Other versions by this Author
Author Biography
Jazib Frahim, CCIE No. 5459, has been with Cisco for more than nine years. Having a bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees.
He has recently received his master of business administration (MBA) degree from North Carolina State University. He is also an author of the following Cisco Press books: Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.
Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Systems Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for Cisco marketleading modular Ethernet switching platforms. He has been with Cisco for almost ten years. During his time at Cisco, Qiang played an important role in a number of technology groups including the following: technical lead in the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions; a security consulting engineer in the Cisco Advanced Service Group, providing security posture assessment and consulting services to customers; a technical marketing engineer focusing on competitive analysis and market intelligence in network security with specialization in the emerging SSL VPN technology. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP dial. He is also one of the contributing authors of Internetworking Technologies Handbook, Fourth Edition. Qiang received a master’s degree in electrical engineering from Colorado State University.
Table of Contents
| Introduction | |
| Introduction to Remote Access VPN Technologies | |
| Remote Access Technologies | p. 5 |
| IPsec | p. 5 |
| Software-Based VPN Clients | p. 7 |
| Hardware-Based VPN Clients | p. 7 |
| SSL VPN | p. 7 |
| L2TP | p. 9 |
| L2TP over IPsec | p. 11 |
| PPTP | p. 13 |
| Summary | p. 14 |
| SSL VPN Technology | |
| Cryptographic Building Blocks of SSL VPNs | p. 17 |
| Hashing and Message Integrity Authentication | p. 17 |
| Hashing | p. 18 |
| Message Authentication Code | p. 18 |
| Encryption | p. 20 |
| RC4 | p. 21 |
| DES and 3DES | p. 22 |
| AES | p. 22 |
| Diffie-Hellman | p. 23 |
| RSA and DSA | p. 24 |
| Digital Signatures and Digital Certification | p. 24 |
| Digital Signatures | p. 24 |
| Public Key Infrastructure, Digital Certificates, and Certification | p. 25 |
| SSL and TLS | p. 30 |
| SSL and TLS History | p. 30 |
| SSL Protocols Overview | p. 31 |
| OSI Layer Placement and TCP/IP Protocol Support | p. 31 |
| SSL Record Protocol and Handshake Protocols | p. 33 |
| SSL Connection Setup | p. 34 |
| Application Data | p. 42 |
| Case Study: SSL Connection Setup | p. 43 |
| DTLS | p. 48 |
| SSL VPN | p. 49 |
| Reverse Proxy Technology | p. 50 |
| URL Mangling | p. 52 |
| Content Rewriting | p. 53 |
| Port-Forwarding Technology | p. 55 |
| Terminal Services | p. 58 |
| SSL VPN Tunnel Client | p. 58 |
| Summary | p. 59 |
| References | p. 60 |
| SSL VPN Design Considerations | |
| Not All Resource Access Methods Are Equal | p. 63 |
| User Authentication and Access Privilege Management | p. 65 |
| User Authentication | p. 66 |
| Choice of Authentication Servers | p. 66 |
| AAA Server Scalability and High Availability | p. 67 |
| AAA Server Scalability | p. 67 |
| AAA Server High Availability and Resiliency | p. 68 |
| Resource Access Privilege Management | p. 68 |
| Security Considerations | p. 70 |
| Security Threats | p. 71 |
| Lack of Security on Unmanaged Computers | p. 71 |
| Data Theft | p. 71 |
| Man-in-the-Middle Attacks | p. 72 |
| Web Application Attack | p. 73 |
| Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network | p. 73 |
| Split Tunneling | p. 73 |
| Password Attacks | p. 74 |
| Security Risk Mitigation | p. 74 |
| Strong User Authentication and Password Policy | p. 75 |
| Choose Strong Cryptographic Algorithms | p. 75 |
| Session Timeout and Persistent Sessions | p. 75 |
| Endpoint Security Posture Assessment and Validation | p. 75 |
| VPN Session Data Protection | p. 76 |
| Techniques to Prevent Data Theft | p. 76 |
| Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies | p. 77 |
| Device Placement | p. 78 |
| Platform Options | p. 79 |
| Virtualization | p. 79 |
| High Availability | p. 80 |
| Performance and Scalability | p. 81 |
| Summary | p. 82 |
| References | p. 82 |
| Cisco SSL VPN Family of Products | |
| Overview of Cisco SSL VPN Product Portfolio | p. 85 |
| Cisco ASA 5500 Series | p. 87 |
| SSL VPN History on Cisco ASA | p. 87 |
| SSL VPN Specifications on Cisco ASA | p. 88 |
| SSL VPN Licenses on Cisco ASA | p. 89 |
| Cisco IOS Routers | p. 90 |
| SSL VPN History on Cisco IOS Routers | p. 90 |
| SSL VPN Licenses on Cisco IOS Routers | p. 90 |
| Summary | p. 91 |
| SSL VPNs on Cisco ASA | |
| SSL VPN Design Considerations | p. 93 |
| SSL VPN Prerequisites | p. 95 |
| SSL VPN Licenses | p. 95 |
| Client Operating System and Browser and Software Requirements | p. 96 |
| Infrastructure Requirements | p. 97 |
| Pre-SSL VPN Configuration Guide | p. 97 |
| Enrolling Digital Certificates (Recommended) | p. 98 |
| Step 1: Configuring a Trustpoint | p. 98 |
| Step 2: Obtaining a CA Certificate | p. 99 |
| Step 3: Obtaining an Identity Certificate | p. 100 |
| Setting Up ASDM | p. 101 |
| Uploading ASDM | p. 102 |
| Setting Up the Appliance | p. 103 |
| Accessing ASDM | p. 104 |
| Setting Up Tunnel and Group Policies | p. 106 |
| Configuring Group-Policies | p. 107 |
| Configuring a Tunnel Group | p. 110 |
| Setting Up User Authentication | p. 110 |
| Clientless SSL VPN Configuration Guide | p. 114 |
| Enabling Clientless SSL VPN on an Interface | p. 116 |
| Configuring SSL VPN Portal Customization | p. 117 |
| Logon Page | p. 118 |
| Portal Page | p. 123 |
| Logout Page | p. 125 |
| Portal Customization and User Group | p. 126 |
| Full Customization | p. 129 |
| Configuring Bookmarks | p. 134 |
| Configuring Websites | p. 135 |
| Configuring File Servers | p. 137 |
| Applying a Bookmark List to a Group Policy | p. 139 |
| Single Sign-On | p. 140 |
| Configuring Web-Type ACLs | p. 141 |
| Configuring Application Access | p. 144 |
| Configuring Port Forwarding | p. 144 |
| Configuring Smart Tunnels | p. 147 |
| Configuring Client-Server Plug-Ins | p. 150 |
| AnyConnect VPN Client Configuration Guide | p. 152 |
| Loading the SVC Package | p. 154 |
| Defining AnyConnect VPN Client Attributes | p. 155 |
| Enabling AnyConnect VPN Client Functionality | p. 155 |
| Defining a Pool of Addresses | p. 156 |
| Configuring Traffic Filters | p. 159 |
| Configuring a Tunnel Group | p. 159 |
| Advanced Full Tunnel Features | p. 159 |
| Split Tunneling | p. 159 |
| DNS and WINS Assignment | p. 161 |
| Keeping the SSL VPN Client Installed | p. 162 |
| Configuring DTLS | p. 163 |
| Cisco Secure Desktop | p. 164 |
| CSD Components | p. 165 |
| Secure Desktop Manager | p. 165 |
| Secure Desktop | p. 165 |
| Cache Cleaner | p. 166 |
| CSD Requirements | p. 166 |
| Supported Operating Systems | p. 166 |
| User Privileges | p. 167 |
| Supported Internet Browsers | p. 167 |
| Internet Browser Settings | p. 167 |
| CSD Architecture | p. 168 |
| Configuring CSD | p. 169 |
| Loading the CSD Package | p. 169 |
| Defining Prelogin Sequences | p. 170 |
| Host Scan | p. 182 |
| Host Scan Modules | p. 183 |
| Basic Host Scan | p. 183 |
| Endpoint Assessment | p. 183 |
| Advanced Endpoint Assessment | p. 184 |
| Configuring Host Scan | p. 184 |
| Setting Up Basic Host Scan | p. 184 |
| Enabling Endpoint Host Scan | p. 186 |
| Setting Up an Advanced Endpoint Host Scan | p. 187 |
| Dynamic Access Policies | p. 189 |
| DAP Architecture | p. 190 |
| DAP Records | p. 191 |
| DAP Selection Rules | p. 191 |
| DAP Configuration File | p. 191 |
| DAP Sequence of Events | p. 191 |
| Configuring DAP | p. 192 |
| Selecting a AAA Attribute | p. 193 |
| Selecting Endpoint Attributes | p. 195 |
| Defining Access Policies | p. 197 |
| Deployment Scenarios | p. 205 |
| AnyConnect Client with CSD and External Authentication | p. 206 |
| Step 1: Set Up CSD | p. 207 |
| Step 2: Set Up RADIUS for Authentication | p. 207 |
| Step 3: Configure AnyConnect SSL VPN | p. 208 |
| Clientless Connections with DAP | p. 209 |
| Step 1: Define Clientless Connections | p. 210 |
| Step 2: Configuring DAP | p. 211 |
| Monitoring and Troubleshooting SSL VPN | p. 212 |
| Monitoring SSL VPN | p. 212 |
| Troubleshooting SSL VPN | p. 215 |
| Troubleshooting SSL Negotiations | p. 215 |
| Troubleshooting AnyConnect Client Issues | p. 215 |
| Troubleshooting Clientless Issues | p. 217 |
| Troubleshooting CSD | p. 219 |
| Troubleshooting DAP | p. 219 |
| Summary | p. 220 |
| SSL VPNs on Cisco IOS Routers | |
| SSL VPN Design Considerations | p. 223 |
| IOS SSL VPN Prerequisites | p. 225 |
| IOS SSL VPN Configuration Guide | p. 226 |
| Configuring Pre-SSL VPN Setup | p. 226 |
| Setting Up User Authentication | p. 226 |
| Enrolling Digital Certificates (Recommended) | p. 229 |
| Loading SDM (Recommended) | p. 232 |
| Initial SSL VPN Configuration | p. 235 |
| Step 1: Setting Up an SSL VPN Gateway | p. 237 |
| Step 2: Setting Up an SSL VPN Context | p. 239 |
| Step 3: Configuring SSL VPN Look and Feel | p. 241 |
| Step 4: Configuring SSL VPN Group Policies | p. 245 |
| Advanced SSL VPN Features | p. 247 |
| Configuring Clientless SSL VPNs | p. 247 |
| Windows File Sharing | p. 253 |
| Configuring Application ACL | p. 257 |
| Thin Client SSL VPNs | p. 259 |
| Step 1: Defining Port-Forwarding Lists | p. 261 |
| Step 2: Mapping Port-Forwarding Lists to a Group Policy | p. 262 |
| AnyConnect SSL VPN Client | p. 264 |
| Step 1: Loading the AnyConnect Package | p. 264 |
| Step 2: Defining AnyConnect VPN Client Attributes | p. 266 |
| Cisco Secure Desktop | p. 276 |
| CSD Components | p. 277 |
| Secure Desktop Manager | p. 277 |
| Secure Desktop | p. 277 |
| Cache Cleaner | p. 278 |
| CSD Requirements | p. 278 |
| Supported Operating Systems | p. 278 |
| User Privileges | p. 279 |
| Supported Internet Browsers | p. 279 |
| Internet Browser Settings | p. 279 |
| CSD Architecture | p. 280 |
| Configuring CSD | p. 281 |
| Step 1: Loading the CSD Package | p. 282 |
| Step 2: Launching the CSD Package | p. 283 |
| Step 3: Defining Policies for Windows-Based Clients | p. 283 |
| Defining Policies for Windows CE | p. 298 |
| Defining Policies for the Mac and Linux Cache Cleaner | p. 298 |
| Deployment Scenarios | p. 301 |
| Clientless Connections with CSD | p. 301 |
| Step 1: User Authentication and DNS | p. 302 |
| Step 2: Set Up CSD | p. 303 |
| Step 3: Define Clientless Connections | p. 303 |
| AnyConnect Client and External Authentication | p. 304 |
| Step 1: Set Up RADIUS for Authentication | p. 305 |
| Step 2: Install the AnyConnect SSL VPN | p. 306 |
| Step 3: Configure AnyConnect SSL VPN Properties | p. 306 |
| Monitoring an SSL VPN in Cisco IOS | p. 307 |
| Summary | p. 311 |
| Management of SSL VPNs | |
| Multidevice Policy Provisioning | p. 314 |
| Device View and Policy View | p. 314 |
| Device View | p. 314 |
| Policy View | p. 318 |
| Use of Common Objects for Multidevice Management | p. 320 |
| Workflow Control and Role-Based Access Control | p. 322 |
| Workflow Control | p. 323 |
| Workflow Mode | p. 324 |
| Role-Based Administration | p. 326 |
| Native Mode | p. 326 |
| Cisco Secure ACS Integration Mode | p. 327 |
| Summary | p. 331 |
| References | p. 331 |
| Table of Contents provided by Publisher. All Rights Reserved. |
Excerpts
Introduction IntroductionThis book provides a complete guide to the SSL VPN technology and discusses its implementation on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPNs in an existing network infrastructure. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices.Toward the end of Chapters 5 and 6, common deployment scenarios are covered to assist you in deploying an SSL VPN in your network. Who Should Read This Book?This book serves as a guide for network professionals who want to implement the Cisco SSL VPN remote access solution in their network to allow users to access the corporate resources easily and safely. The book systematically walks you through the product or solution architecture, installation, configuration, deployment, monitoring, and troubleshooting the SSL VPN solution. Any network professional should be able to use this book as a guide to successfully deploy SSL VPN remote access solutions in their network. Requirements include a basic knowledge of TCP/IP and networking, familiarity with Cisco routers/firewalls and their command-line interface (CLI), and a general understanding of the overall SSL VPN solution. How This Book Is OrganizedPart I of this book includes Chapters 1 and 2, which provide an overview of the remote access VPN technologies and introduce the SSL VPN technology. The remainder of the book is divided into two parts.Part II encompasses Chapters 3 and 4 and introduces the Cisco SSL VPN product lines, with guidance on different design considerations.Part III encompasses Chapters 5 through 7 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up the SSL VPN solution.Part I, "Introduction and Technology Overview," includes the following chapters:Chapter 1, "Introduction to Remote Access VPN Technologies": This chapter covers the remote access Virtual Private Network (VPN) technologies in detail. Protocols, such as the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) over IPsec, and SSL VPN, are discussed to provide readers with an overview of the available remote access VPN technologies.Chapter 2, "SSL VPN Technology": This chapter provides a technology overview of the building blocks of SSL VPNs, including cryptographic algorithms, SSL and Transport Layer Security (TLS), and common SSL VPN technologies.Part II, "SSL VPN Design Considerations and Cisco Solution Overview," includes the following chapters:Chapter 3, "SSL VPN Design Considerations": This chapter discusses the common design best practices for planning and designing an SSL VPN solution.Chapter 4, "Cisco SSL VPN Family of Products": This chapter discusses the SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS routers and provides product specifications that are focused on SSL VPNs.Part III, "Deploying Cisco SSL VPN Solutions," includes the following chapters:Chapter 5, "SSL VPNs on Cisco ASA": This chapter provides details about the SSL VPN functionality in Cisco ASA. This chapter discusses clientless and full tunnel SSL VPN client implementations and focuses on Cisco Secure Desktop (CSD). This chapter also discusses the Host Scan feature that is used to collect posture information about end workstations. The dynamic access policy (DAP) feature, its usage, and detailed configuration examples are also provided. To reinforce learning, many different deployment scenarios are presented along with their con