SSL Remote Access VPNs
Jazib Frahim, CCIE No. 5459
Qiang Huang, CCIE No. 4937
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

Contents

Introduction xviii

Chapter 1 Introduction to Remote Access VPN Technologies 3

Remote Access Technologies 5

IPsec 5
Software-Based VPN Clients 7
Hardware-Based VPN Clients 7

SSL VPN 7

L2TP 9

L2TP over IPsec 11

PPTP 13

Summary 14

Chapter 2 SSL VPN Technology 17

Cryptographic Building Blocks of SSL VPNs 17
Hashing and Message Integrity Authentication 17

Hashing 18
Message Authentication Code 18

Encryption 20
RC4 21
DES and 3DES 22
AES 22
Diffie-Hellman 23
RSA and DSA 24

Digital Signatures and Digital Certification 24
Digital Signatures 24
Public Key Infrastructure, Digital Certificates, and Certification 25

SSL and TLS 30
SSL and TLS History 30
SSL Protocols Overview 31

OSI Layer Placement and TCP/IP Protocol Support 31
SSL Record Protocol and Handshake Protocols 33
SSL Connection Setup 34
Application Data 42
Case Study: SSL Connection Setup 43

DTLS 48


SSL VPN 49
Reverse Proxy Technology 50

URL Mangling 52
Content Rewriting 53

Port-Forwarding Technology 55
Terminal Services 58
SSL VPN Tunnel Client 58

Summary 59

References 60

Chapter 3 SSL VPN Design Considerations 63

Not All Resource Access Methods Are Equal 63

User Authentication and Access Privilege Management 65
User Authentication 66
Choice of Authentication Servers 66
AAA Server Scalability and High Availability 67

AAA Server Scalability 67
AAA Server High Availability and Resiliency 68
Resource Access Privilege Management 68

Security Considerations 70
Security Threats 71

Lack of Security on Unmanaged Computers 71
Data Theft 71
Man-in-the-Middle Attacks 72
Web Application Attack 73
Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network 73
Split Tunneling 73
Password Attacks 74

Security Risk Mitigation 74
Strong User Authentication and Password Policy 75
Choose Strong Cryptographic Algorithms 75
Session Timeout and Persistent Sessions 75
Endpoint Security Posture Assessment and Validation 75
VPN Session Data Protection 76
Techniques to Prevent Data Theft 76
Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies 77

Device Placement 78

Platform Options 79


Virtualization 79

High Availability 80

Performance and Scalability 81

Summary 82

References 82

Chapter 4 Cisco SSL VPN Family of Products 85

Overview of Cisco SSL VPN Product Portfolio 85

Cisco ASA 5500 Series 87
SSL VPN History on Cisco ASA 87
SSL VPN Specifications on Cisco ASA 88
SSL VPN Licenses on Cisco ASA 89

Cisco IOS Routers 90
SSL VPN History on Cisco IOS Routers 90
SSL VPN Licenses on Cisco IOS Routers 90

Summary 91

Chapter 5 SSL VPNs on Cisco ASA 93

SSL VPN Design Considerations 93

SSL VPN Prerequisites 95
SSL VPN Licenses 95
Client Operating System and Browser and Software Requirements 96
Infrastructure Requirements 97

Pre-SSL VPN Configuration Guide 97
Enrolling Digital Certificates (Recommended) 98

Step 1: Configuring a Trustpoint 98
Step 2: Obtaining a CA Certificate 99
Step 3: Obtaining an Identity Certificate 100

Setting Up ASDM 101
Uploading ASDM 102
Setting Up the Appliance 103

Accessing ASDM 104
Setting Up Tunnel and Group Policies 106

Configuring Group-Policies 107
Configuring a Tunnel Group 110

Setting Up User Authentication 110

Clientless SSL VPN Configuration Guide 114
Enabling Clientless SSL VPN on an Interface 116

Configuring SSL VPN Portal Customization 117
Logon Page 118
Portal Page 123
Logout Page 125
Portal Customization and User Group 126
Full Customization 129

Configuring Bookmarks 134
Configuring Websites 135
Configuring File Servers 137
Applying a Bookmark List to a Group Policy 139
Single Sign-On 140

Configuring Web-Type ACLs 141
Configuring Application Access 144

Configuring Port Forwarding 144
Configuring Smart Tunnels 147

Configuring Client-Server Plug-Ins 150

AnyConnect VPN Client Configuration Guide 152
Loading the SVC Package 154
Defining AnyConnect VPN Client Attributes 155

Enabling AnyConnect VPN Client Functionality 155
Defining a Pool of Addresses 156
Configuring Traffic Filters 159
Configuring a Tunnel Group 159

Advanced Full Tunnel Features 159
Split Tunneling 159
DNS and WINS Assignment 161
Keeping the SSL VPN Client Installed 162
Configuring DTLS 163

Cisco Secure Desktop 164
CSD Components 165

Secure Desktop Manager 165
Secure Desktop 165
Cache Cleaner 166

CSD Requirements 166
Supported Operating Systems 166
User Privileges 167
Supported Internet Browsers 167
Internet Browser Settings 167

CSD Architecture 168
Configuring CSD 169

Loading the CSD Package 169
Defining Prelogin Sequences 170


Host Scan 182
Host Scan Modules 183

Basic Host Scan 183
Endpoint Assessment 183
Advanced Endpoint Assessment 184

Configuring Host Scan 184
Setting Up Basic Host Scan 184
Enabling Endpoint Host Scan 186
Setting Up an Advanced Endpoint Host Scan 187

Dynamic Access Policies 189
DAP Architecture 190

DAP Records 191
DAP Selection Rules 191
DAP Configuration File 191

DAP Sequence of Events 191
Configuring DAP 192

Selecting a AAA Attribute 193
Selecting Endpoint Attributes 195
Defining Access Policies 197

Deployment Scenarios 205
AnyConnect Client with CSD and External Authentication 206

Step 1: Set Up CSD 207
Step 2: Set Up RADIUS for Authentication 207
Step 3: Configure AnyConnect SSL VPN 208

Clientless Connections with DAP 209
Step 1: Define Clientless Connections 210
Step 2: Configuring DAP 211

Monitoring and Troubleshooting SSL VPN 212
Monitoring SSL VPN 212
Troubleshooting SSL VPN 215

Troubleshooting SSL Negotiations 215
Troubleshooting AnyConnect Client Issues 215
Troubleshooting Clientless Issues 217
Troubleshooting CSD 219
Troubleshooting DAP 219

Summary 220

Chapter 6 SSL VPNs on Cisco IOS Routers 223

SSL VPN Design Considerations 223

IOS SSL VPN Prerequisites 225

IOS SSL VPN Configuration Guide 226
Configuring Pre-SSL VPN Setup 226

Setting Up User Authentication 226
Enrolling Digital Certificates (Recommended) 229
Loading SDM (Recommended) 232

Initial SSL VPN Configuration 235
Step 1: Setting Up an SSL VPN Gateway 237
Step 2: Setting Up an SSL VPN Context 239
Step 3: Configuring SSL VPN Look and Feel 241
Step 4: Configuring SSL VPN Group Policies 245

Advanced SSL VPN Features 247
Configuring Clientless SSL VPNs 247
Windows File Sharing 253
Configuring Application ACL 257
Thin Client SSL VPNs 259

Step 1: Defining Port-Forwarding Lists 261
Step 2: Mapping Port-Forwarding Lists to a Group Policy 262

AnyConnect SSL VPN Client 264
Step 1: Loading the AnyConnect Package 264
Step 2: Defining AnyConnect VPN Client Attributes 266

Cisco Secure Desktop 276
CSD Components 277

Secure Desktop Manager 277
Secure Desktop 277
Cache Cleaner 278

CSD Requirements 278
Supported Operating Systems 278
User Privileges 279
Supported Internet Browsers 279
Internet Browser Settings 279

CSD Architecture 280
Configuring CSD 281

Step 1: Loading the CSD Package 282
Step 2: Launching the CSD Package 283
Step 3: Defining Policies for Windows-Based Clients 283
Defining Policies for Windows CE 298
Defining Policies for the Mac and Linux Cache Cleaner 298

Deployment Scenarios 301
Clientless Connections with CSD 301

Step 1: User Authentication and DNS 302
Step 2: Set Up CSD 303
Step 3: Define Clientless Connections 303


AnyConnect Client and External Authentication 304
Step 1: Set Up RADIUS for Authentication 305
Step 2: Install the AnyConnect SSL VPN 306
Step 3: Configure AnyConnect SSL VPN Properties 306

Monitoring an SSL VPN in Cisco IOS 307

Summary 311

Chapter 7 Management of SSL VPNs 313

Multidevice Policy Provisioning 314
Device View and Policy View 314

Device View 314
Policy View 318

Use of Common Objects for Multidevice Management 320

Workflow Control and Role-Based Access Control 322
Workflow Control 323
Workflow Mode 324
Role-Based Administration 326

Native Mode 326
Cisco Secure ACS Integration Mode 327

Summary 331

References 331

Index 332