sections

Customizable Links, Network Resource Access

Customizable Access Methods

Customizable Banner Message

Page 15:

For End-Users, Seamless Access Anywhere: Clientless file access

Access for FTP file shares in addition to CIFS (Common Internet File System)

Webfolders for Internet Explorer (native Windows explorer file access)

Page 16:

For End-Users, Seamless Access Anywhere: Java Client/Server Plug-ins

Support for a number of common TCP applications via Java plug-ins, such as Windows Terminal Server (RDP), TELNET & SSH, VNC, and the Citrix Java Presentation Server Client (plug-in loaded by administrator)

A resource is defined as a URL with the appropriate protocol type, e.g. rdp://server:port

Support for these third-party applications exists in the form of packaged single archive files in the .jar file format.

The extensible plug-in mechanism may provide support for additional applications in the future

Page 17:

For End-Users, Seamless Access Anywhere: Java Client/Server Plug-ins – Details

When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).

The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.

The Java applet(s) are transparently cached in the ASA cache.

Page 18:

For Administrators, Visual Management: ASDM – SSL & IPsec Wizards

Separate wizards for SSL and IPsec VPN configuration

Page 19:

For Administrators, Visual Management: New SSL VPN Wizard – Details

Specify authentication method

Specify group policy to use or create a new one

Specify a bookmark list for the Portal page

Create or use an existing address pool and specify the AnyConnect image location

Page 20:

Endpoint Security Using Cisco Secure Desktop

Page 21:

Unique Security Challenges on the Endpoint: SSL VPN Brings New Points of Attack

(Diagram: a Remote User, an Employee at Home and a Supply Partner connecting from an Extranet Machine, an Unmanaged Machine or a Customer Managed Machine.)

Before SSL VPN Session: Who owns the endpoint? Endpoint security posture: AV, personal firewall? Is malware running?

During SSL VPN Session: Is session data protected? Are typed passwords protected? Has malware launched?

Post SSL VPN Session: Browser cached intranet web pages? Browser stored passwords? Downloaded files left behind?

Page 22:

Comprehensive EndPoint Security: Cisco Secure Desktop (CSD) now supports checking for hundreds of pre-defined products, updated frequently

Anti-virus, anti-spyware, personal firewall, and more

Administrators can define custom checks including running processes

Posture policy presented visually to simplify configuration and troubleshooting (Pre-login sequence and Dynamic Access Policies)

Cisco Secure Desktop consists of four features:

Host Scan (Windows)

Advanced Endpoint Assessment provides remediation and periodic rechecking capabilities (licensed option)

Secure Vault (Windows 2K/XP)

Cache Cleaner (Windows, Mac OS X, and Linux)

Page 23:

Cisco Secure Desktop: Pre-login Decision Tree

Supported checks: registry check, file check, certificate check, Windows version check, IP address check

Leaf nodes: login denied, location, subsequence

Visual policy simplifies administrative configuration

Page 24:

Comprehensive EndPoint Security: Dynamic Access Policies (DAP)

The Dynamic Access Policy (DAP) is defined as a collection of access control attributes associated with a specific tunnel or session. The DAP is dynamically generated by selecting and/or aggregating attributes from one or more DAP records. The DAP records are selected based on the endpoint security information of the remote device and/or the AAA authorization information of the authenticated user. The DAP is generated and then applied to the user's tunnel or session.
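An added Python example (not from the deck and not the ASA's implementation) of the selection-and-aggregation logic described above: DAP records carry AAA and endpoint match criteria, the records that match a session are selected, and their attributes are aggregated into one policy. The record set, attribute names, the "terminate wins" rule and the priority ordering are assumptions of this example.

```python
# Added example (not from the deck): a simplified model of how a Dynamic
# Access Policy is built by selecting DAP records whose endpoint and AAA
# criteria match the session, then aggregating their attributes.  Records,
# attribute names and aggregation rules are assumptions, not the ASA's own.

# Constructed DAP records.  Every criterion in a record must match
# ("all of" semantics); a record with no criteria never matches.
DAP_RECORDS = [
    {"name": "Employees-Managed", "priority": 10,
     "aaa": {"memberOf": "Employees"}, "endpoint": {"av.enabled": "true"},
     "action": "continue", "acls": ["emp-full-access"]},
    {"name": "Employees-NoAV", "priority": 20,
     "aaa": {"memberOf": "Employees"}, "endpoint": {"av.enabled": "false"},
     "action": "continue", "acls": ["quarantine-only"]},
    {"name": "Partners", "priority": 5,
     "aaa": {"memberOf": "Partners"}, "endpoint": {},
     "action": "continue", "acls": ["partner-webapps"]},
    {"name": "Block-Unsupported-OS", "priority": 0,
     "aaa": {}, "endpoint": {"os": "unsupported"},
     "action": "terminate", "acls": []},
]
# Applied when no record matches (assumed default policy).
DEFAULT_POLICY = {"action": "continue", "acls": ["default-deny-all"]}


def record_matches(record, aaa, endpoint):
    """Selected when the record has at least one criterion and every AAA and
    endpoint criterion equals the corresponding session attribute."""
    if not record["aaa"] and not record["endpoint"]:
        return False
    return (all(aaa.get(k) == v for k, v in record["aaa"].items())
            and all(endpoint.get(k) == v for k, v in record["endpoint"].items()))


def build_dap(aaa, endpoint, records=DAP_RECORDS):
    """Select matching records and aggregate them: any 'terminate' action wins;
    otherwise ACLs are concatenated in priority order (lowest number first),
    dropping duplicates.  With no match the default policy applies."""
    selected = sorted((r for r in records if record_matches(r, aaa, endpoint)),
                      key=lambda r: r["priority"])
    names = [r["name"] for r in selected]
    if not selected:
        return {"records": [], **DEFAULT_POLICY}
    if any(r["action"] == "terminate" for r in selected):
        return {"records": names, "action": "terminate", "acls": []}
    acls = []
    for r in selected:
        acls.extend(a for a in r["acls"] if a not in acls)
    return {"records": names, "action": "continue", "acls": acls}
```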

Page 25:

Comprehensive EndPoint Security: Dynamic Access Policies (DAP)

Add AAA attributes

Add endpoint attributes

Page 26:

Comprehensive EndPoint Security: Dynamic Access Policies (DAP)

Specific endpoint attributes

Note: These drop-down menus will only show up after enabling CSD and enabling Host Scan Endpoint Assessment under CSD. You can disable CSD after enabling Host Scan and applying it.

Page 27:

Cisco Secure Desktop (Secure Vault): How it Works

(Diagram: an employee-owned desktop connects over a clientless SSL VPN to an ASA 5500, which pushes Cisco Secure Desktop to the endpoint.)

Step One: A user on the road connects with the concentrator and the Cisco Secure Desktop is pushed down to the endpoint automatically.

Step Two: An encrypted sandbox or hard drive partition is created for the user to work in.

Step Three: The user logs in.

Step Four: At logout the virtual desktop that the user has been working in is eradicated and the user is notified.

Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session, auto-timeout will close the session and erase session information.

Page 28:

Cisco Secure Desktop: Machine Scan

Page 29:

Cisco Secure Desktop: Login Page (After Scan)

Page 30:

Cisco Secure Desktop: Access Restricted

Page 31:

Cisco Secure Desktop: Access Denied

Page 32:

Onscreen (Virtual) Keyboard

Helps reduce the risk associated with keystroke loggers.

This can be applied to the password field on the clientless SSL VPN login page or on any page that requires username/password authentication.

This only applies to the password entry field.

Page 33:

Cisco ASA 5500 Series Product Lineup: Solutions Ranging from SMB to Large Enterprise

Cisco ASA 5505 – Teleworker / Branch Office / SMB
Max connections 25,000; packets/sec 85,000
Max firewall 150 Mbps; max firewall + IPS: Future; max IPsec VPN 100 Mbps; max IPsec/SSL peers 25/25
Base I/O: 8-port FE switch; VLANs supported: 3/20 (trunk); HA supported: Stateless A/S (Sec Plus); VPN load balancing: No

Cisco ASA 5510 – Internet Edge
Max connections 130,000; packets/sec 190,000
Max firewall 300 Mbps; max firewall + IPS 300 Mbps; max IPsec VPN 170 Mbps; max IPsec/SSL peers 250/250
Base I/O: 5 FE; VLANs supported: 50/100; HA supported: A/A and A/S (Sec Plus); VPN load balancing: (Sec Plus/8.0)

Cisco ASA 5520 – Internet Edge
Max connections 280,000; packets/sec 320,000
Max firewall 450 Mbps; max firewall + IPS 375 Mbps; max IPsec VPN 225 Mbps; max IPsec/SSL peers 750/750
Base I/O: 4 GE + 1 FE; VLANs supported: 150; HA supported: A/A and A/S; VPN load balancing: Yes

Cisco ASA 5540 – Internet Edge
Max connections 400,000; packets/sec 500,000
Max firewall 650 Mbps; max firewall + IPS 450 Mbps; max IPsec VPN 325 Mbps; max IPsec/SSL peers 5000/2500
Base I/O: 4 GE + 1 FE; VLANs supported: 200; HA supported: A/A and A/S; VPN load balancing: Yes

Cisco ASA 5550 – Internet Edge / Campus
Max connections 650,000; packets/sec 600,000
Max firewall 1.2 Gbps; max firewall + IPS N/A; max IPsec VPN 425 Mbps; max IPsec/SSL peers 5000/5000
Base I/O: 8 GE + 1 FE; VLANs supported: 250; HA supported: A/A and A/S; VPN load balancing: Yes

Cisco ASA 5580/20 – Data Center / Campus
Max connections 1,000,000; packets/sec 2,500,000
Max firewall 6.5 Gbps; max firewall + IPS N/A; max IPsec VPN 1 Gbps; max IPsec/SSL peers 10,000/10,000
Base I/O: 10 GE + 2x10GE; VLANs supported: 250; HA supported: A/A and A/S; VPN load balancing: Yes

Cisco ASA 5580/40 – Data Center / Campus
Max connections 2,000,000; packets/sec 4,000,000
Max firewall 14 Gbps; max firewall + IPS N/A; max IPsec VPN 1 Gbps; max IPsec/SSL peers 10,000/10,000
Base I/O: 10 GE + 2x10GE; VLANs supported: 250; HA supported: A/A and A/S; VPN load balancing: Yes