
ASA Remote Access VPN

Technologies:
SSLVPN
WebVPN
IPSecVPN
http://www.cisco.com/go/security
http://www.cisco.com/security

Tim Ryan tiryan@cisco.com


Security Consulting SE
CCIE, CISSP

Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Cisco ASA 5500 Series
Convergence of Robust, Market-Proven Technologies

Market-Proven Technologies:
  Firewall Technology: Cisco PIX
  IPS Technology: Cisco IPS
  Content Security: Trend Micro
  VPN Technology: Cisco VPN 3000
  Network Intelligence: Cisco Network Services

Adaptive Threat Defense, Secure Connectivity:
  Application Security: App Inspection, Use Enforcement, Web Control
  IPS & Content Security Services: Malware/Content Defense, Anomaly Detection
  Network Containment and Control: Traffic/Admission Control, Proactive Response
  Secure Connectivity: IPSec & SSL VPN
Cisco ASA 5500 Series: Threat Protected VPN Services
Leveraging On-Board Security to Protect the VPN Threat Vector

Application Firewall and Access Control
  Application Inspection/Control
  Granular, Per-User/Group Access Control
  Protocol Anomaly Detection
  Stateful Traffic Filtering

Threat Mitigation
  Incident Control
  Virus Detection
  Worm Mitigation
  Spyware Detection

Comprehensive Endpoint Security
  Pre-Connection Posture Assessment
  Malware Mitigation
  Session/Data Security
  Post-Session Clean-Up

Accurate Enforcement
  Real-Time Correlation
  Risk Rating
  Attack Drop
  Session Removal and Resets

[Diagram: Remote Access VPN User connecting to ASA 5500; threats shown: Worm/Virus, Spyware, Exploit, Unwanted Application, Illegal Access]

Leverages Depth of Threat Defense Features to Stop Malicious Worms, Viruses, and More, and Without External Devices or Performance Loss!
VPN Technologies for Remote Clients
Encrypted Connection Protocols:
  SSL tunnel uses the SSL protocol with RC4 or AES to encrypt data
  IPSec tunnel uses the IPSec protocol with DES, 3DES or AES to encrypt data

Encrypted Client options supported by the ASA:
  AnyConnect VPN Client is an SSL-based VPN client that is installed on a desktop and can tunnel any traffic (aka SVC)
  WebVPN (aka Clientless VPN) uses the browser as the client, with the ASA acting as a proxy. It can tunnel HTTP and HTTPS traffic and a limited number of other supported protocols such as CIFS, OWA, RDP, VNC, SSH and Telnet via plugins
  Cisco VPN Client is an IPSec client that can tunnel any traffic except for multicast.

ASA VPN Configuration
The AnyConnect Configuration document at the URL below is an excellent starting place for any ASA VPN configuration.
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Configure
Step 1. Configure a Self-Issued Certificate
Step 2. Upload and Identify the SSL VPN Client Image
Step 3. Enable AnyConnect Access
Step 4. Create a new Group Policy
Step 5. Configure Access List Bypass for VPN Connections
Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections
Step 7. Configure NAT Exemption for AnyConnect Clients
Step 8. Add Users to the Local Database

VPN Connection Flow Summary
At client connection time, Group Policy settings take precedence over Connection Profile settings.
If the Connection Profile has a setting and the Group Policy is set to "inherit", then the Connection Profile settings are used.

ANYCONNECT CLIENT Connection
  Connection Profile (called tunnel group at CLI) = SSLClientProfile
  Uses Group Policy = GroupPolicy1
  Alias = SSLClient
IPSEC CLIENT Connection
  Connection Profile (called tunnel group at CLI) = IPSecVPN
  Uses Group Policy = IPSecClient
  IPSec Client settings: Groupname=IPSecVPN, pre-shared key=cisco123
WEBVPN - BROWSER CLIENT Connection
  Connection Profile Clientless SSL VPN Access (tunnel group in CLI) = WebVPN
  Uses Group Policy = WebGroup
  Alias = WebVPN

AnyConnect Client Connection Config

ANYCONNECT CLIENT Connection Profile
  SSLClientProfile
  Alias = SSLClient
  Authentication type = (local, AAA, Certs)
Uses Group Policy = GroupPolicy1
  Connection Profile lock = SSL Client Profile
  SSL VPN Client tunnelling protocol ONLY
  Address pool = ECRU-1 (10.199.0.1 - 10.199.7.254)
  DNS = 4.2.2.2
  Default Domain = gtei.net
  Split tunnel options = Default = tunnel all networks
Test user: User1 pw=cisco123
  Locked to SSL Client profile
  Uses Group Policy1

Client-Based SSL VPN (AnyConnect/SSL VPN Client)

ASA 5500 version 8.0 VPN Clientless Access
Precise, granular access control to specific resources
Enhanced Portal Design
  Localizable
  RSS feeds
  Personal bookmarks
  AnyConnect Client access
Drag and Drop file access and webified file transport
Transformation enhancements including Flash support
Head-end deployed applets for telnet, SSH, RDP, and VNC; framework supports additional plug-ins
Advanced port-forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on Client PC
Enhanced Remote Access Security
Enhanced authorization using policies and
group information
Extended use of credentials
Always up to date via automatic updating
(no admin)
Virtual keyboard option
SAML Single Sign-On (SSO) verified with
RSA Access Manager (was ClearTrust)
Group/User-to-VLAN mapping support
Start before Login for Vista

Current Snapshot of VPN Client Offerings

Cisco VPN Client
  Protocol: IPsec
  Approximate size: 10 MB
  Initial install: distribute
  Admin rights required: yes
  OS Support: 2K/XP/Vista 32-bit, Linux, Mac OS X, Solaris UltraSparc
  Rebootless Installs: No
  Head End: ASA/PIX/3K/IOS

Cisco SSL VPN Client
  Protocol: SSL (HTTPS)
  Approximate size: 400 KB
  Initial install: auto download, distribute
  Admin rights required: Initial installation only (Stub installer available)
  OS Support: 2000/XP
  Rebootless Installs: Yes
  Head End: ASA/3K/IOS

Cisco AnyConnect VPN Client
  Protocol: DTLS, SSL (HTTPS) - Auto
  Approximate size: 1.7 MB
  Initial install: auto download, distribute
  Admin rights required: Initial installation only (MSI available Windows)
  OS Support: 2K/XP/Vista (32 & 64-bit), Linux, Mac OS X, Win 2008 Server, Mobile 5/6
  Rebootless Installs: Yes
  Head End: ASA/IOS


Tunneling Protocol Comparison
                                    Cisco SSL VPN Client
                                    HTTPS/SSL   DTLS/SSL            IPsec / IKEv1
Locked down FW Compatible           Yes         No                  via TCP tunneling
Proxy server Compatible             Yes         No                  No
High performance transport          No          Yes                 Yes
Protocol Fallback                   N/A         HTTPS/SSL (TCP)
QoS Friendly (DSCP Preservation)    No          Possible            Yes
Mobility Friendly                   Yes         Yes                 No (IKEv2/Mobile IKE)
Transport                           TCP         UDP                 ESP, UDP, Fake TCP
Perceived Customer Value ($$s)      $$$         $$$                 $

AnyConnect VPN Client Installation
Dynamic or Manual Installation

ASA downloads client to user based on group policy.
ASA can automatically download client, or prompt remote user to download.

Client packages provided for manual install or distribution via desktop management system

AnyConnect VPN Client
Local LAN Access (Split Tunnel Variant)

To verify split tunnel configuration from remote PC, open AnyConnect VPN icon in task tray, then select:
Statistics > Details > Route Details

In this example, only traffic to the Local PC LAN (192.168.100.0/24) is sent in clear (no VPN).
All other traffic is sent encrypted over VPN to ASA.

AnyConnect VPN Client
Datagram Transport Layer Security (DTLS)
Defined in RFC 4347
Implemented as part of the standard OpenSSL package

Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels
  TLS is used to tunnel TCP/IP over TCP/443
  TCP requires retransmission of lost packets
  Both the application and TLS wind up retransmitting when packet loss is detected.
DTLS solves the TCP over TCP problem
  DTLS replaces underlying transport TCP/443 with UDP/443
  DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange)
  Only datagrams are transmitted over DTLS
Other benefits
  Low latency for real time applications
  DTLS is enabled by default; dynamically negotiated at connect time.
  DTLS is optional and will automatically fall back to TLS (HTTPS)
Clientless WebVPN Features

For End-Users, Seamless Access Anywhere
Personalized application and resource access
Personalized homepage
  Localizable, RSS feeds, personal bookmarks, etc.
Delivers web-based and traditional applications
  Sophisticated web and other applications delivered seamlessly to the browser
  SAML Single Sign-On (SSO) verified with RSA Access Manager
Intuitive user experience
  Drag and Drop file access and webified file transport
Delivers key applications beyond the browser
  Smart Tunnels deliver more applications without admin privileges

For End-Users, Seamless Access Anywhere
Enhanced clientless interface, highly customizable

[Portal screenshot callouts: Customizable Banner Graphic; Customizable Banner Message; Customizable Access Methods; Customizable Links, Network Resource Access; Customizable Colors and Sections]

Clientless WebVPN
Personal Bookmarks
Specify personal storage location under Group Policy

User can add/delete personal bookmarks that are persistent between WebVPN sessions.
Clientless WebVPN Browsing Networks
Clientless File Access for CIFS and FTP
Click icon from web portal to browse networks
OR
Click Browse Entire Network link under Browse Networks application

Clientless WebVPN
Java Client/Server Plugins - Details
When clicking on a resource link, a dynamic page is generated
that hosts the Java applet(s).
The Java applet(s) are rewritten, re-signed, and automatically
wrapped with Cisco's helper agent.
The Java applet(s) are transparently cached in the ASA cache.

Clientless WebVPN Plugins
RDP, VNC, Sametime, SSH, Telnet, Post
Remote Desktop: Plugin for Windows Terminal Services
  Native Windows support using ActiveX or ProperRDP client using Java
Virtual Network Computing (VNC): remote server access based on TightVNC
SSH/Telnet: Combined open source plugin provides either SSHv1 or Telnet access to manage devices and servers
Lotus Sametime: Secure instant messaging application from IBM
POST plugin: Provides Portal Homepage with optional SSO

Clientless WebVPN Plugins
Citrix Plugin
Link directly to Citrix applications from portal
Plugin supports all Citrix Java client parameters/features.
ASA optimizes performance by downloading components as needed.
Verify your Citrix EULA grants rights and permissions to deploy the client

Clientless WebVPN
Native Citrix Support (No Plugin)
ASA automatically intercepts web traffic with content type ICA from Web
Presentation Server and modifies return ICA file to client to ensure ASA
proxies session.
Java or ActiveX ICA Client is also pushed down to client if not running
standalone client on endpoint.

Clientless WebVPN
Smart Tunnels

Smart Tunnels are application-level port forwarding

It is a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session.
You can specify client applications which you want to grant Smart Tunnel access, including Telnet, SSH, RDP, VNC, Passive FTP, Outlook Express, Lotus Notes, Sametime, Citrix Program Neighborhood client, and Outlook via POP/SMTP/IMAP.
SSL VPN loads a stub into each process spawned by an authorized application, and intercepts socket calls to redirect via ASA.
This can be used where other methods such as AnyConnect or Port Forwarding cannot be used.
A browser with ActiveX, Java or JavaScript support is required on 32-bit OSs only, such as Windows XP & 2K

Clientless WebVPN
General Configuration Overview

1. Import Web Content (Optional)
2. Define Bookmarks and assign to Group Policies
3. Customize Login/Logout and Portal Pages and assign to Connection Profiles and Group Policies, respectively (Optional)
4. Import plugins and apply to bookmarks (Optional)
5. Define Smart Tunnels and enable in bookmarks or Group Policies (Optional)
6. Review and tune User/Group Policies as required.
7. Apply Cisco Secure Desktop, Endpoint Assessment, DAP, and enforcement policies (covered in later training sessions)
Secure Session (aka Secure Desktop or Vault)
Overview
Encrypts data and files associated with or downloaded during remote session into a secure desktop partition

Provides tasktray icon to signify a safe environment for remote user to work in.

Upon session termination, uses U.S. Department of Defense (DoD) sanitation algorithm to remove the partition.

Typically used during clientless SSL VPN sessions: attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or after an abrupt termination occurs.

Runs over Microsoft Windows Vista, Windows XP, and Windows 2000.

If Prelogin policy is configured to install Secure Session, but remote OS does not support Secure Session, then Cache Cleaner install is attempted instead.

Cisco Secure Desktop
Login Page (After Scan)

Policy Inheritance
Overview

Policy Objects
Connection Profile / Tunnel Group
  Pre-login attributes (inc. AAA, login page for Clientless, cert handling)
Group Policy (Internal and External)
  Post-login attributes (inc. portal page, bookmarks, access policies)
User Policy (Internal and External)
  User-specific attributes
Dynamic Access Policy
  Dynamically created policies based on multiple inputs (Location, Directory attributes, PC attributes)

Internal versus External
  Internal: attributes locally defined on ASA
  External: attributes returned as values from queries to external servers (for example, RADIUS and LDAP)
User Attribute Primer

Attribute priority (start here, at the top):
  1. DAP Attributes
  2. User Attributes
  3. Group Policy Attributes
  4. Connection Profile/Tunnel Group: Group Policy Attributes
  5. DfltGrpPolicy Attributes (System Default Group Policy)

Note: Individual attributes may not be collected in sequence, but the resulting policy will always be a compilation based on the above prioritization.
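
Added example (not part of the original slides and not Cisco code): a small resolver that compiles one session's effective attributes from the five levels above, treating "inherit" as fall-through, and reports which level supplied each value. The level keys and attribute names are this example's own labels rather than ASA CLI keywords, and the ACL names, idle timeout and default DNS value are constructed.

```python
INHERIT = "inherit"  # sentinel: this level defers to the next one down

# Priority order from the User Attribute Primer slide, highest first.
# The key names are this example's own, not ASA CLI keywords.
PRIORITY = ("dap", "user", "group_policy", "connection_profile", "dflt_grp_policy")


def resolve(levels):
    """Return {attribute: (value, source_level)} for one session.

    An attribute that is absent, None or INHERIT at a level falls through to
    the next level. Attributes set nowhere resolve to (None, None).
    """
    unknown = set(levels) - set(PRIORITY)
    if unknown:
        raise ValueError(f"unknown policy level(s): {sorted(unknown)}")
    effective = {}
    for name in sorted({n for attrs in levels.values() for n in attrs}):
        effective[name] = (None, None)
        for level in PRIORITY:
            value = levels.get(level, {}).get(name)
            if value is not None and value != INHERIT:
                effective[name] = (value, level)
                break
    return effective


def from_system_default(effective):
    """Attributes whose effective value was never set above DfltGrpPolicy.

    These are settings nobody chose explicitly for this session, so they are
    worth reviewing when auditing what the session is actually allowed to do.
    """
    return sorted(n for n, (_, src) in effective.items() if src == "dflt_grp_policy")


# Constructed sample session. Profile, policy, pool, DNS and domain names come
# from the slides; the ACL names, idle timeout and default DNS are made up.
SESSION = {
    "dap": {"acl": "quarantine-acl"},
    "user": {"group_lock": "SSLClientProfile"},          # User1
    "group_policy": {                                    # GroupPolicy1
        "tunnel_protocol": "ssl-client",
        "split_tunnel": "tunnel-all",
        "dns": INHERIT,
        "acl": "staff-acl",
    },
    "connection_profile": {                              # SSLClientProfile
        "address_pool": "ECRU-1",
        "dns": "4.2.2.2",
        "default_domain": "gtei.net",
    },
    "dflt_grp_policy": {
        "tunnel_protocol": "ipsec,webvpn",
        "dns": "192.0.2.53",
        "idle_timeout_min": 30,
    },
}

if __name__ == "__main__":
    effective = resolve(SESSION)
    for name, (value, source) in effective.items():
        print(f"{name:18} {str(value):18} <- {source}")
    print("left to system default:", from_system_default(effective))
```

In the sample, the group policy's "inherit" for DNS lets the connection profile's 4.2.2.2 win over the system default, and the DAP access list overrides the one set in the group policy.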
Data Collection and Policy Assignment Flow

[Flow diagram. Stages: SSL VPN User; Initial SSL Connection; Pre-Login; User Connect/Login; Post-Login; User Policy.
  Connection Profile Selected: DefaultWEBVPNGroup, Conn/Group URL (auto), Group Drop-Down List, Certificate-based (auto)
  Cisco Secure Desktop: CSD Pre-Login Scan (OS Details, Custom Checks), Scan Results, Pre-login Policy (Location) Assigned
  User login: User/Group Policy Selected
  Basic Host Scan, Extended Host Scan: Scan Results
  DAP inputs: User Attributes, Group Attributes, Connection Type, Pre-Login Policy, Scan Results]

Resultant Policy is a collection of multiple data points and attributes, not necessarily collected in order, that are compiled based on policy inheritance and prioritization hierarchy.
ASA VPN Load Balancing
Load balancing is supported on remote sessions initiated with the following:
Cisco AnyConnect VPN Client (Release 2.0 and later)
Cisco VPN Client (Release 3.0 and later)
Cisco VPN 3002 Hardware Client (Release 3.5 or later)
Cisco PIX 501/506E when acting as an Easy VPN client.

Load balancing works with both IPSec clients and WebVPN sessions. All
other clients, including LAN-to-LAN connections, can connect to a security
appliance on which load balancing is enabled, but they cannot participate in
load balancing.

You can configure the number of IPSec and WebVPN sessions to allow, up
to the maximum allowed by your configuration and license.
With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in
determining the load that each device in the cluster carries.

If using certificates, you must enable redirection using a fully-qualified domain name in vpn load-balancing mode.
  Use the command redirect-fqdn enable in global configuration mode.
  This is disabled by default.
http://www.cisco.com/en/US/partner/docs/security/asa/asa81/config/guide/vpnsysop.html
Cisco ASA 5500 WebVPN/SSL VPN

WebVPN-SSLVPN License Options:
  25, 100, 250, 500, 1000, 2500, 5000, 10000

Additional End Point Assessment License includes:
  Cisco Secure Desktop: for running secure applications on an insecure device
  End Point Assessment (NAC Lite): to verify posture of device, enabling ASA to assign client to a specific group with specific access rights.
Mobile VPN Client Support (ASA-MOBILE-VPN)
Phone Proxy: encrypted call setup and firewalling
VPN Security Challenges

Endpoints:
  Supply Partner: Extranet Machine
  Employee at Home: Unmanaged Machine
  Remote User: Customer Managed Machine

Before SSL VPN Session
  Who owns the endpoint?
  Endpoint security posture: AV, personal firewall?
  Is malware running?
During SSL VPN Session
  Is session data protected?
  Are typed passwords protected?
  Has malware launched?
After SSL VPN Session
  Browser cached intranet web pages?
  Browser stored passwords?
  Downloaded files left behind?
Comprehensive EndPoint Security
Cisco Secure Desktop (CSD) now supports hundreds of pre-defined products, updated frequently (New in 8.0!)
  Anti-virus, anti-spyware, personal firewall, and more
Administrators can define custom checks including running processes
CSD posture policy presented visually to simplify configuration and troubleshooting
Cisco ASA 5500 Series Platforms and Modules

Wide Range of Leading Solutions for Customers of All Sizes

Cisco ASA 5500 Series High-End Lineup
Data Center Solutions

                                  Cisco ASA 5540  Cisco ASA 5550        Cisco ASA 5580-20 (New)             Cisco ASA 5580-40 (New)
Target Market                     Internet Edge   Campus Segmentation   Campus Segmentation / Data Center   Data Center
List Price (starting at)          $16,995         $19,995               $59,995 with 8GE                    $109,995 with 8GE

Performance
Max Firewall (Real-world HTTP)    -               -                     5 Gbps                              10 Gbps
Max Firewall (1400 byte)          650 Mbps        1.2 Gbps              6.5 Gbps                            14 Gbps
Max Firewall (Jumbo frames)       -               -                     10 Gbps                             20 Gbps
Max IPSec VPN                     325 Mbps        425 Mbps              1 Gbps                              1 Gbps
Max IPSec/SSL VPN Peers           5000 / 2500     5000 / 5000           10,000 / 10,000                     10,000 / 10,000

Platform Capabilities
Max Firewall Conns                400,000         650,000               1,000,000                           2,000,000
Max Conns/Second                  25,000          36,000                90,000                              150,000
Packets/Second (64 byte)          500,000         600,000               2,750,000                           5,500,000
Base I/O                          4 GE + 1 FE     8 GE + 1 FE           2 Mgmt                              2 Mgmt
Max I/O                           8 GE + 1 FE     8 GE + 1 FE           24 GE / 12 10GE                     24 GE / 12 10GE
VLANs Supported                   200             250                   250                                 250
HA Supported                      A/A and A/S     A/A and A/S           A/A and A/S                         A/A and A/S
Cisco ASA 5500 Series Product Lineup

                          Cisco ASA 5505                    Cisco ASA 5510            Cisco ASA 5520  Cisco ASA 5540      Cisco ASA 5550
Target Market             Teleworker / Branch Office / SMB  SMB and SME               Enterprise      Medium Enterprise   Large Enterprise
List Price (starting at)  $595                              $3,495                    $7,995          $16,995             $19,995

Performance
Max Firewall              150 Mbps                          300 Mbps                  450 Mbps        650 Mbps            1.2 Gbps
Max Firewall + IPS        45 Mbps                           150/300                   350/450         650 Mbps            N/A
Max IPSec VPN             100 Mbps                          170 Mbps                  225 Mbps        325 Mbps            425 Mbps
Max IPSec/SSL VPN Peers   25/25                             250/250                   750/500         5000/2500           5000/5000

Max Firewall Conns        10,000/25,000                     50,000/130,000            280,000         400,000             650,000
Max Conns/Second          3,000                             6,000                     9,000           20,000              28,000
Packets/Second (64 byte)  85,000                            190,000                   320,000         500,000             600,000
Base I/O                  8-port FE switch                  5 FE                      4 GE + 1 FE     4 GE + 1 FE         8 GE + 1 FE
VLANs Supported           3/20 (trunk)                      50/100                    150             200                 250
HA Supported              Stateless A/S (Sec Plus)          A/A and A/S (Sec Plus)    A/A and A/S     A/A and A/S         A/A and A/S
Wide Range of Management Solutions
Provide Scalable, Cost Optimized Options for Businesses
Integrated Remote Management Capabilities Within ASA

Configuration: Auto Update, SSH, Telnet, XML/HTTPS, and ASDM


Real-time monitoring: Syslog, SNMP, HTTPS, and ASDM
Software updates: Auto Update, SCP, HTTP, HTTPS, and TFTP

Cisco Security Manager (CS-Manager)


Scalable management solution for wide range of Cisco security solutions
including routers, switches, blades, and appliances
Delivers centralized management of firewall, VPN, IPS/IDS, networking,
and other services via flexible user interface
Supports device grouping for simplified policy maintenance
Provides role-based admin access and workflow capabilities
Available on Windows (Linux version coming)

Cisco Monitoring and Response Solution (CS-MARS)


Family of high performance appliances designed to provide
automated analysis of security event information to help identify,
manage, and counter attacks
Supports getting events from wide range of Cisco and 3rd party
solutions, and also analyzes NetFlow for additional intelligence
Offers event correlation, visualization, rules engine, and reporting
Web VPN Client Monitoring

Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations
Common Criteria
  Completed: EAL4, v7.0.6: ASA 5510/20/40 (FW)
  New: Completed: EAL2, v6.0: ASA SSM-10/20 (IPS)
  In process: EAL4+, v7.2.2: ASA Family (FW)
  In process: EAL4, v7.2.2: ASA Family (VPN)
FIPS 140
  Completed: Level 2, v7.0.4: ASA Family
  Completed: Level 2, v7.2.2
  In process: Level 2, v8.0.2
ICSA Firewall 4.1, Corporate Category
  New: Completed: v7.2.2: ASA Family
ICSA IPSec 1.0D
  Completed: v7.0.4: ASA Family
ICSA Anti-Virus Gateway
  Completed: v7.1: ASA Family
NEBS Level 3
  Completed: ASA 5510, 5520, and 5540
