SSL-Based Remote-Access VPN Solution



Cisco IOS SSL VPN

Product Overview

Cisco IOS SSL VPN is the first router-based solution offering Secure Sockets Layer (SSL) VPN remote-access connectivity integrated with industry-leading security and routing features on a converged data, voice, and wireless platform. SSL VPN is compelling: the security is transparent to the end user and easy for IT to administer. Using only a Web browser, companies can extend their secure enterprise networks to any Internet-enabled location, including home computers, Internet kiosks, and wireless hotspots, thereby enabling higher employee productivity and protecting corporate data while providing network access to partners and consultants.

Cisco IOS SSL VPN supports both clientless and full-network-access SSL VPN capabilities. Clientless access uses a Web browser to connect to applications such as HTML-based intranet content, e-mail, network file shares, and Citrix. A Java-based application helper provides support for additional TCP-based applications that are not Web-enabled. Cisco IOS SSL VPN also supports the Cisco SSL VPN Client, helping enable dynamic full network access remotely to virtually any application.

As part of Cisco IOS SSL VPN, Cisco Secure Desktop provides advanced endpoint security and helps prevent data such as cookies, browser history, temporary files, and downloaded content from being left behind after an SSL VPN session terminates.

Cisco IOS SSL VPN deployment is simple with Cisco Router and Security Device Manager (SDM) wizards. Cisco SDM also performs real-time monitoring and management of SSL VPN sessions.

Cisco IOS SSL VPN is a single-box solution, unlike other vendor products that require multiple devices and management systems. An integrated solution is easier to learn, deploy, provision, manage, and maintain, and has higher availability. This integrated solution has lower initial capital expenditure, lower deployment costs, and lower operational costs over the lifetime of the solution. It also provides investment protection: existing Cisco integrated services routers support Cisco IOS SSL VPN through a feature upgrade license and software upgrade (Figure 1).

All contents are Copyright 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 8

Figure 1. Integrated Services Router with IOS SSL VPN

Customized Application Access for Employees, Partners, and Non-Company-Managed PCs

Cisco IOS SSL VPN delivers clientless and SSL tunneling client access methods, enabling the appropriate level of application access based on the deployment environment. Clientless access with Cisco IOS SSL VPN allows users to connect, with few requirements beyond a basic Web browser, and access Web servers or resources such as file shares and e-mail through Microsoft Outlook Web Access. Additional TCP-based application access is achieved through a helper application enabled by a small Java applet download. Port forwarding relays data requested by the port on the local machine to the corresponding application port on the network side, granting the user access to more applications and network resources than a Web browser offers. Table 1 lists the features of Cisco IOS SSL VPN.

Table 1. SSL VPN Features

Clientless Operations
  Web content transformation: Allows access to HTML- and JavaScript-based intranet content for those trying to access Web-based services on the company network
  Clientless Citrix: Allows Citrix clients to use applications running on a remote Citrix server as if they were running locally
  Microsoft Outlook Web Access 2000 and 2003: Allows access to Web e-mail in Microsoft Outlook Web Access for Microsoft Exchange 2000 and 2003 at the central site
  Windows File Sharing (Common Internet File System, CIFS): Allows file access to Windows file servers
SSL VPN Client: Supports virtually any application with a transparent LAN-like user experience, providing comprehensive application support
Java-based application helper: Supplements clientless access by providing connectivity to non-Web applications such as e-mail, instant messaging, Microsoft Outlook Calendar, and client-initiated TCP-based applications such as Telnet

Terminal Server Support for Citrix

To minimize costs while maximizing remote connectivity options, many businesses are centralizing their application management and distribution to allow access to internal computing resources through a terminal server architecture. For this reason, it is important that a robust remote-access solution support Citrix deployments with a simple, dependable, and easy-to-use protocol, while providing a local, system-based experience for application use. Typical SSL solutions require either a software client or an applet download (Java or ActiveX) to access internal terminal server resources, slowing application initiation and creating potential access problems due to software conflicts or browser settings. Cisco IOS SSL VPN provides truly clientless Citrix support without relying on additional Java-based port forwarding mechanisms, delivering rapid and highly stable system access regardless of browser or security settings (Table 2).

Table 2. Enhanced Access to Internal Network Infrastructure Resources with Clientless Citrix Support
  Access to system resources: Clientless access alleviates potential problems caused when incongruent browser or security settings prohibit the download of a client or applet
  Swift connectivity: Application initiation is instantaneous, with no additional software client or applet downloads required
  High performance: No local application translation is required
  Highly stable support: Client software conflicts with unmanaged machines or unfamiliar images are avoided with clientless access

With the SSL VPN Client (Table 3), Cisco delivers a lightweight, centrally configured, easy-to-support SSL VPN tunneling client that allows access to virtually any application. The SSL VPN Client is compatible with any SSL-enabled browser and is dynamically made available to the user in one of three ways: ActiveX, Java, or an .exe file.

Table 3. Cisco SSL VPN Client: Broad Application Access Through a Network-Tunneling Client
  Universal application access: Provides full client capabilities over SSL, including access to Cisco IP SoftPhone and voice-over-IP (VoIP) support, increasing remote-user productivity
  Ease of download and installation: Dynamic download and multiple delivery methods (Java, ActiveX, or .exe) help ensure transparent download and distribution. Small download size helps ensure rapid delivery. No reboot is required after installation
  Increased security: Client can be either removed at the end of a session or left permanently installed
  Zero-touch remote administration: Central-site configuration provides integration, with no administration needed on the remote client side
  Supported operating systems: Windows 2000 and Windows XP

Advanced Endpoint Security Minimizes the Risk of Data Theft

The potential for network security attacks increases with the extension of the network to both secure and external endpoints. Whether users are accessing the network from a corporate-managed PC, a personal machine, or a public terminal, Cisco Secure Desktop seeks to minimize data leakage from the SSL session. The Cisco Secure Desktop host integrity verification feature performs pre-connection posture assessment to verify that the endpoint seeking access possesses the particular antivirus, firewall, and OS or service pack features required, and detects certain installed malware before granting access to the network. Cisco Secure Desktop then creates a secure vault for session information by generating a virtual sandbox on the machine.

During the session, information is encrypted and written to the Cisco Secure Desktop partition on the hard drive. At the close of the session, the secure vault is eradicated using a U.S. Department of Defense (DoD) sanitization algorithm. Session information, including cache files, history, cookies, file downloads, and passwords, is encrypted in real time, reducing the risk that data is left behind. This feature is unique; many comparable cache-cleaning products attempt a post-session cleanup of tracked files. Similarly, the automatic timeout features of Cisco Secure Desktop help ensure that session information is erased whether or not the user takes an active role in terminating the session. Cisco Secure Desktop can often run with guest permissions, providing advanced protection on endpoints regardless of Web settings, browser types, or system privileges. Table 4 lists features of Cisco Secure Desktop.

Table 4. Cisco Secure Desktop: Comprehensive Security of Information from the Network to the Endpoint
  Available with guest permissions: Users accessing the network from remote machines may not have administrator privileges on all systems. Cisco Secure Desktop can often be installed with only guest permissions, helping ensure delivery and installation on all systems
  Preconnection posture assessment: Host integrity verification checking detects the presence of antivirus software, personal firewall software, and Windows service packs on the endpoint system prior to granting network access
  Comprehensive session protection: Additional protection is provided for all data associated with the session, including passwords, file download history, cookies, and cache files. All session data is encrypted to the secure vault of Cisco Secure Desktop
  End-of-session data cleanup: Data in the secure vault is overwritten at the end of the session
  Keystroke logger detection: Cisco Secure Desktop performs an initial check for certain software-based keystroke logging software at the start of the session. If an anomalous program begins running inside the secure vault after session initiation, the user is prompted to stop the suspicious activity

Figure 2 gives an application example for Cisco IOS SSL VPN.

Figure 2. Application Example: Regional Law Firm with Multiple Offices

Features and Benefits

Advanced endpoint security: Cisco Secure Desktop offers preconnection security posture assessment and seeks to minimize data such as cookies, browser history, temporary files, and downloaded content being left behind after an SSL VPN session terminates.

Broad application support for SSL VPN: The Cisco IOS SSL VPN solution offers extensive application support through its dynamically downloaded SSL VPN client, enabling network-layer connectivity to virtually any application. The solution delivers truly clientless support for Citrix application access, allowing a transparent, low-overhead extension of network resources to VPN users through a standard Web browser. Pure clientless and thin-client port forwarding options can be deployed for environments with limited application access requirements, such as extranets.

Comprehensive deployment scenario coverage: SSL and IPsec are complementary technologies that address distinct user access requirements; both are necessary for a company to meet the needs of a diverse user base. Cisco IOS Software supports both IPsec and SSL VPN, allowing businesses to choose the most appropriate technology for users accessing the network through different scenarios. This provides maximum flexibility and application access, all on one platform, alleviating the need to deploy and manage separate infrastructures.

Simple, low, per-user pricing: The simple licensing structure of Cisco IOS SSL VPN (no added licenses for special features), combined with the consolidated technology platform, provides customers with unparalleled cost savings and competitive per-user pricing.

Ease of deployment with zero-touch remote endpoint management: The intuitive, Web-based Cisco SDM provides a simple interface to configure and monitor all remote-access users, providing ease of manageability across both IPsec and SSL VPN environments. Group-based management features allow administrators to design security policies and authentication methods for each group, a feature that is essential when extending network resources to non-corporate-managed users and endpoints.

Availability

Table 5 gives information about feature availability. Table 6 gives additional features of the Cisco IOS SSL VPN solution.

Table 5. Availability
  Feature: Cisco IOS SSL VPN
  Platform Support: Cisco 870, 1800, 2800, 3700, 3800, 7200, and 7301
  Availability: March 13, 2006
  Cisco IOS Software Release: 12.4(6)T

Figure 3. Cisco Integrated Services Routers: Core SSL VPN Features for Router-Based Remote Access

A complimentary 2-user trial license is included on all supported platforms at no additional cost.

Table 6. Additional Features
  Scalability: Platform dependent. Cisco 870, 2 users; Cisco 1811, 10 users; Cisco 1841 and Cisco 2801, 25 users; Cisco 2811 and Cisco 2821, 50 users; Cisco 2851, 75 users; Cisco 3725 and Cisco 3745, 75 users; Cisco 3825 and 3845, 100 users; Cisco 7200 and Cisco 7301, 150 users
  User authentication: RADIUS or authentication, authorization, and accounting (AAA) server
  End-system integrity (Cisco Secure Desktop): Antivirus check; personal firewall check; seeks to minimize the risk of temporary and downloaded files and cookies remaining on the system
  Browser support: Netscape, Internet Explorer, Firefox, and Mozilla
  Protocols: SSL 3.0 and 3.1; Transport Layer Security (TLS) 1.0
  Configuration and management: Console command-line interface (CLI), HTTP, HTTPS, Telnet, Secure Shell (SSH) Protocol, and Web-based Cisco SDM
  Syslog support: Console display, external server, and internal buffer
  Cipher suites: SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA
  Network access control: IP address, Differentiated Services Code Point/type of service (DSCP/ToS), TCP/User Datagram Protocol (UDP) port, per-user, and per-group
  Virtualization: Ability to divide into multiple contexts, with each context a complete, logical representation of the IOS SSL VPN service, with separate policies and configuration
  Virtual Routing and Forwarding (VRF)-Aware: VRF mapping; single IP model (URL-based or login-name-based); multiple IP model; per-VRF AAA server; per-VRF Domain Name System (DNS) server; per-VRF gateway; per-VRF number of users

Ordering Information

For ordering information, refer to Table 7.

Table 7. Ordering Information
  License SSL VPN Up To 10 Users (Incremental): FL-WEBVPN-10-K9
  License SSL VPN Up To 25 Users (Incremental): FL-WEBVPN-25-K9
  License SSL VPN Up To 100 Users (Incremental): FL-WEBVPN-100-K9
  License SSL VPN Up To 10 Users (Incremental), spare: FL-WEBVPN-10-K9=
  License SSL VPN Up To 25 Users (Incremental), spare: FL-WEBVPN-25-K9=
  License SSL VPN Up To 100 Users (Incremental), spare: FL-WEBVPN-100-K9=

Part numbers ending in = are spares and can be ordered independently of any other product(s). For more details visit: http://www.cisco.com/en/us/products/ps6657/prod_bulletin0900aecd80501bb7.html

To Download the Software

Visit the Cisco Software Center to download Cisco IOS Software. The Cisco IOS Software Release 12.4(6)T Advanced Security Image and above contain the Cisco IOS SSL VPN feature set.

For more information about Cisco IOS SSL VPN, visit www.cisco.com/go/iossslvpn, contact your local Cisco account representative, or send e-mail to ask-stg-ios-pm@cisco.com.
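As an added example (not Cisco code or configuration from this datasheet), the following Python script parses the cipher-suite names and protocol versions that Table 6 lists and reports which primitives current guidance no longer accepts, so a defender assessing a gateway of this generation can see at a glance what the advertised set implies. The weak-primitive policy tables and their RFC references are this example's own assumptions, as is the IANA-style naming pattern it parses.

```python
import re
from dataclasses import dataclass, field

# Cipher suites and protocol versions as listed in Table 6 of the datasheet
# ("SSL 3.0 and 3.1; TLS 1.0": SSL 3.1 is the wire version of TLS 1.0).
DATASHEET_SUITES = ["SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
                    "SSL_RSA_WITH_DES_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]
DATASHEET_PROTOCOLS = ["SSLv3", "TLSv1.0"]

# Audit policy assumed by this example (not Cisco's): primitives that
# current guidance no longer accepts, with the reason reported.
WEAK_CIPHERS = {"RC4_128": "RC4 is prohibited in TLS (RFC 7465)",
                "DES_CBC": "single DES has only a 56-bit key",
                "3DES_EDE_CBC": "64-bit block size; birthday-bound attacks on long sessions"}
WEAK_MACS = {"MD5": "MD5-based MAC is deprecated"}
WEAK_PROTOCOLS = {"SSLv3": "SSL 3.0 is prohibited (RFC 7568)",
                  "TLSv1.0": "TLS 1.0 is deprecated (RFC 8996)"}

# IANA-style name: <SSL|TLS>_<key exchange>_WITH_<bulk cipher>_<MAC/PRF hash>
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kex>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA\d*)$")

@dataclass
class SuiteReport:
    name: str
    key_exchange: str = ""
    cipher: str = ""
    mac: str = ""
    issues: list = field(default_factory=list)

def audit_suite(name: str) -> SuiteReport:
    """Split a suite name into its primitives and record why each is weak."""
    report = SuiteReport(name)
    m = SUITE_RE.match(name)
    if m is None:
        report.issues.append("unrecognised suite name format")
        return report
    report.key_exchange, report.cipher, report.mac = m["kex"], m["cipher"], m["mac"]
    if report.cipher in WEAK_CIPHERS:
        report.issues.append(WEAK_CIPHERS[report.cipher])
    if report.mac in WEAK_MACS:
        report.issues.append(WEAK_MACS[report.mac])
    # Plain RSA key transport (no DHE/ECDHE) has no forward secrecy: recorded
    # sessions become readable if the gateway's private key is ever exposed.
    if "DHE" not in report.key_exchange:
        report.issues.append("static key exchange, no forward secrecy")
    return report

def audit_gateway(suites, protocols):
    """Return (acceptable suite names, list of findings) for an advertised config."""
    findings = [f"{p}: {WEAK_PROTOCOLS[p]}" for p in protocols if p in WEAK_PROTOCOLS]
    acceptable = []
    for report in map(audit_suite, suites):
        if report.issues:
            findings.extend(f"{report.name}: {issue}" for issue in report.issues)
        else:
            acceptable.append(report.name)
    return acceptable, findings

if __name__ == "__main__":
    ok, findings = audit_gateway(DATASHEET_SUITES, DATASHEET_PROTOCOLS)
    print("acceptable suites:", ok or "none")
    for line in findings:
        print(" -", line)
```

Run against the datasheet's own list, every suite and both protocol versions produce a finding; a modern ECDHE/AES-GCM suite passes clean, which is the configuration such a gateway should be replaced with or placed behind.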

Printed in USA C78-60016-04 1/07