SNAA: Securing Networks with Cisco ASA Advanced, Volume 3, Version 1.0
Student Guide
Text Part Number 97-2731-01
© 2008 Cisco Systems, Inc.

Table of Contents, Volume 3

Module 5: SSL VPNs
  Overview
  Module Objectives
  Understanding SSL VPN Technology
    Overview; Objectives
    SSL Overview
    Server-Side Authentication
    Client-Side Authentication
    WebVPN Overview
    Types of SSL VPN Connections
    Clientless SSL VPN
    Clientless SSL VPN Pros and Cons
    How Does Clientless SSL VPN Work?
    Content Rewriting (Content Mangling)
    Common Internet File System
    Port-Forwarding SSL VPN
    Port-Forwarding SSL VPN Pros and Cons
    TCP-Based Port-Forwarding Applications
    E-Mail Proxy
    Outlook Web Access: Webmail
    Port-Forwarding SSL VPN End-User System Requirements
    Smart Tunnels
    SSL VPN Client Full Network Access
    Cisco SVC SSL VPN Client vs. Cisco AnyConnect SSL VPN Client
    Full Network Access SSL VPN Pros and Cons
    Cisco Secure Desktop
    Cisco Secure Desktop: How It Works
    Cisco Secure Desktop: Comprehensive Endpoint Security
    Cisco Secure Desktop: Cache Cleaner
    Cisco Secure Desktop: Onscreen Keyboard
    Summary
  Configuring Clientless SSL VPNs
    Overview; Objectives
    Configuring Clientless SSL VPN
    Choose the SSL VPN Wizard
    Choose Clientless SSL VPN Access
    Configure the SSL VPN Interface
    Configure User Authentication
    Configure User Group Policy
    Configure a Bookmark List
    Verify Clientless SSL VPN Wizard Configuration
    Verifying Clientless SSL VPN Operation
    Log Into the Clientless SSL VPN
    Access Configured Network Resources
    Verify SSL VPN Operation with the Cisco ASA CLI
    Verify SSL VPN Operation with the Cisco ASDM GUI
    Configuring Port-Forwarding SSL VPN
    Create a Port-Forwarding List
    Modify the Clientless SSL VPN Group Policy
    Verifying Port-Forwarding SSL VPN
    Log In to the Port-Forwarding SSL VPN
    Access Configured Network Applications Using Port Forwarding
    Verify SSL VPN Operation with the Cisco ASA CLI
    Verify SSL VPN Operation with the Cisco ASDM GUI
    Configuring Additional SSL VPN Features
    Client-Server Plug-Ins Overview
    Client-Server Plug-Ins Configuration
    User Interface Customization Overview
    User Interface Customization Configuration
    Caching and Content Rewriting
    Smart Tunnels Overview
    E-Mail Proxy
    Troubleshooting Clientless and Port-Forwarding SSL VPNs
    Adding the Cisco ASA as a Trusted Network Site
    Clearing the Web Browser Cache
    Clearing the Java Cache
    Removing the Relay .dll File and ActiveX Control from the Client System
    Debug WebVPN
    Debug AAA
    Problem Resolution
    Summary
  Configuring Full Network Access SSL VPN
    Overview; Objectives
    Cisco Full Network Access SSL VPN Overview
    Cisco AnyConnect SSL VPN Client
    Configuring Cisco AnyConnect SSL VPN
    Choose the SSL VPN Wizard
    Choose Cisco SSL VPN Client
    Configure the SSL VPN Interface
    Configure User Authentication
    Configure a User Group Policy
    Configure a Bookmark List
    Configure an IP Address Pool
    Configure Cisco AnyConnect SSL VPN Client Location
    Verify SSL VPN Connection Wizard Configuration
    Modify the Cisco AnyConnect SSL VPN Group Policy
    Verifying Cisco AnyConnect SSL VPN Operation
    Download Cisco AnyConnect SSL VPN Client
    Verify Client Operation by Using Cisco ASDM
    Verify Client Operation by Using Cisco ASA CLI
    Configuring Advanced Features for the Cisco AnyConnect SSL VPN Client
    Cisco AnyConnect SSL VPN Client Installer Option
    Keepalives and Dead Peer Detection
    DTLS and DTLS-to-TLS Fallback
    Split Tunneling
    Configuring Certificate-Based Authentication for the Cisco AnyConnect SSL VPN
    Enable Local CA Server
    Create Self-Signed Identity Certificate
    Create a User Account
    Configure SSL VPN Access Interface
    Assign Identity Certificate to SSL VPN Interface
    Modify SSL VPN Connection Profile
    Create Certificate to SSL VPN Profile Mapping
    Verify Certificate-Based Authentication for Cisco AnyConnect SSL VPN
    Troubleshooting the Cisco AnyConnect SSL VPN Client Operation
    Troubleshooting Commands: debug webvpn
    Troubleshooting Commands: debug aaa
    Troubleshooting Commands: debug crypto ca
    Troubleshooting Commands: show crypto ca
    Troubleshooting Procedures: Check User Privileges
    Troubleshooting Procedures: Check ActiveX Settings
    Troubleshooting Procedures: Check Java Settings
    Troubleshooting Scenario 1: Cannot Download Cisco AnyConnect SSL VPN Client
    Troubleshooting Scenario 2: Cannot Connect to the Cisco AnyConnect SSL VPN Network
    Summary
  Using Cisco Secure Desktop
    Overview; Objectives
    Cisco Secure Desktop Overview
    Cisco Secure Desktop Features
    Additional Features in Cisco Secure Desktop 3.2.1
    Cisco Secure Desktop Operation
    Cisco Secure Desktop Interoperability
    Operating System
    Web Browser
    Clientless SSL VPN
    Preparing the Cisco ASA Appliance for Cisco Secure Desktop
    Upload or Import Cisco Secure Desktop
    Enable Cisco Secure Desktop
    Enter an Activation Key to Support Advanced Endpoint Assessment
    Removing Cisco Secure Desktop
    Summary
  Securing the Desktop with Cisco Secure Desktop and DAP
    Overview; Objectives
    Cisco Secure Desktop Workflow
    Prelogin Assessment
    Secure Session
    Cache Cleaner
    Host Emulation and Keystroke Logger Detection
    Host Scan
    Dynamic Access Policy
    DAP Testing
    Summary
  Module Summary

Module 6: Security Services Modules
  Overview
  Module Objectives
  Examining the Cisco SSMs
    Overview; Objectives
    Business Challenges
    Cisco SSMs
    Cisco CSC-SSM
    Cisco AIP-SSM
    Cisco AIP-SSM or CSC-SSM
    Summary
  Cisco CSC-SSM: Getting Started
    Overview; Objectives
    Cisco CSC-SSM Overview
    CSC-SSM Software Loading
    Initial CLI Cisco CSC Configuration
    Initial Configuration of the CSC-SSM with Cisco ASDM CSC Setup Wizard
    Summary
  Cisco AIP-SSM: Getting Started
    Overview; Objectives
    AIP-SSM Overview
    AIP-SSM Software Loading
    Initial Cisco IPS ASDM Configuration
    Configure a Cisco IPS Security Policy
    Summary
  Module Summary

Module 5: SSL VPNs

Overview
Secure Sockets Layer (SSL) virtual private networks (VPNs) provide an easily deployed remote-access solution for companies that are looking for an alternative to remote-access IP Security (IPsec) VPNs. SSL VPNs allow for clientless and full-network-access connections, allowing a company to deploy remote access to remote users and customers when the remote-access client PC may or may not be under company control. The Cisco ASA adaptive security appliance is a feature-rich SSL VPN server for clientless and full-network-access clients.
Module Objectives
Upon completing this module, you will be able to explain the SSL VPN features and capabilities of the security appliance. This ability includes being able to meet these objectives:
- List the steps needed to configure the Cisco WebVPN Services Module functionality of the appliance
- Identify the basic clientless SSL VPN features of the security appliance
- Configure full-network-access SSL VPNs, using the Cisco AnyConnect VPN Client
- List the features and functionality of Cisco Secure Desktop
- Configure Cisco Secure Desktop and DAP for SSL VPN connections on the Cisco ASA

Lesson 1: Understanding SSL VPN Technology

Overview
This lesson introduces Secure Sockets Layer (SSL) virtual private network (VPN) technology, its purpose, and several deployment methods that can be used when deploying SSL VPNs.

Objectives
Upon completing this lesson, you will be able to describe SSL, its use in SSL VPNs, and how they can be deployed in an enterprise network. This ability includes being able to meet these objectives:
- Describe the characteristics of SSL
- Describe SSL VPN components
- Describe the Cisco Secure Desktop

SSL Overview
This topic gives an overview of the SSL protocol.

[Figure: Comprehensive Secure Connectivity. Client-based SSL or IPsec VPN and clientless SSL VPN from remote systems to the corporate network.]

There are two primary methods for deploying remote-access VPNs: IP Security (IPsec) and SSL. Each method has its advantages, based on the access requirements of your users and your organization's IT processes. While many solutions only offer one or the other, SSL-based VPNs provide remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. SSL is a protocol that is designed to enable secure communications on an insecure network such as the Internet.
SSL provides encryption and integrity of communications along with strong authentication, using digital certificates. The SSL protocol does not require any special-purpose client software to be preinstalled on the system; this makes SSL VPNs capable of "anywhere" connectivity from company-managed desktops and non-company-managed desktops, such as employee-owned PCs, contractor or business partner desktops, and Internet kiosks. Any software that is required for application access across the SSL VPN connection is dynamically downloaded on an as-needed basis, thereby minimizing desktop software maintenance.

Whether IPsec or SSL, Cisco remote-access VPN solutions integrate both technologies on a single platform with unified management. Offering both IPsec and SSL technologies enables organizations to customize their remote-access VPN without any additional hardware or management complexity.

Remote-Access Technology Comparison: IPsec and SSL VPNs

IPsec VPN (full tunnel access):
- IPsec is a well-proven technology
- Operates well for extending access to employees using company-managed desktops

SSL VPN (full tunnel access is an option):
- SSL is a well-proven technology
- Simplifies access for business partners
- Provides "anywhere" access from nonmanaged desktops
- Enables customized access portals
- Reduces the operations costs associated with managing client software

IPsec-based VPNs are the deployment-proven remote-access technology used by most organizations today. IPsec VPN connections are established by using preinstalled VPN client software on the user desktop; thus they focus primarily on company-managed desktops. IPsec-based remote access also offers tremendous versatility and customizability through modification of the VPN client software. Using application programming interfaces (APIs) in IPsec client software, organizations can control the appearance and function of the VPN client for use in applications such as unattended kiosks, integration with other desktop applications, and other special use cases.

Both IPsec and SSL VPN technologies offer access to virtually any network application or resource. SSL VPNs offer additional features such as easy connectivity from non-company-managed desktops, little or no desktop software maintenance, and user-customized web portals upon login.

Although SSL VPNs can provide increased flexibility based on the client's location, it is important to ensure that all VPN endpoints are secured. Failure to secure endpoints can introduce viruses, malware, or spyware and can lead to the destruction or theft of corporate information.

Note: In the event that the security of the client platform cannot be completely verified, the Cisco ASA adaptive security appliance platform provides intrusion prevention, antivirus, application-aware firewall, and VPN endpoint security capabilities to help secure VPN endpoints.

SSL Operation
SSL provides endpoint authentication both for the client and the server, data encryption to ensure that data is only readable by the intended recipient, and data integrity to ensure that the data has not been modified in transit.
These services allow traffic to be secured as it traverses public network segments such as the Internet. SSL is designed to do the following:
- Authenticate the server to the client
- Select joint cryptographic algorithms
- Authenticate the client to the server (optional)
- Generate shared secrets
- Establish an encrypted SSL connection

Server-Side Authentication
SSL server-side authentication is used for a client to verify a server's identity. This type of authentication is commonly used for servers that require secured transactions to protect user data or account information for online purchases.

[Figure: SSL Operation, Server-Side Authentication. The client and an SSL-enabled file server exchange ClientHello, ServerHello, Certificate, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec and Finished.]

The client starts the exchange by sending a Client Hello message to the server to let the server know that the client wants to establish secure communications. It also proposes a list of security parameters (cipher suites) that the client would like to use.

The server sends a Server Hello message that informs the client of the cipher suite it has chosen from that list. In addition, it tells the client that the server is willing to proceed with the SSL negotiation. The server follows immediately with a Certificate message, which carries the server's public key certificate.

A trusted certificate authority (CA), such as VeriSign, typically issues this server-side certificate. The client must verify that the certificate was issued by a trusted CA, has not expired, and has not been revoked, and that the name in the certificate matches the server the client intended to reach; a client that skips any of these checks will accept whatever certificate is presented by whoever sits in the network path. The server then sends a Server Hello Done message to the client. This message tells the client that the server has finished its part of the initial negotiations.

The client generates a random premaster secret, from which both sides derive the session keys. In a Client Key Exchange message the client encrypts the premaster secret with the server's public key and sends the result to the server.
Only the holder of the matching private key can decrypt the Client Key Exchange message, so the client relies on the server's ability to do so, demonstrated by the server's Finished message, to verify the server's identity.

The client now sends a Change Cipher Spec message that tells the server to activate the negotiated cipher suite. From now on, all messages from the client are encrypted using the algorithm from the Server Hello and the keys derived from the premaster secret in the Client Key Exchange. The client sends an encrypted Finished message, which carries a hash of every handshake message exchanged so far and so ensures that both parties use the same cryptographic algorithms and parameters; a negotiation that was altered in transit will not verify. The negotiation is considered to be successful when the message that follows the client's Change Cipher Spec is successfully decrypted as a Finished message. The server sends a Change Cipher Spec message that tells the client that all subsequent messages from the server will use the negotiated security. The server then sends its own Finished message, which enables the client to confirm that the negotiated security is in place.

Client-Side Authentication
Optionally, the server can authenticate the client, in addition to the server being authenticated. Authenticating the client ensures that the user is allowed to connect to the requested network resource. Client-side authentication is common when connecting end users to a remote-access VPN using SSL.

[Figure: SSL Operation, Client-Side Authentication. The same exchange as for server-side authentication, with the server additionally sending a Certificate Request and the client answering with its own Certificate and a CertificateVerify message.]

When an SSL client must be authenticated in addition to the server, the protocol flow is almost the same. There are only a few additional required exchanges. After the server sends its certificate to the client, the server requests that the client send its certificate in return. After the client sends the ClientKeyExchange, the client sends a CertificateVerify message.
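Before going on to the CertificateVerify message, here is the "generate shared secrets" step and the Finished check from the server-side handshake just described, as an added Python example; it is not code from this guide or from Cisco. It uses the TLS 1.2 pseudorandom function from RFC 5246, since the MD5/SHA-1 construction of SSL 3.0 and TLS 1.0 is obsolete. The message layouts are constructed stand-ins for the real records, and the premaster secret is simply handed to both sides because the RSA encryption of the Client Key Exchange is not modelled. The downgrade_in_transit flag simulates an attacker who edits the client's cipher-suite list on the wire, which is exactly what the Finished exchange exists to catch.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: an HMAC chain expanded to `length` bytes."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Both sides derive the same 48-byte master secret from the premaster secret and the
    two Hello randoms (RFC 5246 section 8.1)."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(ms: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the master secret into per-direction MAC keys, cipher keys and IVs.
    Note the seed order is server_random + client_random here (RFC 5246 section 6.3)."""
    need = 2 * (mac_len + key_len + iv_len)
    kb = prf(ms, b"key expansion", server_random + client_random, need)
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def verify_data(ms: bytes, label: bytes, transcript: bytes) -> bytes:
    """Finished.verify_data = PRF(master_secret, label, SHA-256(handshake messages))[0:12]."""
    return prf(ms, label, hashlib.sha256(transcript).digest(), 12)


def simulate_handshake(client_random: bytes, server_random: bytes, premaster: bytes,
                       downgrade_in_transit: bool = False):
    """Model the server-side handshake; returns (master_secret, server_accepts_client_finished).
    Message bytes are constructed stand-ins, not real TLS record encodings."""
    offered = b"AES128-SHA,RC4-SHA"
    client_hello_sent = b"ClientHello|" + client_random + b"|" + offered
    # What the server receives. With downgrade_in_transit an attacker on the path has
    # stripped the stronger suite from the list before it reached the server.
    seen_suites = b"RC4-SHA" if downgrade_in_transit else offered
    client_hello_seen = b"ClientHello|" + client_random + b"|" + seen_suites
    server_hello = b"ServerHello|" + server_random + b"|" + seen_suites.split(b",")[0]
    # Both ends hold the premaster secret (the RSA step is assumed done) and so derive
    # identical keys; the keys do not depend on the transcript, only the Finished does.
    ms_client = master_secret(premaster, client_random, server_random)
    ms_server = master_secret(premaster, client_random, server_random)
    # Client Finished is computed over the handshake as the client saw it...
    client_finished = verify_data(ms_client, b"client finished", client_hello_sent + server_hello)
    # ...and the server recomputes it over the handshake as the server saw it. Any
    # difference between the two transcripts makes the values disagree.
    expected = verify_data(ms_server, b"client finished", client_hello_seen + server_hello)
    return ms_client, hmac.compare_digest(client_finished, expected)
```

With identical transcripts the server accepts the client's Finished; with the tampered cipher-suite list the master secret is still the same on both sides, but the Finished values differ and the handshake must be aborted. This is why a downgrade of the negotiation cannot go unnoticed once the premaster secret has been kept from the attacker.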
In the CertificateVerify message the client signs a hash of the handshake messages exchanged so far with its private key (the guide describes this as encrypting a known piece of plaintext). The server checks the signature with the public key in the client certificate. A successful check proves to the server that the client holds the private key that matches the certificate it presented.

WebVPN Overview
SSL-based VPN, also known as Cisco IOS WebVPN, is an emerging technology that provides remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption.

What Is Web (SSL-Based) VPN?
[Figure: a noncorporate PC with a web browser connects over the Internet to a Cisco WebVPN gateway, which proxies access to internal resources; traffic is encrypted between the PC and the gateway and unencrypted between the gateway and the internal servers.]
- A Cisco WebVPN gateway is inserted in the SSL VPN connection path.
- A Cisco WebVPN gateway provides secure SSL "proxied" access to "internal network" resources.
- SSL-based VPN can provide network access to users from almost any Internet-connected system.

With an IPsec remote-access VPN, a user receives an IP address directly on an internal network and then can generally access any application that worked on the LAN. With SSL VPN, the user never has direct access to resources on the internal network. The only mechanism to access applications is web proxying through the SSL VPN gateway. Although application accessibility is constrained relative to IPsec VPNs, SSL-based VPNs allow access to a growing set of common software applications, including web pages, web-enabled services such as file access and e-mail, and "webified" TCP-based applications (by way of a downloadable thin-client applet). SSL-based VPN requires slight changes to user workflow, as some applications are presented through a web browser interface rather than through their native GUI. Client/server application support generally requires specific and sometimes browser-dependent applets to be dynamically downloaded to the remote system. Using web technology for connectivity allows accessibility from almost any Internet-connected system without having to install additional desktop software.

Traffic between the "outside," noncorporate PC and the "inside" servers is sent over an SSL-based connection. The client never talks directly with the server; the connection is proxied by the WebVPN gateway.

Types of SSL VPN Connections
SSL VPN technology can be deployed to fit several different scenarios, depending on network and user need.

Deployment Example: Using SSL VPN to Reach Diverse User Populations
[Figure: a supply partner extranet, an account manager, a mobile user, a software engineer and a doctor at home all reach the enterprise over the Internet. The engineer needs many servers and applications; the mobile user needs access from unmanaged systems; the account manager uses diverse and home-grown applications from an enterprise-managed desktop.]

SSL VPNs provide three different types of access:
- Clientless
- Thin client
- Full network access

Clientless (Layer 7) access requires no specialized VPN software on the user desktop. All VPN traffic is transmitted and delivered through a standard web browser; no other software is required or downloaded. Since all applications and network resources are accessed through a web browser, only web-enabled and some client-server applications, such as intranet applications with web interfaces, e-mail, calendaring, and file servers, can be accessed by using a clientless connection. This limited access, however, is often a perfect fit for business partners or contractors who should only have access to a very limited set of resources on the organization network. Furthermore, delivering all connectivity through a web browser eliminates provisioning and support issues because no special-purpose VPN software has to be delivered to the user desktop.

Thin client, or port forwarding, enables select TCP applications to go over an SSL tunnel to the SSL VPN gateway; in turn, the SSL VPN gateway decrypts the data and sends it to its destination on a specified port.
Port forwarding provides access to TCP-based applications by mapping application-specific ports on the PC of the end user to application-specific ports on servers behind the gateway. Port forwarding requires a downloaded Java applet that listens on ports on the client machine and forwards each connection to the gateway. The Java applet must be running for TCP port forwarding to take place.

Full network SSL VPN (Layer 3) access enables access to virtually any application, server, or resource available on the network. Full network access is delivered through a lightweight VPN client that is dynamically downloaded to the user desktop (through a web-browser connection) upon connection to the SSL VPN gateway. Because this VPN client is dynamically downloaded and updated without any manual software distribution or interaction from the end user, it requires little or no desktop support by IT organizations, thereby minimizing deployment and operations costs. Like clientless access, full network access offers full access control customization based on the access privileges of the end user. Full network access is a natural choice for employees who need remote access to the same applications and network resources that they use when in the office, or for any client-server application that cannot be delivered across a web-based clientless connection.

Clientless SSL VPN
This topic discusses clientless SSL VPN and how it works in an enterprise.

Clientless SSL VPN (slide)
- Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to a security appliance, using a web browser.
- Users do not need a software or hardware client.
- Clientless SSL VPNs provide access to internal websites, web-enabled applications, and NT or Active Directory file shares; with an additional Java applet "helper", also to e-mail proxies (POP3S, IMAP4S, SMTPS), MS Outlook Web Access, port forwarding for other TCP-based applications, and smart tunnels.

Clientless, browser-based SSL VPN lets users establish a secure, remote-access VPN tunnel to the security appliance by using a web browser. After authentication, users reach a portal page from which they can access specific, supported internal resources. The network administrator grants access to resources on a group basis. Users have no direct access to resources on the internal network, and they do not need a software or hardware client.

Clientless SSL VPN provides secure and easy access to a broad range of web resources and web-enabled applications from almost any computer on the Internet. These include:
- Internal websites
- Web-enabled applications
- Microsoft Windows NT and Active Directory file shares

With an additional Java applet "helper" application, they also include:
- E-mail proxies, including Post Office Protocol version 3 Secure (POP3S), Internet Message Access Protocol version 4 Secure (IMAP4S), and Simple Mail Transfer Protocol Secure (SMTPS)
- Microsoft Outlook Web Access (OWA)
- Port forwarding for other TCP-based applications
- Smart tunnels

SSL VPN provides secure access to internal web applications and file servers with just a standard browser. It is well suited for clientless remote access from kiosks or for business partners who need secure access to a defined set of resources.

Clientless SSL VPN Pros and Cons
As with any technology, there are certain pros and cons associated with the use of clientless SSL VPNs.

Pros:
- Strong multiplatform system compatibility
- True clientless, anywhere access
- Security benefit from the fact that no routed access is permitted
- Most appropriate for noncorporate-owned assets

Cons:
- No support for "thick" (Cisco AnyConnect) client applications
- No endpoint security scanning

How Does Clientless SSL VPN Work?
Clientless SSL VPN works by manipulating the client into directing all HTTP requests to the WebVPN gateway rather than to the actual web resources.

[Figure: a noncorporate PC with a web browser sends its requests over SSL (HTTPS) to the WebVPN gateway; the gateway forwards them to the web server over HTTP or HTTPS and returns the responses to the browser over SSL.]

The client's web browser is manipulated into directing all HTTP requests to the WebVPN gateway rather than to the actual web resources. The WebVPN gateway terminates the HTTPS client connections and forwards the HTTP/HTTPS requests to the appropriate web resources. The HTTP/HTTPS response from the server is returned by the WebVPN gateway to the client over HTTPS (port 443).

This functionality is implemented through content rewriting: the WebVPN gateway "proxies" URL requests on behalf of clients to remote servers, transforming HTTP and HTTPS URLs only. Because the gateway terminates the client's TLS session and rewrites the pages it relays, it sees every request and response in the clear; the browser never holds a session to the internal server itself.

Content Rewriting (Content Mangling)
The client's web browser is manipulated into directing all HTTP requests to the WebVPN gateway rather than to the actual web resources.
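The URL transformation the gateway performs, as an added Python example; it is not code from this guide or from the Cisco ASA. rewrite_url produces the https://<gateway>/<scheme>/0/<host>/<path> form the guide shows for the gateway address 1.2.3.4 (the literal 0 segment is reproduced as printed on the page; its meaning is not given there), rewrite_html applies it to the links in a fetched page, and resolve_rewritten is the gateway side turning such a request back into the origin URL. The allowlist of origin hosts in resolve_rewritten is my assumption rather than something the guide states; without some such check a URL-rewriting proxy can be pointed at any host the gateway can reach.

```python
import re
from urllib.parse import urlsplit, urlunsplit

GATEWAY = "1.2.3.4"   # WebVPN gateway address used in the guide's examples


def rewrite_url(url: str, gateway: str = GATEWAY) -> str:
    """Rewrite an absolute http/https URL so the browser sends it to the gateway:
    http://host/path?q  ->  https://<gateway>/http/0/host/path?q
    The original scheme is kept as the first path segment so the gateway knows how
    to reach the origin server. Anything that is not HTTP or HTTPS is left alone,
    matching the guide's statement that only those URLs are transformed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url
    new_path = f"/{parts.scheme}/0/{parts.netloc}{parts.path}"
    return urlunsplit(("https", gateway, new_path, parts.query, parts.fragment))


# href/src/action attributes holding an absolute http(s) URL in single or double quotes
_LINK_ATTR = re.compile(r"""\b(href|src|action)=(["'])(https?://[^"']+)\2""", re.IGNORECASE)


def rewrite_html(html: str, gateway: str = GATEWAY) -> str:
    """Rewrite the absolute links in a page the gateway fetched, so that the browser's
    next click also goes through the gateway instead of straight to the origin."""
    def repl(m: re.Match) -> str:
        attr, quote, target = m.group(1), m.group(2), m.group(3)
        return f"{attr}={quote}{rewrite_url(target, gateway)}{quote}"
    return _LINK_ATTR.sub(repl, html)


def resolve_rewritten(url: str, allowed_hosts: set, gateway: str = GATEWAY):
    """Gateway side: turn a rewritten request back into the origin URL.
    Returns None if the URL is not in the rewritten form or the origin host is not
    permitted. The allowlist is an assumption of this example (not from the guide),
    added so the rewriter cannot be used as an open proxy to arbitrary hosts."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != gateway:
        return None
    segs = parts.path.split("/", 4)          # ['', scheme, '0', host, rest]
    if len(segs) < 4 or segs[1] not in ("http", "https") or segs[2] != "0":
        return None
    origin_scheme, host = segs[1], segs[3]
    rest = "/" + segs[4] if len(segs) == 5 else ""
    if host.lower() not in allowed_hosts:
        return None
    return urlunsplit((origin_scheme, host, rest, parts.query, parts.fragment))


# constructed sample page standing in for an intranet page the gateway has fetched
SAMPLE_PAGE = ('<a href="http://www.cisco.com">Cisco</a> '
               '<img src=\'https://www.abc.com/d/logo.png\'> '
               '<form action="http://www.abc.com/x.cgi?a=b">')
```

Links that a page builds in JavaScript at run time are not visible to a rewriter working on the HTML text, which is one reason some applications cannot be reached in clientless mode and need the port-forwarding helper described later in this lesson.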
Content Rewriting ("Mangling") (slide)
- Manipulates the protocol, host, port, and path within the URL reference:
  http://www.cisco.com (original request)
  https://1.2.3.4/http/0/www.cisco.com (rewritten request: the WebVPN gateway URL followed by the destination server URL)
- The client's web browser is manipulated into directing all HTTP requests to the WebVPN gateway rather than to the actual web resources.
- Accomplished by modifying the URL references (IP address or DNS name).

The "original" URL is transformed. Content transformation applies to the clientless mode only. The original URL is rewritten to include a "prefix URL," the address of the WebVPN gateway. Some examples of URLs being transformed (assuming that the WebVPN gateway address is 1.2.3.4) are as follows:

Before content transformation:
- http://www.yahoo.com
- https://www.abc.com/d/index.html
- http://www.abc.com/x.cgi?a=b

After content transformation:
- https://1.2.3.4/http/0/www.yahoo.com
- https://1.2.3.4/https/0/www.abc.com/d/index.html
- https://1.2.3.4/http/0/www.abc.com/x.cgi?a=b

Common Internet File System
Common Internet File System (CIFS) is a file-sharing mechanism used by Microsoft operating systems that provides access to files and network shares over a network. Name-to-IP-address resolution for network resources is handled either through the Windows Internet Name Service (WINS) or the Domain Name System (DNS).

Common Internet File System (slide)
- Allows browsing of file shares
- Uses WINS or DNS for host-to-IP-address mapping
- The File Access page can allow users to access files on preconfigured file servers, type in a file server, or browse the network to find files
- The administrator can configure whether or not a user can type in a file server or browse the network

The administrator can configure whether or not a user can type in a file server, and also whether or not a user can browse the network.
Depending on the access granted by the administrator, the File Access page can allow users to do the following:
- Access files on preconfigured file servers
- Type in a file server
- Browse the network to find files

Clientless Directory and File Access
When the user is browsing, the user can view lists of servers, shares, directories, or files, depending on the level that they are on. The user will be able to do the following during file access:
- View or download a file
- Upload or update a file
- Rename a file
- Delete a file
- Add a new folder

Users who log into a network file share by using clientless SSL VPN enter any required authentication credentials through the web browser. After they are authenticated, they are able to access the requested network resources.

Clientless Web Folder Access
Clientless SSL VPN users can view and modify web folders based on permissions set by the network administrator.

Clientless Web Folder Access (slide)
- Enables browser-based SSL VPN users to perform web folder operations, including drag-and-drop file access and "webified" file transport.
- Internet Explorer indicates when a web folder is accessible.
- Accessing this folder launches another window, providing a view of the shared folder on which users can perform web folder functions, assuming that the properties of the folders and documents permit them.
Based on permissions, users can perform any of the following actions on web folders:
- View folders
- View folder and file properties
- Create
- Move
- Copy
- Copy from the local host to the remote host
- Copy from the remote host to the local host
- Delete
- Drag-and-drop file access and "webified" file transport

When a user selects an available web folder, the folder is opened in a separate window, providing access to any of the content that the user has permission to modify, move, or delete.

Clientless SSL VPN: Operating System and Browser Support
Cisco recommends the following browsers for clientless SSL VPN. Other browsers might not fully support clientless SSL VPN features.
- On Microsoft Windows: Internet Explorer version 6.0, Netscape version 7.2, Mozilla version 1.7 and later, Firefox 1.x
- On Linux: Mozilla version 1.7, Netscape version 7.2, Firefox 1.x
- On Solaris: Netscape version 7.2
- On Macintosh OS X: Safari version 1.0, Firefox 1.x

Port-Forwarding SSL VPN
This topic discusses the use of port-forwarding SSL VPNs, also known as thin-client SSL VPNs.

SSL VPN: Port Forwarding ("Thin" or "Enhanced" Client) (slide)
- Provides access to applications that are not directly supported by clientless SSL VPN.
- A local thin client acts as a proxy: it tunnels and forwards the application traffic.
- Often used with clientless SSL VPN as a helper application.
- Some system permissions may be required, particularly for hostname mapping.
- Maintains the native application look and feel.
Port forwarding is an effective technique, but it also has some limitations. For port forwarding to work, the applications need to be well behaved and predictable in their network connectivity patterns and needs. ActiveX or Java applet support is required on the client machine, along with the permissions in the browser to run them. The thin client, a small applet or application (generally under 100 KB), is downloaded and provides access to a subset of resources, generally TCP, and often outbound and static ports. Port forwarding supports only TCP applications that use static TCP ports. Examples of applications that are not web-enabled but can be addressed with port forwarding are common mail protocols, including Simple Mail Transfer Protocol (SMTP), POP3, and Messaging Application Programming Interface (MAPI), and remote shell programs, such as Telnet.

Port-Forwarding SSL VPN Pros and Cons

Port-forwarding SSL VPNs provide additional functionality over clientless SSL VPNs, but still do not provide full network access.

Pros and Cons for Port-Forwarding SSL VPNs

Pros:
- Access to many popular TCP-based applications
- Small distribution size (generally under 100 KB)
- Can be dynamically installed or uninstalled

Cons:
- Generally requires a sufficient Java version (Sun 1.4+)
- Sun JVM is not installed with the default operating system distribution
- Administrative permission is often required for functionality to operate more transparently

TCP-Based Port-Forwarding Applications

Port forwarding provides access to several TCP-based applications over a clientless SSL VPN connection. It works with predictable nonweb applications: generally outbound, TCP-based applications. Only applications that use static single TCP ports can use port forwarding. Other TCP-based applications may also work, but have not been tested. Protocols that use UDP do not work.

Port forwarding supports only TCP applications that use static TCP ports. Applications that use dynamic ports or multiple TCP ports are not supported. For example, Secure FTP, which uses port 22, works over clientless SSL VPN port forwarding, but standard FTP, which uses ports 20 and 21, does not.

TCP-based applications supported include these:

- Lotus Notes
- Outlook Express
- Outlook
- Lotus Sametime
- Secure FTP (FTP over Secure Shell [SSH])
- SSH
- Telnet
- Windows Terminal Service

E-Mail Proxy

E-mail proxies can be used to extend the remote e-mail capability to users of clientless SSL VPNs. The e-mail client communicates with the WebVPN gateway through secure e-mail protocols (the e-mail request is carried over SSL). The WebVPN gateway authenticates the session, decrypts it, and proxies the unencrypted session to the e-mail server.
Three e-mail proxies are implemented: SMTPS, IMAP4S, and POP3S. The e-mail proxies require that users create a second mail service in their e-mail reader that will allow access to their e-mail. If the administrator and users choose to have only one method to access e-mail, then the configuration that points to the WebVPN gateway will be their sole e-mail service.

The e-mail proxies each listen on their own SSL/Transport Layer Security (TLS) port. These ports can be modified, and the proxy can be disabled. The e-mail proxy sessions are distinct from HTTP sessions. These sessions are much shorter lived, and the session terminates when the socket closes. Each proxy establishes the SSL/TLS connection before starting the protocol processing. The WebVPN gateway does not open a connection to the mail server until authentication has taken place. This prevents outsiders from performing denial of service (DoS) on the internal mail server.

Note: By default, the SMTPS, IMAP4S, and POP3S proxies are disabled.

Supported mail applications are as follows:

- Microsoft Outlook
- Microsoft Outlook Express versions 5.5 and 6.0
- Netscape Mail version 7
- Eudora 4.2 for Windows 2000

Outlook Web Access: Webmail

Webmail refers to the implementation of an e-mail client as a web application that allows users to access their e-mail through a web browser, as an alternative to using a desktop-based client such as Microsoft Outlook.

Outlook Web Access (OWA) is a web-based client for the Exchange e-mail server. No specific WebVPN gateway configuration is required beyond web browsing. Web e-mail supports MS OWA for Exchange 2000, Exchange 5.5, and Exchange 2003. The supported OWA login types are as follows:

- OWA 2003: Forms-based authentication (uses an authentication cookie for security), basic authentication over HTTP, and basic authentication over HTTPS
- OWA 2000: Basic authentication over HTTP and HTTPS is supported
- OWA 5.5: Basic authentication over HTTP is the only method

OWA is commercial webmail software. OWA is used to access e-mail, calendars, contacts, tasks, and other mailbox contents when the user does not have access to Outlook. Microsoft provides OWA as part of Exchange Server to allow users to connect remotely through a web browser. Some of the functionality in MS Outlook is also available in this web "look-alike." The most important difference is that MS Outlook lets you work with e-mail, calendars, and so on, even when you do not have a network connection, while OWA requires a network connection to function.

Port-Forwarding SSL VPN End-User System Requirements

Port-forwarding SSL VPNs must support the requirements described for clientless SSL VPNs. In addition, TCP-based applications to be used with the SSL VPN must use static port assignments.
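The ordering described for the e-mail proxies (authenticate the client, and only then open a socket to the internal mail server) is the property that keeps an unauthenticated outsider from driving load onto the mail server. The following is an added example, not Cisco code and not part of this guide: a minimal POP3-style proxy session model in Python that enforces that ordering. The credential store, the fake mail server and the client transcripts are constructed for the illustration; the ASA implementation is not shown.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed credential store standing in for the gateway's AAA lookup.
GATEWAY_USERS = {"student1": "s3cret-example"}


class FakeMailServer:
    """Stands in for the internal mail server; counts how often a connection is opened."""

    def __init__(self) -> None:
        self.connections = 0

    def connect(self) -> "FakeMailServer":
        self.connections += 1
        return self


@dataclass
class ProxySession:
    backend: FakeMailServer
    user: Optional[str] = None
    authenticated: bool = False
    upstream: Optional[FakeMailServer] = None

    def handle(self, line: str) -> str:
        """Process one client command line and return the proxy's reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if not self.authenticated:
            # Pre-authentication state: only USER, PASS and QUIT are accepted, and
            # no upstream socket exists yet, so nothing the client sends here
            # reaches the mail server.
            if verb == "USER":
                self.user = arg
                return "+OK"
            if verb == "PASS":
                expected = GATEWAY_USERS.get(self.user or "", "")
                if self.user and hmac.compare_digest(expected, arg):
                    self.authenticated = True
                    # First and only point at which the mail server is contacted.
                    self.upstream = self.backend.connect()
                    return "+OK authenticated"
                self.user = None
                return "-ERR authentication failed"
            if verb == "QUIT":
                return "+OK bye"
            return "-ERR authenticate first"
        # Post-authentication state: relay commands to the (fake) mail server.
        if verb == "QUIT":
            self.upstream = None
            return "+OK bye"
        return f"+OK relayed {verb} to mail server"


def run_exchange(lines: List[str], backend: Optional[FakeMailServer] = None) -> Tuple[ProxySession, List[str]]:
    """Feed a constructed client transcript through one session; return (session, replies)."""
    backend = backend or FakeMailServer()
    session = ProxySession(backend)
    replies = [session.handle(line) for line in lines]
    return session, replies


if __name__ == "__main__":
    # Constructed transcript: commands before and after a failed login never reach the server.
    session, replies = run_exchange(["STAT", "USER student1", "PASS wrong", "STAT"])
    print(replies, "mail server connections:", session.backend.connections)
    # Constructed transcript: a good login opens exactly one upstream connection.
    session, replies = run_exchange(["USER student1", "PASS s3cret-example", "STAT"])
    print(replies, "mail server connections:", session.backend.connections)
```

The check to carry over to a real deployment is the one `FakeMailServer.connections` exposes: a failed or absent login must leave the upstream connection count at zero.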
Port-forwarding SSL VPNs are supported on Microsoft Windows, Linux, Solaris, and Macintosh operating systems with the Internet Explorer, Netscape, Mozilla, and Firefox browsers. Additionally, port-forwarding SSL VPNs must support the following end-user requirements:

- The end-user system must support the required Java version and thin client in addition to the operating system and web browser requirements
- TCP-based applications to be used with the SSL VPN must use static port assignments

Smart Tunnels

A smart tunnel is a connection between an application and a remote site, using a browser-based SSL VPN session with the adaptive security appliance as the pathway. Smart tunnels are supported only on Microsoft Windows Vista, Windows XP, or Windows 2000, and they require that web browsers are enabled with Java or ActiveX. A smart tunnel improves upon port forwarding by not requiring a connection to the local application port, thereby removing the requirement for administrator access.

Cisco ASA Adaptive Security Appliance Software version 8.0(2) and later allows you to identify the applications to which you want to grant smart tunnel access. It also lets you specify the path to the application and the Secure Hash Algorithm (SHA) hash of its checksum to check before granting access to the application. Lotus Sametime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.
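The path-plus-checksum check above is what stops a renamed or tampered binary from borrowing a smart tunnel entry. The following is an added example, not Cisco code and not part of this guide: a Python model of such an allow-list check, evaluated against two constructed "applications" written to a temporary directory. That the digest is SHA-1, and that matching is done on the executable's file name, are assumptions made for the illustration; the ASA's own matching logic is not reproduced here.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Optional


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def smart_tunnel_allowed(path: str, allow_list: Dict[str, Optional[str]]) -> str:
    """Return 'allow' or a deny reason.

    allow_list maps an executable name to its expected SHA-1 hex digest, or to
    None for a path-only entry (the weaker setting: any file by that name passes).
    """
    name = os.path.basename(path)
    if name not in allow_list:
        return "deny: application not in smart tunnel list"
    expected = allow_list[name]
    if expected is None:
        return "allow (path only; no checksum enforced)"
    if not os.path.isfile(path):
        return "deny: application missing"
    actual = sha1_of_file(path)
    # Constant-time comparison of the hex digests.
    if hmac.compare_digest(actual, expected.lower()):
        return "allow"
    return "deny: checksum mismatch"


def demo() -> Dict[str, str]:
    """Build constructed applications in a temp dir and evaluate each against the list."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "goodapp.exe")
        with open(good, "wb") as f:
            f.write(b"constructed binary A")
        tampered = os.path.join(d, "tampered.exe")
        with open(tampered, "wb") as f:
            f.write(b"constructed binary B")          # not the bytes the list expects
        allow = {
            "goodapp.exe": sha1_of_file(good),       # checksum taken from the trusted copy
            "tampered.exe": hashlib.sha1(b"original bytes of tampered").hexdigest(),
            "legacy.exe": None,                      # path-only entry, no checksum
        }
        return {
            "good": smart_tunnel_allowed(good, allow),
            "tampered": smart_tunnel_allowed(tampered, allow),
            "legacy": smart_tunnel_allowed(os.path.join(d, "legacy.exe"), allow),
            "unlisted": smart_tunnel_allowed(os.path.join(d, "other.exe"), allow),
        }


if __name__ == "__main__":
    for app, verdict in demo().items():
        print(f"{app:9s} -> {verdict}")
```

The `legacy.exe` entry shows why a checksum is worth configuring: a path-only entry grants the tunnel to whatever file carries that name, while the `tampered.exe` entry is refused as soon as the bytes differ from the recorded digest.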
The remote host originating the smart tunnel connection must be running Microsoft Windows Vista, Windows XP, or Windows 2000, and the browser must be enabled with Java, Microsoft ActiveX, or both.

Note: Compared to the legacy technology, port forwarding, smart tunnel access simplifies the remote-user experience by not requiring the user to connect the local application to the local port. Therefore, smart tunnels do not require users to have administrator privileges.

SSL VPN Client: Full Network Access

This topic discusses the use of the Cisco SSL VPN client to enable full network access for remote users. An SSL VPN client is required when users need full application access.

For full network access, an SSL VPN tunneling client is used to provide access to all network resources and applications. The users are able to use applications such as MS Outlook, Cisco IP Communicator, Meeting Maker, Telnet, SSH, X-Windows, and many others, without having to install and administer an IPsec VPN software package. Clientless and port-forwarding SSL VPNs are incapable of this level of functionality. The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users with full VPN tunneling to corporate resources.

Note: This client is delivered through a web page (from the device that the user is connecting to) and never needs to be manually distributed or installed.

There are two versions of the Cisco SSL VPN "thick" client:

- SSL VPN Client (SVC)
- Cisco AnyConnect SSL VPN Client

ASA operating system version 7.x uses the SVC (no Cisco AnyConnect support), while 8.x and later use the Cisco AnyConnect SSL VPN Client by default.

Cisco SVC SSL VPN Client vs. Cisco AnyConnect SSL VPN Client

The two versions of the Cisco SSL VPN client depend on the version of the Cisco ASA security appliance software and Cisco ASDM software being run on the customer network.

Comparison of the Cisco SVC and the Cisco AnyConnect SSL VPN Client

Cisco SVC:
- Package size 400 KB
- Uses TLSv1
- Provides no additional support for time-sensitive applications
- No Start Before Logon (SBL) support
- Supports only MS Windows 2000 and Windows XP
- Uses Cisco ASA 7.x and Cisco ASDM 5.x

Cisco AnyConnect SSL VPN Client:
- Package size 2-3 MB
- Uses a virtual adapter
- Uses Datagram Transport Layer Security (DTLS), built on OpenSSL
- Provides additional support for time-sensitive applications through DTLS
- Supports Start Before Logon (SBL)
- Supports MS Windows, Macintosh OS X, and Linux
- Uses Cisco ASA 8.x and Cisco ASDM 6.x

Note: The Cisco AnyConnect SSL VPN Client provides support for 64-bit operating system architectures.

The following features are added with the use of the Cisco AnyConnect SSL VPN Client:

- Datagram Transport Layer Security (DTLS) with SSL connections: Avoids latency and bandwidth problems associated with some SSL-only connections and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP.
  For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt).
- Standalone Mode: Allows a Cisco AnyConnect VPN Client to be established as a PC application without the need to use a web browser to establish a connection.
- Command Line Interface (CLI): Provides direct access to client commands at the command prompt.
- Microsoft Installer (MSI): Gives Windows users a preinstall package option that provides installation, maintenance, and removal of Cisco AnyConnect Client software on Windows systems.
- IPv6 VPN access: Allows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OS X, and Linux only).
- Start Before Login (SBL): Allows for login scripts, password caching, drive mapping, and more, for Windows.
- Certificate-only authentication: Allows users to connect with a digital certificate and not provide a user ID and password.
- Simultaneous Cisco AnyConnect client and clientless, browser-based connections: Allows a user to have both a Cisco AnyConnect (standalone) connection and a clientless SSL VPN connection (through a browser) at the same time to the same IP address. Each connection has its own tunnel.
- Compression: Increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred. Compression works only for TLS.
- Fallback from DTLS to TLS: Provides a way of falling back from DTLS to TLS if DTLS is no longer working.
- Language Translation (localization): Provides a way of implementing translation for user messages that appear on the client user interface.
- Dynamic Access Policies feature of the security appliance: Lets you configure authorization that addresses the variables of multiple group membership and endpoint security for VPN connections.
- Cisco Secure Desktop support: Validates the security of client computers requesting access to your SSL VPN, helps ensure that they remain secure while they are connected, and attempts to remove traces of the session after they disconnect. The Cisco AnyConnect VPN Client supports the Secure Desktop functions of Cisco Secure Desktop for Windows 2000 and Windows XP.
- Rekey: Specifies that SSL renegotiation takes place during rekey.

Note: Cisco recommends the use of Cisco ASA adaptive security appliance software version 8.x with Cisco ASDM 6.x for SSL VPN deployments.

Full Network Access SSL VPN Pros and Cons

Deploying the Cisco AnyConnect SSL VPN Client has both benefits and drawbacks. The table lists some of the pros and cons associated with full network access SSL VPNs.

Pros and Cons for Full Network Access SSL VPNs

Pros:
- Provides full network resource and application access through an SSL VPN connection
- Does not require a web browser after the SSL VPN client has been installed on the host system
- Provides enhanced support for time-sensitive network applications
- Can be dynamically installed or uninstalled as necessary
- Provides increased flexibility

Cons:
- Requires installation of the SSL VPN client on the user end station with administrator access rights
- Software upgrade may be required to provide additional operating system and enhanced protocol support

Cisco Secure Desktop

This topic discusses the features and use of the Cisco Secure Desktop on end-user systems in an enterprise network.

SSL VPN: Security Challenges

Cisco Secure Desktop seeks to minimize the risks posed by the use of remote devices to establish a Cisco Clientless SSL VPN or Cisco AnyConnect Client session. Cisco Secure Desktop provides a number of features that you can configure to work independently or together.

Cisco SSL VPN solutions provide organizations with robust and flexible products for protecting the security and privacy of information and can play an important part in an organization's compliance strategies. No single technology today addresses all security requirements under the proposed standards. In addition, given operating system limitations, no technology that interoperates with an operating system can ensure the total removal of all data, especially from an untrusted system with potentially malicious third-party software installed. However, deployments using Cisco Secure Desktop, when combined with other security controls and mechanisms within the context of an enterprise policy, can help to reduce risks associated with using such technologies.

Some SSL VPN security challenges include these:

- Before the SSL VPN session:
  - Who owns the endpoint?
  - Endpoint security posture: antivirus, personal firewall?
  - Is malware running?
- During the SSL VPN session:
  - Is session data protected? Are typed passwords protected?
  - Has malware launched?
- After the SSL VPN session:
  - Browser cached intranet web pages?
  - Browser stored passwords?
  - Downloaded files left behind?

These security concerns associated with SSL VPN clients can now be addressed with the implementation of Cisco Secure Desktop. Cisco Secure Desktop checks now include the following:

- Operating system
- File presence
- Registry
- Active processes

Additional omniplatform security with access technologies (OPSWAT) provides checks for the presence and validity of the following:

- Antivirus
- Personal firewall
- Antispyware

The WebVPN gateway makes remote-access policy decisions.

Cisco Secure Desktop: How It Works

The Cisco Secure Desktop provides a way for network administrators to provide security to remote-user systems. A typical login scenario looks like the following:

- A user on the road connects with the WebVPN gateway and logs in.
- The WebVPN gateway pushes down the Cisco Secure Desktop.
- The Cisco Secure Desktop (v3.2) performs client-side preconnect assessment.
- An encrypted hard-drive partition is created for the user to work in.
- At logout, the virtual desktop that the user has been working in is removed, and the user is notified.

Note: The Cisco Secure Desktop download and removal is seamless to the user.
If the user forgets to terminate the session, auto-timeout will close the session and erase all session information.

Cisco Secure Desktop: Comprehensive Endpoint Security for SSL VPN

Cisco Secure Desktop works with desktop guest permissions; no administrator privileges are required.

Preconnect Assessment

As a condition for the completion of a Cisco clientless SSL VPN or a Cisco AnyConnect connection, the remote computer scans for a large collection of antivirus and antispyware applications, firewalls, operating systems, and associated updates. It also scans for any registry entries, filenames, and process names, collectively called a basic host scan, which you specify. With an Advanced Endpoint Assessment License, Cisco Secure Desktop uses optional criteria as conditions for granting access rights. Additional inspection can detect the presence of antivirus, personal firewalls, and antispyware utilities. The information gathered includes vendor, product, version, and revision. Instead of making policy decisions on the client side, Cisco Secure Desktop inspectors gather the defined information on the endpoint and send it to the WebVPN gateway. The WebVPN gateway uses the user's login credentials, the computer scan results, and a profile match to assign a Dynamic Access Policy (DAP).

Session Protection

Cisco Secure Desktop encrypts data and files associated with, or downloaded during, the SSL VPN session. Cisco Secure Desktop stores session information in the secure vault desktop partition.

Postsession Cleanup

When the session closes, Cisco Secure Desktop seeks to minimize the risk posed by leaving information after a Cisco clientless SSL VPN or a Cisco AnyConnect session terminates. The goal of Cisco Secure Desktop is to reduce the possibility that cookies, browser history, temporary files, and downloaded content will remain on a system after a remote user logs out or an SSL VPN session times out.
Cisco Secure Desktop overwrites and attempts to remove session data by using a U.S. Department of Defense (DoD) sanitation algorithm to provide endpoint security protection.

Cisco Secure Desktop: Client-Side Inspections

Cisco now supports hundreds of predefined products that are updated frequently: antivirus, antispyware, and personal firewall products. Administrators can define custom preconnect assessment checks, including checks for running processes. The Cisco Secure Desktop posture policy is presented visually to simplify configuration and troubleshooting. The policy elements are as follows:

- Operating system
- Location profile (also called a policy)
- Registry key
- File
- Process
- Antivirus application
- Personal firewall application
- Antispyware application

Cisco Secure Desktop: Cache Cleaner

Cisco Secure Desktop is supported on Windows systems only. Cache Cleaner can be deployed on Windows, Mac, and Linux desktops. Cisco Secure Desktop is generally used for Windows systems, though Cache Cleaner can be deployed to standardize functionality with Mac and Linux desktops.

The Cache Cleaner is used for postsession cleanup. It provides for the disabling or erasing of all data that was downloaded, input, or created in the browser, including cached browser information, passwords entered, downloads, and autocomplete information.
The Cache Cleaner can be used with the following:

- Macintosh (Mac OS X): Safari 1.0 or later
- Red Hat Linux v9: Mozilla 1.1 or later
- Windows 98, ME, NT4, 2000, and XP: Explorer 5.0 or later

Cisco Secure Desktop: Onscreen Keyboard

The Cisco Secure Desktop provides additional features to protect user data and account information. When accessing a website from a kiosk, the public PC may have keystroke logging software resident on the machine. Hackers use the keystroke logging software to capture usernames and passwords. To combat this, a WebVPN gateway administrator can enable a downloadable onscreen keyboard. This keyboard provides additional security by eliminating the need to enter keystrokes on a physical keyboard for passwords when users log in or otherwise authenticate.

Summary

This topic summarizes what you have learned in this lesson.

- SSL provides a standards-based architecture for deploying remote-access VPNs.
- SSL increases VPN flexibility by using the built-in SSL framework of web browsers.
- SSL VPNs include the following deployment methods: clientless SSL VPN, port-forwarding SSL VPN, and Cisco AnyConnect SSL VPN.
- The Cisco Secure Desktop allows the enforcement of network security policies on remote SSL VPN users.

Lesson 2

Configuring Clientless SSL VPNs

Overview

This lesson introduces the use of Cisco ASA Clientless Secure Sockets Layer (SSL) virtual private networks (VPNs) in an enterprise network. The lesson covers the configuration of these topics as well as many of the new features available in Cisco ASA Adaptive Security Appliance Software version 8.x.
Objectives

Upon completing this lesson, you should be able to describe and configure a Cisco ASA adaptive security appliance for Clientless SSL VPN connections from remote users. This ability includes being able to meet these objectives:

- Configure Clientless SSL VPN
- Configure Clientless SSL VPNs to use port forwarding
- Configure additional features for Clientless SSL VPNs
- Configure smart tunnels for applications that plug-ins do not support
- Use debug and show commands to verify Clientless SSL VPN configuration

Configuring Clientless SSL VPN

This topic discusses how to configure Clientless SSL VPN access using the SSL VPN Wizard. You must complete the following tasks to create a Clientless SSL VPN connection in your configuration, using the SSL VPN Wizard:

- Task 1: Choose the SSL VPN Wizard.
- Task 2: Choose Clientless SSL VPN Access.
- Task 3: Configure the SSL VPN interface.
- Task 4: Configure user authentication.
- Task 5: Configure user group policy.
- Task 6: Configure a bookmark list.
- Task 7: Verify the Clientless SSL VPN wizard configuration.

Clientless SSL VPN Configuration Topology

[Figure: Clientless SSL VPN configuration topology, showing the corporate office network.]

The example represents the network topology used for the configuration of the Clientless SSL VPN within this lesson.

Choose the SSL VPN Wizard

The first task is to choose the SSL VPN Wizard. To choose the SSL VPN Wizard, complete the following steps:

Step 1: Choose the Wizards menu.
Step 2: Choose SSL VPN Wizard.
In this figure, the SSL VPN Wizard was chosen from the Wizards menu to begin SSL VPN configuration on the Cisco ASA security appliance.

Choose Clientless SSL VPN Access

The next task requires you to choose Clientless SSL VPN access. The first screen of the SSL VPN Wizard allows you to select which type of SSL VPN connection you would like to create:

- Clientless SSL VPN Access: Enables clientless, browser-based connections for specific supported internal resources through a portal page.
- Cisco SSL VPN Client (AnyConnect VPN Client): Enables full network access. It enables the security appliance to download the Cisco AnyConnect VPN Client to remote users.

Step 1: Choose Clientless SSL VPN Access.

Note: Clientless SSL VPN Access will be used for Clientless and Port-Forwarding SSL VPN connections.

In this figure, the Clientless SSL VPN Access box is checked to configure the Cisco ASA security appliance for Clientless SSL VPN.

Configure the SSL VPN Interface

The next task requires that you configure the SSL VPN interface. By default, the Cisco ASA security appliance uses a self-signed certificate to send to the client for authentication. If required, the security appliance can be configured to use a certificate purchased from a well-known certificate authority, such as VeriSign, for use with connecting clients. If a certificate is purchased, it can be chosen in the Digital Certificate drop-down menu. Configuring aliases within the Connection Group Alias/URL option always requires end users to choose their connection group, such as Engineer, Sales, or Operations, based on an alias when they attempt a connection.

To configure the SSL VPN interface, complete the following steps:

Step 1: Enter a name for the Clientless SSL VPN connection in the Connection Name box.
Step 2: Choose the interface to be used with Clientless SSL VPN from the SSL VPN Interface drop-down menu.
Step 3: (Optional) Choose a third-party certificate that has been installed on the security appliance for use with connecting SSL VPN clients.

Note: The SSL VPN Interface screen in the SSL VPN Wizard provides several links in the Information section. These links identify the URLs that need to be used for SSL VPN Service access (login) and for Cisco Adaptive Security Device Manager (ASDM) access (to access the Cisco ASDM software download).

In this figure, the Clientless SSL VPN connection is given the name "ClientlessSSLVPN," the outside interface is selected as the termination interface for SSL VPN, and certificates are currently not configured.

Configure User Authentication

The next task requires that you configure user authentication for access. User authentication can be handled by external authentication servers (such as RADIUS) or it can be handled locally using the local user database of the security appliance. To configure user authentication using the local user database, complete the following steps:

Step 1: Choose the Authenticate Using the Local User Database radio button.
Step 2: Configure a username and password for the desired user.
Step 3: Click Add to add the user to the local user database.

In this figure, several user accounts were added to the local authentication database of the security appliance. The user accounts added were student1 and student2.

Configure User Group Policy

The next task requires that you configure a user group policy. You can select an existing user group policy to modify or you can add a new user group policy for the Clientless SSL VPN connection.
To create a new user group policy, complete the following steps: Step1 Choose the Create New Group Poliey radio button, Step2 Cor igure a name for the new user group policy. Note By default, the created user group policy wil inherits settings from the DIGrpPolicy. You ‘can modify hese settings after the wizard has been completed by navigating to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies ‘submenu In this figure, a new group policy is created using the name ClientlessS LVPN-Group, 5-48 Securing Networks with Cisco ASA Advanced (SNAA) v1.0 2008 Cisco Systems, ine Configure a Bookmark List The next task requires that you configure a bookmark list to be used with the Clientless SSL. VPN users. Configure a Bookmark List: Create a Bookmark List ‘A bookmark list is a set of URLs that is configured to be used in the Clientless SSL_VPN web portal. By default, there are no configured bookmark lists, and the network admin configure them tor must To create a bookmark list, complete the following steps: Step Choose Manage to create a new bookmark list step 2 Add to add a bookmark list based on the included template Step 3 Configure the bookmark list name and click Add to create bookmarks for tl The Add Bookmark Entry window opens. The ereation of a bookmark entry is covered next. In this figure, a new bookmark list is ereated fi Student-Bookmark m the default template and given the name {© 2008 isco Systems, ne SSLVPNs 5.49 Step 1 Step 2 Step 3 Step 4 Step 5 Configure a Bookmark List: Create Bookmark Entry—-HTTP Server ire the URL value for the bookmark as HTTP. 
The following list of URL values is displayed:

■ HTTP
■ HTTPS
■ CIFS
■ FTP

Step 3 Configure the server destination IP address or hostname to be used with the bookmark entry.

Step 4 (Optional) Configure the bookmark subtitle. The subtitle will appear under the bookmark entry on the web portal.

Step 5 (Optional) Configure the thumbnail to be used with this bookmark entry.

Note To use thumbnails with bookmarks, the thumbnails must first be uploaded to the Cisco ASA security appliance.

In this figure, an HTTP bookmark named Cisco Switch has been created. The bookmark has been given an IP address of 10.0.4.3 and has been assigned a Cisco logo thumbnail. The logo will appear next to the link in the web portal.

Configure a Bookmark List: Create Bookmark Entry—CIFS Server

To create a CIFS server bookmark in the bookmark list, complete the following steps:

Step 1 Configure a name for the bookmark in the Bookmark Title box.

Step 2 Configure the URL value for the bookmark as CIFS.

Step 3 Configure the server destination IP address or hostname to be used with the bookmark entry.

Step 4 (Optional) Configure the bookmark subtitle. The subtitle will appear under the bookmark entry on the web portal.

Step 5 (Optional) Configure the thumbnail to be used with this bookmark entry.

Note To use thumbnails with bookmarks, the thumbnails must first be uploaded to the security appliance.

In this figure, a CIFS bookmark named Microsoft File Server has been created. The target file server is using the 10.0.4.10 IP address and has been assigned a Microsoft logo thumbnail.

Verify Clientless SSL VPN Wizard Configuration

The last task associated with Clientless SSL VPN configuration is the verification of the SSL VPN configuration from the SSL VPN Wizard.
Verify that the information configured in the SSL VPN wizard is correct, and choose Finish to finish the wizard and send the configuration to the Cisco ASA security appliance.

Commands Sent to the Cisco ASA from the Cisco ASDM

Note Apply the changes to the security appliance and save the configuration.

Based on the SSL VPN wizard, the following commands are sent to the Cisco ASA security appliance:

SSL VPN Interface:

webvpn
 enable outside

Configured Bookmark List:

import webvpn url-list Student-Bookmark disk0:/tmpAsdmImportFile1077933939
delete /noconfirm disk0:/tmpAsdmImportFile1077933939

Configured Clientless SSL VPN Group Using Internal Authentication:

group-policy ClientlessSSLVPN-Group internal
group-policy ClientlessSSLVPN-Group attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value Student-Bookmark

Configured User Accounts:

username student1 password LqURV2sUSjuvrKwi encrypted privilege 0
username student1 attributes
 vpn-group-policy ClientlessSSLVPN-Group
username student2 password LqURV2sUSjuvrKwi encrypted privilege 0
username student2 attributes
 vpn-group-policy ClientlessSSLVPN-Group

Configured Clientless SSL VPN Connection Profile:

tunnel-group ClientlessSSLVPN type remote-access
tunnel-group ClientlessSSLVPN general-attributes
 default-group-policy ClientlessSSLVPN-Group

Note After you have finished configuring the Clientless SSL VPN connection using the wizard, make sure to apply the changes to the security appliance by using the Apply button at the bottom of the Cisco ASDM window.
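The command set above can be checked for consistency before it is applied. The following is an added example, not Cisco or ASDM code: it parses the indented ASA configuration syntax and reports a user or connection profile that points at an undefined group policy, a group policy whose tunnel protocol list omits webvpn, and a local VPN user whose privilege level is above the 0 that the wizard assigns. The sample configuration is constructed from the wizard output above.

```python
"""Audit the Clientless SSL VPN commands the ASDM wizard sends to the ASA.

Added example, not Cisco or ASDM code. Findings: webvpn not enabled on any
interface, a group policy whose vpn-tunnel-protocol omits webvpn, a user or
tunnel-group referencing an undefined group policy, and a local VPN user
with a privilege level above 0 (the level the wizard assigns).
"""

# Constructed sample: the wizard-generated commands reconstructed above.
WIZARD_CONFIG = """\
webvpn
 enable outside
group-policy ClientlessSSLVPN-Group internal
group-policy ClientlessSSLVPN-Group attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value Student-Bookmark
username student1 password LqURV2sUSjuvrKwi encrypted privilege 0
username student1 attributes
 vpn-group-policy ClientlessSSLVPN-Group
username student2 password LqURV2sUSjuvrKwi encrypted privilege 0
username student2 attributes
 vpn-group-policy ClientlessSSLVPN-Group
tunnel-group ClientlessSSLVPN type remote-access
tunnel-group ClientlessSSLVPN general-attributes
 default-group-policy ClientlessSSLVPN-Group
"""


def _rec(table, name, **defaults):
    """Record for a named object, created with its defaults on first reference."""
    return table.setdefault(name, defaults)


def parse_asa_config(text):
    """Extract Clientless SSL VPN objects from ASA configuration text.

    Sub-mode commands are indented under their parent command; a line that is
    indented no deeper than the open context closes that context.
    """
    cfg = {"webvpn_interfaces": set(), "group_policies": {},
           "users": {}, "tunnel_groups": {}}
    gps, users, tgs = cfg["group_policies"], cfg["users"], cfg["tunnel_groups"]
    stack = []  # (indent, context) for each open sub-mode
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        ctx = stack[-1][1] if stack else ("top",)
        w = raw.split()
        kind = w[2] if len(w) > 2 else None
        if ctx == ("top",):
            if w[0] == "webvpn":
                stack.append((indent, ("webvpn",)))
            elif w[0] == "group-policy" and kind in ("internal", "attributes"):
                _rec(gps, w[1], protocols=None, url_lists=set())
                if kind == "attributes":
                    stack.append((indent, ("gp", w[1])))
            elif w[0] == "username" and kind in ("password", "attributes"):
                # ASA local users default to privilege level 2 when none is given.
                u = _rec(users, w[1], privilege=2, group_policy=None)
                if "privilege" in w:
                    u["privilege"] = int(w[w.index("privilege") + 1])
                if kind == "attributes":
                    stack.append((indent, ("user", w[1])))
            elif w[0] == "tunnel-group" and kind in ("type", "general-attributes"):
                _rec(tgs, w[1], default_group_policy=None)
                if kind == "general-attributes":
                    stack.append((indent, ("tg", w[1])))
        elif ctx == ("webvpn",) and w[0] == "enable":
            cfg["webvpn_interfaces"].add(w[1])
        elif ctx[0] == "gp" and w[0] == "vpn-tunnel-protocol":
            gps[ctx[1]]["protocols"] = set(w[1:])
        elif ctx[0] == "gp" and w[0] == "webvpn":
            stack.append((indent, ("gp-webvpn", ctx[1])))
        elif ctx[0] == "gp-webvpn" and w[:2] == ["url-list", "value"]:
            gps[ctx[1]]["url_lists"].add(w[2])
        elif ctx[0] == "user" and w[0] == "vpn-group-policy":
            users[ctx[1]]["group_policy"] = w[1]
        elif ctx[0] == "tg" and w[0] == "default-group-policy":
            tgs[ctx[1]]["default_group_policy"] = w[1]
    return cfg


def audit_clientless_vpn(text):
    """Return findings for the wizard output; an empty list means consistent."""
    cfg = parse_asa_config(text)
    gps = cfg["group_policies"]
    findings = []
    if not cfg["webvpn_interfaces"]:
        findings.append("webvpn is not enabled on any interface")
    for name, gp in gps.items():
        if gp["protocols"] is not None and "webvpn" not in gp["protocols"]:
            findings.append(f"group-policy {name}: vpn-tunnel-protocol omits webvpn")
    for name, u in cfg["users"].items():
        if u["privilege"] > 0:
            findings.append(f"username {name}: privilege {u['privilege']} "
                            "(the wizard assigns VPN-only users privilege 0)")
        if u["group_policy"] and u["group_policy"] not in gps:
            findings.append(f"username {name}: vpn-group-policy {u['group_policy']} is not defined")
    for name, tg in cfg["tunnel_groups"].items():
        dgp = tg["default_group_policy"]
        if dgp and dgp not in gps:
            findings.append(f"tunnel-group {name}: default-group-policy {dgp} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_clientless_vpn(WIZARD_CONFIG) or ["no findings"]:
        print(finding)
```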
Ctrl-S will save the running configuration into the flash of the Cisco ASA security appliance.

Verifying Clientless SSL VPN Operation

This topic will discuss what should be done to verify the proper operation of Clientless SSL VPNs.

You must complete the following tasks to verify that the configured Clientless SSL VPN connection is working properly:

■ Task 1: Log in to the Clientless SSL VPN.
■ Task 2: Access configured network resources.
■ Task 3: Verify SSL VPN operation with the Cisco ASA command-line interface (CLI).
■ Task 4: Verify SSL VPN operation with the Cisco ASDM GUI.

Log In to the Clientless SSL VPN

To verify Clientless SSL VPN operation, you must first log in to the created SSL VPN network.

To log in to the Clientless SSL VPN, you must complete the following tasks:

Step 1 Open a compliant web browser and enter the login URL for the SSL VPN into the address field. The address entered should be the URL listed in Step 2 of 6 in the SSL VPN wizard.

Note The prefix to the path changes depending on whether or not you require authentication. The security appliance uses /+CSCOE+/ for objects that require authentication, and /+CSCOU+/ for objects that do not. The security appliance displays /+CSCOE+/ objects on the portal page only, while /+CSCOU+/ objects are visible and usable in either the logon or the portal pages.

Step 2 Enter the previously configured username and password and choose Login.

In this figure, the previously configured username of student1 and password of cisco were entered to log in to the Clientless SSL VPN.

After the user has logged in, the main portal page will be displayed. The default home page will display the configured Web Application bookmarks and CIFS bookmarks. If many bookmarks are available, one or the other type of bookmark can be chosen for display by using the buttons in the left pane. To the left of each configured bookmark is the imported image file used by the bookmark. Other sites that must be accessed but are not configured as bookmarks can be accessed by using the address bar at the top of the portal page.

In this figure, the user has logged in to the created web portal, and the bookmarks that are configured for the Clientless SSL VPN are available for navigation.

Access Configured Network Resources

The next task in verifying Clientless SSL VPN operation is to access the network resources that are configured for use with the SSL VPN.

Access Configured Network Resources: HTTP Bookmark

To access configured network resources, complete the following steps:

Step 1 From the main portal page, click the configured Web Application bookmark for the target device. You should notice that the security appliance has mangled the target address: all traffic is proxied through the Cisco ASA security appliance.

By default, a floating task bar resides in the top right corner of the main display page. This menu can be used to navigate back to the main portal page, enter a new address to access, move the floating task bar, or log out of the Clientless SSL VPN.

In this figure, the bookmark used to provide this image was Cisco Switch. It was configured during the Clientless SSL VPN Wizard.
Access Configured Network Resources: CIFS Bookmark Login

After the HTTP bookmark has been accessed, complete the following steps to access the CIFS bookmark:

Step 2 To access a network server share, choose the link that is associated with one of the CIFS shares configured on the security appliance, under Browse Networks. After a brief pause, you should be asked to log in to the network resource, because Single Sign-On (SSO) has not been configured.

Step 3 Log in to the network share by using the required username and password. The username and password for this share are based on user accounts on the target system, not on the security appliance.

In this figure, the user chooses the configured CIFS bookmark. The bookmark will display an authentication window for the user to log in to the remote file server. In this case, the user logs in with the username of administrator.

Access Configured Network Resources: CIFS Bookmark Access

After you have logged in to the network share, you will be able to access the files and folders that your user account has access to. In this case, the user has full access to the network share as an Administrator account.

Access Configured Network Resources: CIFS Bookmark Menu

With full access, the network share menu includes the following menu buttons:

■ Up One Level
■ Favorites
■ Delete
■ Copy
■ Cut
■ Paste
■ New Folder
■ Upload
■ Network
■ Web Folder

Note The use of the Up One Level menu button may require additional authentication for access.

Verify SSL VPN Operation with the Cisco ASA CLI

This task requires you to enter several commands in the Cisco ASA CLI to ensure that the SSL VPN is functioning properly.
To verify SSL VPN operation by using the security appliance CLI, complete the following steps:

Step 1 Enter the show webvpn statistics command in the security appliance CLI.

Step 2 Enter the show crypto protocol statistics ssl command in the security appliance CLI.

ASA5520(config)# show webvpn statistics
Total number of objects served 14
 html 13
 js 0
 css 1
 vb 0
 java archive 0
 java class 0
 image 0
 undetermined 0

ASA5520(config)# show crypto protocol statistics ssl
[SSL statistics]
Encrypt packet requests: 8575
Encapsulate packet requests: 8575
Decrypt packet requests: 653
Decapsulate packet requests: 653
HMAC calculation requests: 9228
SA creation requests: 135
SA rekey requests: 0
SA deletion requests: 133
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0

Verify SSL VPN Operation with the Cisco ASDM GUI

The last task for verifying the operation of a Clientless SSL VPN will require you to use the Cisco ASDM GUI.

Verify SSL Operation with the Cisco ASDM GUI: Crypto Statistics

To verify Clientless SSL VPN operation by using the Cisco ASDM GUI, complete the following steps:

Step 1 Navigate to the Monitoring > VPN > VPN Statistics > Crypto Statistics submenu and choose the SSL protocol from the drop-down menu. Verify that encryption and decryption are functioning for the SSL protocol.

In this figure, the SSL protocol statistics show proper SSL operation for encryption and decryption of SSL traffic.
Verify SSL Operation with the Cisco ASDM GUI: Compression Statistics

Next, verify the SSL compression statistics by completing the following task:

Step 2 Navigate to the Monitoring > VPN > VPN Statistics > Compression Statistics submenu to view Clientless SSL VPN compression information.

In this figure, compression statistics for the Clientless SSL VPN are shown.

Verify SSL Operation with the Cisco ASDM GUI: Sessions

Next, verify SSL operation with the Cisco ASDM GUI by using the session details.

Step 3 Navigate to Monitoring > VPN > VPN Statistics > Sessions to view Clientless SSL VPN session information. If multiple connection types are currently connected to the security appliance, you can filter the view by choosing Clientless SSL VPN from the Filter menu. You can further filter by the Username, IP, or Encryption method.

Step 4 After the filter has selected the desired Clientless SSL VPN connection, you can look at more detailed information about the connection by using the Details button. The Details button will give you very specific information about the requested session.

In this figure, student1 is connected to the Clientless SSL VPN by using the ClientlessSSLVPN-Group group policy from IP address 192.168.250.1. No network access control profile has been configured for this user.

Configuring Port-Forwarding SSL VPN

This topic will discuss the configuration of Port-Forwarding SSL VPN.

It is possible to configure a new SSL VPN connection specifically for Port-Forwarding VPNs, and additional groups or users can be configured as well.
However, this is not a requirement, and you can simply add the port-forwarding configuration to the Clientless SSL VPN configuration that has already been completed. To configure a Port-Forwarding SSL VPN, you must complete the following tasks:

■ Task 1: Create a port-forwarding list.
■ Task 2: Modify the Clientless SSL VPN group policy.

Note The configuration of the Port-Forwarding SSL VPN will build upon the same configuration used for the Clientless SSL VPN.

Port-Forwarding SSL VPN Configuration Topology

Figure: Remote User (192.168.250.1), Cisco ASA, Corporate Office; Telnet to localhost port 2300 is forwarded to the switch at 10.0.4.3, port 23.

The example represents the network topology that is used for the configuration of the Port-Forwarding SSL VPN. In this example, an administrator is accessing the switch that is protected by the Cisco ASA security appliance through port forwarding. The administrator enables the port-forwarding application within the Clientless SSL VPN portal and establishes a Telnet connection to localhost (127.0.0.1) on TCP port 2300. The port-forwarding application forwards the connection to the security appliance, which, in turn, forwards the connection request to the switch at IP address 10.0.4.3.

Create a Port-Forwarding List

The first task that must be completed for Port-Forwarding SSL
VPNs is to configure a port-forwarding list.

To configure a port-forwarding list, complete the following steps:

Step 1 Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Port Forwarding submenu and click Add to add a new port-forwarding list.

Step 2 Configure a list name and then click Add to add a port-forwarding entry.

Step 3 Configure the port-forwarding list entry with the following information:

■ Local TCP Port: The port that the local application will listen on for port forwarding of this entry.
■ Remote Server: The remote network server address.
■ Remote TCP Port: The port that the remote network server will listen on for network connections.
■ Description: Description of the port-forwarding entry.

Step 4 Click OK twice to accept the new port-forwarding entry and port-forwarding list.

Note Remember that the connection is only secured to the Cisco ASA security appliance. If an unsecured protocol (such as Telnet) is used with port forwarding, the traffic leaving the security appliance will not be encrypted.

In this figure, a port-forwarding entry for Telnet to IP address 10.0.4.3 has been created with a local listening port of 2300 and a target listening port of 23.

Modify the Clientless SSL VPN Group Policy

The next task requires that you modify the Clientless SSL VPN group policy that was previously configured using the SSL VPN wizard.

Modify Clientless SSL VPN Group Policy: Edit Existing Group Policy

To modify the existing Clientless SSL VPN group policy, complete the following steps:

Step 1 Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies submenu and choose the previously configured Clientless SSL VPN group policy.

Step 2 Choose Edit to edit the Clientless SSL VPN group policy.
In this figure, the configured group policy, ClientlessSSLVPN-Group, is being selected for editing.

Modify Clientless SSL VPN Group Policy: Select Port-Forwarding List

Note Apply the changes to the Cisco ASA security appliance and save the configuration.

After the group policy has been chosen for editing, you must complete the following tasks to select the port-forwarding list:

Step 3 Choose the Portal submenu from the left pane and uncheck Inherit for the Port-Forwarding List and Applet Name fields.

Step 4 Choose Port-Forwarding from the drop-down menu and check the Auto Applet Download box. Auto Applet Download will automatically start the configured port-forwarding application after the user logs in to the system.

Step 5 (Optional) Configure an applet name for the application to be used with the Port-Forwarding SSL VPN.

Step 6 Click OK and apply the changes to the Cisco ASA security appliance. Save the configuration to the security appliance.

In this figure, the port-forwarding list named Port-Forwarding has been associated with the ClientlessSSLVPN-Group group policy. In addition to associating the port-forwarding list, the Auto Applet Download box has been checked.

Modify Clientless SSL VPN Group Policy: Select Port-Forwarding List (Cont.)
Note Apply the changes to the Cisco ASA security appliance and save the configuration.

The following is an example of the commands that were sent to the Cisco ASA security appliance from the Cisco ASDM after the settings for the Port-Forwarding SSL VPN were added to the Clientless SSL VPN configuration:

Configured Port-Forwarding List:

webvpn
 port-forward Port-Forwarding 2300 10.0.4.3 23 Telnet to Cisco 3550 Switch

Add the Port-Forwarding List to the ClientlessSSLVPN-Group Attributes:

group-policy ClientlessSSLVPN-Group attributes
 webvpn
  port-forward-name value Switch Telnet
  file-entry enable
  file-browsing enable
  url-entry enable
  port-forward auto-start Port-Forwarding

Verifying Port-Forwarding SSL VPN

This topic will discuss the tasks required to verify the proper operation of Port-Forwarding SSL VPNs.

To verify the operation of the configured Port-Forwarding SSL VPN, you must complete the following tasks:

■ Task 1: Log in to the Clientless SSL VPN.
■ Task 2: Access configured network applications using port forwarding.
■ Task 3: Verify SSL VPN operation with the Cisco ASA CLI.
■ Task 4: Verify SSL VPN operation with the Cisco ASDM GUI.

Log In to the Port-Forwarding SSL VPN

To verify Clientless SSL VPN operation, you must first log in to the created SSL VPN network. To log in to the Clientless SSL VPN, you must complete the following tasks:

Step 1 Open a compliant web browser and enter the login URL for the SSL VPN into the address field.
Step 2 Enter the previously configured username and password and choose Login.

In this figure, the user is logging in to the Clientless SSL VPN by pointing a compliant web browser at the SSL VPN interface on the Cisco ASA security appliance (192.168.4.2) and entering the username of student1 and the password of cisco.

Access Configured Network Applications Using Port Forwarding

The next task that is required to verify the operation of a Port-Forwarding SSL VPN is to access the applications that are configured for port forwarding.

To access the applications that are configured for the Port-Forwarding SSL VPN, complete the following steps:

Step 1 Accept any warnings from Java asking you to accept the applet from the Cisco ASA security appliance.

Step 2 The Java applet should launch automatically. The Java applet window identifies that the security appliance is listening on the configured ports for the configured applications. In this case, the security appliance is listening on port 2300 for Telnet traffic that is to be forwarded to 10.0.4.3 on port 23.

Access Configured Network Applications Using Port Forwarding (Cont.)

Next, open an application session that corresponds to the configured port-forwarding list entry.

Step 3 Open a Telnet session to 127.0.0.1 using port 2300, as configured in the port-forwarding list. A Telnet session to the main IP address of the Cisco ASA security appliance (192.168.4.2) will not provide port-forwarding functionality.

After the Telnet session has connected, you should see the Java applet window counters increasing.
This identifies that the Telnet session is being forwarded properly to the remote client. In this figure, the Telnet session to 127.0.0.1:2300 is port forwarded to the target IP address of 10.0.4.3:23.

Verify SSL VPN Operation with the Cisco ASA CLI

The Cisco ASA CLI can be used to verify proper operation of the Port-Forwarding SSL VPN.

To verify the operation of a Port-Forwarding SSL VPN using the Cisco ASA CLI, do the following:

Step 1 After the user has logged in to the Port-Forwarding SSL VPN and has accessed the configured application, typing the command show conn all will identify incoming SSL connections to the security appliance and an outbound (proxied) Telnet connection to the configured network device:

ASA5520(config)# show conn all
TCP out 192.168.250.1:2084 in 192.168.4.2:443 idle 0:00:05 bytes 62237 flags UO
TCP out 10.0.4.3:23 in 10.0.4.1:1024 idle 0:00:13 bytes 94 flags UO

Of the included output, the following line identifies the outbound port-forwarded connection to the target 10.0.4.3, using Telnet:

TCP out 10.0.4.3:23 in 10.0.4.1:1024 idle 0:00:13 bytes 94 flags UO

Verify SSL VPN Operation with the Cisco ASDM GUI

The Cisco ASDM GUI can be used to verify proper operation of the Port-Forwarding SSL VPN.

Verify SSL VPN Operation with the Cisco ASDM GUI: Sessions

To verify the operation of the Port-Forwarding SSL VPN using the Cisco ASDM, complete the following steps:

Step 1 Navigate to Monitoring > VPN > VPN Statistics > Sessions and filter for the Clientless SSL VPN sessions. The Protocol Encryption field should identify the encryption as Clientless Port-Forwarding RC4.

Step 2 To gather further information about the session, choose the Details button after the session has been chosen in the main window.
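The port-forward command sent to the group policy and the show conn all lines checked in Step 1 above can be correlated programmatically. The following is an added example, not Cisco or course code: it parses both, reports the inbound SSL session on the SSL VPN interface and the outbound proxied connection that the port-forward entry produced, and flags entries whose remote protocol is cleartext, as the note on the port-forwarding list warns. The sample lines are constructed from the figures; the interface names and flags are assumptions.

```python
"""Correlate a port-forward entry with `show conn all` output on a Cisco ASA.

Added example, not Cisco code. Parses the `port-forward` command and the
connection lines (both the space-separated form shown in the text and the
comma-separated form a live ASA prints), then matches the entry's remote
server to the outbound proxied connection and warns when the remote
protocol is cleartext, since that leg leaves the ASA unencrypted.
"""
import re
from dataclasses import dataclass

# Constructed sample: the port-forward command ASDM sent in the text.
PORT_FORWARD_CMD = "port-forward Port-Forwarding 2300 10.0.4.3 23 Telnet to Cisco 3550 Switch"

# Constructed sample of the two `show conn all` lines the text walks through
# (interface names and flags are assumptions, not captured output).
SHOW_CONN = """\
TCP out 192.168.250.1:2084 in 192.168.4.2:443 idle 0:00:05 bytes 62237 flags UO
TCP out 10.0.4.3:23 in 10.0.4.1:1024 idle 0:00:13 bytes 94 flags UO
"""

# Well-known ports of cleartext application protocols.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}


@dataclass(frozen=True)
class PortForward:
    list_name: str
    local_port: int
    remote_host: str
    remote_port: int
    description: str


@dataclass(frozen=True)
class Conn:
    proto: str
    a_ifc: str
    a_host: str
    a_port: int
    b_ifc: str
    b_host: str
    b_port: int
    nbytes: int
    flags: str


_PF_RE = re.compile(r"^\s*port-forward\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)(?:\s+(.*\S))?\s*$")
_CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+):(\d+)[, ]+(\S+)\s+(\S+):(\d+)"
    r"[, ]+idle\s+\S+[, ]+bytes\s+(\d+)[, ]+flags\s+(\S+)")


def parse_port_forward(line):
    """Parse one `port-forward <list> <local> <host> <remote> [description]`."""
    m = _PF_RE.match(line)
    if not m:
        raise ValueError(f"not a port-forward command: {line!r}")
    return PortForward(m[1], int(m[2]), m[3], int(m[4]), m[5] or "")


def parse_show_conn(text):
    """Parse the connection lines of `show conn`, skipping anything else."""
    conns = []
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            conns.append(Conn(m[1], m[2], m[3], int(m[4]), m[5], m[6],
                              int(m[7]), int(m[8]), m[9]))
    return conns


def _touches(c, host, port):
    return (c.a_host, c.a_port) == (host, port) or (c.b_host, c.b_port) == (host, port)


def forwarded_connections(conns, pf):
    """Connections with the entry's remote server and port as an endpoint."""
    return [c for c in conns if c.proto == "TCP"
            and _touches(c, pf.remote_host, pf.remote_port)]


def ssl_sessions(conns, asa_addr, port=443):
    """Inbound SSL connections terminating on the ASA's SSL VPN interface."""
    return [c for c in conns if c.proto == "TCP" and _touches(c, asa_addr, port)]


def cleartext_warning(pf):
    """Warning text when the remote protocol is cleartext, otherwise None."""
    name = CLEARTEXT_PORTS.get(pf.remote_port)
    if name is None:
        return None
    return (f"{pf.list_name}: local port {pf.local_port} forwards to {name} on "
            f"{pf.remote_host}:{pf.remote_port}; traffic leaving the ASA is not encrypted")


if __name__ == "__main__":
    entry = parse_port_forward(PORT_FORWARD_CMD)
    table = parse_show_conn(SHOW_CONN)
    print("SSL sessions:", ssl_sessions(table, "192.168.4.2"))
    print("forwarded:", forwarded_connections(table, entry))
    print("warning:", cleartext_warning(entry))
```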
Details will give information about the Clientless SSL VPN session as well as any port forwarding being performed. The highlighted portion of the figure provides port-forwarding information for the session. This information includes, but is not limited to, the following:

■ Encryption Method: RC4
■ Tunnel ID: 12.2
■ TCP Source Port: 443
■ TCP Destination Port: 2135
■ User Authentication Mode: userPassword
■ Idle Timeout
■ Client Type: Web Browser
■ Client Version: Client web browser version information

Verify SSL VPN Operation with the Cisco ASDM GUI: Protocol Statistics

To view the protocol statistics, the following step must be completed:

Step 3 Navigate to the Monitoring > VPN > VPN Statistics > Protocol Statistics submenu to view the available port-forwarding statistics.

Two sessions are identified on this screen. The first session is for the clientless access to the SSL VPN. After the user has successfully logged in, a Port-Forwarding session is created when the user launches the appropriate network application that is forwarded by the Cisco ASA security appliance.

Configuring Additional SSL VPN Features

This topic will discuss the configuration and use of several additional features that are available to SSL VPN deployments.

These are additional Clientless SSL VPN features:

■ Client-server plug-ins
■ User interface customization
■ Caching and content rewriting
■ Smart tunnels
■ E-mail proxy

Client-Server Plug-Ins Overview

The Cisco ASA security appliance supports the use of several client-server plug-ins that can be used to provide additional functionality to the Clientless SSL VPN web portal experience.
Client-Server Plug-Ins: Client-Server Plug-Ins Overview

Older code releases did not have support for a number of common client-type applications such as the following:

■ Windows Terminal Server (limited functionality in 7.2)
■ Telnet/SSH, including VT 320, IBM 3270, xterm, and so on
■ Citrix (Full) Client
■ Virtual Network Computing (VNC)

The addition of support for these third-party applications will exist in the form of packaged, single-archive files in the .jar file format. The existing capabilities of Java rewriting and the use of Application Profile Customization Framework (APCF) files with the APCF ActiveX port forwarder lend themselves well to the techniques used both to extend these capabilities and to add support for additional content types such as Adobe SVG, MHTML, and XML/XSL.

Client-Server Plug-Ins: Client Plug-Ins Overview (Cont.)

The Cisco CLI and Cisco ASDM experience has been automatically extended to allow creation of the resources, resource lists, or direct URL bars for the added protocol, and adding them to the portal page, subject to access control lists (ACLs), policies, and so on.
A resource is defined as a URL, similar to the http(s):// and cifs:// resources, with the appropriate protocol type; for example, rdp://server:port/?width=900&height=700. When the user clicks a resource link, a dynamic page is generated that hosts the ActiveX Java applet, which is rewritten by the content transformer. The Java applet is rewritten and re-signed, ActiveX parameters are rewritten, and the helper port forwarder ActiveX is injected if needed. The Java applet is transparently cached in the gateway cache.

Note Cisco does not provide direct support for, nor does it recommend, any particular third-party plug-ins. As a provider of Clientless SSL VPN services, you are responsible for reviewing and complying with any license agreements that are required to use third-party plug-ins. Plug-ins that are sourced from third parties cannot be modified without agreement from those third parties.

Client-Server Plug-Ins Configuration

For plug-ins to be used by the Clientless SSL VPN, they must be imported into the Cisco ASA security appliance.

Client-Server Plug-Ins Configuration: Importing Plug-Ins Using Cisco ASDM

To import plug-ins into the security appliance, complete the following steps:

Step 1 Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Client-Server Plug-Ins submenu and choose the Import button.

Step 2 Choose the type of plug-in that is to be imported and then choose Browse Local Files to choose any plug-ins that are installed on the local machine.

Step 3 After the plug-in has been chosen, choose Import Now to import the plug-in for use by the security appliance.

In this figure, the VNC plug-in is being imported into the memory of the security appliance for use with the SSL VPN.
Client-Server Plug-Ins Configuration: List of Imported Plug-Ins

After you have imported all of the desired plug-ins, they will be listed in the main Client-Server Plug-Ins window. In this figure, the RDP, SSH, Telnet, and VNC plug-ins have been loaded.

Client-Server Plug-Ins Configuration: Manual Navigation

Once imported, any of the plug-ins can be used to manually navigate to a target network resource, or they can be configured as the protocol used by a configured bookmark.

Client-Server Plug-Ins Configuration: Manual Navigation—VNC

The Telnet/SSH plug-in will launch a secondary web browser window as it contacts the requested network server. After the server has been contacted, the Telnet/SSH session will be displayed as a Java window inside the new browser page. This example illustrates the use of the VNC plug-in to provide a VNC session to a target network resource with an IP address of 10.0.4.3.

Configuring Bookmarks to Use Plug-Ins

To configure bookmarks to use imported plug-ins, you must complete the following steps:

Step 1 Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks submenu and click Add to add a new bookmark. The Add Bookmark Entry window opens.

Step 2 Configure a bookmark title, choose the desired plug-in protocol, and then configure the target server address.

Step 3 Click OK to add the bookmark to the security appliance configuration and then choose Apply to send the configuration to the security appliance.

In this figure, a bookmark is created using the VNC application protocol for IP address 10.0.4.3.
Client-Server Plug-Ins Configuration: Bookmark Navigation—VNC

After the bookmark has been configured and saved to the security appliance, it will be available for use on the web portal page. In this figure, the bookmark VNC to Server is available for use under the VNC Bookmarks subsection.

Client-Server Plug-Ins Configuration: Bookmark Navigation—VNC (Cont.)

In this example, the bookmark that is associated with the target VNC server was chosen from the Clientless SSL VPN web portal. After it is chosen, the VNC plug-in launches a new window for the user that will provide access to the desired VNC-based network resource.

User Interface Customization Overview

The user interface is made up of the pages, panes, images, and links that the user will see and interact with when accessing the SSL VPN system. These pages can be modified, based on corporate requirements.

User Interface Customization: Overview

SSL VPN page customization allows for greater flexibility to customize SSL VPN content. An embedded editor allows administrators to customize the login, portal, and logout pages for use with the Clientless SSL VPN deployment. Custom panes can be added to provide additional network information, images, and Really Simple Syndication (RSS) feeds for streaming media. In addition, the Cisco ASA security appliance allows the administrator to import XML pages for completely customized web portals. The user interface customization screens can be accessed by using the Cisco ASDM.
User Interface Customization: Onscreen Keyboard

■ Used to help protect systems against keyloggers by requiring a user to interact with the Java keyboard to enter a password.
■ Configured on the Object Customization page.
■ May be configured to show only when logging into the SSL VPN system, or any time authentication is required.

The Cisco ASA security appliance supports the use of a Java-based onscreen keyboard to provide an additional layer of security and help protect users from threats such as keyloggers. The onscreen keyboard is enabled on the Object Customization page. It can be configured to show only when logging into the SSL VPN system, or any time that network authentication is required. Note that an onscreen keyboard defeats only keystroke capture; malware that captures the screen or the browser session is not addressed by it.

User Interface Customization Configuration

This section describes the customization of the user interface using Cisco ASDM.

UI Customization Configuration: Create New Customization Template

The next several figures illustrate how to configure a customized user interface using Cisco ASDM. When configuring a customized user interface, you have the option of either editing the default user interface or creating a new one. In the examples that follow, a new user interface template is created. To configure a customized user interface, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization submenu. In the Customization Objects pane, choose Template and click Add to create a new customization object. The Add Customization Object window opens.

Step 2  Configure the Customization Object Name and click OK to add the new customization object.
Step 3  Enable the onscreen keyboard by choosing the appropriate radio button at the bottom of the main customization pane. In this example, it is configured to show only when logging into the Clientless SSL VPN system.

Note  You must save the configuration to the security appliance before you can edit the newly created customization object.

In this figure, a new customization template is created from the default template and given the name ClientlessSSLVPN.

Next, complete the following tasks to edit the new customization template:

Step 4  After the configuration has been saved to the security appliance, choose the new customization object, ClientlessSSLVPN, from the list. Click Edit to launch the SSL VPN Customization Editor in a secondary web browser window.

UI Customization Configuration: Main UI Customization Window

After you have chosen the newly created user interface customization template and clicked Edit, the main window of the SSL VPN Customization Editor is displayed. The editor is split into three distinct areas for user interface configuration:

■ Logon page
■ Portal page
■ Logout page

Note  Any time changes are made to the template pages using the SSL VPN Customization Editor, you must click the Save button to save the changes to the appropriate page.

This figure illustrates the default screen as viewed after the customization editor has been launched.

UI Customization Configuration: Edit UI Pages
■ Page text, graphics, and colors can be modified for each page.
■ Title panels can also be modified by using cascading style sheets (CSS).

When one of the customization submenus is chosen on the left side of the editor, the corresponding configuration menu for that selection is displayed on the right side. From these configuration menus, you can change page text, graphics, and colors. Colors are modified using a color selector that is available wherever colors can be changed. Title panels can also be configured using cascading style sheets (CSS). In the figure, the ClientlessSSLVPN: Logon Page > Title Panel was selected.

UI Customization Configuration: Example Logon Page

The following items can be modified when configuring the Logon page:

■ Browser Window: Changes the text shown in the main browser title bar.
■ Title Panel: Changes the title shown on the main page of the SSL VPN logon screen, as well as the available colors.
■ Languages: Selects the default language used for the Logon page.
■ Language Selector: Provides a drop-down selector for other available languages on the Logon page.
■ Logon Form: Changes the text and colors displayed in the Logon box.
■ Information Panel: An optional panel that can be enabled and placed to either side of the Logon form. The information panel can include required text and graphics as needed for the Logon page.
■ Copyright Panel: Adds copyright information to the Logon page.
■ Full Customization: Configures the security appliance to use a fully customized web page that you choose from media previously uploaded in the Web Contents submenu.

In this figure, a completed portal Logon page is displayed after it has been customized.
In addition to the customized menu bars, there is a customized login prompt, a custom image, and a configured text message for users who connect to the SSL VPN.

UI Customization Configuration: Example Portal Page

The following items can be modified when configuring a portal page:

■ Browser Window: Changes the text shown in the main browser title bar.
■ Title Panel: Changes the title shown on the main page of the SSL VPN portal page, as well as the available colors.
■ Toolbar: Configures the text shown for the address bar and the floating toolbar shown when navigating pages.
■ Applications: Configures the order and name of the available application buttons. Application buttons can also be disabled from this menu.
■ Home Page: Configures the use of a custom page for the web portal.
■ Custom Panes: Allows the creation of custom panes to provide additional information on the web portal. The following pane types are available:
  — Text
  — HTML
  — Image
  — RSS Feed
■ Columns: Configures the number of columns to be displayed on the web portal.

Note  The red box included on the example portal page identifies the model of the security appliance in use by the example network and holds no other significance.

In this figure, an example customized web portal page is shown. In addition to headers, a custom column has been added to provide room for additional information on the web portal.

Note  More examples of portal customization can be found under the SSL VPN/WebVPN section at the following URL: http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list

UI Customization Configuration: Example Logout Page

The following items can be modified when configuring the Logout page:

■ Logout Form: Configures the text and colors to be displayed in the logout form.
Note  It is important to remember to save the changes to the customized user interface so that it reflects the desired modifications.

In this figure, an example Logout page is shown. Customized headers are shown in addition to a customized Logout window.

UI Customization Configuration: Assigning a Custom Object to a Group Policy

After the desired modifications have been made to the user interface, complete the following steps to assign the new customization object to a Clientless SSL VPN group policy:

Step 5  Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policy submenu, choose the previously configured group policy ClientlessSSLVPN-Group, and click Edit. (Not shown.) The Edit Internal Group Policy: ClientlessSSLVPN-Group window opens. (Not shown.)

Step 6  After the group policy window opens, navigate to the More Options > Customization submenu.

Step 7  Uncheck Inherit next to the Portal Customization setting and choose the previously configured customization object from the drop-down menu. Click OK and save the configuration to the security appliance.

In this example, the previously configured ClientlessSSLVPN customization object is chosen from the Portal Customization drop-down menu. This assigns the newly created custom user interface to the group policy.

Commands Sent to the Cisco ASA from the Cisco ASDM
The following is example output sent from Cisco ASDM to the Cisco ASA security appliance to finish the customization of the user interface.

Configured customized user interface:

export webvpn customization DfltCustomization disk0:/tmpAsdmImportFile1606875343
import webvpn customization ClientlessSSLVPN disk0:/tmpAsdmImportFile1606875343
delete /noconfirm disk0:/tmpAsdmImportFile1606875343

Assigned customized user interface to ClientlessSSLVPN-Group:

group-policy ClientlessSSLVPN-Group attributes
 webvpn
  customization value ClientlessSSLVPN
onscreen-keyboard logon
configure terminal

UI Customization Configuration: Clientless SSL VPN Web Portal

This image displays the functional customized web portal after the user has successfully logged into the Cisco ASA security appliance over a Clientless SSL VPN.

Caching and Content Rewriting

Caching enhances the performance of Clientless SSL VPN. The security appliance stores frequently reused objects in its cache, which reduces the need to perform repeated rewriting and compression of content. The use of the cache reduces traffic, with the result that many applications run more efficiently.

Clientless SSL VPN processes application traffic through a content transformation and rewriting engine. To proxy HTTP traffic, the engine handles advanced elements such as JavaScript, VBScript, Java, and multibyte characters, which can have different semantics and access control rules depending on whether the user is using an application from within or independently of an SSL VPN device.
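The ordered rule search and the split-tunnel-like bypass that the Content Rewriting Configuration pages below describe, modelled in Python as an added example for this edition (not Cisco code, and not the appliance's rewriting engine). Shell-style wildcard matching of the resource mask, separate matching of its host and path parts, and the portal prefix https://asa.example.net/+proxy+/ are assumptions; the rules and the sample page are constructed.

```python
"""Model of Clientless SSL VPN content-rewrite rule evaluation.

Added example written for this edition; it is not Cisco code and does not
reproduce the appliance's rewriting engine.  Assumptions not taken from the
guide: resource masks use shell-style wildcards, the host and path parts of a
mask are matched separately, and rewritten links are prefixed with the
hypothetical portal path PORTAL_PREFIX.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urlsplit

PORTAL_PREFIX = "https://asa.example.net/+proxy+/"   # hypothetical, see docstring
DEFAULT_ORDER = 65535                                # the fixed default rule runs last


@dataclass(frozen=True)
class RewriteRule:
    order: int          # 1..65534 for administrator rules
    enable: bool        # False models "rewrite order N disable ..." (site bypasses the ASA)
    resource_mask: str  # e.g. "*.cisco.com/*"
    name: str


DEFAULT_RULE = RewriteRule(DEFAULT_ORDER, True, "*", "default")


def _split_mask(mask: str) -> tuple:
    """Split 'hostmask/pathmask'.  Matching host and path separately keeps a
    leading host wildcard from swallowing a '/' and matching a lookalike path
    such as evil.example/www.cisco.com/."""
    host, sep, path = mask.partition("/")
    return host, (sep + path) if sep else "*"


def matches(rule: RewriteRule, url: str) -> bool:
    parts = urlsplit(url)
    host_mask, path_mask = _split_mask(rule.resource_mask)
    return (fnmatchcase(parts.hostname or "", host_mask)
            and fnmatchcase(parts.path or "/", path_mask))


def lookup(rules, url: str) -> RewriteRule:
    """Return the first matching rule, searching by ascending order number.
    The default rule matches everything, so a result is always found."""
    for rule in sorted(rules, key=lambda r: r.order) + [DEFAULT_RULE]:
        if matches(rule, url):
            return rule
    return DEFAULT_RULE  # unreachable; keeps the return type honest


class _LinkRewriter(HTMLParser):
    """Prefix href/src targets that must traverse the ASA; leave bypassed ones alone."""

    def __init__(self, rules):
        super().__init__()
        self.rules, self.out = rules, []

    def handle_starttag(self, tag, attrs):
        rendered = []
        for key, val in attrs:
            if key in ("href", "src") and val and val.startswith(("http://", "https://")):
                if lookup(self.rules, val).enable:
                    val = PORTAL_PREFIX + val
            rendered.append(f'{key}="{val}"' if val is not None else key)
        self.out.append("<" + " ".join([tag] + rendered) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def rewrite_html(rules, html: str) -> str:
    parser = _LinkRewriter(rules)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample data: the rule from the figure plus a more specific
# higher-priority rule, and a page with one public link and one intranet link.
RULES = [
    RewriteRule(10, False, "*.cisco.com/*", "Cisco-Web"),
    RewriteRule(5, True, "*.cisco.com/secure/*", "Cisco-Secure"),
]
SAMPLE_PAGE = ('<a href="https://www.cisco.com/go/asa">Public docs</a> '
               '<a href="https://intranet.example/hr">HR portal</a>')

if __name__ == "__main__":
    for url in ("https://www.cisco.com/go/asa", "https://www.cisco.com/secure/x",
                "https://cisco.com/", "https://evil.example/www.cisco.com/login"):
        rule = lookup(RULES, url)
        print(f"{url:45} -> {rule.name} ({'rewrite' if rule.enable else 'bypass'})")
    print(rewrite_html(RULES, SAMPLE_PAGE))
```

Two things are worth noticing when you run it. Rule 5 wins over rule 10 for /secure/ paths because the lower order number is searched first. Under this mask model, the *.cisco.com/* mask from the figure matches www.cisco.com but not bare cisco.com, nor a lookalike path such as evil.example/www.cisco.com/, both of which still traverse the appliance. An overly broad mask on a disabled rule has the opposite effect: everything it matches leaves the appliance's inspection.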
Caching and Content Rewriting: Overview

■ Caching enhances the performance of Clientless SSL VPN. The security appliance stores frequently reused objects in its cache, which reduces the need to perform repeated rewriting and compression of content. The use of the cache reduces traffic, with the result that many applications run more efficiently.
■ Content transformation, or "rewriting", processes application traffic through a content transformation engine. Rules can be created to allow access to some websites without going through the Cisco ASA security appliance.

You might not want some applications and web resources, for example public websites, to go through the security appliance. The security appliance therefore lets you create rewrite rules that let users browse certain sites and applications without going through the security appliance. This is similar to split tunneling in an IPsec VPN connection, and it carries the same caveat: traffic that matches a rule with rewriting disabled is sent directly from the user's browser to the site, so it is not inspected or logged by the security appliance.

You can create multiple rewrite rules. The rule number is important because the security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.

The content cache configuration fields include these:

■ Enable cache: Check to enable caching. The default value is Disable.
■ Parameters: Lets you define the terms for caching.
  — Maximum Object Size: Enter the maximum size in kilobytes of a document that the security appliance can cache. The security appliance measures the original content length of the object, not the rewritten or compressed content. The range is 0 to 10,000 KB; the default is 1000 KB.
  — Minimum Object Size: Enter the minimum size in KB of a document that the security appliance can cache. The security appliance measures the original content length of the object, not the rewritten or compressed content. The range is 0 to 10,000 KB; the default is 0 KB. The Maximum Object Size must be greater than the Minimum Object Size.
  — Expiration Time: Enter an integer between 0 and 900 to set the number of minutes to cache objects without revalidating them. The default is one minute. The expiration time applies to objects that have neither a last-modified time stamp nor an explicit server-set expiry time.
  — LM Factor: Enter an integer between 1 and 100; the default is 20. The LM Factor sets the policy for caching objects that have only a last-modified time stamp, that is, objects with no server-set expiry. The security appliance estimates how long the object is likely to remain unchanged (its expiration time) as the time elapsed since the last change multiplied by the LM Factor, expressed as a percentage. A small LM Factor forces early revalidation; 100 results in the longest allowable time before revalidation.

Content caching is enabled by default. If caching is not desirable, uncheck the Enable Cache check box. Confirm the effective setting in the running configuration rather than relying on the default.

Caching and Content Rewriting: Content Rewriting Configuration

By default, all sites are processed by using the default content rewriting rule. To configure a site for no content rewriting, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Rewrite submenu and click Add to add a new content rewrite rule. The Add Content Rewrite Rule window opens.

In this figure, the default content rewriting rule is displayed. The Add button is chosen to configure a new rule that determines which traffic is subject to content rewriting.

Caching and Content Rewriting: Content Rewriting Configuration (Cont.)
To configure a site for no content rewriting, continue with the following steps:

Step 2  Uncheck the Enable Content Rewrite check box to disable content rewriting for the target site. Unchecking this box tells the Cisco ASA security appliance that the URLs listed in the rule will not go through the security appliance. As previously stated, this is similar to split tunneling.

Step 3  Configure a rule number. The default rule, 65,535, is processed last, based on number, and it cannot be modified. The acceptable range is 1 to 65,534.

Step 4  Configure a rule name. The name cannot contain any spaces.

Step 5  Configure a resource mask for the content rewriting rule. In this example, *.cisco.com/* is used to denote that no content rewriting should be performed on websites under cisco.com. Keep masks as narrow as the requirement allows: every URL that matches a disabled rule bypasses the security appliance entirely.

Example output sent to the Cisco ASA security appliance from Cisco ASDM:

webvpn
 rewrite order 1 disable resource-mask *.cisco.com/* name Cisco-Web

In this figure, a rule called Cisco-Web was created to prevent content destined for the *.cisco.com space from going through the content rewriting engine.

Smart Tunnels Overview

A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway and the security appliance as a proxy server. You can identify the applications to which you want to grant smart tunnel access, and specify the local path to each application and, optionally, the Secure Hash Algorithm (SHA-1) hash of the executable to check before granting access.

Smart Tunnel: Overview

■ Available in Cisco ASA software version 8.x.
■ A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site.
■ The use of smart tunnels provides access to additional applications that are not otherwise supported by the Clientless SSL VPN.
■ Smart tunnels can be configured as a smart tunnel application list that specifies the desired executables, or they can be used in conjunction with preconfigured bookmarks.
■ Smart tunnels improve upon port forwarding because they do not require users to have administrator privileges.

Port forwarding makes use of a local Java helper applet to provide access to certain applications that are not supported by Clientless SSL VPN by default. The helper application requires a connection to the local host to provide the port-forwarding function; for example, a Telnet connection to the loopback address 127.0.0.1 on port 2300, as shown previously in this lesson. Local connections often require additional operating system privileges to provide the port-forwarding function. This can be problematic on systems that are not corporate controlled.

Smart tunnels do not require connections to the local host to provide connectivity; therefore, smart tunnels do not require users to have administrator privileges, and they impose fewer requirements on the client station.

Note  Lotus Sametime, Microsoft Outlook, and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.

Smart Tunnel: Configure a Smart Tunnel Application List

To configure an application list for smart tunnels, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels submenu and click Add to create a new application list. The Add Smart Tunnel List window opens.

Step 2  Configure a list name and click Add to add a smart tunnel entry. The Add Smart Tunnel Entry window opens.
Step 3  Configure the application ID, which is an identifier for the smart tunnel entry.

Step 4  Configure the process name or the full path to the desired application.

Note  If a full path is specified, the smart tunnel entry applies only to the application at the specified path. If the process name is specified without a full path, smart tunneling is applied based on the executable file name, regardless of its location on the target system. A bare process name is therefore the weaker control: any executable with that name on the endpoint qualifies.

Step 5  (Optional) Configure the hash of the application. To obtain this value, enter the application (that is, the executable file) into a utility that calculates a hash using the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), available at http://support.microsoft.com/kb/841290/. After installing FCIV, place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:\fciv.exe), and then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash. Any SHA-1 utility produces the same value for the same file; the hash is tied to the exact build of the executable, so it must be updated when the application is patched.

In this figure, a smart tunnel list named ClientlessSSLVPN was created. In that list, an entry named Outlook Express has been created to provide smart tunnel functionality for the Outlook Express application.

Smart Tunnel: Configuring a Smart Tunnel Application List (Cont.)

After the smart tunnel application list has been created, it can be associated with an SSL VPN group policy. To associate the smart tunnel application list with an SSL VPN group policy, complete the following tasks:

Step 6  Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies submenu, choose the previously configured group policy, and click Edit. The Edit Internal Group Policy: ClientlessSSLVPN-Group window opens.
Step 7  Choose the Portal submenu, uncheck the Inherit check box associated with the smart tunnel list, and choose the configured smart tunnel list from the drop-down menu.

Step 8  (Optional) If you check the Auto Start check box, the smart tunnel process is started when the user logs into the Clientless SSL VPN. Otherwise, the user must start the smart tunnel process manually on the Application Access web page in the web portal.

In this figure, the ClientlessSSLVPN-Group is chosen and the newly created ClientlessSSLVPN smart tunnel application list is associated with the SSL VPN group policy.

Smart Tunnel: Smart Tunnel Bookmark Modification

To configure bookmarks to be used with smart tunnels, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks submenu, choose the previously configured bookmark list, and click Edit. The Edit Bookmark List window opens.

Step 2  Choose one of the previously configured bookmarks and click Edit. The Edit Bookmark Entry window opens.

Step 3  In the Edit Bookmark Entry window, open the Advanced Options drop-down menu for the configured bookmark and click the Yes radio button associated with the Enable Smart Tunnel option.

Step 4  Click OK twice to accept the bookmark changes and click Apply to save the configuration changes to the Cisco ASA security appliance.

In this figure, the Cisco Switch bookmark is enabled to use smart tunneling when it is used through the SSL VPN web portal.

Commands Sent to the Cisco ASA from the Cisco ASDM
The following commands are sent to the Cisco ASA security appliance from Cisco ASDM.

Modified bookmarks that use smart tunnels are included in the Student-Bookmark bookmark list:

import webvpn url-list Student-Bookmark disk0:/tmpAsdmImportFile1970057882
delete /noconfirm disk0:/tmpAsdmImportFile1970057882
group-policy ClientlessSSLVPN-Group attributes

The configured smart tunnel list is assigned to the ClientlessSSLVPN group policy:

webvpn
 smart-tunnel list ClientlessSSLVPN Outlook-Express "C:\Program Files\Outlook Express\msimn.exe"
 smart-tunnel enable ClientlessSSLVPN
configure terminal

Smart Tunnel: Bookmark Verification

To verify the operation of a bookmark that is configured for smart tunnel access, complete the following steps:

Step 1  Log in to the Clientless SSL VPN portal.

Step 2  Choose the bookmark that is configured for smart tunnel access. The bookmark opens in a new web browser window. The smart tunnel process calls a relayocx.html file to handle the bookmark.

Step 3  The secondary web browser window is redirected to the target network resource identified by the bookmark.

In this figure, the bookmark enabled for smart tunneling opens a new window when it is chosen from within the portal. The web management interface of the switch opens after the user authenticates. Because this bookmark was associated with a smart tunnel, the user's interaction with the web management interface is handled through the smart tunnel, which allows access to the links on the web management page.
Had this link not been placed within a smart tunnel, more administrator involvement would have been needed for it to work properly.

E-Mail Proxy

E-mail proxies extend remote e-mail capability to users of Clientless SSL VPN. When users attempt an e-mail session through the e-mail proxy, the e-mail client establishes a tunnel to the security appliance using the SSL protocol.

E-Mail Proxy: Overview

■ The e-mail client is configured to point to the Cisco ASA as the server, using the secure protocol ports and an encrypted session.
■ The user is authenticated locally or through an off-box AAA mechanism.
■ The Cisco ASA terminates the encrypted session and proxies requests to the target e-mail server.

The client-side tunnel is terminated at the Cisco ASA security appliance, and the security appliance then proxies the e-mail communications to the requested e-mail server by using the well-known protocols over an unencrypted session. The security appliance receives e-mail traffic from the server and then returns it to the user over the encrypted protocol tunnel. Because the server-side leg is cleartext, the path between the security appliance and the mail server should stay within the trusted internal network.

E-Mail Proxy: Overview (Cont.)

Post Office Protocol version 3 Secure (POP3S) is one of the e-mail proxies that the Clientless SSL VPN supports. By default, the Cisco ASA security appliance listens on port 995, and connections are automatically allowed to port 995 or to the configured port. The POP3S proxy allows only SSL connections on that port.
After the SSL tunnel is established, the POP3 protocol starts, and then authentication occurs. POP3S is for receiving e-mail.

Internet Message Access Protocol version 4 Secure (IMAP4S) is one of the e-mail proxies that the Clientless SSL VPN supports. By default, the Cisco ASA security appliance listens on port 993, and connections are automatically allowed to port 993 or to the configured port. The IMAP4S proxy allows only SSL connections on that port. After the SSL tunnel is established, the IMAP4 protocol starts, and then authentication occurs. IMAP4S is for receiving e-mail.

Simple Mail Transfer Protocol Secure (SMTPS) is one of the e-mail proxies that the Clientless SSL VPN supports. By default, the Cisco ASA security appliance listens on port 988, and connections are automatically allowed to port 988 or to the configured port. The SMTPS proxy allows only SSL connections on that port. After the SSL tunnel is established, the SMTP protocol starts, and then authentication occurs. SMTPS is for sending e-mail. Note that 988 is not the port most e-mail clients assume for SMTP over SSL (465); the client must be configured explicitly with whatever port the security appliance listens on.

Of the listed protocols for e-mail proxy support, POP3S and IMAP4S are used to receive e-mail, while SMTPS is used to send e-mail over a secured Transport Layer Security (TLS) connection.

E-Mail Proxy: Configuration

To configure the Clientless SSL VPN to support E-Mail Proxy access, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Advanced > E-Mail Proxy > Access E-Mail Proxy submenu, choose the interface for which you want E-Mail Proxy support, and click Edit.

Step 2  After the interface window opens, choose the desired protocols for E-Mail Proxy.

Step 3  Click OK to accept the changes to the interface.

In this figure, all three secure e-mail protocols are chosen for the outside interface of the Cisco ASA security appliance. The outside interface is configured for SSL VPN termination.

E-Mail Proxy: Configuration (Cont.)
After the secure e-mail protocols have been chosen for the SSL VPN interface, complete the following tasks to configure the default e-mail proxy servers:

Step 4  Navigate to the Configuration > Remote Access VPN > Advanced > E-Mail Proxy > Default Servers submenu. Configure the Name or IP Address of the destination e-mail server for each desired protocol, as well as the port on which the security appliance listens for connections using that protocol.

Step 5  (Optional) Modify the number of allowed nonauthenticated sessions. The menu options are as follows:

■ Name or IP Address: Enter the DNS name or IP address of the default e-mail proxy server.
■ Port: Enter the port number on which the security appliance listens for e-mail proxy traffic. Connections are automatically allowed to the configured port. The e-mail proxy allows only SSL connections on this port. After the SSL tunnel is established, the e-mail proxy starts and authentication occurs.

Note  For POP3S, the default port is 995; for IMAP4S, it is 993; and for SMTPS, it is 988.

■ Enable non-authenticated session limit: Check to restrict the number of nonauthenticated e-mail proxy sessions. E-mail proxy connections have three states:
  — A new e-mail connection enters the unauthenticated state.
  — When the connection presents a username, it enters the authenticating state.
  — When the security appliance authenticates the connection, it enters the authenticated state.

This feature lets you set a limit for sessions that are in the process of authenticating, thereby limiting denial of service (DoS) attacks that open many connections without completing authentication. When a new session exceeds the set limit, the security appliance terminates the oldest nonauthenticating (unauthenticated) connection. If there are no nonauthenticating connections, the oldest authenticating connection is terminated.
This action does not terminate authenticated sessions.

In this figure, the default e-mail proxy servers are configured to communicate with the server located at 10.0.4.10.

E-Mail Proxy: Configuration (Cont.)

After the default e-mail servers have been configured, complete the following tasks to configure the authentication method to be used with the e-mail proxy feature:

Step 6  Navigate to the Configuration > Remote Access VPN > Advanced > E-Mail Proxy > Authentication submenu and choose the preferred method of authentication for each protocol being used for E-Mail Proxy.

POP3S, IMAP4S, and SMTPS Authentication: Lets you configure authentication methods for each of the e-mail proxy types. You can choose multiple methods of authentication.

The following methods are available for use with the e-mail proxy:

■ AAA: Choose to require authentication, authorization, and accounting (AAA) authentication. This option requires a VPN username and password in addition to the e-mail username, server, and password. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.
■ Certificate: Certificate authentication does not work for e-mail proxies in the current Cisco ASA security appliance software release.
■ Piggyback HTTPS: Choose to require piggyback authentication. This authentication scheme requires the user to have already established a Clientless SSL VPN session. The user presents an e-mail username only; no password is required. Users must present both the VPN username and the e-mail username, separated by the VPN Name Delimiter, only if the usernames are different from each other.
■ Mailhost (SMTPS only): Choose to require mail host authentication. This option appears for SMTPS only because POP3S and IMAP4S always perform mail host authentication. It requires the user's e-mail username, server, and password. SMTPS e-mail most often uses piggyback authentication because most SMTP servers do not allow users to log in.
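The three connection states and the termination order described under Step 5, together with the VPN Name Delimiter convention used by the AAA and Piggyback HTTPS methods, modelled in Python as an added example for this edition (not Cisco code). The session IDs and the flood scenario are constructed, and the colon delimiter is an assumption; the appliance's actual default delimiter and its exact termination timing are not taken from the guide.

```python
"""Model of the e-mail proxy non-authenticated session limit and of piggyback
user naming.  Added example for this edition, not Cisco code: it implements
the three connection states and the termination order the guide describes,
with constructed session IDs.  The colon as the VPN Name Delimiter is an
assumption.
"""
from collections import OrderedDict
from enum import Enum


class State(Enum):
    UNAUTHENTICATED = "unauthenticated"  # TLS up, no username presented yet
    AUTHENTICATING = "authenticating"    # username presented, credentials pending
    AUTHENTICATED = "authenticated"      # accepted; never terminated by the limit


class ProxySessionTable:
    """Tracks e-mail proxy connections in arrival order and enforces the
    non-authenticated session limit when a new connection would exceed it."""

    def __init__(self, limit: int):
        self.limit = limit
        self._sessions = OrderedDict()   # sid -> State; insertion order == age
        self.terminated = []             # sids closed by the limit, oldest first

    def pending(self):
        """Sessions still counting against the limit (not yet authenticated)."""
        return [sid for sid, st in self._sessions.items() if st is not State.AUTHENTICATED]

    def connect(self, sid: str) -> None:
        if len(self.pending()) >= self.limit:
            self._terminate_one()
        self._sessions[sid] = State.UNAUTHENTICATED

    def _terminate_one(self) -> None:
        # Oldest unauthenticated connection first; if none, oldest authenticating.
        # Authenticated sessions are never candidates.
        for wanted in (State.UNAUTHENTICATED, State.AUTHENTICATING):
            for sid, st in self._sessions.items():
                if st is wanted:
                    del self._sessions[sid]
                    self.terminated.append(sid)
                    return

    def present_username(self, sid: str) -> None:
        self._sessions[sid] = State.AUTHENTICATING

    def authenticate(self, sid: str) -> None:
        self._sessions[sid] = State.AUTHENTICATED

    def state(self, sid: str):
        return self._sessions.get(sid)


def split_piggyback_login(login: str, delimiter: str = ":"):
    """Return (vpn_user, mail_user).  Without the delimiter both names are the same."""
    vpn_user, sep, mail_user = login.partition(delimiter)
    return vpn_user, (mail_user if sep else vpn_user)


def flood_demo(limit: int = 2):
    """Constructed scenario: an attacker opens idle connections while one
    legitimate user authenticates.  Returns the terminated IDs, oldest first,
    and the final state of the legitimate session."""
    table = ProxySessionTable(limit)
    table.connect("legit")
    table.present_username("legit")
    table.connect("idle-1")          # pending: legit (authenticating), idle-1
    table.connect("idle-2")          # at limit: idle-1, oldest unauthenticated, goes
    table.authenticate("legit")      # legit no longer counts against the limit
    table.connect("idle-3")          # pending: idle-2, idle-3; nothing terminated
    table.present_username("idle-3")
    table.connect("idle-4")          # at limit: idle-2 (unauthenticated) goes
    table.connect("idle-5")          # pending idle-3 (authenticating), idle-4: idle-4 goes
    table.present_username("idle-5")
    table.connect("idle-6")          # no unauthenticated left: oldest authenticating, idle-3, goes
    return table.terminated, table.state("legit")


if __name__ == "__main__":
    print(flood_demo())
    print(split_piggyback_login("jdoe:john.doe"), split_piggyback_login("jdoe"))
```

Running it shows the property the limit is designed for: the session that completes authentication survives every round of the flood, while connections that never present credentials are recycled first and half-finished ones only when nothing else remains. The limit therefore bounds the attacker's footprint without affecting users who finish logging in.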
In this figure, Piggyback HTTPS authentication is used.

Note  IMAP generates a number of sessions that are not limited by the simultaneous user count but which do count against the number of simultaneous logins allowed for a username. If the number of IMAP sessions exceeds this maximum and the Clientless SSL VPN connection expires, a user cannot subsequently establish a new connection. There are several solutions:

■ The user can close the IMAP application to clear the sessions with the security appliance and then establish a new Clientless SSL VPN connection.
■ The administrator can increase the simultaneous logins for IMAP users (Configuration > Features > VPN > General > Group Policy > Edit Group Policy > General).
■ You can disable Piggyback HTTPS authentication for e-mail proxy.

Step 7  Click Apply to apply the configuration changes for E-Mail Proxy.

Step 8  Open the user's e-mail client and ensure that the client has the proper server IP address and port numbers configured to communicate with the Cisco ASA security appliance.

Commands Sent to the Cisco ASA from the Cisco ASDM

The following is sample output of the commands sent from Cisco ASDM to the Cisco ASA security appliance for the e-mail proxy configuration.

Enable the desired e-mail protocols on the necessary interface:

pop3s
 enable outside
imap4s
 enable outside
smtps
 enable outside

Configured e-mail server settings per protocol:

pop3s
 server 10.0.4.10
 default-group-policy ClientlessSSLVPN-Group
 authentication piggyback
imap4s
 server 10.0.4.10
 default-group-policy ClientlessSSLVPN-Group
 authentication piggyback
smtps
 server 10.0.4.10
 default-group-policy ClientlessSSLVPN-Group
 authentication piggyback

Troubleshooting Clientless and Port-Forwarding SSL VPNs

This topic discusses some of the options that can be used to aid in troubleshooting Clientless and Port-Forwarding SSL VPNs.
Troubleshooting Commands and Procedures
■ Several procedures exist to aid in troubleshooting Clientless SSL VPN problems:
  - Adding the Cisco ASA as a trusted network site
  - Clearing the web browser cache
  - Clearing the Java cache
  - Removing the Relay.dll and ActiveX control file from the client system
■ The debug webvpn command is used to provide information about the WebVPN service, based on SSL VPN traffic through the Cisco ASA security appliance.
■ The debug aaa command is used to provide information about AAA communication, either using the internal server or an external server.

There are several procedures that are useful in assisting with the troubleshooting process of SSL VPN connectivity and use of applications:
■ Adding the Cisco ASA security appliance as a trusted network site
■ Clearing the web browser cache
■ Clearing the Java cache
■ Removing the ActiveX control and relay.dll file from the client system

Also, the Cisco ASA security appliance provides several debugging commands that can be used to help identify problems that are associated with Clientless or Port-Forwarding SSL VPNs. The following commands are available through the CLI:
■ debug webvpn
■ debug aaa

Adding the Cisco ASA as a Trusted Network Site

In some cases, applications may have trouble launching properly or calling JavaScript or ActiveX as helpers if the Cisco ASA security appliance is not configured on the client web browser as a trusted network site.

Troubleshooting Procedures—Adding the Cisco ASA as a Trusted Network Site

To configure the security appliance as a trusted network site, complete the following steps:

Step 1 For Internet Explorer, choose the Tools drop-down menu and then choose Internet Options.

In this figure, the Internet Options control panel is being chosen from the web browser to add the Cisco ASA security appliance as a trusted network site on the end-user system.
Troubleshooting Procedures—Adding the ASA as a Trusted Network Site (Cont.)

After you have launched the Internet Options control panel, you must complete the following tasks to add the security appliance as a trusted network site:

Step 2 Choose the Security tab, choose Trusted Sites, and then choose Sites to add the security appliance as a trusted network site. The Trusted Sites window opens.

Step 3 Enter the address for the security appliance in the Add this Web site to the zone box and click Add. Click OK twice to accept the changes on the client system.

Note The browser will prompt the user for permission because of binary file modifications. It is, therefore, recommended that the user add the headend gateway as a trusted site for Internet Explorer.

In this figure, the security appliance has been added as a trusted network site using the address https://192.168.4.2.

Clearing the Web Browser Cache

In the event that files have become stale and are not displaying properly, you can clear the web browser cache in an attempt to have the requested pages display properly.

Troubleshooting Procedures—Clearing the Web Browser Cache

To clear your web browser cache, complete the following steps:

Step 1 For Internet Explorer, choose the Tools drop-down menu and then choose Internet Options. (Not shown.) The Internet Options window opens.

Step 2 Choose the General tab and locate the Temporary Internet Files subsection.

Step 3 Choose the Delete Files button. A dialog box will ask you if you want to delete all files in the Temporary Internet Files folder.

Step 4 Click the OK button to delete the cached files. You can also delete all of the offline content by choosing the Delete Offline Content check box before clicking OK.

Step 5 In the History subsection of the General tab, choose the Clear History button.
A dialog box will appear that says, "Are you sure you want Windows to delete your history of visited Web sites?" Click the Yes button.

Step 6 Click OK to leave Internet Options.

Step 7 Click the Refresh button at the top of the browser.

In this figure, all offline content was deleted from the end-user station, and the browsing history was cleared.

Clearing the Java Cache

The Java cache can be cleared to help alleviate any issues encountered with misbehaving Java plug-ins.

Troubleshooting Procedures—Clearing the Java Cache

To clear the client system Java cache (v1.4) on Windows XP, complete the following steps:

Step 1 Open the Windows Control Panel by navigating to Start > Settings > Control Panel in the Windows menu.

Step 2 Open the Java Plug-in control panel and choose the Cache tab.

Step 3 Click Clear to clear the Java cache.

Step 4 Close the Java Plug-in control panel.

In this figure, the Java cache was cleared for the user John Doe.

Removing the Relay.dll and ActiveX Control from the Client System

The use of certain features, smart tunnels in particular, requires the use of an ActiveX control and relay.dll file on the client system. If the client system is not functioning properly with smart tunnels, you may have to remove the ActiveX control and relay.dll file so that they can be reinstalled.

Troubleshooting Procedures—Removing the Relay.dll File and ActiveX Control
■ Smart tunnels use an ActiveX control and Relay.dll file to provide the connection between a Winsock 2, TCP-based application and the private site.
■ If the smart tunnel is not working correctly, you may have to remove the ActiveX control and Relay.dll file so that they can be reloaded by the Cisco ASA security appliance.
■ The Relay.dll file can be found at C:\Documents and Settings\<username>\Local Settings\Temp.
To delete the relay.dll file from the client system, complete the following step:

Step 1 Navigate to the C:\Documents and Settings\<username>\Local Settings\Temp directory, locate the relay.dll file, and delete it.

Troubleshooting Procedures—Removing the Relay.dll File and ActiveX Control
■ Select the Tools drop-down menu from Internet Explorer and then select Manage Add-ons.
■ In the Manage Add-ons window, select the Cisco Systems WebVPN Relay Loader and disable it.
■ Remove the add-on.

To remove the Cisco Systems WebVPN Relay Loader add-on, complete the following steps:

Step 1 Choose the Tools drop-down menu from Internet Explorer and then choose Manage Add-ons. (Not shown.)

Step 2 In the Manage Add-ons window, choose the Cisco Systems WebVPN Relay Loader and then choose Disable.

Step 3 Accept the pop-up warning.

Step 4 After the add-on has been disabled, you can safely remove it at C:\WINDOWS\Downloaded Program Files\Cisco Systems WebVPN Relay Loader.

In this figure, the Cisco Systems WebVPN Relay Loader is disabled. The add-on must be disabled before it can be removed from the client system.

Debug WebVPN

The debug webvpn command is used to provide information about the WebVPN service on the security appliance.

Troubleshooting Commands and Procedures—debug webvpn

    debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]

    ASA5520# debug webvpn cifs
    INFO: debug webvpn cifs enabled at level 1
    ASA5520# show debug
    debug webvpn cifs enabled at level 1

To log WebVPN debug messages, use the debug webvpn command in privileged EXEC mode.
To disable the logging of WebVPN debug messages, use the no form of this command.

    debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]
    no debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]

debug webvpn

Command               Description
debug webvpn option   Enables logging of WebVPN commands.
chunk                 Displays debug messages about memory blocks that are used to support WebVPN connections.
cifs                  Displays debug messages about connections between CIFS servers and WebVPN users.
citrix                Displays debug messages about connections between Citrix MetaFrame Servers and Citrix Independent Computing Architecture (ICA) clients over WebVPN.
failover              Displays debug messages about equipment failovers that affect WebVPN connections.
html                  Displays debug messages about HTML pages that are sent over WebVPN connections.
javascript            Displays debug messages about JavaScript that is sent over WebVPN connections.
request               Displays debug messages about requests that are issued over WebVPN connections.
response              Displays debug messages about responses that are issued over WebVPN connections.
svc                   Displays debug messages about connections to SSL VPN clients over WebVPN.
transformation        Displays debug messages about WebVPN content transformation.
url                   Displays debug messages about website requests that are issued over WebVPN connections.
util                  Displays debug messages about CPU use that is dedicated to support connections to WebVPN remote users.
xml                   Displays debug messages about XML that is sent over WebVPN connections.
level                 (Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Caution Debugging at higher levels will impact device performance.
Do not increase the debugging level during high network activity. It is important to observe a proper maintenance window for testing and debugging.

The following is example output from a Clientless SSL VPN session login, using the command debug webvpn 255:

    webvpn_auth.c:webvpn_auth[424]
    webvpn_session.c:http_webvpn_find_session[153]
    WebVPN: session has been authenticated.
    webvpn_portal.c:http_webvpn_kill_cookie[627]
    webvpn_auth.c:webvpn_auth[424]
    webvpn_session.c:http_webvpn_find_session[153]
    WebVPN: session has been authenticated.
    webvpn_session.c:http_webvpn_destroy_session[1165]

Login form for WebVPN authentication submitted:

    webvpn_portal.c:ewaFormSubmit_webvpn_login[1808]
    ewaFormSubmit_webvpn_login: tgCookie = 0
    ewaFormSubmit_webvpn_login: cookie = e94c5db0
    ewaFormSubmit_webvpn_login: tgCookieSet = 0
    ewaFormSubmit_webvpn_login: tgroup = NULL
    webvpn_portal.c:http_webvpn_kill_cookie[627]

Begin internal AAA authentication method:

    webvpn_auth.c:http_webvpn_pre_authentication[1905]
    WebVPN: calling AAA with ewaContext (-919280440) and nh (-917744992)!
    WebVPN: started user authentication.
    webvpn_auth.c:webvpn_aaa_callback[430]
    WebVPN: AAA status = (ACCEPT)
    webvpn_portal.c:ewaFormSubmit_webvpn_login[1808]
    ewaFormSubmit_webvpn_login: tgCookie = 0
    ewaFormSubmit_webvpn_login: cookie = e94c5db0
    ewaFormSubmit_webvpn_login: tgCookieSet = 0
    ewaFormSubmit_webvpn_login: tgroup = NULL
    webvpn_auth.c:http_webvpn_post_authentication[1180]

Username authenticated (student1):

    WebVPN: user: (student1) authenticated.
    webvpn_auth.c:http_webvpn_auth_accept[2330]
    webvpn_session.c:http_webvpn_create_session[175]
    webvpn_session.c:http_webvpn_find_session[153]
    WebVPN session created!
    webvpn_session.c:http_webvpn_find_session[153]
    webvpn_db.c:webvpn_get_server_db_first[161]
    http_remove_auth_handle(): handle 30 not found!
    webvpn_portal.c:ewaFormServe_webvpn_cookie[1600]
    webvpn_auth.c:webvpn_auth[424]
    webvpn_session.c:http_webvpn_find_session[153]
    webvpn_session.c:webvpn_update_idle_time[1253]
    WebVPN: session has been authenticated.
    webvpn_session.c:http_webvpn_find_session[153]
    webvpn_session.c:http_webvpn_find_session[153]
    webvpn_session.c:http_webvpn_find_session[153]
    webvpn_session.c:webvpn_update_idle_time[1253]

Debug AAA

The debug aaa command is used to debug AAA functions on the Cisco ASA security appliance, whether authenticating to the internal user database or to an external AAA server.

Troubleshooting Commands and Procedures—debug aaa

    debug aaa [accounting | authentication | authorization | internal | common [level]]

    ASA5520# debug aaa internal
    debug aaa internal enabled at level 1
    ASA5520# debug aaa common 255
    debug aaa common enabled at level 255
    ASA5520# show debug
    debug aaa internal enabled at level 1
    debug aaa common enabled at level 255

To show debug messages for AAA, use the debug aaa command in privileged EXEC mode. To stop showing AAA messages, use the no form of this command.

    debug aaa [accounting | authentication | authorization | internal | common [level]]
    no debug aaa

debug aaa

Command            Description
debug aaa option   Enables logging of AAA commands.
accounting         (Optional) Show debug messages for accounting only.
authentication     (Optional) Show debug messages for authentication only.
authorization      (Optional) Show debug messages for authorization only.
internal           (Optional) Show debug messages for AAA functions supported by the local database only.
common             (Optional) Show debug messages for VPN-related AAA functions only.

The following is example output from a Clientless SSL
VPN session login, using the commands debug aaa internal and debug aaa common 255:

AAA authentication start:

    ASA5520#
    AAA API: In aaa_open
    AAA session opened: handle = 33
    AAA API: In aaa_process_async
    aaa_process_async: sending AAA_MSG_PROCESS
    AAA task: aaa_process_msg(c75fa720) received message type 0
    AAA FSM: In AAA_StartAAATransaction
    AAA FSM: In AAA_InitTransaction
    Initiating authentication to primary server (Svr Grp: LOCAL)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: student1
    Resp:
    In localauth_ioctl
    Local authentication of user student1
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 33, pAcb = c8a9947c
    aaa_backend_callback: Error:
    AAA task: aaa_process_msg(c75fa720) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back-end response:
    Authentication Status: 1 (ACCEPT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = ACCEPT
    AAA_NextFunction: authen svr = LOCAL, author svr =
    AAA FSM: In AAA_SendMsg
    User: ClientlessSSLVPN-Group
    Resp:
    grp_policy_ioctl(9921100, 114698, c75f9ca8)
    grp_policy_ioctl: Looking up ClientlessSSLVPN-Group
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 33, pAcb = c8a9947c
    AAA task: aaa_process_msg(c75fa720) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back-end response:
    User Group Policy Status: 1 (ACCEPT)
    Resetting 0.0.0.0's numtries
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_USER_GRP_POLICY, auth_status = ACCEPT
    AAA_NextFunction: authen svr = LOCAL, author svr = , user pol = ClientlessSSLVPN-Group, tunn pol = DfltGrpPolicy
    AAA_NextFunction: New i_fsm_state = IFSM_TUNN_GRP_POLICY,
    AAA FSM: In AAA_InitTransaction
    aaai_policy_name_to_server_id(DfltGrpPolicy)
    Got server ID 0 for group policy DB
    Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server:
    AAA FSM: In AAA_SendMsg
    User: DfltGrpPolicy
    Resp:
    grp_policy_ioctl(9921100, 114698, c75f9ca8)
    grp_policy_ioctl: Looking up DfltGrpPolicy
    callback_aaa_task: status = 1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 33, pAcb = c8a9947c
    AAA task: aaa_process_msg(c75fa720) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back-end response:
    Tunnel Group Policy Status: 1 (ACCEPT)
    Resetting 0.0.0.0's numtries
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
    AAA_NextFunction: authen svr = LOCAL, author svr = , user pol = ClientlessSSLVPN-Group, tunn pol = DfltGrpPolicy
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    Checking time simultaneous login restriction for user student1
    AAA FSM: In AAA_Callback
    user attributes:
      1  Service-Type(6)
      2  Class(25)                                  22  "ClientlessSSLVPN-Group"
      3  Tunnelling-Protocol(4107)
      4  Forwarded ports(4168)                      15  "Port-Forwarding"
      5  Application Access Name(4175)              13  "Switch Telnet"
      6  Privilege Level(4316)
    user policy attributes:
      1  Tunnelling-Protocol(4107)
      2  URL List name(4167)                        16  "Student-Bookmark"
      3  Forwarded ports(4168)                      15  "Port-Forwarding"
      4  WebVPN URL Entry enable(4189)
      5  WebVPN File Server Entry enable(4191)
      6  WebVPN File Server Browsing enable(4192)
      7  WebVPN Port Forwarding enable(4193)
      8  WebVPN Customization(4209)                 16  "ClientlessSSLVPN"
      9  CIFS hidden shares(4222)
     10  WebVPN Smart Tunnel(4232)                  16  "ClientlessSSLVPN"
     11  WebVPN ActiveX Relay(4233)
     12  WebVPN Smart Tunnel Auto
         Download enable(4234)
    tunnel policy attributes:
      1  Filter-Id(11)
      2  Session-Timeout(27)
      3  Idle-Timeout(28)                            4  30
      4  Access-Hours(4097)                          0  ** Unresolved Attribute **
      5  Simultaneous-Logins(4098)
      6  Primary-DNS(4101)                           4  IP: 0.0.0.0
      7  Secondary-DNS(4102)                         4  IP: 0.0.0.0
      8  Primary-WINS(4103)                          4  IP: 0.0.0.0
      9  Secondary-WINS(4104)                        4  IP: 0.0.0.0
     10  Tunnelling-Protocol(4107)
    <snip>
    Auth Status = ACCEPT
    AAA API: In aaa_close
    AAA API: In aaa_send_acct_start
    AAA task: aaa_process_msg(c75fa720) received message type 3
    In aaai_close_session (33)

(The length and value columns of the attribute rows are omitted where the printed output is not legible.)

Problem Resolution

There are two common scenarios that are involved with troubleshooting Clientless and Port-Forwarding SSL VPNs.

Problem Resolution—User Cannot Connect to Clientless SSL VPN
■ If the client cannot connect by using the Clientless SSL VPN:
  - Verify that the SSL VPN (WebVPN) is enabled on the proper network interface.
  - Verify that the Clientless SSL VPN is selected as an allowed protocol under the SSL VPN group policy.
  - Verify that the user is associated with the proper group policy.
  - If using local authentication, verify the username and password.
  - If using a remote AAA server, verify the username and password as well as the server configuration and communication to the AAA server.
■ The following debug commands are useful:
  - debug webvpn 255
  - debug aaa internal
  - debug aaa common 255

If the client cannot connect to the Clientless SSL VPN, follow these procedures:
■ Verify that the Clientless SSL VPN (WebVPN) is enabled on the proper network interface.
■ Verify that the Clientless SSL VPN is chosen as an allowed protocol under the SSL VPN group policy.
■ Verify that the user is associated with the proper group policy.
■ If using local authentication, verify the username and password.
■ If using a remote AAA server, verify the username and password as well as the server configuration and communication to the AAA server.

The following debug commands are useful:
■ debug webvpn 255
■ debug aaa internal
■ debug aaa common 255

Problem Resolution—Application Not Working Through Clientless SSL VPN
■ If the application is not working through the Clientless SSL VPN:
  - Verify that the configured path to the application is executable.
  - Import any available plug-ins for the desired application.
  - Verify that the application used for port forwarding uses static, TCP-based ports.
  - If the application does not work with port forwarding, try configuring it as a smart tunnel:
    - Smart Tunnel Application List
    - Smart Tunnel option for bookmark
  - Verify that other applications are working through the SSL VPN.
  - Verify that the Cisco ASA has been listed as a trusted site.
  - Try using a different browser, if available.

If the application is not working through the Clientless SSL VPN, follow these procedures:
■ Verify that the configured path to the application is executable.
■ Import any available plug-ins for the desired application.
■ Verify that the application that is used for port forwarding uses static, TCP-based ports.
■ If the application does not work with port forwarding, try configuring it as a smart tunnel:
  - Smart Tunnel Application List
  - Smart Tunnel option for bookmark
■ Verify that other applications are working through the SSL VPN.
■ Verify that the Cisco ASA security appliance has been listed as a trusted site.
■ Try using a different browser, if available.

Problem Resolution—Application Not Working Through Clientless SSL VPN (Cont.)
■ If the application is not working through the Clientless SSL VPN:
  - Clear the web browser cache.
  - Clear the Java cache.
  - View the operating system event logs for any application errors.
  - Delete the ActiveX control and relay.dll.
■ The following debug commands are useful:
  - debug webvpn 255
  - debug webvpn javascript trace

If the application is not working through the Clientless SSL VPN, follow these procedures:
■ Clear the web browser cache.
■ Clear the Java cache.
■ View the operating system event logs for any application errors.
■ Delete the ActiveX control and relay.dll.

The following debug commands are useful:
■ debug webvpn 255
■ debug webvpn javascript trace

Summary

This topic summarizes the key points learned in this lesson.

Summary
■ Clientless SSL VPNs use end-station web browsers to connect to the SSL VPN.
■ By using a thin-client Java helper, Port-Forwarding SSL VPNs provide support for applications that are not directly supported by Clientless SSL VPN.
■ Clientless SSL VPNs can be configured on the Cisco ASA security appliance by using the SSL VPN Wizard in the Cisco ASDM.
■ Port forwarding is configured as a port-forwarding list that is then assigned to an SSL VPN group policy.
■ Additional SSL VPN features, such as user interface customization or e-mail proxy, can be configured by using their respective configuration sections under the Clientless SSL VPN Access and Advanced submenus.

Summary (Cont.)
■ Smart tunnels provide access for applications that are not supported by Clientless SSL VPN.
■ Smart tunnels improve upon port forwarding by not requiring a local connection to the local application.
■ debug webvpn and debug aaa provide useful information for troubleshooting Clientless and Port-Forwarding SSL VPN connections.
■ Several troubleshooting steps include adding the Cisco ASA security appliance as a trusted network site, clearing the web browser cache, and clearing the Java cache.

Lesson 3

Configuring Full Network Access SSL VPN

Overview

This lesson introduces the configuration of Full Network Access Secure Sockets Layer (SSL) virtual private networks (VPNs), using the Cisco AnyConnect SSL VPN Client. In addition to its configuration, verification and troubleshooting of the Cisco AnyConnect SSL VPN Client will be covered as well.

Objectives

Upon completing this lesson, you should be able to describe and configure the Cisco ASA adaptive security appliance for Full Network Access SSL VPN, using the Cisco AnyConnect SSL VPN Client. This ability includes being able to meet these objectives:
■ Describe the features of the Cisco AnyConnect SSL VPN Client
■ Describe the different installation methods available for the Cisco AnyConnect SSL VPN Client
■ Configure DTLS for the Cisco AnyConnect SSL VPN Client
■ Configure the advanced features of the Cisco AnyConnect SSL VPN Client
■ Configure certificate-based authentication for the Cisco AnyConnect SSL VPN Client
■ Verify the Cisco AnyConnect SSL VPN Client operation
■ Troubleshoot the Cisco AnyConnect SSL VPN Client operation

Cisco Full Network Access SSL VPN Overview

This topic will discuss the features that are available when deploying the Cisco AnyConnect SSL VPN Client.

Remote-Access Networks Using SSL
VPNs
■ Lower deployment requirements
■ Limited network access
■ Additional security concerns

SSL VPNs provide a flexible means of extending network resources and applications to remote users. When using a Clientless SSL VPN deployment model, corporations have the additional flexibility of providing access to corporate resources even when the remote device is not corporate managed. In this deployment model, the Cisco ASA security appliance acts as a proxy device to network resources, and it provides a web portal interface with which remote devices can navigate the network. Additionally, the remote device only requires a supported web browser with built-in SSL functionality to access the SSL VPN network. Although more flexible than client-based SSL VPNs, Clientless SSL VPNs provide only limited network application or resource access and include additional security risks when using non-corporate-managed clients.

Full Network Access SSL VPNs operate much like standard IP Security (IPsec) VPN clients in the way that they provide network access. In comparison to the Clientless SSL VPN deployment model, there are no network access restrictions for resources or applications. Full Network Access SSL VPNs require more planning for network deployment because they require that a client be installed on the remote systems. This requirement makes it difficult to deploy on non-corporate-managed systems because most SSL VPN clients require administrator privileges to install. The use of corporate-managed systems provides tighter control of endpoint security.

Note It is very important that all client systems, including corporate-managed systems, are secured.
Failure to do so may result in network penetration because tunneled clients will bypass external network security measures.

Remote-Access VPN Clients: Client Comparison

The following table compares the available VPN clients from Cisco. The clients listed include the IPsec VPN Client, the Cisco AnyConnect SSL VPN Client, and the legacy SSL VPN Client (SVC) associated with Cisco ASA Adaptive Security Appliance Software 7.x.

Remote-Access VPN Client Comparison

                           IPsec Client   AnyConnect SSL VPN Client   SVC SSL VPN Client
Approximate size           ~10 MB         ~2.5 MB                     400 KB
Initial install            Distribute     Autodownload, distribute    Autodownload, distribute
Admin rights required      Yes            Yes, initial install only   Yes, stub install only
Protocol                   IPsec          TLS, DTLS                   TLS
Operating system support   Multiple*      Multiple**                  2000/XP
Headend                    ASA/PIX        ASA                         ASA
Client reboot required     Yes            No                          No

* W2K/XP x32, Vista x32, Mac OS X 10.4/10.5, Linux Kernels 2.6, Solaris UltraSparc
** W2K x32, XP x32/x64, Vista x32/x64, Mac OS X 10.4/10.5, Linux Kernels 2.6

Cisco AnyConnect SSL VPN Client

The Cisco AnyConnect SSL VPN Client is the next-generation VPN client, providing remote users with secure VPN connections to the Cisco ASA 5500 Series Adaptive Security Appliance running version 8.0 and higher or Cisco Adaptive Security Device Manager (ASDM) 6.0 and higher. It does not work with a Cisco PIX device or with a Cisco VPN 3000 Series Concentrator.
Cisco AnyConnect SSL VPN Client
■ Does not work with Cisco PIX or Cisco 3000 Series VPN Concentrators
■ Traditional-style client delivered through automatic download
■ Requires administrative privileges for initial install only
■ Can use TLS or DTLS as transport
■ Can be upgraded from a previous version upon connection

As the network administrator, you configure the Cisco AnyConnect Client features on the security appliance. Then, you can load the client software on the security appliance and have it automatically download to remote users when they log in, or you can manually install the client software as an application on PCs. The client allows user profiles that are displayed in the user interface and define the names and addresses of host computers. The network administrator can assign particular features to individual users or groups. Initial installation of the SSL VPN Client requires administrator privileges after the user has connected to the security appliance. Additionally, the client can be configured to use legacy Transport Layer Security (TLS) SSL connectivity or can be configured to use Datagram Transport Layer Security (DTLS).

Note The Cisco PIX security appliance does not support SSL VPN connections, either clientless or client-based (Cisco AnyConnect).

Cisco AnyConnect SSL VPN Client Features

The Cisco AnyConnect Client includes features that enhance the client VPN experience.

Cisco AnyConnect Client Features
■ Datagram Transport Layer Security (DTLS)
■ Fallback from DTLS to TLS
■ Start Before Logon (SBL)
■ Certificate-only authentication
■ Simultaneous Cisco AnyConnect Client and clientless, browser-based connections
■ Compression
■ Language translation (localization)
■ DAP support
■ Cisco Secure Desktop support
■ Rekey
■ IPv6 VPN access

The Cisco AnyConnect SSL VPN Client
features include the following:

■ Datagram Transport Layer Security (DTLS) with SSL connections: Avoids latency and bandwidth problems that are associated with some SSL-only connections and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt).

■ Fallback from DTLS to TLS: Provides a way of falling back from DTLS to TLS if DTLS is no longer working.

■ Standalone mode: Allows a Cisco AnyConnect VPN Client to be established as a PC application without the need to use a web browser to establish a connection.

■ Command-line interface (CLI): Provides direct access to client commands at the command prompt.

■ Microsoft Installer (MSI): Gives Windows users a preinstall package option that provides installation, maintenance, and removal of Cisco AnyConnect Client software on Windows systems.

■ IP version 6 (IPv6) VPN access: Allows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OS X, and Linux only).

■ Start Before Logon (SBL): Allows for login scripts, password caching, drive mapping, and more, for Windows.

Note SBL cannot be used in conjunction with the Cisco AnyConnect SSL VPN Client if the Cisco ASA security appliance has enabled Cisco Secure Desktop for the user and is running Cisco ASA software version 8.0(2). Integration of these features is implemented in Cisco ASA software version 8.0(3) and Cisco AnyConnect SSL VPN Client version 2.1.

■ Certificate-only authentication: Allows users to connect with a digital certificate and not provide a user ID and password.

■ Simultaneous Cisco AnyConnect Client and clientless, browser-based connections: Allows a user to have both a Cisco AnyConnect (standalone) connection and a Clientless SSL VPN connection (through a browser) at the same time to the same IP address.
Each connection has its own tunnel.

■ Compression: Increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred. Compression works only for TLS.

■ Language translation (localization): Provides a way of implementing translation for user messages that appear on the client user interface.

■ Dynamic Access Policy (DAP): Lets you configure authorization that addresses the variables of multiple group membership and endpoint security for VPN connections.

■ Cisco Secure Desktop support: Validates the security of client computers that are requesting access to your SSL VPN, helps ensure that they remain secure while they are connected, and attempts to remove traces of the session after they disconnect. The AnyConnect VPN Client supports the Secure Desktop functions of Cisco Secure Desktop for Windows 2000 and Windows XP.

■ Rekey: Specifies that SSL renegotiation takes place during rekey.

Note The Cisco AnyConnect VPN Client can coexist with the IPsec Cisco VPN Client, but they cannot be used simultaneously.

Cisco AnyConnect SSL VPN Client Installation Options

The Cisco AnyConnect SSL VPN Client can be installed several different ways on the supported list of client operating systems.

Cisco AnyConnect SSL VPN Client Installation Options
■ Supported operating systems
  - Windows Vista
  - Windows XP
  - Windows 2000
  - Macintosh OS X 10.4 or later
  - Red Hat Linux 9 or later
■ Web launch
  - Initiate through a web browser; log in through the portal
  - Autodownload (ActiveX/Java)
  - Manual download
■ Manual MSI installer

The Cisco AnyConnect SSL VPN Client packages can be downloaded from the Cisco website and uploaded to the Cisco ASA security appliance so that clients can download the SSL VPN Client as needed.
The Cisco AnyConnect SSL VPN Client supports the following operating systems:

■ Windows Vista
■ Windows XP
■ Windows 2000
■ Mac OS X (Version 10.4 or later) on either Intel or PowerPC
■ Red Hat Linux (Version 9 or later)

See the Release Notes for the full set of platform requirements and supported versions.

Web Launch

The web launch installation method requires that the client system connect to the Cisco ASA security appliance by using a compliant web browser over an SSL connection. After being connected and authenticated, the security appliance will redirect the user to the Cisco AnyConnect SSL VPN Client installation through ActiveX or Java. After the remote device has successfully installed the new software, the Cisco AnyConnect SSL VPN Client will automatically log the user onto the network using the credentials originally supplied during the web session.

Manual Installation

In addition to the autodownload packages available from the Cisco ASA security appliance, the remote device can also install the Cisco AnyConnect SSL VPN Client manually by using an MSI installer on Windows-based systems. This installer is not a downloaded package from the security appliance, and the client will not be required to use a web browser for initial access to the network. After it is installed, the SSL VPN Client can be used to access the desired network resources.

Cisco AnyConnect SSL VPN Client Connection Options

The Cisco AnyConnect SSL VPN Client can be used to connect to the network in several different ways.

[Slide: Cisco AnyConnect SSL VPN Client Connection Options. Standalone Mode: command line. Web-Based Initiation: web portal (manual or autoconnect).]

The following are the supported connection options when using the Cisco AnyConnect SSL VPN Client:

■ Web-based initiation: The web-based initiation can take place through either a configured web portal on the security appliance or through an autoconnect method. If no web portal has been configured (for example, Clientless SSL VPN was not enabled on the security appliance interface), the security appliance will automatically start the Cisco AnyConnect SSL VPN Client after the user logs into the main page. The Cisco AnyConnect Client will use the credentials that are supplied for the web page to attempt to log the user into the network.

■ Standalone mode: The standalone method involves the use of the Cisco AnyConnect SSL VPN Client without using a web browser to navigate to the security appliance first. The client system can use the shortcut or Start menu to access the software GUI or a CLI interface that is located in the default install directory. The default location of the CLI software install location is C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpncli.exe.

Configuring Cisco AnyConnect SSL VPN

This topic will discuss the steps that are required to configure the Cisco AnyConnect SSL VPN Client for remote access VPNs.

Complete the following tasks to create a Cisco AnyConnect SSL VPN in your configuration:

■ Task 1: Choose the SSL VPN wizard.
■ Task 2: Choose the Cisco SSL VPN Client.
■ Task 3: Configure the SSL VPN interface.
■ Task 4: Configure user authentication.
■ Task 5: Configure a user group policy.
■ Task 6: Configure a bookmark list.
■ Task 7: Configure an IP address pool.
■ Task 8: Configure the Cisco AnyConnect SSL VPN Client location.
■ Task 9: Verify the SSL VPN Connection wizard configuration.
■ Task 10: Modify the Cisco AnyConnect SSL VPN group policy.

Choose the SSL VPN Wizard

The first task requires that you choose the SSL VPN wizard.

To choose the SSL VPN wizard, complete the following step:

Step 1 Navigate to the Wizards menu and select SSL VPN Wizard.

In this figure, the SSL VPN wizard was selected from the Wizards menu.

Choose Cisco SSL VPN Client

The next task requires that you choose the Cisco SSL VPN Client.

■ Clientless SSL VPN Access: Enables clientless, browser-based connections for specific, supported internal resources through a portal page.
■ Cisco SSL VPN Client (AnyConnect VPN Client): Enables SSL VPN Client connections for full network access. Enables the security appliance to download the Cisco AnyConnect Client to remote users.

To choose the Cisco SSL VPN Client, complete the following steps:

Step 1 Click the Cisco SSL VPN Client (AnyConnect VPN Client) check box.
Step 2 (Optional) Click Clientless SSL VPN Access. Choose Clientless SSL VPN Access if your deployment requires users to log into a web portal to launch the Cisco AnyConnect SSL VPN Client (Web Launch). If you do not choose Clientless SSL VPN Access, users who log in by using the SSL page on the security appliance will automatically be redirected for the download or launch of the Cisco AnyConnect SSL VPN Client.
Step 3 Click Next to continue.

In this figure, both the Clientless SSL VPN Access and Cisco SSL VPN Client (AnyConnect VPN Client) check boxes are selected. The Clientless SSL VPN Access box is selected so that a web portal will be available to the users of the Cisco AnyConnect SSL VPN.

Configure the SSL VPN Interface

The next task requires that you identify which interface will be used for the SSL VPN connection.

By default, the Cisco ASA security appliance will use a self-signed certificate to send to the client for authentication. If required, the security appliance can be configured to use a certificate that is purchased from a well-known certificate authority, such as VeriSign, for use with connecting clients. If you purchase a certificate, you can choose it in the Digital Certificate drop-down menu.

To configure the SSL VPN Interface, complete the following steps:

Step 1 Enter a name for the Clientless SSL VPN connection in the Connection Name field.
Step 2 From the SSL VPN Interface drop-down menu, choose the interface that is to be used with Clientless SSL VPN.
Step 3 (Optional) From the Certificate drop-down menu, choose a third-party certificate that has been installed on the security appliance for use with connecting SSL VPN Clients.
Step 4 Click Next to continue with the SSL VPN wizard.

Note: As with Clientless SSL VPN configurations, the Information field on this screen identifies the access URLs for specific services, such as Cisco ASDM and SSL VPN.

In this figure, the SSL VPN interface was given a name of "AnyConnect," the outside interface was chosen as the SSL VPN interface, and because certificates are not currently in use, "None" was chosen.

Configure User Authentication

The next task requires that you configure user authentication.

User authentication may be handled by external authentication servers (such as RADIUS) or it may be handled locally using the Cisco ASA local user database.
To configure user authentication using the local user database, complete the following steps:

Step 1 Click the Authenticate Using the Local User Database radio button.
Step 2 Configure a username and password for the desired user.
Step 3 Click Add to add the user to the local user database.
Step 4 Click Next to continue with the SSL VPN wizard.

In this figure, two user accounts have been created: student1 and student2.

Configure a User Group Policy

The next task requires that you either modify the default user group policy or create a new one. You can choose an existing user group policy to modify, or you can add a new user group policy for the Clientless SSL VPN connection.

To create a new user group policy, complete the following steps:

Step 1 Click the Create New Group Policy radio button.
Step 2 Configure a name for the new user group policy.

Note: By default, the created user group policy will inherit its settings from the DfltGrpPolicy. These settings can be modified after the wizard has been completed by navigating to the Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies submenu.

In this figure, a new group policy is created named AnyConnectPolicy.

Configure a Bookmark List

The next task requires that you choose a previously configured bookmark list or create a new one.

Refer to "Clientless and Port-Forwarding SSL VPN Configuration" in the "Configuring Clientless SSL VPNs" lesson for more information on bookmark lists and how to configure them.

To choose a previously configured bookmark list, complete the following steps:

Step 1 Choose a previously configured bookmark from the Bookmark List drop-down menu.
Step 2 Click Next to continue with the SSL VPN wizard.

In this figure, no bookmark list was created. The bookmark list configured during the "Configuring Clientless SSL VPNs" lesson was selected for use.

Configure an IP Address Pool

The next task requires that you configure an IP address pool to be used for client address assignment. Remote PCs are assigned addresses from the pool when they connect to the security appliance through the Cisco AnyConnect Client.

The IP address pool configuration is required for successful client-based SSL VPN connectivity. Without an available IP address pool, the connection to the security appliance will fail.

Step 1 Either choose a preconfigured IP address pool from the IP Address Pool drop-down menu, or click New to create a new one. The following items must be included in the IP address pool configuration:

■ Name: A name to be associated with the IP address pool.
■ Starting IP Address: Starting IP address of the range to be assigned to client SSL VPN connections.
■ Ending IP Address: Ending IP address of the range to be assigned to the client SSL VPN connections.
■ Subnet Mask: Choose the desired subnet mask of the IP address pool from the drop-down menu.

Step 2 Click OK to accept the newly configured IP Address Pool.

In this figure, the connecting AnyConnect SSL VPN Clients will use the newly created address pool. The address range used by the configured IP address pool is 172.26.104.101 to 172.26.104.110/24.

Configure Cisco AnyConnect SSL VPN Client Location

The next task will require you to select the location of the Cisco AnyConnect SSL VPN Client.

For client systems to download the Cisco AnyConnect SSL VPN Client automatically from the security appliance, specify the location of the SSL VPN Client in the configuration.

To configure the location of the Cisco AnyConnect SSL VPN Client, complete the following steps:

Step 1 Browse to identify the location of the image.
Step 2 Click Browse Flash if the image file is already located on the Cisco ASA security appliance, or Upload if you have a copy on the local machine to upload to the security appliance.
Step 3 Browse to the location of the Cisco AnyConnect SSL VPN Client in the flash memory and click OK.
Step 4 Click OK again to accept the location of the Cisco AnyConnect SSL VPN Client.

In this figure, the Cisco AnyConnect SSL VPN Client location has been selected through the Cisco ASDM wizard. In this case, the image already resides on the security appliance, but the location of the image must still be specified for autodownload to work properly.

Completed IP Address Pool and Image Location Configuration

Step 5 After you have finished the configuration of the IP address pool and the SSL VPN Client location, click Next to continue with the SSL VPN wizard.

Note: A warning will pop up reminding you to configure a Network Address Translation (NAT) exemption rule for the configured IP address pool if NAT is currently in use. Like IPsec, SSL client address pools must be exempt from the NAT process because NAT translation occurs prior to encryption functions.

In this figure, the location of the AnyConnect SSL VPN Client has been identified, and the IP address pool for the clients has been configured. This screen shows the pop-up received after you click Next to continue with the wizard.

Verify SSL VPN Connection Wizard Configuration

The next task requires that you verify the configuration that the SSL VPN wizard will send to the Cisco ASA security appliance.

Verify that the information that is configured in the SSL VPN wizard is correct, and click Finish to finish the wizard and send the configuration to the security appliance.
Commands Sent to the Cisco ASA from the Cisco ASDM

Note: Apply the changes to the Cisco ASA security appliance and save the configuration.

The following is output sent from the Cisco ASDM to the Cisco ASA security appliance, based on the configuration from the SSL VPN wizard:

configure terminal
webvpn
 enable outside

SSL VPN Client Location:
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable

User Authentication Configuration:
username student2 password LqURV2sUSjuvrkw1 encrypted privilege 0
username student2 attributes
 vpn-group-policy AnyConnectPolicy
username student1 password LqURV2sUSjuvrkw1 encrypted privilege 0
username student1 attributes
 vpn-group-policy AnyConnectPolicy

Local IP Address Pool:
ip local pool AnyConnectPool 172.26.104.101-172.26.104.110 mask 255.255.255.0

group-policy AnyConnectPolicy internal
group-policy AnyConnectPolicy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Student-Bookmark
  svc enable
tunnel-group AnyConnect type remote-access

Assigned Group Policy and Local IP Address Pool:
tunnel-group AnyConnect general-attributes
 default-group-policy AnyConnectPolicy
 address-pool AnyConnectPool

Modify the Cisco AnyConnect SSL VPN Group Policy

The final task requires that you modify the newly created user group policy that is associated with the Cisco AnyConnect SSL VPN.

The IP address pool that was created by the SSL VPN wizard is not automatically associated with the group policy. You must assign the IP address pool
to the group policy for the Cisco AnyConnect SSL VPN Client to connect successfully to the security appliance.

To assign the configured IP address pool to the group policy, complete the following steps:

Step 1 Navigate to the Configuration > Remote Access VPN > Network (Client) Access > Group Policies pane. Choose the AnyConnectPolicy and click Edit. The Edit Internal Group Policy: AnyConnectPolicy window opens.
Step 2 From the Edit Internal Group Policy: AnyConnectPolicy navigation pane, choose the General submenu and uncheck the Inherit box to choose an IP address pool.
Step 3 Click Select to choose the IP address pool to associate to this group policy.

In this figure, the SSL VPN group policy, AnyConnectPolicy, is selected to be edited. After you open the editing window, configure the address pool that will be used with this group policy, and the proper SSL VPN protocols will be enabled for use with the SSL VPN connections.

Verifying Cisco AnyConnect SSL VPN Operation

This topic will discuss the tasks required to verify the Cisco AnyConnect SSL VPN Client operation.

Complete the following tasks to verify the Cisco AnyConnect SSL VPN operation:

■ Task 1: Download the Cisco AnyConnect SSL VPN Client.
■ Task 2: Verify client operation by using Cisco ASDM.
■ Task 3: Verify client operation by using the Cisco ASA CLI.

Download Cisco AnyConnect SSL VPN Client

The first task for verifying the Cisco AnyConnect SSL VPN operation is to download the Cisco AnyConnect SSL VPN Client to the target client system.

To download the Cisco AnyConnect SSL VPN Client to the host system, complete the following steps:

Step 1 Open a compliant web browser and enter the login URL for the SSL VPN into the address field.

Note: The prefix to the path changes depending on whether or not you require authentication. The security appliance uses /+CSCOE+/ for objects that require authentication, and /+CSCOU+/ for objects that do not. The security appliance displays /+CSCOE+/ objects on the portal page only, while /+CSCOU+/ objects are visible and usable in either the logon or the portal pages.

Step 2 Enter the previously configured username and password and click Login.

In this figure, the configured username of student1 and the password of cisco are used to log in to the Cisco AnyConnect SSL VPN.

Download Cisco AnyConnect SSL VPN Client (Cont.)

To start the Cisco AnyConnect SSL VPN Client download process, complete the following tasks:

Step 3 Navigate to the AnyConnect tab on the left menu pane. After you have logged into the SSL VPN web portal, this page can be displayed by default. Notice the use of a previously configured SSL VPN web portal with additional support for Cisco AnyConnect SSL VPN.
Step 4 To begin download of the Cisco AnyConnect SSL VPN Client, choose the Start AnyConnect link from the web browser.

Note: If the Cisco AnyConnect SSL VPN Client has already been downloaded to the target client system, this link can be used to connect to the SSL VPN using the installed client. If the Clientless SSL VPN Access box is not selected during the SSL VPN wizard configuration, the web portal will not be displayed. Instead, the user will automatically be redirected to the download/connection page.

This figure illustrates the Cisco AnyConnect submenu that is located on the main web portal page.
The AnyConnect submenu provides a Start AnyConnect link that can be used to download and install the Cisco AnyConnect SSL VPN Client or to start the Cisco AnyConnect SSL VPN session after installation.

Download Cisco AnyConnect SSL VPN Client (Cont.)

After you choose the Start AnyConnect link, the autodownload process will begin a series of compliance checks for the target system. The following items are checked on the host system:

■ Platform Detection: The security appliance first queries the client system in an attempt to identify the type of client that is connecting to the security appliance. Based on the platform identified, the proper software package can be autodownloaded.
■ ActiveX: Detects whether ActiveX is available on the host system for client download. For ActiveX to operate properly with the Cisco ASA security appliance, it is important that the security appliance is added as a trusted network site. ActiveX will be used for client download if a web portal is not in use.
■ Java Detection: Detects whether a supported version of Java is available on the host system for client download. Java will be used for client download if a web portal page has been configured.

In this figure, the Cisco AnyConnect SSL VPN Client is in the process of downloading to the host system.

Download Cisco AnyConnect SSL VPN Client (Cont.)

[Slide: the web session logs the user into the SSL VPN network by using the newly installed client; client connection details.]

After the client completes the autodownload of the Cisco AnyConnect SSL VPN Client, the web session will automatically launch the Cisco AnyConnect SSL VPN Client and attempt to log the user into the network by using the same credentials supplied when logging into the web portal. After the connection has been established, an icon will appear in the system tray identifying that the client has successfully connected to the SSL VPN network. Double-clicking on the icon in the system tray will show additional connection statistics and information. This client interface can also be used to log the user out. Future SSL VPN sessions can be launched through the web portal or through the installed Cisco AnyConnect SSL VPN Client.

Manual Cisco AnyConnect SSL VPN Client Installation

The Cisco AnyConnect SSL VPN Client can be manually installed if a web portal is not configured or desired, based on network policy.

■ The Cisco AnyConnect SSL VPN Client can be manually installed if a web portal is not configured.
■ The following operating system install types are supported for manual installation:
  – Microsoft XP, 2000, or Vista: installation by using an MSI file.
  – Macintosh OS X 10.4 (or later): installation by using a DMG file.
  – Linux: installation by using a shell script.
■ All client software installation packages can be downloaded from Cisco.com.

Installing the Cisco AnyConnect Client Using the Microsoft Windows Installer on a PC that is Running Windows

To install the Cisco AnyConnect Client on a PC running Windows, complete the following steps:

Note: Vista users must add the security appliance to the trusted zone for automatic installation by the security appliance to work (CSCsh23752).

Step 1 Exit all Windows programs, and disable any antivirus software (recommended).
Step 2 Download the AnyConnect Client MSI file from the Cisco site; for example, anyconnect-win-2.0.xxx.msi, where xxx represents the current build number. See the Release Notes for the current release for the full set of operating-system-specific download sites.
Step 3 Double-click the MSI file. The welcome screen for the Cisco AnyConnect VPN Client Setup wizard displays.
Step 4 Click Next. The End-User License Agreement displays. Accept the license agreement and click OK.
The Select Installation Folder screen displays.
Step 5 Accept the default folder or enter a new folder and click Next. The Ready to Install screen displays.
Step 6 Click Install. The client installs and displays the status bar during installation. After installing, the Completing the Cisco AnyConnect VPN Client Setup Wizard screen displays.
Step 7 Click Next. The wizard disappears and the installation is complete.

MSI gives Windows users a preinstall package option that provides installation, maintenance, and removal of Cisco AnyConnect Client software on Windows systems. Cisco suggests that you accept the defaults unless your system administrator has instructed otherwise.

Installing the Cisco AnyConnect Client on a PC that is Running Mac OS X

The Cisco AnyConnect Client image for Mac OS X is a DMG disk image installation package. To install the Cisco AnyConnect Client on a system that is running Mac OS X, follow these steps:

Step 1 Transfer the installation package file to the desktop and double-click the file. Choose one of the following files:
■ anyconnect-macosx-i386-2.0.xxx.dmg
■ anyconnect-macosx-powerpc-2.0.xxx.dmg
This creates a VPN icon representing the installation package file.
Step 2 Double-click the VPN icon to initiate the installation. Follow the sequence of the vpnclient installer, accepting the licensing agreement, selecting the destination volume, and then choosing the Upgrade option to perform a basic installation.

Installing the Cisco AnyConnect Client on a PC that is Running Linux

To install the Cisco AnyConnect Client on a PC that is running Linux, follow these steps:

Step 1 For Linux, the client files are contained in a tar/gz file. Unpack the archive with a tar command. For example:

tar xvzf AnyConnect-Linux-Release-2.0.0xxx.tar.gz

Note: The files necessary for installation are placed in the folder ciscovpn.

Step 2 Change to the ciscovpn folder.
Step 3 As a root user, run the script named vpn_install.sh. For example:

[root@linuxhost]# cd ciscovpn
[root@linuxhost]# ./vpn_install.sh

The client installs in the directory /opt/cisco/vpn. This script also installs the daemon vpnagentd and sets it up as a service that is automatically started when the system boots.

After installing the client, you can start the client manually from the user interface with the Linux command /opt/cisco/vpn/bin/vpnui or with the client CLI command /opt/cisco/vpn/bin/vpn.

Verify Client Operation by Using Cisco ASDM

This task requires that you use the Cisco ASDM to verify client operation.

To verify Cisco AnyConnect SSL VPN Client operation by using the Cisco ASDM, complete the following step:

Step 1 Navigate to the Monitoring > VPN > VPN Statistics > Crypto Statistics submenu and choose the SSL Protocol from the drop-down menu. You will see SSL protocol statistics, but no session-level statistics for the connection.

This figure illustrates the Crypto Statistics for a given protocol. In this case, the SSL protocol is chosen.

Verify Client Operation Using Cisco ASDM (Cont.)

To view specific tunnel information, complete the following tasks:

Step 2 Additionally, you can view session-level statistics by navigating to the Monitoring > VPN > VPN Statistics > Sessions submenu.
Step 3 Choose SSL VPN Client from the drop-down menu to view currently active Cisco AnyConnect SSL VPN sessions.
Step 4 For further information about the session, click the Details button. The additional information provided will include session information about SSL tunnels, DTLS tunnels, and user NAC policies in use.

In this figure, the session information for the connected Cisco AnyConnect SSL VPN tunnel is shown. The window provides detailed information on the Cisco AnyConnect SSL VPN tunnel and the DTLS tunnel (if used).
Verify Client Operation by Using Cisco ASA CLI

The last task for the verification of client operation requires that the user gather connection information by using the Cisco ASA CLI.

■ show vpn-sessiondb detail webvpn | svc: Shows detailed remote-access VPN session information similar to the Cisco ASDM session monitoring panel. May be shown in detailed or summary views.
■ show crypto protocol statistics ssl: Shows SSL protocol statistics for the crypto engine that provides encryption and decryption processing information.
■ show compression svc: Shows detailed information about session compression. Statistics will not populate for encryption while DTLS is in use with the Cisco AnyConnect SSL VPN Client.

The following is sample output from the Cisco ASA CLI to verify Cisco AnyConnect SSL VPN operation:

ASA5520(config)# show vpn-sessiondb detail svc

Session Type: SVC Detailed

Username     : student1
Assigned IP  : 172.26.104.101         Public IP    : 192.168.207.127
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 362753                 Bytes Rx     : 298019
Pkts Tx      : 2031                   Pkts Rx      : 183
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : AnyConnectPolicy       Tunnel Group : DefaultWEBVPNGroup
Login Time   : 17:46:37 UTC Mon Feb 11 2008
Duration     : 0h:14m:23s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Clientless Tunnels: 1    SSL-Tunnel Tunnels: 1    DTLS-Tunnel Tunnels: 1

Clientless:
  Tunnel ID    : 13.1
  Public IP    : 192.168.207.127
  Encryption   : RC4                  Hashing      : SHA1
  TCP Dst Port : 443                  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes           Idle TO Left : 16 Minutes
  Client Type  : Web Browser
  Client Ver   : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET
  Bytes Tx     : 362305               Bytes Rx     : 284343

SSL-Tunnel:
  Tunnel ID    : 13.2
  Assigned IP  : 172.26.104.101       Public IP    : 192.168.207.127
  Encryption   : RC4                  Hashing      : SHA1
  TCP Src Port : 2372                 TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes           Idle TO Left : 16 Minutes
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Client 2, 0, 0343
  Bytes Tx     : 448                  Bytes Rx     : 0
  Pkts Tx      : 1                    Pkts Rx      : 0
  Pkts Tx Drop : 0                    Pkts Rx Drop : 0

DTLS-Tunnel:
  Tunnel ID    : 13.3
  Assigned IP  : 172.26.104.102       Public IP    : 192.168.207.127
  Encryption   : AES128               Hashing      : SHA1
  UDP Src Port : 2375                 UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes           Idle TO Left : 29 Minutes
  Client Type  : DTLS VPN Client
  Client Ver   : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET
  Bytes Tx     : 0                    Bytes Rx     : 33676
  Pkts Tx      : 0                    Pkts Rx      : (illegible in source)
  Pkts Tx Drop : 0                    Pkts Rx Drop : 0

NAC:
  Reval Int (T): 0 Seconds            Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds            EoU Age(T)   : 863 Seconds
  Hold Left (T): 0 Seconds            Posture Token:
  Redirect URL :

The command shows detailed remote access VPN session information similar to the ASDM session monitoring panel. This command can be shown in detailed or summary views.

ASA5520(config)# show crypto protocol statistics ssl
[ssl statistics]
Encrypt packet requests: 16908
Encapsulate packet requests: 16908
Decrypt packet requests: 1273
Decapsulate packet requests: 1273
HMAC calculation requests: 10181
SA creation requests: 246
SA rekey requests: 0
SA deletion requests: 244
Next phase key allocation requests: 0
Random number generation requests: (illegible in source)
Failed requests: 0

This command shows SSL protocol statistics for the crypto engine that provides encryption and decryption processing information.

ASA5520(config)# show compression svc
Compression SVC Sessions
  Compressed Frames
  Compressed Data In (bytes)
  Compressed Data Out (bytes)
  Expanded Frames
  Compression Errors
  Compression Resets
  Compression Output Buf Too Small
  Compression Ratio
  Decompressed Frames
  Decompressed Data In
  Decompressed Data Out
  Decompression CRC Errors
  Decompression Errors             0
  Decompression Resets             0
  Decompression Ratio              3.20
  Block Allocation Failures        0

(Most counter values in this listing are illegible in the source; only the field names and the last four values survive.)

The command shows detailed information about session compression. Statistics will not populate for compression while DTLS is in use with the Cisco AnyConnect SSL VPN Client.
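The session listing above is what an operator reads by hand; the following added example (not Cisco code, not from the course) parses the same "Key : Value" column layout of show vpn-sessiondb detail svc and audits the result: which transport each tunnel uses, how much idle time is left, whether the tunnels agree on the assigned address, and whether DTLS is in use (in which case, as the lesson notes, show compression svc will not populate). The SAMPLE_OUTPUT text is constructed for the example and modelled on the lesson's listing; the field names and ports are the ASA's, the byte counts are illustrative.

```python
"""Parse and audit 'show vpn-sessiondb detail svc' output from a Cisco ASA."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the lesson's listing (values illustrative).
SAMPLE_OUTPUT = """\
Session Type: SVC Detailed

Username     : student1
Assigned IP  : 172.26.104.101         Public IP    : 192.168.207.127
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Encryption   : RC4 AES128             Hashing      : SHA1
Group Policy : AnyConnectPolicy       Tunnel Group : DefaultWEBVPNGroup
Login Time   : 17:46:37 UTC Mon Feb 11 2008
Duration     : 0h:14m:23s

Clientless:
  Tunnel ID    : 13.1
  Public IP    : 192.168.207.127
  TCP Dst Port : 443                  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes           Idle TO Left : 16 Minutes
  Client Type  : Web Browser
  Bytes Tx     : 362305               Bytes Rx     : 284343

SSL-Tunnel:
  Tunnel ID    : 13.2
  Assigned IP  : 172.26.104.101       Public IP    : 192.168.207.127
  TCP Src Port : 2372                 TCP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes           Idle TO Left : 16 Minutes
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Client 2, 0, 0343
  Bytes Tx     : 448                  Bytes Rx     : 0

DTLS-Tunnel:
  Tunnel ID    : 13.3
  Assigned IP  : 172.26.104.102       Public IP    : 192.168.207.127
  UDP Src Port : 2375                 UDP Dst Port : 443
  Auth Mode    : userPassword
  Idle Time Out: 30 Minutes           Idle TO Left : 29 Minutes
  Client Type  : DTLS VPN Client
  Bytes Tx     : 0                    Bytes Rx     : 33676
"""

# One or two "Key : Value" pairs per line; pairs are separated by 2+ spaces.
PAIR_RE = re.compile(
    r"([A-Za-z][A-Za-z /()]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z /()]*?\s*:|\s*$)"
)
# A per-tunnel block starts with an unindented name followed only by a colon.
BLOCK_RE = re.compile(r"^(\S[^:]*):\s*$")


@dataclass
class Tunnel:
    name: str
    fields: dict = field(default_factory=dict)

    def transport(self):
        """(protocol, dst_port) taken from the TCP/UDP Dst Port field."""
        for proto in ("TCP", "UDP"):
            port = self.fields.get(f"{proto} Dst Port")
            if port:
                return proto, int(port)
        return None, None

    def idle_left_minutes(self):
        m = re.match(r"(\d+)\s+Minute", self.fields.get("Idle TO Left", ""))
        return int(m.group(1)) if m else None


@dataclass
class Session:
    fields: dict = field(default_factory=dict)
    tunnels: dict = field(default_factory=dict)


def parse_session(text):
    """Split the listing into session-level fields and one Tunnel per block."""
    session, current = Session(), None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BLOCK_RE.match(line)
        if m:
            current = session.tunnels.setdefault(m.group(1), Tunnel(m.group(1)))
            continue
        target = current.fields if current else session.fields
        target.update({k.strip(): v.strip() for k, v in PAIR_RE.findall(line)})
    return session


def audit(session, expected_policy, min_idle_minutes=5):
    """Findings an operator would act on, derived only from the listing."""
    findings = []
    if "DTLS-Tunnel" in session.fields.get("Protocol", "").split():
        findings.append("DTLS in use: 'show compression svc' will not populate")
    if session.fields.get("Group Policy") != expected_policy:
        findings.append(f"unexpected group policy {session.fields.get('Group Policy')}")
    assigned = {t.fields["Assigned IP"] for t in session.tunnels.values()
                if "Assigned IP" in t.fields}
    if len(assigned) > 1:
        findings.append(f"tunnels report different assigned IPs: {sorted(assigned)}")
    for t in session.tunnels.values():
        left = t.idle_left_minutes()
        if left is not None and left < min_idle_minutes:
            findings.append(f"{t.name}: idle timeout in {left} minutes")
    return findings


if __name__ == "__main__":
    s = parse_session(SAMPLE_OUTPUT)
    for name, t in s.tunnels.items():
        print(name, t.transport(), "idle left:", t.idle_left_minutes())
    for f in audit(s, "AnyConnectPolicy"):
        print("finding:", f)
```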
SSLVPNS 5-165 Configuring Advanced Features for the Cisco AnyConnect SSL VPN Client This topic will discuss the configuration of some of the advanced features that can be used with the Cisco AnyConnect SSL VPN Client Configuring Advanced Features for the Cisco AnyConnect SSL VPN Client Complete the following tasks to configure advanced features for the Cisco AnyConnect SSL VPN Client: = Task 1: AnyConnect SSL VPN Client Installer option = Task 2: Keepalives and dead peer detection » Task 3: DTLS and DTLS-to-TLS Fallback = Task 4: Split tunneling Complete the following tasks to configure the advanced features for the Ciseo AnyConnect SSL VPN Client: = Task 1: Cisco AnyConnect SSL VPN Client Installer option Task 2: Ke lives and dead peer dete = Task 3: DTLS and DTLS-to-TLS Fallback m= Task 4: Split tunneling 5-166 Securing Networks with Cisco ASA Advanced (SNAA) vi 0 {© 2008 Cisco Systems, ne Cisco AnyConnect SSL VPN Client Installer Option This task will discuss how to configure the Cisco AnyConnect Client installer to either remain ‘on the client system or to be uninstalled afier disconnect Without a previously installed client, remote users enter the IP address in their browser of an interface that is configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:!/ requests to https:/, users must enter the URL. in the form hutps://
AnyConnect SSL VPN Client Installer Option Configuration

After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure SSL connection, and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.

Keep Installer on Client System: Enable to allow permanent client installation on the remote computer. Enabling disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user.

To configure the Cisco AnyConnect SSL VPN Client installer option, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > Group Policies submenu, choose the group policy that you want to edit, and click Edit.
Step 2  Inside the group policy, navigate to the Advanced > SSL VPN Client submenu and uncheck the Inherit check box for Keep Installer On Client System.
Step 3  Click OK and Apply the changes to the Cisco ASA security appliance.

To test this setting, connect to the Cisco AnyConnect SSL VPN by using a system that does not have the Cisco AnyConnect SSL VPN Client installed. After the client is connected, the Cisco AnyConnect SSL VPN Client will be downloaded to the target system, and the client will connect to the Cisco AnyConnect SSL VPN. Upon termination of the session with the Cisco AnyConnect SSL VPN, the client will be uninstalled. After disconnect, it will take a few moments to uninstall the client.
In this figure, the Cisco ASA security appliance is configured to remove the Cisco AnyConnect VPN Client from the remote host system.

Keepalives and Dead Peer Detection

The next task requires that you configure keepalives and dead peer detection (DPD) for the Cisco AnyConnect SSL VPN.

Dead Peer Detection Overview
(Figure: a VPN appliance and an application server; when the worry timer expires, a DPD message (R-U-There) is sent.)
■ DPD is a special type of keepalive for remote-access IPsec or SSL VPN clients.
■ Make sure that the headend devices support the same type of keepalives.

For resiliency purposes, some mechanism is required to keep track of the headend. Keepalives and DPD allow you to do just that. Keepalives are Hello and ACK messages with configurable time periods between hellos. Bidirectional Internet Key Exchange (IKE) keepalives do not scale well, as there are too many messages and timers to negotiate. They do not take into consideration any other traffic that may be passing through the negotiated connection.

SSL VPN-based DPD uses unidirectional hello and ACK messages. Passage of SSL traffic is proof of connection liveliness, so the endpoints do not need to send anything. In contrast to IKE keepalives, SSL VPN-based DPD is asynchronous with its own set of worry metrics, allowing it to scale better. The worry metric is an "idle time" between data and DPD traffic before which no DPDs are sent.

Enabling keepalives: Both the Cisco SSL VPN Client (SVC) and the Cisco AnyConnect VPN Client (CVC) can send keepalive messages when they establish SSL VPN connections to the security appliance. You can adjust the frequency of keepalive messages to ensure that an SSL VPN connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle.
Adjusting the frequency also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.

Enabling DPD: DPD ensures that the security appliance or the client can quickly detect a condition where the peer is not responding.

To enable DPD on the security appliance or client for a specific group or user, and to set the frequency with which either the security appliance or the client performs DPD, use the svc dpd-interval command from group-policy or username webvpn mode:

   svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
   no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

■ gateway seconds enables DPD that is performed by the security appliance (gateway) and specifies the frequency, from 5 to 3600 seconds, with which the security appliance (gateway) performs DPD.
■ gateway none disables DPD that is performed by the security appliance.
■ client seconds enables DPD that is performed by the client, and specifies the frequency, from 5 to 3600 seconds, with which the client performs DPD.
■ client none disables DPD that is performed by the client.

Note: If you enable DTLS, enable DPD also. DPD enables a failed DTLS connection to fall back to TLS. Otherwise, the connection terminates.

To configure keepalives for the Cisco AnyConnect SSL VPN, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > Group Policies submenu, choose the policy that you want to edit, and click Edit.
Step 2  From the Edit Internal Group Policy window, navigate to the Advanced > SSL VPN Client submenu and uncheck the Inherit check box next to Keepalive Messages.
Step 3  If checked, uncheck the check box next to Disable and enter a value between 15 and 6600 seconds in the Interval field for keepalives. This value will change based on network and application requirements.

In this figure, keepalive messages are configured for an interval of 300 seconds.

Keepalives and DPD Configuration

To configure the DPD gateway-side and client-side parameters, complete the following steps:

Step 4  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > Group Policies submenu, choose the policy you want to edit, and click Edit.
Step 5  From the Edit Internal Group Policy window, navigate to the Advanced > SSL VPN Client > Dead Peer Detection submenu and uncheck the Inherit check box for Gateway Side Detection and Client Side Detection.
■ Gateway Side Detection: Uncheck the Disable check box to specify that dead peer detection is to be performed by the security appliance (gateway). Enter the interval, from 30 to 3600 seconds, with which the security appliance performs dead peer detection.
■ Client Side Detection: Uncheck the Disable check box to specify that dead peer detection is to be performed by the client. Enter the interval, from 30 to 3600 seconds, with which the client performs dead peer detection.

Note: When using the Cisco AnyConnect Client with DTLS on the security appliance, Dead Peer Detection must be enabled in the group policy on the security appliance to allow the Cisco AnyConnect Client to fall back to TLS, if necessary.
Fallback to TLS occurs if the Cisco AnyConnect Client cannot send data over the UDP/DTLS session, and the DPD mechanism is necessary for fallback to occur.

To enable DPD on the security appliance or client for a specific group or user, and to set the frequency with which either the security appliance or client performs dead peer detection, use the Dead Peer Detection dialog box for either the group policy or the username.

In this figure, the client and gateway DPD intervals are both set to 30 seconds.

DTLS and DTLS-to-TLS Fallback

Datagram Transport Layer Security (DTLS) avoids latency and bandwidth problems that are associated with some SSL-only connections, including Cisco AnyConnect connections, and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path, using UDP.

DTLS and DTLS-to-TLS Fallback Overview
■ Limitations of TLS with SSL VPN tunnels:
  – TLS is used to tunnel traffic over TCP 443.
  – TCP requires retransmission of lost packets. Both the application and TLS retransmit when packet loss is detected.
■ DTLS solves the TCP-over-TCP problem:
  – DTLS replaces the underlying transport, TCP 443, with UDP 443.
  – DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange).
  – Only datagrams are transmitted over DTLS.
■ Other benefits:
  – Low latency for real-time applications.
  – DTLS is optional and can fall back to TLS if required.
  – No specific additional configuration is needed for fallback to TLS other than the requirement that DPD be configured for the AnyConnect SSL VPN.

DTLS allows the Cisco AnyConnect Client that is establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel.
Using DTLS for datagrams avoids the latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays, such as voice and video applications.

Note: By default, this feature is enabled when configuring the Cisco AnyConnect SSL VPN by using the SSL VPN wizard.

If you do not enable DTLS, Cisco AnyConnect SSL VPN connections connect with an SSL VPN tunnel only. Furthermore, you cannot enable DTLS globally with Cisco ASDM. The following section describes how to enable DTLS for any specific interface.

DTLS and DTLS-to-TLS Fallback Configuration: Connection Profile

To configure DTLS, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles submenu and locate the interface that is configured for SSL VPN.
Step 2  Check the check box under the Enable DTLS column for the desired interface.

Note: By default, the SSL VPN wizard will enable DTLS on the interface that is configured for Cisco AnyConnect SSL VPN service.

DTLS can also be configured based on group policy. This is helpful if some groups need to be configured for DTLS where others may be required to use compression. DTLS and compression are mutually exclusive, and if both are enabled, DTLS will not work for that connection.

In this figure, the outside interface is configured to use DTLS with the Cisco AnyConnect SSL VPN.

DTLS and DTLS-to-TLS Fallback Configuration: Group Policy

To configure DTLS at the group policy level, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > Group Policies submenu, choose the policy you want to edit, and then click the Edit button. (Not shown.)
Step 2  Inside the group policy configuration, navigate to the Advanced > SSL VPN Client submenu and uncheck the Inherit check box that is associated with Datagram TLS.
Step 3  Choose Enable or Disable, based on group policy requirements. The parameter was set to Disable (not shown). The administrator does not want this group to use DTLS.

Note: If DTLS is configured at the group policy level, it will take precedence over the DTLS configuration that was applied at the SSL VPN Connection Profile level.

In this figure, DTLS has been enabled on the SSL VPN group policy named AnyConnectPolicy.

In this example, the SSL VPN Connection Profile was configured to use DTLS, and the group policy (AnyConnectPolicy) associated with the user who logged on was configured to have DTLS enabled. The group policy takes precedence over the connection profile, so if DTLS were disabled in the group policy, it would be disabled for the user.

Split Tunneling

This topic will discuss the configuration of split tunneling for the Cisco AnyConnect SSL VPN.

Split Tunneling Overview
■ Split tunneling allows traffic that is destined for the Internet to proceed directly to the Internet.
■ Split tunneling saves resources at the hub site.
■ Split tunneling can use IPsec or SSL.
■ Decisions on what traffic to encapsulate are handled by the configuration of an ACL on the Cisco ASA security appliance and passed down to the Cisco AnyConnect SSL VPN Client.
■ Split tunneling raises additional network security concerns.
Split Tunneling Configuration

To configure split tunneling for Cisco AnyConnect SSL VPN, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > Group Policies submenu, choose the policy you want to edit, and then click the Edit button. (Not shown.)
Step 2  Navigate to the Advanced > Split Tunneling submenu inside the group policy configuration screen.
Step 3  Uncheck the Inherit check box next to the Policy and the Network List parameters and choose the desired policy from the drop-down menu. The following options are available for split tunneling policies:
■ Tunnel All Networks: All traffic will be tunneled through the SSL VPN.
■ Tunnel Network List Below: The configured network list will be encrypted and tunneled. Other destinations will be sent in cleartext and will not be tunneled.
■ Exclude Network List Below: The configured network list will be sent in cleartext and not be tunneled. Other destinations will be encrypted and tunneled.
Step 4  Choose the desired Network List from the drop-down menu or choose Manage to add a new network list.

In this figure, the Tunnel Network List Below option is selected in the drop-down menu prior to the configuration of the network list to associate with split tunneling.
To configure a new ACL, complete the following steps:

Step 5  Once inside the ACL Manager, click Add to add a new ACL.
Step 6  Give the new ACL a name and click OK to add the ACL entry.

In this figure, a new ACL named Corporate has been created for use with split tunneling.

After the ACL has been added, add an access control entry (ACE) to the ACL for policy enforcement.

Step 7  Right-click the ACL and click Add ACE.
Step 8  Configure the Action, Address, and optional Description fields for the ACE. In this example, the internal network was selected as the target network.
Step 9  Click OK to accept the ACE and then OK again to accept the ACL Manager changes.

In this figure, the inside network is chosen as the network to tunnel through the Cisco ASA security appliance, using the Cisco AnyConnect SSL VPN Client.

Step 10  Verify that Corporate is chosen in the Network List drop-down menu and click OK to accept the changes to the group policy.
Step 11  Apply the changes to the group policy and save the configuration to the Cisco ASA security appliance.

With this example, all traffic destined for the corporate network will be encrypted and go through the tunnel. Other traffic will not be tunneled and will be sent as clear text through the network.

Split Tunneling—Verify Operation

To verify the split tunneling configuration, complete these additional steps:

Step 12  Log into the Cisco AnyConnect SSL VPN and open the client.
Step 13  After the client has been opened, choose the Statistics tab and then click the Details button.
Step 14  Choose the Route Details tab and verify that the proper network routes to be protected by split tunneling show up on the client.

In this figure, the route details illustrate the networks that are configured as Secured Routes. Secured routes are the routes that are configured to go through the tunnel. In this case, it is the inside network on the Cisco ASA security appliance.

Commands Sent to the Cisco ASA From the Cisco ASDM

The following is output from the Cisco ASDM to the Cisco ASA security appliance for the advanced feature configuration:

■ AnyConnect SSL VPN Client Installer option
   group-policy AnyConnectPolicy attributes
    webvpn
     svc keep-installer none
   configure terminal
■ Keepalives
   group-policy AnyConnectPolicy attributes
    webvpn
     svc keepalive 300
   configure terminal
■ Dead peer detection (DPD)
   group-policy AnyConnectPolicy attributes
    webvpn
     svc dpd-interval gateway 30
     svc dpd-interval client 30
     svc ask enable default webvpn
   configure terminal
■ DTLS-to-TLS Fallback
   group-policy AnyConnectPolicy attributes
    webvpn
     svc dtls enable
   configure terminal
■ Split tunneling
   access-list Corporate remark Corporate Network Access
   access-list Corporate standard permit 10.0.4.0 255.255.255.0
   group-policy AnyConnectPolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Corporate
   configure terminal

Configuring Certificate-Based Authentication for the Cisco AnyConnect SSL VPN

This topic will discuss the configuration of certificate-based authentication for the Cisco AnyConnect SSL VPN.

Configuring Certificate-Based Authentication for AnyConnect SSL VPN

Complete the following tasks to configure certificate-based authentication for AnyConnect SSL VPN:
■ Task 1: Enable the local CA server.
■ Task 2: Create a self-signed identity certificate.
■ Task 3: Create a user account.
■ Task 4: Configure the SSL VPN access interface.
■ Task 5: Assign the identity certificate to the SSL VPN interface.
■ Task 6: Modify the SSL VPN connection profile.
■ Task 7: Create a certificate to SSL VPN profile mapping.
■ Task 8: Verify the certificate-based authentication for Cisco AnyConnect SSL VPN.

Certificate-Based Authentication Overview
■ Certificates are assigned to the Cisco ASA interface and to remote VPN clients to authenticate the Cisco AnyConnect SSL VPN session.
■ Clients are no longer required, but are highly recommended, to send a username and password to authenticate to the Cisco AnyConnect SSL VPN.
■ The security appliance can be used as the CA to issue and manage certificates.

You can specify whether you want users to authenticate by using authentication, authorization, and accounting (AAA) with a username and password or by using a digital certificate (or both). When you configure certificate-only authentication, users can connect with a digital certificate and are not required to provide a user ID and password.

Enable Local CA Server

The first task requires that you enable the local certificate authority (CA) server on the Cisco ASA security appliance.
Although it is not a requirement to configure the Cisco ASA security appliance as the CA server for certificate-based authentication, a certificate server is necessary to issue and manage client certificates. This example will use the Cisco ASA security appliance as the CA server for the network.

To configure the Cisco ASA security appliance as a local CA server, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > CA Server submenu and check the check box next to Create Certificate Authority Server.
Step 2  Click the Enable radio button.
Step 3  Configure a passphrase to be used with the CA server.
Step 4  (Optional.) Configure the SMTP Server & Email Settings to provide the CA with the information that is required to e-mail items to clients, such as the one-time password (OTP) to be used with client enrollment.
Step 5  Click Apply to send the configuration changes to the security appliance and enable the local CA server.

In this figure, a local CA server is created on the security appliance, and the passphrase is configured as cisco123.

Create Self-Signed Identity Certificate

The next task requires that you create a self-signed certificate to be used by the Cisco ASA security appliance for client-based authentication.

To configure the self-signed certificate, complete the following tasks:

Step 1  Navigate to the Configuration > Remote Access VPN > Certificate Management > Identity Certificates submenu and click Add.
Step 2  Click the Add a New Identity Certificate radio button and click New to create a new key pair for use with the self-signed certificate.
Step 3  Click the Enter New Key Pair Name radio button and configure a name for the key pair.
Step 4  Click Generate Now to generate the new key pair.

In this figure, a new key pair is generated to be used for a self-signed certificate.

Create Self-Signed Identity Certificate (Cont.)

To create a self-signed certificate, complete the following tasks:

Step 5  Choose the newly generated key pair from the Key Pair drop-down menu.
Step 6  Check the Generate Self-Signed Certificate check box and click Add Certificate.
Step 7  The security appliance will generate a self-signed certificate and provide an Enrollment Status window. Click OK to continue.

In this figure, using the previously generated key pair generates a self-signed certificate.

Create a User Account

The next task requires that you create a user account on the Cisco ASA security appliance. This user account will be used to allow a remote client to authenticate to the CA enrollment server to acquire a certificate for use with the SSL VPN. The user account can be configured with standards-based X.509 attributes that describe the user account, and these attributes will be added to the generated certificate for the account.

Step 1  Navigate to the Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority > Manage User Database submenu and click Add to add a new user account.
Step 2  Configure a username for the account and click the Select button to provide attribute descriptors to be used with the certificate.
Step 3  Choose an attribute from the drop-down menu and provide the value for each attribute that is configured. After the attribute has been configured, click Add to add the attribute to the user account.
Click OK to accept the attributes for the user account. The following attributes can be configured:
■ CN = Common name
■ OU = Department
■ O = Company name
■ C = Country
■ ST = State or province
■ L = Location
■ EA = E-mail address

In this figure, a user named student1 is created so that the remote system can log in to obtain a certificate.

To be allowed to log in to the certificate enrollment process, the user must obtain an OTP from the Cisco ASA security appliance. To obtain an OTP manually, complete the following tasks:

Step 4  Check the Allow Enrollment check box.
Step 5  Click Add User to add the user to the local user database.

Note: If the CA server is not configured to use an e-mail server, the OTP must be manually retrieved from the user configuration so that the user can complete the enrollment process.

Step 6  Click the View/Re-generate OTP button to view or regenerate the OTP for the user account. This is the OTP that will be required to log in to the enrollment server and the OTP that will be required to decrypt the client certificate.

In this figure, an OTP is manually obtained from the Cisco ASA security appliance for a configured user named student1.

Configure SSL VPN Access Interface

The next task requires that you configure the SSL VPN access interface.

To configure the SSL VPN access interface to require client certificates, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles submenu and check the Require Client Certificate check box.
Step 2  If the Cisco ASDM and the Cisco AnyConnect SSL VPN that is using certificate-based authentication are using the same interface, they will be unable to share the same TCP port 443. In this example, the security appliance access port is configured to use port 4430 for that reason.

In this figure, the Cisco ASA security appliance is configured to require client certificate authentication, and the access port is configured to use TCP 4430.

Assign Identity Certificate to SSL VPN Interface

The next task requires that you assign the previously configured identity certificate to the desired SSL VPN interface.

To configure the Cisco ASA security appliance to assign an identity certificate to the interface, complete the following steps:

Note: There is a link to assign a certificate to the desired interface on the SSL VPN Connection Profiles page. The link will redirect you to the SSL Settings submenu.

Step 1  Navigate to the Configuration > Remote Access VPN > Advanced > SSL Settings submenu and choose the interface that is to be used for the SSL VPN connection.
Step 2  Assign the previously configured identity certificate to the interface.
Step 3  Click OK to accept the changes to the interface.

In this figure, the self-signed identity certificate is assigned to the outside interface of the security appliance.

Assign Identity Certificate to SSL VPN Interface (Cont.)
After the certificate has been applied to the desired interface, the certificate information should appear below the ID Certificate column.

Modify SSL VPN Connection Profile

The next task requires that you modify the SSL VPN connection profile to allow certificate-based authentication.

To modify the SSL VPN connection profile, complete the following tasks:

Step 1  Navigate to the Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles submenu, choose the profile that is configured for use with the Cisco AnyConnect SSL VPN, and click Edit.
Step 2  Under the Basic > Authentication subcolumn, choose Certificate for the method and click OK to accept the changes.

In this figure, the Cisco AnyConnect VPN profile was configured to require certificate-based authentication.

Create Certificate to SSL VPN Profile Mapping

The next task requires you to configure a certificate to SSL VPN profile mapping.

Create Certificate-to-SSL VPN Profile Mapping

By default, all users are initially applied to the DefaultWebVPNGroup connection profile when a user connects to the Cisco ASA security appliance. After the user logs in, the proper group policy is applied, based on the user configuration. If a custom SSL VPN profile is configured, the security appliance needs a way to map users to the appropriate profile so that profile-specific actions can be taken (such as certificate-based authentication). There are several ways to accomplish this:
■ Configure aliases for each configured connection profile and allow the user to choose the desired profile at login.
■ Configure group-URLs for each configured connection profile and allow the user to choose the desired URL at login. For example, https://connection1.asa.com or https://connection2.asa.com.
■ Configure a certificate to SSL VPN profile mapping to match certain criteria that map the client to the proper connection profile.

To create a certificate to SSL VPN profile mapping, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Advanced > Certificate to SSL VPN Connection Profile Maps submenu and click Add under the Certificate to Connection Profile Maps area.
Step 2  Click the New radio button under Map and provide a name for the connection profile map.
Step 3  Configure the rule priority and then choose the desired connection profile from the Mapped to Connection Profile drop-down menu.
Step 4  Click OK to accept the profile map.

The following items can be configured on this screen:
■ Priority: Type a decimal to specify the sequence with which the security appliance evaluates the map when it receives a connection request. For the first rule defined, the default priority is 10. The security appliance evaluates each connection against the map with the lowest priority number first.
■ Mapped to Connection Profile: Choose the connection profile, formerly called a "tunnel group," to map to this rule.

Note: If you do not assign a rule criterion to the map, as described in the next section, the security appliance ignores the map entry.

In this figure, a new SSL VPN profile mapping named AnyConnect was created with a priority of 10.

Create Certificate-to-SSL VPN Profile Mapping (Cont.)

After the profile map has been configured, configure the rule criterion to identify to the security appliance what will be used to map the connecting users to the desired connection profile.

Step 5  Under the same submenu, click the Add button under the Mapping Criteria area.
Step 6  Configure the Field, Component, Operator, and Value fields for the mapping criteria and click OK to accept the changes.
Note: This example uses the OU that is associated with the client certificate (Remote Access) for profile mapping.

The following items can be selected under the Mapping Criteria:
■ Field: Choose the part of the certificate to be evaluated from the drop-down list.
  – Subject: The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.
  – Alternative Subject: The subject alternative names extension allows additional identities to be bound to the subject of the certificate.
  – Issuer: The CA or other entity (jurisdiction) that issued the certificate.
■ Component: (Applies only if Subject or Issuer is selected.) Choose the distinguished name component used in the rule:
  – Country (C): The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
  – Common Name (CN): The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.
  – DN Qualifier (DNQ): A specific DN attribute.
  – E-mail Address (EA): The e-mail address of the person, system, or entity that owns the certificate.
  – Generational Qualifier (GENQ): A generational qualifier such as Jr., Sr., or III.
  – Given Name (GN): The first name of the certificate owner.
  – Initials (I): The first letters of each part of the certificate owner's name.
  – Locality (L): The city or town where the organization is located.
  – Name (N): The name of the certificate owner.
  – Organization (O): The name of the company, institution, agency, association, or other entity.
  – Organizational Unit (OU): The subgroup within the organization.
  – Serial Number (SER): The serial number of the certificate.
  – Surname (SN): The family name or last name of the certificate owner.
  – State/Province (S/P): The state or province where the organization is located.
  – Title (T): The title of the certificate owner, such as Dr.
  – User ID (UID): The identification number of the certificate owner.
  - Unstructured Name (UNAME): The unstructuredName attribute type specifies the name or names of a subject as an unstructured ASCII string.
  - IP Address (IP): The IP address field.

■ Operator: Choose the operator that is used in the rule:
  - Equals: The distinguished name field must exactly match the value.
  - Contains: The distinguished name field must include the value within it.
  - Does Not Equal: The distinguished name field must not match the value.
  - Does Not Contain: The distinguished name field must not include the value within it.

■ Value: Enter up to 255 characters to specify the object of the operator.

Certificate-to-SSL VPN Profile Mapping Complete

This certificate-to-SSL VPN profile mapping specifies that a certificate whose Subject field has an OU value of Remote Access should be mapped to the AnyConnect SSL VPN connection profile.

Note It is usually more efficient to map something such as an organization (O) or organizational unit (OU) to a connection profile. These fields generally require fewer mapping criteria entries in the VPN profile mappings to associate the user with the correct connection profile. Mapping a more specific value in the subject field of the digital certificate, such as the common name (CN), would require more mappings and more administrative overhead.

Commands Sent to the Cisco ASA from the Cisco ASDM

The following is sample output sent from the Cisco ASDM to the Cisco ASA security appliance:

Configure the local CA server:

  crypto ca server
  crypto ca trustpoint LOCAL-CA-SERVER
   keypair LOCAL-CA-SERVER
   crl configure

  crypto ca trustpoint ASDM_TrustPoint0
   keypair AnyConnect
   id-usage ssl-ipsec
   no client-types
   fqdn ASA5520
   subject-name CN=ASA5520
   enrollment self
  crypto ca enroll ASDM_TrustPoint0 noconfirm

Assign the identity certificate to the outside interface and require client certificates on the SSL listener:

  ssl certificate-authentication interface outside port 4430
  ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
  ssl trust-point ASDM_TrustPoint0 outside

Configure the tunnel group for certificate-based authentication:

  tunnel-group AnyConnect webvpn-attributes
   no authentication aaa
   authentication certificate

Certificate-to-SSL VPN profile mapping:

  crypto ca certificate map AnyConnect 10
   subject-name attr ou eq Remote Access
  webvpn
   certificate-group-map AnyConnect 10 AnyConnect

Verify Certificate-Based Authentication for Cisco AnyConnect SSL VPN

This task includes the steps required to verify the operation of certificate-based authentication for the Cisco AnyConnect SSL VPN.

Verifying Certificate-Based Authentication for AnyConnect SSL VPN: Install Root CA Certificate

■ Connecting to the Cisco ASA will generate a certificate warning.
■ Allow Windows to install the certificate to the proper store automatically.
■ Verify installation of the root CA certificate.

To verify certificate-based authentication for the Cisco AnyConnect SSL VPN, complete the following steps:

Step 1 Open a compliant web browser and enter the address of the Cisco ASA security appliance. Ensure that you enter the proper port information if the port was modified. For example, enter https://192.168.4.2:4430.

Step 2 After the browser connects to the security appliance, it will generate a certificate warning. Click the View Certificate button to view the root CA certificate.

Step 3 Click the Install Certificate button to install the root CA certificate. Allow the operating system to install the certificate into the proper store automatically. Before you do so, compare the thumbprint shown in the browser with the CA certificate fingerprint reported by show crypto ca server on the security appliance; installing a root certificate presented by an unverified peer would let that peer impersonate any site to this host.

Step 4 After the certificate is ready to be installed, click Yes to any certificate warnings from the operating system.

In this figure, the remote host system is installing the certificate from the security appliance.

Install Client Certificate

After the root certificate has been installed, the main authentication window will appear in the browser and the user will be notified that client certificate validation failed, with a link to obtain a new certificate.

Verifying Certificate-Based Authentication for AnyConnect SSL VPN: Install Client Certificate

■ Client certificate validation will fail. Select the link to obtain a new certificate.
■ Log into the local Cisco ASA CA by using the username and OTP generated for the user by the security appliance.
■ After authentication, the user will be provided a certificate.
■ Allow Windows to install the certificate automatically.
■ When asked for a password during the certificate install, enter the OTP as the password.

To install a certificate from the CA server (the Cisco ASA security appliance) on the remote host, complete the following tasks:

Step 1 Choose the link to be redirected to the ASA Local Certificate Authority login page.

Step 2 Enter the username and the previously obtained OTP for the user and click Submit. After authentication has completed successfully, the user will be provided with a certificate from the local CA.

Step 3 Click Open to open the certificate and begin the certificate-importing procedure. Allow Windows to install the certificate into the proper store automatically.

Step 4 When prompted for the password for the certificate encryption, enter the previously obtained OTP to continue. The OTP both authenticates the enrollment and protects the downloaded certificate and private key, so deliver it to the user out of band rather than by the same channel the user will enroll over.

In this figure, the user logs into the security appliance local CA to obtain a certificate for use with the Cisco AnyConnect SSL VPN.

Verifying Certificate-Based Authentication for AnyConnect SSL VPN: Restart Client Browser

■ Restart the client web browser and enter the address of the Cisco ASA security appliance that is used for AnyConnect SSL VPN.
■ The client web browser should log directly into the web portal without prompting the user for a username or password.
■ If already installed, the Cisco AnyConnect SSL VPN Client will automatically log in without prompting the user for a username or password once launched.

After the certificate has been installed, you will be required to restart the web browser.

Step 5 After the client certificate installation is complete, close the web browser and open a new session to the Cisco ASA SSL VPN address and port number. For example, https://192.168.4.2:4430.

Step 6 The user should automatically be logged into the Cisco AnyConnect SSL VPN, and the web portal that is configured for the group policy should be displayed.

Step 7 When the user launches the previously downloaded Cisco AnyConnect SSL VPN Client, the client will log the user into the SSL VPN without requesting a username or password.

In this figure, the user restarts the web browser and again points it to the Cisco AnyConnect SSL VPN address (192.168.4.2:4430). The user will automatically log in to the system by using the newly obtained certificate, and the SSL VPN profile mapping will map the user to the previously configured customized user interface template.

Cisco ASDM Monitoring

Cisco ASDM provides several useful screens of information that will allow you to verify that the SSL VPN connection is using certificate-based authentication.

Verifying Certificate-Based Authentication for AnyConnect SSL VPN: ASDM Monitoring

To verify certificate-based authentication by using Cisco ASDM, complete the following tasks:

Step 1 Navigate to the Monitoring > VPN > VPN Statistics > Sessions submenu and choose SSL VPN Client to filter the session information.

Step 2 Under the Group Policy Connection, the session details will identify the connection profile that is mapped by the Certificate-to-VPN Connection Profile Map.

In this figure, the configured VPN connection profile mapping (AnyConnect) shows that the connection is mapped to the proper group policy (AnyConnectPolicy).

Verifying Certificate-Based Authentication for AnyConnect SSL VPN: ASDM Monitoring (Cont.)

To verify that the connection used the intended authentication mechanism, complete the following task:

Step 3 Choose the desired session and click the Details button to view more information about the session. The listed authentication mode should be Certificate.

In this figure, the details of the SSL VPN connection show that the user connected to the Cisco AnyConnect SSL VPN by using certificate-based authentication.

Verifying Operation Using the Cisco ASA CLI

You can use these show and debug commands to obtain information about the SSL VPN connection from the Cisco ASA CLI.

Verify Operation by Using Cisco ASA CLI

show vpn-sessiondb detail webvpn | svc
  Shows detailed remote-access VPN session information similar to the Cisco ASDM session monitoring panel. May be shown in detailed or summary views.

show crypto protocol statistics ssl
  Shows SSL protocol statistics for the crypto engine that provides encryption and decryption processing information.

show compression svc
  Shows detailed information about session compression. Statistics will not populate for encryption while DTLS is in use with the Cisco AnyConnect SSL VPN Client.

debug crypto ca 5
  Shows the detailed certificate exchange and negotiation between the Cisco ASA security appliance and the remote clients.

Note Always observe caution when using show commands or debugs that could impact performance. Do not run debugs during peak network traffic times.

  ASA5520(config)# show vpn-sessiondb detail svc

  Session Type: SVC Detailed

  Username     : student1               Index        : 6
  Assigned IP  : 172.26.104.101         Public IP    : 192.168.207.127
  Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
  Encryption   : RC4 AES128             Hashing      : SHA1
  Bytes Tx     : 279819                 Bytes Rx     : 227213
  Pkts Tx      : 265                    Pkts Rx      : 1936
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Group Policy : AnyConnectPolicy       Tunnel Group : AnyConnect
  Login Time   : 01:19:12 EST Wed Feb 13 2008
  Duration     : 2h:16m:29s
  NAC Result   : Unknown
  VLAN Mapping : N/A                    VLAN         : none

  Clientless Tunnels: 1
  SSL-Tunnel Tunnels: 1
  DTLS-Tunnel Tunnels: 1

Connection to the web portal:

  Clientless:
    Tunnel ID    : 6.1
    Public IP    : 192.168.207.127
    Encryption   : RC4                    Hashing      : SHA1
    TCP Dst Port : 4430                   Auth Mode    : Certificate
    Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
    Client Type  : Web Browser
    Client Ver   : AnyConnect Windows 2.0.0343
    Bytes Tx     : 279326                 Bytes Rx     : 73065

Cisco AnyConnect SSL VPN Client connection to the Cisco ASA security appliance:

  SSL-Tunnel:
    Tunnel ID    : 6.2
    Assigned IP  : 172.26.104.101         Public IP    : 192.168.207.127
    Encryption   : RC4                    Hashing      : SHA1
    TCP Src Port : 1852                   TCP Dst Port : 4430
    Auth Mode    : Certificate
    Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
    Client Type  : SSL VPN Client
    Client Ver   : Cisco AnyConnect VPN Client 2, 0, 0343
    Bytes Tx     : 493                    Bytes Rx     : 98
    Pkts Tx      : 1                      Pkts Rx      : 1
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS tunnel (enabled by default):

  DTLS-Tunnel:
    Tunnel ID    : 6.3
    Assigned IP  : 172.26.104.101         Public IP    : 192.168.207.127
    Encryption   : AES128                 Hashing      : SHA1
    UDP Src Port : 1955                   UDP Dst Port : 443
    Auth Mode    : Certificate
    Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
    Client Type  : DTLS VPN Client
    Client Ver   : AnyConnect Windows 2.0.0343
    Bytes Tx     : 0                      Bytes Rx     : 154129
    Pkts Tx      : 0                      Pkts Rx      : 1930
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0

  NAC:
    Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
    SQ Int (T)   : 0 Seconds              EoU Age(T)   : 8197 Seconds
    Hold Left (T): 0 Seconds              Posture Token:
    Redirect URL :

Two details in this output matter when the deployment is checked against a firewall rule set and a cipher policy. The DTLS tunnel uses UDP port 443, the default DTLS port, even though the SSL listener was moved to TCP 4430, so UDP 443 must be permitted as well. The clientless and SSL tunnels negotiated RC4 because rc4-sha1 is listed first in the ssl encryption command above; remove it from that list if RC4 is not acceptable under your policy.

  ASA5520(config)# show crypto protocol statistics ssl
  [SSL statistics]

SSL protocol successfully encrypting and decrypting tunnel traffic:

    Encrypt packet requests: 10191
    Encapsulate packet requests: 10192
    Decrypt packet requests: 5808
    Decapsulate packet requests: 5808

HMAC checks based on encrypted and decrypted SSL traffic:

    HMAC calculation requests: 15999
    SA creation requests: 178
    SA rekey requests: 0
    SA deletion requests: 175
    Next phase key allocation requests: 0
    Random number generation requests: 0
    Failed requests: 0
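The Auth Mode, Encryption, and Tunnel Group lines in the show vpn-sessiondb detail svc output above are the fields worth checking programmatically once more than a handful of sessions are involved. The following Python audit is an added example written for this edit, not Cisco code: the session text it parses is constructed to mirror the output above, the SAMPLE_FALLBACK variant with a userPassword tunnel is invented to show a failed check, and treating RC4, DES, and 3DES as weak is this audit's own policy rather than anything the security appliance enforces.

```python
"""Audit 'show vpn-sessiondb detail svc' output for certificate-based authentication.

Added example, not Cisco code: it parses the two-column "Key : Value" text the
ASA prints, then flags any tunnel whose Auth Mode is not Certificate, any weak
cipher, and a session that landed in the wrong tunnel group.
"""
import re
from typing import Dict, List, Optional

# One "Key : Value" pair; the value ends where the next two-space-separated
# "Key :" column begins (or at end of line), so values may contain spaces and colons.
_PAIR = re.compile(r"(\S[^:]*?)\s*:\s*(.*?)(?=\s{2,}\S[^:]*?\s*:|\s*$)")
_TUNNEL_HDR = re.compile(r"^\s*(Clientless|SSL-Tunnel|DTLS-Tunnel):\s*$")
# Assumption of this audit: ciphers the ASA can still negotiate that we refuse to accept.
WEAK_CIPHERS = {"RC4", "DES", "3DES"}


def parse_sessiondb(text: str) -> Dict[str, Dict[str, str]]:
    """Return {'Session': {...}, 'Clientless': {...}, 'SSL-Tunnel': {...}, 'DTLS-Tunnel': {...}}."""
    sections: Dict[str, Dict[str, str]] = {"Session": {}}
    current = "Session"
    for line in text.splitlines():
        hdr = _TUNNEL_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            sections[current] = {}
            continue
        if ":" not in line:
            continue
        for key, value in _PAIR.findall(line):
            sections[current][key.strip()] = value.strip()
    return sections


def audit_session(text: str, expected_tunnel_group: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means every tunnel authenticated with a certificate,
    no weak cipher was negotiated, and the session sits in the expected tunnel group."""
    sections = parse_sessiondb(text)
    findings: List[str] = []
    actual_group = sections["Session"].get("Tunnel Group")
    if expected_tunnel_group and actual_group != expected_tunnel_group:
        findings.append(f"session mapped to tunnel group {actual_group}, expected {expected_tunnel_group}")
    tunnels = [name for name in sections if name != "Session"]
    if not tunnels:
        findings.append("no tunnel blocks found in output")
    for name in tunnels:
        tunnel = sections[name]
        mode = tunnel.get("Auth Mode", "<missing>")
        if mode != "Certificate":
            findings.append(f"{name}: Auth Mode is {mode}, expected Certificate")
        for cipher in tunnel.get("Encryption", "").split():
            if cipher in WEAK_CIPHERS:
                findings.append(f"{name}: negotiated weak cipher {cipher}")
    return findings


# Constructed sample, modeled on the show vpn-sessiondb detail svc output in this lesson.
SAMPLE_OK = """\
Session Type: SVC Detailed

Username     : student1               Index        : 6
Assigned IP  : 172.26.104.101         Public IP    : 192.168.207.127
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Encryption   : RC4 AES128             Hashing      : SHA1
Group Policy : AnyConnectPolicy       Tunnel Group : AnyConnect
Login Time   : 01:19:12 EST Wed Feb 13 2008

Clientless:
  Tunnel ID    : 6.1
  Encryption   : RC4                    Hashing      : SHA1
  TCP Dst Port : 4430                   Auth Mode    : Certificate
  Client Type  : Web Browser
SSL-Tunnel:
  Tunnel ID    : 6.2
  Encryption   : RC4                    Hashing      : SHA1
  TCP Src Port : 1852                   TCP Dst Port : 4430
  Auth Mode    : Certificate
  Client Ver   : Cisco AnyConnect VPN Client 2, 0, 0343
DTLS-Tunnel:
  Tunnel ID    : 6.3
  Encryption   : AES128                 Hashing      : SHA1
  UDP Src Port : 1955                   UDP Dst Port : 443
  Auth Mode    : Certificate
"""
# Same session, but the SSL tunnel fell back to password authentication (constructed).
SAMPLE_FALLBACK = SAMPLE_OK.replace(
    "  Auth Mode    : Certificate\n  Client Ver", "  Auth Mode    : userPassword\n  Client Ver", 1)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("fallback", SAMPLE_FALLBACK)):
        print(label, audit_session(sample, expected_tunnel_group="AnyConnect") or "clean")
```

Run against the lesson's session the audit reports only the two RC4 tunnels; against the fallback variant it also reports the SSL tunnel that authenticated with a password, which is the condition the ASDM Details screen in the previous task was used to rule out by hand.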
  ASA5520(config)# show compression svc
  Compression Svc Sessions
    Compressed Frames
    Compressed Data In (bytes)
    Compressed Data Out (bytes)
    Expanded Frames
    Compression Errors
    Compression Resets
    Compression Output Buf Too Small
    Compression Ratio
    Decompressed Frames

Successful transmit and receive of decompressed data:

    Decompressed Data In                90
    Decompressed Data Out               96
    Decompression CRC Errors            0
    Decompression Errors                0
    Decompression Resets                0
    Decompression Ratio                 1.06
    Block Allocation Failures           0

  ASA5520(config)# debug crypto ca 5
  CRYPTO_PKI: Checking to see if an identical cert is already in the database...
  CRYPTO_PKI: looking for cert in handle=c82a9078, digest=
    33 e4 f9 be 55 ad 51 4f 8e ff 96 4d cd a6 e3 14  | 3...U.QO...M....
  CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
  CRYPTO_PKI: Cert not found in database.

Duplicate certificate not found, so the CA server will be queried for certificate status:

  CRYPTO_PKI: Looking for suitable trustpoints...
  CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.
  CRYPTO_PKI(make trustedCerts list)
  CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

Certificate validated:

  --SNIP--
  CRYPTO_PKI: Certificate validated. serial number: 02, subject name: cn=student1.
  CRYPTO_PKI: Certificate validated without revocation check.

Match the remote system certificate to the configured profile map:

  CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 02, subject name: cn=student1, issuer_name: cn=ASA5520.cis...
  CRYPTO_PKI: Processing map rules for AnyConnect.
  CRYPTO_PKI: Processing map AnyConnect sequence 10...
  CRYPTO_PKI: Match of subject-name attr field to map PASSED. Peer cert field: cn = student1, map rule: subject-name attr cn eq stud.
  CRYPTO_PKI: Peer cert has been authorized by map: AnyConnect sequence: 10.
  CRYPTO_PKI: Tunnel Group Match on map AnyConnect sequence # 10. Group name is AnyConnect

Note the line "Certificate validated without revocation check": with the lab trustpoint configuration, a certificate that the local CA has already revoked is still accepted. Configure revocation checking on the trustpoint before this design is used outside a lab.

Troubleshooting the Cisco AnyConnect SSL VPN Client Operation

This topic discusses methods for troubleshooting Cisco AnyConnect SSL VPN Client operation.

The Cisco ASA security appliance provides several troubleshooting commands to help identify issues with Cisco AnyConnect SSL VPN connections. These include:

■ The show running-config command is used to display the system configuration to help identify any potential configuration errors.
■ The debug webvpn command is used to provide information about the WebVPN service that handles SSL VPN traffic through the security appliance.
■ The debug aaa command is used to provide information about AAA communication, using either the internal server or an external server.
■ The debug crypto ca command is used to provide information about certificate-based functions from within the security appliance.
■ The show crypto ca certificates command is used to view the certificate that is assigned to the security appliance.
  This command will allow you to verify the attributes and other pertinent certificate information.

Troubleshooting Commands—debug webvpn

The debug webvpn command is used to provide information about the WebVPN service on the Cisco ASA security appliance.

  debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]

  ASA5520(config)# debug webvpn svc 255
  INFO: debug webvpn svc enabled at level 255
  ASA5520(config)# show debug
  debug webvpn svc enabled at level 255

To log WebVPN debug messages, use the debug webvpn command in privileged EXEC mode. To disable the logging of WebVPN debug messages, use the no form of this command.

  debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]
  no debug webvpn [chunk | cifs | citrix | failover | html | javascript | request | response | svc | transformation | url | util | xml] [level]

debug webvpn Command Description

  debug webvpn     Enables logging of WebVPN debug messages.
  chunk            Displays debug messages about memory blocks that are used to support WebVPN connections.
  cifs             Displays debug messages about connections between Common Internet File System (CIFS) servers and WebVPN users.
  citrix           Displays debug messages about connections between Citrix MetaFrame servers and Citrix Independent Computing Architecture (ICA) clients over WebVPN.
  failover         Displays debug messages about equipment failovers that are affecting WebVPN connections.
  html             Displays debug messages about HTML pages that are sent over WebVPN connections.
  javascript       Displays debug messages about JavaScript that is sent over WebVPN connections.
  request          Displays debug messages about requests that are issued over WebVPN connections.
  response         Displays debug messages about responses issued over WebVPN connections.
  svc              Displays debug messages about connections to SSL VPN Clients over WebVPN.
  transformation   Displays debug messages about WebVPN content transformation.
  url              Displays debug messages about website requests that are issued over WebVPN connections.
  util             Displays debug messages about CPU use dedicated to supporting connections to WebVPN remote users.
  xml              Displays debug messages about XML that is sent over WebVPN connections.
  level            (Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number.

Note Debugging at higher levels will impact device performance. Do not increase the debugging level during high network activity. Proper observance of maintenance windows for testing and debugging is important.

The following is sample output from a debug webvpn svc 255 command:

  webvpn_rx_data_tunnel_connect
  CSTP state = HEADER_PROCESSING
  http_parse_cstp_method()
  ...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
  webvpn_cstp_parse_request_field()
  ...input: 'Host: 192.168.4.2'
  Processing CSTP header line: 'Host: 192.168.4.2'
  webvpn_cstp_parse_request_field()

The client will be using the Cisco AnyConnect SSL VPN Client:

  ...input: 'User-Agent: Cisco AnyConnect VPN Client 2, 0, 0343'
  Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Client 2, 0, 0343'
  Setting user-agent to: 'Cisco AnyConnect VPN Client 2, 0, 0343'
  webvpn_cstp_parse_request_field()

The Cisco AnyConnect SSL VPN session logs in using the WebVPN session cookie that the portal issued:

  ...input: 'Cookie: webvpn=2144315584057344012028964769050D37E79E639919871A4A9487468DEDA34BDF81'
  Processing CSTP header line: 'Cookie: webvpn=2144315584057344012028964769050D37E79E639919871A4A9487468DEDA34BDF81'
  Found WebVPN cookie: 'webvpn=2144315584057344012028964769050D37E79E639919871A4A9487468DEDA34BDF81'
  WebVPN Cookie: 'webvpn=2144315584057344012028964769050D37E79E639919871A4A9487468DEDA34BDF81'
  IPADDR: '2144315584', INDEX: '57344', LOGIN: '1202896476'
  webvpn_cstp_parse_request_field()
  ...input: 'X-CSTP-Version: 1'
  Processing CSTP header line: 'X-CSTP-Version: 1'
  Setting version to '1'
  webvpn_cstp_parse_request_field()

User end-station host name:

  ...input: 'X-CSTP-Hostname: jdoe-wxp'
  Processing CSTP header line: 'X-CSTP-Hostname: jdoe-wxp'
  Setting hostname to: 'jdoe-wxp'
  webvpn_cstp_parse_request_field()
  ...input: 'X-CSTP-Accept-Encoding: deflate;q=1.0'
  Processing CSTP header line: 'X-CSTP-Accept-Encoding: deflate;q=1.0'
  webvpn_cstp_parse_request_field()
  ...input: 'X-CSTP-MTU: 1206'
  Processing CSTP header line: 'X-CSTP-MTU: 1206'
  webvpn_cstp_parse_request_field()
  ...input: 'X-CSTP-Address-Type: IPv4'
  Processing CSTP header line: 'X-CSTP-Address-Type: IPv4'

DTLS negotiation:

  webvpn_cstp_parse_request_field()
  ...input: 'X-DTLS-Master-Secret: CED5B29E80D8A5ACF305147196BC138698BF39AFE6041D97A449055531D888027DBABA09F7E2FEAE2D1CBE0E77A6B093'
  Processing CSTP header line: 'X-DTLS-Master-Secret: CED5B29E80D8A5ACF305147196BC138698BF39AFE6041D97A449055531D888027DBABA09F7E2FEAE2D1CBE0E77A6B093'
  webvpn_cstp_parse_request_field()
  ...input: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'
  Processing CSTP header line: 'X-DTLS-CipherSuite: AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA'

The X-DTLS-Master-Secret header carries the key material for the DTLS tunnel inside the TLS-protected CSTP exchange, and debug webvpn prints it in the clear, as it does the webvpn session cookie. Treat captured debug output as credential material: do not paste it into tickets or e-mail, and clear it once the problem is resolved.

Address assignment to the host:

  Validating address: 0.0.0.0
  CSTP state = WAIT_FOR_ADDRESS
  webvpn_cstp_accept_address: 172.26.104.102/255.255.255.0
  CSTP state = HAVE_ADDRESS
  SVC: NP setup
  np_svc_create_session(0x6000, 0xC7561810, TRUE)
  webvpn_svc_np_setup
  SVC ACL Name: NULL
  SVC ACL ID: -1
  SVC ACL ID: -1
  vpn_put_uauth success!
  SVC IPv6 ACL Name: NULL
  SVC IPv6 ACL ID: -1
  SVC: adding to sessmgmt
  SVC: Sending response

The two "SVC ACL Name: NULL" lines show that no VPN filter is applied to this session, so the assigned address can reach whatever the inside interface policy permits; apply a vpn-filter in the group policy when the session should be restricted.

NAC not in use by the current configuration:

  Unable to initiate NAC, NAC might not be enabled or invalid policy
  CSTP state = CONNECTED
  webvpn_rx_data_cstp
  webvpn_rx_data_cstp: got internal message
  Unable to initiate NAC, NAC might not be enabled or invalid policy

Troubleshooting Commands—debug aaa

The debug aaa command is used to debug AAA functions on the Cisco ASA security appliance, whether authenticating to the internal user database or to an external AAA server.

  debug aaa [accounting | authentication | authorization | internal | common [level]]

  ASA5520# debug aaa internal
  debug aaa internal enabled at level 1
  ASA5520# debug aaa common 255
  debug aaa common enabled at level 255
  ASA5520# show debug
  debug aaa internal enabled at level 1
  debug aaa common enabled at level 255

To show debug messages for AAA, use the debug aaa command in privileged EXEC mode.
To stop showing AAA messages, use the no form of this command.

  debug aaa {accounting | authentication | authorization | internal | common [level]}
  no debug aaa

debug aaa Command Description

  debug aaa        Enables logging of AAA debug messages.
  accounting       (Optional) Shows debug messages for accounting only.
  authentication   (Optional) Shows debug messages for authentication only.
  authorization    (Optional) Shows debug messages for authorization only.
  internal         (Optional) Shows debug messages for AAA functions that are supported by the local database only.
  common           (Optional) Shows debug messages for VPN-related AAA functions only.

The following is example output from a Cisco AnyConnect SSL VPN session login, using the debug aaa internal and debug aaa common 255 commands:

  AAA API: In aaa_open
  AAA session opened: handle = 15
  AAA API: In aaa_process_async
  aaa_process_async: sending AAA_MSG_PROCESS
  AAA task: aaa_process_msg(c75fa720) received message type 0
  AAA FSM: In AAA_StartAAATransaction
  AAA FSM: In AAA_InitTransaction
  aaai_policy_name_to_server_id(AnyConnectPolicy)
  Got server ID 0 for group policy DB
  Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
  AAA FSM: In AAA_BindServer
  AAA_BindServer: Using server:
  AAA FSM: In AAA_SendMsg
  User: AnyConnectPolicy
  Resp:
  grp_policy_ioctl(9921100, 114698, c75f9ca8)
  grp_policy_ioctl: Looking up AnyConnectPolicy
  callback_aaa_task: status = 1, msg =
  AAA FSM: In aaa_backend_callback
  aaa_backend_callback: Handle = 15, pAcb = cedb5aa8
  AAA task: aaa_process_msg(c75fa720) received message type 1
  AAA FSM: In AAA_ProcSvrResp
  Back-end response:
  Tunnel Group Policy Status: 1 (ACCEPT)
  Resetting 0.0.0.0's numtries
  AAA FSM: In AAA_NextFunction
  AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
  AAA_NextFunction: authen svr = , author svr = , user pol = , tunn pol = AnyConnectPolicy
  AAA_NextFunction: New i_fsm_state = IFSM_DONE,
  AAA FSM: In AAA_ProcessFinal
  AAA FSM: In AAA_Callback
  user attributes:
  None
  user policy attributes:
  None
  tunnel policy attributes:
    1  Tunnelling-Protocol(4107)                              48
    2  Split-Tunnel-Inclusion-List(4123)                      "Corporate"
    3  Split-Tunneling-Policy(4151)
    4  URL List name(4167)                                    "Student-Bookmark"
    5  WebVPN SVC Keep enable(4201)                           2
    6  WebVPN SVC Keepalive interval(4203)                    300
    7  WebVPN SVC Client DPD period(4204)                     30
    8  WebVPN SVC Gateway DPD period(4205)                    30
    9  WebVPN Customization(4209)                             "ClientlessSSLVPN"
   10  WebVPN SVC DTLS enable(4219)                           2
   11  CVC-Ask(4227)                                          1
   12  CVC-Ask-Timeout(4228)                                  0
   13  List of address pools to assign addresses from(4313)   "AnyConnectPool"
  AAA API: In aaa_close
  AAA task: aaa_process_msg(c75fa720) received message type 3
  In aaai_close_session (15)
  AAA API: In aaa_send_acct_start

Because the tunnel group authenticates with certificates, no authentication or authorization server appears in this trace (authen svr and author svr are empty); only the group policy lookup is performed, and the attribute list that follows is what the session is granted.

Troubleshooting Commands—debug crypto ca

The debug crypto ca command is used to display certificate-related messages from the crypto engine.

  debug crypto ca [messages | server | transactions] [level]

  ASA5520(config)# debug crypto ca 5
  ASA5520(config)# debug crypto ca transactions 5
  ASA5520(config)# debug crypto ca messages 5
  ASA5520(config)# show debug
  debug crypto ca enabled at level 5
  debug crypto ca messages enabled at level 5
  debug crypto ca transactions enabled at level 5

To show debug messages for PKI activity (used with CAs), use the debug crypto ca command in privileged EXEC mode. To stop showing debug messages for public key infrastructure (PKI), use the no form of this command.

  debug crypto ca [messages | transactions] [level]
  no debug crypto ca [messages | transactions] [level]

debug crypto ca Command Description

  debug crypto ca   Enables PKI debug messages.
  messages          (Optional) Shows only debug messages for PKI input and output messages.
  transactions      (Optional) Shows only debug messages for PKI transactions.
  level             (Optional) Sets the debug message level to display, between 1 and 255. The default is 1. To display additional messages at higher levels, set the level to a higher number. Level 1 (the default) shows messages only when errors occur. Level 2 shows warnings. Level 3 shows informational messages. Levels 4 and up show additional information for troubleshooting.

The following is example output from a Cisco AnyConnect SSL VPN session login, using the debug crypto ca 5, debug crypto ca transactions 5, and debug crypto ca messages 5 commands:

  CRYPTO_PKI: Sorted chain size is: 1
  CRYPTO_PKI: Found ID cert. serial number: 02, subject name: cn=student1
  CRYPTO_PKI: Verifying certificate with serial number: 02, subject name: cn=student1, issuer_name: cn=ASA5520.cisco.com.
  CRYPTO_PKI: Checking to see if an identical cert is already in the database...
  CRYPTO_PKI(Cert Lookup) issuer="cn=ASA5520.cisco.com" serial number=02
  CRYPTO_PKI: looking for cert in handle=c82ae078, digest=
    33 e4 f9 be 55 ad 51 4f 8e ff 96 4d cd a6 e3 14  | 3...U.QO...M....
  CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
  CRYPTO_PKI: Cert not found in database.
  CRYPTO_PKI: Looking for suitable trustpoints...
  CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.
  CRYPTO_PKI(make trustedCerts list)
  CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
  CRYPTO_PKI: Certificate validated. serial number: 02, subject name: cn=student1.
  CRYPTO_PKI: Certificate validated without revocation check.
  CRYPTO_PKI: valid cert with warning.
  CRYPTO_PKI: valid cert status.
  CRYPTO_PKI: Sorted chain size is: 1
  CRYPTO_PKI: Found ID cert. serial number: 02, subject name: cn=student1
  CRYPTO_PKI: Verifying certificate with serial number: 02, subject name: cn=student1, issuer_name: cn=ASA5520.cisco.com.
  --SNIP--
  CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 02, subject name: cn=student1, issuer_name: cn=ASA5520.cis...

Match the client certificate to the configured map rule:

  CRYPTO_PKI: Processing map rules for AnyConnect.
  CRYPTO_PKI: Processing map AnyConnect sequence 10...
  CRYPTO_PKI: Match of subject-name attr field to map PASSED. Peer cert field: cn = student1, map rule: subject-name attr cn eq stud.
  CRYPTO_PKI: Peer cert has been authorized by map: AnyConnect sequence: 10.
  CRYPTO_PKI: Tunnel Group Match on map AnyConnect sequence # 10. Group name is AnyConnect
  CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 02, subject name: cn=student1, issuer_name: cn=ASA5520.cis...
  CRYPTO_PKI: Processing map rules for AnyConnect.
  CRYPTO_PKI: Processing map AnyConnect sequence 10...
  CRYPTO_PKI: Match of subject-name attr field to map PASSED. Peer cert field: cn = student1, map rule: subject-name attr cn eq stud.
  CRYPTO_PKI: Peer cert has been authorized by map: AnyConnect sequence: 10.
  CRYPTO_PKI: Tunnel Group Match on map AnyConnect sequence # 10. Group name is AnyConnect

Troubleshooting Commands—show crypto ca

The show crypto ca command is used to show information about the configured local certificates and certificate authority settings.
  show crypto ca [certificates | crls | server | trustpoint]

show crypto ca Command Description

  show crypto ca certificates       Displays the certificates associated with a specific trustpoint, or displays all the certificates that are installed on the system.
  show crypto ca crls               Displays all cached CRLs, or displays all CRLs that are cached for a specified trustpoint.
  show crypto ca server             Displays the status of the local certificate authority (CA) configuration on the security appliance.
  show crypto ca server cert-db     Displays all or a subset of local CA server certificates, including those that are issued to a specific user:
                                    show crypto ca server cert-db [user username | allowed | enrolled | expired | on-hold] [serial certificate-serial-number]
  show crypto ca server certificate Displays the certificate for the local CA server in base64 format.
  show crypto ca server crl         Displays the current certificate revocation list (CRL) of the local CA.
  show crypto ca server user-db     Displays users that are included in the local CA server user database.

The following is the output from the show crypto ca certificates command:

  ASA5520(config)# show crypto ca certificates

Identity certificate:

  Certificate
    Status: Available
    Certificate Serial Number: 31
    Certificate Usage: General Purpose
    Public Key Type: RSA (1024 bits)
    Issuer Name:
      hostname=ASA5520
      cn=ASA5520
      l=Corporate Office
    Subject Name:
      hostname=ASA5520
      cn=ASA5520
      l=Corporate Office
    Validity Date:
      start date: 21:15:33 EST Feb 12 2008
      end   date: 21:15:33 EST Feb 9 2018
    Associated Trustpoints: ASDM_TrustPoint0

CA certificate:

  CA Certificate
    Status: Available
    Certificate Serial Number: 01
    Certificate Usage: Signature
    Public Key Type: RSA (1024 bits)
    Issuer Name:
      cn=ASA5520.cisco.com
    Subject Name:
      cn=ASA5520.cisco.com
    Validity Date:
      start date: 21:08:26 EST Feb 12 2008
      end   date: 21:08:26 EST Feb 11 2011
    Associated Trustpoints: LOCAL-CA-SERVER

The lab certificates use 1024-bit RSA keys, and the identity certificate is self-signed. In production, generate keys of at least 2048 bits and obtain the identity certificate from a CA that the clients already trust, so that users are not trained to click through certificate warnings during the first connection.

The following is example output from the show crypto ca server and show crypto ca server user-db commands:

  ASA5520(config)# show crypto ca server
  Certificate Server LOCAL-CA-SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked (enter "shutdown" to unlock it)
    Issuer name: CN=ASA5520.cisco.com
    CA certificate fingerprint/thumbprint: (MD5)
      2a2f6ad1 5ded45cc cb804c12 8d568022
    CA certificate fingerprint/thumbprint: (SHA1)
      eedc1be5 857ad5f8 35165261 0c23df98 4fa084a1
    Last certificate issued serial number: 0x2
    CA certificate expiration timer: 21:08:26 EST Feb 11 2011
    CRL NextUpdate timer: 09:07:28 EST Feb 13 2008
    Current primary storage dir: flash:/LOCAL-CA-SERVER/
    Auto-Rollover configured, overlap period 30 days
    Autorollover timer: 21:07:56 EST Jan 12 2011

  ASA5520(config)# show crypto ca server user-db
  username: student1
  email:
  dn: CN=student1,OU=Remote Access,O=Cisco Systems Inc.,C=US,ST=CA
  allowed: 0:25 EST Fri Feb 15 2008
  notified: 1 time
  enrollment status: Enrolled, Certificate valid until 21:37:54 EST Wed Feb 12 2008
  --SNIP--

The SHA1 fingerprint printed here is the value to compare against the thumbprint the browser shows when the root CA certificate is installed on a client.

Troubleshooting Procedures—Check User Privileges

User settings are important when deploying Cisco AnyConnect SSL VPN, because downloading the Cisco AnyConnect SSL VPN Client requires administrative permission.
Troubleshooting Procedures—Check User Privileges

You can check user privilege levels in several ways:

- Check user privileges on the system by using the Users control panel.
- Choose the users by double-clicking on them, and then find out to which group they belong.
- With Groups, Administrators, and Power Users, both ActiveX and Java are enabled by default.
- The Users group has more restrictions applied, and only Java is allowed to run with default privileges.
- Privilege levels can also be obtained by using cacls in a command shell.

Troubleshooting Procedures—Check ActiveX Settings

ActiveX must have the appropriate privileges to autodownload the VPN Client to the client system.

Note: Prior to following these steps for ActiveX, ensure that the Cisco ASA security appliance is part of the trusted zone within the web browser.
To ensure that ActiveX has the appropriate permissions to run on the client system, complete the following steps:

Step 1   Run the Group Policy Editor by choosing Start > Run > gpedit.msc to check and configure the ActiveX controls.
Step 2   After the Group Policy Editor opens, navigate to the User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone submenu.
Step 3   Ensure that the following ActiveX controls are enabled:
         - Run ActiveX Controls and Plugins
         - Script ActiveX Controls Marked Safe for Scripting
         - Allow Active Scripting

This figure illustrates the ActiveX verification process.

Troubleshooting Procedures—Check Java Settings

Java support is required for client access to the Cisco AnyConnect SSL VPN client software through the web portal.

You can verify the Java configuration as follows:

- Verify that a compliant version is running (1.4 or later).
- Verify that the web browser is selected in the Java Plug-in control panel.

This figure illustrates the applet that is used to verify which web browser is associated with the configured version of Java.

Troubleshooting Scenario 1—Cannot Download Cisco AnyConnect SSL VPN Client

Follow these troubleshooting steps if you are unable to download the Cisco AnyConnect SSL VPN Client software package.
If you cannot download the Cisco AnyConnect SSL VPN Client, you should use these procedures:

- Check user privileges on the system by using the Users control panel.
- Verify that the Cisco ASA security appliance is configured as a trusted site.
- Verify that ActiveX has permission to run and that the proper ActiveX controls are enabled.
- Verify that the web browser is selected by the Java plug-in and that the system is running a compliant version of Java.
- If the client system gets to the Cisco AnyConnect SSL VPN Client download and fails:
  - Ensure that the client image is valid.
  - Ensure that no network filters are in place that could block traffic.
  - Try to manually install by using the .msi file.

Troubleshooting Scenario 2—Cannot Connect to the Cisco AnyConnect SSL VPN Network

Follow these troubleshooting steps if you are unable to connect to the SSL VPN network.

If you cannot connect to the Cisco AnyConnect SSL VPN network, you should use these procedures:

- Check device configuration, user credentials, and client configuration and permissions.
- Run previously discussed debugs and show commands to help identify the cause of failure.
- Ensure that the Cisco ASA security appliance is configured as a trusted site.
- If a custom group policy was configured, ensure that the client address pool has been assigned to the policy. Without an address, the connection will fail.
- If certificates are being used for authentication, and the Cisco ASA security appliance is the root CA, use these procedures:
  - Ensure that the root certificate is installed from the ASA security appliance.
  - Ensure that the client certificate is installed.
  - Verify that users are being mapped to the proper VPN connection profile by using aliases, group-URLs, or certificate to VPN connection profile maps.
Here are several additional procedures to use if you cannot connect to the Cisco AnyConnect SSL VPN network:

- In the event of a client failure or crash, collect the following information:
  - System and application event logs
  - SetupApi.log
  - winmsd /nfo c:\system.nfo
  - agent.exe.mdmp file
- Contact Cisco customer support.

Summary

This topic summarizes what you have learned in this lesson.

- The Cisco AnyConnect SSL VPN Client provides full network access to corporate resources by using a standalone software package.
- The Cisco AnyConnect SSL VPN Client can be installed by accessing a configured web portal on the Cisco ASA security appliance or by using a standalone installation MSI.
- By default, DTLS is enabled when using the Cisco AnyConnect SSL VPN Client, but it can be disabled in the SSL VPN connection profile, group policy, or user policy.
- Configuration of DPD is required for DTLS fallback to TLS.
- Certificate-based authentication can be configured by using the local CA server to assign certificates to clients and then authenticating each client connection request.
- The SSL VPN operation can be verified with the Cisco ASDM or Cisco ASA CLI by using commands such as debug webvpn, debug aaa, and debug crypto ca.

Lesson 4

Using Cisco Secure Desktop

Overview

This lesson introduces the use of Cisco Secure Desktop in an enterprise network. Cisco Secure Desktop seeks to minimize the risks that are posed by the use of remote devices to establish a Cisco clientless Secure Sockets Layer (SSL) virtual private network (VPN) or Cisco AnyConnect Client session. Cisco Secure Desktop provides a number of features that you can configure to work independently or together. Cisco SSL VPN solutions provide organizations with robust and flexible products for protecting their sensitive and private information, and they can play an important part in the compliance strategies of an organization. No single technology today addresses all security requirements under the proposed standards. In addition, given operating system limitations, no technology that interoperates with an operating system can ensure the total removal of all data, especially from an untrusted system with potentially malicious third-party software installed. However, deployments using Cisco Secure Desktop, when combined with other security controls and mechanisms within the context of an effective risk-management strategy and policy, can help to reduce risks that are associated with using such technologies.

Objectives

Upon completing this lesson, you should be able to describe the features that are available for Cisco Secure Desktop, how Cisco Secure Desktop interacts with other Cisco clients, and what steps are required to install the Cisco Secure Desktop image. This ability includes being able to meet these objectives:

- Describe the functionality of Cisco Secure Desktop
- Describe the interoperability of the Cisco AnyConnect SSL VPN client
- Install or upgrade the Cisco Secure Desktop image
- List the steps necessary to install Cisco Secure Desktop

Cisco Secure Desktop Overview

This topic discusses the security risks that are facing companies that deploy remote access VPNs, as well as the Cisco Secure Desktop operation and features that mitigate these risks.

Security Concerns for a VPN

SSL VPNs provide the flexibility to deploy secured remote access to corporate resources from any location that can provide a compliant web browser with the proper SSL support. These deployments include access for customers, partners, and employees from systems that are not necessarily corporate managed.
Additional security threats are introduced without direct control over the systems that are used to access corporate resources:

- Before the SSL VPN session
  - Who owns the endpoint?
  - Endpoint security posture: Does the system have antivirus or a personal firewall?
  - Is the system already running malware?
- During the SSL VPN session
  - Is the session data protected?
  - Are locally typed passwords protected?
  - Has malware been launched during the session?
- After the SSL VPN session
  - Has the browser cached intranet web pages?
  - Has the browser stored any passwords?
  - Are there any downloaded files left behind on the system?

SSL VPN Security: Protection of Confidential Information

Protection of confidential information should always be a concern for network security. However, SSL VPN deployments present a new set of problems that may not be at the forefront of the network security design. When deploying SSL VPN, the following items should also be taken into account:

- Cookies
  - Usernames and passwords
  - URL history
- Page caches
  - Sensitive corporate data
- Downloaded files
  - Confidential documents
  - Product specifications

The Cisco ASA adaptive security appliance provides a number of security measures that can be applied to SSL VPN deployments, whether they are using a Clientless model or the Cisco

Cisco ASA Endpoint Control for Clientless SSL VPN

Clientless SSL VPN deployments rely on the client systems to use the SSL functionality built into their installed web browsers. Since no client is required on the client system, users can connect to the SSL VPN by using systems that are not managed corporate resources. This increased flexibility comes at a price. If clients connect by using public access systems, which can provide an entry point into the corporate network, there is no control over the security posture for the client system. The Cisco ASA security appliance can provide the following security mechanisms for Clientless SSL VPN users to help mitigate the security risk:

- Policies for Clientless SSL VPN users and groups
  - Restrict access to VLAN
  - Apply web access control list (ACL) filter
  - Control URL entry
  - Control file server entry and browsing
- Policies applied based on end-station criteria
  - Cisco Secure Desktop
  - Dynamic Access Policy (DAP)

Cisco ASA Endpoint Control for Cisco AnyConnect SSL VPN

The Cisco ASA security appliance also supports the deployment of Cisco AnyConnect SSL VPNs. The Cisco AnyConnect SSL VPN provides full network access for remote clients, similar to that of IP Security (IPsec) clients. After the user connects to the security appliance web portal, the Cisco AnyConnect SSL VPN client can be automatically downloaded to the client system and connected to the corporate network.
The requirement for Administrator privileges on the client system all but rules out the use of non-corporate managed resources. However, it is important to point out that clients connecting to Cisco AnyConnect SSL VPNs must also be secured and the proper network policy enforced. That a client is a corporate managed system does not make it any less of a threat to the corporate network. The Cisco ASA security appliance can provide the following security mechanisms for Cisco AnyConnect SSL VPN users to help mitigate the security risk:

- Policies for Cisco AnyConnect Client users and groups
  - Assign IP address based on user/group identity
  - Apply network ACL filter
  - Restrict access to VLAN
- Policies applied based on end-station criteria
  - Cisco Secure Desktop
  - Dynamic Access Policy (DAP)
  - Assign NAC policy

Additionally, the Cisco ASA security appliance provides integration with a new or existing Cisco NAC framework when used with the IPsec or Cisco AnyConnect SSL VPN client. The NAC framework provides policy enforcement on the network, based on client requirements that are specified by the network security policy. Its use requires the security appliance to act as an authentication client to a Cisco Secure Access Control Server (ACS) that is configured on the network.

Cisco Secure Desktop Integration into Dynamic Access Policies

The Cisco ASA security appliance integrates the Cisco Secure Desktop features into DAPs. Depending on the configuration, the security appliance uses one or more endpoint attribute values in combination with optional authentication, authorization, and accounting (AAA) attribute values as conditions for assigning a DAP. The Cisco Secure Desktop features that are supported by the endpoint attributes of DAPs include operating system detection, prelogin policies, basic host scan results, and endpoint assessment. (The sections that follow describe these features.)
As an administrator, you can specify a single attribute or combine attributes that together form the conditions required to assign a DAP to a session. The DAP provides network access at the level that is appropriate for the endpoint and AAA attribute values. The security appliance applies a DAP when all of its configured endpoint criteria are satisfied. If, after the assignment of a DAP, a remote device later satisfies the conditions that are required by another DAP, the security appliance replaces the previous DAP assignment with the new one. A change to the security of the remote device during the session is one example that shows the advantages of the flexibility of DAPs.

Cisco Secure Desktop Features

Cisco Secure Desktop is a multifunctional component of the Cisco SSL VPN solution. The main features of Cisco Secure Desktop include these:

- Host Scan
- Secure Session
- Cache Cleaner
- Keystroke Logger Detection

Host Scan

Host Scan is a new feature that checks for watermarks on a remote computer. These watermarks can signify whether or not the computer is corporate-owned. The watermark options include a registry value, a filename and optional hash to validate the file, and a digital certificate.

- Host Scan is a feature that checks for watermarks on a remote computer.
- The watermark checks include:
  - Registry value
  - Filename and optional hash to validate the file
  - Digital certificate
- Host Scan can be used to check for the presence of required end-system software.
- Cisco Secure Desktop 3.2.1 adds support for Macintosh and Linux-based systems.

You can also use Host Scan to configure a check for the presence of required end-system software, including antivirus, personal firewall, and antispyware applications and updates.
With the introduction of Host Scan, Cisco Secure Desktop is enhanced in this release to support hundreds of versions of these applications, is available for Microsoft Windows Vista and XP, and is integrated with the DAP feature in Cisco ASA Adaptive Security Appliance Software Version 8.0.

Note: Support for Macintosh and Linux-based systems is added in Cisco Secure Desktop 3.2.1 and later.

Host Scan is a module that installs on the remote device after the user connects to the security appliance, before the user logs in. In Version 3.2.1, Host Scan runs on Microsoft Windows Vista, Windows XP, and Windows 2000. Host Scan consists of any combination of the following modules (Basic Host Scan, Endpoint Assessment, and Advanced Endpoint Assessment), as configured by the Cisco Secure Desktop administrator.

Basic Host Scan automatically identifies operating systems and service packs on connecting computers. It also lets you configure inspections for specific process names and filenames, and it keys on those that are running Microsoft Windows operating systems. Thus, you can use this feature to configure checks for watermarks on remote computers to determine whether or not they are corporate-owned. You can use the Basic Host Scan results when configuring different DAPs to distinguish corporate computers, home computers, and public computers.

If Cisco Secure Desktop is enabled on the security appliance, Basic Host Scan attempts to run on any remote device that is establishing a Cisco Clientless SSL VPN or Cisco AnyConnect Client session. The operating system detection automatically qualifies or disqualifies the remote device from running Endpoint Assessment, Secure Session, and Cache Cleaner, whichever is configured to run. Use Cisco Secure Desktop Manager to explicitly configure the process name, filename, and registry key checking that Basic Host Scan will perform.
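The following added example (not Cisco code, and not how the appliance or Host Scan is implemented internally) models the two pieces described above and in the DAP section: Basic Host Scan evaluating configured watermark checks (a file with an optional hash, a registry value, a process name) against a remote computer, and the appliance choosing a DAP for which every configured endpoint and AAA criterion holds, replacing the assignment when a later assessment satisfies a different DAP. The endpoint snapshots, check definitions, DAP records and the "highest priority wins" tie-break are all constructed for this example; the text does not say how the appliance combines several matching DAPs.

```python
import copy
import hashlib

# Constructed endpoint snapshots standing in for what Basic Host Scan would
# observe on two machines (not real scan output).
CORP_LAPTOP = {
    "os": "Windows XP", "service_pack": 2,
    "files": {r"C:\corp\watermark.txt": b"ACME-MANAGED-2008\n"},
    "registry": {r"HKLM\SOFTWARE\ACME\Managed": "1"},
    "processes": {"explorer.exe", "avengine.exe"},
}
PUBLIC_KIOSK = {
    "os": "Windows 2000", "service_pack": 4,
    "files": {}, "registry": {}, "processes": {"explorer.exe"},
}

# Watermark and process checks as an administrator might configure them in
# Secure Desktop Manager (hypothetical names, paths and values).
HOST_SCAN_CHECKS = {
    "corp_file": {"type": "file", "path": r"C:\corp\watermark.txt",
                  "sha1": hashlib.sha1(b"ACME-MANAGED-2008\n").hexdigest()},
    "corp_reg": {"type": "registry", "key": r"HKLM\SOFTWARE\ACME\Managed", "value": "1"},
    "av_running": {"type": "process", "name": "avengine.exe"},
}


def basic_host_scan(endpoint, checks):
    """Return the endpoint attributes the appliance receives: OS and service
    pack plus one boolean per configured check."""
    attrs = {"os": endpoint["os"], "service_pack": endpoint["service_pack"]}
    for name, chk in checks.items():
        if chk["type"] == "file":
            data = endpoint["files"].get(chk["path"])
            ok = data is not None
            if ok and chk.get("sha1"):  # optional hash: presence alone is not enough
                ok = hashlib.sha1(data).hexdigest() == chk["sha1"]
        elif chk["type"] == "registry":
            ok = endpoint["registry"].get(chk["key"]) == chk["value"]
        elif chk["type"] == "process":
            ok = chk["name"] in endpoint["processes"]
        else:
            raise ValueError("unknown check type %r" % chk["type"])
        attrs[name] = ok
    return attrs


# Hypothetical DAP records. Every listed endpoint and AAA criterion must hold
# for a record to apply; in this model the highest-priority match wins.
DAPS = [
    {"name": "corporate-full", "priority": 30,
     "endpoint": {"corp_file": True, "corp_reg": True, "av_running": True},
     "aaa": {"group": "employees"}, "access": "full-tunnel"},
    {"name": "employee-limited", "priority": 20,
     "endpoint": {"av_running": True}, "aaa": {"group": "employees"},
     "access": "webvpn-only"},
    {"name": "default", "priority": 0, "endpoint": {}, "aaa": {},
     "access": "terminate"},
]


def select_dap(daps, endpoint_attrs, aaa_attrs):
    """Pick the DAP whose criteria are all satisfied by the session."""
    matches = [d for d in daps
               if all(endpoint_attrs.get(k) == v for k, v in d["endpoint"].items())
               and all(aaa_attrs.get(k) == v for k, v in d["aaa"].items())]
    return max(matches, key=lambda d: d["priority"])


class VpnSession:
    """Holds the DAP assigned to one session and swaps it whenever a later
    assessment satisfies a different record."""

    def __init__(self, aaa_attrs):
        self.aaa = aaa_attrs
        self.dap = None
        self.history = []

    def assess(self, endpoint):
        attrs = basic_host_scan(endpoint, HOST_SCAN_CHECKS)
        new = select_dap(DAPS, attrs, self.aaa)
        if new is not self.dap:
            self.dap = new
            self.history.append(new["name"])
        return new["access"]


if __name__ == "__main__":
    s = VpnSession({"group": "employees"})
    print(s.assess(CORP_LAPTOP))       # full-tunnel
    degraded = copy.deepcopy(CORP_LAPTOP)
    degraded["processes"].discard("avengine.exe")
    print(s.assess(degraded))          # terminate: the DAP was replaced mid-session
```

Two details are worth noticing. A watermark file that is present but whose contents differ from the configured hash fails the check, so a copied filename alone does not make a kiosk look corporate-owned; and a session that started on the corporate DAP drops to the default DAP as soon as a reassessment finds the antivirus process gone, which is the mid-session replacement the DAP section describes.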
Basic Host Scan returns the name of the operating system and service pack, and the results of any configured checks, to the security appliance.

Endpoint Assessment, a Host Scan extension, examines the remote computer for a large collection of antivirus and antispyware applications, associated definitions updates, and firewalls. You can use this feature to combine endpoint criteria to satisfy your requirements before the security appliance assigns a specific DAP to the session.

Advanced Endpoint Assessment, another Host Scan extension, lets you configure an attempt to update noncompliant computers. For example, you can use this feature to attempt to force updates of a specific antivirus application version and its antivirus definitions file. This feature requires an Advanced Endpoint Assessment license.

Secure Session

Secure Session provides a secured workspace for users of the Clientless or Cisco AnyConnect SSL VPN.

Secure Session, also called Secure Desktop or Vault, encrypts the data and files that are associated with or downloaded during the remote session into a secure desktop partition, and presents a graphical representation of a desktop that includes an image of a lock to signify a safe environment for the remote user to work in. Upon session termination, it uses a U.S. Department of Defense (DoD) sanitation algorithm to remove the partition. Typically used during clientless SSL VPN sessions, Secure Session attempts to reduce the possibility that cookies, browser history, temporary files, and downloaded content remain after a remote user logs out, the session times out, or an abrupt termination occurs.

Secure Session runs over Microsoft Windows XP and Windows 2000. If a prelogin policy is configured to install Secure Session, but the operating system on the remote computer does not support Secure Session, Cache Cleaner attempts to install instead.

Note: As of Cisco Secure Desktop 3.2.1, Windows Vista is still not supported for Secure Desktop.

Cache Cleaner

Cache Cleaner, an alternative to Secure Desktop, is functionally more limited than Secure Session, but has the flexibility to support more operating systems. It attempts to eliminate the information from the browser cache at the end of a Clientless SSL VPN or Cisco AnyConnect Client session. This information includes entered passwords, autocompleted text, files cached by the browser, and browser configuration changes made during the session.
Cache Cleaner runs on Microsoft Windows Vista, Windows XP, and Windows 2000; Apple Mac OS X 10.4 (PowerPC or Intel); and Linux.

No technology that interoperates with an operating system can ensure the total removal of all data, especially from an untrusted system with potentially malicious third-party software installed. However, deployments of Cisco SSL VPN using Cisco Secure Desktop, when combined with other security controls and mechanisms within the context of an effective risk-management strategy and policy, can help to reduce risks that are associated with using such technologies.

Web Browsers Compatible with Cache Cleaner

Web Browser                              Cache Cleaner Compatible
Internet Explorer 6.0, Service Pack 1    Yes
Internet Explorer 7.0                    Yes
Mozilla 1.7 to 1.7.13                    Yes
Mozilla Firefox 1.0                      Yes
Mozilla Firefox 1.5                      Yes
Mozilla Firefox 2.0                      Yes
Safari 1.0 to 1.3                        Yes
Safari 2.0                               Yes

Keystroke Logger Detection

Keystroke logger detection and host emulation detection let you deny access based on the presence of a suspected keystroke logging application or a host emulator.

- Keystroke logger detection policy lets the administrator deny access based on the presence of a suspected keystroke logging application or a host emulator.
- At session initiation, CSD checks the host system for abnormal drivers, indicating the presence of keystroke logging programs.
- CSD can prompt the user to choose and terminate the suspicious modules, or terminate them based on policy, before loading the Secure Desktop.
- The user is notified during the session if a keystroke logger is attempting to install from within the secure desktop.

As the administrator, you can use Cisco Secure Desktop Manager to specify the keystroke logging applications that are safe, or let the remote user interactively approve of the applications that the scan identifies.
Both keystroke logger detection and host emulation detection are available with Cache Cleaner for Microsoft Windows or with Secure Session. You can configure each prelogin policy to scan for keystroke logging applications and deny access if a suspected keystroke logging application is present. You can use Secure Desktop Manager to enable or disable this feature and specify the keystroke logging applications that are safe, or let the remote user interactively approve the applications that the scan identifies.

By default, keystroke logger detection is disabled for each prelogin policy. If you enable it, it downloads with Secure Desktop, Cache Cleaner, or Host Scan onto the remote computer. Following the download, keystroke logger detection runs first. The associated module runs only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications that the scan identifies.

Advanced Endpoint Assessment

If network security policy requires that client systems be scanned before they are allowed access to the network, Advanced Endpoint Assessment can be used.

- Supported endpoint components:
  - Antivirus
  - Personal firewall
  - Antispyware
- Licensed feature
- Regular updates provided
- DAPs are optional

Advanced Endpoint Assessment, another Host Scan extension, lets you configure an attempt to update noncompliant computers. For example, you can use this feature to attempt to force updates of a specific antivirus application version and its antivirus definitions file.

Note: This feature requires an Advanced Endpoint Assessment license.

Additional Features in Cisco Secure Desktop 3.2.1

There are several important features added in Cisco Secure Desktop Release 3.2.1:

- Integration with Cisco AnyConnect Client Start Before Logon
- Host Scan support for Mac OS and Linux
- Remediation of multiple applications
- Policy and Cache Cleaner support for Mac OS and Linux
- Keystroke Logger and Host Emulation Detection on Vista
- Secure Desktop list of allowed applications
- Secure Desktop session disconnection timer

Integration with AnyConnect Client Start Before Logon

Release 3.2.1 supports Release 2.1 of the Cisco AnyConnect Client, with the Start Before Logon (SBL) feature of Cisco AnyConnect Client enabled or disabled. The Cisco Secure Desktop modules are not interoperable with Cisco AnyConnect Client Release 2.0 if SBL is enabled.

Host Scan Support for Mac OS and Linux

As a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection, the remote computer installs the Cisco Secure Desktop Host Scan module, which scans for a greatly expanded collection of antivirus and antispyware applications, associated definitions updates, and firewalls. It also scans for registry entries, filenames, and process names that you specify. It sends the scan results to the security appliance. The security appliance uses both the user login credentials and the computer scan results to assign a Dynamic Access Policy (DAP). With an Advanced Endpoint Assessment License, you can enhance Host Scan by configuring an attempt to update noncompliant computers to meet version requirements, so that they meet the conditions required for assignment of prelogin policies.

Release 3.2 introduced Host Scan support for remote computers running Microsoft Windows Vista, Windows XP, and Windows 2000. Release 3.2.1 adds Host Scan support for remote computers running Mac OS X 10.4 and Linux.
The Host Scan extensions let you configure separate enforcement settings for Microsoft Windows, Mac OS, and Linux.

Remediation of Multiple Applications

Advanced Endpoint Assessment now lets you configure remediation of more than one application for each type supported (antivirus, antispyware, and firewall). If you specify more than one application of a given type, Host Scan attempts to remediate the one that is present on the connecting computer.

Policy and Cache Cleaner Support for Mac OS and Linux

The prelogin assessment includes checks for Mac OS X 10.4 and Linux, as well as Microsoft Windows Vista, Windows XP, and Windows 2000. The Cache Cleaner settings assigned to each Cisco Secure Desktop policy now support all five of these operating systems, so the Mac and Linux Cache Cleaner option is no longer present on the Secure Desktop Manager menu.

Keystroke Logger and Host Emulation Detection on Vista

The detection of keystroke loggers and host emulators as part of each Cisco Secure Desktop policy now works for Microsoft Windows Vista, as well as Windows XP and Windows 2000.

Secure Desktop List of Allowed Applications

You can specify the applications that can run on a Secure Desktop, in addition to the originating browser. To do so, choose Secure Desktop Settings under the policy name in the Secure Desktop Manager menu, check Restrict Application Usage to the Web Browser Only, and enter the names of the executable files into the list box that opens, or click Add and choose the options from a preconfigured list. You can also specify a hash to help ensure that the executable file that is specified is authentic; however, if you do this, you should add an entry for each version of the application that you want to allow.

Secure Desktop Session Disconnection Timer

Secure Session displays a countdown when nine seconds are left for the "Enable Secure Desktop inactivity timeout," accompanied by an optional audible timer that beeps each second. The user can restart the timer by moving the mouse.

Cisco Secure Desktop Operation

When fully configured, Cisco Secure Desktop works with the Cisco ASA security appliance to protect the corporate network and the user session information in several phases:

- Phase 1: Prelogin assessment
- Phase 2: Login
- Phase 3: Postlogin and session cleanup

Cisco Secure Desktop protection of client systems takes place over a series of policy enforcement checks at the beginning of a client session, after the client has authenticated to the network, and after the client has terminated the session. Cisco Secure Desktop operation is split into three separate phases.

Phase 1: Prelogin Assessment

The first phase of Cisco Secure Desktop operation includes all of the tasks leading up to user login and assessment of the user's system.

Step 1   A remote user connects to the VPN appliance through SSL.
Step 2   The operating system detection module is downloaded and runs.
Step 3   The prelogin assessment module is downloaded and runs.
Step 4   Based on the prelogin assessment module result, Login Denied or Cisco Secure Desktop policies are applied.

If the remote computer passes a prelogin assessment that is associated with a particular prelogin policy that is configured on the security appliance, a scan of the antivirus, antispyware, personal firewall, and other optional key logger, file, registry, and process checks occurs.
This scan can be turned on or off by the system administrator. Secure Session or Cache Cleaner installs for a particular prelogin policy only if the prelogin assessment that is associated with that policy passes, and only if the Secure Desktop or Cache Cleaner parameters are enabled for the matched prelogin policy. If both the prelogin assessment for a particular prelogin policy and the Host Scan checks pass, and the prelogin policy has both Secure Desktop and Cache Cleaner disabled (typically for a corporate computer login), only the DAP determines the user experience after authentication.

Phase 2: Login
The second phase of Cisco Secure Desktop operation includes all of the tasks associated with user login to the SSL VPN network.

Step 5  Check for keystroke logger and host emulation.
Step 6  Host Scan with Secure Session or Cache Cleaner is downloaded and runs.
Step 7  The user is authenticated and a VPN session is initiated.

After the prelogin assessment is complete, the Cisco Secure Desktop application lets the user begin the network authentication process. During the user authentication process, a secured session desktop is created for the user to switch to, in order to provide a secured workspace during the VPN session.

Phase 3: Postlogin and Session Cleanup
The third phase of Cisco Secure Desktop operation includes all of the tasks that are assigned to postlogin support and session management, including session cleanup.

Step 8  DAP checks are applied.
Step 9  A VPN connection becomes active.
Step 10  Postsession cleanup occurs.
After the user has logged into the network and has an actively managed SSL VPN network session, the user is allowed to access network resources based on the configured policy for that user. After the user terminates the SSL VPN connection (or the idle timeout expires), the Secure Desktop postsession cleanup initiates.

Cisco Secure Desktop Interoperability
This topic includes information on the interoperability of Cisco Secure Desktop.

Operating System
Cisco Secure Desktop has been expanded in Release 3.2.0 and provides even more features for operating systems other than just Microsoft Windows.

Operating System Interoperability

Operating System                             | Prelogin Assessment | Host Scan | Secure Session | Cache Cleaner | Keystroke Logger Detection
Windows Vista                                | Yes                 | Yes       |                | Yes           | 3.2.1
Windows XP                                   | Yes                 | Yes       | Yes            | Yes           | Yes
Windows 2000                                 | Yes                 | Yes       | Yes            | Yes           | Yes
Apple Macintosh OS X 10.4 (PowerPC or Intel) | 3.2.1               |           |                | Yes           |
Linux                                        | 3.2.1               |           |                | Yes           |

(3.2.1 indicates support that was introduced in Cisco Secure Desktop Release 3.2.1.)

Web Browser
Cisco Secure Desktop works with many of the mainstream web browsers that are available on the market.

Web Browser Interoperability

Browser                              | Secure Session | Cache Cleaner
Internet Explorer 6.0 Service Pack 1 | Yes            | Yes
Internet Explorer 7.0                | Yes            | Yes
Mozilla 1.7.10 to 1.7.13             | Yes            | Yes
Mozilla Firefox 1.0                  |                | Yes
Mozilla Firefox 1.5                  |                | Yes
Mozilla Firefox 2.0                  |                | Yes
Safari 1.0 to 1.3                    |                | Yes
Safari 2.0                           |                | Yes

Clientless SSL VPN
This section provides information on the interoperability of the Cisco Secure Desktop modules on remote computers establishing clientless (browser-based) SSL VPN sessions.
Clientless SSL VPN Interoperability

Operating System          | Prelogin Assessment | Host Scan | Secure Session | Cache Cleaner
Windows Vista             | Yes                 | Yes       |                | Yes
Windows XP                | Yes                 | Yes       | Yes            | Yes
Windows 2000              | Yes                 | Yes       | Yes            | Yes
Apple Macintosh OS X 10.4 | 3.2.1               |           |                | Yes
Linux                     | 3.2.1               |           |                | Yes

Cisco AnyConnect SSL VPN Client
This section provides information about the interoperability of the Cisco AnyConnect client modes with Cisco Secure Desktop modules on remote computers.

Cisco AnyConnect SSL VPN Client (Standalone)
[Figure: Cisco AnyConnect SSL VPN Client Interoperability (Standalone), listing Windows Vista, Windows XP, Windows 2000, Apple Macintosh OS X 10.4, and Linux against the Prelogin Assessment, Host Scan, Secure Session, and Cache Cleaner columns.]

Cisco AnyConnect SSL VPN Client (Web Launch)

Cisco AnyConnect SSL VPN Client Interoperability (Web Launch)

Operating System          | Prelogin Assessment | Host Scan | Secure Session | Cache Cleaner
Windows Vista             | Yes                 | Yes       |                | Yes
Windows XP                | Yes                 | Yes       | Yes            | Yes
Windows 2000              | Yes                 | Yes       | Yes            | Yes
Apple Macintosh OS X 10.4 | 3.2.1               |           |                | Yes
Linux                     | 3.2.1               |           |                | Yes

Cisco Security Agent
If your remote users have Cisco Security Agent installed, you must import new Cisco Security Agent policies to the remote users to enable the Cisco AnyConnect VPN client and Cisco Secure Desktop to interoperate with the security appliance.
- Interoperability with Cisco Security Agent requires a policy update for Cisco Security Agent 5.0 and higher.
- The policy update can be found at two different locations: the CD that came with the security appliance, and on the web.
- After download, the policy must be imported into the Cisco Security Agent Management Center to generate new rules to push down to Cisco Security Agent clients.

To enable the Cisco AnyConnect VPN client and Cisco Secure Desktop for the Cisco Security Agent, perform the following steps:

Step 1  Retrieve the Cisco Security Agent policies for the Cisco AnyConnect client and Cisco Secure Desktop. You can get the files from these sources:
- The CD that shipped with the security appliance
- The software download page for the ASA 5500 Series Adaptive Security Appliance at http://www.cisco.com/cgi-bin/tablebuild.pl/asa
Step 2  The filenames are AnyConnect-CSA.zip and Cisco Secure Desktop-for-CSA-Updates.zip. Extract the .export files from the .zip package files.
Step 3  Choose the correct version of the export file to import. The Version 5.2 export files work for Cisco Security Agent Version 5.2 and higher. The 5.x export files are for the earlier 5.x releases.
Step 4  Import the file, using the Maintenance > Export/Import tab on the CSA Management Center.
Step 5  Attach the new rule module to your VPN policy and generate rules.

For more information, see the Cisco Security Agent document Using Management Center for Cisco Security Agents 5.2. Specific information about exporting policies is located in the section Exporting and Importing Configurations.

Preparing the Cisco ASA Appliance for Cisco Secure Desktop
This topic discusses the tasks that are required to prepare a network for the deployment of Cisco Secure Desktop.
Preparing the Cisco ASA for Cisco Secure Desktop ("Thin" or "Enhanced" Client)
Complete the following tasks to prepare the network for Cisco Secure Desktop:
- Task 1: Upload or import (install or upgrade) Cisco Secure Desktop.
- Task 2: Enable or disable Cisco Secure Desktop.
- Task 3: Enter an activation key to support Advanced Endpoint Assessment.
- Task 4: Remove (uninstall) Cisco Secure Desktop.

Upload or Import Cisco Secure Desktop
Cisco Secure Desktop Release 3.2 requires Cisco ASA Adaptive Security Appliance Release 8.0(2). You do not need to restart the security appliance after you install or upgrade Cisco Secure Desktop; however, you must exit and restart your Cisco Adaptive Security Device Manager (ASDM) connection to access Secure Desktop Manager.

Note  Archive and delete the Cisco Secure Desktop sdesktop/data.xml configuration file before upgrading to Cisco Secure Desktop 3.2. To create a clean configuration file, uninstall Cisco Secure Desktop before reinstalling it.

The expanded flexibility provided by a prelogin assessment sequence editor, and the replacement of the Cisco Secure Desktop feature policies with a dynamic access policy (DAP) configured on the security appliance, are incompatible with Cisco Secure Desktop 3.1.1 configurations. Cisco Secure Desktop automatically inserts a new default configuration file when it detects that one is not present.

To install or upgrade Cisco Secure Desktop, complete the following steps:

Step 1  Use your Internet browser to access the following URL and download the securedesktop_asa_<version>.pkg file to My Documents on your PC: http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop
Note  Make sure to verify that the version of Cisco Secure Desktop that is downloaded is compatible with the version of the Cisco ASA security appliance software that you are running. For example, Cisco Secure Desktop 3.2.1 requires 8.0(3) or later to run.

Step 2  Navigate to the Configuration > Remote Access VPN > Secure Desktop Manager > Setup submenu and click Upload to upload the Cisco Secure Desktop system file from a local system folder. Choose the path on the local computer and click Upload File. If you upgraded from an earlier version of Cisco Secure Desktop, the Uninstall Cisco Secure Desktop dialog box opens and displays the following message:

Do you want to delete disk0:securedesktop_asa_<version>.pkg?

Step 3  Click Yes to remove the previous version from the flash memory, and click Proceed in the Refresh Needed window. If you choose to downgrade later, you can use the same method that you used to upgrade (that is, upload and install it). The ASDM Restart Confirmation window displays the following message:

The Secure Desktop image is successfully updated. The new features can be accessed after ASDM is restarted.

Step 4  Apply configuration changes and save the configuration to the security appliance.
Step 5  Restart the Cisco ASDM to refresh the Cisco Secure Desktop configuration menu.

Caution  The default size of the cache file system (20 MB) is not enough to support all four of the Cisco AnyConnect packages (Windows, Linux, Mac OS X i386, Mac OS X PowerPC) and Cisco Secure Desktop. If you want to install all five client packages on the security appliance, you should first increase the maximum size of the cache file system. The recommended size of the cache file system is 22 MB.

Enable Cisco Secure Desktop
Enabling Cisco Secure Desktop loads the Cisco Secure Desktop configuration file (data.xml) from the flash device to the running configuration.
If you transfer or replace the data.xml file, disable and then enable Cisco Secure Desktop to load the file. After the Cisco Secure Desktop image has been loaded, you will notice additional configuration menus and submenus under Configuration > Remote Access VPN > Secure Desktop Manager.

To enable or disable Cisco Secure Desktop, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Secure Desktop Manager > Setup submenu and click the Enable Secure Desktop check box.
Step 2  Click Apply to apply the configuration changes to the security appliance and save the configuration to memory.

Note  Disabling Cisco Secure Desktop does not alter the Cisco Secure Desktop configuration.

Enter an Activation Key to Support Advanced Endpoint Assessment
Advanced Endpoint Assessment includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant computers to meet version requirements. You can use Cisco ASDM to activate a key to support Advanced Endpoint Assessment after acquiring it from Cisco.

To configure the security appliance to use a key for Advanced Endpoint Assessment, complete the following steps:

Step 1  Navigate to the Configuration > Device Management > System Image/Configuration > Activation Key submenu.
Step 2  Enter the new activation key for the security appliance in the provided field and click Update Activation Key.

Note  The activation key is based on the serial number that is assigned to the security appliance.
Providing Cisco with the output of show version is normally sufficient to acquire your activation key with the desired new features.

Removing Cisco Secure Desktop
Uninstalling Cisco Secure Desktop removes the Cisco Secure Desktop configuration file (data.xml) from the sdesktop directory on the flash card. If you want to retain the file, copy it under an alternative name or download it to your workstation before you uninstall Cisco Secure Desktop.

To uninstall Cisco Secure Desktop from the security appliance, complete the following steps:

Step 1  Navigate to the Configuration > Remote Access VPN > Secure Desktop Manager > Setup submenu.
Step 2  Click the Uninstall button and click Yes when prompted to remove Cisco Secure Desktop and all of its files from the security appliance.
Step 3  Click Apply to apply the changes to the security appliance and save the configuration.

Commands Sent from Cisco ASDM to the Cisco ASA Security Appliance

Import:
    webvpn
      csd image disk0:/securedesktop-asa-3.2.0.136-K9.pkg
      cache-fs limit 22
      csd enable

Remove:
    webvpn
      no csd enable
      no csd image

Summary
This topic summarizes what you have learned in this lesson.

- Cisco Secure Desktop provides remote client assessment, content protection, and postsession cleanup for SSL VPN users.
- Cisco Security Agent can be deployed in conjunction with Cisco Secure Desktop, but a Cisco Security Agent policy update is required for versions 5.0 and later.
- The following steps are required to install or upgrade Cisco Secure Desktop:
  - Upload a Cisco Secure Desktop image to the Cisco ASA security appliance or browse the Cisco ASA flash for the image location.
  - Enable Cisco Secure Desktop.
  - Enter an activation key to use Advanced Endpoint Assessment.

Lesson 5
Securing the Desktop with Cisco Secure Desktop and DAP

Overview
This lesson discusses Cisco Secure Desktop and Dynamic Access Policy (DAP). It begins with an overview of the Cisco Secure Desktop workflow. Then it discusses the configuration of Cisco Secure Desktop, including Prelogin Assessments, Secure Desktop, Cache Cleaner, and Host Scan. The lesson concludes with DAP configuration and testing.

Objectives
Upon completing this lesson, you will be able to configure Cisco Secure Desktop and configure DAPs for Secure Sockets Layer (SSL) virtual private network (VPN) client and clientless connections. This ability includes being able to meet these objectives:
- Describe the Cisco Secure Desktop workflow for SSL VPN client and clientless connections
- Configure Cisco Secure Desktop for SSL VPN client and clientless connections
- Configure Advanced Endpoint Assessment for SSL VPN client and clientless connections
- Configure DAP for SSL VPN client and clientless connections

Cisco Secure Desktop Workflow
This topic describes the Cisco Secure Desktop workflow for SSL VPN connections.

When configured, Cisco Secure Desktop works with the Cisco ASA adaptive security appliance to protect the corporate network from SSL VPN connections that may not be under corporate control. It uses the following process:

Step 1  The remote user attempts to establish an SSL VPN connection with the Cisco AnyConnect client or with a web browser (clientless).
Step 2  The operating system detection module downloads, runs, and reports the operating system of the remote user to the security appliance.
Step 3  The prelogin assessment module downloads and checks the computer of the remote user for any files, digital certificates, operating system version, IP address, and Microsoft Windows registry keys that are configured in the Prelogin Assessment within the Cisco Secure Desktop configuration. This step only applies to remote systems that can run the Prelogin Assessment module.
Step 4  Based on the outcome of Step 3, one of the following responses occurs:
- A Login Denied message appears if the remote computer runs the Prelogin Assessment and fails the assessment policy. At this point, the security appliance and the remote device end all interaction.
- If the remote computer runs the Prelogin Assessment and successfully passes the assessment policy, the prelogin assessment assigns the prelogin policy name to the remote device and reports the name of the prelogin policy to the security appliance.

The security appliance can use the prelogin policy alone, or in combination with other endpoint attribute values, such as the operating system, to assign a DAP to the session.

The Cisco Secure Desktop process continues with the following steps:

Step 5  The Keystroke Logger and Host Emulation detection module downloads and runs. If keystroke loggers or host emulation are running on the remote system, the keystroke logger and host emulation policy is enforced.
Step 6  The Host Scan module with Secure Desktop or Cache Cleaner downloads and runs. Whether or not these modules are downloaded and running depends on whether or not they are enabled in the prelogin policy that is assigned to the remote device. If no module is chosen with the prelogin policy, neither will be downloaded.
If Host Scan is enabled but it cannot run on the operating system that is detected, only Cache Cleaner will run.
Step 7  The user authenticates and logs in.

The Cisco Secure Desktop process continues with the following steps:

Step 8  DAP is applied if configured. The security appliance uses the authentication information along with any configured endpoint attribute criteria to apply an access policy.
Step 9  The SSL VPN session becomes active and the user has access to resources and services based on policy.
Step 10  Following the end of the user session, Host Scan terminates, and Cache Cleaner or Secure Desktop performs its cleanup functions.

Prelogin Assessment
This topic describes how to configure the prelogin assessment feature of Cisco Secure Desktop.

- The prelogin assessment module is downloaded and installed after the connection is established but before the user is authenticated.
- The module can check for files, digital certificates, the operating system version, IP address, and Microsoft Windows registry keys.
- The assessment determines the applicable prelogin policy.

Prelogin policies determine how remote systems that are running Windows operating systems connect to the Cisco ASA security appliance for SSL VPNs, and how they will be protected after they are connected. Prelogin policies specify the remote user experience and restrictions. You create prelogin policies when you configure the prelogin assessment module. The prelogin assessment module downloads and runs during the SSL VPN connection request. The results of the checks determine whether or not the prelogin assessment module assigns a particular prelogin policy.
Configuring Prelogin Assessments
The graphical sequence editor of the prelogin assessment module allows for the creation of policy, and Secure Desktop Manager adds a menu and assigns the name of the policy to the Cisco Secure Desktop menu. By default, the graphical sequence editor end node contains a prelogin policy named "Default." Thus, by default, the Secure Desktop Manager menu also contains a menu named Default. This menu and the menus for any other prelogin policies created allow the assignment of the Secure Desktop module, the Cache Cleaner module, or neither module to the remote device. Typically, administrators assign these modules to noncorporate computers to prevent access to corporate data and files after the session is over.

By default, the Prelogin Policy pane under the Cisco Secure Desktop Manager menu option displays the following elements:
- Start: Displayed in blue, this node provides a visual indication of the beginning of the sequence of checks that are to be performed. You cannot edit the Start node.
- Line: Provides a visual indication of the conditional relationship of the node to its left and the one that follows. You cannot move or remove a line.
- Plus sign: Click to insert a prelogin check between the two nodes on either side of the line.
- Default: Displayed in green, this end node assigns the prelogin policy named Default. By default, Cisco Secure Desktop assigns this profile to every remote computer that is running Windows Vista, XP, and 2000.

If you insert a check before an end node, Secure Desktop Manager automatically assigns at least one instance of each of the following:
- Success tag: A line leading from the new check to the prelogin policy that is already present.
- Failure tag: A second line leading from the new check to a Login Denied node. This node, displayed in red, signifies that a "Login Denied" message denies the user access to the security appliance.
The name or type of any node can be changed except for the Start node. An end node following a Success tag can be changed to a Login Denied node, and the end node following a Failure tag can be changed to a prelogin policy. Either type of end node can also be changed to a subsequence node, which is displayed in blue. This node indicates a continuation to another blue node that is vertically aligned under the Start node. The subsequence node can have a set of conditions that are assigned to it, but each subsequence node must have a unique name. Secure Desktop Manager assigns the name to both instances of the subsequence node: the one at the end of the branch and the one at the beginning of the new branch. To reuse a subsequence, type the name of the subsequence that is already present when you are changing an end node to a subsequence node.

Any prelogin policy, including the one named Default, can be renamed. To rename the policy, choose the node and replace the text in the Label field with the new name. It is useful to be descriptive in the naming of prelogin policies; for example, renaming the Default policy to "Secure" to indicate that the profile applies to corporate PCs (that is, those that meet the most stringent requirements, as determined by the checks to be inserted). Secure Desktop Manager automatically renames the node in the associated menu.

Add Prelogin Policy Check
The following example illustrates the configuring of the prelogin assessment. In this example, remote systems are allowed to have the Default policy applied if the file example.dat is found on the root of the C: drive. If the file is found within the C:\security directory, the policy update-needed is applied. This is just an example to demonstrate the functionality of the prelogin assessment module. Ultimately, the network security policy of your company will dictate the configuration of the prelogin assessment policy.
Configure the prelogin assessment module for this example using the following steps:

Step 1  Choose the Prelogin Policy option within the Secure Desktop Manager section of the Remote Access VPN menu that is under the Configuration icon. The Prelogin Policy pane is displayed.
Step 2  Click the Plus symbol that is next to the Default node. A default pop-up window appears, allowing you to choose the type of check that you would like to insert.
Step 3  From the Check drop-down list, choose the type of check to be performed. In this example, File Check is chosen. (Not shown.) The Check drop-down list has the following options:
- Registry: Lets you detect the presence or absence of a registry key.
- File: Lets you specify the presence or absence of a particular file, its version, and its checksum.
- Windows Version: Creates two login checks: Windows 2000, XP, and Vista; and Win 9x (for Windows 98). The editor inserts a Failure line and Login Denied end node for remote connections that fail both operating system checks.
- IP Address: Lets you specify an IP address range or subnet mask.
- Certificate: Lets you specify the issuer of a certificate and one certificate attribute and value to match.
Step 4  Click Add.
Step 5  Click the File Check node.
Step 6  Enter the path and filename in the File Path text box. In this example, "C:\example.dat" is entered.
Step 7  Click the radio button for the File Check condition. The options are Exist or Does Not Exist. In this example, Exist is chosen.
Step 8  (Optional) Check the Version check box to compare the version of the file as a criterion. Use this criterion to require that a specific application is or is not a particular version. A relational operator (<, <=, and so on) specifies the relationship of the version of the file to the string that is entered to its right. You can enter a string in the text box against which to compare the version of the file.
Step 9  (Optional) Check the Checksum check box.
Check it to specify a checksum that authenticates the file named in the Path field. You can enter a checksum in hexadecimal format, beginning with 0x, or, if you click the Compute CRC32 Checksum button, the security appliance can calculate the checksum for a file that you browse to locally.
Step 10  Click Update.

The end node of the failure branch for the Default policy is changed from Login Denied to a subsequence node. In this example, the subsequence node is added by using the following steps:

Step 11  Click the end node that is to be changed, and the end node label window appears. In this example, the Login Denied end node is clicked.
Step 12  Click the Subsequence radio button. A subsequence creates an additional check. The subsequence is only checked when the outcome leads to it. In this example, the failure of the file check will cause the subsequence check to happen.
Step 13  Enter a label for the subsequence in the Label text box. In this example, the label Other Location is entered.
Step 14  Click Update.

Additional Prelogin Check
The new subsequence node appears under the Start node. A subsequence node is an additional policy check for another verifiable attribute that the Prelogin Assessment module can check. Subsequence checks are usually associated with the failure of the preceding check, but can be associated with the success of the preceding check. In this example, the subsequence check will be configured for an alternative location for the previous file check. The file check is added by completing the following steps:

Step 15  Click the Plus symbol next to the Login Denied node. The default pop-up window appears with the check set to Registry Check.
Step 16  From the Check drop-down list, choose the type of check to be performed. In this example, File Check is chosen. (Not shown.)
The subsequent file check is configured. The File Check node is now inserted, and Success and Failure tags are added to the subsequence. The secondary File Check node is configured with the following steps:

Step 17  Click the File Check node.
Step 18  Enter the path and filename in the File Path text box. In this example, "C:\security\example.dat" is entered.
Step 19  Click the radio button for the file check condition. In this example, Exist is chosen.

Add Additional Policy
The end node for the success branch of the subsequence is changed from Login Denied to a new policy by completing these steps:

Step 20  Click the end node of the success branch of the subsequence, and the end node label window appears.
Step 21  Click the Policy radio button. A new policy for Cisco Secure Desktop will appear within the Cisco Secure Desktop menu.
Step 22  Enter a label for the policy in the Label text box. This label is the name that is given to the policy. This name will appear in the Cisco Secure Desktop menu. In this example, the label "update-needed" is entered.
Step 23  Click Update.

Prelogin Policies Complete
The figure shows the complete prelogin policy for the example that was configured in the previous steps. In this example, a file check is configured. If the file check attributes are met, the Default policy is applied. If they are not met, a subsequence check is applied for the existence of the file in an alternative directory. If the file check for the subsequence is met, the policy update-needed is applied. Otherwise, the login is denied.
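The decision sequence built in Steps 1 through 23 can be modelled in code so that its branches can be checked before the policy is applied. The following evaluator is an added example, not Cisco code or the Secure Desktop Manager's own implementation: it models only the File Check node (Exist / Does Not Exist, optional checksum), the Success and Failure tags, subsequence nodes, and the two kinds of end node, it assumes the standard (zlib) CRC32 for the Checksum field and case-insensitive Windows paths, and its endpoint file snapshots are constructed in memory.

```python
"""Evaluator for a Cisco Secure Desktop style prelogin assessment sequence.

Added example, not Cisco code. It models only the File Check node, the Success
and Failure tags, subsequence nodes, and the two kinds of end node (a prelogin
policy name or Login Denied) described in this lesson. The endpoint snapshot is
constructed in memory for the example; nothing is read from a real client.
"""
from __future__ import annotations

import zlib
from dataclasses import dataclass, field
from typing import Optional, Union

LOGIN_DENIED = "Login Denied"


def crc32_hex(data: bytes) -> str:
    """CRC32 in the 0x-prefixed hexadecimal form the Checksum field accepts.
    Assumption: 'Compute CRC32 Checksum' uses the standard (zlib) CRC32."""
    return "0x%08X" % (zlib.crc32(data) & 0xFFFFFFFF)


@dataclass
class Endpoint:
    """Constructed view of the remote computer: path -> file contents."""
    files: dict = field(default_factory=dict)

    def lookup(self, path: str) -> Optional[bytes]:
        # Windows paths compare case-insensitively (assumption for this model).
        wanted = path.lower()
        for name, data in self.files.items():
            if name.lower() == wanted:
                return data
        return None


@dataclass
class Subsequence:
    """Blue node: continue with a named branch aligned under the Start node."""
    label: str
    first: "Node"


@dataclass
class FileCheck:
    """File Check node: Exist / Does Not Exist, optional checksum, two tags."""
    path: str
    exist: bool = True                  # True = Exist, False = Does Not Exist
    checksum: Optional[str] = None      # e.g. "0x1A2B3C4D"; None = not checked
    on_success: "Node" = LOGIN_DENIED   # Success tag
    on_failure: "Node" = LOGIN_DENIED   # Failure tag

    def passes(self, ep: Endpoint) -> bool:
        data = ep.lookup(self.path)
        present = data is not None
        if present and self.checksum is not None:
            # A file with the wrong checksum is treated as not the expected file.
            present = crc32_hex(data).lower() == self.checksum.lower()
        return present == self.exist


Node = Union[str, FileCheck, Subsequence]


def evaluate(start: Node, ep: Endpoint, max_steps: int = 64) -> str:
    """Walk the sequence from the Start node and return the prelogin policy
    name that the end node assigns, or LOGIN_DENIED."""
    node = start
    for _ in range(max_steps):
        if isinstance(node, str):           # end node: policy name or Login Denied
            return node
        if isinstance(node, Subsequence):   # jump to the branch under Start
            node = node.first
        elif isinstance(node, FileCheck):   # follow the Success or Failure tag
            node = node.on_success if node.passes(ep) else node.on_failure
        else:
            raise TypeError(f"unsupported node type: {type(node).__name__}")
    raise RuntimeError("sequence never reached an end node")


def page_sequence(checksum: Optional[str] = None) -> Node:
    """The sequence configured in this lesson: C:\\example.dat present -> Default;
    otherwise the 'Other Location' subsequence checks C:\\security\\example.dat
    -> update-needed; otherwise Login Denied. `checksum`, if given, is applied
    to the first File Check (Step 9)."""
    other_location = Subsequence(
        "Other Location",
        FileCheck(r"C:\security\example.dat",
                  on_success="update-needed", on_failure=LOGIN_DENIED),
    )
    return FileCheck(r"C:\example.dat", checksum=checksum,
                     on_success="Default", on_failure=other_location)


if __name__ == "__main__":
    # Constructed endpoints: a managed PC, a PC with the file only in the
    # alternate location, and a PC with neither file.
    snapshots = {
        "managed": Endpoint({r"C:\example.dat": b"example v2"}),
        "outdated": Endpoint({r"C:\security\example.dat": b"example v1"}),
        "unknown": Endpoint(),
    }
    for name, ep in snapshots.items():
        print(f"{name:9s} -> {evaluate(page_sequence(), ep)}")
```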
The final step to apply this prelogin policy assessment to SSL VPN connections is to click the Apply All button. The prelogin assessment policy configuration is not stored with the running configuration of the Cisco ASA security appliance but within an Extensible Markup Language (XML) data store on the flash file system.

After the prelogin policy is applied to the Cisco ASA appliance for SSL VPN connections, the security appliance automatically adds any newly created policies as menu options under Secure Desktop Manager. The figure shows the Default and update-needed policies that were defined in the previous steps. Each of these policies has the configuration options for Secure Desktop and Cache Cleaner, and the configuration of each policy's options is independent of the other and is determined by the prelogin assessment module.

Secure Session
This topic describes how to configure the Secure Desktop feature of Cisco Secure Desktop.

- Windows XP and 2000 support only
- New temporary desktop environment created
- Access to the normal desktop denied by default
- All disk writes are to a newly created encrypted partition
- Upon session close, everything is overwritten using the DoD algorithm

Secure Desktop, also called Vault, encrypts the data and files that are associated with or downloaded during the remote session into a partition that is separate from the normal partitions that are used by the normal desktop. It presents a graphical representation of the desktop on the remote device to signify a safe environment for the remote user to work from. When the session is terminated, it uses a U.S.
Department of Defense (DoD) sa algorithm to remove the partition it overwrites the partition with a series of ones based on the configuration tation ind Zeros, When Clientless SSL VPN sessions are used, Secure Desktop attempts to reduce the possibility that files used during the SSL VPN session, such as cookies, browser history, temporary files, and downloaded content, do not remain after a remote user sessions end due to closure. time out, or an abrupt termination. If a prelogin policy is configured for Secure Desktop on the remote device, and if the operating system that is identified by the operating system det ‘module does not support Secure Desktop, Cisco Secure Desktop attempts to install Cache Cleaner on the remote device instead Secure Desktop runs on Microsoft Windows 2000 nd XP operating systems. S does not ene! rypt or clean system memory information, including informat re Desktop. in the syste printing from within a user session, This may be important in som local printing is perm 5276 ‘Securing Networks with Cisco ASA Advanced (SNAA) vt 0 {© 2008 Cisco Systems. ne r Sahai clans The following is an example configuration for Secure Desktop. The settings for Secure Desktop are ultimately determined by network security policy of your company. In this example, complete the following steps configure Secure Desktop General settings: Step 1 Step 2 Check the Enable Switching Between Secure Desktop and Local Desktop check box to allow remote users to switch between the Secure Desktop and the local desktop. It is strongly recommend that you check this attribute to let users switeh between Secure Desktop and the untrusted desktop. This feature provides users with the flexibility that they might need to respond to other applications requit attention to let Secure Desktop continue processing, This does create a security risk because there is a potential for a user to leave traces of the SSL VPN session on the usted desktop. 
Unchecking this attribute minimizes this potential security risk. In this example, switching between desktops is enabled.

Step 2  Check the Enable Vault Reuse check box to allow users to close Secure Desktop and open it again at a later time. This allows Secure Desktop to become a persistent desktop that is available from one session to the next. If this option is enabled, users must enter a password of up to 127 characters in length to restart Secure Desktop. This option is useful if users are running Secure Desktop on remote PCs that are likely to be reused, such as a home PC. When a user closes Secure Desktop, it does not perform session cleanup. If you do not enable this option, Secure Desktop automatically performs session cleanup upon termination. In this example, this option is not chosen.

- If the Enable Vault Reuse check box is unchecked, the Suggest Application Uninstall upon Secure Desktop Closing check box is available. This option prompts the user and recommends that Secure Desktop be uninstalled when it closes. In this example, this option is not chosen.

Note  Checking this option uninstalls Secure Desktop from the remote PC when the user session closes, so leave this option disabled if access to the Secure Desktop is important.

- If the Enable Vault Reuse check box is unchecked, the Force Application Uninstall upon Secure Desktop Closing check box is available. This option removes Secure Desktop from untrusted PCs after users finish using it. Secure Desktop uninstalls when it closes. In contrast to the preceding option, the user does not have the choice to refuse the uninstallation. In this example, this option is not selected.

Note  Checking this option uninstalls Secure Desktop from the remote PC when the session closes, so leave this option disabled if access to Secure Desktop is important.
Step 3  Check the Enable Secure Desktop Inactivity Timeout check box to close Secure Desktop automatically after a period of inactivity. Secure Desktop detects inactivity and closes to avoid leaving anything behind. In this example, the Secure Desktop timeout is enabled.

Step 4  With the Enable Secure Desktop Inactivity Timeout check box checked, the Timeout After drop-down list is enabled. Choose the number of minutes (1, 2, 5, 10, 15, 30, or 60) to set the timeout period for the Enable Secure Desktop Inactivity Timeout attribute. This attribute works with the inactivity timer. In this example, the timeout value is set to 15 minutes.

Step 5  Check the Open Following Web Page After Secure Desktop Closes check box and enter a URL in the field to make Secure Desktop automatically open a web page when it closes. In this example, this option is not chosen.

Step 6  Choose the number of passes that the DoD sanitation algorithm will use in the Secure Delete drop-down list for the cleanup of the encrypted partition that Secure Desktop writes to the remote PC disk. This happens upon termination. The default setting is three passes. After completing the task the specified number of times, Secure Desktop removes the pointer to the file. In this example, five passes are chosen.

Step 7  Check the Launch the Following Application After Installation check box to have Secure Desktop launch an application after it has been installed. Enter the application name and path from the Program Files directory on the remote system. In this example, acme-db-start.exe is chosen. This application is in the root of the Program Files directory.

Click Apply All to save the running Cisco Secure Desktop configuration.

[Figure: Secure Desktop settings pane.]

In this example, the following steps configure Secure Desktop settings:

Step 8  Check the Restrict Application Usage to the Web Browser Only check box to let only the originating browser run on Secure Desktop.
If this option is chosen, the browser that initiated the connection (Internet Explorer, Netscape, Firefox, and so on) is the only browser that is permitted to run. Choosing this option limits the ability of the user to use other applications, but increases the level of security. In this example, this option is not chosen.

Step 9  Check the Disable Access to Network Drives and Network Folders check box to prevent the user from accessing network resources and network drives while running Secure Desktop. The network resources are those that use the Server Message Block (SMB) client-server, request-response protocol to share resources such as printers and APIs. For maximum security, it is recommended that this attribute be checked.

Step 10  If the Disable Access to Network Drives and Network Folders check box is not checked, the Do Not Encrypt Files on Network Drives check box is available. This lets the user save files to network drives without encrypting them. With this attribute unchecked, Secure Desktop encrypts the files that the user saves to network drives, then removes them upon Secure Desktop termination. This attribute is not available if the previous attribute is chosen. In this example, this option is not chosen.

Step 11  Check the Disable Access to Removable Drives and Removable Folders check box to prevent the user from accessing portable drives while running Secure Desktop. With this attribute unchecked, the user can save files to a removable drive and remove the drive before closing the session. After closing the session, the user could forget to take the removable drive. For maximum security, always check this attribute.

Step 12  If the Disable Access to Removable Drives and Removable Folders check box is not checked, the Do Not Encrypt Files on Removable Drives check box is available to let the user save files to portable drives that Microsoft names “Removable” in the Windows Explorer My Computer window.
Secure Desktop does not encrypt these files and leaves the files behind after the session ends. In this example, this option is not chosen. If both the Disable Access to Removable Drives and Removable Folders and Do Not Encrypt Files on Removable Drives attributes are unchecked, Secure Desktop encrypts the files that the user saves to portable drives, then removes them upon session termination. Secure Desktop Manager dims this attribute if you check the previous attribute.

Step 13  Check the Disable Registry Modification check box to prevent the user from modifying the registry from within Secure Desktop. For maximum security, it is recommended that this attribute be checked. In this example, this option is not chosen.

Step 14  Check the Disable Command Prompt Access check box to prevent the user from running the DOS command prompt from within Secure Desktop. For maximum security, it is recommended that this attribute be checked.

Step 15  Check the Disable Printing check box to prevent the user from printing while using Secure Desktop. For maximum security of sensitive data, it is recommended that this attribute be checked. In this example, this option is not chosen.

Step 16  Check the Allow Email Applications to Work Transparently check box to let the user open e-mail while on Secure Desktop and to prevent it from deleting e-mail upon the termination of the session. The use of the term “transparent” means that Secure Desktop handles e-mail the same way that the local desktop handles it. Transparent handling works for the following e-mail applications:

- Microsoft Outlook Express
- Microsoft Outlook
- Eudora
- Lotus Notes

If this attribute is checked and the remote user uses an e-mail application to save an attachment to the My Documents folder, it is visible from both Secure Desktop and the local desktop. Similarly, deleting such a file from within the e-mail application that is running over Secure Desktop removes the file from both desktops.

Note  Deleting transparent or nontransparent files from outside of Outlook (such as from a Windows Explorer window) while in a Secure Desktop removes the file only from the Secure Desktop.

Step 17  Click Apply All to save the Cisco Secure Desktop running configuration.

Secure Desktop Browser

[Figure: Secure Desktop Browser settings pane.]

In this example, the following steps configure Secure Desktop Browser settings:

Step 18  Enter the URL in the Home Page field that the remote users will open when Secure Desktop starts. In this example, the URL http://wwwin.acmetrans.com is entered.

Step 19  The Customize Bookmarks pane lists the folders and URLs that populate the browser Bookmarks or Favorites menu when a remote user starts Secure Desktop. The Customize Bookmarks pane can be configured with the Add Bookmark, Add Folder, Edit, and Delete buttons on the right side of the pane. In this example, the Add Bookmark button is chosen, and the URL http://sales.acmetrans.com is added, although this is not visible in the example.

Cache Cleaner

This topic describes how to configure the Cache Cleaner feature of the Cisco Secure Desktop.

[Figure: Cache Cleaner. Access from within the web browser. More OS interoperability than Secure Session. Upon session end, the cache is overwritten using the DoD algorithm.]

Cache Cleaner is an alternative to Secure Desktop. It attempts to eliminate sensitive information from the browser cache at the end of a Clientless SSL VPN or Cisco AnyConnect Client session by using the same DoD sanitation algorithm that is used by Secure Desktop. The information that it overwrites includes entered passwords, autocompleted text, files that are cached by the browser, and browser configuration changes. Although it is functionally more limited than Secure Desktop, it has more flexibility to support different operating systems.
Cache Cleaner supports Microsoft Windows Vista, XP, and 2000; Apple Macintosh OS X 10.4 (PowerPC or Intel); and Linux.

Cache Cleaner Configuration

[Figure: Cache Cleaner configuration pane.]

This topic uses an example configuration for Cache Cleaner. The settings for Cache Cleaner are ultimately determined by the network security policy of your company. In this example, the following steps configure Cache Cleaner settings:

Step 1  Check the Launch Hidden URL After Installation check box to use a hidden URL for administrative purposes that identifies the remote host as having Cache Cleaner installed. One possible way to use this is to place a cookie on the remote system. Later in the session, the Host Scan module could check for the presence of the cookie to let the administrators know who is using Cache Cleaner. In this example, the option is selected and the URL http://wwwin.acmetrans.com/cc is entered.

Step 2  Check the Show Success Message at the End of Successful Installation check box to display a dialog box on the remote PC informing the user when the installation is successful. This option is not selected.

Step 3  Check the Launch Cleanup upon Timeout Based on Inactivity check box to set a specific timeout period after which the cleanup begins. This option is selected.

Step 4  With the Launch Cleanup upon Timeout Based on Inactivity check box selected, select the time from the Timeout After drop-down list. The available choices are 1, 2, 5, 10, 15, 30, or 60 minutes. This attribute is the inactivity timer. Its default value is 5. In this example, the time value is set to 15 minutes.

Step 5  Check the Launch Cleanup upon Closing of All Browser Instances or SSL VPN Connection check box to clean up the cache when all browser windows are closed.
Step 6  Check the Clean the Whole Cache in Addition to the Current Session Cache (IE Only) check box to remove data from the Internet Explorer cache. Upon activation, Cache Cleaner attempts to remove the files generated, browsing history, and typed fields and passwords that were retained before the session began.

Step 7  Choose the number of passes that the DoD sanitation algorithm will use in the Secure Delete drop-down list for cache cleanup. The default setting is three passes. After completing the task the specified number of times, Secure Desktop removes the pointer to the file. In this example, the number of passes is set to five.

Step 8  Click Apply All to save the running Cisco Secure Desktop configuration.

Host Emulation and Keystroke Logger Detection

This topic describes how to configure keystroke logger detection and host emulation for the Cisco Secure Desktop.

[Figure: Safety Checks. Keystroke logger detection: detects keystroke loggers running as a process or kernel module; provides a precautionary warning for “good” applications that are capturing keystrokes; does not detect hardware-based keystroke loggers. Host emulation detection: detects host emulation or virtualization of the connecting SSL VPN client; configurable to disallow a virtualized host from connecting.]

With the SSL VPN productivity benefit of providing remote access from any endpoint device come security concerns. Extending remote access to uncontrolled endpoint devices introduces additional security risks to corporate resources. Security administrators and corporate IT security departments need to be concerned not only with authenticating the user, but also with how secure the endpoint remote-access environment is. For example, the transactions that are necessary to establish an SSL VPN tunnel can be intercepted while the user is entering input into the keyboard.
Therefore, end-user access through a remote kiosk or an uncontrolled endpoint with unknown software, such as keystroke loggers, will compromise privacy and can induce other security threats.

A keystroke logger is a process or kernel module that records keystrokes that are entered by the user. The keystrokes are stored in some nonobvious location and later retrieved by an attacker, who then reconstructs the sequence of keys that the victim has typed during the session. Such information can include sensitive information such as passwords, file locations and names, or host names or IP addresses. The keystroke logger detector within Secure Desktop looks for these processes and, depending on the specified policy, cautions users about the potential threat.

The Secure Desktop keystroke logger detector can detect both user-mode and kernel-mode loggers as long as the end user is logged in with administrator privileges. The detector examines all modules that process keystrokes, including any modules that process keystrokes for nonmalicious purposes; for example, Pretty Good Privacy (PGP) captures keystrokes for PIN entry. PGP is an application that intercepts keystrokes for a security purpose, but the keystroke logger module flags it as a precaution. On the other hand, Secure Desktop does not detect hardware-based loggers. There is a filed Cisco Product Security Incident Response Team (PSIRT) acknowledgment for this warning.

Note  The methods that Cisco uses to detect keystroke loggers are proprietary and highly efficient.

Host emulation detection, a feature of prelogin policies, determines whether or not the remote operating system is running over virtualization software. Secure Desktop can be configured to enable host emulation detection and to deny access. By default, host emulation detection is disabled for each prelogin policy. If you enable it, it downloads with Secure Desktop or Cache Cleaner onto the remote device.
Following the download, host emulation detection runs, along with the keystroke detection if it, too, is enabled. Secure Desktop or Cache Cleaner runs only if the scan is clear, or if you enable host emulation detection but do not enable it to deny access.

Keystroke Logger and Host Emulation Detection

The keystroke logger detection module runs once at startup of Secure Desktop and includes multiple inspections. By default, the host emulation check is disabled, but when enabled, it also runs once at startup of Secure Desktop. To configure the keystroke logger detection and host emulation detection, complete the following steps:

Step 1  Check the Check for Keystroke Loggers check box to enable the keystroke logger detection module to run. If suspicious software is detected, depending on the administrator-specified policy, the user is presented with the binary name of the suspected module (exe, dll, or sys). If only this option is enabled, the user is given the choice to either accept the module in question as acceptable, or reject it as malicious. If the module or process in question is rejected, Secure Desktop terminates the connection immediately. In this example, the Check for Keystroke Loggers check box is selected.

Step 2  Check the Force Admin Control on List of Safe Modules check box to enable a list of acceptable or safe modules or processes that are allowed to run. With this option chosen, the Add, Edit, and Delete buttons become available. These buttons allow the administrator to add, edit, or delete modules or processes that are acceptable from the list. If a keystroke module is detected and is not within this list, Secure Desktop will immediately terminate the connection process. In this example, the Force Admin Control on List of Safe Modules check box is not selected.
Step 3  Check the Check for Host Emulation check box to enable Secure Desktop to determine if the operating system is running over virtualization software, such as VMware. In this example, the Check for Host Emulation check box is selected.

Step 4  Check the Always Deny Access if Running Within Emulation check box to prevent Secure Session or Cache Cleaner from installing if Secure Desktop detects that the operating system is running over virtualization software. Uncheck this attribute to alert the user about the host emulation software, and let the user opt to prevent Secure Session or Cache Cleaner from installing. In this example, the Always Deny Access if Running Within Emulation check box is not selected.

Step 5  Click Apply All to save the running Cisco Secure Desktop configuration.

Host Scan

This topic describes how to configure the Host Scan feature of the Cisco Secure Desktop.

[Figure: Host Scan. The module installs on the remote device and is used as part of DAP. Host Scan runs periodically during the SSL VPN session to determine if changes have occurred. Host Scan includes Basic Host Scan, Endpoint Assessment, and Advanced Endpoint Assessment. Advanced Endpoint Assessment checks for personal firewall, antivirus, and antispyware and can force updates. Basic Host Scan includes some of the same tests as prelogin assessment to enable robust DAP.]

The Host Scan module installs on the remote device and is used as part of the Dynamic Access Policy. In Cisco Secure Desktop Version 3.2.0, Host Scan runs on Microsoft Windows Vista, XP, and 2000 only. It consists of the Basic Host Scan, Endpoint Assessment, and Advanced Endpoint Assessment. The Host Scan module can be configured with any combination of these components, with the exception that Advanced Endpoint Assessment enables Endpoint Assessment.
Basic Host Scan inspects computers for any registry entries, process names, and filenames and associated hash values that are specified within the configuration. This feature can be used to configure checks for watermarks on a remote computer or for malware. Watermarks can signify whether or not the computer is a company-owned asset. This increases the access policy flexibility when configuring DAPs for corporate computers, home computers, and public computers. Although Basic Host Scan includes checks that are also available in the prelogin assessment module, configuring these checks in the Basic Host Scan module provides for a more robust DAP assignment than the checks that are a part of a prelogin policy. This is because the Host Scan module runs periodically, whereas the prelogin assessment module runs only once.

Endpoint Assessment is an extension of the Host Scan module. It examines the remote computer for a large collection of antivirus, firewall, and antispyware applications, operating systems, and associated updates. This feature can be used to combine endpoint criteria to satisfy policy requirements before the Cisco ASA security appliance assigns a specific DAP to the session.

Advanced Endpoint Assessment is another Host Scan module extension. It allows an administrator to configure an attempt to update noncompliant computers. For example, this feature could be used to attempt to force updates of a specific antivirus application version and its antivirus definitions file. This extension of the Host Scan module requires an Advanced Endpoint Assessment license that is licensed separately from the Cisco ASA security appliance license.

Basic Host Scan

The following is an example configuration for Host Scan. The settings for Host Scan are ultimately determined by the network security policy of your company.
In this example, the following steps configure Basic Host Scan settings:

Step 1  Click the Add button. The File scan, Registry scan, and Process scan options are displayed. In this example, the file scan option is selected and the Add File Scan window appears.

Step 2  In the Add File Scan window, enter the endpoint ID in the Endpoint ID text box. The Endpoint ID is a unique and meaningful string that serves as an index to this entry. After completing the Host Scan configuration, this same index is used to associate the file scan as an endpoint attribute when configuring a DAP. If a string is used, it is case-sensitive. In this example, the endpoint ID of 10 is entered.

Step 3  Enter the filename and path in the File Path text box. In this example, the filename and path C:\security\example.dat is entered.

Step 4  Click OK.

Enable Endpoint Assessment

[Figure: Host Scan pane with the Endpoint Assessment check box. Endpoint assessment is further defined and configured with DAP.]

In this example, the Host Scan extension for Endpoint Assessment is enabled with the following step:

Step 5  Check the Endpoint Assessment check box. This option enables the Host Scan of the remote PC for a large collection of antivirus, antispyware, and personal firewall applications, and associated updates.

Note  The Endpoint Assessment option is not configurable within the Host Scan pane except to enable or disable it. Endpoint Assessment is further configured within the endpoint attributes of DAP.

In this example, the Host Scan extension Advanced Endpoint Assessment is configured with the following steps:

Step 6  Check the Advanced Endpoint Assessment check box. If the Endpoint Assessment check box was not checked, it becomes checked, and the Configure button is now available.

Step 7  Click Configure.

The Advanced Endpoint Assessment window is now open.
In this example, the Advanced Endpoint Assessment is configured for antivirus scans with the following steps:

Step 8  Click the Windows tab.

Step 9  Click the Add button within the AntiVirus section of the window. The Add Products window appears.

Step 10  Choose the antivirus software product from the Add Products window. In this example, the TrendMicro OfficeScan Client 8.x is chosen.

Step 11  Click OK.

In this example, the Advanced Endpoint Assessment configuration is continued for antivirus rules enforcement with the following steps:

Step 12  Check the Force File System Protection check box to turn on ongoing background scanning by the antivirus application. The application checks files as they are received and blocks access to files that are likely to contain viruses. This feature is enabled only if the selected antivirus application supports this feature.

Step 13  Check the Force Virus Definitions Update check box to require the remote host to check for a virus definitions update for the selected application. If you check this option, you must specify the number of days in the If not updated in last _ days text box for the last update that triggers a new update. In this example, this option is selected and the number of days entered is 7.

In this example, the Advanced Endpoint Assessment configuration for Personal Firewall scans is completed with the following steps:

Step 14  Click the Add button within the Personal Firewall section of the window. The Add Products window appears.

Step 15  Choose the Personal Firewall software product from the Add Products window. In this example, the Microsoft Windows Firewall XP SP2+ is chosen.

Step 16  Click OK.
In this example, the Advanced Endpoint Assessment configuration is continued for personal firewall rules enforcement with the following steps:

Step 17  Choose the action to take with the personal firewall from the Firewall Action drop-down list. The available options are Select None, Force Enable, which enables the firewall, or Force Disable, which disables the firewall. These features depend on the options that are available to the chosen personal firewall. In this example, the action taken is Force Enable.

Step 18  With the personal firewall enabled, rules can be configured that are pushed to the firewall during the Advanced Endpoint Assessment. Rules are added to the table by clicking the Add button. The window that appears allows for rule configuration based on applications and ports, for which the firewall allows or blocks ports. It can also block the execution of applications. This feature is available only if the selected personal firewall supports rules. In this example, a rule is added to block the execution of the peer-to-peer application Limewire.

In this example, the Advanced Endpoint Assessment configuration for antispyware scans is completed with the following steps:

Step 19  Click the Add button within the AntiSpyware section of the window. The Add Products window appears.

Step 20  Choose the antispyware software product from the Add Products window. In this example, the McAfee AntiSpyware 2.x is chosen.

Step 21  Click OK.
In this example, the Advanced Endpoint Assessment configuration is continued for antispyware rule enforcement with the following steps:

Step 22  Check the Force Spyware Definitions Update check box to require the remote host to check for a spyware definitions update for the selected application. If you check this option, you must specify the number of days in the If Not Updated in Last Days text box for the last update that triggers a new update. In this example, this option is selected and the number of days entered is 7.

Advanced Endpoint Assessment Review

[Figure: Advanced Endpoint Assessment window showing the configured antivirus, personal firewall, and antispyware products and rules.]

The figure shows the Advanced Endpoint Assessment that was configured, based on the example. Antivirus with rules, personal firewall with rules, and antispyware with rules were configured. To complete the Advanced Endpoint Assessment configuration for this example, complete the following steps:

Step 23  Click OK in the Advanced Endpoint Assessment window.

Step 24  Within the Host Scan pane, click Apply All to save the running Cisco Secure Desktop configuration.

Dynamic Access Policy

This topic describes how to configure the DAP for SSL VPN connections.

[Figure: Dynamic Access Policy. Defined as a collection of access control attributes that are associated with a specific tunnel or session. Dynamically generated by selecting or aggregating attributes from one or more DAP records. Selected records are based on the endpoint security information of the remote device or the AAA authorization information of the authenticated user. Generated and then applied to the user's tunnel or session.]
Remote access VPN headends operate in dynamic environments in which many variables affect each VPN connection, such as intranet configurations that frequently change, the various roles that each user can inhabit within an organization, and logins from remote-access sites with different configurations and levels of security. The task of authorizing users is more complicated in a VPN environment than it is in a network with a static configuration.

DAP on the Cisco ASA security appliance allows for configuration of authorization that addresses these many variables. Setting a collection of access control attributes that are associated with a specific user tunnel or session creates a dynamic access policy. These attributes address issues of multiple group membership and endpoint security. By doing this, the security appliance can grant access to a particular user for a particular session, based on the configured policies. It generates a DAP at the time that the user connects by selecting or aggregating attributes from one or more DAP records. It selects these DAP records based on the endpoint security information of the remote device and the authentication, authorization, and accounting (AAA) information for the authenticated user. It then applies the DAP record to the user tunnel or session.

The DAP system includes two components that require administrator attention. The DAP Selection Configuration File is a text file containing criteria that the Cisco ASA security appliance uses for selecting and applying DAP records during session establishment. The file is stored on the Cisco ASA security appliance. Cisco Adaptive Security Device Manager (Cisco ASDM) can be used to modify it and upload it to the security appliance in Extensible Markup Language (XML) data format. DAP selection configuration files include all of the attributes that are configured.
These can include AAA attributes, endpoint attributes, and access policies as configured in network and web-type access control list (ACL) filters, port-forwarding lists, and URL lists.

■ DfltAccessPolicy: Always the last entry in the DAP summary table, always with a priority of 0. You can configure access policy attributes for the default access policy, but it does not contain, and you cannot configure, AAA or endpoint attributes. You cannot delete the DfltAccessPolicy, and it must be the last entry in the summary table.

DAP applies to both IP Security (IPsec) and SSL VPNs. In this section, DAP is discussed as it is applied to SSL VPN connections.

The next section of this topic presents an example of DAP configuration. How DAP is ultimately configured is determined by the network security policy of your company and the environmental variables for SSL VPN connections to your Cisco ASA security appliance. In this example, DAP is configured by the following steps:

Step 1 From the Network (Client) Access or Clientless SSL VPN Access section of the Remote Access VPN menu under the Configuration icon, choose Dynamic Access Policies. The Dynamic Access Policies pane is displayed.

Step 2 Click the Add button to add a DAP.

DAP Name and Priority

The Add Dynamic Access Policy window is displayed. In this example, DAP settings are configured by the following steps:

Step 3 Enter the name of the policy in the Policy Name text box. In this example, the policy name "update" is entered.

Step 4 (Optional) Enter a description for the policy. In this example, the description "User PC needs update" is entered in the Description text box.

Step 5 Enter the priority in the Priority field. This sets a priority for the dynamic access policy. The security appliance applies access policies in the order that you set here, the highest number having the highest priority.
In the case of DAP records with the same priority setting and conflicting ACL rules, the most restrictive rule applies. In this example, the priority of 10 is set.

In this example, the administrator is defining the match criteria for the AAA attributes that are used to select this DAP record. DAP settings are configured by the following steps:

Step 6 In the Selection Criteria section of the window, select the AAA match criteria from the drop-down list. The available options are User has ANY of the following AAA Attribute values, User has ALL of the following AAA Attribute values, and User has NONE of the following AAA Attribute values. A user must match the chosen criterion to use this dynamic access policy.

Step 7 Click the Add button to add AAA attributes. The Add AAA Attributes window appears.

Step 8 Choose the attribute type and the appropriate options for that type.

Step 9 Click OK in the Add AAA Attribute window.

The following AAA attribute options are configurable for each AAA attribute type:

■ Cisco: Refers to user authorization attributes that are stored in the AAA hierarchical model. You can specify a small subset of these attributes for the AAA selection attributes in the DAP record, including these:
— Class: The AAA group name that is associated with the user. Maximum 64 characters.
— IP Address: The assigned IP address.
— Member of: A comma-separated string of group policy names that apply to the user. This attribute lets you indicate multiple group membership. Maximum 128 characters.
— Tunnel Group: The connection name. Maximum 64 characters.
— Username: The username of the authenticated user. Maximum 64 characters.
— Equal to/Not equal to

■ LDAP: The Lightweight Directory Access Protocol (LDAP) client stores all native LDAP response attribute value pairs in a database that is associated with the AAA session for the user. The LDAP client writes the response attributes to the database in the order in which it receives them.
It discards all subsequent attributes with the same name. This scenario might occur when a user record and a group record are both read from the LDAP server. The user record attributes are read first and always have priority over group record attributes.

To support Active Directory group membership, the AAA LDAP client provides special handling of the LDAP memberOf response attribute. The AD memberOf attribute specifies the distinguished name (DN) string of a group record in Active Directory. The name of the group is the first common name (CN) value in the DN string. The LDAP client extracts the group name from the DN string and stores it as the AAA memberOf attribute and in the response attribute database as the LDAP memberOf attribute. If there are additional memberOf attributes in the LDAP response message, then the group name is extracted from those attributes and is combined with the earlier AAA memberOf attributes to form a comma-separated string of group names. The group name is also updated in the response attribute database.

LDAP attributes consist of an attribute name and attribute value pair in the DAP record. LDAP attributes include these:
— Attribute ID: Names and numbers of the attribute; maximum 64 characters.
— Value: The value of the attribute ID.
— Equal to/Not equal to

■ RADIUS: The RADIUS client stores all native RADIUS response attribute value pairs in a database that is associated with the AAA session for the user. The RADIUS client writes the response attributes to the database in the order in which it receives them. It discards all subsequent attributes with the same name. This scenario might occur when a user record and a group record are both read from the RADIUS server. The user record attributes are read first and always have priority over group record attributes. RADIUS attributes consist of an attribute number and attribute value pair in the DAP record.
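The attribute-database rules described above (first value for a name wins, user record before group record, every memberOf DN reduced to its first CN and joined into one comma-separated AAA memberOf string) are easy to misjudge when writing an LDAP-based DAP criterion. The following model reproduces those rules on constructed sample records; it is an added example, not Cisco code and not the ASA's implementation, and the sample user and group records are invented for the demonstration.

```python
"""Model of the AAA LDAP client behaviour described above.

Added example, not Cisco code and not the ASA's implementation: it reproduces
the stated rules (attributes are written in the order received and the first
value for a name wins; the user record is read before the group record; each
memberOf DN is reduced to its first CN and the names are joined into a
comma-separated AAA memberOf string) on constructed sample records.
"""
from typing import Dict, List, Tuple

Record = List[Tuple[str, str]]

# Constructed sample LDAP responses (not from the original page). The user
# record is read first, so its "department" must win over the group record's.
USER_RECORD: Record = [
    ("sAMAccountName", "john"),
    ("department", "Sales"),
    ("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
    ("memberOf", "CN=Sales,OU=Groups,DC=example,DC=com"),
]
GROUP_RECORD: Record = [
    ("department", "Corporate"),                 # conflicts; must be discarded
    ("memberOf", "CN=All-Staff,OU=Groups,DC=example,DC=com"),
]


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash (RFC 4514),
    so a CN such as "Smith\\, John" stays intact."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True          # next character is taken literally
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def group_name_from_dn(dn: str) -> str:
    """Return the first CN value of an Active Directory group DN."""
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    raise ValueError(f"no CN in DN: {dn!r}")


def build_attribute_db(*records: Record) -> Dict[str, str]:
    """Build the per-session response attribute database from the records in
    the order the LDAP client received them."""
    db: Dict[str, str] = {}
    groups: List[str] = []
    for record in records:
        for name, value in record:
            if name == "memberOf":
                group = group_name_from_dn(value)
                if group not in groups:
                    groups.append(group)
                db["memberOf"] = ",".join(groups)   # aggregated, not first-wins
            elif name not in db:
                db[name] = value                    # first occurrence wins
    return db


def is_member(db: Dict[str, str], group: str) -> bool:
    """What a DAP LDAP memberOf 'equal to' criterion effectively tests."""
    return group in db.get("memberOf", "").split(",")


if __name__ == "__main__":
    print(build_attribute_db(USER_RECORD, GROUP_RECORD))
```

Note that a group record attribute never overrides a user record attribute, and that the group's CN, not its full DN, is what ends up in the memberOf string; a DAP criterion written against the DN will never match.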
In this example, the Cisco AAA attributes for the tunnel group equal to "Sales" and the username equal to "john" are set.

DAP Add Endpoint Attributes

In this example, the administrator is defining the endpoint attributes that must be satisfied, in addition to the previously configured AAA attributes (Tunnel Group = Sales and Username = john), in order for the DAP to be applied. In this example, DAP endpoint attributes are configured by the following steps:

Step 10 Click the Add button to add endpoint attributes. The Add Endpoint Attribute window appears.

Step 11 Choose the endpoint attribute type from the Endpoint Attribute Type drop-down list. The options include Antispyware, Antivirus, Application, File, NAC, Operating System, Personal Firewall, Process, Registry, VLAN, and Policy.

Step 12 Choose the appropriate options for the endpoint attribute type chosen.

Step 13 Click OK.

Endpoint attributes include these components, but not all attributes include all components. The following descriptions show (in parentheses) the attributes to which each component applies:

■ Exists/Does Not Exist buttons (Antispyware, Antivirus, Application, File, NAC, Operating System, Personal Firewall, Process, Registry, VLAN, and Policy): Click the appropriate button to indicate whether the chosen endpoint attribute and its accompanying qualifiers (the fields below the Exists/Does Not Exist buttons) should be present or not.
■ Vendor ID (Antispyware, Antivirus, and Personal Firewall): Identifies the application vendor.
■ Vendor Description (Antispyware, Antivirus, and Personal Firewall): Provides text that describes the application vendor.
■ Version (Antispyware, Antivirus, and Personal Firewall): Identifies the version of the application, and specifies whether you want the endpoint attribute to be equal to or not equal to that version.
■ Last Update (Antispyware, Antivirus, and File): Specifies the number of days since the last update. You might want to indicate that an update should have occurred in less than (<) or more than (>) the number of days that you enter here.
■ Client Type (Application): Indicates the type of remote-access connection: AnyConnect, Clientless, Cut-through Proxy, IPsec, or L2TP.
■ Checksum (File): Choose the file and click the Compute Checksum button to arrive at this value.
■ Compute CRC32 Checksum (File): Use this calculator to determine the checksum value of a file.
■ Posture Status (NAC): Contains the posture token string received from the Cisco Secure Access Control Server (ACS).
■ OS Version (Operating System): Windows (various), Macintosh, Linux, and Pocket PC.
■ Service Pack (Operating System): Identifies the service pack for the operating system.
■ Endpoint ID (File, Process, Registry): A string that identifies an endpoint for files, processes, or registry entries. DAP uses this ID to match Cisco Secure Desktop Host Scan attributes for DAP selection. You must configure Host Scan before you configure this attribute. You can choose the Host Scan configuration that is displayed in this pane, thereby reducing possible errors in typing or syntax.
■ Path (Process): Configure Host Scan before you configure this attribute. When you configure Host Scan, the configuration is displayed in this pane, so that you can select it, thereby reducing the possibility of errors in typing or syntax.
■ Value (Registry): dword or string.
■ Caseless (Registry): Choose to disregard case.
■ VLAN ID (VLAN): A valid 802.1Q number ranging from 1 to 4094.
■ VLAN Type (VLAN): Possible values include the following:
— ACCESS: Posture assessment passed
— STATIC: No posture assessment applied
— TIMEOUT: Posture assessment failed due to no response
— AUTH: Posture assessment still active
— GUEST: Posture assessment passed, switch to guest VLAN
— QUARANTINE: Posture assessment failed, switch to quarantine VLAN
— ERROR: Posture assessment failed due to fatal error
■ Policy (Location): Enter the Cisco Secure Desktop Microsoft Windows location profile, case sensitive.

In this example, the endpoint attribute type File is chosen to exist with the endpoint ID of 10. This endpoint attribute was previously configured within the Host Scan configuration of Cisco Secure Desktop.

DAP policy attributes are used to configure a specific policy for a user or group of users that match the selection criteria defined in the previous steps. DAP policy attributes can be obtained from an external AAA server, in which case the attributes defined in Cisco ASDM override those from the AAA server. DAP policy attributes can also be defined from within Cisco ASDM. Ultimately, the DAP policy attributes for your remote-access VPN users are dictated and defined by the network security policy of your company. In this example, DAP settings are configured from within Cisco ASDM, using the following steps:

Step 14 From the Access Policy Attributes section of the window, select the Action tab.

Step 15 Choose the action to take. The options are Continue or Terminate. Continue applies the access policy attributes to the session. Terminate terminates the session. In this example, the Continue action is chosen.

Step 16 In the User Message text box, enter a message that will be displayed when the record is chosen. A user message displays as a yellow orb.
When a user logs on, it blinks three times to attract attention, and then it is still. If several DAP records are chosen and each of them has a user message, all of the user messages display. In this example, the message "You must update your software. Follow the link provided or call the help desk." is entered.

Access Policy—Network ACL

In this example, DAP settings for the Network ACL tab are configured by the following steps:

Step 17 From the Access Policy Attributes section of the window, choose the Network ACL Filters tab. This tab allows the selection and configuration of network ACLs to apply to this DAP record. An ACL for DAP can contain permit or deny rules, but not both. If an ACL contains both permit and deny rules, the security appliance rejects it.

Step 18 Choose a preconfigured network ACL from the Network ACL drop-down list. If the ACL does not exist, click the Manage button to open a window to add, edit, or delete ACLs.

Step 19 Click the Add button to add the selected network ACL to the list. In this example, the previously configured network ACL "web-to-update-site-only" is selected.

Access Policy—Web-Type ACL

In this example, DAP settings for the Web-Type ACL tab are configured by the following steps:

Step 20 From the Access Policy Attributes section of the window, select the Web-Type ACL Filters tab. This tab allows the selection and configuration of web-type ACLs to apply to this DAP record. An ACL for DAP can contain permit or deny rules, but not both. If an ACL contains both permit and deny rules, the security appliance rejects it.

Step 21 Choose a preconfigured web-type ACL from the Web-Type ACL drop-down list. If the ACL does not exist, click the Manage button to open a window to add, edit, or delete ACLs.

Step 22 Click the Add button to add the selected web-type ACL to the list. In this example, the previously configured web-type ACL
web-acl is selected.

Access Policy—Functions

In this example, DAP settings for the Functions tab are configured by the following steps:

Step 23 Click the Functions tab from the Access Policy Attributes section of the window. This tab allows for the configuration of file server entry and browsing, HTTP proxy, and URL entry for the DAP record.

Step 24 Click the File Server Browsing radio button. This enables or disables Common Internet File System (CIFS) browsing for file servers or shared features. Browsing requires NetBIOS Name Service (NBNS) (Master Browser or Windows Internet Name Service [WINS]). If that fails or is not configured, the security appliance uses Domain Name System (DNS). In this example, file server browsing is disabled.

Note: The CIFS browse feature does not support internationalization.

Step 25 Click the File Server Entry radio button. This allows or prohibits a user from entering file server paths and names on the portal page. When enabled, it places the file server entry drawer on the portal page. Users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements. In this example, File Server Entry is disabled.

Step 26 Click the HTTP Proxy radio button. This affects the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the old proxy configuration of the browser automatically and redirects all HTTP and HTTPS requests to the new proxy configuration.
It supports virtually all client-side technologies, including HTML, cascading style sheets (CSS), JavaScript, VBScript, ActiveX, and Java. The only browser that it supports is Microsoft Internet Explorer. In this example, HTTP proxy is disabled.

Step 27 Click the URL Entry radio button. This allows or prevents a user from entering HTTP/HTTPS URLs on the portal page. If this feature is enabled, users can enter web addresses in the URL entry box and use clientless SSL VPN to access those websites. In this example, URL entry is disabled.

Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures the security of data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured.

In a clientless VPN connection, the security appliance acts as a proxy between the end-user web browser and target web servers. When a user connects to an SSL-enabled web server, the security appliance establishes a secure connection to it and checks the server SSL certificate. The end-user browser never receives the presented certificate and, therefore, cannot examine and validate the certificate. The current implementation of SSL VPN does not permit communication with sites that present expired certificates. Neither does the security appliance perform trusted certificate authority (CA) certificate validation. Therefore, users cannot analyze the certificate that an SSL-enabled web server presents before communicating with it. To limit Internet access for users, select Disable for the URL Entry field. This prevents SSL VPN users from surfing the web during a clientless VPN connection.

Unchanged, the default setting for these function settings, inherits the setting from the group policy that applies to this session.
Access Policy—Port-Forwarding Lists

In this example, DAP settings for the Port Forwarding tab are configured by the following steps:

Step 28 Click the Port Forwarding tab from the Access Policy Attributes section of the window. This allows the selection and configuration of port-forwarding lists for user sessions. Port forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over Secure Shell [SSH]), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but they have not been tested.

Step 29 Choose the appropriate option for port forwarding. The other attributes in this field are enabled only when you set port forwarding to Enable or Auto-start.

Note: Port forwarding does not work with some SSL/TLS versions.

The following options are available for the Port Forwarding tab:

■ Unchanged: Click to remove the attributes from the running configuration.
■ Enable: Click to enable port forwarding.
■ Disable: Click to disable port forwarding.
■ Auto-start: Click to enable port forwarding and to have the DAP record automatically start the port-forwarding applets that are associated with its port-forwarding lists.

In this example, port forwarding is disabled. If port forwarding is enabled or set to auto-start, the Port Forwarding drop-down list is available to select a preconfigured port-forwarding list. If the list does not exist, you can create it by clicking the New button.

Access Policy—URL Lists
In this example, DAP settings for the URL Lists tab are configured by the following steps:

Step 30 Click the URL Lists tab from the Access Policy Attributes section of the window. This allows for the selection and configuration of URL lists for user sessions.

Step 31 Check the Enable URL Lists check box. When this box is not checked, no URL lists display on the portal page for the connection.

Step 32 Choose a preconfigured URL list from the URL List drop-down box. If the list does not exist, click the Manage button to add, import, export, and delete URL lists.

Step 33 Click the Add button to add the selected URL list from the drop-down box to the URL list box on the right. In this example, the URL list update-sec is selected.

Access Policy—Access Method

In this example, DAP settings for the Access Method tab are configured by the following steps:

Step 34 Click the Access Method tab from the Access Policy Attributes section of the window. This allows configuration of the types of remote access that are permitted.

Step 35 Select the appropriate access method from the list. In this example, the access method chosen is Both-default-AnyConnect Client.

Step 36 Click OK in the Add Dynamic Access Policy window. (Not shown.)

Step 37 Click Apply in the Dynamic Access Policies pane. (Not shown.)

The following access methods are available (not shown):

■ Unchanged: Continue with the current remote-access method.
■ AnyConnect Client: Connect using the Cisco AnyConnect VPN Client.
■ Web-Portal: Connect with clientless VPN.
■ Both-default-Web-Portal: Connect through either clientless or the AnyConnect client, with a default of clientless.
■ Both-default-AnyConnect Client: Connect through either clientless or the AnyConnect client, with a default of AnyConnect.
Additional DAP

In this example, another DAP is configured with the name "Eng-access," and the priority is set to 5. The Cisco AAA attribute for the Tunnel Group equal to "Eng" is chosen along with the endpoint attribute for the application equal to "Clientless." The action access policy attribute is set to Terminate, and the user is sent the message "Clientless access for engineering team not authorized. Try connecting with AnyConnect Client."

Cisco Secure Desktop and DAP Commands

The figure shows the resulting CLI commands that are sent to the Cisco ASA, based on the DAP policies that are configured with Cisco ASDM. The URL list is imported from a temporary file that is used to store it during configuration. The DAP Eng-access is set with priority 5 and a policy action of terminate. The DAP update is configured with priority 10, and its policy actions are set to allow access only to the update site when it is applied. The DAP AAA and endpoint attribute configuration is not shown here; it is stored in flash memory in the XML DAP selection configuration file, with an entry for each DAP record.

DAP Testing

This topic describes the test feature available for dynamic access policies.

Access Policy Testing

The Dynamic Access Policies pane allows for the testing of DAP records configured on the device by specifying authorization attribute value pairs. To test a DAP record, complete the following steps:

Step 1 Click the Test Dynamic Access Policies button within the Dynamic Access Policies pane. The Test Dynamic Access Policies window appears. (Not shown.)

Test Configuration

Within the Test Dynamic Access Policies window, continue with these steps:

Step 2 Click the Add button within the AAA Attributes section of the window.
This allows for the selection of AAA attributes that were described previously in this topic. In this example, the Cisco AAA attribute for the tunnel group equal to "Eng" is selected.

Step 3 Click the Add button within the Endpoint Attributes section of the window. This allows for the selection of endpoint attributes that also were described previously in this topic. In this example, the endpoint attribute for the application equal to "Clientless" is selected.

Step 4 Click the Test button; the results are shown in the Test Results section of the window. In this example, the DAP policy that is applied terminates the connection, based on the Cisco AAA and endpoint attributes, because they match the DAP record Eng-access, which has the action terminate and a user message.

Step 5 Click Close to return to the Dynamic Access Policies pane.

Testing Default WebVPN Tunnel Group

In this test, the Cisco AAA attribute for the tunnel group equal to DefaultWEBVPNGroup is selected. The endpoint attribute for the application equal to "Clientless" is selected. The actionable result of the test is "continue" because these attributes match only the default DAP.

In the next test, the Cisco AAA attributes for the username equal to "john" and the tunnel group equal to "Sales" are selected. The endpoint attributes for the application equal to "Clientless," for the file with the endpoint ID of 10 set to exist, and for the OS equal to "Windows XP" are selected. The result from the test is that the DAP update is applied because of the matching AAA and endpoint attributes. This DAP applies the access policy listed in the results, which restricts the end user to accessing the update-sec website, found at the internal IP address 10.0.1.150 that was pushed through the URL list.
In this test, the Cisco AAA attribute for the username is changed to "tom," and the other AAA and endpoint attributes remain the same. The result is that the default DAP is applied and the end-user connection is allowed with the access policies of the default DAP.

Summary

This topic summarizes the key points that were discussed in this lesson.

■ Cisco Secure Desktop, when configured, downloads and runs modules to assess the remote system that is attempting SSL VPN connections to the Cisco ASA security appliance, to ensure the security of data that resides on the remote system.
■ The Secure Session and Cache Cleaner modules assist in securing data that is downloaded to remote systems during SSL VPN connections.
■ The Advanced Endpoint Assessment extension of the Host Scan module allows administrators to assess the antivirus, personal firewall, and antispyware applications that are running on remote systems during SSL VPN connections.
■ Dynamic access policies use AAA and endpoint attributes to determine which access policy is applied to a VPN connection to the Cisco ASA security appliance.

Module Summary

This topic summarizes the key points that were discussed in this module.

■ The SSL VPN capabilities of the Cisco ASA security appliance provide standards-based SSL functionality that utilizes web browser-based SSL for deployment of clientless or client-based SSL VPNs.
■ The Cisco ASA appliance can be configured to provide clientless SSL VPN connections through its customizable SSL VPN portal, allowing access to network resources and enabling port forwarding of applications as well as smart tunnels for applications that do not support clientless SSL VPNs.
■ The Cisco ASA clientless SSL VPN connection features can allow access to network resources and enable port forwarding of applications, as well as smart tunnels for applications that do not support clientless SSL VPNs.
■ The Cisco AnyConnect client provides full network access to remote users from the Cisco ASA, either by allowing the client to be installed locally or by pushing the client to the remote users on SSL VPN connection.
■ Cisco Secure Desktop provides a secure desktop environment for SSL VPN users when the PC being used may or may not be a company-controlled asset.
■ The configuration of Cisco Secure Desktop provides network administrators with the flexibility to assess the remote PC and user and to enforce policy through the Cisco ASA dynamic access policy.

Module 6
Security Services Modules

Overview

As the use of the Internet has expanded, so has the complexity of the network security requirements of companies to meet the challenges of a dynamic security policy. As needs arise or threats grow, security managers, administrators, and engineers require more capabilities from the Cisco ASA adaptive security appliance. In this module, we will examine the Cisco ASA security services modules and their capabilities.

Module Objectives

Upon completing this module, you will be able to explain the features and capabilities of the security services modules of the security appliance.
This ability includes being able to meet these objectives:

■ Identify and list the characteristics of the services modules for the Cisco ASA security appliance
■ Identify the steps that are needed to configure, inspect, and filter traffic with the Cisco Content Security and Control Security Services Module
■ Identify the steps needed to configure the security appliance to identify, alert, and defend against attacks

Lesson 1
Examining the Cisco SSMs

Overview

This lesson gives an overview of the Cisco ASA 5500 Series Adaptive Security Appliance Security Services Modules (SSMs). It describes some of the business needs that are driving the expansion of the ASA 5500 Series capabilities. It examines the Cisco Content Security and Control Security Services Module (CSC-SSM) and the Cisco Advanced Inspection and Prevention Security Services Module (AIP-SSM). The lesson ends with a comparison of these two modules.

Objectives

Upon completing this lesson, you will be able to identify and list the characteristics of the services modules for the Cisco ASA security appliance. This ability includes being able to meet these objectives:

■ Identify the hardware characteristics of the Cisco SSM
■ Explain the business needs for deploying a Cisco SSM
■ List the security functions of the different types of application Cisco SSMs

Business Challenges

This topic describes the business challenges with network security that companies face today.

[Slide: Critical Concerns Businesses Face Today]
■ Business resiliency and efficiency: stop disruption of business systems; mitigate the effect on employee productivity; maximize network efficiency
■ Legal liability: stop inappropriate content; enforce proper use policies
■ Operational costs: reduce management complexity
■ Cleanup costs: stop threats at the edge of the network

"Spam, viruses, spyware, and phishing all have one thing in common—they make profitable businesses.
And these profits create incentive for innovation on the part of the perpetrators." (Peter B. Danzig, PhD, University of Southern California)

Within business today, companies face a gauntlet of network security challenges that permeate almost every facet of doing business. As attackers become more efficient and sophisticated with software vulnerabilities and exploits, the level of security that must be provided has increased by another magnitude. Businesses face network security threats that can lead to legal liability. These threats can also lead to increased operational expenses and even to unforeseen costs that are required to minimize intrusions or attacks and to restore business operations to normalcy. Spammers, phishers, and coders of viruses and spyware are exploiting vulnerabilities and poor security practices to gain leverage over some part of the businesses they are attacking. Sometimes that leverage is for nothing more than notoriety and fame within the "black hat" world. However, there are increasing attempts to use these levers for financial gain, and according to industry experts, it is a billion-dollar black-market industry.

Cisco SSMs

This topic describes the hardware characteristics and versions of the Cisco SSMs.

[Slide: Cisco ASA SSM Overview]
■ Diskless (flash-based) design for improved reliability
■ Gigabit Ethernet port for out-of-band management
■ Thumbscrews for easy insertion and removal

Cisco envisioned the need to give customers, from small commercial businesses to large enterprises, the ability to combat security challenges and to allow those customers to focus on their business. This led to the development of the Cisco ASA 5500 Series Security Services Modules. Partnering with Trend Micro, Cisco provides Cisco CSC software within the Cisco ASA security appliance SSM, and Cisco used its own Intrusion Prevention System (IPS) technology for the AIP-SSM.
The Cisco ASA SSM is a high-performance module for additional security services that slides into ASA 5500 Series-compatible hardware. It relies on a diskless design to increase reliability, because it lacks the moving parts found in appliances that use hard disk drives for data and operating system storage. The Cisco SSM can be managed from the Cisco ASA security appliance; the Cisco Adaptive Security Device Manager (ASDM); the Cisco Security Manager; and the Cisco Security Monitoring, Analysis, and Response System (MARS). The Cisco SSM also has a Gigabit Ethernet port to enable out-of-band management of the module.

Cisco ASA SSM Hardware Versions

- 4GE-SSM: four Gigabit Ethernet interfaces, UTP or fiber
- SSM-10: 2.0-GHz processor, 1 GB of RAM
- SSM-20: 2.4-GHz processor, 2 GB of RAM

There are three hardware versions of the Cisco SSM. The 4GE-SSM enhances the port density of the security appliance by adding four Gigabit Ethernet ports that can accept unshielded twisted-pair (UTP) or fiber connections. There are also two versions of the Cisco SSM that support the Cisco CSC and Cisco AIP applications. The Cisco SSM-10 has a 2.0-GHz processor with a gigabyte of RAM. The Cisco SSM-20 has a more powerful processor, 2.4 GHz, and twice the memory of the Cisco SSM-10. This allows it to handle nearly twice the throughput and connections of the Cisco SSM-10.

Cisco CSC-SSM

This topic describes the Cisco CSC-SSM.

Cisco Content Security and Control Security Services Module

- CSC-SSM-10: 50 users in the base configuration, 500 users maximum
- CSC-SSM-20: 500 users in the base configuration, 1000 users maximum
- Base Services: antivirus, antispyware, file blocking
- Plus License adds: antispam, antiphishing, URL blocking and filtering, content control

The CSC-SSM is available on the Cisco SSM-10 and SSM-20 modules. The number of users, as well as the security appliance platform, dictates which module should be used. These modules can scale from a small to a medium-size company as the company grows. The CSC-SSM-10 Base Services license supports 50 users and can be upgraded to support up to 500 users. The CSC-SSM-20 Base Services license supports 500 users and can be upgraded to support 1000 users. The base feature set on both modules supports antivirus, antispyware, and file blocking. The Plus License adds features such as antispam, content control, antiphishing, and URL filtering and blocking. The CSC-SSM can block or clean malicious traffic in Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), HTTP, and FTP network traffic.

Base Services Features

- Antivirus: real-time detection and cleanup of file-based viruses and malicious code at the gateway for SMTP, HTTP, webmail, and FTP Internet traffic
- Antispyware: comprehensive protection from dangerous spyware that can drain productivity or steal personal and corporate data
- File blocking: prevents downloads of certain file types using true-type file matching

With the Base Services license, real-time virus and malicious code detection and cleanup can be performed at the company gateways before the malicious code reaches the desktop. This covers SMTP, HTTP, webmail, and FTP traffic. The Base Services license also enables protection from spyware that can be detrimental to productivity or can steal personal or company data. The Cisco CSC-SSM can block or delete access to known spyware files. The file-blocking feature can be used to prevent selected file types from being transferred. The file type is determined by a true-type check of the file content rather than by the file extension, so renaming a file does not evade the block.
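The following Python script is an added example that illustrates how true-type file matching differs from matching on the file extension; it is not code from the CSC-SSM or from Trend Micro. The magic-number table holds the publicly documented signatures for a few common formats, the sample "files" are constructed in memory, and the block policy (block executables and legacy Office documents) is a hypothetical one chosen for the demonstration.

```python
"""Added example (not CSC-SSM code): true-type file matching.

A file-blocking policy that trusts the file extension is defeated by
renaming the file. This example identifies the type from the leading
bytes ("magic numbers") instead, so a Word document renamed to .tmp is
still recognised as a Word document. The signatures are the well-known
public ones; the sample files below are constructed in memory.
"""

# Magic-number table: (offset, prefix bytes, type label).
MAGIC = [
    (0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),   # legacy Office (.doc/.xls/.ppt)
    (0, b"PK\x03\x04", "zip"),                           # ZIP, also OOXML (.docx) and JAR
    (0, b"MZ", "pe"),                                    # Windows executable (.exe/.dll/.scr)
    (0, b"%PDF-", "pdf"),
    (0, b"\x7FELF", "elf"),
    (0, b"Rar!\x1A\x07", "rar"),
    (0, b"\x1F\x8B", "gzip"),
]


def true_type(data: bytes) -> str:
    """Return the content-derived type of *data*, or 'unknown'."""
    for offset, prefix, label in MAGIC:
        if data[offset:offset + len(prefix)] == prefix:
            return label
    return "unknown"


def extension_type(name: str) -> str:
    """Type implied by the extension alone (what a naive filter would use)."""
    by_ext = {"doc": "ole2", "xls": "ole2", "ppt": "ole2", "docx": "zip", "zip": "zip",
              "exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf", "rar": "rar", "gz": "gzip"}
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return by_ext.get(ext, "unknown")


def blocked(name: str, data: bytes, block_types: set) -> tuple:
    """Apply a block list of *true* types.

    Returns (decision, detected_type, mismatch). mismatch is True when the
    extension does not agree with the content; that is worth logging on its
    own, because renaming is a common evasion attempt.
    """
    detected = true_type(data)
    mismatch = extension_type(name) != detected
    return (detected in block_types, detected, mismatch)


# Constructed sample "files": only the header bytes matter for the check.
SAMPLES = {
    "report.doc":  b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 32,
    "report.tmp":  b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 32,   # .doc renamed
    "invoice.pdf": b"MZ\x90\x00\x03\x00" + b"\x00" * 32,                   # .exe renamed
    "notes.txt":   b"plain text, nothing to see here\n",
}
# Hypothetical policy: block executables and legacy Office documents.
POLICY = {"pe", "ole2"}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        block, kind, mismatch = blocked(fname, content, POLICY)
        flag = " (extension does not match content)" if mismatch else ""
        print(f"{fname:12s} -> {kind:7s} {'BLOCK' if block else 'allow'}{flag}")
```

Run as a script, the renamed Word document and the executable disguised as a PDF are both blocked, and both are flagged as extension/content mismatches; the plain text file is allowed. The same check applies to e-mail attachments, where the CSC-SSM filters on "attachment type (using true type)".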
In practice, a Microsoft Word file that is renamed from .doc to .tmp is still recognized and treated as a .doc file.

Plus License - Content Control: Web Browsing

- URL filtering: block inappropriate and non-work-related content to improve productivity, optimize network resources, and protect proprietary information. More than 50 categories of URLs are included.
- URL blocking: prohibit browsing to sites per the company Internet usage policy.
- Antiphishing: guard against identity theft and protect confidential company information by blocking outbound data to known phishing-related websites.

With the Plus license, administrators can configure web browsing controls to match their security policy and procedures. Blocking inappropriate and non-work-related content can improve productivity, optimize network resources, and protect intellectual property. Blocking sites that are not allowed enforces the acceptable-use section of the security policy. File downloads from websites can also be blocked to keep unauthorized content out of the company network. Antiphishing technology can be used to prohibit access to URLs that could expose users to fraudulent websites, spyware, and other Internet security risks.

Plus License - Content Control: Electronic Mail

- Dual-stage antispam: remove most unsolicited e-mail before it reaches the mail server, increasing employee productivity and preventing waste of network bandwidth and storage.
- E-mail content filtering: filter both inbound and outbound messages on size, attachment type (using true type), subject, body, and attachment name.

The Plus license also provides content control in the form of antispam and content filtering for electronic mail. The Cisco CSC accomplishes antispam in a two-stage approach. The first stage checks the reputation of the message source: the module verifies that the message really comes from the domain from which it claims to originate, or checks the source against a list of known spamming sites. This stage eliminates 40 to 80 percent of spam. The second stage filters messages with the Trend Micro antispam engine, which looks for keywords and pattern matches within the message and applies heuristics.

The Plus license also gives administrators the ability to remove 99 percent of unsolicited e-mail before it reaches the mail server, which prevents wasted network bandwidth and storage. Administrators can also filter both outbound and inbound messages based on attributes of the message such as size, attachment type, subject, body, and attachment name.

Cisco AIP-SSM

This topic describes the Cisco AIP-SSM.

Cisco Advanced Inspection and Prevention Security Services Module

The AIP-SSM provides the Cisco Intrusion Prevention System (IPS) within the Cisco ASA security appliance. The AIP-SSM comes on the Cisco SSM-10 and SSM-20 modules. The desired Cisco IPS throughput and the Cisco ASA security appliance platform dictate the type of Cisco SSM that fits a customer's needs. The AIP-SSM is a fully functioning IPS sensor that runs Cisco IPS 6.x software with all of the features that Cisco IPS 6.x has, such as sensor virtualization. The Cisco IPS license for the Cisco AIP-SSM is purchased separately from the Cisco ASA license.

A Cisco AIP-SSM can detect and prevent misuse and abuse of, and unauthorized access to, networked resources.
The AIP-SSM is a member of the Cisco IPS product portfolio, which consists of a variety of devices called sensors, all of which can monitor traffic from a particular network segment, analyze it, detect malicious activity, and take a response action if the traffic is deemed malicious. A Cisco AIP-SSM is a dedicated module that monitors the security appliance traffic and detects anomalies based on certain criteria. These criteria can be a database of signatures, statistical knowledge of what represents normal network traffic, or an administrator-specified security policy.

The following are the attacks most commonly detected by an AIP-SSM:

- Network sweeps and scans, which can indicate network reconnaissance.
- Common network anomalies on most Open Systems Interconnection (OSI) layers, which include the following:
  - Malformed Address Resolution Protocol (ARP) requests or replies
  - Invalid IP datagrams (for example, a "Christmas tree" packet)
  - Invalid TCP packets (for example, a source or destination port of 0)
  - Malformed application-layer protocol units (for example, an HTTP request that does not begin with GET, POST, HEAD, or another valid HTTP method)
- Flooding denial of service (DoS) attacks, which can come in the form of a very large number of Internet Control Message Protocol (ICMP) packets or TCP synchronization (SYN) packets. These attacks consume the resources of a system and severely degrade performance. The attack can even force the system to consume all of its memory, as in the case of a TCP SYN flood, because the system must reserve a certain amount of memory for each connection setup.
- Application-layer content attacks, which can come in the form of buffer overflow attempts in URLs or Multipurpose Internet Mail Extensions (MIME)-type headers.

Signature-Based IPS

- Observes a system and sends an alarm if a known malicious event is detected
- Requires a database of known malicious patterns
- The database must be continuously updated

A signature is a set of rules that pertain to typical intrusion activity. Highly skilled network engineers research known attacks and vulnerabilities and develop signatures to detect them. A signature-based Cisco IPS monitors the network traffic and compares the data in the flow against a database of known attack signatures. To match an attack signature, which is usually a well-known pattern of attack, a signature-based IPS looks at the packet headers or data payloads. For example, a signature might be a sequence or a string of bytes in a certain context. Here are some examples:

- Attacks against a web server are usually in the form of specially crafted URLs. Therefore, the IPS looks for the signature at the start of the data flow, where the request URL is sent.
- An attack against a mail server can be in the form of a buffer overflow in the MAIL FROM command of the SMTP session. The IPS looks for an attack signature in the SMTP session that starts with the MAIL FROM command and includes the signature before the end of the line.
- An attack on the mail client can be in the form of a buffer overflow in the MIME header of the message itself. The IPS looks for the sequence of bytes that identifies the start of a new MIME part and, in the following line, a sequence of bytes that composes a buffer overflow.

These examples illustrate the fact that a signature-based IPS detects only attacks that a vendor or IPS administrator has entered into its database. Usually, a signature-based IPS is unable to detect undiscovered or unreported attacks. Therefore, all signature-based IPSs place a certain amount of burden on administrators, because they have to regularly update the signature database. Usually the manufacturers publish database updates; however, the administrator must still monitor the updates, be continually aware of new types of attacks, and confirm that the latest database can detect these attacks. If not, the administrator must create custom signatures that cover these attacks.

The patterns in a network IPS can be based on the following:

- Data matching and stateful (session-aware) data matching, for example string matching
- Full protocol decodes, where a pattern in the protocol itself is examined
- Heuristic analysis, where a rough description of the attack is the signature

Anomaly-Based IPS

- Observes a system and sends an alarm if an event outside known normal behavior is detected
- Two types: statistical and nonstatistical anomaly detection
- Requires a definition of "normal"

An anomaly-based IPS monitors the network for events and content that represent an anomaly (that is, a departure from normal behavior). This anomaly can be an unusual increase in a certain type of traffic, an occurrence of some type of traffic not usually present on the monitored network, or a malformed message of a known protocol. Here are the two types of anomaly-based IPSs:

- Statistical anomaly detection: This approach learns the profile of the monitored network (its traffic patterns) from the network itself over a period of time. After that period, it can detect whether the properties of the network traffic deviate enough from the usual pattern, and it triggers an alarm when they do.
- Nonstatistical approach: This approach has a predefined definition of known good behavior, usually coded in by the vendor, and triggers when an event outside that profile occurs. The quality of such an IPS depends on the expertise of the vendor and may not suit the specific network setup of the customer. The following are examples of nonstatistical anomalies:
  - A communication between two devices using the Internetwork Packet Exchange (IPX) protocol in a network where TCP/IP is the only protocol used
  - An occurrence of a routing protocol originating from a user device
  - An anomalous packet, such as a Christmas tree packet, or a TCP packet where the source and destination addresses and ports are equal

Policy-Based IPS

- Observes a system and sends an alarm if an event outside the configured policy is detected
- Requires a policy database

A policy-based IPS triggers if a violation of a configured policy occurs. A policy-based IPS therefore provides a very popular method of detection, especially if unknown attacks must be detected, because it needs to know only what permitted traffic looks like, not what the attack looks like.

A policy-based IPS has to have a clear representation of what the security policy is. For example, an administrator can write a network access policy in terms of permissions (which networks can communicate with which networks, using which protocols). Some security policies are hard to incorporate into the IPS. If, for example, browsing of pornographic, hacker, or "warez" sites is not allowed, the IPS must be able to communicate with some type of blacklist database to check whether a policy violation has occurred. Whether this communication is possible depends on the implementation of the IPS.
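As an added example, not Cisco IPS code, the following Python script applies the three detection methods described above (signature, nonstatistical anomaly, and policy) to a handful of constructed packets. The signatures, the definition of "normal" (valid HTTP methods, the Christmas tree and port 0 checks, the equal source and destination check), the hypothetical users and DMZ networks, and the permission list are all assumptions made for the demonstration. Each detector returns a list of alarm strings so the three methods can be compared on the same input.

```python
"""Added example (not Cisco IPS code): signature, anomaly and policy detection
applied to constructed packets. Every packet is a dict holding the header
fields the checks need; only TCP packets carry a payload.
"""
import re
from ipaddress import ip_address, ip_network

# --- Signature-based: known malicious patterns looked for in a protocol context.
# The context limits where the pattern is searched, as the lesson describes:
# the URL at the start of an HTTP request, or the MAIL FROM line of an SMTP session.
SIGNATURES = [
    ("http-url", re.compile(rb"^GET /cgi-bin/phf\?"), "phf CGI probe"),
    ("http-url", re.compile(rb"\.\./\.\./"), "directory traversal in URL"),
    ("smtp-mail-from", re.compile(rb"^MAIL FROM:.{200,}", re.I),
     "oversized MAIL FROM (overflow attempt)"),
]


def signature_check(pkt):
    hits = []
    payload = pkt.get("payload", b"")
    if pkt.get("dport") == 80:
        first_line = payload.split(b"\r\n", 1)[0]          # request line carries the URL
        for ctx, rx, name in SIGNATURES:
            if ctx == "http-url" and rx.search(first_line):
                hits.append(name)
    if pkt.get("dport") == 25:
        for line in payload.split(b"\r\n"):                 # one SMTP command per line
            for ctx, rx, name in SIGNATURES:
                if ctx == "smtp-mail-from" and rx.search(line):
                    hits.append(name)
    return hits


# --- Nonstatistical anomaly: packets that violate a predefined "known good".
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
ALL_TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def anomaly_check(pkt):
    hits = []
    if pkt["proto"] == "tcp":
        if ALL_TCP_FLAGS <= set(pkt.get("flags", ())):
            hits.append("christmas tree packet (all TCP flags set)")
        if pkt.get("sport") == 0 or pkt.get("dport") == 0:
            hits.append("TCP port 0")
        if pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport"):
            hits.append("source equals destination")
        if pkt.get("dport") == 80 and pkt.get("payload") and not pkt["payload"].startswith(HTTP_METHODS):
            hits.append("HTTP request does not begin with a valid method")
    if pkt["proto"] not in ("tcp", "udp", "icmp"):
        hits.append(f"unexpected protocol {pkt['proto']} on an IP-only network")
    return hits


# --- Policy-based: which networks may talk to which, using which protocol/port.
# Hypothetical networks and permissions for the demonstration.
USERS = ip_network("10.0.1.0/24")
DMZ = ip_network("192.168.100.0/24")
POLICY = [(USERS, DMZ, "tcp", 80), (USERS, DMZ, "tcp", 25)]


def policy_check(pkt):
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    crosses = (src in USERS and dst in DMZ) or (src in DMZ and dst in USERS)
    if not crosses:
        return []                       # policy only governs users <-> DMZ traffic
    for s_net, d_net, proto, port in POLICY:
        if src in s_net and dst in d_net and pkt["proto"] == proto and pkt.get("dport") == port:
            return []
    return [f"{pkt['proto']}/{pkt.get('dport')} from {src} to {dst} not permitted by policy"]


def inspect_packet(pkt):
    """Run all three detectors; return {method: [alarms]} for the methods that fired."""
    results = {"signature": signature_check(pkt), "anomaly": anomaly_check(pkt),
               "policy": policy_check(pkt)}
    return {k: v for k, v in results.items() if v}


# Constructed packets (no real traffic was captured).
PACKETS = [
    {"id": "normal-web", "proto": "tcp", "src": "10.0.1.20", "dst": "192.168.100.10", "sport": 40000,
     "dport": 80, "flags": ("PSH", "ACK"), "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"id": "phf-probe", "proto": "tcp", "src": "10.0.1.20", "dst": "192.168.100.10", "sport": 40001,
     "dport": 80, "flags": ("PSH", "ACK"),
     "payload": b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"},
    {"id": "xmas", "proto": "tcp", "src": "10.0.1.20", "dst": "192.168.100.10", "sport": 40002,
     "dport": 80, "flags": ("FIN", "SYN", "RST", "PSH", "ACK", "URG"), "payload": b""},
    {"id": "smtp-overflow", "proto": "tcp", "src": "10.0.1.20", "dst": "192.168.100.25", "sport": 40003,
     "dport": 25, "flags": ("PSH", "ACK"), "payload": b"HELO x\r\nMAIL FROM:<" + b"A" * 300 + b"@x>\r\n"},
    {"id": "telnet-to-dmz", "proto": "tcp", "src": "10.0.1.20", "dst": "192.168.100.10", "sport": 40004,
     "dport": 23, "flags": ("SYN",), "payload": b""},
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p["id"], inspect_packet(p) or "clean")
```

Each sample packet trips exactly one detector: the phf probe and the oversized MAIL FROM are caught only by signatures, the Christmas tree packet only by the anomaly rules, and the Telnet attempt only by policy, which is the point of combining the methods in one sensor.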
Protocol Analysis

- Intrusion detection analysis is performed on the protocol specified in the data stream
- Examines the protocol to determine the validity of the packet
- Checks the content of the payload (pattern matching)
- Performs nonstatistical anomaly detection

Protocol analysis-based intrusion detection is similar to signature-based intrusion detection, but it performs a more in-depth analysis of the protocols that are specified in the packets. For example, an attacker launches an attack against a server by sending an IP packet with a protocol type that, according to the RFC, should not carry any data in the payload. A protocol analysis-based IPS is able to detect this type of attack, based on its knowledge of the protocol.

IDS vs. IPS

An IDS has the capability to detect misuse and abuse of, and unauthorized access to, network resources. An IPS has the capability to detect and prevent misuse and abuse of, and unauthorized access to, network resources.

The Cisco AIP-SSM supports two modes of operation: Cisco IDS mode and Cisco IPS mode. In Cisco IDS mode, the AIP-SSM sits in parallel with the data path and analyzes a copy of the data packets; it can detect misuse and abuse of, and unauthorized access to, networks. In IPS mode, the AIP-SSM is inline with the data traffic and analyzes the data in real time; it can detect and prevent misuse and abuse of, and unauthorized access to, networks.

Promiscuous-Mode Protection: IDS

- The Cisco ASA sends copies of packets to the Cisco AIP-SSM for analysis
- The Cisco AIP-SSM can send an alarm to a management console and take a response action such as resetting the connection

The Cisco AIP-SSM can operate in promiscuous mode. In this mode, the Cisco ASA security appliance sends a duplicate stream of traffic to the AIP-SSM. This mode is less secure,but it has little impact on traffic throughput. Unlike inline mode, the AIP-SSM can block traffic only by instructing the Cisco ASA security appliance to shun the traffic or by resetting a connection on the security appliance. The Cisco AIP-SSM can send the alarm to a management console. Also, while the AIP-SSM is analyzing the traffic, a small amount of traffic might pass through the security appliance before the AIP-SSM can shun it. In this example, the Cisco AIP-SSM sends a shun message to the security appliance for traffic that it identified as a threat.

Inline-Mode Protection: IPS

- The packet can be analyzed and dropped before it reaches its target
- An alarm can be sent to a management console

The Cisco AIP-SSM can also operate in inline mode. In inline mode, the AIP-SSM resides in the path of the packet as packets are forwarded. Because the AIP-SSM resides in the data path, no traffic that you identified for IPS inspection can continue through the security appliance without first passing through, and being inspected by, the Cisco AIP-SSM. This mode is the most secure because every packet that you identify for inspection is analyzed before being allowed through. Also, the AIP-SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can affect throughput. When a signature fires, an alert is sent to a management console. In this example, the packet that caused the signature to fire is dropped, and the management system is notified.

Cisco AIP-SSM: IPS 6.0 Features

IPS Sensor Software Version 6.0 features:

- Support for virtualization
- External management interface
- New signature engines (SMB, TNS)
- Enhanced password recovery
- Passive operating system fingerprinting
- Improved IPS Device Manager
- Risk/threat rating system
- Anomaly detection

The Cisco AIP-SSM supports the full feature set of the Cisco IPS 6.x software. The AIP-SSM can be configured for sensor virtualization, which allows one AIP-SSM to function as two or more sensors, each providing inspection and prevention services for specific paths of incoming or outgoing data packets. The Cisco IPS 6.x software added two new signature engines, for Server Message Block (SMB) and Transparent Network Substrate (TNS).

The AIP-SSM can perform passive operating system fingerprinting. With this feature, the sensor can identify the operating system of a host with a high level of accuracy, and it can raise or lower the severity of alarms based on the relevance of the attack to that host. For example, an attack designed for a Microsoft Internet Information Services (IIS) server that is sent to an Apache web server can be configured to generate a lower-severity alarm, because the attack will not work. The sensor still reports the attempted attack to the management console, because the server is still under attack and further investigation must be performed.

The AIP-SSM can also detect anomalies within normal network traffic flows, based on usage, through sophisticated network mapping algorithms that passively monitor connection rates and targets. When a statistically significant deviation from the baseline is detected, the triggering traffic can be blocked, based on the configured policy.

Cisco AIP-SSM or CSC-SSM

This topic describes the differences between the Cisco AIP-SSM and CSC-SSM.

Cisco AIP and Cisco CSC Comparison

  Capability            Cisco ASA 5500 Series AIP-SSM (IPS)   Cisco ASA 5500 Series CSC-SSM (Anti-X)
  Target customer       Large enterprise                      Small to medium enterprise, commercial, remote offices
  Primary function      Critical asset protection             Internet edge security
  Protective focus      Server security                       Client/endpoint security
  Deployment location   Server farms, DMZ, data center        Internet gateway, remote offices with Internet connectivity
  Capacity              Up to 450 Mb/s                        Up to 120 Mb/s

  Threat types compared in the figure: viruses; worms; spyware, adware, and grayware; exploit-based attacks; vulnerability-based attacks.

The figure displays a table that contrasts the general applications of the AIP-SSM and the CSC-SSM. The primary function of the AIP-SSM is to protect critical network assets, while that of the CSC-SSM is to provide client or endpoint security at the edge of the network. AIP-SSMs are most often deployed to protect servers, such as in front of a demilitarized zone (DMZ), server farm, or data center. CSC-SSMs are most often deployed at the edge of small to mid-size networks, such as Internet gateways and remote offices with Internet connectivity. The AIP-SSM and CSC-SSM also differ in throughput capacity. The AIP-SSM has a throughput of up to 450 Mb/s, while the CSC-SSM has a throughput of up to 120 Mb/s because of the complexity of its content filtering and control.

Summary

This topic summarizes the key points that were discussed in this lesson.

- The ASA 5500 Series Adaptive Security Appliance has three hardware versions of the security services module, 4GE-SSM, SSM-10, and SSM-20, that differ based on customer need and use of the Cisco SSM.
- The ASA 5500 Series Adaptive Security Appliance supports the Cisco AIP-SSM and Cisco CSC-SSM on the SSM-10 or SSM-20 module hardware.
- The Cisco AIP-SSM protects critical servers that are found in DMZs, data centers, or server farms within a customer network.
- By filtering at the edge of the network, the Cisco CSC-SSM protects endpoints and desktops by controlling the content that is sent to these systems.

Lesson 2 | Cisco CSC-SSM: Getting Started

Overview

This lesson describes the Cisco ASA Adaptive Security Appliance Content Security and Control Security Services Module (CSC-SSM). It describes how traffic flows through the Cisco CSC-SSM. It explains how to load new operating software on the Cisco CSC-SSM with the hw-module module 1 recover command. The lesson concludes by describing how to initialize the Cisco CSC-SSM from the command-line interface (CLI) and by using the Cisco Adaptive Security Device Manager (ASDM).

Objectives

Upon completing this lesson, you will be able to describe how to configure the Cisco CSC-SSM for content control. This ability includes being able to meet these objectives:

- Describe how traffic flows through the Cisco CSC-SSM
- Describe how to load the Cisco CSC-SSM with a new operating system from the CLI
- Initialize and activate the Cisco CSC-SSM from the CLI
- Configure the Cisco CSC-SSM to scan, using the Cisco CSC Setup wizard from Cisco ASDM

Cisco CSC-SSM Overview

This topic describes how the Cisco CSC-SSM functions with the Cisco ASA security appliance.

The Cisco CSC-SSM has two hardware versions available: the CSC-SSM-10 and the CSC-SSM-20. Both modules appear identical, but the CSC-SSM-20 has a faster processor and more memory than the CSC-SSM-10. Only one module can populate the slot at a time. On the front bezel of the CSC-SSM module are four LEDs and one 10/100/1000 Ethernet port. The Ethernet port can be used for out-of-band management. The table lists the states of the CSC-SSM LEDs.

States of Cisco CSC-SSM LEDs

  LED       Color   State      Description
  Power     Green   On         The security appliance has power.
  Status    Green   Flashing   The power-up diagnostics are running or the system is booting.
  Status    Green   Solid      The system has passed power-up diagnostics.
  Status    Amber   Solid      The power-up diagnostics have failed.
  Speed     Green   Flashing   There is network activity.
  Link/Act  Green   Solid      Data is passing through the interface.

Caution: Remove power from the ASA 5500 Adaptive Security Appliance before installing or removing the CSC-SSM module.

Cisco CSC-SSM Ethernet Connections

- Internal Gigabit Ethernet: data channel
- Internal 10/100 Ethernet: control channel
- External 10/100/1000 Ethernet: software download and Cisco ASDM

The ASA 5500 Adaptive Security Appliance has an internal Gigabit Ethernet interface and an internal 10/100 Ethernet interface to the Cisco CSC-SSM module. The internal Gigabit Ethernet interface is the primary data channel; packets to be inspected by the CSC-SSM module flow over this internal data channel. The internal 10/100 Ethernet interface provides a control channel; the administrator can issue the session command to "session" into the CSC-SSM from the ASA 5500 Adaptive Security Appliance through this internal control channel. The external 10/100/1000 Ethernet interface is primarily used for downloading CSC-SSM software and for management access to the module through the web management interface of the Cisco CSC-SSM.

Cisco CSC-SSM: Failure Modes

- Fail-open: if the module fails, traffic will continue to flow
- Fail-closed: if the module fails, traffic will cease to flow

You also need to configure what action to take if the Cisco CSC-SSM module fails. "Fail-open" or "fail-closed" refers to what should happen to the traffic flow if the CSC-SSM fails for any reason, whether because of a hardware or a software malfunction. With fail-open configured, traffic continues to flow if the CSC-SSM module fails, but it flows unscanned for as long as the module is down. With fail-closed configured, traffic that is selected for scanning stops flowing if the CSC software fails for any reason, so a module failure becomes an outage for that traffic. Each of these operating modes has its advantages, and the internal network security policy of the company should be used to determine which is appropriate for the CSC-SSM operating environment. On the security appliance, the choice is made per traffic class in the policy map, with the csc fail-open or csc fail-close action.

Cisco CSC-SSM Scanned Traffic Flow

- HTTP request sent
- HTTP request forwarded
- HTTP reply sent, containing spyware
- HTTP reply forwarded, with the spyware removed

The Cisco ASA CSC-SSM provides protection against viruses, spyware, spam, and other malware carried in unwanted traffic. It accomplishes this by scanning the FTP, HTTP, Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) traffic sent to it by the Cisco ASA security appliance. In this figure, an incoming packet stream is diverted from the Cisco ASA security appliance to the CSC-SSM, based on the traffic selected by the modular policy framework configuration of the security appliance. After the packet is received by the CSC-SSM, the content is scanned for security policy violations. If a policy match or "violation" is found, the offending content is stripped or marked appropriately before the content is forwarded along its path.

Although this is an example of an HTTP request and reply, the client could be a network user who is accessing an FTP site or retrieving e-mail from a POP3 server. SMTP scans differ in that you configure the CSC-SSM to scan SMTP traffic sent from the outside to an internal
CSC-SSM Software Loading

This topic describes how to load new operating software on the Cisco CSC-SSM.

Initializing the Cisco CSC-SSM Module

Bootstrapping the Cisco CSC-SSM:

- Load new Cisco CSC software (if necessary)
- Verify the security appliance clock settings for Cisco CSC-SSM operation
- Configure the initial setup of the Cisco CSC-SSM module from the CLI, or run the Content Setup Wizard from Cisco ASDM
- Configure a security policy on the Cisco ASA security appliance (if using the CLI)
- Review the Cisco CSC-SSM security policy settings

Before the Cisco ASA CSC-SSM can protect against unwanted traffic, it must go through an initial setup, or initialization. To initialize the CSC-SSM, you should have the following information readily available before you start:

- Activation codes for the Base and Plus licenses
- The IP address that is assigned to the Cisco ASA CSC-SSM management interface, its network mask, and the default gateway IP address
- Primary and secondary Domain Name System (DNS) servers
- Address and port of the proxy server, if applicable
- Hostname and domain name
- Incoming e-mail domain name
- E-mail address for notifications, and the IP address and listening port of the e-mail server
- Management network or host IP addresses and the network subnet mask
- Current password, and the new password if you wish to change it

If the Cisco ASA CSC-SSM did not come preinstalled in the Cisco ASA security appliance, install the module and connect the management interface to the network. The Cisco ASA CSC-SSM uses its management interface for syslog, e-mail notification, and software updates. It should be connected to the network on which network management is performed. Refer to the Trend Micro InterScan for Cisco CSC-SSM Administrator Guide at http://www.cisco.com/go/asa for more information.

To retrieve the product authorization key (PAK) if you did not receive it, go to the Cisco ASA Licensing website at http://www.cisco.com/go/license.

Cisco CSC-SSM Module: Software Update

show module [all | slot [details | recover]]

From the security appliance CLI command prompt, you can use the show module 1 details command to view the module 1 configuration. You can view such statistics as the hardware version, software version, firmware version, and status of the Cisco CSC-SSM module. The table lists the parameters of the command.

  all        Shows information for all modules, including the Cisco SSM in slot 1
  details    Shows additional version information
  recover    Shows the settings for the hw-module module recover command
  slot       Specifies the Cisco SSM slot number

The output fields of the show module command are as follows:

- Model: the model of this SSM
- Serial Number: the serial number of the SSM
- Hardware Version: the hardware version of the SSM
- Firmware Version: the firmware version of the SSM
- Software Version: the software version of the SSM
- Status: the status of the module, as follows:
  - Initializing: the SSM is being detected and the control communication is being initialized by the system
  - Up: the SSM has completed initialization by the system
  - Unresponsive: the system encountered an error communicating with this SSM
  - Reloading: the SSM is reloading
  - Shutting: the SSM is shutting down
  - Shut Down: the SSM is shut down
  - Recover: the SSM is attempting to download a recovery image

In the example in the figure, the CSC-SSM present is an SSM-10 model. Notice that the application status is down and that the CSC-SSM software has not been activated. Also, the version of the operating software is not current.

TFTP Download Information

- TFTP server IP address and image path
- SSM Ethernet port IP address
- SSM Ethernet port 802.1Q VLAN ID
- SSM Ethernet port default gateway address

hw-module module slot recover {boot | stop | configure [url tftp_url | ip port_ip_address | gateway gateway_ip_address | vlan vlan_id]}

  corpasa(config)# hw-module module 1 recover configure
  Image URL [tftp://0.0.0.0/]: tftp://10.0.1.10/csc6.2.1599.0.bin
  Port IP Address [0.0.0.0]: 10.0.1.15
  VLAN ID [0]:
  Gateway IP Address [0.0.0.0]:

You can use the hw-module module 1 recover command to load a software image to the Cisco CSC-SSM from a Trivial File Transfer Protocol (TFTP) server. This is a two-step process: you must first define the SSM interface and TFTP server network parameters, and then initiate the download. In the example in the figure, the administrator is defining the TFTP download information. Adding the configure keyword to the command enables you to define the CSC-SSM and TFTP server network parameters. In the example, the TFTP server IP address is 10.0.1.10, and the external CSC-SSM Ethernet connector IP address is 10.0.1.15. The CSC-SSM downloads the csc6.2.1599.0.bin image file from the TFTP server. Because no VLAN ID or gateway is entered, the management port is untagged and the TFTP server must be reachable on the directly connected subnet.

Installing new operating software with the hw-module module 1 recover command results in the CSC-SSM being completely re-imaged. The CSC-SSM must then be initialized again with the relevant information. Users are strongly advised to save a copy of the current CSC-SSM configuration settings prior to upgrading. This can be done from the Cisco CSC web management interface: click Administration > Configuration Backup to view the Configuration Backup window. The Configuration Backup window allows you to save (export) your configuration settings into a configuration file.

The full syntax for the hw-module module slot recover command is as follows:

hw-module module slot recover {boot | stop | configure [url tftp_url | ip port_ip_address | gateway gateway_ip_address | vlan vlan_id]}

  boot                        Initiates recovery of this Cisco SSM and downloads a recovery image according to the configuration settings. The Cisco SSM then reboots from the new image.
  configure                   Configures the network parameters to download a recovery image. If you do not enter any network parameters after the configure keyword, you are prompted for the information.
  gateway gateway_ip_address  Sets the gateway IP address for access to the TFTP server through the Cisco SSM management interface.
  ip port_ip_address          Sets the IP address of the Cisco SSM management interface.
  slot                        Specifies the Cisco SSM slot number.
  stop                        Stops the recovery action and stops downloading the recovery image. The Cisco SSM boots from the original image.
  url tftp_url                Sets the URL for the image on a TFTP server, in the format tftp://server/[path/]filename.
  vlan vlan_id                Sets the VLAN ID for the management interface.

Recover Cisco CSC Image

  corpasa(config)# debug module-boot
  corpasa(config)# hw-module module 1 recover boot
  Recover module in slot 1? [confirm]
  Recover issued for module in slot 1

You can use the hw-module module 1 recover boot command to initiate the TFTP download of the image defined with the hw-module module 1 recover configure command. To follow the download, you can enable the debug module-boot command. A sample of the debug output is displayed in the figure; the full debug output was truncated to fit into two windows. In the figure, the first half of the sample output from the CLI reiterates how the module is configured.
Notice the highlighted Cisco CSC-SSM configuration information, Slot-1 100> Ci 10 Systems ROMMON Version (1.0(11)2) — Firmware version Slot-1 101> Platform ASA- SM-CSC-10 — Type of CSC-SS M Slot-1 102> GigabitEthernet0/0 Slot-1 103 Link is UP is uP Slot-1 104> MAC Address: 0018.19eb.2a37 Slot-1 105> ROMMON Variable Settings: Slot 106> ADDRESS=10.0.1.15 cs SM IP Address Slot-1 107> SERVE! 0.0.1.10 — TFTP Server IP Address Slot-1 108> GATEWAY=0.0.0.0 Slot-1 109> PORT=GigabitEthernet0/0 Slot-I 10> VLAN=untagged Sloe 11> IMAG! csc6.2.1599.0.bin 'SC Image The actual downloading of the image is shown 1 ‘© 2008 Cisco Sysiems, In. Security Services Modules 635, Downloading and launching the image, launching the bootloader, and recovering the module takes approximately ten minutes to complete. In the example in the figure, the image was successfully downloaded. Notice the following: Slot-1 116> tftp esc6.2.1599.0.bin@)10.0. 0 Image/Server Address SSlot-1 11 7>1/ 1/110 ueinnnnnnennnannannannannannnay Traage »wnloading Slot-l 11> pursue euuenenie Slot-1 119> |1Nn1Nn1E1NNNNNNNIUUNEENNNNNE Slot-L 194> suunnannavneyetenterteree Slot-1 195> Received 60835523 bytes ‘Transfer size Slot-1 196> Launehing TFTP Image... Launching image Slot-1 197> Cisco Systems ROMMON Version (1,0(10)0) #0: Slot-1 198> Platform ASA-SSM- Slot-1 199> Launching BootLoader... nching bootloader corpasa(config)# The transferring and booting of the new image takes approximately 10 minutes. 
Cisco CSC-SSM Module Software Updated

After the Cisco SSM module software is updated, you can use the show module slot details command to verify that you have successfully loaded the Cisco CSC-SSM with the new operating software and to verify that you have the correct version. From the show module 1 window, you can view the model type, MAC address, serial number, hardware version, firmware version, and software version of the CSC-SSM module. You can also determine the status of the module. In the example in the figure, notice that the module status is Up, but the application status is Down. This is because the CSC-SSM has not been activated, and initialization is not complete.

Initial CLI Cisco CSC Configuration

This topic describes how to initialize the Cisco CSC from the CLI.

If the Cisco SSM is in the Up status, you can open a session with the module through the security appliance CLI. To initiate a session, enter the session 1 command at the CLI command prompt. When you enter the session 1 command for the first time, you are prompted for the default login, username cisco and password cisco. After entering the default login and password, you are immediately prompted to change the password. In the example in the figure, the password was changed to training. After changing the password, the Trend Micro InterScan for Cisco CSC Setup wizard starts. To end a session, press the Ctrl-C key and click Exit.

If the Cisco CSC-SSM is enabled, the administrator can reset the password to "cisco." To reset the password on the hardware module to the default value, "cisco," use the hw-module module slot password-reset command. The administrator must be out of session mode and must be in the ASA 5500 Adaptive Security Appliance CLI privileged EXEC mode.

hw-module module slot password-reset

This command is only valid when the hardware module is in the Up state and supports password reset. On the CSC-SSM, running this command results in the rebooting of the module. The module is offline until the rebooting is finished, which may take several minutes. You can run the show module command to monitor the module state. The command always prompts for confirmation. If the command succeeds, no other output appears.

To continue the Cisco CSC-SSM initialization, press the Enter key, and the Setup wizard will take you through a series of menus to enter the needed information.

Cisco CSC-SSM CLI Network Settings

[Figure: Setup wizard network settings prompts, ending with the gateway IP address entry]

After you press Enter during the first login to the Cisco CSC-SSM, the Setup wizard prompts for network settings. The CSC-SSM uses these settings to communicate with network management devices and to configure the IP address that the web management console will use. After you enter the information, the Setup wizard displays the information entered and asks if it is correct. If it is correct, select y, and the network settings are applied. In this figure, the Cisco CSC-SSM card is assigned IP address 10.0.1.15 with a network mask of 255.255.255.0. It is given the hostname of "csc-ssm" on the "ciscotraining.com" domain. A primary DNS is configured, and the secondary DNS is omitted. The default gateway for the CSC-SSM card is defined, and no proxy server is configured.

Cisco CSC-SSM CLI Network Settings (Cont.)

[Figure: "Do you want to confirm the network settings using ping? [y|n] y" followed by ping replies]

After the network settings are configured and applied, the Setup wizard asks to confirm the network settings by using ping. This allows verification of the network IP parameter settings. If the ping is successful, the wizard continues.
If it is not successful, the wizard prompts you to remedy the problem by changing the network IP parameters. In this figure, the IP address of the default gateway for the CSC-SSM, the IP address of the "inside" interface, is chosen. By choosing the inside interface, the ping can test for connectivity to the gateway as well as the local network.

Cisco CSC-SSM CLI Configuration

[Figure: notification settings prompts: notification e-mail server IP address 10.0.1.10, administrator e-mail address csc-admin@ciscotraining.com, "Are the notification settings correct? (y/n) y"]

The CSC-SSM Setup wizard will also verify the date and time settings of the CSC-SSM that were pulled from the security appliance. Having accurate time stamps is essential to security log monitoring. The incoming e-mail domain is entered for spam content filtering. The wizard also asks for the e-mail address of the administrator and the IP address and TCP port of the notification e-mail server. This information is used to send alerts and notifications to the administrators, so the Setup wizard asks to verify this information.

Cisco CSC-SSM CLI Activation Configuration

[Figure: Base license and Plus license activation code prompts]

The final step of the Cisco CSC-SSM Setup wizard is to enter the activation codes for the Base license and Plus license. These codes are based on the serial number of the CSC-SSM and are specific to each CSC-SSM. As soon as the license is entered, the Setup wizard verifies it. After the Base license or the Base license and Plus license are entered, they are activated, and the CSC-SSM services are stopped and restarted. At this point the CSC-SSM Setup wizard is finished. The CSC-SSM logs you out and you must initiate another "session" to log back into it.

Cisco CSC-SSM Module Activated

[Figure: show module 1 details output after activation]

The figure shows the show module slot details command after the Cisco CSC-SSM has been activated. Notice that the status is Up and the application status is Up. Also notice that the CSC-SSM is reporting that it is activated.

At this point, the CSC-SSM is running a default security policy, and no traffic is selected to be passed to it from the security appliance. To configure traffic, use the CLI or Cisco ASDM to define a class map for the type of traffic that you want to filter. Apply that class map to a Cisco CSC policy map and service policy to have the selected traffic copied to the CSC-SSM. To accomplish this, follow the steps described in the "Advanced Protocol Handling" module of this course.

Initial Configuration of the CSC-SSM with Cisco ASDM CSC Setup Wizard

This topic describes how to configure the CSC-SSM by using the CSC Setup wizard from Cisco ASDM.

Cisco CSC Access

After the Cisco CSC-SSM is installed, you can use the CLI to initialize it, as described in the previous section. You can also initialize it by using the CSC Setup wizard from Cisco ASDM. To initialize the CSC-SSM with Cisco ASDM, click the Content Security tab under the Home icon. If the CSC-SSM has been initialized previously, this is where you can monitor the health and activity of the Cisco CSC. If the CSC-SSM has not been initialized, a pop-up window will be displayed explaining that the Cisco CSC is not activated and that you must run the Trend Micro Content Security CSC Setup wizard to continue. Clicking OK within the pop-up window opens the Trend Micro Content Security Configuration menu under the Configuration icon. The CSC Setup Wizard pane is displayed.

Cisco CSC Setup Wizard

In the Trend Micro Content Security Configuration menu, the Wizard Setup option is selected and the CSC Setup Wizard pane is displayed. To start the Setup wizard, click the Launch Setup Wizard button. This opens the CSC Setup wizard.

The first step in the CSC Setup wizard is the Activation Codes Configuration window. In this window, the Base license activation code and the Plus license activation code are entered. In this figure, both the Base and Plus license codes are entered to enable the full functionality.

Cisco CSC Setup Wizard: IP Configuration

The second step in the Cisco CSC Setup wizard is the IP Configuration window. This information is needed by the Cisco CSC-SSM to be able to communicate with management devices and to allow administrators to connect to the web management console. The window sets the IP address, mask, and gateway for the CSC-SSM. The primary and secondary DNS servers are entered here to allow the CSC-SSM to resolve domain names when needed. Any proxy server information is supplied in this window as well.

In this figure, the IP address of the CSC-SSM is set to 10.0.1.15 with a network mask of 255.255.255.0 and a default gateway of 10.0.1.1. The primary DNS of 192.168.1.20 is entered as well. The secondary DNS and proxy server information is omitted.

Cisco CSC Setup Wizard: Host Configuration

The third step in the Cisco CSC Setup wizard is the Host Configuration window. Providing this information allows the Cisco CSC to notify administrators of alerts and any other notification by e-mail. In this window, the CSC hostname and domain name are entered along with the incoming e-mail domain. Entering the incoming e-mail domain name lets the CSC know which domain incoming SMTP traffic will use, as well as which domain the outgoing SMTP traffic will use. The window also asks for the administrator e-mail address and the e-mail server and port to use to send e-mail. This is the e-mail address to which the Cisco CSC will send alerts and notifications.

In this figure, the hostname of the Cisco CSC is set to "csc-ssm" and it belongs to the "ciscotraining.com" domain. The "ciscotraining.com" domain is the domain used by incoming e-mail. Alerts and notifications will be sent to "csc-admin@ciscotraining.com" on the e-mail server at 10.0.1.10.

Cisco CSC Setup Wizard: Management Access ACL

The fourth step in the Cisco CSC Setup wizard is the Management Access Configuration window. This window allows the configuration of an access control list (ACL) that will specify which IP address or IP addresses can access the web management console. To configure an ACL, enter the IP address and the mask and click the Add button. The IP Address field will accept IP network addresses with the appropriate masks. In this figure, the network 10.0.1.0/24 was added. This permits access to the web management console to any host with an IP address within the 10.0.1.0/24 network.

Cisco CSC Setup Wizard: Password Configuration

The fifth step for the Cisco CSC Setup wizard is the Password Configuration window. This window allows you to set the administrator password for the CSC-SSM. This password is used for logins from the CLI or the web management console. The default user is "cisco," and the default password is "cisco." To change the password for the CSC-SSM, enter the old password. In this example the old password is the default password, "cisco." Then enter and confirm the new password.
In this example, the new password was set to "training."

Cisco CSC Setup Wizard: Traffic Selection

The sixth step for the Cisco CSC Setup wizard is the Traffic Selection for CSC Scan window. In this step of the CSC Setup wizard, a modular policy is created. In this window, the traffic that will have the Cisco CSC content filters applied to it is selected. To specify traffic, click the Add button. The Specify traffic for CSC Scan window appears. Use this window to enter the traffic specifics. You can enter the interface on which the traffic arrives as well as the source and destination addresses. The default interface is "Global," meaning all configured interfaces. The default source and destination is to match "any" IP address. You can enter the service that content filtering will be applied to as well. The CSC-SSM supports content filtering on HTTP, FTP, SMTP, and POP3. These services are the default services for the Service field. A description can be added to provide specific information about the traffic being selected. This can be useful to other administrators that may need to review or change the configuration of the selected traffic.

Lastly, you must choose the fail mode of operation. This defines the mode of operation in case of software or hardware failure of the CSC-SSM. If the fail mode of "permit" is selected, the CSC-SSM will allow traffic to pass if a failure occurs. If the fail mode of "close" is selected, the CSC-SSM will block traffic from passing if a failure occurs. This is the default action that is taken for failure. As mentioned earlier in this lesson, each of these operating modes has its advantages. The internal network security policy for a company should be used to determine which is appropriate for the CSC-SSM operating environment.

In this example, the "any" traffic from all interfaces that is HTTP, FTP, POP3, or SMTP is selected for content filtering. The fail mode of operation is set to permit because the security policy dictates this behavior for device failure where applicable.

The Cisco CSC-SSM can scan FTP, HTTP, POP3, and SMTP traffic only when the destination port of the packet that is requesting the connection is the well-known port for the specified protocol. The CSC-SSM can scan only the following connections:

- FTP connections opened to TCP port 21
- HTTP connections opened to TCP port 80
- POP3 connections opened to TCP port 110
- SMTP connections opened to TCP port 25

You can choose to scan traffic for all of these protocols or any combination of them. For example, if you do not allow network users to receive POP3 e-mail, then do not configure the adaptive security appliance to divert POP3 traffic to the Cisco CSC-SSM. Instead, block this traffic.

To maximize performance of the adaptive security appliance and the Cisco CSC-SSM, divert to the CSC-SSM only the traffic that you want the CSC-SSM to scan. Needlessly diverting traffic that you do not want to scan, such as traffic between a trusted source and destination, can adversely affect network performance. Therefore, it is advisable to use access lists to further limit the traffic that is selected by the class maps of Cisco CSC-SSM service policies. Specifically, use access lists that match the following:

- HTTP connections to outside networks
- FTP connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance
- POP3 connections from clients inside the adaptive security appliance to servers outside the adaptive security appliance
- Incoming SMTP connections destined to inside mail servers

The seventh step for the Cisco CSC Setup wizard is the Summary window. In this window, a summary of the information that is provided in the previous steps is displayed. You can review the activation codes, IP parameters, host and domain names, and the management access list. If the information is incorrect, click the Back button to return to the appropriate window to make corrections. If the information is correct, click the Finish button. Then click the Apply button in the CSC Setup Wizard pane.

Cisco CSC Setup Wizard: Commands

[Figure: commands generated by the CSC Setup wizard]

The figure shows the commands that are sent to the Cisco ASA security appliance to configure the Cisco CSC-SSM. The session 1 commands are issued to initialize the CSC-SSM. The activation codes, IP parameters, host and domain names, and the management access list were configured through the CSC Setup wizard. The other commands listed define which traffic the CSC-SSM scans. The object-group command defines the protocols to scan. The access-list command defines the traffic to scan. The service-policy command applies the CSC service policy to all interfaces. If the Cisco CSC module should fail, traffic will continue to flow.

Cisco CSC Management Login

To access the web management console of the Trend Micro CSC-SSM, use the URL https://CSC-SSM_ip_address:8443. Then enter the administrator password.
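Returning to the traffic-selection step, the following Python script is an added example (not the wizard's output and not Cisco's code) that builds the access-list, class-map, policy-map and service-policy lines described above while enforcing the two rules from this lesson: only the four scannable protocols on their well-known ports, and an ACL narrowed to inside-to-outside HTTP/FTP/POP3 plus inbound SMTP to named inside mail servers. The inside network, the mail server address, and the names csc_scan and csc_class are assumed values.

```python
"""Generate the ASA modular-policy commands that divert traffic to a CSC-SSM.

Added example, not Cisco's or the wizard's own code. It encodes two rules from
this lesson: the CSC-SSM scans FTP, HTTP, POP3 and SMTP only on their well-known
ports (21, 80, 110, 25), and the diverting ACL should match just the directions
worth scanning (inside clients to outside HTTP/FTP/POP3 servers, inbound SMTP to
inside mail servers). The inside network and mail server addresses are assumed
inputs; the ACL and class-map names are hypothetical.
"""

# Protocols the CSC-SSM can scan and the only destination port it accepts for each.
SCANNABLE = {"ftp": 21, "http": 80, "pop3": 110, "smtp": 25}
# ASA port keywords for those ports, as used in access-list and port-object lines.
PORT_KEYWORD = {21: "ftp", 80: "www", 110: "pop3", 25: "smtp"}


def scannable_port(service, port=None):
    """Return the well-known port for a scannable service; reject anything else."""
    key = service.lower()
    if key not in SCANNABLE:
        raise ValueError(f"CSC-SSM cannot scan {service!r}; block or bypass it instead")
    expected = SCANNABLE[key]
    if port is not None and port != expected:
        raise ValueError(f"CSC-SSM scans {key} only on TCP port {expected}, not {port}")
    return expected


def build_csc_policy(inside_net, inside_mask, mail_servers,
                     services=("http", "ftp", "pop3"), fail_mode="open",
                     acl_name="csc_scan"):
    """Return the ASA CLI lines for a CSC service policy applied to all interfaces.

    services controls the outbound client-to-server protocols that are diverted;
    inbound SMTP is diverted only towards the hosts in mail_servers.
    """
    if fail_mode not in ("open", "close"):
        raise ValueError("fail_mode must be 'open' or 'close'")
    lines = []
    # Outbound client-to-server traffic for each scannable protocol.
    for service in services:
        keyword = PORT_KEYWORD[scannable_port(service)]
        lines.append(f"access-list {acl_name} extended permit tcp "
                     f"{inside_net} {inside_mask} any eq {keyword}")
    # Inbound SMTP only to the inside mail servers, not to every inside host.
    for host in mail_servers:
        lines.append(f"access-list {acl_name} extended permit tcp any host {host} eq "
                     f"{PORT_KEYWORD[scannable_port('smtp')]}")
    lines += [
        "class-map csc_class",
        f" match access-list {acl_name}",
        "policy-map global_policy",
        " class csc_class",
        f"  csc fail-{fail_mode}",  # fail-open keeps traffic flowing if the module fails
        "service-policy global_policy global",
    ]
    return lines


if __name__ == "__main__":
    # Constructed values: the lab network from this lesson and one inside mail server.
    for line in build_csc_policy("10.0.1.0", "255.255.255.0", ["10.0.1.10"]):
        print(line)
```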
Alternatively, from within Cisco ASDM, click the Home icon and select the CSC Content tab. Cisco ASDM opens the CSC Content tab and a pop-up window appears. This window asks for the administrator password. Enter the administrator password and press Enter. Either action launches the Cisco CSC web management console.

Cisco CSC Summary Page

The figure shows the Cisco CSC web management console Summary page. From this page, the status of the Cisco CSC-SSM can be monitored as well as the different content filtering that is configured. This page provides access to the Content Filtering Configurations and Device Management menus. For more information about the Trend Micro CSC-SSM administrator, refer to the CSC-SSM Administration Guide on www.cisco.com/go/a

Summary

This topic summarizes the key points that were discussed in this lesson.

- The show module command provides status and configuration information about the Cisco CSC-SSM.
- Use the hw module 1 recover command to update the software image for the Cisco CSC-SSM.
- Initial Cisco CSC-SSM configuration can be accomplished from the CLI with the session command or from within Cisco ASDM using the Cisco CSC Setup wizard.
- Using Cisco ASDM to configure the Cisco CSC-SSM configures a modular policy for traffic selection by the Cisco ASA CSC-SSM.

Lesson 3 | Cisco AIP-SSM: Getting Started

Overview

This lesson describes the Cisco Adaptive Security Appliance Advanced Inspection and Prevention Security Services Module (ASA AIP-SSM). It also describes how to load Cisco Intrusion Prevention System (IPS) software on the Cisco ASA AIP-SSM, how to initialize the module with the setup command, and how to define a Cisco IPS modular policy on a security appliance, using the Cisco Adaptive Security Device Manager (ASDM).
Objectives

Upon completing this lesson, you will be able to initialize an AIP-SSM module. This ability includes being able to meet these objectives:

- Explain how the Cisco SSM modules operate within the Cisco ASA security appliance
- Upload the Cisco IPS image to the Cisco ASA AIP-SSM
- Perform the initial configuration of the Cisco ASA AIP-SSM
- Configure an IPS security policy using Cisco ASDM

AIP-SSM Overview

This topic provides an overview of the Cisco ASA AIP-SSM modules.

[Figure: AIP-SSM front bezel showing the Ethernet port and the Power and Status LEDs]

The Cisco ASA AIP-SSM has two hardware versions available, the AIP-SSM-10 and the AIP-SSM-20. Both modules appear identical, but the AIP-SSM-20 has a faster processor and more memory than the AIP-SSM-10. Only one module can populate the slot at a time. On the front bezel of the AIP-SSM module are four LEDs and one 10/100/1000 Ethernet port. The table lists the states of the AIP-SSM LEDs.

States of AIP-SSM LEDs

  LED       Color   State      Description
  Power     Green   On         [description illegible in the source scan]
  Status    Green   Solid      The system has passed power-up diagnostics.
  Status    Amber   Solid      The power-up diagnostics have failed.
  Speed     Green   Flashing   There is network activity.
  Link/Act  Green   Solid      [description illegible in the source scan]

Caution: Remove power to the ASA 5500 Adaptive Security Appliance before installing or removing the AIP-SSM module.

Cisco AIP-SSM Ethernet Connections

[Figure: AIP-SSM internal and external Ethernet connections, with the external port used for software download and Cisco ASDM]

The ASA 5500 Adaptive Security Appliance supports an internal Gigabit Ethernet and a 10/100 Ethernet interface to the AIP-SSM module. The Gigabit Ethernet interface is the primary data channel. Packets to be inspected by the AIP-SSM module flow over the internal data channel. The internal 10/100 Ethernet interface provides a control channel. The administrator can "session" into the AIP-SSM from the ASA 5500 Adaptive Security Appliance through the internal control channel. The external 10/100/1000 Ethernet interface is primarily used for downloading AIP-SSM IPS software and for Cisco ASDM access to the Cisco SSM module.

Cisco AIP-SSM: Modes of Operation

- Intrusion detection: In promiscuous mode, a copy of the traffic is sent to the module
- Intrusion prevention: In inline mode, the actual traffic flows through the module

The AIP-SSM can be configured to operate in one of two IPS modes, promiscuous or inline. In promiscuous mode, the IPS module is not in the traffic packet flow. You can configure a security policy (using standard rules and access control lists [ACLs]) to identify traffic that will be copied and passed to the AIP-SSM module. The AIP-SSM module performs analysis of the traffic. A significant benefit of operating an IPS module in promiscuous mode is that the IPS module does not affect the packet flow. There are no performance or operational reliability issues with the forwarded traffic. The drawback to operating in promiscuous mode, however, is that the AIP-SSM module may not stop malicious traffic from reaching its intended target. The response actions implemented by modules in promiscuous mode are typically post-event responses and often require assistance from other networking devices, such as routers and firewalls, to respond to an attack. The argument can be successfully made that modules that are operating in promiscuous mode cannot prevent an attack, but can only react. Most IPS products on the market today operate in promiscuous mode.

Operating in inline mode, the IPS module is inserted directly into the traffic flow. You configure a security policy, using standard rules and ACLs, to identify traffic that will be passed directly to the AIP-SSM module. An inline IPS module sits in the data path, allowing the sensor to stop attacks by dropping malicious traffic before it reaches the intended target. The AIP-SSM module not only processes information on the packet "envelope" (Layers 3 and 4), but also analyzes the contents, or payload, of the packets for more sophisticated embedded attacks (Layers 3 to 7). This deeper analysis allows the system to identify and block attacks that would normally pass through a traditional firewall device.

- Fail-open: If the module fails, traffic will continue to flow
- Fail-closed: If the module fails, traffic will cease to flow

You also need to configure what action to take if the AIP-SSM module fails. "Fail-open" or "fail-closed" refers to what should happen to the traffic flow if the AIP-SSM fails for any reason, either a hardware or a software malfunction. With fail-open configured, if the AIP-SSM module fails, traffic will continue to flow. When operating in promiscuous mode, AIP-SSM modules are typically configured for fail-open. With fail-closed enabled, traffic will cease flowing if the IPS software fails for any reason.

AIP-SSM Software Loading

This topic describes the loading and verifying of AIP-SSM software.

Bootstrapping the Cisco ASA AIP-SSM:

- Load the IPS software (if necessary)
- Configure the initial setup of the AIP-SSM module
- Configure a security policy on the Cisco ASA security appliance

Before the AIP-SSM module can start to inspect and analyze traffic, three steps must be performed. You should verify, or load and verify, the IPS operating software on the AIP-SSM module. After verifying the IPS software, you should configure the initial setup of the AIP-SSM module. Lastly, you should configure an IPS policy for the ASA 5500 Adaptive Security Appliance. Each of these steps is discussed in more depth later in this lesson.
6-62 Securing Networks with Cisco ASA Advanced (SNAA) v1.0 (© 2008 Cisco Systems, Inc AIP-SSM Module: No IPS Software Fo- - — stot show module [all | slot (details | recover! ] You can use the show module I detail command to view module | configuration. You ean view such statistics as hardware version, software version, firmware version, and status of the AIP-SSM module. The table lists the parameters of the command. show module [all | slot [details | recover]) all ‘Shows informati {or Cisco SSM, slot etaits ‘Shows additional version information, — recover ‘Shows the settings for the hwsmadule module recover command "slot | ‘Specifies the Cisco SSM slot information. The output fields of the show module command are as follows: = Model: ‘The model of this SSM = Serial Number: The serial number of the SSM © Hardware Version: The hardware version of the SSM = Firmware Version: The firmware version of the SSM | Software Version: The software version of the SSM Status: The status of the module, as follows: — _ Initializing: The SSM is being detected and the control communication is being initialized by the system, — Up: The SSM has completed the initialization by the system — Unresponsive: The system encountered an error communicating with this SSM. — Reloading: The SSM is reloading. — Shutting: The SSM is shutting down, (© 2008 Cisco Systems, Inc ‘Secunty Senioes Modules 663 SS SS — Shut Down: The SSM is shut down Recover: The SSM is attempting to download a recovery image. {i the example in the figure, the AIP-SSM that is present is an SSM-10 model. Notice that there is no software present on the module, and that the module is in the status of trying to initialize. seo Systems, Inc 6-64 Securing Networks with Cisco ASA Advanced (SNAA) v1.0 '© 2008 Cisco Syst TFTP Download Information p-ssu ud W010 cover 4 TFTP server IP address and image path + SSM Etheret por IP address ‘+ SSM Ethernet port 802 1q VLAN 1D + SSM Ethemnet port default gateway adress. 
hw module {uri tfp ur Sp port ip address | gate [Neian vian_sa) ) eaai (config) bv novi 3 secs sontlaure nage Unb {efep:/70-0-0.0/1" €€eps//10.8-2-10/IPS-89N-RS-aye-2.2-8- ore IP Aagveas 0.0.0.0]: 10.0,1.20 vas 10 (0) Geteway {P Address (0.0.0.0 You can use the hw module 1 recover command to load a recovery software image to the AIP- SSM from a Trivial File Transfer Protocol (TPTP) server. This is a two-step process. You must first define the Cisco SSM interface and TETP server network parameters, and then initiate the download. In the example in the figure, the administrator is defining the TFTP download information ‘Adding the configure keyword to the command enables you to define the AIP-SSM and TFTP server network parameters, In the example in the figure, the TFTP server IP address is 10.0.1.10, and the external AIP-SSM Ethernet connector IP address is 10.0.1.20. The TFTP server will download the AIP-SSM-K9-sys-I. I-a-6.0-2-E1 img image file to the Cisco ASA AIP-SSM. This Service Pack includes the S280 Signature Update Installation of the 6.0(2)E1 service pack results in a complete re-imaging of the sensor. While the sensor configuration settings are maintained, all data written to the event store as well as any unsupported customizations will be lost. Users are strongly advised to save a copy of the sensor's current eo server prior o upgrading their sensors, juration settings to an fip The full syntax for the hw module s/or recover command is as follows: hw module slot recover (1 port_ip_address | gateway gateway ip address | vlan vlan_id)} (© 2008 Cisco Systems, nc Securty Services Modules 655 boot Initiates recovery ofthis Cisco SSM and downloads a fecovery image according to the configuration settings, The Cisco SSM then reboots from the new image. configure Configures the network parameters to download a recovery image. 
  If you do not enter any network parameters after the configure keyword, you are prompted for the information.
- gateway gateway_ip_address: Sets the gateway IP address for access to the TFTP server through the Cisco SSM management interface.
- ip port_ip_address: Sets the IP address of the SSM management interface.
- slot: Specifies the Cisco SSM slot number.
- stop: Stops the recovery action and stops downloading the recovery image. The Cisco SSM boots from the original image.
- url tftp_url: Sets the URL for the image on a TFTP server, in the following format: tftp://server/[path/]filename.
- vlan vlan_id: Sets the VLAN ID for the management interface.

Securing Networks with Cisco ASA Advanced (SNAA) v1.0, © 2008 Cisco Systems, Inc.

Recover IPS Image (figure): output of hw module 1 recover boot, with the firmware version, platform type, AIP-SSM IP address, TFTP server IP address and IPS image highlighted.

You can use the hw module 1 recover boot command to initiate the TFTP download of the image that is defined in the hw module 1 recover configure command. To aid in the download, you can enable the debug module command. A sample of a download is displayed in the example in the figure. The full debug output was truncated to fit into two windows. In the graphic in the figure, the first half of the sample reiterates how the module is configured. Notice the highlighted Cisco ASA AIP-SSM configuration information:

    asa1(config)# hw module 1 recover boot
    Recover module in slot 1? [confirm]
    Slot-1 100> Cisco Systems ROMMON Version (1.0(10)0) #0:    <--- Firmware
    Slot-1 101> Platform ASA-SSM-10                             <--- Type of AIP-SSM
    Slot-1 102> GigabitEthernet0/0
    Slot-1 103> Link is UP                                      <--- Link is UP
    Slot-1 104> MAC Address: 0016.4687.0520
    Slot-1 105> ROMMON Variable Settings:
    Slot-1 106>   ADDRESS=10.0.1.20                             <--- AIP-SSM IP Address
    Slot-1 107>   SERVER=10.0.1.10                              <--- Server IP Address
    Slot-1 108>   GATEWAY=0.0.0.0
    Slot-1 109>
    Slot-1 110>
    Slot-1 111>   IMAGE=IPS-SSM-K9-sys-1.1-a-6.0-2-E1.img       <--- IPS Image

The actual downloading of the image is shown next.

Downloading and launching the image, launching the bootloader, and recovering the module takes approximately five minutes to complete. In the example in the figure, the image was successfully downloaded. Notice the following:

    Slot-1 116> tftp IPS-SSM-K9-sys-1.1-a-6.0-2-E1.img@10.0.1.10   <--- Image/Server Address
    Slot-1 117> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!     <--- Image is downloading
    Slot-1 118> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Slot-1 119> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ...
    Slot-1 194> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Slot-1 195> Received 25302666 bytes                            <--- Transfer size
    Slot-1 196> Launching TFTP Image...                            <--- Launching image
    Slot-1 197> Cisco Systems ROMMON Version (1.0(10)0) #0:
    Slot-1 198> Platform ASA-SSM-10
    Slot-1 199> Launching BootLoader...                            <--- Launching bootloader
    asa1(config)#

The transferring and booting of the new image takes approximately 5 minutes.

show module 1 details (figure): model, SSM application name, status and application version.

After the Cisco SSM module is initialized, you can use the show module slot details command to verify that you have initialized the AIP-SSM and to verify that you have the correct software version. From the show module 1 window, you can view the model type, MAC address, serial number, hardware version, firmware version, and software version of the AIP-SSM module. You can also determine the status of the module. In the example in the figure, notice that the module is in the Up status and that the Cisco IPS software version 6.0(2)E1 is loaded on the module.

Session (figure): session 1, first login, then "You are required to change your password immediately (password aged)".

If the Cisco SSM is in the Up status, you can open a session with the security appliance command-line interface (CLI).
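The verification step just described (module Up, correct software version, management reachable only over TLS) is easy to script when many appliances are re-imaged. The following is an added example written for this edition, not code from the student guide or from Cisco: it parses the label/value lines of show module 1 detail output and compares them with a baseline. The sample output is constructed to mirror the fields the guide discusses, and the expected version and management address passed to check_module() are assumptions to replace with your own.

```python
"""Parse and sanity-check 'show module <slot> detail' output from a Cisco ASA.

Added example, not code from the SNAA student guide or from Cisco. The sample
output below is constructed to mirror the fields the guide discusses; the
expected version and management address passed to check_module() are
assumptions that you would replace with your own baseline.
"""
import re

# Constructed sample of a healthy module, modelled on the guide's discussion.
SAMPLE_OUTPUT = """\
asa1# show module 1 detail
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      123456789
Firmware version:   1.0(10)0
Software version:   6.0(2)E1
MAC Address Range:  0016.4687.0520 to 0016.4687.0520
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       6.0(2)E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       10.0.1.20
Mgmt web ports:     443
Mgmt TLS enabled:   true
"""

# Constructed sample of a module that is still recovering and has management
# TLS switched off (a state worth catching right after a re-image).
DEGRADED_OUTPUT = SAMPLE_OUTPUT.replace(
    "\nStatus:             Up", "\nStatus:             Recover").replace(
    "Mgmt TLS enabled:   true", "Mgmt TLS enabled:   false")

# One 'Label:   value' line; the label is the ASA's own text, value may be empty.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z. ]*?):\s*(?P<value>.*)$")


def parse_show_module_detail(text):
    """Return the 'label: value' pairs of the output as a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if match:
            fields[match.group("key").strip()] = match.group("value").strip()
    return fields


def check_module(fields, expected_version, expected_mgmt_ip):
    """Compare parsed fields with the baseline; return a list of findings.

    An empty list means the module is Up, runs the expected IPS version and
    is managed over TLS at the address you planned for.
    """
    findings = []
    if fields.get("Status") != "Up":
        findings.append(f"module status is {fields.get('Status')!r}, expected 'Up'")
    if fields.get("App. Status") != "Up":
        findings.append(f"IPS application status is {fields.get('App. Status')!r}")
    if fields.get("Software version") != expected_version:
        findings.append(f"software version {fields.get('Software version')!r} "
                        f"differs from expected {expected_version!r}")
    if fields.get("App. version") != fields.get("Software version"):
        findings.append("application version does not match software version")
    if fields.get("Mgmt IP addr") != expected_mgmt_ip:
        findings.append(f"management address {fields.get('Mgmt IP addr')!r} "
                        f"differs from expected {expected_mgmt_ip!r}")
    if fields.get("Mgmt TLS enabled", "").lower() != "true":
        findings.append("management TLS is disabled; IDM/ASDM traffic would be in clear text")
    return findings


if __name__ == "__main__":
    for label, output in (("healthy", SAMPLE_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        result = check_module(parse_show_module_detail(output), "6.0(2)E1", "10.0.1.20")
        print(label, "->", result or "no findings")
```

Run it against output captured from your own appliance; the healthy sample yields no findings, while the degraded sample reports the Recover status and the disabled management TLS.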
To initiate a session, enter the session 1 command at the CLI command prompt. When you enter the session 1 command for the first time, you are prompted for the default login, username cisco and password cisco. After entering the default login and password, you are immediately prompted to change the password. In the example in the figure, the password was changed to training. After changing the password, the default sensor# command prompt is displayed. To end a session, enter exit or the Ctrl-Shift-6 x key combination.

If the Cisco AIP-SSM is enabled, the administrator can reset the password to "cisco." To reset the password on the hardware module to the default value, "cisco," use the hw-module module slot password-reset command. The administrator must be out of session mode and must be in the ASA 5500 Adaptive Security Appliance CLI privileged EXEC mode.

    hw-module module slot password-reset

This command is only valid when the hardware module is in the Up state and supports password reset. On the AIP-SSM, running this command results in the rebooting of the module. The module is offline until the rebooting is finished, which may take several minutes. You can run the show module command to monitor the module state. The command always prompts for confirmation. If the command succeeds, no other output appears.

Session Setup Default (figure): Enter IP interface[10.1.9.201/24,10.1.9.1]

After installing and loading software on the AIP-SSM module, you must initialize the AIP-SSM module using the setup command. With the setup command, you can configure basic AIP-SSM settings, including the hostname, IP interfaces, Telnet server, web server port, ACLs, and time zone settings. The example in the figure displays the default setup parameters.
Notice that the default IP address of the external AIP-SSM Ethernet connector is 10.1.9.1.

Session setup Command (figure): the IP interface is changed to 10.0.1.20/24, the web-server port is set, and the closing prompt offers [0] Go to the command prompt without saving this configuration, [1] Return back to the setup without saving this configuration, [2] Save this configuration and exit.

To communicate with Cisco ASDM, you may need to change some of the default setup parameters, such as the IP interface and current access list. A description of the setup command parameters is as follows:

- Enter host name[sensor]: Name of the sensor. The hostname can be a string of 1 to 64 characters that matches the pattern ^[A-Za-z0-9_/-]+$. The default is sensor. You receive an error message if the name contains a space or exceeds 64 alphanumeric characters.
- Enter IP interface[10.1.9.201/24,10.1.9.1]: IP address of the external AIP-SSM Ethernet interface and the default gateway. The default external interface IP address is 10.1.9.201. The default mask corresponding to the IP address is /24, or 255.255.255.0. The default gateway address is 10.0.1.1.
- Enter telnet-server status[disabled]: Enables or disables Telnet for remote access to the sensor. Telnet is not a secure access service and therefore is disabled by default.
- Enter web-server port[443]: TCP port used by the web server. The default is 443 for HTTPS. You receive an error message if you enter a value out of the range of 1 to 65535.
- Modify current access list?[no]: IP address of the hosts or networks that have permission to access the sensor. By default, there are no entries.

In the example in the figure, the IP address of the external Ethernet connector was changed to 10.0.1.20/24. Hosts on the 10.0.1.0/24 subnet are permitted to access the module through HTTPS.

show module detail Command (figure): output of show module 1 detail with the serial number, IPS software version, application status, AIP-SSM status and management IP address highlighted.
You can use the show module 1 detail command to view AIP-SSM hardware and software details, including the remote-management configuration. In the example in the figure, notice the highlighted entries. A device manager can access the AIP-SSM module through the AIP-SSM external interface at IP address 10.0.1.20, the AIP-SSM web server port is 443, and management Transport Layer Security (TLS)/Secure Sockets Layer (SSL) is enabled.

    asa1# show module 1 detail
    Getting details from the Service Module, please wait...
    ASA 5500 Series Security Services Module-10
    Model:              ASA-SSM-10                        <--- AIP-SSM Model
    Hardware version:   1.0
    Serial Number:      123456789                         <--- Serial Number
    Firmware version:   1.0(10)0
    Software version:   6.0(2)E1                          <--- IPS SW version
    MAC Address Range:  0016.4687.0520 to 0016.4687.0520
    App. name:          IPS
    App. Status:        Up                                <--- Application Status
    App. Status Desc:
    App. version:       6.0(2)E1
    Data plane Status:  Up
    Status:             Up                                <--- AIP-SSM status
    Mgmt IP addr:       10.0.1.20                         <--- External IP address
    Mgmt web ports:     443
    Mgmt TLS enabled:   true

Initial Cisco IPS ASDM Configuration

This topic describes how to access the Cisco ASA AIP-SSM with Cisco ASDM.

Cisco IPS Access (figure): the Intrusion Prevention tab in Cisco ASDM and the Management IP Address prompt.

After installing the AIP-SSM module, you initialized the module using the setup command from the CLI. With the setup command, you configured basic sensor settings, including the hostname, IP interfaces, web server port, ACLs, and time settings. After initializing the AIP-SSM module, you can now communicate with the module using Cisco ASDM and the Cisco IPS Device Manager (IDM). The IPS device information under the Intrusion Prevention tab and the icon under the Configuration icon will not be present in Cisco ASDM until the IPS software is installed and configured on the AIP-SSM module and Cisco ASDM is able to communicate with the AIP-SSM through the external AIP-SSM Ethernet connector.

Cisco ASDM uses Cisco IDM to configure the Cisco ASA AIP-SSM. If the AIP-SSM is running Cisco IPS Version 6.0 or later, Cisco ASDM retrieves Cisco IDM from the AIP-SSM and displays it as part of the Cisco ASDM interface. To access the AIP-SSM module from Cisco ASDM, click the IPS tab under the Home icon. The Connecting to the IPS pop-up window appears. The IP address that is referenced by the Management IP Address prompt in the pop-up window refers to the IP address of the external Ethernet interface of the AIP-SSM module. An option is provided in this dialog box to enter a different IP address, in case you are accessing the IPS sensor from behind a Network Address Translation (NAT) device. Cisco ASDM can only manage the AIP-SSM card in the same chassis as the security appliance from which that Cisco ASDM is started. Click the Management IP Address button and then click Continue. If a route exists between the Cisco ASDM PC and the external Ethernet interface on the AIP-SSM module, the AIP-SSM session login prompt should open.

Cisco IPS Login

If connectivity exists between the PC and the AIP-SSM, you are prompted for your Cisco IPS username and password. The Cisco IPS software requires separate authentication. This allows for separation of security appliance management and IPS management. Enter your IPS username and password. Click Yes to continue.

Intrusion Prevention Tab

- A high-level view of the state of the Cisco AIP-SSM

If the login was successful, the Cisco IDM device detail pane appears in the Cisco ASDM window.
The Home window provides a high-level view of the state of the sensor and contains the following system information:

- Displays the hostname, the IPS software version, the IDM version, whether bypass mode is enabled or disabled, the missed packets percentage, the IP address, the device type, the amount of memory, the amount of data storage, and the number of sensing interfaces.
- System Resources Status: Displays the CPU and memory usage of the sensor.
- Interface Status: Displays the status of the management and sensing interfaces. Choose the entry in the Interface Status table to view the received and transmitted packets count for an interface.
- Alert Summary: Displays how many Informational, Low, Medium, and High alerts the sensor has and how many alerts have a threat rating value above 80. Alarm counts grow until you clear the Event Store or until the Event Store buffer is overwritten.
- Alert Profile: Displays a graphical view of the number of alerts at each severity level.

Cisco IDM constantly retrieves status information to keep the Home window updated. By default, the Auto Refresh Every 10 Seconds check box is checked, and the window is refreshed every 10 seconds.

Cisco IPS Network Configuration

- Specify network and communication parameters for the AIP-SSM module

Use the Network window to specify network and communication parameters for the AIP-SSM module. After you use the setup command to initialize the sensor, the network and communication parameter values appear in the Network window. If you need to change these parameters, you can do so from the Network window.

To verify AIP-SSM network parameters from Cisco ASDM, click IPS and choose the Network option. The following fields and buttons are found on the Network panel. These are the field descriptions:

- Hostname: Name of the sensor. The hostname can be a string of 1 to 64 characters that matches the pattern ^[A-Za-z0-9_/-]+$.
  The default is sensor. You receive an error message if the name contains a space or exceeds 64 alphanumeric characters.
- IP Address: IP address of the sensor. The default is 10.1.9.201.
- Network Mask: Mask corresponding to the IP address. The default is 255.255.255.0.
- Default Route: Default gateway address. The default is 10.1.9.1.
- FTP Timeout: Sets the amount of time in seconds that the FTP client waits before timing out when the sensor is communicating with an FTP server. The valid range is 1 to 86400 seconds. The default is 300 seconds.
- Allow Password Recovery: Enables password recovery.
- Web Server Settings: Sets the web server security level and port.
  - Enable TLS/SSL: Enables TLS and SSL in the web server. The default is enabled. We strongly recommend that you enable TLS and SSL.
  - Web server port: TCP port used by the web server. The default is 443 for HTTPS. You receive an error message if you enter a value out of the range of 1 to 65535.
- Remote Access: Enables the sensor for remote access.
  - Enable Telnet: Enables or disables Telnet for remote access to the sensor. Telnet is not a secure access service and therefore is disabled by default.

Allowed Hosts

- Specify hosts or networks that have permission to access the Cisco AIP-SSM module

Use the Allowed Hosts window to specify hosts or networks that have permission to access the AIP-SSM module. After you use the setup command to initialize the AIP-SSM module, the allowed hosts parameter values that you entered through the setup command appear in the Allowed Hosts window. If you need to change these parameters, you can do so from the Allowed Hosts window.

To verify AIP-SSM allowed hosts parameters from Cisco ASDM, click IPS and choose the Allowed Hosts option. In the example in the figure, hosts from the 10.0.1.0/24 subnet are allowed access to the AIP-SSM.
- Create, edit, and remove users from the AIP-SSM

Cisco ASDM permits only one user to log in at a time. If another user tries to log in, a message says that the first user is logged in. You can create and remove users from the AIP-SSM. Each user is associated with a role that controls what that user can and cannot modify. There are four user roles:

- Viewers: Can view configuration and events, but cannot modify any configuration data except their user passwords.
- Operators: Can view everything and can modify the following options:
  - Signature tuning (priority, disable, or enable)
  - Virtual sensor definition
  - Managed routers
  - Their user passwords
- Administrators: Can view everything and can modify all options that operators can modify, in addition to the following:
  - Sensor addressing configuration
  - List of hosts allowed to connect as configuration or viewing agents
  - Assignment of physical sensing interfaces
  - Add and delete users and passwords
  - Generate new SSH host keys and server certificates
- Service: Only one user with service privileges can exist on a Cisco ASA AIP-SSM module. The service role is a special role that allows a service user to bypass the CLI if needed. Only one service account is allowed.

Configure a Cisco IPS Security Policy

This topic describes the steps needed to configure a Cisco IPS security policy on the Cisco ASA security appliance.

Create a Security Policy (figure): Internet to corporate web server; intrusion prevention, inline mode, fail-open. Steps: create a security policy, identify a class of traffic, associate the IPS policy with a class of traffic, activate the policy globally or on an interface.

In previous steps, Cisco IPS software was added to the AIP-SSM module, a session was established, and basic setup information was configured through the CLI.
After communications were established with the outside interface of the AIP-SSM module, Cisco IDM was used to verify the initial setup configuration.

The last step in the process is to create a security policy on the Cisco ASA 5500 Adaptive Security Appliance. A security policy enables the Cisco ASA Adaptive Security Appliance to prefilter and pass selected traffic to the Cisco ASA AIP-SSM for inspection and analysis. This level of interaction between the Cisco ASA security appliance and the Cisco ASA AIP-SSM enables the Cisco IPS system to operate at greater efficiency. The Cisco ASA AIP-SSM analyzes only a subset of the total bandwidth, the relevant traffic, and filters out nonrelevant traffic. You can apply a security policy to an interface or globally to every interface.

In the example in the figure, the administrator wants to screen Internet HTTP traffic that is bound for the corporate web server with the AIP-SSM card. A policy will be activated on the outside interface. Web traffic that is traveling from the Internet to the corporate web server will be identified. This traffic will be forwarded to the AIP-SSM for inspection.

Create a Service Policy

- Add Service Policy Rule Wizard dialog box
- Apply a new security policy rule to the outside interface

To create a Cisco IPS service policy from Cisco ASDM, click Security Policy from the Firewall menu and choose the Service Policy Rules option. The Add Service Policy Rule Wizard dialog box guides you through the addition of a new service policy rule. You can apply the new security policy rule to a specific interface, such as the outside or inside interface, or you can apply it globally to all of the interfaces. Descriptions of the fields in the Create a Service Policy and Apply To group box are as follows:

- Interface radio button: This applies the rule to a specific interface.
  This selection is required if you want to match traffic that is based on the source or destination IP address using an ACL.
- Interface drop-down list: This specifies the interface to which the rule applies.
- Description field: This provides a text description of the policy.
- Global - Applies to All Interfaces radio button: This applies the rule to all of the interfaces.
- Policy Name field: This specifies the name of the global service policy. Only one global service policy is allowed, and it cannot be renamed.
- Description field: This provides a text description of the policy.

In the example in the figure, a policy is created on the outside interface. The name of the policy is "Outside-policy."

Identify a Class of Traffic

- Define the criteria that is used by the Cisco ASA to identify which traffic is routed to the AIP-SSM for inspection and analysis

After you define a service policy, you define a traffic class. You define the criteria used by the Cisco ASA Adaptive Security Appliance to identify which traffic is routed to the Cisco ASA AIP-SSM for inspection and analysis. The Traffic Classification Criteria dialog box lets you specify the criteria to match traffic to the security policy to which the rule applies. Descriptions of the fields are as follows:

- Create a New Traffic Class: This identifies the name of the new traffic class.
- Description: This provides a text description of the new traffic class.
- Traffic Match Criteria: The available matching criteria choices are as follows:
  - Default Inspection Traffic: This uses the criteria that are specified in the default inspection traffic policy.
  - Source and Destination IP Address (Uses ACL): This matches traffic that is based on the source and destination IP addresses, using an ACL.
    This selection is available only if you apply the rule to a specific interface by using an interface service policy.
  - Tunnel Group: This matches traffic that is based on the tunnel group. If a tunnel group is chosen as one match criterion, a second criterion can also be chosen.
  - TCP or UDP Destination Port: This matches traffic that is based on the TCP or User Datagram Protocol (UDP) destination port.
  - RTP Range: This matches traffic that is based on a range of Real-Time Transport Protocol (RTP) ports.
  - IP DiffServ CodePoints (DSCP): This matches traffic that is based on the differentiated services code point (DSCP) model of quality of service (QoS).
  - IP Precedence: This matches traffic that is based on the IP precedence model of QoS.
  - Any Traffic: This matches all traffic regardless of the traffic type.

In the example in the figure, the "Outside-class" is created, and traffic is defined based on its source and destination IP address criteria.

Traffic Match

- Enables you to define the source, destination, and service matching criteria

The Source and Destination Address dialog box appears when you check the Source and Destination IP Address (Uses ACL) check box on the Traffic Match Criteria dialog box. This dialog window enables you to identify the traffic to which a service policy rule applies, based on the IP address of the sending or receiving host. In the example in the figure, the traffic criteria is HTTP packet flows with any source IP address from the outside destined to host 172.16.1.10.

Define Traffic Matching Criteria

- Identifies the service of the traffic to which the inspection and analysis action applies

The default service type was IP. The administrator only wants to inspect and analyze HTTP traffic.
Browse Service lets you choose the type of service to be inspected and analyzed by the AIP-SSM, including the following protocols: TCP, UDP, TCP-UDP, and the Internet Control Message Protocol (ICMP). In the example in the figure, HTTP was selected. The traffic class criteria are narrowed down to matching any HTTP Internet traffic that is flowing to host IP address 172.16.1.10.

Define IPS Policy

- Configure the IPS action to take on the selected traffic class

The Intrusion Prevention tab lets you configure the IPS action to take on the selected traffic class. This window appears only if Cisco IPS Sensor Software and Cisco ASA AIP-SSM hardware are installed in the security appliance. The fields on the Intrusion Prevention tab are as follows:

- Enable IPS for This Traffic Flow: This check box enables or disables intrusion prevention for the traffic flow. When this check box is checked, the other parameters in this window become active.
- Mode: These radio buttons configure the operating mode for intrusion prevention.
  - Inline Mode: This option directs a packet to the Cisco IPS. The packet might be dropped because of the Cisco IPS operation.
  - Promiscuous Mode: With this option, IPS operates on a duplicate of the original packet. The original packet cannot be dropped.
- If IPS Card Fails: These radio buttons configure the action to take if the IPS card becomes inoperable.
  - Permit Traffic: This option permits traffic if the Cisco ASA AIP-SSM card fails.
  - Close Traffic: This option blocks traffic if the Cisco ASA AIP-SSM card fails.

In the example in the figure, the Cisco ASA AIP-SSM will be inline with the traffic flow and permit traffic to flow if the module fails.
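The wizard steps above (service policy, traffic class, IPS action) map onto the modular policy framework objects that the appliance stores in its running configuration, and it helps to know that CLI form when auditing what the wizard produced or when the same rule must be reproduced on several appliances. The following is an added example written for this edition, not code from the student guide or from Cisco: it renders the CLI lines for the rule built in this lesson, and enforces the two constraints the wizard description states, that ACL-based matching is only offered on an interface policy and that the single global policy cannot be renamed. The object names Outside-policy and Outside-class are taken from the guide's figures; the name global_policy for the global service policy and the keyword www for TCP port 80 are assumptions.

```python
"""Render the Cisco ASA modular policy framework (MPF) CLI that corresponds
to the Add Service Policy Rule Wizard choices described above.

Added example, not code from the SNAA student guide or from Cisco. The
object names Outside-policy and Outside-class are those of the guide's
figures; 'global_policy' as the fixed name of the single global service
policy and 'www' as the keyword for TCP port 80 are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

MODES = ("inline", "promiscuous")             # Inline Mode / Promiscuous Mode
FAIL_ACTIONS = ("fail-open", "fail-close")    # Permit Traffic / Close Traffic
GLOBAL_POLICY_NAME = "global_policy"          # assumed default name


@dataclass
class IpsServicePolicyRule:
    class_name: str
    policy_name: str
    interface: Optional[str]        # None selects "Global - Applies to All Interfaces"
    match: str                      # "acl", "port" or "any"
    protocol: str = "ip"            # ACL protocol, or the protocol of a port match
    source: str = "any"             # ACL source, e.g. "any" or "host 10.0.0.5"
    destination: str = "any"        # ACL destination, e.g. "host 172.16.1.10"
    port: Optional[str] = None      # e.g. "www" for HTTP
    mode: str = "inline"
    on_failure: str = "fail-open"


def render_ips_policy(rule: IpsServicePolicyRule) -> List[str]:
    """Return the CLI lines for one IPS service policy rule.

    Rejects the combinations the wizard does not offer: ACL (source and
    destination) matching on the global policy, and a renamed global policy.
    """
    if rule.mode not in MODES:
        raise ValueError(f"unknown IPS mode {rule.mode!r}")
    if rule.on_failure not in FAIL_ACTIONS:
        raise ValueError(f"unknown failure action {rule.on_failure!r}")
    if rule.interface is None and rule.match == "acl":
        raise ValueError("source/destination (ACL) matching needs an interface policy")
    if rule.interface is None and rule.policy_name != GLOBAL_POLICY_NAME:
        raise ValueError(f"the global policy cannot be renamed; use {GLOBAL_POLICY_NAME!r}")
    if rule.port and rule.protocol not in ("tcp", "udp"):
        raise ValueError("a port match needs protocol tcp or udp")

    lines: List[str] = []
    if rule.match == "acl":
        acl = (f"access-list {rule.class_name} extended permit "
               f"{rule.protocol} {rule.source} {rule.destination}")
        if rule.port:
            acl += f" eq {rule.port}"
        lines.append(acl)
        match_line = f" match access-list {rule.class_name}"
    elif rule.match == "port":
        if not rule.port:
            raise ValueError("port matching needs a destination port")
        match_line = f" match port {rule.protocol} eq {rule.port}"
    elif rule.match == "any":
        match_line = " match any"
    else:
        raise ValueError(f"unknown match kind {rule.match!r}")

    lines += [
        f"class-map {rule.class_name}",
        match_line,
        f"policy-map {rule.policy_name}",
        f" class {rule.class_name}",
        f"  ips {rule.mode} {rule.on_failure}",   # the Intrusion Prevention tab choices
    ]
    target = "global" if rule.interface is None else f"interface {rule.interface}"
    lines.append(f"service-policy {rule.policy_name} {target}")
    return lines


# The rule built in the guide's example: Internet HTTP to 172.16.1.10,
# inline, permit traffic if the module fails, applied to the outside interface.
OUTSIDE_RULE = IpsServicePolicyRule(
    class_name="Outside-class", policy_name="Outside-policy", interface="outside",
    match="acl", protocol="tcp", source="any", destination="host 172.16.1.10",
    port="www", mode="inline", on_failure="fail-open")


if __name__ == "__main__":
    print("\n".join(render_ips_policy(OUTSIDE_RULE)))
```

For the lesson's rule the output is the access-list, class-map, policy-map with "ips inline fail-open", and the service-policy bound to the outside interface; switching on_failure to "fail-close" is the CLI form of the Close Traffic radio button, the setting to prefer where a failed module must not silently leave the web server unscreened.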
Apply or View Service Policy Rule (figure): corporate traffic matching source any, destination 172.16.1.10, service HTTP; rule actions: forward to inline IPS, permit traffic if the Cisco AIP-SSM fails.

To view an IPS service policy rule from Cisco ASDM, click Firewall and choose the Service Policy Rules option. In the example in the figure, a new policy named "Outside-policy" was created. Any HTTP traffic from the Internet that is bound to host 172.16.1.10 will be inspected and analyzed inline with the AIP-SSM module. If the module should fail, the traffic will still be permitted to flow.

Summary

This topic summarizes the key points that were discussed in this lesson.

- There are two Cisco ASA AIP-SSM models: the SSM-10 and SSM-20 modules.
- If there is no Cisco IPS software on the Cisco AIP-SSM, or if it is corrupted, use the hw module 1 recover command to load the initial Cisco IPS software image.
- Use the session CLI command to configure the initial AIP-SSM setup.
- Use Cisco IDM through the Cisco ASDM console to configure and verify the initial AIP-SSM configuration.
- Use Cisco ASDM to configure a modular policy for packet inspection by the AIP-SSM.

Module Summary

This topic summarizes the key points that were discussed in this module.

- The Cisco ASA security appliance has two security services modules: Cisco CSC-SSM and AIP-SSM.
- The CSC-SSM is designed for small to medium-size businesses and can inspect traffic that is passing through the security appliance for content and security that is related to spam, spyware, malware, and viruses.
- The AIP-SSM is designed to be a fully functioning IPS sensor that is capable of running the latest IPS code to add another layer of defense to the Cisco ASA security appliance.
