Cisco Secure Remote Architectures - PowerPoint Presentation

Slide1

Cisco Secure Remote Architectures

Bobby Acker – CCIE #19310

Slide2

Session Topics

Client-Based Remote Access Using

Anyconnect

Clientless Access Using

WebVPN

Portals

Endpoint Security Using Secure Desktop

New ASA 8.0/ASDM 6.0 Features

Slide3

Remote Access Using the Cisco Anyconnect Client

Slide4

Secure Connectivity Everywhere Extending the Self-Defending Network

Public

Internet

ASA 5500

Clientless SSL VPN

Clientless SSL VPN

Client-based SSL or IPsec VPN

Partners / Consultants

Controlled access to specific resources and applications

Mobile Workers

Easy access to corporate network resources

Roamers

Seamless access to applications from unmanaged endpoints

Day Extenders / Home Office

Day extenders and mobile employees require consistent LAN-like, full-network access, to corporate resources and applications

Client-based SSL or IPsec VPN

Slide5

For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client for secure remote productivity

Extends the in-office experienceLAN-like full-network access, supports latency sensitive apps like voice (via DTLS transport)Access across platformsWindows 2K / XP (x86/x64) / Vista (x86/x64)Mac OS X 10.4 & 10.5, Linux IntelWindows Mobile 5 Pocket PC Edition (Coming soon)Always up to dateRemotely installable and configurable to minimize user demandsNo-hassle ConnectionsNo reboots requiredStand-alone, Web Launch, Portal ConnectionStart Before Login (2K/XP)MSI – Windows Pre-installation package

Slide6

For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – GUI Details (Statistics)

Slide7

For End-Users, Access for All ApplicationsDatagram Transport Layer Security (DTLS)

Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels

TLS is used to tunnel TCP/IP over TCP/443

TCP requires retransmission of lost packets

Both

application

and

TLS

wind up retransmitting when packet loss is detected.

DTLS solves the TCP over TCP meltdown problem

DTLS replaces underlying transport TCP/443 with UDP/443

DTLS uses TLS to negotiate and establish DTLS connection (control messages and key exchange)

Datagrams only are transmitted over DTLS

Other benefits

Low latency for real time applications

DTLS is optional and will automatically fallback to TLS (HTTPS)

Slide8

For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – XML Profile (Start Before Login)

…<ClientInitialization> <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon><BackupServerList> <HostAddress>cvc-asa-02.company.com</HostAddress> <HostAddress>10.94.146.172</HostAddress></BackupServerList></ClientInitialization><ServerList> <HostEntry> <HostName>CVC-ASA-02</HostName> <HostAddress>cvc-asa-02.company.com</HostAddress> </HostEntry>

The Client Initialization section represents global settings for the client. In some cases (e.g. BackupServerList) host specific overrides are possible. The Start Before Logon feature can be used to activate the VPN as part of the logon sequence.

Collection of one or more backup servers to be used in case the user selected one fails. Can be a FQDN or IP address.

Slide9

For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – Troubleshooting

Windows will utilize the Windows Event Viewer. Review the log messages in Cisco AnyConnect VPN Client.

Logging on Mac and Linux will utilize their ‘syslogs’

Linux default location /var/log/messages

Mac location /var/log/system.log

Firewall port requirements –

UDP Port 443 (DTLS)

TCP Port 443 (HTTPS/SSL)

TLS will always be negotiated first, then it will further negotiate DTLS so you will see these messages in the log.

A SSL connection has been established using cipher xxxx.

A DTLS connection has been established using cipher xxxx.

Slide10

For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – Troubleshooting (Windows Event Viewer)

An example of how Windows Event Viewer will look.

Slide11

For End-Users, Access for All ApplicationsCisco VPN - Client comparison

Cisco VPN ClientCisco SSL VPN ClientCisco AnyConnect VPN ClientApproximate size10 MB400KB1.5-2 MB**Initial installdistributeauto downloaddistributeauto downloaddistributeAdmin rights requiredyesInitial installation only(Stub installer available)Initial installation only(MSI available – Windows)ProtocolIPsecTLS (HTTPS)DTLS, TLS (HTTPS) - AutoOS Supportmultiple*2000/XPmultiple**Head EndASA/PIX/3K/IOSASA/3K/IOSASA

* Windows 2K / XP/ x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris

** Windows 2K/ X P x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5&6 support planned (additive license) – Non Windows support and alternate connection modes available, including DTLS for ASA 8.0+ only

Slide12

Clientless Access Using Cisco WebVPN Portals

Slide13

For End-Users, Seamless Access Anywhere Personalized application and resource access

Personalized homepageLocalizable, RSS feeds, personal bookmarks, etc.Delivers web-based and traditional applications Sophisticated web and other applications delivered seamlessly to the browserSAML Single Sign-On (SSO) – verified with RSA Access ManagerIntuitive user experienceDrag and Drop file access and webified file transportDelivers key applications beyond the browserSmart Tunnels deliver more applications without admin privileges

Slide14

For End-Users, Seamless Access Anywhere Enhanced clientless interface, highly customizable

Customizable Banner Graphic

Customizable Colors and Sections

Customizable Links, Network Resource Access

Customizable Access Methods

Customizable Banner Message

Slide15

For End-Users, Seamless Access Anywhere Clientless file access

Access for FTP file shares in addition to CIFS (Common Internet File System)Webfolders for Internet Explorer (native Windows explorer file access)

Slide16

For End-Users, Seamless Access Anywhere Java Client/Server Plug-ins

Support for number of common TCP applications via Java plugins such asWindows Terminal Server (RDP)TELNET & SSHVNCCitrix Java Presentation Server Client (plug-in loaded by administrator)

Resource is defined as a URL with the appropriate protocol type, i.e.

rdp://server:port

Support for these third party applications exists in the form of packaged single archive files in the .jar file format.

Extensible plugin mechanism may provide support for additional applications in the future

Slide17

For End-Users, Seamless Access Anywhere Java Client/Server Plug-ins - Details

When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s). The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.The Java applet(s) are transparently cached in the ASA cache.

Slide18

For Administrators, Visual ManagementASDM – SSL & IPsec Wizards

For Administrators

Separate wizards for SSL and IPsec VPN configuration

Slide19

Specify authentication method

Specify group policy to use or create a new one

Specify a bookmark list for the Portal page

Create or use an existing address pool and specify the AnyConnect image location

For Administrators, Visual Management

New SSL VPN Wizard - Details

For Administrators

Slide20

Endpoint Security Using Cisco Secure Desktop

Slide21

Unique Security Challenges on the Endpoint SSL VPN Brings New Points of Attack

Remote User

Employee at Home

Supply Partner

During SSL VPN Session

Is session data protected?

Are typed passwords protected?

Has malware launched?

Post SSL VPN Session

Browser cached intranet web pages?

Browser stored passwords?

Downloaded files left behind?

Before SSL VPN Session

Who owns the endpoint?

Endpoint security posture: AV, personal firewall?

Is malware running?

Extranet Machine

Unmanaged Machine

Customer

Managed Machine

Slide22

Comprehensive EndPoint Security

Cisco Secure Desktop (CSD) now supports checking for hundreds of pre-defined products, updated frequently

Anti-virus, anti-spyware, personal firewall, and more

Administrators can define custom checks including running processesPosture policy presented visually to simplify configuration and troubleshooting (Pre-login sequence and Dynamic Access Policies)Cisco Secure Desktop consists of four features:Host Scan (Windows)Advanced Endpoint Assessment provides remediation and periodic rechecking capabilities (licensed option)Secure Vault (Windows 2K/XP)Cache Cleaner (Windows, Mac OS X, and Linux)

Slide23

Supported ChecksRegistry checkFile checkCertificate checkWindows version checkIP address checkLeaf NodesLogin deniedLocationSubsequenceVisual policy simplifies administrative configuration

Pre-login Decision Tree

Cisco Secure Desktop

Slide24

Comprehensive EndPoint SecurityDynamic Access Policies (DAP)

The Dynamic Access Policy (DAP) is defined as a collection of access control attributes associated with a specific tunnel or session. The DAP is dynamically generated by selecting and/or aggregating attributes from one or more DAP records. The DAP records are selected based on the endpoint security information of the remote device and/or the AAA authorization information of the authenticated user. DAP will be generated and then applied to the user’s tunnel or session.

Slide25

Comprehensive EndPoint SecurityDynamic Access Policies (DAP)

Add AAA attributes

Add endpoint attributes

Slide26

Comprehensive EndPoint SecurityDynamic Access Policies (DAP)

Specific endpoint attributes

Note: These drop down menus will only show up after enabling CSD and enabling Host Scan Endpoint Assessment under CSD. You can disable CSD after enabling Host Scan and applying it.

Slide27

Cisco Secure Desktop (Secure Vault)How it Works

Step One: A user on the road connects with the concentrator and the Cisco Secure Desktopis pushed down to the endpoint automatically.

Step Four: At Logout the Virtual Desktop that the user has been working in is eradicated and the user is notified

Employee-Owned Desktop

www…

Clientless SSL VPN

Step Two: An encrypted sandbox or hard drive partition is created for the user to work in

Cisco Secure Desktop

Step Three: The user logs in

Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session auto-timeout will close the session and erase session

information

ASA 5500

Slide28

Cisco Secure Desktop

Machine Scan

Slide29

Cisco Secure Desktop

Login Page (After Scan)

Slide30

Cisco Secure Desktop

Access Restricted

Slide31

Cisco Secure Desktop

Access Denied

Slide32

Onscreen (Virtual)Keyboard

Helps reduce the risk associated with keystroke loggers.

This can be applied to the password field on the clientless SSL VPN login page or on any page that requires username/password authentication.This only applies to the password entry field.

Slide33

Cisco ASA 5500 Series Product LineupSolutions Ranging from SMB to Large Enterprise

Cisco

ASA 5520

Cisco

ASA 5540

Cisco

ASA 5550

Cisco

ASA 5510

Cisco

ASA 5505

Network Location

Max Connections

Packets/Sec

Internet

Edge

Internet

Edge

Internet

Edge

130,000

190,000

280,000

320,000

400,000

500,000

Internet Edge

Campus

650,000

600,000

Teleworker /

Branch Office /

SMB

25,000

85,000

Performance

Max Firewall

Max Firewall + IPS

Max IPsec VPNMax IPsec/SSL Peers

300 Mbps300 Mbps170 Mbps250/250

450 Mbps375 Mbps225 Mbps750/750

650 Mbps450 Mbps325 Mbps5000/2500

1.2 GbpsN/A425 Mbps5000/5000

150 MbpsFuture100 Mbps25/25

Platform Capabilities

Base I/OVLANs SupportedHA SupportedVPN Load Balancing

5 FE50/100A/A and A/S (Sec Plus)(Sec Plus/8.0)

4 GE + 1 FE150A/A and A/SYes

4 GE + 1 FE200A/A and A/SYes

8 GE + 1 FE250A/A and A/SYes

8-port FE switch3/20 (trunk)Stateless A/S (Sec Plus)No

Cisco

ASA 5580/20

Cisco

ASA 5580/40

Data Center

Campus

1,000,000

2,500,000

Data Center

Campus

2,000,000

4,000,000

6.5 Gbps

N/A

1 Gbps

10,000/10,000

14 GbpsN/A1 Gbps10,000/10,000

10 GE + 2x10GE250A/A and A/SYes

10 GE + 2x10GE

250

A/A and A/S

Yes

Slide34