CISCO REMOTE ACCESS VPN SOLUTIONS
Remote Connectivity for Any Deployment Scenario
Sami Iivarinen, Systems Engineer
Agenda
• Solution Overview
• Cisco WebVPN – SSL VPN Connectivity
Cisco Strategy for Remote Access
Using “Best Fit” IPSec and SSL VPN Technologies
• ENGINEER—Many servers/apps, needs native app formats, VoIP, frequent access, long connect times
• ACCOUNT MANAGER—Diverse apps, home-grown apps, always works from enterprise-managed desktop
• PARTNER—Few apps/servers, tight access control, no control over desktop software environment, firewall traversal
• DOCTOR—Occasional access, few apps, no desktop software control
[Figure: Central Site reached over IP/Internet by a Doctor at Home (Unmanaged Desktop), a Supply Partner (Extranet), an Account Manager (Mobile User) and a Software Engineer (Telecommuter); the endpoints are positioned between IPSec VPN and SSL VPN]
VPN 3000 Concentrator Solution Overview
Features and Benefits

SSL VPN
• Broad Application Access: Clientless, Thin Client & Network-Layer Client Modes
• Endpoint Security without Compromise
• Clientless Terminal Services Support
• Per-User/Group Portal and Access Customization
• Broad Browser Support

IPSEC VPN
• “Easy VPN” for Touchless Client Management
• Automated VPN Client Updates for Ease of Client Deployment & Versioning
• Integrated Endpoint Security
• Proactive Endpoint Security Posture Assessment
• Flexible Access Controls

Foundation Features for Ease of Operations
• Clustering & Load Balancing
• Flexible User Authentication & Access Control
• Broad End-System OS Support
• Group-Based User Management
• Unified Web-Based Management
Cisco WebVPN
Customizable Application Access with Comprehensive Security
Cisco VPN 3000 Concentrator
Setting the Standard in Remote Access VPNs
• Integrated IPSec and SSL VPN solution
• Dynamic load balancing and device clustering
• Flexible user authentication methods
• Integrated web-based management
• Numerous industry awards
[Figure: product positioning by price and functionality, from SOHO through ROBO and SMB to Enterprise]
• VPN 3005 – 50 SSL VPN Sessions
• VPN 3020 – 200 SSL VPN Sessions
• VPN 3030 – 500 SSL VPN Sessions
• VPN 3030 or 3060 Clusters – N x 500 = 1000s of SSL VPN Sessions
Cisco WebVPN Version 4.7
Enabling Flexible, Secured SSL VPN Connectivity

Requirement: Comprehensive, Reliable Endpoint Security
Solution: Cisco Secure Desktop
– Security posture assessment
– Data privacy and malware protection
– Post-session clean-up

Requirement: Customizable Application Access for Diverse Deployments
Solution: Clientless, Thin Client, and Network Access for:
– Company-managed desktops
– Employee-owned home PCs
– Public terminals
– Extranet partner desktops
– Consultants

Requirement: Efficient Operations, Cost Effective Solution
Solution: Cost-Effective Deployment and Operations
– Minimized end-system software downloads
– Operates with non-Microsoft browsers
– All functionality included in base price
– Leverage existing VPN 3000 investment

All SSL VPN Features Included in Base Pricing – No Special Licenses!
Customizable Application Access
Deployment Examples: Extending Appropriate Connectivity

Company-Managed Desktop:
– Controlled software environment
– Known security posture & system privileges
– Diverse application requirements
– Post-session clean-up optional
– “LAN-like” remote connectivity desired

Home/Kiosk Access:
– Uncontrolled environment - support issues
– Unknown security posture & system privileges
– Limited application access allowed
– Posture assessment, post-session clean-up required
– Customized access portal often desirable

Partner Access:
– Uncontrolled environment - support issues
– Unknown security posture & system privileges
– Very granular access controls
– Posture assessment, post-session clean-up required
– Customized access portal often desirable

SSL VPN Tunneling Client
– Persistent, “LAN-like” networked connectivity
– Access to virtually any application
– Utilizes small, dynamically loaded client
– Best option for broad application access

Clientless, Web-Based Access
– Reverse proxy “firewalled” connection
– Access to web-based applications and Citrix
– No software downloaded
– Best option for limited web application access and unmanaged desktops

Thin Client Port Forwarding
– Reverse proxy “firewalled” connection
– Access to web, email, calendar, IM and many other TCP applications
– Small Java applet dynamically loaded
– Best option for limited web and client/server applications and unmanaged desktops
Security Challenges
SSL VPN Brings New Points of Attack
[Figure: Remote Users (Employee at Home, Supply Partner) on Customer Managed, Unmanaged and Extranet Machines]

Before SSL VPN Session
• Who owns the endpoint?
• Endpoint security posture: AV, personal firewall?
• Is malware running?

During SSL VPN Session
• Is session data protected?
• Are typed passwords protected?
• Has malware launched?

After SSL VPN Session
• Browser cached intranet web pages?
• Browser stored passwords?
• Downloaded files left behind?
Cisco Secure Desktop
Comprehensive Endpoint Security for SSL VPN

Complete Pre-Connect Assessment:
• Location assessment – managed or unmanaged desktop?
• Security posture assessment – AV operational/up-to-date, personal firewall operational, malware present?

Comprehensive Session Protection:
• Data sandbox and encryption protects every aspect of session
• Malware detection with hooks to Microsoft free anti-spyware software

Post-Session Clean-Up:
• Encrypted partition overwrite (not just deletion) using DoD algorithm
• Cache, history and cookie overwrite
• File download and email attachment overwrite
• Auto-complete password overwrite

[Figure: Cisco Secure Desktop on Windows 2000 or XP – Original User Desktop alongside the Temporary CSD Desktop; works with desktop guest permissions, no admin privileges required]
Cisco Secure Desktop
How it Works
[Figure: Employee-Owned Desktop connecting to Enterprise HQ over clientless SSL VPN, with the Cisco Secure Desktop pushed down to the endpoint]
Step One: A user on the road connects with the concentrator and logs in
Step Two: The concentrator pushes down the Cisco Secure Desktop
Step Three: An encrypted sandbox or hard drive partition is created for the user to work in
Step Four: At Logout the Virtual Desktop that the user has been working in is eradicated and the user is notified
Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session, auto-timeout will close the session and erase all session
Cisco Secure Desktop
Malware Detection
[Figure: Remote User on a Public Machine]
Features:
• At session initiation CSD checks the host system for abnormal drivers indicating the presence of keystroke logging programs
• CSD prompts the user to select and terminate the suspicious modules before loading the Secure Desktop
• If the user does not acknowledge that all unrecognized keystroke loggers are safe, the connection will not establish
• User is notified during the session if a keystroke logger is attempting install from within the secure desktop
• CSD can also be configured to check for the Microsoft AntiSpyware Software as part of its pre-connection host checking capability
Cisco Secure Desktop
Easy-to-Use and Manage Session Protection
• Transparent to the end user with automatic session creation
• Works with desktop guest permissions
• Small download size (less than 500 KB) for fast session initiation
• Delivered via ActiveX, Java or .exe to ensure operation in diverse environments
• Customizable interface and templates
• User still has access to all of the PC’s hardware and software resources
• All applications and processes running in the Secure Desktop are controlled
• Creates a cryptographic file system on the fly and nothing is ever written in clear on the disk – user cannot unintentionally save data outside the partition

CSD Security Features
• Prevents digital leakage
• Protects user privacy
• Is easy to implement & manage
Cisco Secure Desktop
Technical Details

CSD components are installed or updated
• Installation can be done through either an ActiveX control, a Java applet or an executable
• Total size is less than 500 kB
• No reboot, no specific privilege required

Virtual session is created – secure vault is created
• CSD supports triple DES (168-bit key) and RC4 (128-bit key) encryption
• 128-character password is randomly generated
• All processes on the Virtual Desktop are monitored and can be controlled
• All hard-disk writes (file or registry) are redirected to the vault

Session is closed – vault is closed
• All processes on the Virtual Desktop are killed
• Secure vault is closed and password is lost
⇒ At this time, it is not possible to recover any information

Vault is destroyed
• Sanitization of the vault, byte-to-byte
• Implementation of the Department of Defense clearing and sanitizing standard DoD 5220.22-M
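The vault life cycle on this slide (random session secret that lives only in memory, every write encrypted before it reaches disk, key discarded and files overwritten rather than merely deleted at session end) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Cisco's CSD code. It assumes a temporary directory standing in for the encrypted partition, and it uses an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag in place of the 3DES/RC4 ciphers the slide names, so it needs only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed illustration of a session vault: not Cisco CSD code.
# Key exists only in memory; files hold nonce || tag || ciphertext only;
# close() overwrites each file several times before unlinking it.

NONCE_LEN = 16
TAG_LEN = 32


class EphemeralVault:
    def __init__(self, directory=None):
        # Hypothetical vault directory; a temp dir stands in for the encrypted partition.
        self.directory = directory or tempfile.mkdtemp(prefix="csd-vault-")
        self._key = secrets.token_bytes(32)  # random session key, never written to disk
        self.closed = False

    def _keystream(self, nonce, length):
        # HMAC(key, nonce || counter) in counter mode; a fresh nonce per file.
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def _path(self, name):
        return os.path.join(self.directory, os.path.basename(name))

    def write(self, name, data):
        if self.closed:
            raise RuntimeError("vault is closed")
        nonce = secrets.token_bytes(NONCE_LEN)
        ciphertext = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        # Encrypt-then-MAC: a vault file edited outside the session is rejected on read.
        tag = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        with open(self._path(name), "wb") as f:
            f.write(nonce + tag + ciphertext)

    def read(self, name):
        if self.closed:
            raise RuntimeError("vault is closed")
        with open(self._path(name), "rb") as f:
            blob = f.read()
        nonce, tag, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + TAG_LEN], blob[NONCE_LEN + TAG_LEN:]
        expected = hmac.new(self._key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vault file was modified outside the session")
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext))))

    def raw_bytes(self, name):
        # What an observer of the disk sees: nonce, tag and ciphertext only.
        with open(self._path(name), "rb") as f:
            return f.read()

    def close(self):
        # Session end: three overwrite passes (zeros, ones, random) per file, fsync
        # after each, then unlink, remove the directory and forget the key.
        for entry in os.listdir(self.directory):
            path = os.path.join(self.directory, entry)
            size = os.path.getsize(path)
            with open(path, "r+b") as f:
                for fill in (b"\x00", b"\xff", None):
                    f.seek(0)
                    f.write(os.urandom(size) if fill is None else fill * size)
                    f.flush()
                    os.fsync(f.fileno())
            os.remove(path)
        os.rmdir(self.directory)
        self._key = None
        self.closed = True


def plaintext_on_disk(vault, name, plaintext):
    """True if the plaintext is visible in the stored file (it should never be)."""
    return plaintext in vault.raw_bytes(name)


def vault_directory_exists(vault):
    return os.path.isdir(vault.directory)


def flip_last_byte(vault, name):
    """Simulate tampering with a vault file from outside the session."""
    with open(vault._path(name), "r+b") as f:
        f.seek(-1, os.SEEK_END)
        last = f.read(1)[0]
        f.seek(-1, os.SEEK_END)
        f.write(bytes([last ^ 0x01]))


def demo():
    # Constructed session: store a document, confirm nothing readable hit the disk,
    # read it back, then end the session and confirm the vault is gone.
    vault = EphemeralVault()
    secret = b"constructed sample: quarterly report draft"
    vault.write("report.txt", secret)
    leaked = plaintext_on_disk(vault, "report.txt", secret)
    roundtrip = vault.read("report.txt") == secret
    vault.close()
    return roundtrip, leaked, vault_directory_exists(vault)
```

Two caveats a practitioner should keep in mind when reading the slide's "overwrite, not just deletion" claim: multi-pass overwriting of a file only reaches the blocks the file system currently maps to it, so journaled file systems and flash media with wear levelling can retain earlier copies; and the point of forgetting the key is that any leftover ciphertext stays unreadable even where an overwrite misses.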
Using Cisco Secure Desktop for Security/Auditing Compliance
Issue: HIPAA, Sarbanes-Oxley, and numerous other regulations require privacy of sensitive information
• Cisco Secure Desktop eases regulatory compliance associated with remote access through:
– Easily demonstrated separation or “sandboxing” of all session data and downloaded content to compliance auditors
– Extensive logging for Cisco Secure Desktop activities: was it loaded on the endpoint? Did it execute properly?
– Validation of remote system security posture prior to session initiation
– Full session data overwrite using government approved DoD sanitation algorithm
Cache Cleaner for Linux and Mac
Running the Cache Cleaner on Host Machines
• The Cache Cleaner provides for disabling or erasing all data that was downloaded, input, or created in the browser, including file downloads, cached browser information, passwords entered, and auto-complete information.
• The Cache Cleaner can be used with:
– Macintosh (MacOS X) - Safari 1.0 or later
– Red Hat Linux v9 - Mozilla 1.1 or later
– Windows 98, Me, NT4, 2000, and XP - Explorer 5.0 or later
Cisco Secure Desktop is generally used for Windows systems, though Cache Cleaner may be deployed to standardize functionality with Mac and Linux desktops
Customizable Application Access
Network Tunneling Client for WebVPN

Features
• Enables IPSec-like application access through “web-pushed” client
• Less than 250KB download via Java, ActiveX or .exe
• No re-boot required after installation
• Client may be either removed at end of session or left permanently installed
• Compatible with Cisco Softphone for VoIP support
• Touchless central site configuration

Benefits
• Fast client download time
• Multiple delivery methods ensure broad compatibility
• No reboot = happy users
• No trace of client after session provides better security
• Touchless administration
• Multimedia data, voice

Leverages depth of Cisco encryption client experience to deliver a
desktops for greatest user productivity
Network Tunneling Client for WebVPN
How it Operates
[Figure: message sequence between the Remote User/Machine and the VPN 3000 (SSL Gateway)]
• Log into WebVPN URL
• Download Tunneling Client
• TCP Connect (Port x or default 443)
• Initiates SSL Handshake
• SSL Server Certificate (Chain)
• Complete Handshake
Note: Tunneling client pushed via ActiveX, Java, and then .exe
Network Tunneling Client
Software Attributes
• Download Size of 250KB or less
• Windows 2000 and XP support
• Works on non-English Windows
• System compatibility and version detection before download
• No Reboots!
• Removal of client at termination (if desired by administrator)
• Central Site Configuration for WINS, DNS, etc.
• No dependencies on installed applications
• Co-existence with other security applications (CSA, VPN Clients, Anti-virus, etc.)
WebVPN Clientless Access
Fully Clientless Citrix Support

Typical SSL VPN Citrix Support
• Citrix support requires vendor SSL Client or Java applets or other system resident software
– Slow application initiation
– May not function due to browser security settings
– Potential software conflicts, especially on non-managed systems
[Figure: remote client must download a port forwarding applet before reaching the Citrix Server – slow download, software conflicts, browser blocks applet]

Cisco Citrix Support
• Truly clientless Citrix Access
– Fast initiation time – nothing additional to download
– High performance – no local application translation
– Not impacted by differences in browser preference or security settings
– Highly stable – no potential for client software conflicts
[Figure: truly clientless Citrix support – remote client reaches the Citrix Server through WebVPN with nothing additional to download]
WebVPN Clientless Access
• Citrix (ICA) is a software application that allows remote access to centralized computing resources.
• Companies leverage Citrix deployments to centralize all applications on the network without requiring software to be installed on the remote PC, or if remote access to a specific non-Web enabled application is necessary.
• To use Citrix, the client user must have an ICA client installed on the machine.
• Citrix ICA clients are presently available for Windows, Mac OS, UNIX, Windows Based Terminals, and many handheld platforms. A Java-based Citrix ICA client is also available.
WebVPN Clientless Access
Pocket PC Support
• Pocket PC 2003
– Browser: Pocket Internet Explorer (PIE)
– SW: Microsoft + Manufacturer OEMs
• The built-in browser with Pocket PC 2003 is compatible with WebVPN clientless access.
Customizable Application Access
Thin Client Port Forwarding
• Supplements pure clientless web browser access by providing connectivity to non-webified thick client applications like:
– POP, SMTP or IMAP E-mail – Outlook, Notes, etc.
– Instant messaging
– Calendar
– Client-initiated TCP-based applications like Telnet
• Java-based applet (Sun JVM v1.4+)
Granular Access Controls & Portal Customizability
Enabling Application and Content Control
• Access controls per-group or user from RADIUS, LDAP or defined on-box
• Filter to IP, file, URL and server level
• WebVPN portal dynamically customizable based on access controls
[Figure: WebVPN portal with customizable banner graphic, banner message, floating toolbar with fast links, colors and sections, links and network resource access]
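The three bullets above describe one mechanism: a user's group membership (from RADIUS, LDAP or on-box configuration) selects an ordered set of rules that filter at URL, IP or file level, and the portal shows only what those rules permit. The following is an added example written for this page, not the VPN 3000's own policy engine or configuration syntax; the group names, rule tuples and hostnames are constructed. It shows the two details that matter most in such a filter: first-match-wins ordering with an implicit deny, and normalising the request (host case, `..` path segments) before matching so a pattern cannot be sidestepped by spelling.

```python
import fnmatch
import ipaddress
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed illustration of group-based access control; not Cisco's policy
# engine. Rule = (action, kind, pattern): kind is "url", "ip" or "file";
# url/file patterns are globs, ip patterns are CIDR networks.
POLICIES = {
    "engineers": [
        ("permit", "ip", "10.0.0.0/8"),
        ("permit", "url", "https://*.corp.example/*"),
        ("permit", "file", "\\\\fs1\\*"),
    ],
    "partners": [
        # Order matters: the narrow deny must precede the broader permit.
        ("deny", "url", "https://extranet.corp.example/admin/*"),
        ("permit", "url", "https://extranet.corp.example/*"),
    ],
    "kiosk": [
        ("permit", "url", "https://webmail.corp.example/*"),
    ],
}


def normalize_url(url):
    """Lower-case scheme and host, collapse '.'/'..' segments, drop the fragment."""
    parts = urlsplit(url)
    path = posixpath.normpath(parts.path) if parts.path else "/"
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath strips a trailing slash; keep it so "/hr/" stays a directory
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def rule_matches(rule, kind, target):
    _action, rule_kind, pattern = rule
    if rule_kind != kind:
        return False
    if kind == "ip":
        return ipaddress.ip_address(target) in ipaddress.ip_network(pattern, strict=False)
    if kind == "url":
        return fnmatch.fnmatchcase(normalize_url(target), pattern)
    # File shares: compare case-insensitively, as Windows paths are.
    return fnmatch.fnmatchcase(target.lower(), pattern.lower())


def evaluate(groups, kind, target):
    """Return "permit" or "deny" for one request; first matching rule wins, unmatched is denied."""
    for group in groups:
        for rule in POLICIES.get(group, []):
            if rule_matches(rule, kind, target):
                return rule[0]
    return "deny"


def portal_links(groups, candidate_links):
    """Build the per-group portal: only links the policy permits are shown."""
    return [link for link in candidate_links if evaluate(groups, "url", link) == "permit"]
```

The `partners` policy is the instructive case: with the two rules swapped, the broad permit would match first and the admin deny would never be reached, and without `normalize_url` a request for `https://EXTRANET.corp.example/admin/` or `/orders/../admin/` would miss the deny pattern and fall through to the permit.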
Monitoring, Reporting, Troubleshooting
• Extensive session logging for security and troubleshooting
– Per user session statistics, connect time, bytes transferred, hosts accessed
– Endpoint security monitoring and alerts for unsuccessful endpoint session security
– Integrated monitoring reports for quick statistics on
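As an added example of what "per user session statistics" and "alerts for unsuccessful endpoint session security" look like once the session log leaves the concentrator, the following script parses a handful of constructed key=value log lines and produces both. The lines, the field names and the alert threshold are made up for this page and do not reproduce the VPN 3000's real log format; the point is the aggregation (sessions, connect time, bytes, hosts per user) and the two alert conditions a security operator would wire into monitoring: a failed endpoint check at login and an unusually large transfer volume.

```python
import re
from collections import defaultdict

# Constructed session log lines in a simple key=value form; they stand in for
# the concentrator's per-session records and are not its actual log format.
SAMPLE_LOG = """\
2005-03-01 08:02:11 user=alice group=engineers event=login src=198.51.100.7 csd=pass
2005-03-01 08:02:40 user=alice event=access host=intranet.corp.example bytes=10240
2005-03-01 08:15:03 user=alice event=access host=fs1.corp.example bytes=4096000
2005-03-01 09:02:11 user=alice event=logout duration=3600
2005-03-01 10:10:00 user=bob group=partners event=login src=203.0.113.9 csd=fail reason=keylogger_detected
2005-03-01 10:10:01 user=bob event=denied
2005-03-01 11:00:00 user=carol group=kiosk event=login src=192.0.2.50 csd=pass
2005-03-01 11:00:30 user=carol event=access host=webmail.corp.example bytes=2048
2005-03-01 11:20:30 user=carol event=logout duration=1200
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<fields>.*)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def summarize(log_text, byte_alert_threshold=1_000_000):
    """Per-user statistics plus a list of (user, alert, detail) tuples."""
    stats = defaultdict(lambda: {"sessions": 0, "connect_time": 0, "bytes": 0, "hosts": set()})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "user" not in rec:
            continue
        user, event = rec["user"], rec.get("event")
        if event == "login":
            stats[user]["sessions"] += 1
            # Unsuccessful endpoint session security: the posture check failed at login.
            if rec.get("csd") == "fail":
                alerts.append((user, "endpoint_check_failed", rec.get("reason", "unknown")))
        elif event == "access":
            stats[user]["bytes"] += int(rec.get("bytes", 0))
            if "host" in rec:
                stats[user]["hosts"].add(rec["host"])
        elif event == "logout":
            stats[user]["connect_time"] += int(rec.get("duration", 0))
    # Constructed threshold: flag users whose transfer volume is out of the ordinary.
    for user, s in stats.items():
        if s["bytes"] > byte_alert_threshold:
            alerts.append((user, "bytes_over_threshold", str(s["bytes"])))
    return dict(stats), alerts
```

The threshold value is arbitrary; in practice it would be derived from each group's normal volume, and the `hosts` set is what lets an operator see that a kiosk or partner account reached a server its policy should have filtered.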
See an On-Line WebVPN Demo
Cisco WebVPN
Summary

WEBVPN FOR SSL VPN
• Flexible application access for any deployment scenario
• Reliable, comprehensive security against virus/worm propagation and data theft
• Fully clientless Citrix delivers better performance and reliability for end-users
• Mature, stable network tunneling client
• All features included in simple, cost-effective pricing

COMBINED IPSEC & SSL VPN
• Not forced down a single technology path
• May utilize existing VPN 3000 infrastructure
• No need for parallel equipment or management infrastructures
• Streamlined operations – all remote connectivity options on one management console
• Simplified operations – one platform covers every deployment environment

Customizable Application Access with Comprehensive Security