ASA Remote Access VPN Technologies: SSL VPN, WebVPN, IPSec VPN
http://www.cisco.com/go/security
http://www.cisco.com/security
Tim Ryan – firstname.lastname@example.org
Security Consulting SE, CCIE, CISSP
Cisco ASA 5500 Series: Convergence of Robust, Market-Proven Technologies
Adaptive Threat Defense, Secure Connectivity
• Firewall Technology (Cisco PIX): Application Security (App Inspection, Use Enforcement, Web Control)
• IPS Technology (Cisco IPS) and Content Security (Trend Micro): IPS & Content Security Services (Malware/Content Defense, Anomaly Detection)
• VPN Technology (Cisco VPN 3000): Secure Connectivity (IPSec & SSL VPN)
• Network Intelligence (Cisco Network Services): Network Containment and Control (Traffic/Admission Control, Proactive Response)
Cisco ASA 5500 Series: Threat Protected VPN Services
Leveraging On-Board Security to Protect the VPN Threat Vector (threats carried by the remote access VPN user toward the ASA 5500: Worm/Virus, Spyware, Exploit, Unwanted Application, Illegal Access)
• Application Firewall and Access Control: Application Inspection/Control, Granular Per-User/Group Access Control, Protocol Anomaly Detection, Stateful Traffic Filtering
• Threat Mitigation: Incident Control, Virus Detection, Worm Mitigation, Spyware Detection
• Comprehensive Endpoint Security: Pre-Connection Posture Assessment, Malware Mitigation, Session/Data Security, Post-Session Clean-Up
• Accurate Enforcement: Real-Time Correlation, Risk Rating, Attack Drop, Session Removal and Resets
Leverages the depth of Threat Defense features to stop malicious worms, viruses, and more… and without external devices or performance loss!
VPN Technologies for Remote Clients
Encrypted Connection Protocols:
• SSL tunnel: uses the SSL protocol with RC4 or AES to encrypt data
• IPSec tunnel: uses the IPSec protocol with DES, 3DES or AES to encrypt data
Encrypted client options supported by the ASA:
• AnyConnect VPN Client (aka SVC): an SSL-based VPN client that is installed on a desktop and can tunnel any traffic
• WebVPN (aka Clientless VPN): uses the browser as the client, with the ASA acting as a proxy. It can tunnel HTTP/HTTPS traffic and a limited number of other supported protocols (CIFS, OWA, RDP, VNC, SSH, Telnet) via plugins
• Cisco VPN Client: an IPSec client that can tunnel any traffic except multicast
ASA VPN Configuration
The AnyConnect configuration document at the URL below is an excellent starting place for any ASA VPN configuration.
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Configure:
Step 1. Configure a Self-Issued Certificate
Step 2. Upload and Identify the SSL VPN Client Image
Step 3. Enable AnyConnect Access
Step 4. Create a new Group Policy
Step 5. Configure Access List Bypass for VPN Connections
Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections
Step 7. Configure NAT Exemption for AnyConnect Clients
Step 8. Add Users to the Local Database
VPN Connection Flow Summary
At client connection time, Group Policy settings take precedence over Connection Profile settings. If the Connection Profile has a setting and the Group Policy is set to "inherit", then the Connection Profile setting is used.
ANYCONNECT CLIENT Connection
• Connection Profile (called tunnel group at the CLI) = SSLClientProfile
• Uses Group Policy = GroupPolicy1
• Alias = SSLClient
IPSEC CLIENT Connection
• Connection Profile (called tunnel group at the CLI) = IPSecVPN
• Uses Group Policy = IPSecClient
• IPSec Client settings: Groupname = IPSecVPN, pre-shared key = cisco123
WEBVPN - BROWSER CLIENT Connection
• Connection Profile, Clientless SSL VPN Access (tunnel group at the CLI) = WebVPN
• Uses Group Policy = WebGroup
• Alias = WebVPN
AnyConnect Client Connection Config
ANYCONNECT CLIENT Connection Profile: SSLClientProfile
• Alias = SSLClient
• Authentication type = (local, AAA, Certs)
• Uses Group Policy = GroupPolicy1
• Connection Profile lock = SSL Client Profile
• SSL VPN Client tunnelling protocol ONLY
• Address pool = ECRU-1, 10.199.0.1 – 10.199.7.254
• DNS = 18.104.22.168
• Default Domain = gtei.net
• Split tunnel options = Default = tunnel all networks
Test user: User1, pw = cisco123
• Locked to the SSL Client profile
• Uses GroupPolicy1
ASA 5500 version 8.0 VPN Clientless Access
• Precise, granular access control to specific resources
• Enhanced portal design
• Localizable
• RSS feeds
• Personal bookmarks
• AnyConnect Client access
• Drag-and-drop file access and webified file transport
• Transformation enhancements including Flash support
• Head-end deployed applets for Telnet, SSH, RDP, and VNC; the framework supports additional plug-ins
• Advanced port-forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC
Enhanced Remote Access Security
• Enhanced authorization using policies and group information
• Extended use of credentials
• Always up to date via automatic updating (no admin)
• Virtual keyboard option
• SAML Single Sign-On (SSO) verified with RSA Access Manager (was ClearTrust)
• Group/User-to-VLAN mapping support
• Start Before Login for Vista
Tunneling Protocol Comparison Cisco SSL VPN Client
AnyConnect VPN Client Installation: Dynamic or Manual Installation
• The ASA downloads the client to the user based on group policy.
• The ASA can automatically download the client, or prompt the remote user to download it.
• Client packages are provided for manual install or distribution via a desktop management system.
AnyConnect VPN Client: Local LAN Access (Split Tunnel Variant)
To verify the split tunnel configuration from the remote PC, open the AnyConnect VPN icon in the task tray, then select: Statistics > Details > Route Details
In this example, only traffic to the local PC LAN (192.168.100.0/24) is sent in the clear (no VPN). All other traffic is sent encrypted over the VPN to the ASA.
AnyConnect VPN Client: Datagram Transport Layer Security (DTLS)
Defined in RFC 4347; implemented as part of the standard OpenSSL package.
• Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels
  • TLS is used to tunnel TCP/IP over TCP/443
  • TCP requires retransmission of lost packets
  • Both the application and TLS wind up retransmitting when packet loss is detected
• DTLS solves the TCP-over-TCP problem
  • DTLS replaces the underlying transport TCP/443 with UDP/443
  • DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange)
  • Only datagrams are transmitted over DTLS
• Other benefits
  • Low latency for real-time applications
  • DTLS is enabled by default and dynamically negotiated at connect time
  • DTLS is optional and will automatically fall back to TLS (HTTPS)
For End-Users, Seamless Access Anywhere
Personalized application and resource access
• Personalized homepage
  • Localizable, RSS feeds, personal bookmarks, etc.
• Delivers web-based and traditional applications
  • Sophisticated web and other applications delivered seamlessly to the browser
  • SAML Single Sign-On (SSO), verified with RSA Access Manager
• Intuitive user experience
  • Drag-and-drop file access and webified file transport
• Delivers key applications beyond the browser
  • Smart Tunnels deliver more applications without admin privileges
For End-Users, Seamless Access Anywhere
Enhanced clientless interface, highly customizable:
• Customizable banner message
• Customizable banner graphic
• Customizable access methods
• Customizable links and network resource access
• Customizable colors and sections
Clientless WebVPN: Personal Bookmarks
• Specify the personal storage location under Group Policy
• Users can add/delete personal bookmarks that persist between WebVPN sessions
Clientless WebVPN: Browsing Networks
Clientless file access for CIFS and FTP:
• Click the icon from the web portal to browse networks, OR
• Click the Browse Entire Network link under the Browse Networks application
Clientless WebVPN: Java Client/Server Plugins, Details
• When a resource link is clicked, a dynamic page is generated that hosts the Java applet(s).
• The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.
• The Java applet(s) are transparently cached in the ASA cache.
Clientless WebVPN Plugins: RDP, VNC, Sametime, SSH, Telnet, POST
• Remote Desktop plugin for Windows Terminal Services: native Windows support using ActiveX, or the ProperRDP client using Java
• Virtual Network Computing (VNC) remote server access based on TightVNC
• SSH/Telnet: combined open source plugin provides either SSHv1 or Telnet access to manage devices and servers
• Lotus Sametime: secure instant messaging application from IBM
• POST plugin: provides a portal homepage with optional SSO
Clientless WebVPN Plugins: Citrix Plugin
• Link directly to Citrix applications from the portal
• The plugin supports all Citrix Java client parameters/features
• The ASA optimizes performance by downloading components as needed
• Verify that your Citrix EULA grants rights and permissions to deploy the client
Clientless WebVPN: Native Citrix Support (No Plugin)
• The ASA automatically intercepts web traffic with content type ICA from the Web Presentation Server and modifies the returned ICA file to the client to ensure the ASA proxies the session.
• The Java or ActiveX ICA client is also pushed down to the client if a standalone client is not running on the endpoint.
Clientless WebVPN General Configuration Overview
• Import web content (optional)
• Define bookmarks and assign them to Group Policies
• Customize login/logout and portal pages and assign them to Connection Profiles and Group Policies, respectively (optional)
• Import plugins and apply them to bookmarks (optional)
• Define Smart Tunnels and enable them in bookmarks or Group Policies (optional)
• Review and tune User/Group Policies as required
• Apply Cisco Secure Desktop, Endpoint Assessment, DAP, and enforcement policies (covered in later training sessions)
Secure Session (aka Secure Desktop or Vault): Overview
• Encrypts data and files associated with or downloaded during the remote session into a secure desktop partition
• Provides a task-tray icon to signify a safe environment for the remote user to work in
• Upon session termination, uses the U.S. Department of Defense (DoD) sanitization algorithm to remove the partition
• Typically used during clientless SSL VPN sessions; attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or an abrupt termination occurs
• Runs on Microsoft Windows Vista, Windows XP, and Windows 2000
• If the Prelogin policy is configured to install Secure Session but the remote OS does not support Secure Session, a Cache Cleaner install is attempted instead
Policy Objects
• Connection Profile / Tunnel Group
  • Pre-login attributes (including AAA, login page for Clientless, certificate handling)
• Group Policy (Internal and External)
  • Post-login attributes (including portal page, bookmarks, access policies)
• User Policy (Internal and External)
  • User-specific attributes
• Dynamic Access Policy
  • Dynamically created policies based on multiple inputs (location, directory attributes, PC attributes)
• Internal versus External
  • Internal attributes: locally defined on the ASA
  • External attributes: returned as values from queries to external servers (for example, RADIUS and LDAP)
User Attribute Primer
Attribute precedence, from highest to lowest (start here):
1. DAP Attributes
2. User Attributes
3. Group Policy Attributes (the user's assigned Group Policy)
4. Group Policy Attributes (the Connection Profile / Tunnel Group's Group Policy)
5. DfltGrpPolicy Attributes (System Default Group Policy)
Note: Individual attributes may not be collected in sequence, but the resulting policy will always be a compilation based on the above prioritization.
Data Collection and Policy Assignment Flow
Pre-Login: SSL VPN user, initial SSL connection, Connection Profile selected, user login
• Connection Profile selection inputs: Connection Type, DefaultWEBVPNGroup, Conn/Group URL (auto), Group Drop-Down List, Certificate-based (auto)
• Cisco Secure Desktop (CSD) pre-login scan: Basic Host Scan, Extended Host Scan, Custom Checks; the scan results feed the Pre-login Policy (Location) assignment, whose inputs are DAP, Pre-Login Policy, Scan Results, and OS Details
Post-Login: User/Group Policy selected, User Policy applied
• Inputs: DAP, User Attributes, Group Attributes
The resultant policy is a collection of multiple data points and attributes, not necessarily collected in order, that are compiled based on the policy inheritance and prioritization hierarchy.
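An added configuration fragment (not from the slide deck) that makes the inheritance rules of the VPN Connection Flow Summary and the User Attribute Primer concrete at the ASA 8.0 CLI: a Connection Profile setting, the same attribute set in the Group Policy, and a user-level override, with the resulting policy for User1 worked out in the trailing comments. DAP, which ranks above all of these, is not shown; the pool POOL-PROFILE and its subnet are assumed for the illustration.

```cisco
! DfltGrpPolicy: the system default, consulted only when nothing above it sets a value
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ipsec webvpn
!
! Two address pools; POOL-PROFILE (assumed) exists only to show the precedence rule
ip local pool POOL-PROFILE 10.199.8.1-10.199.8.254 mask 255.255.255.0
ip local pool ECRU-1 10.199.0.1-10.199.7.254 mask 255.255.248.0
!
! Connection Profile (tunnel group) setting: used only if the group policy inherits
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool POOL-PROFILE
 default-group-policy GroupPolicy1
!
! Group Policy: overrides the connection profile for the attributes it sets;
! anything not set here (for example vpn-idle-timeout) is inherited from DfltGrpPolicy
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol svc
 address-pools value ECRU-1
!
! User attributes: the highest static level (only DAP ranks above them)
username User1 password cisco123
username User1 attributes
 vpn-group-policy GroupPolicy1
 vpn-idle-timeout 10
!
! Resulting policy for User1 connecting through SSLClientProfile:
!  address pool    = ECRU-1  (GroupPolicy1 address-pools beats the tunnel-group address-pool)
!  tunnel protocol = svc     (GroupPolicy1 beats DfltGrpPolicy)
!  idle timeout    = 10 min  (User1 beats GroupPolicy1, which inherited 30 from DfltGrpPolicy)
```

Removing `address-pools value ECRU-1` from GroupPolicy1 puts that attribute back to "inherit", and the connection profile's POOL-PROFILE is used instead, which is the fallback the flow summary describes.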
ASA VPN Load Balancing
Load balancing is supported on remote sessions initiated with the following:
• Cisco AnyConnect VPN Client (Release 2.0 and later)
• Cisco VPN Client (Release 3.0 and later)
• Cisco VPN 3002 Hardware Client (Release 3.5 or later)
• Cisco PIX 501/506E when acting as an Easy VPN client
Load balancing works with both IPSec clients and WebVPN sessions. All other clients, including LAN-to-LAN connections, can connect to a security appliance on which load balancing is enabled, but they cannot participate in load balancing.
You can configure the number of IPSec and WebVPN sessions to allow, up to the maximum allowed by your configuration and license. With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in determining the load that each device in the cluster carries.
If using certificates, you must enable redirection using a fully-qualified domain name in vpn load-balancing mode. Use the command “redirect-fqdn enable” in global configuration mode. This is disabled by default.
http://www.cisco.com/en/US/partner/docs/security/asa/asa81/config/guide/vpnsysop.html
Cisco ASA 5500 WebVPN/SSL VPN
WebVPN-SSLVPN License Options: 25, 100, 250, 500, 1000, 2500, 5000, 10000
Additional End Point Assessment License includes:
• Cisco Secure Desktop: for running secure applications on an insecure device
• End Point Assessment (NAC Lite): to verify the posture of the device, enabling the ASA to assign the client to a specific group with specific access rights
• Mobile VPN Client Support (ASA-MOBILE-VPN)
• Phone Proxy: encrypted call setup and firewalling
VPN Security Challenges
Endpoints: Extranet Machine (Supply Partner), Unmanaged Machine (Employee at Home), Customer Managed Machine (Remote User)
Before SSL VPN Session
• Who owns the endpoint?
• Endpoint security posture: AV, personal firewall?
• Is malware running?
During SSL VPN Session
• Is session data protected?
• Are typed passwords protected?
• Has malware launched?
After SSL VPN Session
• Browser cached intranet web pages?
• Browser stored passwords?
• Downloaded files left behind?
New in 8.0! Comprehensive EndPoint Security
• Cisco Secure Desktop (CSD) now supports hundreds of pre-defined products, updated frequently
• Anti-virus, anti-spyware, personal firewall, and more
• Administrators can define custom checks including running processes
• CSD posture policy presented visually to simplify configuration and troubleshooting
Cisco ASA 5500 Series Platforms and Modules Wide Range of Leading Solutions for Customers of All Sizes
Cisco ASA 5500 Series High-End Lineup: Data Center Solutions
Cisco ASA 5540 (Target Market: Campus Segmentation)
• List Price: Starting at $16,995
• Performance: Max Firewall (Real-world HTTP): -; Max Firewall (1400 byte): 650 Mbps; Max Firewall (Jumbo frames): -; Max IPSec VPN: 325 Mbps; Max IPSec/SSL VPN Peers: 5000 / 2500
• Platform Capabilities: Max Firewall Conns: 400,000; Max Conns/Second: 25,000; Packets/Second (64 byte): 500,000; Base I/O: 4 GE + 1 FE; Max I/O: 8 GE + 1 FE; VLANs Supported: 200; HA Supported: A/A and A/S
Cisco ASA 5550 (Target Market: Campus Segmentation / Data Center)
• List Price: Starting at $19,995
• Performance: Max Firewall (Real-world HTTP): -; Max Firewall (1400 byte): 1.2 Gbps; Max Firewall (Jumbo frames): -; Max IPSec VPN: 425 Mbps; Max IPSec/SSL VPN Peers: 5000 / 5000
• Platform Capabilities: Max Firewall Conns: 650,000; Max Conns/Second: 36,000; Packets/Second (64 byte): 600,000; Base I/O: 8 GE + 1 FE; Max I/O: 8 GE + 1 FE; VLANs Supported: 250; HA Supported: A/A and A/S
Cisco ASA 5580-20, New (Target Market: Internet Edge)
• List Price: Starting at $59,995 with 8GE
• Performance: Max Firewall (Real-world HTTP): 5 Gbps; Max Firewall (1400 byte): 6.5 Gbps; Max Firewall (Jumbo frames): 10 Gbps; Max IPSec VPN: 1 Gbps; Max IPSec/SSL VPN Peers: 10,000 / 10,000
• Platform Capabilities: Max Firewall Conns: 1,000,000; Max Conns/Second: 90,000; Packets/Second (64 byte): 2,750,000; Base I/O: 2 Mgmt; Max I/O: 24 GE / 12 10GE; VLANs Supported: 250; HA Supported: A/A and A/S
Cisco ASA 5580-40, New (Target Market: Data Center)
• List Price: Starting at $109,995 with 8GE
• Performance: Max Firewall (Real-world HTTP): 10 Gbps; Max Firewall (1400 byte): 14 Gbps; Max Firewall (Jumbo frames): 20 Gbps; Max IPSec VPN: 1 Gbps; Max IPSec/SSL VPN Peers: 10,000 / 10,000
• Platform Capabilities: Max Firewall Conns: 2,000,000; Max Conns/Second: 150,000; Packets/Second (64 byte): 5,500,000; Base I/O: 2 Mgmt; Max I/O: 24 GE / 12 10GE; VLANs Supported: 250; HA Supported: A/A and A/S
Cisco ASA 5500 Series Product Lineup
Cisco ASA 5505 (Target Market: Teleworker / Branch Office / SMB)
• List Price: Starting at $595
• Performance: Max Firewall: 150 Mbps; Max Firewall + IPS: 45 Mbps; Max IPSec VPN: 100 Mbps; Max IPSec/SSL VPN Peers: 25/25
• Platform Capabilities: Max Firewall Conns: 10,000/25,000; Max Conns/Second: 3,000; Packets/Second (64 byte): 85,000; Base I/O: 8-port FE switch; VLANs Supported: 3/20 (trunk); HA Supported: Stateless A/S (Sec Plus)
Cisco ASA 5510 (Target Market: SMB and SME)
• List Price: Starting at $3,495
• Performance: Max Firewall: 300 Mbps; Max Firewall + IPS: 150/300 Mbps; Max IPSec VPN: 170 Mbps; Max IPSec/SSL VPN Peers: 250/250
• Platform Capabilities: Max Firewall Conns: 50,000/130,000; Max Conns/Second: 6,000; Packets/Second (64 byte): 190,000; Base I/O: 5 FE; VLANs Supported: 50/100; HA Supported: A/A and A/S (Sec Plus)
Cisco ASA 5520 (Target Market: Medium Enterprise)
• List Price: Starting at $7,995
• Performance: Max Firewall: 450 Mbps; Max Firewall + IPS: 350/450 Mbps; Max IPSec VPN: 225 Mbps; Max IPSec/SSL VPN Peers: 750/500
• Platform Capabilities: Max Firewall Conns: 280,000; Max Conns/Second: 9,000; Packets/Second (64 byte): 320,000; Base I/O: 4 GE + 1 FE; VLANs Supported: 150; HA Supported: A/A and A/S
Cisco ASA 5540 (Target Market: Large Enterprise)
• List Price: Starting at $16,995
• Performance: Max Firewall: 650 Mbps; Max Firewall + IPS: 650 Mbps; Max IPSec VPN: 325 Mbps; Max IPSec/SSL VPN Peers: 5000/2500
• Platform Capabilities: Max Firewall Conns: 400,000; Max Conns/Second: 20,000; Packets/Second (64 byte): 500,000; Base I/O: 4 GE + 1 FE; VLANs Supported: 200; HA Supported: A/A and A/S
Cisco ASA 5550 (Target Market: Enterprise)
• List Price: Starting at $19,995
• Performance: Max Firewall: 1.2 Gbps; Max Firewall + IPS: N/A; Max IPSec VPN: 425 Mbps; Max IPSec/SSL VPN Peers: 5000/5000
• Platform Capabilities: Max Firewall Conns: 650,000; Max Conns/Second: 28,000; Packets/Second (64 byte): 600,000; Base I/O: 8 GE + 1 FE; VLANs Supported: 250; HA Supported: A/A and A/S
Wide Range of Management Solutions: Scalable, Cost-Optimized Options for Businesses
Integrated Remote Management Capabilities Within ASA
• Configuration: Auto Update, SSH, Telnet, XML/HTTPS, and ASDM
• Real-time monitoring: Syslog, SNMP, HTTPS, and ASDM
• Software updates: Auto Update, SCP, HTTP, HTTPS, and TFTP
Cisco Security Manager (CS-Manager)
• Scalable management solution for a wide range of Cisco security solutions including routers, switches, blades, and appliances
• Delivers centralized management of firewall, VPN, IPS/IDS, networking, and other services via a flexible user interface
• Supports device grouping for simplified policy maintenance
• Provides role-based admin access and workflow capabilities
• Available on Windows (Linux version coming)
Cisco Monitoring and Response Solution (CS-MARS)
• Family of high-performance appliances designed to provide automated analysis of security event information to help identify, manage, and counter attacks
• Supports receiving events from a wide range of Cisco and third-party solutions, and also analyzes NetFlow for additional intelligence
• Offers event correlation, visualization, a rules engine, and reporting
Cisco ASA Adaptive Security Appliances: Industry Certifications and Evaluations
• Common Criteria
  • Completed: EAL4, v7.0.6, ASA 5510/20/40 (FW)
  • Completed: EAL2, v6.0, ASA SSM-10/20 (IPS)
  • In process: EAL4+, v7.2.2, ASA Family (FW)
  • In process: EAL4, v7.2.2, ASA Family (VPN)
• FIPS 140
  • Completed: Level 2, v7.0.4, ASA Family
  • Completed: Level 2, v7.2.2
  • In process: Level 2, v8.0.2
• ICSA Firewall 4.1, Corporate Category
  • Completed: v7.2.2, ASA Family
• ICSA IPSec 1.0D
  • Completed: v7.0.4, ASA Family
• ICSA Anti-Virus Gateway
  • Completed: v7.1, ASA Family
• NEBS Level 3
  • Completed: ASA 5510, 5520, and 5540