SSL Remote Access VPNs

Jazib Frahim, CCIE No. 5459, Qiang Huang, CCIE No. 4937

Cisco Press

Contents at a Glance

Chapter 1 Introduction to Remote Access VPN Technologies
Chapter 2 SSL VPN Technology
Chapter 3 SSL VPN Design Considerations
Chapter 4 Cisco SSL VPN Family of Products
Chapter 5 SSL VPNs on Cisco ASA
Chapter 6 SSL VPNs on Cisco IOS Routers
Chapter 7 Management of SSL VPNs

e-books shop
SSL Remote Access VPNs

About the Authors
Jazib Frahim, CCIE No. 5459, has been with Cisco for more than nine years. Having a bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees. He has recently received his master of business administration (MBA) degree from North Carolina State University. He is also an author of the following Cisco Press books: Cisco Network Admission Control,
Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.
Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Systems Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for Cisco marketleading modular Ethernet switching platforms. He has been with Cisco for almost ten years. During his time at Cisco, Qiang played an important role in a number of technology groups including the following: technical lead in the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions; a security consulting engineer in the Cisco Advanced Service Group, providing security posture assessment and consulting services to customers; a technical marketing engineer focusing on competitive analysis and market intelligence in
network security with specialization in the emerging SSL VPN technology. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP dial. He is also one of the contributing authors of Internetworking Technologies Handbook, Fourth Edition. Qiang received a master’s degree in electrical engineering from Colorado State University.

About the Technical Reviewers
Pete Davis has been working with computers and networks since he was able to walk. By age 15, he was one of the youngest professional network engineers and one of the first employees at an Internet service provider. Pete implemented and maintained the systems and networks behind New England’s largest consumer Internet service provider, TIAC (The Internet Access Company). In 1997, Pete joined Shiva Corporation as a product specialist. Since 1998, Pete has been with Altiga Networks, a VPN concentrator manufacturer in Franklin, Massachusetts, that was acquired by Cisco on March 29, 2000. As product line manager, Pete is responsible for driving new VPN-related products and features. 
Dave Garneau is principal consultant and senior technical instructor at The Radix Group, Ltd., a consulting and training company based in Henderson, Nevada, and focusing on network security. As a consultant, he specializes in Cisco network security (including IronPort, now part of Cisco) and VPN technologies (both IPsec and SSL VPN). As an instructor, he has trained more than 2500 people in eight countries to earn certifications throughout the Cisco and IronPort certification programs. He has written lab guides used worldwide by authorized Cisco Learning Partners, as well as publishing papers related
to network security. Dave holds the following certifications: CCSP, CCNP, CCDP, CCSI, CCNA, CCDA, ICSP, ICSI, and CNE.

This book provides a complete guide to the SSL VPN technology and discusses its implementation on Cisco SSL VPN–capable devices. Design guidance is provided to assist you in implementing SSL VPNs in an existing network infrastructure. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices.
Toward the end of Chapters 5 and 6, common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.

Who Should Read This Book?
This book serves as a guide for network professionals who want to implement the Cisco SSL VPN remote access solution in their network to allow users to access the corporate resources easily and safely. The book systematically walks you through the product or solution architecture, installation, configuration, deployment, monitoring, and troubleshooting the SSL VPN solution. Any network professional should be able to use this book as a guide to successfully deploy SSL VPN remote access solutions in their network. Requirements include a basic knowledge of TCP/IP and networking, familiarity with Cisco routers/firewalls and their command-line interface (CLI), and a general understanding of the overall SSL VPN solution.

How This Book Is Organized
Part I of this book includes Chapters 1 and 2, which provide an overview of the remote access VPN technologies and introduce the SSL VPN technology. The remainder of the book is divided into two parts.
Part II encompasses Chapters 3 and 4 and introduces the Cisco SSL VPN product lines, with guidance on different design considerations.
Part III encompasses Chapters 5 through 7 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up the SSL VPN solution.
• Part I, “Introduction and Technology Overview,” includes the following chapters:
Chapter 1, “Introduction to Remote Access VPN Technologies”: This chapter covers the
remote access Virtual Private Network (VPN) technologies in detail. Protocols, such as the
Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding
(L2F), Layer 2 Tunneling Protocol (L2TP) over IPsec, and SSL VPN, are discussed to
provide readers with an overview of the available remote access VPN technologies.
Chapter 2, “SSL VPN Technology”: This chapter provides a technology overview of the building
blocks of SSL VPNs, including cryptographic algorithms, SSL and Transport Layer Security
(TLS), and common SSL VPN technologies.
• Part II, “SSL VPN Design Considerations and Cisco Solution Overview,” includes the following
chapters: Chapter 3, “SSL VPN Design Considerations”: This chapter discusses the common design best practices for planning and designing an SSL VPN solution. Chapter 4, “Cisco SSL VPN Family of Products”: This chapter discusses the SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS routers and provides product specifications that are focused on SSL VPNs.
• Part III, “Deploying Cisco SSL VPN Solutions,” includes the following chapters:
Chapter 5, “SSL VPNs on Cisco ASA”: This chapter provides details about the SSL VPN functionality in Cisco ASA. This chapter discusses clientless and full tunnel SSL VPN client implementations and focuses on Cisco Secure Desktop (CSD). This chapter also discusses the Host Scan feature that is used to collect posture information about end workstations. The dynamic
access policy (DAP) feature, its usage, and detailed configuration examples are also provided.
To reinforce learning, many different deployment scenarios are presented along with their configurations.
Chapter 6, “SSL VPNs on Cisco IOS Routers”: This chapter provides details about the SSL
VPN functionality in Cisco IOS routers. It begins by offering design guidance and then discusses
the configuration of SSL VPNs in greater detail. The configurations of clientless, thin
client, and AnyConnect Client modes are discussed. The second half of the chapter focuses on
Cisco Secure Desktop (CSD) and offers guidance in setting up CSD features. To reinforce
learning, two different deployment scenarios are presented along with their configurations.
Toward the end of this chapter, SSL VPN monitoring through SDM is also discussed.
Chapter 7, “Management of SSL VPNs”: This chapter discusses the central management of
SSL VPN devices using Cisco Security Manager.

Table of Contents
Introduction xviii
Chapter 1 Introduction to Remote Access VPN Technologies 3
Remote Access Technologies 5
IPsec 5
Software-Based VPN Clients 7
Hardware-Based VPN Clients 7
L2TP 9
L2TP over IPsec 11
Summary 14
Chapter 2 SSL VPN Technology 17
Cryptographic Building Blocks of SSL VPNs 17
Hashing and Message Integrity Authentication 17
Hashing 18
Message Authentication Code 18
Encryption 20
RC4 21
DES and 3DES 22
AES 22
Diffie-Hellman 23
RSA and DSA 24
Digital Signatures and Digital Certification 24
Digital Signatures 24
Public Key Infrastructure, Digital Certificates, and Certification 25
SSL and TLS 30
SSL and TLS History 30
SSL Protocols Overview 31
OSI Layer Placement and TCP/IP Protocol Support 31
SSL Record Protocol and Handshake Protocols 33
SSL Connection Setup 34
Application Data 42
Case Study: SSL Connection Setup 43
Reverse Proxy Technology 50
URL Mangling 52
Content Rewriting 53
Port-Forwarding Technology 55
Terminal Services 58
SSL VPN Tunnel Client 58
Summary 59
References 60
Chapter 3 SSL VPN Design Considerations 63
Not All Resource Access Methods Are Equal 63
User Authentication and Access Privilege Management 65
User Authentication 66
Choice of Authentication Servers 66
AAA Server Scalability and High Availability 67
AAA Server Scalability 67
AAA Server High Availability and Resiliency 68
Resource Access Privilege Management 68
Security Considerations 70
Security Threats 71
Lack of Security on Unmanaged Computers 71
Data Theft 71
Man-in-the-Middle Attacks 72
Web Application Attack 73
Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal
Network 73
Split Tunneling 73
Password Attacks 74
Security Risk Mitigation 74
Strong User Authentication and Password Policy 75
Choose Strong Cryptographic Algorithms 75
Session Timeout and Persistent Sessions 75
Endpoint Security Posture Assessment and Validation 75
VPN Session Data Protection 76
Techniques to Prevent Data Theft 76
Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and
Network Admission Control Technologies 77
Device Placement 78
Platform Options 79
Virtualization 79
High Availability 80
Performance and Scalability 81
Summary 82
References 82
Chapter 4 Cisco SSL VPN Family of Products 85
Overview of Cisco SSL VPN Product Portfolio 85
Cisco ASA 5500 Series 87
SSL VPN History on Cisco ASA 87
SSL VPN Specifications on Cisco ASA 88
SSL VPN Licenses on Cisco ASA 89
Cisco IOS Routers 90
SSL VPN History on Cisco IOS Routers 90
SSL VPN Licenses on Cisco IOS Routers 90
Summary 91
Chapter 5 SSL VPNs on Cisco ASA 93
SSL VPN Design Considerations 93
SSL VPN Prerequisites 95
SSL VPN Licenses 95
Client Operating System and Browser and Software Requirements 96
Infrastructure Requirements 97
Pre-SSL VPN Configuration Guide 97
Enrolling Digital Certificates (Recommended) 98
Step 1: Configuring a Trustpoint 98
Step 2: Obtaining a CA Certificate 99
Step 3: Obtaining an Identity Certificate 100
Setting Up ASDM 101
Uploading ASDM 102
Setting Up the Appliance 103
Accessing ASDM 104
Setting Up Tunnel and Group Policies 106
Configuring Group-Policies 107
Configuring a Tunnel Group 110
Setting Up User Authentication 110
Clientless SSL VPN Configuration Guide 114
Enabling Clientless SSL VPN on an Interface 116
Configuring SSL VPN Portal Customization 117
Logon Page 118
Portal Page 123
Logout Page 125
Portal Customization and User Group 126
Full Customization 129
Configuring Bookmarks 134
Configuring Websites 135
Configuring File Servers 137
Applying a Bookmark List to a Group Policy 139
Single Sign-On 140
Configuring Web-Type ACLs 141
Configuring Application Access 144
Configuring Port Forwarding 144
Configuring Smart Tunnels 147
Configuring Client-Server Plug-Ins 150
AnyConnect VPN Client Configuration Guide 152
Loading the SVC Package 154
Defining AnyConnect VPN Client Attributes 155
Enabling AnyConnect VPN Client Functionality 155
Defining a Pool of Addresses 156
Configuring Traffic Filters 159
Configuring a Tunnel Group 159
Advanced Full Tunnel Features 159
Split Tunneling 159
DNS and WINS Assignment 161
Keeping the SSL VPN Client Installed 162
Configuring DTLS 163
Cisco Secure Desktop 164
CSD Components 165
Secure Desktop Manager 165
Secure Desktop 165
Cache Cleaner 166
CSD Requirements 166
Supported Operating Systems 166
User Privileges 167
Supported Internet Browsers 167
Internet Browser Settings 167
CSD Architecture 168
Configuring CSD 169
Loading the CSD Package 169
Defining Prelogin Sequences 170
Host Scan 182
Host Scan Modules 183
Basic Host Scan 183
Endpoint Assessment 183
Advanced Endpoint Assessment 184
Configuring Host Scan 184
Setting Up Basic Host Scan 184
Enabling Endpoint Host Scan 186
Setting Up an Advanced Endpoint Host Scan 187
Dynamic Access Policies 189
DAP Architecture 190
DAP Records 191
DAP Selection Rules 191
DAP Configuration File 191
DAP Sequence of Events 191
Configuring DAP 192
Selecting a AAA Attribute 193
Selecting Endpoint Attributes 195
Defining Access Policies 197
Deployment Scenarios 205
AnyConnect Client with CSD and External Authentication 206
Step 1: Set Up CSD 207
Step 2: Set Up RADIUS for Authentication 207
Step 3: Configure AnyConnect SSL VPN 208
Clientless Connections with DAP 209
Step 1: Define Clientless Connections 210
Step 2: Configuring DAP 211
Monitoring and Troubleshooting SSL VPN 212
Monitoring SSL VPN 212
Troubleshooting SSL VPN 215
Troubleshooting SSL Negotiations 215
Troubleshooting AnyConnect Client Issues 215
Troubleshooting Clientless Issues 217
Troubleshooting CSD 219
Troubleshooting DAP 219
Summary 220
Chapter 6 SSL VPNs on Cisco IOS Routers 223
SSL VPN Design Considerations 223
IOS SSL VPN Prerequisites 225
IOS SSL VPN Configuration Guide 226
Configuring Pre-SSL VPN Setup 226
Setting Up User Authentication 226
Enrolling Digital Certificates (Recommended) 229
Loading SDM (Recommended) 232
Initial SSL VPN Configuration 235
Step 1: Setting Up an SSL VPN Gateway 237
Step 2: Setting Up an SSL VPN Context 239
Step 3: Configuring SSL VPN Look and Feel 241
Step 4: Configuring SSL VPN Group Policies 245
Advanced SSL VPN Features 247
Configuring Clientless SSL VPNs 247
Windows File Sharing 253
Configuring Application ACL 257
Thin Client SSL VPNs 259
Step 1: Defining Port-Forwarding Lists 261
Step 2: Mapping Port-Forwarding Lists to a Group Policy 262
AnyConnect SSL VPN Client 264
Step 1: Loading the AnyConnect Package 264
Step 2: Defining AnyConnect VPN Client Attributes 266
Cisco Secure Desktop 276
CSD Components 277
Secure Desktop Manager 277
Secure Desktop 277
Cache Cleaner 278
CSD Requirements 278
Supported Operating Systems 278
User Privileges 279
Supported Internet Browsers 279
Internet Browser Settings 279
CSD Architecture 280
Configuring CSD 281
Step 1: Loading the CSD Package 282
Step 2: Launching the CSD Package 283
Step 3: Defining Policies for Windows-Based Clients 283
Defining Policies for Windows CE 298
Defining Policies for the Mac and Linux Cache Cleaner 298
Deployment Scenarios 301
Clientless Connections with CSD 301
Step 1: User Authentication and DNS 302
Step 2: Set Up CSD 303
Step 3: Define Clientless Connections 303
AnyConnect Client and External Authentication 304
Step 1: Set Up RADIUS for Authentication 305
Step 2: Install the AnyConnect SSL VPN 306
Step 3: Configure AnyConnect SSL VPN Properties 306
Monitoring an SSL VPN in Cisco IOS 307
Summary 311
Chapter 7 Management of SSL VPNs 313
Multidevice Policy Provisioning 314
Device View and Policy View 314
Device View 314
Policy View 318
Use of Common Objects for Multidevice Management 320
Workflow Control and Role-Based Access Control 322
Workflow Control 323
Workflow Mode 324
Role-Based Administration 326
Native Mode 326
Cisco Secure ACS Integration Mode 327
Summary 331
References 331
Index 332


e-books shop

Purchase Now !
Just with Paypal

Product details
 2,00 USD
 369 p
 File Size
 12,701 KB
 File Type
 PDF format
 2008 Cisco Systems, Inc 

═════ ═════

Loading... Protection Status