Chapter 10: Designing and Building SSL Remote Access VPNs (WebVPN)

Cisco Press

1 2 3 4 5 6 7 8 Page 5
Page 5 of 8

Next, the password on the Outlook Express account properties Server tab must be configured using a similar format—the VPN 3000 concentrator user password must be specified first, with the e-mail server account password configured second. The two must again be separated using the VPN Name Delimiter.

If the VPN 3000 concentrator is configured to authenticate users and the password for user markj is hello, and the e-mail server password for user markj is hithere, the password specified in the Password box on the client must be hello:hithere.
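The delimited credential format above, as an added example that is not from the book or from Cisco: it builds the two values the user types into Outlook Express and shows how a proxy would have to split them again. The split-at-first-delimiter rule and the refusal of a delimiter character inside the VPN 3000 part are assumptions, not documented concentrator behavior; the practical point is that a VPN password containing the delimiter would be ambiguous.

```python
VPN_NAME_DELIMITER = ":"  # the delimiter used in the page's example


def build_proxy_credential(vpn_part: str, mail_part: str,
                           delimiter: str = VPN_NAME_DELIMITER) -> str:
    """Combine the VPN 3000 credential and the e-mail server credential into the
    single string typed into the Outlook Express Account name / Password box."""
    if delimiter in vpn_part:
        # Assumption: the proxy cannot tell where the VPN part ends if the
        # delimiter occurs inside it, so refuse to build an ambiguous value.
        raise ValueError(f"VPN credential must not contain the delimiter {delimiter!r}")
    return f"{vpn_part}{delimiter}{mail_part}"


def split_proxy_credential(value: str,
                           delimiter: str = VPN_NAME_DELIMITER) -> tuple[str, str]:
    """Split a combined value back into (vpn_part, mail_part).
    Assumption: the split happens at the FIRST delimiter, so the e-mail server
    part may itself contain the delimiter character."""
    vpn_part, sep, mail_part = value.partition(delimiter)
    if not sep:
        raise ValueError("no VPN Name Delimiter found in credential")
    return vpn_part, mail_part


def outlook_express_settings(vpn_user: str, vpn_pass: str,
                             mail_user: str, mail_pass: str) -> dict:
    """Return the two strings for the Server tab of the account properties."""
    return {
        "account_name": build_proxy_credential(vpn_user, mail_user),
        "password": build_proxy_credential(vpn_pass, mail_pass),
    }


if __name__ == "__main__":
    # Constructed values matching the page's example user markj.
    print(outlook_express_settings("markj", "hello", "markj", "hithere"))
```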

One other important setting to notice on the Server tab is the My server requires authentication check box under the Outgoing Mail Server heading. It may be necessary to check this box if you receive an error when attempting to connect to the e-mail server via the VPN 3000 concentrator.

Having configured authentication, the next step is to specify POP3S and SMTPS ports under the Advanced tab, as shown in Figure 10-36.

Figure 10-36 Configuring SMTPS and POP3S Ports on Outlook Express When Using E-Mail Proxy

Under the Server Port Numbers heading you must check both of the This server requires a secure connection (SSL) boxes (for both SMTP and POP3).

Having checked the boxes, you must now specify the ports to use for each protocol. These ports must match those specified on the VPN 3000 concentrator. In Figure 10-36, for example, the SMTPS and POP3S ports are configured as 988 and 995, respectively—these match those specified on the VPN 3000 concentrator in Figure 10-34.

Implementing Full Network Access Using the Cisco SSL VPN Client

By this stage, you will know that the type of access offered by clientless SSL remote access VPNs is much more restricted than that offered by IPsec remote access VPNs. If you do want to offer more functionality via an SSL remote access VPN, you can use the Cisco SSL VPN Client.

The Cisco SSL VPN Client is loaded on the VPN 3000 concentrator and then dynamically downloaded from the VPN 3000 concentrator by remote access VPN users. The Cisco SSL VPN Client offers remote access connectivity comparable to that offered by IPsec remote access VPNs.

One advantage of the Cisco SSL VPN Client is that it does not have to be permanently installed on client workstations and does not require particular configuration or administration, unlike IPsec remote access VPN client software. The Cisco SSL VPN Client software package is also relatively small in size.

It is worth mentioning, however, that for the SSL VPN Client software to be downloaded and installed, the remote access user must have administrative privileges on the workstation. Cisco does, however, provide an install enabler utility (STCIE.EXE) that must itself be installed by an administrator but will then allow other users to download and install the Cisco SSL VPN Client on-demand.

Compared with IPsec remote access VPNs, one disadvantage of the SSL VPN Client is that the client software is downloaded from the VPN 3000 concentrator, which takes a variable amount of time depending on connection speed. Having said that, it is possible to configure the VPN 3000 concentrator to leave the SSL VPN Client software installed on the client workstation rather than have it uninstalled whenever the SSL VPN connection is terminated (the default).

Installing and Enabling the Cisco SSL VPN Client Software

The first step in enabling use of the SSL VPN Client is to upload it to the VPN 3000 concentrator. You can accomplish this by going to Configuration > Tunneling and Security > WebVPN > Cisco SSL VPN Client (see Figure 10-37).

Figure 10-37 Installing the Cisco SSL VPN Client

Choose Install a new Cisco SSL VPN Client, click the Browse button, browse to the location of the Cisco SSL VPN client software, and click Apply to install the software on the VPN 3000 concentrator.

After the client software is installed, the next step is to enable the use of the SSL VPN Client software for the appropriate user groups, as well as configure IP address pools (described in Chapters 8 and 9).

You can enable the use of the SSL VPN Client software by going to Configuration > User Management > Groups, choosing the appropriate group(s), clicking Modify, and clicking the WebVPN tab. The page shown in Figure 10-38 will then appear.

Checking the Enable Cisco SSL VPN Client box will, as it suggests, enable the use of the SSL VPN Client for the group.

It is also possible to require the use of the SSL VPN client by checking the Require Cisco SSL VPN Client box.

As discussed earlier in this section, the default behavior when using the SSL VPN Client is that the SSL VPN client software is removed when the client disconnects from the VPN 3000 concentrator. If the Keep Cisco SSL VPN Client box is checked, however, the client software remains on the client workstation even after disconnect. This clearly obviates the requirement to dynamically download the client software each time the client workstation connects to the VPN 3000 concentrator.

Figure 10-38 Enabling the Use of the Cisco SSL VPN Client

Understanding Remote Access Connectivity When Using the Cisco SSL VPN Client

When the Cisco SSL VPN Client is enabled for a particular user group, and a user in that group connects to the VPN 3000 concentrator and logs in via the WebVPN login page, the Cisco SSL VPN Client will begin to download (assuming it is not installed already). After the SSL VPN Client has downloaded, it extracts and installs (see Figure 10-39).

One thing to notice in Figure 10-39 is the text shown in the upper left (Click here to skip installation of the Cisco SSL VPN Client and proceed to the WebVPN Home page). This text does not appear if the Require Cisco SSL VPN Client box is checked in the WebVPN tab of group settings (see Figure 10-38).

After the SSL VPN Client software has been installed, a key symbol will appear on the right of the taskbar. Clicking the key will display information about the Cisco SSL VPN Client and SSL connection, as shown in Figure 10-40.

Figure 10-39 Cisco SSL VPN Client Extracts and Installs

Figure 10-40 Information About the Cisco SSL VPN Client Connection

There are three tabs:

  • Statistics tab—Displays information about the connection, including address information (the IP address of the VPN 3000 gateway and the IP address assigned by the VPN 3000 concentrator to the SSL VPN Client tunnel interface/adapter); the number of bytes and frames sent and received over the tunnel; the encryption and hashing algorithms used by the cipher suite negotiated by the client and VPN 3000 concentrator; whether the client is allowed to access its local LAN and whether split tunneling is enabled; and how long the connection has been up

  • Route Details tab—Shows information about local LAN routes and secure routes that have been installed

  • About tab—Shows the version of the Cisco SSL VPN Client software that is installed

The Reset button on the Statistics tab can be used to reset to zero statistics relating to the number of bytes and frames sent and received over the SSL connection.

The Close and Disconnect buttons cause the Cisco SSL VPN Client information dialog box to close and cause the SSL connection to terminate respectively.

Strengthening SSL Remote Access VPN Security by Implementing Cisco Secure Desktop

One of the main advantages of SSL remote access VPNs is that they can provide access from almost any location—from a hotel, from an Internet café, or from a kiosk at an airport. Paradoxically, this ubiquity of access is also one of the main disadvantages of SSL remote access VPNs—these locations are often insecure, and an SSL remote access VPN implementation can, if you are not very careful, allow a hacker or cracker access to sensitive information including usernames, passwords, and data downloaded to the workstation from which a user is connecting.

This access to sensitive information can result from the installation of malware such as keystroke loggers as well as simply because web browser sessions leave traces such as caches, histories, temporary files, cookies, and password autocompletion. In addition, any data downloaded over an SSL remote access VPN and written to a hard disk is not effectively removed by its simple deletion—some or all of that data can be accessed fairly simply by someone with a minimal amount of technical expertise using readily available software tools.

So, having possibly horrified you with the possibilities of the compromise of SSL remote access VPNs, it is time to take a look at how the previously mentioned vulnerabilities can be addressed.

Cisco has software that helps to address these vulnerabilities called Cisco Secure Desktop. This software can be dynamically downloaded to client workstations upon initial connection via an ActiveX, Java, or .exe file.

The Cisco Secure Desktop suite can provide different levels of protection based on the location from which remote access users are connecting. In addition to the removal and overwrite of cache, histories, temporary files, and so on, the Secure Desktop suite can provide access based on the presence of antivirus software, firewall software, and operating systems and service packs.

Secure Desktop operates as follows:

  1. A remote access VPN user connects to the VPN 3000 concentrator.

  2. The Cisco Secure Desktop is dynamically downloaded from the concentrator to the user workstation, and the location of the workstation is assessed.

  3. Depending on the location, a secure, virtual desktop is created; a cache cleaner is applied; and/or a VPN feature policy is applied on the user workstation. The secure desktop includes an encrypted sandbox or hard drive partition.

  4. The user continues with his/her SSL remote access VPN session.

  5. When the user logs out from the VPN 3000 concentrator, the secure desktop is eliminated, with all cache, history, temporary files, and user data (including e-mail attachments) being overwritten using the U.S. Department of Defense (DoD) method for secure data elimination.

  6. Information elimination using overwrite ensures that data cannot be retrieved by another user at a later time.
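Step 5 describes eliminating cached and downloaded data by overwriting rather than merely deleting it. The following is an added illustration of that technique, not Cisco Secure Desktop code and not taken from the book: it overwrites a file with zeros, then ones, then random bytes, reads the final pass back to verify it, and only then unlinks the file. The three-pass sequence and the verification step are assumptions about what "the DoD method" means here; the pattern sequence Secure Desktop actually uses is not stated on the page. Note also that in-place overwriting only reaches the original sectors when the filesystem writes in place, so on wear-levelled flash or copy-on-write/journaling filesystems it does not guarantee the old data is gone.

```python
import os
import random
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes per write; keeps memory flat for large files


def _write_pass(fh, size: int, make_block, chunk: int = CHUNK) -> None:
    """Write one complete overwrite pass over `size` bytes and force it to disk."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(chunk, remaining)
        fh.write(make_block(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def overwrite_file(path: str, chunk: int = CHUNK) -> int:
    """Three overwrite passes (zeros, ones, random) plus read-back verification
    of the random pass. Returns the number of bytes overwritten. The file is
    left in place so callers can inspect it; secure_delete() unlinks it."""
    size = os.path.getsize(path)
    seed = secrets.randbits(64)  # lets the random pass be regenerated for verification
    with open(path, "r+b") as fh:
        _write_pass(fh, size, lambda n: b"\x00" * n, chunk)
        _write_pass(fh, size, lambda n: b"\xff" * n, chunk)
        rng = random.Random(seed)
        _write_pass(fh, size, rng.randbytes, chunk)
        # Verify: regenerate the same random stream and compare against the disk.
        rng = random.Random(seed)
        fh.seek(0)
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            if fh.read(n) != rng.randbytes(n):
                raise RuntimeError(f"verification of final overwrite pass failed: {path}")
            remaining -= n
    return size


def secure_delete(path: str) -> int:
    """Overwrite, verify, then remove the file. Returns bytes overwritten."""
    size = overwrite_file(path)
    os.remove(path)
    return size


def make_sample_file(content: bytes) -> str:
    """Create a constructed sample file (stands in for data downloaded over the
    VPN session) and return its path."""
    fd, path = tempfile.mkstemp(prefix="webvpn-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def read_back(path: str):
    """Return the file's current bytes, or None once it has been removed."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    sample = make_sample_file(b"confidential attachment " * 5000)  # constructed content
    print("overwritten bytes:", overwrite_file(sample))
    print("plaintext still present:", b"confidential" in read_back(sample))
    secure_delete(sample)
    print("file present after secure_delete:", read_back(sample) is not None)
```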

Figure 10-41 illustrates the operation of Cisco Secure Desktop.

Figure 10-41 Operation of Cisco Secure Desktop

Installing the Cisco Secure Desktop

The first step in implementing the Cisco Secure Desktop is to install the software on the VPN 3000 concentrator. You can accomplish this by going to Configuration > Tunneling and Security > WebVPN > Secure Desktop > Setup (see Figure 10-42).

Figure 10-42 Installing the Cisco Secure Desktop

Choose Install a new Secure Desktop, browse to the location where the software is stored, and click Apply. If all is well and good, a page with a message stating that the software has been correctly uploaded will now display.

Configuring the Cisco Secure Desktop for Windows Clients

After the software has been installed, you can go to Configuration > Tunneling and Security > WebVPN > Secure Desktop > Manager to begin configuration.

As previously described, the Cisco Secure Desktop is location based. That is, the Cisco Secure Desktop applied depends on the location from which users connect.

Click the Windows Location Settings heading in the subtree on the left side of the Cisco Secure Desktop window. You will then see the Windows Location Settings page shown in Figure 10-43.

Figure 10-43 Specifying Locations Within Cisco Secure Desktop

In the Location name box, you can specify the names of locations from which users can connect to the VPN 3000 concentrator and add them in turn by clicking the Add button. In Figure 10-43, two locations have been added, home and other.

When users connect to the VPN 3000 concentrator, they are matched against the configured locations in the order in which they are listed in the Windows Location Settings window. So, it is important to list the locations in the correct order.

Configuration of the security setting associated with each location is achieved by clicking the location names in the left pane of the window.

You might be wondering how the VPN 3000 concentrator knows that, for example, a user is connecting from his home office and not some other location such as an Internet café or kiosk. Locations are identified by the Secure Desktop when it downloads to a user workstation, based on whether a certificate is installed on the machine, whether the machine's NIC is assigned a certain IP address, or whether the machine has a certain registry setting or file.

Figure 10-44 shows the configuration of the identification criteria for a location (in this example, home).

Figure 10-44 Configuration of the Identification Criteria for a Location

If you take a look at the Identification pane in Figure 10-44 (Identification for home), you will see that there are three options (check boxes):

  • Enable identification using certificate criteria—By checking this box, it is possible to use the fields of a certificate installed on the user workstation to identify its location.

  • Enable identification using IP criteria—Checking this box enables an administrator to specify a range of IP addresses. If a user workstation is assigned an IP address within this range, the workstation's location is identified on this basis.

  • Enable identification using File or Registry criteria—This box, if checked, allows identification of a location based on a file or registry entry on a user workstation.

In Figure 10-44, the identification of the location home is based on the existence of a file called mjlsetup.exe on the user workstation.

In summary, when a user connects to the VPN 3000 concentrator, the Cisco Secure Desktop dynamically downloads, and the location of the workstation from which the user is connecting is assessed based on the configured criteria.
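The ordered, criteria-based location matching described above, as an added example that is not Cisco Secure Desktop code or code from the book. It models the three identification criteria (certificate, IP range, file or registry entry) against a constructed set of workstation facts and returns the first location that matches, which is why a catch-all location such as other must be listed last. Assumptions not taken from the page: a location with several enabled criteria matches only when all of them match; a location with no criteria enabled matches any workstation; file paths are compared case-insensitively as on Windows; certificate matching is done on a substring of the certificate subject; and the path prefix for mjlsetup.exe is invented.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Posture:
    """Facts the downloaded Secure Desktop would gather on the workstation (constructed)."""
    ip: str
    files: set = field(default_factory=set)            # paths that exist on the machine
    registry: dict = field(default_factory=dict)       # registry key -> value
    cert_subjects: list = field(default_factory=list)  # subjects of installed certificates


@dataclass
class Location:
    """One entry from Windows Location Settings with its identification criteria."""
    name: str
    ip_ranges: List[str] = field(default_factory=list)       # IP criteria (CIDR strings)
    file_paths: List[str] = field(default_factory=list)      # File criteria
    registry_keys: List[str] = field(default_factory=list)   # Registry criteria
    cert_subject_contains: Optional[str] = None              # Certificate criteria

    def is_catch_all(self) -> bool:
        """No criteria enabled: assumed to match every workstation."""
        return not (self.ip_ranges or self.file_paths
                    or self.registry_keys or self.cert_subject_contains)

    def matches(self, p: Posture) -> bool:
        """Assumption: every enabled criterion must match (logical AND)."""
        checks = []
        if self.ip_ranges:
            addr = ipaddress.ip_address(p.ip)
            checks.append(any(addr in ipaddress.ip_network(r, strict=False)
                              for r in self.ip_ranges))
        if self.file_paths:
            present = {f.lower() for f in p.files}  # Windows paths are case-insensitive
            checks.append(any(path.lower() in present for path in self.file_paths))
        if self.registry_keys:
            checks.append(any(k in p.registry for k in self.registry_keys))
        if self.cert_subject_contains is not None:
            checks.append(any(self.cert_subject_contains in s for s in p.cert_subjects))
        return all(checks)  # all([]) is True, so a catch-all location always matches


def identify_location(locations: List[Location], p: Posture) -> Optional[str]:
    """First-match-wins, in the order the locations are listed."""
    for loc in locations:
        if loc.matches(p):
            return loc.name
    return None


def catch_all_misplaced(locations: List[Location]) -> List[str]:
    """Names of catch-all locations that are not last; anything after them is unreachable."""
    return [loc.name for loc in locations[:-1] if loc.is_catch_all()]


# Constructed configuration mirroring the page's two locations, home and other.
# The directory prefix is an assumption; the page only names the file mjlsetup.exe.
HOME = Location("home",
                ip_ranges=["192.0.2.0/24"],
                file_paths=[r"C:\Program Files\mjlsetup.exe"])
OTHER = Location("other")  # no criteria: catch-all, must be listed last

if __name__ == "__main__":
    at_home = Posture(ip="192.0.2.10", files={r"c:\program files\mjlsetup.exe"})
    at_cafe = Posture(ip="198.51.100.7")
    print(identify_location([HOME, OTHER], at_home))   # home
    print(identify_location([HOME, OTHER], at_cafe))   # other
    print(identify_location([OTHER, HOME], at_home))   # other: wrong order hides home
    print(catch_all_misplaced([OTHER, HOME]))          # ['other']
```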
