One of the main advantages of SSL remote access VPNs is that they can provide access from almost any locationfrom a hotel, from an Internet café, or from a kiosk at an airport. Paradoxically, this ubiquity of access is also one of the main disadvantages of SSL remote access VPNsthese locations are often insecure, and a SSL remote access VPN implementation can, if you are not very careful, allow a hacker or cracker access to sensitive information including usernames, passwords, and data downloaded to the workstation from which a user is connecting.
This access to sensitive information can result from the installation of malware such as keystroke loggers as well as simply because web browser sessions leave traces such as caches, histories, temporary files, cookies, and password autocompletion. In addition, any data downloaded over an SSL remote access VPN and written to a hard disk is not effectively removed by its simple deletionsome or all of that data can be accessed fairly simply by someone with a minimal amount of technical expertise using readily available software tools.
So, having possibly horrified you with the possibilities of the compromise of SSL remote access VPNs, it is time to take a look at how the previously mentioned vulnerabilities can be addressed.
Cisco has software that helps to address these vulnerabilities called Cisco Secure Desktop. This software can be dynamically downloaded to client workstations upon initial connection via an ActiveX, Java, or .exe file.
The Cisco Secure Desktop suite can provide different levels of protection based on the location from which remote access users are connecting. In addition to the removal and overwrite of cache, histories, temporary files, and so on, the Secure Desktop suite can provide access based on the presence of antivirus software, firewall software, and operating systems and service packs.
Secure Desktop operates as follows:
A remote access VPN user connects to the VPN 3000 concentrator.
The Cisco Secure Desktop is dynamically downloaded from the concentrator to the user workstation, and the location of the workstation is assessed.
Depending on the location, a secure, virtual desktop is created; a cache cleaner is applied; and/or a VPN feature policy is applied on the user workstation. The secure desktop includes an encrypted sandbox or hard drive partition.
The user continues with his/her SSL remote access VPN session.
When the user logs out from the VPN 3000 concentrator, the secure desktop is eliminated, with all cache, history, temporary files, and user data (including e-mail attachments) being overwritten using the U.S. Department of Defense (DoD) method for secure data elimination.
Figure 10-41 illustrates the operation of Cisco Secure Desktop.
Figure 10-41. Operation of Cisco Secure Desktop
Installing the Cisco Secure Desktop
The first step in implementing the Cisco Secure Desktop is to install the software on the VPN 3000 concentrator. You can accomplish this by going to Configuration > Tunneling and Security > WebVPN > Secure Desktop > Setup (see Figure 10-42).
Figure 10-42. Installing the Cisco Secure Desktop
Choose Install a new Secure Desktop, browse to the location where the software is stored, and click Apply. If all is well and good, a page with a message stating that the software has been correctly uploaded will now display.
Configuring the Cisco Secure Desktop for Windows Clients
After the software has been installed, you can go to Configuration > Tunneling and Security > WebVPN > Secure Desktop > Manager to begin configuration.
As previously described, the Cisco Secure Desktop is location based. That is, the Cisco Secure Desktop applied depends on the location from which users connect.
Click the Windows Location Settings heading in the subtree on the left side of the Cisco Secure Desktop window. You will then see the Windows Location Settings page shown in Figure 10-43.
Figure 10-43. Specifying Locations Within Cisco Secure Desktop
In the Location name box, you can specify the names of locations from which user can connect to the VPN 3000 concentrator and add them in turn by clicking the Add button. In Figure 10-43, two locations have been added, home and other.
When users connect to the VPN 3000 concentrator, they are matched against the configured locations in the order that they are listed in the Windows Location Settings window. So, it is important to list to locations in the correct order.
Configuration of the security setting associated with each location is achieved by clicking the location names in the left pane of the window.
You might be wondering how the VPN 3000 concentrator knows that, for example, a user is connecting from his home office and not some other location such as an Internet café or kiosk. Locations are identified by the Secure Desktop when it downloads to a user workstation depending on whether a certificate is installed on the machine, whether the machine NIC is assigned a certain IP address, or whether a machine has a certain registry setting or file.
Figure 10-44 shows the configuration of the identification criteria for a location (in this example, home).
Figure 10-44. Configuration of the Identification Criteria for a Location
If you take a look at the Identification pane in Figure 10-44 (Identification for home), you will see that there are three options (check boxes):
In Figure 10-44, the identification of the location home is based on the existence of a file called mjlsetup.exe on the user workstation.
In summary, when a user connects to the VPN 3000 concentrator, the Cisco Secure Desktop dynamically downloads, and the location of the workstation from which the user is connecting is assessed based on the configured criteria.
Having configured the location criteria, it is important to specify which Cisco Secure Desktop suite module or function will be applied on a user workstation according to its location. The modules and functions are as follows:
The particular module that is used on a workstation at a particular location depends on the selection specified at the bottom of the Identification pane (see Figure 10-44).
It is possible to choose either Secure Desktop or Cache Cleaner for a particular location by checking the appropriate box next to Use Module. If you do not choose Secure Desktop or Cache Cleaner, the VPN Feature Policy is used for a location.
Configuring the Windows Cache Cleaner
The Cache Cleaner settings for a particular location can be configured by clicking Cache Cleaner in the subtree of that location on the left side of the Cisco Secure Desktop Manager.
Figure 10-45 shows the configuration settings for the Cache Cleaner.
Figure 10-45. Configuration Settings for the Cache Cleaner
Specific settings for Cache Cleaner include the following:
Configuring VPN Feature Policy Settings
To configure VPN Feature Policy settings for a location, click the VPN Feature Policy on the subtree of the location; the screen shown in Figure 10-46 will appear.
Figure 10-46. Configuring VPN Feature Policy Settings
Settings for the VPN Feature Policy include Web Browsing, File Access, Port Forwarding, and Full Tunneling.
These settings (levels of access) can be enabled, enabled if certain conditions are fulfilled, or be disabled from a user workstation by choosing ON, ON if criteria are matched, or OFF, respectively, in the corresponding drop-down boxes.
If you choose the ON if criteria are matched option, the criteria that must be fulfilled for a particular level of access to be enabled can be specified by clicking on the ellipsis (. . .) button.
The criteria that can be matched include the presence of antivirus software, firewall software, operating system and service pack, and other Secure Desktop features on the user workstation.
Configuring Secure Desktop Options
When the Secure Desktop is specified for a particular location, you can configure the associated options by clicking Secure Desktop General, Secure Desktop Settings, and Secure Desktop Browser in location subtree.
Figure 10-47 shows the options associated with Secure Desktop General.
Figure 10-47. Configuring Options Associated with Secure Desktop General
Secure Desktop General settings include the following:
This setting only works if the user has administrator privileges on the workstation.
It is a very good idea to check this option so that users can respond to any application prompts.
The user selects a password to allow access to this Secure Desktop.
Clicking Secure Desktop Settings in the subtree allows further Secure Desktop options to be configured (see Figure 10-48).
Figure 10-48. Configuring Secure Desktop Settings
The further four options contained under Secure Desktop Settings are as follows:
The options under Secure Desktop Settings can be chosen to ensure the highest level of security for the Secure Desktop.
Configuring Cache Cleaner Options for Mac and Linux Users
The Mac and Linux Cache Cleaner heading under the subtree in the Secure Desktop Manager allows the configuration of options associated with the Cache Cleaner for Mac and Linux users.
Figure 10-49 shows the configuration options for the Mac and Linux Cache Cleaner.
Figure 10-49. Configuration Options for the Mac and Linux Cache Cleaner
Mac and Linux Cache Cleaner options are as follows:
The Successful Installation Policy options allow the configuration of VPN Feature Policy settings for Mac and Linux users:
Note that VPN Feature Policy settings on Mac and Linux workstations do not depend on criteria such as the presence of antivirus software or access from a particular location (unlike Windows VPN Feature Policy settings).
Having configured Cisco Secure Desktop, make sure that you save the configuration within the Cisco Secure Desktopthe configuration is independent of that for the VPN 3000 concentrator as a whole.
Enabling the Cisco Secure Desktop
After all the relevant settings have been configured within the Cisco Secure Desktop Manager, it is time to enable the Cisco Secure Desktop. You can accomplish this under Configuration > Tunneling and Security > WebVPN > Secure Desktop > Setup (Figure 10-50).
Figure 10-50. Enabling the Secure Desktop
Choose Enable Secure Desktop and click Apply. The Secure Desktop is now enabled.
Part I: Understanding VPN Technology
What Is a Virtual Private Network?
Part II: Site-to-Site VPNs
Designing and Deploying L2TPv3-Based Layer 2 VPNs
Designing and Implementing AToM-Based Layer 2 VPNs
Designing MPLS Layer 3 Site-to-Site VPNs
Advanced MPLS Layer 3 VPN Deployment Considerations
Deploying Site-to-Site IPsec VPNs
Scaling and Optimizing IPsec VPNs
Part III: Remote Access VPNs
Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs
Designing and Deploying IPsec Remote Access and Teleworker VPNs
Designing and Building SSL Remote Access VPNs (WebVPN)
Part IV: Appendixes
Designing and Building SSL Remote Access VPNs (WebVPN)
Appendix B. Answers to Review Questions