CCNP Security-VPN

These slides were taken from Cisco Live 2012 & 2013. 3/12/2014, Eng. Mohannad Alhanahnah.

DEPLOYING CISCO ASA VPN SOLUTIONS (VPN)

Agenda:
• Overview of the CCNP Security VPN v2.0 Exam
• VPN v2.0 Topics
• ASA VPN Architecture and Fundamentals
• VPN Fundamentals
• IPsec Site-to-Site
• IPsec Remote Access
• AnyConnect VPN
• Clientless SSL VPN

Overview of the CCNP Security:
• All four CCNP Security exams are required:
  – SECURE – 642-637
  – IPS – 642-627
  – FIREWALL – 642-618
  – VPN – 642-648
• ~90 minutes with 60-70 questions
• Register with Pearson VUE: http://www.vue.com/cisco
• Exam cost is $200.00 US

Preparing for the VPN v2.0 Exam:
• Recommended reading
  – CCNP Security VPN 642-648 Official Cert Guide
  – Cisco ASA 8.4 Configuration Guide
• Recommended training via Cisco Learning Partners
  – Deploying Cisco ASA VPN Solutions
• Cisco Learning Network – Exam Blueprints: www.cisco.com/go/learnnetspace
• Practical experience
  – Real equipment
  – ASDM in demo mode

Cisco ASA Architecture and VPN Fundamentals:
• ASA VPN Overview
• ASA Design Considerations
• AAA and PKI Refreshers
• VPN Configuration Basics

Virtual Private Networks (VPNs):
• Virtual Private Networks (VPNs) are a way to establish private connections over another network
• VPN Capabilities

ASA Virtual Private Network Options:
• Site-to-Site VPN
  – Connects two separate networks using two VPN gateway devices such as an ASA
  – Uses IPsec
• Remote Access VPN
  – Connects a single user to a remote network via a gateway such as an ASA
  – Uses IPsec or Secure Sockets Layer (SSL)

Remote Access VPN:
• Client-based VPN
  – Remote access using an installed VPN client such as AnyConnect
  – Permits "full tunnel" access
• Clientless VPN
  – Remote access through a web browser that leverages the browser's SSL encryption for protection
  – Permits limited access, but no footprint is required on the endpoint

Choosing a Remote Access VPN Method:
• IPsec VPN
  – Traditional IPsec access
  – Cisco VPN Client
• AnyConnect VPN
  – Recommended next-generation remote access
  – Windows 7 supported
  – SSL VPN or IPsec
  – HostScan and other advanced features
• Clientless SSL VPN (WebVPN)
  – Recommended for thin, flexible access from any computer
  – Web browser based using SSL encryption; no software required
  – Permits network access via HTTP/S, plug-ins, and port forwarding
  – Cisco Secure Desktop

EasyVPN:
• EasyVPN can be used for Remote Access or Site-to-Site VPNs
  – Uses IPsec as transport
  – Remote Access uses the Cisco VPN Client
  – Site-to-Site uses hardware clients such as an ASA 5505 or a Cisco router
• Benefits
  – Minimizes configuration for deploying software and hardware clients
  – Centralizes configuration on the ASA head end

Choosing an ASA for Site-to-Site VPN:
• Model considerations
  – VPN throughput
  – Number of VPN peers
• No licenses required for IPsec
  – The ASA 5505 Security Plus license increases the session maximum
  – 3DES/AES license (without it only DES is available, which is not an acceptable cipher)

Choosing an ASA for Remote Access VPN:
• Model considerations
  – VPN throughput
  – Number of Remote Access user sessions (combined across VPN types)

Remote Access VPN Licensing:
• Other VPN – IPsec IKEv1
• AnyConnect Essentials
  – The AnyConnect client provides full tunnel connectivity
  – Windows, Mac, Linux, iOS, and Android
• AnyConnect Premium
  – Adds Clientless (WebVPN) and HostScan features
  – Adds additional AnyConnect client features
• http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license.html

ASA License Keys:
• Two types – Permanent and Time-Based
• One Permanent license
• Time-Based licenses can be stacked
• Some licensed features use the higher value, but some combine
• Understand the rules: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/license/license_management/license.html

VPN Configuration Components – VPN Group Policy:
• Internal (ASA) or External (RADIUS)
• Sample of the settings it carries:
  – WINS, DNS, DHCP, web proxy settings
  – VPN access hours, idle timeout, network filter, permitted VPN protocols
  – Split tunneling
• The default Group Policy is called DfltGrpPolicy. It can be modified but NOT deleted.
• Settings are inherited:
  – User ==> Connection Profile's Group Policy ==> Default Group Policy

External Group Policy:
• Stored on a RADIUS server as a special user account
• The RADIUS user includes Vendor-Specific Attributes (VSAs) for the Group Policy settings
• The Group Policy configuration on the ASA includes the RADIUS username and password used to retrieve it

VPN Connection Profile:
• Formerly called Tunnel Group. The command line still uses tunnel-group terminology.
• Core VPN service attributes
  – VPN type (IPsec Site-to-Site, IPsec Remote Access, SSL VPN, Clientless)
  – Authentication, authorization, and accounting servers
  – Default group policy
  – Client address assignment method
  – VPN-type-specific attributes for IPsec and SSL VPN
• Default Connection Profiles. They can be modified but NOT deleted.
  – DefaultRAGroup – Remote Access connections
  – DefaultWEBVPNGroup – Clientless SSL VPN connections
  – DefaultL2LGroup – IPsec site-to-site connections
• Settings are inherited

VPN Configuration Methods:
• Command line
• ASDM with Connection Profiles and Group Policies
• ASDM VPN Wizard

AAA Refresher:
• Authentication, Authorization, and Accounting (AAA)
  – Authentication: proving the identity of the user
  – Authorization: granting permissions to the user
  – Accounting: logging the user's session
• AAA servers are used to perform one or more of the AAA functions
  – Supported AAA servers include RADIUS, TACACS+, RSA/SDI, NT, Kerberos, LDAP, HTTP Forms, and the LOCAL database
  – Server example – Cisco ACS for RADIUS or TACACS+

Public Key Infrastructure (PKI) Refresher:
• Pre-Shared Key (PSK) deployments do not scale (a symmetric key has to be shared with every peer)
• PKI scales better, with improved security and management
• Uses digital certificates and public key cryptography
• Asymmetric cryptography
  – Data encrypted with the public key is decrypted with the private key
  – Data encrypted with the private key is decrypted with the public key (the basis of digital signatures)
• Each device has a public key, a private key, and a certificate signed by the Certificate Authority
• Certificates are issued:
  – Manually
  – Via Certificate Signing Requests (CSR)
  – Via the Simple Certificate Enrollment Protocol (SCEP)
• Validation steps
  – Check the validity of the certificate based on date/time and certificate attributes
  – Check the certificate signature using the stored Certificate Authority certificate
  – Ensure the certificate has not been revoked (optional, but without it a stolen key stays usable until the certificate expires)
    • Check the Certificate Revocation List (CRL)
    • Online Certificate Status Protocol (OCSP)
• Enrollment options
  – Manually enroll the ASA and endpoints by creating certificates and loading them
  – The ASA can also use SCEP to enroll directly with the CA
  – VPN clients can enroll online with the ASA using the Simple Certificate Enrollment Protocol (SCEP) proxy

IPsec:
• IPsec is an open standard (IETF)
• Network layer protocol
• Provides data security and tunneling services
• A framework of many open standards
• Scales from small to very large networks
• Works only for IP unicast traffic
• GRE over IPsec (the GRE tunnel carries the traffic, IPsec protects the GRE packets) is used for non-IP or multicast traffic

IPsec Modes:
• Tunnel or transport mode
• Transport mode
  – Security is provided only for the transport layer and above
  – Protects the payload of the packet but leaves the original IP header in the clear
  – The original IP addresses are used to route the packet across the Internet
• Tunnel mode
  – Provides security for the whole original IP packet
  – The original IP packet is encrypted
  – The encrypted packet is encapsulated in another IP packet

IPsec Protocols:
• Negotiation protocol
  – IKE
• Security protocols
  – ESP
  – AH
• Encryption
  – DES
  – 3DES
  – AES
• Authentication (integrity)
  – MD5
  – SHA
• Protection (Diffie-Hellman for key agreement, not for exchanging passwords)
  – DH 1
  – DH 2
  – DH 5
  – DH 7
• DES, MD5 and DH groups 1 and 2 are considered weak today; prefer AES, SHA and DH 5 or higher wherever both peers support them

Internet Key Exchange:
• IKE solves the problems of manual and unscalable IPsec implementation by automating the entire key exchange process:
  – Negotiation of SA characteristics
  – Automatic key generation
  – Automatic key refresh
  – Manageable manual configuration
• In IKE Phase One, in main or aggressive mode, the peers:
  – Negotiate an IKE protection suite
  – Authenticate each other
  – Exchange keying material to protect the IKE session
  – Establish the IKE SA
• Then in IKE Phase Two, in quick mode, the peers:
  – Negotiate IPsec policies
  – Exchange keying material for the IPsec SAs
  – Establish the IPsec SAs

IKE Phase One:
• Runs in main or aggressive mode; the mode used is implementation and situation dependent
• Main mode – ISAKMP uses six messages to establish the IKE SA
  – SA negotiation, Diffie-Hellman key exchange, and authentication of the peers
  – Hides the identity of the IKE peers from eavesdroppers
  – Can use the protocol's negotiation capabilities to the fullest
• Aggressive mode takes half the number of messages (three)
  – Offers less negotiating flexibility
  – The initiating peer proposes a list of policies, and the responder accepts a policy or rejects the offers
  – Does not provide peer identity protection
  – Much faster than main mode
  – Used mainly when the security policies are well known on both peers

IKE Phase Two:
• Used to negotiate and establish the SAs of other protocols, such as AH and ESP for IPsec
• Operates in only one defined mode – quick mode
• The IKE initiator presents a list of IPsec policy proposals and the IKE responder chooses an acceptable proposal
• Quick mode is quite fast, with almost no noticeable delay
• Once an IKE SA is in place, only quick mode exchanges are used to negotiate additional IPsec SAs or to rekey established IPsec SAs

IKE Negotiation (figure, copyright Zoom Technologies; three routers labelled 3800, 2600 and 2500 at Head Office, Branch X and Branch Y, all using pre-shared authentication and DH 2):
• Head Office policies: 1 – AES / SHA; 2 – 3DES / SHA; 3 – DES / MD5
• Branch X policies: 1 – 3DES / SHA; 2 – DES / MD5
• Branch Y policy: 1 – DES / MD5
• The peers settle on the first policy that matches on both sides, so Head Office ends up using 3DES/SHA with Branch X and falls back to DES/MD5 with Branch Y. Keeping a weak policy "just in case" means it will be used whenever the other side offers nothing better.

ESP and AH:
• ESP – IP protocol 50
  – Provides a framework for encryption, authentication, and data integrity; optional anti-replay
• Authentication Header (AH) – IP protocol 51
  – Provides a framework for authentication and data integrity only (no encryption); optional anti-replay

Digital signatures and certificates: (figure not reproduced in the transcript)
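The negotiation in the IKE Negotiation figure, as an added example that is not part of the original slides. It models the Cisco matching rule (the responder walks its own policies from highest priority and takes the first one that any of the initiator's proposals matches) and reports which weak choices the selected policy carries. The policy sets are constructed to mirror the figure's labels; lifetime is left out because the responder only requires its own lifetime to be at least the proposal's and it rarely decides the match.

```python
"""IKEv1 Phase 1 policy selection, modelled after the IKE Negotiation figure.

Added example, not from the slides. Policies are kept in priority order
(lowest number = highest priority), as on an ASA or IOS router. The responder
walks its own policies from highest priority and picks the first one matched
by any of the initiator's proposals; the result is acceptable to both sides,
but it is whichever policy the RESPONDER ranks highest.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str      # des | 3des | aes | aes-192 | aes-256
    hash: str            # md5 | sha
    authentication: str  # pre-share | rsa-sig
    dh_group: int        # 1, 2, 5, 7 ...

    def matches(self, other: "IkePolicy") -> bool:
        """Two policies match when every negotiated attribute is equal."""
        return (self.encryption, self.hash, self.authentication, self.dh_group) == \
               (other.encryption, other.hash, other.authentication, other.dh_group)


# Algorithm choices that should not be accepted on a new deployment.
WEAK_ENCRYPTION = {"des"}     # 3des is legacy and flagged separately below
WEAK_HASH = {"md5"}
WEAK_DH = {1, 2}


def negotiate(initiator: Iterable[IkePolicy],
              responder: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Return the responder policy selected for the IKE SA, or None if nothing matches."""
    proposals = sorted(initiator, key=lambda p: p.priority)
    for candidate in sorted(responder, key=lambda p: p.priority):
        if any(candidate.matches(p) for p in proposals):
            return candidate
    return None  # Phase 1 fails; debug crypto ikev1 would show no proposal chosen


def weaknesses(policy: IkePolicy) -> List[str]:
    """List the weak attributes of a policy; an empty list means it is acceptable."""
    found = []
    if policy.encryption in WEAK_ENCRYPTION:
        found.append(f"encryption {policy.encryption}")
    elif policy.encryption == "3des":
        found.append("encryption 3des (legacy, prefer aes)")
    if policy.hash in WEAK_HASH:
        found.append(f"hash {policy.hash}")
    if policy.dh_group in WEAK_DH:
        found.append(f"dh group {policy.dh_group}")
    return found


def strip_weak(policies: Iterable[IkePolicy]) -> List[IkePolicy]:
    """Drop every policy that uses DES or MD5 (DH 2 is kept; the whole figure uses it)."""
    return [p for p in policies
            if p.encryption not in WEAK_ENCRYPTION and p.hash not in WEAK_HASH]


# Policy sets constructed to match the figure's labels.
HEAD_OFFICE = [
    IkePolicy(1, "aes", "sha", "pre-share", 2),
    IkePolicy(2, "3des", "sha", "pre-share", 2),
    IkePolicy(3, "des", "md5", "pre-share", 2),
]
BRANCH_X = [
    IkePolicy(1, "3des", "sha", "pre-share", 2),
    IkePolicy(2, "des", "md5", "pre-share", 2),
]
BRANCH_Y = [
    IkePolicy(1, "des", "md5", "pre-share", 2),
]


if __name__ == "__main__":
    for name, branch in (("Branch X", BRANCH_X), ("Branch Y", BRANCH_Y)):
        chosen = negotiate(HEAD_OFFICE, branch)
        print(f"Head Office -> {name}: {chosen}  weaknesses={weaknesses(chosen)}")
    # Removing the DES/MD5 policy from Head Office leaves Branch Y un-negotiable,
    # which is the "ensure Phase 1 policies match" failure from the debugging slides.
    print("hardened Head Office -> Branch Y:", negotiate(strip_weak(HEAD_OFFICE), BRANCH_Y))
```

Because the responder's ranking wins, an initiator that lists DES first and AES second still gets AES from a responder that ranks AES first; the cleanup that actually removes DES from the network is deleting the weak policy on both peers, not reordering it.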
IPsec and SSL Encryption Fundamentals – IPsec Connection Overview:
1. Interesting traffic
2. Phase 1 (ISAKMP)
3. Phase 1.5 (ISAKMP)
4. Phase 2 (IPsec)
5. Data transfer
6. IPsec tunnel termination

1. Match interesting traffic
  – An Access Control List (ACL) defines the matching source/destination addresses to protect
  – Both sides have mirrored ACLs
  – Internet Key Exchange (IKE) kicks off when a packet matches the ACL
2. Phase 1 – ISAKMP
  – Main Mode or Aggressive Mode exchange
  – ISAKMP policies matched
  – Diffie-Hellman exchange creates the shared key
  – Identities exchanged and authenticated
  – ISAKMP Security Association (SA) created
  – Negotiates the Phase 2 parameters
3. Phase 1.5 – Xauth and mode config (remote access only)
  – Additional user authentication
  – Client configuration – IP address, DNS server, etc.
4. Phase 2 – IPsec Security Associations (SA)
  – An SA is a unidirectional data channel, so a tunnel needs one in each direction
  – Negotiated encryption and hashing
  – Re-keyed after a time or byte limit
5. Data transfer over the IPsec SAs
6. Tunnel termination
  – Lack of interesting traffic
  – Peer quits responding
  – Admin termination
  – SA lifetime (time or byte limit) expires without a rekey

IKEv1 Details:
• Main Mode
  – Three 2-way exchanges (6 messages) for:
    • ISAKMP policy
    • Diffie-Hellman exchange
    • Verifying the IPsec peer's identity
  – Protects identities by exchanging them inside the secure tunnel
• Aggressive Mode
  – Performs the three exchanges in a single exchange (3 messages in total)
  – Faster than Main Mode because of the fewer messages
  – Exposes identities, and with a Pre-Shared Key the authentication hash travels before encryption is in place, so it can be captured for offline cracking
  – Required in some cases: dynamic peers with a Pre-Shared Key (Easy VPN)

IKEv2:
• Internet Key Exchange version 2 – RFC 4306 (since obsoleted by RFC 5996 and RFC 7296)
• Introduced in ASA 8.4 and AnyConnect 3.0
• Benefits
  – Denial of Service prevention using cookies
  – Fewer negotiation messages
  – Built-in Dead Peer Detection
  – Built-in Configuration Payload and user authentication (using EAP)
  – Allows asymmetric authentication (for example a certificate on the gateway and EAP on the client)
  – Built-in NAT Traversal
  – Better rekeying and collision handling

IPsec Details:
• Phase 2 – Quick Mode
  – Exchange protected by the Phase 1 IKE Security Association (SA)
  – Negotiates the IPsec SA parameters
  – Creates the IPsec SAs
  – Periodically renegotiates the IPsec SAs
  – (optional) Performs a fresh Diffie-Hellman exchange for Perfect Forward Secrecy (PFS), so that compromise of the IKE SA keys does not expose earlier IPsec keys

Phase 1 Configuration – Diffie-Hellman: (screenshot not reproduced in the transcript)

SSL and TLS:
• TLS is the evolution of SSL (originally developed by Netscape Communications)
• The server and, optionally, the client are authenticated via X.509 certificates
• Cryptographic algorithms and shared secrets are negotiated
• SSL VPNs use TLS encryption to protect tunneled IP traffic
• Standard browsers and AnyConnect use TLS for SSL VPNs

VPN Ports and Protocols: (table not reproduced in the transcript; for reference, IKE uses UDP 500, NAT-T UDP 4500, ESP IP protocol 50, AH IP protocol 51, TLS TCP 443 and DTLS UDP 443)

Debugging Basics:
• Enable logging
• Issue the relevant debug commands
• Use the ASDM Log Viewer, the CLI, or syslog

ASDM Real-Time Log Viewer / ASDM VPN Monitoring: (screenshots not reproduced in the transcript)

Debugging VPN Connections:
• Debugging commands
  – debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)
  – debug crypto ipsec (Phase 2 debugs)
  – debug [ webvpn | aaa | radius | dap ]
• Common IPsec VPN problems: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
• IPsec debug guide: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

IPsec Site-to-Site VPNs:
• Site-to-site VPNs are used to connect two sites together
• They are often used to connect branch offices to the main office
• Used instead of private WAN connections

Site-to-Site IPsec Connection Creation:
• Key configuration choices:
  – Peer IP address
  – Authentication type (Pre-Shared Key or certificate)
  – IKE policy (Phase 1)
  – IPsec policy (Phase 2)
  – Interesting traffic ACL – local and remote networks

Site-to-Site IPsec Configuration:
1. Enable IKEv1 or IKEv2 on the interface
2. Create a Connection Profile
  – Specify parameters such as the peer address, protected networks, IKE parameters, and IPsec parameters

IPsec Wizard Configuration / IPsec Manual Configuration: (screenshots not reproduced in the transcript)

Site-to-Site IPsec IKEv2:
• The ASA supports fallback to IKEv1 for easy migration
• Similar to a standard IPsec IKEv1 configuration
  – Enable IKEv2 on the interface
  – Configure and use IKEv2 policies
  – Configure and use IKEv2 tunnel group settings

Debugging Site-to-Site Connections:
• Ensure Phase 1 (ISAKMP) policies match
• Ensure Phase 2 (IPsec) transform sets match
• Ensure the crypto Access Control Lists mirror each other
• Ensure Pre-Shared Keys match or certificates are valid
  – Ensure clocks are synchronized if using certificates
• Ensure decrypted VPN traffic is permitted through the ASA: sysopt connection permit-vpn lets it bypass the interface ACL; if that is disabled, the interface ACL must allow it explicitly
• Debugging commands
  – debug crypto [ ikev1 | ikev2 ] (Phase 1 debugs)
  – debug crypto ipsec (Phase 2 debugs)

IPsec Remote Access VPN – Easy VPN Remote Access:
• Traditional IPsec VPN using client software on the endpoint
• Minimal client configuration for simplified deployment
• Also works with hardware clients such as an ASA or Cisco router
• Traffic can be tunneled over UDP or TCP for easier firewall and NAT traversal
• Numerous authentication options: PSK, username/password, certificates, and combinations

IPsec Remote Access Configuration:
1. Enable IKEv1 or IKEv2 on the interface
2. Create a Connection Profile with IPsec enabled
  – Configure group authentication
  – Configure user authentication
  – Configure IPsec parameters
  – Configure the client address assignment
3. Customize the default group policy or create a custom group policy
  – Configure user network settings
4. Configure the Cisco VPN Client or Cisco AnyConnect

Certificate Authentication for Easy VPN:
• Full EZVPN certificate configuration example: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100413-asavpnclient-ca.html

Deploying an Easy VPN Hardware Client:
• Uses hardware such as a Cisco ASA or Cisco ISR in one of two modes:
  – Client Mode performs Port Address Translation (PAT) for the hosts behind the client
  – Network Extension Mode (NEM) connects the client network to the head end without translation

Easy VPN Hardware Authentication:
• Authentication options for Phase 1.5 Xauth:
  – Default authentication: interactive CLI authentication
  – No authentication (beyond the group authentication during Phase 1)
  – Secure Unit Authentication (SUA): a single user behind the client authenticates once on behalf of the unit
  – Individual User Authentication (IUA): each user behind the client must authenticate
• HTTP redirection intercepts web traffic to permit interactive SUA or IUA authentication

Deploying an Easy VPN Server:
• Uses a Dynamic Crypto Map
  – Only the IPsec transform set is defined (encryption and hashing)
  – Peers are unknown because Remote Access clients have dynamic addresses
• Easy VPN attributes are stored in the Group Policy and User attributes
• Sample Group Policy settings
  – Enable/disable NEM: nem
  – Secure Unit Authentication: secure-unit-authentication
  – Split tunnel ACL: split-tunnel-network-list
  – Split tunnel policy: split-tunnel-policy [ excludespecified | tunnelall | tunnelspecified ]
  – VPN filter: vpn-filter
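What the three split-tunnel-policy values actually do to a client's traffic, as an added example that is not part of the original slides. It models the group-policy settings split-tunnel-policy and split-tunnel-network-list with the standard library ipaddress module; the network list and the sample destinations are constructed, and the audit rules are this example's own reading of the common misconfigurations, not an ASA feature.

```python
"""Which destinations leave the tunnel under each split-tunnel-policy value.

Added example, not from the slides. The network list plays the role of the
ACL referenced by split-tunnel-network-list; the destinations are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

TUNNELALL = "tunnelall"
TUNNELSPECIFIED = "tunnelspecified"
EXCLUDESPECIFIED = "excludespecified"
_DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def _parse(network_list: Iterable[str]):
    return [ipaddress.ip_network(n, strict=False) for n in network_list]


def goes_through_tunnel(destination: str, policy: str, network_list: Iterable[str] = ()) -> bool:
    """True if the client sends traffic for `destination` over the VPN."""
    dest = ipaddress.ip_address(destination)
    listed = any(dest in net for net in _parse(network_list))
    if policy == TUNNELALL:
        return True                 # the network list is ignored
    if policy == TUNNELSPECIFIED:
        return listed               # only listed networks are tunneled
    if policy == EXCLUDESPECIFIED:
        return not listed           # listed networks bypass the tunnel
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def audit(policy: str, network_list: Iterable[str] = ()) -> List[str]:
    """Flag split-tunnel settings that do not do what their name suggests."""
    nets = _parse(network_list)
    issues = []
    if policy == TUNNELSPECIFIED and not nets:
        issues.append("tunnelspecified with an empty list tunnels nothing")
    if policy == EXCLUDESPECIFIED and _DEFAULT_ROUTE in nets:
        issues.append("excludespecified with 0.0.0.0/0 sends all traffic in the clear")
    if policy == TUNNELSPECIFIED and _DEFAULT_ROUTE in nets:
        issues.append("tunnelspecified with 0.0.0.0/0 is tunnelall in disguise")
    if policy != TUNNELALL:
        # Direct traffic never reaches the ASA, so vpn-filter and inspection do not see it.
        issues.append("split tunneling bypasses the ASA vpn-filter and inspection for direct traffic")
    return issues


def exposure_report(policy: str, network_list: Iterable[str], samples: Iterable[str]) -> Dict[str, str]:
    """Map each sample destination to 'tunnel' or 'direct'."""
    return {d: ("tunnel" if goes_through_tunnel(d, policy, network_list) else "direct")
            for d in samples}


if __name__ == "__main__":
    inside = ["10.0.0.0/8", "172.16.0.0/12"]          # constructed corporate ranges
    samples = ["10.20.1.5", "172.20.0.9", "192.168.1.10", "198.51.100.7"]
    for policy in (TUNNELALL, TUNNELSPECIFIED, EXCLUDESPECIFIED):
        print(policy, exposure_report(policy, inside, samples), audit(policy, inside))
```

The report shows why tunnelspecified is the usual choice when split tunneling is allowed at all: with excludespecified every network not named in the list, including any new internal range, rides the tunnel, while anything named bypasses the vpn-filter entirely.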
AnyConnect IKEv2 Remote Access:
• IKEv2 permits the use of AnyConnect instead of the Cisco VPN Client
• Uses WebVPN attributes (not IPsec attributes) in the Connection Profile
• Allows Client Services features, which run over SSL
  – If services are disabled, provides a basic IPsec IKEv2 tunnel
  – Services: AnyConnect update, AnyConnect profile update, HostScan, etc.

IPsec Certificate Authentication:
• Uses a certificate for authentication instead of a PSK
• Certificates can be revoked to disable a client if it is stolen/compromised (only effective if the ASA is configured to check a CRL or OCSP)
• Can be combined with AAA to provide 2-factor authentication

IPsec Certificate Authentication Configuration:
• Configure a trustpoint (CA certificate) and an ASA certificate
• Configure the certificate for IKE authentication in the Connection Profile
• Configure clients to use a client certificate instead of a PSK

Debugging Remote Access Connections:
• Ensure Phase 1 (IKE / ISAKMP) policies match
• Ensure Phase 2 (IPsec) transform sets match
• Ensure address pools are valid and not exhausted
• Ensure Pre-Shared Keys match or certificates are valid
  – Ensure clocks are synchronized if using certificates
• Ensure AAA servers are reachable and functional
• Use the ASDM Monitoring > VPN functionality
• Ensure connections are mapping to the correct group policy and connection profile
• Debugging commands
  – debug crypto [ ikev1 | ikev2 ] (Phase 1 and 1.5 debugs)
  – debug crypto ipsec (Phase 2 debugs)
  – debug aaa
  – debug radius

AnyConnect SSL VPN:
• AnyConnect Secure Mobility Client
• Complete client solution for secure connectivity
  – VPN, 3G/4G, WiFi hotspot, trusted WiFi, 802.1X, MACsec
• Components
  – IPsec IKEv2 VPN
  – SSL VPN
  – Posture assessment (HostScan)
  – Web security (ScanSafe)
  – Telemetry (IronPort integration)
  – Network Access Manager (wireless, 802.1X, MACsec)

AnyConnect Remote Access Overview:
• Provides full tunnel access similar to IPsec remote access
• AnyConnect Profiles allow client settings to be pushed from the head end
• Provides extra security with Cisco Secure Desktop functionality
• Requires the use of the AnyConnect client
• The client can be pre-loaded or downloaded from the ASA using WebVPN
• The actual protocol is Transport Layer Security (TLS v1.0) or Datagram Transport Layer Security (DTLS)
• TLS uses TCP 443; DTLS uses UDP 443
• DTLS runs over UDP to provide better performance for real-time applications (voice) that are sensitive to packet delay and jitter
  – TLS is used first to negotiate and establish the DTLS connection
  – DTLS is then used to transmit the datagrams; if UDP 443 is blocked the client stays on the TLS tunnel

AnyConnect Configuration:
• Key design and configuration choices:
  – Client deployment: pre-deploy and/or web deployment
  – VPN protocol: TLS or IPsec IKEv2
  – Authentication type: password, one-time password, certificate, or two methods
  – Split tunneling policy
  – Cisco Secure Desktop requirements
  – AnyConnect Profile options

AnyConnect Profiles:
• Profiles are XML files stored on the ASA flash and pushed to clients
• Profile settings configure the client to simplify user interaction
• Profiles are edited via ASDM
• Sample profile settings (screenshot not reproduced in the transcript)
• Uploaded profiles are assigned to users through Group Policies

Troubleshooting the AnyConnect Client – Debugging AnyConnect SSL VPN:
• Use the ASDM Monitoring > VPN functionality
• Ensure connections are mapping to the correct group policy and connection profile
• Debugging commands
  – show webvpn ?
  – debug webvpn ?
  – debug aaa
  – debug radius

Advanced Cisco AnyConnect Solutions – AnyConnect Certificate Authentication:
• Certificate authentication can enable simplified authentication, 2-factor authentication, and on-demand VPN (mobile)
• Configuration:
  1. Select the ASA device certificate on the Connection Profile screen
  2. Enable the Certificate or Both authentication method in the Connection Profile
  3. Configure clients with valid certificates or enable SCEP Proxy

AnyConnect Double Authentication:
• Allows the use of two AAA servers
  1. Configure the first AAA server as normal
  2. Configure the Secondary Authentication Server Group

Benefits of a full-tunneling remote-access SSL VPN include the following:
■ It supports transparent access to any IP application.
■ Only basic user training is required, for creating and terminating the VPN tunnel.
■ It supports low-latency forwarding of sensitive applications, such as IP voice, because of Datagram Transport Layer Security (DTLS) encapsulation.
■ Because it uses the regular HTTPS port 443, it traverses firewalls and NAT devices transparently.
■ VPN termination on the ASA is restricted to AnyConnect clients (thus adding a layer of security).
■ Auto-updates for AnyConnect clients are pushed from the ASA.

Drawbacks of a full-tunneling remote-access SSL VPN include the following:
■ It requires installation of the AnyConnect software on client machines.
■ It requires administrative privilege on the client machine for the initial install, but not for updates.

Benefits of a clientless SSL VPN include the following:
■ Because it uses the regular HTTPS port 443, it traverses firewalls and NAT devices transparently.
■ It does not require any software installation on client devices and is therefore compatible with any device for which AnyConnect is not available.
■ It does not require any administrative privileges on the client device.

Drawbacks of a clientless SSL VPN include the following:
■ It does not support full native-application access (only the applications supported by port forwarding and smart tunnels, with their respective restrictions).
■ It might require user training for optimum web portal usage.
■ It does not support low-latency forwarding and real-time applications.
■ The login portal on the ASA can be reached by anyone on the Internet, so additional security measures (certificate or two-factor authentication, Cisco Secure Desktop checks, DAP) are needed.

Benefits of a full-tunneling IPsec VPN include the following:
■ It supports transparent access to any IP application.
■ Only basic user training is required (creating and terminating the VPN tunnel).
■ It supports low-latency forwarding of sensitive applications like IP voice, because IPsec is a connectionless protocol.
■ VPN termination on the ASA is restricted to Cisco VPN clients only.
■ It does not require licensing for IKEv1 IPsec sessions.

Drawbacks of a full-tunneling IPsec VPN include the following:
■ It requires installation of the Cisco VPN IPsec client software on client machines for IKEv1 IPsec sessions.
■ It requires installation of the Cisco AnyConnect Secure Mobility Client on client machines for IKEv2 IPsec sessions.
■ It requires administrative privilege on the client machine for both the initial installation and updates of the Cisco VPN Client; AnyConnect updates do not require administrative privileges.
■ It can experience connectivity problems through firewalls and NAT devices, because IPsec (ESP) and IKEv1/IKEv2 might be restricted along the path between the clients and the VPN gateway.

Simple Certificate Enrollment Protocol (SCEP):
• SCEP Proxy allows clients to self-provision certificates
• The ASA proxies the requests from clients to the CA

Cisco Secure Desktop:
• Advanced endpoint analysis, security, and remediation
• Downloaded and executed when an AnyConnect or Clientless session is initiated
• Works on Windows, Mac, and Linux (with varying capabilities)
• Results of the host analysis can be used with Dynamic Access Policies
• Capabilities:
  – Host Scan – checks for OS, patch levels, registry entries, processes, and files
  – Endpoint assessment – checks and remediates anti-virus, anti-spyware, and personal firewall
  – Cache cleaner – securely deletes web browsing data remnants
  – Keystroke logger detection
  – Onscreen keyboard – mitigates the keystroke logger threat

Cisco Secure Desktop Setup:
• CSD ASDM installation
  1. On the CSD Setup page, upload the CSD image
  2. Click 'Enable Secure Desktop'
• Enable the features needed, such as pre-login policy, onscreen keyboard, etc.
• Pre-login Policy Decision Tree, Onscreen Keyboard Configuration, Keystroke Logger Configuration: (screenshots not reproduced in the transcript)

VPN Configuration Components and Policy Priority:
There are two major components in the process of VPN configuration:
1. Connection profiles, also known as tunnel groups from the CLI, which define the pre-login requirements of a VPN session. A connection profile separates all VPN sessions into groups based on requirements such as the AAA method used or the connection method/protocol used, so that different security policies can be applied to each group or user.
2. Group policies, which define the post-login security policies applied, such as traffic filtering (authorization) or time restrictions.

Policy priority, starting from the highest priority:
1. DAP rules
2. User profiles (local or remotely pushed from the AAA server)
3. Group policy attached to the user profile
4. Group policy attached to the connection profile
5. DfltGrpPolicy group policy settings

For example, if you assign a group policy at both the user profile and connection profile levels for the respective user and VPN session, settings from both policies are combined to form a final set of rules. If the two policies have conflicting settings, the settings from the group policy applied at the user profile are preferred (in accordance with the priority chart).

Dynamic Access Policies (DAP):
• Create powerful rules that enable dynamic access
• DAP selection criteria are combined with logical expressions
  – AAA attributes from LDAP or RADIUS
  – Endpoint attributes from Endpoint Assessment and Host Scan
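The policy priority chain above, carried through for one session, as an added example that is not part of the original slides. Each layer is a dictionary of attribute name to value, an attribute missing from a layer is inherited from the next one down, and the function also records which layer supplied each attribute, which is the question that usually comes up when a session does not get the setting you expected. The attribute names follow the ASA group-policy commands; every value is constructed.

```python
"""Effective VPN attributes from the ASA policy priority chain.

Added example, not from the slides. Layer order is the slide's priority list:
DAP > user attributes > group policy attached to the user > group policy
attached to the connection profile > DfltGrpPolicy. All values are constructed.
"""
from typing import Dict, Mapping, Optional, Tuple

PRIORITY = ("dap", "user", "user_group_policy", "profile_group_policy", "DfltGrpPolicy")


def resolve(layers: Mapping[str, Optional[Mapping[str, object]]]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Return (effective attributes, layer that supplied each attribute).

    Lower-priority layers are applied first and higher ones overwrite them, which
    gives the same result as looking each attribute up from the top of the chain.
    A layer that is absent or None contributes nothing.
    """
    effective: Dict[str, object] = {}
    source: Dict[str, str] = {}
    for name in reversed(PRIORITY):
        for key, value in (layers.get(name) or {}).items():
            effective[key] = value
            source[key] = name
    return effective, source


# Constructed sample chain for one remote-access session.
DFLT_GRP_POLICY = {
    "vpn-tunnel-protocol": "ikev1 ssl-client ssl-clientless",
    "vpn-idle-timeout": 30,
    "split-tunnel-policy": "tunnelall",
}
PROFILE_GROUP_POLICY = {                       # attached to the connection profile
    "split-tunnel-policy": "tunnelspecified",
    "split-tunnel-network-list": "INSIDE_NETS",
    "vpn-filter": "RA-FILTER",
}
USER_GROUP_POLICY = {"vpn-idle-timeout": 15}  # attached to the user's profile
USER_ATTRIBUTES = {"vpn-tunnel-protocol": "ssl-client"}
DAP_POSTURE_FAILED = {                         # a DAP record matched on a failed Host Scan
    "vpn-filter": "QUARANTINE",
    "webvpn-url-entry": "disable",
}


def session_attributes(posture_ok: bool) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Resolve the sample chain with or without the posture-failure DAP record."""
    layers = {
        "DfltGrpPolicy": DFLT_GRP_POLICY,
        "profile_group_policy": PROFILE_GROUP_POLICY,
        "user_group_policy": USER_GROUP_POLICY,
        "user": USER_ATTRIBUTES,
        "dap": None if posture_ok else DAP_POSTURE_FAILED,
    }
    return resolve(layers)


if __name__ == "__main__":
    for ok in (True, False):
        effective, source = session_attributes(ok)
        print("posture ok" if ok else "posture failed")
        for key in sorted(effective):
            print(f"  {key} = {effective[key]}  (from {source[key]})")
```

Note that the DAP record only has to name the attribute it wants to override (here the vpn-filter); everything else still flows from the lower layers, so a quarantine DAP that forgets to restrict the tunnel protocol leaves the user's full-tunnel client access untouched.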
  • These slides taken from Cisco live 2012 & 2013 3/12/2014 Eng. Mohannad Alhanahnah 50 Dynamic Access Policies Configuration: • If criteria met, Access and Authorization Policies can be set –Permit, Quarantine, or Terminate connection and display message to user –Apply a Network ACL –Apply a Web ACL (clientless) –Enable/disable file browsing, file server entry, HTTP proxy, and URL entry (clientless) –Enable/disable/auto-start port forwarding lists (clientless) –Enable bookmark lists (clientless) –Permit or deny access methods such as AnyConnect and/or Clientless
  • These slides taken from Cisco live 2012 & 2013 3/12/2014 Eng. Mohannad Alhanahnah 51 Selection Hierarchy for VPN Attributes: Clientless SSL VPN: Clientless SSL VPN Overview: • Provides network access using a standard web browser. No client. • Secure access through multiple methods –Internal websites – delivering internal websites over HTTPS –Windows file shares – web-based file browsing capabilities –Plug-ins – Java applets for telnet, SSH, RDP, VNC, and Citrix (ICA) –Smart Tunnels – Automatic tunneling of application traffic through the SSL VPN –Port Forwarding – Opening local ports to be forwarded over the SSL VPN • Provides extra security with Cisco Secure Desktop functionality
Clientless SSL VPN Configuration:
• Key design and configuration choices:
–Which access methods to permit (web, file browsing, plug-ins, etc.)
–Bookmarks for users
–Different web portals for different groups
–Authentication type: password, one-time password, certificate, or two methods
–Cisco Secure Desktop requirements
Clientless ASDM Configuration:
1. Upload Plug-ins and CSD to flash if needed
2. Configure AAA servers for the required user authentication methods
3. Install an SSL certificate on the ASA for secure remote connections
4. Configure a Trustpoint if needed for client certificate authentication
5. Create Group Policy
• Define most of the Clientless options
6. Create Connection Profile
• User authentication type
• Associate Group Policy
• Create Connection Aliases and Group URLs for users to access this Clientless SSL VPN
7. Enable SSL VPN on the appropriate interface
Clientless SSL VPN Bookmarks:
• Methods for assigning bookmarks
–Group policy
–User attributes
–LDAP or RADIUS attributes
–Dynamic Access Policy (DAP) result
• URL Variables for Single Sign-On
–CSCO_WEBVPN_USERNAME — User login name
–CSCO_WEBVPN_PASSWORD — Obtained from the user login password
–CSCO_WEBVPN_INTERNAL_PASSWORD — Obtained from the Internal password field. You can use this field as the Domain for Single Sign-On operations.
–CSCO_WEBVPN_CONNECTION_PROFILE — User login group drop-down
–CSCO_WEBVPN_MACRO1 — Set via a RADIUS or LDAP vendor-specific attribute
–CSCO_WEBVPN_MACRO2 — Set via a RADIUS or LDAP vendor-specific attribute
Clientless Smart Tunnels:
• Allows a TCP-based application to tunnel through the clientless VPN
• Benefits
–Better performance than plug-ins
–Simplifies the user experience compared to forwarding local ports
–Does not require administrative privileges like port forwarding does
• Available for Windows (using Internet Explorer) and Mac
• Configuring Smart Tunnels in Group Policy
Deploying Advanced Application Access for Clientless SSL VPN:
• Configuring Smart Tunnels:
Clientless Plug-ins:
• Java applets that enable secure application connectivity through the SSL VPN browser session and enable new URL and bookmark types
–Citrix Client (ica://), RDP (rdp://, rdp2://), Shell (telnet://, ssh://), VNC (vnc://)
–Do not require administrator privileges on the endpoint
Clientless Plug-ins Configuration:
1. Load the plug-ins via ASDM
2. Customize bookmarks with Plug-in URLs
Clientless Port Forwarding:
• Port forwarding supports TCP applications over the SSL VPN
• Works by opening local ports and forwarding the connection as defined by the port forwarding configuration
• DNS is intercepted to force applications to connect to the local ports
• Requires administrative rights on the endpoint to function
• Works on Windows, Mac, and Linux
Port Forwarding Configuration:
1. Configure a Port Forwarding List
2. Specify the Port Forwarding List in the Group Policy
Customizing the Clientless SSL VPN User Interface and Portal:
Customizing the SSL Login Page:
WebACL Example
Debugging Clientless SSL VPN:
• Utilize the ASDM Monitoring VPN functionality
• Ensure connections are mapping to the correct group policy and connection profile
• Debugging commands
–show webvpn ?
–debug webvpn ?
–debug aaa
–debug radius
–debug dap
High Availability for Cisco ASA VPN Solutions:
• Redundant head-end peering
–Configure two head-ends with 2 IPsec tunnels
–Utilize two interfaces with 2 ISPs for additional redundancy
–Static route tracking is used to switch between ISPs
High Availability Options:
• Active / Standby chassis redundancy
–ASA must be in single context and routed mode to support VPNs
–Configure both the Failover link and the Stateful link to preserve VPN sessions
• VPN Load Balancing feature
–Virtual load balancing built into the ASA
–No external load balancer required
–Works with IPsec (remote access), SSL VPN tunnels, and SSL VPN clientless
–VPN Clustering requires a Unified Client Certificate