Bobby Acker CCIE 19310 Session Topics ClientBased Remote Access Using Anyconnect Clientless Access Using WebVPN Portals Endpoint Security Using Secure Desktop New ASA 80ASDM 60 Features ID: 446663
Download Presentation The PPT/PDF document "Cisco Secure Remote Architectures" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Cisco Secure Remote Architectures
Bobby Acker – CCIE #19310Slide2
Session TopicsClient-Based Remote Access Using
AnyconnectClientless Access Using WebVPN PortalsEndpoint Security Using Secure Desktop
New ASA 8.0/ASDM 6.0 FeaturesSlide3
Remote Access Using the Cisco Anyconnect ClientSlide4
Secure Connectivity Everywhere Extending the Self-Defending Network
Public
Internet
ASA 5500
Clientless SSL VPN
Clientless SSL VPN
Client-based SSL or IPsec VPN
Partners / Consultants
Controlled access to specific resources and applications
Mobile Workers
Easy access to corporate network resources
Roamers
Seamless access to applications from unmanaged endpoints
Day Extenders / Home Office
Day extenders and mobile employees require consistent LAN-like, full-network access, to corporate resources and applications
Client-based SSL or IPsec VPNSlide5
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client for secure remote productivity
Extends the in-office experience
LAN-like full-network access, supports latency sensitive apps like voice (via DTLS transport)
Access across platforms
Windows 2K / XP (x86/x64) / Vista (x86/x64)
Mac OS X 10.4 & 10.5, Linux Intel
Windows Mobile 5 Pocket PC Edition (Coming soon)
Always up to date
Remotely installable and configurable to minimize user demands
No-hassle Connections
No reboots required
Stand-alone, Web Launch, Portal ConnectionStart Before Login (2K/XP)
MSI – Windows Pre-installation packageSlide6
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – GUI Details (Statistics)Slide7
For End-Users, Access for All Applications
Datagram Transport Layer Security (DTLS)
Limitations of TLS (HTTPS/SSL) with SSL VPN tunnelsTLS is used to tunnel TCP/IP over TCP/443
TCP requires retransmission of lost packets
Both
application
and
TLS
wind up retransmitting when packet loss is detected.
DTLS solves the TCP over TCP meltdown problem
DTLS replaces underlying transport TCP/443 with UDP/443
DTLS uses TLS to negotiate and establish DTLS connection (control messages and key exchange)Datagrams only are transmitted over DTLSOther benefitsLow latency for real time applicationsDTLS is optional and will automatically fallback to TLS (HTTPS)Slide8
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – XML Profile (Start Before Login)
…
<ClientInitialization>
<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
<BackupServerList>
<HostAddress>cvc-asa-02.company.com</HostAddress>
<HostAddress>10.94.146.172</HostAddress>
</BackupServerList>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>CVC-ASA-02</HostName>
<HostAddress>cvc-asa-02.company.com</HostAddress> </HostEntry>
The Client Initialization section represents global settings for the client. In some cases (e.g. BackupServerList) host specific overrides are possible. The Start Before Logon feature can be used to activate the VPN as part of the logon sequence.
Collection of one or more backup servers to be used in case the user selected one fails. Can be a FQDN or IP address.Slide9
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – Troubleshooting
Windows will utilize the Windows Event Viewer. Review the log messages in Cisco AnyConnect VPN Client.
Logging on Mac and Linux will utilize their ‘syslogs’
Linux default location /var/log/messages
Mac location /var/log/system.log
Firewall port requirements –
UDP Port 443 (DTLS)
TCP Port 443 (HTTPS/SSL)
TLS will always be negotiated first, then it will further negotiate DTLS so you will see these messages in the log.
A SSL connection has been established using cipher xxxx.
A DTLS connection has been established using cipher xxxx.Slide10
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – Troubleshooting (Windows Event Viewer)
An example of how Windows Event Viewer will look.Slide11
For End-Users, Access for All Applications
Cisco VPN - Client comparison
Cisco VPN Client
Cisco SSL VPN Client
Cisco AnyConnect VPN Client
Approximate size
10 MB
400KB
1.5-2 MB**
Initial install
distribute
auto download
distribute
auto download
distribute
Admin rights required
yes
Initial installation only
(Stub installer available)
Initial installation only
(MSI available – Windows)
Protocol
IPsec
TLS (HTTPS)
DTLS, TLS (HTTPS) - Auto
OS Support
multiple*
2000/XP
multiple**
Head End
ASA/PIX/3K/IOS
ASA/3K/IOS
ASA
* Windows 2K / XP/ x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris
** Windows 2K/ X P x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5&6 support planned (additive license) – Non Windows support and alternate connection modes available, including DTLS for ASA 8.0+ onlySlide12
Clientless Access Using Cisco WebVPN PortalsSlide13
For End-Users, Seamless Access Anywhere
Personalized application and resource access
Personalized homepage
Localizable, RSS feeds, personal bookmarks, etc.
Delivers web-based and traditional applications
Sophisticated web and other applications delivered seamlessly to the browser
SAML Single Sign-On (SSO) – verified with RSA Access Manager
Intuitive user experience
Drag and Drop file access and webified file transport
Delivers key applications beyond the browser
Smart Tunnels deliver more applications without admin privilegesSlide14
For End-Users, Seamless Access Anywhere
Enhanced clientless interface, highly customizable
Customizable Banner Graphic
Customizable Colors and Sections
Customizable Links, Network Resource Access
Customizable Access Methods
Customizable Banner MessageSlide15
For End-Users, Seamless Access Anywhere
Clientless file access
Access for FTP file shares in addition to CIFS (Common Internet File System)
Webfolders for Internet Explorer (native Windows explorer file access)Slide16
For End-Users, Seamless Access Anywhere
Java Client/Server Plug-ins
Support for number of common TCP applications via Java plugins such as
Windows Terminal Server (RDP)
TELNET & SSH
VNC
Citrix Java Presentation Server Client (plug-in loaded by administrator)
Resource is defined as a URL with the appropriate protocol type, i.e.
rdp://server:port
Support for these third party applications exists in the form of packaged single archive files in the .jar file format.
Extensible plugin mechanism may provide support for additional applications in the futureSlide17
For End-Users, Seamless Access Anywhere
Java Client/Server Plug-ins - Details
When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).
The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.
The Java applet(s) are transparently cached in the ASA cache.Slide18
For Administrators, Visual Management
ASDM – SSL & IPsec Wizards
For Administrators
Separate wizards for SSL and IPsec VPN configurationSlide19
Specify authentication method
Specify group policy to use or create a new one
Specify a bookmark list for the Portal page
Create or use an existing address pool and specify the AnyConnect image location
For Administrators, Visual Management
New SSL VPN Wizard - Details
For AdministratorsSlide20
Endpoint Security Using Cisco Secure DesktopSlide21
Unique Security Challenges on the Endpoint SSL VPN Brings New Points of Attack
Remote User
Employee at Home
Supply Partner
During SSL VPN Session
Is session data protected?
Are typed passwords protected?
Has malware launched?
Post SSL VPN Session
Browser cached intranet web pages?
Browser stored passwords?
Downloaded files left behind?
Before SSL VPN Session
Who owns the endpoint?
Endpoint security posture: AV, personal firewall?
Is malware running?
Extranet Machine
Unmanaged Machine
Customer
Managed MachineSlide22
Comprehensive EndPoint Security
Cisco Secure Desktop (CSD) now supports checking for hundreds of pre-defined products, updated frequently
Anti-virus, anti-spyware, personal firewall, and more
Administrators can define custom checks including running processes
Posture policy presented visually to simplify configuration and troubleshooting (Pre-login sequence and Dynamic Access Policies)
Cisco Secure Desktop consists of four features:
Host Scan (Windows)
Advanced Endpoint Assessment provides remediation and periodic rechecking capabilities (licensed option)
Secure Vault (Windows 2K/XP)
Cache Cleaner (Windows, Mac OS X, and Linux)Slide23
Supported ChecksRegistry check
File checkCertificate checkWindows version check
IP address checkLeaf NodesLogin deniedLocation
Subsequence
Visual policy simplifies administrative configuration
Pre-login Decision Tree
Cisco Secure DesktopSlide24
Comprehensive EndPoint SecurityDynamic Access Policies (DAP)
The Dynamic Access Policy (DAP) is defined as a collection of access control attributes associated with a specific tunnel or session.
The DAP is dynamically generated by selecting and/or aggregating attributes from one or more DAP records.
The DAP records are selected based on the
endpoint security information
of the remote device and/or the
AAA authorization information
of the authenticated user.
DAP will be generated and then applied to the user’s tunnel or session.Slide25
Comprehensive EndPoint SecurityDynamic Access Policies (DAP)
Add AAA attributes
Add endpoint attributesSlide26
Comprehensive EndPoint SecurityDynamic Access Policies (DAP)
Specific endpoint attributes
Note: These drop down menus will only show up after enabling CSD and enabling Host Scan Endpoint Assessment under CSD. You can disable CSD after enabling Host Scan and applying it.Slide27
Cisco Secure Desktop (Secure Vault)How it Works
Step One: A user on the road connects with the concentrator and the Cisco Secure Desktop
is pushed down to the endpoint automatically.
Step Four: At Logout the Virtual Desktop that the user has been working in is eradicated and the user is notified
Employee-Owned Desktop
www…
Clientless SSL VPN
Step Two: An encrypted sandbox or hard drive partition is created for the user to work in
Cisco Secure Desktop
Step Three: The user logs in
Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session auto-timeout will close the session and erase session
information
ASA 5500Slide28
Cisco Secure Desktop
Machine ScanSlide29
Cisco Secure Desktop
Login Page (After Scan)Slide30
Cisco Secure Desktop
Access RestrictedSlide31
Cisco Secure Desktop
Access DeniedSlide32
Onscreen (Virtual)Keyboard
Helps reduce the risk associated with keystroke loggers.
This can be applied to the password field on the clientless SSL VPN login page or on any page that requires username/password authentication.
This only applies to the password entry field.Slide33
Cisco ASA 5500 Series Product LineupSolutions Ranging from SMB to Large Enterprise
Cisco
ASA 5520
Cisco
ASA 5540
Cisco
ASA 5550
Cisco
ASA 5510
Cisco
ASA 5505
Network Location
Max Connections
Packets/Sec
Internet
Edge
Internet
Edge
Internet
Edge
130,000
190,000
280,000
320,000
400,000
500,000
Internet Edge
Campus
650,000
600,000
Teleworker /
Branch Office /SMB25,00085,000
PerformanceMax FirewallMax Firewall + IPSMax IPsec VPNMax IPsec/SSL Peers
300 Mbps300 Mbps170 Mbps250/250450 Mbps
375 Mbps225 Mbps750/750650 Mbps450 Mbps325 Mbps5000/2500
1.2 GbpsN/A425 Mbps5000/5000
150 MbpsFuture100 Mbps25/25
Platform Capabilities
Base I/OVLANs SupportedHA Supported
VPN Load Balancing
5 FE
50/100
A/A and A/S (Sec Plus)
(Sec Plus/8.0)
4 GE + 1 FE
150A/A and A/S
Yes
4 GE + 1 FE200
A/A and A/S
Yes
8 GE + 1 FE
250A/A and A/SYes8-port FE switch
3/20 (trunk)Stateless A/S (Sec Plus)No
Cisco
ASA 5580/20CiscoASA 5580/40
Data Center
Campus1,000,0002,500,000Data CenterCampus
2,000,0004,000,0006.5 GbpsN/A1 Gbps10,000/10,000
14 GbpsN/A1 Gbps10,000/10,00010 GE + 2x10GE250A/A and A/S
Yes10 GE + 2x10GE250A/A and A/S
Yes