© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1

Security TechUpdate

André Lambertsen

[email protected]


The Cisco products, services or features identified in this document may not yet be available or may not be available in all areas and may be subject to change without notice. Consult your local Cisco business contact for information on the products or services available in your area. You can find additional information via Cisco’s World Wide Web server at http://www.cisco.com. Actual performance and environmental costs of Cisco products will vary depending on individual customer configurations and conditions.

Agenda

ASA 5500 – SSL VPN, AnyConnect VPN Client v2.0, ASDM v6.0
NAC Appliance 4.1.x
2nd Generation MARS
GET VPN


ASA 5500 Series Adaptive Security Appliances

Cisco ASA 5500 Adaptive Security Appliances: Delivering Leading Threat Defense and VPN Services

Provides converged threat defense, flexible secure connectivity, minimized operation costs, and a unique adaptive design to combat future threats

Market-Leading Firewall Services
– Integrates and extends the #1 deployed firewall technology from Cisco PIX Security Appliances
– Built upon the experience of over one million PIX deployed worldwide and 10+ years of innovation

Market-Leading VPN Services
– Integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services

Market-Leading IPS Services
– Integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 Series
– Provides comprehensive security from directed attacks and many other threats

Market-Leading Anti-X Services
– Integrates and extends the #1 deployed gateway content security technology to protect from viruses, spyware, spam, phishing, and employee-productivity-impacting websites

Cisco ASA 5500 Series Enterprise Editions: A Family of Tailored Packages for Location-Specific Needs

Enables standardization on the Cisco ASA 5500 Series to reduce costs in management, training, and sparing
Superior protection by providing the right services for the right location
Simplifies design and deployment by providing pre-packaged location-specific security solutions

Editions: Cisco ASA 5500 Firewall Edition, Cisco ASA 5500 Anti-X Edition, Cisco ASA 5500 SSL & IPsec VPN Edition, Cisco ASA 5500 IPS Edition


Remote Access VPN

Secure Connectivity Everywhere: Extending the Self-Defending Network

(Diagram: remote users reach an ASA 5500 across the public Internet, either through clientless SSL VPN or through a client-based SSL or IPsec VPN.)

Partners / Consultants: controlled access to specific resources and applications
Mobile Workers: easy access to corporate network resources
Roamers: seamless access to applications from unmanaged endpoints
Day Extenders / Home Office: day extenders and mobile employees require consistent, LAN-like, full-network access to corporate resources and applications

SSL VPN: Clientless, Thin Client, Full Tunnel


SSL VPN Clientless Login


SSL VPN Clientless

SSL VPN Clientless: Content Rewriting and Application Translation

Uses a standard browser
Concentrator proxies HTTP(S) over the SSL connection
Limited to web pages
– HTML pages
– Web-based (webified) applications

For application translation, the VPN appliance “webifies” the application
– Translates the protocol to HTTP
– Requires detailed application knowledge
– Delivers HTML look-and-feel
– Expands use to some non-web applications
– CIFS (NT and Active Directory file sharing)
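The content-rewriting step this slide describes, modelled in Python as an added illustration (this is not Cisco's implementation): the clientless gateway fetches an internal page on the user's behalf and rewrites every URL it recognises so that the browser's next request comes back through the gateway rather than going to the unreachable internal host. The gateway name vpn.example.test, the /+rw+/ path marker and the sample page are constructed for the example; a real appliance uses its own scheme.

```python
"""Toy model of clientless SSL VPN content rewriting (added example).

A clientless gateway fetches an internal page on the user's behalf and rewrites
every URL it can find so the browser's next request also comes back to the
gateway instead of going to the unreachable internal host.
Assumptions (not Cisco's format): the gateway name, the "/+rw+/" marker and the
sample page are constructed for this illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://vpn.example.test"   # assumed gateway hostname
PREFIX = "/+rw+/"                      # assumed rewrite marker, not the ASA's real one
URL_ATTRS = {"href", "src", "action"}  # attributes the rewriter knows carry URLs


def to_gateway_url(url: str, base: str) -> str:
    """Map an internal URL onto the gateway's rewrite namespace.

    Relative links are resolved against the page's own URL first, so the
    gateway later knows which internal host the link points at.
    """
    absolute = urljoin(base, url)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return url                      # mailto:, javascript:, data: are left alone
    if parts.netloc == urlsplit(GATEWAY).netloc:
        return absolute                 # already routed through the gateway
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    return f"{GATEWAY}{PREFIX}{parts.scheme}/{parts.netloc}{rest}"


class LinkRewriter(HTMLParser):
    """Re-emit an HTML document with URL-bearing attributes rewritten."""

    def __init__(self, base: str):
        super().__init__(convert_charrefs=False)
        self.base = base
        self.out = []
        self.unhandled = []   # script fragments the HTML rewriter cannot follow

    def _emit_tag(self, tag, attrs, self_closing=False):
        pieces = [tag]
        for name, value in attrs:      # HTMLParser already lower-cases names
            if value is None:
                pieces.append(name)
                continue
            if name in URL_ATTRS:
                value = to_gateway_url(value, self.base)
            elif name.startswith("on"):
                # Event handlers may assemble URLs in JavaScript; a pure HTML
                # rewriter cannot see those. This is why clientless access needs
                # detailed, per-application knowledge (the slide's own caveat).
                self.unhandled.append(value)
            pieces.append(f'{name}="{value}"')
        self.out.append("<" + " ".join(pieces) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def rewrite_page(html: str, page_url: str):
    """Return (rewritten_html, list_of_unhandled_script_fragments)."""
    parser = LinkRewriter(page_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.unhandled


# Constructed sample page, as the gateway would receive it from an internal server.
SAMPLE_PAGE = (
    '<html><body>'
    '<a href="/reports/q3.html">Q3</a>'
    '<img src="http://files.corp.internal/logo.png" />'
    '<form action="login.cgi" method="post"></form>'
    '<a href="mailto:helpdesk@corp.internal">mail</a>'
    '<button onclick="location=\'/app/\'+id">open</button>'
    '</body></html>'
)

if __name__ == "__main__":
    page, leftovers = rewrite_page(SAMPLE_PAGE, "http://intranet.corp.internal/portal/index.html")
    print(page)
    print("not rewritten (needs application-specific handling):", leftovers)
```

The rewritten page routes the relative link, the absolute image URL and the form action back through the gateway, leaves the mailto: link alone, and reports the onclick handler as something it could not follow. That last list is the practical reason for the "requires detailed application knowledge" bullet: anything that builds URLs in script or inside a non-HTML protocol needs an application-specific transformation rather than generic link rewriting.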

SSL VPN: Smart Tunnel and Port Forwarding (“Thin” or “Enhanced” Client)

Local “thin” client acts as a proxy
– Tunnels and forwards application traffic
Often used with clientless SSL VPN as a helper application
Delivered via Java from the VPN appliance
Some system permissions may be required, particularly for hostname mapping
Use the “Smart Tunnel” stub where port forwarding is not desirable

SSL VPN Tunnel Client: Persistent “Thick”, “Full Tunneling”, or “Tunnel” Client

Traditional-style client delivered via automatic download (ActiveX, Java, and/or EXE)
Requires administrative privileges for initial install
Stub installer / MSI package
Permanent or temporal
Provides similar access to IPsec
– Better accessibility over firewalls and NAT
– Smaller installation package
No reboots required

For End-Users, Access for All Applications: Cisco VPN Client Comparison

                       | Cisco VPN Client | Cisco AnyConnect VPN Client                         | Cisco SSL VPN Client
Approximate size       | 10 MB            | 3 MB                                                | 400 KB
Initial install        | Distribute       | Auto download / distribute                          | Auto download / distribute
Admin rights required  | Yes              | Initial installation only (MSI available – Windows) | Initial installation only (stub installer available)
Protocol               | IPsec            | DTLS, TLS (HTTPS) – auto                            | TLS (HTTPS)
OS support             | multiple*        | multiple**                                          | 2000/XP
Head end               | ASA/PIX/3K/IOS   | ASA/IOS                                             | ASA/3K/IOS

* Windows 2K / XP x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris
** Windows 2K / XP x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5 & 6 support planned (additive license) – Non-Windows support and alternate connection modes available, including DTLS for ASA 8.0+ only


Clientless Application Support

Cisco ASA 5500 v8.0: Significant Enhancements in Clientless SSL VPN (new in 8.0!)

Precise, granular access control to specific resources
Enhanced portal design
– Localizable
– RSS feeds
– Personal bookmarks
– AnyConnect Client access
Drag-and-drop file access and webified file transport
Transformation enhancements including Flash support
Head-end deployed applets for Telnet, SSH, RDP and VNC; framework supports additional plug-ins
Advanced port forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC

Clientless SSL VPN: Client/Server Plug-ins Details

Support for a number of common TCP applications via Java plug-ins, such as:
– Windows Terminal Server (RDP)
– Telnet & SSH
– VNC
– Citrix Java Presentation Server Client (plug-in loaded by administrator)
A resource is defined as a URL with the appropriate protocol type, e.g. rdp://server:port
Support for these third-party applications exists in the form of packaged single archive files in the .jar file format.
Extensible plug-in mechanism may provide support for additional applications in the future

Clientless SSL VPN: Client/Server Plug-ins Details, cont.

When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s).
The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco’s helper agent.
The Java applet(s) are transparently cached in the ASA cache.

Clientless SSL VPN: Clientless File Access

Access for FTP file shares in addition to CIFS (Common Internet File System)
Web folders for Internet Explorer (native Windows Explorer file access)

Clientless SSL VPN: Smart Tunnel

Smart Tunnels are application-level port forwarding.
A smart tunnel is a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session.
You can specify the client applications to which you want to grant smart tunnel access (e.g., Sametime, an SSH client).
SSL VPN loads a stub into each process spawned by an authorized application and intercepts socket calls to redirect them via the ASA.
This can be used where other methods such as AnyConnect or port forwarding cannot be used.
A browser with ActiveX, Java or JavaScript support is required, on 32-bit OSs only (such as Windows XP and 2000).

smart-tunnel list list application path [hash]
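The command above grants tunnel access to a process by executable path and, optionally, by a hash of the executable. The following Python model, added here as an illustration and not Cisco's implementation, shows why the optional hash matters from the administrator's side: with only a path, any program that ends up at that path inherits the tunnel; with the hash pinned, a changed binary at the same path is refused. The entry names, paths and the two "executables" are constructed in a temporary directory; SHA-1 is used for the hash here (the algorithm the ASA documentation names for this field; confirm against your release), and case-insensitive path matching is an assumption modelled on Windows.

```python
"""Model of a smart-tunnel application allowlist (added example, not Cisco code).

Mirrors the shape of: smart-tunnel list <list> <application> <path> [hash]
- <path> may be a full path or a bare filename (bare filename matches in any directory)
- [hash] optionally pins the executable's contents; SHA-1 is assumed here
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SmartTunnelEntry:
    name: str            # <application>: display name
    path: str            # <path>: executable path or bare filename to match
    sha1: Optional[str]  # [hash]: optional pin of the executable's contents


def sha1_of_file(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def path_matches(entry_path: str, exe_path: str) -> bool:
    """Case-insensitive comparison (Windows-style); a bare filename matches any directory."""
    want = entry_path.replace("\\", "/").lower()
    have = exe_path.replace("\\", "/").lower()
    if "/" not in want:
        return os.path.basename(have) == want
    return have == want


def decide(entries, exe_path: str):
    """Return (allowed, reason) for a process launched from exe_path."""
    for e in entries:
        if not path_matches(e.path, exe_path):
            continue
        if e.sha1 is None:
            return True, f"{e.name}: path match only (no hash pinned)"
        actual = sha1_of_file(exe_path)
        if actual == e.sha1.lower():
            return True, f"{e.name}: path and hash match"
        return False, f"{e.name}: path matches but hash differs ({actual[:12]}...)"
    return False, "no matching smart-tunnel entry"


def demo() -> dict:
    """Constructed scenario: the same path with original and changed contents."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "ssh.exe")
        with open(exe, "wb") as f:
            f.write(b"constructed bytes standing in for the approved client")
        pinned = [SmartTunnelEntry("ssh", exe, sha1_of_file(exe))]
        unpinned = [SmartTunnelEntry("ssh", "ssh.exe", None)]
        result = {"pinned_original": decide(pinned, exe)[0]}
        # The executable at that path changes (an update, or a different program
        # now living under the approved name).
        with open(exe, "wb") as f:
            f.write(b"constructed bytes of a different program")
        result["pinned_changed"] = decide(pinned, exe)[0]
        result["unpinned_changed"] = decide(unpinned, exe)[0]
        result["unlisted"] = decide(pinned, os.path.join(d, "other.exe"))[0]
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

The pinned entry allows the original binary and denies the changed one; the path-only entry allows both, which is the trade-off to weigh when the [hash] argument is omitted (hash pinning also means the entry must be updated whenever the application is legitimately upgraded).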

Clientless SSL VPN: ActiveX Relay

ActiveX relay is used to provide tunnel support for applications outside of the browser during a clientless SSL VPN session (an on-demand tunnel), without the overhead of administrator pre-configuration.
ActiveX relay and Smart Tunnel share the same core technology.

Clientless SSL VPN: Application Profile Customization Framework (APCF)

Allows the security appliance to handle non-standard applications and web resources so they display correctly over a clientless SSL VPN connection.
Profiles
– An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application.
– The script is in XML and uses sed (stream editor) syntax to transform strings/text.

Clientless SSL VPN: Virtual Keyboard


Cisco AnyConnect VPN Client

Cisco AnyConnect VPN Client: Access for All Applications

Extends the in-office experience
– LAN-like full-network access; supports latency-sensitive apps like voice (via DTLS transport)
Access across platforms
– Windows 2K / XP (x86/x64) / Vista (x86/x64)
– Mac OS X 10.4 & 10.5, Linux Intel
– Windows Mobile 5 Pocket PC Edition (coming soon)
Always up to date
– Remotely installable and configurable to minimize user demands
No-hassle connections
– No reboots required
– Stand-alone, Web Launch, Portal Connection
– Start Before Login (2K/XP)
– MSI – Windows pre-installation package

Cisco AnyConnect VPN Client: GUI Details

Cisco AnyConnect VPN Client: GUI Details (Statistics)

Cisco AnyConnect VPN Client: Datagram Transport Layer Security (DTLS)

Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels
– TLS is used to tunnel TCP/IP over TCP/443
– TCP requires retransmission of lost packets
– Both the application and TLS wind up retransmitting when packet loss is detected.
DTLS solves the TCP-over-TCP problem
– DTLS replaces the underlying transport TCP/443 with UDP/443
– DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange)
– Only datagrams are transmitted over DTLS
Other benefits
– Low latency for real-time applications
– DTLS is optional and will automatically fall back to TLS (HTTPS)


Authentication

For Administrators, Simple, Precise Control: Enhanced Authentication Choices

Ability to require users to authenticate with both a certificate and a username/password
Ability to prompt a user for an internal (domain) username & password credential in addition to a One-Time Password (OTP) or other dynamic credential. The internal credential is stored for subsequent use and is not validated at login time.
Generic LDAP support provides compatibility with both OpenLDAP and Novell

For Administrators, Simple, Precise Control: Per-User, Fine-Grained Application and Resource Access

Flexible access control based on policy
– Multi-factor authentication combines user, group, and device posture to determine appropriate resource access
– Granular SSL VPN configuration restricts / allows access to specific resources per-user, per-login, per-policy
– Embedded Certificate Authority (CA)
– Assessment and control can use Start Before Login (SBL)
– VLAN mapping leverages network policy
Control for unsecured devices
– New onscreen (virtual) keyboard option
– Cisco Secure Desktop (CSD) supports hundreds of products plus custom checks


Single Sign-on

Single Sign-on for Clientless VPN

Lets clientless users enter username and password only once to access multiple protected services and web servers
Starts as part of the AAA process or just after successful user authentication to an AAA server
Single Sign-on methods supported:
– SSO with WebVPN (Auth Web Server)
– SSO with CA eTrust SiteMinder (formerly Netegrity SiteMinder)
– SSO with HTTP Form Protocol
– SSO with NTLMv1 authentication


Remote Access Termination in VLAN

VLAN Mapping

Map users to a group based on role
Use group policy to restrict the egress VLAN
User/group based policies

(Diagram: users are mapped by group to an egress VLAN, e.g. vlan 10, separating internal resources from shared resources.)

VLAN Mapping, cont.

For more complex network topologies, note that the ASA does not support more than one default route with the same metric out of two different interfaces.

The workaround is to assign a different metric to each default route:

route (outside) 0.0.0.0 0.0.0.0 <Internet_rtr_IP> 1
route (vrf1) 0.0.0.0 0.0.0.0 <vrf1_IP> 2
route (vrf2) 0.0.0.0 0.0.0.0 <vrf2_IP> 3
route (vrf3) 0.0.0.0 0.0.0.0 <vrf3_IP> 4
route (vrf4) 0.0.0.0 0.0.0.0 <vrf4_IP> 5
route (vrf5) 0.0.0.0 0.0.0.0 <vrf5_IP> 6
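A small pre-push check for the constraint stated above, added here as an example (not Cisco's code): it parses route lines from a configuration excerpt, reports any metric shared by default routes on more than one interface, and emits the slide's workaround by renumbering the default routes with distinct metrics. The configuration text is constructed; the parser accepts both the slide's parenthesised "route (outside) ..." notation and the plain "route outside ..." form, and assumes the ASA default metric of 1 when none is given.

```python
"""Lint an ASA configuration excerpt for default routes that share a metric.

Added example, not Cisco code. Accepts lines of the form
    route <iface> 0.0.0.0 0.0.0.0 <gateway> [metric]
with or without parentheses around the interface name (as on the slide).
"""
import re
from collections import defaultdict

ROUTE_RE = re.compile(
    r"^\s*route\s+\(?(?P<iface>[^\s()]+)\)?\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<gw>\S+)(?:\s+(?P<metric>\d+))?\s*$"
)
DEFAULT_METRIC = 1  # the ASA uses metric 1 when the argument is omitted


def parse_routes(config: str):
    """Return a list of dicts for every route line; other lines are ignored."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({
                "iface": m["iface"], "net": m["net"], "mask": m["mask"], "gw": m["gw"],
                "metric": int(m["metric"]) if m["metric"] else DEFAULT_METRIC,
            })
    return routes


def is_default(r) -> bool:
    return r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0"


def default_route_conflicts(routes):
    """Map each offending metric to the sorted list of interfaces that share it."""
    by_metric = defaultdict(set)
    for r in routes:
        if is_default(r):
            by_metric[r["metric"]].add(r["iface"])
    return {m: sorted(ifs) for m, ifs in by_metric.items() if len(ifs) > 1}


def assign_distinct_metrics(routes):
    """Re-emit the routes, giving default routes metrics 1, 2, 3, ... in order
    (the slide's workaround); non-default routes keep their own metric."""
    lines, next_metric = [], 1
    for r in routes:
        metric = r["metric"]
        if is_default(r):
            metric, next_metric = next_metric, next_metric + 1
        lines.append(f"route {r['iface']} {r['net']} {r['mask']} {r['gw']} {metric}")
    return lines


# Constructed excerpt: 'vrf1' has no explicit metric, so it collides with 'outside'.
BAD_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route vrf1 0.0.0.0 0.0.0.0 192.0.2.1
route vrf2 0.0.0.0 0.0.0.0 192.0.2.129 2
route inside 10.20.0.0 255.255.0.0 10.10.0.2 1
"""

# The slide's own workaround, as printed above (placeholders kept verbatim).
SLIDE_CONFIG = """
route (outside) 0.0.0.0 0.0.0.0 <Internet_rtr_IP> 1
route (vrf1) 0.0.0.0 0.0.0.0 <vrf1_IP> 2
route (vrf2) 0.0.0.0 0.0.0.0 <vrf2_IP> 3
route (vrf3) 0.0.0.0 0.0.0.0 <vrf3_IP> 4
route (vrf4) 0.0.0.0 0.0.0.0 <vrf4_IP> 5
route (vrf5) 0.0.0.0 0.0.0.0 <vrf5_IP> 6
"""

if __name__ == "__main__":
    routes = parse_routes(BAD_CONFIG)
    print("conflicts:", default_route_conflicts(routes))
    print("\n".join(assign_distinct_metrics(routes)))
    print("slide config conflicts:", default_route_conflicts(parse_routes(SLIDE_CONFIG)))
```

Run against the constructed excerpt it reports metric 1 shared by outside and vrf1 and prints a renumbered set; run against the slide's six lines it reports nothing, which is the state you want before pushing the configuration.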

ASDM 6.0

Cisco ASDM v6.0 Overview

Cisco ASDM v6.0 is the integrated graphical interface of the Cisco ASA and PIX Security Appliances
ASDM delivers full device management including:
– Rapid configuration enabled by an intuitive graphical user interface, wizards, and the ASDM Assistant
– Powerful diagnostics including Real-Time Log Viewer, Packet Tracer, and Packet Capture
– Real-time monitoring provided by dynamic dashboards, table views, and traffic graphing


Cisco ASDM 6.0


Cisco ASDM Feature Highlights

Redesigned interface

Security Dashboards

Packet Tracer

Packet Capture Wizard

Upgrade Wizard


Cisco ASDM Feature Highlights

In-place and Drag-and-drop rule editing


Cisco ASDM Feature Highlights

Real-Time Log Viewer

Cisco ASDM Packet Tracer: Live Tool to Determine the Day in the Life of a Packet

Packet tracing: enables the injection of virtual packets through the system to audit policy configuration and enforcement

Benefits
– Enables policy tuning and refining
– Enables rapid troubleshooting
– Simplifies fault isolation in complex policy environments
First pro-active debugging tool

Cisco ASDM Packet Capture: Powerful Protocol Analysis with 3rd-Party Tools


Cisco ASDM Wizards

Startup Wizard

IPsec VPN Wizard

SSL VPN Wizard

High Availability & Scalability Wizard

Packet Capture Wizard

Software upgrade Wizard

Cisco ASDM Dashboards: Device Dashboard

Cisco ASDM Dashboards: Firewall Dashboard


Cisco ASDM Feature Highlights

Advanced policy creation for Cisco Secure Desktop

Cisco SSL VPN Summary: Simple and Secure Access from Anywhere

Broad access from anywhere

User-friendly interfaces

World-class security

Flexible, controlled access options

Intuitive management

Fully integrated with the Cisco Self-Defending Network

www.cisco.com/go/sslvpn


Other New Features

Enterprise-Class Resilient Security: Maximizes Uptime (new in 8.0!)

Comprehensive multi-level resiliency protecting business continuity against component, link, or system failure
Now includes redundant interface support for greater availability
Full state synchronization, including multimedia and voice protocols, maximizes uptime for mission-critical applications
Improved business continuity with zero-downtime upgrades
Higher system reliability than software-on-server solutions
– Cisco ASA has 2x the MTBF* of a server-based solution:
– Typical server has an MTBF of 50k – 65k hrs
– Cisco ASA has an MTBF of 100k – 150k hrs
* MTBF calculation based on Telcordia (Bellcore) SR-332.

(Diagram: two ASAs, each labelled Active.)

Tightly integrated high availability services for the firewall ease deployment and administration, as opposed to third-party approaches
Rapid deployment through the user-friendly High Availability Wizard

Enhancing Cisco ASA 5500 Series High Availability with Redundant Interfaces

(Diagram: Primary/Active ASA and Secondary/Standby ASA connected to Network A and Network B; before, each network hangs off a single interface per ASA; after redundant interfaces, each ASA connects to both networks through trunks.)

Intelligent Network Integration: Provides Seamless Integration into Next-Gen Networks (new in 8.0!)

Advanced Network Services
– Introduces multi-protocol object groups for significantly simplified object management (TCP, UDP, and ICMP) – new in 8.0!
– Supports EIGRP (new in 8.0), OSPF, and RIPv2 dynamic routing
– Provides QoS traffic prioritization for improved handling of latency-sensitive traffic
– Adds IPv6 support for hybrid IPv4/IPv6 network environments
– Delivers PIM sparse mode multicast support for improved support for streaming data delivery services, video conferencing, and other mission-critical real-time enterprise applications

(Diagram: Quality of Service.)


New Hardware

New Cisco ASA “5G” and “10G” Appliances: High Performance Firewall / VPN for the 10GE World

Cisco’s highest performance security appliances ever!
Available: Early Fall 2007

Product Highlights:
– 5 and 10 Gbps of firewall – 10 times the performance of existing ASA platforms!
– 10,000 SSL VPN user support
– Architecture designed for scalable security performance and high availability
– GigE and 10GigE support
– Millions of total connections and policies (ACEs)

Cisco ASA “5G” and “10G” Platforms: Performance and Interface Specifications

High Speed Real World Performance
– 5 and 10 Gbps of firewall with real world traffic
– 100,000+ connection setups/second
– Millions of packets per second at any traffic profile
– Maximum connections: 2,000,000
– Maximum policies (ACEs): 1,000,000
– 10,000+ VPN tunnels at multi-gigabit throughput
– Virtual context support

Interface Density
– Supports up to 24 GE interfaces
– Supports both copper and fiber Gigabit Ethernet
– Supports up to 12 10GE SR interfaces
– Dedicated management interface


Q and A
