Security TechUpdate
André Lambertsen
ala@cisco.com
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
The Cisco products, services or features identified in
this document may not yet be available or may not be
available in all areas and may be subject to change
without notice. Consult your local Cisco business
contact for information on the products or services
available in your area. You can find additional
information via Cisco’s World Wide Web server at
http://www.cisco.com. Actual performance and
environmental costs of Cisco products will vary
depending on individual customer configurations and
conditions.
Agenda
• ASA 5500
  – SSL VPN, AnyConnect VPN Client v2.0, ASDM v6.0
• NAC Appliance 4.1.x
• 2nd Generation MARS
• GET VPN
ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500 Adaptive Security Appliances
Delivering Leading Threat Defense and VPN Services
Provides converged threat defense, flexible secure connectivity, minimized operating costs, and an adaptive design to combat future threats.
Market-Leading Firewall Services
• Integrates and extends the #1 deployed firewall technology from Cisco PIX Security Appliances
• Built upon the experience of over one million PIX deployed worldwide and 10+ years of innovation
Market-Leading IPS Services
• Integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 Series
• Provides comprehensive security against directed attacks and many other threats
Market-Leading VPN Services
• Integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services
Market-Leading Anti-X Services
• Integrates and extends the #1 deployed gateway content security technology to protect against viruses, spyware, spam, phishing, and websites that impact employee productivity
Cisco ASA 5500 Series Enterprise Editions
A Family of Tailored Packages for Location-Specific Needs
• Cisco ASA 5500 Firewall Edition
• Cisco ASA 5500 SSL & IPsec VPN Edition
• Cisco ASA 5500 IPS Edition
• Cisco ASA 5500 Anti-X Edition
• Enables standardization on the Cisco ASA 5500 Series to reduce costs in management, training, and sparing
• Superior protection by providing the right services for the right location
• Simplifies design and deployment by providing pre-packaged, location-specific security solutions
Remote Access VPN
Secure Connectivity Everywhere
Extending the Self-Defending Network
(Diagram: remote users connect across the public Internet to an ASA 5500, using either clientless SSL VPN or a client-based SSL or IPsec VPN)
• Partners / Consultants: controlled access to specific resources and applications
• Mobile Workers: easy access to corporate network resources
• Roamers, Day Extenders / Home Office: seamless access to applications from unmanaged endpoints
Day extenders and mobile employees require consistent, LAN-like, full-network access to corporate resources and applications.
SSL VPN
– Clientless
– Thin Client
– Full Tunnel
SSL VPN Clientless Login
SSL VPN Clientless
SSL VPN Clientless
Content Rewriting and Application Translation
• Uses a standard browser; nothing is installed on the endpoint
• The appliance proxies HTTP(S) over the SSL connection and rewrites the content it returns, so that every link points back at the appliance rather than at the internal server
• Limited to web content:
  – HTML pages
  – Web-based (webified) applications
• For application translation, the VPN appliance "webifies" the application:
  – Translates the protocol to HTTP
  – Requires detailed application knowledge
  – Delivers an HTML look-and-feel
  – Extends use to some non-web applications, e.g. CIFS (NT and Active Directory file sharing)
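The rewriting step above is easiest to see in code. The following is an added Python illustration, not Cisco's rewriter (which is proprietary and handles far more cases): it turns the link targets in a page served by an internal host into links that point back at the appliance, so that the browser never addresses the internal host directly. The portal name vpn.example.com, the /proxy/<scheme>/<host>/<path> convention and the sample page are all assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Portal hostname and proxy path prefix: assumptions of this example, not the
# appliance's real URL scheme.
PORTAL = "vpn.example.com"
PREFIX = "/proxy"

# HTML attributes whose values the browser will fetch or submit to.
URL_ATTRS = ("href", "src", "action")
_ATTR_RE = re.compile(
    r'\b(?P<attr>' + "|".join(URL_ATTRS) + r')=(?P<q>["\'])(?P<url>.*?)(?P=q)',
    re.IGNORECASE | re.DOTALL,
)
# Targets that must not be proxied: fragments, mail links, inline script, data URLs.
_SKIP_RE = re.compile(r"^(#|mailto:|javascript:|data:)", re.IGNORECASE)


def to_portal(url: str, base_scheme: str, base_host: str) -> str:
    """Map one URL onto the portal.

    https://intranet/app/x -> https://vpn.example.com/proxy/https/intranet/app/x
    /app/x (root-relative)  -> https://vpn.example.com/proxy/<scheme>/<host>/app/x
    Skipped targets are returned unchanged; a relative path is also returned
    unchanged because the browser resolves it against the already-rewritten
    page URL, which keeps it on the portal.
    """
    if _SKIP_RE.match(url):
        return url
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        scheme, host, path = parts.scheme, parts.netloc, parts.path or "/"
    elif url.startswith("/"):
        scheme, host, path = base_scheme, base_host, parts.path
    else:
        return url
    return urlunsplit(("https", PORTAL, f"{PREFIX}/{scheme}/{host}{path}",
                       parts.query, parts.fragment))


def rewrite_html(body: str, base_scheme: str, base_host: str) -> str:
    """Rewrite every href/src/action attribute value in an HTML document.
    A URL assembled at run time inside <script> is not an attribute value and
    is therefore left untouched; that gap is what per-application translation
    (and, in 8.0, APCF profiles) exists to close."""
    def repl(m):
        new = to_portal(m.group("url"), base_scheme, base_host)
        return f'{m.group("attr")}={m.group("q")}{new}{m.group("q")}'
    return _ATTR_RE.sub(repl, body)


def rewrite_location(header_value: str, base_scheme: str, base_host: str) -> str:
    """A redirect from the internal server must be rewritten as well, or the
    browser would follow it straight to the internal host and fail."""
    return to_portal(header_value, base_scheme, base_host)


# Constructed sample page from an internal server (not captured traffic).
SAMPLE_HTML = """<html><body>
<a href="/reports/q3.html">Q3 report</a>
<img src="http://files.corp.example/logo.png">
<form action="https://hr.corp.example/login" method="post"></form>
<a href="#top">top</a> <a href="mailto:it@corp.example">mail</a>
<script>location.href = 'http://' + srv + '/dyn';</script>
</body></html>"""

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_HTML, "https", "intranet.corp.example"))
    print(rewrite_location("http://intranet.corp.example/home?x=1",
                           "https", "intranet.corp.example"))
```

Two things the example shows that the slide only implies: redirects (the Location header) need the same treatment as the page body, and a URL built inside a script is invisible to an attribute rewriter, which is why the appliance carries application-specific translation logic.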
SSL VPN: Smart Tunnel and Port Forwarding
"Thin" or "Enhanced" Client
• A local "thin" client acts as a proxy: it tunnels and forwards application traffic
• Often used alongside clientless SSL VPN as a helper application
• Delivered via Java from the VPN appliance
• Some system permissions may be required, particularly for hostname mapping (the port forwarder must make application hostnames resolve to the local proxy)
• Use the "Smart Tunnel" stub where port forwarding is not desirable
SSL VPN Tunnel Client
Persistent "Thick", "Full Tunneling", or "Tunnel" Client
• Traditional-style client delivered via automatic download (ActiveX, Java, and/or EXE)
• Requires administrative privileges for the initial install
• Stub installer / MSI package
• Permanent or temporary installation
• Provides access similar to IPsec:
  – Better accessibility through firewalls and NAT
  – Smaller installation package
• No reboots required
For End-Users, Access for All Applications
Cisco VPN Client Comparison

                      | Cisco VPN Client  | Cisco AnyConnect VPN Client                          | Cisco SSL VPN Client
Approximate size      | 10 MB             | 3 MB                                                 | 400 KB
Initial install       | Distribute        | Auto download or distribute                          | Auto download or distribute
Admin rights required | Yes               | Initial installation only (MSI available on Windows) | Initial installation only (stub installer available)
Protocol              | IPsec             | DTLS, TLS (HTTPS), selected automatically            | TLS (HTTPS)
OS support            | Multiple*         | Multiple**                                           | Windows 2000/XP
Head end              | ASA/PIX/3K/IOS    | ASA/IOS                                              | ASA/3K/IOS

* Windows 2000 / XP x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris
** Windows 2000 / XP x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x; Windows Mobile 5 & 6 support planned. Non-Windows support and alternate connection modes are an additive license; DTLS requires ASA 8.0 or later.
Clientless Application Support
Cisco ASA 5500 v8.0
Significant Enhancements in Clientless SSL VPN (new in 8.0)
• Precise, granular access control to specific resources
• Enhanced portal design: localizable, RSS feeds, personal bookmarks, AnyConnect client access
• Drag-and-drop file access and webified file transport
• Transformation enhancements, including Flash support
• Head-end-deployed applets for Telnet, SSH, RDP and VNC; the framework supports additional plug-ins
• Advanced port forwarder for Windows (Smart Tunnel) reaches TCP applications without admin privileges on the client PC
Clientless SSL VPN: Client/Server Plug-ins
Details
• Support for a number of common TCP applications via Java plug-ins, such as:
  – Windows Terminal Server (RDP)
  – Telnet and SSH
  – VNC
  – Citrix Java Presentation Server Client (plug-in loaded by the administrator)
• A resource is defined as a URL with the appropriate protocol type, e.g. rdp://server:port
• Support for these third-party applications is delivered as packaged single-archive files in .jar format
• The extensible plug-in mechanism may provide support for additional applications in the future
Clientless SSL VPN: Client/Server Plug-ins
Details, cont.
• Clicking a resource link generates a dynamic page that hosts the Java applet(s).
• The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco's helper agent. Because they are re-signed, the browser's trust decision is about the appliance's signing certificate, not the original publisher's.
• The Java applet(s) are transparently cached in the ASA cache.
Clientless SSL VPN
Clientless File Access
• Access to FTP file shares in addition to CIFS (Common Internet File System)
• Web folders for Internet Explorer (native Windows Explorer file access)
Clientless SSL VPN
Smart Tunnel

  smart-tunnel list list application path [hash]

Smart Tunnels are application-level port forwarding: a connection between a Winsock 2, TCP-based application on the client and the private site, carried inside a clientless (browser-based) SSL VPN session.
You specify which client applications are granted smart tunnel access (e.g. Sametime, an SSH client). The optional hash pins the entry to a specific executable, so a different binary renamed to the same filename does not inherit the access.
SSL VPN loads a stub into each process spawned by an authorized application and intercepts its socket calls to redirect them via the ASA.
This can be used where other methods such as AnyConnect or port forwarding cannot be used.
Requires a browser with ActiveX, Java or JavaScript support; supported on 32-bit operating systems only, such as Windows XP and 2000.
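The optional hash at the end of a smart-tunnel list entry is the one control that ties the grant to a specific binary rather than to a filename. As an added illustration, not Cisco's stub or CLI code, the Python below computes that value (a SHA-1 checksum of the executable, the algorithm the ASA configuration guide names for this field), renders the CLI line, and models the allow/deny decision for a pinned versus an unpinned entry. The list name, application name and the byte strings standing in for executables are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SmartTunnelEntry:
    """One line of a smart-tunnel list:
        smart-tunnel list <list> <application> <path> [hash]
    `path` is the executable filename the stub may attach to; `sha1` is the
    optional checksum that pins the entry to one specific build of that file."""
    list_name: str
    application: str
    path: str
    sha1: Optional[str] = None


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the executable's contents: the value placed in the hash field."""
    return hashlib.sha1(data).hexdigest()


def cli_line(entry: SmartTunnelEntry) -> str:
    """Render the entry as the CLI line an administrator would paste."""
    parts = ["smart-tunnel list", entry.list_name, entry.application, entry.path]
    if entry.sha1:
        parts.append(entry.sha1)
    return " ".join(parts)


def decide(entry: SmartTunnelEntry, exe_name: str, exe_bytes: bytes) -> bool:
    """Model of the client-side decision (this example's logic, not the stub's):
    the filename must match (Windows filenames are case-insensitive), and when a
    hash is configured the file contents must match it as well."""
    if exe_name.lower() != entry.path.lower():
        return False
    if entry.sha1 is None:
        return True
    return sha1_hex(exe_bytes) == entry.sha1.lower()


# Constructed stand-ins for executables (not real binaries).
LEGIT_PUTTY = b"MZ...PuTTY release 0.60 (stand-in bytes)"
ROGUE_PUTTY = b"MZ...unrelated program renamed to putty.exe (stand-in bytes)"

UNPINNED = SmartTunnelEntry("Admins", "PuTTY", "putty.exe")
PINNED = SmartTunnelEntry("Admins", "PuTTY", "putty.exe", sha1_hex(LEGIT_PUTTY))

if __name__ == "__main__":
    print(cli_line(UNPINNED))
    print(cli_line(PINNED))
    for label, entry in (("unpinned", UNPINNED), ("pinned", PINNED)):
        print(label, "legit:", decide(entry, "putty.exe", LEGIT_PUTTY),
              "rogue:", decide(entry, "PUTTY.EXE", ROGUE_PUTTY))
```

Without the hash, any program dropped on the endpoint as putty.exe inherits tunnel access to the private network; with it, only the build whose checksum was recorded does, at the cost of re-recording the hash whenever the application is patched.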
Clientless SSL VPN
ActiveX Relay
ActiveX relay provides tunnel support for applications outside the browser during a clientless SSL VPN session (an on-demand tunnel), without the overhead of administrator pre-configuration.
ActiveX relay and Smart Tunnel share the same core technology.
Clientless SSL VPN
Application Profile Customization Framework (APCF)
• Allows the security appliance to handle non-standard applications and web resources so they display correctly over a Clientless SSL VPN connection, where the generic content rewriter alone is not enough.
• Profiles
  – An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application.
  – The script is XML and uses sed (stream editor) syntax to transform strings/text.
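To make the when/where/what structure concrete, here is an added Python model of an APCF-style profile engine; it is this example's own code, not the appliance's, and the XML element names, the profile, the hosts and the response fragments are constructed for it. It parses a profile into entities bound to a processing stage with host and URI conditions, translates each sed s-command into a regular-expression substitution, and applies the matching entities to a JavaScript body and to a Set-Cookie header.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Illustrative profile. Element names follow the when/where/what dimensions the
# slide lists; they are this example's own, not Cisco's schema.
PROFILE_XML = r"""<APCF>
  <application>
    <id>Intranet app that builds URLs in script</id>
    <apcf-entities>
      <postprocess-response-body>
        <conditions>
          <server-fnmatch>*.corp.example</server-fnmatch>
          <uri-regx>.*\.js$</uri-regx>
        </conditions>
        <action><do>
          <sed-script>s#http://app\.corp\.example#https://vpn.example.com/proxy/http/app.corp.example#g</sed-script>
        </do></action>
      </postprocess-response-body>
      <process-response-header>
        <conditions><server-fnmatch>*.corp.example</server-fnmatch></conditions>
        <action><do><sed-script>s/;\s*Domain=[^;]*//i</sed-script></do></action>
      </process-response-header>
    </apcf-entities>
  </application>
</APCF>"""

# sed substitute command with any single-character delimiter: s<d>pat<d>repl<d>[gi]
_SED_S = re.compile(r"^s(?P<d>.)(?P<pat>.*?)(?<!\\)(?P=d)(?P<repl>.*?)(?<!\\)(?P=d)(?P<flags>[gi]*)$")

def _to_python_repl(repl: str, delim: str) -> str:
    r"""sed replacement -> re.sub replacement: & is the whole match, \& and an
    escaped delimiter are literals, \1.. group references pass through."""
    out, i = [], 0
    while i < len(repl):
        c = repl[i]
        if c == "\\" and i + 1 < len(repl):
            nxt = repl[i + 1]
            out.append(nxt if nxt in (delim, "&") else c + nxt)
            i += 2
        else:
            out.append(r"\g<0>" if c == "&" else c)
            i += 1
    return "".join(out)

@dataclass
class SedCommand:
    regex: object   # compiled pattern
    repl: str
    count: int      # 0 = every occurrence (g flag), 1 = first occurrence only

def parse_sed(script: str) -> SedCommand:
    m = _SED_S.match(script)
    if not m:
        raise ValueError(f"unsupported sed command: {script!r}")
    flags = re.IGNORECASE if "i" in m.group("flags") else 0
    return SedCommand(re.compile(m.group("pat"), flags),
                      _to_python_repl(m.group("repl"), m.group("d")),
                      0 if "g" in m.group("flags") else 1)

@dataclass
class Entity:
    stage: str   # when/where hook, e.g. postprocess-response-body
    server_globs: List[str] = field(default_factory=list)
    uri_regexes: List[object] = field(default_factory=list)
    commands: List[SedCommand] = field(default_factory=list)

    def matches(self, host: str, uri: str) -> bool:
        host_ok = not self.server_globs or any(fnmatch.fnmatch(host, g) for g in self.server_globs)
        uri_ok = not self.uri_regexes or any(r.match(uri) for r in self.uri_regexes)
        return host_ok and uri_ok

def load_profile(xml_text: str) -> List[Entity]:
    entities = []
    for node in ET.fromstring(xml_text).find("application/apcf-entities"):
        e = Entity(stage=node.tag)
        e.server_globs = [c.text.strip() for c in node.findall("conditions/server-fnmatch")]
        e.uri_regexes = [re.compile(c.text.strip()) for c in node.findall("conditions/uri-regx")]
        e.commands = [parse_sed(s.text.strip()) for s in node.findall("action/do/sed-script")]
        entities.append(e)
    return entities

def apply_stage(entities: List[Entity], stage: str, host: str, uri: str, text: str) -> str:
    """Run, in profile order, the sed commands of every entity bound to this
    stage whose conditions match the request being proxied."""
    for e in entities:
        if e.stage == stage and e.matches(host, uri):
            for cmd in e.commands:
                text = cmd.regex.sub(cmd.repl, text, count=cmd.count)
    return text

# Constructed response fragments (not captured traffic).
JS_BODY = 'var base = "http://app.corp.example"; load(base + "/api/data");'
SET_COOKIE = "Set-Cookie: SID=abc123; Domain=.corp.example; Path=/; HttpOnly"

if __name__ == "__main__":
    ents = load_profile(PROFILE_XML)
    print(apply_stage(ents, "postprocess-response-body", "app.corp.example", "/static/app.js", JS_BODY))
    print(apply_stage(ents, "process-response-header", "app.corp.example", "/login", SET_COOKIE))
```

The first rule fixes the URL the generic rewriter cannot see because it is built inside a script; the second drops the Domain attribute from a cookie so the browser scopes it to the portal host. Conditions matter as much as scripts: a rule without a server or URI restriction rewrites every response that passes through that stage.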
Clientless SSL VPN
Virtual Keyboard
Cisco AnyConnect VPN Client
Cisco AnyConnect VPN Client
Access for All Applications
• Extends the in-office experience: LAN-like full-network access; supports latency-sensitive applications such as voice (via DTLS transport)
• Access across platforms: Windows 2000 / XP (x86/x64) / Vista (x86/x64); Mac OS X 10.4 & 10.5; Linux Intel; Windows Mobile 5 Pocket PC Edition (coming soon)
• Always up to date: remotely installable and configurable to minimize user demands
• No-hassle connections: no reboots required; stand-alone, Web Launch, or portal connection; Start Before Login (2000/XP); MSI Windows pre-installation package
Cisco AnyConnect VPN Client
GUI Details (screenshots: connection window and statistics)
Cisco AnyConnect VPN Client
Datagram Transport Layer Security (DTLS)
Limitations of TLS (HTTPS/SSL) for SSL VPN tunnels
• TLS tunnels TCP/IP over TCP/443.
• TCP requires retransmission of lost packets.
• When a packet is lost, both the application's TCP connection and the tunnel's TCP connection retransmit, so one loss is paid for twice and the inner connection's timers compound the delay (the TCP-over-TCP problem).
DTLS solves the TCP-over-TCP problem
• DTLS replaces the underlying transport TCP/443 with UDP/443.
• DTLS uses the TLS connection to negotiate and establish the DTLS session (control messages and key exchange).
• Only the tunneled datagrams travel over DTLS; a lost datagram is left for the inner protocol to handle, as on a native IP network.
Other benefits
• Low latency for real-time applications.
• DTLS is optional and automatically falls back to TLS (HTTPS), for example where UDP/443 is blocked along the path.
Authentication
For Administrators, Simple, Precise Control
Enhanced authentication choices
• Ability to require users to authenticate with both a certificate and a username/password
• Ability to prompt a user for an internal (domain) username and password in addition to a One-Time Password (OTP) or other dynamic credential. The internal credential is stored for subsequent use and is not validated at login time.
• Generic LDAP support provides compatibility with both OpenLDAP and Novell
For Administrators, Simple, Precise Control
Per-user, fine-grained application and resource access
• Flexible access control based on policy
  – Access decisions combine user, group, and device posture to determine appropriate resource access
  – Granular SSL VPN configuration restricts or allows access to specific resources per user, per login, per policy
  – Embedded Certificate Authority (CA)
  – Assessment and control can use Start Before Login (SBL)
  – VLAN mapping leverages network policy
• Control for unsecured devices
  – New onscreen (virtual) keyboard option
  – Cisco Secure Desktop (CSD) supports hundreds of products plus custom checks
Single Sign-on
Single Sign-on for Clientless VPN
• Lets clientless users enter a username and password only once to access multiple protected services and web servers
• Starts as part of the AAA process or just after successful user authentication to an AAA server
• Single sign-on methods supported:
  – SSO with WebVPN (Auth Web Server)
  – SSO with CA eTrust SiteMinder (formerly Netegrity SiteMinder)
  – SSO with HTTP Form Protocol
  – SSO with NTLMv1 authentication
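The HTTP Form Protocol method listed above works by having the appliance replay the user's credentials into the application's own login form and then checking for the session cookie the administrator has named. Below is an added Python illustration of that exchange, not Cisco's implementation; the login page, URLs, parameter names and cookies are constructed for the example, and the network calls are left out so it runs offline.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode, urljoin


class LoginFormParser(HTMLParser):
    """Collect the first <form>'s action/method and all its named inputs,
    hidden fields (anti-CSRF tokens, view state) included."""

    def __init__(self) -> None:
        super().__init__()
        self.action: Optional[str] = None
        self.method = "get"
        self.fields: Dict[str, str] = {}
        self._in_form = False
        self._done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._done:
            self._in_form = True
            self.action = a.get("action")
            self.method = (a.get("method") or "get").lower()
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form, self._done = False, True


def build_sso_post(login_page_url: str, login_html: str, user_field: str,
                   pass_field: str, username: str, password: str) -> Tuple[str, str]:
    """Return (post_url, form_body) for the gateway to submit on the user's behalf.
    Only the configured username/password parameters are replaced; every other
    field is replayed as served so the application's own checks still pass."""
    p = LoginFormParser()
    p.feed(login_html)
    if p.action is None or p.method != "post":
        raise ValueError("no POST login form found")
    if user_field not in p.fields or pass_field not in p.fields:
        raise ValueError("configured credential parameters not present in form")
    data = dict(p.fields)
    data[user_field] = username
    data[pass_field] = password
    return urljoin(login_page_url, p.action), urlencode(data)


def session_cookie(set_cookie_headers: List[str], expected_name: str) -> Optional[str]:
    """Success check: the response must set the cookie the administrator named
    as the application's authenticated-session cookie."""
    for h in set_cookie_headers:
        c = SimpleCookie()
        c.load(h)
        if expected_name in c:
            return c[expected_name].value
    return None


# Constructed login page and response headers (not captured traffic).
LOGIN_PAGE_URL = "https://hr.corp.example/login"
LOGIN_HTML = """<html><body>
<form action="/auth/do_login" method="post">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form></body></html>"""
RESPONSE_SET_COOKIE = ["JSESSIONID=9F2A; Path=/; Secure; HttpOnly", "lang=en; Path=/"]

if __name__ == "__main__":
    url, body = build_sso_post(LOGIN_PAGE_URL, LOGIN_HTML, "user", "pass", "alice", "s3cret")
    print(url, body)
    print(session_cookie(RESPONSE_SET_COOKIE, "JSESSIONID"))
```

The gateway necessarily holds the user's reusable password in order to replay it, which makes the appliance and its administrators custodians of application credentials; hidden fields must be replayed unchanged so the application's own anti-CSRF or view-state checks still pass, and success is the presence of the named cookie, not an HTTP 200.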
Remote Access Termination in VLAN
VLAN Mapping
User/Group-based policies
• Map users to a group based on role
• Use the group policy to restrict the egress VLAN (diagram: group policy pins a session's egress to a VLAN, e.g. vlan 10, separating Internal Resources from Shared Resources)
VLAN Mapping, cont.
• For more complex network topologies, note that the ASA does not support more than one default route with the same metric out of two different interfaces.
• The workaround is to assign a different metric to each default route (interface name, destination, mask, next hop, metric):

  route outside 0.0.0.0 0.0.0.0 <Internet_rtr_IP> 1
  route vrf1 0.0.0.0 0.0.0.0 <vrf1_IP> 2
  route vrf2 0.0.0.0 0.0.0.0 <vrf2_IP> 3
  route vrf3 0.0.0.0 0.0.0.0 <vrf3_IP> 4
  route vrf4 0.0.0.0 0.0.0.0 <vrf4_IP> 5
  route vrf5 0.0.0.0 0.0.0.0 <vrf5_IP> 6
ASDM 6.0
Cisco ASDM v6.0 Overview
• Cisco ASDM v6.0 is the integrated graphical interface of the Cisco ASA and PIX Security Appliances
• ASDM delivers full device management, including:
  – Rapid configuration, enabled by an intuitive graphical user interface, wizards, and the ASDM Assistant
  – Powerful diagnostics, including the Real-Time Log Viewer, Packet Tracer, and Packet Capture
  – Real-time monitoring provided by dynamic dashboards, table views, and traffic graphing
Cisco ASDM 6.0
Cisco ASDM Feature Highlights
• Redesigned interface
• Security Dashboards
• Packet Tracer
• Packet Capture Wizard
• Upgrade Wizard
Cisco ASDM Feature Highlights
• In-place and drag-and-drop rule editing
• Real-Time Log Viewer
Cisco ASDM Packet Tracer
Live Tool to Determine the Day in the Life of a Packet
Packet tracing injects virtual packets through the system to audit policy configuration and enforcement: the trace shows which policy checks a packet passes or fails, without putting real traffic on the wire.
Benefits
• Enables policy tuning and refining
• Enables rapid troubleshooting
• Simplifies fault isolation in complex policy environments
• First proactive debugging tool
Cisco ASDM Packet Capture
Powerful protocol analysis with third-party tools (captures are exported for analysis in external protocol analyzers)
Cisco ASDM Wizards
• Startup Wizard
• IPsec VPN Wizard
• SSL VPN Wizard
• High Availability & Scalability Wizard
• Packet Capture Wizard
• Software Upgrade Wizard
Cisco ASDM Dashboards
• Device Dashboard
• Firewall Dashboard
Cisco ASDM Feature Highlights
• Advanced policy creation for Cisco Secure Desktop
Cisco SSL VPN Summary
Simple and Secure Access from Anywhere
• Broad access from anywhere
• User-friendly interfaces
• World-class security
• Flexible, controlled access options
• Intuitive management
• Fully integrated with the Cisco Self-Defending Network
www.cisco.com/go/sslvpn
Other New Features
Enterprise-Class Resilient Security
Maximizes Uptime (diagram: Active/Active failover pair)
• Comprehensive multi-level resiliency protecting business continuity against component, link, or system failure
• Now includes redundant interface support for greater availability (new in 8.0)
• Full state synchronization, including multimedia and voice protocols, maximizes uptime for mission-critical applications
• Improved business continuity with zero-downtime upgrades
• Higher system reliability than software-on-server solutions; the Cisco ASA has twice the MTBF* of a server-based solution:
  – Typical server: MTBF of 50K–65K hours
  – Cisco ASA: MTBF of 100K–150K hours
• Tightly integrated high-availability services for the firewall ease deployment and administration compared with third-party approaches
• Rapid deployment through the user-friendly High Availability Wizard
* MTBF calculation based on Telcordia (Bellcore) SR-332.
Enhancing Cisco ASA 5500 Series
High Availability with Redundant Interfaces
(Diagram, before: each ASA in the Pri/Active and Sec/Standby pair reaches Network A and Network B over a single trunk, so one link failure forces a failover. After: redundant interfaces pair two physical ports into one logical interface per network, so a link failure is absorbed by the redundant interface without failover.)
Intelligent Network Integration
Provides Seamless Integration into Next-Gen Networks
Advanced Network Services
• Introduces multi-protocol object groups (TCP, UDP, and ICMP) for significantly simplified object management (new in 8.0)
• Supports EIGRP (new in 8.0), OSPF, and RIPv2 dynamic routing
• Provides QoS traffic prioritization for improved handling of latency-sensitive traffic
• Adds IPv6 support for hybrid IPv4/IPv6 network environments
• Delivers PIM sparse mode multicast support for streaming data delivery services, video conferencing, and other mission-critical real-time enterprise applications
(Figure: Quality of Service)
New Hardware
New Cisco ASA "5G" and "10G" Appliances
High Performance Firewall / VPN for the 10GE World
Cisco's highest-performance security appliances ever; available early fall 2007.
Product highlights:
• 5 and 10 Gbps of firewall throughput: 10 times the performance of existing ASA platforms
• 10,000 SSL VPN user support
• Architecture designed for scalable security performance and high availability
• GigE and 10GigE support
• Millions of total connections and policies (ACEs)
Cisco ASA "5G" and "10G" Platforms:
Performance and Interface Specifications
High-speed real-world performance
• 5 and 10 Gbps of firewall with real-world traffic
• 100,000+ connection setups per second
• Millions of packets per second at any traffic profile
• Maximum connections: 2,000,000
• Maximum policies (ACEs): 1,000,000
• 10,000+ VPN tunnels at multi-gigabit throughput
• Virtual context support
Interface density
• Supports up to 24 GE interfaces (copper and fiber Gigabit Ethernet)
• Supports up to 12 10GE SR interfaces
• Dedicated management interface
Q and A