© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Security TechUpdate
André Lambertsen
ala@cisco.com
Posted 24-Dec-2015
The Cisco products, services or features identified in this document may not yet be available or may not be available in all areas and may be subject to change without notice. Consult your local Cisco business contact for information on the products or services available in your area. You can find additional information via Cisco’s World Wide Web server at http://www.cisco.com. Actual performance and environmental costs of Cisco products will vary depending on individual customer configurations and conditions.
Agenda
ASA 5500: SSL VPN, AnyConnect VPN Client v2.0, ASDM v6.0
NAC Appliance 4.1.x
2nd Generation MARS
GET VPN
ASA 5500 Series Adaptive Security Appliances
Cisco ASA 5500 Adaptive Security Appliances: Delivering Leading Threat Defense and VPN Services
Provides converged threat defense, flexible secure connectivity, minimized operation costs, and a unique adaptive design to combat future threats

Market-Leading Firewall Services
Integrates and extends the #1 deployed firewall technology from Cisco PIX Security Appliances
Built upon the experience of over one million PIX deployed worldwide and 10+ years of innovation

Market-Leading VPN Services
Integrates and extends the #1 deployed remote access VPN technology from Cisco VPN 3000 Concentrators and Cisco PIX Security Appliances, offering both SSL and IPsec VPN services

Market-Leading IPS Services
Integrates and extends the #1 deployed IPS and IDS technology from the Cisco IPS 4200 Series
Provides comprehensive security from directed attacks and many other threats

Market-Leading Anti-X Services
Integrates and extends the #1 deployed gateway content security technology to protect from viruses, spyware, spam, phishing, and employee-productivity-impacting websites
Cisco ASA 5500 Series Enterprise Editions: A Family of Tailored Packages for Location-Specific Needs
Enables standardization on the Cisco ASA 5500 Series to reduce costs in management, training, and sparing
Superior protection by providing the right services for the right location
Simplifies design and deployment by providing pre-packaged location-specific security solutions
Editions: Cisco ASA 5500 Firewall Edition, Cisco ASA 5500 Anti-X Edition, Cisco ASA 5500 SSL & IPsec VPN Edition, Cisco ASA 5500 IPS Edition
Secure Connectivity Everywhere: Extending the Self-Defending Network
(Diagram: an ASA 5500 on the public Internet edge terminating two access modes, clientless SSL VPN and client-based SSL or IPsec VPN, for the user populations below)
Partners / Consultants: controlled access to specific resources and applications
Mobile Workers: easy access to corporate network resources
Roamers: seamless access to applications from unmanaged endpoints
Day Extenders / Home Office: day extenders and mobile employees require consistent LAN-like, full-network access to corporate resources and applications (client-based SSL or IPsec VPN)
SSL VPN: Clientless, Thin Client, Full Tunnel
SSL VPN Clientless: Content Rewriting and Application Translation
Uses a standard browser; the concentrator proxies HTTP(S) over the SSL connection
Limited to web pages:
– HTML pages
– Web-based (webified) applications
For application translation, the VPN appliance "webifies" the application:
– Translates the protocol to HTTP
– Requires detailed application knowledge
– Delivers HTML look-and-feel
– Expands use to some non-web applications
– CIFS (NT and Active Directory file sharing)
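The rewriting step above is what makes a clientless session work and also what makes it fragile: every link in a proxied page has to be rewritten so the browser's next request goes back through the appliance, and links assembled in script are invisible to a static rewriter. The following toy rewriter is an added example, not Cisco's implementation or its real URL encoding; the appliance name vpn.example.com, the /+vpn+/ proxy prefix and the intranet hostnames are assumed, and the sample HTML is constructed.

```python
"""Toy clientless-SSL-VPN content rewriter (added example, not Cisco code).

Models the "webify" step: the appliance proxies HTTP(S) and rewrites every
absolute URL in static link attributes so that the browser keeps talking to
the appliance instead of the internal host. URLs built in script are left
untouched, which is why such applications need application-specific
knowledge (APCF-style profiles) or a tunnel client instead.
"""
import re
from urllib.parse import quote

VPN_HOST = "https://vpn.example.com"   # assumed appliance address
PROXY_PREFIX = "/+vpn+/"               # assumed rewriting prefix

# href/src/action attributes holding an absolute http(s) URL in single or double quotes
_ATTR_RE = re.compile(
    r'(?P<attr>\b(?:href|src|action))=(?P<q>["\'])(?P<url>https?://[^"\']+)(?P=q)',
    re.IGNORECASE,
)


def rewrite_url(url: str) -> str:
    """Map an internal absolute URL to its proxied form on the appliance.

    The internal origin (scheme and host:port) is encoded into the path so
    the appliance can recover it; path and query are kept verbatim.
    """
    m = re.match(r'(https?)://([^/]+)(/.*)?$', url)
    if not m:
        raise ValueError(f"not an absolute http(s) URL: {url}")
    scheme, host, rest = m.group(1), m.group(2), m.group(3) or "/"
    return f"{VPN_HOST}{PROXY_PREFIX}{scheme}/{quote(host, safe='')}{rest}"


def rewrite_html(html: str) -> str:
    """Rewrite static link attributes; everything else passes through unchanged."""
    return _ATTR_RE.sub(
        lambda m: f'{m.group("attr")}={m.group("q")}{rewrite_url(m.group("url"))}{m.group("q")}',
        html,
    )


def find_unrewritten_urls(html: str) -> list:
    """Absolute URLs that survived rewriting (e.g. string literals inside script).

    A request to any of these would bypass the appliance and fail or, worse,
    leak the internal hostname to the client's network.
    """
    return [u for u in re.findall(r'https?://[^\s"\'<>+]+', html)
            if not u.startswith(VPN_HOST)]


# Constructed sample page from a fictitious intranet application.
SAMPLE_HTML = (
    '<a href="http://intranet.corp.local/reports/q1.html">Q1</a>\n'
    "<img src='http://intranet.corp.local:8080/logo.png'>\n"
    '<script>window.location = "http://intranet.corp.local/app?sid=" + sid;</script>\n'
)

if __name__ == "__main__":
    rewritten = rewrite_html(SAMPLE_HTML)
    print(rewritten)
    print("not rewritten:", find_unrewritten_urls(rewritten))
```

Running the block shows the two static references rewritten onto vpn.example.com while the script-built URL is reported as unrewritten; that residue is exactly the class of case the slide means by "requires detailed application knowledge".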
SSL VPN: Smart Tunnel and Port Forwarding ("Thin" or "Enhanced" Client)
Local "thin" client acts as a proxy; tunnels and forwards application traffic
Often used with clientless SSL VPN as a helper application
Delivered via Java from the VPN appliance; some system permissions may be required, particularly for hostname mapping (port forwarding edits the local hosts file so the application's hostnames resolve to the local listener)
Use the "Smart Tunnel" stub where port forwarding is not desirable
SSL VPN Tunnel Client: Persistent "Thick", "Full Tunneling", or "Tunnel" Client
Traditional-style client delivered via automatic download (ActiveX, Java, and/or EXE)
Requires administrative privileges for initial install
Stub-installer / MSI package
Permanent or temporary installation
Provides similar access to IPsec:
– Better accessibility over firewalls and NAT
– Smaller installation package
No reboots required
Cisco VPN Client Comparison: For End-Users, Access for All Applications

                        Cisco VPN Client      Cisco AnyConnect VPN Client      Cisco SSL VPN Client
Approximate size        10 MB                 3 MB                             400 KB
Initial install         distribute            auto download / distribute       auto download / distribute
Admin rights required   Yes                   Initial installation only        Initial installation only
                                              (MSI available on Windows)       (stub installer available)
Protocol                IPsec                 DTLS, TLS (HTTPS), auto          TLS (HTTPS)
OS support              multiple*             multiple**                       2000/XP
Head end                ASA/PIX/3K/IOS        ASA/IOS                          ASA/3K/IOS

* Windows 2K / XP x86 / Vista x86, Mac OS X 10.4, Linux Intel 2.6.x, and Solaris
** Windows 2K / XP x86 & x64 / Vista x86 & x64, Mac OS X 10.4 & 10.5, Linux Intel 2.6.x, and Windows Mobile 5 & 6 support planned (additive license). Non-Windows support and alternate connection modes available, including DTLS for ASA 8.0+ only.
Cisco ASA 5500 v8.0: Significant Enhancements in Clientless SSL VPN (new in 8.0)
Precise, granular access control to specific resources
Enhanced portal design:
– Localizable
– RSS feeds
– Personal bookmarks
– AnyConnect Client access
Drag-and-drop file access and webified file transport
Transformation enhancements including Flash support
Head-end deployed applets for Telnet, SSH, RDP and VNC; the framework supports additional plug-ins
Advanced port forwarder for Windows (Smart Tunnel) accesses TCP applications without admin privileges on the client PC
Clientless SSL VPN: Client/Server Plug-ins Details
Support for a number of common TCP applications via Java plug-ins, such as:
– Windows Terminal Server (RDP)
– Telnet and SSH
– VNC
– Citrix Java Presentation Server Client (plug-in loaded by the administrator)
A resource is defined as a URL with the appropriate protocol type, e.g. rdp://server:port
Support for these third-party applications is packaged as single-archive files in the .jar format
The extensible plug-in mechanism may provide support for additional applications in the future
Clientless SSL VPN: Client/Server Plug-ins Details (cont.)
When the user clicks a resource link, a dynamic page is generated that hosts the Java applet(s)
The Java applet(s) are rewritten, re-signed, and automatically wrapped with Cisco's helper agent (re-signing means the browser's trust decision rests on the certificate the ASA signs with, not on the original plug-in vendor's signature)
The Java applet(s) are transparently cached in the ASA cache
Clientless SSL VPN: Clientless File Access
Access for FTP file shares in addition to CIFS (Common Internet File System)
Web folders for Internet Explorer (native Windows Explorer file access)
Clientless SSL VPN: Smart Tunnel
Smart tunnels are application-level port forwarding
A smart tunnel is a connection between a Winsock 2, TCP-based application and the private site, using a clientless (browser-based) SSL VPN session
You specify the client applications to which you want to grant smart tunnel access (e.g. Sametime, an SSH client)
SSL VPN loads a stub into each process spawned by an authorized application and intercepts its socket calls to redirect them via the ASA
Usable where other methods such as AnyConnect or port forwarding cannot be used
A browser with ActiveX, Java or JavaScript support is required; supported on 32-bit OSs only, such as Windows XP and 2000
Configuration syntax: smart-tunnel list list application path [hash]
The optional hash is the SHA-1 of the application executable; without it, any program at the listed path name is granted the tunnel
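Because the stub is injected into whatever process is launched under the listed path, the hash field is the control that keeps a renamed or replaced binary from borrowing the tunnel. The following helper is an added example, not Cisco code: it computes the SHA-1 value for the hash field, renders the configuration line, and models the head-end comparison against the binary actually launched. The list name ssh-apps, the application name and the executable contents (the byte string "abc", a standard SHA-1 test vector rather than a real PE file) are all constructed.

```python
"""Generate and check the SHA-1 hash that pins a smart-tunnel application.

Added example, not Cisco code. The hash in 'smart-tunnel list <list> <app>
<path> [hash]' is the SHA-1 of the executable; only a binary hashing to that
value gets its sockets redirected through the clientless session.
"""
import hashlib
from typing import Optional


def sha1_of_executable(data: bytes) -> str:
    """Hex SHA-1 digest of an executable's bytes (the value for the hash field)."""
    return hashlib.sha1(data).hexdigest()


def smart_tunnel_list_line(list_name: str, app_name: str, path: str,
                           data: Optional[bytes] = None) -> str:
    """Render one 'smart-tunnel list' line for the ASA webvpn configuration.

    Without data the entry is path-only (anything at that path is trusted);
    with data the SHA-1 hash pins the exact binary.
    """
    line = f"smart-tunnel list {list_name} {app_name} {path}"
    if data is not None:
        line += f" {sha1_of_executable(data)}"
    return line


def launch_permitted(entry_hash: str, launched_executable: bytes) -> bool:
    """Model the head-end check: the launched binary must hash to the pinned value."""
    return hashlib.sha1(launched_executable).hexdigest() == entry_hash


# Constructed stand-ins for executables (not real binaries).
GENUINE_PUTTY = b"abc"      # SHA-1 test vector; stands in for the approved putty.exe
TAMPERED_PUTTY = b"abd"     # same file name, different contents

if __name__ == "__main__":
    print(smart_tunnel_list_line("ssh-apps", "putty", "putty.exe", GENUINE_PUTTY))
    pinned = sha1_of_executable(GENUINE_PUTTY)
    print("genuine permitted:", launch_permitted(pinned, GENUINE_PUTTY))
    print("tampered permitted:", launch_permitted(pinned, TAMPERED_PUTTY))
```

On a real deployment the bytes come from the approved executable on a reference workstation; regenerate the entry whenever that application is patched, since a hash pinned to the old build will silently stop the tunnel for updated clients.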
Clientless SSL VPN: ActiveX Relay
ActiveX relay provides tunnel support for applications launched outside the browser during a clientless SSL VPN session (an on-demand tunnel) without the overhead of administrator pre-configuration
ActiveX relay and Smart Tunnel share the same core technology
Clientless SSL VPN: Application Profile Customization Framework (APCF)
Allows the security appliance to handle non-standard applications and web resources so they display correctly over a clientless SSL VPN connection
Profiles:
– An APCF profile contains a script that specifies when (pre, post), where (header, body, request, response), and what data to transform for a particular application
– The script is in XML and uses sed (stream editor) syntax to transform strings/text
Clientless SSL VPN: Virtual Keyboard
Cisco AnyConnect VPN Client: Access for All Applications
Extends the in-office experience: LAN-like full-network access; supports latency-sensitive apps like voice (via DTLS transport)
Access across platforms: Windows 2K / XP (x86/x64) / Vista (x86/x64); Mac OS X 10.4 & 10.5; Linux Intel; Windows Mobile 5 Pocket PC Edition (coming soon)
Always up to date: remotely installable and configurable to minimize user demands
No-hassle connections: no reboots required; stand-alone, web launch, or portal connection; Start Before Login (2K/XP); MSI Windows pre-installation package
Cisco AnyConnect VPN Client: GUI Details
Cisco AnyConnect VPN Client: GUI Details (Statistics)
Cisco AnyConnect VPN Client: Datagram Transport Layer Security (DTLS)
Limitations of TLS (HTTPS/SSL) with SSL VPN tunnels:
– TLS is used to tunnel TCP/IP over TCP/443
– TCP requires retransmission of lost packets
– Both the tunneled application's TCP and the tunnel's own TCP end up retransmitting when packet loss is detected (the TCP-over-TCP problem)
DTLS solves the TCP-over-TCP problem:
– DTLS replaces the underlying TCP/443 transport with UDP/443
– The TLS session is used to negotiate and establish the DTLS connection (control messages and key exchange)
– Only datagrams (the tunneled packets) are transmitted over DTLS
Other benefits: low latency for real-time applications
DTLS is optional and automatically falls back to TLS (HTTPS) when the DTLS connection over UDP/443 cannot be established
For Administrators, Simple, Precise Control: Enhanced Authentication Choices
Ability to require users to authenticate with both a certificate and a username/password
Ability to prompt a user for an internal (domain) username and password credential in addition to a One-Time Password (OTP) or other dynamic credential; the internal credential is stored for subsequent use and is not validated at login time
Generic LDAP support provides compatibility with both OpenLDAP and Novell
For Administrators, Simple, Precise Control: Per-User, Fine-Grained Application and Resource Access
Flexible access control based on policy:
– Multi-factor decisions combine user, group, and device posture to determine appropriate resource access
– Granular SSL VPN configuration restricts or allows access to specific resources per user, per login, per policy
– Embedded Certificate Authority (CA)
– Assessment and control can use Start Before Login (SBL)
– VLAN mapping leverages network policy
Control for unsecured devices:
– New on-screen (virtual) keyboard option
– Cisco Secure Desktop (CSD) supports hundreds of products plus custom checks
Single Sign-On for Clientless VPN
Lets clientless users enter username and password only once to access multiple protected services and web servers
Starts as part of the AAA process or just after successful user authentication to an AAA server
Single sign-on methods supported:
– SSO with WebVPN (Auth Web Server)
– SSO with CA eTrust SiteMinder (formerly Netegrity SiteMinder)
– SSO with HTTP Form protocol
– SSO with NTLMv1 authentication (NTLMv1 is a weak challenge/response scheme; prefer the form-based or SiteMinder methods where the back-end server allows)
Remote Access Termination in VLAN
VLAN Mapping
Map users to a group based on role
Use group policy to restrict the egress VLAN
User/group based policies
(Diagram: remote access sessions terminated onto separate VLANs, e.g. vlan 10, for Internal Resources and Shared Resources)
VLAN Mapping, cont.
For more complex network topologies, note that the ASA does not support more than one default route with the same metric out of two different interfaces.
The workaround is to assign a different metric to each default route, one per egress interface:
route outside 0.0.0.0 0.0.0.0 <Internet_rtr_IP> 1
route vrf1 0.0.0.0 0.0.0.0 <vrf1_IP> 2
route vrf2 0.0.0.0 0.0.0.0 <vrf2_IP> 3
route vrf3 0.0.0.0 0.0.0.0 <vrf3_IP> 4
route vrf4 0.0.0.0 0.0.0.0 <vrf4_IP> 5
route vrf5 0.0.0.0 0.0.0.0 <vrf5_IP> 6
Cisco ASDM v6.0 Overview
Cisco ASDM v6.0 is the integrated graphical interface of the Cisco ASA and PIX Security Appliances
ASDM delivers full device management including:
– Rapid configuration enabled by an intuitive graphical user interface, wizards, and the ASDM Assistant
– Powerful diagnostics including the Real-Time Log Viewer, Packet Tracer, and Packet Capture
– Real-time monitoring provided by dynamic dashboards, table views, and traffic graphing
Cisco ASDM Feature Highlights
Redesigned interface
Security Dashboards
Packet Tracer
Packet Capture Wizard
Upgrade Wizard
Cisco ASDM Feature Highlights
In-place and Drag-and-drop rule editing
Cisco ASDM Feature Highlights
Real-Time Log Viewer
Cisco ASDM Packet Tracer: Live Tool to Determine the Day in the Life of a Packet
Packet tracing enables the injection of virtual packets through the system to audit policy configuration and enforcement
Benefits:
– Enables policy tuning and refining
– Enables rapid troubleshooting
– Simplifies fault isolation in complex policy environments
– First proactive debugging tool
Cisco ASDM Packet Capture: Powerful Protocol Analysis with 3rd-Party Tools
Cisco ASDM Wizards
Startup Wizard
IPsec VPN Wizard
SSL VPN Wizard
High Availability & Scalability Wizard
Packet Capture Wizard
Software upgrade Wizard
Cisco ASDM Dashboards: Device Dashboard
Cisco ASDM Dashboards: Firewall Dashboard
Cisco ASDM Feature Highlights
Advanced policy creation for Cisco Secure Desktop
Cisco SSL VPN Summary: Simple and Secure Access from Anywhere
Broad access from anywhere
User-friendly interfaces
World-class security
Flexible, controlled access options
Intuitive management
Fully integrated with the Cisco Self-Defending Network
www.cisco.com/go/sslvpn
Enterprise-Class Resilient Security: Maximizes Uptime (new in 8.0)
Comprehensive multi-level resiliency protecting business continuity against component, link, or system failure
Now includes redundant interface support for greater availability
Full state synchronization, including multimedia and voice protocols, maximizes uptime for mission-critical applications
Improved business continuity with zero-downtime upgrades
Higher system reliability than software-on-server solutions: Cisco ASA has 2x the MTBF* of a server-based solution
– Typical server has an MTBF of 50K to 65K hrs
– Cisco ASA has an MTBF of 100K to 150K hrs
* MTBF calculation based on Telcordia (Bellcore) SR-332.
(Diagram: Active/Active failover pair)
Tightly integrated high availability services for the firewall ease deployment and administration compared with third-party approaches
Rapid deployment through the user-friendly High Availability Wizard
Enhancing Cisco ASA 5500 Series High Availability with Redundant Interfaces
(Diagram, before: primary/active ASA and secondary/standby ASA each attached to Network A and Network B by a single link; after: each ASA attached through redundant interface pairs carried as trunks)
Intelligent Network Integration: Provides Seamless Integration into Next-Gen Networks (new in 8.0)
Advanced network services:
– Introduces multi-protocol object groups (TCP, UDP, and ICMP) for significantly simplified object management (new in 8.0)
– Supports EIGRP (new in 8.0), OSPF, and RIPv2 dynamic routing
– Provides QoS traffic prioritization for improved handling of latency-sensitive traffic
– Adds IPv6 support for hybrid IPv4/IPv6 network environments
– Delivers PIM sparse mode multicast support for streaming data delivery services, video conferencing, and other mission-critical real-time enterprise applications
(Diagram: Quality of Service, voice (V) packets prioritized ahead of data (D) packets)
New Cisco ASA "5G" and "10G" Appliances: High-Performance Firewall / VPN for the 10GE World
Cisco's highest-performance security appliances ever; available early fall 2007
Product highlights:
– 5 and 10 Gbps of firewall, 10 times the performance of existing ASA platforms
– 10,000 SSL VPN user support
– Architecture designed for scalable security performance and high availability
– GigE and 10GigE support
– Millions of total connections and policies (ACEs)
Cisco ASA "5G" and "10G" Platforms: Performance and Interface Specifications
High-speed real-world performance:
– 5 and 10 Gbps of firewall with real-world traffic
– 100,000+ connection setups per second
– Millions of packets per second at any traffic profile
– Maximum connections: 2,000,000
– Maximum policies (ACEs): 1,000,000
– 10,000+ VPN tunnels at multi-gigabit throughput
– Virtual context support
Interface density:
– Supports up to 24 GE interfaces, both copper and fiber Gigabit Ethernet
– Supports up to 12 10GE SR interfaces
– Dedicated management interface