Security TechUpdate. André Lambertsen, ala@cisco.com. © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential.

  • Published on 24-Dec-2015


Transcript

  • Slide 1: Security TechUpdate
    André Lambertsen, ala@cisco.com
  • Slide 2: Notice
    The Cisco products, services or features identified in this document may not yet be available or may not be available in all areas and may be subject to change without notice. Consult your local Cisco business contact for information on the products or services available in your area. You can find additional information via Cisco's World Wide Web server at http://www.cisco.com. Actual performance and environmental costs of Cisco products will vary depending on individual customer configurations and conditions.
  • Slide 3: Agenda
    - ASA 5500: SSL VPN, AnyConnect VPN Client v2.0, ASDM v6.0
    - NAC Appliance 4.1.x
    - 2nd Generation MARS
    - GET VPN
  • Slide 4: ASA 5500 Series Adaptive Security Appliances
  • Slide 5: Cisco ASA 5500 Adaptive Security Appliances: Delivering Leading Threat Defense and VPN Services
    Provides Converged Threat Defense, Flexible Secure Connectivity, Minimized Operation Costs, and Unique Adaptive Design to Combat Future Threats
    - Market-Leading Firewall Services: integrates and extends the #1 deployed firewall technology from Cisco PIX Security Appliances; built upon the experience of over one million PIX deployed worldwide and 10+ years of innovation
    - Market-Leading VPN Services: integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services
    - Market-Leading IPS Services: integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 Series; provides comprehensive security from directed attacks and many other threats
    - Market-Leading Anti-X Services: integrates and extends the #1 deployed gateway content security technology to protect from viruses, spyware, spam, phishing, and employee-productivity-impacting websites
  • Slide 6: Cisco ASA 5500 Series Enterprise Editions: A Family of Tailored Packages for Location-Specific Needs
    - Enables standardization on the Cisco ASA 5500 Series to reduce costs in management, training, and sparing
    - Superior protection by providing the right services for the right location
    - Simplifies design and deployment by providing pre-packaged location-specific security solutions
    - Editions: Cisco ASA 5500 Firewall Edition, Cisco ASA 5500 Anti-X Edition, Cisco ASA 5500 SSL & IPsec VPN Edition, Cisco ASA 5500 IPS Edition
  • Slide 7: Remote Access VPN
  • Slide 8: Secure Connectivity Everywhere: Extending the Self-Defending Network
    Users reach the ASA 5500 over the public Internet via clientless SSL VPN or client-based SSL or IPsec VPN:
    - Partners / Consultants: controlled access to specific resources and applications
    - Mobile Workers: easy access to corporate network resources
    - Roamers: seamless access to applications from unmanaged endpoints
    - Day Extenders / Home Office: day extenders and mobile employees require consistent LAN-like, full-network access to corporate resources and applications (client-based SSL or IPsec VPN)
  • Slide 9: SSL VPN: Clientless, Thin Client, Full Tunnel
  • Slide 10: SSL VPN Clientless: Login
  • Slide 11: SSL VPN Clientless
  • Slide 12: SSL VPN Clientless: Content Rewriting and Application Translation
    - Uses a standard browser; the concentrator proxies HTTP(S) over the SSL connection
    - Limited to web pages: HTML pages and web-based (webified) applications
    - For application translation, the VPN appliance webifies the application: translates the protocol to HTTP, requires detailed application knowledge, delivers an HTML look-and-feel
    - Expands use to some non-web applications: CIFS (NT and Active Directory file sharing)
  • Slide 13: SSL VPN: Smart Tunnel and Port Forwarding (Thin or Enhanced Client)
    - Local thin client acts as a proxy; tunnels and forwards application traffic
    - Often used with clientless SSL VPN as a helper application
    - Delivered via Java from the VPN appliance
    - Some system permissions may be required, particularly for hostname mapping
    - Use the Smart Tunnel stub where port forwarding is not desirable
  • Slide 14: SSL VPN Tunnel Client (Persistent Thick, Full Tunneling, or Tunnel Client)
    - Traditional-style client delivered via automatic download (ActiveX, Java, and/or EXE)
    - Requires administrative privileges for initial install; stub-installer / MSI package
    - Permanent or temporal
    - Provides similar access to IPsec
    - Better accessibility over firewalls and NAT
    - Smaller installation package
    - No reboots required
  • Slide 15: SSL VPN Tunnel Client Establishment
    Message flow between the client (SSL client) and the VPN appliance (SSL server):
    - TCP connect (port x, or default 443)
    - Initiate SSL handshake
    - SSL server certificate (chain)
    - Complete handshake
    Client handling of the server certificate chain:
    1. Obtain the server certificate chain from the system library
    2. Authenticate the certificate chain and check revocation (except Root CA)
    3. If revoked or severe error, tear down the connection
    4. If moderate error, ask the user to view the certificate and accept or deny
    5. If the user denies the certificate chain, tear down the connection
    After the handshake succeeds, the client continues to download the SVC.
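The certificate-chain handling on this slide, written out as a decision routine (an added example, not Cisco's client code): the "moderate" and "severe" error classes and the error-code names are assumptions made for illustration; the rule that revocation is skipped for the root CA and that only moderate errors reach the user comes from the slide.

```python
"""Decision policy modelled on the tunnel client's certificate-chain handling on
slide 15: revocation is checked for every certificate except the root CA, a
revoked certificate or a severe error tears the connection down with no user
override, and only a moderate error is offered to the user to accept or deny.
The severity classes are an illustrative assumption, not Cisco's error taxonomy."""
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    PROCEED = "proceed"      # handshake accepted; the client goes on to download the SVC
    TEAR_DOWN = "tear_down"  # close the TCP/443 connection

@dataclass
class Cert:
    subject: str
    is_root: bool = False
    revoked: bool = False                        # result of the revocation check
    errors: list = field(default_factory=list)  # validation error codes (assumed names)

# Assumed classification: any error code not listed here is treated as severe.
MODERATE_ERRORS = {"name_mismatch", "expired"}

def classify(chain):
    """Step 2: return ('revoked'|'severe'|'moderate'|'ok', [(subject, error), ...])."""
    findings = []
    for cert in chain:
        if cert.revoked and not cert.is_root:    # the root CA is exempt from the revocation check
            return "revoked", [(cert.subject, "revoked")]
        findings.extend((cert.subject, err) for err in cert.errors)
    if not findings:
        return "ok", findings
    if all(err in MODERATE_ERRORS for _, err in findings):
        return "moderate", findings
    return "severe", findings   # one severe finding outranks any number of moderate ones

def decide(chain, ask_user=lambda findings: False):
    """Steps 3-5. ask_user shows the chain to the user and returns True if they accept it."""
    status, findings = classify(chain)
    if status == "ok":
        return Outcome.PROCEED
    if status in ("revoked", "severe"):
        return Outcome.TEAR_DOWN                 # step 3: torn down with no prompt
    # Step 4: moderate error, so the user may view the certificate and accept or deny it.
    return Outcome.PROCEED if ask_user(findings) else Outcome.TEAR_DOWN   # step 5
```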
  • Slide 16: Cisco VPN Client Comparison (For End-Users, Access for All Applications)

    Feature               | Cisco VPN Client | Cisco AnyConnect VPN Client                        | Cisco SSL VPN Client
    Approximate size      | 10 MB            | 3 MB                                               | 400 KB
    Initial install       | Distribute       | Auto download, distribute                          | Auto download, distribute
    Admin rights required | Yes              | Initial installation only (MSI available, Windows) | Initial installation only (stub installer available)
    Protocol              | IPsec            | DTLS, TLS (HTTPS) - Auto                           | TLS (HTTPS)
    OS support            | multiple*        | multiple**                                         | 2000/XP
    Head end              | ASA/PIX/3K/IOS   | ASA/IOS                                            | ASA/3K/IOS

    * Windows 2K / XP x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris
    ** Windows 2K / XP x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x; Windows Mobile 5 & 6 support planned (additive license)
    Non-Windows support and alternate connection modes available, including DTLS for ASA 8.0+ only
  • Slide 17: Clientless Application Support
  • Slide 18: Cisco ASA 5500 v8.0: Significant Enhancements in Clientless SSL VPN (New in 8.0!)
    - Precise, granular access control to specific resources
    - Enhanced portal design: localizable, RSS feeds, personal bookmarks, AnyConnect Client access
    - Drag-and-drop file access and webified file transport
    - Transformation enhancements including Flash support
    - Head-end deployed applets for Telnet, SSH, RDP and VNC; the framework supports additional plug-ins
    - Advanced port-forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC
  • Slide 19: Clientless SSL VPN: Client/Server Plug-ins
  • Slide 20: Clientless SSL VPN: Client/Server Plug-ins (Microsoft RDP)
  • Slide 21: Clientless SSL VPN: Client/Server Plug-ins (Telnet/SSH)
  • Slide 22: Clientless SSL VPN: Client/Server Plug-ins (VNC)
  • Slide 23: Clientless SSL VPN: Client/Server Plug-ins Details
    - Support for a number of common TCP applications via Java plug-ins, such as Windows Terminal Server (RDP), Telnet & SSH, VNC, and Citrix Java Presentation Server Client (plug-in loaded by the administrator)
    - A resource is defined as a URL with the appropriate protocol type, e.g. rdp://server:port
    - Support for these third-party applications exists in the form of packaged single archive files in the .jar file format
    - The extensible plug-in mechanism may provide support for additional applications in the future
  • Slide 24: Clientless SSL VPN: Client/Server Plug-ins Details
    - When clicking on a resource link, a dynamic page is generated that hosts the Java applet(s)
    - The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco's helper agent
    - The Java applet(s) are transparently cached in the ASA cache
  • Slide 25: Clientless SSL VPN: Clientless File Access
    - Access for FTP file shares in addition to CIFS (Common Internet File System)
    - Webfolders for Internet Explorer (native Windows Explorer file access)
  • Slide 26: Clientless SSL VPN: Smart Tunnel
    - Smart Tunnels are application-level port forwarding: a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session
    - You can specify the client applications to which you want to grant smart tunnel access (e.g. Sametime, an SSH client)
    - SSL VPN loads a stub into each process spawned by an authorized application and intercepts socket calls to redirect them via the ASA
    - This can be used where other methods such as AnyConnect or Port Forwarding cannot be used
    - A browser with ActiveX, Java or JavaScript support is required; 32-bit OSs only, such as Windows XP & 2K
    - CLI syntax: smart-tunnel list <list> <application> <path> [hash]
  • Slide 27: Clientless SSL VPN: ActiveX Relay
    - ActiveX relay provides tunnel support for applications outside of the browser during a clientless SSL VPN session (on-demand tunnel) without the overhead of administrator pre-configuration
    - ActiveX relay and Smart Tunnel share the same core technology
  • Slide 28: Clientless SSL VPN: Application Profile Customization Framework (APCF)
    - Allows the security appliance to handle non-standard applications and web resources so they display correctly over a Clientless SSL VPN connection
    - Profiles: an APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application
    - The script is in XML and uses sed (stream editor) syntax to transform strings/text
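A small model of how an APCF profile drives the rewriter, added here as an example and not the ASA's own profile format: the XML element and attribute names (apcf, rule, when/where/direction, sed) and the intranet.example.test application are assumptions, while the sed-style s-command and the when/where/direction selectors follow the slide's description.

```python
"""Toy model of an APCF profile (slide 28): XML rules whose sed 's' commands are
applied at a given point (pre/post), location (header/body) and direction
(request/response). The element names are a hypothetical schema, not Cisco's."""
import re
import xml.etree.ElementTree as ET

# Constructed profile: rewrite absolute links an intranet app emits so they route via the portal.
PROFILE_XML = """<apcf application="legacy-intranet-app">
  <rule when="post" where="body" direction="response">
    <sed>s|http://intranet\\.example\\.test/|/vpn/intranet/|g</sed>
  </rule>
  <rule when="pre" where="header" direction="request">
    <sed>s/^host: .*/Host: intranet.example.test/i</sed>
  </rule>
</apcf>"""

def parse_sed_subst(cmd):
    """Parse 's<d>pattern<d>replacement<d>flags' with any one-character delimiter."""
    if len(cmd) < 2 or cmd[0] != "s":
        raise ValueError(f"unsupported sed command: {cmd!r}")
    delim, parts, buf, i = cmd[1], [], "", 2
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\" and i + 1 < len(cmd):      # keep escapes verbatim so re sees them
            ch = cmd[i:i + 2]
        elif ch == delim:                        # unescaped delimiter ends a field
            parts.append(buf)
            buf, ch = "", ""
        buf += ch
        i += len(ch) or 1
    parts.append(buf)
    if len(parts) != 3:
        raise ValueError(f"malformed substitution: {cmd!r}")
    pattern, repl, flags = parts
    count = 0 if "g" in flags else 1             # sed replaces only the first match unless /g
    return re.compile(pattern, re.IGNORECASE if "i" in flags else 0), repl, count

def apply_profile(xml_text, when, where, direction, text):
    """Apply, in order, every rule whose when/where/direction selectors match."""
    for rule in ET.fromstring(xml_text).iter("rule"):
        if (rule.get("when"), rule.get("where"), rule.get("direction")) != (when, where, direction):
            continue
        pattern, repl, count = parse_sed_subst(rule.findtext("sed").strip())
        text = pattern.sub(repl, text, count=count)
    return text
```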
  • Slide 29: Clientless SSL VPN: Virtual Keyboard
  • Slide 30: Cisco AnyConnect VPN Client
  • Slide 31: Cisco AnyConnect VPN Client: Access for All Applications
    - Extends the in-office experience: LAN-like full-network access; supports latency-sensitive apps like voice (via DTLS transport)
    - Access across platforms: Windows 2K / XP (x86/x64) / Vista (x86/x64); Mac OS X 10.4 & 10.5; Linux Intel; Windows Mobile 5 Pocket PC Edition (coming soon)
    - Always up to date: remotely installable and configurable to minimize user demands
    - No-hassle connections: no reboots required; stand-alone, Web Launch, Portal Connection; Start Before Login (2K/XP); MSI Windows pre-installation package
  • Slide 32: Cisco AnyConnect VPN Client: GUI Details
  • Slide 33: Cisco AnyConnect VPN Client: GUI Details (Statistics)
  • Slide 34: Cisco AnyConnect VPN Client: Datagram Transport Layer Security (DTLS)
    - Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels: TLS is used to tunnel TCP/IP over TCP/443; TCP requires retransmission of lost packets, so both the application and TLS wind up retransmitting when packet loss is detected
    - DTLS solves the TCP-over-TCP problem: DTLS replaces the underlying transport TCP/443 with UDP/443
    - DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange); only datagrams are transmitted over DTLS
    - Other benefits: low latency for real-time applications
    - DTLS is optional and will automatically fall back to TLS (HTTPS)
  • Slide 35: Authentication
  • Slide 36: For Administrators, Simple, Precise Control: Enhanced Authentication Choices
    - Ability to require users to authenticate with both a certificate and a username/password
    - Ability to prompt a user for an internal (domain) username & password credential in addition to a One Time Password (OTP) or other dynamic credential; the internal credential is stored for subsequent use and is not validated at login time
    - Generic LDAP support provides compatibility with both OpenLDAP and Novell
  • Slide 37: For Administrators, Simple, Precise Control: Per-User, Fine-Grained Application and Resource Access
    - Flexible access control based on policy: multi-factor authentication combines user, group, and device posture to determine appropriate resource access
    - Granular SSL VPN configuration restricts / allows access to specific resources per-user, per-login, per-policy
    - Embedded Certificate Authority (CA)
    - Assessment and control can use Start Before Login (SBL)
    - VLAN mapping leverages network policy
    - Control for unsecured devices: new onscreen (virtual) keyboard option; Cisco Secure Desktop (CSD) supports hundreds of products plus custom checks
  • Slide 38
  • ...
