Cisco Secure Remote Architectures - PowerPoint Presentation

Slide1

Cisco Secure Remote Architectures

Bobby Acker – CCIE #19310Slide2

Session TopicsClient-Based Remote Access Using

AnyconnectClientless Access Using WebVPN PortalsEndpoint Security Using Secure Desktop

New ASA 8.0/ASDM 6.0 FeaturesSlide3

Remote Access Using the Cisco Anyconnect ClientSlide4

Secure Connectivity Everywhere Extending the Self-Defending Network

Public

Internet

ASA 5500

Clientless SSL VPN

Clientless SSL VPN

Client-based SSL or IPsec VPN

Partners / Consultants

Controlled access to specific resources and applications

Mobile Workers

Easy access to corporate network resources

Roamers

Seamless access to applications from unmanaged endpoints

Day Extenders / Home Office

Day extenders and mobile employees require consistent LAN-like, full-network access, to corporate resources and applications

Client-based SSL or IPsec VPNSlide5

For End-Users, Access for All Applications

Cisco AnyConnect VPN Client for secure remote productivity

Extends the in-office experience

LAN-like full-network access, supports latency sensitive apps like voice (via DTLS transport)

Access across platforms

Windows 2K / XP (x86/x64) / Vista (x86/x64)

Mac OS X 10.4 & 10.5, Linux Intel

Windows Mobile 5 Pocket PC Edition (Coming soon)

Always up to date

Remotely installable and configurable to minimize user demands

No-hassle Connections

No reboots required

Stand-alone, Web Launch, Portal ConnectionStart Before Login (2K/XP)

MSI – Windows Pre-installation packageSlide6

For End-Users, Access for All Applications

Cisco AnyConnect VPN Client – GUI Details (Statistics)Slide7

For End-Users, Access for All Applications

Datagram Transport Layer Security (DTLS)

Limitations of TLS (HTTPS/SSL) with SSL VPN tunnelsTLS is used to tunnel TCP/IP over TCP/443

TCP requires retransmission of lost packets

Both

application

and

TLS

wind up retransmitting when packet loss is detected.

DTLS solves the TCP over TCP meltdown problem

DTLS replaces underlying transport TCP/443 with UDP/443

DTLS uses TLS to negotiate and establish DTLS connection (control messages and key exchange)Datagrams only are transmitted over DTLSOther benefitsLow latency for real time applicationsDTLS is optional and will automatically fallback to TLS (HTTPS)Slide8

For End-Users, Access for All Applications

Cisco AnyConnect VPN Client – XML Profile (Start Before Login)

…

<ClientInitialization>

<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>

<BackupServerList>

<HostAddress>cvc-asa-02.company.com</HostAddress>

<HostAddress>10.94.146.172</HostAddress>

</BackupServerList>

</ClientInitialization>

<ServerList>

<HostEntry>

<HostName>CVC-ASA-02</HostName>

<HostAddress>cvc-asa-02.company.com</HostAddress> </HostEntry>

The Client Initialization section represents global settings for the client. In some cases (e.g. BackupServerList) host specific overrides are possible. The Start Before Logon feature can be used to activate the VPN as part of the logon sequence.

Collection of one or more backup servers to be used in case the user selected one fails. Can be a FQDN or IP address.Slide9

For End-Users, Access for All Applications

Cisco AnyConnect VPN Client – Troubleshooting

Windows will utilize the Windows Event Viewer. Review the log messages in Cisco AnyConnect VPN Client.

Logging on Mac and Linux will utilize their ‘syslogs’

Linux default location /var/log/messages

Mac location /var/log/system.log

Firewall port requirements –

UDP Port 443 (DTLS)

TCP Port 443 (HTTPS/SSL)

TLS will always be negotiated first, then it will further negotiate DTLS so you will see these messages in the log.

A SSL connection has been established using cipher xxxx.

A DTLS connection has been established using cipher xxxx.Slide10

For End-Users, Access for All Applications

Cisco AnyConnect VPN Client – Troubleshooting (Windows Event Viewer)

An example of how Windows Event Viewer will look.Slide11

For End-Users, Access for All Applications

Cisco VPN - Client comparison

Cisco VPN Client

Cisco SSL VPN Client

Cisco AnyConnect VPN Client

Approximate size

10 MB

400KB

1.5-2 MB**

Initial install

distribute

auto download

distribute

auto download

distribute

Admin rights required

yes

Initial installation only

(Stub installer available)

Initial installation only

(MSI available – Windows)

Protocol

IPsec

TLS (HTTPS)

DTLS, TLS (HTTPS) - Auto

OS Support

multiple*

2000/XP

multiple**

Head End

ASA/PIX/3K/IOS

ASA/3K/IOS

ASA

* Windows 2K / XP/ x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris

** Windows 2K/ X P x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5&6 support planned (additive license) – Non Windows support and alternate connection modes available, including DTLS for ASA 8.0+ onlySlide12

Clientless Access Using Cisco WebVPN PortalsSlide13

For End-Users, Seamless Access Anywhere

Personalized application and resource access

Personalized homepage

Localizable, RSS feeds, personal bookmarks, etc.

Delivers web-based and traditional applications

Sophisticated web and other applications delivered seamlessly to the browser

SAML Single Sign-On (SSO) – verified with RSA Access Manager

Intuitive user experience

Drag and Drop file access and webified file transport

Delivers key applications beyond the browser

Smart Tunnels deliver more applications without admin privilegesSlide14

For End-Users, Seamless Access Anywhere

Enhanced clientless interface, highly customizable

Customizable Banner Graphic

Customizable Colors and Sections

Customizable Links, Network Resource Access

Customizable Access Methods

Customizable Banner MessageSlide15

For End-Users, Seamless Access Anywhere

Clientless file access

Access for FTP file shares in addition to CIFS (Common Internet File System)

Webfolders for Internet Explorer (native Windows explorer file access)Slide16

For End-Users, Seamless Access Anywhere

Java Client/Server Plug-ins

Support for number of common TCP applications via Java plugins such as

Windows Terminal Server (RDP)

TELNET & SSH

VNC

Citrix Java Presentation Server Client (plug-in loaded by administrator)

Resource is defined as a URL with the appropriate protocol type, i.e.

rdp://server:port

Support for these third party applications exists in the form of packaged single archive files in the .jar file format.

Extensible plugin mechanism may provide support for additional applications in the futureSlide17

For End-Users, Seamless Access Anywhere

Java Client/Server Plug-ins - Details

When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).

The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.

The Java applet(s) are transparently cached in the ASA cache.Slide18

For Administrators, Visual Management

ASDM – SSL & IPsec Wizards

For Administrators

Separate wizards for SSL and IPsec VPN configurationSlide19

Specify authentication method

Specify group policy to use or create a new one

Specify a bookmark list for the Portal page

Create or use an existing address pool and specify the AnyConnect image location

For Administrators, Visual Management

New SSL VPN Wizard - Details

For AdministratorsSlide20

Endpoint Security Using Cisco Secure DesktopSlide21

Unique Security Challenges on the Endpoint SSL VPN Brings New Points of Attack

Remote User

Employee at Home

Supply Partner

During SSL VPN Session

Is session data protected?

Are typed passwords protected?

Has malware launched?

Post SSL VPN Session

Browser cached intranet web pages?

Browser stored passwords?

Downloaded files left behind?

Before SSL VPN Session

Who owns the endpoint?

Endpoint security posture: AV, personal firewall?

Is malware running?

Extranet Machine

Unmanaged Machine

Customer

Managed MachineSlide22

Comprehensive EndPoint Security

Cisco Secure Desktop (CSD) now supports checking for hundreds of pre-defined products, updated frequently

Anti-virus, anti-spyware, personal firewall, and more

Administrators can define custom checks including running processes

Posture policy presented visually to simplify configuration and troubleshooting (Pre-login sequence and Dynamic Access Policies)

Cisco Secure Desktop consists of four features:

Host Scan (Windows)

Advanced Endpoint Assessment provides remediation and periodic rechecking capabilities (licensed option)

Secure Vault (Windows 2K/XP)

Cache Cleaner (Windows, Mac OS X, and Linux)Slide23

Supported ChecksRegistry check

File checkCertificate checkWindows version check

IP address checkLeaf NodesLogin deniedLocation

Subsequence

Visual policy simplifies administrative configuration

Pre-login Decision Tree

Cisco Secure DesktopSlide24

Comprehensive EndPoint SecurityDynamic Access Policies (DAP)

The Dynamic Access Policy (DAP) is defined as a collection of access control attributes associated with a specific tunnel or session.

The DAP is dynamically generated by selecting and/or aggregating attributes from one or more DAP records.

The DAP records are selected based on the

endpoint security information

of the remote device and/or the

AAA authorization information

of the authenticated user.

DAP will be generated and then applied to the user’s tunnel or session.Slide25

Comprehensive EndPoint SecurityDynamic Access Policies (DAP)

Add AAA attributes

Add endpoint attributesSlide26

Comprehensive EndPoint SecurityDynamic Access Policies (DAP)

Specific endpoint attributes

Note: These drop down menus will only show up after enabling CSD and enabling Host Scan Endpoint Assessment under CSD. You can disable CSD after enabling Host Scan and applying it.Slide27

Cisco Secure Desktop (Secure Vault)How it Works

Step One: A user on the road connects with the concentrator and the Cisco Secure Desktop

is pushed down to the endpoint automatically.

Step Four: At Logout the Virtual Desktop that the user has been working in is eradicated and the user is notified

Employee-Owned Desktop

www…

Clientless SSL VPN

Step Two: An encrypted sandbox or hard drive partition is created for the user to work in

Cisco Secure Desktop

Step Three: The user logs in

Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session auto-timeout will close the session and erase session

information

ASA 5500Slide28

Cisco Secure Desktop

Machine ScanSlide29

Cisco Secure Desktop

Login Page (After Scan)Slide30

Cisco Secure Desktop

Access RestrictedSlide31

Cisco Secure Desktop

Access DeniedSlide32

Onscreen (Virtual)Keyboard

Helps reduce the risk associated with keystroke loggers.

This can be applied to the password field on the clientless SSL VPN login page or on any page that requires username/password authentication.

This only applies to the password entry field.Slide33

Cisco ASA 5500 Series Product LineupSolutions Ranging from SMB to Large Enterprise

Cisco

ASA 5520

Cisco

ASA 5540

Cisco

ASA 5550

Cisco

ASA 5510

Cisco

ASA 5505

Network Location

Max Connections

Packets/Sec

Internet

Edge

Internet

Edge

Internet

Edge

130,000

190,000

280,000

320,000

400,000

500,000

Internet Edge

Campus

650,000

600,000

Teleworker /

Branch Office /SMB25,00085,000

PerformanceMax FirewallMax Firewall + IPSMax IPsec VPNMax IPsec/SSL Peers

300 Mbps300 Mbps170 Mbps250/250450 Mbps

375 Mbps225 Mbps750/750650 Mbps450 Mbps325 Mbps5000/2500

1.2 GbpsN/A425 Mbps5000/5000

150 MbpsFuture100 Mbps25/25

Platform Capabilities

Base I/OVLANs SupportedHA Supported

VPN Load Balancing

5 FE

50/100

A/A and A/S (Sec Plus)

(Sec Plus/8.0)

4 GE + 1 FE

150A/A and A/S

Yes

4 GE + 1 FE200

A/A and A/S

Yes

8 GE + 1 FE

250A/A and A/SYes8-port FE switch

3/20 (trunk)Stateless A/S (Sec Plus)No

Cisco

ASA 5580/20CiscoASA 5580/40

Data Center

Campus1,000,0002,500,000Data CenterCampus

2,000,0004,000,0006.5 GbpsN/A1 Gbps10,000/10,000

14 GbpsN/A1 Gbps10,000/10,00010 GE + 2x10GE250A/A and A/S

Yes10 GE + 2x10GE250A/A and A/S

Yes