21.1 Key Terms
SSL = Secure Sockets Layer. The original protocol that secured HTTPS. It has been succeeded by TLS, but the term is still widely used and, in practice, usually means TLS. HTTPS (HTTP carried over SSL/TLS) is the secure alternative to plain HTTP.
TLS = Transport Layer Security. Based on SSL, but standardized by the IETF (TLS 1.2 is RFC 5246, TLS 1.3 is RFC 8446) and far more widely adopted.
clientless SSL VPN = Allows limited VPN access, through a browser only, to resources the VPN gateway can natively present over TLS, such as HTTPS servers and CIFS file shares rendered over HTTPS.
AnyConnect full-tunnel VPN = Cisco's secure mobility client solution, supporting full-tunnel VPN. Requires a small client on the workstation, which then tunnels all traffic through the SSL/TLS or IPsec tunnel, so protocols that have no security of their own are transported and protected as well.
PKI = Public key infrastructure. A scalable architecture of software, hardware, people, and procedures for managing digital certificates (issuing, distributing, validating, and revoking them).
digital certificate = A data structure (X.509) that binds a public key to the identity of its holder and is signed by the issuing certificate authority (CA). The CA signs a hash of the certificate contents with its private key; the receiver validates that signature with the CA's public key and only then trusts the public key inside the certificate. A digital signature on a message works the same way: signing is done with the private key of the sender, and validation of that signature (done by the receiver) is done using the public key of the sender. Note that the hash is signed, not encrypted: a signature provides authenticity and integrity, not confidentiality.
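To make the last two terms concrete, here is an added example in Python (not from the page or from Cisco): a toy PKI in which a CA issues a certificate binding a name to a public key, a server signs a message, and the receiver verifies the certificate before trusting the key inside it. The CA name "Example CA", the host name vpn.example.com, the Mersenne-prime keys and textbook RSA without padding are all assumptions for illustration; a real PKI uses padded RSA or ECDSA, X.509 encoding, validity periods and revocation.

```python
"""Toy PKI: what a certificate does versus what a signature does.
Textbook RSA (no padding) over Mersenne primes; illustration only."""
import hashlib
import json

# 2^k - 1 is prime for k in {127, 521, 607, 1279, 2203, 2281} (Mersenne primes),
# so these are valid RSA primes without a primality test. Assumed toy keys.
CA_PRIMES = ((1 << 521) - 1, (1 << 607) - 1)
SERVER_PRIMES = ((1 << 127) - 1, (1 << 1279) - 1)
ATTACKER_PRIMES = ((1 << 2203) - 1, (1 << 2281) - 1)
E = 65537


def keygen(p, q):
    """Return ((n, e), (n, d)): public key, private key. Needs Python 3.8+ for pow(e, -1, m)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data: bytes) -> int:
    # SHA-256 as an integer. Every modulus above is far larger than 2^256, so H(m) < n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    """Digital signature: the hash of the data is signed (not encrypted) with the PRIVATE key."""
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """Validation is done with the matching PUBLIC key: s^e mod n must equal H(data)."""
    n, e = pub
    return pow(sig, e, n) == digest(data)


def encode(body: dict) -> bytes:
    # Canonical encoding so issuer and verifier hash exactly the same bytes.
    return json.dumps(body, sort_keys=True).encode()


def issue_cert(ca_priv, issuer: str, subject: str, subject_pub) -> dict:
    """A certificate binds an identity to a public key; the CA's signature covers that binding."""
    body = {"issuer": issuer, "subject": subject, "public_key": list(subject_pub)}
    return {"body": body, "signature": sign(ca_priv, encode(body))}


def verify_signed_message(ca_pub, trusted_issuer, expected_subject, cert, message, sig) -> bool:
    """Receiver side: check the certificate before trusting the key inside it."""
    body = cert["body"]
    if body["issuer"] != trusted_issuer or body["subject"] != expected_subject:
        return False  # not the CA we trust, or not the peer we expected
    if not verify(ca_pub, encode(body), cert["signature"]):
        return False  # the binding is not vouched for by that CA
    return verify(tuple(body["public_key"]), message, sig)  # finally, the message signature


def demo() -> dict:
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    srv_pub, srv_priv = keygen(*SERVER_PRIMES)
    atk_pub, atk_priv = keygen(*ATTACKER_PRIMES)
    cert = issue_cert(ca_priv, "Example CA", "vpn.example.com", srv_pub)
    msg = b"session parameters for tunnel-group SSL_VPN"  # constructed sample message
    sig = sign(srv_priv, msg)
    # Attacker self-issues a certificate that merely *claims* to come from Example CA.
    fake = issue_cert(atk_priv, "Example CA", "vpn.example.com", atk_pub)
    return {
        "valid": verify_signed_message(ca_pub, "Example CA", "vpn.example.com", cert, msg, sig),
        "tampered": verify_signed_message(ca_pub, "Example CA", "vpn.example.com", cert, msg + b"!", sig),
        "wrong_name": verify_signed_message(ca_pub, "Example CA", "mail.example.com", cert, msg, sig),
        "forged_cert": verify_signed_message(ca_pub, "Example CA", "vpn.example.com", fake, msg, sign(atk_priv, msg)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the "valid" case verifies: a tampered message, a certificate for a different name, and a certificate signed by a key the receiver does not trust all fail, and each fails at a different step. The ssl trust-point command in the ASA examples on this page names exactly such a certificate and private key pair for the VPN gateway.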
21.2 Things to Remember
21.2.1 Comparison Between SSL and TLS
Origin:
SSL: Developed by Netscape in the 1990s.
TLS: Standard developed by the Internet Engineering Task Force (IETF).
How the secure channel is started:
SSL: Starts with a secured channel and continues directly to the security negotiations on a dedicated port (for example, HTTPS on TCP 443).
TLS: Can also start with unsecured communications and dynamically switch to a secured channel based on the negotiation with the other side (the STARTTLS model used by SMTP and IMAP), in addition to running on a dedicated port.
Support:
SSL: Widely supported on client-side applications.
TLS: Supported and implemented more on servers, compared to end-user devices.
Weaknesses:
SSL: More weaknesses identified in older SSL versions (SSL 2.0 and 3.0 have since been deprecated by the IETF and should be disabled).
TLS: Stronger implementation because of the standards process.
21.2.2 Options for SSL VPN Implementation
The three options compared below:
CSV: Clientless SSL VPN
CSV+: Clientless SSL VPN with plug-ins for some port forwarding
ACV: Full AnyConnect SSL VPN client

Other names:
CSV: Web VPN
CSV+: Thin client
ACV: Full SSL client

Installed software on client:
CSV: No client required.
CSV+: Small applets and/or configuration required.
ACV: Full install of AnyConnect required, but it may be installed by first connecting via the clientless option and pushing the client securely through that session.

User experience:
CSV: Feels like accessing resources (that are on the corporate network) through a specific browser window or hyperlink.
CSV+: Some applications can be run locally with their connections redirected through the VPN. Includes the features of the clientless VPN.
ACV: Full access to the corporate network. The local computer acts and feels like a full participant on the corporate network.

Servers that can be used:
CSV, CSV+ and ACV: IOS with the correct software, and ASA with the correct licenses (the same for all three options).

How the user looks from the corporate network:
CSV and CSV+: Traffic is proxied (Port Address Translation [PAT]) by the SSL server, so the user's packets enter the corporate network with the VPN gateway's address as their source.
ACV: Clients are assigned their own virtual IP address (from an address pool) to use while accessing the corporate network. Traffic is forwarded from that address into the corporate network, so internal hosts see the client's pool address.

Clients supported:
CSV: Most SSL-capable computers (anything with a TLS-capable browser).
CSV+: Computers that support SSL and Java.
ACV: Most computers that support SSL.
21.3 Command Examples
Implementing a Clientless SSL VPN
(ssl trust-point binds the identity certificate and key in trustpoint ASDM_TrustPoint0 to the outside interface; the URL list MyList referenced by url-list value must already exist on the ASA.)
asa1(config)# group-policy SSL_Group internal
asa1(config)# ssl trust-point ASDM_TrustPoint0 outside
asa1(config)# webvpn
asa1(config-webvpn)# enable outside
asa1(config-webvpn)# group-policy SSL_Group attributes
asa1(config-group-policy)# vpn-tunnel-protocol ssl-clientless
asa1(config-group-policy)# webvpn
asa1(config-group-webvpn)# url-list value MyList
asa1(config-group-webvpn)# exit
asa1(config-group-policy)# exit
asa1(config)# tunnel-group Connection_Profile_IINS type remote-access
asa1(config)# tunnel-group Connection_Profile_IINS general-attributes
asa1(config-tunnel-general)# default-group-policy SSL_Group
asa1(config-tunnel-general)# tunnel-group Connection_Profile_IINS webvpn-attributes
asa1(config-tunnel-webvpn)# group-alias SSL_VPN enable
asa1(config-tunnel-webvpn)# group-url https://73.143.61.175/SSL_VPN enable
Configuring an SSL AnyConnect Client VPN
(Shown in running-config form: top-level commands are unindented and submode commands are indented one space. The final nat command is the NAT exemption (identity NAT) that keeps traffic between the inside network and the AnyConnect pool from being translated; note that the object NETWORK_OBJ_10.0.0.0_25 covers the whole pool 10.0.0.51-10.0.0.100.)
object network NETWORK_OBJ_10.0.0.0_25
 subnet 10.0.0.0 255.255.255.128
ip local pool POOLS-for-AnyConnect 10.0.0.51-10.0.0.100 mask 255.255.255.0
group-policy GroupPolicy_SSL_AnyConnect internal
group-policy GroupPolicy_SSL_AnyConnect attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 8.8.8.8
 wins-server none
 default-domain value cisco.com
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
tunnel-group SSL_AnyConnect type remote-access
tunnel-group SSL_AnyConnect general-attributes
 default-group-policy GroupPolicy_SSL_AnyConnect
 address-pool POOLS-for-AnyConnect
tunnel-group SSL_AnyConnect webvpn-attributes
 group-alias SSL_AnyConnect enable
nat (inside,outside) 3 source static inside interface destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
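The pieces of this configuration only work together if the references line up: the tunnel-group must point at a group policy and an address pool that exist, the group policy must allow ssl-client, anyconnect enable must be present, and the NAT exemption object must cover every address in the pool. The following added example (not from the page or from Cisco) is a small Python consistency check that parses the configuration above in running-config form and reports those mismatches. The parser is a deliberate subset of ASA syntax, and the sample input, the mode layout and the finding texts are assumptions for this example.

```python
import ipaddress
import re

# Sample input constructed for this example: the page's AnyConnect configuration
# in running-config form (submode commands indented by one space).
SAMPLE_CONFIG = """\
object network NETWORK_OBJ_10.0.0.0_25
 subnet 10.0.0.0 255.255.255.128
ip local pool POOLS-for-AnyConnect 10.0.0.51-10.0.0.100 mask 255.255.255.0
group-policy GroupPolicy_SSL_AnyConnect internal
group-policy GroupPolicy_SSL_AnyConnect attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 8.8.8.8
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
tunnel-group SSL_AnyConnect type remote-access
tunnel-group SSL_AnyConnect general-attributes
 default-group-policy GroupPolicy_SSL_AnyConnect
 address-pool POOLS-for-AnyConnect
tunnel-group SSL_AnyConnect webvpn-attributes
 group-alias SSL_AnyConnect enable
nat (inside,outside) 3 source static inside interface destination static NETWORK_OBJ_10.0.0.0_25 NETWORK_OBJ_10.0.0.0_25 no-proxy-arp route-lookup
"""


def parse(config: str) -> dict:
    """Extract only what the checks need; every other command is ignored."""
    cfg = {"objects": {}, "pools": {}, "policies": {}, "tunnel_groups": {},
           "nat_identity": set(), "anyconnect_enabled": False}
    ctx = (None, None)  # (submode kind, name) that indented lines belong to
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command: starts a new context
            ctx = (None, None)
            if m := re.fullmatch(r"object network (\S+)", line):
                cfg["objects"].setdefault(m[1], None)
                ctx = ("object", m[1])
            elif m := re.fullmatch(r"ip local pool (\S+) (\S+)-(\S+) mask \S+", line):
                cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
            elif m := re.fullmatch(r"group-policy (\S+) (internal|attributes)", line):
                cfg["policies"].setdefault(m[1], set())
                if m[2] == "attributes":
                    ctx = ("policy", m[1])
            elif m := re.fullmatch(r"tunnel-group (\S+) (type remote-access|general-attributes)", line):
                cfg["tunnel_groups"].setdefault(m[1], {})
                if m[2] == "general-attributes":
                    ctx = ("tg", m[1])
            elif line == "webvpn":
                ctx = ("webvpn", None)
            elif m := re.match(r"nat \(\S+\) (?:\d+ )?source static .* destination static (\S+) (\S+)", line):
                if m[1] == m[2]:  # same object on both sides: identity NAT, i.e. NAT exemption
                    cfg["nat_identity"].add(m[1])
            continue
        kind, name = ctx
        if kind == "object" and (m := re.fullmatch(r"subnet (\S+) (\S+)", line)):
            cfg["objects"][name] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}")
        elif kind == "policy" and (m := re.fullmatch(r"vpn-tunnel-protocol (.+)", line)):
            cfg["policies"][name] = set(m[1].split())
        elif kind == "tg" and (m := re.fullmatch(r"(default-group-policy|address-pool) (\S+)", line)):
            cfg["tunnel_groups"][name][m[1]] = m[2]
        elif kind == "webvpn" and line == "anyconnect enable":
            cfg["anyconnect_enabled"] = True
    return cfg


def check(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the pieces line up."""
    findings = []
    if not cfg["anyconnect_enabled"]:
        findings.append("webvpn: 'anyconnect enable' is missing, so no AnyConnect session can be established")
    for tg, attrs in cfg["tunnel_groups"].items():
        policy = attrs.get("default-group-policy")
        if policy not in cfg["policies"]:
            findings.append(f"tunnel-group {tg}: default-group-policy {policy} is not defined")
        elif "ssl-client" not in cfg["policies"][policy]:
            findings.append(f"group-policy {policy}: vpn-tunnel-protocol does not explicitly allow ssl-client")
        pool = attrs.get("address-pool")
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {tg}: address-pool {pool} is not defined")
            continue
        first, last = cfg["pools"][pool]
        exempt = [net for net in (cfg["objects"].get(o) for o in cfg["nat_identity"])
                  if net is not None and first in net and last in net]
        if not exempt:
            findings.append(f"pool {pool} ({first}-{last}) is not fully covered by an identity NAT "
                            "(NAT exemption) object; the regular NAT rules may translate client traffic")
    return findings


if __name__ == "__main__":
    for finding in check(parse(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the configuration above it reports nothing; shrink the object to 255.255.255.192 and it flags the pool, because 10.0.0.64-10.0.0.100 would fall outside the exemption while still being handed out to clients.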