Technologies:
SSLVPN
WebVPN
IPSecVPN
http://www.cisco.com/go/security
http://www.cisco.com/security
Presentation_ID 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Cisco ASA 5500 Series
Convergence of Robust, Market-Proven Technologies
[Diagram: Market-Proven Technologies combining Adaptive Threat Defense, Secure Connectivity (IPSec & SSL VPN), Network Intelligence and Cisco Network Services]
Cisco ASA 5500 Series: Threat Protected VPN Services
Leveraging On-Board Security to Protect the VPN Threat Vector
ASA VPN Configuration
The AnyConnect configuration document at the URL below is an excellent starting place for any ASA VPN configuration.
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Configure
Step 1. Configure a Self-Issued Certificate
Step 2. Upload and Identify the SSL VPN Client Image
Step 3. Enable AnyConnect Access
Step 4. Create a New Group Policy
Step 5. Configure Access List Bypass for VPN Connections
Step 6. Create a Connection Profile and Tunnel Group for the AnyConnect Client Connections
Step 7. Configure NAT Exemption for AnyConnect Clients
Step 8. Add Users to the Local Database
VPN Connection Flow Summary
At client connection time, Group Policy settings take precedence over Connection Profile settings.
If the Connection Profile has a setting and the Group Policy is set to "inherit", then the Connection Profile setting is used.
AnyConnect Client Connection Config
Client-Based SSL VPN (AnyConnect / SSL VPN Client)
ASA 5500 version 8.0 VPN Clientless Access
Precise, granular access control to specific resources
Enhanced portal design: localizable, RSS feeds, personal bookmarks
AnyConnect client access
Drag-and-drop file access and webified file transport
Transformation enhancements including Flash support
Head-end deployed applets for Telnet, SSH, RDP, and VNC; framework supports additional plug-ins
Advanced port-forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC
Enhanced Remote Access Security
Enhanced authorization using policies and group information
Extended use of credentials
Always up to date via automatic updating (no admin)
Virtual keyboard option
SAML Single Sign-On (SSO) verified with RSA Access Manager (was ClearTrust)
Group/User-to-VLAN mapping support
Start Before Login for Vista
Current Snapshot of VPN Client Offerings
          | Cisco VPN Client | Cisco SSL VPN Client | Cisco AnyConnect VPN Client
Protocol  | IPsec            | SSL (HTTPS)          | DTLS, SSL (HTTPS) - Auto
AnyConnect VPN Client Installation
Dynamic or Manual Installation
ASA downloads the client to the user based on group policy.
ASA can automatically download the client, or prompt the remote user to download it.
Client packages are provided for manual install or distribution via a desktop management system.
AnyConnect VPN Client
Local LAN Access (Split Tunnel Variant)
In this example, only traffic to the local PC LAN (192.168.100.0/24) is sent in the clear (no VPN). All other traffic is sent encrypted over the VPN to the ASA.
AnyConnect VPN Client
Datagram Transport Layer Security (DTLS)
Defined in RFC 4347; implemented as part of the standard OpenSSL package.
Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels
TLS is used to tunnel TCP/IP over TCP/443.
TCP requires retransmission of lost packets.
Both the application's TCP session and the TLS tunnel's TCP session wind up retransmitting when packet loss is detected.
DTLS solves the TCP-over-TCP problem
DTLS replaces the underlying transport TCP/443 with UDP/443.
DTLS uses TLS to negotiate and establish the DTLS connection (control messages and key exchange).
Only datagrams are transmitted over DTLS.
Other benefits
Low latency for real-time applications.
DTLS is enabled by default and dynamically negotiated at connect time.
DTLS is optional and will automatically fall back to TLS (HTTPS).
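The local-LAN split tunnel slide above and the DTLS transport settings on this slide as one ASA 8.0 fragment, added here as an example and not taken from the deck. It assumes a group policy named SSLClientPolicy and an interface named outside already exist (both placeholder names); the 192.168.100.0/24 local LAN is the value from the split tunnel slide.

```cisco
! Split tunnel variant: exclude only the local PC LAN from the tunnel, encrypt everything else
access-list LOCAL_LAN standard permit 192.168.100.0 255.255.255.0
group-policy SSLClientPolicy attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value LOCAL_LAN
 webvpn
  ! DTLS on: client negotiates UDP/443 at connect time and falls back to TLS over TCP/443
  ! if UDP is blocked along the path; "svc dtls none" would force TLS-only for this policy
  svc dtls enable
  ! keepalives and dead peer detection keep the UDP path alive through NAT devices
  svc keepalive 30
  svc dpd-interval client 30
  svc dpd-interval gateway 30
!
! Interface side: DTLS listens on UDP/443 (the default); "enable outside tls-only"
! in place of "enable outside" refuses DTLS on that interface altogether
webvpn
 dtls port 443
 enable outside
!
! Verification (exec mode): lists each SSL VPN client session and whether it is
! carrying a DTLS-Tunnel or only a TLS (SSL-Tunnel) transport
show vpn-sessiondb svc
```

A session that shows only the TLS transport after this is applied usually means UDP/443 is filtered between the client and the ASA, which is exactly the fallback the slide describes.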
Clientless WebVPN Features
For End-Users, Seamless Access Anywhere
Personalized application and resource access
Personalized homepage: localizable, RSS feeds, personal bookmarks, etc.
Delivers web-based and traditional applications
Sophisticated web and other applications delivered seamlessly to the browser
SAML Single Sign-On (SSO) verified with RSA Access Manager
Intuitive user experience
Drag-and-drop file access and webified file transport
Delivers key applications beyond the browser
Smart Tunnels deliver more applications without admin privileges
For End-Users, Seamless Access Anywhere
Enhanced clientless interface, highly customizable
[Screenshot callouts: Customizable Banner Graphic, Customizable Banner Message, Customizable Access Methods]
Clientless WebVPN
Personal Bookmarks
Specify the personal storage location under Group Policy, OR
Clientless WebVPN
Java Client/Server Plugins - Details
When a user clicks a resource link, a dynamic page is generated that hosts the Java applet(s).
The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco's helper agent.
The Java applet(s) are transparently cached in the ASA cache.
Clientless WebVPN Plugins
RDP, VNC, Sametime, SSH, Telnet, POST
Remote Desktop: plugin for Windows Terminal Services; native Windows support using ActiveX, or the ProperRDP client using Java
Virtual Network Computing (VNC): remote server access based on TightVNC
SSH/Telnet: combined open source plugin provides either SSHv1 or Telnet access to manage devices and servers
Lotus Sametime: secure instant messaging application from IBM
POST plugin: provides the portal homepage with optional SSO
Clientless WebVPN Plugins
Citrix Plugin
Link directly to Citrix applications from portal
Plugin supports all Citrix Java client parameters/features.
ASA optimizes performance by downloading components as needed.
Verify your Citrix EULA grants rights and permissions to deploy the client
Clientless WebVPN
Native Citrix Support (No Plugin)
ASA automatically intercepts web traffic with content type ICA from the Web Presentation Server and modifies the ICA file returned to the client to ensure the ASA proxies the session.
The Java or ActiveX ICA client is also pushed down to the client if a standalone client is not running on the endpoint.
Clientless WebVPN
Smart Tunnels
Clientless WebVPN
General Configuration Overview
Runs over Microsoft Windows Vista, Windows XP, and Windows 2000.
Cisco Secure Desktop
Login Page (After Scan)
Policy Inheritance
Overview
Policy Objects
Connection Profile / Tunnel Group: pre-login attributes (including AAA, login page for Clientless, certificate handling)
Group Policy (Internal and External): post-login attributes (including portal page, bookmarks, access policies)
User Policy (Internal and External): user-specific attributes
Dynamic Access Policy: dynamically created policies based on multiple inputs (location, directory attributes, PC attributes)
[Diagram: policy selection flow with elements User Attributes; DfltGrpPolicy Attributes (System Default Group Policy); User Connect/Login; Initial SSL Connection; Connection Profile selected via DefaultWEBVPNGroup, Conn/Group URL (auto), Group Drop-Down List, or Certificate-based (auto); User login; User/Group Policy Selected; DAP taking User Attributes, Group Attributes, and Connection Type as inputs]
Load balancing works with both IPSec clients and WebVPN sessions. All
other clients, including LAN-to-LAN connections, can connect to a security
appliance on which load balancing is enabled, but they cannot participate in
load balancing.
You can configure the number of IPSec and WebVPN sessions to allow, up
to the maximum allowed by your configuration and license.
With Release 7.1(1), IPSec and WebVPN sessions count or weigh equally in
determining the load that each device in the cluster carries.
Unmanaged Machine: Employee at Home
Anti-virus, anti-spyware, personal firewall, and more
Administrators can define custom checks including running processes
CSD posture policy presented visually to simplify configuration and troubleshooting
Cisco ASA 5500 Series Platforms and Modules
Cisco ASA 5500 Series High-End Lineup
Data Center Solutions (ASA 5580-20 and ASA 5580-40 are new)

                                  | Cisco ASA 5540 | Cisco ASA 5550      | Cisco ASA 5580-20 (New)           | Cisco ASA 5580-40 (New)
Target Market                     | Internet Edge  | Campus Segmentation | Campus Segmentation / Data Center | Data Center
Performance
Max Firewall (Real-world HTTP)    | -              | -                   | 5 Gbps                            | 10 Gbps
Max Firewall (1400 byte)          | 650 Mbps       | 1.2 Gbps            | 6.5 Gbps                          | 14 Gbps
Max Firewall (Jumbo frames)       | -              | -                   | 10 Gbps                           | 20 Gbps
Max IPSec VPN                     | 325 Mbps       | 425 Mbps            | 1 Gbps                            | 1 Gbps
Max IPSec/SSL VPN Peers           | 5000 / 2500    | 5000 / 5000         | 10,000 / 10,000                   | 10,000 / 10,000
Platform Capabilities
Max Firewall Conns                | 400,000        | 650,000             | 1,000,000                         | 2,000,000
Max Conns/Second                  | 25,000         | 36,000              | 90,000                            | 150,000
Packets/Second (64 byte)          | 500,000        | 600,000             | 2,750,000                         | 5,500,000
Base I/O                          | 4 GE + 1 FE    | 8 GE + 1 FE         | 2 Mgmt                            | 2 Mgmt
Max I/O                           | 8 GE + 1 FE    | 8 GE + 1 FE         | 24 GE / 12 10GE                   | 24 GE / 12 10GE
VLANs Supported                   | 200            | 250                 | 250                               | 250
HA Supported                      | A/A and A/S    | A/A and A/S         | A/A and A/S                       | A/A and A/S
Cisco ASA 5500 Series Product Lineup
Performance (five platforms, lowest to highest)
Max Firewall             | 150 Mbps | 300 Mbps     | 450 Mbps     | 650 Mbps  | 1.2 Gbps
Max Firewall + IPS       | 45 Mbps  | 150/300 Mbps | 350/450 Mbps | 650 Mbps  | N/A
Max IPSec VPN            | 100 Mbps | 170 Mbps     | 225 Mbps     | 325 Mbps  | 425 Mbps
Max IPSec/SSL VPN Peers  | 25/25    | 250/250      | 750/500      | 5000/2500 | 5000/5000
Cisco ASA Adaptive Security Appliances
Industry Certifications and Evaluations
Common Criteria
Completed: EAL4, v7.0.6, ASA 5510/20/40 (FW)
New - Completed: EAL2, v6.0, ASA SSM-10/20 (IPS)
In process: EAL4+, v7.2.2, ASA Family (FW)
In process: EAL4, v7.2.2, ASA Family (VPN)
FIPS 140
Completed: Level 2, v7.0.4, ASA Family
Completed: Level 2, v7.2.2
In process: Level 2, v8.0.2
ICSA Firewall 4.1, Corporate Category
New - Completed: v7.2.2, ASA Family
ICSA IPSec 1.0D
Completed: v7.0.4, ASA Family
ICSA Anti-Virus Gateway
Completed: v7.1, ASA Family
NEBS Level 3
Completed: ASA 5510, 5520, and 5540