SSL Remote Access VPNs
An introduction to designing and configuring SSL virtual private networks
Jazib Frahim, CCIE® No. 5459
Qiang Huang, CCIE No. 4937
Cisco® SSL VPN solutions (formerly known as Cisco WebVPN solutions) give you a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet and a web browser. Remote access based on SSL VPN delivers secure access to network resources by establishing an encrypted tunnel across the Internet using a broadband (cable or DSL) or ISP dialup connection.
SSL Remote Access VPNs provides you with a basic working knowledge of SSL virtual private networks on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPN in existing network infrastructures. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices. Common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.
SSL Remote Access VPNs gives you everything you need to know to understand, design, install, configure, and troubleshoot all the components that make up an effective, secure SSL VPN solution.
Jazib Frahim, CCIE® No. 5459, is currently working as a technical leader in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security.
Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for market-leading modular Ethernet switching platforms. During his time at Cisco, Qiang has played an important role in a number of technology groups, including the Cisco TAC security and VPN team, where he was responsible for trouble-shooting complicated customer deployments in security and VPN solutions. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and
ISP Dial.
- Understand remote access VPN technologies, such as Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling (L2TP) over IPsec, and SSL VPN
- Learn about the building blocks of SSL VPN, including cryptographic algorithms and SSL and Transport Layer Security (TLS)
- Evaluate common design best practices for planning and designing an SSL VPN solution
- Gain insight into SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS® routers
- Install and configure SSL VPNs on Cisco ASA and Cisco IOS routers
- Manage your SSL VPN deployment using Cisco Security Manager
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Networking: Security
Covers: SSL VPNs
Table of Contents:
Introduction
Chapter 1: Introduction to Remote Access VPN Technologies
Remote Access Technologies 5
IPsec 5
Software-Based VPN Clients 7
Hardware-Based VPN Clients 7
SSL VPN 7
L2TP 9
L2TP over IPsec 11
PPTP 13
Summary 14
Chapter 2: SSL VPN Technology
Cryptographic Building Blocks of SSL VPNs 17
Hashing and Message Integrity Authentication 17
Hashing 18
Message Authentication Code 18
Encryption 20
RC4 21
DES and 3DES 22
AES 22
Diffie-Hellman 23
RSA and DSA 24
Digital Signatures and Digital Certification 24
Digital Signatures 24
Public Key Infrastructure, Digital Certificates, and Certification 25
SSL and TLS 30
SSL and TLS History 30
SSL Protocols Overview 31
OSI Layer Placement and TCP/IP Protocol Support 31
SSL Record Protocol and Handshake Protocols 33
SSL Connection Setup 34
Application Data 42
Case Study: SSL Connection Setup 43
DTLS 48
SSL VPN 49
Reverse Proxy Technology 50
URL Mangling 52
Content Rewriting 53
Port-Forwarding Technology 55
Terminal Services 58
SSL VPN Tunnel Client 58
Summary 59
References 60
Chapter 3: SSL VPN Design Considerations
Not All Resource Access Methods Are Equal 63
User Authentication and Access Privilege Management 65
User Authentication 66
Choice of Authentication Servers 66
AAA Server Scalability and High Availability 67
AAA Server Scalability 67
AAA Server High Availability and Resiliency 68
Resource Access Privilege Management 68
Security Considerations 70
Security Threats 71
Lack of Security on Unmanaged Computers 71
Data Theft 71
Man-in-the-Middle Attacks 72
Web Application Attack 73
Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network 73
Split Tunneling 73
Password Attacks 74
Security Risk Mitigation 74
Strong User Authentication and Password Policy 75
Choose Strong Cryptographic Algorithms 75
Session Timeout and Persistent Sessions 75
Endpoint Security Posture Assessment and Validation 75
VPN Session Data Protection 76
Techniques to Prevent Data Theft 76
Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies 77
Device Placement 78
Platform Options 79
Virtualization 79
High Availability 80
Performance and Scalability 81
Summary 82
References 82
Chapter 4: Cisco SSL VPN Family of Products
Overview of Cisco SSL VPN Product Portfolio 85
Cisco ASA 5500 Series 87
SSL VPN History on Cisco ASA 87
SSL VPN Specifications on Cisco ASA 88
SSL VPN Licenses on Cisco ASA 89
Cisco IOS Routers 90
SSL VPN History on Cisco IOS Routers 90
SSL VPN Licenses on Cisco IOS Routers 90
Summary 91
Chapter 5: SSL VPNs on Cisco ASA
SSL VPN Design Considerations 93
SSL VPN Prerequisites 95
SSL VPN Licenses 95
Client Operating System and Browser and Software Requirements 96
Infrastructure Requirements 97
Pre-SSL VPN Configuration Guide 97
Enrolling Digital Certificates (Recommended) 98
Step 1: Configuring a Trustpoint 98
Step 2: Obtaining a CA Certificate 99
Step 3: Obtaining an Identity Certificate 100
Setting Up ASDM 101
Uploading ASDM 102
Setting Up the Appliance 103
Accessing ASDM 104
Setting Up Tunnel and Group Policies 106
Configuring Group-Policies 107
Configuring a Tunnel Group 110
Setting Up User Authentication 110
Clientless SSL VPN Configuration Guide 114
Enabling Clientless SSL VPN on an Interface 116
Configuring SSL VPN Portal Customization 117
Logon Page 118
Portal Page 123
Logout Page 125
Portal Customization and User Group 126
Full Customization 129
Configuring Bookmarks 134
Configuring Websites 135
Configuring File Servers 137
Applying a Bookmark List to a Group Policy 139
Single Sign-On 140
Configuring Web-Type ACLs 141
Configuring Application Access 144
Configuring Port Forwarding 144
Configuring Smart Tunnels 147
Configuring Client-Server Plug-Ins 150
AnyConnect VPN Client Configuration Guide 152
Loading the SVC Package 154
Defining AnyConnect VPN Client Attributes 155
Enabling AnyConnect VPN Client Functionality 155
Defining a Pool of Addresses 156
Configuring Traffic Filters 159
Configuring a Tunnel Group 159
Advanced Full Tunnel Features 159
Split Tunneling 159
DNS and WINS Assignment 161
Keeping the SSL VPN Client Installed 162
Configuring DTLS 163
Cisco Secure Desktop 164
CSD Components 165
Secure Desktop Manager 165
Secure Desktop 165
Cache Cleaner 166
CSD Requirements 166
Supported Operating Systems 166
User Privileges 167
Supported Internet Browsers 167
Internet Browser Settings 167
CSD Architecture 168
Configuring CSD 169
Loading the CSD Package 169
Defining Prelogin Sequences 170
Host Scan 182
Host Scan Modules 183
Basic Host Scan 183
Endpoint Assessment 183
Advanced Endpoint Assessment 184
Configuring Host Scan 184
Setting Up Basic Host Scan 184
Enabling Endpoint Host Scan 186
Setting Up an Advanced Endpoint Host Scan 187
Dynamic Access Policies 189
DAP Architecture 190
DAP Records 191
DAP Selection Rules 191
DAP Configuration File 191
DAP Sequence of Events 191
Configuring DAP 192
Selecting a AAA Attribute 193
Selecting Endpoint Attributes 195
Defining Access Policies 197
Deployment Scenarios 205
AnyConnect Client with CSD and External Authentication 206
Step 1: Set Up CSD 207
Step 2: Set Up RADIUS for Authentication 207
Step 3: Configure AnyConnect SSL VPN 208
Clientless Connections with DAP 209
Step 1: Define Clientless Connections 210
Step 2: Configuring DAP 211
Monitoring and Troubleshooting SSL VPN 212
Monitoring SSL VPN 212
Troubleshooting SSL VPN 215
Troubleshooting SSL Negotiations 215
Troubleshooting AnyConnect Client Issues 215
Troubleshooting Clientless Issues 217
Troubleshooting CSD 219
Troubleshooting DAP 219
Summary 220
Chapter 6: SSL VPNs on Cisco IOS Routers
SSL VPN Design Considerations 223
IOS SSL VPN Prerequisites 225
IOS SSL VPN Configuration Guide 226
Configuring Pre-SSL VPN Setup 226
Setting Up User Authentication 226
Enrolling Digital Certificates (Recommended) 229
Loading SDM (Recommended) 232
Initial SSL VPN Configuration 235
Step 1: Setting Up an SSL VPN Gateway 237
Step 2: Setting Up an SSL VPN Context 239
Step 3: Configuring SSL VPN Look and Feel 241
Step 4: Configuring SSL VPN Group Policies 245
Advanced SSL VPN Features 247
Configuring Clientless SSL VPNs 247
Windows File Sharing 253
Configuring Application ACL 257
Thin Client SSL VPNs 259
Step 1: Defining Port-Forwarding Lists 261
Step 2: Mapping Port-Forwarding Lists to a Group Policy 262
AnyConnect SSL VPN Client 264
Step 1: Loading the AnyConnect Package 264
Step 2: Defining AnyConnect VPN Client Attributes 266
Cisco Secure Desktop 276
CSD Components 277
Secure Desktop Manager 277
Secure Desktop 277
Cache Cleaner 278
CSD Requirements 278
Supported Operating Systems 278
User Privileges 279
Supported Internet Browsers 279
Internet Browser Settings 279
CSD Architecture 280
Configuring CSD 281
Step 1: Loading the CSD Package 282
Step 2: Launching the CSD Package 283
Step 3: Defining Policies for Windows-Based Clients 283
Defining Policies for Windows CE 298
Defining Policies for the Mac and Linux Cache Cleaner 298
Deployment Scenarios 301
Clientless Connections with CSD 301
Step 1: User Authentication and DNS 302
Step 2: Set Up CSD 303
Step 3: Define Clientless Connections 303
AnyConnect Client and External Authentication 304
Step 1: Set Up RADIUS for Authentication 305
Step 2: Install the AnyConnect SSL VPN 306
Step 3: Configure AnyConnect SSL VPN Properties 306
Monitoring an SSL VPN in Cisco IOS 307
Summary 311
Chapter 7: Management of SSL VPNs
Multidevice Policy Provisioning 314
Device View and Policy View 314
Device View 314
Policy View 318
Use of Common Objects for Multidevice Management 320
Workflow Control and Role-Based Access Control 322
Workflow Control 323
Workflow Mode 324
Role-Based Administration 326
Native Mode 326
Cisco Secure ACS Integration Mode 327
Summary 331
References 331
1587052423 TOC 5/13/2008
About the Author :
Jazib Frahim, CCIE No. 5459, has been with Cisco for more than nine years. Having a bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees.
He has recently received his master of business administration (MBA) degree from North Carolina State University. He is also an author of the following Cisco Press books: Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.
Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Systems Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for Cisco marketleading modular Ethernet switching platforms. He has been with Cisco for almost ten years. During his time at Cisco, Qiang played an important role in a number of technology groups including the following: technical lead in the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions; a security consulting engineer in the Cisco Advanced Service Group, providing security posture assessment and consulting services to customers; a technical marketing engineer focusing on competitive analysis and market intelligence in network security with specialization in the emerging SSL VPN technology. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP dial. He is also one of the contributing authors of Internetworking Technologies Handbook, Fourth Edition. Qiang received a master’s degree in electrical engineering from Colorado State University.
