Cisco Secure Remote Architectures
Bobby Acker – CCIE #19310
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
Session Topics
- Client-Based Remote Access Using AnyConnect
- Clientless Access Using WebVPN Portals
- Endpoint Security Using Secure Desktop
- New ASA 8.0/ASDM 6.0 Features
Remote Access Using the Cisco AnyConnect Client
Secure Connectivity Everywhere
Extending the Self-Defending Network
[Diagram: remote user groups reach corporate resources across the public Internet through an ASA 5500, using either client-based SSL or IPsec VPN or clientless SSL VPN]
- Partners / Consultants: controlled access to specific resources and applications
- Mobile Workers: easy access to corporate network resources
- Roamers: seamless access to applications from unmanaged endpoints
- Day Extenders / Home Office: day extenders and mobile employees require consistent LAN-like, full-network access to corporate resources and applications
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client for secure remote productivity
- Extends the in-office experience: LAN-like full-network access; supports latency-sensitive apps like voice (via DTLS transport)
- Access across platforms: Windows 2K / XP (x86/x64) / Vista (x86/x64); Mac OS X 10.4 & 10.5; Linux Intel; Windows Mobile 5 Pocket PC Edition (coming soon)
- Always up to date: remotely installable and configurable to minimize user demands
- No-hassle connections: no reboots required; stand-alone, Web Launch, or portal connection; Start Before Login (2K/XP); MSI Windows pre-installation package
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – GUI Details (Statistics)
[Screenshot of the AnyConnect client statistics window]
For End-Users, Access for All Applications
Datagram Transport Layer Security (DTLS)
Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels:
- TLS is used to tunnel TCP/IP traffic over TCP/443
- TCP requires retransmission of lost packets
- Both the application and the TLS tunnel wind up retransmitting when packet loss is detected
DTLS solves the TCP-over-TCP meltdown problem:
- DTLS replaces the underlying TCP/443 transport with UDP/443
- DTLS uses the TLS session to negotiate and establish the DTLS connection (control messages and key exchange)
- Only datagrams are transmitted over DTLS
Other benefits:
- Low latency for real-time applications
- DTLS is optional and will automatically fall back to TLS (HTTPS)
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – XML Profile (Start Before Login)

…
<ClientInitialization>
  <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
  <BackupServerList>
    <HostAddress>cvc-asa-02.company.com</HostAddress>
    <HostAddress>10.94.146.172</HostAddress>
  </BackupServerList>
</ClientInitialization>
<ServerList>
  <HostEntry>
    <HostName>CVC-ASA-02</HostName>
    <HostAddress>cvc-asa-02.company.com</HostAddress>
  </HostEntry>
</ServerList>

The ClientInitialization section holds the global settings for the client. In some cases (e.g. BackupServerList) host-specific overrides are possible.
The Start Before Logon feature can be used to activate the VPN as part of the logon sequence.
BackupServerList is a collection of one or more backup servers to be used in case the user-selected one fails. Each entry can be a FQDN or an IP address.
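As an added example (not Cisco's code or part of the original deck), the following script parses a profile like the one above and reports which global settings carry UserControllable="true" (so a user could change them from the client GUI) together with the primary and backup gateways. The <AnyConnectProfile> root element and the <AutoReconnect> element in the constructed sample are assumptions; the slide shows neither.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile for this example. The <AnyConnectProfile> root and
# the user-controllable <AutoReconnect> element are assumptions; the rest follows
# the fragment on the slide.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutoReconnect UserControllable="true">true</AutoReconnect>
    <BackupServerList>
      <HostAddress>cvc-asa-02.company.com</HostAddress>
      <HostAddress>10.94.146.172</HostAddress>
    </BackupServerList>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>CVC-ASA-02</HostName>
      <HostAddress>cvc-asa-02.company.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def lint_profile(xml_text):
    """Summarise the global settings, which of them the end user may override,
    and every gateway (primary and backup) the client will try."""
    root = ET.fromstring(xml_text)
    settings, user_controllable = {}, []
    init = root.find("ClientInitialization")
    if init is not None:
        for elem in init:
            if elem.tag == "BackupServerList":
                continue  # a host list, not a value setting
            settings[elem.tag] = (elem.text or "").strip()
            # UserControllable="true" lets the user flip the setting in the GUI
            if elem.get("UserControllable", "false").lower() == "true":
                user_controllable.append(elem.tag)
    backups = [h.text.strip() for h in
               root.iterfind("ClientInitialization/BackupServerList/HostAddress")]
    servers = [(e.findtext("HostName", "").strip(), e.findtext("HostAddress", "").strip())
               for e in root.iterfind("ServerList/HostEntry")]
    return {"settings": settings, "user_controllable": user_controllable,
            "backup_servers": backups, "servers": servers}

if __name__ == "__main__":
    print(lint_profile(SAMPLE_PROFILE))
```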
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – Troubleshooting
- Windows uses the Windows Event Viewer: review the log messages under Cisco AnyConnect VPN Client.
- Logging on Mac and Linux uses their syslogs: Linux default location /var/log/messages; Mac location /var/log/system.log
- Firewall port requirements: UDP port 443 (DTLS); TCP port 443 (HTTPS/SSL)
- TLS is always negotiated first, and DTLS is then negotiated on top of it, so you will see both of these messages in the log:
  A SSL connection has been established using cipher xxxx.
  A DTLS connection has been established using cipher xxxx.
For End-Users, Access for All Applications
Cisco AnyConnect VPN Client – Troubleshooting (Windows Event Viewer)
An example of how Windows Event Viewer will look.
[Screenshot of the Windows Event Viewer]
For End-Users, Access for All Applications
Cisco VPN - Client comparison

| | Cisco VPN Client | Cisco SSL VPN Client | Cisco AnyConnect VPN Client |
| Approximate size | 10 MB | 400 KB | 1.5-2 MB** |
| Initial install | distribute | auto download | auto download / distribute |
| Admin rights required | yes | Initial installation only (stub installer available) | Initial installation only (MSI available – Windows) |
| Protocol | IPsec | TLS (HTTPS) | DTLS, TLS (HTTPS) - Auto |
| OS Support | multiple* | 2000/XP | multiple** |
| Head End | ASA/PIX/3K/IOS | ASA/3K/IOS | ASA |

* Windows 2K / XP x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris
** Windows 2K / XP x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5 & 6 support planned (additive license) – non-Windows support and alternate connection modes available, including DTLS for ASA 8.0+ only
Clientless Access Using Cisco WebVPN Portals
For End-Users, Seamless Access Anywhere
Personalized application and resource access
- Personalized homepage: localizable, RSS feeds, personal bookmarks, etc.
- Delivers web-based and traditional applications: sophisticated web and other applications delivered seamlessly to the browser; SAML Single Sign-On (SSO), verified with RSA Access Manager
- Intuitive user experience: drag-and-drop file access and webified file transport
- Delivers key applications beyond the browser: Smart Tunnels deliver more applications without admin privileges
For End-Users, Seamless Access Anywhere
Enhanced clientless interface, highly customizable
[Screenshot of the clientless portal with callouts for: customizable banner message, customizable banner graphic, customizable access methods, customizable links and network resource access, customizable colors and sections]
For End-Users, Seamless Access Anywhere
Clientless file access
- Access for FTP file shares in addition to CIFS (Common Internet File System)
- Webfolders for Internet Explorer (native Windows Explorer file access)
For End-Users, Seamless Access Anywhere
Java Client/Server Plug-ins
- Support for a number of common TCP applications via Java plug-ins, such as: Windows Terminal Server (RDP); TELNET & SSH; VNC; Citrix Java Presentation Server Client (plug-in loaded by administrator)
- A resource is defined as a URL with the appropriate protocol type, e.g. rdp://server:port
- Support for these third-party applications exists in the form of packaged single archive files in the .jar file format
- The extensible plug-in mechanism may provide support for additional applications in the future
For End-Users, Seamless Access Anywhere
Java Client/Server Plug-ins - Details
- When a user clicks a resource link, a dynamic page is generated that hosts the Java applet(s).
- The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco's helper agent.
- The Java applet(s) are transparently cached in the ASA cache.
For Administrators, Visual Management
ASDM – SSL & IPsec Wizards
[Screenshot: separate wizards for SSL and IPsec VPN configuration]
For Administrators, Visual Management
New SSL VPN Wizard - Details
[Screenshots of the wizard steps:]
- Specify authentication method
- Specify group policy to use or create a new one
- Specify a bookmark list for the Portal page
- Create or use an existing address pool and specify the AnyConnect image location
Endpoint Security Using Cisco Secure Desktop
Unique Security Challenges on the Endpoint
SSL VPN Brings New Points of Attack
[Diagram: endpoints connecting over SSL VPN – supply partner extranet machine, employee at home on an unmanaged machine, remote user, customer on a managed machine]
Before SSL VPN session:
- Who owns the endpoint?
- Endpoint security posture: AV, personal firewall?
- Is malware running?
During SSL VPN session:
- Is session data protected?
- Are typed passwords protected?
- Has malware launched?
Post SSL VPN session:
- Browser cached intranet web pages?
- Browser stored passwords?
- Downloaded files left behind?
Comprehensive Endpoint Security
- Cisco Secure Desktop (CSD) now supports checking for hundreds of pre-defined products, updated frequently: anti-virus, anti-spyware, personal firewall, and more
- Administrators can define custom checks, including running processes
- Posture policy is presented visually to simplify configuration and troubleshooting (pre-login sequence and Dynamic Access Policies)
- Cisco Secure Desktop consists of four features:
  – Host Scan (Windows)
  – Advanced Endpoint Assessment: provides remediation and periodic rechecking capabilities (licensed option)
  – Secure Vault (Windows 2K/XP)
  – Cache Cleaner (Windows, Mac OS X, and Linux)
Cisco Secure Desktop
Pre-login Decision Tree
- Supported checks
  – Registry check
  – File check
  – Certificate check
  – Windows version check
  – IP address check
- Leaf nodes
  – Login denied
  – Location
  – Subsequence
- Visual policy simplifies administrative configuration
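To make the decision-tree model concrete, here is an added example (not Cisco's code) that evaluates a small CSD-style pre-login tree against the facts an endpoint reports. The five check types and three leaf kinds are the ones listed above; the fact names (registry, files, cert_issuers, windows_version, ip), the tree layout, and the sample registry key, file path and CA name are constructed for this example.

```python
import ipaddress

# Check functions: each returns True/False for the facts an endpoint reports.
# Fact keys (registry, files, cert_issuers, windows_version, ip) are assumed
# names for this example, not the CSD attribute names.
def registry_check(facts, key, value):
    return facts.get("registry", {}).get(key) == value

def file_check(facts, path):
    return path in facts.get("files", set())

def certificate_check(facts, issuer):
    return issuer in facts.get("cert_issuers", set())

def windows_version_check(facts, allowed):
    return facts.get("windows_version") in allowed

def ip_address_check(facts, network):
    ip = facts.get("ip")
    return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(network)

# An internal node is (check, args, yes_branch, no_branch); a leaf is
# ("deny",), ("location", name) or ("subsequence", name), as on the slide.
LEAF_KINDS = ("deny", "location", "subsequence")

# Constructed sample policy: on-net hosts get the corporate location; off-net
# hosts with the company certificate are "managed" if the build marker is in the
# registry, otherwise they enter a subsequence only if the agent file is present;
# hosts without the certificate are limited to known Windows builds, else denied.
TREE = (
    ip_address_check, ("10.0.0.0/8",),
    ("location", "Corporate LAN"),
    (certificate_check, ("Company Root CA",),
        (registry_check, ("HKLM\\SOFTWARE\\Company\\Managed", "1"),
            ("location", "Managed Laptop"),
            (file_check, ("C:\\Program Files\\Company\\agent.exe",),
                ("subsequence", "Check Antivirus"),
                ("deny",))),
        (windows_version_check, ({"XP", "Vista"},),
            ("location", "Unmanaged Windows"),
            ("deny",))),
)

def evaluate(node, facts):
    """Walk from the root to a leaf and return the leaf tuple."""
    if node[0] in LEAF_KINDS:
        return node
    check, args, yes_branch, no_branch = node
    return evaluate(yes_branch if check(facts, *args) else no_branch, facts)
```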
Comprehensive Endpoint Security
Dynamic Access Policies (DAP)
A Dynamic Access Policy (DAP) is defined as a collection of access control attributes associated with a specific tunnel or session.
The DAP is dynamically generated by selecting and/or aggregating attributes from one or more DAP records.
The DAP records are selected based on the endpoint security information of the remote device and/or the AAA authorization information of the authenticated user.
The DAP is generated and then applied to the user's tunnel or session.
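The select-then-aggregate step described above, as an added example (not Cisco's code): records whose endpoint and AAA criteria all match the session are selected, then their attributes are merged into one policy. The record names, criterion keys, attribute names and the merge rules (most restrictive action wins, ACL entries concatenated in priority order) are assumptions for this example; the slide does not state the ASA's actual merge semantics.

```python
# Constructed DAP records. Criterion keys (aaa.group, endpoint.*), attribute
# names and the merge rules below are assumptions for this example; the slide
# does not show the ASA's actual merge semantics. The host 10.94.146.172 is
# the backup gateway from the profile slide; 10.0.0.5 is a constructed value.
DAP_RECORDS = [
    {"name": "DfltAccessPolicy", "priority": 100, "criteria": {},
     "attrs": {"action": "continue", "acl": ["deny ip any any"]}},
    {"name": "Managed-Employee", "priority": 10,
     "criteria": {"aaa.group": "employees", "endpoint.av_running": True,
                  "endpoint.csd_location": "Managed Laptop"},
     "attrs": {"action": "continue", "acl": ["permit ip any 10.0.0.0 255.0.0.0"]}},
    {"name": "Contractor-RDP", "priority": 20,
     "criteria": {"aaa.group": "contractors", "endpoint.av_running": True},
     "attrs": {"action": "continue", "acl": ["permit tcp any host 10.0.0.5 eq 3389"]}},
    {"name": "No-AV", "priority": 1,
     "criteria": {"endpoint.av_running": False},
     "attrs": {"action": "terminate", "message": "Antivirus is not running"}},
]

ACTION_RANK = {"continue": 0, "terminate": 1}  # higher rank is more restrictive

def select_records(session, records=DAP_RECORDS):
    """A record matches when every one of its criteria equals the session's
    endpoint/AAA value; matches are ordered by priority (lowest first)."""
    matched = [r for r in records
               if all(session.get(k) == v for k, v in r["criteria"].items())]
    return sorted(matched, key=lambda r: r["priority"])

def build_dap(session, records=DAP_RECORDS):
    """Aggregate the matched records into one policy: the most restrictive
    action wins, ACL entries are concatenated in priority order, and any
    other attribute is taken from the highest-priority record that sets it."""
    policy = {"action": "continue", "acl": [], "records": []}
    for rec in select_records(session, records):
        policy["records"].append(rec["name"])
        for key, value in rec["attrs"].items():
            if key == "action":
                if ACTION_RANK[value] > ACTION_RANK[policy["action"]]:
                    policy["action"] = value
            elif key == "acl":
                policy["acl"].extend(value)
            else:
                policy.setdefault(key, value)
    return policy

if __name__ == "__main__":
    print(build_dap({"aaa.group": "employees", "endpoint.av_running": False}))
```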
Comprehensive Endpoint Security
Dynamic Access Policies (DAP)
[ASDM screenshot: adding AAA attributes and endpoint attributes to a DAP record]
Comprehensive Endpoint Security
Dynamic Access Policies (DAP)
[ASDM screenshot: selecting specific endpoint attributes]
Note: These drop-down menus will only show up after enabling CSD and enabling Host Scan Endpoint Assessment under CSD. You can disable CSD after enabling Host Scan and applying it.
Cisco Secure Desktop (Secure Vault)
How it Works
[Diagram: an employee-owned desktop connecting over clientless SSL VPN to an ASA 5500, which pushes Cisco Secure Desktop to the endpoint]
Step One: A user on the road connects to the concentrator and the Cisco Secure Desktop is pushed down to the endpoint automatically.
Step Two: An encrypted sandbox or hard drive partition is created for the user to work in.
Step Three: The user logs in.
Step Four: At logout, the virtual desktop that the user has been working in is eradicated and the user is notified.
Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session, auto-timeout will close the session and erase session information.
Cisco Secure Desktop
Machine Scan
[Screenshot of the CSD machine scan]
Cisco Secure Desktop
Login Page (After Scan)
[Screenshot of the login page shown after the scan]
Cisco Secure Desktop
Access Restricted
[Screenshot of the access restricted page]
Cisco Secure Desktop
Access Denied
[Screenshot of the access denied page]
Onscreen (Virtual) Keyboard
Helps reduce the risk associated with keystroke loggers.
This can be applied to the password field on the clientless SSL VPN login page or on any page that requires username/password authentication.
This only applies to the password entry field.
Cisco ASA 5500 Series Product Lineup
Solutions Ranging from SMB to Large Enterprise

| | Cisco ASA 5505 | Cisco ASA 5510 | Cisco ASA 5520 | Cisco ASA 5540 | Cisco ASA 5550 | Cisco ASA 5580/20 | Cisco ASA 5580/40 |
| Network Location | Teleworker / Branch Office / SMB | Internet Edge | Internet Edge | Internet Edge | Internet Edge / Campus | Data Center / Campus | Data Center / Campus |
| Max Connections | 25,000 | 130,000 | 280,000 | 400,000 | 650,000 | 1,000,000 | 2,000,000 |
| Packets/Sec | 85,000 | 190,000 | 320,000 | 500,000 | 600,000 | 2,500,000 | 4,000,000 |

Performance
| Max Firewall | 150 Mbps | 300 Mbps | 450 Mbps | 650 Mbps | 1.2 Gbps | 6.5 Gbps | 14 Gbps |
| Max Firewall + IPS | Future | 300 Mbps | 375 Mbps | 450 Mbps | N/A | N/A | N/A |
| Max IPsec VPN | 100 Mbps | 170 Mbps | 225 Mbps | 325 Mbps | 425 Mbps | 1 Gbps | 1 Gbps |
| Max IPsec/SSL Peers | 25/25 | 250/250 | 750/750 | 5000/2500 | 5000/5000 | 10,000/10,000 | 10,000/10,000 |

Platform Capabilities
| Base I/O | 8-port FE switch | 5 FE | 4 GE + 1 FE | 4 GE + 1 FE | 8 GE + 1 FE | 10 GE + 2x10GE | 10 GE + 2x10GE |
| VLANs Supported | 3/20 (trunk) | 50/100 | 150 | 200 | 250 | 250 | 250 |
| HA Supported | Stateless A/S (Sec Plus) | A/A and A/S (Sec Plus) | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S | A/A and A/S |
| VPN Load Balancing | No | Sec Plus/8.0 | Yes | Yes | Yes | Yes | Yes |