SSL Remote Access VPNs

SSL Remote Access VPNs An introduction to designing and configuring SSL virtual private networks Jazib Frahim, CCIE (R) No. 5459 Qiang Huang, CCIE No. 4937 Cisco (R) SSL VPN solutions (formerly known as Cisco WebVPN solutions) give you a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet and a web browser. Remote access based on SSL VPN delivers secure access to network resources by establishing an encrypted tunnel across the Internet using a broadband (cable or DSL) or ISP dialup connection. SSL Remote Access VPNs provides you with a basic working knowledge of SSL virtual private networks on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPN in existing network infrastructures. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices. Common deployment scenarios are covered to assist you in deploying an SSL VPN in your network. SSL Remote Access VPNs gives you everything you need to know to understand, design, install, configure, and troubleshoot all the components that make up an effective, secure SSL VPN solution. Jazib Frahim, CCIE (R) No. 5459, is currently working as a technical leader in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for market-leading modular Ethernet switching platforms. During his time at Cisco, Qiang has played an important role in a number of technology groups, including the Cisco TAC security and VPN team, where he was responsible for trouble-shooting complicated customer deployments in security and VPN solutions. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP Dial. Understand remote access VPN technologies, such as Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling (L2TP) over IPsec, and SSL VPN Learn about the building blocks of SSL VPN, including cryptographic algorithms and SSL and Transport Layer Security (TLS) Evaluate common design best practices for planning and designing an SSL VPN solution Gain insight into SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS (R) routers Install and configure SSL VPNs on Cisco ASA and Cisco IOS routers Manage your SSL VPN deployment using Cisco Security Manager This security book is part of the Cisco Press (R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks. Category: Networking: Security Covers: SSL VPNs

Introduction Chapter 1: Introduction to Remote Access VPN Technologies Remote Access Technologies 5 IPsec 5 Software-Based VPN Clients 7 Hardware-Based VPN Clients 7 SSL VPN 7 L2TP 9 L2TP over IPsec 11 PPTP 13 Summary 14 Chapter 2: SSL VPN Technology Cryptographic Building Blocks of SSL VPNs 17 Hashing and Message Integrity Authentication 17 Hashing 18 Message Authentication Code 18 Encryption 20 RC4 21 DES and 3DES 22 AES 22 Diffie-Hellman 23 RSA and DSA 24 Digital Signatures and Digital Certification 24 Digital Signatures 24 Public Key Infrastructure, Digital Certificates, and Certification 25 SSL and TLS 30 SSL and TLS History 30 SSL Protocols Overview 31 OSI Layer Placement and TCP/IP Protocol Support 31 SSL Record Protocol and Handshake Protocols 33 SSL Connection Setup 34 Application Data 42 Case Study: SSL Connection Setup 43 DTLS 48 SSL VPN 49 Reverse Proxy Technology 50 URL Mangling 52 Content Rewriting 53 Port-Forwarding Technology 55 Terminal Services 58 SSL VPN Tunnel Client 58 Summary 59 References 60 Chapter 3: SSL VPN Design Considerations Not All Resource Access Methods Are Equal 63 User Authentication and Access Privilege Management 65 User Authentication 66 Choice of Authentication Servers 66 AAA Server Scalability and High Availability 67 AAA Server Scalability 67 AAA Server High Availability and Resiliency 68 Resource Access Privilege Management 68 Security Considerations 70 Security Threats 71 Lack of Security on Unmanaged Computers 71 Data Theft 71 Man-in-the-Middle Attacks 72 Web Application Attack 73 Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network 73 Split Tunneling 73 Password Attacks 74 Security Risk Mitigation 74 Strong User Authentication and Password Policy 75 Choose Strong Cryptographic Algorithms 75 Session Timeout and Persistent Sessions 75 Endpoint Security Posture Assessment and Validation 75 VPN Session Data Protection 76 Techniques to Prevent Data Theft 76 Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies 77 Device Placement 78 Platform Options 79 Virtualization 79 High Availability 80 Performance and Scalability 81 Summary 82 References 82 Chapter 4: Cisco SSL VPN Family of Products Overview of Cisco SSL VPN Product Portfolio 85 Cisco ASA 5500 Series 87 SSL VPN History on Cisco ASA 87 SSL VPN Specifications on Cisco ASA 88 SSL VPN Licenses on Cisco ASA 89 Cisco IOS Routers 90 SSL VPN History on Cisco IOS Routers 90 SSL VPN Licenses on Cisco IOS Routers 90 Summary 91 Chapter 5: SSL VPNs on Cisco ASA SSL VPN Design Considerations 93 SSL VPN Prerequisites 95 SSL VPN Licenses 95 Client Operating System and Browser and Software Requirements 96 Infrastructure Requirements 97 Pre-SSL VPN Configuration Guide 97 Enrolling Digital Certificates (Recommended) 98 Step 1: Configuring a Trustpoint 98 Step 2: Obtaining a CA Certificate 99 Step 3: Obtaining an Identity Certificate 100 Setting Up ASDM 101 Uploading ASDM 102 Setting Up the Appliance 103 Accessing ASDM 104 Setting Up Tunnel and Group Policies 106 Configuring Group-Policies 107 Configuring a Tunnel Group 110 Setting Up User Authentication 110 Clientless SSL VPN Configuration Guide 114 Enabling Clientless SSL VPN on an Interface 116 Configuring SSL VPN Portal Customization 117 Logon Page 118 Portal Page 123 Logout Page 125 Portal Customization and User Group 126 Full Customization 129 Configuring Bookmarks 134 Configuring Websites 135 Configuring File Servers 137 Applying a Bookmark List to a Group Policy 139 Single Sign-On 140 Configuring Web-Type ACLs 141 Configuring Application Access 144 Configuring Port Forwarding 144 Configuring Smart Tunnels 147 Configuring Client-Server Plug-Ins 150 AnyConnect VPN Client Configuration Guide 152 Loading the SVC Package 154 Defining AnyConnect VPN Client Attributes 155 Enabling AnyConnect VPN Client Functionality 155 Defining a Pool of Addresses 156 Configuring Traffic Filters 159 Configuring a Tunnel Group 159 Advanced Full Tunnel Features 159 Split Tunneling 159 DNS and WINS Assignment 161 Keeping the SSL VPN Client Installed 162 Configuring DTLS 163 Cisco Secure Desktop 164 CSD Components 165 Secure Desktop Manager 165 Secure Desktop 165 Cache Cleaner 166 CSD Requirements 166 Supported Operating Systems 166 User Privileges 167 Supported Internet Browsers 167 Internet Browser Settings 167 CSD Architecture 168 Configuring CSD 169 Loading the CSD Package 169 Defining Prelogin Sequences 170 Host Scan 182 Host Scan Modules 183 Basic Host Scan 183 Endpoint Assessment 183 Advanced Endpoint Assessment 184 Configuring Host Scan 184 Setting Up Basic Host Scan 184 Enabling Endpoint Host Scan 186 Setting Up an Advanced Endpoint Host Scan 187 Dynamic Access Policies 189 DAP Architecture 190 DAP Records 191 DAP Selection Rules 191 DAP Configuration File 191 DAP Sequence of Events 191 Configuring DAP 192 Selecting a AAA Attribute 193 Selecting Endpoint Attributes 195 Defining Access Policies 197 Deployment Scenarios 205 AnyConnect Client with CSD and External Authentication 206 Step 1: Set Up CSD 207 Step 2: Set Up RADIUS for Authentication 207 Step 3: Configure AnyConnect SSL VPN 208 Clientless Connections with DAP 209 Step 1: Define Clientless Connections 210 Step 2: Configuring DAP 211 Monitoring and Troubleshooting SSL VPN 212 Monitoring SSL VPN 212 Troubleshooting SSL VPN 215 Troubleshooting SSL Negotiations 215 Troubleshooting AnyConnect Client Issues 215 Troubleshooting Clientless Issues 217 Troubleshooting CSD 219 Troubleshooting DAP 219 Summary 220 Chapter 6: SSL VPNs on Cisco IOS Routers SSL VPN Design Considerations 223 IOS SSL VPN Prerequisites 225 IOS SSL VPN Configuration Guide 226 Configuring Pre-SSL VPN Setup 226 Setting Up User Authentication 226 Enrolling Digital Certificates (Recommended) 229 Loading SDM (Recommended) 232 Initial SSL VPN Configuration 235 Step 1: Setting Up an SSL VPN Gateway 237 Step 2: Setting Up an SSL VPN Context 239 Step 3: Configuring SSL VPN Look and Feel 241 Step 4: Configuring SSL VPN Group Policies 245 Advanced SSL VPN Features 247 Configuring Clientless SSL VPNs 247 Windows File Sharing 253 Configuring Application ACL 257 Thin Client SSL VPNs 259 Step 1: Defining Port-Forwarding Lists 261 Step 2: Mapping Port-Forwarding Lists to a Group Policy 262 AnyConnect SSL VPN Client 264 Step 1: Loading the AnyConnect Package 264 Step 2: Defining AnyConnect VPN Client Attributes 266 Cisco Secure Desktop 276 CSD Components 277 Secure Desktop Manager 277 Secure Desktop 277 Cache Cleaner 278 CSD Requirements 278 Supported Operating Systems 278 User Privileges 279 Supported Internet Browsers 279 Internet Browser Settings 279 CSD Architecture 280 Configuring CSD 281 Step 1: Loading the CSD Package 282 Step 2: Launching the CSD Package 283 Step 3: Defining Policies for Windows-Based Clients 283 Defining Policies for Windows CE 298 Defining Policies for the Mac and Linux Cache Cleaner 298 Deployment Scenarios 301 Clientless Connections with CSD 301 Step 1: User Authentication and DNS 302 Step 2: Set Up CSD 303 Step 3: Define Clientless Connections 303 AnyConnect Client and External Authentication 304 Step 1: Set Up RADIUS for Authentication 305 Step 2: Install the AnyConnect SSL VPN 306 Step 3: Configure AnyConnect SSL VPN Properties 306 Monitoring an SSL VPN in Cisco IOS 307 Summary 311 Chapter 7: Management of SSL VPNs Multidevice Policy Provisioning 314 Device View and Policy View 314 Device View 314 Policy View 318 Use of Common Objects for Multidevice Management 320 Workflow Control and Role-Based Access Control 322 Workflow Control 323 Workflow Mode 324 Role-Based Administration 326 Native Mode 326 Cisco Secure ACS Integration Mode 327 Summary 331 References 331 1587052423 TOC 5/13/2008