CISCO REMOTE ACCESS VPN SOLUTIONS
Remote Connectivity for Any Deployment Scenario
Sami Iivarinen, Systems Engineer, Cisco Systems Finland
Agenda
- Solution Overview
- Cisco WebVPN
- SSL VPN Connectivity
Cisco Strategy for Remote Access: Using Best Fit IPSec and SSL VPN Technologies
[Diagram: central site reached over IP/Internet VPN by a supply partner extranet, an account manager (mobile user), a software engineer (telecommuter) and a doctor at home on an unmanaged desktop; SSL VPN and IPSec VPN shown as the two access paths]
- PARTNER: Few apps/servers, tight access control, no control over desktop software environment, firewall traversal
- DOCTOR: Occasional access, few apps, no desktop software control
- ENGINEER: Many servers/apps, needs native app formats, VoIP, frequent access, long connect times
- ACCOUNT MANAGER: Diverse apps, homegrown apps, always works from enterprise-managed desktop
VPN 3000 Concentrator Solution Overview: Features and Benefits
SSL VPN and IPSec VPN:
- Broad Application Access: Clientless, Thin Client & Network-Layer Client Modes
- Endpoint Security without Compromise
- Clientless Terminal Services Support
- Per-User/Group Portal and Access Customization
- Easy VPN for Touchless Client Management
- Automated VPN Client Updates for Ease of Client Deployment & Versioning
- Integrated Endpoint Security
- Proactive Endpoint Security Posture Assessment
- Flexible Access Controls
- Broad Browser Support
Foundation Features for Ease of Operations:
- Clustering & Load Balancing
- Broad End-System OS Support
- Flexible User Authentication & Access Control
- Group-Based User Management
- Unified Web-Based Management
Cisco WebVPN: Customizable Application Access with Comprehensive Security
2004, 2005 Cisco Systems, Inc. All rights reserved.
Cisco VPN 3000 Concentrator: Setting the Standard in Remote Access VPNs
- Integrated IPSec and SSL VPN solution
- Dynamic load balancing and device clustering
- Flexible user authentication methods
- Integrated web-based management
- Numerous industry awards
[Chart: price versus functionality, from SOHO through ROBO and SMB to Enterprise]
- VPN 3005: 50 SSL VPN sessions
- VPN 3020: 200 SSL VPN sessions
- VPN 3030: 500 SSL VPN sessions
- VPN 3030 or 3060 clusters: N x 500 = 1000s of SSL VPN sessions
Cisco WebVPN Version 4.7: Enabling Flexible, Secured SSL VPN Connectivity
All SSL VPN Features Included in Base Pricing - No Special Licenses!
Requirement: Customizable Application Access for Diverse Deployments
Solution: Clientless, Thin Client, and Network Access for:
- Company-managed desktops
- Employee-owned home PCs
- Public terminals
- Extranet partner desktops
- Consultants
Requirement: Comprehensive, Reliable Endpoint Security
Solution: Cisco Secure Desktop
- Security posture assessment
- Data privacy and malware protection
- Post-session clean-up
Requirement: Efficient Operations, Cost-Effective Solution
Solution: Cost-Effective Deployment and Operations
- Minimized end-system software downloads
- Operates with non-Microsoft browsers
- All functionality included in base price
- Leverage existing VPN 3000 investment
Customizable Application Access
Deployment Examples: Extending Appropriate Connectivity

Scenario: Company-Managed Desktop
- Controlled software environment
- Known security posture & system privileges
- Diverse application requirements
- Post-session clean-up optional
- LAN-like remote connectivity desired
Access method: SSL VPN Tunneling Client
- Persistent, LAN-like networked connectivity
- Access to virtually any application
- Utilizes small, dynamically loaded client
- Best option for broad application access

Scenario: Home/Kiosk
- Uncontrolled environment - firewalled connection issues
- Unknown security posture & system privileges
- Limited application access allowed
- Posture assessment, post-session clean-up required
- Customized access portal often desirable
Access method: Clientless, Web-Based Access
- Reverse proxy support
- Access to web-based applications and Citrix
- No software downloaded
- Best option for limited web application access and unmanaged desktops

Scenario: Partner
- Uncontrolled environment - firewalled connection issues
- Unknown security posture & system privileges
- Very granular access controls
- Posture assessment, post-session clean-up required
- Customized access portal often desirable
Access method: Thin Client Access: Port Forwarding
- Reverse proxy support
- Access to web, email, calendar, IM and many other TCP applications
- Small Java applet dynamically loaded
- Best option for limited web and client/server applications and unmanaged desktops
Security Challenges: SSL VPN Brings New Points of Attack
[Diagram: supply partner extranet machine, employee at home on an unmanaged machine, remote user on a customer-managed machine]
Before SSL VPN Session:
- Who owns the endpoint?
- Endpoint security posture: AV, personal firewall?
- Is malware running?
During SSL VPN Session:
- Is session data protected?
- Are typed passwords protected?
- Has malware launched?
After SSL VPN Session:
- Browser cached intranet web pages?
- Browser stored passwords?
- Downloaded files left behind?
Cisco Secure Desktop: Comprehensive Endpoint Security for SSL VPN
Complete Pre-Connect Assessment:
- Location assessment: managed or unmanaged desktop?
- Security posture assessment: AV operational/up-to-date, personal firewall operational, malware present?
- Works with desktop guest permissions; no admin privileges required
Comprehensive Session Protection:
- Data sandbox and encryption protects every aspect of the session
- Malware detection with hooks to Microsoft's free anti-spyware software
- Windows 2000 or XP
[Diagram: original user desktop alongside the temporary CSD desktop created by Cisco Secure Desktop]
Post-Session Clean-Up:
- Encrypted partition overwrite (not just deletion) using DoD algorithm
- Cache, history and cookie overwrite
- File download and email attachment overwrite
- Auto-complete password overwrite
Cisco Secure Desktop: How it Works
- Step One: A user on the road connects with the concentrator and logs in
- Step Two: The concentrator pushes down the Cisco Secure Desktop
- Step Three: An encrypted sandbox or hard drive partition is created for the user to work in
- Step Four: At logout the virtual desktop that the user has been working in is eradicated and the user is notified
[Diagram: employee-owned desktop connects over the Internet (www) via Cisco Clientless SSL VPN to Enterprise HQ, with the Secure Desktop running on the endpoint]
Note: CSD download and eradication is seamless to the user. If the user forgets to terminate the session, auto-timeout will close the session and erase all session information.
Cisco Secure Desktop: Malware Detection
Features:
- At session initiation CSD checks the host system for abnormal drivers indicating the presence of keystroke logging programs
- CSD prompts the user to select and terminate the suspicious modules before loading the Secure Desktop
- If the user does not acknowledge that all unrecognized keystroke loggers are safe, the connection will not establish
- User is notified during the session if a keystroke logger is attempting to install from within the Secure Desktop
- CSD can also be configured to check for the Microsoft AntiSpyware software as part of its pre-connection host checking capability
[Diagram: remote user on a public machine]
Cisco Secure Desktop: Easy-to-Use and Manage Session Protection
- Transparent to the end user with automatic session creation
- Works with desktop guest permissions
- Small download size (less than 500 KB) for fast session initiation
- Delivered via ActiveX, Java or .exe to ensure operation in diverse environments
- Customizable interface and templates
- User still has access to all of the PC's hardware and software resources
- All applications and processes running in the Secure Desktop are controlled
- Creates a cryptographic file system on the fly and nothing is ever written in clear on the disk; the user cannot unintentionally save data outside the partition
CSD Security Features:
- Prevents digital leakage
- Protects user privacy
- Is easy to implement & manage
Cisco Secure Desktop: Technical Details
1. CSD components are installed or updated
- Installation can be done through either an ActiveX control, a Java applet or an executable
- Total size is less than 500 kB
- No reboot, no specific privilege required
2. Secure vault is created
- CSD supports triple DES (168-bit key) and RC4 (128-bit key) encryption
- A 128-character password is randomly generated
3. Virtual session is created
- All processes on the Virtual Desktop are monitored and can be controlled
- All hard-disk writes (file or registry) are redirected to the vault
4. Session is closed
- Vault is closed
- All processes on the Virtual Desktop are killed
- Secure vault is closed and the password is lost; at this time, it is not possible to recover any information
5. Vault is destroyed
- Byte-to-byte sanitization of the vault
- Implementation of the Department of Defense clearing and sanitizing standard DoD 5220.22-M
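Added illustration, not Cisco's code, of the final stage above (byte-to-byte sanitization of the vault): a Python routine that overwrites a file in place with the common three-pass reading of DoD 5220.22-M (a fixed byte, its complement, then random data) and reads the last pass back to verify it before unlinking. It assumes a filesystem that writes in place; on SSDs and on journaling or copy-on-write filesystems the overwrite may never reach the original blocks, which is why losing the vault's encryption password is the stronger guarantee.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024
# Three-pass reading of DoD 5220.22-M: fixed byte, complement, random; last pass verified.
PASSES = (b"\x00", b"\xff", None)  # None = random bytes


def _write_pass(f, size, pattern):
    """Overwrite the file in place; return SHA-256 of the bytes written."""
    digest, remaining = hashlib.sha256(), size
    f.seek(0)
    while remaining > 0:
        n = min(CHUNK, remaining)
        data = secrets.token_bytes(n) if pattern is None else pattern * n
        digest.update(data)
        f.write(data)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # make sure this pass reaches the device
    return digest.hexdigest()


def _read_digest(f):
    """SHA-256 of the file's current contents, read back from disk."""
    digest = hashlib.sha256()
    f.seek(0)
    for block in iter(lambda: f.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def sanitize_file(path):
    """Run all passes, verify the last one landed, unlink. Returns pass count."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b: overwrite in place, never truncate
        for pattern in PASSES:
            written = _write_pass(f, size, pattern)
        if _read_digest(f) != written:
            raise RuntimeError("verification failed: final pass not on disk")
    os.unlink(path)
    return len(PASSES)


def demo():
    """Constructed sample: a throwaway vault file holding fake session data."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = os.path.join(tmp, "vault.bin")
        with open(vault, "wb") as f:
            f.write(b"cached intranet page; typed password\n" * 4000)
        return sanitize_file(vault), os.path.exists(vault)
```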
Using Cisco Secure Desktop for Security/Auditing Compliance
Issue: HIPAA, Sarbanes-Oxley, and numerous other regulations require privacy of sensitive information.
Cisco Secure Desktop eases regulatory compliance associated with remote access through:
- Easily demonstrated separation or sandboxing of all session data and downloaded content to compliance auditors
- Extensive logging for Cisco Secure Desktop activities: Was it loaded on the endpoint? Did it execute properly?
- Validation of remote system security posture prior to session initiation
- Full session data overwrite using government-approved DoD sanitation algorithm
Cache Cleaner for Linux and Mac: Running the Cache Cleaner on Host Machines
The Cache Cleaner provides for disabling or erasing all data that was downloaded, input, or created in the browser, including file downloads, cached browser information, passwords entered, and auto-complete information.
The Cache Cleaner can be used with:
- Macintosh (Mac OS X) - Safari 1.0 or later
- Red Hat Linux v9 - Mozilla 1.1 or later
- Windows 98, Me, NT4, 2000, and XP - Explorer 5.0 or later
Cisco Secure Desktop is generally used for Windows systems, though Cache Cleaner may be deployed to standardize functionality with Mac and Linux desktops.
Customizable Application Access: Network Tunneling Client for WebVPN
Leverages the depth of Cisco encryption client experience to deliver a lightweight, stable and easy-to-support SSL VPN tunneling client.
Features:
- Enables IPSec-like application access through a web-pushed client
- Less than 250 KB download via Java, ActiveX or .exe
- No reboot required after installation
- Client may be either removed at end of session or left permanently installed
- Compatible with Cisco Softphone for VoIP support
- Touchless central site configuration
Benefits:
- Fast client download time
- Multiple delivery methods ensure broad compatibility
- No reboot = happy users
- No trace of client after session provides better security
- Touchless administration
- Multimedia (data, voice) desktops for greatest user productivity
Network Tunneling Client for WebVPN: How it Operates
[Diagram: exchange between the remote user/machine and the VPN 3000 (SSL gateway)]
1. Log into WebVPN URL
2. Download Tunneling Client
3. TCP Connect (port x or default 443)
4. Initiates SSL Handshake
5. SSL Server Certificate (Chain)
6. Complete Handshake
Note: Tunneling client pushed via ActiveX, Java, and then .exe
Network Tunneling Client: Software Attributes
- Download size of 250 KB or less
- Windows 2000 and XP support
- Works on non-English Windows
- System compatibility and version detection before download
- No reboots!
- Removal of client at termination (if desired by administrator)
- Central site configuration for WINS, DNS, etc.
- No dependencies on installed applications
- Co-existence with other security applications (CSA, VPN clients, anti-virus, etc.)
WebVPN Clientless Access: Fully Clientless Citrix Support
[Diagram: typical SSL VPN path reaches the Citrix server only after a port forwarding applet download (slow download, software conflicts, browser blocks applet); Cisco path reaches the Citrix server with truly clientless Citrix support]
Typical SSL VPN Citrix Support:
- Citrix support requires vendor SSL client or Java applets or other system-resident software
- Slow application initiation
- May not function due to browser security settings
- Potential software conflicts, especially on non-managed systems
Cisco Citrix Support:
- Truly clientless Citrix access
- Fast initiation time: nothing additional to download
- High performance: no local application translation
- Not impacted by differences in browser preference or security settings
- Highly stable: no potential for client software conflicts
WebVPN Clientless Access: Fully Clientless Citrix Support
Citrix (ICA) is a software application that allows remote access to centralized computing resources. Companies leverage Citrix deployments to centralize all applications on the network without requiring software to be installed on the remote PC, or when remote access to a specific non-web-enabled application is necessary. To use Citrix, the client user must have an ICA client installed on the machine. Citrix ICA clients are presently available for Windows, Mac OS, UNIX, Windows-based terminals, and many handheld platforms. A Java-based Citrix ICA client is also available.
WebVPN Clientless Access: Pocket PC Support
- Pocket PC 2003
- Browser: Pocket Internet Explorer (PIE)
- SW: Microsoft + manufacturer OEMs
The built-in browser with Pocket PC 2003 is compatible with WebVPN clientless access.
[Diagram: Pocket PC connecting over the Internet]
Customizable Application Access: Thin Client Port Forwarding
Supplements pure clientless web browser access by providing connectivity to non-webified thick client applications like:
- POP, SMTP or IMAP e-mail (Outlook, Notes, etc.)
- Instant messaging
- Calendar
- Client-initiated TCP-based applications like Telnet
Delivered as a Java-based applet (Sun JVM v1.4+), less than 100 KB download.
Granular Access Controls & Portal Customizability: Enabling Application and Content Control
- Access controls per group or user from RADIUS, LDAP or defined on-box
- Filter to IP, file, URL and server level
- WebVPN portal dynamically customizable based on access controls
Customizable portal elements:
- Banner graphic
- Floating toolbar with fast links
- Banner message
- Colors and sections
- Access methods
- Links, network resource access
Monitoring, Reporting, Troubleshooting
- Extensive session logging for security and troubleshooting
- Per-user session statistics: connect time, bytes transferred, hosts accessed
- Endpoint security monitoring and alerts for unsuccessful endpoint session security
- Integrated monitoring reports for quick statistics on usage and user behavior
See an On-Line WebVPN Demo
Go to: www.cisco.com/go/sslvpndemo
Cisco WebVPN Summary
WebVPN for SSL VPN:
- Flexible application access for any deployment scenario
- Reliable, comprehensive security against virus/worm propagation and data theft
- Fully clientless Citrix delivers better performance and reliability for end-users
- Mature, stable network tunneling client
- All features included in simple, cost-effective pricing
Combined IPSec & SSL VPN:
- Not forced down a single technology path
- May utilize existing VPN 3000 infrastructure
- No need for parallel equipment or management infrastructures
- Streamlined operations: all remote connectivity options on one management console
- Simplified operations: one platform covers every deployment environment
Customizable Application Access with Comprehensive Security