CCNP Security-VPN
1. These slides taken from Cisco live 2012 &
2013
3/12/2014
Eng. Mohannad Alhanahnah 1
DEPLOYING CISCO ASA
VPN SOLUTIONS (VPN)
Agenda:
• Overview of CCNP Security VPN v2.0 Exam
• VPN v2.0 Topics
• ASA VPN Architecture and Fundamentals
• VPN Fundamentals
• IPSec Site to Site
• IPSec Remote Access
• AnyConnect VPN
• Clientless SSL VPN
Overview of the CCNP Security
• All four CCNP Security exams required
• SECURE – 642-637
• IPS – 642-627
• FIREWALL – 642-618
• VPN – 642-648
• ~90 minutes with 60-70 questions
• Register with Pearson Vue
• http://www.vue.com/cisco
• Exam cost is $200.00 US
• Preparing for the VPN v2.0 Exam:
• Recommended reading
• CCNP Security VPN 642-648 Official Cert Guide
• Cisco ASA 8.4 Configuration Guide
• Recommended training via Cisco Learning Partners
• Deploying Cisco ASA VPN Solutions
• Cisco Learning Network – Exam Blueprints
• www.cisco.com/go/learnnetspace
• Practical experience
• Real equipment
• ASDM in demo mode
Cisco ASA Architecture and VPN Fundamentals
• ASA VPN Overview
• ASA Design Considerations
• AAA and PKI Refreshers
• VPN Configuration Basics
Virtual Private Networks (VPNs):
• Virtual Private Networks (VPNs) are a way to establish
private connections over another network
• VPN Capabilities
ASA Virtual Private Network Options
ASA Virtual Private Networks (VPNs):
• Site-to-Site VPN
• Connects two separate networks using two VPN gateway devices
such as an ASA
• Utilizes IPsec
• Remote Access VPN
• Connects single user to a remote network via gateway such as an ASA
• Utilizes IPsec or Secure Sockets Layer (SSL)
Remote Access VPN:
• Client-based VPN
• Remote access using an installed VPN client like AnyConnect
• Permits “full tunnel” access
• Clientless VPN
• Remote access through a web browser that leverages the
browser’s SSL encryption for protection
• Permits limited access but no footprint required
Choosing Remote Access VPN Method:
• IPsec VPN
–Traditional IPsec access
–Cisco VPN Client
• AnyConnect VPN
–Recommended next generation remote access – Windows 7 supported
–SSL VPN or IPSec
–Hostscan and other advanced features
• Clientless SSL VPN (WebVPN)
–Recommended for thin, flexible access from any computer
–Web browser based using SSL encryption – no software required
–Permits network access via HTTP/S, plug-ins, and port forwarding
–Cisco Secure Desktop
EasyVPN:
• EasyVPN can be used for Remote Access or Site-to-Site
VPNs
–Uses IPSec as transport
–Remote Access uses Cisco VPN Client
–Site-to-Site uses hardware VPNs such as an ASA 5505 or Cisco
router
• Benefits
–Minimizes configuration for deploying software and hardware clients
–Centralizes configuration on the ASA head end
Choosing an ASA for Site-to-Site VPN:
• Model considerations
–VPN throughput
–Number of VPN peers
• No licenses required for IPSec
–ASA 5505 Security Plus license increases session max
–3DES/AES license
Choosing an ASA for Remote Access VPN:
• Model considerations
–VPN throughput
–Number of Remote Access User Sessions (combined)
Remote Access VPN Licensing:
• Other VPN – IPSec IKEv1
• AnyConnect Essentials
–AnyConnect client provides full tunnel connectivity
–Windows, Mac, Linux, iOS, and Android
• AnyConnect Premium
–Adds Clientless (Web VPN) and Hostscan features
–Adds additional AnyConnect client features
http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html
Remote Access Licensing:
ASA License Keys:
• Two types – Permanent and Time-Based
• One Permanent license
• Time-Based licenses can be stacked
• When both license types set the same feature, some features take the
higher of the two values while others combine (add) them
• Understand the rules:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/license/license_management/license.html
VPN Configuration:
VPN Configuration Components:
VPN Group Policy:
• Internal (ASA) or External (RADIUS)
• Sample of various settings:
–WINS, DNS, DHCP, web proxy settings
–VPN access hours, idle timeout, network filter, permitted VPN
protocols
–Split tunneling
• Default Group Policy is called DfltGrpPolicy. Can be
modified but NOT deleted.
• Settings are inherited:
–User ==> Connection Profile’s Group Policy ==> Default Group Policy
External Group Policy:
• Stored on a RADIUS server as a special user account
• RADIUS user includes Vendor-Specific Attributes (VSAs)
for Group Policy settings
• Group Policy configuration includes the RADIUS
username and password
VPN Group Policy:
VPN Connection Profile:
• Formerly called Tunnel Group. Command line still uses
tunnel-group terminology.
• Core VPN Service Attributes
–VPN Type (IPsec Site-to-Site, IPsec Remote Access, SSL VPN,
Clientless)
–Authentication, authorization, and accounting servers
–Default group policy
–Client address assignment method
–VPN type specific attributes for IPsec and SSL VPN
• Default Connection Profiles. They can be modified but
NOT deleted.
‒ DefaultRAGroup – Remote Access connections
‒ DefaultWEBVPNGroup – Clientless SSL VPN connections
‒ DefaultL2LGroup – IPsec site-to-site connections
• Settings are inherited
VPN Configuration Methods:
• Command line
• ADSM with Connection Profiles and Group Policies
• ASDM VPN Wizard
AAA and PKI Refreshers:
AAA Refresher:
• Authentication, Authorization, and Accounting (AAA)
–Authentication: Proving the identity of the user
–Authorization: Granting permissions to the user
–Accounting: Logging the user’s session
• AAA servers are used to perform one or more of the AAA
functions
–Supported AAA servers include RADIUS, TACACS+, RSA/SDI, NT,
Kerberos, LDAP, HTTP Forms, and LOCAL database
–Server example – Cisco ACS for RADIUS or TACACS+
Public Key Infrastructure (PKI) Refresher:
• Pre-Shared Key (PSK) deployments do not scale (symmetric keys)
• PKI scales better, with improved security and management
• Uses Digital Certificates and public key cryptography
• Asymmetric Cryptography
–Encryption with the public key is decrypted with the private
–Encryption with the private key is decrypted with the public
• Each device has a public key, private key, and certificate
signed by the Certificate Authority
• Certificates are issued:
–Manually
–Certificate Signing Requests (CSR)
–Simple Certificate Enrollment Protocol (SCEP)
• Validation steps
–Check validity of the certificate based on date/time and certificate
attributes
–Check the certificate using the stored Certificate Authority certificate
–Ensure certificate has not been revoked (optional)
• Check the Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)
• Enrollment options
–Manually enroll ASA and endpoints by creating certificates and
loading them
–ASA can also utilize SCEP to enroll directly with the CA
–VPN clients can enroll online with the ASA using Simple Certificate
Enrollment Protocol (SCEP) proxy
IPSec:
• IPSec is an open standard (IETF)
• Network layer protocol
• It provides data security and tunneling services
• It is a framework built from many open standards
• Scales from small to very large networks
• It works only for IP unicast traffic
• GRE encapsulation protected by IPSec is used for non-IP or multicast
traffic
IPSec Mode:
• Tunnel or transport mode
• Transport mode
• Security is provided only for the transport layer and above.
• Protects the payload of the packet but leaves the original IP
address in the clear.
• Original IP address is used to route the packet through the Internet.
• Tunnel mode
• Provides security for the whole original IP packet.
• Original IP packet is encrypted.
• Encrypted packet is encapsulated in another IP packet.
IPSec Protocols:
• Negotiation protocol
• IKE
• Security Protocol
• ESP
• AH
• Encryption
• DES
• 3DES
• AES
• Authentication
• MD5
• SHA
• Protection (Diffie-Hellman for key exchange)
• DH 1
• DH 2
• DH 5
• DH 7
Internet Key Exchange:
• IKE solves the problems of manual and unscalable
implementation of IPSec by automating the entire key
exchange process:
• Negotiation of SA characteristics
• Automatic key generation
• Automatic key refresh
• Manageable manual configuration
• In IKE Phase One, in main or aggressive mode, the peers
will:
• Negotiate an IKE protection suite
• Authenticate each other
• Exchange keying material to protect the IKE session
• Establish the IKE SA
• Then in IKE Phase Two, in quick mode, peers:
• Negotiate IPsec policies
• Exchange keying material of IPsec SAs
• Establish IPsec SAs
IKE Phase One:
• Runs in main or aggressive mode.
• Mode used is implementation and situation dependent.
• The IKE main mode - ISAKMP uses six messages to establish the
IKE SA.
• SA negotiation, Diffie-Hellman key exchange, and authentication of peers.
• Hides the identity of IKE peers from eavesdroppers
• Can use the protocol’s negotiation capabilities to the fullest.
• Aggressive mode takes half the number of messages
• Offers less negotiating flexibility.
• Initiating peer proposes a list of policies, and the responder accepts a
policy or rejects the offers
• Does not provide peer identity protection.
• Much faster than an IKE main mode
• Used mainly when security policies are well known on both peers.
IKE Phase Two:
• Used to negotiate and establish SAs of other protocols, such as AH
and ESP for IPSec.
• Only operates in one defined mode - quick mode.
• IKE initiator presents a list of IPSec policy proposals and the IKE
responder chooses an acceptable proposal
• Quick mode is quite fast, with almost no noticeable delay associated
• Once an IKE SA is in place only quick mode exchanges are used to
negotiate additional IPsec SAs or to rekey established IPsec SAs.
IKE Negotiation:
(Figure, Copyright Zoom Technologies ®: a Head Office router (3800) reaches
Branch X (2600) and Branch Y (2500) across the IP / Internet cloud; each
device carries the ISAKMP policy list below, in the figure's order 3800,
2600, 2500.)
Head Office (3800):
–Policy 1: Encryption AES, Hash SHA, Authentication Pre Share, DH 2
–Policy 2: Encryption 3DES, Hash SHA, Authentication Pre Share, DH 2
–Policy 3: Encryption DES, Hash MD5, Authentication Pre Share, DH 2
Branch X (2600):
–Policy 1: Encryption 3DES, Hash SHA, Authentication Pre Share, DH 2
–Policy 2: Encryption DES, Hash MD5, Authentication Pre Share, DH 2
Branch Y (2500):
–Policy 1: Encryption DES, Hash MD5, Authentication Pre Share, DH 2
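How the responder picks a Phase 1 policy from lists like the ones in the figure, as an added Python model (not Cisco code and not from the original slides). It assumes the three policy sets belong to the 3800, 2600 and 2500 in figure order, uses priority numbers 10/20/30 in place of the figure's 1/2/3, and compares only the four attributes the figure shows (lifetime is ignored).

```python
# IKEv1 Phase 1 (ISAKMP) policy matching, modelled on the policy sets in the figure above.
# Added example, not Cisco code. Priority numbers, device assignment and the matching
# order are assumptions; only the four attributes shown on the slide are compared.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto ikev1 policy <priority>' entry. The priority number is local to the
    device that owns the policy; it is never sent to the peer or compared with it."""
    priority: int
    encryption: str       # des | 3des | aes
    hash_alg: str         # md5 | sha
    authentication: str   # pre-share | rsa-sig
    dh_group: int         # 1 | 2 | 5 | 7

    def attributes(self):
        return (self.encryption, self.hash_alg, self.authentication, self.dh_group)


# Assumed device assignment: first policy set = Head Office 3800, then Branch X 2600,
# then Branch Y 2500, following the order in the figure.
HEAD_OFFICE = [
    IkePolicy(10, "aes", "sha", "pre-share", 2),
    IkePolicy(20, "3des", "sha", "pre-share", 2),
    IkePolicy(30, "des", "md5", "pre-share", 2),
]
BRANCH_X = [
    IkePolicy(10, "3des", "sha", "pre-share", 2),
    IkePolicy(20, "des", "md5", "pre-share", 2),
]
BRANCH_Y = [IkePolicy(10, "des", "md5", "pre-share", 2)]

FIELDS = ("encryption", "hash_alg", "authentication", "dh_group")


def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """The initiator offers all of its policies; the responder walks its own policies in
    priority order and accepts the first one whose attributes equal some offer.
    None means Phase 1 fails: the 'ISAKMP policies do not match' case from the
    debugging slides."""
    offers = {p.attributes() for p in initiator}
    for local in sorted(responder, key=lambda p: p.priority):
        if local.attributes() in offers:
            return local
    return None


def mismatch_report(initiator: List[IkePolicy], responder: List[IkePolicy]) -> List[str]:
    """For a failed negotiation, name the attribute(s) separating each offer from the
    closest responder policy, so the operator knows which side to change."""
    ordered = sorted(responder, key=lambda p: p.priority)
    lines = []
    for offer in sorted(initiator, key=lambda p: p.priority):
        closest = min(ordered, key=lambda r: sum(getattr(offer, f) != getattr(r, f) for f in FIELDS))
        diffs = [f"{f} {getattr(offer, f)} != {getattr(closest, f)}"
                 for f in FIELDS if getattr(offer, f) != getattr(closest, f)]
        lines.append(f"offer {offer.priority} vs responder policy {closest.priority}: " + ", ".join(diffs))
    return lines


if __name__ == "__main__":
    for name, branch in (("Branch X", BRANCH_X), ("Branch Y", BRANCH_Y)):
        print(name, "->", negotiate(branch, HEAD_OFFICE))
    # A peer that only offers DH group 5 never matches the head end (constructed case).
    dh5_only = [IkePolicy(10, "aes", "sha", "pre-share", 5)]
    print("DH5-only peer ->", negotiate(dh5_only, HEAD_OFFICE))
    print(*mismatch_report(dh5_only, HEAD_OFFICE), sep="\n")
```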
ESP and AH:
• ESP protocol ID 50
• Provides a framework for encryption, authentication and data
integrity; anti-replay protection is optional
Authentication Header:
• AH protocol ID 51
• Provides a framework for authentication and data integrity;
anti-replay protection is optional
Digital signatures and certificates:
IPSec and SSL Encryption Fundamentals
IPsec Connection Overview:
1. Interesting Traffic
2. Phase 1 (ISAKMP)
3. Phase 1.5 (ISAKMP)
4. Phase 2 (IPSec)
5. Data Transfer
6. IPSec Tunnel Termination
1. Match Interesting Traffic
–Access Control List (ACL) defines matching source/destination
addresses to protect
–Both sides have mirrored ACLs
–Internet Key Exchange (IKE) kicks off when a packet matches the
ACL
2. Phase 1 – ISAKMP
–Main Mode or Aggressive Mode exchange
–ISAKMP policies matched
–Diffie-Hellman exchange – Creates shared key
–Identities exchanged and authenticated
–ISAKMP Security Association (SA) created
–Negotiate Phase 2 parameters
3. Phase 1.5 – Xauth and mode config
–Additional user authentication
–Client configuration – IP Address, DNS Server, etc.
4. Phase 2 – IPSec Security Associations (SA)
–SA is a unidirectional data channel
–Negotiated encryption and hashing
–Re-keyed after time or byte limit
5. Data transfer over IPSec SAs
6. Tunnel termination
–Lack of interesting traffic
–Peer quits responding
–Admin termination
–Re-keyed after time or byte limit
IKEv1 Details:
• Main Mode
–Three 2-way exchanges (6 messages) for:
• ISAKMP policy
• Diffie-Hellman exchange
• Verifying the IPSec peer’s identity
–Protects identities by exchanging them in secure tunnel
• Aggressive Mode
–Performs the 3 exchanges in a single exchange
–Faster than Main Mode due to less messages (3 total)
–Exposes identities
–3 total exchanges
–Required in some cases! Dynamic peers with Pre-Shared Key
(Easy VPN)
IKEv2:
• Internet Key Exchange version 2 – RFC 4306
• Introduced in ASA 8.4 and AnyConnect 3.0
• Benefits
–Denial of Service prevention using cookies
–Fewer negotiation messages
–Built-in Dead Peer Detection
–Built-in Configuration Payload and User Authentication (using EAP)
–Allows unidirectional authentication
–Built-in NAT Traversal
–Better rekeying and collision handling
IPSec Details:
• Phase 2 – Quick Mode
–Exchange protected by Phase 1 IKE Security Association (SA)
–Negotiates IPSec SA parameters
–Creates IPSec SAs
–Periodically renegotiates the IPSec SAs
–(optional) Performs Diffie-Hellman exchange for Perfect Forward
Secrecy (PFS)
Phase 1 Configuration – Diffie-Hellman:
SSL and TLS:
• TLS is the evolution of SSL (developed by Netscape
Communications)
• Server and client (optional) are authenticated via X.509
certificates
• Cryptographic algorithms and shared secrets are negotiated
• SSL VPNs use TLS encryption to protect tunneled IP traffic
• Standard browsers and AnyConnect use TLS for SSL VPNs
VPN Ports and Protocols:
Debugging Basics:
• Enable logging
• Issue relevant debug commands
• Utilize ASDM Log Viewer, CLI, or syslog
ASDM Real-Time Log Viewer:
ASDM VPN Monitoring:
Debugging VPN Connections:
• Debugging commands
–debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)
–debug crypto ipsec (Phase 2 debugs)
–debug [ webvpn | aaa | radius | dap ]
• Common IPSec VPN problems
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
• IPSec debug guide
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
IPSec Site-to-Site VPNs:
• Site-to-site VPNs are used to connect two sites together
• They are often used to connect branch offices to the main office
• Used instead of private WAN connections
Site-to-Site IPsec Connection Creation:
• Key configuration choices:
–Peer IP Address
–Authentication type (Pre-Shared Key or certificate)
–IKE Policy (Phase 1)
–IPsec Policy (Phase 2)
–Interesting traffic ACL – Local and Remote networks
Site-to-Site IPsec Configuration:
1. Enable IKEv1 or IKEv2 on interface
2. Create Connection Profile
–Specify parameters such as peer address, protected networks, IKE
parameters, and IPSec parameters
IPSec Wizard Configuration:
IPSec Manual Configuration:
Site-to-Site IPsec IKEv2:
• ASA supports fallback to IKEv1 for easy migration
• Similar to a standard IPSec IKEv1 configuration
–Enable IKEv2 on the interface
–Configure and use IKEv2 Policies
–Configure and use IKEv2 Tunnel Group settings
Debugging Site-to-Site Connections:
• Ensure Phase 1 (ISAKMP) Policies match
• Ensure Phase 2 (IPSec) Transforms match
• Ensure crypto Access Control Lists match
• Ensure Pre-Shared Keys Match or Certificates are valid
–Ensure clocks are synchronized if using certificates
• Ensure IPSec traffic reaches the ASA (sysopt connection
permit-vpn)
• Debugging commands
–debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)
–debug crypto ipsec (Phase 2 debugs)
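A check for the "Both sides have mirrored ACLs" requirement from the interesting-traffic step and for "Ensure crypto Access Control Lists match" in the list above, as an added Python example (not Cisco code and not from the slides). The two configuration snippets, ACL names and addresses are constructed; only the plain `permit ip` form of the ASA access-list line is parsed.

```python
# Mirrored crypto ACL check for an ASA site-to-site tunnel. Added example, not Cisco code;
# the two configuration snippets and all network numbers are constructed.
import ipaddress
from typing import Dict, List, Set, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed head-end configuration: one unrelated ACL plus the crypto ACL for Branch X.
HQ_CONFIG = """
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443
access-list L2L-BRANCHX extended permit ip 10.1.0.0 255.255.0.0 10.2.2.0 255.255.255.0
access-list L2L-BRANCHX extended permit ip 10.1.0.0 255.255.0.0 host 10.2.3.5
"""
# Constructed branch configuration: the second line is NOT a mirror of anything at the head end.
BRANCH_CONFIG = """
access-list L2L-HQ extended permit ip 10.2.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list L2L-HQ extended permit ip 10.2.9.0 255.255.255.0 10.1.0.0 255.255.0.0
"""


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ASA address spec at tokens[i]: 'host A', 'any'/'any4' or 'A MASK'.
    Returns the network and the index of the next unread token."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2  # dotted mask is accepted


def parse_crypto_acl(config: str, acl_name: str) -> Set[Pair]:
    """Collect (source, destination) networks from 'access-list NAME extended permit ip'
    lines. Object-groups, deny lines and non-ip protocols are not modelled and are skipped."""
    pairs: Set[Pair] = set()
    for raw in config.splitlines():
        t = raw.split()
        if t[:3] != ["access-list", acl_name, "extended"] or t[3:5] != ["permit", "ip"]:
            continue
        src, i = _address(t, 5)
        dst, _ = _address(t, i)
        pairs.add((src, dst))
    return pairs


def _fmt(pair: Pair) -> str:
    return f"{pair[0]} -> {pair[1]}"


def mirror_check(local: Set[Pair], remote: Set[Pair]) -> Dict[str, List[str]]:
    """The peer's crypto ACL must contain every local (src, dst) pair with the two sides
    swapped. Anything missing or extra is a Phase 2 proxy-identity mismatch waiting to happen."""
    expected_remote = {(dst, src) for src, dst in local}
    return {
        "missing_on_remote": sorted(_fmt(p) for p in expected_remote - remote),
        "extra_on_remote": sorted(_fmt(p) for p in remote - expected_remote),
    }


def check_sample() -> Dict[str, List[str]]:
    """Run the check over the two constructed configurations."""
    return mirror_check(parse_crypto_acl(HQ_CONFIG, "L2L-BRANCHX"),
                        parse_crypto_acl(BRANCH_CONFIG, "L2L-HQ"))


if __name__ == "__main__":
    for kind, entries in check_sample().items():
        print(kind, entries or "none")
```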
IPSec Remote Access VPN:
• Easy VPN Remote Access VPN:
• Traditional IPsec VPN utilizing client software on the endpoint
• Minimal client configuration for simplified deployment
• Also works with hardware clients such as an ASA or Cisco router
• Traffic can be tunneled over UDP or TCP for easier firewall and NAT
traversal
• Numerous authentication options. PSK, username/password,
certificates, and combinations.
IPSec Remote Access Configuration:
1. Enable IKEv1 or IKEv2 on interface
2. Create Connection Profile with IPSec enabled
–Configure group authentication
–Configure user authentication
–Configure IPSec parameters
–Configure user network settings
3. Customize group policy or create a custom group policy
–Configure user network settings
4. Configure Cisco VPN Client or Cisco AnyConnect
Certificate Authentication for Easy VPN:
Full EZVPN certificate configuration example:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100413-asavpnclient-ca.html
Deploying an Easy VPN Hardware Client:
• Utilizes hardware such as Cisco ASA or Cisco ISR in two
modes:
–Client Mode performs Port Address Translation (PAT) for hosts
behind client
–Network Extension Mode (NEM) connects the client network to the
head-end
Easy VPN Hardware Authentication:
• Authentication options for Phase 1.5 Xauth:
–Default authentication: Interactive CLI authentication
–No authentication (beyond group authentication during Phase 1)
–Secure Unit Authentication (SUA): Single user behind Client
authenticates once
–Individual User Authentication (IUA): Each user behind Client must
authenticate
• HTTP redirection intercepts web traffic to permit
interactive SUA or IUA authentication
Deploying an Easy VPN Server:
• Uses a Dynamic Crypto Map
–Only IPSec Transform set defined (encryption and hashing)
–Peers are unknown due to Remote Access clients with dynamic
addresses
• Easy VPN attributes are stored in the Group Policy and
User attributes
• Sample Group Policy settings
–Enable/disable NEM: nem
–Secure Unit Authentication: secure-unit-authentication
–Split Tunnel ACL: split-tunnel-network-list
–Split Tunnel Policy: split-tunnel-policy [ excludespecified | tunnelall |
tunnelspecified ]
–VPN Filter: vpn-filter
AnyConnect IKEv2 Remote Access:
• IKEv2 permits use of AnyConnect instead of Cisco VPN
Client
• Uses WebVPN attributes (not IPSec attributes) in
Connection Profile
• Allows Client Services features which run over SSL
–If services are disabled, provides basic IPSec IKEv2 tunnel
–Services: AnyConnect update, AnyConnect profile update,
Hostscan, etc.
IPSec Certificate Authentication:
• Utilizes certificate for authentication instead of PSK
• Certificates can be revoked to disable a client if
stolen/compromised
• Can be enabled with AAA to provide 2-factor
authentication
IPSec Certificate Authentication Configuration:
• Configure a trustpoint (CA certificate) and ASA certificate
• Configure Certificate for IKE Authentication in the
Connection Profile
• Configure clients to use a Client Certificate instead of PSK
Debugging Remote Access Connections:
• Ensure Phase 1 (IKE / ISAKMP) policies match
• Ensure Phase 2 (IPSec) Transforms match
• Ensure address pools are valid and not exhausted
• Ensure Pre-Shared Keys Match or Certificates are valid
–Ensure clocks are synchronized if using certificates
• Ensure AAA servers are reachable and functional
• Utilize ASDM Monitoring VPN functionality
• Ensure connections are mapping to correct group policy and
connection profile
• Debugging commands
–debug crypto [ ikev1 | ikev2] (Phase 1 and 1.5 debugs)
–debug crypto ipsec (Phase 2 debugs)
–debug aaa
–debug radius
AnyConnect SSL VPN:
• AnyConnect Secure Mobility Client
• Complete client solution for secure connectivity
–VPN, 3G/4G, WiFi hotspot, trusted WiFi, 802.1x, MACSEC
• Components
–IPSec IKEv2 VPN
–SSL VPN
–Posture Assessment (HostScan)
–Web Security (ScanSafe)
–Telemetry (Ironport integration)
–Network Access Manager (Wireless, 802.1x, MACSEC)
AnyConnect Remote Access Overview:
• Provides full tunnel access similar to IPsec remote access
• AnyConnect Profiles allow client settings pushed from head-
end
• Provides extra security with Cisco Secure Desktop
functionality
• Requires the use of AnyConnect client
• Client can be pre-loaded or downloaded from the ASA using
WebVPN
• Actual protocol is Transport Layer Security (TLS v1.0) or
Datagram Transport Layer Security (DTLS)
• TLS uses TCP 443, DTLS uses UDP 443
• DTLS functions over UDP to provide better performance
for real-time applications (voice) that are sensitive to
packet delays and jitter
–Uses TLS first to negotiate and establish DTLS connections
–Uses DTLS to transmit datagrams
AnyConnect Configuration:
• Key design and configuration choices:
–Client deployment: pre-deploy and/or web deployment
–VPN Protocol: TLS or IPSec IKEv2
–Authentication type: password, one-time-password, certificate, or
two methods
–Split tunneling policy
–Cisco Secure Desktop requirements
–AnyConnect Profile options
AnyConnect Profiles:
• Profiles are XML files stored on the ASA flash and pushed
to clients
• Profile settings configure the client to simplify user
interaction
• Profiles are edited via ASDM
• Sample profile settings
• Load uploaded profiles for user with Group Policies
Troubleshooting AnyConnect Client:
Debugging AnyConnect SSL VPN:
• Utilize ASDM Monitoring VPN functionality
• Ensure connections are mapping to correct group policy
and connection profile
• Debugging commands
–show webvpn ?
–debug webvpn ?
–debug aaa
–debug radius
Advanced Cisco AnyConnect Solutions:
AnyConnect Certificate Authentication:
• Certificate authentication can enable simplified
authentication, 2-factor authentication, and on-demand
VPN (mobile)
• Configuration:
1. Select ASA Device Certificate from Connection Profile screen
2. Enable Certificate or Both authentication methods in Connection
Profile
3. Configure clients with valid certificates or enable SCEP Proxy
AnyConnect Double Authentication:
• Allows the use of two AAA servers
1. Configure first AAA server as normal
2. Configure Secondary Authentication Server Group
Benefits of a full-tunneling remote-access SSL VPN include the
following:
■ It supports transparent access to any IP application.
■ Just basic user training is required, only for creating and terminating the VPN tunnel.
■ It supports low-latency forwarding of sensitive applications, such as IP voice, because of
Datagram Transport Layer Security
(DTLS) encapsulation.
■ Because it uses regular HTTPS port 443, it traverses firewalls and NAT devices
transparently.
■ VPN termination on ASA is restricted to AnyConnect clients (thus adding a layer of
security).
■ Auto-updates for AnyConnect clients are pushed from the ASA.
Drawbacks of a full-tunneling remote-access SSL VPN include the
following:
■ It requires installation of AnyConnect software on client machines.
■ It requires administrative privilege on the client machine for the initial install but not for
updates.
Benefits of a clientless SSL VPN include the following:
■ Because it uses regular HTTPS port 443, it traverses firewalls and NAT devices
transparently.
■ It does not require any software installation on client devices and is therefore compatible
with any device for which
AnyConnect is not available.
■ It does not require any administrative privileges on client device.
Drawbacks of a clientless SSL VPN include the following:
■ It does not support full native-application access (for example, only those supported by
port forwarding and smart tunnel, with respective restrictions).
■ It might require user training for optimum web portal usage.
■ It does not support low-latency forwarding and real-time applications.
■ The login portal on ASA could be accessed by anyone, and therefore additional security
measures are needed.
Benefits of a full-tunneling IPsec VPN include the following:
■ It supports transparent access to any IP application.
■ Just basic user training is required (only creating and terminating the VPN tunnel).
■ It supports low-latency forwarding of sensitive applications like IP voice, because
IPsec is a connectionless protocol.
■ VPN termination on ASA is restricted to only Cisco VPN clients.
■ It does not require licensing for IKEv1 IPsec sessions.
Drawbacks of a full-tunneling IPsec VPN include the following:
■ It requires installation of Cisco VPN IPsec software on client machines for IKEv1
IPsec sessions.
■ It requires installation of Cisco AnyConnect Secure Mobility Client on client
machines for IKEv2 IPsec sessions.
■ It requires administrative privilege on the client machine for both the initial
installation and updates; AnyConnect updates do not require administrative
privileges.
■ It can experience connectivity problems over firewalls and NAT devices because
IPsec (ESP) and IKEv1/IKEv2 might be restricted along the path between clients
and the VPN gateway.
Simple Certificate Enrollment Protocol (SCEP):
• SCEP Proxy allows clients to self provision certificates
• The ASA proxies requests from clients to CA
Cisco Secure Desktop:
• Advanced endpoint analysis, security, and remediation
• Downloaded and executed when AnyConnect or
Clientless session is initiated
• Works on Windows, Mac, and Linux (varying capabilities)
• Results of host analysis can be used with Dynamic
Access Policies
• Capabilities:
–Host scan – Checks for OS, patch levels, registry entries,
processes, and files
–Endpoint assessment – Checks and remediates Anti-Virus, Anti-
Spyware, and Personal Firewall
–Cache cleaner – Securely delete web browsing data remnants
–Keystroke logger detection
–Onscreen keyboard – Mitigate keystroke logger threat
Cisco Secure Desktop Setup:
• CSD ASDM installation
1. On CSD Setup page, upload CSD image
2. Click ‘Enable Secure Desktop’
• Enable features needed like pre-login policy, onscreen
keyboard, etc.
Pre-login Policy Decision Tree:
Onscreen Keyboard Configuration:
Keystroke Logger Configuration:
There are two major components in the process of VPN configuration:
1. Connection profiles, also known as tunnel groups from the CLI, which define
the prelogin requirements of a VPN session. A connection profile separates all
VPN sessions into groups based on requirements such as AAA method used or
connection method/protocol used, to apply different security policies on each
group or user.
2. Group policies, which define the postlogin security policies applied, such as
traffic filtering (authorization) or time restrictions.
Policy priority philosophy, starting from the highest priority:
1. DAP rules
2. User profiles (local or remotely pushed from the AAA server)
3. Group policy attached to user profile
4. Group policy attached to connection profile
5. DfltGrpPolicy group policy settings
For example, if you assign a group policy at both user profile and connection profile
levels for the respective user and VPN session, settings from both policies are
combined to form a final set of rules. If two policies have conflicting settings, settings
from the group policy applied at the user profile are preferred (in accordance with the
priority chart).
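The priority chain above, together with the "Settings are inherited" rule from the VPN Group Policy slide, as an added Python model (not ASA code and not from the slides). Attribute keywords follow the group-policy CLI names used on this page; the users, policies, ACL names and values are constructed, and a single matched DAP record is modelled.

```python
# Resolving effective VPN attributes through the ASA priority chain:
# DAP > user profile > group policy on user profile > group policy on connection
# profile > DfltGrpPolicy. Added example, not ASA code; all names and values are constructed.
from typing import Any, Dict, List, Tuple

INHERIT = None  # an attribute a level does not set is inherited from the next level down

# DfltGrpPolicy: every attribute has a value here, so nothing is ever left unresolved.
DFLT_GRP_POLICY: Dict[str, Any] = {
    "vpn-idle-timeout": 30,
    "split-tunnel-policy": "tunnelall",
    "vpn-tunnel-protocol": ["ikev1", "ssl-client"],
    "vpn-filter": "none",
}
# Group policy attached to the SALES-RA connection profile (constructed).
SALES_GP: Dict[str, Any] = {
    "split-tunnel-policy": "tunnelspecified",
    "split-tunnel-network-list": "SPLIT_ACL",
    "vpn-idle-timeout": 60,
}
# Group policy attached to the user profile; conflicts with SALES_GP on split tunneling.
CONTRACTOR_GP: Dict[str, Any] = {"split-tunnel-policy": "tunnelall"}
# User attributes for 'alice' (local or pushed from the AAA server).
ALICE_USER: Dict[str, Any] = {"vpn-filter": "CONTRACTOR_ACL"}
# DAP record selected when Host Scan reports no anti-virus: a quarantine ACL on top.
QUARANTINE_DAP: Dict[str, Any] = {"vpn-filter": "QUARANTINE_ACL"}


def resolve(attr: str, layers: List[Tuple[str, Dict[str, Any]]]) -> Tuple[Any, str]:
    """Walk the layers from highest to lowest priority; the first explicit value wins.
    Returns (value, name of the layer that supplied it)."""
    for source, attrs in layers:
        if attrs.get(attr, INHERIT) is not INHERIT:
            return attrs[attr], source
    return INHERIT, "unset"


def effective_policy(dap: Dict[str, Any], user_profile: Dict[str, Any],
                     user_group_policy: Dict[str, Any], profile_group_policy: Dict[str, Any],
                     dflt_grp_policy: Dict[str, Any] = DFLT_GRP_POLICY) -> Dict[str, Tuple[Any, str]]:
    """Combine all five levels into the final attribute set for one VPN session,
    recording for each attribute which level it came from."""
    layers = [
        ("DAP", dap),
        ("user profile", user_profile),
        ("group policy on user profile", user_group_policy),
        ("group policy on connection profile", profile_group_policy),
        ("DfltGrpPolicy", dflt_grp_policy),
    ]
    names = sorted({n for _, attrs in layers for n in attrs})
    return {n: resolve(n, layers) for n in names}


if __name__ == "__main__":
    # Session for alice on SALES-RA with no DAP record matched.
    for attr, (value, source) in effective_policy({}, ALICE_USER, CONTRACTOR_GP, SALES_GP).items():
        print(f"{attr:26} = {value!s:22} (from {source})")
```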
Dynamic Access Policies (DAP):
• Create powerful rules that enable dynamic access
• DAP selection criteria are combined with logical
expressions
–AAA attributes from LDAP or RADIUS
–Endpoint attributes from Endpoint Assessment and Host Scan
Dynamic Access Policies Configuration:
• If criteria met, Access and Authorization Policies can be set
–Permit, Quarantine, or Terminate connection and display message to
user
–Apply a Network ACL
–Apply a Web ACL (clientless)
–Enable/disable file browsing, file server entry, HTTP proxy, and URL
entry (clientless)
–Enable/disable/auto-start port forwarding lists (clientless)
–Enable bookmark lists (clientless)
–Permit or deny access methods such as AnyConnect and/or
Clientless
Selection Hierarchy for VPN Attributes:
Clientless SSL VPN:
Clientless SSL VPN Overview:
• Provides network access using a standard web browser.
No client.
• Secure access through multiple methods
–Internal websites – delivering internal websites over HTTPS
–Windows file shares – web-based file browsing capabilities
–Plug-ins – Java applets for telnet, SSH, RDP, VNC, and Citrix (ICA)
–Smart Tunnels – Automatic tunneling of application traffic through
the SSL VPN
–Port Forwarding – Opening local ports to be forwarded over the
SSL VPN
• Provides extra security with Cisco Secure Desktop
functionality
Clientless SSL VPN Configuration:
• Key design and configuration choices:
–Which access methods to permit (web, file browsing, plug-ins, etc.)
–Bookmarks for users
–Different web portals for different groups
–Authentication type: password, one-time-password, certificate, or
two methods
–Cisco Secure Desktop requirements
Clientless ASDM Configuration:
1.Upload Plug-ins and CSD to flash if needed
2.Configure AAA servers for required user authentication methods
3.Install an SSL certificate on the ASA for secure remote
connections
4.Configure Trustpoint if needed for client certificate authentication
5.Create Group Policy
•Define most of the Clientless options
6.Create Connection Profile
•User authentication type
•Associate Group Policy
•Create Connection Aliases and Group URLs for users to access this
Clientless SSL VPN
7.Enable SSL VPN on the appropriate interface
Clientless SSL VPN Bookmarks:
• Methods for assigning bookmarks
–Group policy
–User attributes
–LDAP or RADIUS attributes
–Dynamic Access Policy (DAP) result
• URL Variables for Single Sign On
–CSCO_WEBVPN_USERNAME — User login name
–CSCO_WEBVPN_PASSWORD — Obtained from user login password
–CSCO_WEBVPN_INTERNAL_PASSWORD — Obtained from the
Internal password field. You can use this field as Domain for Single
Sign-on operations.
–CSCO_WEBVPN_CONNECTION_PROFILE — User login group drop-down
–CSCO_WEBVPN_MACRO1 — Set via a RADIUS or LDAP vendor-specific attribute
–CSCO_WEBVPN_MACRO2 — Set via a RADIUS or LDAP vendor-specific attribute
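The variable substitution the portal performs on a single sign-on bookmark, added here as an illustration rather than ASA code: the bookmark URL, user and attribute values are constructed, and the leak check is this example's own defensive addition.

```python
"""Expand the CSCO_WEBVPN_* single sign-on variables in a clientless bookmark
URL, as the portal does per session. Added illustration, not ASA code: the
bookmark, user and attribute values used with it are constructed."""
import re
from urllib.parse import quote

_VARIABLE = re.compile(r"CSCO_WEBVPN_[A-Z0-9_]+")

def session_variables(username, password, internal_password, profile,
                      macro1="", macro2=""):
    """Map each variable name from the slide to its per-session value."""
    return {
        "CSCO_WEBVPN_USERNAME": username,
        "CSCO_WEBVPN_PASSWORD": password,                    # login password
        "CSCO_WEBVPN_INTERNAL_PASSWORD": internal_password,  # often used as the domain
        "CSCO_WEBVPN_CONNECTION_PROFILE": profile,           # login group drop-down
        "CSCO_WEBVPN_MACRO1": macro1,   # RADIUS/LDAP vendor-specific attribute
        "CSCO_WEBVPN_MACRO2": macro2,   # RADIUS/LDAP vendor-specific attribute
    }

def expand_bookmark(url, variables):
    """Substitute every known variable with its URL-encoded value. An unknown
    CSCO_WEBVPN_* token is left as-is so a misspelled variable stays visible."""
    def replace(match):
        name = match.group(0)
        return quote(variables[name], safe="") if name in variables else name
    return _VARIABLE.sub(replace, url)

def bookmark_leaks_password(url):
    """Defensive check (example's own): a bookmark that places the login
    password in the query string exposes it in web-server and proxy logs;
    ASA bookmarks can send such SSO fields as POST parameters instead."""
    query = url.partition("?")[2]
    return re.search(r"\bCSCO_WEBVPN_PASSWORD\b", query) is not None
```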
Clientless Smart Tunnels:
• Allows a TCP-based application to tunnel through the
clientless VPN
• Benefits
–Better performance than plug-ins
–Simplifies user experience compared to forwarding local ports
–Does not require administrative privileges, unlike port forwarding
• Available for Windows (using Internet Explorer) and Mac
• Configuring Smart Tunnels in Group Policy
Deploying Advanced Application Access for Clientless
SSL VPN:
• Configuring Smart Tunnels:
Clientless Plug-ins:
• Java applets that enable secure application connectivity
through the SSL VPN browser session and enable new
URL and bookmark types
–Citrix Client (ica://), RDP (rdp://, rdp2://), Shell (telnet://, ssh://), VNC
(vnc://)
–Does not require administrator privileges on endpoint
Clientless Plug-ins Configuration:
1.Load the plug-ins via ASDM
2.Customize bookmarks with Plug-Ins URLs
Clientless Port Forwarding:
• Port forwarding supports TCP applications over the SSL
VPN
• Works by opening local ports and forwarding the connection
as defined by the port forward configuration
• DNS is intercepted to force applications to connect to the
local ports
• Requires administrative rights on the endpoint to function
• Works on Windows, Mac, and Linux
Port Forwarding Configuration:
1.Configure Port Forwarding List
2.Specify Port Forwarding List in Group Policy
Customizing the Clientless SSL VPN User Interface and
Portal:
Customizing the SSL Login Page:
WebACL Example
Debugging Clientless SSL VPN:
• Utilize ASDM Monitoring VPN functionality
• Ensure connections are mapping to correct group policy
and connection profile
• Debugging commands
–show webvpn ?
–debug webvpn ?
–debug aaa
–debug radius
–debug dap
High Availability for Cisco ASA VPN Solutions:
• Redundant head-end peering
– Configure two head-ends with 2 IPsec tunnels
– Utilize two interfaces with 2 ISPs for additional redundancy
– Static route tracking is used to switch between ISPs
High Availability Options:
• Active / Standby chassis redundancy
–ASA must be in single context and routed mode to support VPNs
–Configure both Failover link and Stateful link to preserve VPN
sessions
• VPN Load Balancing feature
–Virtual load balancing built into ASA
–No external load balancer required
–Works with IPsec remote access, SSL VPN tunnels, and SSL VPN clientless
–VPN Clustering requires a Unified Client Certificate