SSL Remote Access VPNs (1ST)

  • Binding: Paperback (349 pages)
  • Language: ENG
  • Product code: 9781587052422
  • DDC classification: 005.8

Full Description


SSL Remote Access VPNs

An introduction to designing and configuring SSL virtual private networks

Jazib Frahim, CCIE (R) No. 5459
Qiang Huang, CCIE No. 4937

Cisco (R) SSL VPN solutions (formerly known as Cisco WebVPN solutions) give you a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet and a web browser. Remote access based on SSL VPN delivers secure access to network resources by establishing an encrypted tunnel across the Internet using a broadband (cable or DSL) or ISP dialup connection.

SSL Remote Access VPNs provides you with a basic working knowledge of SSL virtual private networks on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPN in existing network infrastructures. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices. Common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.

SSL Remote Access VPNs gives you everything you need to know to understand, design, install, configure, and troubleshoot all the components that make up an effective, secure SSL VPN solution.

Jazib Frahim, CCIE (R) No. 5459, is currently working as a technical leader in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security.

Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for market-leading modular Ethernet switching platforms. During his time at Cisco, Qiang has played an important role in a number of technology groups, including the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP Dial.

  • Understand remote access VPN technologies, such as Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling (L2TP) over IPsec, and SSL VPN
  • Learn about the building blocks of SSL VPN, including cryptographic algorithms and SSL and Transport Layer Security (TLS)
  • Evaluate common design best practices for planning and designing an SSL VPN solution
  • Gain insight into SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS (R) routers
  • Install and configure SSL VPNs on Cisco ASA and Cisco IOS routers
  • Manage your SSL VPN deployment using Cisco Security Manager

This security book is part of the Cisco Press (R) Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security
Covers: SSL VPNs

Contents

Introduction

Chapter 1: Introduction to Remote Access VPN Technologies
  • Remote Access Technologies, p. 5
  • IPsec, p. 5
  • Software-Based VPN Clients, p. 7
  • Hardware-Based VPN Clients, p. 7
  • SSL VPN, p. 7
  • L2TP, p. 9
  • L2TP over IPsec, p. 11
  • PPTP, p. 13
  • Summary, p. 14

Chapter 2: SSL VPN Technology
  • Cryptographic Building Blocks of SSL VPNs, p. 17
  • Hashing and Message Integrity Authentication, p. 17
  • Hashing, p. 18
  • Message Authentication Code, p. 18
  • Encryption, p. 20
  • RC4, p. 21
  • DES and 3DES, p. 22
  • AES, p. 22
  • Diffie-Hellman, p. 23
  • RSA and DSA, p. 24
  • Digital Signatures and Digital Certification, p. 24
  • Digital Signatures, p. 24
  • Public Key Infrastructure, Digital Certificates, and Certification, p. 25
  • SSL and TLS, p. 30
  • SSL and TLS History, p. 30
  • SSL Protocols Overview, p. 31
  • OSI Layer Placement and TCP/IP Protocol Support, p. 31
  • SSL Record Protocol and Handshake Protocols, p. 33
  • SSL Connection Setup, p. 34
  • Application Data, p. 42
  • Case Study: SSL Connection Setup, p. 43
  • DTLS, p. 48
  • SSL VPN, p. 49
  • Reverse Proxy Technology, p. 50
  • URL Mangling, p. 52
  • Content Rewriting, p. 53
  • Port-Forwarding Technology, p. 55
  • Terminal Services, p. 58
  • SSL VPN Tunnel Client, p. 58
  • Summary, p. 59
  • References, p. 60

Chapter 3: SSL VPN Design Considerations
  • Not All Resource Access Methods Are Equal, p. 63
  • User Authentication and Access Privilege Management, p. 65
  • User Authentication, p. 66
  • Choice of Authentication Servers, p. 66
  • AAA Server Scalability and High Availability, p. 67
  • AAA Server Scalability, p. 67
  • AAA Server High Availability and Resiliency, p. 68
  • Resource Access Privilege Management, p. 68
  • Security Considerations, p. 70
  • Security Threats, p. 71
  • Lack of Security on Unmanaged Computers, p. 71
  • Data Theft, p. 71
  • Man-in-the-Middle Attacks, p. 72
  • Web Application Attack, p. 73
  • Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network, p. 73
  • Split Tunneling, p. 73
  • Password Attacks, p. 74
  • Security Risk Mitigation, p. 74
  • Strong User Authentication and Password Policy, p. 75
  • Choose Strong Cryptographic Algorithms, p. 75
  • Session Timeout and Persistent Sessions, p. 75
  • Endpoint Security Posture Assessment and Validation, p. 75
  • VPN Session Data Protection, p. 76
  • Techniques to Prevent Data Theft, p. 76
  • Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies, p. 77
  • Device Placement, p. 78
  • Platform Options, p. 79
  • Virtualization, p. 79
  • High Availability, p. 80
  • Performance and Scalability, p. 81
  • Summary, p. 82
  • References, p. 82

Chapter 4: Cisco SSL VPN Family of Products
  • Overview of Cisco SSL VPN Product Portfolio, p. 85
  • Cisco ASA 5500 Series, p. 87
  • SSL VPN History on Cisco ASA, p. 87
  • SSL VPN Specifications on Cisco ASA, p. 88
  • SSL VPN Licenses on Cisco ASA, p. 89
  • Cisco IOS Routers, p. 90
  • SSL VPN History on Cisco IOS Routers, p. 90
  • SSL VPN Licenses on Cisco IOS Routers, p. 90
  • Summary, p. 91

Chapter 5: SSL VPNs on Cisco ASA
  • SSL VPN Design Considerations, p. 93
  • SSL VPN Prerequisites, p. 95
  • SSL VPN Licenses, p. 95
  • Client Operating System and Browser and Software Requirements, p. 96
  • Infrastructure Requirements, p. 97
  • Pre-SSL VPN Configuration Guide, p. 97
  • Enrolling Digital Certificates (Recommended), p. 98
  • Step 1: Configuring a Trustpoint, p. 98
  • Step 2: Obtaining a CA Certificate, p. 99
  • Step 3: Obtaining an Identity Certificate, p. 100
  • Setting Up ASDM, p. 101
  • Uploading ASDM, p. 102
  • Setting Up the Appliance, p. 103
  • Accessing ASDM, p. 104
  • Setting Up Tunnel and Group Policies, p. 106
  • Configuring Group-Policies, p. 107
  • Configuring a Tunnel Group, p. 110
  • Setting Up User Authentication, p. 110
  • Clientless SSL VPN Configuration Guide, p. 114
  • Enabling Clientless SSL VPN on an Interface, p. 116
  • Configuring SSL VPN Portal Customization, p. 117
  • Logon Page, p. 118
  • Portal Page, p. 123
  • Logout Page, p. 125
  • Portal Customization and User Group, p. 126
  • Full Customization, p. 129
  • Configuring Bookmarks, p. 134
  • Configuring Websites, p. 135
  • Configuring File Servers, p. 137
  • Applying a Bookmark List to a Group Policy, p. 139
  • Single Sign-On, p. 140
  • Configuring Web-Type ACLs, p. 141
  • Configuring Application Access, p. 144
  • Configuring Port Forwarding, p. 144
  • Configuring Smart Tunnels, p. 147
  • Configuring Client-Server Plug-Ins, p. 150
  • AnyConnect VPN Client Configuration Guide, p. 152
  • Loading the SVC Package, p. 154
  • Defining AnyConnect VPN Client Attributes, p. 155
  • Enabling AnyConnect VPN Client Functionality, p. 155
  • Defining a Pool of Addresses, p. 156
  • Configuring Traffic Filters, p. 159
  • Configuring a Tunnel Group, p. 159
  • Advanced Full Tunnel Features, p. 159
  • Split Tunneling, p. 159
  • DNS and WINS Assignment, p. 161
  • Keeping the SSL VPN Client Installed, p. 162
  • Configuring DTLS, p. 163
  • Cisco Secure Desktop, p. 164
  • CSD Components, p. 165
  • Secure Desktop Manager, p. 165
  • Secure Desktop, p. 165
  • Cache Cleaner, p. 166
  • CSD Requirements, p. 166
  • Supported Operating Systems, p. 166
  • User Privileges, p. 167
  • Supported Internet Browsers, p. 167
  • Internet Browser Settings, p. 167
  • CSD Architecture, p. 168
  • Configuring CSD, p. 169
  • Loading the CSD Package, p. 169
  • Defining Prelogin Sequences, p. 170
  • Host Scan, p. 182
  • Host Scan Modules, p. 183
  • Basic Host Scan, p. 183
  • Endpoint Assessment, p. 183
  • Advanced Endpoint Assessment, p. 184
  • Configuring Host Scan, p. 184
  • Setting Up Basic Host Scan, p. 184
  • Enabling Endpoint Host Scan, p. 186
  • Setting Up an Advanced Endpoint Host Scan, p. 187
  • Dynamic Access Policies, p. 189
  • DAP Architecture, p. 190
  • DAP Records, p. 191
  • DAP Selection Rules, p. 191
  • DAP Configuration File, p. 191
  • DAP Sequence of Events, p. 191
  • Configuring DAP, p. 192
  • Selecting a AAA Attribute, p. 193
  • Selecting Endpoint Attributes, p. 195
  • Defining Access Policies, p. 197
  • Deployment Scenarios, p. 205
  • AnyConnect Client with CSD and External Authentication, p. 206
  • Step 1: Set Up CSD, p. 207
  • Step 2: Set Up RADIUS for Authentication, p. 207
  • Step 3: Configure AnyConnect SSL VPN, p. 208
  • Clientless Connections with DAP, p. 209
  • Step 1: Define Clientless Connections, p. 210
  • Step 2: Configuring DAP, p. 211
  • Monitoring and Troubleshooting SSL VPN, p. 212
  • Monitoring SSL VPN, p. 212
  • Troubleshooting SSL VPN, p. 215
  • Troubleshooting SSL Negotiations, p. 215
  • Troubleshooting AnyConnect Client Issues, p. 215
  • Troubleshooting Clientless Issues, p. 217
  • Troubleshooting CSD, p. 219
  • Troubleshooting DAP, p. 219
  • Summary, p. 220

Chapter 6: SSL VPNs on Cisco IOS Routers
  • SSL VPN Design Considerations, p. 223
  • IOS SSL VPN Prerequisites, p. 225
  • IOS SSL VPN Configuration Guide, p. 226
  • Configuring Pre-SSL VPN Setup, p. 226
  • Setting Up User Authentication, p. 226
  • Enrolling Digital Certificates (Recommended), p. 229
  • Loading SDM (Recommended), p. 232
  • Initial SSL VPN Configuration, p. 235
  • Step 1: Setting Up an SSL VPN Gateway, p. 237
  • Step 2: Setting Up an SSL VPN Context, p. 239
  • Step 3: Configuring SSL VPN Look and Feel, p. 241
  • Step 4: Configuring SSL VPN Group Policies, p. 245
  • Advanced SSL VPN Features, p. 247
  • Configuring Clientless SSL VPNs, p. 247
  • Windows File Sharing, p. 253
  • Configuring Application ACL, p. 257
  • Thin Client SSL VPNs, p. 259
  • Step 1: Defining Port-Forwarding Lists, p. 261
  • Step 2: Mapping Port-Forwarding Lists to a Group Policy, p. 262
  • AnyConnect SSL VPN Client, p. 264
  • Step 1: Loading the AnyConnect Package, p. 264
  • Step 2: Defining AnyConnect VPN Client Attributes, p. 266
  • Cisco Secure Desktop, p. 276
  • CSD Components, p. 277
  • Secure Desktop Manager, p. 277
  • Secure Desktop, p. 277
  • Cache Cleaner, p. 278
  • CSD Requirements, p. 278
  • Supported Operating Systems, p. 278
  • User Privileges, p. 279
  • Supported Internet Browsers, p. 279
  • Internet Browser Settings, p. 279
  • CSD Architecture, p. 280
  • Configuring CSD, p. 281
  • Step 1: Loading the CSD Package, p. 282
  • Step 2: Launching the CSD Package, p. 283
  • Step 3: Defining Policies for Windows-Based Clients, p. 283
  • Defining Policies for Windows CE, p. 298
  • Defining Policies for the Mac and Linux Cache Cleaner, p. 298
  • Deployment Scenarios, p. 301
  • Clientless Connections with CSD, p. 301
  • Step 1: User Authentication and DNS, p. 302
  • Step 2: Set Up CSD, p. 303
  • Step 3: Define Clientless Connections, p. 303
  • AnyConnect Client and External Authentication, p. 304
  • Step 1: Set Up RADIUS for Authentication, p. 305
  • Step 2: Install the AnyConnect SSL VPN, p. 306
  • Step 3: Configure AnyConnect SSL VPN Properties, p. 306
  • Monitoring an SSL VPN in Cisco IOS, p. 307
  • Summary, p. 311

Chapter 7: Management of SSL VPNs
  • Multidevice Policy Provisioning, p. 314
  • Device View and Policy View, p. 314
  • Device View, p. 314
  • Policy View, p. 318
  • Use of Common Objects for Multidevice Management, p. 320
  • Workflow Control and Role-Based Access Control, p. 322
  • Workflow Control, p. 323
  • Workflow Mode, p. 324
  • Role-Based Administration, p. 326
  • Native Mode, p. 326
  • Cisco Secure ACS Integration Mode, p. 327
  • Summary, p. 331
  • References, p. 331