SSL Remote Access VPNs

Book Description

SSL Remote Access VPNs

An introduction to designing and configuring SSL virtual private networks

Jazib Frahim, CCIE® No. 5459

Qiang Huang, CCIE No. 4937

Cisco® SSL VPN solutions (formerly known as Cisco WebVPN solutions) give you a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet and a web browser. Remote access based on SSL VPN delivers secure access to network resources by establishing an encrypted tunnel across the Internet using a broadband (cable or DSL) or ISP dialup connection.

SSL Remote Access VPNs provides you with a basic working knowledge of SSL virtual private networks on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPN in existing network infrastructures. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices. Common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.

SSL Remote Access VPNs gives you everything you need to know to understand, design, install, configure, and troubleshoot all the components that make up an effective, secure SSL VPN solution.

Jazib Frahim, CCIE® No. 5459, is currently working as a technical leader in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security.

Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for market-leading modular Ethernet switching platforms. During his time at Cisco, Qiang has played an important role in a number of technology groups, including the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP Dial.

  • Understand remote access VPN technologies, such as Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) over IPsec, and SSL VPN

  • Learn about the building blocks of SSL VPN, including cryptographic algorithms and SSL and Transport Layer Security (TLS)

  • Evaluate common design best practices for planning and designing an SSL VPN solution

  • Gain insight into SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS® routers

  • Install and configure SSL VPNs on Cisco ASA and Cisco IOS routers

  • Manage your SSL VPN deployment using Cisco Security Manager

    This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

    Category: Networking: Security

    Covers: SSL VPNs

    Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Icons Used in This Book
      1. Command Syntax Conventions
    6. Introduction
      1. Who Should Read This Book?
      2. How This Book Is Organized
    7. 1. Introduction to Remote Access VPN Technologies
      1. Remote Access Technologies
      2. IPsec
        1. Software-Based VPN Clients
        2. Hardware-Based VPN Clients
      3. SSL VPN
      4. L2TP
      5. L2TP over IPsec
      6. PPTP
      7. Summary
    8. 2. SSL VPN Technology
      1. Cryptographic Building Blocks of SSL VPNs
        1. Hashing and Message Integrity Authentication
          1. Hashing
          2. Message Authentication Code
        2. Encryption
          1. RC4
          2. DES and 3DES
          3. AES
          4. Diffie-Hellman
          5. RSA and DSA
        3. Digital Signatures and Digital Certification
          1. Digital Signatures
          2. Public Key Infrastructure, Digital Certificates, and Certification
            1. Digital Certificates
            2. Certification
      2. SSL and TLS
        1. SSL and TLS History
        2. SSL Protocols Overview
          1. OSI Layer Placement and TCP/IP Protocol Support
          2. SSL Record Protocol and Handshake Protocols
          3. SSL Connection Setup
            1. Hello Phase
            2. Authentication and Key Exchange
            3. Key Derivation
            4. Finishing Handshake
          4. Application Data
          5. Case Study: SSL Connection Setup
        3. DTLS
      3. SSL VPN
        1. Reverse Proxy Technology
          1. URL Mangling
          2. Content Rewriting
            1. Server-Side and Client-Side Processing
            2. Proxy Bypass
            3. Customizable Rewriting
            4. Selective Rewriting
        2. Port-Forwarding Technology
        3. Terminal Services
        4. SSL VPN Tunnel Client
      4. Summary
      5. References
    9. 3. SSL VPN Design Considerations
      1. Not All Resource Access Methods Are Equal
      2. User Authentication and Access Privilege Management
        1. User Authentication
        2. Choice of Authentication Servers
        3. AAA Server Scalability and High Availability
          1. AAA Server Scalability
          2. AAA Server High Availability and Resiliency
          3. Resource Access Privilege Management
            1. Scenario 1: Salesperson Accesses the VPN from a Kiosk Computer at a Sales Conference
            2. Scenario 2: The Same Salesperson Accesses the VPN from a Corporate-Owned Laptop at Home
      3. Security Considerations
        1. Security Threats
          1. Lack of Security on Unmanaged Computers
          2. Data Theft
          3. Man-in-the-Middle Attacks
          4. Web Application Attack
          5. Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network
          6. Split Tunneling
          7. Password Attacks
        2. Security Risk Mitigation
          1. Strong User Authentication and Password Policy
          2. Choose Strong Cryptographic Algorithms
          3. Session Timeout and Persistent Sessions
          4. Endpoint Security Posture Assessment and Validation
          5. VPN Session Data Protection
          6. Techniques to Prevent Data Theft
          7. Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies
      4. Device Placement
      5. Platform Options
      6. Virtualization
      7. High Availability
      8. Performance and Scalability
      9. Summary
      10. References
    10. 4. Cisco SSL VPN Family of Products
      1. Overview of Cisco SSL VPN Product Portfolio
      2. Cisco ASA 5500 Series
        1. SSL VPN History on Cisco ASA
        2. SSL VPN Specifications on Cisco ASA
        3. SSL VPN Licenses on Cisco ASA
      3. Cisco IOS Routers
        1. SSL VPN History on Cisco IOS Routers
        2. SSL VPN Licenses on Cisco IOS Routers
      4. Summary
    11. 5. SSL VPNs on Cisco ASA
      1. SSL VPN Design Considerations
      2. SSL VPN Prerequisites
        1. SSL VPN Licenses
        2. Client Operating System and Browser and Software Requirements
        3. Infrastructure Requirements
      3. Pre-SSL VPN Configuration Guide
        1. Enrolling Digital Certificates (Recommended)
          1. Step 1: Configuring a Trustpoint
          2. Step 2: Obtaining a CA Certificate
          3. Step 3: Obtaining an Identity Certificate
        2. Setting Up ASDM
          1. Uploading ASDM
          2. Setting Up the Appliance
        3. Accessing ASDM
        4. Setting Up Tunnel and Group Policies
          1. Configuring Group-Policies
          2. Configuring a Tunnel Group
        5. Setting Up User Authentication
      4. Clientless SSL VPN Configuration Guide
        1. Enabling Clientless SSL VPN on an Interface
        2. Configuring SSL VPN Portal Customization
          1. Logon Page
            1. Banner Area
            2. Logon Area
            3. Information Area
            4. Copyright Area
          2. Portal Page
            1. Title Panel
            2. Toolbar
            3. Navigation Pane
            4. Content Area
          3. Logout Page
          4. Portal Customization and User Group
            1. Customized Login Page and User Connection Profile
            2. Customized Portal Page and User Connection Profile
          5. Full Customization
            1. Full Customization of a Logon Page
            2. Full Customization of a User Portal Page
        3. Configuring Bookmarks
          1. Configuring Websites
          2. Configuring File Servers
          3. Applying a Bookmark List to a Group Policy
          4. Single Sign-On
        4. Configuring Web-Type ACLs
        5. Configuring Application Access
          1. Configuring Port Forwarding
            1. Step 1: Defining Port-Forwarding Lists
            2. Step 2: Mapping Port Forwarding Lists to a Group Policy
          2. Configuring Smart Tunnels
            1. Step 1: Defining a Smart Tunnel List
            2. Step 2: Mapping a Smart Tunnel List to a Group Policy
        6. Configuring Client-Server Plug-Ins
      5. AnyConnect VPN Client Configuration Guide
        1. Loading the SVC Package
        2. Defining AnyConnect VPN Client Attributes
          1. Enabling AnyConnect VPN Client Functionality
          2. Defining a Pool of Addresses
          3. Configuring Traffic Filters
          4. Configuring a Tunnel Group
        3. Advanced Full Tunnel Features
          1. Split Tunneling
          2. DNS and WINS Assignment
          3. Keeping the SSL VPN Client Installed
          4. Configuring DTLS
      6. Cisco Secure Desktop
        1. CSD Components
          1. Secure Desktop Manager
          2. Secure Desktop
          3. Cache Cleaner
        2. CSD Requirements
          1. Supported Operating Systems
          2. User Privileges
          3. Supported Internet Browsers
          4. Internet Browser Settings
        3. CSD Architecture
        4. Configuring CSD
          1. Loading the CSD Package
          2. Defining Prelogin Sequences
            1. Defining Prelogin Policies
            2. Assigning CSD Policy
            3. Identifying Keystroke Loggers and Host Emulators
            4. Defining Secure Desktop General Attributes
            5. Applying Secure Desktop Restrictions
            6. Defining Cache Cleaner Policies
            7. Defining Secure Desktop Browser Settings
      7. Host Scan
        1. Host Scan Modules
          1. Basic Host Scan
          2. Endpoint Assessment
          3. Advanced Endpoint Assessment
        2. Configuring Host Scan
          1. Setting Up Basic Host Scan
          2. Enabling Endpoint Host Scan
          3. Setting Up an Advanced Endpoint Host Scan
            1. Configuring Antivirus Host Scan
            2. Configuring Firewall Host Scan
            3. Configuring AntiSpyware Host Scan
      8. Dynamic Access Policies
        1. DAP Architecture
          1. DAP Records
          2. DAP Selection Rules
          3. DAP Configuration File
        2. DAP Sequence of Events
        3. Configuring DAP
          1. Selecting a AAA Attribute
          2. Selecting Endpoint Attributes
          3. Defining Access Policies
            1. Action Tab
            2. Network ACL Tab
            3. Web-Type ACL Tab
            4. Functions Tab
            5. Port Forwarding Lists Tab
            6. URL Lists Tab
            7. Access Method Tab
      9. Deployment Scenarios
        1. AnyConnect Client with CSD and External Authentication
          1. Step 1: Set Up CSD
          2. Step 2: Set Up RADIUS for Authentication
          3. Step 3: Configure AnyConnect SSL VPN
        2. Clientless Connections with DAP
          1. Step 1: Define Clientless Connections
          2. Step 2: Configuring DAP
      10. Monitoring and Troubleshooting SSL VPN
        1. Monitoring SSL VPN
        2. Troubleshooting SSL VPN
          1. Troubleshooting SSL Negotiations
          2. Troubleshooting AnyConnect Client Issues
            1. Initial Connectivity Issues
            2. Traffic-Specific Issues
          3. Troubleshooting Clientless Issues
            1. Issues with Websites
            2. Issues with CIFS
          4. Troubleshooting CSD
          5. Troubleshooting DAP
      11. Summary
    12. 6. SSL VPNs on Cisco IOS Routers
      1. SSL VPN Design Considerations
      2. IOS SSL VPN Prerequisites
      3. IOS SSL VPN Configuration Guide
        1. Configuring Pre-SSL VPN Setup
          1. Setting Up User Authentication
          2. Enrolling Digital Certificates (Recommended)
            1. Step 1: Configuring a Trustpoint
            2. Step 2: Obtaining a CA Certificate
            3. Step 3: Obtaining an Identity Certificate
          3. Loading SDM (Recommended)
        2. Initial SSL VPN Configuration
          1. Step 1: Setting Up an SSL VPN Gateway
          2. Step 2: Setting Up an SSL VPN Context
          3. Step 3: Configuring SSL VPN Look and Feel
            1. Customizing Login Page
            2. Customizing a Web Portal Page
          4. Step 4: Configuring SSL VPN Group Policies
      4. Advanced SSL VPN Features
        1. Configuring Clientless SSL VPNs
        2. Windows File Sharing
        3. Configuring Application ACL
        4. Thin Client SSL VPNs
          1. Step 1: Defining Port-Forwarding Lists
          2. Step 2: Mapping Port-Forwarding Lists to a Group Policy
        5. AnyConnect SSL VPN Client
          1. Step 1: Loading the AnyConnect Package
          2. Step 2: Defining AnyConnect VPN Client Attributes
            1. Enabling SVC Functionality
            2. Defining a Pool of Addresses
            3. Creating a Layer 3 Interface
            4. Traffic Filtering
            5. Split Tunneling
            6. DNS and WINS Assignment
            7. Keep SSL VPN Client Installed
      5. Cisco Secure Desktop
        1. CSD Components
          1. Secure Desktop Manager
          2. Secure Desktop
          3. Cache Cleaner
        2. CSD Requirements
          1. Supported Operating Systems
          2. User Privileges
          3. Supported Internet Browsers
          4. Internet Browser Settings
        3. CSD Architecture
        4. Configuring CSD
          1. Step 1: Loading the CSD Package
          2. Step 2: Launching the CSD Package
          3. Step 3: Defining Policies for Windows-Based Clients
            1. Defining Windows Locations
            2. Identifying Machines
            3. Enabling SSL VPN Features
            4. Identifying Keystroke Loggers
            5. Defining Secure Desktop General Attributes
            6. Applying Secure Desktop Restrictions
            7. Defining Cache Cleaner Policies
            8. Defining Secure Desktop Browser Settings
          4. Defining Policies for Windows CE
          5. Defining Policies for the Mac and Linux Cache Cleaner
      6. Deployment Scenarios
        1. Clientless Connections with CSD
          1. Step 1: User Authentication and DNS
          2. Step 2: Set Up CSD
          3. Step 3: Define Clientless Connections
        2. AnyConnect Client and External Authentication
          1. Step 1: Set Up RADIUS for Authentication
          2. Step 2: Install the AnyConnect SSL VPN
          3. Step 3: Configure AnyConnect SSL VPN Properties
      7. Monitoring an SSL VPN in Cisco IOS
      8. Summary
    13. 7. Management of SSL VPNs
      1. Multidevice Policy Provisioning
        1. Device View and Policy View
          1. Device View
          2. Policy View
        2. Use of Common Objects for Multidevice Management
      2. Workflow Control and Role-Based Access Control
        1. Workflow Control
        2. Workflow Mode
        3. Role-Based Administration
          1. Native Mode
          2. Cisco Secure ACS Integration Mode
      3. Summary
      4. References