
SSL Remote Access VPNs (Network Security)


Overview

SSL Remote Access VPNs

An introduction to designing and configuring SSL virtual private networks

Jazib Frahim, CCIE® No. 5459

Qiang Huang, CCIE No. 4937

Cisco® SSL VPN solutions (formerly known as Cisco WebVPN solutions) give you a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet and a web browser. Remote access based on SSL VPN delivers secure access to network resources by establishing an encrypted tunnel across the Internet using a broadband (cable or DSL) or ISP dialup connection.

SSL Remote Access VPNs provides you with a basic working knowledge of SSL virtual private networks on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPN in existing network infrastructures. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices. Common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.

SSL Remote Access VPNs gives you everything you need to know to understand, design, install, configure, and troubleshoot all the components that make up an effective, secure SSL VPN solution.

Jazib Frahim, CCIE® No. 5459, is currently working as a technical leader in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security.

Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for market-leading modular Ethernet switching platforms. During his time at Cisco, Qiang has played an important role in a number of technology groups, including the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP dial.

  • Understand remote access VPN technologies, such as Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) over IPsec, and SSL VPN
  • Learn about the building blocks of SSL VPN, including cryptographic algorithms and SSL and Transport Layer Security (TLS)
  • Evaluate common design best practices for planning and designing an SSL VPN solution
  • Gain insight into SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS® routers
  • Install and configure SSL VPNs on Cisco ASA and Cisco IOS routers
  • Manage your SSL VPN deployment using Cisco Security Manager

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security

Covers: SSL VPNs


Product Details

  • ISBN-13: 9781587052422
  • Publisher: Cisco Press
  • Publication date: 6/13/2008
  • Series: Networking Technology: Security Series
  • Edition description: New Edition
  • Pages: 349
  • Product dimensions: 7.30 (w) x 9.00 (h) x 0.80 (d)

Meet the Author

Jazib Frahim, CCIE No. 5459, has been with Cisco for more than nine years. Having a bachelor’s degree in computer engineering from Illinois Institute of Technology, he started out as a TAC engineer in the LAN Switching team. He then moved to the TAC Security team, where he acted as a technical leader for the security products. He led a team of 20 engineers in resolving complicated security and VPN technologies. He is currently working as a technical leader in the Worldwide Security Services Practice of Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has been an active member on the Cisco online forum NetPro. He has presented at Networkers on multiple occasions and has taught many on-site and online courses to Cisco customers, partners, and employees.

He has recently received his master of business administration (MBA) degree from North Carolina State University. He is also an author of the following Cisco Press books: Cisco Network Admission Control, Volume II: NAC Deployment and Troubleshooting, and Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance.

Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Systems Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for Cisco market-leading modular Ethernet switching platforms. He has been with Cisco for almost ten years. During his time at Cisco, Qiang played an important role in a number of technology groups, including the following: technical lead in the Cisco TAC security and VPN team, where he was responsible for troubleshooting complicated customer deployments in security and VPN solutions; a security consulting engineer in the Cisco Advanced Service Group, providing security posture assessment and consulting services to customers; and a technical marketing engineer focusing on competitive analysis and market intelligence in network security, with specialization in the emerging SSL VPN technology. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and ISP dial. He is also one of the contributing authors of Internetworking Technologies Handbook, Fourth Edition. Qiang received a master’s degree in electrical engineering from Colorado State University.


Table of Contents

Introduction

Chapter 1: Introduction to Remote Access VPN Technologies

Remote Access Technologies 5

IPsec 5

Software-Based VPN Clients 7

Hardware-Based VPN Clients 7

SSL VPN 7

L2TP 9

L2TP over IPsec 11

PPTP 13

Summary 14

Chapter 2: SSL VPN Technology

Cryptographic Building Blocks of SSL VPNs 17

Hashing and Message Integrity Authentication 17

Hashing 18

Message Authentication Code 18

Encryption 20

RC4 21

DES and 3DES 22

AES 22

Diffie-Hellman 23

RSA and DSA 24

Digital Signatures and Digital Certification 24

Digital Signatures 24

Public Key Infrastructure, Digital Certificates, and Certification 25

SSL and TLS 30

SSL and TLS History 30

SSL Protocols Overview 31

OSI Layer Placement and TCP/IP Protocol Support 31

SSL Record Protocol and Handshake Protocols 33

SSL Connection Setup 34

Application Data 42

Case Study: SSL Connection Setup 43

DTLS 48

SSL VPN 49

Reverse Proxy Technology 50

URL Mangling 52

Content Rewriting 53

Port-Forwarding Technology 55

Terminal Services 58

SSL VPN Tunnel Client 58

Summary 59

References 60

Chapter 3: SSL VPN Design Considerations

Not All Resource Access Methods Are Equal 63

User Authentication and Access Privilege Management 65

User Authentication 66

Choice of Authentication Servers 66

AAA Server Scalability and High Availability 67

AAA Server Scalability 67

AAA Server High Availability and Resiliency 68

Resource Access Privilege Management 68

Security Considerations 70

Security Threats 71

Lack of Security on Unmanaged Computers 71

Data Theft 71

Man-in-the-Middle Attacks 72

Web Application Attack 73

Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network 73

Split Tunneling 73

Password Attacks 74

Security Risk Mitigation 74

Strong User Authentication and Password Policy 75

Choose Strong Cryptographic Algorithms 75

Session Timeout and Persistent Sessions 75

Endpoint Security Posture Assessment and Validation 75

VPN Session Data Protection 76

Techniques to Prevent Data Theft 76

Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies 77

Device Placement 78

Platform Options 79

Virtualization 79

High Availability 80

Performance and Scalability 81

Summary 82

References 82

Chapter 4: Cisco SSL VPN Family of Products

Overview of Cisco SSL VPN Product Portfolio 85

Cisco ASA 5500 Series 87

SSL VPN History on Cisco ASA 87

SSL VPN Specifications on Cisco ASA 88

SSL VPN Licenses on Cisco ASA 89

Cisco IOS Routers 90

SSL VPN History on Cisco IOS Routers 90

SSL VPN Licenses on Cisco IOS Routers 90

Summary 91

Chapter 5: SSL VPNs on Cisco ASA

SSL VPN Design Considerations 93

SSL VPN Prerequisites 95

SSL VPN Licenses 95

Client Operating System and Browser and Software Requirements 96

Infrastructure Requirements 97

Pre-SSL VPN Configuration Guide 97

Enrolling Digital Certificates (Recommended) 98

Step 1: Configuring a Trustpoint 98

Step 2: Obtaining a CA Certificate 99

Step 3: Obtaining an Identity Certificate 100

Setting Up ASDM 101

Uploading ASDM 102

Setting Up the Appliance 103

Accessing ASDM 104

Setting Up Tunnel and Group Policies 106

Configuring Group-Policies 107

Configuring a Tunnel Group 110

Setting Up User Authentication 110

Clientless SSL VPN Configuration Guide 114

Enabling Clientless SSL VPN on an Interface 116

Configuring SSL VPN Portal Customization 117

Logon Page 118

Portal Page 123

Logout Page 125

Portal Customization and User Group 126

Full Customization 129

Configuring Bookmarks 134

Configuring Websites 135

Configuring File Servers 137

Applying a Bookmark List to a Group Policy 139

Single Sign-On 140

Configuring Web-Type ACLs 141

Configuring Application Access 144

Configuring Port Forwarding 144

Configuring Smart Tunnels 147

Configuring Client-Server Plug-Ins 150

AnyConnect VPN Client Configuration Guide 152

Loading the SVC Package 154

Defining AnyConnect VPN Client Attributes 155

Enabling AnyConnect VPN Client Functionality 155

Defining a Pool of Addresses 156

Configuring Traffic Filters 159

Configuring a Tunnel Group 159

Advanced Full Tunnel Features 159

Split Tunneling 159

DNS and WINS Assignment 161

Keeping the SSL VPN Client Installed 162

Configuring DTLS 163

Cisco Secure Desktop 164

CSD Components 165

Secure Desktop Manager 165

Secure Desktop 165

Cache Cleaner 166

CSD Requirements 166

Supported Operating Systems 166

User Privileges 167

Supported Internet Browsers 167

Internet Browser Settings 167

CSD Architecture 168

Configuring CSD 169

Loading the CSD Package 169

Defining Prelogin Sequences 170

Host Scan 182

Host Scan Modules 183

Basic Host Scan 183

Endpoint Assessment 183

Advanced Endpoint Assessment 184

Configuring Host Scan 184

Setting Up Basic Host Scan 184

Enabling Endpoint Host Scan 186

Setting Up an Advanced Endpoint Host Scan 187

Dynamic Access Policies 189

DAP Architecture 190

DAP Records 191

DAP Selection Rules 191

DAP Configuration File 191

DAP Sequence of Events 191

Configuring DAP 192

Selecting a AAA Attribute 193

Selecting Endpoint Attributes 195

Defining Access Policies 197

Deployment Scenarios 205

AnyConnect Client with CSD and External Authentication 206

Step 1: Set Up CSD 207

Step 2: Set Up RADIUS for Authentication 207

Step 3: Configure AnyConnect SSL VPN 208

Clientless Connections with DAP 209

Step 1: Define Clientless Connections 210

Step 2: Configuring DAP 211

Monitoring and Troubleshooting SSL VPN 212

Monitoring SSL VPN 212

Troubleshooting SSL VPN 215

Troubleshooting SSL Negotiations 215

Troubleshooting AnyConnect Client Issues 215

Troubleshooting Clientless Issues 217

Troubleshooting CSD 219

Troubleshooting DAP 219

Summary 220

Chapter 6: SSL VPNs on Cisco IOS Routers

SSL VPN Design Considerations 223

IOS SSL VPN Prerequisites 225

IOS SSL VPN Configuration Guide 226

Configuring Pre-SSL VPN Setup 226

Setting Up User Authentication 226

Enrolling Digital Certificates (Recommended) 229

Loading SDM (Recommended) 232

Initial SSL VPN Configuration 235

Step 1: Setting Up an SSL VPN Gateway 237

Step 2: Setting Up an SSL VPN Context 239

Step 3: Configuring SSL VPN Look and Feel 241

Step 4: Configuring SSL VPN Group Policies 245

Advanced SSL VPN Features 247

Configuring Clientless SSL VPNs 247

Windows File Sharing 253

Configuring Application ACL 257

Thin Client SSL VPNs 259

Step 1: Defining Port-Forwarding Lists 261

Step 2: Mapping Port-Forwarding Lists to a Group Policy 262

AnyConnect SSL VPN Client 264

Step 1: Loading the AnyConnect Package 264

Step 2: Defining AnyConnect VPN Client Attributes 266

Cisco Secure Desktop 276

CSD Components 277

Secure Desktop Manager 277

Secure Desktop 277

Cache Cleaner 278

CSD Requirements 278

Supported Operating Systems 278

User Privileges 279

Supported Internet Browsers 279

Internet Browser Settings 279

CSD Architecture 280

Configuring CSD 281

Step 1: Loading the CSD Package 282

Step 2: Launching the CSD Package 283

Step 3: Defining Policies for Windows-Based Clients 283

Defining Policies for Windows CE 298

Defining Policies for the Mac and Linux Cache Cleaner 298

Deployment Scenarios 301

Clientless Connections with CSD 301

Step 1: User Authentication and DNS 302

Step 2: Set Up CSD 303

Step 3: Define Clientless Connections 303

AnyConnect Client and External Authentication 304

Step 1: Set Up RADIUS for Authentication 305

Step 2: Install the AnyConnect SSL VPN 306

Step 3: Configure AnyConnect SSL VPN Properties 306

Monitoring an SSL VPN in Cisco IOS 307

Summary 311

Chapter 7: Management of SSL VPNs

Multidevice Policy Provisioning 314

Device View and Policy View 314

Device View 314

Policy View 318

Use of Common Objects for Multidevice Management 320

Workflow Control and Role-Based Access Control 322

Workflow Control 323

Workflow Mode 324

Role-Based Administration 326

Native Mode 326

Cisco Secure ACS Integration Mode 327

Summary 331

References 331



Preface

Introduction

This book provides a complete guide to the SSL VPN technology and discusses its implementation on Cisco SSL VPN–capable devices. Design guidance is provided to assist you in implementing SSL VPNs in an existing network infrastructure. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices.

Toward the end of Chapters 5 and 6, common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.

Who Should Read This Book?

This book serves as a guide for network professionals who want to implement the Cisco SSL VPN remote access solution in their network to allow users to access the corporate resources easily and safely. The book systematically walks you through the product or solution architecture, installation, configuration, deployment, monitoring, and troubleshooting the SSL VPN solution. Any network professional should be able to use this book as a guide to successfully deploy SSL VPN remote access solutions in their network. Requirements include a basic knowledge of TCP/IP and networking, familiarity with Cisco routers/firewalls and their command-line interface (CLI), and a general understanding of the overall SSL VPN solution.

How This Book Is Organized

Part I of this book includes Chapters 1 and 2, which provide an overview of the remote access VPN technologies and introduce the SSL VPN technology. The remainder of the book is divided into two parts.

Part II encompasses Chapters 3 and 4 and introduces the Cisco SSL VPN product lines, with guidance on different design considerations.

Part III encompasses Chapters 5 through 7 and covers the installation, configuration, deployment, and troubleshooting of the individual components that make up the SSL VPN solution.

  • Part I, "Introduction and Technology Overview," includes the following chapters:
    • Chapter 1, "Introduction to Remote Access VPN Technologies": This chapter covers the remote access Virtual Private Network (VPN) technologies in detail. Protocols such as the Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling Protocol (L2TP) over IPsec, and SSL VPN are discussed to provide readers with an overview of the available remote access VPN technologies.
    • Chapter 2, "SSL VPN Technology": This chapter provides a technology overview of the building blocks of SSL VPNs, including cryptographic algorithms, SSL and Transport Layer Security (TLS), and common SSL VPN technologies.
  • Part II, "SSL VPN Design Considerations and Cisco Solution Overview," includes the following chapters:
    • Chapter 3, "SSL VPN Design Considerations": This chapter discusses the common design best practices for planning and designing an SSL VPN solution.
    • Chapter 4, "Cisco SSL VPN Family of Products": This chapter discusses the SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS routers and provides product specifications that are focused on SSL VPNs.
  • Part III, "Deploying Cisco SSL VPN Solutions," includes the following chapters:
    • Chapter 5, "SSL VPNs on Cisco ASA": This chapter provides details about the SSL VPN functionality in Cisco ASA. It discusses clientless and full tunnel SSL VPN client implementations and focuses on Cisco Secure Desktop (CSD). It also discusses the Host Scan feature that is used to collect posture information about end workstations. The dynamic access policy (DAP) feature, its usage, and detailed configuration examples are also provided. To reinforce learning, many different deployment scenarios are presented along with their configurations.
    • Chapter 6, "SSL VPNs on Cisco IOS Routers": This chapter provides details about the SSL VPN functionality in Cisco IOS routers. It begins by offering design guidance and then discusses the configuration of SSL VPNs in greater detail. The configurations of clientless, thin client, and AnyConnect Client modes are discussed. The second half of the chapter focuses on Cisco Secure Desktop (CSD) and offers guidance in setting up CSD features. To reinforce learning, two different deployment scenarios are presented along with their configurations. Toward the end of this chapter, SSL VPN monitoring through SDM is also discussed.
    • Chapter 7, "Management of SSL VPNs": This chapter discusses the central management of SSL VPN devices using Cisco Security Manager.

© Copyright Pearson Education. All rights reserved.
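The preface's Chapter 5 summary describes the ASA full-tunnel (AnyConnect) deployment with external RADIUS authentication, and Chapter 3 lists split tunneling, weak ciphers and persistent sessions among the threats to mitigate. The minimal ASA CLI configuration below is an added example, not taken from the book or from Cisco documentation. It assumes ASA 8.x syntax of the book's era (later releases renamed the `svc` keywords to `anyconnect` and `vpn-tunnel-protocol svc` to `ssl-client`), an identity trustpoint TP-SSLVPN that has already been enrolled following the book's certificate steps, a RADIUS server at 10.1.1.20 on the inside interface, an AnyConnect package already copied to disk0:, and the object names SSLVPN-POOL, SSLVPN-GP, SSLVPN-TG and RADIUS-SRV. All of those names and addresses are hypothetical.

```cisco
! Added example (ASA 8.x syntax, hypothetical names); not the book's own configuration.
! Identity certificate: assumes trustpoint TP-SSLVPN is already enrolled.
ssl trust-point TP-SSLVPN outside
! Restrict the gateway to strong suites: no RC4, no single DES, no SSLv3.
ssl server-version tlsv1-only
ssl encryption aes256-sha1 aes128-sha1 3des-sha1
!
! External authentication: RADIUS server on the inside (assumed address, placeholder key).
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.20
 key CHANGE-ME
!
! Address pool handed to full-tunnel clients (assumed range).
ip local pool SSLVPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! Enable SSL VPN on the outside interface and load the AnyConnect package (assumed filename).
webvpn
 enable outside
 svc image disk0:/anyconnect-win.pkg 1
 svc enable
 tunnel-group-list enable
!
! Group policy: full tunnel only, split tunneling disabled, 30-minute idle timeout.
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 vpn-idle-timeout 30
 dns-server value 10.1.1.10
 default-domain value corp.example.com
 webvpn
  svc keep-installer installed
!
! Tunnel group ties the pool, the RADIUS server and the policy together;
! the alias is what users pick on the logon page.
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 address-pool SSLVPN-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy SSLVPN-GP
tunnel-group SSLVPN-TG webvpn-attributes
 group-alias SSLVPN enable
```

The three lines a reviewer should look for are `ssl encryption` (the RC4 and DES suites that Chapter 2 describes are left out), `split-tunnel-policy tunnelall` (the split-tunneling exposure Chapter 3 lists is closed, at the cost of backhauling all client traffic) and `vpn-idle-timeout` (the session-timeout mitigation). After applying it, `show ssl` confirms the negotiated versions and suites and `show vpn-sessiondb svc` lists the connected full-tunnel sessions.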


Customer Reviews

Average Rating: 4 (1 review)

Rating Distribution: 5 Star (0), 4 Star (1), 3 Star (0), 2 Star (0), 1 Star (0)

  • Anonymous

    Posted July 13, 2008

    SSL Remote Access VPNs

    This book's goal is to serve as a complete guide to the SSL VPN technology and its implementation on Cisco SSL VPN-capable devices. It starts with the introduction to remote access VPN and SSL VPN technology before exploring the design considerations and Cisco SSL VPN family of products. The last part explains the SSL VPN implementation and configuration for Cisco ASA and Cisco IOS routers before it ends with the discussion on SSL VPN management. This book is not for network beginners. Prior knowledge of VPN technology and familiarity with the Cisco command line interface is needed, as the book explains the remote access VPN technology concepts only briefly. The book does come with a lot of screenshots and illustrations, particularly in the SSL VPN configuration chapters. It is trying to show readers how to configure SSL VPN through ASDM, but it also needs to provide CLI configuration so readers have an alternative if they do not want to wade through pages and pages of screenshots to configure SSL VPN. The book also needs to provide more references, as the provided configurations will only help readers to get the SSL VPN up and running but are missing many optional SSL VPN configurations. Although the book claims to be a complete guide, it does not even dedicate a chapter to an SSL VPN troubleshooting guide. The troubleshooting section provided at the end of the configuration chapters is quite meaningless. The last chapter on SSL VPN management looks more like a brochure for the Cisco Security Manager (CSM) and Cisco Access Control Server (ACS) products. It only covers a very general concept of SSL VPN policy configuration and provisioning using CSM and ACS, with a reference at the back of the chapter to go to the Cisco website to look up how to configure CSM and ACS. All of this makes me confused about what target audience the book tries to cover, as it is too complex for network beginners but not detailed enough for people who already have extensive VPN knowledge.

    I find it interesting that the cover of the book indicates that it will serve as an introduction to SSL VPN, but inside it claims to be a complete guide to SSL VPN technology. In spite of these, I rate this book 4 out of 5 and still recommend the book. It has a lot of helpful information that can help readers get familiar with SSL VPN concepts and configuration quickly. Beginners who have no VPN knowledge should read Richard Deal's The Complete Cisco VPN Configuration Guide first before moving on to read this. VPN network experts can read this to get a basic working knowledge of SSL VPN.
