Asa sslvpn security

ASA Remote Access VPN
Technologies:
SSLVPN
WebVPN
IPSecVPN

http://www.cisco.com/go/security
http://www.cisco.com/security

Tim Ryan – tiryan@cisco.com
Security Consulting SE
CCIE, CISSP

Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1

Cisco ASA 5500 Series
Convergence of Robust, Market-Proven Technologies
Market-Proven Adaptive Threat Defense,
Technologies Secure Connectivity

Firewall App Inspection, Use
Technology Enforcement, Web
Cisco PIX Control
Application Security
IPS Technology Malware/Content
Cisco IPS Defense,
Anomaly Detection
IPS & Content Security
Services
Content Security
Trend Micro
Traffic/Admission
Control,
Proactive Response
VPN Technology Network Containment
Cisco VPN 3000 and Control

Secure Connectivity
Network Intelligence IPSec & SSL VPN
Cisco Network
Services

Cisco ASA 5500 Series: Threat Protected VPN Services
Leveraging On-Board Security to Protect the VPN Threat Vector

Application Firewall and Access Control Threat Mitigation
Application Inspection/Control Incident Control Virus
Granular, Per-User/Group Access Control Detection
Protocol Anomaly Detection Worm Mitigation
Stateful Traffic Filtering Spyware Detection
Remote Access
VPN User Worm/
Virus Spyware Exploit

Unwanted Illegal ASA 5500
Application Access

Comprehensive Endpoint Security Accurate Enforcement
Pre-Connection Posture Assessment Real-Time Correlation
Malware Mitigation Risk Rating
Session/Data Security Attack Drop
Post-Session Clean-Up Session Removal and Resets

Leverages Depth of Threat Defense Features to Stop Malicious Worms,
Viruses, and More…and Without External Devices or Performance Loss!

VPN Technologies for Remote Clients
Encrypted Connection Protocols:
SSL tunnel uses the SSL protocol with RC4 or AES to
encrypt data
IPSec tunnel uses the IPSec protocol with DES, 3DES or
AES to encrypt data

Encrypted Client options supported by the ASA
AnyConnect VPN Client is an SSL based VPN client that is
installed on a desktop and can tunnel any traffic (aka SVC)
WEB VPN (aka Clientless VPN) uses the browser as the
Client with the ASA acting as a proxy. It can tunnel http,https
traffic and a limited number of other supported protocols
such as CIFS, OWA, RDP, VNC, SSH, Telnet via plugins
Cisco VPN Client is an IPSec client that can tunnel any
traffic except for multicast.


ASA VPN Configuration
The AnyConnect Configuration document at the url below is an excellent starting
place for any ASA VPN configuration.
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_ex
ample09186a00808efbd2.shtml

Configure
Step 1. Configure a Self-Issued Certificate
Step 2. Upload and Identify the SSL VPN Client Image
Step 3. Enable Anyconnect Access
Step 4. Create a new Group Policy
Configure Access List Bypass for VPN Connections
Step 6. Create a Connection Profile and Tunnel Group
for the AnyConnect Client Connections
Step 7. Configure NAT Exemption for AnyConnect
Clients
Step 8. Add Users to the Local Database


VPN Connection Flow Summary
During Client connection time Group Policy settings takes precedence over
Connection Profile settings.
If Connection Profile has a setting and Group Policy is set to "inherit" then
Connection Profile settings are used.

ANYCONNECT CLIENT Connection
Connection Profile (called tunnel group at CLI) = SSLClientProfile
Uses Group Policy = GroupPolicy1
Alias = SSLClient
IPSEC CLIENT Connection
Connection Profile (called tunnel group at CLI) = IPSecVPN
Uses Group Policy = IPSecClient
IPSec Client settings: Groupname=IPSecVPN , pre-shared
key=cisco123
WEBVPN - BROWSER CLIENT Connection
Connection Profile Clientless SSL VPN Access (tunnel group inCLI) = WebVPN
Uses Group Policy = WebGroup
Alias = WebVPN


AnyConnect Client Connection Config

ANYCONNECT CLIENT Connection Profile
SSLClientProfile
Alias = SSLClient
Authentication type = (local, AAA, Certs)
Uses Group Policy = GroupPolicy1
Connection Profile lock = SSL Client Profile
SSL VPN Client tunnelling protocol ONLY
Address pool = ECRU-1
10.199.0.1 – 10.199.7.254
DNS = 4.2.2.2
Default Domain = gtei.net
Split tunnel options = Default =
tunnel all networks
Test user: User1 pw=cisco123
Locked to SSL Client profile
Uses Group Policy1


Client-Based
SSL VPN
(AnyConnect/
SSL VPN Client)


ASA 5500 version 8.0 VPN Clientless Access
 Precise, granular access control to
specific resources
 Enhanced Portal Design
Localizable
RSS feeds
Personal bookmarks
AnyConnect Client access
 Drag and Drop file access and webified
file transport
 Transformation enhancements including
Flash support
 Head-end deployed applets for telnet,
SSH, RDP, and VNC, framework supports
add’l plug-ins
 Advanced port-forwarder for Windows
(Smart Tunnel) accesses TCP
applications without admin privileges on
Client PC


Enhanced Remote Access Security
 Enhanced authorization using
policies and group information
 Extended use of credentials
 Always up to date via
automatic updating (no admin)
 Virtual keyboard option
 SAML Single Sign-On (SSO)
verified with RSA Access
Manager (was ClearTrust)
 Group/User-to-VLAN mapping
support
 Start before Login for Vista

Current Snapshot of VPN Client Offerings
Cisco SSL VPN Cisco AnyConnect
Cisco VPN Client
Client VPN Client
DTLS, SSL
Protocol IPsec SSL (HTTPS)
(HTTPS) - Auto

Approximate size 10 MB 400 KB 1.7 MB

auto download auto download
Initial install distribute
distribute distribute
Initial installation
Initial installation only
only
Admin rights required yes (Stub installer
(MSI available –
available)
Windows)
2K/XP/Vista (32 &
2K/XP/Vista 32-bit,
64-bit), Linux, Mac
OS Support Linux, Mac OS X, 2000/XP
OS X, Win 2008
Solaris UltraSparc
Server, Mobile 5/6

Rebootless Installs No Yes Yes

Head End ASA/PIX/3K/IOS ASA/3K/IOS ASA/IOS

Tunneling Protocol Comparison
Cisco SSL VPN Client
HTTPS/SSL DTLS/SSL IPsec / IKEv1
Locked down FW via TCP
Yes No
Compatible tunneling
Proxy server
Yes No No
Compatible
High performance
No Yes Yes
transport

Protocol Fallback N/A HTTPS/SSL (TCP)
QoS Friendly (DSCP
No Possible Yes
Preservation)
No
Mobility Friendly Yes Yes (IKEv2/Mobile
IKE)
ESP, UDP, Fake
Transport TCP UDP
TCP
Perceived Customer
$$$ $$$ $
Value ($$s)


AnyConnect VPN Client Installation
Dynamic or Manual Installation

 ASA downloads
client to user based
on group policy.
 ASA can
automatically
download client, or
prompt remote user
to download.
 Client packages
provided for manual
install or distribution
via desktop
management
system


AnyConnect VPN Client
Local LAN Access (Split Tunnel Variant)

To verify split tunnel configuration from remote PC,
open AnyConnect VPN icon in task tray, then select:
Statistics > Details > Route Details

In this example,
only traffic to the
Local PC LAN Text
(192.168.100.0/24) All other traffic is
is sent in clear (no sent encrypted
VPN). over VPN to
ASA.


Defined in
AnyConnect VPN Client RFC 4347
Datagram Transport Layer Security (DTLS) Implemented as part of
the standard OpenSSL
package
Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels
TLS is used to tunnel TCP/IP over TCP/443
TCP requires retransmission of lost packets
Both application and TLS wind up retransmitting when packet loss is
detected.
DTLS solves the TCP over TCP problem
DTLS replaces underlying transport TCP/443 with UDP/443
DTLS uses TLS to negotiate and establish DTLS connection (control
messages and key exchange)
Datagrams only are transmitted over DTLS
Other benefits
Low latency for real time applications
DTLS is enabled by default; dynamically negotiated at connect time.
DTLS is optional and will automatically fallback to TLS (HTTPS)

Clientless
WebVPN
Features


For End-Users, Seamless Access Anywhere
Personalized application and resource access
 Personalized homepage
Localizable, RSS feeds, personal
bookmarks, etc.
 Delivers web-based and traditional
applications
Sophisticated web and other
applications delivered seamlessly
to the browser
SAML Single Sign-On (SSO) –
verified with RSA Access
Manager
 Intuitive user experience
Drag and Drop file access and
webified file transport
 Delivers key applications beyond
the browser
Smart Tunnels deliver more
applications without admin
privileges


For End-Users, Seamless Access Anywhere
Enhanced clientless interface, highly customizable

Customizable Customizable
Banner Graphic Banner Message

Customizable
Access Methods

Customizable Links, Customizable
Network Resource Colors and Sections
Access


Clientless WebVPN
Personal Bookmarks
 Specify personal
storage location
under Group
Policy

 User can add/delete
personal bookmarks
that are persistent
between WebVPN
sessions.


Clientless WebVPN Browsing Networks
Clientless File Access for CIFS and FTP
 Click icon from web portal to browse networks

OR

 Click Browse Entire
Network link under
Browse Networks
application


Clientless WebVPN
Java Client/Server Plugins - Details
 When clicking on a resource link, a dynamic page is generated
that hosts the Java applet(s).
 The Java applet(s) are rewritten, re-signed, and automatically
wrapped with Cisco’s helper agent.
 The Java applet(s) are transparently cached in the ASA cache.


Clientless WebVPN Plugins
RDP, VNC, Sametime, SSH, Telnet, Post
 Remote Desktop Plugin for Windows Terminal Services
Native Windows support using ActiveX or ProperRDP client using Java
 Virtual Network Computing (VNC) remote server access based on
TightVNC
 SSH/Telnet – Combined open source plugin provides either SSHv1 or
Telnet access to manage devices and servers
 Lotus Sametime – Secure instant messaging application from IBM
 POST plugin – Provides Portal Homepage with optional SSO


Clientless WebVPN Plugins
Citrix Plugin
 Link directly to Citrix applications from portal
 Plugin supports all Citrix Java client parameters/features.
 ASA optimizes performance by downloading components as needed.
 Verify your Citrix EULA grants rights and permissions to deploy the client


Clientless WebVPN
Native Citrix Support (No Plugin)
 ASA automatically intercepts web traffic with content type ICA from Web
Presentation Server and modifies return ICA file to client to ensure ASA
proxies session.
 Java or ActiveX ICA Client is also pushed down to client if not running
standalone client on endpoint.


Clientless WebVPN
Smart Tunnels

 Smart Tunnels are application-level port forwarding
 It is a connection between a Winsock 2, TCP-based application and the private site,
using a clientless (browser-based) SSL VPN session.
 You can specify client applications which you want to grant Smart Tunnel access including
Telnet, SSH, RDP, VNC, Passive FTP, Outlook Express, Lotus Notes, Sametime, Citrix
Program Neighborhood client, and Outlook via POP/SMTP/IMAP.
 SSL VPN loads a stub into each process spawned by an authorized application, and
intercepts socket calls to redirect via ASA.
 This can be used where other methods such as AnyConnect or Port Forwarding cannot
be used.
 A browser with Active-X, Java or JavaScript support is required on 32-bit OS’s only, such
as Windows XP & 2K


Clientless WebVPN
General Configuration Overview

1. Import Web Content (Optional)
2. Define Bookmarks and assign to Group Policies
3. Customize Login/Logout and Portal Pages and assign
to Connection Profiles and Group Policies, respectively
(Optional)
4. Import plugins and apply to bookmarks (Optional)
5. Define Smart Tunnels and enable in bookmarks or
Group Policies (Optional)
6. Review and tune User/Group Policies as required.
7. Apply Cisco Secure Desktop, Endpoint Assessment,
DAP, and enforcement policies (covered in later
training sessions

Secure Session (aka Secure Desktop or Vault)
Overview

 Encrypts data and files associated with or downloaded during remote session
into a secure desktop partition

 Provides tasktray icon to signify a safe environment for remote user to
work in.

 Upon session termination, uses U.S. Department of Defense (DoD) sanitation
algorithm to remove the partition.

 Typically used during clientless SSL VPN sessions--attempts to reduce the
possibility that cookies, browser history, temporary files, and downloaded
content remain after a remote user logs out, the session times out, or after an
abrupt termination occurs.

 Runs over Microsoft Windows Vista, Windows XP, and Windows 2000.

 If Prelogin policy is configured to install Secure Session, but remote OS does
not support Secure Session, then Cache Cleaner install attempted instead.


Cisco Secure Desktop
Login Page (After Scan)


Policy Inheritance
Overview


Policy Objects
 Connection Profile / Tunnel Group
 Pre-login attributes (inc. AAA, login page for Clientless, cert handling)
 Group Policy (Internal and External)
 Post-login attributes (inc. portal page, bookmarks, access policies)
 User Policy (Internal and External)
 User-specific attributes
 Dynamic Access Policy
 Dynamically created policies based on multiple inputs (Location,
Directory attributes, PC attributes)

 Internal versus External
 Internal attributes – locally defined on ASA
 External attributes – returned as values from queries to external servers
(for example, RADIUS and LDAP)

User Attribute Primer
Start Here DAP Attributes

User Attributes

Group Policy Attributes

User Connection Profile/ Group Policy Attributes
Tunnel Group

DfltGrpPolicy Attributes
(System Default Group Policy)

Note: Individual Attributes may not be collected in sequence, but
resulting policy will always be a compilation based on above prioritization

Data Collection and Policy Assignment Flow
Connection Profile Selected

User User/Group
Connect/Login Policy Selected
• DefaultWEBVPNGroup DAP
• Conn/Group URL (auto) • User Attributes
Initial SSL • Group Drop-Down List • Group Attributes
Connection • Certificate-based (auto) • Connection Type
User login

Pre- Post- User
Login Login Policy

SSL VPN Basic Host Scan
User Extended Host Scan DAP
Custom Checks • Pre-Login Policy
CSD Pre-Login Scan • Scan Results
Cisco • OS Details
Secure Scan Results
Desktop
Resultant Policy is a collection of multiple data
Pre-login Policy
points and attributes, not necessarily collected in
(Location) Assigned
order, that are compiled based on policy
inheritance and prioritization hierarchy.

ASA VPN Load Balancing
Load balancing is supported on remote sessions initiated with the following:
• Cisco AnyConnect VPN Client (Release 2.0 and later)
• Cisco VPN Client (Release 3.0 and later)
• Cisco VPN 3002 Hardware Client (Release 3.5 or later)
• Cisco PIX 501/506E when acting as an Easy VPN client.

Load balancing works with both IPSec clients and WebVPN sessions. All
other clients, including LAN-to-LAN connections, can connect to a security
appliance on which load balancing is enabled, but they cannot participate in
load balancing.

You can configure the number of IPSec and WebVPN sessions to allow, up
to the maximum allowed by your configuration and license.
With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in
determining the load that each device in the cluster carries.

If using Certificates you must enable redirection using a fully-qualified
domain name in vpn load-balancing mode.
Use the command “redirect-fqdn enable” in global configuration mode.
This is disabled by default.
http://www.cisco.com/en/US/partner/docs/security/asa/asa81/config/gui
de/vpnsysop.html
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. 53
Cisco Confidential

Cisco ASA 5500 WebVPN/SSL VPN

WebVPN-SSLVPN License Options:
25,100,250,500,1000,2500,5000,10000

Additional End Point Assessment License includes:
Cisco Secure Desktop - For running Secure Applications on an In-Secure Device
End point Assessment – (NAC Lite)To verify posture of device, enabling ASA to
assign client to a specific group with specific access rights.
Mobile VPN Client Support (ASA-MOBILE-VPN)
Presentation_ID
Phone Cisco Systems, Inc. All rights reserved. Cisco Confidential
© 2006
Proxy – Encrypted Call setup and Firewalling 54

VPN Security Challenges
Extranet Machine
Supply Partner

Unmanaged Machine
Employee at Home

During SSL VPN
Remote User Session
Customer
Managed Machine  Is session data
Before SSL VPN protected? After SSL VPN
Session  Are typed passwords Session
 Who owns the protected?  Browser cached
endpoint? intranet web pages?
 Has malware
 Endpoint security launched?  Browser stored
posture: AV,
personal firewall? passwords?
 Is malware running?  Downloaded files
Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
left behind? 55

Comprehensive EndPoint Security
 Cisco Secure Desktop (CSD)
now supports hundreds of
pre-defined products,
New
updated frequently in 8.0!

Anti-virus, anti-spyware,
personal firewall, and more
 Administrators can define
custom checks including
running processes
 CSD posture policy
presented visually to simplify
configuration and
troubleshooting

Cisco ASA 5500
Series Platforms and
Modules

Wide Range of Leading Solutions for Customers of All Sizes


Cisco ASA 5500 Series High-End Lineup
Data Center Solutions
New New
Cisco Cisco Cisco Cisco
ASA 5540 ASA 5550 ASA 5580-20 ASA 5580-40

Internet Campus
Target Market Campus Data Center
Edge Segmentation
Segmentation
/ Data Center

Starting at Starting at Starting at Starting at
List Price $16,995 $19,995 $59,995 $109,995
with-8GE With 8GE

Performance
Max Firewall (Real-world HTTP) - - 5 Gbps 10 Gbps
Max Firewall (1400 byte) 650 Mbps 1.2 Gbps 6.5 Gbps 14 Gbps
Max Firewall (Jumbo frames) - - 10 Gbps 20 Gbps
Max IPSec VPN 325 Mbps 425 Mbps 1 Gbps 1 Gbps
Max IPSec/SSL VPN Peers 5000 / 2500 5000 / 5000 10,000 / 10,000 10,000 / 10,000

Platform Capabilities
Max Firewall Conns 400,000 650,000 1,000,000 2,000,000
Max Conns/Second 25,000 36,000 90,000 150,000
Packets/Second (64 byte) 500,000 600,000 2,750,000 5,500,000
Base I/O 4 GE + 1 FE 8 GE + 1 FE 2 Mgmt 2 Mgmt
Max I/O 8 GE + 1 FE 8 GE + 1 FE 24 GE / 12 10GE 24 GE / 12 10GE
VLANs Supported 200 250 250 250
HA Supported A/A and A/S A/A and A/S A/A and A/S A/A and A/S

Cisco ASA 5500 Series Product Lineup

Cisco Cisco Cisco Cisco Cisco
ASA 5505 ASA 5510 ASA 5520 ASA 5540 ASA 5550

Teleworker / SMB and Enterprise Medium Large
Target Market
Branch Office / SME Enterprise Enterprise
SMB
Starting at Starting at Starting at Starting at Starting at
List Price
$595 $3,495 $7,995 $16,995 $19,995

Performance
Max Firewall 150 Mbps 300 Mbps 450 Mbps 650 Mbps 1.2 Gbps
Max Firewall + IPS 45Mbps 150/300 350/450 650 Mbps N/A
Max IPSec VPN 100 Mbps 170 Mbps 225 Mbps 325 Mbps 425 Mbps
Max IPSec/SSL VPN Peers 25/25 250/250 750/500 5000/2500 5000/5000

Max Firewall Conns 10,000/25,000 50,000/130,000 280,000 400,000 650,000
Max Conns/Second 3,000 6,000 9,000 20,000 28,000
85,000 190,000 320,000 500,000 600,000
Packets/Second (64 byte)
Base I/O 8-port FE switch 5 FE
VLANs Supported 3/20 (trunk) 50/100 4 GE + 1 FE 4 GE + 1 FE 8 GE + 1 FE
HA Supported Stateless A/S A/A and A/S 150 200 250
(Sec Plus) (Sec Plus) A/A and A/S A/A and A/S A/A and A/S

Wide Range of Management Solutions
Provide Scalable, Cost Optimized Options for Businesses
Integrated Remote Management Capabilities Within ASA

 Configuration: Auto Update, SSH, Telnet, XML/HTTPS, and ASDM
 Real-time monitoring: Syslog, SNMP, HTTPS, and ASDM
 Software updates: Auto Update, SCP, HTTP, HTTPS, and TFTP

Cisco Security Manager (CS-Manager)
 Scalable management solution for wide range of Cisco security solutions
including routers, switches, blades, and appliances
 Delivers centralized management of firewall, VPN, IPS/IDS, networking,
and other services via flexible user interface
 Supports device grouping for simplified policy maintenance
 Provides role-based admin access and workflow capabilities
 Available on Windows (Linux version coming)

Cisco Monitoring and Response Solution (CS-MARS)
 Family of high performance appliances designed to provide
automated analysis of security event information to help identify,
manage, and counter attacks
 Supports getting events from wide range of Cisco and 3 rd party
solutions—and also analyzes NetFlow for additional intelligence
 Offers event correlation, visualization, rules engine, and reporting

Web VPN Client Monitoring


Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations

 Common Criteria
Completed: EAL4, v7.0.6—ASA 5510/20/40 (FW)
New
Completed: EAL2, v6.0—ASA SSM-10/20 (IPS)
In process: EAL4+, v7.2.2—ASA Family (FW)
In process: EAL4, v7.2.2—ASA Family (VPN)
 FIPS 140
Completed: Level 2, v7.0.4—ASA Family
New Completed: Level 2, v7.2.2
In process: Level 2, v8.0.2
 ICSA Firewall 4.1, Corporate Category
Completed: v7.2.2—ASA Family
 ICSA IPSec 1.0D
Completed: v7.0.4—ASA Family
 ICSA Anti-Virus Gateway
Completed: v7.1—ASA Family
 NEBS Level 3
Completed: ASA 5510, 5520, and 5540

Asa sslvpn security

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Asa sslvpn security

Similar a Asa sslvpn security (20)

Asa sslvpn security

Notas del editor