1 / 33

Cisco Secure Remote Architectures

Cisco Secure Remote Architectures. Bobby Acker – CCIE #19310. Session Topics. Client-Based Remote Access Using Anyconnect Clientless Access Using WebVPN Portals Endpoint Security Using Secure Desktop New ASA 8.0/ASDM 6.0 Features. Remote Access Using the Cisco Anyconnect Client.

traci
Télécharger la présentation

Cisco Secure Remote Architectures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cisco Secure Remote Architectures Bobby Acker – CCIE #19310

  2. Session Topics Client-Based Remote Access Using Anyconnect Clientless Access Using WebVPN Portals Endpoint Security Using Secure Desktop New ASA 8.0/ASDM 6.0 Features

  3. Remote Access Using the Cisco Anyconnect Client

  4. Secure Connectivity EverywhereExtending the Self-Defending Network Partners / Consultants Controlled access to specific resources and applications Client-based SSL or IPsec VPN Clientless SSL VPN Mobile Workers Easy access to corporate network resources Public Internet Clientless SSL VPN ASA 5500 Client-based SSL or IPsec VPN Day Extenders / Home Office Roamers Seamless access to applications from unmanaged endpoints Day extenders and mobile employees require consistent LAN-like, full-network access, to corporate resources and applications

  5. For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client for secure remote productivity • Extends the in-office experience • LAN-like full-network access, supports latency sensitive apps like voice (via DTLS transport) • Access across platforms • Windows 2K / XP (x86/x64) / Vista (x86/x64) • Mac OS X 10.4 & 10.5, Linux Intel • Windows Mobile 5 Pocket PC Edition (Coming soon) • Always up to date • Remotely installable and configurable to minimize user demands • No-hassle Connections • No reboots required • Stand-alone, Web Launch, Portal Connection • Start Before Login (2K/XP) • MSI – Windows Pre-installation package

  6. For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – GUI Details (Statistics)

  7. For End-Users, Access for All ApplicationsDatagram Transport Layer Security (DTLS) • Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels • TLS is used to tunnel TCP/IP over TCP/443 • TCP requires retransmission of lost packets • Both application and TLS wind up retransmitting when packet loss is detected. • DTLS solves the TCP over TCP meltdown problem • DTLS replaces underlying transport TCP/443 with UDP/443 • DTLS uses TLS to negotiate and establish DTLS connection (control messages and key exchange) • Datagrams only are transmitted over DTLS • Other benefits • Low latency for real time applications • DTLS is optional and will automatically fallback to TLS (HTTPS)

  8. For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – XML Profile (Start Before Login) … <ClientInitialization> <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon> <BackupServerList> <HostAddress>cvc-asa-02.company.com</HostAddress> <HostAddress>10.94.146.172</HostAddress> </BackupServerList> </ClientInitialization> <ServerList> <HostEntry> <HostName>CVC-ASA-02</HostName> <HostAddress>cvc-asa-02.company.com</HostAddress> </HostEntry> • The Client Initialization section represents global settings for the client. In some cases (e.g. BackupServerList) host specific overrides are possible. The Start Before Logon feature can be used to activate the VPN as part of the logon sequence. • Collection of one or more backup servers to be used in case the user selected one fails. Can be a FQDN or IP address.

  9. For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – Troubleshooting • Windows will utilize the Windows Event Viewer. Review the log messages in Cisco AnyConnect VPN Client. • Logging on Mac and Linux will utilize their ‘syslogs’ • Linux default location /var/log/messages • Mac location /var/log/system.log • Firewall port requirements – • UDP Port 443 (DTLS) • TCP Port 443 (HTTPS/SSL) • TLS will always be negotiated first, then it will further negotiate DTLS so you will see these messages in the log. • A SSL connection has been established using cipher xxxx. • A DTLS connection has been established using cipher xxxx.

  10. For End-Users, Access for All ApplicationsCisco AnyConnect VPN Client – Troubleshooting (Windows Event Viewer) • An example of how Windows Event Viewer will look.

  11. For End-Users, Access for All ApplicationsCisco VPN - Client comparison * Windows 2K / XP/ x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris ** Windows 2K/ X P x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5&6 support planned (additive license) – Non Windows support and alternate connection modes available, including DTLS for ASA 8.0+ only

  12. Clientless Access Using Cisco WebVPN Portals

  13. For End-Users, Seamless Access Anywhere Personalized application and resource access • Personalized homepage • Localizable, RSS feeds, personal bookmarks, etc. • Delivers web-based and traditional applications • Sophisticated web and other applications delivered seamlessly to the browser • SAML Single Sign-On (SSO) – verified with RSA Access Manager • Intuitive user experience • Drag and Drop file access and webified file transport • Delivers key applications beyond the browser • Smart Tunnels deliver more applications without admin privileges

  14. For End-Users, Seamless Access Anywhere Enhanced clientless interface, highly customizable Customizable Banner Message Customizable Banner Graphic Customizable Access Methods Customizable Links, Network Resource Access Customizable Colors and Sections

  15. For End-Users, Seamless Access Anywhere Clientless file access • Access for FTP file shares in addition to CIFS (Common Internet File System) • Webfolders for Internet Explorer (native Windows explorer file access)

  16. For End-Users, Seamless Access Anywhere Java Client/Server Plug-ins • Support for number of common TCP applications via Java plugins such as • Windows Terminal Server (RDP) • TELNET & SSH • VNC • Citrix Java Presentation Server Client (plug-in loaded by administrator) • Resource is defined as a URL with the appropriate protocol type, i.e. • rdp://server:port • Support for these third party applications exists in the form of packaged single archive files in the .jar file format. • Extensible plugin mechanism may provide support for additional applications in the future

  17. For End-Users, Seamless Access Anywhere Java Client/Server Plug-ins - Details • When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s). • The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent. • The Java applet(s) are transparently cached in the ASA cache.

  18. For Administrators, Visual ManagementASDM – SSL & IPsec Wizards For Administrators Separate wizards for SSL and IPsec VPN configuration

  19. For Administrators For Administrators, Visual ManagementNew SSL VPN Wizard - Details Specify authentication method Specify group policy to use or create a new one Specify a bookmark list for the Portal page Create or use an existing address pool and specify the AnyConnect image location

  20. Endpoint Security Using Cisco Secure Desktop

  21. Unique Security Challenges on the Endpoint SSL VPN Brings New Points of Attack Supply Partner Extranet Machine Employee at Home Unmanaged Machine Remote User Customer Managed Machine Before SSL VPN Session • Who owns the endpoint? • Endpoint security posture: AV, personal firewall? • Is malware running? During SSL VPN Session • Is session data protected? • Are typed passwords protected? • Has malware launched? Post SSL VPN Session • Browser cached intranet web pages? • Browser stored passwords? • Downloaded files left behind?

  22. Comprehensive EndPoint Security Cisco Secure Desktop (CSD) now supports checking for hundreds of pre-defined products, updated frequently Anti-virus, anti-spyware, personal firewall, and more Administrators can define custom checks including running processes Posture policy presented visually to simplify configuration and troubleshooting (Pre-login sequence and Dynamic Access Policies) Cisco Secure Desktop consists of four features: Host Scan (Windows) Advanced Endpoint Assessment provides remediation and periodic rechecking capabilities (licensed option) Secure Vault (Windows 2K/XP) Cache Cleaner (Windows, Mac OS X, and Linux)

  23. Supported Checks Registry check File check Certificate check Windows version check IP address check Leaf Nodes Login denied Location Subsequence Visual policy simplifies administrative configuration Cisco Secure Desktop Pre-login Decision Tree

  24. Comprehensive EndPoint SecurityDynamic Access Policies (DAP) • The Dynamic Access Policy (DAP) is defined as a collection of access control attributes associated with a specific tunnel or session. • The DAP is dynamically generated by selecting and/or aggregating attributes from one or more DAP records. • The DAP records are selected based on the endpoint security information of the remote device and/or the AAA authorization information of the authenticated user. • DAP will be generated and then applied to the user’s tunnel or session.

  25. Comprehensive EndPoint SecurityDynamic Access Policies (DAP) Add AAA attributes Add endpoint attributes

  26. Comprehensive EndPoint SecurityDynamic Access Policies (DAP) Specific endpoint attributes Note: These drop down menus will only show up after enabling CSD and enabling Host Scan Endpoint Assessment under CSD. You can disable CSD after enabling Host Scan and applying it.

  27. Cisco Secure Desktop (Secure Vault)How it Works Clientless SSL VPN Cisco Secure Desktop Step One: A user on the road connects with the concentrator and the Cisco Secure Desktop is pushed down to the endpoint automatically. Step Two: An encrypted sandbox or hard drive partition is created for the user to work in Step Three: The user logs in ASA 5500 Step Four: At Logout the Virtual Desktop that the user has been working in is eradicated and the user is notified Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session auto-timeout will close the session and erase session information Employee-Owned Desktop www…

  28. Cisco Secure DesktopMachine Scan

  29. Cisco Secure DesktopLogin Page (After Scan)

  30. Cisco Secure DesktopAccess Restricted

  31. Cisco Secure DesktopAccess Denied

  32. Onscreen (Virtual)Keyboard • Helps reduce the risk associated with keystroke loggers. • This can be applied to the password field on the clientless SSL VPN login page or on any page that requires username/password authentication. • This only applies to the password entry field.

  33. Cisco ASA 5500 Series Product LineupSolutions Ranging from SMB to Large Enterprise Cisco ASA 5505 Cisco ASA 5510 Cisco ASA 5520 Cisco ASA 5540 Cisco ASA 5550 Cisco ASA 5580/20 Cisco ASA 5580/40 Teleworker / Branch Office /SMB Internet Edge Internet Edge Internet Edge Campus Data CenterCampus Data CenterCampus Internet Edge Network Location Max Connections Packets/Sec 25,00085,000 130,000190,000 280,000320,000 400,000500,000 650,000 600,000 1,000,0002,500,000 2,000,0004,000,000 Performance Max Firewall Max Firewall + IPS Max IPsec VPN Max IPsec/SSL Peers 150 Mbps Future 100 Mbps 25/25 300 Mbps 300 Mbps 170 Mbps 250/250 450 Mbps 375 Mbps 225 Mbps 750/750 650 Mbps 450 Mbps 325 Mbps 5000/2500 1.2 Gbps N/A 425 Mbps 5000/5000 6.5 Gbps N/A 1 Gbps 10,000/10,000 14 Gbps N/A 1 Gbps 10,000/10,000 Platform Capabilities Base I/O VLANs Supported HA Supported VPN Load Balancing 8-port FE switch3/20 (trunk)Stateless A/S (Sec Plus) No 5 FE50/100A/A and A/S (Sec Plus) (Sec Plus/8.0) 4 GE + 1 FE150A/A and A/S Yes 4 GE + 1 FE200 A/A and A/S Yes 8 GE + 1 FE250 A/A and A/S Yes 10 GE + 2x10GE250 A/A and A/S Yes 10 GE + 2x10GE250 A/A and A/S Yes

More Related